Thursday, December 31, 2009

Bricking ourselves into a dark corner

Bruce Schneier's brilliant piece on Security Theater got me thinking.  Terrorism's aim isn't solely to kill people; its main goal is to instill fear and force a change in the way of life of a people.  That people is us civilized westerners.  Think about it.

What's interesting is this: every time a suspected terrorist is arrested the media circus around it makes it feel like another episode of 24 with Jack Bauer just around the corner ready to fend off another bad terrorist plot.  The problem with this is that we're building fear - exactly what the terrorists want to happen.  Psychologically this actually achieves almost as much damage as actually committing the terrorist act and being successful.

What's worse is the results that happen afterwards in the political theater, here in the US.  Politicians and clueless bureaucrats [like Janet Napolitano who heads up the DHS (Dept. of Homeland Security)] have what we call knee-jerk reactions to these types of situations which actually amplify the effects beyond anything the terrorist can create himself.  Allow me to explain.

Remember Richard Reid, the would-be shoe bomber?  What about those idiots in the UK who were going to bring down a plane with liquid explosives?  The result was the same predictable one each and every time.  The response from our beloved TSA (Transportation Security Administration) was to react to the previous threat in a way that could have prevented that threat, had we been able to go back in time.

You see, the TSA believes in a policy of reactive security.  More specifically, reactive security theater, as Bruce so eloquently coined the phrase.  It's not that taking your shoes off and sending them through the x-ray machine will likely prevent any future attacks; rather, it's a reaction meant to prevent a repeat offender.  Same with the 3.0oz of liquid in the plastic baggie.  Same goes for not being able to get up during the last hour of flight, although the logic behind this one is truly bizarre, even when I really try and think it through.

This kind of thinking is dangerous, and should be eradicated from a department as critical to our way of life as the Department of Homeland Security (especially the TSA).  When we enact these half-cocked measures of illogical security we endanger more lives than we protect.  What I'm alluding to here is what we in computer security always refer to as the "false sense of security".  It's like having anti-virus installed, running, and 2 years out of date.  Sure you have something there that makes you "feel good" that you're protected but in reality you're doing nothing for your actual security.

Think I'm crazy?  Think of how the last several uncovered and publicized terrorist plots have affected your life.  UK liquids plot ... 3.0oz or less in a plastic 1Qt baggie.  Shoe bomber ... take your shoes off and place them in the bin, or on the conveyor, no wait, in the bin.  Crotch-bomber nearly burns his twig n' berries off ... can't get up for last 60 minutes of flight and the pilot can't even point out what you're flying over anymore.  Do I need to continue?

Open your eyes and realize the terrorists are winning.  They're effectively changing our way of life.  They're forcing the hapless, clueless government we're all living under to enact changes that restrict our personal liberties and ability to move about our country freely.  They're drastically breaking the rights afforded to us against unwarranted search and seizure.  Hell, you can't even take a picture of a national monument without some rent-a-cop security guard in your face about it!

So let's take a minute to step back this holiday season and apply some logic.  If we continue to allow our politicians to create these knee-jerk, backwards-looking reactionary policies we will effectively paint ourselves into a corner the American people won't be able to get out of.  Think about it!  What if terrorists are discovered trying to make laptop battery bombs?  No more laptops on planes?!  What about iPod bombs?  No more iPods or worse yet, electronics, on planes?  At what point will air travel become so incomprehensibly painful and unnecessarily inconvenient that people simply stop leisure travel by air?  Have our politicians thought of what that does to the air travel industry?

I know I've heard people say that we get what we pay for, and that the TSA simply doesn't have enough money to work with... If I read this correctly the president's budget allocated over $6 Billion dollars for security, what have we done with that?!  From the Budget document:
"...Devotes nearly $6 billion to the multi-layered, risk-based aviation security system"
WOW!


All I'm asking is that we evaluate the actions the TSA and the DHS are taking and see them for what they are - knee-jerk reactions to deter already-happened events.  We can't possibly keep our nation safe trying to prevent what's already happened, that's logical right?


Here's to hoping 2010 is a more prosperous, safer, and more logical year.


----
UPDATE:
From his blog Chris Elliott has a great post about the schizophrenic TSA rules after this latest disaster near-miss.  Chris also has a few things to say about the TSA, go give him a read.

Wednesday, December 30, 2009

International Travel, Security, and the Utter Failure that is the TSA

Here's something I never thought I'd say ...US airports are not the worst-run in the world.  The US TSA is still, sadly, run by semi-trained apes.

Over the past 2 years I've been traveling regularly cross-country (and even up into Canada) on business and have had some abysmal experiences with airports ... but then I found myself on holiday in Holland (Amsterdam to be precise) the day after the idiot from Nigeria tried to blow up his crotch and a Northworst Airlines (now Delta) plane.  Let me tell you that the Dutch airport security at Schiphol airport took inconvenience and stupidity to an entirely new level.

It's important to remember that this experience was the day after the dumbsh** tried to kill several hundred people over Detroit, so the level of knee-jerk "security" measures was unprecedented since the 9/11 atrocities.  This is my personal experience ...and will naturally have a lot of my highly-opinionated commentary so grab a coffee, sit back and enjoy.

First ... Holland (and really, northern Europe) had been absolutely buried in a massive snow-storm the likes of which they hadn't seen in >20yrs according to locals, so I was already bracing for the long lines, cancellations, delays and silliness that goes along with poor weather.  Second, I was already expecting people to be hyper-vigilant to a point of stupidity given that the attacker had left Amsterdam's Schiphol airport the day before and now all eyes were on the Dutch.

The flight I was on was supposed to leave Schiphol airport (UA 947) at 12:20pm (local time).  When I got to the airport at 9:30am, I figured it was a safe bet because there were undoubtedly slight delays in security measures.  I had also heard of some of the absolutely ludicrous security measures the TSA had enacted like "nothing on your lap, or standing up for the last hour of flight" and the 1 carry-on only rule... and I was annoyed. When I checked in, and dropped off my bag the United agent was absolutely super-polite and checked mine and my wife's suitcase and told us that we would need to be at our gate by 10:30am which meant I still had time to have a cocktail (or two) in the lounge, and get to the gate with plenty of time.

My wife and I arrived at the gate at precisely 10:28am, only to see an absolutely empty gate with lots of people standing around looking very confused.  [Another note: Schiphol airport apparently does their security at the gate rather than at one central point.  This is something very important to remember as it is a drastically different model than we're used to in the 'States.]  Anyway, getting there and seeing no one from the airport staff for a full hour really got to me, and many of the other passengers, so you can imagine that when the 4 airport workers (security staff) showed up with a cart full of tensa-barriers at 11:35 there was a riot about to break out.  By now I had learned that most people there had connecting flights, much like my wife and I, and only a few of them were actually staying in Washington DC (Dulles was the landing airport).

The airport security folks took 15 minutes (give or take a few) to set up their barriers and start barking out orders.  They explained that due to heavy new rules everyone would be, as they put it, "100% checked" before getting on this plane.  What the hell does "100% checked" mean?  I didn't see any rubber gloves so I thought we were safe.  Wrong.

We were 2nd in line in the priority line which didn't seem to matter because both the priority line and the economy line were moving just as slowly.  The person in front of us had her passport taken, was drilled with questions then pulled aside.  She had her purse gone through, more questions, and then had to take off nearly everything that was decent and send it through the X-ray machine.  She was then patted down, no I mean really patted down...  On the other side of the x-ray machine, both her purse and her carry-on were opened, emptied and each item was inspected one by one.  No privacy screen, no caution, no care for people's decency/privacy.  It was revolting.

My wife and I went through the same treatment.  They opened my camera bag, emptied it nearly breaking some >$800 lenses and asked what everything was and had me show them how everything worked.  Next came my completely packed laptop bag.  It took nearly 10 minutes to take everything out, inspect it, and tell me to put it all back together and move out of the way.

The whole ordeal for my wife and I took 17 minutes.  The really crazy part was that there was now a line stretching as far as the eye could see with people waiting to undergo the same gestapo security.  Between the time that the screeners showed up and the gate opened, and the time that the plane was actually ready to push back from the gate was nearly 3 hours.  Of course, this meant that we were really late.  The announcement from the captain was that of course due to increased security many people would miss their connections and United would do its best to re-book or ask flights to "wait on us".  Given that we had a connecting flight from Washington Dulles to Chicago O'Hare with only a 1 hour layover I wasn't holding my breath to make it home.

Surprisingly though we touched down with an hour left before my next flight was to take off, one gate over from where we had landed (we landed at C7, we took off from C5 in 60 minutes).  This is where the real adventure began... and underscores why I think everyone at the TSA should be strung up then fired.

The landing was as expected with the "nothing on your lap" rule 1hr before landing.  Oddly enough, I kept my iPod on, and kept reading my magazine and none of the flight attendants were around (because they were sitting, haha) to say or do anything.  How effective is this rule?  Hint: not at all.  I actually feel bad for those folks who have kids who have to go to the restroom in the last hour of flight because now you have to figure out a way to not only immobilize your kid with nothing to keep them occupied (you know, in case your 7yo is mixing a chemical bomb in their lap...) but keep them from having to go potty (good luck!)... Clearly none of the twits running the TSA have ever traveled internationally with children or they simply don't have the sense to care.  Either way - this is a massive failure... shocking.

After we landed we were herded off the plane, into US Customs (which was a surprisingly long, yet refreshingly fast-paced line) where the agent was polite, smiling and generally well mannered.  It gave me hope that the rest of the trip wouldn't suck.  Enter the TSA rules again.

Apparently when my checked and screened baggage got off the plane I was forced to pick it up, take it 15' into a "baggage re-check" (please, someone explain this idiocy to me!) and then go through security screening again.  You think the half-wits at Schiphol were tight on security... the nice TSA monkeys once again dug through everything as if I was traveling from Yemen and shouting anti-American propaganda ... my camera was apparently a weapon?  Oh, no wait, that was my monopod ... right - that could be used to poke someone I guess?  Again, morons.  Whiskey Tango Foxtrot.

FINALLY getting back on a plane and bound for home the ordeal was over... I hope never to go through that stupidity again; sadly I sense my request will be short-lived.

Now, after that harrowing experience I have plenty to say.

  1. What purpose does the "sit down and nothing in your lap for the last hour of flight" rule serve?  We all know this is at best a knee-jerk reaction by the monkeys at the TSA to appear as if they are doing something real to combat a threat that is unlikely to manifest itself in the same manner twice.  As far as I can tell this is just going to annoy legitimate passengers, and not deter any would-be bad guys from doing anything evil.  I think a better deterrent would be to keep re-airing that interview with the guy who tackled and beat the snot out of the would-be bomber ...that was a hero who actually contributed to security.
  2. Why don't we have those full-body screening machines at every airport?  That is a civil liberties trespass I, and I'm sure many of you, am willing to take to make sure some jackass doesn't try and light his balls on fire on my flight.  We bitch about real security being at the level of stupidity yet we're unwilling to allow for something that makes sense in?  I'm sensing this is all political - but I promise you that the next election if you didn't vote for the full-body screening machines, I'm not voting for you.
  3. Let's do a comparative study of the US TSA against any of the EU security groups.  I especially was impressed with Germany's security at Frankfurt airport.  They were all professional, were dressed in shirt/tie and looked official.  They didn't walk around talking about who was going on break next and what their evening plans were ...rather, they were there, polite and professional.  TSA take note: if you hire people who couldn't even get a GED and pay them minimum wage they'll behave like McDonalds workers and won't really be effective.
  4. Training... there's something I could write an entire blog post on.  The TSA isn't even smart enough to understand PDF redaction let alone how to actually effectively train their staff.  I'll revert to the point above in bold about minimum-wage drones.
Before this post gets too long, I'll just finish up by saying that we here in the USA are woefully behind.  To quote some anonymous gentleman who was sitting next to my wife and I ..."Europe hires security based on merit, while you Americans hire based on affirmative action, what do you expect?"... yikes.

Do I sound angry?  Goddamn right I'm angry.  I'm living in the greatest country on the face of the earth and we're light-years behind Europe in real security.  I loathe the TSA and everything they've done.  I don't believe we're one teensy bit safer than we were before the tragedies of 9/11.  I strongly feel that in spite of all the rules, rhetoric, and millions of dollars that have been spent we're just as blind to real threats as we have ever been... except now we're pissing off passengers and deterring good people from coming into the US.

Mr. Obama ... I'm still waiting for that "change I can believe in" ... so please FIRE THE TSA and appoint someone competent.

Saturday, December 19, 2009

Adobe Flash 10 ... now with McAfee?

I went to update my Flash Player today (manually) on one of my VMs and noticed that this new "option" stuck out at me...

Now, not being one to turn down a free security feature I wanted to read on.  Clicking the "Learn more" option takes you to the "LiteApps" McAfee site which has this to say about the "McAfee Security Scan":

"McAfee Security Scan is a free tool that automatically checks and reports if your PC is protected. Your PC's security status is determined by the state of your anti-virus and firewall protection. Your security software may be switched off or become out of date without you realizing. Or, you may not have security software installed on your PC. McAfee Security Scan lets you know if your PC is at risk and what you can do to protect it. Feel confident knowing that McAfee works behind the scenes to protect you by automatically starting the scan every week so that you are kept informed if your PC's security changes."

That's kinda cool right?  Maybe Adobe has gotten so much pressure not only from us in the security community but also from end-users that are sick of their machines being trojaned and rooted from terribly-coded Adobe software - that they are now partnering with McAfee (now, granted McAfee isn't exactly a good A/M engine) to give you the courtesy scan to let you know how badly you've been rooted before applying the latest in a round of never-ending bug fixes...

Hey Adobe ... how about you guys just write slightly less crappy "everyone's gotta have it" software, and we'll all sleep better... just sayin'

As for me, I'm going to skip the free anti-virus scan and just uninstall Flash.

Thursday, December 17, 2009

*facepalm* - US Drone Communications Intercepted in Iraq

In a story that sounds like it belongs in a 007 spy novel, it appears as though some very enterprising Iraqis (no doubt backed by their Iranian, anti-US friends) have figured out that the Predator UAVs (Unmanned Aerial Vehicles) that strike fear into the hearts of insurgents everywhere transmit their video feeds over a semi-sophisticated satellite network.  That video feed can be leeched off the transmitting satellites with a $26 piece of Russian pirate software.  I will pause a moment while you gasp and re-read that...

.....

This bodes well for their efforts to evade detection, air strike or death by simply using some Russian-made (there's a shock) satellite-intercepting software called "SkyGrabber".  A quick blurb from the SkyGrabber site has this to say:
"The satellite transmits data all users in one stream. The data are accepted by all who are in the satellite coverage area. In fact, you can set up your satellite dish on this satellite and we'll receive the data, which is produced by other users.
But you say, well, well, we get the data, but how do we get the files that other users are downloading? The SkyGrabber can do it. The program intercepts data of other users, assemble in files and saves files in your hard drive. SkyGrabber makes your life more exciting and interesting." 
More exciting and interesting indeed!  What a brilliant (mis)use of technology right?  While this is a pretty cool way to get, as the site says, "free movies and softwares", the software isn't the story.

News flash: US government is not encrypting military critical communications!  What does that say about our military's ability?  Not a whole hell of a lot if you ask me.  What amazes me is this quote from the WSJ article...

U.S. military personnel in Iraq discovered the problem late last year when they apprehended a Shiite militant whose laptop contained files of intercepted drone video feeds. In July, the U.S. military found pirated drone video feeds on other militant laptops, leading some officials to conclude that militant groups trained and funded by Iran were regularly intercepting feeds.
In the summer 2009 incident, the military found "days and days and hours and hours of proof" that the feeds were being intercepted and shared with multiple extremist groups, the person said. "It is part of their kit now."

That just blows my mind.  I've always figured our military wasn't the most brilliant at using digital-age technology, but this simply takes the cake.  How do smart, military-trained people figure that using non-encrypted communications is a good idea?  Was it a cost-savings?  Did someone do the risk-analysis on this one and say "Well, it's not critical communications data that will put our troops at risk, so the extra $50 on encryption is unjustified" ... Sadly I suspect so.

What I do find mildly sensational and amusing is the "shadow cyber-war" claim that everyone in the media seems to be taking up.  What does that even MEAN?!  This isn't a cyber-war tactic, not that the term itself has any meaning at this point that anyone comprehends (except for RSnake...) but this is simple military espionage, nay, simple surveillance!  This has nothing to do with any silly cyber-war ... it's an amazingly stupid lack of intellect on the US Military part, and an ingenious use of pirate software on the insurgents.

Wake up people... this is not an "escalating shadow cyber war" and anyone who says that should be beaten with their words.  Maybe the military should send their communications geniuses to some basic risk-analysis training? ...or just call 007, he'll know what to do.

Friday, December 11, 2009

"Locking" Touch Screen Devices

Do you have a touch-screen device like an iPhone, Android-based phone, or one of the others that require you to use your finger?

If so, do this for me.  Take out the device, and don't power it on yet or touch the screen.  Hold it up against the light so you can see the smudges and fingerprints on the screen's surface.

Now think about it for a second.

Odds are, if you're like me, what you're looking at is a concentration of fingerprint "marks" on the buttons you most commonly press.  If you're like me and have an iPhone that has a PIN set on it you turn it on/off a few dozen times a day or more right?  Over the course of a full day those fingerprints are pretty well established on the buttons that make up your PIN.  This presents a problem.

Covering specifically the Apple iPhone I've done some digging and Google'ing and found a few manufacturers that sell "fingerprint resistant" screen protectors, but I've tried a few both off eBay and some bought at the Apple Store and none of them actually resist fingerprints that well.  Not well enough, anyway.

The issue comes down to the way that the iPhone's security is set up.  Clearly it's not meant to be a high-security device, as it's a "toy" by nature.  My wife's T-Mobile G1 touch-screen device is a little different and you can tell the HTC (manufacturer of the device) engineers actually tried to think things through.  First, it's not just buttons you press but a multi-point swipe you make with your finger on the G1.  It's like a big connect-the-dots game where you don't pick up your finger just connect a few dots ... that's your "PIN".  This is significantly more difficult to find patterns in since you're effectively creating smudges (lines) when you input your PIN.

While HTC's way is clearly better, at least to me it seems that way, both have the flaw that they pick up grease from our fingers and leave it there for someone who wants to get into your device to follow.  You don't even need fingerprint dust, or Krazy Glue (see fume trick the CSIs do on TV) ... you just have to hold your device up to the light at a certain angle and guess the password.  With there being typically a 4-digit PIN on devices like the iPhone it's not hard to figure out the combination when the total space is 256 combinations!  Throw in a little TV CSI magic and you can probably get it in a few tries.
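To put a number on how much a smudged keypad gives away, here is an added example (my own calculation, not code from the original post). It assumes a 10-key numeric keypad and a 4-digit PIN, and that a key shows a smudge only if it was pressed. It counts the PINs that can be built from the smudged keys alone (4 smudged keys give 4^4 = 256, the figure used above) and, more tightly, the PINs that press every smudged key at least once, counted by inclusion-exclusion and cross-checked by brute force. The point for a defender is how far the 10,000-PIN search space collapses once the pressed keys are visible, which is why wiping the screen matters.

```python
from itertools import product
from math import comb, log2

KEYPAD_SIZE = 10  # assumption: 0-9 numeric keypad, as on an iPhone PIN lock
PIN_LENGTH = 4    # assumption: 4-digit PIN, as discussed above


def total_pins(pin_length=PIN_LENGTH, keypad_size=KEYPAD_SIZE):
    """Size of the full PIN space with no information leaked: 10^4 = 10,000."""
    return keypad_size ** pin_length


def pins_over_smudged_keys(num_smudged, pin_length=PIN_LENGTH):
    """PINs whose digits all come from the smudged keys (repeats allowed).
    With 4 smudged keys this is 4^4 = 256, the figure quoted in the post."""
    return num_smudged ** pin_length


def pins_using_all_smudged_keys(num_smudged, pin_length=PIN_LENGTH):
    """PINs that use every smudged key at least once (a key is only smudged
    if it was pressed).  This is the number of surjections from pin_length
    positions onto num_smudged keys, computed by inclusion-exclusion:
    sum_j (-1)^j * C(k, j) * (k - j)^n."""
    k = num_smudged
    if k == 0 or k > pin_length:
        return 0
    return sum((-1) ** j * comb(k, j) * (k - j) ** pin_length for j in range(k + 1))


def brute_force_count(smudged_keys, pin_length=PIN_LENGTH, require_all=True,
                      keypad_size=KEYPAD_SIZE):
    """Independent cross-check of the closed-form counts by enumerating
    every PIN and keeping those consistent with the observed smudges."""
    keys = set(smudged_keys)
    count = 0
    for pin in product(range(keypad_size), repeat=pin_length):
        used = set(pin)
        if used == keys if require_all else used <= keys:
            count += 1
    return count


def residual_bits(candidate_count):
    """Entropy (bits) left in the PIN once the candidate set is this small."""
    return log2(candidate_count)


if __name__ == "__main__":
    # Constructed sample observation: four smudged keys on the keypad.
    smudges = {1, 5, 9, 0}
    print("full PIN space:", total_pins())
    print("PINs over the smudged keys only:", pins_over_smudged_keys(len(smudges)))
    print("PINs pressing every smudged key:", pins_using_all_smudged_keys(len(smudges)))
    print("brute-force cross-check:", brute_force_count(smudges))
    # How the candidate set shrinks as fewer distinct keys are smudged
    # (fewer smudges means the PIN repeats digits).
    for k in range(1, PIN_LENGTH + 1):
        n = pins_using_all_smudged_keys(k)
        print(f"{k} distinct smudged keys -> {n} candidate PINs "
              f"({residual_bits(n):.1f} bits left of {residual_bits(total_pins()):.1f})")
```

Reading the output: four distinct smudges leave at most 256 candidates if digits may repeat, and only 24 (the orderings of those four keys) under the stricter assumption that each smudge means a press. Either way the 13.3 bits of a random 4-digit PIN drop to under 8, which is the whole reason the smudge pattern is worth wiping.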

The advice then?  When you are using your device WIPE OFF YOUR FINGERPRINT MARKS!  It's a simple, easy way to protect your device from being victimized when you're not looking.

Good luck!

Tuesday, December 8, 2009

Smoking doctors vs PC users

You know, I get one of these Greg House moments every once in a while, and this time it just happened to be when a friend on Twitter (@falconsview) brought up an interesting question... the train of thought went something like this:

...
ME: Looking down from doctor's office at a bunch of doctors at the back entrance of the hotel ... smoking.
@andrewsmhay: "ah, but at least they know, and accept, the risk (as stupid a risk as it is)."
@falconsview: "can you actually say that people "know the risk"? I mean, really? people tend to be v bad at estimating risks..."
...

We proceeded to poke fun at doctors and how they probably get a discount on cancer treatments and other rather tasteless things ... but this stuck with me.

As I was sitting in traffic on the way home I thought to myself ... "self ... you know this could really apply to the user categories in my previous post!" ...

How many people think they understand the risks of what they're doing when they use their computers in an unsafe manner, yet in reality have no idea how big the risks they're taking are?

For example, a very close personal friend of mine does all her life on her laptop - yet when asked why she doesn't back up her response is "it's no big deal ...".  This demonstrates a clear lack of understanding of the risks of the digital age.

Think about it this way, everyone that you know that has a computer, especially those that are not-so-tech-savvy probably thinks they have some clue on how to be safe.  They may even think they understand what it means when all those pop-ups asking them to make system changes pop up.  They may even fool themselves into thinking that they understand what's going on with their computer ...the reality is 99.999% of them don't.  I'd be willing to make a wager on that.

The solution?  Maybe Best Buy and the other PC stores should sell a free 1hr "class" with each computer.  This class would illustrate the risks of using the PC, and how to minimize un-necessary risks maybe?

Oh ... that's right.  Never mind, that'll never happen.  Why?  Because as long as "Geek Squad" exists it is in the best interest of the big electronics stores to have you buying, screwing up your PC, and coming back to get it "fixed" by one of these chuckle-monkeys.  Sad huh?

So those doctors that were smoking ... I'm sure they understood what they were doing is stupid, and to what degree it is stupid - but are they mentally comprehending the risks?  Like the users ... probably not.

Thursday, December 3, 2009

Exposing Malware - Part 2: Infestation

A little while ago I wrote part 1 of this series on malware, focusing on its insane efficiency ... and since that time I've had some more time to do additional research and play with a few more "code samples" which continue to baffle and amaze, so I'm writing this second part of the series on "infestation".

The semantic issue here is critical to the post - this isn't necessarily an article about infection but really about infestation of connected computing devices by what can only be described, collectively, as malware.  Malware in this definition is essentially the collection of traditional viruses, trojan horses, worms, ad-ware, scare-ware, crime-ware, ransom-ware and everything else ... did I miss a catchy buzzword?

Anyway, the rate at which a connected computing device gets over-run by malicious software is incredible.  Recent statistics I've heard peg the average compromise time of a non-protected workstation on the open Internet at around 8 minutes.  This was 2+ years ago that this metric was measured ... I'm confident it's even less time now.  These types of time-to-compromise studies are interesting because they serve to illustrate the sheer volume of evil circulating the Internet.  I've thought about the vectors for compromise (or over-run if you like) and have classified them into 5 categories:
  1. Self-Inflicted-Accidental
  2. Self-Inflicted-Ignorant
  3. Unattended-Circumstantial
  4. Targeted
  5. Delivered
I think these five (5) categories can be applied to all infections/infestations and each have unique qualities ...so let me dive into them here.


  • Self-Inflicted-Accidental
 While many people "do it to themselves" I firmly believe there is a segment of the Internet-using population that simply hasn't gotten the memo yet.  The Internet is a nasty, hostile, and vile place boys and girls.  This is easily dismissed as the naive crowd, those that just haven't been awakened to the stark reality of interconnectedness.  I will grant you this- this group shrinks faster than new members are added ... with education everywhere, and security-aware individuals (much like you reading this) beating the drums it's tough to be naive for very long, unless you operate your brand new computing device in a cave ... but that brings up other issues!

  The problem here with this group is that they are too trusting.  They're like your grandparents, who trust the maid who's "so nice" but is cleaning them out of every piece of valuable in the house.  They will be shocked when they find out they've been infested; then they will become educated (and some become jaded) and their outlook changes and they fall out of the group.

Impact: sadly, when these folks get hit, it's epic
Remedy: Either more education, or simply let them get whacked


  • Self-Inflicted-Ignorant
 This is the other self-inflicted group.  Unfortunately, I feel no sympathy for these folks that get infested.  They've been warned, maybe they've even gotten whacked before - but like the kid who keeps sticking his finger in the fire they just don't learn.  The really unfortunate thing here is that a vast majority of these folks feel like they're entitled to be compensated for the pain they self-inflict with their ignorance.  They'll likely get infested, have their banking credentials or credit card info swiped and money stolen then demand that their banks fix it.  Even more insane are the banks and institutions (primarily in the financial industry) who continue to foster this type of behavior.  Now, I understand there is a fine, very blurry line between being compromised where you can do nothing about it, and being just ignorant ... but if you're getting whacked repeatedly there has to be some accountability.

  I've met many threat-ignorant people in my years in IT and I'm certain you have too.  In fact, many of you chuckle as you read this because it's either your manager, your CEO, your parent, spouse or in-laws that drop into this category.  I'm sorry in advance for saying it but ... these folks should have their Internet-usage ability revoked.

  I just don't understand how people can be so ignorant and keep at it.  Maybe it's our fault (I say our and mean collectively the business & IT world) for allowing them to be this way.  Maybe we're not giving them enough responsibility for their own actions (or non-actions)?  I mean, look ... if you have a gun you have to be licensed to use it right?  ...and you're responsible if you cause yourself or someone else harm?  I know Internet access doesn't require a license or certification but maybe it should?  Maybe you should have to take a "basic certification" to get an IPv6 IP address (if that ever happens...)  I don't quite have the logistics worked out but there absolutely MUST be some accountability here ... we as an industry group must find a way to educate and drive out ignorance from the connected masses.

Impact: Epic fail ... made worse by the coddling currently coming from financial services industry
Remedy: Education and accountability ...or something!


  • Unattended-Circumstantial
  This category of infestations just happens by circumstance.  Picture a computing device Internet-connected just sitting there humming away serving up web pages, widgets or data.  Along comes a malicious agent ...doesn't matter whether it's a human being or a script - only that an infestation happens.  My favorite example in this category is the kiosk at the airport or hotels.  These are unwilling participants set in place by people who for whatever reason haven't fortified them enough against malicious intent.  Getting infested like this is painful because there is often someone to blame - but it's hard to point the finger.  Computing devices are connected to the Internet every minute of every day ... many of them for no good reason.  These devices are constantly getting infested in spite of any kind of "anti-virus protection" that is placed on them, and as worms and other automated attack vectors advance this problem is going to get worse!

  Look around, I am willing to bet you can name at least 5 connected devices within arm's reach right where you are this minute.  Whether it's a refrigerator, a video gaming console, your mobile phone, laptop, DVR or even television, everything is becoming connected and too often there is no thought given to answering the "what if this thing gets infested?" question.

  What would you do if you woke up tomorrow morning only to find that your Internet-connected DVR has suddenly been taken over?  The warranty may or may not cover this problem because technically it's not a manufacturer's defect, right?  There is no broken hardware, no smoking hard disk or sparking internals - only a malicious piece of software now embedded inside the device that randomly deletes your favorite unwatched shows, and orders adult material when you're not around.  What do you do!?

Impact: Everything from mischief to malice to catastrophic failure.  If your refrigerator becomes infested with malware and malfunctions, that's one thing, but if your car's on-board computer suddenly shuts down your car in the center lane on your way home at 65mph - that's an entirely different issue.  It could happen, soon.
Remedy:  I honestly don't have an answer to this.  Better SDL-integrated security is the only answer here that even makes sense as many of these devices and infestations are outside the realm of reasonable responsibility of not only the owners but even the operators!


  • Targeted
  Sometimes, you're just screwed.  We in information security have long told audiences, businesses and managers that if you are targeted for an attack there is very little you can do to "be safe".  Attackers have a way of getting their way.  This works the exact same way with malicious software and infection/infestation.  If someone writes a purpose-built piece of code that attacks users of AT&T broadband (as if we don't have enough problems with our carrier) who run Windows Vista (again...why? isn't this situation enough pain in itself?) and use a specific social media application (a la Facebook), I have news for you - they're going to win.  It's like the Canadian Mounties ... they'll get their man/woman/target.

  My main take on this specific segment of the problem is this - if you're worrying about this infestation type that to me means you've solved the other 3 previous ones (above) and I want to know how you did it.

Impact: Whatever the bad guys want.  Generally the impact isn't "catastrophic failure" ... and the less you notice the impact, the better for the bad guys.
Remedy: Stop worrying about this one, you're not going to solve this problem.


  • Delivered
  Finally we come to the "delivered" infestation type.  This type of infestation is very similar to the targeted type - except that the delivery mechanism is generally someone else's.  To elaborate further, it's easier to just give an example.  Say you're a user of Twitter (and I know you are), and you use TweetDeck.  Now, in its own right, TweetDeck isn't a malicious piece of software ... I hope.  Now, if someone compromises the TweetDeck update system and you get a notification next time you fire up your client that an update is available, you click OK ...it's not your fault that you were just delivered a piece of malware and are now infested!  There are no ignorant actions on your part, and you're not naive, because you're using reasonably trusted software which is being used as the delivery mechanism for malware.

  Again, just as in the previous example, there are very few things you can do to avoid being infested in this situation.  You can't review every application you use manually, and it's unrealistic to think that you're not going to load up any 3rd party tools or software on your computing devices.  Again ...welcome to screwed-ville.  Take a number, get a seat and wait to be re-imaged.

Impact: As with targeted infestation ... this can be anything from annoyance to identity theft and digital impersonation!
Remedy: ... hrmm.... I'll let you know if I figure this one out.  I'm open to suggestions!

---
  There you have it, infestation by malware is ugly.  Sometimes you can prevent it, many times you can't.  The results are incredibly diverse and range from your search results being compromised and "swapped out" for someone else's targeted results, to identity theft and impersonation, to catastrophic failure.  Problem is ... out of these 5 types we're only realistically able to do something about 2 or so of them.

  What do you think?