About November 2006

This page contains all entries posted to AuthenticationWorld Blog in November 2006. They are listed from oldest to newest.


November 2006 Archives

November 1, 2006

Excellent malware management resource

This post covers an excellent resource aimed at explaining to senior managers what all the fuss is about with online crime. "The Crimeware Landscape: Malware, Phishing, Identity Theft and Beyond" is produced by the US Department of Homeland Security, the SRI International Identity Theft Council and the Anti-Phishing Working Group.

It provides an excellent executive flyover of all the major attack vectors. If you are trying to convince your management that a problem exists to which your enterprise is at medium to high risk, then use this resource as an aid.


November 2, 2006

Spear phishing - The attack sophistication grows

So you're thinking "all these phishing and malware attacks won't affect me because I'm not a bank and we have nothing that anybody wants"...WRONG! Take a look at this story published today in Computerworld "Spam that delivers a pink slip".

The story documents the use of "spear phishing". Instead of bombarding the enterprise with foolish emails from unknown persons trying to get an employee to click on a link, spear phishing uses real enterprise addresses with email links and/or document attachments that download malware. In this story, a medical center in Georgia was hit by emails, coming from legitimate addresses, telling employees there would be layoffs and directing them to a supposed site that offered career counseling information.

What are the chances of your employees clicking on such a link or opening a Word document with the fake announcement? Now imagine that the malware is more sophisticated, using an attack like Blue Pill....do you see any risk to your enterprise? I'd say there's HIGH RISK.

Was this a bank that was targeted? No, it was an enterprise with 3,500 employees. "Well", you think, "we only have a few hundred employees...we're safe". What security experts have been saying for the last two years is that these types of attacks are becoming more common and they're targeting enterprises of all sizes. So what's the answer?

THERE IS NO SILVER BULLET! Your enterprise needs a layered defense. It starts by educating employees and workers to not click on email links. Then it moves to a series of layers of defenses outlined in my paper "Modern Network Security Strategy 2006". This includes strong authentication and transaction authentication as users progress towards higher risk applications, networks and information.

There is no one product that is going to provide your enterprise with security. You must wake up to the fact that you're in an arms race where the attacker currently has the upper hand.


November 3, 2006

Required reading

I was going back through my archived reading material the other day and I came across some articles I thought were excellent several months ago...in fact I still do. It's what I think is required reading if you're an enterprise manager trying to make sense of your security and identity architecture.

Noam Eppel, a security analyst, wrote a long article this past spring titled "Security Absurdity: The Complete, Unquestionable and Total Failure of Information Security". He methodically notes each area where security is failing against modern attacks. I agree with his observations.

Then there is the voice of wisdom from one of the original inventors of the proxy firewall, and founder of a number of security firewall and IDS companies, Marcus Ranum. Marcus is a man who doesn't mince words. He too, like Noam, is pretty depressed about the current state of IT security. I strongly recommend two of his articles:

Computer Security: An utter failure (scroll down the page and look for his "new stuff", then select the link under "Utter Failure").

What is "deep inspection"?, written in 2005, is an excellent history of firewall, AV, IDS and IPS development.


How good is your firewall anti-malware....(hint it's not looking very good)

How well do you think your anti-malware is doing against incoming threats? Are you thinking 90-95%...Wrong! HOW ABOUT 20-35%?!

Malware test labs released their 11th round of testing (September 26, 2006). It's pretty scary reading. The top vendors are missing around 80% of the attacks!



November 4, 2006

Watching what goes out the network door

Here's the scenario. Either your network has been successfully breached by some spyware (which the leading vendors miss 60-80% of the time), resulting in sensitive enterprise information being sent out of the network, or you have an employee inside who is sending sensitive information out to others who shouldn't receive it. HOW DO YOU KNOW?

One of my nine recommended layers is to have perimeter security. One of the subsets of this layer is the use of something called network content filtering/control, network leak prevention, extrusion prevention or risk protection. What does this do?

It filters all traffic leaving a network and looks for information that the enterprise doesn't want leaving the enterprise. Sounds good?

Well, it can be good as long as you have done an enterprise risk analysis first to define what kinds of information count as high or medium risk. Then you can create policy rules and algorithms in these tools to monitor for them. Without this, you simply cannot monitor everything leaving the network, make sense of it and identify the pieces that are at risk.
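What such a policy rule set looks like in practice, as an added example that is not part of the original post and not any vendor's product: the risk analysis has (hypothetically) decided that card numbers and documents carrying a classification marker are high risk and that payables vocabulary is medium risk, and the egress filter scans each outbound message against those rules. The Luhn check on digit runs is there to keep order numbers and other random digit strings from tripping the card-number rule. Messages, addresses and risk tiers are constructed sample data.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """One policy rule from the (hypothetical) enterprise risk analysis."""
    name: str
    pattern: re.Pattern
    risk: str            # "high" or "medium", as assigned by the risk analysis
    validator: object = None  # optional callback on the match to cut false positives


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: true for well-formed card numbers, false for most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def card_number_plausible(match) -> bool:
    """Strip separators, then require 13-16 digits that pass Luhn."""
    digits = re.sub(r"[ -]", "", match.group(0))
    return 13 <= len(digits) <= 16 and luhn_ok(digits)


# Rules are assumptions for this example; a real deployment derives them from its own analysis.
RULES = [
    Rule("card-number", re.compile(r"\b(?:\d[ -]?){13,16}\b"), "high", card_number_plausible),
    Rule("classification-marker", re.compile(r"\b(CONFIDENTIAL|INTERNAL ONLY)\b"), "high"),
    Rule("payables-keyword", re.compile(r"\b(wire transfer|account number)\b", re.I), "medium"),
]

RISK_ORDER = {"low": 0, "medium": 1, "high": 2}


def classify_outbound(text: str) -> dict:
    """Return the highest risk tier found in an outbound message and the rules that fired."""
    fired = []
    for rule in RULES:
        for match in rule.pattern.finditer(text):
            if rule.validator is None or rule.validator(match):
                fired.append(rule)
                break  # one hit per rule is enough to decide
    risk = "low"
    for rule in fired:
        if RISK_ORDER[rule.risk] > RISK_ORDER[risk]:
            risk = rule.risk
    return {"risk": risk, "rules": [r.name for r in fired]}


# Constructed outbound traffic: (recipient, message body).
SAMPLE_OUTBOUND = [
    ("vendor@example.com", "Invoice attached. Card on file: 4111 1111 1111 1111"),
    ("partner@example.net", "Order ref 1234567890123456 shipped today"),
    ("personal@example.org", "FWD: CONFIDENTIAL Q4 layoff plan"),
    ("friend@example.org", "Lunch at noon?"),
]


def scan_outbound(messages):
    """Run the policy over a batch and report the risk tier per recipient."""
    return [(to, classify_outbound(body)["risk"]) for to, body in messages]


if __name__ == "__main__":
    for to, risk in scan_outbound(SAMPLE_OUTBOUND):
        print(f"{risk:6s} -> {to}")
```

Only the messages the rules say are medium or high risk need a human to look at them; without the prior risk analysis that produced the rules, every outbound message would have to be read, which is the point the post makes.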

Yesterday in Sci-Tech Today there's an article "How well do you know your network" that speaks to this. The story notes that a large number of companies don't even have this technology on their radar screen.


Gromozon and the future of malware trojans

If you'd like to get a closer look at the future of malware trojans then read this blog from Symantec Security Response Weblog, October 19, 2006 "Gromozon Evolution: From Spaghetti to Lasagna". The blog shows how quickly trojans are evolving including:

* Anti-reverse engineering - uses scrambled code
* Anti-debugging - checks for presence of debugger files
* Anti-monitoring - checks for monitoring packages
* Anti-anti-rootkit - removes or blocks rootkit prevention programs
* Anti-removal - hides itself in data streams and prevents manual deletion

The code is written by professional criminals who are getting better and better at outwitting current defense strategies. As malware researchers doggedly begin to catch up, the criminals hurl all sorts of new attack-resistant strategies at the enterprise. Some recent reports note code variations in the attack software every 30 minutes!

This type of attack will increase over the coming year resulting in all sorts of enterprise security breaches.


November 5, 2006

Finding and removing rootkit attacks - How secure do you feel?

How secure is your enterprise against rootkit attacks? Are you relying solely upon your firewall anti-spyware vendor for your defense? If so, maybe you shouldn't...

In eWeek on Friday, they ran an interesting story "Study: Symantec Best at Removing Rootkits; Microsoft Worst". The story outlines a study (paid for by Symantec) by Thompson Cyber Security Labs, which tested the leading spyware vendors for their ability to detect and remove rootkits.

Symantec came out on top. What was most interesting, however, were the results displayed on page 13 of the report. The test was against 20 rootkit attacks. Symantec could detect all 20, McAfee 17, Webroot and FSecure 15, Sunbelt 12, Trend 10 and Microsoft 5. All the vendors except for 1 missed 3 or more rootkit attacks.

Then there was the cleanup. Symantec could only clean up 16, Webroot and FSecure 8, McAfee 7, Sunbelt 5, Microsoft and Trend 3.

Bottom line: The vendors are struggling to first of all detect and then definitely remove a rootkit attack. You should not be resting on your laurels of telling your CEO that the enterprise is well defended against these types of attacks because you have an anti-spyware detection system installed. Some of the attacks are going to get through and not be detected. Worse, when they are detected, the odds are great that it won't be effectively removed.

You need a layered enterprise security defense. As I have outlined in my paper "Network Access Control Security 2006", you need to prepare to reimage your entire network if you're infected with a rootkit. This can be a very large undertaking.

Further, you also need to have layers of stronger authentication. This will help mitigate the risk of a successful rootkit attack where the software deploys keyboard and screen loggers.

Then, you must assume that this type of defense too will be breached. Use transaction authentication to protect your most valuable or high risk information, network and applications.

DON'T JUST SIT BACK AND WISH THIS ALL AWAY OR THAT IT WON'T HAPPEN TO YOU. It's better to be proactive now rather than explaining to the media and your Board later why your enterprise was successfully attacked and suffered financial loss.


November 6, 2006

FFIEC authentication questions and answers

In August, the FFIEC (US Federal Financial Institutions Examination Council) released a FAQ on its upcoming end-of-2006 deadline for financial institutions, "Authentication in an Internet Banking Environment". I am referencing it here for readers who want to keep up with the regulations that US financial institutions must comply with.

Some things to note in the US:
1. Telephone banking is included in the regulations.
2. Multi-factor authentication is not required. The FAQ says that "The use of multifactor authentication is one of several methods that can be used to mitigate risk as discussed in the guidance. However, the guidance identifies circumstances under which the Agencies would view the use of single-factor authentication as the only control mechanism as inadequate and conclude that additional risk mitigation is warranted."

This regulation is a general wakeup call to US financial institutions. However, the regs are very vague and will likely not seriously slow down identity theft in the US. Many banks have already deployed transaction authentication as a means of reducing their risk.


Future of keyboard hacking - jitterbugs

So what does the future hold for keyboard hacking? It's likely to be "JitterBugs".

In a paper released this past summer by University of Pennsylvania grad students titled "Keyboards and Covert Channels", they document the use of a new attack tactic called a JitterBug.

"This paper introduces JitterBugs, a class of inline interception mechanisms that covertly transmit data by perturbing the timing of input events likely to affect externally observable network traffic. JitterBugs positioned at input devices deep within the trusted environment (e.g., hidden in cables or connectors) can leak sensitive data without compromising the host or its software. In particular, we show a practical Keyboard JitterBug that solves the data exfiltration problem for keystroke loggers by leaking captured passwords through small variations in the precise times at which keyboard events are delivered to the host. Whenever an interactive communication application (such as SSH, Telnet, instant messaging, etc) is running, a receiver monitoring the host’s network traffic can recover the leaked data, even when the session or link is encrypted. Our experiments suggest that simple Keyboard JitterBugs can be a practical technique for capturing and exfiltrating typed secrets under conventional OSes and interactive network applications, even when the receiver is many hops away on the Internet."

The paper is an interesting read. By inserting code and/or hardware devices that cause a slight delay between the keyboard being touched and the computer responding to it, and by coupling this with a small packet of information buried in other packets, the attack could prove formidable in attacks on uids and passwords.


Reference report on malware

In going through my archived material, I came across a report from Kaspersky Lab that I think readers need to reference. Published every six months, the "Kaspersky Security Bulletin" released in late September documented the malware evolution from January to June 2006.

The document highlights:
* the growing number of Trojans
* the decline in the number of viruses (the report says this is due to the cost of developing a new trojan versus the cost of developing a new worm)
* a slight drop in the overall number of malware programs from the previous six months
* a steady rise in the number of criminal extortions
* a rise in the number of targeted attacks

This data agrees with other expert opinion mentioned throughout this blog.

Enterprises need multiple levels of defense, including different levels of authentication, in order to adequately defend themselves against very costly attacks.


Month of kernel bugs

Readers might like to follow on a daily basis the "Month of kernel bugs" by HD Moore. Moore is announcing a different kernel bug every day for the month of November.

Personally, I feel he should be reporting these to the vendors, but nonetheless the bugs are very interesting. Today's bug was reported to Microsoft in 2004 and hasn't been repaired yet.

Previously announced kernel bugs address Macs, Linux and Solaris.

Readers should also note that kernel attacks are extremely serious since the kernel is at the heart of the operating system. While the number of kernel attacks as a proportion of the existing malware attacks is low, they are gaining momentum and will be used in more targeted attacks.

Note the post a few days ago about the effectiveness of anti-spyware vendors at detecting rootkit kernel attacks and then removing them. The likelihood of a successful kernel attack against your enterprise is currently high.


Biometrics and US Department of Defense

I personally feel that the use of biometrics for identification and authentication is way ahead of laws guaranteeing an individual's privacy. For example, the US Department of Defense was quoted in a story, "DOD Makes Red-Teaming a High Priority", November 3 in Military.com.

The story outlines the importance of biometrics to the US Military. The story says "“You can envision a time where you can collect an image at a distance, put it in a database and correlate it with other sets of information” to uniquely identify an individual, he said.

To Young, the increased use of biometrics is a reflection of 21st-century threats.

“As the war on terrorism is more about individuals than nation-states, there’s a desire to have unique technologies to be able to . . . identify an individual [and] follow [his] movements, if you need to,” he said.

A related priority is the development of technologies to tag, track and locate suspected terrorists, Young told ITP. “There [are] a lot of technology opportunities out there to look at very small devices or very unique aspects of individuals” that could help warfighters keep up with their movements, he added."

My concern is the laws pertaining to this usage and the approval required to breach them.


November 7, 2006

Undisclosed flaws and a layered enterprise defense

While zero-day exploits have been making headlines the last couple of years, what is slowly reaching the media are "less than zero day" flaws. For example, see the story yesterday in Computerworld, "Undisclosed flaws Undermine IT Defenses".

The story points out that there are many unreported software and security holes to which enterprises are vulnerable. Quoting a CTO of a telecommunications company, "Therefore, the emphasis has to be on detecting and containing the fallout from any attacks to the greatest extent possible, he added. That requires multiple layers of defenses not just at the network perimeter but behind it as well, according to Sullivan, who recommended the use of security measures such as strong user and device authentication, strict role-based access controls, network segmentation and data encryption."

The article is light on the many layers required. While it does mention perimeter security and authentication access control, it doesn't mention checking out workers before hiring, training users to not click on email links, multi-factor authentication and transaction authentication.


November 8, 2006

Oops...I accidentally sent out an infected email to 50,000 customers!

Here's an example of how even a legitimate company like Google can be an unwilling participant in spreading malware. Today they announced that they had accidentally sent out an email containing a worm.

Caveat emptor when receiving emails with links or attachments, even from a trusted source or colleague.


November 9, 2006

Spam increasing dramatically

On November 6, Postini, a leading firm in integrated message management, reported that spam email had rocketed 59% from September to November and that spam now accounted for 91% of all email. Over the past 12 months, Postini stated that spam had increased by 120%!

What makes this bad situation worse is that the number of viruses in spam email is also steadily increasing. About 1 in every 200 emails contains a virus, and 10 out of 12 emails are spam.

The future doesn't look bright. It seems that as organized crime takes hold of the internet, the number and, perhaps more importantly, the sophistication of attacks is growing rapidly. Experts continue to say that there is no let up in this trend for the next one to two years.

You need a layered set of defenses. Without this, your enterprise is vulnerable to breaches that will result in corporate harm.


Phishing attack victims lose more

On November 9, Gartner Group released a study "Phishing attacks leapfrog despite attempts to stop them". In their news release, Gartner stated the following:

"The number of U.S. adults that are sure or think that they have received phishing e-mails has nearly doubled since 2004, according to a survey by Gartner, Inc. Financial losses stemming from phishing attacks have risen to more than $2.8 billion in 2006."

"The good news is that, this year, fewer people think they lost money to phishers, but when they did lose, they lost more," said Avivah Litan, vice president and distinguished analyst at Gartner. "The average loss per victim nearly quintupled between 2005 and 2006, and the thieves seem to be targeting higher-income earners who are also more likely to transact on the Internet."

"According to the Gartner survey of 5,000 online adults in August 2006, an estimated 24.4 million Americans have clicked on a phishing e-mail in 2006, up from approximately 11.9 million in 2005, while 3.5 million have given sensitive information to the phishers, up from 1.9 million adults last year."

"The anti-phishing measures some enterprises have put in place to protect their brand and their consumers are not working," Ms. Litan said. "Phishers are moving from site to site to launch their attacks more quickly than ever. The average life of phishing sites has gone from one week a couple years ago to about one hour in 2006. Within a year or so, phishing sites may be user specific — that is a single site will be set up to launch a phishing attack against a single user. It’s no wonder the detection services can’t keep up with these rapid criminal movements."

Here then is the bottom line:
1. The number of spam emails is soaring to represent 91% of all email.
2. Phishing attacks are becoming more targeted.
3. There is no let up in sight where the "good guys" are going to be able to overcome the "bad guys" in the arms race.
4. In addition to having a strong perimeter defense layer, make sure you have a layered identity-based defense system using stronger authentication coupled with transaction authentication. Without this your enterprise is increasingly vulnerable to successful attacks by organized crime over the next two years.


November 10, 2006

The malware arms race continues

How sophisticated is malware getting to avoid detection? The answer is not encouraging.

Today in Computerworld "Mutate, fragment, hide: The new hacker mantra" is a story outlining the mutation techniques that are currently being deployed by organized crime. Examples given include Swizzor "a Trojan download program discovered earlier this year that repacked itself once a minute to get past signature-based tools that work only if they know precisely what to block. Swizzor also recompiled itself once every hour."

The article quotes Matthew Williamson, principal researcher at Sana Security Inc:

"The fragmented nature of such code makes it harder to write removal scripts and to know if all malicious code has actually been removed, Williamson said.

Complicating matters is the growing use of rootkits to conceal malicious code on infected systems, he said. Rootkits can be installed at the operating system level or as kernel-level modules and are used to hide malicious code and processes from malware detection tools, Williamson said.

A malicious program named Haxdoor -- a variant of which was used to steal information from 8,500 computers in 60 countries in October -- is one example. Haxdoor was used to steal passwords, keystroke information and screen shots from computers it had infected and send them to a remote server.

It was also used to disable system firewalls and concealed itself in a rootkit on the infected machines."

It is through the use of these techniques that I believe many enterprises will be vulnerable to successful attacks. This will result in the capture of uids and passwords used for authentication, which will then be used by organized crime to access systems like payables and authorize electronic transactions to fake companies.

Get a layered identity defense security system in place using stronger authentication and transaction authentication to protect your enterprise's crown jewels.


November 14, 2006

Who owns your biometric?

The use of biometrics continues to grow at an amazing rate. Yesterday, the BBC ran a story "Under the thumb?" in which it explained that to rent a car at Stansted airport now, you must give your fingerprint. The article then references the growth of biometrics for use in purchasing groceries (3 million in the US are registered).

What laws are in place to protect a digital piece of you? The answer is that there aren't any that speak to the storage security for biometrics, length of archival, your permission to give out this information or legal recourse for when it's stolen.

While the use of biometrics is very tempting to replace passwords as the primary authentication identification mechanism in the future, at what price does it come? Ease of use does not equal lack of protection of the identity nor loss of the citizen's privacy.


November 18, 2006

How do you spell T-R-O-U-B-L-E?

How do you spell trouble? No, it's not t-r-o-u-b-l-e. It is the increasingly sophisticated forms of cyber attacks by organized crime potentially on your enterprise. Here's how I spell it:

1. Rootkit attacks are now becoming very sophisticated. For example, the "Rustock" or "Mailbot.AZ" virus detected this past summer. It is the first in a new generation of trojan viruses that uses no system processes, which are usually monitored by your AV, ISP and IDS systems. Instead it runs its code inside a driver and kernel threads. Further, instead of being detected by the use of system processes, hidden files and hooks into API's, the virus uses alternate data streams. To make matters worse, it also evades rootkit detector checks on kernel structure integrity. Finally, the sys driver the virus uses changes its code from sample to sample. Add all this up and it means that trying to create a signature file to prevent it from passing through the firewall becomes less and less likely. More information on this can be found here.

2. Then there's the rise in sophistication of botnets by organized crime. Today, many botnets hide in legitimate sites that have been hacked. The legitimate sites send out the commands to the bots. The legitimate sites in turn receive their commands from other bots. This puts a huge challenge in front of companies and police agencies trying to find out the source of the bots. For more information on this click here.

3. Then there are attacks like Blue Pill. By using virtual memory, it is thought to be currently undetectable. For more information on this attack click here. For a recent rebuttal with AMD read here.

4. Then there is the ability to launch a rootkit attack using a PCI device containing a flashable expansion ROM. This type of attack is very hard to detect. To read the paper describing this attack pattern, click here.

5. Then there are the numerous MS security flaws. To read about only the latest high risk flaws click here.

6. Just to remind the readers that MS isn't the only one having troubles read the Month of Kernel Bugs page here. For insight into the author of this read the interview with him here.

7. Just to remind readers about how effective current AV tools are at removing rootkit attacks, check page 13 of this report by Symantec. In their own report, they show the test was against 20 rootkit attacks. Symantec could detect all 20, McAfee 17, Webroot and FSecure 15, Sunbelt 12, Trend 10 and Microsoft 5. All the vendors except for 1 missed 3 or more rootkit attacks. Then there was the cleanup. Symantec could only clean up 16, Webroot and FSecure 8, McAfee 7, Sunbelt 5, Microsoft and Trend 3.

To add to this grim news, check out this test published September 26 of this year that showed the best cleanup success rate against a suite of malware taken from a honey pot was 35.71%.

8. Now consider that as cell phones become increasingly used to communicate with the enterprise digitally and download data from the enterprise systems, that these devices are seen by experts as becoming increasingly used in phishing attacks.

9. Then there is the increase in spear phishing attacks. These types of attacks are increasingly becoming more common as criminals use targeted emails, appearing as if they come from the enterprise to launch their attacks. Read my blog here on this. What happens when the attachment or the email link isn't so obvious as the pink slip spear phishing attack used in the reported story but is a realistic business document?

10. Then there is the usual high risk of an insider attack. The chances of this happening to you grow as organized crime takes control of the attack using one of your employees, contractors or even the janitors. Their role may be to simply log onto the enterprise system behind the firewall and infect it, or to provide uids and passwords for key positions, such as payables clerks and managers.

This isn't a sky-is-falling blog. HOWEVER, the sky is definitely gray and going to get darker for the next two to three years. Too many enterprises have weak perimeters or, even if they have strong perimeters, have weak layers of security behind the firewall.

My message is clear. Plan on having layers of identity based authentication, using stronger and stronger authentication as the user drills towards more sensitive high risk systems, applications or information. Put in place transaction authentication around the most sensitive high risk areas.

Without this, you are blowing around in the wind waiting for the storm to strike you. The worst part is, if you're unlucky, you may not know the storm has even struck. That's when you can really spell TROUBLE.


November 20, 2006

Wireless attacks, strong authentication and good security policies

How easy is it to take over a laptop using a wireless device and also using WPA2? It's not that hard to do.

This month, HD Moore is releasing a kernel bug every day. One of his releases covers a Broadcom wireless driver. This driver is used in PCs from Dell, HP, Gateway and other vendors as well as built into some devices by Linksys and Zonet.

The device driver flaw allows a malicious person to take control of your laptop without you knowing about it. Even more scary, the flaw works whether the laptop is connected to a wireless network or not. The flaw exists in the wireless card's background scanner looking for wireless networks.

A number of patches are now available. However, trying to get the patches out to all the millions of laptops around the world won't be easy and there will likely be many, many users who don't know of this threat.

This then brings to mind the threat to the enterprise from a wireless device.

When the first wireless protocol 802.1, which was the underpinning of WEP (Wired Equivalent Privacy), was released a few years ago, it was quickly proven to be seriously flawed and easily hackable. This led to the industry of drive-by hackings where criminals would simply drive around, find networks that were using the protocol and easily crack them.

The WEP protocol weaknesses were somewhat quickly bridged with a Temporal Key Integrity Protocol (TKIP) and then replaced in 2003 with a WiFi Protected Access (WPA) (802.11) and then again upgraded in July 2004 with WiFi Protected Access 2 (WPA2).

Against this background, there has been widespread increase in the use of wireless devices to access enterprise networks, applications and sensitive enterprise information. This trend will likely continue as it affords enterprises the ability to quickly access information and work anywhere in the world at any time.

Couple all of this with the generally weak authentication used on wireless devices, i.e. uid and password. Criminal attackers are now beginning to focus on the wireless device as an easy entry into the enterprise by deploying malware on it.

So what is the answer to the use of wireless devices and the threats to the enterprise? THERE IS NO SILVER BULLET! Your enterprise needs a graded threat model to deal with the use of wireless devices.

To start with, any device using WEP should be used only for extremely low risk applications. DO NOT let your employees log on to your enterprise systems using this device and have access using the same authentication to sensitive information or applications. The ability to crack this is child's play. Read here for all the different attack mechanisms available.

All your wireless devices should be using WPA or WPA2. Read here for all sorts of information on current threats even when using these protocols.

Your enterprise security policy should have a policy enforcement point at the perimeter of your enterprise that first of all detects the software and hardware being used by a wireless device attempting to access the network. It is here that you should put all devices that don't meet the latest upgrades (such as the Broadcom driver) into a containment area until they are upgraded. Companies making this network access control appliance include Infoblox and Caymas.

Then you should only use low level authentication for low risk networks, applications and information systems. DON'T ALLOW YOUR USERS TO ACCESS HIGH RISK NETWORKS, APPLICATIONS AND INFORMATION WITH ONLY A UID AND PASSWORD! There is a rapidly growing risk these can be easily breached.

For higher risk situations require stronger authentication. While some of you may groan and say "but all this costs money to deploy things like digital certs, SecurID tokens, biometrics etc.", there is the associated risk. Read this for a discussion on costs of attacks.

So at this point, you've implemented a network perimeter access control device, upgraded WEP devices and eliminated the use of the protocol, adopted WPA and WPA2, taken precautions even when using these protocols, upgraded the Broadcom drivers and used stronger authentication for higher risk applications. "Now I'm secure" you think. WRONG!

Given the current state of malware attacks and the increased growth of organized crime, you should not trust all of the above to protect your enterprise crown jewels. If you're going to have a senior executive access the crown jewels using their wireless device, then you should use transaction authentication.

Even after the executive has successfully logged on, the transaction authentication software looks at their hardware, IP address, geolocation, user profile, user history and time of day to determine if the person on the end of the device is who they are purporting to be. It will stop the executive's attempt if it determines there are grounds to do so, flag enterprise management in real time, or ask the executive all sorts of personal questions to validate themselves further.

This is what a layered wireless access security policy needs to look like. You need to have:
* Risk management analysis done for the enterprise
* Network access control appliances in place
* Single sign-on security software in place
* Graded authentication strengths determined
* Stronger authentication deployed against higher risks
* Transaction authentication software in place for highest risk situations

Without it, your enterprise is running a high risk of a security breach in the near or mid-term future.


A BIG MESS: Spam, Denial of Service Attacks, Botnets, Recursive DNS and DNSSEC

This blog will outline the current mess the digital planet is in regarding botnets, spam, denial of service attacks, recursive DNS and DNSSEC. I will untangle some of the threads to indicate why, in the next two years or so, there are growing threats to enterprises and that there is no silver bullet in sight. To begin, I'll start with DNS (Domain Name System).

When the internet was first invented and then rolled out, the inventors built a naming service that would translate a web address like www.acme.com to its numeric internet address. The domain name system (DNS) maps the name to the address. The system has been successful since it scales well. Your computer looks for the nearest DNS cache, which in turn looks for the DNS name server. Since there are many name servers, there are always ways of quickly resolving addresses.

What the inventors didn't consider was the fact that the DNS ID header could be easily spoofed. For a while, this wasn't a problem. Then along came the 1990's and the first signs of trouble appeared on the horizon with IP spoofing attacks. This was quickly adopted by email spammers.

Then, as the late 1990's turned into the new millennium, the idea emerged of taking malicious software (malware) and using it in emails to take control of people's computers. Thus began the age of botnets. Today it is estimated that up to 10% of all computers on the internet are infected. Some reports, from 2004, estimate that up to 90% of all computers have spyware running on them. For a more detailed discussion read this.

Fast forward to the last year, in which organized crime has taken hold of the internet as a way to make money. Organized crime gangs have millions of bots under their control. They have recently begun to hide control of the bots from easy detection. They use decentralized command and control. Further, they have also begun to change the code running the bots every 30 minutes.

The bots then provide organized crime with all sorts of attack vectors into enterprises, THAT CAN BE SPRUNG VERY QUICKLY. Let's look at how they're using the bots.

One growing trend is to create denial of service (DoS) attacks on enterprises. In this scenario, enterprises are either forewarned of an upcoming DoS attack by criminals and asked to pay them off beforehand or, the criminals launch the attack and then threaten to keep it up and bring the enterprise to its electronic knees.

Readers should note how these attacks are constructed. The criminals spoof the IP address of the victim as the requestor. They then use their botnets to forward these requests to DNS servers that are configured to do recursive lookups. These are DNS servers that will respond to requests for domain names for which they are NOT authoritative. The recursive DNS server then responds to the requests, and the response goes to the spoofed victim address. Because it is estimated that over 50% of all DNS servers are misconfigured to act as recursive servers, the attack magnifies. Today, many attacks have been documented at over several gigabits per second. This is an amount that the average enterprise's servers cannot cope with.

The US-CERT is so concerned by this amount of traffic that they worry that key portions of the internet could be brought down in expanded attacks. They have issued strong recommendations to the internet community about the configuration of DNS servers. However, even with these strong recommendations, the millions of DNS server owners blissfully ignore them, since there is no immediate catastrophe facing them individually. In summary then, this attack uses the weakness in DNS IP headers to spoof an IP address and the poor configuration of DNS servers, coupled with the criminals' botnets.
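To make the mechanism concrete, here is an added example in Python (not code from the original post) that builds a constructed query and two constructed resolver responses, parses the DNS header, flags the response that carries the open-resolver signature (recursion available, a non-authoritative answer for a name the server does not host), and measures how many response bytes the spoofed victim receives per query byte. The transaction ID, the name and the 192.0.2.10 address are constructed test values.

```python
"""Constructed DNS messages showing what an open recursive resolver looks like
on the wire, and how much larger a response is than the query that caused it.
Added example; not from the original blog post."""
import struct
from typing import Optional

# DNS header flag bits (RFC 1035, section 4.1.1)
FLAG_QR = 1 << 15   # 1 = this message is a response
FLAG_AA = 1 << 10   # the answer is authoritative
FLAG_RD = 1 << 8    # recursion desired (set by the client)
FLAG_RA = 1 << 7    # recursion available (set by the server)
RCODE_MASK = 0x000F
RCODE_REFUSED = 5


def encode_name(name: str) -> bytes:
    """Encode "www.acme.com" as DNS labels: \x03www\x04acme\x03com\x00."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lab)]) + lab.encode() for lab in labels) + b"\x00"


def build_query(txid: int, name: str) -> bytes:
    """An ordinary client query for an A record, recursion desired."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)  # type A, class IN


def build_response(txid: int, name: str, rdata: Optional[bytes],
                   rcode: int = 0, ra: bool = True) -> bytes:
    """Constructed resolver response. rdata=None gives an empty answer section,
    which is what a correctly locked-down server sends with RCODE REFUSED."""
    flags = FLAG_QR | FLAG_RD | (FLAG_RA if ra else 0) | (rcode & RCODE_MASK)
    ancount = 1 if rdata else 0
    msg = struct.pack("!HHHHHH", txid, flags, 1, ancount, 0, 0)
    msg += encode_name(name) + struct.pack("!HH", 1, 1)
    if rdata:
        # answer: pointer to the name at offset 12, type A, class IN, TTL 300, rdlength
        msg += struct.pack("!HHHIH", 0xC00C, 1, 1, 300, len(rdata)) + rdata
    return msg


def parse_header(msg: bytes) -> dict:
    """Decode the 12-byte DNS header into named fields."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": txid,
        "qr": bool(flags & FLAG_QR),
        "aa": bool(flags & FLAG_AA),
        "rd": bool(flags & FLAG_RD),
        "ra": bool(flags & FLAG_RA),
        "rcode": flags & RCODE_MASK,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def is_open_recursive(query: bytes, response: bytes) -> bool:
    """True when the server answered, non-authoritatively, a name it does not host:
    the signature of a misconfigured open resolver that an attacker can bounce
    traffic off. The 16-bit ID is the only field tying an answer to its question."""
    q, r = parse_header(query), parse_header(response)
    if r["id"] != q["id"]:
        return False
    return r["qr"] and r["ra"] and not r["aa"] and r["rcode"] == 0 and r["ancount"] > 0


def amplification_factor(query: bytes, response: bytes) -> float:
    """Bytes delivered to the spoofed victim per byte the sender had to transmit."""
    return len(response) / len(query)


if __name__ == "__main__":
    q = build_query(0x1234, "www.acme.com")
    answered = build_response(0x1234, "www.acme.com", bytes([192, 0, 2, 10]))
    refused = build_response(0x1234, "www.acme.com", None, rcode=RCODE_REFUSED, ra=False)
    print("open resolver:", is_open_recursive(q, answered),
          "x%.2f" % amplification_factor(q, answered))
    print("locked down:  ", is_open_recursive(q, refused))
```

The same header check, run against a response from one of your own resolvers for a name you are not authoritative for, tells you whether that server is one of the misconfigured recursive servers the US-CERT recommendations are about.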

Another attack is spam email. It has been recently documented that spam now accounts for 91% of all internet email traffic! Let's examine how spam works.

The criminals send email using someone else's email address as if it were them. They then have their botnets download email lists to construct the spam. The malware is very sophisticated in its ability to change rapidly. This is why, all of a sudden, you are experiencing all sorts of spam email passing through your anti-virus filters. There is no way that an anti-virus vendor can keep up with listing the different signatures used in email attacks since they change so rapidly.

Spam works. Approximately 5% of people in the UK have bought from spam emails. Thus botnets continue to expand as malware gets downloaded when the user clicks on a link. Since there is no way to actually authenticate the sender of the email, the botnets continue to bombard enterprises with spam.

Another attack is to redirect a user to a fake site even though they enter in the correct web address in their browser. Called "pharming", this attack uses something called DNS cache poisoning to make it happen.

The criminals intercept DNS responses between a DNS root server and a local DNS server. They interject their false IP addresses into the response, which the local server then caches. The next time the user enters in the web address for, say, Acme.com, the false IP address is used by the DNS cache and the user is directed to a false site (which most often exactly resembles the real site). Pharming attacks have also been increasing over the past two years.

As an aside, it has been speculated that DNS traffic this spring might slow down the internet. The reasoning is that when Microsoft introduces Vista, it has the ability to run IPv6 and the older versions of IP. The thinking is that Vista will do parallel inquiries on DNS servers. Microsoft says no and has apparently made some changes such that parallel inquiries will not be done. We will see come this spring.

Amongst all this mess, are there any solutions? The honest answer is NO, NOT IN THE IMMEDIATE FUTURE.

One way to slow down the amount of spam and DoS attacks is to use some more advanced way of digitally authenticating a DNS lookup. About 10 years ago, it was proposed that digital certificates be used to sign DNS answers (DNS Security or "DNSSEC").

This attempt has bogged down since then for a number of reasons. These include:
* root key management
* root key rollovers
* no real economic reason for millions of DNS server owners to change their practice
* arguments that there are other methods higher up the stack which are better
* concerns over scalability
* concerns over memory and performance when using digital certificates on high volume DNS servers

A recent survey found that only 1 in 100,000 DNS servers is DNSSEC compliant. Bottom line: there is likely no good news regarding deploying DNSSEC in the next one to two years (unless there is a huge internet outage caused by a DoS attack, which would prompt everyone into action in adopting DNSSEC despite all its shortcomings).

Most experts agree that for the next one to two years the problems are going to get worse before they get better. Botnets will continue to proliferate. Malware will continue to quickly evolve and outstrip existing defense tactics. DoS attacks will continue to grow. Pharming will continue to grow. Spam will continue to be a big problem.

What can you do about it?

1. Configure your DNS servers properly. Significantly reduce the ability of your DNS servers to do recursive lookups.

2. Put in place a layered defensive system. Assume that even with best efforts your anti-virus, firewall, IPS and IDS systems will be successfully breached. Put in place internal, increasingly strong authentication systems to contain the damage when a breach has occurred and someone is masquerading as your user with their uid and password.

3. Use transaction authentication from vendors like Bharosa and RSA for your most sensitive enterprise networks, applications and information. Assume that over the next two years even strong authentication mechanisms can be breached. Use the computer hardware, IP address, geolocation, user profile, user history and time of day to validate a successful authentication request.
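As an added example of the transaction authentication idea described here and in the wireless post above (allow, step up with further questions, or stop and flag management), here is a small Python risk scorer that is not the blog's or any vendor's code. The user profile, the attempts, the weights and the allow/challenge/block thresholds are all constructed assumptions; a real deployment tunes them from its own user history.

```python
"""Constructed transaction authentication scorer. Added example, not from the
original blog or from any vendor product it names."""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

# Assumed weights per risk signal and assumed decision thresholds.
WEIGHTS = {
    "new_device": 40,        # hardware not seen for this user before
    "off_network": 20,       # IP address outside the enterprise's own ranges
    "unusual_country": 30,   # geolocation differs from the user's history
    "off_hours": 15,         # time of day outside the user's normal pattern
    "recent_failures": 10,   # several failed logins just before this one
    "high_value": 25,        # the transaction itself is worth a lot
}
HIGH_VALUE = 10_000.0        # assumed amount above which extra scrutiny applies
CHALLENGE_AT = 40            # ask the user further personal questions / second factor
BLOCK_AT = 70                # stop the transaction and flag management in real time


@dataclass
class UserProfile:
    user_id: str
    known_devices: set
    known_networks: List[ipaddress.IPv4Network]
    usual_countries: set
    usual_hours: range                # local hours in which the user normally works
    recent_failures: int = 0          # failed logins in the last hour (assumed feed)


@dataclass
class Attempt:
    user_id: str
    device_id: str
    ip: str
    country: str
    hour: int
    amount: float = 0.0               # value of the transaction being authorised


def score(profile: UserProfile, attempt: Attempt) -> Tuple[int, List[str]]:
    """Sum the weights of every signal that fires and report which ones did."""
    reasons = []
    if attempt.device_id not in profile.known_devices:
        reasons.append("new_device")
    addr = ipaddress.ip_address(attempt.ip)
    if not any(addr in net for net in profile.known_networks):
        reasons.append("off_network")
    if attempt.country not in profile.usual_countries:
        reasons.append("unusual_country")
    if attempt.hour not in profile.usual_hours:
        reasons.append("off_hours")
    if profile.recent_failures >= 3:
        reasons.append("recent_failures")
    if attempt.amount >= HIGH_VALUE:
        reasons.append("high_value")
    return sum(WEIGHTS[r] for r in reasons), reasons


def decide(profile: UserProfile, attempt: Attempt) -> str:
    """Map the score to the three outcomes the post describes."""
    total, _ = score(profile, attempt)
    if total >= BLOCK_AT:
        return "block"        # stop the attempt and flag management in real time
    if total >= CHALLENGE_AT:
        return "challenge"    # successful login is not enough; ask for more proof
    return "allow"


def record_success(profile: UserProfile, attempt: Attempt) -> None:
    """After a passed challenge, remember the device so it stops counting as new."""
    profile.known_devices.add(attempt.device_id)


# Constructed profile for an executive who normally works from the office network.
EXEC = UserProfile(
    user_id="cfo",
    known_devices={"laptop-01"},
    known_networks=[ipaddress.ip_network("10.0.0.0/8")],
    usual_countries={"CA"},
    usual_hours=range(7, 20),
)

if __name__ == "__main__":
    routine = Attempt("cfo", "laptop-01", "10.1.2.3", "CA", hour=10, amount=500.0)
    late_big = Attempt("cfo", "laptop-01", "10.1.2.3", "CA", hour=23, amount=50_000.0)
    stolen = Attempt("cfo", "unknown-7", "198.51.100.4", "ZZ", hour=3, amount=50_000.0)
    for a in (routine, late_big, stolen):
        print(a.device_id, a.hour, decide(EXEC, a), score(EXEC, a)[1])
```

The third attempt is what a captured uid and password looks like to this check: the login itself succeeded, but the device, address, location, hour and amount all disagree with the user's history.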

Start paying attention to the DNS layer of your enterprise. Deep down in the bowels of the internet there are some stomach aches happening that might come back to haunt you.


Note: In the first published version of this blog I erroneously stated that 20% of people in the UK have bought from spam. The story I was referring to stated that the click through rate was 1 in 20 or 5%. I have updated the blog accordingly.

November 21, 2006

FUD and a Realistic Review of Your Enterprise Risk

FEAR, UNCERTAINTY AND DOUBT. These are the tools of the trade of people selling security products. They don't make sales by telling you that all is well. Given the shrill voices at the moment on enterprise security, what is the realistic risk that your enterprise will be successfully breached over the next two years and, if so, what are the resulting costs?

In the old days of two to three years ago, most enterprises were relatively safe hiding behind their firewalls, anti-virus, intrusion detection systems and intrusion prevention systems. Commercial, for-profit crime was mostly targeted against financial institutions, and there were always stories and criminal prosecutions of "hackers" trying to gain access to military systems. The chances that a "hacker" would try to access your enterprise were relatively small. What has changed since this time period?

There are three concurrent factors that have sharply raised the level of enterprise risk:
1. Organized crime has entered the internet
2. Botnets have been created
3. Malware has grown very sophisticated

Organized Crime
The entrance of organized crime to the internet has changed the security game. Criminals have realized there is easy money to be made, on a recurring basis, from the internet and from successfully breaching enterprises. They have developed three general markets:
* Consumer identity theft via email - criminal fraud
* Enterprise breaches - corporate theft
* Enterprise denial of service attacks - essentially criminal ransom or blackmail

This is not the normal gang operation where a gang has a few hundred members around the world and targets just big business. Today, these "gangs" have several thousand members. They have thousands of programmers hired to design successful criminal software, tailored to breach a specific type of defense. They operate globally and locally. As recently as last month, enterprises with only a few thousand employees have been targeted, including hospitals.

Organized crime has assembled a series of computers, called "bots", which they have taken control of without the owners' knowledge. Around these bots, organized crime is busily developing a vertical market.

First, they make money by sending out spam email. Today, 91% of all internet email is spam. The spam goes out to most digital citizens. In the UK, it has been documented that up to 5% of people have bought from spam emails.

When the organized criminals make money, they quickly launder it using "mules" who operate out of their homes. The money is moved around the world and then reinvested in criminal and legitimate businesses.

Citizens clicking on the email links offers the criminals the ability to create more bots. Malicious software is downloaded onto the user's computer, taking it over.

The next step up the vertical market ladder is to take the bots and use them to attack enterprises. It has been estimated that around 10% of all computers are infected. One recent study estimated that 89% of citizens' computers were infected with spyware.

Organized crime uses bots in two general ways:
1. To launch successful denial of service attacks on enterprises
2. To quickly launch malware attacks against enterprises

Denial of Service Attacks:
The denial of service attacks on enterprises are rising. It's hard to document exact numbers since most enterprises don't want to publicly admit they were attacked. However, evidence shows it is rising. Authorities believe that only a few enterprises in every hundred attacked are reporting. Regardless, criminals can bring about huge attacks by using botnets that are big enough to even shut down portions of the internet! (Read the US-CERT Advisory here and the presentation this past spring on the size of attacks here.) Faced with this type of attack, most enterprises are forced to quietly pay off the attackers.

Enterprise Breaches:
There has been a documented, growing trend over the last two years in general enterprise attacks. The use of the bots has enabled organized crime to quickly take a new attack and "get it out" to attack millions of enterprise computers within a few days. There are two general patterns emerging for these attacks:
* Spam-type email which, if your employee clicks on it, downloads malware into your enterprise
* Targeted attacks - this type, commonly known as "Spear phishing" is growing rapidly. It is this type of attack you should be worried about. I'll refer to this later in this blog.

The message here is that by using their botnets, criminals can quickly get an attack going against most enterprises. Since your enterprise uses email, you are prone to these types of attacks.

The third fundamental change over the last two years has been the evolution of malicious software (malware). Organized crime has put thousands to hundreds of thousands of programmers to work developing attack code. As I have documented in numerous blogs (read here and here), the attack code is very sophisticated. Today, the code comes with its own built-in:
* anti-spyware code (to keep out other competing malware as well as to protect itself from enterprise anti-malware)
* the ability to hide inside the operating system kernel as a rootkit (making it extremely hard to see and even harder to get rid of once detected)
* code changes every 30 minutes (this makes the current vendor anti-spyware methods of keeping a list of the "bad guys" obsolete since the "signature" for each attack changes every 30 minutes)

It has been repeatedly shown that existing anti-virus, IPS and IDS defences are becoming more easily bypassed in the face of this malware. Just as bad, it has also been documented that the rate of getting rid of the malware, once it's detected by the anti-spyware software, is very poor (a study this past September against a suite of malware taken from a honey pot found that the best rate amongst a suite of vendors for spyware removal was around 38%).

In summary then, organized crime has arrived big time on the internet. They are quickly developing their own vertical markets by using spam, botnets and malware. Most experts agree that this is a real "arms race" with the advantage currently with the attackers, likely for the next TWO TO THREE YEARS!

Your enterprise firewalls are constantly being attacked by bots. The firewalls operate on the basis of allowing everyone in except for the bad guys who are maintained on a list. This type of defense is proving to be easily breachable. The pace at which attacks against your enterprise change has gone from a couple of days from when a new attack is devised down to 30 minutes.


Given all the above, here are my general postulates:
1. Even with the best firewalls, anti-virus, intrusion detection and prevention services, the chance of your enterprise being breached over the next two years is very high due to botnets.
2. As a result, the chances of your workers' uids and passwords being in the hands of organized crime are also high, since the malware will successfully capture these and export them back out through your firewall.
3. Targeted enterprise attacks will also rise. These will involve combinations of external attacks and internal workers, janitors, temps and others.

To evaluate your risk, first let's look at your enterprise from a criminal's point of view. They want to make money and not get caught. What is in your enterprise that would appeal to a criminal?
* payables system
* data that's valuable
* products that you make

My own personal view is that over the next two years, organized crime will go after weakly protected payables systems with poor reporting processes. Why?

It's easy money. If done properly, it can be a regular cash cow for the criminals spewing out payments every month. Here's what criminals need to do to accomplish this:
1. Identify the type of software you use for payables
2. Determine the approval process and separation of duties for:
a). Creating electronic accounts
b). Approving invoices
c). Approving payment of the invoices electronically
d). Invoice approval limits
3. Determine the individuals involved in the above
4. Obtain their uids and passwords
5. Create the electronic accounts masquerading as the employees
6. Create and submit the electronic invoices
7. Approve the invoices masquerading as the employees
8. Approve the electronic payment masquerading as the employees

While all this might seem like a lot of work, it's actually not that hard to do. If criminals are smart they will target industries. For example, universities. Generally most universities use either Banner, PeopleSoft or SAP. By having the local organized crime do the footwork it won't be hard to obtain the people involved in the process and determine the approval limits. Then the rest is a matter of setting up the process such that it can be done remotely in the off hours. If the reporting process is poor and, if the invoices are kept relatively small, this can go on for a very long time before it's detected.

Data that's valuable:
Credit cards are one prime choice. This involves getting the uids and passwords of the person who administers the database. If the data is unencrypted it is child's play to take the data and then use it elsewhere to the criminal's benefit.

Other data that might be valuable is competitive information. For example, recently in Canada, WestJet airlines used scheduling data from Air Canada's system to offer more attractive flight schedules and rates. This involved access to Air Canada's scheduling system by an ex-employee.

Products that you make:
There was another Canadian story last year about a company that had been successfully infiltrated by criminals and where invoices were created and products shipped to fictitious companies. This will become more common as criminals look for low hanging fruit in manufacturing companies.

Given the above, what is the risk to your enterprise?

If you continue to use uids and passwords for sensitive networks, applications and information behind the enterprise firewall, I say that your risk is high that you will be on the criminals' hit list if you are an enterprise with over several hundred employees. Once you're this big, the chances are better for the criminal that they can operate electronically amidst your bureaucracy and your internal business processes without being noticed for quite a while.

If you have weak payables processes and use electronic payments, then the risk is also high. It's much easier for criminals to rob you than take on a bank. A little local on the ground footwork coupled with payables system knowledge means you can be easy prey.

If your internal databases holding credit card information are poorly protected, then you are also at high risk for an attack. The best part for the criminals is that you might never realize you have been attacked or, it will take you months or years to realize it. The public cost of admitting this disclosure is high. Read here for an analysis of the cost of a security breach.

If you do manufacture products, and your business processes for approving shipment and payment are weak (using uids and passwords to approve), then you too can expect a high risk of attack over the next two years.

The general costs of these types of attacks will be in the hundreds of thousands to millions of dollars depending on the numbers of identities stolen (and disregarding the amounts lost from payables or product loss). If you have to publicly report the attacks, then the enterprise cost is much higher due to bad publicity, stock price hits, customer relations, etc.

THERE IS NO SILVER BULLET. There is no one product you can buy that will magically prevent these types of attacks from happening. Instead, you need three components to prevent or mitigate the risk from such attacks:
1. Security architecture using layers of identity based security
2. Operational infrastructure to quickly detect problems in the making
3. Good solid business processes to prevent such attacks from happening or, to quickly realize an attack has happened and shut it down quickly.

Security Architecture:

As I have documented in a couple of white papers (read here and here), enterprises need to have multiple layers of security. This ranges from training users to not click on email links, through to a robust perimeter, to the use of stronger authentication as the user drills towards higher risk areas, to deployment of transaction authentication protecting the enterprise crown jewels.

Get your head around protecting what's behind the firewall with all sorts of layers. Start imagining organized crime behind your firewall. Think of targeted spending to reduce the risk by deploying layers of stronger authentication.

Operational infrastructure to detect problems in the making:
This is hard to deploy in larger enterprises. You need to cross over internal enterprise silos and create teams of people and systems to detect attacks in the making. This must involve network security, IT security, payables, customer marketing, finance and shipping. You need to have cross-team meetings, reporting systems and detection systems at all levels of the enterprise working together. If you don't, then it's quite likely you will be prone to a successful attack.

Business processes:
You need to tighten up business processes. Think like a criminal. Identify areas where your business processes are weak and could be low hanging fruit for organized crime. Tighten them up. If you do so, you will likely either prevent these types of attacks from happening in the first place or, determine it is happening early on and contain the damage by quickly closing the hole.


The high level of FUD out there is currently justified. It is not just more scare talk by security sales people to generate sales.

Don't believe that one product is going to solve your enterprise risk problems. The challenges involved require layers of security coupled with good business processes. This will be hard to sell in the enterprise since it means that you've got to cross silos to create a successful solution that will minimize your risk.

Your CFO, CEO, COO, CIO, CSO and VP Marketing all need to be on the same page re understanding that the security game is quickly changing with organized crime entering the digital fray. Tell them that the attack patterns are changing, your existing defenses likely are breachable, the potential costs are in the millions of dollars and that it's better to spend a penny now than a pound later.

I realize that this is a tough sell to senior management. However, the main message from this blog is:



November 22, 2006


The data is in for anti-malware vendors testing against a honey pot as of November 21, 2006 at malware-test.com. What it shows is a MAJOR FAILURE IN THE ABILITY OF ALL MAJOR ANTI-MALWARE VENDORS TO PROTECT YOUR ENTERPRISE.

The best cleanup success rate was 49.64%. In other words, the best software would have missed 50% of the attacks!!!!


The scene is grim as we approach the end of 2006. Organized crime has much better tools to attack an enterprise than do the "good guys". By using their botnets and their malware, criminals are staying ahead of the best efforts of anti-malware vendors.

This is not just a little problem. It's a serious BIG problem in that too many enterprises are almost totally reliant upon their firewall, anti-virus and their intrusion detection and prevention systems WITH LITTLE SECURITY BEHIND IT.

CAVEAT EMPTOR! Make sure that you have multiple layers of strong authentication behind your firewall. If you don't, you might as well hang a sign on the enterprise front door saying "COME ON IN, THE DOOR IS UNLOCKED AND OPEN".


November 23, 2006

Spyware - A Significant threat

Spyware used to be software that was secretly installed on your computer to track your click habits and send this information to advertisers. Then it morphed into malicious software (malware) able to deploy rootkit and other forms of attacks able to export uids and passwords. This blog will explore the extent of the spyware problem to enterprises.

Why should you worry about spyware? How big a threat is it? What kind of defenses can you use?

Out in the non-enterprise world, it was recently estimated that 89% of computers are infected with spyware. The study referenced here estimates that 31% of computers are infected with Trojan viruses. Bottom line, outside the enterprise firewall there is a huge problem with spyware. So what about within the enterprise?

This eWeek article written November 13, 2006, "Spyware threat marches on", quotes a recent report by the Ponemon Institute. Here is the grim news from their interviews with 500 North American IT professionals:

* 47% of respondents indicated that their companies were incapable of removing spyware from their networks once detected
* 40% believed their enterprises were able to ward off spyware attacks with frequent success
* 83% had full-time anti-spyware initiatives in place
* "Of the technologies being used to fight spyware, 48 percent of respondents said they are only using software that seeks out the attacks at the desktop level, while another 18 percent are using only network-based defenses. Only 21 percent of the companies involved in the research said they are using both types of applications, with 13 percent using no spyware-specific protections at all."
* 98% indicated their firewall is the primary line of defense

My summary of the above is that while 83% have anti-spyware in place, I think they are all living in a state of denial. Why?

Take a look at the latest test from malware-test.com. IT INDICATES THAT ANTI-SPYWARE SOLUTIONS FROM VENDORS DO NOT WORK. The best success rate against a suite of spyware taken from a honey pot is 49.64%. This means that even the top vendor is missing 50% of the attacks! Worse, this trend has been more or less the same since September.

Since many of the spyware attacks are rootkit attacks, let's look at the state of rootkit detection. This study released by Symantec this fall examined the ability of Symantec and its competitors to first of all detect and then secondly, to successfully remove the rootkits.

The test was against 20 rootkit attacks. Symantec could detect all 20, McAfee 17, Webroot and F-Secure 15, Sunbelt 12, Trend 10 and Microsoft 5. All the vendors except for one missed three or more rootkit attacks. Then there was the cleanup. Symantec could only clean up 16, Webroot and F-Secure 8, McAfee 7, Sunbelt 5, Microsoft and Trend 3. In other words, from one vendor comes the admission that they cannot even remove three of the attacks.

Here is some more anecdotal evidence that supports the above. In this blog, it reports Steve Ballmer, head of Microsoft, trying to fix a friend's computer. He couldn't do it so he took it into Microsoft. There a team of engineers found the computer was infected with more than 100 pieces of spyware. They were unable to successfully remove all of it.

What does this mean to your enterprise?

1. You are highly likely to be successfully breached by spyware.
2. There is an excellent chance you will not be able to know you've been breached.
3. The malware will then commence to trap user uids and passwords.
4. This information will be passed out through the firewall.
5. You are therefore at risk of some serious internal attacks.
6. Even when you find the spyware, there is a strong chance you will be unable to remove it.


What more evidence does an enterprise need that they are under continuous attack that their firewall defenses will not withstand?

Put in place a layered identity based, strong authentication defense. Read my papers here and here.


November 24, 2006

Partnering with criminals

When criminals have a bigger stick than do the authorities, who are powerless to defend you, then it's time to worry. Read this archived story "Attack of the Bots" from Wired Magazine of this year.

The story describes the demise of a company called Blue Security. Blue Security was a company with 500,000 customers. Its purpose was to defend companies against spam. Every time its customers received spam, a Blue Security bot would email the spammer. It was using "good" bots to defend itself against "bad" bots sending spam.

What happened in May of this year is that botnet criminals decided to take down Blue Security. To do so, they emailed Blue Security customers letting them know that if they continued to use Blue Security, they would receive 20-40 times more spam and be involved in Denial of Service attacks. Blue Security responded with press releases telling the world that it was an effective deterrent from spam.

The story then takes the reader through a step-by-step account of how Blue Security and other companies associated with it came under huge denial of service attacks. The attacks were so large that the companies in the end admitted defeat and WENT OUT OF BUSINESS.

The story quotes: "We used to call the Internet a sort of Wild West. Now it's more like Chicago in the 1920s with Al Capone."

What did authorities do? Nothing. The attacks come from computers controlled all over the world. Therefore, they currently cross international jurisdictions, for which there is nothing in place to effectively protect against a denial of service attack.

As I have documented in a previous blog, the underlying DNS problems with recursive servers, with approximately 50% of DNS servers being recursive, enable these attacks by bots. Further, the ability to spoof DNS ID headers also enables the bots to spoof the victim's address in a DNS request. Finally, the size of these types of attacks can bring down whole portions of the internet.


What should a company do to protect itself against this type of attack? From my own personal perspective, I think the only answer at the moment is to PARTNER WITH CRIMINALS and pay them off to protect your enterprise against these types of attacks by threatening other criminals with a bigger stick. If your business relies upon the internet for a significant amount of your business, there is no other choice at the moment. The police can't stop these attacks. They can only do a limited amount of prosecution.

It is time for international laws to be put in place with teeth to prosecute criminals doing Denial of Service attacks. This on its own won't prevent these types of attacks until recursive DNS servers are almost eliminated and DNSSEC (a technology with lots of problems but a better solution than having nothing) is implemented.

The chances of this happening are slim to non-existent in the next two years. It is time to let politicians and internet regulatory authorities know that this situation must change so that we don't have to partner with criminals to keep our internet doors open.


November 25, 2006

More on protecting against recursive denial of service attacks

After my blog of yesterday, "Partnering with criminals", in which I recommend that enterprises earning a significant portion of their revenue from the internet consider partnering with criminals to protect themselves from a denial of service attack, I received a number of phone calls and emails.

One phone call was from a friend who works with credit unions on the east coast of the US. He told me that he has recently personally witnessed a denial of service attack against a credit union. The attack came from Japan and effectively shut down the credit union for 24 hours. The criminal incentive for the attack was that the criminals emailed fake notices to the credit union's customers letting them know the site was down and then recommending that customers click on a link to confirm their login information. This was thus a combined denial of service and phishing attack. I was told that it was only after Homeland Security got involved that the site was able to recover from the attack, 24 hours later.

In an email I received, I was asked that instead of recommending that enterprises partner with criminals, I should be telling blog readers what steps to take to protect themselves.

I believe that most medium enterprises are at risk from a distributed denial of service (DDoS) attack because on their own they cannot do much to thwart a sophisticated recursive denial of service attack. The answers to stopping or mitigating this form of attack lie further upstream of the victim's servers.

To illustrate this, please refer to the ICANN Security and Stability Advisory Committee's "SSAC Advisory SAC008: DNS Distributed Denial of Service (DDoS) Attacks", March 2006. This is an excellent document that outlines how a reflective denial of service attack works, followed by specific recommendations on how to mitigate or prevent these attacks.

The document notes that attacks exceeding 7 gigabits per second have been documented. Since this report has been written, I have read that attacks exceeding 12 gigabits per second have been documented.

The report then proceeds to make a number of recommendations. They include:

"Respected security organizations and advisory groups worldwide [1, 18] encourage name server operators to adopt measures to disable open recursive DNS and to protect their infrastructures against DDoS attacks. SSAC joins these organizations and makes the following recommendations:

Recommendation (1): For the long term, SSAC recommends that the most effective means of mitigating the effects of this and numerous DoS attacks is to adopt source IP address verification.

Recommendation (2): SSAC specifically recommends that each ROOT and TLD name server operator should:
i. Document operational policies relating to countermeasures it will implement to protect its name server infrastructure against attacks that threaten its ability to offer service, give notice when such measures are implemented, and identify the actions affected parties must take to have the measures terminated.
ii. Respond faithfully and without undue delay to all questions and complaints about unanswered traffic, and
iii. Act with haste to restore service to any blocked IP address if the owner of that IP address can demonstrate that it has secured its infrastructure against the attack.

Recommendation (3): SSAC recommends that name server operators and Internet Service Providers consider the possible remedies described in Section 3 of this Advisory. In particular, SSAC urges name server operators and ISPs to disable open recursion on name servers from external sources and only accept DNS queries from trusted sources to assist in reducing amplification vectors for DNS DDoS attacks."

The report specifically makes a number of recommendations for ISPs and name server operators, including:
* Source address validation as per BCP 38 / RFC 2827
* Secure configuration of DNS servers
* Disabling open recursive DNS
* Blocking and filtering

The challenge is that most enterprises are not their own ISP. So, while there are some things enterprises can do, such as reducing their own recursive servers and keeping their internal DNS separate from their externally facing DNS server, these will not stop a DDoS attack.

Enterprises that are concerned with this type of attack must work very closely with their ISP and with the DNS and network providers upstream of the ISP. Enterprises such as Microsoft, the US Federal Government and large commercial banks have done this to mitigate the risk of a DDoS attack.

My point is that most enterprises do not have the upstream infrastructure under their control and are therefore at very high risk of a DDoS attack. Further, the size of the attacks is capable of bringing down much of the upstream infrastructure with it. For a business that relies upon the internet for a significant portion of its revenues, this means that if the enterprise cannot influence its ISP and the other providers upstream of its ISP, there are few alternatives other than partnering with criminals to wave a bigger stick over the attackers' heads than the few weak limbs the enterprise currently has in its hands.
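One of the few things an enterprise can do on its own is watch its own resolvers for the open-recursion abuse SAC008 describes. The script below is an added example, not part of the original post or the SSAC advisory: it parses constructed log lines loosely modelled on BIND-style query logs and flags outside addresses that send bursts of recursion-desired queries, the signature of the resolver being used as a reflector against that (spoofed) address. The trusted networks, log format and threshold are assumptions.

```python
"""Flag abuse of open recursion in DNS query logs (added example).

Log lines are constructed, loosely modelled on BIND-style query-log lines:
  client <ip>#<port>: query: <name> IN <type> <flags> (<server-ip>)
A '+' in the flags field means the client asked for recursion.
"""
import ipaddress
import re
from collections import Counter

# Networks this resolver is meant to recurse for (assumed values).
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                ipaddress.ip_network("192.168.1.0/24")]

LINE_RE = re.compile(
    r"client (?P<ip>[0-9a-fA-F.:]+)#\d+: query: (?P<name>\S+) IN "
    r"(?P<qtype>\S+) (?P<flags>\S+)")

# Constructed sample log: two internal lookups, a burst of recursive ANY
# queries claiming to come from one outside address (the reflection
# victim), and one non-recursive query from outside.
SAMPLE_LOG = """\
client 10.1.2.3#41000: query: intranet.example IN A + (10.0.0.53)
client 192.168.1.20#53211: query: mail.example IN MX + (10.0.0.53)
client 198.51.100.7#5353: query: example.net IN ANY + (10.0.0.53)
client 198.51.100.7#5353: query: example.net IN ANY + (10.0.0.53)
client 198.51.100.7#5353: query: example.net IN ANY + (10.0.0.53)
client 198.51.100.7#5353: query: example.net IN ANY + (10.0.0.53)
client 203.0.113.9#2020: query: www.example IN A - (10.0.0.53)
"""

def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["recursive"] = rec["flags"].startswith("+")
    return rec

def is_trusted(ip):
    """True if the client address lies inside a network we recurse for."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)

def find_open_recursion_abuse(log_text, threshold=3):
    """Return {client_ip: count} for untrusted sources whose number of
    recursion-desired queries reaches the threshold. A resolver that
    answers these is amplifying traffic toward the address in the log."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["recursive"] and not is_trusted(rec["ip"]):
            counts[rec["ip"]] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}

if __name__ == "__main__":
    for ip, n in find_open_recursion_abuse(SAMPLE_LOG).items():
        print(f"{ip}: {n} recursive queries from outside the trusted networks")
```

A hit means the resolver is answering recursive queries for the outside world; the fix is the advisory's own, restricting recursion to trusted sources, not blocking the reported address, which is most likely the victim.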


November 28, 2006

Why multi-factor authentication ISN'T the silver bullet for phishing

Two days ago, SecuriTeam, a well respected security group out of Israel, published a blog that shows a step-by-step analysis of how to thwart multi-factor authentication. They referenced this link out of Spain. If you click on the link, it will show you exactly how the keyboardless entry of the bank PIN is captured.

Now think for a moment about your enterprise internal security. As people like myself recommend, your enterprise should be using stronger and stronger authentication for higher risk networks, applications and information. But what happens when a targeted phishing attack occurs on your enterprise ("spear phishing")? The authentication mechanism can likely be captured.

This is why I also strongly recommend that for your enterprise crown jewels you also deploy transaction authentication. Even if the user successfully authenticates, the IP address, computer hardware used, time of day, user profile information, etc. are all used to validate the authenticity of the user. This is the final line of defense.

There is no silver bullet in security. No magic technology is going to make you safe. Implement layers of security to mitigate your enterprise risk.


Cheap and dirty anti-malware idea

I attended a local security conference in Vancouver this morning. I sat in on a presentation from Rob Slade, a well known anti-virus expert. He gave a presentation on cheap and dirty malware detection.

Essentially, his presentation was based on the observation that a few known viruses and malware make up the majority of the attacks on enterprises. His idea was to put a device at the gateway to the enterprise to filter out the known malware, thus leaving more time for the AV, IDS and IPS systems to process the more unique malware. This eliminates a lot of processing time spent on known, existing malware.

He indicated that one Vancouver company is trying this idea out. He didn't yet have the data to support his hypothesis but it sounded like a great idea.

I have blogged this for readers to contact Rob if they are interested in pursuing this idea with him.


EU urges members to take action against spam... but will it work?

There were several news stories the last few days about the European Union (EU) releasing a study demanding that its members do more to protect the user against spam. Readers can find the report "On fighting spam, spyware and malicious software" here.

The report outlines the initiatives it wants the member states to take. However, the proof is in the electronic pudding. While the report cites the Netherlands, where a Euro 570,000 equipment investment reduced spam by 85%, I am much more skeptical.

First we had Bill Gates and others two years ago telling us spam would be dead by 2006. In fact, the opposite occurred. Today over 90% of internet email is spam.

Further, the economic model for organized crime is very good using spam. According to Spamhaus, an organization devoted to fighting spam, approximately 80% of spam is created by 200 criminal gangs.

I personally feel it is going to take at least a year or two before governments get their legislative acts together and countries join together to track down and eliminate botnet operators (i.e. the criminal gangs).

While the Netherlands makes for a nice story, will it remain that way over the next year or two? How will they prevent targeted spam from penetrating enterprise networks?

The EU is taking the right steps in beginning to request that member states do something. However, it's going to take a lot more than that to stop spam. Meanwhile, enterprises face rising risks of malware attacks from the botnets, which not only spread spam but also worms and other malware that can significantly harm an enterprise.


Scotland Yard victim of identity theft

Richard Stiennon, a well known former Gartner analyst, sent out an email the other day with interesting stories about laptop threats. One of the stories was about Scotland Yard.

The story in ThisisLondon.co.uk titled "Laptop thief lands the bank details of 15,000 policemen" describes how personal identity information on 15,000 Scotland Yard officers was obtained in the theft of three laptops. The identity information includes their national insurance numbers.

What was more interesting than the titillating aspect of Scotland Yard's finest having their identities stolen was the fact that the information was contained on three laptops AND that those laptops were owned by the company LogicaCMG. This is a company that, together with Paymaster, has been awarded a seven year contract to administer the payroll and pensions for the Metropolitan Police's (Met) 46,000 staff.

My point in this blog is that security is only as good as the weakest link. While enterprises may take extraordinary efforts internally to secure themselves, this will be undone if they have other parties who have weaker security systems.

In this case, the onus is on the Met to specify security standards for the sensitive data. Then it should have ensured that the data was encrypted. Further, they should also have specified that the database could not be kept on a laptop. Assuming that they did this, they should be doing regular audits to ensure the contract and security conditions are being met.

READERS TAKE NOTE. You need to do a risk assessment on all enterprise information and data. Then follow the data into the hands of whoever administers or accesses it. If you find that sensitive data is being administered or accessed by outside parties, then put in place contractual requirements, accompanied by strong security, with regular audits, to ensure the information is being kept secure. Otherwise, you too may be like Scotland Yard, with egg on your face and your identity information potentially in the hands of criminals.


November 29, 2006

Why strong authentication alone isn't enough

Two days ago, Bruce Schneier, the industry security guru, wrote a blog titled "Fighting Fraudulent Transactions". In the blog he again repeats that the banks' use of stronger authentication won't stop attacks. He points out the increase in "man in the middle" attacks and "Trojan" attacks and then points to a great story in CSO, "Success Factors", that outlines the use of transaction authentication as part of a strong authentication program.

The point of my blog is to point out that in your enterprise you should be thinking the same even though you're not a financial institution. Why?

Let's say that due to all the press about passwords being insecure and dead, you have invested heavily in SecurID tokens, smartcards and biometrics. Now you're feeling really secure....right? Wrong.

Let's say that organized crime targets your enterprise. They are quickly able to insert a trojan malware program behind your firewall (this isn't hard to do...read my blogs on spear phishing and others on the state of anti-malware protection).

The trojan is smart, just like the ones used to phish the banks. It waits until you've logged on using your biometric, smartcard and/or SecurID token. Then the trojan software takes over your access to your most sensitive applications, databases or whatever. The criminals can then extract information, change settings or whatever to make money from you or sell the information to others.

How hard is this for the criminals to do? They have to do some research on your enterprise. The rest is simply adjusting existing Trojan code to suit your enterprise's strong authentication and then implementing the Trojan malware inside your enterprise.

Bottom line: Don't rely on one technology or vendor to protect your enterprise. The firewall, AV, IPS and IDS solutions are only the first layer. The reduced or single sign-on systems requiring stronger authentication as the risk rises are only another layer. Use transaction authentication as yet another layer protecting the enterprise crown jewels.

If you don't, you may end up like the bank customer who watches their account being emptied after using two factor authentication.
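The transaction authentication layer recommended here and in the November 28 post can be sketched in code. The following is an added example, not from the original posts or from any vendor: each sensitive transaction on an already authenticated session is scored against the user's known IP addresses, hardware fingerprint, working hours and usual amounts, and a score above a threshold forces an out-of-band confirmation or a block. The profile fields, signal weights and thresholds are assumptions for illustration.

```python
"""Transaction authentication after a strong login (added example).

A session that passed strong authentication still gets each sensitive
transaction scored against the user's known context. Weights and
thresholds are assumed values; tune them from your own risk assessment.
"""
from dataclasses import dataclass, field

@dataclass
class UserProfile:
    user: str
    known_ips: set = field(default_factory=set)
    known_devices: set = field(default_factory=set)   # hardware fingerprints
    usual_hours: range = range(8, 19)                  # local working hours
    usual_limit: float = 10_000.0                      # typical max amount

@dataclass
class Transaction:
    ip: str
    device: str
    hour: int
    amount: float

# Assumed weights: a new device is a stronger signal than an odd hour.
WEIGHTS = {"new_ip": 2, "new_device": 3, "off_hours": 1, "over_limit": 3}

def risk_signals(profile, tx):
    """Return the names of the signals that fired for this transaction."""
    fired = []
    if tx.ip not in profile.known_ips:
        fired.append("new_ip")
    if tx.device not in profile.known_devices:
        fired.append("new_device")
    if tx.hour not in profile.usual_hours:
        fired.append("off_hours")
    if tx.amount > profile.usual_limit:
        fired.append("over_limit")
    return fired

def decide(profile, tx, step_up_at=3, block_at=6):
    """Map the weighted score to ("allow" | "step_up" | "block", score).
    step_up means re-confirm out of band before the transaction executes,
    which a trojan riding the authenticated session cannot answer."""
    score = sum(WEIGHTS[s] for s in risk_signals(profile, tx))
    if score >= block_at:
        return "block", score
    if score >= step_up_at:
        return "step_up", score
    return "allow", score

# Constructed profile and transactions.
ALICE = UserProfile("alice", known_ips={"10.1.2.3"}, known_devices={"dev-7f3a"})
NORMAL = Transaction("10.1.2.3", "dev-7f3a", 10, 500.0)
# Trojan case: same IP and same device (the victim's own session is ridden),
# so only the hour and the amount give it away.
HIJACKED = Transaction("10.1.2.3", "dev-7f3a", 3, 25_000.0)
# Stolen credentials replayed from elsewhere: everything is unfamiliar.
REMOTE_DRAIN = Transaction("203.0.113.5", "dev-unknown", 10, 25_000.0)
```

The hijacked case is the one the post warns about: IP and device checks alone pass it, and only the profile of the user's normal behaviour triggers the step-up.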


November 30, 2006

97 million US identities stolen since 2005!

How bad is identity theft? If you go to PrivacyRights.org you'll see a running tally of total US identities stolen since 2005. The number is a staggering 97 million.

Many of the identity thefts involved stolen laptops. However, there are some zingers like a hospital database being hacked releasing more than 200,000 identities, credit card and billing information to criminals.

Part of the answer lies in setting and enforcing security policies requiring all identity information to be encrypted, especially on laptops (refer to an earlier blog this week on the loss of identities by Scotland Yard).


SMiShing - a new sophisticated form of SMS attack

Last August, McAfee researcher David Rayhawk published a blog in which he identified a new form of attack using SMS messages. It is definitely worth reading, since this form of attack is predicted to rise in 2007 as cell phones become increasingly used.

The criminal sends your cell phone an SMS message. In this example, it was letting the customer know that they had been subscribed to a dating service at $2/day unless the customer cancelled the order by going to a website. The cell phone customer then panics, goes to their computer, logs on and goes to the website in the SMS message. There, they are prompted to download a program which contains a trojan horse virus, which turns their computer into a zombie and thus part of a botnet.

Today, many enterprises use SMS internally. Now imagine a spear SMiShing attack that is targeted at your enterprise. The SMS message will be pertinent to your business and appear to come from a colleague. It will then direct you to a webpage where malicious code will be downloaded behind your firewall.

This is yet another reason to have multiple layers of security, using layered identity strong authentication behind your firewall to contain the damage when a successful breach is made.

In a future blog I will cover possible vulnerabilities with Blackberry devices.


Hacking Blackberry devices and gaining access to your enterprise

Last August, a presentation "Blackjacking - Owning the Enterprise via Blackberry" was made at Defcon in Las Vegas concerning a researched ability, not yet detected in the wild, to successfully hack a Blackberry. What made the hack so special was that it gave the attacker a way to bypass enterprise IDS (intrusion detection systems), since the attack occurred over the encrypted RIM network. A typical enterprise installation of Blackberry makes the Blackberry device essentially a network node. Therefore, the hack, by depositing a trojan horse, gained access to the entire enterprise.

Blackberry immediately responded with some papers describing how to avoid these types of malware attacks.

There are two main areas of prevention. One is to put the Blackberry on its own network segment and keep it separate from the other enterprise network segments. The other is to require administrator approval for installing programs on the Blackberry. The ability of the user to install programs on the Blackberry was used in the Defcon presentation to install a trojan horse by installing a tic-tac-toe game.

If you or your enterprise uses Blackberry devices, download the papers and then implement their recommendations. If you don't make these changes, then your enterprise is open to malware attacks from the Blackberry. Finally, make sure that your enterprise has layers of identity strong authentication security to mitigate the risk of these kinds of attacks should they get through your perimeter defenses.