
If It's Smart, It's Vulnerable

Mikko Hypponen

14 highlights
security critical-insight great-example

Highlights & Annotations

Everyone knows the game Tetris. Once you have built an entire line of blocks, it disappears. Working in information security is sometimes a bit like playing Tetris: your successes disappear but your failures accumulate. When information security works flawlessly, it is invisible. And rarely is anyone thanked for stopping a disaster that didn’t happen.

Ref. 6B8B-A

One of the saddest consequences occurred in Great Britain. The Down syndrome screenings for pregnant women gave opposite results due to Y2K. This error was not discovered until the summer of 2000. Due to this bug, several mothers bearing children with Down syndrome were told that their child was healthy, and many mothers with healthy children were told the opposite. As a direct result, the Y2K bug caused many unnecessary abortions.

Ref. 81F6-B

“Mom and Dad. It’s lonely here. The nearest village is 10 kilometers away, and there are no neighbors. To pass the time, I wrote a virus and followed the BBS discussions as it traveled around the world. I felt really good when it spread to California. I can’t leave this place, but I wrote something that could.” In a way, I understood the boy. He was a typical virus author of his time: a talented, frustrated young man who wanted to leave his mark on cyberspace.

Ref. B83C-C

Andy told me that keeping the phone numbers of key personnel in hard-copy format at all times was among the lessons learned. Such a sheet of paper will probably never be needed, but if the need arises, it is sure to be acute. Once all the phone numbers of international branches had been gathered, Andy began to grasp how desperate the situation was. It was a case of total destruction—all Windows machines had been wiped clean. As the afternoon wore on, Andy wondered whether this concerned only Maersk, or if all Windows machines in the world had been destroyed. All Maersk’s systems were down, but was it the same everywhere? Looking into the street from his office window, Andy saw that trains were running and people were walking into shops—and breathed a sigh of relief. Only Maersk’s data systems had been destroyed.

Ref. A112-D

Maersk’s IT department worked day and night, only to confirm that data on the DC servers had been permanently overwritten and could not be restored. This had occurred on 150 servers; however, they also found that one DC server was missing. This server was located at Maersk’s Lagos branch in Nigeria. The investigators found out that, by accident, there had been a power outage in Nigeria just when NotPetya struck. This had taken the Lagos server offline, and by the time it was over, Maersk no longer had a network for the server to rejoin. It had been left isolated, outside the network but full of critically important information. It was now the only server that could be used to restore the company network. An attempt was made to transfer the data to the UK over the Internet, but this would have taken days due to slow international connections in Nigeria. Nobody at the Lagos office had a valid visa for travel to London, so the server was taken to Lagos airport, where a London-based employee picked up its hard drives. The IT worker sat in first class on the flight to London, with hard drives—literally worth more than their weight in gold—in their cabin luggage. The drives arrived safely, and the rebuilding of the network could begin.

Ref. 47B5-E

One of the problems with a rescue operation of this magnitude is that the existing systems are untrustworthy. Nobody wants to reactivate malware and allow it to destroy data that has already been restored. So, Maersk wiped all the data on all of their laptops. Next, they proceeded to update the operating system on all workstations.

Ref. E8AF-F

If I had to say something positive about ransomware Trojans, at least they have substantially improved backup routines in companies. Major corporations are now much more diligent about backing up data held on all computers and ensuring that the backups are recent, kept in safe offline storage, and can be comprehensively and quickly restored. The criminal gangs behind ransomware Trojans have also been paying attention.

Ref. 4604-G

The Human Element

All the security problems we’ve seen can be split into two groups: technical problems or human errors. Fixing technical problems can be hard, slow, and difficult, but fixing human errors might be impossible.

Ref. A507-H

The Two Problems

In the end, all information security breaches or data leaks are attributable to errors in technology or human error. Technical errors, such as vulnerabilities in online services caused by programming mistakes, may be difficult, slow, and expensive to fix, but at least they are fixable: find the bug, fix it, find all the vulnerable systems, and update them. Human errors, on the other hand, are practically impossible to fix. People tend to:

- Use the same password across all services
- Open a remote connection to their computer when a scammer requests this over the phone
- Run shady utilities downloaded from the Web or install unnecessary browser extensions

Ref. 1B3C-I

No patch or hotfix is available for the human brain. The only way to update people’s skills is through training. However, after decades of experience, I can say with confidence that training nearly always fails. Regardless of how many times you tell users not to open every email attachment, they typically do so anyway.

Ref. 1522-J

All company networks will always be vulnerable to human error. Perhaps it would be wiser to grasp the nettle and say that some users should not be given responsibility for their own information security, as they are unable to handle it. Modern society requires being online, but how much information security know-how can we expect from pre-teens or pensioners, for example? The right answer may be to remove responsibility from users, who are incapable of bearing it, and shift it to where

Ref. 8ED3-K

belongs: with operating system creators, software companies, telecom operators—and information security companies.

The Heist

Ref. 1F7D-L

never met the CEO. The caller spoke English and went straight to the point. “Are you alone? Can you talk in private?” “Yes, I can.” “Good. Listen carefully. I am putting you onto our company’s insider list. This means that, by law, you are not allowed to disclose anything discussed in this call to anyone. If you have any questions, contact either myself or our general counsel. Do you understand?” “Yes, I understand.” The attacker had planned the tactics well. F-Secure is a publicly listed company, and all such companies have lists of insiders. The conversation is more or less what happens when you are actually added to such a list for real. Convincing the victim that they are about to receive insider information achieves two things. First, the victim cannot easily ask anyone for advice. They cannot go to colleagues and ask what to do when the CEO asks them to settle the invoices. Second, the attacker tries to win over the victim by boosting their self-esteem. They have been specifically chosen by the CEO and are being entrusted with secrets. Once colleagues get curious and ask what the CEO was calling about, the answer, of course, is “Unfortunately, I can’t tell you, it’s classified.”

Ref. BFD2-M

Although the attempted fraud was very well conducted, it failed. It failed because we had already identified all people in our organization who are allowed to make money transfers of this kind and trained them in how to detect fraud. Furthermore, we had built a protocol that employees can use any time to check whether they are actually on the insider list. So, in this case, the victim immediately assumed that they were a target of attempted fraud. In fact, they even recorded the phone call for our research. Unfortunately, we never found the attacker—or at least we haven’t found them yet.

Ref. D88C-N