Security Watch | Matt Hines » September 2007

September 25, 2007

Pump-and-dump spam changes image

Symantec's spam trackers are reporting that the trusty old pump-and-dump penny stock format has once again changed its spots -- and had a remarkably noticeable impact on overall spam trends.

While the pump-and-dump format has been around for a while, it apparently still makes money for some of its purveyors: the messages -- particularly in their image-based and attachment-based forms -- appear to have represented a healthy portion of all unsolicited e-mail, at least up until a recent shift toward other formats.

How do we arrive at this assumption?

According to Symantec and other researchers, use of the image-based spam model -- adopted by spammers over the last few years in an effort to hide message contents from text-driven e-mail content filters -- has fallen dramatically over the course of this year, likely because most commercial filters have been updated to sniff out the technique.

At the same time, so has use of the attachment/PDF model, which relies on documents attached to spam messages as the preferred method of delivering content to end users; it dropped from over 20 percent of all spam as late as August to less than one percent in recent weeks, according to Symantec's estimates.

Both of the formats had become well-worn avenues for pump-and-dump spammers -- whose intent is to convince people to drive up the price of penny stocks that they advertise in their messages in the hopes of making an investment windfall for themselves.

In the same timeframe that image and attachment spam has dwindled, use of messages carrying new text obfuscation techniques to hide their contents has jumped rapidly, reports Symantec, in particular those that carry pump-and-dump lures.

So, it would seem that as pump-and-dump schemes have morphed, the shift has had a fairly significant impact in larger spam trends.

Perhaps other types of spam messages are also being moved to the new obfuscation formats, but pump-and-dumps appear to have bubbled up to the top before others, such as advertisements for Viagra, which have also stuck around despite lots of work to stop them.

(With the variety of themes being attached to those messages moving beyond comical into downright ridiculous these days.)

The resilience of the pump-and-dump theme, as with Viagra, is interesting from a social engineering standpoint in that it has become so widely publicized, and filters have been tuned to block it, so you would think that its usage would have fallen off.

Apparently end users are still as stuck on the idea that an anonymous stock tip could make them rich as they are concerned with their bedroom performances. Will they ever learn? That seems to be the operable question in actually fighting spam on a grassroots level.

Among the newer pump-and-dump spam variants Symantec is noting are those that include:

-No subject line in the message headers, but rather in the body of the e-mail
-Random, alphabetized e-mail addresses in their bodies
-Additional sets of headers in their bodies followed by the penny stock information
-HTML with the price of the stock symbol in "mailto:" format in a place that would usually be reserved for URLs

"The most recent morphing we've observed over the past few days includes highly obfuscated messages with a few distinctive features," Kelly Conley, a manager in Symantec's Security Response group, wrote on a company blog.

"For starters, none of the message headers in the attack contain a subject line. This means that when it lands in your inbox there will be no subject line for the message," writes Conley. "Spammers may be utilizing this tactic as a means to entice end users to open the message by banking on the curiosity of an end user to open the mysterious message. There is a subject line in the body of the message. The spammer is most likely doing this for obfuscation purposes."
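The four tell-tales listed above lend themselves to simple mail-filter heuristics. The following is an added example, not Symantec's or the author's code: it parses a message with Python's standard email module and reports which of the four indicators are present. The sample messages, the three-address threshold and the ticker pattern are constructed assumptions.

```python
"""Heuristic flags for the obfuscated pump-and-dump spam variants described
above. Added example, not Symantec's code; samples and thresholds are constructed."""
import re
from email import message_from_string

# RFC 822-style header lines that have no business appearing inside a body.
HEADER_RE = re.compile(r"^(From|To|Date|Subject|Message-ID|Received):\s", re.M)
ADDR_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
MAILTO_RE = re.compile(r'href\s*=\s*["\']mailto:([^"\']+)["\']', re.I)
# Constructed assumption: a ticker is 3-5 capitals, optionally followed by a price.
TICKER_RE = re.compile(r"^[A-Z]{3,5}(\s*[$\d.]+)?$")


def _body_text(msg):
    """Concatenate the decoded text/plain and text/html parts of a message."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            payload = part.get_payload(decode=True)
            if payload:
                chunks.append(payload.decode("utf-8", "replace"))
    return "\n".join(chunks)


def spam_indicators(raw):
    """Return the names of the page's four indicators found in a raw message."""
    msg = message_from_string(raw)
    body = _body_text(msg)
    hits = []
    # 1. No Subject header at all, but a "Subject:" line inside the body.
    if msg.get("Subject") is None and re.search(r"^Subject:", body, re.M):
        hits.append("subject_in_body")
    # 2. A run of e-mail addresses in the body that happens to be alphabetized.
    addrs = ADDR_RE.findall(body)
    if len(addrs) >= 3 and addrs == sorted(addrs, key=str.lower):
        hits.append("alphabetized_addresses")
    # 3. A second set of headers inside the body (two or more distinct names).
    if len({m.group(1) for m in HEADER_RE.finditer(body)}) >= 2:
        hits.append("headers_in_body")
    # 4. A mailto: link whose target is a ticker/price rather than an address.
    for target in MAILTO_RE.findall(body):
        if "@" not in target and TICKER_RE.match(target.strip()):
            hits.append("ticker_in_mailto")
            break
    return hits


def is_suspect(raw, min_hits=2):
    """Flag a message when at least min_hits indicators co-occur."""
    return len(spam_indicators(raw)) >= min_hits


# Constructed sample: an obfuscated pump-and-dump message showing all four traits.
SAMPLE_PUMP = """From: noreply@example.invalid
To: victim@example.invalid
Content-Type: text/html

<html><body>
<p>aaron@example.invalid bella@example.invalid carl@example.invalid</p>
Subject: Hot tip inside
From: trader@example.invalid
Date: Tue, 25 Sep 2007 09:00:00 -0000
<a href="mailto:ABCD $0.45">click for details</a>
</body></html>
"""

# Constructed sample: an ordinary message that should raise no flags.
SAMPLE_HAM = """From: alice@example.invalid
To: bob@example.invalid
Subject: lunch?
Content-Type: text/plain

Are we still on for noon? Ping me at alice@example.invalid.
"""

if __name__ == "__main__":
    print("pump:", spam_indicators(SAMPLE_PUMP), "suspect:", is_suspect(SAMPLE_PUMP))
    print("ham: ", spam_indicators(SAMPLE_HAM), "suspect:", is_suspect(SAMPLE_HAM))
```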

Posted by Matt Hines on September 25, 2007 09:24 AM


September 24, 2007

Bubbles the worm adds keylogger

As the so-called Bubbles worm continues to wind its way across the Web, passing itself along via the contact lists and chat feature of people's Skype VoIP calling software, researchers have now isolated a far more devious iteration of the virus.

According to experts working on the SpywareGuide blog -- which is run by security vendor FaceTime Communications -- one new version of the threat has moved it from nuisance stage -- it previously posted the "Bubbles" screensaver in Windows onto affected users' machines -- to the nasty stage -- adding a keystroke logging program.

As another twist on the attack, the latest version of Bubbles also appears to take aim at users of Runescape, a massively multiplayer online game known to be popular among younger users, specifically teens.

Now, most of you enterprise security readers may think that means you don't have to worry, but it's an interesting bit of social engineering that could easily be used to create subsequent versions that might be aimed at professionals.

You should also consider that people in your company much older than teens may already be playing such games.

(Am I the only one reading this who knows otherwise normal, adult people who need a trip to World of Warcraft Anonymous?)

Anyway, the trick displayed by Bubbles -- aka Ramex, Skiki or Pykspa -- adds to its existing ability to shut down a PC's anti-virus defenses, a pretty neat attack on its own. In addition to dropping the keylogger, it watches for PCs running Runescape and attempts to steal log-in data.

So, what if someone did the same thing for LinkedIn, or Salesforce.com or something? Now you get the idea.

Basically, it doesn't matter if you're a gamer or not if you get the virus, because according to the researchers: "it logs everything the victim does on the infected PC, storing all logged information to a file in the system32 directory called syswinf32.dll."

Fun, fun. And: "It shows applications that have run, any action taken within the application, any text typed, and any Web sites visited."

Then: "Now that it's effectively stealing every piece of information on the victim PC it's time for the worm to spread to every Skype contact."

Nice.

This is proof positive that something like Bubbles -- believed to be created by a group of young hackers who identify themselves as "Youngsters Against McAfee" (YAM) -- can be quickly and easily manipulated into something much worse, and something that can be used to attack everyone from children to adults.

And while this one only targets the IM chat feature in Skype, most security researchers are saying "stay tuned" when it comes to the development and distribution of more sophisticated threats that attack VoIP itself.

Now ask yourself, is anyone in your company using VoIP software, and what have you done to secure it?

Posted by Matt Hines on September 24, 2007 02:34 PM


September 24, 2007

Microsoft preps for hacker confab

Microsoft is getting ready to hold the sixth in its series of invite-only meetings for security researchers and white hat hackers -- dubbed BlueHat -- on Thursday and Friday of this week.

Held on Microsoft's home campus in Redmond, Wash., the twice-per-year event is officially slated as BlueHat v6: The Vuln Behind The Curtain and will feature discussions on topics including "the security veil of virtualization and process isolation."

Microsoft organizers said that the event will also offer talks on Windows Mobile and automated exploit creation using researcher HD Moore's Metasploit tools.

There will also be a meeting to discuss a specific domain name system (DNS) pinning design issue that can be used to demonstrate how the software giant's Internet Explorer browser can be turned into a virtual private network (VPN) concentrator. Other discussions will debate the security issues of Microsoft Office, binary instrumentation, visualization and the economics of security.

The software maker officially describes BlueHat as "an internal event at Microsoft where outside security researchers are brought in to share their knowledge and expertise of the security threat environment with Microsoft senior executives and software engineers." Members of the press are not invited, however.

Andrew Cushman, director of the Microsoft Security Response Center (MSRC), the company's vulnerability and attack response group, has already posted a blog about the upcoming meeting on the company's Web site.

"As we reflect back on the 10 years of evolution in security at Microsoft, it’s fascinating to watch the deepening of relationships between Microsoft and the security ecosystem, and consider how these relationships tie into larger, longer term initiatives," Cushman writes. "Hearing from the people doing cutting edge research helps Microsofties understand the external research community’s focus and motivations, and helps us build better products and offerings."

Among the goals for the event that Cushman cites are:

-To expose senior product leaders and front line engineers to the threats and attack tools and methodologies used in the real world

-To increase people's real-world understanding of attacks

-To connect executives and engineers at a "visceral" level

-To expose security researchers (and the security community) to Microsoft engineers and business leaders

"BlueHat gives us a chance to open up on our home turf and gives the researchers an opportunity to interact with all levels of the organization," said Cushman. "They too get to experience first-hand that Microsoft does have smart, passionate engineers that do care about security."

While BlueHat remains a "closed-door" affair, Microsoft is promising to share details of the conference as it moves along. Stay tuned.

And, hey, who knows, maybe next year we'll even get an invite… after all, Cushman's list of goals pretty much describes the job of anyone whose responsibility is trying to explain IT security trends to business leaders.

You know, sort of like the job of us tech reporters.

Posted by Matt Hines on September 24, 2007 07:56 AM


September 18, 2007

CompTIA: Data breaches growing in severity

Data leakage events continue to become more serious, with the types of information that companies are losing or having stolen becoming increasingly strategic and valuable, according to the Computing Technology Industry Association (CompTIA).

Based on the latest data breach study published by the consortium of IT companies -- which currently claims over 22,000 corporate members in over 100 countries around the world -- the businesses it polled regarding their information leakage incidents rated the value of the lost content a 4.8 on a 1-to-10 scale, compared to 2.3 in 2006 and 2.6 in 2005.

The report serves as evidence that while companies are doing more than ever to prevent breaches, targeted attacks on valuable data such as credit card and social security information are likely ramping up.

"This suggests that while the number of security breaches has stabilized, the breaches that are occurring are having a greater impact than ever on organizations," said Brian McCarthy, chief operating officer of CompTIA.

The survey also found many security breaches originate internally, with 23 percent of respondents reporting that they had experienced a data loss incident that was carried out by insiders.

CompTIA reported that its study exposed no "significant differences" in the nature of breaches experienced by companies of different sizes; however, the smaller organizations surveyed did report marginally less severe results.

According to the research, the average cost of a security breach across all companies was $369,388, a figure that the group said was skewed by a handful of companies who indicated leakage-related expenses over $10 million.

For roughly 50 percent of respondents, the cost of security breaches in the last 12 months was $10,000 or less, the report said.

CompTIA also asked companies to elaborate on how they were allocating resources to respond to a breach. Respondents said they were spending as follows:

-Dealing with employee productivity impact: 35 percent
-Handling server or network downtime: 21 percent
-Managing the impact on revenue-generating activities: 20 percent
-Dealing with the impact on physical assets: 17 percent
-Paying related legal fees and/or fines: 8 percent

Posted by Matt Hines on September 18, 2007 02:08 PM


September 17, 2007

Malware moves from scattershot to honeypot

End users were far less likely to receive malware programs in their in-boxes and far more likely to get attacked as they visited legitimate Web sites over the first six months of 2007, as threats continue to shift from widespread campaigns to distribution via targeted outlets, according to researchers at Symantec.

Whereas attackers have traditionally utilized far-ranging schemes that sought to find their way onto as many desktops as possible through ubiquitous communications channels including e-mail and IM, hackers and cyber-thieves are rapidly transitioning to socially-driven threats that seek to use news events or popular topics to reel in their victims online.

While the shift has been happening for the last several years, authors of Symantec's latest Internet Security Threat Report, published on Monday, said that the move was more evident during the first six months of 2007 than ever before.

"I think this truly represents a big change, we've started to see attacks shifting away from going after the end users to the use of targeted outlets as the primary infection point," said Dean Turner, senior manager of Symantec's Security Response Team and executive editor of the report, which is published twice annually.

"Almost all the malware code we're seeing is on the Web, and much of it on trusted sites, so the victims are coming to the bad guys versus the old days where it mostly went the other way around," he said.

Overall, Symantec observed some 212,101 new malware attacks during the first half of 2007, a dramatic 185 percent increase over the second half of 2006. Of those threats, the company said that Trojan viruses accounted for 73 percent of the top 50 malicious code samples, a 60 percent increase compared to the previous six months.

A growing number of attackers are also utilizing widely-available and increasingly-sophisticated malware-authoring toolkits such as MPack -- which has been used to assail large numbers of financial services companies and their customers, and is believed to be supported by Russian cyber-thieves -- to stay on top of the latest browser vulnerabilities and find new legions of victims, Turner said.

The professionalism of the toolkits is making for a subsequent increase in the complexity of common attacks and making it harder for webmasters to keep their sites from being hijacked, according to the expert. The expense of the code is also heading downward, with MPack widely-sold on underground markets for roughly $1,000, the company said.

Turner said that browser plug-ins remain a popular format for sneaking code onto people's PCs, with ActiveX-based plug-ins representing the lion's share of the infected applications being doled out to unsuspecting Internet users. Over the first half of 2007, Symantec documented 237 vulnerabilities in Web browser plug-ins, a significant gain over the 74 it discovered during the second half of 2006, and the 34 it unearthed in the first half of 2006.

Some 89 percent of all the nefarious plug-ins observed by Symantec over the first two quarters of 2007 involved ActiveX exploits. By comparison, ActiveX threats accounted for only 58 percent of plug-in vulnerabilities in the second half of 2006.

"The toolkit development is becoming a real industry with all the money that is being made, and the Web browser remains the biggest security hole for most end users and organizations," Turner said. "It's simply easier for the criminals to do business this way; if they can take over a site and redirect all the users to a malware server, they can't be caught by intrusion detection or intrusion prevention systems."

In addition to tricking specific types of people, attackers are also being more aggressive about watching out for those that might be pursuing them, said the researcher. The criminals are also using techniques to avoid serving their exploits to machines or IP addresses that are known to be used by security companies and law enforcement officials.

Another ongoing shift in malware activity involves the increasing regionalization of threats, Turner said. A larger number of threats are being written in languages including Chinese and German to help lure victims in those regions, according to the report.

In Asia, for instance, more attacks are being written that are aimed to break into massive multiplayer online role-playing games and steal users' information since the Web-based networks have become so popular with people in the region.

"Instead of focusing on a global attack pattern, these people know they can focus on specific regions," said Turner. "We're seeing a particular increase in regionalization in areas where broadband use is growing and there are whole new groups of potential targets coming online all the time."

However, according to Symantec, the United States was the leading location for "underground economy servers," or those controlled by known criminals, during the first six months of 2007, accounting for 64 percent of all systems tracked by the firm.

On those sites, credit card data was the most commonly-seen asset for sale, making up 22 percent of all goods advertised on the underground markets. Symantec said that it found 8,011 distinct credit cards being advertised for exchange on underground servers, with 85 percent of those accounts issued by U.S. banks.

Symantec said that the regionalization of threat activity was particularly evident in the distribution of certain types of malicious code.

For instance, 44 percent of all Trojan attacks tracked by the company were reported from North America, while 37 percent were reported from Europe, the Middle East and Asia (EMEA). By contrast, the EMEA region harbored 43 percent of all worms, while North America only accounted for 23 percent.

Posted by Matt Hines on September 17, 2007 02:15 PM


September 13, 2007

Russian hackers corrupt U.S. consulate site

Ah, lovely St. Petersburg, known for its art, architecture, culture, commerce… and cyber-thieves.

If close proximity to hackers and organized crime is to be considered a contributing factor to having your site get owned -- which isn't always likely to be the case in this world of distributed attacks -- then IT workers at the office of the U.S. Consulate General in St. Petersburg shouldn't feel too bad that it happened to them, as embarrassing as it might be.

According to those ever-vigilant researchers over at Sophos, based on their examination of some cached Web page data, that's exactly what happened earlier this week.

In the incident that the AV company is reporting, which it identified as part of a larger campaign to hijack vulnerable Web servers based in Russia, hackers were able to load malware code onto the consulate site for an undetermined amount of time before someone discovered the problem and fixed it (to their credit).

Sophos reported that by scanning cached versions of the consulate's site, it found that cyber-criminals of some kind had planted a malicious program known as Mal/ObfJS-C on the site that then subsequently attempted to load additional malware from a remote server using the program.

The attack reportedly included an additional piece of malware script that attempted to exploit several Web browser vulnerabilities to install a Trojan horse program on the computers of site visitors that could potentially be used to steal data.

In total, more than 400 Web pages worldwide have been attacked in a similar fashion in only the last week, according to Sophos' estimates.

Sophos chief analyst/research guru Ron O'Brien noted that government agencies are coming under fire from malware attackers on a more frequent basis these days.

"Over the last few months we have seen a multitude of high profile organizations and government agencies come under attack by cyber-criminals; the frequency of these attacks is alarming and signifies that any organization, no matter the size or stature, is a target for hackers and malicious activity," he said in a research summary.

After hearing Xerox security mastermind David Drab's stories about his time working for the FBI in eastern Europe during the 1990s and the flood of hacking talent he saw move from the KGB and other former Soviet intelligence agencies into organized crime, it's not that surprising that the region has become a malware hotbed, but St. Petersburg, formerly Leningrad, is truly making a name for itself as a sort of capital for this type of activity.

Most notably the area has become known as the home of the ever-industrious Russian Business Network, a group of professional hackers who reportedly operate out of an office building in the city much like a legitimate company would.

RBN is believed to be the group behind the creation, or at least the rapid distribution, of the MPack malware development toolkit. MPack has become one of the most widely-used toolkits on the underground market, according to researchers, and has recently been linked to attacks on banking sites in India and the massive attack on over 10,000 Italian Web sites dubbed by analysts as the "Italian Job."

So, here's hoping that U.S. consulate workers can find a way to prevent such attacks from taking over their sites in the future. But, at the end of the day, the big story has to be that someone needs to stop RBN and the other St. Pete hacker gangs from taking over the world (wide Web).

Posted by Matt Hines on September 13, 2007 12:00 PM


September 12, 2007

Reducing secondary data exposure

Sometimes there just isn't enough time.

I have to give my colleagues here at IDG credit for running a great Security Standard conference in Chicago this week, but I suspect that many attendees (like myself) could have done with less of the self-promotion from Cisco and Microsoft, and more time with Global Security Management CTO Paul Williams.

As I noted in my blog on his Monday presentation on real world attacks, Williams is a master showman and he likes to make all sorts of fantastic claims and bold observations about the nature of enterprise security and hacks.

Some people like to theorize about the pervasive nature of threats, the involvement of organized crime and nation states in attacks, and the woeful shortcomings of most companies' IT security strategies -- mostly in broad terms and generalizations.

Williams will look you in the eye and tell you that his company is actively chasing down attacks from foreign nation states against the world's largest businesses and United States government entities and the unbelievable lengths attackers are going to. For real.

GSM specializes in security training and post-incident computer forensics. From what they claim, the company knows how to do a lot of bad things to get onto your network and has developed a number of techniques for addressing the issue.

While his claims sometimes seem to border on the outrageous (such as that companies can "profoundly" improve their security -- by as much as 90 percent -- merely by working harder to configure networking infrastructure), the truth is that I walked away believing just about everything that he had to say. And so did most of the conference attendees that I spoke to.

In his second thirty minute installment at the show, Williams shifted gears from the ubiquitous presence, variety and efficacy of sophisticated and targeted security attacks to some of his concepts for improving enterprise security.

One of the primary tenets of his advice revolves around the strategy of reorganizing network assets and data to reduce "secondary vulnerability exposure."

The idea is simple: design your network like the Navy builds its submarines, i.e. -- with sealed-off compartments to prevent a small breach from taking down the whole shebang.

Hackers or more invasive criminals will be able to break into your network no matter how good you are at security, he said -- whether by intercepting remote workers' passwords or subverting your trusted administrative assistants with large sums of money to get a foot in the door, or by any other means they can devise.

The key is to keep different silos of data disconnected or partitioned away from each other sufficiently to prevent hackers from running wild on your network once they break in.

"Hackers aren't the problem, it's really us, the organizations, and how we approach information management," Williams said. "We don't worry about hackers, we worry more about what people [read as enterprise IT shops and business users] are doing."

For instance, even if your assistant isn't being paid by ex-KGB spies to let them into your sensitive database (the wildest story he told in the meeting was about someone who parachuted onto the roof of a DoD installation to install listening devices for the purpose of spying), they are probably leaving their computer open to Web-based attacks or even physical exploitation -- such as by leaving their machine unprotected when they go away from their desks to retrieve your coffee. (I've never had an admin, and it shows, eh?)

Williams is big on the idea of real human facilities infiltration by scumbags in the name of carrying out attacks. Scary stuff indeed.

Anyway, a watered-down version of his concept is that companies need to do as much as they can to strictly partition sensitive data away from other resources and limit access to it by line-of-business applications.

It sounds simple enough but the expert contends that the largest companies in the world still don't get it and allow applications developers to build tools for business users that leave significant opportunities for anyone who gets on a network to access an organization's most sensitive data.

"The networks we see day-after-day in [the world's largest companies] are almost entirely perimeter-based defenses with very little protection on the inside, if someone gets through that they're typically almost unlimited in the things they can do," said Williams. "At [today's] level of attack there's no way to stop experts from getting through, so, you need to mitigate risk on the inside so when someone gets in the damage can be compartmentalized."

In addition to re-architecting networks so that sensitive data is kept under lock-and-key and connected to only those applications that must have access to the information, Williams said that companies need to build alert systems that tell them whenever anything else tries to access the information.

The CTO blames the push to get business apps up-and-running fast as the biggest enemy of this type of approach.

"This is the root cause of almost all the risk we have today, it's a constant battle to get operational data out over departmental boundaries; this is the problem companies need to solve first to set the stage for success," he said.

"Conflicting ideas over business risk are at the heart of the matter, with everyone trying to protect their own turf, and solutions tending to be born of what has been done before [even when apps are built in an insecure fashion]," he said. "IT workers don't have the ability to qualify risk to business people and everyone is speaking their own language; the endgame is a series of compromises that undermine security for years to come."

In addition to drastically shifting sensitive data storage and the ability for applications to access it, Williams advised that firms should engage in some cloak-and-dagger work of their own.

Using a concept he calls "honey tokens," the expert advises that companies should create repositories of information that looks like sensitive data, leave them relatively unprotected, and then simply sit back and see what happens, and who ends up touching the info.

In addition to seeing just how they are being attacked, the system may be useful at tricking attackers into walking away with useless data, confusing them and wasting their time, Williams said.
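Two of Williams' controls above, alerting whenever anything other than an approved application reads a partitioned data set, and seeding that data set with "honey tokens" that no legitimate application ever references, can be expressed as one small log monitor. This is an added example, not GSM's tooling or the author's: the log format, application names, store names and token identifiers are all constructed.

```python
"""Access-allow-list alerting plus honey-token detection over a data-store
access log. Added example, not GSM's or the author's code; all names and
the log format are constructed."""
import re

# Applications permitted to read each partitioned data set (constructed).
ALLOWED_READERS = {
    "cardholder_db": {"billing-svc"},
    "hr_records": {"payroll-svc", "hr-portal"},
}

# Honey tokens: decoy record ids seeded into each store. No legitimate
# application references them, so any touch is a signal (constructed ids).
HONEY_TOKENS = {
    "cardholder_db": {"cust-99001", "cust-99002"},
    "hr_records": {"emp-77777"},
}

# Constructed log line layout: "<ts> app=<name> store=<name> op=<verb> record=<id>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) app=(?P<app>\S+) store=(?P<store>\S+) "
    r"op=(?P<op>\w+) record=(?P<rec>\S+)$"
)


def evaluate_access(line):
    """Return alert strings for one access-log line (empty list if clean).

    Unparseable lines are reported too: a monitor that silently drops what it
    cannot parse is exactly the blind spot an intruder would exploit."""
    m = LOG_RE.match(line)
    if not m:
        return ["unparseable line: " + line]
    app, store, rec = m.group("app"), m.group("store"), m.group("rec")
    alerts = []
    # Control 1: only the applications that must have the data may read it.
    if store in ALLOWED_READERS and app not in ALLOWED_READERS[store]:
        alerts.append("unexpected reader %s on %s" % (app, store))
    # Control 2: a decoy record was touched, even by an allowed application,
    # which points at a compromised app or an insider browsing the store.
    if rec in HONEY_TOKENS.get(store, set()):
        alerts.append("honey token %s touched by %s" % (rec, app))
    return alerts


def scan_log(lines):
    """Run every line through evaluate_access; return {line_no: [alerts]}."""
    findings = {}
    for n, line in enumerate(lines, 1):
        hits = evaluate_access(line.rstrip("\n"))
        if hits:
            findings[n] = hits
    return findings


# Constructed sample log: one clean read, an unapproved reporting tool
# browsing the cardholder store (and hitting a decoy), a clean HR read, and
# an approved HR application touching a decoy employee record.
SAMPLE_LOG = [
    "2007-09-12T10:00:01Z app=billing-svc store=cardholder_db op=read record=cust-10042",
    "2007-09-12T10:00:05Z app=reporting-tool store=cardholder_db op=read record=cust-10043",
    "2007-09-12T10:00:09Z app=reporting-tool store=cardholder_db op=read record=cust-99001",
    "2007-09-12T10:01:00Z app=hr-portal store=hr_records op=read record=emp-12345",
    "2007-09-12T10:01:30Z app=hr-portal store=hr_records op=read record=emp-77777",
]

if __name__ == "__main__":
    for line_no, alerts in sorted(scan_log(SAMPLE_LOG).items()):
        for alert in alerts:
            print("line %d: %s" % (line_no, alert))
```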

Another piece of advice that the expert revealed was to take a truly holistic view of data protection that focuses on the most valuable information you have to protect, and building tools and policies to defend assets based on their values.

"Everyone thinks that they're doing this today but many are not; it works best to implement a strategic risk management scheme across all areas of risk at once," said Williams. "Come up with a master plan running years into the future to address all areas with one plan for securing everything; by managing risk in a long-term fashion, you can avoid nebulous response to individual attacks."

At least one of my fellow show-goers was impressed with the presentations, which Williams himself admitted were rather high-level and short on technical details given the amount of time he had to work with.

Lloyd Keith, the director of IT for the Psychology Department at the University of Illinois at Chicago, and a former military security officer, also thought that Williams provided a breath of fresh air in his stage shows.

He agreed that the type of process-oriented change that the CTO described is still usually trumped by decision makers' tendency to throw point products at problems instead.

"Moreso than process, in my career we always looked at buying software to prevent attacks, and in the military we used clearances to manage access, but trying to implement these kinds of changes he's talking about and get people to change their behavior is one of the hardest things to do, people don't even read your policies," Keith said. "The problem is that everyone has a knee-jerk reaction after something bad happens, unfortunately that seems to be the only way to get a wake up call out there -- trying to stay ahead of the curve is a real challenge."

Keith also found it believable that companies could probably do a lot to help themselves with little investment by working harder to move away from out-of-the-box settings on their IT and networking gear, and by avoiding "conventional wisdom" type configurations to make life harder on hackers.

"We should probably increase our focus on that type of thing in IT, people take products out of the box and they just want them to work, they use the same advice as everyone for securing things and probably do as little as possible in many cases," he said. "We try to make sure we have the right help around to avoid that, but in the end just about everyone is pretty cookie-cutter in their approach on some level."

Posted by Matt Hines on September 12, 2007 12:17 PM


September 11, 2007

Hanna - mixed grades in NAC report card

Network access control technologies are making progress, but much work remains to be done to make the authentication tools easier to use and integrate with other systems, according to NAC industry evangelist Stephen Hanna, who co-chairs the Trusted Network Connect Work Group standards effort and serves as a distinguished engineer at Juniper Networks.

Speaking to the assembled audience at the ongoing Security Standard conference in Chicago, Hanna shared his thoughts on a number of NAC trends that he sees as positive or troublesome.

"NAC certainly remains a hot topic, there's a lot of change in this area with new products and alliances being announced almost every week," said Hanna.

"It's important to keep track of these changes and the problems we're trying to solve," the security expert said.

Among the biggest problems that remain with today's NAC technologies is that hackers can devise ways to misrepresent a device's overall security standing, for example by installing a rootkit, Hanna said.

Hanna conceded that the issue follows directly from the nature of the device authentication tools, since the technologies depend on the machine's own statement of its security posture being truthful.

"Lying endpoints are a classic problem with NAC; what's really very concerning is that if a machine is infected with a rootkit, that's when it is most likely to lie," Hanna said. "In that sense a system that is based on asking the endpoint if it is healthy or not has some issues."

The Trusted Computing Group (TCG) is working on a solution to the problem centered on its Trusted Platform Module (TPM), which would let a device report its security standing to NAC systems before its OS even boots, eliminating the threat of rootkit interference, he said.

Intel also recently announced that its latest vPro and Centrino microprocessors will include the ability to report security data to NAC systems prior to OS booting.

"If we can't do that it will become an arms race with rootkit designers," observed Hanna.
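To make the difference between the two NAC designs Hanna contrasts concrete, here is an added, constructed model of a posture check. It is not code from Hanna, Juniper or the TCG, and it is not the TNC protocol: an HMAC under a per-device secret stands in for the TPM's signature over a quote, the secret is assumed to be held in hardware where the OS (and therefore a rootkit) cannot read it, and the "known-good boot chain" and device names are invented for the example. The first design asks the running OS whether it is healthy and believes the answer; the second verifies a signed, nonce-bound measurement taken before the OS started.

```python
import hashlib
import hmac
import secrets

# Added, constructed model of the two NAC designs discussed above. Not TCG/TNC code.
# HMAC with a per-device secret stands in for the TPM's quote signature; the secret
# is assumed to be hardware-held and unreadable by the OS, hence by any rootkit.

# Assumed known-good boot chain that the verifier expects to see (constructed).
KNOWN_GOOD_BOOT = ["bootloader-v1", "kernel-v1", "av-driver-v1"]
HASH_LEN = 32


def measure(components):
    """Fold a boot chain into one digest, PCR-style: h = SHA256(h || component)."""
    h = b"\x00" * HASH_LEN
    for component in components:
        h = hashlib.sha256(h + component.encode()).digest()
    return h


class Endpoint:
    """A device that booted the given components; measured before the OS runs."""

    def __init__(self, device_key, boot_components):
        self._device_key = device_key               # hardware-held; OS cannot read it
        self._measured = measure(boot_components)   # fixed at boot time, before the OS

    def self_report(self):
        # Design A: the running OS answers the health question. Whatever booted,
        # the answer is "healthy": a clean OS says so truthfully, a rootkit lies.
        return "healthy"

    def quote(self, nonce):
        # Design B: hardware signs (nonce || measurement). The OS cannot alter the
        # recorded measurement and cannot sign a different one.
        sig = hmac.new(self._device_key, nonce + self._measured, hashlib.sha256).digest()
        return self._measured, sig


class ReplayingEndpoint(Endpoint):
    """Rootkit-infected device that replays a quote captured from an earlier clean boot."""

    def __init__(self, device_key, boot_components, captured_quote):
        super().__init__(device_key, boot_components)
        self._captured = captured_quote

    def quote(self, nonce):
        return self._captured  # ignores the verifier's fresh nonce


class Verifier:
    """NAC policy decision point holding each device's key and the expected measurement."""

    def __init__(self, device_keys):
        self._device_keys = device_keys
        self._expected = measure(KNOWN_GOOD_BOOT)

    def admit_by_self_report(self, endpoint):
        return endpoint.self_report() == "healthy"

    def admit_by_quote(self, device_id, endpoint):
        nonce = secrets.token_bytes(16)  # fresh per check; a replayed quote cannot match it
        measured, sig = endpoint.quote(nonce)
        expected_sig = hmac.new(self._device_keys[device_id], nonce + measured,
                                hashlib.sha256).digest()
        if not hmac.compare_digest(sig, expected_sig):
            return False  # not signed by this device's key over this nonce
        return hmac.compare_digest(measured, self._expected)


def run_scenarios():
    """Return each design's admit/deny decision for clean, infected and replaying endpoints."""
    key = secrets.token_bytes(32)
    verifier = Verifier({"laptop-1": key})
    clean = Endpoint(key, KNOWN_GOOD_BOOT)
    infected = Endpoint(key, KNOWN_GOOD_BOOT + ["rootkit-driver"])
    # The rootkit author captured a quote from a clean boot earlier and replays it now.
    replayer = ReplayingEndpoint(key, KNOWN_GOOD_BOOT + ["rootkit-driver"],
                                 clean.quote(b"old-nonce-from-a-past-session"))
    return {
        "self_report": {
            "clean": verifier.admit_by_self_report(clean),
            "infected": verifier.admit_by_self_report(infected),   # the lie is believed
        },
        "quote": {
            "clean": verifier.admit_by_quote("laptop-1", clean),
            "infected": verifier.admit_by_quote("laptop-1", infected),  # measurement mismatch
            "replay": verifier.admit_by_quote("laptop-1", replayer),    # nonce mismatch
        },
    }


if __name__ == "__main__":
    print(run_scenarios())
```

The self-report design admits the infected machine because the only party it asks is the compromised OS. The quote design denies it twice over: an honest quote carries the rootkit driver in the measurement, and a replayed clean quote fails the signature check because it was bound to a stale nonce. What the model leaves out, and what the TCG work has to solve, is the key distribution and the measured-boot chain that make the hardware-held key and the pre-OS measurement trustworthy in the first place.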

Other challenges that Hanna detailed included:

- A lack of scalability in many existing NAC products
- Poor interoperability between tools made by different vendors
- A lack of commitment to industry standards by some vendors (namely Cisco)
- The cost of implementing systems that require drastic network reconfiguration

On the positive side, Hanna noted that:

- Security functionality in most tools has become sufficient
- Product performance is acceptable in most NAC systems
- Some vendors are achieving interoperability
- A variety of reasonably priced products have come to market

Moving forward, Hanna said that the industry will see NAC technology moving directly into endpoint systems, as it already has in Microsoft's Vista desktop OS, along with growing adherence to industry standards among vendors (even Cisco).

As he is wont to do, Hanna leaned on the industry to come together more closely on standards for the sake of benefiting end users.

"I don't think that any of us vendors has everything for everyone; all the pieces and parts need to work together for NAC to work," Hanna said. "The solution has to be open standards, otherwise things will be steered by one vendor or another."

Posted by Matt Hines on September 11, 2007 10:57 PM


September 10, 2007 | Comments: (0)

The good and bad with real world attacks

Get ready for some bold claims.

IT security technology and services provider Global Security Management sent CTO Paul Williams here to the ongoing Security Standard Conference in Chicago where he had some truly intriguing stories to tell about recent attacks that the firm has investigated.

The CTO, whose company specializes in training security and government workers to break into IT systems, among other things, offered a step-by-step walk-through of an insider job for which the company was hired to perform after-the-fact forensics. The tale highlighted the manner in which insiders can truly wreak havoc on their companies' operations -- and be paid to do so by outsiders.

According to Williams, the investigation caught a software developer at an unnamed U.S. banking applications specialist who had planted a logic bomb in his employer's applications support systems; it took the firm's services down three days after he left the company on good terms.

After interviewing the perpetrator, GSM investigators and law enforcement officials deduced that he had been paid $3 million to do so by his employer's No. 1 rival.

The CTO claims that GSM was able to identify the individual responsible for the attack based on an examination of his original resume filed with the firm -- a tactic Williams said can be used to smoke out insider attackers with a great degree of success. Williams said that software developers in particular often leave explicit clues about their style of work in their resumes that can prove useful for future forensics purposes. (So hold onto those resumes, HR types.)

GSM established that the threat was an insider by setting up a clean computer, rolling its clock back to before the moment the assault was launched and took down the affected company's systems, and recreating the scenario; from that reconstruction, investigators could easily tell that the threat had not come from outside the company's walls, he said.

Williams estimates that one-third of the insider attacks his company investigates center around disgruntled software developers, including a fair amount who have been flipped by criminal groups.

In many cases the people involved are even well thought of by their employers, making it even harder to figure out who is attacking a company and why, he said.

Companies make it easy for such scams to be carried out based on a lack of internal controls, according to the expert.

"Many small problems lead to attacks on this level," Williams said. "It may appear to be secure in your company, but it's probably not; we see the same things everywhere we go, including inside large companies."

Among the hallmark mistakes the banking software firm made were the implementation of poor source code controls, a lack of separation of duties, no peer review of code, and poor product image security.

"You have to consider that you're just one disgruntled employee away from going out of business," Williams said.

The CTO also recounted how many times GSM has seen data theft scams pulled off using equipment hidden in IT systems, including a number of schemes that employed cameras and microphones hidden in ubiquitous electrical power strips, such as those made by APC.

He also highlighted the fact that many government entities source IT products in their own names and have them mailed to their real addresses, making it easy for organized criminals to intercept the materials, corrupt them, and then send them along to their recipients.

Williams' overall point was that today's organized criminals are becoming almost impossible to keep from infiltrating, in one manner or another, the companies they choose to target.

On the flip side, the CTO said that most companies could improve their existing security standing simply by revisiting the settings on their existing network hardware and anti-malware tools. Many companies leave default settings in place, or use very predictable configurations for such equipment, making it easier for hackers to break in.

He said that the best thing a company can do to improve its security strategy is to begin attacking itself in new and unusual ways in an attempt to stay ahead of the next wave of innovative attacks.

"Before you learn how to defend a network, you have to take a walk on the wild side and see how you can break in yourself," said Williams. "However, you can improve security by up to 90 percent for almost no money; any network can be made more secure by simply mastering the guts of your infrastructure."

Posted by Matt Hines on September 10, 2007 02:32 PM


September 07, 2007 | Comments: (0)

CSIA goads feds to move faster on data sec

The Cyber Security Industry Alliance is clearly tired of waiting for the United States government to move forward and employ its significant powers to expand the nation's IT defenses.

The nonprofit industry group -- which counts a number of large security technology vendors among its members, including CA, F-Secure, IBM, PGP, Qualys, RSA and Symantec -- is renewing its call for "swift Congressional action" to secure the nation's IT infrastructure "in light of the growing evidence and increased recognition that our government and economic systems are at risk from cyber attack."

The CSIA is using President Bush's own comments as proof that legislators need to do something fast to lock down national networks to stave off outside threats.

Presenting at the annual Asia-Pacific Economic Cooperation (APEC) summit this week, Bush admitted: "I'm very aware that a lot of our systems are vulnerable to cyber-attack from a variety of places."

Boy, the depth of that insight is really mind-blowing isn't it? The president was also forced to apologize after referring to the economic hoedown as the "OPEC Summit." Brilliant!

CSIA President Tim Bennett added his support for the President's comments and said that he hopes the federal government is bent not only on securing its own infrastructure -- which has been repeatedly detailed as woefully lacking in recent months, including in reports made by the Department of Homeland Security regarding its own problems in locking down internal IT systems -- but on securing private industry and end users as well.

"CSIA's concern applies equally to both our economic and national security as both private and public sector information systems have proven vulnerable to cyber incidents," Bennett said.

CSIA is specifically calling for Congress to get off the fence on improving national data security laws, although some state officials would prefer that they are allowed to craft and enforce their own provisions, such as with the landmark California 1386 data breach reporting law.

"CSIA strongly urges Congress to pass a federal law requiring business and government to (1) establish and maintain a data privacy and security program to ensure the confidentiality and integrity of personal information, and (2) establish uniform notification requirements when a security breach presents a risk of harm to consumers," the group said in a statement.

While earmarking the state laws as "good intentioned," CSIA contends that the measures in some cases don't have enough teeth and in others have left businesses and consumers confused with their individual requirements.

"The time has arrived for Congress to take action to protect consumers by establishing national standards for data protection and breach notice requirements. Passing data security legislation would be an important step in what must be a comprehensive response to the growing pestilence of malicious intrusions into government and private data systems," Bennett said.

Posted by Matt Hines on September 7, 2007 01:30 PM


September 06, 2007 | Comments: (0)

McAfee predicts Windows Mobile malware

McAfee released a white paper (PDF) that highlights a handful of issues with Microsoft's Windows Mobile operating system that the security company contends will drive malware writers to target the platform in the future.

According to McAfee, hackers will soon begin targeting smartphones such as Windows Mobile devices as the handhelds become more popular and people use them to store larger amounts of valuable data.

While mobile malware attacks have been scarce thus far, and some experts -- including F-Secure wireless security guru Mikko Hypponen -- have predicted that such threats will likely never rival the widespread nature of today's desktop viruses, McAfee maintains that as smartphones take off, more exploit code will be written to target the machines.

All smartphones will likely be assaulted with malware at some point, according to the firm, but McAfee reports that a handful of Windows Mobile design features could lead to the "unintended exposure of device contents," including text messages, e-mail, documents, call records and contact lists, leaving users of devices running the OS prone to attack.

For instance, writes Zhu Cheng, the researcher in McAfee's Avert Labs group who authored the white paper, the development API that Microsoft provides for sending and blocking text messages on Windows Mobile devices could be used by malware developers to write programs that steal users' personal information.

Cheng maintains that because the system uses a telephone number to establish a line of trust for accepting text messages from senders, someone could easily create a spoofing attack that sneaks by any onboard protections for SMS spam or phishing campaigns.

"One example is malware that uses the text-messaging APIs to send fake messages to people on your contact list. This is similar to e-mail spoofing, but this type of phishing has an even higher likelihood of success because of the victims' lack of awareness of this type of threat. If we trust an incoming message based solely on its telephone number, then we are vulnerable to anyone in our contact list who has been infected by a virus, which can easily send spoofed messages. Users will find it hard to tell if the SMS is malicious," Cheng writes.

"It's reasonable to assume similar attacks will occur against Windows Mobile devices as these devices become more popular. It wouldn't be difficult for a malware writer to create a new threat. According to the Windows Mobile Software Development Kit, an application developer could write code using the sample code MapiRule and load it to implement text message blocking. Because Microsoft already provides a MapiRule framework in the SDK, all that a developer has to do is modify it a bit for use as a DLL."

"After installation, MapiRule becomes a filter between short messages and the text mail program. So, a programmer could interrupt the short message handling process by deleting or forwarding messages, or by performing other operations while acting as the man in the middle. Malware could use this feature to install a DLL in the user's smartphone to block the short message and disturb normal communication, give responses to messages, or forward messages. If SMS was used for corporate communications, it would create an avenue for intercepting corporate data."

Cheng goes on to say that using Microsoft's APIs, attackers could conceivably take control of a Windows Mobile device's camera and use it to snap pictures, or simply hack into users' saved photo and video content and steal it. (Somewhere teen hackers are dreaming that Paris Hilton buys a Windows Mobile smartphone.)

In another example, Cheng said that using Microsoft's mobile voice-recording API, a virus writer could conceivably cook up an attack that allows them to record phone calls.

"Microsoft applies the Waveform Audio Functions to record and play Wav files, according to the Windows Mobile SDK. Because of the comparability between Windows Mobile and Windows, many recording APIs and codecs used by Windows can be applied to Windows Mobile—and serve as a reference for mobile malware authors. When we tested the Dopod smart phone, for example, we found that the recording quality was very high—even when the mobile was in a user's pocket."

While the research paper fails to highlight any real vulnerabilities in Windows Mobile, and there remain experts who doubt that hackers will move aggressively to infiltrate smartphones -- especially since so many other types of systems can be more easily cracked today -- it provides interesting food for thought.

The cited threats are pure proof-of-concept material, and would seem likely to affect devices running on other OS software, but Cheng said that McAfee is merely hoping to push smartphone users to be wise about securing their devices (since there's no bad blood between McAfee and security software newcomer Microsoft, after all).

The point of it all, the researcher said, is to prepare for the attacks that will come.

"Right now we're in the early stages of what is likely to become a longstanding trend. We can't let our guard down," Cheng said in a report summary. "It is essential to exercise caution when using your smartphone."

Posted by Matt Hines on September 6, 2007 08:18 AM


September 05, 2007 | Comments: (0)

Crimeware kit use spikes in August

Researchers at security gateway specialist Finjan are highlighting a rise in the number of attacks carried out during the month of August that were built using widely-available malware authoring toolkits -- further illustrating the growing clout of the underground malware code sales market.

According to data gathered from its research efforts and the many sensors it has distributed among its clients, Finjan reported that at least 10 different crimeware toolkits were in heavy rotation in August alone. The company maintains that most of the virus-development platforms are being sold on the black hat underground for only a few hundred dollars apiece.

The toolkits specifically identified during the month included the well-known MPack, NeoSploit, IcePack, WebAttacker, WebAttacker2 and MultiExploit toolkits, as well as several newer malware toolkits such as Random.js, Vipcrypt, Makemelaugh and Dycrypt.

Finjan maintains that much like legitimate software programs, the malware authoring tools are being updated frequently by their distributors to include new exploits and "anti-forensic techniques" that allow them to continue to have effect and evade detection by traditional security technologies.

Further, each of the individual kits is being used to create hundreds of variations that will tax the intelligence of most security systems, the security firm claims.

Using its SecureBrowsing technology -- its rival to McAfee's SiteAdvisor Web site reputation testing system -- Finjan reported it has also been able to track use of the MPack toolkit, believed to be developed by hackers in Russia, by at least 58 different individuals.

Those attackers were able to infect an estimated 500,000 unique users during the month, the company said.

Among the types of legitimate sites on which the malware distributors were able to foist their MPack-derived programs were those operated by financial services companies and government entities, along with many Web 2.0 user-driven content sites.

Finjan said it identified at least 300 unique profiles on the popular MySpace site alone during August that were dishing out MPack-bred threats.

The security company said that at least six online advertising affiliate networks were clearly paying Web site owners for infecting visitors with hacks -- iframedollar, iframebiz, iframe911, iframestat, Neon and Vera. Each of the affiliates in turn recruited hundreds of new sites to use to deliver malware, according to the firm.

The use of tools meant to cloak attacks from anti-virus systems has also ramped up, said Finjan, with over 90 percent of the attacks it tracked during August employing such obfuscation techniques.

Posted by Matt Hines on September 5, 2007 02:21 PM

