Friday, February 15, 2008

First They Came for Bandwidth...

One of the problems with being a defender is a tendency towards a lack of imagination. As I've maintained for years, sophisticated intruders are unpredictable -- so much so that I call them intrupreneurs. Most defense is reactive (filling holes in the highway instead of deploying flying cars), with Attacker 3.0 outgunning Security 1.0.

This came to mind when I read Ukrainian Hacker Makes a Killing in Stock Market Fraud by Kim Zetter. She writes:

The case involves a Ukrainian engineering consultant named Oleksandr Dorozhko who is alleged to have hacked into a computer belonging to IMS Health, a company that provides market research to the pharmaceutical and health care industries.

Through the computer breach, Dorozhko apparently obtained advance information about a negative earnings announcement that IMS was to make a few hours later on October 17, 2007. He quickly purchased 630 put options for IMS Health, betting that the price of IMS shares, which were then trading at $30 each, would drop within three days. Dorozhko invested about $42,000 in the options, an amount that nearly equals his annual income, estimated to be between $45,000 and $50,000.

Hours later, IMS Health announced that its earnings had dropped 15 percent from the previous year and 28 percent below analysts' estimates, causing its stock price to fall to $21.20 the next day. Dorozhko's prescient purchases landed him a tidy profit of $286,457 in one day -- nearly six times his annual income.


I like this story because it explains why an intruder wants to compromise your company. Too often executives have trouble envisaging risk (as expanded on in Analog Security Is Threat-Centric).

Overall I see a progression like the following. (I thought I posted this before but I cannot find it!)

  • First they came for bandwidth... These are attacks on availability, executed via denial of service attacks starting in the mid-1990s and monetized later via extortion.

  • Next they came for secrets... These are attacks on confidentiality, executed via disclosure of sensitive data starting in the late 1990s and monetized as personally identifiable information and accounts for sale in the underground.

  • Now they are coming to make a difference... These are attacks on integrity, executed by degrading information starting at the beginning of this decade. These attacks will manifest as changes to trusted data such that those alterations benefit the party making the change. This sort of attack undermines the trustworthiness of data.


The scariest part is that the last kind of attack can be the hardest to detect and to recover from.
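The integrity attack described above is hard to detect precisely because the altered data still looks like normal data. One defensive pattern is to keep a keyed manifest of the records you treat as trusted, held apart from the data store, and to check the live data against it so that a quiet change, an added record or a deleted record shows up as a named finding that can be rolled back from a known-good snapshot. The following is an added example written for this page, not code from the original post or from any product it mentions; the record names, values and key are constructed for illustration.

```python
import hashlib
import hmac
import json
from typing import Dict, List, Tuple

# Constructed sample data: a small set of records an organisation treats as
# trusted (field names and values are invented for this example).
TRUSTED_RECORDS: Dict[str, str] = {
    "q3_revenue_musd": "512.0",
    "q3_eps_usd": "0.41",
    "guidance": "maintained",
}

# Hypothetical key held by the integrity-checking system. It must not live in
# the same store as the records, or whoever can rewrite the data can re-sign it.
MANIFEST_KEY = b"example-key-keep-out-of-the-data-store"


def field_tag(key: bytes, name: str, value: str) -> str:
    """HMAC over a canonical encoding of (name, value), so a tag computed for
    one field cannot be reused on another field that happens to share a value."""
    msg = json.dumps([name, value], separators=(",", ":")).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def build_manifest(key: bytes, records: Dict[str, str]) -> Dict[str, str]:
    """Per-field tags plus a tag over the sorted field list, so that adding or
    deleting a whole record is detected as well as editing one."""
    manifest = {name: field_tag(key, name, value) for name, value in records.items()}
    listing = json.dumps(sorted(records), separators=(",", ":")).encode()
    manifest["__fields__"] = hmac.new(key, listing, hashlib.sha256).hexdigest()
    return manifest


def detect_tampering(key: bytes, records: Dict[str, str],
                     manifest: Dict[str, str]) -> List[str]:
    """Return the names of fields whose content no longer matches the manifest,
    plus '__fields__' if the set of records itself changed."""
    findings: List[str] = []
    listing = json.dumps(sorted(records), separators=(",", ":")).encode()
    expected = hmac.new(key, listing, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest.get("__fields__", "")):
        findings.append("__fields__")
    for name, value in records.items():
        # A field the attacker added has no tag at all and therefore fails too.
        if not hmac.compare_digest(field_tag(key, name, value), manifest.get(name, "")):
            findings.append(name)
    return findings


def recover(current: Dict[str, str], baseline: Dict[str, str],
            findings: List[str]) -> Dict[str, str]:
    """Restore only the flagged fields from a known-good snapshot; fields that
    verified cleanly are left as they are."""
    restored = dict(current)
    for name in findings:
        if name == "__fields__":
            for extra in set(restored) - set(baseline):
                restored.pop(extra)
            for missing in set(baseline) - set(restored):
                restored[missing] = baseline[missing]
        elif name in baseline:
            restored[name] = baseline[name]
    return restored


def demo() -> Tuple[List[str], Dict[str, str]]:
    """Sign the trusted records, simulate a quiet edit, detect it and roll it back."""
    manifest = build_manifest(MANIFEST_KEY, TRUSTED_RECORDS)
    snapshot = dict(TRUSTED_RECORDS)
    # Constructed tampering: one value is altered without any other trace.
    tampered = dict(TRUSTED_RECORDS)
    tampered["guidance"] = "raised"
    findings = detect_tampering(MANIFEST_KEY, tampered, manifest)
    return findings, recover(tampered, snapshot, findings)


if __name__ == "__main__":
    found, fixed = demo()
    print("tampered fields:", found)
    print("restored records:", fixed)
```

The design choice worth noting is the separation of trust: the manifest key and the snapshot are only useful if they are writable by fewer parties than the data itself, which is why the check runs in a separate system rather than in the application that maintains the records. Without that separation an intruder with write access could simply regenerate the manifest after making the change, and the detection would be silent.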

5 comments:

Anonymous said...

"One of the problems with being a defender is a tendency towards a lack of imagination."

lack of imagination is a problem in many ways. it is difficult to get oneself out of the equation and take a wider view on things - mainly due to the sheer daily workload.
recently i had an interesting experience... at the "digital life design" conference this year, one joe schoendorf asked the attending crowd (full lecture hall) who of us was under 25: maybe 3-4 hands were raised.
so sitting in a conference about digital lifestyle i realized this was a good point ;-)
working at a university, sure thing i used the question myself at the next meeting and (with the results of a conducted survey and some other arguments) everyone agreed to the investment.
although our team is good and not really disconnected from the users, we sometimes don't realize that, through our daily work, we lack the time and opportunities to familiarize ourselves with all available end-devices, applications and their full capabilities.
in my case, the simple question about the average age in our department and the comparison with our audience helped regain the perspective and in the end sold it.

Rob Lewis said...

Good point, well raised. What are the implications of tampering with trade secrets in pharmaceuticals, insider collusion in money laundering and racketeering, and modifying classified information in defense sectors?

I know you don't put much stock in prevention, but since our technology model allows ranking of users and code in terms of integrity, simply ranking important data higher than users prevents tampering with code (or audit trails).

This has implications for secure data hand-offs, data sharing, protection against anti-forensics tools and so on.

In this case, prevention might be easier than detection and recovery.

Jim Yuill said...

A limitation of this attack is that its exploitation is conspicuous, e.g., this dude got caught.

The hacker could use deception to cover his tracks...

The hacker conspires with the author of a financial newsletter. When the hacker discovers the upcoming stock devaluation, he informs the author. In the newsletter, the author recommends buying put options.

The hacker buys the options, and if questioned, attributes his purchase to the newsletter.

The author attributes his buy recommendation to his own brilliant analysis.

LonerVamp said...

In the hacking and criminal world, the creativity and success of the attackers provides a nice bit of natural selection on the threats that we'll end up caring about. The unimaginative ones fizzle back down where they came from, or stick to their two or three good tricks. Attackers also *have* to be somewhat imaginative if they are to make a career of it.

It is far harder to provide such selection for the good guys. Plenty of very unimaginative security folks will stick around for decades being less than effective and most likely very lucky.

A generalization, nothing more.

LeeRoy said...
This comment has been removed by a blog administrator.