Who will stop the rain?
The long hot summer may be over for now so a question may soon reemerge on everyone's lips, suggests Calum MacLeod
One question has been asked by most people living in the UK this year, as at times it has seemed as if the rain will never stop.
For those of us old enough to remember, the question has been asked many times and never more eloquently than by John Fogerty and the late '60s rock band Creedence Clearwater Revival many years ago.
Long as I remember the rain been comin' down;
clouds of mystery pourin' confusion on the ground;
good men through the ages tryin' to find the sun;
and I wonder still, I wonder, who'll stop the rain.
And if I listen to the "good men" of the various government agencies trying to solve certain problems, there doesn't seem to be much more than "confusion on the ground".
And it's not just the literal rain that seems to be comin' down, but often, in recent weeks, it has been raining malware. Denial of service attacks targeting NTP, malware targeting POS terminals, Yahoo web sites being used to distribute malware, and the theft of sensitive information from the likes of Barclays, and Orange, and that was only the start.
Add to this list the never-ending revelations around government snooping. Turns out that the Dutch government has been monitoring calls for several years.
They finally admitted this, after initially implying they had nothing to do with US National Security Agency activities. The Indian government has been investigating a hacking allegation involving Huawei and relating to its state-run carrier BSNL, and hackers have targeted the websites of the Nepalese government.
Shelter from the storm
Information theft is the tip of the iceberg, and inconvenient as it might be, the bigger issue is that those with the ability to steal information also have the ability to search and destroy.
In just the same way that someone who has gained access can exfiltrate data, they can use that same access level to disable a system.
Yet whether it is the UK government warning about threats to national infrastructure due to cyber attack, or former US Defence Secretary Leon Panetta warning of a cyber Pearl Harbour that would cause physical destruction and the loss of life, most organisations generally continue to blindly follow industry analysts.
And while all this is going on, IT security companies make hay while the rain pours.
While one anti-virus company is lauded with a "Best Protection" award for 2013, another crows that it has boosted its market share against the competition with massive year on year growth -- at the same time claiming success for having discovered malware that has been around since 2007 and which targets government entities, energy companies and other high-profile victims such as research institutions and private equity firms.
Seems like we're all -- as John Fogerty sang -- "caught up in the fable watching the tower grow, five year plans and new deals wrapped in golden chains, and I wonder still I wonder who'll stop the rain."
Rushed together tryin' to keep warm
One might assume malware inventors are earning millions of pounds, and that's a conservative estimate. Malware can earn many thousands of pounds a day, until it is detected.
Of course some of those involved only sell to governments; selling a bug to a gang may guarantee it will be dead in no time, and criminals aren't known for their generosity.
In fact, malware has become a legitimised business. Companies like Vupen only share their discoveries with their clients. After all, it doesn't help anyone if you advise software companies how to fix the problem.
The Vupen chief executive has been quoted as saying: "We don't want to give them any knowledge that can help them in fixing this exploit or other similar exploits. We want to keep this for our customers."
These customers are government agencies which purchase zero-day exploits or hacking techniques that use undisclosed flaws in software, with the explicit intention of invading or disrupting the computers and phones of crime suspects and intelligence targets.
Although Vupen claims to do its best to ensure that only suitable organisations are customers, how can that be ensured? A crumb of comfort in the rain!
Those responsible for the development and use of malware rely on human naivete and trust in others. Ask anyone if he or she would leave the house unlocked, just because they have nosy neighbours, a local police force, and a legal system that supposedly deters burglars, and he or she would think you insane.
Yet we treat our IT infrastructure like that. We invest in anti-virus, intrusion prevention and detection, advanced persistent threat protection, firewalls, you name it, and then simply leave our systems wide open.
When was the last time you checked your customers' systems for extra local accounts, inappropriate local group memberships, bad registry entries, unauthorised directory shares, unauthorised file or directory permissions, file versions on systems, BIOS versions, patches and installed programs?
In most organisations, the answer is probably "never". And yet a regular check of these basic components will probably make the difference between their "house" being safe or not.
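One way to make that regular check routine is to compare each system's current inventory against an approved baseline and report only the deviations. The sketch below is an added example, not code from the article or from any product; the snapshot layout, the category names and all sample values are assumptions, and it covers only some of the items listed above (accounts, group membership, shares, program and BIOS versions).

```python
# Added example: baseline-drift check over constructed inventory snapshots.
# The snapshot layout and every name/value below are assumptions for illustration.

SET_ITEMS = ("local_accounts", "administrators", "shares")   # membership lists
MAP_ITEMS = ("installed_programs", "firmware")               # name -> version

def _norm(name):
    # Windows account, group and share names are case-insensitive
    return name.strip().lower()

def drift(baseline, current):
    """Return sorted (category, change, item, detail) tuples for every deviation."""
    findings = []
    for cat in SET_ITEMS:
        base = {_norm(x) for x in baseline.get(cat, [])}
        cur = {_norm(x) for x in current.get(cat, [])}
        findings += [(cat, "unexpected", x, "") for x in cur - base]
        findings += [(cat, "missing", x, "") for x in base - cur]
    for cat in MAP_ITEMS:
        base = {_norm(k): v for k, v in baseline.get(cat, {}).items()}
        cur = {_norm(k): v for k, v in current.get(cat, {}).items()}
        for name in cur.keys() - base.keys():
            findings.append((cat, "unexpected", name, cur[name]))
        for name in base.keys() - cur.keys():
            findings.append((cat, "missing", name, base[name]))
        for name in base.keys() & cur.keys():
            if base[name] != cur[name]:
                findings.append((cat, "changed", name, f"{base[name]} -> {cur[name]}"))
    return sorted(findings)

# Constructed sample data (not from the article)
BASELINE = {
    "local_accounts": ["Administrator", "svc_backup"],
    "administrators": ["Administrator", "EXAMPLE\\Domain Admins"],
    "shares": ["ADMIN$", "C$", "IPC$"],
    "installed_programs": {"ExampleAgent": "4.2.1", "ExampleOffice": "16.0"},
    "firmware": {"BIOS": "1.14.0"},
}
CURRENT = {
    "local_accounts": ["administrator", "svc_backup", "support2"],
    "administrators": ["Administrator", "EXAMPLE\\Domain Admins", "support2"],
    "shares": ["ADMIN$", "C$", "IPC$", "transfer"],
    "installed_programs": {"ExampleAgent": "4.1.0", "ExampleOffice": "16.0"},
    "firmware": {"BIOS": "1.14.0"},
}

if __name__ == "__main__":
    for cat, change, item, detail in drift(BASELINE, CURRENT):
        print(f"{cat:20} {change:10} {item} {detail}".rstrip())
```

On the constructed data this flags the extra local account, its membership of the administrators group, the new share and the downgraded agent version, while the differently cased "administrator" entry is correctly treated as unchanged.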
"Still the rain kept pourin', fallin' on my ears, And I wonder, still I wonder who'll stop the rain."
Calum MacLeod is EMEA channel director at Lieberman Software