[clug] Offline snooping

steve jenkin sjenkin at canb.auug.org.au
Thu Jan 30 19:17:50 MST 2014


On 30/01/2014, at 9:11 PM, Keith Sayers wrote:

>     Would anyone know anything about this?  I had imagined that because I was 
> using a Linux operating system I was more secure than with Windows - am I 
> being naive?
> 
>> http://www.bbc.co.uk/news/technology-25743074


Keith,

The important para is the 3rd:
"Targets included the Chinese and Russian military as well as drug cartels, the newspaper claimed."

The important word there is _targets_.

Are you a _target_?

If so, to whom?? What do they stand to gain by hacking _you_??

"Threat Actors" are generally classified as:
 - Cyber Criminals
 - Hacktivists & mischief makers
 - Nation States, Espionage, Intelligence gathering and (Cyber) War

Those sophisticated exploits/intrusions cost a lot of money...
Think $5,000 per radio device and once installed, they have to be managed and data collected. You can't do that for less than $5,000/week per intercept station.

Threat Actors have budgets and need, and do, prioritise their investment according to the value of the target.

The NSA is interested in Espionage and wide-scale Intelligence gathering. Is that _you_?

The joint USA/Israeli action against the highly protected Iranian Enrichment facility, known as Stuxnet, is an example. An extended, very expensive program against a very high value military target.

Do _you_ qualify as a high value target to them? I can't answer that, but I can guess "NO".
You have nothing to worry about from the NSA and other TLAs.

But you _must_ be on your guard against Cyber Criminals - they run very lean and inexpensive operations.
In 2005, hackers turned Pro. They stopped writing viruses & malware for fun and started doing it for money. A whole large, complex industry has sprung up around this with many suppliers and channels.

Remote exploits are very cheap. If they get access to your credit card or bank account, they can siphon off money.
Or just scam you into sending them money: the Nigerian scams are still running hot after nearly 15 years.

By ditching Windows, Internet Explorer and Outlook and running a NAT Firewall, you've protected yourself against probably 99% of attacks. But that's a long, long way from being "100% safe".
If you can't make your house "100% secure", why do you think you can make

The Cyber Criminal gangs' phishing attacks and Social Engineering are becoming increasingly sophisticated.

In the last 4 weeks, I gave up the password to one of my GMail accounts because of a valid email from a friend's account. I clicked on a link which led to what seemed like a valid Google 'reenter your password' page.
I've since turned on 2-factor authentication for Gmail.

My mate doesn't know how they got his password, but did see the emails they sent from his account and he received a barrage of similar emails from his mates. Obviously he clicked on a link in one of those but can't remember it - says that the phishing was very well targeted.

As well, I've had 10-20 phone calls from an Indian call centre trying to scam me. Not sure what the scam was; I never allowed them to "close the deal". It may have only been a $175 charge on my credit card, or a lot more.

They pretended to be from Telstra Bigpond ("your Internet access is about to be cut-off"),
from Windows Technical Support ("you have some malware on your computer")
and from somewhere else in Microsoft. ("you have to install an update").

The point of that:

 - "Security" is not a binary state ("good" or "bad"), it's checking things everyday and fixing things as the environment changes. The solutions you put in place 5 years ago must be reviewed and updated - the digital world changes around you and if you don't keep current, it will bite you.

 - Bruce Schneier said in 2000, "Security is a process, not a product": That will never change. To keep using the Internet and be reasonably sure your bank accounts etc. aren't broken into, you have to be "constantly vigilant". Just as any good mariner maintains a constant watch, does constant maintenance and prepares for changing conditions. It's not some onerous duty or a drudge, you need to stay alert and informed and act when necessary.
<https://www.schneier.com/crypto-gram-0005.html>

 - Technical protection measures are not nearly sufficient to maintain your "Digital Security".
   Other attack vectors trump _all_ technical security.
   If you succumb to a phone call or a well crafted email, all the firewalls, rules and monitoring in the world won't help. That was one of the prime lessons from APT1: the best run operations are still breachable.

 - You have nothing to worry about from the NSA, but should be actively working to keep your banking and financial access details secure.

I hope that puts the BBC article into context for you.
Your equipment won't be bugged by the NSA, but you have to pay some mind to protecting your accounts.

Neither is the "nuclear bunker" option of disconnecting from the Internet and going completely off-line a "100% safe" action.  Scammers and con artists have, for a very long time, called on the phone or gone door-to-door picking 'marks' and fleecing unsuspecting folk with everything from "I'm the Gas Inspector" to "I can paint your house cheap" to "let me fix your driveway".

Use your good judgement, don't over-react but don't bury your head in the sand,
Accept you might be conned or scammed at some point and figure out how to limit those losses.
If you're caught out, like I've been, learn from it and don't repeat the same mistake.


cheers
steve



some other useful links.

Mandiant APT1:
<http://en.wikipedia.org/wiki/APT1>

The Chinese agency responsible for Mandiant's APT1 attacks operated over years and years with a staff of ~1,000. They carefully chose their targets and sought very specific information. They were a "Nation State" actor doing industrial espionage (probably with a focus on high-tech and military equipment).

Ars on "BadBios" - specifically targeted at a high-profile security researcher using subtle "Covert Channels".

<http://arstechnica.com/security/2013/10/meet-badbios-the-mysterious-mac-and-pc-malware-that-jumps-airgaps/>

A reasonable overview, from 2012, on Cyber Threats given to US Congress.

<http://www.dtcc.com/~/media/Files/Downloads/Congressional%20Testimony/DTCC_Cyber-Security-Testimony_FINAL_6-01-12.ashx>
--
Steve Jenkin, IT Systems and Design 
0412 786 915 (+61 412 786 915)
PO Box 48, Kippax ACT 2615, AUSTRALIA

mailto:sjenkin at canb.auug.org.au http://members.tip.net.au/~sjenkin