16 Jan 2010 @ 1:27 PM 

Every blog should touch on the recent announcement by Google that it has been under attack by Chinese entities, right?

Here I am with my personal observations :-) Enjoy!

This is actually a good thing!

When Apache got hacked a few months ago, most comments were not about who, why and what, but about the way Apache handled the attack. In contrast to what we had seen up until then in the corporate world, Apache reacted with openness, detailing what happened, why it happened and how they responded to the situation. Secretly, I was hoping that companies would look at this and learn from it.

Today we see a similar reaction by Google, Adobe, etc. I can only cheer this on and hope that this type of reaction becomes the standard! All stakeholders (shareholders, employees, partners, customers, …) benefit from openness, as it leaves no room for speculation.

It’s just China, get over it.

It’s pretty funny to see that all of a sudden everybody seems to be an expert on China, Chinese culture and the Chinese hacker culture/economy in particular. All of my in-laws are Chinese and I have spent a generous amount of time travelling through China. The Chinese are, in general, pretty ordinary people, like you and me. Generalizing and saying that “the Chinese” are up-to-no-good, IP-stealing spies won’t help. There are plenty of cases where US corporations have spied on European corporations, and I don’t doubt most of them involved at least some computer manipulation. Add to that the less than favorable reputation the US has built up by interpreting international law rather flexibly, and this discussion is moot.

‘0h my god’-day rather than 0-day

Several people have commented on the technicalities of “the hack”. Andrew Jaquith wrote down his observations over at CSOOnline. Now I have to admit that Andrew is one of my favorite infosec people ever since he wrote his Security Metrics book, but I digress …

Here’s what bothers me the most about that post:

Our most recent annual IT security survey, which we are busy analyzing, shows that “compliance” (big-C compliance like PCI and HIPAA, and little-C compliance with security policies) is the motor that drives security budgets in large corporations. Enterprises have gotten used to the idea that they need full-disk encryption and DLP to keep toxic customer and payment data from spilling.

Now, if you, as a company, fail to identify your business-critical information as important enough to implement sufficient controls to protect it from getting spilled at the first browser 0-day, you suck. It means that you have failed completely. If any security effort is dictated by compliance, aka a checklist that defines the minimum you should do, IT IS NOT ENOUGH! Surveys, statistics, magic quadrants and waves won’t save your ass even on a sunny day. Don’t do what “everybody is doing”, do what is necessary to protect YOUR assets.

Relying on one browser is a liability. As we have seen, this attack succeeded because of flaws in Internet Explorer.

In this day and age, it is shameful that I still see many corporations (including Forrester) whose business processes rely on web page formats and ActiveX controls that chain them to a specific browser. It should not be that way. Enterprises should strive to deploy web-based applications that are browser-independent; when one browser is targeted, enterprises can mitigate their risk by switching.

The search engine for security vulnerabilities at securityfocus.com reports 6 pages of vulnerabilities for Firefox, in general, and 6 pages for IE starting at IE5 SP4. I could do extensive research, but call me lazy: it’s Saturday, I’ve got a life. There isn’t a lot of difference between both browsers in terms of being more or less vulnerable. (I’ll do a survey though, and maybe create a magic rectangle of sorts!)

What do you mean exactly by “when one browser is targeted, enterprises can mitigate their risk by switching”? Choosing a (new) browser for your corporate workstations isn’t something you do overnight, as a reaction to a 0-day being reported. If I want to attack your infrastructure, I will find out what software you’re using and I’ll hit it until I find an exploit that I can use to bring you down.

When I have to protect an infrastructure, one of the first rules (in my very humble opinion) is standardization. If you rule your infra like a sheriff in the wild west, allowing everybody to use whatever they want, you’re bound for disaster. When standardizing, you look for manageability. In terms of manageability in a corporate environment, IE is your browser of choice. Why? Two reasons:

  1. You can control settings extensively through Group Policy Objects. You can basically decide, from a central point, what someone can or can’t do with the application. This assumes you’re using Active Directory, but if you’re running IE … why aren’t you?
  2. Updates come in through Windows Update, which you can centrally control as well. You can approve and distribute updates to IE in one sweep with the updates for your workstations, at no or minimal extra cost.

What I do see regularly is poorly and/or ad-hoc developed, and often unsigned, ActiveX controls. This has nothing to do with IE in itself. If you’re a crappy developer or your company has shitty development processes and you let this type of BS through QA, it could just as well be your next Firefox plugin. If you develop for a certain platform, you should take into account the risks related to that platform. I do agree with that. “Switching” isn’t easy and it’s not a solution …
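As an added illustration of the manageability argument (example code, not from the original post), this PowerShell snippet audits whether the Internet-zone ActiveX restrictions that a GPO would push have actually landed on a workstation, rather than assuming the policy applied. The registry path and URL-action IDs follow the standard Internet Explorer zone layout; the baseline values chosen here are this example’s assumption, not a recommendation from the post.

```powershell
# Added example (not from the original post): verify that the computer-scoped
# GPO for the Internet zone (zone 3) actually restricts ActiveX on this host.
#
# Assumptions: standard IE zone layout under the Policies hive. URL-action IDs:
#   1004 = "Download unsigned ActiveX controls"
#   1200 = "Run ActiveX controls and plug-ins"
#   1201 = "Initialize and script ActiveX controls not marked as safe"
# Action values: 0 = Enable, 1 = Prompt, 3 = Disable.
# Check the IDs against the administrative templates in your own environment.
# User-scoped policy would live under the same path in HKCU instead of HKLM.

$policyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# Baseline for this example: unsigned downloads and unsafe scripting disabled,
# running controls limited to prompting the user.
$baseline = @{
    '1004' = 3   # unsigned ActiveX downloads: Disable
    '1200' = 1   # run ActiveX controls and plug-ins: Prompt
    '1201' = 3   # init/script controls not marked safe: Disable
}

function Test-IEZonePolicy {
    param([string]$Path, [hashtable]$Expected)

    if (-not (Test-Path $Path)) {
        # No policy key at all means the GPO never reached this machine.
        return [pscustomobject]@{ Action = '-'; Expected = '-'; Actual = 'no policy key'; Compliant = $false }
    }

    $props = Get-ItemProperty -Path $Path
    foreach ($action in ($Expected.Keys | Sort-Object)) {
        $actual = $props.$action           # property named after the URL-action ID
        [pscustomobject]@{
            Action    = $action
            Expected  = $Expected[$action]
            Actual    = if ($null -eq $actual) { 'not set' } else { $actual }
            Compliant = ($actual -eq $Expected[$action])
        }
    }
}

# Non-compliant rows are the ones to chase in your GPO results (gpresult /h).
Test-IEZonePolicy -Path $policyPath -Expected $baseline | Format-Table -AutoSize
```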

Humans remain the weak link. I spoke with a contact at an aerospace company who knew something about the Adobe PDF attacks. He was surprised that good old fashioned phishing attacks still work. “This kind of stuff is driving the defense contractors nuts. They should know better, and yet, they are still affected.” It bears repeating, one more time: attachments from strangers are bad. CISOs should dust off their social engineering playbooks and do some internal phishing testing on their employees to make sure their staffs get the message.

Andrew gives Adobe the get-out-of-jail-free card here, because now suddenly it’s the user who’s at fault!! If you’re using IE you should switch to Firefox because, you know, Microsoft doesn’t know how to develop, but if you’re using Adobe Reader, well, it’s your own fucking fault! Fact of the matter is that, unless you’ve been living under a rock, Adobe has shown neither responsible behaviour nor secure development skills in the past 12 months, while Microsoft has consistently improved security in its development process and its behaviour in relation to serious vulnerabilities.

Let me spell this out: people click links just as people open attachments. If there is one resource we are not utilizing enough in our security efforts, it is the people who are using our infrastructure on a daily basis. If your users are randomly opening attachments and clicking on links they shouldn’t be clicking on, the CISO should not dust off his social engineering playbook … He should be looking for new employment!

Posted By: admin
Last Edit: 16 Jan 2010 @ 01:27 PM


Responses to this post (2 total)

  1. Bart says:

    I could not agree more.

    One of the rules I try to abide by is: “Your information infrastructure and the information therein is like an ecosystem. It is fragile, and precious, and should be treated as such.”
    Most importantly to abide by this rule is to make sure that the people that use your infrastructure and information know and practice the rule as well or even better than you do.

    A lot of people forget about the people. Even I, to my humbling shame, have been prone to forgetting about the people.

    But still: one cannot expect a quality house from unstable foundations.

    Stay Secure!


  2. Well; most of the security community will agree with the standardization & people points. I would add that even with these taken care of if you do not have a good policies & enforcement methods in place things would not work out. Essentially in China (& lots of Asian countries even in India) there are laws but holes exist and enforcement is lacking; that’s why you are able to openly buy pirated items in shops @ China.

    It is a long way to go; however, I am not sure if a similar approach like Google’s boycott of China would speed this process :-)

