G DATA ADAN at WKÖ eDay:16 in Vienna

Yesterday, G DATA Advanced Analytics was present at the WKO eDAY:16 in Vienna; a magnificent event, gathering Austrian economists and security professionals. Talks and panels were centered around the question, how to level up on Austrian corporate security in times where the internet is a hostile place.

Live on stage that day was our own Marion Marschalek, who was invited to hold the afternoon keynote. The keynote topic, translated to English, would be “The good, the bad, and the clueless”, a title potentially covering so much that’s happening on today’s internet. There are a lot of WTFs in the cyber, right? On that specific occasion, the focus of ‘cyber’ was all on the wild, wild west of the internet. Just like Clint Eastwood and Lee Van Cleef in the prairie back in the days, we now all have fictional roles and lots of pretentions while hunting for the lost treasure. In reality, roles and intentions aren’t super clear anymore on the cybersinterwebs.

Marion Marschalek during her keynote (CC-BY Paul Landl/wkoe)

To sum it up: Today, you could be chatting with a fridge on IRC. Also, your network could be nuked by a DDoS attack, carried out by an army of… home routers. Yes, indeed there are DDoS botnets operating on CPUs of routers. Furthermore, there are botnets being operated by criminals. And then, there are botnets being operated by spooks. One of those was used by the GCHQ to nuke Anonymous [1]. Now go back home to check up on your router, will you? Scary.

Just like “Hello Barbie”, Mattel’s latest Barbie doll, pretty as ever, and, since recently, extravagantly smart. Because “Hello Barbie” can now listen, understand, and answer things your kid tells her [2]. Or you. Or anyone else who is around, for that matter.

The keynote then moved on to critical infrastructures: lights in Ukraine went out early this year and the BlackEnergy malware was found to be the root cause of trouble [3, 4]. The world was shocked for this attack on critical infrastructure being the first of its kind on such large scale. Security pros on the other hand may be impressed the effort that went into the attack and its minute coordination [5], but aren’t really surprised by the attack itself, silently whistling told ya, told ya, told ya so.

Meanwhile, on the cybercomputerycrime venue — the mere continuation of longstanding objectives with the more or less novel means of information technology [6] — incident responders have taken a step back from the general “It’s China”-attribution to accept that other nationals might also be occasionally involved. Nation states have done their share of espionage on corporations too [7-9], but we don’t quite know yet what that is all about.

What we do know is that nation states have done their share on espionage in general; not only in the Snowden era but naturally since the invention of secret services. The issue now with that particular wild, wild west at hand, is now that espionage has gotten a whole lot easier for nations with offensive capabilities in the information, computer, and network domain (commonly sold as cyber*) [10].

So it happened that some of this planet’s nations turned on to their own citizens with digital weapons. Countries like Bahrain and the UAE put political figures and activists to prison under the pretext of national security, based on information gathered on the cybers. The arms traders in that game are plenty, the two most nefarious are likely HackingTeam, and Gamma Group with their FinFisher product [11]. Those companies operate on the lawful interception market and sell digital surveillance gear to those countries who opted to not develop their own [12].

If, in the end, you do want our advice on how to weapon up for the prairie: keep your eyes open and watch your data carefully, but don’t go crazy. It isn’t your fault wild west has turned upon us, but we all need to deal with it. A vast part of crime on the one side and privacy loss by surveillance on the other side are political concerns rather than technological ones. Meanwhile, ‘cyber’ has entered the agendas of parliaments and roundtables, on some occasions even us normal cowboys and -girls are asked for an opinion. Don’t be shy if that comes to you, Clint Eastwood wouldn’t be either.

Event website: https://www.wko.at/Content.Node/kampagnen/E-Day/index.html

[1] UK Government Used ‘Rolling Thunder’ DDoS Attacks Against Anonymous, LulzSec and Syrian Electronic Army, IBTimes
[2] About Hello Barbie, Mattel
[3] BlackEnergy APT Attacks in Ukraine employ spearphishing with Word documents, SecureList
[4] First on CNN: U.S. investigators find proof of cyberattack on Ukraine power grid, CNN
[5] Inside the Cunning, Unprecedented Hack of Ukraine’s Power Grid
[6] Russian hackers used Windows bug to target Nato, BBC
[7] Brazil-Canada espionage: Which countries are we spying on?, CBC News
[8] Snowden Documents Show U.S. Spied on Petrobras, Globo TV Reports, Bloomberg
[9] French Said to Spy on U.S. Computer Companies, New York Times
[10] Long-Term Strategy Needed When Analyzing APTs: Researcher, Security Week
[11] Schrodinger‘s cat video and the death of clear text, CitizenLab
[12] Here are all the sketchy goverment agencies buying HackinTeam‘s spy tech, Motherboard

Cyber? WTF!

“The only real difficulties in programming are cache invalidation and naming things.” — Phil Karlton

Everything needs a name to go by, right? So did this blog. When we scrolled through the seemingly endless list of new TLDs, we stumbled upon .wtf and while it is all a bit of a blur looking back, our fingers must have developed a dynamic of their own and out came ‘whois cyber.wtf’, which was unregistered for whatever reason¹. During the several days of juggling alternative names – actually spending quite a few thoughts on ‘we probably shouldn’t do this’, anticipating what corporate communications and marketing might think of it – we kept returning to cyber.wtf. When you hear or read people prefixing ordinary, proper, and once actually useful nouns with ‘cyber’, what are your thoughts? We think that ‘WTF?’ might actually be the only appropriate letters to follow on ‘cyber‘. Anyway, this will be our home for the time being. Don’t expect a fixed post frequency, we don’t intend to post for the general sake of creating more bytes on the internet. Expect a post whenever there is both content and time for posting. Expect content that is mostly malware- and/or security-centric, the occasional nifty thing we find mixed in, and where we happen to give a talk. We’ll probably start out with the latter. Judge us by our content, naming is hard.

¹ which at that time actually resulted in

No whois server is known for this kind of object

because whois is pleasantly old-fashioned in its default. -h whois.donuts.co or the line

\.wtf$ whois.donuts.co

in your whois.conf catapults it into a part of the modern age of completely unnecessary but partially wonderful TLDs.