adventuresinsecurity.com Blog » Current Events

User Awareness Alert: Open source digital signatures might be vulnerable

Tom Olzak — Mon, 13 Mar 2006 14:36:19 +0000

“A pair of security bugs in cryptography software could allow an attacker to insert content into a digitally signed message or forge signatures on files.

“The flaws lie in the open-source GNU Privacy Guard software, also known as GnuPG and GPG, the GnuPG group said in two alerts. The software, a free replacement for the Pretty Good Privacy cryptographic technology, ships with many open-source operating systems such as FreeBSD, OpenBSD and many Linux distributions” (By Joris Evers, CNET News.com Published on ZDNet News: March 10, 2006, 2:38 PM PT).

Read the rest of the article

Listen to our podcasts –>

Free Security Training available at http://adventuresinsecurity.com/SCourses.html

Technical Security Alert: Rootkits can be hidden in virtual machines

Tom Olzak — Mon, 13 Mar 2006 14:13:02 +0000

“Security researchers have uncovered new techniques to hide the presence of malware on infected systems. By hiding rootkit software in virtual machine environments, hackers have the potential to avoid detection by security software, boffins at Microsoft Research and the University of Michigan warn” (John Leyden, published 13 March 2006 in The Register).

View the rest of the article

Listen to our podcasts –>

Free Security Training available at http://adventuresinsecurity.com/SCourses.html

CipherTrust Toolbar to Protect Email Users

Tom Olzak — Sun, 12 Mar 2006 20:16:05 +0000

Last week, I wrote a blog article about the growth of SPF and Sender ID technology in the fight against unwanted email (spam, phishing, etc.). It appears that CipherTrust is taking advantage of its own implementation of these standards to help make the Internet a safer place – at no cost.

On Monday, March 13, CipherTrust plans to make available for download a free toolbar for Outlook and Lotus Notes email users. The toolbar will be available from the CipherTrust Research Portal, which will also launch Monday.

This is the way it works:

The user clicks on an email
The CipherTrust toolbar program sends the IP address of the sender to a CipherTrust hosted server running the TrustedSource reputation engine for analysis
The results of the analysis are returned to the user’s desktop causing the toolbar to flash:

Green with a happy-face when the email is from a reputable sender
Yellow for questionable trustworthiness
Red when the user should probably just delete the message

The data used for analysis come from CipherTrust’s global network of more than 4,000 sensors installed in business and government networks. They’re collected on TrustedSource servers where the trustworthiness of the source is assessed to a very granular level. The assessment is based on the following criteria:

Is this the first time the sender has been seen? According to CipherTrust, about 30% of IP addresses analyzed fall into this category. Of those, about 95% are spam, viruses, etc.
How much email is the sender responsible for?
Does the sender send and receive email, or just send?
Does the sender’s behavior seem “bursty” or is it more continuous?

This is one more step in the right direction. Although not perfect, it goes quite a distance down the path toward a world in which the Internet is a safe place to travel the globe.

Author: Tom Olzak

Listen to our Podcast –>

Free Security training available at http://www.adventuresinsecurity.com/SCourses.html

Laptop Encryption: Reasonable and Appropriate?

Tom Olzak — Mon, 20 Feb 2006 17:52:39 +0000

Senior U.S. District Judge for the District of Minnesota, the Honorable Richard H. Kyle, ruled last week that companies don’t have to encrypt their data as a requirement of the Gramm-Leach-Bliley Act of 1999. The GLBA places a set of constraints on how financial insitutions should handle customer information. There’s been plenty of coverage on this issue since the ruling. But I’d like to look at this from a different perspective; given HIPAA, SOX, GLBA, and the standards of ethical behavior, what actions should be considered reasonable and appropriate when protecting sensitive consumer information?

Judge Kyle (Security Pro News)

Stacy Lawton Guin, the plaintiff in a suit against John Wright, held that any financial organization storing investor information on electronic media must encrypt that information. Wright, a financial analyst, did not encrypt Guin’s information on his laptop. So when his laptop was stolen during a burglary of his residence, Guin became potentially vulnerable to identity theft, fraud, or other types of crime related to the use of sensitive personal information.

When brought before Judge Kyle, he dismissed the case. Judge Kyle’s reason for dismissal was the lack of encryption requirements in the GLBA. But does this relieve Wright of all responsibility? Did he implement “reasonable and appropriate” safeguards to protect his clients’ information? Let’s examine the facts.

According to information presented before Judge Kyle, Wright’s home was in a low crime area. Further, the information stolen was in Wright’s home due to the nature of his job; he worked from home as a financial analyst for Brazos Higher Education Service. Finally, indications were that Wright took reasonable steps to secure his home. Based on this information, I personally believe Wright did take reasonable and appropriate steps to protect Guin’s information. But that’s just my opinion.

There are a lot of what-ifs that didn’t make it into the case, probably because they were irrelevant to the incident under review. I spent about five minutes thinking about variations for how Wright’s laptop data might have been used. Figure 1 is a short list(strictly fictional). Next to each condition I list whether I believe encryption should be used.

Figure 1 (Click to Enlarge)

It’s pretty clear that under any circumstances other than leaving his laptop in his locked home, with little or no transient foot traffic, in a low crime neighborhood, that it’s reasonable and appropriate to encrypt sensitive customer information stored on the laptop.

The point I’m trying to make is this — Judge Kyle’s decision based on a necessarily narrow interpretation of the law should’t be used as an excuse for businesses to immediately back away from any or all projects leading to laptop encryption. Because the GLBA isn’t grounds for civil liability in this case doesn’t mean that there aren’t strong liability issues under many other circumstances. Besides, protecting consumer information is the right and ethical thing to do.

Author: Tom Olzak

Resources: RSS Feed for our Podcasts

Your email:
subscribe unsubscribe

Invasion of the Botnet Armies

Tom Olzak — Sun, 12 Feb 2006 23:36:29 +0000

In previous articles, I wrote about malicious hackers (crackers) moving away from attacks for bragging rights to attacks for profit. Part of this transition is the increased use of zombie PCs, or bots, to surreptitiously acquire personal and business information with criminal intent. In this article, I describe the nature of bots and botnets, the danger to your organization from these growing threats, and some things you can do to protect your information assets.

What are botnets?

A bot is a program that, when installed on a system, provides the bot owner with remote control capabilities without the system owner’s knowledge.  The system on which the bot is installed is called a zombie. A network of zombies, under the control of a bot master, is a botnet. Botnets can range in size from just a few zombies to zombie herds of a million or more infected systems. So what’s the big deal?  Most networks are protected by anti-virus software. The big deal is that the way in which bots are deposited in systems is undetectable to most anti-malware software.

Bots are typically installed as part of a rootkit delivered to target systems via various attack vectors – the most common are email and spyware, with instant messaging closing fast. Crackers use rootkits to install bots on target systems so they aren’t visible when listing processes, directories or folders, or by using any other administrative search or management utility.

The value of botnets is their stealth. Organizations or individuals who know sensitive information about them is compromised can take steps to protect themselves. This limits the revenue potential of the illegally obtained information.

What is the danger to your business?

Once a bot master has control of a system, she can perform a variety of tasks to obtain valuable information.   These tasks include:

Keystroke logging of user IDs, passwords, and banking and credit card information

Theft of intellectual property

Information relevant to personal identity theft or social engineering

Social security numbers

Dates of birth

Addresses

Employee IDs

Zombies are also used to conduct Distributed Denial of Service (DDoS) attacks. For example, criminals use DDoS attacks to shut down access to Internet businesses or to disrupt operations of brick-and-mortar organizations until the victim pays the bot master, or his client, a specified sum.

A recent example of a more low key use of a botnet is the Jeanson James Ancheta case. Ancheta, based in California, built an army of approximately 400,000 zombies. He then allegedly sold access to his botnet to crackers and spammers. Further, Ancheta allegedly generated revenue by using his remote control capabilities to deposit adware on the compromised systems (Brandt, 2005). In January 2006, Ancheta pleaded guilty as part of a plea agreement. But this is just one of a growing number of botnets, most of which are still alive and well.

According to Symantec’s Internet Security Threat Report (Volume VIII), 10,352 botnets operated each day during the first half of 2005. This was a significant increase from the less than 5000 daily botnet count reported six months earlier. Symantec gathers this information by using 24,000 global sensors.

What can you do to protect your business?

The best thing you can do to protect your information assets is to be proactive. Once bots are placed on your systems, they are difficult, if not impossible, to detect. Some ways to prevent your systems from being shanghaied into a botnet army include:

Develop an effective patch management program to eliminate critical security vulnerabilities

Include in your employee security awareness training an explanation of the dangers of spyware and how it’s invited into end point devices

Monitor your network for network or packet anomalies indicative of attempted or successful zombie recruitment

Encrypt critical or sensitive information in transit and while residing in databases, flat files, backup tapes, laptops, etc. (see Data Storage Security)

Control or prohibit the use of public instant messaging or email services (i.e. AOL, MSN, Yahoo, et al)

Use enterprise web filtering software to prevent users from visiting sites known to harbor malicious code

Check enterprise email at the perimeter, before your users have to decide whether to open a message or attachment on their desktops

Malware detection vendors are beginning to provide software to identify and eradicate rootkits.  RootKitRevealer from Sysinternals is a free utility that performs this function. Other vendors are working on solutions, but progress is slow.

Conclusion

The mission of crackers is changing. Massive Internet attacks are being scaled back to attacks targeting specific targets for the purpose of generating revenue. Organizations must take steps to ensure the safety of their systems, their employees, and their customers – including applying pressure to vendors to accelerate development of rootkit and bot prevention and detection solutions.

Author: Tom Olzak

Sources:

Brandt, A. (2005, November). Alleged botnet crimes trigger arrests on two continents. PC World. Retrieved February 11, 2006 from http://www.pcworld.com/news/article/0,aid,123436,00.asp

Symantec Internet Security Threat Report, Volume VIII

Resources:

CypherTrust’s ZombieMeter

University of Washington Spyware Study Results

Tom Olzak — Fri, 10 Feb 2006 12:26:47 +0000

In a recent University of Washington paper (see Sources below), the results of a five month study (May 2005 to October 2005) of the state of spyware on the Internet were documented. The following is a summary of the researchers’ conclusions:

In October 2005, the researchers crawled 20 million URLs. Of that number, 19% contained executable programs.  5.5% of the executables and 4.4% of the domains contained piggy-backed spyware. Piggy-backed spyware is code that is attached to a file a user downloads from a web site.

Although most of the spyware turned out to be adware, 14% of the spyware contained potentially malicious code. This malware included trojans and dialers.

Sites specializing in pirated intellectual property have the highest percentage of drive-by attacks (malware downloaded without the user’s knowledge just by visiting the site). Celebrity sites were a close second.

There was a 93% reduction in pages carrying drive-by attacks during the five months of the study. But don’t uninstall your anti-spyware software yet. The researchers concluded that there’s still enough malicious spyware to go around.

Author: Tom Olzak

Sources:

A Crawler-based Study of Spyware on the Web, University of Washington

Your email:
subscribe unsubscribe

BIOS Rootkit Attacks: What’s the Real Risk?

Tom Olzak — Wed, 01 Feb 2006 16:45:00 +0000

As I’ve written in previous articles, the frequency of malicious rootkit installations is increasing. Now it seems that even the BIOS is a potential target. John Heasman, principle security consultant for Next-Generation Security Software, announced this week that a collection of functions known as the Advanced Configuration and Power Interface (ACPI) could be used to deposit a rootkit in the BIOS in flash memory. This is rather easy to do, said Heasman, because the ACPI has a high level programming language that’s easy to learn and easy to use.

When I read this story, which was covered on almost every security web site, I was initially concerned. Who wouldn’t be? The BIOS is the most fundmental layer of functionality in any PC. But the more I thought about it, the more I wondered about how much risk a BIOS rootkit actually presents to a business network. After some research, I concluded that the risk is very low for businesses that take normal precautions.

In this article, we’ll look at rootkit technology, how engineers or programmers flash the BIOS, the typical safeguards protecting BIOS access, and what you can do to protect your business from BIOS rootkit issues.

Rootkits appeared about 10 years ago. Their initial purpose was to provide “back doors” into applications and systems, bypassing the normal security safeguards. Many rootkits were installed by developers who wanted quick access to system internals, especially if the standard access methods failed. But the one defining characteristic of rootkits was stealth. They were invisible to users, system administrators, and to most malware detection tools.

Over the years, rootkit development and use took two paths.  The first path led to ethical uses. Again, providing back door system management functionality as well as the ability to collect information for forensic or administrative purposes. The second path led to malicious activities designed to surreptitiously acquire information with criminal intent. Today’s rootkits can perform many functions, including

keystroke logging

interception of system calls, resulting in system behavior modified to suit the needs of the rootkit owner

remote control of a system

Malicious rootkits are typically installed by exploiting a software vulnerability, either in the operating system or an application. Although there was one well known successful application of rootkit technology to BIOS firmware in 1999 (CIH), rootkit infections of BIOS implementations have been largely ignored by the hacking community. But with stronger system safeguards, attackers are looking for other avenues of entry into your computers.

So how can an attacker gain access to PC, server, and peripheral BIOS firmware? One way a to install a rootkit in BIOS firmware is through a user-initiated firmware upgrade. Firmware upgrades are often necessary to correct problems with hardware operation or to add additional functionality. In this scenario, the point of greatest vulnerability is retrieving the new firmware file. It should be downloaded from the hardware vendor site or obtained from a reputable local hardware vendor. This is the point at which it’s most probable that an infection will occur. As with the CIH attack, the firmware may already contain a rootkit. This is why it’s important to get it from a well-known and secure source.The other way infected firmware can be loaded into your hardware is through the actions of an attacker. This normally requires physical access to the system to be compromised. Why? Because most hardware components are protected against changes to BIOS firmware with a jumper or a password.In the case of a jumper, the attacker would have to physically move the jumper to enable firmware flashing. With most hardware, this requires not only physical access to the device, but also the opportunity for partial disassembly of the system in which the device is installed. Standard physical controls should be sufficient to prevent this type of access.The effectiveness of firmware password safeguards depends on how you manage both administrative and physical processes. If your engineers changed the password, the attacker may have to execute a series of steps to reset the BIOS security configuration to factory defaults. This requires the same kind of access as that described for jumper manipulation. However, once the factory defaults are restored, vendor passwords are easily obtained. Again, standard physical access safeguards should be sufficient to prevent this type of access – especially if your engineers change the firmware password as part of all hardware installations.There are other ways to compromise the BIOS. For example, overloading keyboard buffers is often one attack method that works on older systems. And BIOS password cracking software exists and is available for download from the Internet. But physical access is still necessary in many cases to enable firmware changes.

Although firmware rootkit attacks should be considered when reviewing the effectiveness of your security program, I don’t believe you have to declare a state of emergency because of this week’s announcement. A business that follows security best practices should be adequately protected from the kinds of access necessary to effect a firmware rootkit infection. Probably the most important point to take away from reading this article is how critical it is for your engineers to be aware of the potential risks related to obtaining clean firmware. Awareness is your first line of defense against BIOS rootkit attacks.

Author: Tom Olzak

Resources: RSS Feed for our Podcasts

Sources:

Researchers: Rootkits headed for BIOS

The Basics of Rootkits: Leave no Trace

BIOS Flashing and Hotflashing

How to Bypass BIOS Passwords

Your email:
subscribe unsubscribe

Cyber-espionage: How vulnerable are we?

Tom Olzak — Thu, 26 Jan 2006 17:56:33 +0000

Hacking activities thought to be related to the theft of government secrets are a real threat to national security. In a January 25, 2006 article in ComputerWorld, John E. Dunn reported that email containing an exploit for the Microsoft Windows WMF vulnerability was sent to recipients in the UK House of Parliament.

According to Dunn, over 70 PCs were targeted on January 2, 2006 with messages intended to install keyloggers. This was confirmed by MessageLabs Ltd – the government’s message filtering company. Luckily, the messages were identified and stopped before they could reach their targets. The most disturbing piece of information coming out of this incident is the source of the attack – Guangdong Province in China.

An isolated, one-time attack might be passed off as just another malicious individual flexing his muscles. But this is at least the second incident in which Chinese attackers have targeted foreign governments.

On November 1, 2004, attackers located in Guangdong Province launched an attack against the U.S. Army facility at Redstone Arsenal.  But this attack is thought to have been successful. It is believed that U.S. military secrets, including aviation specifications and flight planning software, were stolen. It is also believed that the intended recipient for this information was the Chinese government. This successful breach of U.S. Government security is part of an on-going attempt by the Chinese to hack into government computers. U.S. Officials have named the hackers Titan Rain.

So just how vulnerable is the U.S. infrastructure to cyber attacks by other nations or terrorist groups?

During a 2004 FISMA required audit of security implemented by entities within the Federal government, seven departments failed to achieve a passing grade. Included in the list of failed departments was the Department of Homeland Security (DHS).

Congress and the Bush administration cut by 7% the 2005 DHS budget for cyber security programs.

In February 2005, The Presidential IT Advisory Committee (PITAC) completed a report entitled “Cyber Security: A Crisis of Prioritzation.” The following findings and recommendations were presented to the Bush Administration:

Finding: ”The Federal R&D budget provides inadequate funding for fundamental research in civilian cyber security.” Recommendation: The NSF, DHS, and DARPA budgets should be increased significantly.

Finding: “The Nation’s cyber security research community is too small to adequately support the cyber security research and education programs necessary to protect the United States.” Recommendation: Double the size of the civilian cyber security fundamental research community by the end of the decade.

Finding: “Current cyber security technology transfer efforts are not adequate to successfully transition Federal research investiments into civilian sector best practices and products.” Recommendation: The relationship between the Federal government and the private sector must be strengthened. Lines of communication and cooperation must be developed and maintained.

Finding: “The overall Federal cyber security R&D effort is currently unfocused and inefficient because of inadequate coordination and oversite.” Recommendation: The Interagency Working Group on Critical Information Infrastructure Protection should become the focal point of R&D efforts, coordinating and priortizing all activities.

In December 2005, the members of the Cyber Security Alliance expressed to the Bush Administration its frustration with the lack of progress made in addressing online crime. The Group - including organizations like Computer Associates, McAfee, Symantec, and RSA – believes that the lack of support and leadership shown by the Federal Goverment threatens the economy and national security.

We should not expect the Federal goverment to solve all our problems. But we should expect leadership when national security and the overall public welfare are threatened. Congress and the President must change their priorities when addressing cyber security within the context of overall defense and social spending.  If this does not happen, hackers will continue to outstrip our ability to protect our national infrastructure; terrorists and foreign governments will find us a soft target.

Author: Tom Olzak

Sources:

Security experts lift lid on Chinese hack attacks

Tech Group Blasts Federal Leadership on Cyber-Security

PITAC Report on Cyber Security, February 2005

Your email:
subscribe unsubscribe

Planning for the Ultimate Hack

Tom Olzak — Tue, 24 Jan 2006 17:33:51 +0000

The attack surface for hacking opportunities is getting larger every day. Even anti-virus applications are vulnerable. F-Secure just announced a patch for a vulnerability in their product. On this side of the ocean, Symantec announced several weeks ago that its AntiVirus Library might allow the execution of malicious code because of a high-risk buffer overflow vulnerability. The important point to take from these announcements is that AV applications are still just that – client-side applications. ALL client side applications are written by humans. Humans make mistakes. Mistakes equal security vulnerabilities.

As organizations shore up their Windows operating systems, non-Microsoft applications are becoming a more attractive target for hackers. The SANS institute warns that the number of flaws in client-side applications continues to grow; this includes applications ostensibly intended to protect our end user devices and our networks. This is providing easier access to sensitive information, which can result in HIPAA violations, identity theft, etc. The bottom line? Plan for a hacking, because it’s coming to a network near you.

But what is the best planning approach? Some organizations plan for small events. They base their planning decisions on the premise that the probability is quite low that a worst case scenario will become reality. Other organizations plan for worst case scenarios, with the understanding that if their response team is trained in the worst that can happen, they can take care of lesser incidents. I subscribe to the latter approach.

Incident response includes planning, team development, and testing. If your team trains for small hacks, it may not be able to react to the big one when it occurs. The proverbial handwriting is on the wall; the probability that your business will be the victim of a major compromise is growing every day. Plan accordingly.

Author: Tom Olzak

Resources:

Anti-virus Software: The Next Big Worm Target?

The Worst-Case Hack Scenario

NIST Guide to Malware Incident Prevention and Handling

Your email:
subscribe unsubscribe

Mobile Mayhem

Tom Olzak — Mon, 23 Jan 2006 19:46:36 +0000

Cell phones have been relatively safe from the dangers faced by PCs, Servers, and other network connected devices. But this is changing. As cell phone use grows, so do the opportunities for attackers.

According to an eWeek article by Ryan Naraine, a new batch of Trojans targeting Symbian OS based cell phones has been released into the wild (see link below).  Two of the three are spread by Bluetooth connections.

As attacks against cell phones increase, anti-malware vendors are rushing to fill a growing demand for mobile device protection software. But so far, the malware infecting cell phones might not be causing the level of financial impact that justifies the added expense.

Resources:

eWeek Article – Triple Trojan Threat Calls on Symbian Cell Phones

Wireless Handheld Device Security

New Trojan Horses Threaten Cell Phones