Thinking About Next-Generation Security and Cyberwarfare

Taking the cyberwar challenge seriously requires thinking outside our comfortable technology or national security boxes. Unfortunately—regardless of the lip service many decision makers pay to cybersecurity—this ability is a rare quality. What the world needs is strategic leadership in navigating the murky waters of cyberspace. The digital world, as well as the threats and opportunities in it, is not “out there,” but part of our making.

The value of cyberspace arises from its close connection to the physical world. The Gains we achieve through the digital realm—efficiency, near simultaneity, global reach, cost reductions, new opportunities for business and civil society—are meaningful only when they improve the quality of our lives. Unfortunately, owning anything valuable also encompasses the fear of losing it. We are afraid of losing the functions that cyberspace enables, as well as the functions controlled by it. Because we are not sure how different functions relate to one another or affect the physical world, confusion prevails.

Moreover, we do not really know our potential enemies, their capabilities and vulnerabilities, logic, or willingness to do harm. We don’t know what to defend against, which makes us concentrate on the technologically possible instead of the politically feasible. By designing, constructing or acquiring, disregarding, and using technological capabilities, we build the future operating environment and the future world. This responsibility is huge and should not be carried out technology in the lead. Strategic thinking and the skill to effectively use our current capabilities have often proven to be the key to success.

Thus far technology has prevailed in cyberspace while our strategies have been reactionary. The voices of warning have existed for years. Still, we seem to take steps only after we see a disaster. For enhanced security we should learn to make decisions based on sensory information other than visibility—and not only on tactical and operational levels, but also on a strategic level. In addition, we must plan, build, and execute on the assumption that we can never reach perfect visibility.

The basic problem in strategic thinking about cyber-physical reality is that we try to apply concepts and logic drawn from the physical world to the digital world without modification. Thus we expect to recognize our opponents (or construct them in fierce naming and shaming campaigns), count stockpiled cyber weapons (and verify their existence), attribute attacks (and possibly retaliate), and deter (though effective deterrence requires a known enemy). We also try to conduct information operations in the era of Web 2.0 as if we were living in a world in which major media companies or national news broadcasts control the information sphere.

The aforementioned are only a few examples of flaws that dominate security thinking. Old-fashioned ideas prevail in public and private sectors alike. Both participate in contemporary security production and are stakeholders in cyberwar. The tendency to rely on familiar frameworks in the face of something unexperienced is understandable, yet it may hinder our attempts to scrutinize cyber-physical reality as it is and learn to live in it. The contemporary world is our creation, but it may not suit preexisting security frameworks.

How about starting with our cyber-physical reality? We must learn its basics and conceptualize it without prior frameworks, and learn to live in a multiphase reality in which we may not be able to know our enemies, build a strong security posture alone, or enjoy unambiguous truths. We cannot control cyberspace (although we try to) and must learn to live with its malleability and unpredictability. Absolute security is unattainable. Thus resilience should become the prime driver in security thinking. And that warfare should remain only a feature of politics.

Cyberspace and the changes it has brought about in warfare and security production do not represent a revolution. They cannot be addressed by those currently in decision-making positions. Rather, they are a phase in our normal evolution and should not be deferred to future generations who might better understand them. By then it may be too late.

The post Thinking About Next-Generation Security and Cyberwarfare appeared first on McAfee.

Outdated Software Is Not Necessarily the Cause Of Your Website Being Hacked

On this blog we focus a lot on the large problem of software on websites not being kept up to date. But the importance of keeping software up to date is misunderstood or misused, leading to more security problems. What we often see with web hosts, and to a lesser degree security companies, is that they tell people that their hacked website must have been hacked due to outdated software. There are a couple of major problems with this. First, websites are often are hacked due to reasons other than outdated software. It could be caused by malware on the computer of someone involved in the website, poor security at the web host, a vulnerability that even exist in the latest version of software, or a variety of other issues. The second major problem is that if you assume that the website was hacked due to outdated software and it wasn’t then the vulnerability doesn’t get fixed and the website could get hacked again (which based on the people that come to us to re-clean hacked websites, happens often). Below we dive into more detail of several of the important points on understanding what role outdated software plays in hacks.

Most Vulnerabilities Are Not Likely to Lead to Your Website Being Hacked

If you look at popular software like Drupal, Joomla, and WordPress they release security updates on a fairly regular basis. While you should be applying those security updates, it is important when dealing with a hacked website to understand that most security vulnerabilities fixed in software are not likely to lead to your website being hacked. For the average website, hackers will only try to hack it using very basic hacks that don’t rely on human interaction, so vulnerabilities that would require targeting your website are unlikely to be used. There are other vulnerabilities that would need to be combined with another vulnerability to be successfully exploited and yet other security vulnerabilities that couldn’t be used to hack your website, for example an old WordPress vulnerability allowed users to view other user’s trashed posts.

When it comes to Drupal, Joomla, and WordPress, only with Joomla have we seen a new vulnerability in the software successfully be exploited in the past few years. So with Drupal and WordPress if somebody is telling you an outdated version caused the hack chances are they are wrong. The vulnerabilities in Joomla could impact websites running 1.6.x, 1.7.x, and 2.50-2.5.2 if user registration is enabled or versions 1.5.x, 1.6.x, 1.7.x, 2.5.0-2.5.13, 3.0.x, and 3.1.0-3.1.3 if untrusted users are allowed to upload files.

When hiring someone to deal with a hacked website, finding someone with expertise with the software you use can be important for understanding what impact the security vulnerabilities in an outdated version of it potentially have and if they could have lead to the website being hacked.

You Need to Determine How the Website Was Hacked

Our experience is that many companies provide hack cleanup services don’t actually do the important task of determining how the website got hacked. While you might get lucky and the vulnerability is fixed without determining what it was first or the hacker doesn’t come back, you shouldn’t bet on that. We often have people comes that had previously had someone else clean up the website and then in short order it gets hacked again. Our first question in those situation is if the source of the originally hacked was determined and we have someone answer that it was, the usual response is that determining the source of the hack was never even brought up.

When it comes to saying that your website must have been hacked due to outdated software, what we have seen is this often not based on any evidence. In fact, in some cases we have seen web hosts blaming outdated software despite the software being up to date at the time of the hack. If somebody tells you that it is the cause they should be able to tell you what the vulnerability is and provide evidence that supports the claim. If the logs of access to the website are available they should be able to show you the relevant log entries showing when the hack was exploited. Unfortunately, in too many cases web hosts do not have good log retention policies so the logs are gone once the hack is discovered, but someone who knows what they are doing should be able to explain why the evidence still available matches exploitation of the vulnerability.

Before you hire someone to clean up a hacked website make sure that determining the source of the hack is part of their service, if it isn’t they are not doing things properly.

You Can Be Up to Date Without Running the Latest Version of Software

We often see people confusing the need to keep software up to date with the need to be running the latest version of the software. While they are the same in some cases when the developers only support one version of the software at a time, in other cases you only need to be running an up to date version of one of the supported versions to be secure. For example, Drupal currently supports versions 6 & 7, so at the moment you should be running 6.31 or 7.28. While newer versions may include security improvements over an older version, the older version should still be secure against hacking as long as it is receiving security updates. Using Drupal as an example, Drupal 7 introduced better password hashing, which improves security but would only have impact on it in a situation where someone has gained access to the database, which they shouldn’t if things are secure.

For those in charge of managing numerous websites you can use our Up to Date? Chrome app to keep track of the update status of websites running Drupal, Joomla, WordPress, and other software all in one place.

Microsoft Releases Security Advisory for Microsoft Malware Protection Engine

Original release date: June 17, 2014

Microsoft has released a security advisory to address a vulnerability to the Microsoft Malware Protection Engine. Successful exploitation of the vulnerability could allow an attacker to cause a denial of service.

An update is available for the following affected software:

  • Microsoft Forefront Client Security
  • Microsoft Forefront Endpoint Protection 2010
  • Microsoft Forefront Security for SharePoint Service Pack 3
  • Microsoft System Center 2012 Endpoint Protection
  • Microsoft System Center 2012 Endpoint Protection Service Pack 1
  • Microsoft Malicious Software Removal Tool (Applies only to May 2014 or earlier versions)
  • Microsoft Security Essentials
  • Microsoft Security Essentials Prerelease
  • Windows Defender for Windows 8, Windows 8.1, Windows Server 2012, and Windows Server 2012 R2
  • Windows Defender for Windows RT and Windows RT 8.1
  • Windows Defender for Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2
  • Windows Defender Offline
  • Windows Intune Endpoint Protection

US-CERT encourages users and administrators to review the Microsoft Security Advisory 2974294 and apply the necessary updates.

This product is provided subject to this Notification and this Privacy & Use policy.