written by Pierluigi Stella
Towards the end of August, the FBI, the FDIC and some other FI-related organizations apparently sent a memo to all the FIs in the US, alerting them that a number of IP addresses had been spotted conducting attacks against FIs. The memo also contained a PDF listing file names and MD5 hashes; these were presented as the malicious files being sent to FIs.
Practically every single one of our FI customers opened tickets, called, or emailed us that same memo, frantic that they might be attacked and wanting to be sure we were aware of the situation. Let me go over why this is all completely wrong, and why it brings no benefit to anyone.
First of all, the files. They weren't compiled executables; they appeared to be mostly source code, with no word on how they were delivered or what ran them. A source file does nothing on its own; it becomes a threat only when something interprets it (a PHP file dropped onto a web server is the textbook case), and the memo said nothing about that, which leaves the hashes with no context to act on. Even worse, the MD5 hashes were delivered inside a PDF. In this year of 2014, some tech person at the FBI apparently expected us to transcribe those 32-character strings one by one, at risk of human error: drop or misread a single character and the indicator silently matches nothing, which makes the whole thing worthless. Why not send them as plain text, or better, as a machine-readable list we can load straight into our tools? I mean, seriously, it's faster and error free!
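To make the point about format concrete, here is an added example (my own code, not the original post's and not anything from the memo) that takes an indicator list as plain text, one hash per line, validates every entry before trusting it, and matches a set of constructed file contents against it. The file names, file bodies and the indicator list are all made up; two of the entries are deliberately corrupted to mimic what hand transcription from a PDF produces, and one repeats a good hash in upper case to show normalisation.

```python
"""Validate a plain-text MD5 indicator list and match local files against it.

Added example, not code from the original post. The indicator list, the file
contents and the file names are all constructed for illustration; nothing here
comes from the FBI/FDIC memo.
"""
import hashlib
import re

MD5_RE = re.compile(r"^[0-9a-f]{32}$")

# Constructed "known bad" file bodies. Their hashes play the role of the
# indicators an advisory would carry.
KNOWN_BAD = {
    "c99.php": b"<?php eval(base64_decode($_POST['x'])); ?>\n",
    "dropper.vbs": b'Set s = CreateObject("WScript.Shell")\n',
}


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def build_advisory_text() -> str:
    """Constructed indicator list in the plain-text form the post asks for.

    Two entries are deliberately damaged the way hand transcription damages
    them: one lost its last character, one has the letter O where a hex digit
    belongs. A third repeats a good hash in upper case to show normalisation.
    """
    good = [md5_hex(body) for body in KNOWN_BAD.values()]
    truncated = good[0][:-1]
    misread = good[1][:5] + "O" + good[1][6:]
    return "\n".join([
        "# constructed indicator list (not the FBI memo)",
        f"{good[0]}  c99.php",
        f"{good[1]}  dropper.vbs",
        f"{good[0].upper()}  c99.php (same hash, upper case)",
        f"{truncated}  typed-by-hand.php",
        f"{misread}  misread-O-for-0.vbs",
        "",
    ])


def parse_md5_list(text: str):
    """Return (accepted, rejected).

    accepted is a set of lower-case hashes; rejected is a list of
    (token, reason). Bad entries are reported rather than silently dropped,
    because a silently dropped indicator is a silent miss.
    """
    accepted, rejected = set(), []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # strip comments and blanks
        if not line:
            continue
        token = line.split()[0].lower()       # hash first, label after
        if MD5_RE.match(token):
            accepted.add(token)
        elif len(token) != 32:
            rejected.append((token, f"length {len(token)}, expected 32"))
        else:
            rejected.append((token, "non-hex characters"))
    return accepted, rejected


def match_files(files: dict, indicators: set) -> dict:
    """Hash each file body and return {name: hash} for the ones on the list."""
    hits = {}
    for name, body in files.items():
        digest = md5_hex(body)
        if digest in indicators:
            hits[name] = digest
    return hits


if __name__ == "__main__":
    accepted, rejected = parse_md5_list(build_advisory_text())
    print(f"{len(accepted)} usable indicators, {len(rejected)} rejected")
    for token, reason in rejected:
        print(f"  rejected {token}: {reason}")
    # Constructed scan set: the two bad files plus one benign one.
    scanned = dict(KNOWN_BAD, **{"index.html": b"<html></html>\n"})
    for name, digest in match_files(scanned, accepted).items():
        print(f"  HIT {name} {digest}")
```

MD5 is used here only because that is what the memo carried; a feed designed today should carry SHA-256 alongside it. The point of the rejected list is that a malformed indicator must be visible to the person loading it, not quietly discarded.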
There's more to be said about the user-agent strings and the trivial directory traversal in the memo, all of it already covered by several common signatures, but for now we'll pass over that.
As for the IP addresses, a list of 40 of them is a ridiculous attempt at protecting anything. IPv4 alone has about 4 billion addresses, and a large share of the hosts behind them are compromised at any given time; the estimates vary, but none of them is small.
Against that, 40 addresses is a rounding error. Could someone please tell me how blocking 40 of them will improve anyone's security? Seriously.
Keep in mind that real attackers do not stick to one IP for long. They simply do not. They change the source of the attack constantly, and they make sure the country of origin changes too: compromised hosts, proxies and botnets give them as many source addresses as they need. Therefore, blocking one IP is truly useless; worse, it drops any legitimate traffic from that address while the same attack arrives from the next one. It isn't by blocking a specific IP that you protect a network from threats and attacks. These are stopped by knowing the vulnerabilities and the exploits that target them, and then building protection so that the attack itself, whatever IP it comes from, bounces off your firewall and IPS and never makes it into your network. Blocking IPs is a 1999 move, not 2014.
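To show the contrast between the two approaches in the last two paragraphs, here is an added example (my own code, not the original post's and not anything from the memo) that runs a handful of constructed web-server log lines through both controls: a blocklist of made-up addresses standing in for the memo's list, and a simple directory-traversal signature of the kind referred to above. The signature decodes percent-encoding before matching, so the double-encoded variant in the sample is caught as well. All addresses, paths and timestamps are invented.

```python
"""Source-IP blocking versus a content signature, on constructed web logs.

Added example, not code from the original post. The log lines, the IPs and
the blocklist are all made up for illustration; none come from the FBI/FDIC
memo.
"""
import ipaddress
import re
from urllib.parse import unquote

# Constructed blocklist standing in for the memo's handful of addresses.
BLOCKLIST = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.7/32")]

# Constructed access-log lines (combined log format). Three carry a
# directory-traversal attempt from three different sources; one of them is
# double-encoded. One listed address sends a perfectly benign request.
SAMPLE_LOG = """\
203.0.113.9 - - [01/Sep/2014:10:00:01 +0000] "GET /cgi-bin/../../../../etc/passwd HTTP/1.1" 404 -
198.51.100.200 - - [01/Sep/2014:10:00:02 +0000] "GET /index.php?page=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 -
192.0.2.44 - - [01/Sep/2014:10:00:03 +0000] "GET /static/logo.png HTTP/1.1" 200 -
198.51.100.7 - - [01/Sep/2014:10:00:04 +0000] "GET /about.html HTTP/1.1" 200 -
192.0.2.45 - - [01/Sep/2014:10:00:05 +0000] "GET /dl?f=%252e%252e%252f%252e%252e%252fetc%252fshadow HTTP/1.1" 200 -
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d+)'
)
# A ".." segment followed by a path separator, after decoding.
TRAVERSAL_RE = re.compile(r"\.\.[/\\]")


def parse_log(text: str) -> list:
    """Return one dict per parseable line with ip, method, target, status."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries


def is_blocked(ip: str, blocklist=BLOCKLIST) -> bool:
    """Source-IP control: is the client address inside any listed network?"""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in blocklist)


def has_traversal(target: str) -> bool:
    """Content control: decode percent-encoding until it stops changing (this
    catches double encoding), then look for a '..' path segment."""
    decoded = target
    for _ in range(3):
        step = unquote(decoded)
        if step == decoded:
            break
        decoded = step
    return bool(TRAVERSAL_RE.search(decoded))


def triage(text: str, blocklist=BLOCKLIST) -> dict:
    """Run both controls over the log and report which source IPs each one
    would have stopped or flagged, plus what the IP block alone misses."""
    by_ip, by_sig = set(), set()
    for e in parse_log(text):
        if is_blocked(e["ip"], blocklist):
            by_ip.add(e["ip"])
        if has_traversal(e["target"]):
            by_sig.add(e["ip"])
    return {
        "ip_block": by_ip,
        "signature": by_sig,
        "missed_by_ip_block": by_sig - by_ip,
    }


if __name__ == "__main__":
    for name, ips in triage(SAMPLE_LOG).items():
        print(f"{name:18s} {sorted(ips)}")
```

Run as written, the blocklist stops two addresses, one of which only asked for /about.html, while two of the three traversal attempts sail through because their sources were never on the list. The signature flags all three regardless of where they came from, which is the point of the paragraph above: protection keyed on the exploit survives the attacker changing address; protection keyed on the address does not.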
Now let me explain why all this isn’t just worthless but very dangerous.
When someone who doesn't work in cybersecurity receives a memo like this, they're prone to thinking that as long as they block those IPs and stop those files, they're OK. They're protected. Memos like this create the false impression that this is all there is; otherwise the FBI would alert us more often, right? Wrong! If the FBI were to alert us about everything that's truly out there (and I'm being absolutely candid with you here), they'd be alerting us a thousand times a day. They, like everyone else, just can't keep up with the extent of the threat. I ask again, what good are these sporadic and inconsistent alerts, which do nothing but create panic?
The President's Executive Order on cybersecurity (EO 13636), announced during the 2013 State of the Union, was aimed at creating a collaborative environment between law enforcement agencies and the private sector. We're nearing the end of 2014 and so far, what have we got? A handful of IP addresses and a set of files that may well be harmless? And even if the files weren't harmless, is that all we get?
We welcome collaboration.
We certainly welcome early notifications of attacks that can bolster our positions in this never-ending battle against cybercrime. But this information needs to be more forthcoming, more frequent, and definitely more structured and pertinent. We don't need lists of IPs; those we can find in the reputation databases we already use. We may need those MD5 hashes, but please, send them in plain text, and send them sooner.
To give you an idea of the untimeliness of these advisories, I received one several days ago about an email scam related to EZ-Tag. The emails they were referring to started around two months ago. Two months! Seriously, what's the use of an alert that's two months too late?
Another thing: alerting the end users isn't the way these things should be conducted. The FBI, the FDIC (and any other interested agency) should create something like Microsoft's MAPP: a close-knit circle of vetted people, one or two per company, who receive this information in encrypted text format, in a very timely manner. Now THAT would truly be useful. Of course, this assumes that the information is of use and not just a worthless list of compromised IP addresses.
Please don't get me wrong. I don't bash for the sheer sake of bashing. I am, as all of you are, exceedingly concerned about cybersecurity. A sticker someone put on my office door says, "It is my job to be paranoid". How true. So, if the FBI and all these other agencies wish to collaborate, my door is wide open. Just please, send information that's worth our time, and send it in a timely manner.