I’m at McAfee Focus this week and at the core of the keynote address is the very real idea that the world is a very scary place.
According to the address, the World Economic Forum has concluded that cyber attacks represent the greatest economic threat in the world today. What has changed is that it used to be hard for attackers to find information once an attacker broke in. Not anymore. Now malware is created from code libraries in line with top enterprise applications, which are designed to help employees to make decisions. In short, malware is often better than the big data analytics programs that have been legitimately deployed. Or attackers likely have better access to your information than you do these days.
An example was provided in the form of the successful High Roller bank user attack, which started with a transaction monitor secretly installed inside a company that monitors and reports user activity to target those moving the most cash. They then target the browser. They capture the targeted user ID and password, then pass the user through their hardware and capture any challenge questions. From here, they transfer cash while showing you a hijacked session showing a balance without their theft to buy time so the transaction can’t be reversed in time. This actual attack resulted in the fourth-largest bank robbery ever.
This very successful attack, and others like it, are what has resulted in enterprises and governments going to a war-like footing for cyber defense.
Funny that I just got Gartner’s top 10 trends and either they missed a meeting (because they don’t include this malware trend) or we are truly screwed. (I’m hoping they missed a meeting).
McAfee’s CTO showcased a proof of concept tool that worked on most hardware and then demonstrated it working on every major platform. On a Windows 7 PC, it could corrupt a file while you were using it to corrupt the boot record, and remotely wipe a Windows PC. They then brought out a Mac and faked an update that would run even though the user wasn’t an administrator. The end result was a fully bricked and unusable PC that would need a firmware flash to work. With Android, they actually cooked the device by creating a loop that fried the hardware, destroying it. What was interesting was that Windows 7 actually did the best. When they got to the hardware-assisted protection, currently only available on Windows Intel boxes, they demonstrated that it wouldn’t work on Windows 8. I think they unintentionally provided the strongest business reason to move to Windows 8 and avoid Apple and Google until they address this exposure.
The interesting part of these demonstrations was that the attacks were all done while the user was using the machine but the damage generally occurred when they had left their desk. The most catastrophic was the Android example, because that showcased an attack that would literally destroy the machine by overheating it. Overheating has other potential safety issues depending on how well protected the lithium-ion battery is in the device and whether the device is near flammable materials.
In addition, it showcased that without a significant hardware element, almost any application could become a malware enabler. What was exploited often wasn’t an OS vulnerability but one in an otherwise trusted third-party application that could and would make it through the vetting process in even the best-curated application stores. The testing process in the stores looks for apps that are malware, not for apps that are vulnerable to malware, suggesting a two-pronged attack, first giving away a compelling app with intentional vulnerabilities, then attacking through those vulnerabilities.
When you tie the two elements together, you get enterprise malware that can identify who in a corporation has the most access, then targets these people with free compelling apps that contain secret vulnerabilities in order to steal their access rights and use them in a hostile way. Or, you get the potential for a mass attack that can either reformat most of the PCs and tablets in a company (Windows), or brick them (Apple) or cook them (Google). All of which would pretty much shut the company or corporation down.
It’s not even Halloween and I’m suddenly scared half to death.
Wrapping Up: Looking Forward
The keynote closed with a ray of hope. Governments and corporations are raising security efforts and coordinating them to provide faster identification and response. In addition, security vendors are coordinating and cooperating to address global threats. Both Intel and McAfee plan to be at the center of this effort and are currently unmatched.
While you’d typically write much of this off as vendor grandstanding given the DOD presentation of a few weeks back that flagged the coming 9/11 anticipated cyber attack, this all showcases that while a lot of firms and government groups are taking this seriously, those that aren’t will likely be at ground zero of the anticipated attack either wondering where their assets went or why all of their client devices are either no longer functioning or smoking ominously. I’m also thinking that the job I wouldn’t want to have right now is that of CSO, because I doubt anyone is funding this adequately given the potential exposure.