How To Fight The Cloud?

Once word hit our office of the upcoming Google Wave, we saw renewed interest in leveraging such collaboration tools, which means we have to again evaluate our stance against putting our intellectual property ‘in the cloud.’ (I really hate that term)

Putting information in the cloud means relinquishing control of that document to whatever provider is hosting the application as a service. Our business can basically be boiled down to “information provider” (I work for an architecture firm). A large chunk of what we sell is information in the form of computer-generated drawings, schematics, pictures, animated fly-throughs, etc.

Therefore our information, our intellectual property, is our life-blood. If we lose control of it and the competition gets it, we’re dead in the water. We can’t compete for jobs if the competition knows what we plan to propose and how much we plan to charge. A huge part of competing for a job in our architecture niche is being able to deliver something so unique that it blows away the competition. Therefore securing our information is very important to us.

The future of collaboration obviously lies in the cloud. We’ve been able to resist so far, but I don’t expect that to last.

So I’m posing a question to both readers of this blog ;)

How do you deal with the risks of putting intellectual property in the cloud?

When Blackberries Become Carriers

While this will be obvious to many, it still bears mentioning: Blackberries and other smart-phones can be carriers for worms and viruses when USB storage is enabled.

I ran into a case earlier this week. Our HIPS software was alerting to an auto-run virus on an IT staffer’s F drive, which usually indicates a USB drive. When asked about it, he indicated the only thing he used was his Blackberry. He had a micro SD card installed and used it to move pictures and movies between computers.

Explorer in Windows wouldn’t display the autorun.inf nor the virus executable so I plugged the Blackberry into my Mac, which showed both files. VirusTotal.com verified the executable as a virus and we manually removed it and he’s now going through all of his computers to find out which ones have the virus.

Our primary antivirus software didn’t detect the virus at all. Luckily the supplemental AV in our HIPS software triggered on the autorun.inf and prevented execution of the virus executable. We implemented strict rules regarding auto running anything from a USB drive after Conficker. Since then, the HIPS software does its own scan of the entire USB drive before permitting access to it, including access by the primary AV software. So far this has protected us significantly, because the primary AV rarely flags the autorun.inf files, but the supplemental does.

Another win for defense in depth.
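Listing a removable volume from a script rather than from Explorer, as an added example that is not code from the original post: a directory check from Python sees files whatever their hidden or system attributes, and the parser below reports which programs an autorun.inf would launch. The autorun.inf content is constructed, and the function names and the `RECYCLER\setup.exe` path are this example's own assumptions, not details from the incident.

```python
import os
import re

PROGRAM_KEYS = ("open", "shellexecute")                   # keys that name a program to run
SHELL_COMMAND = re.compile(r"^shell\\[^\\]+\\command$")  # shell\<verb>\command= also runs one

# Constructed sample autorun.inf, not the file from the incident in the post.
SAMPLE_AUTORUN = """[autorun]
open=RECYCLER\\setup.exe
shell\\open\\command="RECYCLER\\setup.exe" /silent
icon=%SystemRoot%\\system32\\shell32.dll,4
\x00\x01 padding bytes that are not a key, ignored just as Windows ignores them
"""

def parse_autorun(text):
    """Return the [autorun] section as {lower-cased key: value}; comments and junk lines are skipped."""
    entries, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
        elif in_section and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries

def executable_of(value):
    """Drop arguments from a command value, honouring a double-quoted path."""
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end] if end > 0 else value[1:]
    return value.split()[0] if value.split() else ""

def referenced_programs(entries):
    """Programs the file would launch via open=, shellexecute= or shell\\<verb>\\command=."""
    progs = {executable_of(v) for k, v in entries.items()
             if k in PROGRAM_KEYS or SHELL_COMMAND.match(k)}
    return sorted(p for p in progs if p)

def inspect_volume(root):
    """For a mounted volume, return (program, exists on volume) for each autorun target."""
    path = os.path.join(root, "autorun.inf")
    if not os.path.isfile(path):
        return []
    with open(path, encoding="latin-1") as fh:  # INF is ANSI text; latin-1 never fails on junk
        entries = parse_autorun(fh.read())
    return [(p, os.path.isfile(os.path.join(root, *p.split("\\"))))
            for p in referenced_programs(entries)]
```

Run `inspect_volume` against the mount point of the card (for example `E:\` or `/Volumes/NO NAME`) to see what would have been executed and whether the target file is actually present on the volume.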

Conficker Hits French MoD

The conficker/downadup worm has impacted the French Ministry of Defense, according to an article posted by The Telegraph. According to the article:

…aircraft were unable to download their flight plans after databases were infected by a Microsoft virus they had already been warned about several months beforehand.

At one point French naval staff were also instructed not to even open their computers.

Like the recent compromise of the British MoD, the compromise of the French MoD appears to have been isolated to the unclassified network called Intramar. Coincidentally it was the navy that has reportedly been compromised in both cases.

It’s still being questioned whether or not aircraft were grounded by the worm. However, the fact that the worm impacted the MoD is not in question and that illustrates the risk of having weapons systems interconnected with the Internet.

To my knowledge the botnet created by conficker/downadup hasn’t been put into action yet. However, the fact that it now has two major trophies, the French and the British Ministries of Defense, is certainly worth pondering. The propagation methods this worm uses have proven to be very effective.

Conficker FUD?

Conficker, aka Downadup, is gaining popularity among the non-techy news sites. Today I ran across this article on Rawstory.com. In it, David Perry of Trend Micro is quoted as saying “Downadup uses brute force from the infected network of botnets to break the password of the machine being attacked”.

To my knowledge that isn’t how the worm works, but please correct me if I’m wrong. According to everything I’ve read, a single instance of the worm will indeed try to “brute force” passwords but it isn’t a distributed effort spread across portions of the botnet. In none of the following evaluations of conficker is ‘distributed brute forcing’ mentioned:

Trend Micro (fails to even mention the password-guessing aspect)
Symantec
Sophos
F-Secure
McAfee
Panda (added to my list 1/23/09)

Not to mention the fact that the total number of passwords hardwired into the worm is 184, which is minuscule when compared to Cotse’s “all-words” list of 53,082. The smaller number of passwords was certainly intentional to keep the code lean and mean and doesn’t lend itself to distributed brute force.

The author of the story also states that “A troubling aspect of Conficker is that it harnesses computing power of a botnet to crack passwords.” That, according to everything I’ve read, is false. Conficker does not crack passwords; it guesses them from a small list of “weak” passwords. Something like L0phtcrack built into a worm would indeed be new and certainly nasty, but what conficker is doing isn’t anywhere near what L0phtcrack does…

Can anyone validate Mr. Perry’s statement?
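The distinction the post draws, one infected host working through a short fixed list versus a botnet dividing the work, shows up in authentication logs. The following is an added example, not code from the post: it scores constructed failed-logon records per target host and labels a burst “single-source” or “distributed”; the thresholds, host names and record layout are assumptions of this example.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed failed-logon records (timestamp, source host, target host, account), modelled
# on what a file server's security log records for failed network logons. Not real data.
BASE = datetime(2009, 1, 23, 9, 0, 0)
SAMPLE = (
    # one infected workstation working through a short password list against fs01
    [(BASE + timedelta(seconds=2 * i), "ws-17", "fs01", "Administrator") for i in range(30)]
    # the same number of failures against fs02, but spread across thirty sources
    + [(BASE + timedelta(seconds=2 * i), f"ws-{100 + i}", "fs02", "Administrator") for i in range(30)]
    # a single mistyped password ten minutes later, which should not be reported
    + [(BASE + timedelta(minutes=10), "ws-03", "fs01", "jdoe")]
)

def classify_guessing(records, window=timedelta(minutes=5), min_failures=20):
    """Find targets with >= min_failures failed logons inside a sliding window and
    label the burst 'single-source' (one source supplies most of it, the pattern of a
    lone infected host with a fixed list) or 'distributed' (spread over many sources).
    Returns {target: (pattern, failures in the burst, distinct sources)}."""
    by_target = defaultdict(list)
    for ts, src, dst, _account in records:
        by_target[dst].append((ts, src))
    findings = {}
    for dst, events in by_target.items():
        events.sort()
        best, start = [], 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            if end - start + 1 > len(best):
                best = events[start:end + 1]
        if len(best) < min_failures:
            continue
        sources = Counter(src for _, src in best)
        top_share = sources.most_common(1)[0][1] / len(best)
        pattern = "single-source" if top_share >= 0.8 else "distributed"
        findings[dst] = (pattern, len(best), len(sources))
    return findings

if __name__ == "__main__":
    for target, (pattern, n, srcs) in classify_guessing(SAMPLE).items():
        print(f"{target}: {n} failures from {srcs} source(s) -> {pattern} guessing")
```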

Worms are an effective weapon in cyber warfare

CIO.com has an article about a ‘rapidly spreading virus’ that is giving the UK Ministry of Defense a run for its money.

First, viruses don’t spread on the network; worms spread on the network, and a virus can be their payload.

Semantic arguments aside, the story demonstrates just how effective a worm can still be, especially in cyber warfare. Not only do you have the direct impact of the worm, delivery of the payload, but you also have secondary effects: network and host congestion, and the potential over-reaction by IT groups, who simply shut off machines to avoid compromise. According to a Ministry of Defence spokeswoman:

“The reason why so many people are without their computers is because we’ve turned them off rather than they’ve been wiped or destroyed by this virus”

Without knowing what this particular bug is and what it does, shutting down systems may very well be a solid defense, but that doesn’t change the fact that the network wasn’t well prepared for a worm outbreak. The best defense against a network worm is defense in depth, but it doesn’t have to be complicated. In fact I would argue that it shouldn’t be much more complicated than:

  1. Patch management
  2. Network segmentation
  3. IPS and AV protection at segment links
  4. HIPS protection on critical hosts and AV protection on *all* hosts
  5. Established incident response

But I digress.

As I stated previously; targeting military networks can have far reaching, even strategic gains:

Crippling the network of a carrier group would be a punch to the solar plexus, which would allow for a follow-up attack, such as a swarm attack or suicide attack by aircraft and small watercraft. The combination of the two less-conventional and relatively inexpensive attack methods stands a good chance of forcing the carrier group to disengage until they can repair damage, replace assets, and restore their data network. This kind of ‘more bang for your buck’ is one of the key advantages of cyber warfare.

Note that neutralizing a carrier group borders on strategic, as these are key assets in any expeditionary force of modern warfare.

Wouldn’t you know it, the rumor mill suggests BBC confirms that the HMS Ark Royal, an Invincible-class light aircraft carrier, was or still is affected. I guess their network isn’t invincible-class.

The fact that the worm spread through multiple networks and ultimately ended up on the carrier’s network demonstrates the potential a worm has for damage simply through the Achilles’ heel of interconnected systems: their very connectedness.

If this is in fact the conficker worm and not some one-off, custom job cooked up by someone intentionally targeting the MoD, I’d expect some heads to roll. It would be extremely disappointing to learn that a garden-variety* worm targeting a three month old vulnerability whipped some MoD ass.

*Conficker is neither exceptional nor cutting edge as worms go. In fact, the core vulnerability that conficker targets resides in the Windows Server service, which has been known to be vulnerable since at least 2006, and RPC attacks enjoy an even longer history. Given the core role Windows’ Server service and RPC play in networking Windows machines, any shop deploying it as an infrastructure should protect both at all costs.

Update:

According to the BBC, as of 1/20/09, this is still affecting the MoD and it has affected 70 sites. What’s interesting is the statement that it’s successfully redirected email traffic to email servers in Russia:

Conservative MP Mark Pritchard said he had been told by one defence official that e-mail traffic from some RAF stations had been re-directed to a Russian internet server as a result of the virus.

Officials note they don’t think the MoD was targeted, which leads me to believe it was indeed a garden-variety worm that hit them. That statement (that email was redirected) could be a product of the ‘fog’ of incident handling on such a large scale. However, if it’s true, I assume it happened because the email server or servers were compromised by the worm, which deployed a bot that phoned home, and the compromise was escalated through remote control of the bot.