IT Security Blog

28 August 2009

Apache Site Hacked Through SSH Key Compromise


According to this ThreatPost article the main web site for apache.org was hacked earlier today through an SSH key compromise where the intruder was able to gain root access to Apache's server.  The current apache.org site has been redirected to one of its European mirrors while the other server has been taken offline.

While on the machine, the attacker was able to replace the ssh (Secure Shell) client and server applications with versions that would log the usernames and passwords of anyone who logged in to that machine.

Although the Apache folks believe that they identified and remediated the vulnerability quickly, and that no software available on the site was compromised, if you have recently downloaded software from the Apache web site, you might want to take a cynical approach and remove and reinstall the software from the uncompromised site that Apache has up now. 

Information is still slowly coming out about this story, and we will likely know more in the coming days.  It is important to note at this point that although Apache believes that they identified and fixed the problem quickly, the possibility remains until we hear otherwise that this server may have been compromised by hackers for some time and that many software downloads had potentially been affected if any publicly available software was modified. 

My advice: Be over-protective.  Keep a close eye on the traffic coming in and going out of your network to look for anything suspicious.  With over 50% of the web server installations worldwide, Apache is a potential high-value target for criminals as any infected software downloads could lead to backdoors in systems that install binaries with embedded trojans.
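As an added illustration of the reinstall advice above (example code written for this post, not Apache's own tooling), here is how a downloaded artifact can be checked against a published SHA-256 list before it is installed. The filenames and checksum list are constructed, and the list is assumed to come from a source independent of the download host.

```python
"""Verify a downloaded artifact against a published SHA-256 checksum list.

Added example for this post, not Apache's own tooling. Assumes the checksum
list uses the `sha256sum` output format ("<hex>  <filename>") and that it was
fetched from a source you trust independently of the download host: a checksum
served by the same compromised server proves nothing, so prefer release
signatures verified with a key obtained out of band.
"""
import hashlib
import hmac
import os
import tempfile

HEX_CHARS = set("0123456789abcdef")


def sha256_file(path, chunk_size=1 << 16):
    """Stream the file through SHA-256 so large tarballs need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def parse_checksums(text):
    """Parse sha256sum-style lines into {basename: hexdigest}.

    Accepts the optional '*' binary-mode marker, skips blank and '#' lines,
    and rejects anything that is not a 64-character hex digest.
    """
    sums = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"malformed checksum line: {line!r}")
        hexdigest, name = parts[0].lower(), parts[1].lstrip("*").strip()
        if len(hexdigest) != 64 or set(hexdigest) - HEX_CHARS:
            raise ValueError(f"bad digest for {name!r}")
        sums[os.path.basename(name)] = hexdigest
    return sums


def verify_download(path, checksum_text):
    """Return (ok, reason). A file missing from the list fails; it never passes."""
    expected = parse_checksums(checksum_text).get(os.path.basename(path))
    if expected is None:
        return False, "no checksum published for this file"
    actual = sha256_file(path)
    # compare_digest is the habit to keep wherever digests are compared in a
    # service; it costs nothing here.
    if not hmac.compare_digest(actual, expected):
        return False, f"digest mismatch: expected {expected[:12]}.., got {actual[:12]}.."
    return True, "digest matches published checksum"


def demo():
    """Constructed scenario: a clean download, a tampered copy with the same
    filename from a second mirror, and a file the list does not cover."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        mirror_a = os.path.join(tmp, "mirror-a")
        mirror_b = os.path.join(tmp, "mirror-b")
        os.makedirs(mirror_a)
        os.makedirs(mirror_b)
        good = os.path.join(mirror_a, "httpd-example.tar.gz")
        with open(good, "wb") as fh:
            fh.write(b"constructed release contents\n")
        # In practice this text comes from the project's signed release page,
        # not from a file sitting next to the download.
        checksum_text = f"{sha256_file(good)} *httpd-example.tar.gz\n"
        tampered = os.path.join(mirror_b, "httpd-example.tar.gz")
        with open(tampered, "wb") as fh:
            fh.write(b"constructed release contents\n# trailing change\n")
        unlisted = os.path.join(mirror_a, "other-tool.tar.gz")
        with open(unlisted, "wb") as fh:
            fh.write(b"nothing published for this one\n")
        results["good"] = verify_download(good, checksum_text)
        results["tampered"] = verify_download(tampered, checksum_text)
        results["unlisted"] = verify_download(unlisted, checksum_text)
    return results


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:9s} {'PASS' if ok else 'FAIL'}: {reason}")
```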
Posted by smasiello at 3:42 PM | Link | 0 comments
15 July 2009

Another Twitter Hack Leads to More Poorly Placed Generalities About Cloud Computing


It looks like the Hack du Jour, Twitter, has had another high profile data breach.

It seems like we have been around the block on this topic before on a couple of occasions, haven't we?

According to TechCrunch the cause of this most recent data breach isn't stolen Twitter account credentials because of ClickJacking exploits or people who have given up their logins because of look-alike Twitter application sites.  This exploit was far more elementary and one that Twitter could stand to learn a lesson from on their own account signup form: weak passwords.  According to the TechCrunch article, the password to some of Twitter's publicly facing servers was "password".  Maybe they thought that was too easy for people to guess and that nobody would actually try a password as simple as "password"?  Either way, this is another example of how Twitter needs to take its own security and the security of its users much more seriously.  Strangely enough, repeated lapses in judgment do not appear to have slowed their growth.

The portion of the MSNBC article that I linked to in the first paragraph that irked me the most was in the section titled "Dangers Highlighted" where the author states that "The techniques used by the hackers to obtain access to Twitter highlight the dangers of a broader trend promoted by Google Inc. and others toward storing more data online, instead of on computers under your control."  I couldn't disagree more with this statement.   The missteps by Twitter that have caused their recent compromises are not a result of a lack of standards or good security practices by cloud computing, SaaS, or other off-network service providers.  They are a result of Twitter's poor security practices and Twitter's alone. 

Any service provider, construction outfit, or home business who has their own network equipment needs to ensure that they have taken proper precautions to secure those devices.  That includes changing default passwords and identifiers (like SSIDs on wireless access points) all the way through to keeping those devices up to date on security patches and application updates.  These are not practices that are relevant to Cloud Computing providers alone.  To insinuate such in an effort to spread FUD against these types of services is downright irresponsible, in my opinion.  We're talking about best practices that need to be employed by everyone in all industries and form factors.  Perhaps if we did that instead of just talking about it and always looking to point the finger at someone when they make a mistake we would have fewer people to point fingers at.
Posted by smasiello at 9:28 PM | Link | 0 comments
31 March 2009

Conficker Fact and FUD, Flaw In Worm Leads to Detection Tool


I am guessing that most people are suffering from Conficker information overload today!  As such, it is very important to be able to separate the Conficker Facts from the FUD.  In case you have not yet seen it, I blogged last week about what I believe will (not) happen when the Conficker.C variant activates tomorrow, April 1st.  Up to this point we still have not yet seen anything that would lead me to believe anything contradictory to that statement.

I read in a couple of places yesterday about a flaw in the C variant of the Conficker worm that makes infected machines on your LAN identifiable, because they respond differently than machines that are not infected.  According to Dan Kaminsky's blog, this flaw causes a function named NetpwPathCanonicalize() to work differently in the infected version than it does in either the patched or unpatched versions of the Windows OS.  This different behavior is what folks like McAfee, Nessus, Qualys, and others are keying on to develop a scanner to identify infected hosts.

Although a tool is great to identify machines already infected with the Conficker worm, it is more important to emphasize and re-emphasize the importance of patching and multiple defense layers (from out in the cloud all the way down to the network endpoints) to mitigate these types of infections to begin with.  In the interim, if you believe that machines on your network may currently be infected with the latest Conficker variant, download the proof of concept scanner and put together a quickly actionable plan to clean these machines up.
Posted by smasiello at 9:28 AM | Link | 1 comment
27 March 2009

Psyb0t Compromising Insecure Home Routers


Word is spreading of a botnet called Psyb0t that is going around and compromising the home routers of people who have not changed the default login password on those devices.  According to published numbers around 80,000-100,000 Linksys and Netgear routers have been affected by Psyb0t.  It is important to note that there are a couple of criteria that must be met before your router can be exploited via Psyb0t.  First, the router must be a MIPS device (x86 devices are not vulnerable to Psyb0t).  Second, it has to be configured to be administered remotely (from the internet, not the local LAN), and third it needs to be using the default password that the device was originally configured with (a common insecure practice).

Although Psyb0t is the first botnet alleged to be exploiting home routers, the concept of compromising routers with default passwords is not a new one.  One of the things that I have the honor of doing as part of my job is a quarterly section for SC Magazine called the "Threat of the Month".  The piece that I submitted for their February 2009 issue was on the topic of "Drive By Pharming".  Essentially what drive by pharming entails is the compromise of home routers that have the "Remote Administration" port enabled so that you can modify their settings from the internet.  If the factory password is still set as the password used to login to the device it is trivial for an attacker to get in and modify your settings to point you to a malicious DNS server, such that traffic to legitimate sites gets repointed to sites set up to phish passwords or inject malware.  That is only one possibility.  Another is that a new version of firmware could be uploaded to turn the device into a bot. 

At their core, these home routers are mini computers, susceptible to attack and infection if proper precautions are not taken to protect them.  Default passwords for just about every router made are trivial to find on the internet.  In fact, there are sites set up, like routerpasswords.com, that allow you to select the manufacturer of the router and it will tell you the default password based on their known models.  Be sure to secure all layers of your home or business (plenty of SOHO businesses use standard Cable/DSL modems for their internet connectivity) network.  Never assume that this is being done by someone else or that it is someone else's responsibility.  The default settings on most of the gear that you will buy are set up such that initial access and administration of the device is easy (reduces support costs and angry customers).  From there it is up to you to make sure best practices are followed to keep your network and data secure from outside intrusion.
Posted by smasiello at 10:28 AM | Link | 1 comment
12 January 2009

Security Spending Expected to Increase in 2009


Recently, SC Magazine posted an article that quotes a report by Forrester Research which claims that security spending will be higher for both SMBs and Enterprises in 2009.  This makes sense to me.

As businesses are looking for ways to cut costs across every department, security remains one of the most important, if not the most important, IT matters they still need to be sure is addressed over the course of 2009.  As such, matters like inbound spam, viruses, application level intrusions, data leakage protection, web threats, archiving, and compliance will still need to receive top priority as cyber criminals are not feeling the same effects of a downturned economy as everyone else is.  As such, their efforts will not be slowed which means that businesses of all sizes need to be as diligent as ever.  Organizations are looking to outsource some of their daily tasks that are outside their core competencies so that they can refocus their IT resources towards the company's business objectives, typically at less cost and more effectively than can be accomplished internally. 

2009 will certainly be an interesting and exciting year for security as network and application threats become more undetectable and uncleanable by existing technologies and businesses look for ways to protect their intellectual property.  The definition of the "network endpoint" has become more and more unclear with mobile and social networking technologies becoming the norm rather than the exception.  This creates a large burden as companies try to come to grips with how much of their confidential, proprietary information is floating around freely on the web.  As such, IT security spending will be a more prominent budget line item than in years past.  If it isn't, then a company's level of risk increases exponentially.
Posted by smasiello at 2:13 PM | Link | 0 comments
05 January 2009

Lance Winslow Post Follow Up


I wanted to take a few minutes and post a follow up to my blog the other day about an article written by Lance Winslow that was originally written in 2005 and reposted here by ezinearticles.com with the date of December 31, 2008 making it appear as if the content was written recently by Lance. 

Businesses do have a lot of choices when making decisions about protecting their network infrastructures.  They can choose to do it in-house using a number of open source solutions or commercial desktop software.  They can also purchase a network based appliance which also typically has to be maintained in-house or businesses can look to in-the-cloud solutions using a Managed Service like MX Logic (I'll reiterate my partiality to Managed Services :) ).  No matter which type of solution you prefer for your organization, most all are effective at stopping spam.  Some of the bigger questions that must be answered by any company when making these decisions are how much control they want to have, how much risk they deem to be acceptable in the event of a large outbreak from a bandwidth perspective and what they want their internal resource allocation to be to managing these solutions. 

Overall, spam rates are still down about 45% from their most recent peak in August to now as a result of the McColo shutdown.  Despite the movement to the web as a primary malware delivery vehicle and with occasional peaks and valleys in mail flow over short periods of time, spam volumes historically continue to increase and will continue to do so.  The biggest reasons for these historical increases are improved attack precision (i.e. more targeted attacks and fewer en masse spam campaigns) and refined social engineering which dupe users into opening attachments and visiting web sites that enlist their PC into botnets. 

I do agree with Lance's point with respect to the efforts already put forth by the FTC as being largely fruitless.  There have been few arrests since CAN-SPAM went into effect 5 years ago.  At the end of the day, spammers are criminals and should be arrested, but cooperation is needed by many others outside of law enforcement like the upstream bandwidth providers and domain registrars if we are really to make a dent in the spam problem.

At the end of the day whether spam volumes are up or down, cyber crime is both a criminal as well as a social problem.  I think the criminal part is pretty self-explanatory, but what drives people to cyber crime?  Money.  Lots of it.  With the relatively few arrests that have been made in comparison to the number of spammers trying to fill our inboxes on an everyday basis, cyber crime is considered to be a low risk, high reward venture.  Considering the difficult economic times we are now in the middle of where companies are tightening their belts as much as possible and unemployment is rising on a daily basis it would not be surprising if you see more people getting involved in cyber crime activities. 

So, to come back to my original point before going on a bit of a tangent: Is an article written back in 2005 about spam volumes, tactics, and defenses entirely relevant today?  I would say both yes and no.  Although tactics have evolved and businesses are feeling more and more pressure every day to find ways to keep their mail servers online and prevent confidential data from leaking out of their networks, there are a lot of options available.  Businesses need to evaluate which type of solution provides them with the options and features that best suit their business and compliance needs.


Posted by smasiello at 2:51 PM | Link | 1 comment
03 January 2009

Who is Lance Winslow and What is He Talking About?


An MXL co-worker (Thanks, Grant!) directed me to this blog posting by a guy named Lance Winslow titled "SPAM Killing Small Business Productivity".  It is no surprise to anyone that any small business that has not taken steps to protect their infrastructure with some kind of anti-spam/traffic shaping/traffic control device or service (I am partial to the managed service form factor, BTW :) ) is feeling the effects of the amount of spam flying over the internet on a daily basis.  So, in that respect Lance hasn't started off his post with anything revolutionary.

Then things start to get weird...

Lance states "...the Federal Trade Commissions; FTC’s war on SPAM is killing small businesses and flooding their inboxes with junk mail".  What?!  Last I checked, a LOT more people than just those involved in the FTC are fighting spam on a daily basis and doing a pretty decent job of it.  I work with many of them on a daily basis both at MX Logic and at our many competitors.  Secondly, how is the FTC's war on spam killing small businesses and flooding inboxes with junk mail?  Last I checked, that was the spammers who were responsible for that....oh yeah, and the infected PCs that they use to do their dirty work.  I'll concede that CAN-SPAM hasn't done much, but spam hasn't increased as a result of CAN-SPAM.  Spam has increased due to money chasing criminals using spam as a vehicle to make money.

Lance then goes on to say "America Online indicated that it culls 75% of the incoming SPAM thru filters and many other companies are able to do this too. But what if you are a small business which does not have such features on your website? What do you do then? You cannot do a thing."  Strike 2!  Firstly, I know quite a few of the anti-spam folks over at AOL personally and I'll be more than happy to publicly defend them and say that I am sure they are catching more than 75% of incoming spam.  If that were MX Logic's catch rate I surely would have been fired years ago!  It certainly hasn't been my looks that have gotten me by! :)  Further, how can Lance ascertain that there is nothing you can do if you do "not have such features on your website"?  I am going to guess that he is really referring to inboxes here and not web sites (as web sites are a bit of a different animal than what he originally started out his post with).  Has he ever looked into the cost of a Managed Security Service or a network appliance?  Anyone can deploy anti-spam defenses at fairly low cost per user.  The cost can even be free if you are willing to do the work yourself to maintain your own installation of a software based service like SpamAssassin. 

His final paragraph states "A concocted report from MX Logic purports that SPAM is down a whopping 9%? If you believe that you are on drugs just like the FTC. If you are a small business getting 300 junk mails per day, obviously this is not going to help you in the least as it still means you are getting over 275 junk mails a day. Worse the figure of nine-percentile is said to be a complete misrepresentation and convenient fabrication."  Perhaps Lance should do a bit more reading about the decline in spam volumes since the shutdown of McColo back on November 11th (although I do appreciate that he is reading our report!).  Although the botnets that were originally debilitated as a result of the McColo shutdown are back online, spam volumes overall are still down from where they were pre-McColo.  Now, I will agree with Lance's point where he said that if you were getting 300 spam emails per day and are still getting anywhere from around 275 per day, you are still getting deluged (perhaps our sales folks should try to sell Lance an anti-spam solution :) ).  At a micro level this doesn't seem like a big deal, but when looked at on a much more macro scale in an environment like ours and other major ISPs who process hundreds of millions of emails per day, the effects are dramatic.

I'm curious as to what authority he stands on or interviewed to make the statement that drops in spam volume are a "complete misrepresentation and convenient fabrication"?  How is saying that spam volumes are down convenient for us?  In our business, spam sells.  The more there is, the better sales numbers grow as businesses become more aware of the inadequacies of their own systems in trying to manage spam themselves.  They realize that they NEED an alternative so that they can focus on their core competencies and not just on keeping their mail servers online.  As a result, crises and large spam events like the CNN outbreak from back in August are great for our sales numbers.  It certainly makes selling the need for a solution easier on them.  I've been accused during media interviews by less tech savvy reporters of trying to spread FUD because "I have to say that spam volumes are up because fighting spam is the business that we are in", but never that I'm lowering numbers for convenience.  I don't quite see how that argument makes any sense.

The closing of his post is the coup de grâce: "If you have innovative thoughts and unique perspectives, come think with Lance."  I would certainly say that Lance's perspectives are unique (and completely uninformed), but his thoughts are not quite so innovative (however quite imaginative!).

Posted by smasiello at 3:40 PM | Link | 7 comments
22 December 2008

What Looms Ahead for Cyber Security Under Obama?


According to this RWW (Read Write Web) article posted on Saturday, a recent cyber war simulation revealed that the United States is not equipped to handle a major attack against its computer networks. 

This news is not new. 

Other articles have been published (example from Signal Online here) about the vulnerability of the United States to a cyberterrorism attack, but we are not alone. 

Be sure to understand that this is potentially not just a United States issue; it could be a world-wide issue.  South-East Asia is vulnerable according to this article from DarkNet.  Microsoft claims that Europe is also a likely target for attack.  Siliconindia.com wrote last Thursday that India is also vulnerable to cyberterrorism.  Many other countries surely are as well.

If such an attack were to happen (and to be honest, I am not entirely convinced that this would actually happen, but I am certainly not discounting the need for increased security awareness regardless of its potential effects either) on any of the major economies, its effects would be experienced at a global level. 

One of the many items that Obama is being pressed on as he puts together his new administration is the creation of a National Office for Cyberspace that is headed by a new Cybersecurity Czar.  I believe that this is a good idea if the right appointment is made, but neither that person nor the Cyberspace Office can act in a silo.  They need to coordinate with other nations and create uniformity in establishing policies and procedures.  An obvious question that then arises out of all of this is "Are the policies enacted by the National Office for Cyberspace going to be compulsory for Government Agencies or on the Finance, Telecom, and Energy industries only?"  Secondarily, if these policies will also be required for small businesses and enterprises, what will be the cost to them? 

The RWW article also asks the question on whether or not the White House is the right entity to be coordinating this effort for the United States.  A good question considering their track record in addressing issues like spam via the CAN-SPAM act, which just celebrated its fifth birthday.  Despite that negative mark though, I'll ask the question for discussion as to who else could coordinate this effort and achieve the necessary involvement from the EU, India, South-East Asia, et al?  If there is such a group, let them step forward.

There are clearly a lot of questions that are as of yet unanswered and likely will not be answered for the foreseeable future.  Here's to hoping that the Obama administration will be taking the cybersecurity initiative as a whole (not just from the cyberterrorism angle) seriously and that he also solicits the opinions and ideas of the security industry when making any decisions.  We have a lot of ideas and recommendations that should be seriously considered.
Posted by smasiello at 10:33 AM | Link | 0 comments
30 September 2008

MX Logic Spam Survey

Care to Share?
MX Logic is always looking to find out more about the folks we serve, so we can do a better job at helping to make life just a little easier for IT Managers the world over. To that end, we've just put together a simple, short survey for IT professionals that will provide a better picture of spam and email security concerns facing businesses.

Care to share your opinion? It will only take 2-3 minutes. Once we have enough responses, we'll share the results here on the MX Logic IT Security Blog.

Take the MX Logic Spam Survey

Many thanks!
Posted by webmaster at 9:36 AM | Link | 0 comments
27 August 2008

Keylogger Infects Laptops Used on Space Station


According to this story posted on Wired yesterday, a keylogger has been found on laptops being used in the space station.  The reported malware, W32.Gammima.AG (see here for description on Symantec's web site), has been around since August 2007 and steals passwords from a few (rather obscure here in the United States) online games.

You are thinking "So what?  What risk does an online game keylogger pose to a laptop on the space station?  Why should I care?"

As you know, we like to think bigger picture here.

Let's start with the obvious question of why the anti-virus software running on the laptop didn't immediately identify and stop a one year old virus?  I don't know about you, but that sends up lots of red flags to me!  This obviously begs the question of how long this keylogger has actually been resident on the laptop and if there are other, yet undetected, rootkits and keyloggers on those machines?  Also, what other computers were potentially exposed to these infected machines that this virus could have propagated to?  What information has been exposed to theft or compromise either from the laptops or from other exposed machines on the NASA network?  What was done with these laptops once the virus was detected?  Were they merely cleaned to the virus scanner's standards (which clearly aren't that high!) or was the computer completely taken out of commission so that it could be wiped to Department of Defense specifications and re-imaged before it was redeployed? 

Obviously there are a lot of unanswered questions in relation to this story, and of course NASA will never make the answers to those questions public, but this certainly calls into question the validity of the security measures employed by one of the most important programs of the 20th and 21st centuries.  Where else within the federal government does the potential for similar security breaches exist?   Are potential data leakages like this something that the Department of Homeland Security is focused on preventing?  If not, they should be!  Let's be sure we aren't aiding and abetting the bad guys by giving them the exact information we are looking to protect!

Posted by smasiello at 2:22 PM | Link | 1 comment
18 August 2008

Stop the Cyber-Warfare/Terrorism FUD


Every few months another story comes out that talks about the vulnerability of the United States to a cyber-terrorism/warfare/attack.  Today, CNN.com posted another one of these stories.

The fact of the matter is that cyber-warfare is occurring every day.  Every day the network infrastructures of internet service providers, organizations, and every connected network node in the United States and around the world are under siege from network attacks.  Could they all be the type of attack that could bring down a network and cause hundreds, thousands, or millions of dollars in lost productivity?  To some degree, yes.  Botnets hold enormous distributed computing power that, when fully harnessed, are capable of launching distributed denial of service attacks that could overwhelm any network and bring it to its knees.  Everywhere infrastructures are overbuilt in part to manage growth, but in larger part to attempt to protect server farms from becoming overloaded and unresponsive in the event of an attack. 

Spam (the most popular use for botnets) costs in the United States alone are estimated to be in the $200B (with a B) realm for 2008.  That's just email!  That doesn't take into account the number of web sites that are now hosting malware (both sites that were setup for the sole purpose of malware hosting and now legitimate web sites also) with keylogger payloads which leads to problems like identity theft and corporate espionage which only add to that $200B figure. 

The cyber war is being fought every day with attacks originating from all over the globe aimed at equally dispersed targets.  Although it is true that many of the networks and service providers in the United States can better handle an attack than some in the former Soviet republic of Georgia, bandwidth is still finite and if a botnet launches an attack against you that is larger than your pipes and servers can handle, you have problems and that isn't just a United States issue.

Posted by smasiello at 2:36 PM | Link | 0 comments
26 June 2008

Microsoft Identifies Tools to Address SQL Injection Attacks?

Don't be fooled....

According to this TechTarget article, Microsoft has a few tools that they recommend people use to address SQL injection attacks.

Don't be fooled by what is meant by "address" in this context.  Let's be clear on what these tools do and what they don't do.

They DO:

-- Scan web sites and identify potential SQL injection vulnerabilities.  Even Erik Peterson, a senior director of products for HP's application security center, states that Scrawlr (one of the tools identified) falls short of the functionality provided by many commercial tools.
-- Analyze source code for potential vulnerabilities, however the source code analyzer that is recommended only supports ASP code written in VBScript. 

Seems like we are quickly narrowing down the number of web sites these recommended tools will even function on.

They DON'T:

-- Provide protection against any attacks
-- Solve the real root of the problem which is ensuring programmers are following safe coding practices to protect the sites that they develop from SQL injection vulnerabilities. 
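As an added illustration of the safe coding practice the second DON'T refers to (example code written for this post, not from the article or any of the tools it names), here is the string-built query that a scanner would flag beside the parameterized form that removes the problem at its root. The table rows are constructed, and SQLite stands in for whatever database the site actually uses.

```python
"""Unsafe string-built query beside its parameterized replacement.

Added example for this post, not from the article or any of the Microsoft
tools it names. Uses an in-memory SQLite database with constructed rows; the
same distinction applies to any database driver that offers bound parameters.
"""
import sqlite3


def make_demo_db():
    """Constructed users table; the apostrophe in the last name is deliberate."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user"), ("o'brien", "user")],
    )
    conn.commit()
    return conn


def find_user_unsafe(conn, name):
    """VULNERABLE: the caller's text is spliced into the SQL, so quote characters
    in `name` alter the query's structure instead of being matched as data."""
    sql = f"SELECT id, name, role FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, name):
    """SAFE: the ? placeholder hands `name` to the engine as a bound value, which
    is never parsed as SQL whatever characters it contains."""
    return conn.execute(
        "SELECT id, name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


def demo():
    """Run both versions over the same inputs and report what each returns.

    Two inputs matter: a tautology that turns a one-row lookup into a table
    dump, and a legitimate name containing an apostrophe, which the unsafe
    version cannot even handle (it raises a syntax error). Escaping quotes by
    hand is not the fix; binding parameters is.
    """
    conn = make_demo_db()
    tautology = "' OR '1'='1"
    try:
        find_user_unsafe(conn, "o'brien")
        unsafe_handles_apostrophe = True
    except sqlite3.OperationalError:
        unsafe_handles_apostrophe = False
    return {
        "unsafe_tautology_rows": len(find_user_unsafe(conn, tautology)),  # whole table
        "safe_tautology_rows": len(find_user_safe(conn, tautology)),      # no such user
        "safe_apostrophe_rows": len(find_user_safe(conn, "o'brien")),     # exact match
        "unsafe_handles_apostrophe": unsafe_handles_apostrophe,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```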

If you use any of these tools that Microsoft is recommending, don't be lulled into the false sense of security that they can provide.  As we can see, many free scanning tools have all kinds of limitations that will only provide the most basic of testing or only work provided that very specific technology conditions and phases of the moon exist. 

I am glad to see that Robert Westervelt, the author of the article linked at the beginning of this post wrote up this clarification today.  I like Robert and actually did an interview with him back in January related to PDF spam which posted to his blog, but I think his original article not only missed the mark, but could very well have generated a lot of confusion with junior security researchers and management folks on effective ways to detect SQL injection vulnerabilities.

Posted by smasiello at 12:09 PM | Link | 0 comments
16 May 2008

Rootkit Written Targeting Cisco Routers


According to this article posted on CSO Online, a security researcher named Sebastian Muniz has created a rootkit that will work on "several different versions of IOS." 

One of the concepts that I have been throwing out there since we originally started talking about drive-by pharming (aka DNS Rebinding attack) is the potential of similar vulnerabilities being exploited in an effort to move malware infections out closer to the network edge and create a "router bot" whereby a compromised router could potentially be used for the distribution of spam, viruses, and malware similar to how PCs are used today.  This would be even more difficult to detect than a PC based malware infection, as I do not believe that any network device based rootkit/malware detection engines even exist right now (please do correct me if I am wrong here), although this may certainly create a market for them.  Would you be able to easily detect if your router was being used to distribute spam if it wasn't affecting your web browsing or normal internet usage?  Not likely.
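One partial answer to that question, as an added example written for this post (not from the article or from Cisco), is to watch the router's own traffic rather than the router: a gateway has no reason to originate SMTP sessions, so flow records showing it opening connections to port 25 across many outside hosts are the symptom of a router bot even when nothing else looks wrong. The flow format, addresses and allowed-relay list below are all constructed assumptions.

```python
"""Flag a router that has begun originating outbound mail, from flow records.

Added example for this post, not from the article or from Cisco. It looks for
the symptom of a "router bot" (a gateway opening SMTP sessions to many outside
hosts) in exported flow data, not for the rootkit itself. Assumes records of
the form "src dst proto dport", a set of infrastructure addresses, and the set
of hosts allowed to relay mail; all values below are constructed.
"""
from collections import defaultdict

INFRASTRUCTURE = {"192.0.2.1"}        # edge router, assumed
MAIL_RELAYS = {"192.0.2.25"}          # the only host that should speak SMTP outbound
SMTP_PORTS = {25, 465, 587}

SAMPLE_FLOWS = """\
# src            dst             proto dport   (constructed; RFC 5737 addresses)
192.0.2.10       198.51.100.5    tcp   443
192.0.2.25       198.51.100.20   tcp   25
192.0.2.25       203.0.113.7     tcp   25
192.0.2.1        198.51.100.30   tcp   25
192.0.2.1        198.51.100.31   tcp   25
192.0.2.1        203.0.113.40    tcp   25
192.0.2.1        203.0.113.41    tcp   587
192.0.2.10       198.51.100.5    udp   53
192.0.2.11       203.0.113.42    tcp   25
192.0.2.12       203.0.113.50    tcp   25
192.0.2.12       203.0.113.51    tcp   25
192.0.2.12       203.0.113.52    tcp   465
"""


def parse_flows(text):
    """Parse flow lines into (src, dst, proto, dport); skips blanks and comments."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, proto, dport = line.split()
        flows.append((src, dst, proto.lower(), int(dport)))
    return flows


def smtp_destinations(flows):
    """Map each source that opened TCP to an SMTP port onto its distinct destinations."""
    dests = defaultdict(set)
    for src, dst, proto, dport in flows:
        if proto == "tcp" and dport in SMTP_PORTS:
            dests[src].add(dst)
    return dests


def find_suspicious_smtp(flows, infrastructure=INFRASTRUCTURE, relays=MAIL_RELAYS, fanout=3):
    """Return findings sorted by source address.

    Infrastructure devices have no business originating mail, so a single SMTP
    session from one is reported as high severity. Any other non-relay host is
    reported at medium severity once it reaches `fanout` distinct SMTP
    destinations, the pattern of a PC enlisted in a spam botnet.
    """
    findings = []
    for src, dests in smtp_destinations(flows).items():
        if src in relays:
            continue
        if src in infrastructure:
            findings.append({"src": src, "severity": "high", "destinations": len(dests),
                             "reason": "infrastructure device originating SMTP"})
        elif len(dests) >= fanout:
            findings.append({"src": src, "severity": "medium", "destinations": len(dests),
                             "reason": "non-relay host fanning out to many SMTP destinations"})
    return sorted(findings, key=lambda f: f["src"])


def demo():
    """Run the detector over the constructed sample."""
    return find_suspicious_smtp(parse_flows(SAMPLE_FLOWS))


if __name__ == "__main__":
    for f in demo():
        print(f"[{f['severity']}] {f['src']} -> {f['destinations']} SMTP destinations: {f['reason']}")
```

The single-session host 192.0.2.11 is deliberately left unreported: a workstation sending one message is normal, a gateway sending any is not.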

One of the things that concerned me from the article was the quote from EuSecWest conference organizer Dragos Ruiu where he said that "nobody thought you could actually build exploits for Cisco."  This is a dangerous attitude to have for any software application.  I like to say "Where there is software, there are vulnerabilities."  This is often followed by "Where there are vulnerabilities, there are exploits" although far more vulnerabilities exist than there are exploits written for them. 

One should never assume that software is hacker-proof.  It very well may be (however unlikely), but even making the assumption or suggestion is when you've conceded that your guard has been let down.  Always remain diligent in your pursuit of security!

Ok, I'll step off my soapbox now.  Have a great weekend!

Posted by smasiello at 1:42 PM | Link | 1 comment
12 May 2008

Cell Phone Spam Becoming More Invasive


I wanted to take a moment to respond to the New York Times article that appeared on their website on May 10th with respect to mobile phone spam.

Up to this point the United States has largely missed the boat as it relates to mobile phone spam.  This is mostly because the problem pales in comparison in the US to the rest of the world.  When it becomes more of an issue here, however, it will definitely become more problematic for consumers.  In the United States your cell phone number very much becomes tied to your identity.  If you change your cell phone number it is a real pain to have to make sure you notify everyone in your contact list (family members, friends, colleagues, etc.) that you can no longer be reached at your old number.  This, combined with the cell phone number portability that was introduced a few years ago, makes it simple to even switch carriers and keep your number, which hadn't previously been possible.  In some other countries, like Japan, where mobile spam is a huge problem, cell phone numbers are throwaway.  When the Japanese start getting spam on their cell phone, they change numbers until the new number starts getting spammed.  Rinse and repeat.

In the United States there has mostly been a wait-and-see mentality as it relates to mobile spam, but few who have gotten spam on their mobile phone would disagree that it is an issue that needs to be addressed.

Let's look at it from the carrier's perspective first, though.  The article states that "Communications companies say they are not interested in spam as a profit center."  I would say that "publicly" this is true, but if you look at it from a sheer numbers perspective, the carriers are already making big money as a result of mobile spam.  Let's use the following statement from the article: "getting as few as 10 unsolicited text messages a month at 20 cents each would cost an extra $24 a year".

Here is where the numbers game really kicks in. 

If you assume 10 unsolicited text messages per month (which is a lot in my opinion!) this equates to $2 per month (using their pricing model).  Surely some people will wait on the phone on principle alone in order to fight this additional $2 charge on their bill every month; however, many will say that the long telephone waits in order to fight the charge and get it removed are simply not a productive use of their time and will leave it alone.  This, of course, begs the question: what is the breaking point?  At what point do the lines cross whereby fighting the charge becomes an efficient use of time?  The answer to that question will lie with each individual consumer.

Where was I?  Oh, yes!  Security!

The article mentions that "The carriers regularly adjust spam filters to block offending messages. At Sprint, more than 65 percent of all text messages sent over its network are identified and blocked as spam before they reach customers."  Spammers are aware that spam filtering for SMS spam is still not very mature.  As such, it is a target that is more easily exploited than spam over email.  To look at this as a cynic: is this really something that cell phone companies are putting considerable money towards stopping, considering the amount of revenue being generated?

I, as well as many others across the security industry, have been predicting the wider-scale movement of spam to mobile devices for the past couple of years now and have also discussed how much easier that movement is becoming as the inbox and the personal computer become a lot more mobile.  I wouldn't yet say that we have turned the corner as it relates to mobile spam, nor would I say that we are on the verge of an epic increase, but the problem definitely continues to grow as the filtering technology lags behind.  Mobile malware continues to grow also, albeit not nearly at the same rate as personal-computer-based malware.  Now that most phones are coming with internet access, however, the protections on those devices need to be at least on par with what is being provided for PCs.


Posted by smasiello at 12:35 PM | Link | 3 comments
06 May 2008

Peter Gabriel's Web Server Stolen


According to Peter Gabriel's web site, sometime on Sunday night or Monday morning their web servers were stolen from their data center.

I wonder if they broke in with a Sledgehammer?  Or if they were Quiet and Alone?  I wonder if the RIAA will sue the thieves for stealing music?

Ok, enough jokes....

Kind of makes you wonder how they got in....or does it?  I've been speaking to several colleagues lately who either currently perform social engineering engagements or did them in previous lives, and it is amazing to me the areas of buildings that they have been able to access and the confidential information that they have uncovered just by everyday, common techniques that we all use: tailgating, acting like you misplaced your access badge, or just looking like you belong somewhere.

Then once they were in the data center, how did they access the cabinet that the servers were in?  Many cabinets go from the floor to the ceiling or have safeguards in place to prevent the cabinet from being compromised from on top.  They should also have at minimum either a keylock or combination lock (or both), not to mention that the data center should also have security cameras covering every square inch of floor space. 

We talk about proofs of concept very frequently where the occurrence of one crime is a finger pointing towards the potential occurrence of something much more damaging.  This is definitely one of those types of crimes.  If it can happen at this data center, what is to say that this same thing couldn't happen at any number of others as well?  What security policies does your data center have?  How well do they follow them?

We make a lot of assumptions with regards to the security of data centers, but all the technology controls in the world don't make a bit of difference if they can easily be bypassed.

Posted by smasiello at 12:48 PM | Link | 0 comments
19 March 2008

Does it Cost Extra for the iPod Without Malware?


Whether it is iPods being shipped with malware, digital picture frames, navigation systems, or hard drives, the number of incidents of electronic equipment being shipped from the manufacturer with malware is disturbing!

How does this happen?  This is typically a by-product of PCs that are used for things that are outside their intended business purpose.  For example, if a computer's primary business function is to load software onto a digital picture frame or to test the ability of a computer to connect to and transfer files to the frame, then those should be the only parameters by which that machine is used.  It should not be used to plug in external USB drives, download videos and music off of the internet, or to surf porn sites.  Any of these activities are vectors of unnecessary risk and could end up infecting the PC with malware, which will subsequently get passed on to other devices.

As the line between what is known as a PC and what actually runs the same type of software as your PC continues to blur, you can expect to see more of these types of incidents occurring.  This is unfortunate because, as we have become more dependent on technology in our everyday lives and as the devices that we use have become more advanced, our level of confidence in those devices to function in a safe, secure, stable manner has declined significantly.  These sorts of compromises represent one of the biggest new threats to corporate networks and will be another one of the avenues used more prevalently by cyber criminals to steal sensitive, confidential, and personal information as malware continues its evolutionary process.

Posted by smasiello at 2:48 PM | Link | 1 comment
10 March 2008

Malicious Attachments via Google Spam


Over the last few weeks we have seen a significant increase in what is known as Google Spam in the Threat Operations Center; sometimes peaking at almost 5% of our overall spam volume.

Google spam is defined as spam that abuses the Google PageRank system by artificially inflating the ranking of a spam site.  Once a spam site has been ranked at the top of the Google search engine for certain keywords, spam blasts are sent out which craft URLs that query on these keywords and emulate the Google "I'm Feeling Lucky" button, which automatically redirects users to the query's top-ranking site.

Most of the Google spam that we have seen thus far redirects to different variations of pharmacy sites pushing pills and enhancement products, typical to most health related spam.
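The redirect mechanism described above can be picked up on the mail gateway before anyone clicks. The following is an added illustration, not code from the original post: it assumes the abuse rides on an ordinary Google search URL that also carries the `btnI` form field (the field the "I'm Feeling Lucky" button submitted), and it flags such links while recovering the keywords the spammer has poisoned, which is exactly the string a responder would want when hunting the ranked site.

```python
"""Flag mail bodies that carry Google "I'm Feeling Lucky" redirect links.

Added illustration of the Google spam tactic; not code from the original
post.  Assumption: the abuse uses a normal /search URL that also carries the
historical ``btnI`` form field, so the results page is skipped and the
browser lands on the top-ranked site for the spammer's keywords.
"""
import re
from urllib.parse import parse_qs, urlparse

# Rough URL extractor: good enough for plain-text mail bodies.
URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Hostnames such as google.com or www.google.co.uk.  A look-alike such as
# google.com.example.net deliberately fails this check.
GOOGLE_HOST_RE = re.compile(r"(?:www\.)?google\.[a-z.]{2,6}")


def is_google_host(host: str) -> bool:
    """True for a genuine Google search host, False for look-alikes."""
    return GOOGLE_HOST_RE.fullmatch(host.lower()) is not None


def find_lucky_redirects(body: str) -> list[dict]:
    """Return every Google search URL in *body* that asks for the Lucky redirect.

    Each hit records the raw URL and the query keywords, i.e. the search the
    spammer has poisoned so that its top result is their site.
    """
    hits = []
    for url in URL_RE.findall(body):
        url = url.rstrip(".,;:)")            # drop trailing sentence punctuation
        parsed = urlparse(url)
        if not is_google_host(parsed.hostname or ""):
            continue
        if parsed.path.rstrip("/") != "/search":
            continue
        params = parse_qs(parsed.query, keep_blank_values=True)
        if "btnI" not in params:             # a plain search link, not the redirect
            continue
        keywords = " ".join(params.get("q", [])).strip()
        hits.append({"url": url, "keywords": keywords})
    return hits


def classify(body: str) -> str:
    """'google-spam' when at least one Lucky redirect link is present."""
    return "google-spam" if find_lucky_redirects(body) else "clean"


# Constructed sample bodies (not captured spam).
SPAM_BODY = (
    "Best prices this week only!\n"
    "http://www.google.com/search?q=discount+pharmacy+deals&btnI=1\n"
)
SEARCH_BODY = (
    "Here is the search I mentioned: "
    "https://www.google.co.uk/search?q=apache+httpd+changelog."
)
LOOKALIKE_BODY = (
    "Click: http://google.com.example.net/search?q=discount+pharmacy+deals&btnI=1"
)

if __name__ == "__main__":
    for name, body in [("spam", SPAM_BODY), ("search", SEARCH_BODY),
                       ("lookalike", LOOKALIKE_BODY)]:
        print(name, classify(body), find_lucky_redirects(body))
```

The look-alike case is kept separate on purpose: a host check that only looks for the substring "google" would pass it through, and the keywords recovered from a true hit are what you feed back into the search engine to find the poisoned result.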

One element of Google spam that hasn't received much attention, however, is the potential for attachment-based malware distribution via this tactic.  The potential for drive-by malware download as a result of malicious JavaScript or iframes is obvious and well documented, but another potential threat vector is the possibility of Google Spam directing a user to a malicious PDF.

Many users by default have their PCs set up to automatically open common attachment types like PDFs without so much as a confirmation box asking the user whether or not they are sure they want to open the file.  This convenient feature is a wide-open hole for malware injection, especially considering the PDF exploits that have been published over the last several months.

To better protect themselves, users should not be allowing any attachment type to be opened by default, no matter how common.  Although it might be an inconvenience to have to click a button on a confirmation dialog every time we open file types that we are used to using and that we may open 50 times per day, it at least puts one more step between ourselves and potentially malicious downloads.  Allowing any file to be opened on your PC without your prior knowledge and consent enables a level of trust from an untrusted network that should never exist.

Posted by smasiello at 4:39 PM | Link | 2 comments
06 February 2008

Article Commentary: Human Error the Leading Cause of Security Threats

I ran across this article this morning which states that, according to Deloitte, human error is the leading cause of security threats. I agree with this to a point.

I thought it was important to mention this concept as it is also a major point in the Security Awareness presentations that I do. Where my opinion differs is that I believe that human error is the leading cause of *insider* security threats, but not the leading cause of all security threats.

Perhaps I am being myopic because of the type of company that I work for, but I view intrusion as the result of public server vulnerabilities, virus infections, and social engineering as a much larger issue.

That isn't, however, to take away from the importance of the insider threat. When I say "insider threat" am I referring to employees who are going out of their way to do something malicious or to try to access data that they know they shouldn't have access to? Yes, but I am also referring to employees who stumble upon information due to lack of proper security controls or the maintenance thereof. For example, if you work in your Customer Support department and happened to stumble upon a spreadsheet named "Executive Salaries 2008.xls" somewhere out on a network share that you had permission to view, would you open it? Perhaps you would report it, but I'll bet you a nickel that you would look at it first, maybe save a copy for yourself, or print it out on the closest printer to show your friends. These are examples of insider threats just as much as the over-eager security novice who is attempting cross-site scripting attacks against your production systems in an attempt to learn.

According to the 2006 E-Crime Watch Survey insiders were responsible for 27% of all security incidents and 55% of respondents reported at least one incident that was the result of insider activity. That's more than 1 in 4 security incidents that happen as a result of an internal employee! That's a lot, especially in an age where most of what you read about in security publications talks about the latest worms, keyloggers, and other maladies looking to steal your financial data.

The article also states that "Another security worry is many line-of-business executives' tendency to see information security as solely IT's problem." If your company puts the responsibility of security solely with the IT department, they are missing the boat. Security should not rest with IT for the same reasons that it should not rest with Production Operations or Quality Assurance or any other department; they have their own agendas and their own core competencies to focus on. Adding "make sure we are secure" to that mix is a certain recipe for failure. Your security program implementation, maintenance, and enforcement should be handled by an independent (could be internal) source whose *main responsibility is the security program*.

The article concludes by making a statement in regards to the implementation of a corporate security program, "A prerequisite for effective information security is the implementation of a proactive information security strategy that is closely linked to the company's overall business strategy, business requirements, and key business drivers." This is completely true. One thing I would add onto it is "...and has the full support of the company's executive team." Without the support of the people who run the company, your program will barely get off the ground.

Posted by smasiello at 10:13 AM | Link | 0 comments
31 January 2008

Another Day....Another Data Breach

Hardly a day goes by anymore where there isn't some sort of breach of confidential data. Whether it is the exposure of almost 40,000 Social Security Numbers of Georgetown University alumni, faculty, and staff or the theft of 35,000 records of current and former customers of T. Rowe Price, or even the well documented theft of over 45M credit and debit card numbers from TJX, data theft is rampant and we still haven't learned our lesson.

No matter how much education you do on security best practices and even if 99.99% of your company follows those practices, it only takes one person making one mistake to cause a potential breach. Although some data breaches are the result of large scale infrastructure weaknesses, a large number of them are also the result of the indiscretion of one person. One person who didn't properly secure an open PC or who didn't properly secure a hard drive with sensitive data can cause the loss of millions of records which can result in untold numbers of identity thefts!

We've said this before, but I absolutely believe it to be 100% true: protect your personal information and monitor your bank accounts and credit cards like the data has already been compromised (because it likely has. The real question is whether or not someone is going to use YOURS). As with many things in life, early detection gives you the best possibility of recovery. You may not be able to prevent damage to your credit or reputation from happening, but there is a lot we can do to mitigate it once it happens.

Posted by smasiello at 10:59 AM | Link | 0 comments
03 January 2008

Have No Fear! Wireless is Secure!

....or so networking equipment vendor 3Com would have you believe.

Today's blog entry is based off of an article posted by The Star Online which states that (when comparing the risks associated with wired and wireless networks) "the risks are the same as those posed to wired networks - the typical computer virus infection and odd worm-intrusion incident". Last I checked, worms and viruses, although significant risks in and of themselves, are far from the only risks facing wireless and wired networks. What about the hacker next door who sets up a wireless sniffer to try to crack the encryption key used on your wireless network? Or the one who is just casually looking for completely open wireless networks to attach onto?

The article also states: "What's even more interesting is that some of these organisations did not face any security threats and have found that the security of their networks either improved or remained unchanged when they moved to wireless". This has nothing to do with the deployment of wireless. There are three main encryption technologies used on wireless networks today: WEP (Wired Equivalency Protocol), WPA (Wi-Fi Protected Access), and WPA2 (version 2 of WPA), which actually consists of two versions: WPA2-Personal and WPA2-Enterprise. Nowhere in any of these acronyms is the word "security" used. Why? Because they do not provide "security". They provide encryption (which can be cracked) and some level of access control, but not "security". In this instance, as part of the deployment of wireless to the organization's internal network resources they may have employed some additional safeguards, such as requiring authentication to a VPN after a successful wireless connection, but this is an architectural change and is not related to the security of the wireless network.

The article also mentions that consumer-grade wireless networking equipment is less secure than enterprise grade equipment. Not true. Generally consumer and enterprise grade wireless access points support all of the current encryption protocols mentioned above. Unfortunately, not all of the equipment that is connecting to these access points (predominantly laptops) support these new protocols. This is especially true in organizations that deploy older, bargain basement type laptops whose internal wireless adapters may not even support encryption beyond basic WEP. Nevertheless, this is not a factor of the security of the access point. This is a factor of the capabilities of the machines connecting to the network. The security itself of the wireless access point is not lacking because it is a D-Link you bought for $75 from a local retailer versus a Cisco access point that may have cost several hundred.

Why am I being so hard on this article? Mainly because I keep hearing people trying to make the connection between wireless networks and security. In this case they are trying to make the connection between wireless deployment and _increased_ security! As I mentioned earlier, there are certainly some best practices that you can deploy as an organization if you are looking to go wireless, but again these are not security functions of the wireless network or the wireless network equipment itself, rather functions of your own architecture and safeguards put into place such that you limit what a potential criminal has access to even if they do manage to successfully get onto your wireless network.

Wireless is a wonderful technology and I am a big proponent of it (I use it all day between work and home), but wireless does not equal security. Please don't confuse the two!

Posted by smasiello at 1:41 PM | Link | 0 comments
17 September 2007

Hang On! It's going to be a wild ride!

It's going to be a wild last 3 months of the year for ISPs of all kinds.

Over the last 2-3 months we have seen over a 60% increase in mail traffic (mostly attributed to the Storm Worm and its many variants). Since the Christmas marketing season will soon be upon us I would not be surprised if internet email traffic at least doubled on top of where it is now before the year is out.

If you don't believe that you are equipped to handle this kind of additional load, NOW is the time to act!

Protect your mail infrastructure!

Protect your network!

Most of all, protect your business!

(We now return you to your regularly scheduled programming)

Posted by smasiello at 9:35 AM | Link | 0 comments
29 August 2007

Telecommuting is a safe practice?

Another part of my role here at MX Logic in addition to being in charge of our Threat Research group is that of our security officer. This includes not only security education, but also implementation and enforcement of our internal security policies and procedures.

One of the things that I have been putting a lot of thought into lately is the security implication of telecommuting. Telecommuting is becoming much more commonplace among many different types of organizations now that more and more companies are adopting mobile computing practices. This often comes at the cost of security, however. In an effort to make employees more productive when they are away from the office (either traveling or working from home), the security implications of opening up your network in this way are not always considered...or if they are considered, they are set aside for the trade-off of getting more out of your workforce.

So, what's the big deal? So what if Jane wants to work on her desk PC at home when she telecommutes instead of using her laptop?

There was an article posted recently on darkreading.com that said that 94% of Federal CISOs do not believe that telework/telecommuting programs are a threat to security. It also stated that 83% of Federal CISOs are "interested" in mobile endpoint certification for compliance with the Federal Information Security Management Act. Being interested means that they aren't doing it yet, but think it is a good idea.

These numbers don't add up to me. How can you not be concerned about the security implications of telecommuting, but at the same time haven't even certified that your own equipment is in compliance with your own Information Security Management Act?

Let's discuss some best practices that companies can use when implementing a work from home policy:

-- Set up access control so that only your company-authorized PCs are allowed to connect to your VPN. If Jane has been connecting her work laptop to her own unsecured home wireless network or to the local Starbucks Wi-Fi network, you still can't guarantee that she won't be trying to spread a virus across your corporate infrastructure, but you have more control over this PC than you do over Jane's home PC that she shares with her two teenagers.

-- Implement as many defense-in-depth strategies on your company PCs as possible. This includes at least one anti-virus product and some kind of Host-Based Intrusion Prevention System (HIPS).

-- Disable ports on the PC which allow users to plug in external storage devices like USB drives. Not only are these devices handy if someone wants to steal your corporate secrets off of your corporate intranet, but they are an easy injection point for malware.

-- Turn off the wireless radio when the PC is going to be hard-wired to the network. It will prevent accidental connection to a potentially rogue wireless network. A nice side effect is that it will increase battery life on a single charge as well, since the radio is such a drain on the battery when it is on.

As with anything technology related, technology solutions are only part of the answer. User education is also a large piece of this pie. One of the most important jobs of a security officer is security awareness: making sure that security is part of the consciousness of every employee at an organization. It is one thing to put policies and technology in place which enforce security, but it is another entirely to make sure everyone in your company is also aware of those policies and knows and understands how to follow them. The backend technology should be in place to enforce those policies, but it is the end user's responsibility to try not to put themselves into a vulnerable position, and that is done through education, education, and more education.

Posted by smasiello at 9:58 AM | Link | 1 comment