IT Security Blog

31 December 2008

MD5 Collisions a Game Changer for SSL and AV Companies?


There has been quite a bit of press over the last day or two about a weakness in the way some SSL certificate authorities sign certificates.  Because those CAs still used the MD5 hash in their signatures, an attacker can forge a certificate that passes the authentication checks built into your browser.  This means that a malicious, look-alike web site for your bank could authenticate to your browser as your real bank's web site if the attack is carried out correctly.  See this story from CNET, which has a graphical proof-of-concept example using Bank of America.

If you are not familiar with MD5, it is a cryptographic hash function that produces a 128-bit digest and is used by many security applications.  For example, an MD5 hash is commonly used as a checksum by system integrity validators (SIVs) to ensure that key binaries on your system have not changed from their known-good state (if they have, this could indicate that a trojan or rootkit has been installed on your system). 

MD5 has been known for some time to be weaker than it should be.  Its output is 128 bits long (usually written as 32 hexadecimal digits), so there are only 2^128 possible digests, but that alone is not the issue; nobody can search a space that size.  The real problem is that MD5's internal structure is flawed, so two different inputs with the same digest (a collision) can be produced far faster than brute force would allow.  Practical collisions were published in 2004, and the certificate forgery builds on the newer chosen-prefix variant, where each of the two colliding inputs can begin with content the attacker picks (here, two different certificate bodies).  With the power of today's clustered computing environments (botnets included), the time it takes to generate such a collision has been greatly reduced.  According to the CNET article, the initial forgery proof of concept took about 2 weeks on a cluster of 200 PlayStation 3s.  That amount of computing power is tiny compared to most botnets.  Quite a few articles on the web (do a Google search for "md5 collision example" and some will yield source code) already show how easy it is to create a plain MD5 collision. 

Web site forgeries are only one example of how MD5 collisions can be used to circumvent security technologies.  My friend Adam O'Donnell from Cloudmark points out in a Twitter update that an MD5 collision could also be used to make malicious software look legitimate.  Take our SIV example from earlier.  An attacker who controls both files can build a benign binary and a malicious one that share the same MD5, get the benign one's hash recorded (or whitelisted), and later swap in the malicious one; an MD5-only integrity check would never notice that the executable changed.  One caveat: this requires the attacker to produce both files.  Matching the MD5 of an existing, legitimate binary that the attacker did not create would be a second-preimage attack, which is still not practical against MD5.  Even so, this could cause AV companies to have to rethink some of their own scanning methods, since hash-based whitelists and blacklists inherit the same weakness.
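Here is an added example that makes the SIV point concrete.  It is not code from the original post, from CNET or from the researchers; it uses the colliding 128-byte pair that Wang, Feng, Lai and Yu published in 2004, appends a constructed, hypothetical shared tail to both halves to get two "files", and then runs the kind of check an MD5-only integrity validator performs.  Everything in the block other than the two hex constants is made up for the example, and hashlib is the Python standard library.

```python
import hashlib

# Colliding 128-byte pair published by Wang, Feng, Lai and Yu (2004). The two
# inputs differ in six bytes, each by a single bit, yet share one MD5 digest.
COLLISION_A = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab58712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e488832571415a085125e8f7cdc99fd91dbdf280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e2b487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080a80d1ec69821bcb6a8839396f9652b6ff72a70"
)
COLLISION_B = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab50712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e4888325f1415a085125e8f7cdc99fd91dbd7280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e23487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080280d1ec69821bcb6a8839396f965ab6ff72a70"
)

# Constructed, hypothetical "program body" appended to both variants; it stands in
# for the code an attacker would share between a benign and a malicious build.
SHARED_TAIL = b"\n;; shared code follows; behaviour is selected by the header above\n"


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def differing_offsets(a: bytes, b: bytes):
    """Byte offsets at which two equal-length inputs differ."""
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]


def build_pair(tail: bytes = SHARED_TAIL):
    """Two files with identical MD5. MD5 is a Merkle-Damgard construction: once two
    inputs collide on a 64-byte block boundary, appending the same suffix to both
    keeps them colliding. The attacker has to prepare BOTH files; matching the
    digest of an existing file they did not create would be a second-preimage
    attack, which is still out of reach."""
    return COLLISION_A + tail, COLLISION_B + tail


def behaviour(file_bytes: bytes) -> str:
    """Toy dispatcher for this example: the code path depends on which colliding
    header the file carries, the way a real dual-behaviour binary would branch."""
    header = file_bytes[:len(COLLISION_A)]
    if header == COLLISION_A:
        return "benign"
    if header == COLLISION_B:
        return "malicious"
    return "unknown"


def md5_siv_accepts(file_bytes: bytes, recorded_md5: str) -> bool:
    """What an MD5-only system integrity validator does: accept if the digest matches."""
    return md5_hex(file_bytes) == recorded_md5


def demo():
    benign, malicious = build_pair()
    recorded = md5_hex(benign)  # the baseline the SIV stored for the good file
    return {
        "md5_collides": md5_hex(malicious) == recorded,
        "sha256_collides": sha256_hex(benign) == sha256_hex(malicious),
        "siv_accepts_swapped_file": md5_siv_accepts(malicious, recorded),
        "behaviours": (behaviour(benign), behaviour(malicious)),
    }


if __name__ == "__main__":
    print("differing byte offsets:", differing_offsets(COLLISION_A, COLLISION_B))
    print(demo())
```

Only one bit in each of six bytes differs, yet both files pass an MD5 check recorded against the benign one, while SHA-256 tells them apart.  Note what the example does not do: it never produces a file matching the MD5 of an existing binary the attacker did not author, because that would be a second-preimage attack.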

What all of this really highlights is that MD5 is no longer a "good enough" hashing algorithm (and in reality hasn't been for some time, but that hasn't stopped people from using it) if your intention is to create a hash that will be used as part of any kind of security or authentication system.  I agree with Paul Kocher's statements in the CNET article that this is certainly not one of the biggest security issues facing us right now.  Among all of the other application-based attacks that exist, though, this one could be potentially very dangerous, as it is another of those we have discussed that do not require elaborate social engineering to be carried out effectively (at least for web site forgeries), since the redirection to a malicious site can be done at the network level. 

This is not the type of attack that is likely to occur on a large scale against many widely used web sites (like the Bank of America proof of concept), as it would likely get sniffed out very quickly, but if used for smaller, more localized attacks it could prove effective. 
Posted by smasiello at 8:30 AM | Link | 1 comment
23 December 2008

Ireland's Version of CAN-SPAM?


Ireland is tired of spam and is enacting legislation that will fine convicted spammers up to 250,000 Euros, according to this siliconrepublic.com story.  The story does not go into the specifics of the law or what an email needs to contain in order to be in compliance (e.g. CAN-SPAM has several rules that marketers must follow in order to be compliant), but refers to "spammers" as a general term.

Lost in the noise of all of this, let us not forget the difference between a "spammer" and a "spam message". 

Spammers are people who send nothing but spam, 100% of the time.  They use botnets to conceal the original sender and use networks that they otherwise have no right or license to use. 

Compare this to an (accidental) sender of a spam message. 

Most ESPs (email service providers) occasionally sign up customers whose intention is to use the ESP's network to send email to purchased lists or to people who did not specifically opt in to receive that mail.  Of course, this is unbeknownst to the ESP until the email goes out and the complaints roll in: spamtrap hits, high unknown-user rates, and users hitting the "This is Spam" button in their webmail clients.  The good ESPs will shut those customers down immediately and make them go send their email elsewhere.  Does this make these ESPs spammers?  No.  Are they culpable under this new law?  Not sure yet, but those details will certainly come forward.

I can respect what Ireland is trying to do here, but I hope they can take a lesson from the United States and not repeat the mistakes of CAN-SPAM.  If it is not implemented correctly (i.e. enforcing the policy against the true spammers and the ESPs that are not making good-faith efforts to remove bad customers from their systems), the only people they may end up hurting are the legitimate email marketers who occasionally have an "oopsie" from a bad customer, while the true spammers continue their practices unfettered.
Posted by smasiello at 2:52 PM | Link | 0 comments
22 December 2008

What Looms Ahead for Cyber Security Under Obama?


According to this RWW (Read Write Web) article posted on Saturday, a recent cyber war simulation revealed that the United States is not equipped to handle a major attack against its computer networks. 

This news is not new. 

Other articles have been published (example from Signal Online here) about the vulnerability of the United States to a cyberterrorism attack, but we are not alone. 

Understand that this is potentially not just a United States issue; it could be a world-wide issue.  South-East Asia is vulnerable, according to this article from DarkNet.  Microsoft claims that Europe is also a likely target for attack.  Siliconindia.com wrote last Thursday that India is also vulnerable to cyberterrorism.  Many other countries surely are as well.

If such an attack were to happen on any of the major economies (and to be honest, I am not entirely convinced that this would actually happen, but I am certainly not discounting the need for increased security awareness regardless of its potential effects either), its effects would be felt at a global level. 

One of the many items that Obama is being pressed on as he puts together his new administration is the creation of a National Office for Cyberspace, headed by a new Cybersecurity Czar.  I believe that this is a good idea if the right appointment is made, but neither that person nor the Cyberspace Office can act in a silo.  They need to coordinate with other nations and create uniformity in establishing policies and procedures.  An obvious question that then arises out of all of this is "Are the policies enacted by the National Office for Cyberspace going to be compulsory only for government agencies and the finance, telecom, and energy industries?"  Secondarily, if these policies will also be required for small businesses and enterprises, what will be the cost to them? 

The RWW article also asks whether the White House is the right entity to be coordinating this effort for the United States.  A good question, considering its track record in addressing issues like spam via the CAN-SPAM Act, which just celebrated its fifth birthday.  Despite that negative mark, I'll ask the question for discussion: who else could coordinate this effort and achieve the necessary involvement from the EU, India, South-East Asia, et al.?  If there is such a group, let them step forward.

There are clearly a lot of questions that are as yet unanswered and likely will not be answered for the foreseeable future.  Here's hoping that the Obama administration will take the cybersecurity initiative as a whole (not just from the cyberterrorism angle) seriously and that it also solicits the opinions and ideas of the security industry when making any decisions.  We have a lot of ideas and recommendations that should be seriously considered.
Posted by smasiello at 10:33 AM | Link | 0 comments
17 December 2008

CAN-SPAM Celebrates 5 Years!


Happy 5th Birthday to the CAN-SPAM Act (The Controlling the Assault of Non-Solicited Pornography and Marketing Act) of 2003!  The CAN-SPAM Act was the brainchild of Senators Burns of Montana and Wyden of Oregon in April 2003 before undergoing some revision and being signed into law by President Bush on December 16th, 2003 (ok, so the real birthday was yesterday).  The CAN-SPAM Act took effect on January 1, 2004.

Although it is the standard by which ESPs enforce compliance on the part of their customers, it has largely been ignored by spammers.  MX Logic has been tracking CAN-SPAM compliance since the Act's inception, and even at its peak, in May 2004, only about 3% of all spam was in compliance.  Compliance has typically hovered around 0.2-0.3% since 2005.  As a result, many have taken to calling it the U-CAN-SPAM Act.

If you are not familiar with the CAN-SPAM act it imposes a number of requirements on commercial email:

-- Ensure that the "FROM" line clearly reflects the sender's identity

-- Include subject line text consistent with message content

-- Include the advertiser's valid postal address

-- Contain a working opt-out mechanism as a way for the consumer to decline to receive further commercial email from the sender

As part of the CAN-SPAM Act the FTC was also directed to study, and authorized to create, a "Do Not Email" registry, much like the existing "Do Not Call" registry for telemarketing.

We blogged back in October about a loophole that conveniently exists in the CAN-SPAM Act: it does not prohibit the mass sending of unsolicited political email, because of its non-commercial nature.  That opinion drew quite a few comments, both positive and negative, from both sides of the aisle. 

So, as we move forward into 2009 and you toast in the New Year, be sure to raise a glass to the CAN-SPAM Act.  Five years of reducing spam to nobody!
Posted by smasiello at 5:17 PM | Link | 1 comment

Another Out of Band Security Update Released by Microsoft to Patch IE Vuln


In two of the last three months Microsoft has released an out-of-band patch to fix a critical vulnerability in one of its products.  Today it is releasing an update for a critical vulnerability in Internet Explorer.  The patch addresses a bug in the browser's XML handling that allows an attacker to install malware on an unsuspecting user's computer merely by having them visit a compromised web site.

Back in October Microsoft also released an out-of-band patch for a vulnerability in the "Server" service that affected many versions of Windows, including Windows XP and Windows Server 2003.  This new update comes right on the heels of a record-setting Patch Tuesday on December 9th, when an incredible 28 vulnerabilities were fixed, 23 of them rated "Critical."

Since a couple of people have asked me, I figured it was appropriate to address the question here: "What does an out-of-band patch mean?"  In this context I am referring to an update released outside of Microsoft's regular update schedule.  The second Tuesday of every month is widely called "Patch Tuesday"; this is when Microsoft releases its software and application updates for the month, many of them security related.  When a patch is released on a day other than Patch Tuesday, like today, it is considered "out-of-band."

This is an especially critical vulnerability to patch as soon as possible, as exploit code has been available and attackers have been taking advantage of it for about a week now.  The day after Patch Tuesday is commonly called "Exploit Wednesday" (which is likely when this exploit was released into the wild).  It is when new exploits commonly appear, for two reasons: attackers reverse-engineer the just-released patches to find the fixed flaws and exploit them on systems that have not yet updated, and attackers deliberately hold back fresh zero-days until just after Patch Tuesday, knowing that Microsoft is typically slow to release a patch outside of its published schedule and that the next regular one is a month away.
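As an added example (not code from the original post or from Microsoft), here is a small Python helper that computes Patch Tuesday for a month, classifies a release date as in-band or out-of-band, and measures the exposure window an Exploit Wednesday zero-day gets if the vendor waits for the next regular cycle.  The dates are the ones mentioned in this post; the function names are mine.

```python
import datetime as dt

TUESDAY = 1  # datetime.date.weekday(): Monday is 0


def _as_date(d):
    """Accept either a date or an ISO 'YYYY-MM-DD' string."""
    return d if isinstance(d, dt.date) else dt.date.fromisoformat(d)


def patch_tuesday(year: int, month: int) -> dt.date:
    """Second Tuesday of the month, Microsoft's regular security release day."""
    first = dt.date(year, month, 1)
    first_tuesday = first + dt.timedelta(days=(TUESDAY - first.weekday()) % 7)
    return first_tuesday + dt.timedelta(days=7)


def next_patch_tuesday(after) -> dt.date:
    """First regular release day strictly after the given date."""
    after = _as_date(after)
    candidate = patch_tuesday(after.year, after.month)
    if candidate > after:
        return candidate
    year, month = (after.year + 1, 1) if after.month == 12 else (after.year, after.month + 1)
    return patch_tuesday(year, month)


def classify_release(release) -> str:
    """'in-band' if the date is that month's Patch Tuesday, otherwise 'out-of-band'."""
    release = _as_date(release)
    return "in-band" if release == patch_tuesday(release.year, release.month) else "out-of-band"


def exposure_window_days(disclosed) -> int:
    """Days from a disclosure (e.g. an Exploit Wednesday zero-day) until the next
    regular release: the window attackers get if the vendor waits for the schedule."""
    disclosed = _as_date(disclosed)
    return (next_patch_tuesday(disclosed) - disclosed).days


def summarize(dates):
    """Map each ISO date string to its classification."""
    return {d: classify_release(d) for d in dates}


if __name__ == "__main__":
    # December's Patch Tuesday and today's IE update, as discussed in the post.
    print(summarize(["2008-12-09", "2008-12-17"]))
    print("days from 2008-12-10 to the next Patch Tuesday:", exposure_window_days("2008-12-10"))
```

A vulnerability-management feed can use classify_release to flag out-of-band bulletins for expedited handling; the exposure window (34 days for a December 10th zero-day) is the argument for not waiting on the schedule.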

Test and deploy this patch immediately or encourage your users to use a different browser (such as Firefox or Chrome) until you can deploy the fix.

*** UPDATE 12/18/2008 9:15am MST *** More information here written by SC Magazine which re-emphasizes the importance of rapid patch testing and deployment due to the number of active exploits.

Posted by smasiello at 11:04 AM | Link | 0 comments
12 December 2008

McColo - A One Month Retrospective


It has been one month since McColo had its upstream bandwidth cut off by Global Crossing and Hurricane Electric.  What has changed since? 

As we've previously reported (here and here), immediately after the McColo shutdown we saw a 50-60% decline in spam volume.  That drop held for about 9 days, even though in the middle of it McColo was briefly brought back online by TeliaSonera.  During that brief uptime the Rustock botnet was able to update itself and point its bots at different command-and-control hosts.  It wasn't until 4 days later that Rustock came back with a vengeance and resumed its normal spamming activity.

Since that time we have also seen the Mega-D botnet come back online.  The current net result is still positive, as spam volumes remain about 40% lower than they were prior to McColo.  This is largely because the Srizbi botnet still shows only minor signs of life, despite reports that Srizbi is back in the hands of its original owners.

I am still surprised that these botnets were so easy to cripple to begin with, even if only temporarily.  What this will lead to, however, is the bigger, better botnet: more redundancy built in, command-and-control servers live on multiple networks with bandwidth from multiple providers, and fast flux for both its nodes and its nameservers, creating a truly interconnected network that can only be taken down by removing every connected, infected machine.  Add encrypted communication between the nodes and some of the DDoS defense mechanisms incorporated by botnets like Storm, and your botnet is bulletproof.
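The fast-flux design described above leaves a visible footprint in DNS, and that footprint is what a defender can hunt for.  The following is an added example (not from the original post or from any vendor) of the basic heuristics run over a small set of constructed passive-DNS observations: many distinct A-record IPs spread across many /16 prefixes on short TTLs indicate rotating front-end nodes, and many NS hosts on short TTLs indicate the nameservers rotate too.  The domain names, addresses, thresholds and the last-two-labels domain helper are all assumptions made for the example.

```python
import ipaddress
from collections import defaultdict

# Constructed passive-DNS observations (not real data):
# (epoch seconds, query name, rrtype, ttl, rdata). One domain is shaped to look
# like a fluxing botnet front end, the other like an ordinary static host.
OBSERVATIONS = [
    (1229000000, "cdn.example-flux.test", "A", 180, "198.51.100.7"),
    (1229000180, "cdn.example-flux.test", "A", 180, "203.0.113.40"),
    (1229000360, "cdn.example-flux.test", "A", 180, "192.0.2.88"),
    (1229000540, "cdn.example-flux.test", "A", 180, "198.51.100.210"),
    (1229000720, "cdn.example-flux.test", "A", 180, "203.0.113.9"),
    (1229000900, "cdn.example-flux.test", "A", 180, "192.0.2.151"),
    (1229000000, "example-flux.test", "NS", 300, "ns1.example-flux.test"),
    (1229000300, "example-flux.test", "NS", 300, "ns2.example-flux.test"),
    (1229000600, "example-flux.test", "NS", 300, "ns3.example-flux.test"),
    (1229000900, "example-flux.test", "NS", 300, "ns4.example-flux.test"),
    (1229000000, "www.example-static.test", "A", 86400, "192.0.2.10"),
    (1229086400, "www.example-static.test", "A", 86400, "192.0.2.10"),
]


def registered_domain(name: str) -> str:
    """Last two labels of a name. Assumption for this example; production code
    should consult the Public Suffix List."""
    return ".".join(name.rstrip(".").lower().split(".")[-2:])


def flux_report(observations, ip_threshold=5, prefix_threshold=3,
                ttl_threshold=300, ns_threshold=3):
    """Aggregate per registered domain and apply fast-flux heuristics. Thresholds
    are illustrative; tune them against your own resolver data."""
    stats = defaultdict(lambda: {"ips": set(), "prefixes": set(), "ns": set(),
                                 "min_a_ttl": None, "min_ns_ttl": None})
    for _ts, qname, rrtype, ttl, rdata in observations:
        s = stats[registered_domain(qname)]
        if rrtype == "A":
            addr = ipaddress.ip_address(rdata)
            s["ips"].add(str(addr))
            s["prefixes"].add(str(ipaddress.ip_network(f"{addr}/16", strict=False)))
            s["min_a_ttl"] = ttl if s["min_a_ttl"] is None else min(s["min_a_ttl"], ttl)
        elif rrtype == "NS":
            s["ns"].add(rdata.lower())
            s["min_ns_ttl"] = ttl if s["min_ns_ttl"] is None else min(s["min_ns_ttl"], ttl)

    report = {}
    for domain, s in stats.items():
        a_flux = (s["min_a_ttl"] is not None and s["min_a_ttl"] <= ttl_threshold
                  and len(s["ips"]) >= ip_threshold
                  and len(s["prefixes"]) >= prefix_threshold)
        ns_flux = (s["min_ns_ttl"] is not None and s["min_ns_ttl"] <= ttl_threshold
                   and len(s["ns"]) >= ns_threshold)
        verdict = "double-flux" if (a_flux and ns_flux) else "single-flux" if a_flux else "stable"
        report[domain] = {
            "distinct_ips": len(s["ips"]),
            "distinct_prefixes": len(s["prefixes"]),
            "distinct_ns": len(s["ns"]),
            "min_a_ttl": s["min_a_ttl"],
            "verdict": verdict,
        }
    return report


if __name__ == "__main__":
    for domain, r in flux_report(OBSERVATIONS).items():
        print(domain, r)
```

Large CDNs also answer with many short-lived IPs, so the prefix-spread and NS-flux conditions are there to cut false positives; real tooling usually adds ASN diversity and the age of the domain registration before alerting.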

As defenses improve, attack tactics evolve.  Just like when Word macro writers realized that they had to move on to the next generation of infection, those who are diligently working on new botnet communication technology are working on the next generation botnets (yes, plural).  Get ready.
Posted by smasiello at 9:31 AM | Link | 0 comments
11 December 2008

In-Calendar "Marketing" - The New Spam Goodness?


Back in May of this year we blogged about the increased use of calendar spam: unsolicited calendar invites sent by spammers to deliver content to your inbox.  These are particularly annoying for several reasons:

-- Some phones (like the iPhone) will automatically wake up when you receive a new calendar invite and display the details of the invite on screen
-- The default behavior of the most commonly used calendar applications is to automatically display events that you have been invited to on your calendar, regardless of whether you have accepted the invitation, and in many cases to block out the reserved time on your calendar as "Tentative"
-- If you ignore the invite and it was sent with a reminder attached, the message will notify you again shortly before the proposed meeting is scheduled to take place
-- If you decline the invite, you have essentially validated your email address to whoever receives the notification that you refused the meeting
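Each of those behaviors comes from the client trusting the METHOD:REQUEST it receives.  As an added example (not code from the original post or from any calendar vendor), here is a minimal iCalendar reader and a triage policy that only auto-adds invites from organizers you already trust, shows invites from known domains without blocking the time, quarantines the rest, and never sends a reply, not even a DECLINE, to an untrusted organizer, since the reply is what validates your address.  The sample invite, the addresses and the policy are all constructed for the example.

```python
import re

# Constructed sample invite (not a real message), modelled on the kind of
# unsolicited REQUEST described above: an organizer we have never dealt with,
# a folded SUMMARY line, and a VALARM that would fire before the "meeting".
SAMPLE_INVITE = """BEGIN:VCALENDAR
VERSION:2.0
PRODID:-//constructed example//EN
METHOD:REQUEST
BEGIN:VEVENT
UID:4f2a9c-constructed@vendor.example
DTSTAMP:20081209T150000Z
DTSTART:20081211T170000Z
DTEND:20081211T173000Z
ORGANIZER;CN=Sales Rep:mailto:sales@vendor.example
ATTENDEE;ROLE=REQ-PARTICIPANT;RSVP=TRUE:mailto:you@corp.example
SUMMARY:Product demo - we tried to reach you by tele
 phone
BEGIN:VALARM
ACTION:DISPLAY
TRIGGER:-PT15M
DESCRIPTION:Reminder
END:VALARM
END:VEVENT
END:VCALENDAR
"""


def unfold(text: str) -> str:
    """RFC 5545 unfolding: a line break followed by one space or tab joins lines."""
    return re.sub(r"\r?\n[ \t]", "", text)


def parse_ics(text: str):
    """Minimal iCalendar reader: top-level METHOD plus one dict per VEVENT mapping
    property name -> (params, value), with '_alarms' counting nested VALARMs.
    Quoted parameter values containing ':' are not handled (kept simple)."""
    method, events, stack, current = None, [], [], None
    for raw in unfold(text).splitlines():
        line = raw.strip()
        if not line:
            continue
        head, _, value = line.partition(":")
        name, *params = head.split(";")
        name = name.upper()
        if name == "BEGIN":
            component = value.upper()
            stack.append(component)
            if component == "VEVENT":
                current = {"_alarms": 0}
                events.append(current)
            elif component == "VALARM" and current is not None:
                current["_alarms"] += 1
        elif name == "END":
            if stack:
                stack.pop()
            if value.upper() == "VEVENT":
                current = None
        elif stack and stack[-1] == "VCALENDAR" and name == "METHOD":
            method = value.upper()
        elif stack and stack[-1] == "VEVENT" and current is not None:
            current[name] = (dict(p.split("=", 1) for p in params if "=" in p), value)
    return {"method": method, "events": events}


def mailto_address(value: str) -> str:
    v = value.strip()
    return v[7:].lower() if v.lower().startswith("mailto:") else v.lower()


def triage_invite(ics_text: str, trusted_senders, known_domains):
    """Policy (an assumption for this example, not any vendor's behaviour)."""
    cal = parse_ics(ics_text)
    results = []
    for ev in cal["events"]:
        organizer = mailto_address(ev.get("ORGANIZER", ({}, ""))[1])
        domain = organizer.rsplit("@", 1)[-1]
        if cal["method"] != "REQUEST":
            decision = "ignore"            # not an invitation at all
        elif organizer in trusted_senders:
            decision = "add-to-calendar"
        elif domain in known_domains:
            decision = "show-as-pending"   # visible, but no time is blocked
        else:
            decision = "quarantine"        # never reaches the calendar
        results.append({
            "organizer": organizer,
            "summary": ev.get("SUMMARY", ({}, ""))[1],
            "dtstart": ev.get("DTSTART", ({}, ""))[1],
            "alarms": ev["_alarms"],
            "decision": decision,
            # Even a DECLINE confirms the address is live; reply only to trusted senders.
            "reply_allowed": decision == "add-to-calendar",
        })
    return results


if __name__ == "__main__":
    print(triage_invite(SAMPLE_INVITE, {"boss@corp.example"}, {"corp.example"}))
```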

Earlier this week my boss, our CTO, and I received an unsolicited calendar invite from the folks over at Nimsoft (sorry, you spammed, so you get called out in public) alleging that they had made several unsuccessful attempts to contact us via telephone (they never called me!) and wanted to set up a demo of their new monitoring solution.  That same day my boss received an email advertising this concept of In-Calendar "Marketing" (ironic that they sent a spam email to advertise their calendar "marketing", no? :) ):




So, in-calendar "marketing" is essentially riding on the coattails of a tactic spammers use to increase deliverability to the inbox.  The primary intent is to get around spam filters, because the senders know they aren't sending legitimate or wanted content. 

It's a clever tactic because it also increases the stickiness of the message.  If you get a Viagra email in your inbox and you delete it, no harm, no foul.  With calendar spam, the time may get reserved on your calendar and appear to others as if you are scheduled for a meeting, reducing your productivity, and it will remind you of the unwanted invitation before the demo/sales call/whatever was scheduled to begin. 

I can certainly understand why these marketers (a term I am using very loosely in this case) are doing whatever they can to increase their own deliverability rates, especially in tough economic times, but instead of resorting to tactics that are clearly being used as a copycat spammer tactic maybe they should try following published best practices instead.   A novel concept....
Posted by smasiello at 10:38 AM | Link | 1 comment
02 December 2008

Apple Recommends Using Antivirus Software


It looks like Apple has finally changed its tune on using security software on its computers and is now telling its users to make sure they have antivirus software installed.  See article here.

This move was inevitable.  At some point Macs would gain enough market share to become more of a target for hackers and cyber criminals.  Most security researchers have been saying that for a long time, and I applaud Apple for finally coming to that realization also, even though it really should have been said some time ago.  Now the Mac users who have long claimed they don't need to worry about malware "because they run a Mac" really don't have a leg to stand on, as even the manufacturer of their computer has come out and contradicted that claim.

The timing of this announcement is good as well.  As IT managers work on their 2009 budgets, this is now another line item to allocate money for early in the year.  If your Mac does not already have some kind of antivirus software installed, the time is now to get it.  Apple's personal computer market share continues to increase, which means its prevalence as a target will also continue to rise.  Don't be left holding the bag, either as a personal Mac user or as a corporate user.  Macbots are coming.  iPhones and iPods will not be far behind.

*** UPDATE 12/2/2008 4:42pm MST ***  So it looks like I need to recant a little bit.  If you look at Apple Knowledge Base Article 4454, you'll notice the last-updated date of December 2, 2008, but the article was originally published on June 8, 2007.  Unfortunately, the existence of this article hasn't changed most Mac users' hubris about their invulnerability to malware, because the fact of the matter remains that many Mac users still don't use antivirus software on their machines.  The time is still now to change that.  A widespread Mac virus could be a devastating event!
Posted by smasiello at 8:43 AM | Link | 5 comments
01 December 2008

Cyber Monday - The Official Online Kickoff to the Holiday Shopping Season


Happy "Cyber Monday" - what is widely considered to be the official start of the online shopping season.  After eating too much turkey, gravy, mashed potatoes, and stuffing on Thursday (and probably Friday, Saturday, and Sunday too!), then spending way too much time in line for Black Friday shopping deals that probably weren't worth getting up at 3am for, today is the first day back at work after the long holiday weekend.  As such, today is also the day that many people start buying presents online.

According to comScore, spending on Cyber Monday has historically reflected overall holiday season spending.  The question that I have, though, is "Is Cyber Monday relevant anymore?"  Many retailers now offer the option, even on Black Friday, to order items via their web site and get the same deals.  So, many of the specials that people were standing in line for on Friday could have been purchased online, at home, in your pajamas. 

From a security perspective, Cyber Monday is the start of a season in which we try to educate users as much as possible about the "too good to be true" deals that may arrive in your inbox.  We have typically offered a few pointers to keep yourself safe online:

-- Shop only with vendors that you already know and trust.  Don't give your credit card information to someone you don't already have some kind of pre-existing shopping relationship with. 

-- Avoid clicking on what appear to be links to legitimate web sites in an email or IM.  If you want to go to the Land's End web site to shop, type the URL directly.  The link may actually go to a look-alike site set up solely to steal information.
-- Ensure that web sites that accept credit card information, or that you have to log into, use SSL encryption on the pages that process this data.  This should be a given nowadays, and the absence of encryption for your sensitive data should be your first red flag that your business should be taken elsewhere.

-- Look for seals from privacy enforcement organizations like TRUSTe and BBBOnline.  Although this isn't a guarantee that the site cannot be compromised, cooperation with these organizations means that they do not ask for sensitive information like a social security number without explicitly explaining in their privacy policy why they are collecting it.  So you can at least know going in why you are being asked for something you wouldn't normally provide, and make an informed decision about whether to take your business to another merchant.
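The second pointer, links that look legitimate but go elsewhere, is something a mail filter can check mechanically.  As an added example (not code from the original post or from any product), here is a small Python checker that pulls every anchor out of an HTML message body and flags three classic tricks: visible text naming one host while the href points at another, a fake "host" placed before an @ in the URL, and a raw IP address as the real host.  The sample email, its .example domains and the last-two-labels site comparison are all constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed HTML email body (not a real message). All domains use reserved
# .example names; the look-alike domain and the IP address are made up.
SAMPLE_EMAIL = """
<p>Holiday deals! Visit <a href="http://www.landsend.example/">www.landsend.example</a> today.</p>
<p>Partner offer: <a href="http://landsend-specials.example/x">www.landsend.example/holiday</a></p>
<p><a href="http://www.landsend.example@198.51.100.7/login">Sign in</a> to see your cart.</p>
<p><a href="https://www.landsend.example/sale">Click here</a> for 50% off.</p>
"""


class AnchorCollector(HTMLParser):
    """Collects (href, visible text) for each <a> in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(s: str):
    """Hostname of a URL, or of bare text that reads like one; None if absent."""
    s = s.strip()
    if "://" not in s:
        s = "http://" + s
    host = urlparse(s).hostname
    return host.lower() if host else None


def same_site(a: str, b: str) -> bool:
    """Compare the last two labels (assumption; use the Public Suffix List in production)."""
    return a.split(".")[-2:] == b.split(".")[-2:]


def suspicious_links(html: str):
    """Return (reason, href, text) for each anchor that trips one of the checks."""
    p = AnchorCollector()
    p.feed(html)
    findings = []
    for href, text in p.links:
        target = host_of(href) if href else None
        if target is None:
            continue
        looks_like_url = "." in text and " " not in text
        shown = host_of(text) if looks_like_url else None
        if shown and not same_site(shown, target):
            findings.append(("display-host-mismatch", href, text))
        if "@" in urlparse(href).netloc:
            findings.append(("userinfo-in-url", href, text))
        if re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", target):
            findings.append(("raw-ip-host", href, text))
    return findings


if __name__ == "__main__":
    for finding in suspicious_links(SAMPLE_EMAIL):
        print(*finding)
```

The first and last links in the sample are clean; the "partner offer" trips the mismatch check, and the "Sign in" link trips both the userinfo and raw-IP checks.  A link whose text is just "Click here" cannot be judged by text alone, which is exactly why the advice is to type the URL yourself.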

These tips are not just important for Cyber Monday; they are relevant to the entire holiday season and the entire year.  Sometimes, in the rush to find the best deal on that must-have gift, we let our guard down or think it is too inconvenient to go through these extra steps.  The question then is whether you want to take a few extra minutes now to make educated decisions about who you are giving your credit card data to, or risk spending a lot more time later cleaning up an avoidable mess.

Here's to a fun, safe, and secure holiday season.  Cheers! :)

Posted by smasiello at 11:04 AM | Link | 3 comments