Be very afraid: IT's security failure
If you think your state, company and personal data are safe, think again. If you think because you’ve got a security certificate you’re safe, think again. If you think because you own a Mac you’re safe, think again. If you think the government cares, be afraid. By CHRIS GIBBONS.
When it comes to security, the IT industry has failed and failed badly. The same message was repeated again and again by local and international experts for two whole days at the IT Web Security Summit, which took place recently in Johannesburg. If you think your computer’s anti-virus software is worth anything, they said, you’re wrong. If you think your company’s firewall is impenetrable, you’re also wrong. And if you think that all the bad guys on the Internet want is your credit card number, you’re wrong again.
For an outsider, with a limited knowledge of computing’s more arcane side, it was a glimpse of cyber hell. Most users in South Africa, domestic and corporate, have been brought up with a simple and enduring set of beliefs. Live behind the firewall, use anti-virus software, don’t give out your passwords, don’t click on unknown attachments – follow these rules like good children and you’ll be able to sleep safely at night. Forget it! If the bogeyman wants to get you, he will. The issue, said one expert, was the “elephant in the room” – the thing that everyone knows but no one wants to acknowledge.
Take AV software, which most people buy and use as religiously as condoms. Well, in fact, you might just as well take a condom and stretch it over your computer for all the good the AV software will do. That’s because it only protects against known viruses and not unknown ones. The unknown ones are appearing all the time and your AV software is no defence at all.
Apple users – once smugly secure even without AV – are under threat, too. The Flashback virus earlier this year was targeted at Apple’s proprietary OS X operating system. Malware of very different shapes and sizes is also targeting mobile devices, with the open-source Android units particularly at risk. Another speaker told delegates that he was trying to remove malware from his Apple MacBook Pro right at that moment.
A US expert with a PhD in mathematics explained in excruciating detail how he had been able to hack Apple’s App Store, with an App containing malware. He did it not with criminal intent, but because this is what he does: testing system vulnerabilities. He alerted Apple to their problem. Did they thank him? No, they responded by removing his Developer Privileges and banning him for 12 months. Hardly smart marketing.
Nor should you believe that you’re any safer if you deal with websites that have security certificates. A US company called Comodo issues roughly 25% of all security certificates on the internet. It was hacked in March 2011 and its response was to issue a news release suggesting that this had been “a clinical attack... very well orchestrated” and blaming “nation-state attackers”.
No, it wasn’t. It was an attack by a lone hacker who posted a “How I Did It” video on YouTube. It was embarrassingly easy, in fact. In a similar vein, the audience was reminded that another certification agency, VeriSign, had issued the certificate for “Microsoft Corporation” to an unidentified hacker. A still-unidentified hacker, by the way. Yet another expert opined that “Certificate authorities are a total rip-off,” a view he justified by explaining that VeriSign not only sells security certificates to you and me, but then makes more money by selling interception software to governments.
So who’s behind all this? Nation-states, organised crime at high level, organised crime at low level, “hacktivists” and bored 16-year-olds seem to be the answer. The high-level criminals want data and are involved in industrial espionage, the low-level ones are after your bank account, but delegates also learnt that the price of a credit card number “on the street” is now so low that almost no one bothers with those any more.
The nation-states are where it gets scary, and that brings us back to Flame. All of the experts were very careful not to make accusations directly. Instead, for example, they would cryptically confirm that large US telecom vendor Nortel had been “systematically hacked since 2000, from an IP address in Beijing.” Great amounts of commercially valuable data were lost in that attack, apparently.
Of more recent vintage was the Stuxnet virus. This was the attack on Iran’s nuclear technology, which set the programme back by at least two years. In essence, Stuxnet burrowed its way into the computers running the centrifuges required to enrich Iran’s uranium. On one side, the attack code told the centrifuges to destroy the uranium, on the other it told the system to report to the monitoring technicians that everything was proceeding perfectly. The complexity and sophistication of Stuxnet, said the experts, could only have come from a nation-state, but which one they were not prepared to say.
Flame, the latest case of cyber warfare, was first picked up by the International Telecommunications Union after a complaint from Iran, and then detected by Russia’s Kaspersky Lab, which calls it “the most sophisticated cyber-weapon yet unleashed.”
Vitaly Kamluk, chief malware expert on Kaspersky Lab’s global research and analysis team, confirmed to me earlier that this was a nation-state attack but, like his counterparts at the IT Web Summit, refused to be drawn on which one.
Where, then, does South Africa stand in respect of an attack of this kind?
The same IT Web conference had been promised a full briefing on national cyber security by deputy communications minister, Stella Tembisa Ndabeni. On her arrival, the entire gathering was made to stand – like six-year-olds greeting the headmistress. Protocol, they were informed. She then welcomed all present “in the name of Jesus Christ” – embarrassing perhaps to a significant number of Muslim delegates, let alone any atheists present – before delivering a short speech exhorting the sector to employ more women, noting that government had adopted the Cyber Security Policy Framework and announcing the name of a private company that had been granted accreditation as a certification agency. Less than 10 minutes after starting her speech, she said thank you, goodbye, and left.
Had she been badly briefed? Were the delegates over-promised about what they could expect? Difficult to say, but the effect was one of intense shallowness at government level and little grasp at all of the sensitivity or importance of the subject at hand. It could, of course, have been a brilliant and deliberate feint, a subtle strategy to throw potential hackers and cyber-criminals off course. We may never know.
What is certain is that silent, highly destructive and massively expensive cyber attacks are now commonplace, both in the commercial and geopolitical spheres. It takes only a little imagination to conjure up a scenario in which one goes wrong and we are cast back into a world without IT, no internet, no corporate networks, no email – none of the things we all take for granted. The return of the Dark Ages indeed! DM