Incident handling and management calls for developing well understood and predictable responses to emergencies or damaging events as they occur. Frequent rehearsal of the response steps makes recovery from an incident faster and usually more successful. But predictable behavior can also be used against us, if an adversary knows (or can predict) what you will do when faced with a series of unfolding events. Some examples from the recent past include Y2K, the various terrorist attacks this decade, and natural disasters like Hurricane Katrina, the Indonesian tsunami, and the recent earthquakes in China. With Y2K, do you remember the wild panic of trying to find COBOL programmers at the last minute who could fix the two-digit date fields? Predictably, a lot of that programming got contracted to outside organizations; a well-trained adversary could have established multiple software companies that could have been used to insert malicious backdoors and booby traps into mainframes, control networks, and other critical computer systems. In the days following Hurricane Katrina's landfall, we predictably saw over a thousand websites get established that offered a mechanism for getting donations to the affected families. All they needed was your credit card number. Yeah, right. Most readers of the SANS Internet Storm Center's diaries know that we've followed nearly all of these events and sometimes we even predicted a few of them ourselves. So now it's time to go out on a limb again. Everybody is aware of the rapid rise in oil futures (the cost per barrel for crude oil), and if you drive a car you feel the result every time you fill up. This morning I saw that the local station near my house had crossed the $4 per gallon threshold overnight. I know that in Europe and Asia, $4 per gallon (that's about 0.67 Euros/Liter) is VERY cheap, but it's about twice what we were paying for it this time last year.
If gas prices continue to climb at the current rate, they could well double by the end of the year. So, here's the predictable behavior. With gas prices that high, many people will prefer to work from home rather than driving or taking public transportation, thus putting a heavy load on ISPs and the Internet in general due to telecommuting. So, if you were a Bad Guy, how would you take advantage of this predictable behavior? Some ideas come to mind, such as establishing web portals for work collaboration or marketing a new anti-virus solution for protecting home computers used for doing office work. Either of those capabilities would of course include a "value added feature" designed to siphon off sensitive information for criminal or espionage purposes. I'm sure there are many more evil ideas, so if you have any, send them this way and we'll add them to the bottom of this diary.

UPDATE 1 - Here are a few ideas submitted by readers. Feel free to use the "comment" capability or to send us your ideas via our contact page. Either is fine.

Boris offered these thoughts:
A reader wanting to remain anonymous said:
Iain wrote to say:
Marcus H. Sachs, ISC Handler, May 26th 2008
Okay, off topic, but in Norway it's $10 per gallon these days.
On topic: it provides a rather large attack vector for targeted attacks. Not only of exposed services, but also the fact that home computers aren't as protected nor as controlled as those located at your office. Also, access to systems after midnight will greatly increase the chance of chaos due to a drunk worker logging in (or a just plain tired worker prone to make mistakes).
tyldis, May 26th 2008
It's worth noting that split-tunnel VPNs (wherein only corporate address space is routed through the VPN tunnel, and the rest traverses the Internet as usual) pose a subtle but very significant threat. Many teleworkers may be tempted to work and play, so to speak, from the same PC. If compromised, this PC would likely provide a more favorable entry point (via VPN) to the corporate network than would a direct public connection.
While it's certainly possible to position teleworker connectivity in parallel with other "outside" connections in a DMZ, probably the most effective solution is to designate a work-only machine, configured to send all traffic through the VPN only.
Anonymous, May 26th 2008
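As an added illustration of the recommendation in that comment (example code, not from the diary or its commenters): a small Python audit that reads an OpenVPN client or server config and reports whether it is split-tunnel or full-tunnel, plus the leaks that remain even on a full tunnel. It assumes the teleworker's VPN is OpenVPN; the two sample configs and the vpn.example.test hostname are constructed for the example.

```python
import shlex

SPLIT_TUNNEL = """client
remote vpn.example.test 1194  # constructed sample; placeholder server name
route 10.0.0.0 255.0.0.0      # only corporate space is routed into the tunnel
"""
FULL_TUNNEL = """client
remote vpn.example.test 1194  # constructed sample; placeholder server name
redirect-gateway def1 ipv6
block-outside-dns
"""

def parse_directives(text):
    """Yield (directive, args, pushed); server-side push "..." lines are unwrapped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(";"):
            continue
        parts = shlex.split(line)
        pushed = parts[0] == "push" and len(parts) > 1
        if pushed:
            parts = parts[1].split()
        yield parts[0], parts[1:], pushed

def audit_tunnel(text):
    """Return {'mode': 'full'|'split', 'findings': [...]} for one config."""
    local = pushed_redirect = nopull = dns_block = False
    flags, routes = set(), []
    for directive, args, pushed in parse_directives(text):
        if directive == "redirect-gateway":
            pushed_redirect |= pushed
            local |= not pushed
            flags.update(args)
        elif directive == "route":
            routes.append("/".join(args[:2]))
        elif directive == "route-nopull":   # client ignores everything the server pushes
            nopull = True
        elif directive == "block-outside-dns":
            dns_block = True
    full = local or (pushed_redirect and not nopull)
    findings = []
    if not full:
        findings.append("split tunnel: only %s via VPN; all other traffic leaves via the home ISP" % (", ".join(routes) or "the tunnel subnet"))
        if pushed_redirect and nopull:
            findings.append("route-nopull discards the pushed redirect-gateway; set it in the client config")
    if full and "ipv6" not in flags:
        findings.append("IPv6 not redirected; add the ipv6 flag or disable IPv6 on the client")
    if full and not dns_block:
        findings.append("block-outside-dns missing; Windows clients may still resolve names via the ISP")
    return {"mode": "full" if full else "split", "findings": findings}
```

Run it over the config a teleworker's machine actually loads; a "split" result on a work-only machine is exactly the exposure the comment describes.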
For what it's worth, GoToMyPC usage can be blocked by contacting Citrix:
https://www.gotomypc.com/pro/help2.tmpl#ys8 The last time I read this, there was a nice form you could fill out with your IP, but perhaps someone realized the potential damage that could be done. Still, at least this particular service can be blocked, as it's really an impolite thing to completely bypass network security. I'm rather skeptical about 'free' services like logmein, especially given that users rarely think about the implications.
Anonymous, May 28th 2008