About November 2006

This page contains all entries posted to AuthenticationWorld Blog in November 2006. They are listed from oldest to newest.


November 2006 Archives

November 1, 2006

Excellent malware management resource

This blog will cover an excellent resource aimed at explaining to senior managers what all the fuss is about with online crime. "The Crimeware Landscape: Malware, Phishing, Identity Theft and Beyond" is produced by the US Department of Homeland Security, SRI International Identity Theft Council and the Anti-Phishing Workgroup.

It provides an excellent executive flyover of all the major attack vectors. If you are trying to convince your management that a problem exists to which your enterprise is at medium to high risk, then use this resource as an aid.

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com

November 2, 2006

Spear phishing - The attack sophistication grows

So you're thinking "all these phishing and malware attacks won't affect me because I'm not a bank and we have nothing that anybody wants"...WRONG! Take a look at this story published today in Computerworld "Spam that delivers a pink slip".

The story documents the use of "spear phishing". Instead of bombarding the enterprise with foolish emails from unknown persons trying to get an employee to click on a link, spear phishing uses real enterprise addresses with email links and/or document attachments that download malware. In this story, a medical center in Georgia was hit by emails, coming from legitimate addresses, telling employees there would be layoffs and directing them to a supposed site that offered career counseling information.

What are the chances of your employees clicking on such a link or opening a Word document with the fake announcement? Now imagine that the malware is more sophisticated, using an attack like Blue Pill....do you see any risk to your enterprise? I'd say there's HIGH RISK.

Was this a bank that was targeted? No, it was an enterprise with 3,500 employees. "Well", you think, "we only have a few hundred employees...we're safe". What security experts have been saying for the last two years is that these types of attacks are becoming more common and they're targeting enterprises of all sizes. So what's the answer?

THERE IS NO SILVER BULLET! Your enterprise needs a layered defense. It starts by educating employees and workers to not click on email links. Then it moves to a series of layers of defenses outlined in my paper "Modern Network Security Strategy 2006". This includes strong authentication and transaction authentication as users progress towards higher risk applications, networks and information.

There is no one product that is going to provide your enterprise with security. You must wake up to the fact that you're in an arms race where the attacker currently has the upper hand.

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com

November 3, 2006

Required reading

I was going back through my archived reading material the other day and I came across some articles I thought were excellent several months ago..in fact I still do. It's what I think is required reading if you're an enterprise manager trying to make sense of your security and identity architecture.

Noam Eppel, a security analyst, wrote a long article this past spring titled "Security Absurdity: The Complete, Unquestionable and Total Failure of Information Security". He methodically notes each area where security is failing against modern attacks. I agree with his observations.

Then there is the voice of wisdom from one of the original inventors of the proxy firewall, and founder of a number of security firewall and IDS companies, Marcus Ranum. Marcus is a man who doesn't mince words. He too, like Noam, is pretty depressed about the current state of IT security. I strongly recommend two of his articles:

Computer Security: An utter failure (scroll down the page and look for his "new stuff", then select the link under "Utter Failure").

What is "deep inspection"?, written in 2005, is an excellent history of firewall, AV, IDS and IPS development.

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com

How good is your firewall anti-malware....(hint: it's not looking very good)

How well do you think your anti-malware is doing against incoming threats? Are you thinking 90-95%...Wrong! HOW ABOUT 20-35%?!!!!!!!

Malware test labs released their 11th round of testing (September 26, 2006). It's pretty scary reading. The top vendors are missing around 80% of the attacks!

DOES THIS MAKE ANYONE NERVOUS? DON'T YOU THINK IT'S TIME FOR A LAYERED DEFENSE STRATEGY?

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com

November 4, 2006

Watching what goes out the network door

Here's the scenario. Either your network has been successfully breached by some spyware (which the leading vendors miss 60-80% of the time) resulting in sensitive enterprise information being sent out of the network or, you have an employee inside who is sending sensitive information out to others which they shouldn't. HOW DO YOU KNOW?

One of my nine recommended layers is to have perimeter security. One of the subsets of this layer is the use of something called network content filtering/control, network leak prevention, extrusion prevention or risk protection. What does this do?

It filters all traffic leaving a network and looks for information that the enterprise doesn't want leaving the enterprise. Sounds good?

Well, it can be good as long as you have done an enterprise risk analysis first to define what kind of information is high or medium risk. Then you can create policy rules and algorithms in these tools to monitor for it. Without this, you simply cannot monitor everything coming out of the network, make sense of it and identify the pieces that are at risk.

Yesterday in Sci-Tech Today there's an article "How well do you know your network" that speaks to this. The story notes that a large number of companies don't even have this technology on their radar screen.
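As an added illustration of the "risk analysis first, then rules" point above (this is example code written for this archive, not a product or anything from the article), here is a small egress content filter. The three risk classes (payment card numbers, US SSN layout, classification labels), their risk levels, the allow/alert/block policy and the sample outbound messages are all constructed assumptions standing in for what an enterprise risk analysis would actually produce. The card rule validates candidate digit runs with a Luhn check so that an ordinary order number is not blocked as a card number.

```python
import re
from dataclasses import dataclass
from typing import Callable, List, Optional

# Risk classes come from the enterprise risk analysis done beforehand.
# These three rules, the policy table and the sample messages are constructed
# for this example; a real deployment derives its rules from its own risk register.

def luhn_ok(digits: str) -> bool:
    """Luhn check, used to reject digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

@dataclass(frozen=True)
class Rule:
    name: str
    risk: str                                          # "high" or "medium"
    pattern: re.Pattern
    validate: Optional[Callable[[str], bool]] = None   # extra check on each match

RULES = [
    # 13-16 digits, optionally separated by spaces or dashes, that also pass Luhn
    Rule("payment-card", "high", re.compile(r"\b(?:\d[ -]?){13,16}\b"),
         lambda s: luhn_ok(re.sub(r"[ -]", "", s))),
    # US SSN layout (format check only; the value itself is not verified)
    Rule("us-ssn", "high", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    # Classification labels the enterprise stamps on internal material
    Rule("classification-label", "medium",
         re.compile(r"\b(?:CONFIDENTIAL|INTERNAL ONLY)\b", re.IGNORECASE)),
]

RISK_ORDER = {"none": 0, "medium": 1, "high": 2}
ACTION_FOR_RISK = {"none": "allow", "medium": "alert", "high": "block"}

def scan_message(text: str) -> dict:
    """Classify one outbound message and return the egress action for it."""
    findings = []
    for rule in RULES:
        for match in rule.pattern.finditer(text):
            if rule.validate is not None and not rule.validate(match.group(0)):
                continue            # looked like the pattern but failed validation
            findings.append(rule.name)
    # The message inherits the highest risk class among its findings.
    risk = "none"
    for rule in RULES:
        if rule.name in findings and RISK_ORDER[rule.risk] > RISK_ORDER[risk]:
            risk = rule.risk
    return {"risk": risk, "action": ACTION_FOR_RISK[risk], "findings": findings}

def filter_outbound(messages: List[str]) -> dict:
    """Scan a batch of outbound messages and count the actions taken."""
    counts = {"allow": 0, "alert": 0, "block": 0}
    for msg in messages:
        counts[scan_message(msg)["action"]] += 1
    return counts

# Constructed sample of outbound mail bodies (not real traffic).
SAMPLE_OUTBOUND = [
    "Hi, the card on file is 4111 1111 1111 1111, please update billing.",  # Luhn-valid test number
    "Order number 1234567890123 shipped this morning.",                       # digits, but fails Luhn
    "Attached is the CONFIDENTIAL draft of the Q4 plan for your review.",
    "Lunch at noon?",
]

if __name__ == "__main__":
    for msg in SAMPLE_OUTBOUND:
        print(scan_message(msg)["action"], "<-", msg)
    print(filter_outbound(SAMPLE_OUTBOUND))
```

The point of the structure is the order of work the post describes: the rules only exist because a risk class was defined first, and the action taken is a function of that class rather than of the pattern that fired.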

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com

Gromozon and the future of malware trojans

If you'd like to get a closer look at the future of malware trojans then read this blog from Symantec Security Response Weblog, October 19, 2006 "Gromozon Evolution: From Spaghetti to Lasagna". The blog shows how quickly trojans are evolving including:

* Anti-reverse engineering - uses scrambled code
* Anti-debugging - checks for presence of debugger files
* Anti-monitoring - checks for monitoring packages
* Anti-anti-rootkit - removes or blocks rootkit prevention programs
* Anti-removal - hides itself in data streams and prevents manual deletion

The code is written by professional criminals who are getting better and better at outwitting current defense strategies. As malware researchers doggedly begin to catch up, the criminals hurl all sorts of new attack-resistant strategies at the enterprise. Some recent reports note code variations in the attack software every 30 minutes!

This type of attack will increase over the coming year resulting in all sorts of enterprise security breaches.

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com

November 5, 2006

Finding and removing rootkit attacks - How secure do you feel?

How secure is your enterprise against rootkit attacks? Are you relying solely upon your firewall anti-spyware vendor for your defense? If so, maybe you shouldn't...

In eWeek on Friday, they ran an interesting story "Study: Symantec Best at Removing Rootkits; Microsoft Worst". The story outlines a study (paid for by Symantec) by Thompson Cyber Security Labs, which tested the leading spyware vendors for their ability to detect and remove rootkits.

Symantec came out on top. What was most interesting, however, were the results displayed on page 13 of the report. The test was against 20 rootkit attacks. Symantec could detect all 20, McAfee 17, Webroot and FSecure 15, Sunbelt 12, Trend 10 and Microsoft 5. All the vendors except for 1 missed 3 or more rootkit attacks.

Then there was the cleanup. Symantec could only clean up 16, Webroot and FSecure 8, McAfee 7, Sunbelt 5, Microsoft and Trend 3.

Bottom line: The vendors are struggling to first of all detect and then definitely remove a rootkit attack. You should not be resting on your laurels of telling your CEO that the enterprise is well defended against these types of attacks because you have an anti-spyware detection system installed. Some of the attacks are going to get through and not be detected. Worse, when they are detected, the odds are great that it won't be effectively removed.

You need a layered enterprise security defense. As I have outlined in my paper "Network Access Control Security 2006", you need to prepare to reimage your entire network if you're infected with a rootkit. This can be a very large undertaking.

Further, you also need to have layers of stronger authentication. This will help mitigate the risk of a successful rootkit attack where the software deploys keyboard and screen loggers.

Then, you must assume that this type of defense too will be breached. Use transaction authentication to protect your most valuable or high risk information, network and applications.

DON'T JUST SIT BACK AND WISH THIS ALL AWAY OR THAT IT WON'T HAPPEN TO YOU. It's better to be proactive now rather than explaining to the media and your Board later why your enterprise was successfully attacked and suffered financial loss.

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com

November 6, 2006

FFIEC authentication questions and answers

In August, the FFIEC (US Federal Financial Institutions Examination Council) released a FAQ on their upcoming end of 2006 deadline for financial institutions, "Authentication in an Internet Banking Environment". I am referencing it here for readers who want to keep up with the regulations that US financial institutions must comply with.

Some things to note in the US:
1. Telephone banking is included in the regulations.
2. Multi-factor authentication is not required. The FAQ says that "The use of multifactor authentication is one of several methods that can be used to mitigate risk as discussed in the guidance. However, the guidance identifies circumstances under which the Agencies would view the use of single-factor authentication as the only control mechanism as inadequate and conclude that additional risk mitigation is warranted."

This regulation is a general wakeup call to US financial institutions. However, the regs are very vague and it will likely not seriously slow down identity theft in the US. Many banks have already deployed transaction authentication as a means of reducing their risk.

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com

Future of keyboard hacking - jitterbugs

So what does the future hold for keyboard hacking? It's likely to be "JitterBugs".

In a paper released this past summer by University of Pennsylvania grad students titled "Keyboards and Covert Channels", they document the use of a new attack tactic called a JitterBug.

"This paper introduces JitterBugs, a class of inline interception mechanisms that covertly transmit data by perturbing the timing of input events likely to affect externally observable network traffic. JitterBugs positioned at input devices deep within the trusted environment (e.g., hidden in cables or connectors) can leak sensitive data without compromising the host or its software. In particular, we show a practical Keyboard JitterBug that solves the data exfiltration problem for keystroke loggers by leaking captured passwords through small variations in the precise times at which keyboard events are delivered to the host. Whenever an interactive communication application (such as SSH, Telnet, instant messaging, etc) is running, a receiver monitoring the host’s network traffic can recover the leaked data, even when the session or link is encrypted. Our experiments suggest that simple Keyboard JitterBugs can be a practical technique for capturing and exfiltrating typed secrets under conventional OSes and interactive network applications, even when the receiver is many hops away on the Internet."

The paper is an interesting read. By inserting code and/or hardware devices that cause a slight delay between the keyboard getting touched and the computer responding to it and, by coupling this with a small packet of information buried in other packets, the attack could prove to be formidable for attacks on uids and passwords.

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com

Reference report on malware

In going through my archived material, I came across a report from Kaspersky Labs that I think readers need to reference. Published every six months, the "Kaspersky Security Bulletin" released in late September documents the malware evolution from January to June 2006.

The document highlights:
* the growing number of Trojans
* the decline in the number of viruses (the report says this is due to the cost of developing a new trojan versus the cost of developing a new worm)
* a slight drop in the overall number of malware programs from the previous six months
* a steady rise in the number of criminal extortions
* a rise in the number of targeted attacks

This data agrees with other expert opinion mentioned throughout this blog.

Enterprises need multiple levels of defense, including different levels of authentication, in order to adequately defend the enterprise against very costly attacks.

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com

Month of kernel bugs

Readers might like to follow on a daily basis the "Month of kernel bugs" by HD Moore. Moore is announcing a different kernel bug every day for the month of November.

Personally, I feel he should be reporting these to the vendors, but nonetheless, the bugs are very interesting. Today's bug was reported to Microsoft in 2004 and hasn't been repaired yet.

Previously announced kernel bugs address Macs, Linux and Solaris.

Readers should also note that kernel attacks are extremely serious since the kernel is at the heart of the operating system. While the number of kernel attacks as a proportion of the existing malware attacks is low, they are gaining momentum and will be used in more targeted attacks.

Note the blog a few days ago about the effectiveness of anti-spyware vendors at detecting rootkit kernel attacks and then removing them. The likelihood of a successful kernel attack against your enterprise is currently high.

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com

Biometrics and US Department of Defense

I personally feel that the use of biometrics for identification and authentication is way ahead of laws guaranteeing an individual's privacy. For example, the US Department of Defense was quoted in a story, "DOD Makes Red-Teaming a High Priority", November 3 in Military.com.

The story outlines the importance of biometrics to the US Military. The story says "“You can envision a time where you can collect an image at a distance, put it in a database and correlate it with other sets of information” to uniquely identify an individual, he said.

To Young, the increased use of biometrics is a reflection of 21st-century threats.

“As the war on terrorism is more about individuals than nation-states, there’s a desire to have unique technologies to be able to . . . identify an individual [and] follow [his] movements, if you need to,” he said.

A related priority is the development of technologies to tag, track and locate suspected terrorists, Young told ITP. “There [are] a lot of technology opportunities out there to look at very small devices or very unique aspects of individuals” that could help warfighters keep up with their movements, he added."

My concerns are the laws pertaining to this usage and the approval required to breach the laws.

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com

November 7, 2006

Undisclosed flaws and a layered enterprise defense

While zero day exploits have been making headlines the last couple of years, what is slowly reaching the media are "less than zero day" flaws. For example, the story yesterday in Computerworld "Undisclosed flaws Undermine IT Defenses".

The story points out that there are many unreported software and security holes to which enterprises are vulnerable. Quoting a CTO of a telecommunications company, "Therefore, the emphasis has to be on detecting and containing the fallout from any attacks to the greatest extent possible, he added. That requires multiple layers of defenses not just at the network perimeter but behind it as well, according to Sullivan, who recommended the use of security measures such as strong user and device authentication, strict role-based access controls, network segmentation and data encryption."

The article is light on the many layers required. While it does mention perimeter security and authentication access control, it doesn't mention checking out workers before hiring, training users to not click on email links, multi-factor authentication and transaction authentication.

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com

November 8, 2006

Oops...I accidentally sent out an infected email to 50,000 customers!

Here's an example of how even a legitimate company like Google can be an unwilling participant in malware. Today they announced that they had accidentally sent out an email containing a Worm virus.

Caveat emptor when receiving emails with links or attachments, even from a trusted source or colleague.

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com

November 9, 2006

Spam increasing dramatically

On November 6, Postini, a leading firm in integrated message management, reported that spam email had rocketed 59% from September to November and that spam now accounted for 91% of all email. Over the past 12 months, Postini stated that spam had increased by 120%!

What makes this bad situation worse is that the number of viruses is also steadily increasing in the spam email. About 1 in every 200 emails contains viruses, with 10 out of 12 emails being spam.

The future doesn't look bright. It seems that as organized crime takes hold of the internet, that the number and perhaps more importantly, the sophistication of attacks is growing rapidly. Experts continue to say that there is no let up in this trend for the next one to two years.

You need a layered set of defenses. Without this, your enterprise is vulnerable to breaches that will result in corporate harm.

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com


Phishing attack victims lose more

On November 9, Gartner Group released a study "Phishing attacks leapfrog despite attempts to stop them". In their news release, Gartner stated the following:

"The number of U.S. adults that are sure or think that they have received phishing e-mails has nearly doubled since 2004, according to a survey by Gartner, Inc. Financial losses stemming from phishing attacks have risen to more than $2.8 billion in 2006."

"The good news is that, this year, fewer people think they lost money to phishers, but when they did lose, they lost more," said Avivah Litan, vice president and distinguished analyst at Gartner. "The average loss per victim nearly quintupled between 2005 and 2006, and the thieves seem to be targeting higher-income earners who are also more likely to transact on the Internet."

"According to the Gartner survey of 5,000 online adults in August 2006, an estimated 24.4 million Americans have clicked on a phishing e-mail in 2006, up from approximately 11.9 million in 2005, while 3.5 million have given sensitive information to the phishers, up from 1.9 million adults last year."

""The anti-phishing measures some enterprises have put in place to protect their brand and their consumers are not working," Ms. Litan said. "Phishers are moving from site to site to launch their attacks more quickly than ever. The average life of phishing sites has gone from one week a couple years ago to about one hour in 2006. Within a year or so, phishing sites may be user specific — that is a single site will be set up to launch a phishing attack against a single user. It’s no wonder the detection services can’t keep up with these rapid criminal movements.""

Here then is the bottom line:
1. The number of spam emails is soaring to represent 91% of all email.
2. Phishing attacks are becoming more targeted.
3. There is no let up in sight where the "good guys" are going to be able to overcome the "bad guys" in the arms race.
4. In addition to having a strong perimeter defense layer, make sure you have a layered identity based defense system using stronger authentication coupled with transaction authentication. Without this your enterprise is increasingly vulnerable to successful attacks by organized crime over the next two years.

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com

November 10, 2006

The malware arms race continues

How sophisticated is malware getting to avoid detection? The answer is not encouraging.

Today in Computerworld "Mutate, fragment, hide: The new hacker mantra" is a story outlining the mutation techniques that are currently being deployed by organized crime. Examples given include Swizzor "a Trojan download program discovered earlier this year that repacked itself once a minute to get past signature-based tools that work only if they know precisely what to block. Swizzor also recompiled itself once every hour."

The article quotes Matthew Williamson, principal researcher at Sana Security Inc:

"The fragmented nature of such code makes it harder to write removal scripts and to know if all malicious code has actually been removed, Williamson said.

Complicating matters is the growing use of rootkits to conceal malicious code on infected systems, he said. Rootkits can be installed at the operating system level or as kernel-level modules and are used to hide malicious code and processes from malware detection tools, Williamson said.

A malicious program named Haxdoor -- a variant of which was used to steal information from 8,500 computers in 60 countries in October -- is one example. Haxdoor was used to steal passwords, keystroke information and screen shots from computers it had infected and send them to a remote server.

It was also used to disable system firewalls and concealed itself in a rootkit on the infected machines."

It is from the use of these techniques that I believe that many enterprises will be vulnerable to successful attacks. This will result in the capture of uids and passwords used for authentication. This will then be used by organized crime to access systems like payables and authorize electronic transactions to fake companies.

Get a layered identity defense security system in place using stronger authentication and transaction authentication to protect your enterprise's crown jewels.

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com


November 14, 2006

Who owns your biometric?

The use of biometrics continues to grow at an amazing rate. Yesterday, the BBC ran a story "Under the thumb?" in which it explained that to rent a car at Stansted airport now, you must give your fingerprint. The article then references the growth of biometrics for use in purchasing groceries (3 million in the US are registered).

What laws are in place to protect a digital piece of you? The answer is that there aren't any that speak to the storage security for biometrics, length of archival, your permission to give out this information, or legal recourse for when it's stolen.

While the use of biometrics is very tempting to replace passwords as the primary authentication identification mechanism in the future, at what price does it come? Ease of use does not equal lack of protection of the identity nor loss of the citizen's privacy.

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com

November 18, 2006

How do you spell T-R-O-U-B-L-E?

How do you spell trouble? No, it's not t-r-o-u-b-l-e. It is the increasingly sophisticated forms of cyber attacks by organized crime potentially on your enterprise. Here's how I spell it:

1. Rootkit attacks are now becoming very sophisticated. For example, the "Rustock" or "Mailbot.AZ" virus detected this past summer. It is the first in a new generation of trojan viruses that uses no system processes, which are usually monitored by your AV, IPS and IDS systems. Instead it runs its code inside a driver and kernel threads. Further, instead of being detected by the use of system processes, hidden files and hooks into APIs, the virus uses alternate data streams. To make matters worse, it also evades rootkit detector checks on kernel structure integrity. Finally, the sys driver the virus uses changes its code from sample to sample. Add all this up and it means that trying to create a signature file to prevent it from passing through the firewall becomes less and less likely. More information on this can be found here.

2. Then there's the rise in sophistication of botnets by organized crime. Today, many botnets hide in legitimate sites that have been hacked. The legitimate sites send out the commands to the bots. The legitimate sites in turn receive their commands from other bots. This puts a huge challenge in front of companies and police agencies trying to find out the source of the bots. For more information on this click here.

3. Then there are attacks like Blue Pill. By using virtual memory, it is thought to be currently undetectable. For more information on this attack click here. For a recent rebuttal with AMD read here.

4. Then there is the ability to launch a rootkit attack using a PCI device containing a flashable expansion ROM. This type of attack is very hard to detect. To read the paper describing this attack pattern, click here.

5. Then there are the numerous MS security flaws. To read about only the latest high risk flaws click here.

6. Just to remind the readers that MS isn't the only one having troubles read the Month of Kernel Bugs page here. For insight into the author of this read the interview with him here.

7. Just to remind readers about how effective current AV tools are at removing rootkit attacks, check page 13 of this report by Symantec. In their own report, they show the test was against 20 rootkit attacks. Symantec could detect all 20, McAfee 17, Webroot and FSecure 15, Sunbelt 12, Trend 10 and Microsoft 5. All the vendors except for 1 missed 3 or more rootkit attacks. Then there was the cleanup. Symantec could only clean up 16, Webroot and FSecure 8, McAfee 7, Sunbelt 5, Microsoft and Trend 3.

To add to this grim news, check out this test published September 26 of this year that showed the best cleanup success rate against a suite of malware taken from a honey pot was 35.71%.

8. Now consider that as cell phones become increasingly used to communicate with the enterprise digitally and download data from the enterprise systems, that these devices are seen by experts as becoming increasingly used in phishing attacks.

9. Then there is the increase in spear phishing attacks. These types of attacks are increasingly becoming more common as criminals use targeted emails, appearing as if they come from the enterprise to launch their attacks. Read my blog here on this. What happens when the attachment or the email link isn't so obvious as the pink slip spear phishing attack used in the reported story but is a realistic business document?

10. Then there is the usual high risk of an insider attack. The chances of this happening to you grow as organized crime takes control of the attack using one of your employees, contractors or even the janitors. Their role may be to simply log onto the enterprise system behind the firewall and infect it, or to provide uids and passwords for key positions, such as payables clerks and managers.

This isn't the sky is falling blog. HOWEVER, the sky is definitely gray and going to get darker for the next two to three years. Too many enterprises have weak perimeters or, even if they have strong perimeters, have weak layers of security behind the firewall.

My message is clear. Plan on having layers of identity based authentication, using stronger and stronger authentication as the user drills towards more sensitive high risk systems, applications or information. Put in place transaction authentication around the most sensitive high risk areas.

Without this, you are blowing around in the wind waiting for the storm to strike you. The worst part is, if you're unlucky, you may not know the storm has even struck. That's when you can really spell TROUBLE.

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com


November 20, 2006

Wireless attacks, strong authentication and good security policies

How easy is it to take over a laptop using a wireless device and also using WPA2? It's not that hard to do.

This month HD Moore is releasing a kernel bug every day. One of his releases covers a Broadcom wireless driver. This driver is used in PCs from Dell, HP, Gateway and other vendors, as well as being built into some devices by Linksys and Zonet.

The device driver flaw allows a malicious person to take control of your laptop without you knowing about it. Even more scary, the flaw works whether the laptop is connected to a wireless network or not. The flaw exists in the wireless card's background scanner looking for wireless networks.

A number of patches are now available. However, trying to get the patches out to all the millions of laptops around the world won't be easy and there will likely be many, many users who don't know of this threat.

This then brings to mind the threat to the enterprise from a wireless device.

When the first wireless protocol 802.1, which was the underpinning of WEP (Wired Equivalent Privacy), was released a few years ago, it was quickly proven to be seriously flawed and easily hackable. This led to the industry of drive-by hackings, where criminals would simply drive around, find networks that were using the protocols and easily crack them.

The WEP protocol weaknesses were somewhat quickly bridged with a Temporal Key Integrity Protocol (TKIP) and then replaced in 2003 with a WiFi Protected Access (WPA) (802.11) and then again upgraded in July 2004 with WiFi Protected Access 2 (WPA2).

Against this background, there has been widespread increase in the use of wireless devices to access enterprise networks, applications and sensitive enterprise information. This trend will likely continue as it affords enterprises the ability to quickly access information and work anywhere in the world at any time.

Couple all of this with the generally weak authentication used on wireless devices, i.e. uid and password. Criminal attackers are now beginning to focus on the wireless device as an easy entry into the enterprise by deploying malware on the wireless device.

So what is the answer to the use of wireless devices and the threats to the enterprise? THERE IS NO SILVER BULLET! Your enterprise needs a graded threat model to deal with the use of wireless devices.

To start with, any device using WEP should be used only for extremely low risk applications. DO NOT let your employees log on to your enterprise systems using this device and have access using the same authentication to sensitive information or applications. The ability to crack this is child's play. Read here for all the different attack mechanisms available.

All your wireless devices should be using WPA or WPA2. Read here for all sorts of information on current threats even when using these protocols.

Your enterprise security policy should have a policy enforcement point at the perimeter of your enterprise that first of all detects the software and hardware being used by a wireless device attempting to access the network. It is here that you should put all devices that don't meet the latest upgrades (such as the Broadcom driver) into a containment area until they are upgraded. Companies making this network access control appliance include Infoblox and Caymas.

Then you should only use low level authentication for low level risk networks, applications and information systems. DON'T ALLOW YOUR USERS TO ACCESS HIGH RISK NETWORKS, APPLICATIONS AND INFORMATION WITH ONLY A UID AND PASSWORD! There is a rapidly growing risk that these can be easily breached.

For higher risk situations require stronger authentication. While some of you may groan and say "but all this costs money to deploy things like digital certs, secureID tokens, biometrics etc." there is the associated risk. Read this for a discussion on costs of attacks.

So at this point, you've implemented a network perimeter access control device, upgraded WEP devices and eliminated the use of the protocol, adopted WPA and WPA2, taken precautions even when using these protocols, upgraded the Broadcom drivers and used stronger authentication for higher risk applications. "Now I'm secure" you think. WRONG!

Given the current state of malware attacks and the increased growth of organized crime, you should not trust all of the above to protect your enterprise crown jewels. If you're going to have a senior executive access the crown jewels using their wireless, then you should use transaction authentication.

Even after the executive has successfully logged on, the transaction authentication software looks at their hardware, IP address, geolocation, user profile, user history and time of day to determine if the person on the end of the device is who they are purporting to be. If it determines there are grounds to do so, it will stop the executive's attempts, flag enterprise management in real time, or ask the executive all sorts of personal questions to validate themselves further.

This is what a layered wireless access security policy needs to look like. You need to have:
* Risk management analysis done for the enterprise
* Network access control appliances in place
* Single sign on security software in place
* Graded authentication strengths determined
* Stronger authentication deployed against higher risks
* Transaction authentication software in place for highest risk situations

Without it, your enterprise is running a high risk of a security breach in the near or mid-future.

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com

A BIG MESS: Spam, Denial of Service Attacks, Botnets, Recursive DNS and DNSSEC

This blog will outline the current mess the digital planet is in re botnets, spam, denial of service attacks, recursive DNS and DNSSEC. I will untangle some of the threads to indicate why, in the next two years or so, there are growing threats to enterprises and that there is no silver bullet in sight. To begin, I'll start with DNS (Domain Name Service).

When the internet was first invented and then rolled out, the inventors built a naming service that would translate a web address like www.acme.com to its resulting internet address like 61.112.232.131. The domain name service (DNS) maps the name to the address. The system has been successful since it scales well. Your computer looks for the nearest DNS cache, which in turn looks for the DNS name server. Since there are many name servers, there are always ways of quickly resolving addresses.

What the inventors didn't consider was the fact that the DNS ID header could be easily spoofed. For a while, this wasn't a problem. Then along came the 1990's and the first signs of trouble appeared on the horizon with IP spoofing attacks. This was quickly adopted by email spammers.

Then as the late 1990's turned into the new millennium, there began to be the idea of taking malicious software (malware) and using this in emails to take control of people's computers. Thus began the age of botnets. Today it is estimated that up to 10% of all computers on the internet are infected. Some reports, from 2004, estimate that up to 90% of all computers have spyware running on them. For a more detailed discussion read this.

Fast forward to the last year, when organized crime has taken hold of using the internet to make money. Organized crime gangs have millions of bots under their control. They have recently begun to hide control of the bots from easy detection. They use decentralized command and control. Further, they have also begun to change the code running the bots every 30 minutes.

The bots then provide organized crime with all sorts of attack vectors into enterprises, THAT CAN BE SPRUNG VERY QUICKLY. Let's look at how they're using the bots.

One growing trend is to create denial of service(DoS) attacks on enterprises. In this scenario, enterprises are either forewarned of an upcoming DoS attack by criminals and asked to pay them off beforehand or, they launch the attack and then threaten to keep up the attack and bring the enterprise to its electronic knees.

Readers should note how these attacks are constructed. The criminals spoof the IP address of the victim as the requestor. They then use their botnets to forward these requests to DNS servers that are set to do recursive searches. These are DNS servers that will respond to requests for domain names for which they are NOT authoritative. The DNS recursive server then responds to the requests. Because it is estimated that over 50% of all DNS servers are misconfigured to act as recursive servers, the attack magnifies. Today, many attacks have been documented at over several gigabits per second. This is an amount that the average enterprise's servers cannot cope with.

The US-CERT is so concerned by this amount of traffic that they worry that key portions of the internet could be brought down in expanded attacks. They have issued strong recommendations to the internet community about configuration of DNS servers. However, even with these strong recommendations, the millions of DNS server owners blissfully ignore them, since there is no immediate catastrophe facing them individually. In summary then, this attack uses the weakness in DNS IP headers to spoof an IP address, and the poor configuration of DNS servers, coupled with the criminals' botnets.
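To make the configuration point concrete from the defender's side, here is an added example (mine, not the blog's and not from any DNS vendor) that reads BIND-style query log lines and flags the two things a misconfigured server in the attack above would show: recursive queries being served to clients outside the trusted networks for names the server is not authoritative for, and bursts of ANY queries from one outside address (ANY produces the biggest response per request, so that address is probably the spoofed victim). The log lines, the trusted networks and the authoritative zone are all constructed, and the log format is an assumption modelled on the shape of a BIND 9 query log entry.

```python
"""Flag open-resolver abuse in BIND-style query logs (added example).

Assumed log format (modelled on a BIND 9 query log line, constructed here):
  client <ip>#<port>: query: <name> <class> <type> <flags> (<server-ip>)
A '+' in <flags> means the client asked for recursion (RD bit set).
"""
import ipaddress
import re
from collections import Counter

# Networks allowed to use this server as a recursive resolver (assumption:
# the enterprise LAN). Everyone else should only get authoritative answers.
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Zones this server is authoritative for; answering these to anyone is fine.
AUTHORITATIVE_ZONES = ("acme.example.",)

LOG_RE = re.compile(
    r"client (?P<ip>[\d.]+)#(?P<port>\d+): query: (?P<name>\S+) IN "
    r"(?P<qtype>\S+) (?P<flags>\S+)"
)

# Constructed sample log: internal clients doing normal lookups, one outside
# client asking an authoritative question, and a burst of recursive ANY
# queries from one outside address (the amplification pattern).
SAMPLE_LOG = """\
client 10.1.2.3#51000: query: www.acme.example IN A + (10.0.0.53)
client 10.1.2.4#51001: query: mail.example.net IN MX + (10.0.0.53)
client 198.51.100.7#53: query: acme.example IN A - (10.0.0.53)
client 203.0.113.9#40000: query: example.org IN ANY + (10.0.0.53)
client 203.0.113.9#40001: query: example.org IN ANY + (10.0.0.53)
client 203.0.113.9#40002: query: example.org IN ANY + (10.0.0.53)
client 203.0.113.9#40003: query: example.org IN ANY + (10.0.0.53)
"""


def parse_line(line):
    """Return a dict for one query log line, or None if it does not match."""
    m = LOG_RE.search(line)
    if not m:
        return None
    q = m.groupdict()
    q["ip"] = ipaddress.ip_address(q["ip"])
    q["port"] = int(q["port"])
    q["recursion_wanted"] = "+" in q["flags"]
    return q


def is_trusted(ip):
    return any(ip in net for net in TRUSTED_NETS)


def is_authoritative(name):
    n = name if name.endswith(".") else name + "."
    return any(n == z or n.endswith("." + z) for z in AUTHORITATIVE_ZONES)


def find_open_resolver_abuse(log_text, burst_threshold=3):
    """Return (abusive_queries, bursty_sources).

    abusive_queries: recursive queries from untrusted clients for names we
    are not authoritative for, i.e. the server is acting as an open resolver.
    bursty_sources: untrusted sources with >= burst_threshold ANY queries;
    rate-limit or refuse these rather than ban the address, since it is
    most likely the spoofed victim.
    """
    abusive = []
    any_counts = Counter()
    for line in log_text.splitlines():
        q = parse_line(line)
        if q is None or is_trusted(q["ip"]):
            continue
        if q["recursion_wanted"] and not is_authoritative(q["name"]):
            abusive.append(q)
            if q["qtype"] == "ANY":
                any_counts[str(q["ip"])] += 1
    bursty = {ip: n for ip, n in any_counts.items() if n >= burst_threshold}
    return abusive, bursty


if __name__ == "__main__":
    abusive, bursty = find_open_resolver_abuse(SAMPLE_LOG)
    print(f"{len(abusive)} recursive queries served to untrusted clients")
    for ip, n in bursty.items():
        print(f"possible amplification: {n} ANY queries toward {ip}")
```

If the first number is anything other than zero, the server is recursing for the world and the fix is in the server configuration (restrict recursion to the trusted networks), not in the log parser.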

Another attack is spam email. It has been recently documented that spam now accounts for 91% of all internet email traffic! Let's examine how spam works.

The criminals send email using someone's email address as if it was them. They then have their botnets download email lists to construct the spam. The malware is very sophisticated in its ability to change rapidly. This is why, all of a sudden, you are experiencing all sorts of spam email passing through your anti-virus filters. There is no way that an anti-virus vendor can keep up with listing the different signatures used in email attacks since they change so rapidly.

Spam works. Approximately 5% of people in the UK have bought from spam emails. Thus botnets continue to expand as malware gets downloaded when the user clicks on a link. Since there is no way to actually authenticate the sender of the email, the botnets continue to bombard enterprises with spam.

Another attack is to redirect a user to a fake site even though they enter in the correct web address in their browser. Called "pharming", this attack uses something called DNS cache poisoning to make it happen.

The criminals intercept DNS responses between a DNS root server and a local DNS server. They inject their false IP addresses into the response, which the local server then caches. The next time the user enters the web address for, say, Acme.com, the false IP address is served from the DNS cache and the user is directed to a false site (which most often exactly resembles the real site). Pharming attacks have also been increasing over the past two years.
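The earlier point that the DNS ID header is easy to spoof and the cache poisoning just described come down to what the caching server is willing to accept. As an added example (a toy model I wrote for this page, not code from any real resolver), here is the resolver-side validation that blocks the poisoning: a response is only cached if it matches an outstanding query on transaction ID, question, server address and the randomized source port the query went out on, and only records inside the bailiwick of the server that was asked are cached, so an answer about acme.example cannot plant an address for a different domain. The source-port randomization is an assumption about the resolver (it is the standard hardening for this exact weakness); the addresses and names are constructed.

```python
"""Resolver-side checks that block DNS cache poisoning (added toy model)."""
import secrets
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Question:
    name: str
    qtype: str = "A"


@dataclass
class Response:
    txid: int
    question: Question
    server: str          # address the response claims to come from
    dest_port: int       # UDP port the response arrived on
    records: dict        # name -> address, answer plus any extra "glue"


@dataclass
class Resolver:
    cache: dict = field(default_factory=dict)
    pending: dict = field(default_factory=dict)  # txid -> (question, server, port, bailiwick)

    def send_query(self, question, server, bailiwick):
        """Record an outstanding query. The 16-bit ID alone is guessable, so
        the resolver also picks a random source port the reply must hit."""
        txid = secrets.randbelow(1 << 16)
        port = 1024 + secrets.randbelow(64512)
        self.pending[txid] = (question, server, port, bailiwick)
        return txid, port

    def accept_response(self, resp):
        """Cache in-bailiwick records only if the response matches a pending
        query exactly; anything else is dropped without touching the cache."""
        expected = self.pending.get(resp.txid)
        if expected is None:
            return False
        question, server, port, bailiwick = expected
        if (resp.question, resp.server, resp.dest_port) != (question, server, port):
            return False
        for name, value in resp.records.items():
            # bailiwick rule: ns for acme.example may not tell us about bank.example
            if name == bailiwick or name.endswith("." + bailiwick):
                self.cache[name] = value
        del self.pending[resp.txid]
        return True


def demo():
    """Constructed scenario: one forged reply, one genuine reply with an
    out-of-bailiwick extra record. Returns what the resolver did with each."""
    r = Resolver()
    q = Question("www.acme.example")
    txid, port = r.send_query(q, "192.0.2.10", bailiwick="acme.example")

    # Forged reply (constructed): wrong transaction ID, carries a planted
    # address for bank.example. Rejected before anything is cached.
    forged = Response((txid + 1) & 0xFFFF, q, "192.0.2.10", port,
                      {"www.acme.example": "203.0.113.5", "bank.example": "203.0.113.5"})
    forged_ok = r.accept_response(forged)

    # Genuine reply: ID, question, server and port all match, but it also
    # carries a record outside acme.example, which is discarded.
    genuine = Response(txid, q, "192.0.2.10", port,
                       {"www.acme.example": "198.51.100.20", "bank.example": "203.0.113.5"})
    genuine_ok = r.accept_response(genuine)
    return forged_ok, genuine_ok, dict(r.cache)


if __name__ == "__main__":
    print(demo())
```

The design point is that every one of these checks has to hold at once; a cache that only checks the transaction ID gives the attacker 65,536 guesses per query window, which is exactly the weakness the post is describing.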

As an aside, it has been speculated that DNS traffic this spring might slow down the internet. The reasoning is that when Microsoft introduces Vista, it has the ability to run IPv6 alongside the older versions of IP. The thinking is that Vista will do parallel inquiries on DNS servers. Microsoft says no and has apparently made some changes such that parallel inquiries will not be done. We will see come this spring.

Amongst all this mess, are there any solutions? The honest answer is NO, NOT IN THE IMMEDIATE FUTURE.

One way to slow down the amount of spam and DoS attacks is to use some more advanced way of digitally authenticating a DNS lookup. About 10 years ago, it was proposed that digital certificates be used to sign DNS answers (DNS Security or "DNSSEC").

This attempt has bogged down since then for a number of reasons. These include:
* root key management
* root key rollovers
* no real economic reason for millions of DNS server owners to change their practice
* arguments that there are other methods higher up the stack which are better
* concerns over scalability
* concerns over memory and performance when using digital certificates on high volume DNS servers

A recent survey found that only 1 in 100,000 DNS servers is DNSSEC compliant. Bottom line: there is likely no good news re deploying DNSSEC in the next one to two years (unless there is a huge internet outage caused by a DoS attack, which would prompt everyone into adopting DNSSEC despite all its shortcomings).

Most experts agree that for the next one to two years the problems are going to get worse before they get better. Botnets will continue to proliferate. Malware will continue to quickly evolve and outstrip existing defense tactics. DoS attacks will continue to grow. Pharming will continue to grow. Spam will continue to be a big problem.

What can you do about it?

1. Configure your DNS servers properly. Significantly reduce the ability of your DNS servers to do recursive lookups.

2. Put in place a layered defensive system. Assume that even with best efforts your anti-virus, firewall, IPS and IDS systems will be successfully breached. Put in place internal increasingly strong authentication systems to contain the damage when a breach has occurred and someone is masquerading as your user with their uid and password.

3. Use transaction authentication from vendors like Bharosa and RSA for your most sensitive enterprise networks, applications and information. Assume that over the next two years that even strong authentication mechanisms can be breached. Use the computer hardware, IP address, geolocation, user profile, user history and time of day to validate a successful authentication request.
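The transaction authentication described here and in the wireless post above (hardware, IP address, geolocation, user profile, user history and time of day checked after a successful login) is easiest to understand as a scoring step. As an added example (my own code, not from Bharosa, RSA or any other vendor), the block below compares a transaction against a user's established profile, adds weight for each deviation, and produces the three outcomes the posts describe: allow, challenge with further questions, or stop and flag management. The weights, thresholds, device ids, networks and sample history are all constructed.

```python
"""Transaction-level risk scoring after a successful login (added example)."""
import ipaddress
from dataclasses import dataclass, field

CHALLENGE_AT = 40  # score at which the user is asked additional questions
BLOCK_AT = 70      # score at which the transaction is stopped and flagged


@dataclass
class UserHistory:
    known_devices: set
    known_countries: set
    usual_hours: range           # local hours in which this user normally works
    typical_max_amount: float    # largest amount seen in this user's history
    corporate_nets: list = field(default_factory=list)


@dataclass
class Transaction:
    device_id: str     # hardware fingerprint presented by the client
    client_ip: str
    country: str       # geolocation of client_ip
    hour: int          # local time of day, 0-23
    amount: float


def score_transaction(tx, hist):
    """Return (score, reasons); each deviation from the profile adds weight."""
    score = 0
    reasons = []
    if tx.device_id not in hist.known_devices:
        score += 30
        reasons.append("unknown device")
    ip = ipaddress.ip_address(tx.client_ip)
    if not any(ip in net for net in hist.corporate_nets):
        score += 15
        reasons.append("ip outside corporate ranges")
    if tx.country not in hist.known_countries:
        score += 25
        reasons.append(f"new country {tx.country}")
    if tx.hour not in hist.usual_hours:
        score += 15
        reasons.append(f"unusual hour {tx.hour:02d}:00")
    if tx.amount > hist.typical_max_amount:
        score += 20
        reasons.append("amount above profile")
    return score, reasons


def decide(tx, hist):
    """Map the score to one of the three outcomes described in the posts."""
    score, reasons = score_transaction(tx, hist)
    if score >= BLOCK_AT:
        return "BLOCK_AND_ALERT", score, reasons
    if score >= CHALLENGE_AT:
        return "CHALLENGE", score, reasons
    return "ALLOW", score, reasons


# Constructed history for one executive: one known laptop, always from
# Canada, working hours 07:00-19:59, never more than 25,000 per transaction.
EXEC_HISTORY = UserHistory(
    known_devices={"laptop-7f3a"},
    known_countries={"CA"},
    usual_hours=range(7, 20),
    typical_max_amount=25_000.0,
    corporate_nets=[ipaddress.ip_network("10.0.0.0/8"),
                    ipaddress.ip_network("198.51.100.0/24")],
)

# Constructed transactions: a normal one, an odd one on the known laptop,
# and one that looks like someone else holding the executive's credentials.
NORMAL = Transaction("laptop-7f3a", "10.4.5.6", "CA", 10, 5_000.0)
ODD = Transaction("laptop-7f3a", "203.0.113.77", "CA", 22, 30_000.0)
HOSTILE = Transaction("dev-unknown", "203.0.113.77", "RO", 3, 30_000.0)

if __name__ == "__main__":
    for tx in (NORMAL, ODD, HOSTILE):
        verdict, score, reasons = decide(tx, EXEC_HISTORY)
        print(f"{verdict:16} score={score:3}  {', '.join(reasons) or 'no anomalies'}")
```

The important property is that a valid uid and password (or even a valid strong login) gets the user to this step but not past it: the HOSTILE transaction is stopped on the strength of context alone, and the ODD one, which is the executive on a known laptop but late at night from a hotel, gets the extra questions rather than a hard block.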

Start paying attention to the DNS layer of your enterprise. Deep down in the bowels of the internet there are some stomach aches happening that might come back to haunt you.

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com

Note: In the first published version of this blog I erroneously stated that 20% of people in the UK have bought from spam. The story I was referring to stated that the click through rate was 1 in 20 or 5%. I have updated the blog accordingly.


November 21, 2006

FUD and a Realistic Review of Your Enterprise Risk

FEAR, UNCERTAINTY AND DOUBT. These are the trade of people selling security products. They don't make sales by telling you that all is well. Given the shrill voices at the moment on enterprise security, what is the realistic risk that your enterprise will be successfully breached over the next two years and, if so, what are the resulting costs?

THE ATTACKERS:
In the old days of two to three years ago, most enterprises were relatively safe hiding behind their firewalls, anti-virus, intrusion detection systems and intrusion prevention systems. Commercial for profit crime was mostly targeted against financial institutions and there were always stories and criminal prosecutions against "hackers" trying to gain access to military systems. The chances that a "hacker" would try to access your enterprise were relatively small. What has changed since this time period?

There are three concurrent factors that have sharply raised the level of enterprise risk:
1. Organized crime has entered the internet
2. Botnets have been created
3. Malware has grown very sophisticated

Organized Crime
The entrance of organized crime to the internet has changed the security game. Criminals have realized there is easy money to be made, on a recurring basis, from the internet and from successfully breaching enterprises. They have developed three general markets:
* Consumer identity theft via email - criminal fraud
* Enterprise breaches - corporate theft
* Enterprise denial of service attacks - essentially criminal ransom or blackmail

This is not the normal gang operation where a gang has a few hundred members around the world and targets just big business. Today, these "gangs" have several thousand members. They have thousands of programmers hired to design successful criminal software, tailored to breach a specific type of defense. They operate globally and locally. As recently as last month, enterprises with only a few thousand employees have been targeted, including hospitals.

Botnets:
Organized crime has developed a series of computers which they have taken control over, unknown to the computer owners. Called "bots", organized crime is busily developing a vertical market.

First, they make money by sending out spam email. Today, 91% of all internet email is spam. The spam goes out to most digital citizens. In the UK, it has been documented that up to 5% of people have bought from spam emails.

When the organized criminals make money, they quickly launder it using "mules" who operate out of their homes. The money is moved around the world and then reinvested in criminal and legitimate businesses.

The clicking by citizens on the email links offers the criminals the ability to create more bots. Malicious software is downloaded into the user's computer taking over the computer.

The next step up the vertical market ladder is to take the bots and use them to attack enterprises. It has been estimated that around 10% of all computers are infected. One recent study estimated that 89% of citizens' computers were infected with spyware.

Organized crime uses bots in two general ways:
1. To launch successful denial of service attacks on enterprises
2. To quickly launch malware attacks against enterprises

Denial of Service Attacks:
The denial of service attacks on enterprises are rising. It's hard to document exact numbers since most enterprises don't want to publicly admit they were attacked. However, evidence shows it is rising. Authorities believe that only a few enterprises in every hundred attacked are reporting. Regardless, criminals can bring about huge attacks by using bots that are big enough to even shut down portions of the internet! (Read the US-Cert Advisory here and the presentation this past spring on the size of attacks here.) Faced with this type of attack, most enterprises are forced to quietly pay off the attackers.

Enterprise Breaches:
There has been a documented, growing trend over the last two years in general enterprise attacks. The use of the bots has enabled organized crime to quickly take a new attack and "get it out" to attack millions of enterprise computers within a few days. There are two general patterns emerging for these attacks:
* Spam type email which if your employee clicks on it downloads malware into your enterprise
* Targeted attacks - this type, commonly known as "Spear phishing" is growing rapidly. It is this type of attack you should be worried about. I'll refer to this later in this blog.

The message here is that by using their botnets, criminals can quickly get an attack going against most enterprises. Since your enterprise uses email, you are prone to these types of attacks.

Malware:
The third fundamental change over the last two years has been the evolution of malicious software (malware). Organized crime has put thousands to hundreds of thousands of programmers to work developing attack code. As I have documented in numerous blogs (read here and here), the attack code is very sophisticated. Today, the code comes with its own built in:
* anti-spyware code (to keep out other competing malware as well as to protect itself from enterprise anti-malware)
* the ability to hide inside the operating system kernel as a rootkit (making it extremely hard to see and even harder to get rid of once detected)
* code changes every 30 minutes (this makes the current vendor anti-spyware methods of keeping a list of the "bad guys" obsolete since the "signature" for each attack changes every 30 minutes)

It has been repeatedly shown that existing anti-virus, IPS and IDS defences are becoming more easily bypassed in the face of this malware. As bad, it has also been documented that getting rid of the malware, once it's detected by the anti-spyware software, is very poor (a study this past September against a suite of malware taken from a honey pot found that the best rate amongst a suite of vendors for spyware removal was around 38%).

In summary then, organized crime has arrived big time on the internet. They are quickly developing their own vertical markets by using spam, botnets and malware. Most experts agree that this is a real "arms race" with the advantage currently with the attackers, likely for the next TWO TO THREE YEARS!

Your enterprise firewalls are constantly being attacked by bots. The firewalls operate on the basis of allowing everyone in except for the bad guys who are maintained on a list. This type of defense is proving to be easily breachable. The pace of attack change against your enterprise is now anywhere from a couple of days after a new attack is devised down to 30 minutes.

YOUR ENTERPRISE RISK

Given all the above, here are my general postulates:
1. Even with the best firewalls, anti-virus, intrusion detection and prevention services, the chance of your enterprise being breached over the next two years is very high due to botnets.
2. As a result, the chances of your workers' uids and passwords being in the hands of organized crime are also high, since the malware will successfully capture them and export them back out through your firewall.
3. Targeted enterprise attacks will also rise. These will involve combinations of external attacks and internal workers, janitors, temps and others.

To evaluate your risk, first let's look at your enterprise from a criminal's point of view. They want to make money and not get caught. What is in your enterprise that would appeal to a criminal?
* payables system
* data that's valuable
* products that you make

Payables:
My own personal view is that over the next two years, organized crime will go after weakly protected payables systems with poor reporting processes. Why?

It's easy money. If done properly, it can be a regular cash cow for the criminals spewing out payments every month. Here's what criminals need to do to accomplish this:
1. Identify the type of software you use for payables
2. Determine the approval process and separation of duties for:
a). Creating electronic accounts
b). Approving invoices
c). Approving payment of the invoices electronically
d). Invoice approval limits
3. Determine the individuals involved in the above
4. Obtain their uids and passwords
5. Create the electronic accounts masquerading as the employees
6. Create and submit the electronic invoices
7. Approve the invoices masquerading as the employees
8. Approve the electronic payment masquerading as the employees

While all this might seem like a lot of work, it's actually not that hard to do. If criminals are smart they will target industries. For example, universities. Generally most universities use either Banner, PeopleSoft or SAP. By having the local organized crime do the footwork it won't be hard to obtain the people involved in the process and determine the approval limits. Then the rest is a matter of setting up the process such that it can be done remotely in the off hours. If the reporting process is poor and, if the invoices are kept relatively small, this can go on for a very long time before it's detected.
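The steps listed above all depend on the same identity being able to walk a vendor account, an invoice and a payment through the process, often at night and below anyone's approval limit. As an added example (my own code, not from Banner, PeopleSoft, SAP or any payables product), here is the kind of control check the "good solid business processes" section later in this post calls for: it treats the whole chain as one record and refuses to release payment when one identity appears in more than one role, when an invoice exceeds its approver's limit, when the vendor account is too new, or when approval or release happened outside business hours. The identities, limits, dates and amounts are constructed.

```python
"""Separation-of-duties and approval-limit checks for a payables run
(added example, not from any payables product)."""
from dataclasses import dataclass
from datetime import datetime, timedelta

APPROVAL_LIMITS = {"alice": 50_000, "bob": 10_000, "carol": 100_000}  # constructed
VENDOR_MIN_AGE = timedelta(days=14)   # new vendor accounts get a cooling-off period
BUSINESS_HOURS = range(8, 18)         # 08:00-17:59, Monday to Friday


@dataclass
class PaymentChain:
    vendor_created_by: str
    vendor_created_at: datetime
    invoice_submitted_by: str
    invoice_approved_by: str
    invoice_approved_at: datetime
    payment_released_by: str
    payment_released_at: datetime
    amount: float


def check_chain(chain):
    """Return a list of control violations; an empty list means pay."""
    violations = []

    # Separation of duties: no single identity in two roles of the chain.
    roles = {
        "vendor creation": chain.vendor_created_by,
        "invoice submission": chain.invoice_submitted_by,
        "invoice approval": chain.invoice_approved_by,
        "payment release": chain.payment_released_by,
    }
    first_role = {}
    for role, who in roles.items():
        if who in first_role:
            violations.append(
                f"separation of duties: {who} did {first_role[who]} and {role}")
        first_role.setdefault(who, role)

    # Approval limit: unknown approvers have a limit of zero.
    limit = APPROVAL_LIMITS.get(chain.invoice_approved_by, 0)
    if chain.amount > limit:
        violations.append(
            f"approval limit: {chain.invoice_approved_by} limit {limit} < {chain.amount}")

    # Vendor account age at the time the invoice was approved.
    if chain.invoice_approved_at - chain.vendor_created_at < VENDOR_MIN_AGE:
        violations.append("vendor account younger than 14 days at approval")

    # Off-hours activity is the tell for the remote, after-hours process
    # described in the post.
    for label, when in (("approval", chain.invoice_approved_at),
                        ("release", chain.payment_released_at)):
        if when.hour not in BUSINESS_HOURS or when.weekday() >= 5:
            violations.append(f"{label} outside business hours ({when:%a %H:%M})")
    return violations


# Constructed clean chain: four different people, vendor six weeks old,
# within bob's limit, approved and released during the working day.
CLEAN = PaymentChain(
    vendor_created_by="alice", vendor_created_at=datetime(2006, 10, 2, 9, 0),
    invoice_submitted_by="dave",
    invoice_approved_by="bob", invoice_approved_at=datetime(2006, 11, 10, 10, 30),
    payment_released_by="carol", payment_released_at=datetime(2006, 11, 13, 14, 0),
    amount=8_000.0,
)

# Constructed suspicious chain: bob's credentials create the vendor, submit
# and approve the invoice late on a Sunday, kept just under bob's limit.
SUSPICIOUS = PaymentChain(
    vendor_created_by="bob", vendor_created_at=datetime(2006, 11, 12, 23, 10),
    invoice_submitted_by="bob",
    invoice_approved_by="bob", invoice_approved_at=datetime(2006, 11, 12, 23, 15),
    payment_released_by="alice", payment_released_at=datetime(2006, 11, 12, 23, 20),
    amount=9_500.0,
)

if __name__ == "__main__":
    for name, chain in (("clean", CLEAN), ("suspicious", SUSPICIOUS)):
        print(name, check_chain(chain) or "OK")
```

Note that the suspicious chain never trips the approval limit, which is the point of keeping invoices small; it is caught by the separation-of-duties, vendor-age and time-of-day checks, which is why those have to be automated in the payables system rather than left to month-end reporting.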

Data that's valuable:
Credit cards are one prime choice. This involves getting the uids and passwords of the person who administers the database. If the data is unencrypted it is child's play to take the data and then use it elsewhere to the criminal's benefit.

Other data that might be valuable is competitive information. For example, recently in Canada, WestJet airlines used scheduling data from Air Canada's system to offer more attractive flight schedules and rates. This involved access to Air Canada's scheduling system by an ex-employee.

Products that you make:
There was another Canadian story last year about a company that had been successfully infiltrated by criminals and where invoices were created and products shipped to fictitious companies. This will become more common as criminals look for low hanging fruit in manufacturing companies.

Given the above, what is the risk to your enterprise?

If you continue to use uids and passwords for sensitive networks, applications and information behind the enterprise firewall, I say that your risk of being on the criminals' hit list is high if you are an enterprise with over several hundred employees. Once you're this big, the chances are better for the criminal that they can operate electronically amidst your bureaucracy and your internal business processes without being noticed for quite a while.

If you have weak payables processes and use electronic payments, then the risk is also high. It's much easier for criminals to rob you than take on a bank. A little local on the ground footwork coupled with payables system knowledge means you can be easy prey.

If your internal databases holding credit card information are poorly protected, then you are also at high risk for an attack. The best part for the criminals is that you might never realize you have been attacked, or it will take you months or years to realize it. The public cost of admitting this disclosure is high. Read here for an analysis of the cost of a security breach.

If you do manufacture products, and your business processes for approving shipment and payment are weak (using uids and passwords to approve), then you too can expect a high risk of attack over the next two years.

The general costs of these types of attacks will be in the hundreds of thousands to millions of dollars depending on the numbers of identities stolen (and disregarding the amounts lost from payables or product loss). If you have to publicly report the attacks, then the enterprise cost is much higher due to bad publicity, stock price hits, customer relations, etc.

HOW TO MITIGATE THESE RISKS
THERE IS NO SILVER BULLET. There is no one product you can buy that will magically prevent these types of attacks from happening. Instead, you need three components to prevent or mitigate the risk from such attacks:
1. Security architecture using layers of identity based security
2. Operational infrastructure to quickly detect problems in the making
3. Good solid business processes to prevent such attacks from happening or, to quickly realize an attack has happened and shut it down quickly.

Security Architecture:

As I have documented in a couple of white papers (read here and here), enterprises need to have multiple layers of security. This ranges from training users not to click on email links, through a robust perimeter, to the use of stronger authentication as the user drills towards higher risk areas, to deployment of transaction authentication protecting the enterprise crown jewels.

Get your head around protecting what's behind the firewall with all sorts of layers. Start imagining organized crime behind your firewall. Think of targeted spending to reduce the risk by deploying layers of stronger authentication.

Operational infrastructure to detect problems in the making:
This is hard to deploy in larger enterprises. You need to cross over internal enterprise silos and create teams of people and systems to detect attacks in the making. This must involve network security, IT security, payables, customer marketing, finance and shipping. You need to have cross team meetings, reporting systems and detection systems at all levels of the enterprise working together. If you don't, then it's quite likely you will be prone to a successful attack.

Business processes:
You need to tighten up business processes. Think like a criminal. Identify areas where your business processes are weak and could be low hanging fruit for organized crime. Tighten them up. If you do so, you will likely either prevent these types of attacks from happening in the first place or, determine it is happening early on and contain the damage by quickly closing the hole.

CONCLUSION:

The high level of FUD out there is currently justified. It is not just more scare talk by security sales people to generate sales.

Don't believe that one product is going to solve your enterprise risk problems. The challenges involved require layers of security coupled with good business processes. This will be hard to sell in the enterprise since it means that you've got to cross silos to create a successful solution that will minimize your risk.

Your CFO, CEO, COO, CIO, CSO and VP Marketing all need to be on the same page re understanding that the security game is quickly changing with organized crime entering the digital fray. Tell them that the attack patterns are changing, your existing defenses likely are breachable, the potential costs are in the millions of dollars and that it's better to spend a penny now than a pound later.

I realize that this is a tough sell to senior management. However, the main message from this blog is:

THE INTERNET IS NOW A TOUGH DANGEROUS WORLD.

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com


November 22, 2006

COME ON IN....THE DOOR IS UNLOCKED AND OPEN.

The data is in for anti-malware vendors testing against a honey pot as of November 21, 2006 at malware-test.com. What it shows is a MAJOR FAILURE IN THE ABILITY OF ALL MAJOR ANTI-MALWARE VENDORS TO PROTECT YOUR ENTERPRISE.

The best cleanup success rate was 49.64%. In other words, the best software would have missed 50% of the attacks!!!!

What is even worse, THIS TREND HAS BEEN MORE OR LESS THE SAME SINCE SEPTEMBER.

The scene is grim as we approach the end of 2006. Organized crime has much better tools to attack an enterprise than do the "good guys". By using their botnets and their malware, criminals are staying ahead of the best efforts of anti-malware vendors.

This is not just a little problem. It's a serious BIG problem in that too many enterprises are almost t