
SANS Internet Storm Center (ISC) InfoSec Forums


SANS's Alan Paller discusses the threat of cyberterrorism on CNN

On the heels of the fake Tweet this past week regarding injury to President Obama, and the subsequent stock market decline estimated to have wiped out $130 billion in stock value, SANS's Alan Paller spoke with CNN's Christine Romans during a Your Money segment on Friday 26 APR. Watch this succinct and impactful interview as they discuss the danger hackers pose to our banks and our economy.

Alan Paller discusses threat of cyberterrorism on CNN's Your Money

Russ McRee | @holisticinfosec


Russ McRee

178 Posts
ISC Handler
OK, so the suggestion is to have a dedicated machine that is used solely for banking or stock trading and nothing else. Alan pointed out that computers are cheap now, so you can get another machine for a few hundred dollars. I know it's not quite as good as dedicated hardware, but what about a dedicated virtual machine? Is that good enough?
Moriah

133 Posts
Moriah,
Excellent discussion point you culled from the interview.
In my opinion, a dedicated virtual machine is even more optimal. That's precisely how I conduct sensitive work (not just financial). If you're comfortable with Linux or BSD-based operating systems, you have the advantage of a smaller malware target footprint, but keep in mind that browser-borne attacks know few bounds (Flash and Java). Regardless, a virtual machine, no matter the OS, allows you to work from a current, patched, ideally hardened snapshot, conduct your transaction(s), then revert to the snapshot when finished.
Russ McRee

178 Posts
ISC Handler
Which is exactly what I do. :-)
I have used VMware for this for many years, but I am currently switching over to qemu-kvm since I have had problems getting recent VMware versions to install under Gentoo Linux, which I prefer for its overall flexibility.
Moriah

133 Posts
A dedicated machine just for sensitive transactions might be the excuse I need to replace my aging Macbook Pro. It becomes the dedicated machine, and I don't need to recycle it.

But more seriously, this strategy only guarantees that my access to my sensitive information is from a non-infected machine. How do I know that my bank or stock broker is not vulnerable to third-party attacks? I could still lose my money.
Anonymous
Outside of the technical solutions to the problem, there is another question that hasn't really been answered yet since this incident: since when is Twitter an official news source? I understand that some "official" news sources are using it as another avenue for audience and followers; however, even today I don't consider Twitter an official news source no matter who the Twitter account belongs to (CNN, Roger Rabbit, or Blogger XYZ). It was never built to be an official news feed and consequently, doesn't have the scrutiny/security built around it to be one. It's like using a go-cart to get to work and then wondering why you broke down on the highway.

Really? Twitter? What's next, using some kind of text message publishing as an official news source?

What happened was deserved since Twitter shouldn't be treated much different than Facebook.
da1212

69 Posts
I understand it's not the best solution for a general audience, but I'd tend to put a financial-use-only OS on a USB stick, which cost just a few dollars. No need for a complete separate computer to run it on.

Steve - agreed, it won't help if attackers target your bank directly. But (1) more people are victimized financially by user-targeted attacks, so this "only" actually decreases your risk by over 50%, and (2) this answers the question of what you personally can do - you can't force effective security on your bank...
da1212
6 Posts
@JacCO - I believe it may be folks that have programmed their automatic trading software to sell based on certain "authoritative" news feeds and certain key phrases. Clearly this can be pretty faulty logic if those sources are compromised.

Regarding using a VM - great idea, but that means you cannot use the host OS for any surfing. It's actually not that hard to do - have a VM for each security context. Use shared storage from the host OS for things that need to pass back and forth (but again, segregate what each VM can access). Have a VM for goof-off surfing. Have another for somewhat sensitive surfing. Finally, have one for your financials/highly sensitive information. RAM is cheap, storage is cheap. No reason not to do this. But again, don't use the host OS for anything other than to update the host OS and update the VM software.

But telling family to do this is complicated. Telling them to get a $300 laptop dedicated for financials is a lot easier.
da1212
42 Posts
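The "boot from a clean snapshot, transact, revert" workflow that Russ describes earlier in the thread, and the per-context VM separation in the comment above, can be scripted on qemu-kvm (which Russ mentions switching to) with disposable qcow2 overlays. The script below is an added example and is not code from the diary or from any commenter; it assumes QEMU is installed, that a patched base image already exists at the hypothetical path in BASE_IMAGE, and that the base is never booted directly. Every session writes only to a throwaway overlay whose backing file is the clean base, so deleting the overlay at the end is the revert step. DRY_RUN=1 prints the commands instead of running them, which lets you audit the plan before trusting it.

```shell
#!/bin/sh
# Disposable-overlay session manager for a dedicated "financials" VM.
# Added example, not the thread's own code. Assumes QEMU (qemu-img and
# qemu-system-x86_64) is installed and that BASE_IMAGE points to a patched,
# read-only qcow2 base image that is never booted directly (hypothetical path).
set -eu

BASE_IMAGE="${BASE_IMAGE:-${HOME:-.}/vms/financials-base.qcow2}"   # hypothetical
SESSION_DIR="${SESSION_DIR:-${TMPDIR:-/tmp}/financials-session}"
DRY_RUN="${DRY_RUN:-0}"

# run_cmd executes a command, or prints it when DRY_RUN=1 so the plan can be reviewed.
run_cmd() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# overlay_path returns the per-session overlay disk; all writes land here, never in the base.
overlay_path() {
    printf '%s/session.qcow2\n' "$SESSION_DIR"
}

# session_start creates a fresh overlay backed by the clean base image and boots it.
# A leftover overlay means the previous session was never reverted, so its state is
# untrusted; refuse to reuse it rather than silently carrying state forward.
session_start() {
    mkdir -p "$SESSION_DIR"
    overlay=$(overlay_path)
    if [ -e "$overlay" ]; then
        echo "stale overlay $overlay found; run session_end to discard it first" >&2
        return 1
    fi
    run_cmd qemu-img create -f qcow2 -b "$BASE_IMAGE" -F qcow2 "$overlay"
    # No shared folders or clipboard devices: this VM exists for one security context only.
    run_cmd qemu-system-x86_64 -enable-kvm -m 2048 \
        -drive "file=$overlay,format=qcow2,if=virtio" \
        -nic user,model=virtio-net-pci
}

# session_end discards the overlay. This is the "revert to snapshot" step and is
# deliberately not routed through run_cmd: discarding session state must always happen.
session_end() {
    overlay=$(overlay_path)
    rm -f "$overlay"
}

# Command-line entry point: ./financials-vm.sh start | end
case "${1:-}" in
    start) session_start ;;
    end)   session_end ;;
    *)     : ;;   # sourced or called without arguments: define functions only
esac
```

Run `session_start` when you need to transact and `session_end` as soon as you close the VM; anything the session wrote (downloaded files, browser state, a drive-by payload) goes away with the overlay, and the base image only changes when you deliberately boot it to apply patches and re-seal it. The same script, pointed at a different base image and session directory, gives you a second context for "somewhat sensitive" browsing without the two ever sharing a disk.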
Very true, I guess even Twitter can be considered authoritative. I did hear about the logic and key phrases that caused the trading software/algorithm to trigger massive selling. I guess the attempt to outsmart the market by sniffing for phrases in social media backfired this time.
da1212

69 Posts
A dedicated machine is probably out of the question for many, as many individuals and families cannot afford $300 for an additional computer or may not have the space. VMs have complexity, as others have noted. A bootable OS on a stick sounds like a sensible low-cost and small-footprint alternative.
Alan

57 Posts
Are we not getting rather crazy here expecting that users outside of the DoD or other truly sensitive operations would go to these lengths on a routine basis? This is insane to me for a routine user. Just think about the usability impacts of this stuff.
Example: I use a bank register program to keep track of my accounts, but since I should wall this off I need to put it on a separate computer from my usual one. So I now need double the desk space or a KVM and the extra knowledge to set one up (or pay someone else to do it if I am not IT savvy). I now have to perform backups on both systems, doubling my backup space requirements unless I am only backing up key files, which is a joke with many Windows programs that do not store data where they should but instead store it next to their own program code, because Windows does not require their programs to behave better. You still have to patch both systems, including A/V, which now you have to purchase another license for. And good luck if you need to incorporate any of that bank account information into, say, a letter to snail mail authorizing a new signer like your spouse on an account. No person in their right mind is ever going to follow this kind of advice outside of the security community.

Regular users need something far more practical to combat these challenges than taking us back 20 years in computer usability. Please listen to what you are suggesting for people that often don't know what a program vs a document is.
BGC

23 Posts
