Malware Undetected


The recent massive attacks on web sites, dubbed Beladen and Gumblar, show that one of the primary weaknesses (if not the primary weakness) of information systems is the endpoint.  Attackers have been using malware to steal the FTP credentials of web site maintainers and uploading malicious code that redirects site visitors to servers that attempt to infect their machines.  Leaving aside the fact that a small minority of people may have systems running no or outdated anti-malware software, how do these types of attacks continue to be so successful?

One reason is that most anti-virus software does a very poor job of detecting new, in-the-wild malware.  This is the dirty little secret of the anti-virus industry.  Most anti-virus companies tout 99% or greater detection rates and many independent organizations back this up in their testing.  However, these tests are based on samples of known malware for which vendors have signatures.  These tests often show numbers such as those found in this Virus Bulletin news article.

However, tests that focus on new malware, programs that are actively circulating on the Internet, show a much different result.  In this case, most vendors are lucky if they can detect 50% of the samples.  SRI’s Malware Threat Center conducts daily tests of the major AV vendors’ products against active, in-the-wild malware, and the average detection rate is typically below 60%.  Thus, until a new piece of malware is discovered by the AV vendors and a signature developed, it can infect large numbers of systems.  Plus, most virus authors test their code against the major AV products to ensure it will spread unimpeded.

Anti-virus vendors have added additional technologies to try to improve their ability to detect malware that they do not have signatures for.  One popular mechanism is to use cloud-based detection techniques.  Essentially, this involves comparing a file or its fingerprint to a database of recently discovered malware, even before a signature has been created.  McAfee Artemis is one such product that uses this type of technology.  Vendors are also using more behavioral techniques to detect malware based on the way the application acts when running.  And finally, whitelisting is growing in popularity.  This involves specifying only those applications that are allowed to run.  All others will be blocked.


In the past few months, there has been a noticeable increase in the number of DDoS (distributed denial of service) attacks being launched against large and small targets on the Internet.  For example, during the last 120 days, GoGrid, Telefonica, Register.com and The Planet all suffered large scale DDoS attacks that affected their ability to operate normally.  These attacks have also been directed at smaller web site operators, with sometimes devastating effects.

I recently worked with a client who was the target of a DDoS attack.  This client operates a number of medium volume web sites.  The attack lasted over a week and caused interruptions to the business as well as to the visitors of the sites.  Below are some of the lessons learned from dealing with this incident and how you can help mitigate such attacks against your own networks or those of your clients.

1)  The most important thing you can do to mitigate a DDoS attack is have an incident response plan in place prior to the attack.  Don’t wait until you are in the heat of the moment to figure out how you will react.  You must have a plan in place before the attack begins so that you will be prepared and everyone will know what their responsibilities are.  The plan should include the incident response team, the team leader, internal communications mechanisms, involvement with service providers, public relations, outside security vendors, and any other people who need to be involved with the response.

2)  A high quality firewall, properly placed in the network architecture, can mitigate many types of DoS attacks.  Most leading firewalls, from vendors such as Juniper, Cisco, Checkpoint and Fortinet, can detect and block SYN, ICMP, and UDP floods.  They are also capable of blocking other types of DoS attacks based on protocol anomalies and signatures.  But what we found to be most useful was source IP rate limiting.  This defense mechanism allows the administrator to define a limit on the number of sessions that a single IP can establish.  During a DoS attack, it is typical to see very high numbers of connections from the attacking systems, even when the attack is distributed.

3)  No defense mechanism is very helpful if you don’t have much bandwidth.  If bandwidth is limited, a DoS attack can saturate the network and prevent legitimate users from being able to connect to your systems.  No firewall can help in this situation.  This is why it is important to have a good relationship with your hosting provider or ISP and have a plan in place to deal with these types of attacks.  Ensure that your provider can add additional bandwidth if necessary and that charges will be limited due to the situation.

4)  Some attacks operate at the application layer and, as a result, can be much more difficult to address.  Many firewalls have limited capacity to deal with application layer attacks.  This capability is becoming more common, but still may not be helpful if the attacking systems are sending massive numbers of GET requests, for example.  Other tools you should have in your arsenal are a reverse proxy, an application layer firewall and an IPS.  These tools will give you additional capabilities to write your own rules and block more sophisticated application layer attacks.

5)  Finally, in the event that a DoS attack is sustained and the above mentioned mitigation techniques are not proving successful, there are DDoS mitigation service providers that can be very effective at mitigating these attacks.  These services tend to be very expensive and usually need to be in place prior to the attack.  It requires routing your traffic through the service provider’s network so that when an attack occurs, mitigation can be applied and the traffic scrubbed.  Companies such as Tata Communications, Prolexic, and AT&T all offer this type of service.  If you are a large enterprise, you can purchase your own hardware to mitigate DDoS attacks from vendors such as Arbor or Cisco.  Plan to spend a significant sum on such devices.
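The source IP rate limiting from point 2 can also be run as a detection over your own connection logs. The block below is an added example, not code from the original post or from any firewall vendor: it replays constructed connection-log lines through a sliding-window counter and reports source addresses whose session rate exceeds a configured limit. The log format, the addresses (RFC 5737 test ranges) and the thresholds are all assumptions for illustration.

```python
"""Per-source session counting over firewall connection logs (added example)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format (an assumption): "<ISO timestamp> <src_ip> <dst_ip>:<port> <event>"
# Only NEW (session setup) events count toward the per-source limit.
def build_sample_log():
    """Build a small constructed log: one flooding source and one normal source."""
    base = datetime(2009, 6, 1, 10, 0, 0)
    lines = []
    # Flooding source: 12 sessions opened in under three seconds
    for i in range(12):
        t = base + timedelta(milliseconds=250 * i)
        lines.append(f"{t.isoformat()} 203.0.113.7 198.51.100.10:80 NEW")
    # Legitimate source: 4 sessions spread over a minute
    for i in range(4):
        t = base + timedelta(seconds=15 * i)
        lines.append(f"{t.isoformat()} 192.0.2.5 198.51.100.10:80 NEW")
    # A teardown event, which must not be counted as a new session
    t = base + timedelta(seconds=5)
    lines.append(f"{t.isoformat()} 192.0.2.5 198.51.100.10:80 CLOSE")
    # Order chronologically, as a real log would be
    return sorted(lines, key=lambda ln: datetime.fromisoformat(ln.split()[0]))

def parse_line(line):
    """Return (timestamp, src_ip, event); raises ValueError on a malformed line."""
    ts, src, _dst, event = line.split()
    return datetime.fromisoformat(ts), src, event

def peak_sessions_per_source(lines, window_seconds):
    """Peak number of NEW sessions each source opened inside any window."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # src_ip -> setup timestamps still inside the window
    peak = defaultdict(int)
    for line in lines:
        ts, src, event = parse_line(line)
        if event != "NEW":
            continue
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:   # drop setups that have aged out
            q.popleft()
        peak[src] = max(peak[src], len(q))
    return dict(peak)

def flag_sources(lines, limit, window_seconds=10):
    """Sources whose peak session count within the window exceeds the limit."""
    peaks = peak_sessions_per_source(lines, window_seconds)
    return {src: n for src, n in peaks.items() if n > limit}

if __name__ == "__main__":
    for src, n in flag_sources(build_sample_log(), limit=10).items():
        print(f"{src}: {n} sessions within 10s, over the per-source limit")
```

On a real firewall the same threshold is enforced inline; running it over logs first lets you pick a limit that your legitimate peak traffic never reaches.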

Denial of service attacks can be very difficult and expensive to defend against.  It is very important to plan ahead for this eventuality as waiting until the attack is in progress will lead to more downtime, greater expense, dissatisfied customers and unhappy management.  If you manage even a moderately popular web site, start planning now for how you will respond to a DoS attack.  Odds are that it is only a matter of time before you will have to face this situation.


Bruce Schneier has written extensively on the airport security practices that have been implemented since the 9/11 attacks and for the most part, he views them as “security theater”. This term is used to describe security countermeasures that provide the feeling of improved security or safety, but in actuality provide little, if any, benefit. Examples of such practices include the No-Fly List, random searches of passengers, and the banning of liquids in containers larger than 3.4 ounces. None of these practices actually improve airline security at all, but rather provide the illusion of improving security.

I recently took an international flight on American Airlines where I experienced an egregious example of security theater. It was even worse than theater, because it didn’t even provide the illusion of added security. On the flight home, I had a piece of luggage that I had carried on as well as a backpack. Of course I went through the usual screening and security process where my bags were x-rayed and checked for prohibited items. However, prior to boarding the plane, all passengers had to submit their items for search again. There were about 5 AA staff who forced us to open our carry-ons so that they could look in the bags. This search was cursory at best, and if I had a hand gun, for example, in the bottom of the bag, it would not have been detected. The staff were not conducting a thorough search of the bags and in fact, seemed disinterested.

This type of security theater adds absolutely nothing to flight safety. My bags had already been examined when I went through the normal security process. If I had a prohibited item in my carry-on luggage, presumably it should have been detected then. The second search was pointless. Such countermeasures cost money for the airlines, passengers, and tax payers while providing zero value.

One of the hallmarks of risk management is performing a risk analysis. A risk analysis should include an assessment of the value of the asset being protected, the cost of the countermeasure and the probability of the loss of the asset. If the cost of the countermeasure outweighs the amount of the expected loss of the asset, then the countermeasure should not be implemented. As an example, if the value of the plane is $10,000,000, but the probability of a terrorist planting a bomb on the plane is .01%, then the loss expectancy is $1000. I don’t know the actual probability of a terrorist attack on any particular plane, but I suspect it is VERY low and .01% is probably not unreasonable. Having 5 or 6 staff search the bags of every passenger on a flight certainly costs more than $1000 in terms of lost time, inconvenience and employee salaries. Based on typical risk analysis it appears this countermeasure is not a good use of limited resources. Thus, I can only conclude that this is being done to provide the illusion of security, in other words, security theater.

SEO Poisoning Techniques


Search engine optimization (SEO) has traditionally been the domain of web masters and Internet marketing specialists who understand the importance of high search engine ranking and how to influence sites’ ranking based on various search criteria.  It didn’t take long after the popularity of sites such as Yahoo and Google grew for people to look for ways to manipulate site rankings in order to drive more traffic to their preferred destinations.  Lately, hackers have begun using SEO poisoning techniques in an effort to spread malware and make money.

In order to understand how they do this, it is necessary to understand how search engines rank sites.  This is primarily done on the basis of site popularity.  If a web site is linked to by many other sites, it is assumed that this is a reputable site and it will generate a higher ranking by search engines.  Similarly, if a popular site links to other web sites, those sites will be given a more favorable ranking in search results.  The goal of hackers is to poison search results such that their malicious (typically) web sites will rank high in search results and drive more traffic to them, resulting in increased opportunities for compromising systems.

So how do hackers take advantage of search engines for their own purposes?  Below are several techniques used for SEO poisoning:

1)  Site compromise

Approximately 1 year ago, tens of thousands of web sites, including some very prominent ones, were compromised through the use of XSS to inject iframes into search queries on the sites.  The iframes were then indexed by Google and others such that they ranked very high in certain poisoned search results.  This type of SEO poisoning was possible due to improper input validation on the web sites’ search tool, resulting in a stored XSS vulnerability.  Some of the sites affected included Wal-mart, Target and USA Today.

Another way hackers can take advantage of vulnerabilities in a web site to poison search results is through SQL injection attacks.  If a hacker can find vulnerable web sites (easily achieved through advanced Google searching) and inject links into the targeted sites that point to a malicious web site, then the ranking of the malicious web site will be increased in search engine results.  A recent SEO poisoning attack involving NCAA March Madness search terms was discovered that employed such a technique.  Those who clicked on the malicious links were redirected to malicious web sites that attempted to install rogue AV malware.

2)  Spam domains

Another way for hackers to increase their ranking in particular search results is by registering many domains specifically for the purpose of linking to their desired site.  By creating a large number of sites linking to the target web site, they can increase its rank in search results and thus traffic to that site.  Hackers will often register hundreds of these spam domains purely for the purpose of SEO poisoning.

3)  Comment spamming blogs

As any blogger can attest, many of the comments placed on blogs are nothing more than spam with links to spam or malicious web sites in an effort to increase their search result rankings.  Even my blog, which gets little traffic (unfortunately), gets a tremendous number of spam comments.  In fact, I have stopped allowing comments because I have grown weary of deleting them.  I know there are tools to detect and block spam comments, but when 95% of the comments are spam designed for SEO poisoning, it doesn’t seem worth it.  Usually these comments are generated by automated spambots, so at the very least bloggers should be sure to hold all comments for moderation.
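The site-search XSS in technique 1 comes down to one rendering mistake: the query is written into the results page as markup rather than as text. The block below is an added example, not code from the original post or from any of the sites named: a minimal search-results renderer in its vulnerable form beside the HTML-escaped form, with a constructed query carrying an iframe tag so the difference is visible. The page template, the `example.invalid` host and the check function are assumptions.

```python
"""Search-result rendering, unescaped versus escaped (added example)."""
import html
import re

# Assumed minimal page template; a real site would have far more around it.
TEMPLATE = (
    "<html><body>\n"
    "<h1>Results for: {query}</h1>\n"
    "<ul>\n{items}</ul>\n"
    "</body></html>\n"
)

def render_results_unsafe(query, hit_titles):
    """Vulnerable form: query and titles are concatenated straight into the markup.

    If the site then lets search engines index its result pages, whatever was
    typed into the query, tags included, becomes part of the indexed page.
    """
    items = "".join(f"<li>{title}</li>\n" for title in hit_titles)
    return TEMPLATE.format(query=query, items=items)

def render_results_safe(query, hit_titles):
    """Hardened form: everything that came from outside is HTML-escaped.

    html.escape turns < > & and quotes into entities, so the browser shows
    the query as literal text instead of interpreting it as an element.
    """
    items = "".join(f"<li>{html.escape(title)}</li>\n" for title in hit_titles)
    return TEMPLATE.format(query=html.escape(query, quote=True), items=items)

_ACTIVE_TAG = re.compile(r"<(iframe|script|object|embed)\b", re.IGNORECASE)

def contains_active_markup(page):
    """True if the rendered page carries a tag that can load or run foreign content.

    A coarse check for this illustration; a real review would parse the HTML.
    """
    return _ACTIVE_TAG.search(page) is not None

# Constructed inputs: a query carrying an iframe tag, and one ordinary hit.
INJECTED_QUERY = '<iframe src="http://example.invalid/"></iframe>'
SAMPLE_HITS = ["Garden furniture & accessories"]

if __name__ == "__main__":
    unsafe = render_results_unsafe(INJECTED_QUERY, SAMPLE_HITS)
    safe = render_results_safe(INJECTED_QUERY, SAMPLE_HITS)
    print("unsafe page carries an iframe:", contains_active_markup(unsafe))
    print("escaped page carries an iframe:", contains_active_markup(safe))
```

Escaping on output is the fix for the reflected page; the same escaping belongs wherever a stored query (a "recent searches" box, a cached results page) is written back out.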

Scam Soup


Lately I have been reading about a veritable alphabet soup of Internet scams.  Some are run-of-the-mill phishing or email scams, but some are rather innovative and utilize new attack vectors that I have not seen before.  In this post I will review some of these scams, including one that targeted me.

Economic Stimulus Scam

Cyber criminals frequently use events that are in the news as an opportunity to trick people into visiting malicious web sites where they can infect their systems with malware.  Recently, criminals have been using the economic stimulus bill being proposed by President Obama as a method to attract unsuspecting users.  One email asks the recipient to provide bank account information in order to receive a government deposit.  Another, which appears to come from a government agency, asks the recipient to verify that they qualify for a payment by visiting a web site and inputting personal information.  Of course, in both cases the criminals use the information to commit fraud and/or identity theft.  The FTC has released detailed information about these scams.

Parking Ticket Scam

This is truly an original scam that I thought was rather clever.  In Grand Forks, North Dakota criminals placed phony parking tickets on parked cars.  The ticket instructed drivers to visit a website where they could “view pictures with information about your parking preferences”.  When the user visits the web site it attempts to install malware on their computer.  This is believed to be the first scam of its type, however, it is likely that it won’t be the last.  I can imagine leaflets distributed on cars in mall parking lots advertising some bogus product with a URL to a malicious web site.  Expect to see more of this type of scam.

My Personal Vishing Experience

I recently received an SMS message that appeared to be from my bank.  I have pasted the message below (with bank information changed to protect my personal information):

FRM:auto-notice@bank.org
MSG:State Bank CU urgent notification:unusual activity,please verify your online information at 877-555-8787.

I was immediately suspicious as I was not aware that my bank had my cell phone number and did not think they would contact me in this manner even if they did.  For fun I called the number in the text message and was directed to a full voice mailbox.  No doubt had the mailbox not been full I would have heard a message asking me to leave my bank account information.  This is an example of a vishing attack, which I have written about in a previous post.  Don’t be fooled by such attacks.  No banks request your account information by SMS or email.

Scammers are always looking for new ways to get your personal information.  And as I have shown, criminals will find new and innovative ways to obtain it.

I have always been a fan of Mozilla’s Firefox browser. To tell the truth, I have been using it since its original incarnation when it was known as Netscape Navigator (and Mosaic before that). I always thought it was more intuitive, faster, and had more and better features than Microsoft’s Internet Explorer. Of course, given that IE is included with the Windows operating system, and that Windows commands more than 90% of the desktop computer market, it is no surprise that IE remains the most popular browser in use today with 67% penetration.

However, there is another, even more important reason why Firefox is my preferred browser. Security. IBM’s ISS X-Force recently released its annual report on Internet security which analyzed trends in threats and vulnerabilities for 2008. This is an excellent report that all information security practitioners should read carefully in order to understand the types of threats that we all face. But it was the information on page 56 of this report that really caught my attention.

For many years I have argued that Firefox provides a more secure browsing experience than IE. And now, I have proof to support this opinion. According to the ISS report, nearly 68% of all exploits hosted on malicious websites target ActiveX and IE. Conversely, less than half of one percent of exploits target Firefox. Admittedly, this is likely as much a result of IE’s popularity as a browser as it is Firefox’s superior security. However, Firefox is the second most widely used browser with 21.5% penetration. All things being equal, one would expect more than .3% of the exploits to be targeted at a browser with this much penetration. Clearly there are other forces at work.


So why are criminals giving Firefox a pass?  In order for a vulnerability to be exploited, it must be worth the time and effort that will be required to create the exploit.  That means there must be a high probability that the exploit will be successful and generate revenue for the criminal organization.  The fact that Firefox does such a great job of automating software updates makes it much more difficult to exploit vulnerabilities in the browser.  A July 2008 report found that over 83% of Firefox users were running the most up-to-date and secure version of the browser.  Conversely, only 47% of IE users were using the most up-to-date and secure version of the browser.  This translates into hundreds of millions of people who are using vulnerable versions of IE, ripe for exploitation by criminal elements.  When viewed from this perspective, it is easy to understand why Firefox is a more secure browser than Internet Explorer.


In two separate incidents earlier this month, well known security companies had their web sites breached as a result of SQL injection vulnerabilities.  The first was Kaspersky Labs, an anti-virus vendor, which reported the incident on February 9.  Two days later, it was reported that BitDefender, another anti-virus vendor, also had their web site hacked by the same Polish hacker who had successfully breached the Kaspersky site.  Again, a SQL injection vulnerability was the cause.

If you do not pay attention to reported incidents and vulnerabilities, you might assume that security vendors would not frequently be the victims of web hacks or have vulnerabilities found in their software.  However, nothing could be further from the truth.  I have been in the security industry for over 13 years and sadly, the companies that are selling security software and services seem to be just as likely as everyone else to be on the wrong end of a security problem.  McAfee, Trend Micro, Barracuda, Cisco and Check Point (to name just a few) all reported serious vulnerabilities in their products in 2008.  And now we are seeing security companies falling victim to web application attacks as well.

We should demand more from our security vendors.  These are the companies that are securing our infrastructures and protecting our data.  They need to ensure that the products they are selling are secure, because as a consumer of these products, I cannot afford to take the chance that my environment will be compromised due to a weakness in their systems.  And I certainly don’t want to be in a situation where I am frequently applying security patches to my security systems.  I for one will avoid purchasing products from any security vendor that has a poor track record of providing quality, secure products.  This is the only way that they will get the message that we expect more from the vendors that we entrust with the security of our data.

Another day, another major breach of credit card data. And this one is a doozy. The payment processor Heartland Payment Systems released a statement on January 20th that they had suffered a breach and an unknown number of credit card accounts had been compromised. Heartland is the 5th largest payment processor in the world, with over 250,000 customers and handling over 100 million transactions per month. It is likely this breach will result in the compromise of more accounts than the infamous TJX breach of 2006, in which approximately 95 million card accounts were exposed.

It appears this hack was a result of poor endpoint security and a lack of encryption of data in motion. I will start by stating that Heartland was in compliance with the PCI DSS and had been audited in April of 2008. That being said, PCI DSS compliance does not guarantee that data is secure. It is a good starting point, but more can and should be done, to ensure the protection of cardholder data.

Back to the Heartland hack; according to the information I have read so far, it appears that some number of systems in their cardholder data environment became infected with spyware that was able to sniff credit card account information while it was being transmitted over the network. If this is true, it validates my belief that endpoint security is oftentimes the weakest link in the enterprise security environment. I have no doubt that these systems had anti-virus software installed. However, anti-virus software is only as good as its signature database and most are woefully inadequate at detecting malware, especially custom malware. In environments with high security concerns, it is appropriate to utilize application whitelisting utilities that allow only those applications that are specifically defined to execute. These utilities don’t rely on signatures and significantly reduce the threat of malware.

The other problem in the Heartland environment was the fact that credit card data was being transmitted between them and the card companies in clear text. The reason this was not highlighted as a violation of the PCI DSS is that many payment processors use dedicated leased lines to the payment brands, which is often cited as a compensating control for the use of encryption. Clearly, this is a weak compensating control that allows for unfettered access to information on the network in the event that a workstation or server is compromised. Best practice would dictate that account numbers should be encrypted over the network, which is easily achievable with a variety of methods. Defense in depth is the lesson to be learned here.

Finally, it appears that Heartland did not have very strong logging and monitoring controls in place as they did not detect the malware themselves. They were notified by Visa and Mastercard of suspicious activity coming from their network. Once notified, Heartland took nearly two months to disclose the breach. It appears their handling of this incident may be in violation of several state laws. If the scope of the breach is as large as is being reported, Heartland may end up spending $100 million dollars or more to deal with this incident. They are already facing a lawsuit as a result of the incident. This is far more money than it would have cost to secure their endpoints and encrypt data in motion. Look for the PCI DSS to be amended as a result of this incident to address these issues.

http://datalossdb.org/incidents/1518-malicious-software-hack-compromises-unknown-number-of-credit-cards-at-fifth-largest-credit-card-processor


Recently, several organizations have released data on security breaches for 2008. As you would expect, there were more reported breaches in 2008 than in 2007. Based on information from the Identity Theft Resource Center, the trend is summarized below:

  • 2008 - 656 breaches with 35.6 million records exposed
  • 2007 - 446 breaches with 127 million records exposed
  • 2006 - 315 breaches with 20 million records exposed
  • 2005 - 158 breaches with 64.8 million records exposed

Clearly the trend indicates that more breaches are being reported with a more than 4X increase in the last four years. The question is whether this indicates an actual increase in compromised systems or an increase in the number of organizations reporting breaches.

In 2003, California became the first state to pass a data breach disclosure law. Since then, at least 43 other states have passed similar legislation requiring organizations to notify their customers in the event that their personal information is disclosed. And the federal government is considering passing similar legislation. Thus, enterprises are now required to report data breach incidents, whereas in the past this was not the case. Therefore, it would be a mistake to assume that the rise in reported data disclosure incidents is strictly due to a greater number of such incidents. It is difficult to know whether the rise is due to greater reporting requirements or an actual increase in the number of incidents.

One thing is certain; state laws requiring notification of data disclosures have led to a wealth of information on such incidents. And organizations such as the Open Security Foundation have built web sites that track and publish information on data loss incidents. This is a positive outcome of state breach notification laws, as it will force companies to take proactive measures to secure their customers’ personal information, which will help make us all more secure.


This is the time of year when information security professionals like to make prognostications about future trends in the industry.  The soothsayers who pen these prophecies rarely provide any information that could be considered earth shattering or even mildly prescient.  I am not gifted with the ability to see into the future, and even if I was it is likely I would suffer the same fate as Cassandra and no one would believe me.  Thus, I will not attempt to make any predictions about the future.  I will however, make a statement of fact about the future.  And since this is a truism, it is not a prediction:

Those who use computing resources for nefarious purposes, including phishers, spammers, virus writers, crackers, organized crime units and any other group or individual who sees an opportunity to make money by obtaining information illegally or using computing resources without authorization, will continue to stay 2 or 3 steps ahead of those attempting to secure systems against such people.

I have been involved with information security for over 10 years and I can honestly say that the state of information security has never been worse.  There are more threats now than at any time in the past.  There are more vulnerabilities now than at any time in the past.  And the job of the information security professional is more demanding and complex than ever.

To some extent, this is to be expected.  Information systems are pervasive in every aspect of our lives.  And moreover, these systems are all interconnected.  Our appliances can communicate with their manufacturers.  Our phones have morphed into miniature computers with all the power and vulnerabilities common in desktop PCs.  Our cars have computers that are capable of determining faults and sending this information to dealers who can resolve the issue.  And our national infrastructure, such as electrical grids, dams, nuclear power stations and stop lights, are all controlled by computers and often are connected to the Internet.

Information systems are more complex than ever.  The bad guys have ever more opportunities to attack those systems and make money from using them illegally.  The threats are real and protecting against them is difficult.  Unfortunately, I don’t see anything that will change this scenario in 2009.  Happy New Year.