This past week’s news headlines have once again been filled with a number significant cyber security incidents. Data breaches in JP Morgan, Bash shell vulnerability in a number of Unix/Linux operating systems (Apple OS X included), and many others. One that is of particular interest, not because it happened just around our neighborhood location, but one that’s concerned with a risk-based approach to information security management. That’s the Automated Teller Machine (ATM) attacks incident in Malaysia, which was reported in major newspapers online and offline on/around September 30th, 2014.
I was first curious about the ATM attacks as Malaysia had not had an ATM related fraud for quite some time then, at least a few years since all the banks there had upgraded their ATM to a chip card (smartcard) based system. Prior to the upgrade, a number of banks were seriously impacted by major organized crime attacks on their magnetic card system, which involved installation of fraudulent reader to copy the card holders’ account data on the magnetic stripe, and tiny camera overseeing the PIN pad to capture the user PIN as the cardholders enter it while using the machine. With the smartcard based system, data on chip cannot be copied easily, which makes cloning the ATM card a major challenge. Capturing the PIN via an external camera itself doesn’t serve any good when the card cannot be cloned. The smartcard based ATM card system basically “won” the war against the criminals. I was therefore interested to find out how the perpetrator did what they’ve done and got away this time. A good thing is that the news report did provide some useful information to understand the gist of the attack.
As reported in various news sources, the attack essentially involves a combination of physical and logical techniques, and of course a certain amount of courage, confidence, and luck on the part of the perpetrator. The attack begins with the perpetrator forcing open the ATM physical enclosure to reach the computer so as to insert a CD into the CDROM player to launch the logical attack. It appears that the targeted ATM systems were all using a form of weak physical protection that did not even have one of those temper resistant setup that would shutdown the machine, or intrusion detection mechanism that would trigger an alarm when it is forced open. This looks like a fundamental design failure. Otherwise, it would have to be a weak lock, or someone compromising the key.
Once the perpetrator overcomes the physical “protection”, a malware (a file named ULSSM.EXE) that resides in a CD takes over the rest of the work. At this stage, the activation of the malware requires that the machine to be using an operating systems that is compatible with it (which in this case, Windows XP), and more importantly, configured (or rather, mis-configured) in such a way that will “auto-run” the malware program in the CDROM. If it runs successfully, the perpetrator will eventually receive a code on his/her mobile phone that allows him/her to gain administrative access to the ATM to pour out whatever cash that is still in the ATM system at that point.
The perpetrator was either lucky, or had prior knowledge that the malware will work as planned, and there were sufficient cash in each machine to worth the efforts, or a combination of all this. The ATM systems were apparently running Windows XP, have a CDROM installed, and had “auto-run” enabled (a default setting in Windows XP anyway). The total loss reported ranges from 450,000 to as high as 3.1 millions Malaysian ringgits, over several (some say 17, others say 18) ATM systems across the Malaysia peninsula, including Selangor, Melaka, and Johor.
To gain more insights on the attack, I did a quick search of the malware, ULSSM.EXE, and apparently, it had been reported by quite a number of anti-virus software vendors as early as May 2014 (i.e., about four months ago). The first thing that comes to mind was, even if it was reported four months ago, how will the bank know of such a unique malware that was specifically targeted on ATM systems among the millions of malware that have emerged in the period? A subsequent report in the news confirmed our expectation — that the vendor of the ATM system should be monitoring for such vulnerability (and exploit) and inform their customers (the banks) accordingly. Whether the vendor actually contact all their customers directly, or simply post the vulnerability information on their web site is not known.
In Symantec report, the malware is diagnosed as a Trojan, and named as “Backdoor.Padpin”. Incidentally, the Trojan malware is rated as a “Very Low” risk, as shown in the screen shot captured from the Symantec web site on September 30th, 2014. The layout of the site seems to have been updated now, but the contents have remained unchanged.
The “Very Low” risk rating is based on three threat assessment factors: Wild level, Potential Damage, and Distribution. At the time of their assessment (first on May 9, 2014, and subsequently updated on May 20, 2014), the Wild Level is rated “Low” since the number of infections reported is between 0 and 49, number of sites infected is 2, and threat containment and removal are both assessed as “easy”. The Damage assessment is rated “Medium” as the Payload involves “opening a backdoor”, “displaying sensitive information to the attacker”, and “disables the local network to avoid triggering alarms”. Finally, the Distribution is “low” since only two sites have been reported infected at that time. If you are a security manager of a bank that uses the ATM system, how would you respond to such an advisory? My guess is that most security managers are not going to even see a report highlighting such a risk issue, given its “Very Low” risk rating, not to mention taking any precautionary step in view of the advisory that the vendor has published. There are many more “High Risk” items to pay attention to. In the online report, Symantec has also provided detailed recommendations for preventing and mitigating against the malware. They may not have been read by anyone if not for the attacks that have happened.
The risk rating (“Very Low”) appears to be largely influenced by the distribution, even though the potential impact is quite significant. What does “Medium” damage rating mean is not clear, but the capabilities of the malware appears to be sophisticated, designed for very specific purpose — being able to disable the local network and display sensitive information to the attacker at the same time. My retrospective assessment of the impact is perhaps influenced by the occurrence of the ATM attacks incident itself. As such, the incident looks very much like a Black Swan — a “low” risk, but high impact incident, which we only find it to be significant retrospective to its occurrence.
The Black Swan highlights one of the issues of a risk-based approach. That is, we can’t predict what will go wrong or how bad events will play out in the future. Incidents of the past are history, which tell us something about what can go wrong, but do not tell us whether they will happen again. Even if the attack is similar, their future frequency, and distribution of occurrence are basically unknown. Our risk assessments therefore can be wrong, and the worst case is when a low risk issue materializes, since we tend to ignore or give very low priority to low risk issues. Ironically, a risk-based approach relies on risk assessment to make decisions.
A continuous risk assessment approach, which builds on the risk-based approach, doesn’t fare much better either. How often do organizations re-assess their risks of an existing system? If they adopt the ISO/IEC 27001 certification standard, the normal cycle is once a year. If an organization relies on the internal control and audit function, which banks tend to be, it depends on the their schedule and priorities. In all cases, each cycle will normally look at a different scope (due to limited resources, and many new systems to review). The ATM systems security is thus unlikely to get a reassessment of its risk for a long time if the bank has not made any significant changes to it. The previous major change is likely to be the upgrade to the smartcard card system.
Getting back to the ATM incident in Malaysia, the vendor has responded as reported in the news that the banks were warned four months ago. It’s almost a week’s past since the publicity of the ATM attacks incident involving the Trojan malware, the risk information at the Symantec site has remained as “Updated: May 20th, 2014 9:44:15 PM” (as seen at the time of this writing), October 5, 2014 11:50 PM. Apparently, there’s no continuous risk assessment for such threat at its information source either.
Given our knowledge of the Black Swan, Nassim Taleb, the author of the book, “The Black Swan“, has asserted the importance of designing and building robust systems that is “anti-fragile“. Any attack on a system will occur as a change event, or a series of change events, from the perspective of the victimized systems, regardless of the outcome of the attack. A prerequisite for robustness, or antifragility is therefore responsiveness, i.e., having the ability to “see” the effects of the changes, and trigger appropriate actions for criticality alignment. We shall discuss more about Responsive Security in future blogs as the main idea of this blog is to highlight the Black Swan that was observed on the ATM system. Meanwhile, if you wish to learn more, check out the book itself from the links in the earlier blog.
- Time saving
- Commute – 1 to 3 hours a day, depending on where you are, that’s between 5 to 15 hours a week saving per employee
- Can work anywhere that you feel comfortable; don’t need to stick to an office, or a home office
- Productivity improvement
- Less interruption than working in the office (interruption factory) – possible to get work done only before or after others have arrived or left
- Interruption disrupt flow and rhythm of work
- True productivity happens only with uninterrupted span of time is made available for quality work to be done
- Work-life Balance
- Improve quality of life of individuals
- Have time for your hobby, interest (don’t need to wait for retirement) – music, biking, etc
- Have more time with family
- Improve employees’ loyalty and satisfaction
- Employees are adults, don’t treat them like children – respect them and trust them to do their best work in their career
- When people are respected and able to do their best work, they would stay with the organization
- Urge to have physical daily oversights
- Shift to ensure people are working on meaningful work rather than seems working on something
- Meetings can be toxic and disruptive to productive work
- An hour meeting involving five people is 5 hours of productive work loss.
- Use email and IM in productive ways to replace need for meetings
- Involve least number of people in a meeting wherever possible (a short chat will be more productive)
- Should be like the library, a place to learn and focus
- Create separate private space for collaborative discussions
- If you are going to have an office, it has to be inspirational – this is not possible for everyone; Remote gives people option to choose where they can be most comfortable to get the most done
- Implement a “no-talk day” (NTD) in the office – tremendous amount of work can be done when there’s no interruption for a day; this would make the office a productive place, a go-to place when need to get things done (on the NTD).
- Respect peoples space
- Slow down to get more – use the email or other communication tool effectively. Again, use of collaborative workspace such as WebEx Social allows one to read, comments, feedback, and updates project status at their own convenient time.
- Time zone overlap – 4 to 5 hours overlap the best.
- Great for creative and knowledge works
- “Why work does not happen at work” – Jason Fried at TEDxMidwest
- “David Heinemeier Hanson – REMOTE: Office Not Required“
- “Remote Work at 37signals“
- Jason Fried & James Warren: World of Work
Last week at the 14th RAISE Forum meeting in Bangkok, the hotel served breakfast every morning. Among the wonderful selection of western and eastern dishes were two choices of bacon, crispy (hard), or soft, arranged in a specially shaped Yin-Yang Taoist design plate (see picture below). As shown in the picture below, the crispy bacon looks hard and slightly burnt, whereas the soft bacon looks tender and seems delicious. Most hotels serve crispy bacon but not the soft ones as part of the breakfast buffet menu. I took two slices of each, which perhaps nullified the five kilometer run I just had early that morning. I have not taken soft bacon for quite some time now so I went for it first, thinking that it would be more delicious and an easy start, since it must be soft and tender. On first bite, I then realized that it was actually neither tender nor soft. It’s texture was rather rubbery, and kind of hard to chew. Strange. It was a bit more salty than I liked as well. Not a good experience after all. On the other hand, the crispy bacon was neither hard nor tough to eat. A soft bite and it cracked in the mouth, releasing the juiciness of the bacon, and the slight burnt was indeed fragrant. The verdict – crispy bacon was delicious.
At that moment, it reminded me of the notion of “hard” versus “soft” problems. Hard problems are such as those technical or engineering problems. They often seemed hard in the sense of difficult, or complicated, but normally can be solved if one put in the time, thinking, and efforts to work on them. On the other hand, soft problems are often not straight forward or as tender as they may sound like. Soft problems are problems relating to people, and group, the so-called “Human Activity Systems” (HAS). Every human being is different, and sees problems and challenges differently. Many personal and psychological factors could influence an individual’s decision, non-decision, action, non-action, and related behaviors, and often time a solution cannot be guaranteed. When people comes together forming groups, large or small, the problems become even “softer”, more complex to navigate, dissect and understand.
As I discussed in chapter 2 of “Responsive Security“, “information security risk management problems are considered ‘hard’ (difficult and complex) but are not ‘hard’ from a research perspective. Instead, information security risk management systems are essentially parts of human activities systems (HAS) and therefore classified as “soft” problems.” Just like the soft bacon, such problems are often harder to chew than the crispy ones, requiring more research efforts to understand the complexity and devise suitable solutions that address them. As the nature of our information environment are very much embedded and integrated with technology these days, we must also consider two other critical aspects of information risk that fall under the technical research paradigm: (a) the close relationship of information risks and information technology; and (b) the constantly changing nature of the technology, business systems, and environment. These two aspects, social-technical aspects in short, are but two of the many facets that we need to consider and address. For a more in-depth discussion on how we may approach this in the practice environment, and the issues and dilemmas that were surfaced as part of the research, check out chapter 3 of the book on “Responsive Security“.
Meanwhile, enjoy the good taste of the bacon, whichever you prefer :-)
Today marks the start of a new year on the Lunar calendar. As the Chinese saying goes, as the spring season arrives, happiness and prosperity follow. I would like to wish everyone a happy and prosperous lunar new year.
The Year of the Horse, according to the Chinese geomancy (feugshui) system, it’s a Wooden Year, which means a Wooden Horse Year. That immediately calls to our attention the well known Trojan Horse. Perhaps an important reminder of the many facets of security threats, which often leverage the surface appeal of beauty, innocence, or relevance of a subject to lure one into a hidden trap. Think Spear Phishing, Spam mails. Be prepared for the Trojan, be ready to deal with the many hidden challenges.
This year is also the “Jia Wu” year (甲午年) in the lunar calendar (more accurately, the sexagenary system, 六十花甲) that marks the 120th anniversary of the first Sino-Japanese war (甲午战争,1894-1895). The current political tension between China and Japan over various territorial and historical issues doesn’t give much comfort when we read about the historical conflict. Certainly, today’s situation differs vastly from that of 120 years ago. But again, we never know if the leaders will learn from the lessons of history. Perspectives of war often differ between the agressor and the defender. They get more complex as more parties are involved. The stakeholders are many, solution is never easy.
Similarly, perspective on Cybersecurity, Cybercrimes, Cyberwar, and for that matter, everything Cyber, often differs as well. Unlike the conflicts of nations or competition, which leaders and stakeholders can have a choice of actions or inactions, in the Cyberspace, we often don’t even know that we have been targeted or who or what the enemy is. As such, what really matter to an individual or an organisation on the Internet is whether do we know what’s at stake if something bad happens, have we thought about our potential exposure, and are we ready to respond? A few questions that may appear simple, but often, we don’t have the answers, or simply put, not ready.
Once again, wishing everyone a happy new year! 祝大家马年吉祥，身体健康！
After much anticipation, my new book, “Responsive Security – Be Ready to Be Secure“, is finally published today. Thanks to Prof Pauline Reich of Waseda University, and Chuan Wei Hoo, who helped to proof read the earlier drafts, my publisher, Ruijun He, my editor, Iris Fahrer, and many friends and family members for all the supports and assistance rendered throughout the long process to make this possible.
The book is based on my thesis on a Piezoelectric Approach on Information Security Risk Management, which captures the past decade of my experience and learning from my practice and fellow practitioners whom I have the opportunity to work with. The book walks through our current knowledge and principles of practice in information security risk management, with discourses on the underlying issues and dilemmas in a constantly changing risk environment. It introduces the concepts of responsiveness, and highlights the importance of readiness and preparedness in face of changes that we may not always able to anticipate, and lest unable to predict. Responsive Security focuses on events that could lead to systems failures rather than the current industry’s focus on the search for vulnerabilities and learning how perpetrators exploit and attack.
If you are interested to find out more about the Responsive Security concepts and approach, the book is now available at CRC Press (http://www.crcpress.com/product/isbn/9781466584303) and also Amazon, where an e-book version has also been published.
Talking about Shandong in the previous blog (“Before the ashes turn cold“) yesterday, in fact, I just came back from our 12th RAISE Forum meeting which was held at Jinan, the capital city of Shandong province in China on March 27 and 28, 2013. The meeting was co-sponsored and jointly organized by Beijing Powertime (北京时代新威) and Timesure, supported by the Association of China Information Security Industry (ACISI), and co-sponsored by (ISC)2.
Bruce Schneier wrote an interesting piece recently about the use of technology for political purposes and suggests that we need “more research into how to circumvent these technologies”: https://www.schneier.com/blog/archives/2013/04/it_for_oppressi.html
Technology is like a knife (in fact, a knife is also a technology). It is double-edged. It depends on the user more than the provider in terms of its application. If a user uses a knife to kill a human being, it is against the law, it is even considered barbaric, animal, etc. We know its danger, but that alone will not stop its use. If we look at the history of technology, explosive was discovered in China many years ago. The emperor then was worried about its negative effects and forbid further research and use. But its utility is far beyond the fear of the imperial order or the negative effects of an explosion. In the hands of the inquisitive minded scientists and the powerful politicians, it has since evolved and today it is not just gunpowder explosive that we are worried about anymore.
Finding ways to circumvent technology would reveal weaknesses that help the provider to strengthen it. It may even create a market selling the idea of its “safe use”. Even if a technology provider decided to discard it, another may acquire or reinvent it, as long as there’s a demand.
Beneath technology is intellectual, knowledge, and information. Knowledge is power. Information flows.
In the Qin (秦) dynasty period, the first emperor of China understood that knowledge is power, and was therefore fearful of the potential threats of scholars and their teachings to his rule of the country. As a result, the Qin emperor ordered the burning of books in an attempt to stop people from learning. Nevertheless, the dynasty was overthrown by two rebels who were illiterates. A poet in the late Tang dynasty summarizes this elegantly, “坑灰未冷山东乱，刘项原来不读书”, which roughly translates, “Before the ashes (of the books) turn cold, Shandong has already rebelled; Liu and Xian (the two leaders of the rebels) were in fact illiterate.” A few emperors in subsequent dynasties did the same thing and again failed badly.
Today, we thought that China and many others would have learned from history that censorship is not an effective tool for maintaining control of information and power (based on the historical lessons learnt). But they don’t. Control gives the perception of power. Power blinds one from seeing things clearly. Letting go (detachment), as we learn in Buddhism, is not a simple thing.