The Sky Is Falling: 10 'Chicken Little' Security Stories
The story of Chicken Little goes something like this. An acorn falls on Chicken Little's head one day and she tells all of her friends that "the sky is falling." But clever Foxy Loxy takes advantage of Chicken Little's friends, who are so convinced that disaster is imminent that he can manipulate them into his kitchen and eat them. However, one friend, Cocky Locky, gets away fast enough to warn Chicken Little, and she escapes.
It's a familiar fable. All too often, security vendors and the media portray security incidents as apocalyptic, world-ending events. That's not to say that security threats don't exist or that there aren't dangerous criminals lurking on the Internet. There are, on both counts. But thus far, the world hasn't ended. And it's probably not about to. Here are a few of the most overblown stories to remember the next time it seems that the sky is falling.
Google Blames Microsoft For Its Problems
Google is the global search engine giant and a multi-billion dollar company, but it is not above taking its bat and ball and going home. Rumors circulated earlier this month that Google would be phasing out its internal use of Microsoft Windows systems. According to a Financial Times report, new Google hires are now given the option of using Apple Mac or Linux-based computers.
Ostensibly, Google's decision to part ways with Microsoft was based on a massive malware attack in January, known as Operation Aurora, which targeted the search engine's network and the systems of more than 30 other high profile corporations.
Never mind that the hackers knew the ins and outs of Google's internal systems and would have found a way to infiltrate the network and tailor their attack accordingly, regardless of which operating system it was using. Never mind that the vulnerability the hackers exploited was an Internet Explorer flaw, not a flaw in the Windows OS. And never mind that Google itself has been riddled with security issues. Let's face it. It's just easier to blame Windows for everything.
Electrical Power Grid Hack
It could be the stuff of Hollywood cinema. During the summer of 2008, Congress vaguely alluded to cyberspies from Russia, China and other countries, hacking into the electrical grid and installing malicious software used to disrupt or completely stop power supplies.
A mild hysteria ensued from the security and political community. Officials espoused that cyberspies intended to navigate and take control of the U.S. electrical system, warning that the software that the attackers left behind was dormant but could be used in times of war.
However, no damage occurred to the electrical grid. Everyone seemed to keep their lights on. There weren't even any rolling blackouts. And even if there had been, channel partners say that the power meters communicate at very low power levels and that, "by today's standard, it would be unimaginably slow. There are only proof-of-concept attacks. They're very easily defeated," said Andrew Plato, president of Beaverton, Ore.-based Anitian Enterprise Security. "Anyone who carried out a rolling blackout by using this method, well, it wouldn't roll very fast. I think by about the third or fourth house, the power company would catch wind."
All Out Cyber War
It's no secret that in recent years the U.S. and China have engaged in a war of words, among other things, as both superpowers fight for commercial domination and global mindshare. One of the most inflammatory incidents occurred in June 2008, when two U.S. Congressmen accused Chinese citizens of hacking into their office computers in an attempt to compromise sensitive information on Chinese dissidents.
Rep. Frank Wolf, a Republican Congressman from Virginia, said that he believed he was the victim of an attack because of his "long history of speaking out about China's abysmal human rights record," although he mentioned that he "had no information to confirm" his remarks.
And so it goes. Every so often, the U.S. seems to pick an adversary, accusing them of conspiring to launch a cyber attack against Washington aimed at crippling all of the U.S. computer systems that house precious government secrets and information, which would inevitably leave the country vulnerable to attack. So far, it hasn't happened. However, should a cyber war occur, it's likely that the U.S. has enough resources and infrastructure in place to deal with the threat, channel partners say.
"It's the fundamental reboot principle -- if you're having a cyber war, how do you stop it? You reboot the router," said Andrew Plato, president of Anitian Enterprise Security, based in Beaverton, Ore. "That's why we're never going to see a cyber war of any size or complexity. The way to defuse them is to flip a switch. That is the essence of defense for a cyber war -- we can literally flip a switch and fend off the offending army."
Conficker Worm
Who can forget the infamous Conficker worm? During Conficker's heyday, the rogue worm seemed to generate more worldwide publicity than pop queens and certain debutante heiresses. A slow-boiling hysteria escalated during the first few months of 2009, as the Conficker worm infected millions of computers around the world and incorporated them into a massive global botnet, spreading with techniques that ranged from brute-force password guessing to transmission via USB sticks and peer-to-peer networks.
April 1 was the supposed doomsday, when the botnet was scheduled to update with a new domain generation algorithm that would let it contact 500 of the 50,000 newly generated domains. Some experts said that this could open a path for new instructions from its command and control center. All security vendors were on the bandwagon -- Microsoft, Symantec and other security industry and academic leaders started cracking down on the Conficker worm by putting up a $250,000 bounty and disabling domains that enabled the spread of the botnet.
But April 1 came and went without a hitch, and Conficker left not much more than the sound of crickets in its wake. Security experts said that the worm had received so much media play that its authors were waiting stealthily before making their next move. More than a year later, the Conficker worm has either won an award for its patience, or has slithered away in abject humiliation.
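The defensive side of the domain generation story above is spotting the lookup pattern on a resolver: a single host querying long, consonant-heavy, high-entropy names that no human typed. The script below is an added example, not Conficker's algorithm or any vendor's code; the log lines are constructed, and the thresholds (label length, vowel ratio, Shannon entropy, hits per client) are illustrative assumptions a practitioner would tune against real traffic.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed resolver query log (not real traffic). Client 10.0.0.27 is
# made to look like a bot cycling through algorithmically generated names.
SAMPLE_LOG = """\
2009-04-01T00:00:03 client=10.0.0.14 query=www.example.com type=A
2009-04-01T00:00:04 client=10.0.0.14 query=mail.google.com type=A
2009-04-01T00:00:05 client=10.0.0.27 query=xkqvzprtwbnm.org type=A
2009-04-01T00:00:05 client=10.0.0.27 query=qwzjfhtrplbv.net type=A
2009-04-01T00:00:06 client=10.0.0.27 query=bdsrtkmnpqwl.com type=A
2009-04-01T00:00:07 client=10.0.0.9 query=news.bbc.co.uk type=A
"""

LINE_RE = re.compile(r"client=(?P<client>\S+)\s+query=(?P<name>\S+)")
VOWELS = set("aeiou")


def shannon_entropy(text):
    """Bits of entropy per character, estimated from the character histogram."""
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def candidate_label(name):
    """Pick the label to score: the longest one, ignoring a leading 'www'.
    This is a simplification; a public-suffix list would be used in practice."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l != "www"]
    return max(labels, key=len)


def looks_generated(label, min_len=10, max_vowel_ratio=0.2, min_entropy=3.0):
    """Heuristic (assumed thresholds): long, vowel-poor, high-entropy labels."""
    if len(label) < min_len:
        return False
    vowel_ratio = sum(ch in VOWELS for ch in label) / len(label)
    return vowel_ratio < max_vowel_ratio and shannon_entropy(label) >= min_entropy


def flagged_queries_per_client(log_text):
    """Map each client to the list of names it queried that look generated."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        name = m.group("name")
        if looks_generated(candidate_label(name)):
            hits[m.group("client")].append(name)
    return dict(hits)


def suspicious_clients(log_text, threshold=3):
    """Clients with at least `threshold` generated-looking lookups."""
    per_client = flagged_queries_per_client(log_text)
    return sorted(c for c, names in per_client.items() if len(names) >= threshold)


if __name__ == "__main__":
    print(flagged_queries_per_client(SAMPLE_LOG))
    print("suspicious:", suspicious_clients(SAMPLE_LOG))
```

The per-client aggregation matters more than any single name: one odd lookup is noise, but a host that walks through dozens of unregistered names in a minute (most of them returning NXDOMAIN) is the signature worth alerting on.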
Black Screen Of Death
Every so often, an obscure security software company hypes a threat (let's blame, oh I don't know, Microsoft!) and then serendipitously (bada bing) comes up with the antidote.
And since most users are familiar with the "blue screen of death," Prevx leveraged a similar-sounding and just as scary threat -- the "black screen of death." The U.K.-based security firm fingered Microsoft's November 2009 security update as the root of a crippling black screen, which caused users' computers to seize up and display nothing except a single My Computer window. Prevx said that the problem stemmed from a Microsoft patch that made changes to registry keys. Consequently, some installed applications failed to run properly when those registry keys interacted with Windows access control lists, in effect launching the "black screen."
But it appeared that Prevx spoke too soon. In reality, the problem was not caused by the Microsoft update at all, but instead was related to a characteristic of the Windows registry. Prevx later recanted its accusation, admitting sheepishly in a blog that Microsoft wasn't to blame for the "black screen" and apologizing to the software giant for "any inconvenience."
Meanwhile, the "black screen of death" -- now synonymous with embarrassing under-researched assumptions -- will likely haunt Prevx for quite some time.
Raw Sockets And The End Of The Internet
It seems like all "Chicken Little" stories result in the "end of the Internet," and this one's no exception. Back in 2001, security consultant Steve Gibson predicted that Microsoft's decision to implement raw sockets in its then-latest platform, Windows XP, would enable hackers to send spoofed packets that would result in massive, serial denial of service attacks.
Gibson said that by incorporating raw sockets into its software, Microsoft was opening the door for malicious hackers to use its new OS as a springboard to launch massive DDoS attacks that no one could stop, essentially bringing the Internet to a grinding halt and culminating in (yep, you guessed it) the end of the Internet.
The prediction alarmed journalists, security vendors and geeky types alike, who waxed philosophic on the future of digital communications on every media outlet. Was this a legitimate threat? Could it really crash the Internet?
Perhaps not surprisingly, there were no major DDoS attacks that leveraged the raw sockets feature in Windows XP. And, as with most "end of the world" fear mongering, most users moved on to look for something else that would eventually result in the "end of the Internet."
Facebook Does Not Equal Privacy
News flash: No matter which way you slice it, Facebook is not about privacy. And it never will be. After all, it's about social networking -- two words that are completely antithetical to privacy. Why pretend otherwise?
In recent months the social networking giant got itself into some hot water with Congressional leaders and privacy rights watchdog groups when it implemented new privacy settings that exposed users' information on search engines and linked some profile data on their "Interests and Activities" page to third-party applications.
Oops. Okay, Facebook fixed that, sort of. The hype even led some users to initiate a grass-roots campaign calling for a boycott of Facebook on May 31. The half-hearted effort turned out to be a flop, perhaps because it's almost universally accepted that the almost 500 million users like the site enough to surrender some privacy here and there.
The fact of the matter is, most users accept that if you're voluntarily putting your personal information online, it probably won't be completely private. And maybe, just maybe, that's not the end of the world.
DNS Cache Poisoning Flaw
Warning: Everything You Do On The Internet Can Be Hazardous To Your Health. Dan Kaminsky, IOActive director of penetration testing, rocked the security community boat when he revealed that the Internet contained fundamental flaws that allowed hackers to exploit a Domain Name System (DNS) server vulnerability which paved the way for cache poisoning attacks. To exploit the flaw, all the hackers have to do is trick a DNS server into accepting an incorrect answer for a domain, which subsequently reroutes users to a malicious Web site without their knowledge. Once the user is redirected to the new site, the attacker could then install Trojans or keystroke loggers onto their computers to extract financial and personal data.
Unlike other vulnerabilities, the DNS flaw flung the door wide open for attacks across all platforms, including Mac and Linux.
But wait, there's more. In addition to cache poisoning attacks, Kaminsky revealed that this new type of vulnerability also allowed attackers to exploit IPSec VPNs, SSL certification, automatic software update systems, spam filters and VoIP systems. Yowza.
And that's not all. This tactic could enable hackers to take over .com, .net and .org domains, intercept email communications and infect them with malware before sending them along. Kaminsky went on to say that the DNS vulnerability could spark a "domino effect" that would wreak havoc in practically every corner of the Internet.
Kaminsky's research was valid, but many organizations deployed patches for the DNS flaw, and the hype gave way to the next threats that were supposed to obliterate the Internet.
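The "patches for the DNS flaw" mentioned above made resolvers randomize the UDP source port of outgoing queries, so a forged reply must match both the 16-bit transaction ID and the port instead of the transaction ID alone. The check below is an added example (not Kaminsky's test, not any resolver's code): given the source ports observed on a resolver's outbound queries, it classifies the port behaviour and estimates the size of the space a forged reply would have to match. The port samples are constructed, and the guess-space figure is an approximation that assumes ports are drawn uniformly from the observed span.

```python
import math
from collections import Counter

TXID_BITS = 16  # the DNS transaction ID is a 16-bit field

# Constructed source-port samples for three hypothetical resolvers.
FIXED_PORTS = [53] * 8                               # every query from port 53
SEQUENTIAL_PORTS = list(range(32768, 32776))         # one port higher each time
RANDOM_PORTS = [41243, 9731, 60012, 33387, 17204, 54791, 28566, 4410]


def entropy_bits(values):
    """Shannon entropy of the sample; with n samples this caps at log2(n)."""
    counts = Counter(values)
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def classify_ports(ports):
    """'fixed' if one port is reused, 'sequential' if the step is constant,
    otherwise 'randomized'. Needs at least two observations."""
    if len(ports) < 2:
        raise ValueError("need at least two observed ports")
    if len(set(ports)) == 1:
        return "fixed"
    steps = {b - a for a, b in zip(ports, ports[1:])}
    if len(steps) == 1:
        return "sequential"
    return "randomized"


def assess_resolver(ports):
    """Summarize port behaviour and the approximate space a forged reply
    must match: TXID only when the port is predictable, TXID times the
    observed port span when it is randomized (approximation, assumed here)."""
    kind = classify_ports(ports)
    span = max(ports) - min(ports)
    if kind == "randomized":
        guess_space = 2 ** TXID_BITS * (span + 1)
    else:
        guess_space = 2 ** TXID_BITS
    return {
        "classification": kind,
        "distinct_ports": len(set(ports)),
        "span": span,
        "sample_entropy_bits": round(entropy_bits(ports), 2),
        "guess_space": guess_space,
        "needs_patch": kind != "randomized",
    }


if __name__ == "__main__":
    for label, sample in (("fixed", FIXED_PORTS),
                          ("sequential", SEQUENTIAL_PORTS),
                          ("random", RANDOM_PORTS)):
        print(label, assess_resolver(sample))
```

Read the sample entropy with care: eight distinct ports give 3 bits whether they were sequential or random, which is why the classification and the span, not the entropy estimate alone, decide whether a resolver needs the patch. In practice you would feed in a few hundred ports captured from the resolver's outbound traffic.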
McColo Take Down
Okay, so maybe this one is more like an inverse Chicken Little -- an incident in which everyone thought that the world was going to get better, only to realize that nothing really had changed.
Internet Service Provider McColo was disconnected from its upstream providers earlier this year, cutting it off from a huge portion of its Internet traffic. Why? Because, among other things, the ISP was known to host illegal child pornography sites, malware and copious spam, and was found to carry some of the world's largest botnets. Shortly following McColo's take down, researchers noted that spam levels dropped significantly -- as much as 60 to 80 percent in some cases -- in the lull before spammers found new providers.
And some thought that the incident was an indication that the spam industry would deteriorate and eventually fade into oblivion.
Not so much. Since then, many of the spammers and malware writers have found alternate hosts to distribute their wares, fragmenting their spam campaigns across a multitude of hosts. And in the year and a half since the incident, spam has risen to previous levels. Even though it was short-lived, McColo's eradication was possibly one of the year's biggest successes for the security community, although spam is, and likely will continue to be, the bane of its existence.
Y2K
The classic. Was it really 10 years ago? The problem took root when experts began to think long and hard about digital and non-digital systems that were coded to abbreviate four-digit years with only two digits.
What happens when it's time to roll over the two digits from x99 to x00? No one knew, and wild speculation ensued. It was suggested that, without corrective action, systems would break down when year values suddenly stopped ascending. Subsequently, computer systems would fail, digitized critical infrastructure would come to a halt, planes would crash, bank accounts would be wiped out and the whole world would go dark.
But, needless to say, as the New Year's countdown ended, the clock progressed evenly from 11:59 p.m. to 12:00 a.m.
The lights stayed on. The planes remained in the air. There were no runs on the banks. And the world continued to party like it was 1999.
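The rollover problem the story describes is easy to reproduce and easy to fix, which is a large part of why the lights stayed on. The snippet below is an added example, not code from any affected system: a "1900 + yy" interpretation of two-digit years, placed beside the sliding-window fix that remediation teams applied, and a date arithmetic function that shows the naive version going negative across the x99 to x00 boundary. The MM/DD/YY record format and the pivot year of 70 are assumptions for the illustration.

```python
from datetime import date


def naive_year(yy):
    """Pre-remediation behaviour: a two-digit year is an offset from 1900,
    so '00' silently becomes 1900."""
    return 1900 + int(yy)


def windowed_year(yy, pivot=70):
    """Sliding-window fix (pivot assumed here): two-digit values at or above
    the pivot are 19xx, values below it are 20xx."""
    value = int(yy)
    return 1900 + value if value >= pivot else 2000 + value


def parse_mmddyy(text, year_fn):
    """Parse a constructed MM/DD/YY record using the given year interpretation."""
    mm, dd, yy = text.split("/")
    return date(year_fn(yy), int(mm), int(dd))


def days_between(start, end, year_fn):
    """Elapsed days from start to end; negative means end sorted before start."""
    return (parse_mmddyy(end, year_fn) - parse_mmddyy(start, year_fn)).days


def window_is_safe_until(pivot=70):
    """The windowed fix only defers the problem: once real dates reach
    2000 + pivot, a value equal to the pivot would again be misread as 19xx."""
    return 2000 + pivot


if __name__ == "__main__":
    # One night of elapsed time, interpreted both ways.
    print("naive   :", days_between("12/31/99", "01/01/00", naive_year))
    print("windowed:", days_between("12/31/99", "01/01/00", windowed_year))
    print("window breaks at:", window_is_safe_until())
```

The negative result is the shape most Y2K failures took: not a crash at midnight, but interest, age and expiry calculations quietly running backwards by a century. The windowed fix is also not permanent, which is why the function that reports the window's expiry is worth keeping next to it.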