“‘We just received a report that a particular site uses the vulnerability to install a spybot variant,’ the SANS Institute’s Internet Storm Center (ISC) warned Friday in an alert. ‘It is a minor site with insignificant visitor numbers according to Netcraft’s ‘Site rank.’”

 Read the whole Story

Listen to our Podcasts –>

Free security training available at http://adventuresinsecurity.com/SCourses

In this paper we focus on one of the most dangerous types of attack – DNS cache poisoning.  To provide a complete picture of this threat, we’ll explore how DNS works, two ways crackers facilitate cache poisoning, what impact this type of attack can have on your organization, and steps you can take to protect your information assets.

Download this paper

Author:  Tom Olzak 

Listen to our Podcasts –>

Free security training available at http://adventuresinsecurity.com/SCourses

On Monday, March 13, CipherTrust plans to make available for download a free toolbar for Outlook and Lotus Notes email users.  The toolbar will be available from the CipherTrust Research Portal, which will also launch Monday.

This is the way it works:

1. The user clicks on an email
2. The CipherTrust toolbar program sends the IP address of the sender to a CipherTrust hosted server running the TrustedSource reputation engine for analysis
3. The results of the analysis are returned to the user’s desktop causing the toolbar to flash:
1. Green with a happy-face when the email is from a reputable sender
2. Yellow for questionable trustworthiness
3. Red when the user should probably just delete the message

The data used for analysis come from CipherTrust’s global network of more than 4,000 sensors installed in business and government networks.  They’re collected on TrustedSource servers where the trustworthiness of the source is assessed to a very granular level.  The assessment is based on the following criteria:

1. Is this the first time the sender has been seen?  According to CipherTrust, about 30% of IP addresses analyzed fall into this category.  Of those, about 95% are spam, viruses, etc.
2. How much email is the sender responsible for?
3. Does the sender send and receive email, or just send?
4. Does the sender’s behavior seem “bursty” or is it more continuous?

This is one more step in the right direction.  Although not perfect, it goes quite a distance down the path toward a world in which the Internet is a safe place to travel the globe. 

Author:  Tom Olzak

When I read this story, which was covered on almost every security web site, I was initially concerned.  Who wouldn’t be?  The BIOS is the most fundmental layer of functionality in any PC.  But the more I thought about it, the more I wondered about how much risk a BIOS rootkit actually presents to a business network.  After some research, I concluded that the risk is very low for businesses that take normal precautions.

In this article, we’ll look at rootkit technology, how engineers or programmers flash the BIOS, the typical safeguards protecting BIOS access, and what you can do to protect your business from BIOS rootkit issues.

Rootkits appeared about 10 years ago.  Their initial purpose was to provide “back doors” into applications and systems, bypassing the normal security safeguards.  Many rootkits were installed by developers who wanted quick access to system internals, especially if the standard access methods failed.  But the one defining characteristic of rootkits was stealth.  They were invisible to users, system administrators, and to most malware detection tools.

Over the years, rootkit development and use took two paths.  The first path led to ethical uses.  Again, providing back door system management functionality as well as the ability to collect information for forensic or administrative purposes.  The second path led to malicious activities designed to surreptitiously acquire information with criminal intent.  Today’s rootkits can perform many functions, including

1. keystroke logging
2. interception of system calls, resulting in system behavior modified to suit the needs of the rootkit owner
3. remote control of a system

Malicious rootkits are typically installed by exploiting a software vulnerability, either in the operating system or an application.  Although there was one well known successful application of rootkit technology to BIOS firmware in 1999 (CIH), rootkit infections of BIOS implementations have been largely ignored by the hacking community.  But with stronger system safeguards, attackers are looking for other avenues of entry into your computers.

So how can an attacker gain access to PC, server, and peripheral BIOS firmware? One way a to install a rootkit in BIOS firmware is through a user-initiated firmware upgrade.  Firmware upgrades are often necessary to correct problems with hardware operation or to add additional functionality.  In this scenario, the point of greatest vulnerability is retrieving the new firmware file.  It should be downloaded from the hardware vendor site or obtained from a reputable local hardware vendor.  This is the point at which it’s most probable that an infection will occur.  As with the CIH attack, the firmware may already contain a rootkit.  This is why it’s important to get it from a well-known and secure source.The other way infected firmware can be loaded into your hardware is through the actions of an attacker.  This normally requires physical access to the system to be compromised.  Why?  Because most hardware components are protected against changes to BIOS firmware with a jumper or a password.In the case of a jumper, the attacker would have to physically move the jumper to enable firmware flashing.  With most hardware, this requires not only physical access to the device, but also the opportunity for partial disassembly of the system in which the device is installed.  Standard physical controls should be sufficient to prevent this type of access.The effectiveness of firmware password safeguards depends on how you manage both administrative and physical processes.  If your engineers changed the password, the attacker may have to execute a series of steps to reset the BIOS security configuration to factory defaults.  This requires the same kind of access as that described for jumper manipulation.  However, once the factory defaults are restored, vendor passwords are easily obtained.  Again, standard physical access safeguards should be sufficient to prevent this type of access – especially if your engineers change the firmware password as part of all hardware installations.There are other ways to compromise the BIOS.  For example, overloading keyboard buffers is often one attack method that works on older systems.  And BIOS password cracking software exists and is available for download from the Internet.  But physical access is still necessary in many cases to enable firmware changes.  

Although firmware rootkit attacks should be considered when reviewing the effectiveness of your security program, I don’t believe you have to declare a state of emergency because of this week’s announcement.  A business that follows security best practices should be adequately protected from the kinds of access necessary to effect a firmware rootkit infection.  Probably the most important point to take away from reading this article is how critical it is for your engineers to be aware of the potential risks related to obtaining clean firmware.  Awareness is your first line of defense against BIOS rootkit attacks.

Author: Tom Olzak 

Resources:  RSS Feed for our Podcasts 

Sources:

Researchers: Rootkits headed for BIOS

The Basics of Rootkits: Leave no Trace

BIOS Flashing and Hotflashing

How to Bypass BIOS Passwords

Since Skype is the unquestioned leader in this space, I’ll use it as an example provider to examine how these services work, the potential risks they pose for your business, and possible ways to reduce that risk. 

In 2003, Skype Technologies launched a free peer-to-peer Internet telephone service.  At first, users could only call each other via their PCs.  In 2004, however, Skype introduced SkypeOut.  SkypeOut allows users to place calls from their PCs using traditional phone service.  Skype services, now estimated to be installed on 245 million computers worldwide, provide a very inexpensive way to communicate with anyone, anywhere.  Let’s walk through an example of how Skype works.

In the graphic above, Tom and Chris have Skype installed on their PCs.  Tom is placing a call to Chris.  Tom’s PC, using a private IP address, is unable to communicate directly to Chris’ PC.  The Internet only sees a NAT address presented by ESI’s perimeter devices. Like all peer-to-peer IP telephone services, each skype end point must communicate with the other end point’s IP address.  Skype has solved this problem with the use of supernodes.

A supernode can be any PC on the Skype network that has a public IP address (one that can be routed over the Internet) and is visible to an end point with a private IP address.  In our example, ESI has left all outbound ports open, so Tom’s PC searches the Skype network looking for a system it can use as a supernode.  Once it finds one, Tom’s PC establishes a relationship with the supernode so it can act as an intermediary to establish a voice connection with Chris.

Before the voice connection is established, Tom must enter his Skype user ID and password.  These are stored in the only central database in the Skype peer-to-peer network.  Once authenticated, Tom’s PC establishes an encrypted voice communication with Chris’ PC.  Chris hears a ring through the speakers on his PC.  He completes the call setup by using his Skype software to accept and process the call.  Tom and Chris then use microphones, headphones, speakers, etc. to communicate with each other with a high quality VoIP connection.

If Tom wanted to connect with a traditional telephone number instead of another PC with Skype software installed, he would have to use the SkypeOut service.  This is a for- fee service that routes Skype calls from the peer-to-peer network to the standard switched voice carriers.

This all sounds pretty simple.  It is.  It’s easy to implement, inexpensive, and it’s flexible.  In addition to voice, users can transfer files and participate in instant messaging conversations.  So with all these advantages, what’s the downside?

Skype will not release the details of its encryption scheme.  Although they claim to base it on the RSA standard, this isn’t verifiable.  Nor is it possible to test for vulnerabilities.  The best that can now be said about Skype encryption is that it prevents casual compromise of voice and data packets.

According to Gartner, the overall security of the Skype solution depends on many factors, in addition to encryption.  These factors include:

1. The reliance on the security of all the other nodes in the network.  Threats related to monitoring conversations as they flow through a supernode and receiving malware that rides the voice or IM connection are possible.
2. Skype program auto updates.  These updates occur without warning in a manner that is often transparent to Skype network users.  These changes may introduce new, unknown vulnerabilities. 

One of the biggests issues with Skype is the manner with which it establishes and maintains voice sessions.  Unlike other VoIP vendors, Skype founders didn’t believe the IETF standard SIP was suitable for their purposes.  So they came up with a new way — a proprietary way — to move voice over the Internet.  According to Gartner, there are problems with this approach.

Firewall vendors typically support SIP filtering.  This allows secure management of call packets.  But since Skype’s Proprietary Protocol (SPP for the purposes of this article) is not in widespread use, firewall vendors don’t see value in paying for the R&D necessary to incorporate SPP support into their products.

To enable Skype within an organization’s network, network administrators must provide Skype with unrestricted access to outgoing TCP connections.  If open ports in the firewall isn’t an option, administrators can set up port 443 (SSL) or port 80 (HTTP) in a non-standard configuration that allows SPP to pass.  Either approach punches holes in perimeter defenses.

Malware, like worms and keystroke loggers, can use the open ports to call home.  This common malware function allows unwanted software to either send sensitive data to an attacker or to retrieve additional, possibly more destructive, malware from a home server.  If administrators allow protocols other than SSL and HTTP to pass through ports 443 and 80, additional attack paths trageting servers or PCs behind company firewalls are possible.

If an organization feels that the reduced cost of peer-to-peer VoIP is worth the additional risk, here are a few risk management recommendations.

1. Do not configure company Internet firewalls to allow either of the connection methods recommended by Skype – opening all outgoing ports or using nonstandard port 443 and port 80 configurations.  This effectively shuts down the use of Skype from the internal network.  Remote users can still connect with Skype by initiating a direct Internet connection rather than using a connection via the company network. 
2. If an organization must use Skype from its internal network, only allow port 443 access.  In addition, ensure the PCs are protected with personal firewalls and up to date anti-virus and anti-spyware software.  Regular checks should be made to ensure root kits and keystroke loggers haven’t managed to ride the Skype trail to your resources.

Peer-to-peer VoIP might eventually become an enterprise solution.  This will require standardization on open standards and more cooperation with third party testers and analysts.  But until that day comes, be very careful about reducing costs at the expense of information security.

Author:  Tom Olzak 

Sources:

Evaluate the Security Risk of using Skype for Enterprise Telephony (Gartner #G00126501)

VoIP and Skype Security

Scientists warn Skype ideal for hackers

A keystroke logger is software or hardware that captures each key pressed by a user.  In this way, it can obtain user IDs, passwords, banking and credit card information, social security numbers, employee IDs, etc.  The following is a list of other possible keystroke logger capabilities: 

1. Invisible to the user and to network defenses, like the perimeter firewall
2. Invisible to support personnel viewing the Windows task list or startup list
3. Remote installation and update
4. Capture of screen information when the mouse is clicked
5. Logging of web sites visited by the user
6. Capture of instant messaging chat sessions
7. Monitoring of the Windows clipboard

This information is then sent to the attacker for use in identity theft, theft of intellectual property, theft of national defense secrets, or other types of cyber crime.  It’s important to point out that not all users of keystroke loggers are criminals.  Keystroke logging is often used in testing software or in cyber crime investigations.

The threat to your organization is painfully obvious.  An attacker can obtain critical and sensitive information about your business, your customers, and your employees without having to break into a database or having to crack a strong data center perimeter. 

Protecting yourself against a keystroke logger attack is not easy.  Due to the potential invisibility of the malware once it’s on one of your PCs, neither the user nor your support personnel may have any idea it exists.  Further, anti-virus applications often fail to identify keystroke loggers.  Finally hardware keystroke loggers that sit between the keyboard and the computer are completely undetectable by AV tools. Even more disturbing is the possibility that an attacker has replaced a user’s keyboard with one that has integrated keystroke logging. However, physical access to the system is necessary to mount a hardware-based attack.  This makes capturing your data a little more challenging for the attacker.  So what can you do to protect your critical assets?

Your defense against keystroke logging lies within two areas: technology and user awareness.  In the area of technology solutions, applications like SpyCop and SnoopFree are designed to detect software keystroke loggers.  But again, these applications won’t work against hardware-based attacks.  

To protect your organization against hardware keystroke loggers, and to provide a first layer of defense against any type of logging attack, an organization must educate its users on the dangers associated with certain activities.  Examples of steps users can take include: 

1. Locking their computers when they leave their work area
2. Don’t surf the Internet with an account that has administrative rights; this provides an attacker with the rights necessary to install software on the system

Keystroke logging is just one threat facing organizations in this era of global networking.  The best defense against this and other types of attack is a strong layered defense. Because no one safeguard is sufficient to protect your environment, design your network defenses so that multiple safeguards support each other.  The only other option is to isolate your network from the outside world – hardly a wise business decision.

Author:  Tom Olzak 

Sources:

Be aware of the threat of hidden keystroke-logging

Keystroke logging definition

Resource:

SpyCop

SnoopFree

Organizations that dispose of old PCs or servers without taking special precautions to ensure sensitive information is actually removed from storage are failing to safeguard data that might be covered by regulations like HIPAA, or might reveal enough information about employees and customers to enable identity theft.  There are many utilities available to help with this challenge.  SDelete from Sysinternals, available at the link in Resources below, is a free program you can use to remove the data from one or all files on a disk.

But improper disposition of PCs and servers isn’t the only problem facing many companies.  PDAs and smartphones also present a risk.  Although these devices might store sensitive company information, they are often reassigned or turned in to the wireless vendor without first wiping their storage.

Every organization must have policies and processes in place to ensure the proper handling and disposal of data in its care.  A company that collects consumer and employee information has an obligation to protect it until the data is properly destroyed. 

Author:  Tom Olzak 

Sources:

Don’t leave information on old hard drives

The hidden threat: Residual data security risks of PDAs and smartphones

Resource:

Sysinternals SDelete Data Erase Program – Free Tool