Friday, February 19, 2010

Take the CSA Top Threats Survey


The Cloud Security Alliance is working on a project entitled Top Threats to Cloud Computing, which will be published at the Cloud Security Alliance Summit during RSA 2010. For the past few months, we've assembled a panel of experts to debate the top security threats related to cloud computing and now it's your turn to participate. You can help us with this effort by completing the Top Threats Survey. The survey takes about 5 minutes to complete and will allow us to better understand the severity of the threats that we've identified thus far from the perspective of a broad audience. We'll present the summarized results of this survey at RSA. This project will continue to evolve after the conference as we solicit feedback to continually adjust the list to accommodate new threats. Stop by the Cloud Security Alliance Summit for the unveiling!

Friday, February 12, 2010

Fake Vancouver Winter Olympic Videos Spreading Malware

It certainly didn't take attackers long to take advantage of the Olympic Winter Games, which began today in Vancouver. Within minutes of the completion of the opening ceremonies, Twitter messages were appearing from an account called gamesvancouver. The shortened URL displayed promises footage of the opening ceremonies but instead redirects users to a page that is effectively a mirror image of the official web page for the 2010 Vancouver Olympics. Upon closer inspection, however, it can be seen that the domain name used by the site is a slight misspelling of the official one, with a single letter swapped (a 'u' for an 'n') in the vancouver2010.com domain name.

The attackers are using a common social engineering technique: the site tells the victim that a Flash codec must be downloaded in order to view the requested video. In reality, the victim is downloading and installing a Windows executable which contains a Trojan/Downloader. The malicious file is currently detected by only 11 of 41 anti-virus vendors (VirusTotal results). Given the popularity of the Winter Olympics, it is not surprising that attackers are taking advantage of the event to spread malware. It is, however, concerning that most anti-virus vendors are unable to address this particular threat. Given how convincingly the attack site mimics the real one, the lack of anti-virus signatures, the use of Twitter to advertise the campaign and the timing of the attack, it is reasonable to assume that the campaign will succeed in infecting numerous machines.
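The look-alike domain is the detectable part of this campaign: a proxy or mail gateway can flag hosts that sit within an edit or two of a domain it has been told to protect. The following is an added example (not code from the original post): it computes the optimal string alignment distance between the registrable part of a URL's host and a protected domain, and classifies the URL. The protected list and sample URLs are constructed; the look-alike host in the sample is a generic one-letter variant made up for illustration, not the attacker's actual domain.

```python
"""Flag look-alike domains within a small edit distance of a protected domain.

Added example, not code from the original post. PROTECTED and SAMPLE_URLS
are constructed; the look-alike URL below is NOT the real attacker domain.
"""
from urllib.parse import urlsplit

PROTECTED = ["vancouver2010.com"]  # constructed watch list


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: substitution, insertion, deletion
    and adjacent transposition each cost 1 (covers typical typosquats)."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,          # deletion
                          d[i][j - 1] + 1,          # insertion
                          d[i - 1][j - 1] + cost)   # substitution
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


def registrable(host: str) -> str:
    """Crude registrable-domain extraction: the last two labels.
    Assumption: no multi-part public suffixes (co.uk etc.) in the input."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify(url: str, protected=PROTECTED, max_dist: int = 2) -> str:
    """Return 'legit', 'lookalike:<protected domain>' or 'unrelated'."""
    host = urlsplit(url).hostname or ""
    reg = registrable(host)
    if "." not in reg:
        return "unrelated"
    name_a, tld_a = reg.rsplit(".", 1)
    for good in protected:
        if reg == good:
            return "legit"
        name_b, tld_b = good.rsplit(".", 1)
        # Same TLD and a small, non-zero distance on the name part: typosquat.
        if tld_a == tld_b and 0 < osa_distance(name_a, name_b) <= max_dist:
            return "lookalike:" + good
    return "unrelated"


# Constructed sample: the second URL is a made-up one-letter variant.
SAMPLE_URLS = [
    "http://www.vancouver2010.com/olympic-news/",
    "http://www.vanconver2010.com/video/opening-ceremony.html",
    "http://twitter.com/gamesvancouver",
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(classify(u), u)
```

A real deployment would use a public-suffix list instead of the two-label heuristic and would add homoglyph normalisation (for example mapping 'rn' to 'm'), but the distance check alone catches the single-letter swap used in this campaign.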

Enjoy the Olympics, but be careful where you click!

- michael

Thursday, February 11, 2010

Google Buzz for Spammers


The Google Buzz sign-up is being advertised to users when logging into Gmail, and is a fairly transparent process to users with an existing Gmail account.

Clicking on “Sweet! Check out Buzz” brings you to your initial follower/follow back network of friends:

And as the privacy statement suggested, it automatically determined people who have communicated with me over Gmail and that joined Buzz to follow me. Similarly Buzz made suggestions on whom I should follow. From the Buzz privacy statement:

For me, the default web apps connected to Buzz were my public facing Picasa and Google Reader:

By default, (as stated in the Google Privacy statement) the list of people that I am following and the people following me will be publicly displayed on my profile.

As numerous folks have blogged about (e.g., CNET), this could be a privacy concern for users who do not want to share their social network with the world. As with other social networks, this could be used to gather intelligence on individuals, the corporations/organizations/groups they belong to, and could be used in targeted spear phishing or impersonation attacks. To the general user on the web however, many of the benefits of social networking out-weigh the risks.

In addition to these concerns, there are a few other items that Google Buzz brings to the table for an attacker. One item in particular is email validation. I clicked on one of my co-workers who was following me (his Buzz profile used the default setup) and was able to see the people he is following and those following him (again, the default setting). The people in his social network whom I had emailed in the past from my Gmail account had their email addresses exposed; those I had not emailed in the past did not.

A user with a Buzz account necessarily has a Gmail account, and the name visible in Buzz is often used in some form as the user's Gmail user name. As a spammer, one could create a network of Gmail accounts connected to Buzz, follow a large number of users, follow their followers, and so on; harvest the user names and alias names of those being followed; make best-guess attempts at their email addresses; and send test messages. Once a guess succeeds, the email address is exposed in the Buzz interface, confirming that it exists and is tied to that user.

The way this would likely work and scale for the spammer is through an automated Google Buzz bot or worm that builds a list of followers and spiders out to the followers of followers, and so forth, in order to harvest Gmail names and aliases to guess against and build a spam list. The email validation not only confirms that the account is live, but also that it is linked to the social network visible in Buzz. In other words, knowledge of that particular user's social network could be used in an automated but more targeted spam campaign. For example, email subject: "Hey I see you are friends with XYZ..."; email body: "Here are some pictures of her that I thought you would get a kick out of: insert malicious link/attachment" (remind you of Koobface?).
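To make the scaling argument concrete, here is an added example (not code from the original post) that models the harvesting bot over a constructed, in-memory follower graph: a breadth-first walk out from a seed profile, followed by the usual first/last-name permutations a harvester would try as Gmail local parts. The graph, the names and the permutation patterns are all assumptions made up for illustration; the validation step described in the post (seeing an address revealed in Buzz after a successful guess) is not modelled, since it depended on the Buzz UI.

```python
"""Model of the follower-graph harvesting described in the post.

Added example, not code from the original post. FOLLOWS is a constructed
social graph; the local-part patterns are common guesses, not data from Buzz.
"""
from collections import deque
import re

# Constructed graph: display name -> display names that profile follows.
FOLLOWS = {
    "Alice Example": ["Bob Sample", "Carol Test"],
    "Bob Sample": ["Alice Example", "Dave Demo"],
    "Carol Test": ["Bob Sample"],
    "Dave Demo": [],
}


def crawl(seed, follows=FOLLOWS, max_depth=3):
    """Breadth-first walk over followers-of-followers.

    Returns {display_name: hop_count} for every profile reached from the
    seed within max_depth hops (the seed itself is at hop 0)."""
    seen = {seed: 0}
    queue = deque([seed])
    while queue:
        cur = queue.popleft()
        depth = seen[cur]
        if depth >= max_depth:
            continue
        for nxt in follows.get(cur, []):
            if nxt not in seen:          # each profile visited once
                seen[nxt] = depth + 1
                queue.append(nxt)
    return seen


def candidate_local_parts(display_name):
    """Common first/last permutations a harvester would try as user names."""
    parts = re.sub(r"[^a-z ]", "", display_name.lower()).split()
    if not parts:
        return []
    if len(parts) == 1:
        return parts
    first, last = parts[0], parts[-1]
    cands = [
        f"{first}.{last}", f"{first}{last}", f"{first[0]}{last}",
        f"{first}_{last}", f"{last}.{first}", f"{first}{last[0]}",
    ]
    return list(dict.fromkeys(cands))    # de-duplicate, keep order


def harvest(seed, domain="gmail.com"):
    """Map every reachable profile (except the seed) to its guessed addresses."""
    reached = crawl(seed)
    return {
        name: [f"{lp}@{domain}" for lp in candidate_local_parts(name)]
        for name in reached if name != seed
    }


if __name__ == "__main__":
    for name, guesses in harvest("Alice Example").items():
        print(name, guesses)
```

Even on this toy graph the bot reaches every profile in two hops, which is the point of the post: one seed account plus patience is enough to enumerate a large slice of the network, and the exposure of validated addresses turns guesses into a confirmed list.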

Additionally, once a user is connected to or followed in Buzz, you can interact through channels other than email, which could be leveraged to bypass the spam filters within Gmail. Gchat, Google Wave, Blogger and Google Reader are some examples of the interactive channels that Buzz provides its users.

Friday, February 5, 2010

Indian Gov't Site Victim of Ad Campaign

I noticed an Indian Gov't site in Zscaler's blocked logs from yesterday:

hxxp://www.hil.gov.in


Hindustan Insecticides Limited: A Government of India Enterprise
(I'm sure you can appreciate the irony here, as insecticides are used to kill bugs).

Viewing the source of the page, there is an embedded iframe in the beginning to:
hxxp://193.104.27.99/ad.php


which redirects to hxxp://cfkrdbfplrla.com/ld/tuta4/ and is used to advertise A/V, registry cleaner, etc. wares through:

hxxp://www.searchmagnified.com/Free_Antivirus.cfm?domain=cfkrdbfplrla.com&foiffs=in100fweg&cifr=1&fp= ~snip~

McAfee SiteAdvisor and other Google results for SearchMagnified list it as being involved in some suspicious activities.

I was expecting to follow the link and reach an obvious Fake A/V page. Instead I reached:

hxxp://www.cyberdefender.com/EDC/landing/10/?affl=tsayahooedc_antixvirusxfree&campaign_code=002048&int_page=1& ~snip~

Note the affiliate ID and the campaign code in the link parameters. The SearchMagnified links are pay-per-click links, so they are making a buck off the Indian Gov't redirect when folks follow them. In this case the links pointed me to CyberDefender, a legitimate A/V vendor that pays affiliates to advertise on the web for it; the problem is that the affiliates may engage in less than legitimate practices (as is the case here).
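The injected iframe has the hallmarks that make this kind of compromise easy to spot in page source: it sits before the document's own markup, points at a bare IP address rather than the site's domain, and is sized or styled to be invisible. The following is an added example (not the tool used in the post) that scans HTML for iframes and reports those traits. The HTML sample is constructed; it reuses the ad.php address quoted above purely to illustrate the pattern, and the rest of the markup is made up.

```python
"""Scan HTML for injected iframes of the kind found on the compromised site.

Added example, not code from the original post. SAMPLE_HTML is constructed;
only the ad.php address is taken from the post, for illustration.
"""
from html.parser import HTMLParser
from ipaddress import ip_address
from urllib.parse import urlsplit

# Constructed page: one injected frame before <html>, two legitimate frames.
SAMPLE_HTML = """<iframe src="http://193.104.27.99/ad.php" width="1" height="1" style="visibility:hidden"></iframe>
<html><head><title>Hindustan Insecticides Limited</title></head>
<body>
<iframe src="/news/embed.html" width="600" height="400"></iframe>
<iframe src="http://www.hil.gov.in/video/frame.html" width="400" height="300"></iframe>
<p>Welcome</p></body></html>"""


class IframeCollector(HTMLParser):
    """Collect every <iframe> with its attributes and its position in the
    tag stream (0 means it is the very first tag on the page)."""

    def __init__(self):
        super().__init__()
        self.iframes = []
        self.ntags = 0

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append((self.ntags, {k: (v or "") for k, v in attrs}))
        self.ntags += 1


def is_ip_literal(host):
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def same_site(host, site_host):
    return host == site_host or host.endswith("." + site_host)


def suspicious_iframes(html, site_host):
    """Return a list of findings; each has the frame's src, host and the
    reasons it was flagged. Frames with no reasons are not reported."""
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for position, attrs in parser.iframes:
        src = attrs.get("src", "")
        host = (urlsplit(src).hostname or site_host).lower()  # relative src => own site
        reasons = []
        if position == 0:
            reasons.append("before <html>")
        if not same_site(host, site_host):
            reasons.append("off-site")
        if is_ip_literal(host):
            reasons.append("ip-literal host")
        style = attrs.get("style", "").replace(" ", "").lower()
        dims = (attrs.get("width", "").strip(), attrs.get("height", "").strip())
        if dims[0] in ("0", "1") or dims[1] in ("0", "1") \
                or "hidden" in style or "display:none" in style:
            reasons.append("hidden/tiny")
        if reasons:
            findings.append({"src": src, "host": host, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in suspicious_iframes(SAMPLE_HTML, "hil.gov.in"):
        print(f)
```

Run against a crawl of your own sites, the "ip-literal host" and "before <html>" reasons are the ones worth alerting on: legitimate embeds almost never appear before the root element, and advertising or analytics frames are normally served from a hostname, not a raw address.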

Thursday, February 4, 2010

The Death of IE 6 is Greatly Exaggerated

Champagne bottles were popping this week as victory was declared in the war on IE6. I say not so fast. The effort to rid the world of IE6 has been going on for some time, but a couple of recent high-profile events have brought the issue to the masses. The first was Operation Aurora, the advanced persistent threat attack that allegedly originated in China and infiltrated Google, Adobe and 30+ other large corporations. While the vulnerability used to install the Hydraq Trojan at the core of the attack affected all supported versions of IE, the exploit actually used only worked against IE6. Why? Because IE6 lacks the advanced security protections found in IE 7 and 8. The second story making the rounds this week is that Google has taken a stand and, starting next month, will phase out support for IE6, beginning with Google Docs and Google Sites. I applaud this move. Only when end users can't access their favorite sites will we finally see the across-the-board upgrade that should have happened years ago.

Enterprises argue that there is no urgency to upgrade beyond IE6 as it is still a supported browser. I argue that as a CISO, you're flat out negligent if you haven't fought to get IE6 off of your network. Just because a product is still supported doesn't make it secure. Yes, Microsoft will release security patches when IE6 breaks, but IE6 lacks numerous security features found in IE 7 and 8: DEP and ASLR support, malicious URL/phishing block lists, and XSS and clickjacking protections. This is why IE6 is targeted by attackers: it is the low-hanging fruit in the browser world.

One thing is bothering me though. I keep hearing how IE8 is making great strides and that IE6 is finally dying off. I read numerous articles this week covering the NetApplications January 2010 report, which revealed that IE8 has now overtaken IE6 in terms of market share. Whenever I see such data I ask myself what the sample population is. Generally, such data is collected from server logs. As such, it represents a broad spectrum of end users, including both corporate and personal web traffic.

I have long believed that individuals are more likely to upgrade web browsers than corporations. After all, we all want the latest features, and software upgrades are just a click away. Corporations, on the other hand, don't generally allow users to decide what software runs on their desktop, and from a security perspective they shouldn't. They also tend to focus on concerns over breaking functionality, often to the detriment of security. What I'm interested in is the browser market share for corporate users only.

This is something that Zscaler is in a strong position to answer. We sell an enterprise offering, so our clients tend to be corporations or government entities. Being a SaaS offering, any web-capable device can utilize the Zscaler cloud, and certainly some enterprises have traffic from user-owned/controlled devices (personal laptops and smartphones) running through the cloud as well, but it's fair to say that overall, our view of the world is primarily enterprise traffic as opposed to personal traffic. I therefore ran a query to determine web browser usage on our network for all of Q4 2009. As you can see, our results are very different from the NetApplications results. From October to December 2009, 72.21% of the traffic that we saw came from IE browsers. The pie chart breaks this traffic down to reveal the individual versions of IE encountered.

Not only is IE6 still in the lead, but IE8 is barely on the map, a finding vastly different from the NetApplications stats, which show IE8 in the lead. My conclusion? Enterprises are not moving away from IE6 as quickly as the web population as a whole.
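Anyone repeating this query on their own proxy logs should watch one caveat that such counts are sensitive to: IE8 running in Compatibility View reports itself as "MSIE 7.0" in the User-Agent string while keeping the "Trident/4.0" engine token, so a naive match on the MSIE number will undercount IE8 and overcount IE7 in enterprises that force compatibility mode for internal applications. The following is an added example (not Zscaler's query or code) that tallies IE versions from constructed proxy log lines, using the Trident token to correct for that case; the log format and the sample lines are assumptions made up for illustration.

```python
"""Tally IE versions from proxy logs, correcting for Compatibility View.

Added example, not code from the original post. SAMPLE_LOG is constructed:
timestamp, client IP, URL, then the quoted User-Agent string.
"""
import re
from collections import Counter

# Constructed sample of proxy log lines.
SAMPLE_LOG = """\
2009-12-01T09:00:01Z 10.1.1.5 http://intranet/ "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
2009-12-01T09:00:02Z 10.1.1.6 http://www.example.com/ "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
2009-12-01T09:00:03Z 10.1.1.7 http://www.example.com/ "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0)"
2009-12-01T09:00:04Z 10.1.1.8 http://www.example.com/ "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)"
2009-12-01T09:00:05Z 10.1.1.9 http://www.example.com/ "Mozilla/5.0 (Windows; U; Windows NT 5.1) Firefox/3.5.7"
"""

UA_RE = re.compile(r'"([^"]*)"\s*$')         # last quoted field is the UA
MSIE_RE = re.compile(r"MSIE (\d+)\.\d+")
TRIDENT_RE = re.compile(r"Trident/(\d+)\.\d+")

# Layout-engine token to real IE major version. IE8 in Compatibility View
# sends "MSIE 7.0" but still carries "Trident/4.0"; IE7 has no Trident token.
TRIDENT_TO_IE = {4: 8}


def ie_version(ua):
    """Return the IE major version for a User-Agent string, or None if the
    browser is not IE. The Trident token overrides a lower MSIE number."""
    m = MSIE_RE.search(ua)
    if not m:
        return None
    version = int(m.group(1))
    t = TRIDENT_RE.search(ua)
    if t:
        version = max(version, TRIDENT_TO_IE.get(int(t.group(1)), version))
    return version


def browser_shares(log_text):
    """Percentage of requests per IE version (plus 'other'), rounded to 2 dp."""
    counts = Counter()
    for line in log_text.splitlines():
        m = UA_RE.search(line)
        if not m:
            continue                        # malformed line, skip it
        v = ie_version(m.group(1))
        counts["IE%d" % v if v else "other"] += 1
    total = sum(counts.values())
    return {k: round(100.0 * n / total, 2) for k, n in counts.items()}


if __name__ == "__main__":
    for browser, share in sorted(browser_shares(SAMPLE_LOG).items()):
        print(f"{browser:6} {share:6.2f}%")
```

In the constructed sample the naive MSIE count would report IE7 and IE8 at 40% and 20%; the Trident correction reverses them. The correction only moves traffic between IE7 and IE8, so it does not affect the IE6 figure that the post is concerned with.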

Let's hope that recent events such as Operation Aurora and Google's stand to drop IE6 support cause enterprises to better understand the urgency of this issue. Let's further hope that Microsoft puts IE6 out to pasture once and for all.

- michael