Thursday, June 25, 2009
Next is the state of Microsoft's anti-virus efforts. Many AV industry experts claim that Microsoft's entry into the AV market would be laughable and minimal. Indeed, Microsoft's previous OneCare suite left a lot to be desired. But according to AV-Test, Microsoft's new Security Essentials (codename "Morro") actually holds its own (well, the beta version at least). There was also speculation that Microsoft's AV scanner would be cloud-based, but it's confirmed to be a traditional local client application. The Security Essentials site indicates that no more beta downloads are being offered at this time, so we'll probably need to just wait for a full release later this year. In the meantime, Microsoft's AV efforts are readily apparent on their Malware Protection Center page. Also interesting is the quote by the CEO of AVG, another anti-virus company, in the previously linked ComputerWorld article. He basically says that viruses are so yesterday, and incoming web nasties and malware such as browser exploits are the big threats now. True.
Lastly is the state of man-in-the-middle attacks on public networks. Have you ever noticed that things like wireless hotspots and hotel networks are a huge catch-22 for trust and network security? You connect to a network and get assigned IP, DNS, and routing information from a DHCP server that may or may not be the legitimate DHCP server. Then you could come to a captive portal page that may or may not be the legitimate captive portal. The captive portal page says you must enter various information (Room number? Credit card? T-Mobile login? Daily access code?) before you can use the network, but the information it requests may or may not be the information that is legitimately necessary. And that's assuming you even connected to the legitimate wireless AP in the first place (see more than one AP broadcasting the same SSID? Yeah...). Even SSL doesn't help here, because different places use different hostnames for their captive portal service, so you have no idea whether https://secure.FooBarHotelNetworkServices.com/captiveportal/sheraton/ is the right place or not when asked for your credit card number to get Internet access. An attacker can register any legitimate-looking domain name, get an SSL cert for it, and run their attack, and you would never know. ("Hello? Front desk? Can you please tell me the exact hostname for your captive portal, and whether or not I will need to enter a credit card number to get Internet access?") In a world of laptop cellular aircards and mobile phone tethering, those cellular connections are a much safer bet these days.
Until next time,
Friday, June 19, 2009
Other than 'Quotes' and 'Dictionary', the remaining words are large well-known sites or brands. We sure do live in a commerce and media-driven world, don't we? Hopefully people aren't using Google to find out the web address of Youtube; it reminds me of the Little Rascals quote "Quick, what's the number for 911?"
I've also noticed that the results can vary at different times, so the list you get might be slightly (or majorly) different. And different languages/locales provide different results (I just checked with www.google.fr). Which I suppose adds to the fun. I'll also leave the list of numbers (0-9) for you to look up yourself. Oh, the suspense!
Until next time,
Monday, June 15, 2009
Despite the patches being available, history has shown that people don't always install them. Installing patches is an inconvenience; it interrupts the use of the system and potentially requires reboots. In enterprise environments, all of this can be semi-automated with patch management and deployment systems, centralized patch repositories like WSUS, and policies that dictate the employee just sit tight while mandatory patches are applied. But for home users, computer use is often casual--which means convenience has a very strong influence. If they get on the computer to check email or surf MySpace, they are unlikely to want to postpone those computing desires in order to deal with installing patches first. That's assuming they even know about the availability of patches in the first place.
Recently some folks from Google and their partners released an analysis of web browser auto-update approaches. The analysis compared how quickly patches reached widespread deployment under each browser's update process. For example, Chrome does "silent updates"--it will download patches/new versions and automatically install them without telling you. Firefox will automatically download updates, but then you still have to manually agree to the installation via a prompt given to you by Firefox. Safari tells you that an update is available, but then you have to manually agree to download and then install the update. Opera will inform you of a new version, but then you have to manually download the update yourself and proceed through the install wizard. Internet Explorer relies on the Windows Automatic Update agent to download and install patches.
Overall, the Google analysis found that Chrome’s silent update approach resulted in the widest spread of update deployment (97% of systems patched/updated) within a fixed period (three weeks). Firefox wound up with 85% of systems patched/updated after three weeks, and Safari and Opera wound up with some pretty low numbers. The conclusion? Badgering the user to be involved in the update process causes them to interrupt, abort, or ignore the process, leaving the patches/updates unapplied. That is non-ideal when security is involved.
But the mere availability of auto-update mechanisms (Chrome, Windows) doesn't solve the problem per se. I've encountered situations on numerous occasions where the user has disabled the automatic updating process because the software they were using was, well, "borrowed." Microsoft has been struggling with this issue for years now: whether to allow pirated copies of Windows to be eligible for service pack updates and other patches. They have slipped various anti-piracy checks into their update process under the moniker Windows Genuine Advantage, which means only legitimate copies of Windows have access to the collection of updates. But even if the software vendor doesn't implement technical restrictions to keep pirated versions from updating, the user's conscience might still prevent it. A person who "borrows" a commercial software application from a friend is less likely to run to the vendor asking for support and updates, because they do not want to get their friend in trouble for handing out pirated copies. Such people are more likely to disable anything that automatically alerts the vendor to the second copy, and/or will ignore any updates (where they might be asked how they got the software in the first place) and just stick with the original (now outdated and insecure) version.
Overall this whole timely security patching business is a tough problem to solve, because it's not simply a matter of expecting users to download an installation file off a website and double-click it.
Until next time,
Friday, June 12, 2009
For one thing, a filter (a module or device that only some things go through, but others don't) is a very basic security technology. Just as there are a limited number of elements in the periodic table, there are a very limited number of basic security technologies, so even when people are building "new" security technology, the most basic pieces to pick from are limited, and you'll see a lot of repeats. Since firewall is a pretty well-known word that covers several members of this family, any filtering technology that works on traffic of some sort (whether it be a packet filter or a web application firewall) will tend to be called a firewall, even though firewalls now frequently work much higher up the stack than they did in the 80s.
So the real question is, what good is a filter installed on a perimeter? Most people will say it's for defense in depth, i.e. "We know it's not perfect, but we're hoping each layer will catch some different things and minimize the bad stuff that gets all the way through." It's the stock answer, and I wouldn't argue against the concept, but I think it misses a key point:
In a network, filters (including firewalls) break what can be enormously complex into smaller, more manageable pieces. It's like providing an API and using it to write modular code. The goal is to minimize the cases in which tweaking something over here wiggles something unexpected way over there. Sounds good for maintainability, but what does reducing action-at-a-distance have to do with security? Here we go back to design flaws. If the designer wasn't expecting anything else to be using or modifying some resource, but something else can, there could well be an exploitable design flaw. A well-configured filter in a good location can reduce the possibility of interaction, and therefore the chance the design flaw will be exploitable. Plus, partitioning any system means you can partition security analysis: each portion, the partitions, and any possible interactions between them. Without the partitions, it's all interactions, which are the least-well-understood security analysis subject I can think of.
These days, you have more perimeters than you think, and the things you are dividing aren't necessarily more adversarial to each other than they are internally. But at least if you divide them, you have smaller chunks to worry about.
Monday, June 8, 2009
Recently, President Obama announced the establishment of a Cyber Czar, although the candidate for the position has not yet been named. The new position will be a senior White House staffer, regularly reporting to the President. This position is an important one and I’d like to see the President make the right choice. Mr. Obama, I know that you’re a busy guy, but here’s some friendly advice while mulling over the candidates.
Forbes asked the question: “should the head of cybersecurity in the new administration come from private industry, government or the military?” The article debates the merits of each approach and discusses a few potential candidates. The answer, in my opinion, couldn’t be clearer. The candidate must come from private industry but must know how to dance in government circles. I was encouraged this past weekend when the administration named Jeff Moss, founder of the Black Hat security conferences, to the Homeland Security Advisory Council. It demonstrates a willingness to reach beyond political circles for candidates with real-world experience. Jeff is an excellent choice, having seen the world through the eyes of both a hacker and a businessman, not to mention being one of the best-connected people in the security industry.
Selecting a candidate for Cyber Czar from private industry is critical because the answer doesn’t lie in small tweaks to the status quo but in wholesale change. The current state of security in government networks is abysmal, and the government just doesn’t do change well. When attackers are succeeding in stealing top secret plans for fighter jets, the air traffic control system is wide open to attack, and the power grid is littered with backdoors, incremental changes won’t suffice. Moreover, the government can’t secure its infrastructure alone. It doesn’t make the technology that it runs, nor does it independently have the expertise necessary to secure the massive infrastructure that Americans rely on each and every day. The soon-to-be-named Cyber Czar needs to come from private industry but be politically savvy. Having served in the government at some point in his/her career would be a great asset because, let’s face it, politics is a game, and if you don’t know the rules, you won’t succeed.
This isn’t the first time that the White House has called upon an outsider to help secure the nation’s IT infrastructure. In September 2003, Amit Yoran, founder of RipTech, was handed the title of Director of the National Cyber Security Division of the Department of Homeland Security. Despite the impressive title, the position was not in the White House and came with limited power. Many speculate that Yoran left after only a year on the job after growing frustrated that he was unable to implement the changes that he sought. Unfortunately, despite the announcement from the President that the Cyber Czar will have a White House position, we still don’t know exactly what powers the office will wield. If we expect change, the Cyber Czar will need the ear of the President and the power to make change happen. If not, the position will wind up being a revolving door for bright minds with great ideas who soon grow frustrated with the red tape pinning them down.
Mr. President, this is an important opportunity. Please be sure to bring on board an outsider who is a visionary with the patience to play the political game. But most importantly, be sure to listen to him.
Sunday, June 7, 2009
Web access is a critical activity for virtually all jobs, but how many employees recognize the risks that can be encountered simply by viewing a web page? How many times have you encountered web pages with a title such as “Page is loading… Please wait”? I’ve already talked about the threats posed by phishing and ActiveX vulnerabilities in previous blogs. Another significant threat on the web is the increasingly popular drive-by download attack. In this attack, malicious software is downloaded without the user's knowledge by exploiting known or unknown web browser or operating system vulnerabilities. Recently, we came across an interesting website hosting a malicious animated page. The page shows an animation that entices the victim to wait patiently while content is supposedly being loaded. Below is a screen capture of the page in question.
When someone visits this web page, it will continually play the ‘page is loading…’ animation and nothing will ever be displayed on the page. The victim will undoubtedly grow impatient and eventually close the page and continue surfing. But wait; did the victim notice what else was being loaded? Of course not, as the malicious content was loaded in the background. Yes, the page actually contains a couple of malicious iframes,
The attacker has done his job behind the page by downloading malicious binaries without the user noticing. These attack toolkits spread by injecting malicious hidden iframes into otherwise legitimate sites. Once the victim visits those sites, they are redirected to the attacker’s website. Social engineering can also be employed to convince victims to directly visit malicious sites controlled by the attackers. The frightening part of these attacks is that the victim does not have to do anything. They simply visit the malicious page and everything runs in the background. The number of such malicious sites grows every day, with more advanced techniques and novel ways to spread malware. Browser patch management is critical for those enterprises seeking to defend against such attacks.
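The hidden-iframe injection described above leaves a recognizable trace in the page markup: an iframe that a visitor cannot see (zero size, display:none, visibility:hidden, or positioned far off screen) and that usually points at a host other than the page itself. The following is an added example, not code from the original post or from the toolkits it names, showing how a defender might flag such iframes in saved or proxied HTML. The sample page, the hostnames www.example.com and bad.example.net, and the size and offset thresholds are all constructed assumptions for illustration.

```python
"""Flag hidden <iframe> elements of the kind injected by drive-by download kits."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page (not captured from any real site): a "loading"
# page with one visible embed and two injected iframes a visitor never sees.
SAMPLE_HTML = """
<html><head><title>Page is loading... Please wait</title></head>
<body>
<img src="/img/spinner.gif" alt="loading">
<iframe src="https://www.example.com/video/embed/123" width="560" height="315"></iframe>
<iframe src="http://bad.example.net/in.php" width="0" height="0" frameborder="0"></iframe>
<iframe src="http://bad.example.net/loader.html"
        style="visibility:hidden; position:absolute; top:-9999px"></iframe>
</body></html>
"""

# Assumed thresholds: frames at most 1px in a dimension, or pushed more than
# 100px off-screen, are treated as hidden.
MAX_HIDDEN_PX = 1
OFFSCREEN_PX = -100


class IframeCollector(HTMLParser):
    """Collect the attribute dictionary of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            # HTMLParser already lowercases attribute names; values may be None.
            self.iframes.append({name: (value or "") for name, value in attrs})


def _px(value):
    """Parse a leading integer from a size value such as '0', '0px' or '315'."""
    match = re.match(r"\s*(-?\d+)", value or "")
    return int(match.group(1)) if match else None


def hidden_reasons(attrs):
    """Return the list of reasons an iframe with these attributes is invisible."""
    reasons = []
    width, height = _px(attrs.get("width")), _px(attrs.get("height"))
    if width is not None and width <= MAX_HIDDEN_PX:
        reasons.append("width<=1")
    if height is not None and height <= MAX_HIDDEN_PX:
        reasons.append("height<=1")

    style = attrs.get("style", "").replace(" ", "").lower()
    if "display:none" in style:
        reasons.append("display:none")
    if "visibility:hidden" in style:
        reasons.append("visibility:hidden")
    # Inline CSS sizes and offsets, e.g. "top:-9999px" or "height:0".
    for match in re.finditer(r"(?<![a-z-])(top|left|width|height):(-?\d+)", style):
        prop, value = match.group(1), int(match.group(2))
        if prop in ("top", "left") and value < OFFSCREEN_PX:
            reasons.append(f"offscreen {prop}:{value}")
        if prop in ("width", "height") and value <= MAX_HIDDEN_PX:
            reasons.append(f"css {prop}<=1")
    if "hidden" in attrs:
        reasons.append("hidden attribute")
    return reasons


def find_hidden_iframes(html, page_url):
    """Return findings for every hidden iframe, noting whether it loads from another host."""
    parser = IframeCollector()
    parser.feed(html)
    page_host = urlparse(page_url).hostname
    findings = []
    for attrs in parser.iframes:
        reasons = hidden_reasons(attrs)
        if not reasons:
            continue  # visible embed such as a video player; not suspicious by itself
        src = attrs.get("src", "")
        src_host = urlparse(src).hostname
        findings.append({
            "src": src,
            "reasons": reasons,
            "offsite": bool(src_host) and src_host != page_host,
        })
    return findings


if __name__ == "__main__":
    for finding in find_hidden_iframes(SAMPLE_HTML, "http://www.example.com/index.html"):
        flag = "OFF-SITE " if finding["offsite"] else ""
        print(f"{flag}hidden iframe -> {finding['src']} ({', '.join(finding['reasons'])})")
```

Run against the constructed page, the visible video embed is ignored and the two zero-size or off-screen frames pointing at bad.example.net are reported. In practice this belongs in a web proxy or a periodic crawl of your own sites, since the injected frame appears in the legitimate site's markup rather than in anything the victim chose to visit.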
We have observed a number of websites infected by hidden malicious iframes; the latest ones include attacks carried out by LuckySploit and Gumblar. We recommend that you keep your antivirus updated and keep an eye out for such suspicious websites while surfing.