About December 2006

This page contains all entries posted to AuthenticationWorld Blog in December 2006. They are listed from oldest to newest.


December 2006 Archives

December 1, 2006

More on the Blackberry Hacks

In yesterday's eWeek, Ryan Naraine wrote a story, "Cracking the Blackberry with a $100 key". The story covers how a $100 API key can be used to open doors to attack.

While much was made of the Symantec blog being quickly withdrawn, it seems to me that this is exactly what is in the Defcon presentation I referred to in an earlier blog. In the Defcon presentation, the proposed attack used a prepaid card to purchase the API key and then to launch the trojan horse attacks. In that blog, I also referenced Blackberry's response to this type of attack.

Make the enterprise changes as per the Blackberry recommendations to mitigate this high risk.

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com

Social engineering your way into a network and applications

I recommend that you read the story "Banking on security", published Nov 29 in Dark Reading. The story outlines how a penetration testing team successfully penetrated a bank posing as a copier repair person and, after gaining access to the bank's network, quickly obtained uids and passwords for the bank's senior management.

The article shows how relatively easy it is to penetrate an enterprise physically and then obtain internal network access. From there, criminals have a variety of tools at their disposal, including malware, masquerading, etc.

The enterprise needs to have a layered enterprise defense using strong authentication as the user drills to higher risk applications, information and networks. Many of the layers must occur behind the enterprise perimeter. Additionally, employees need to be continually trained to watch out for social engineering attacks. If you don't, someone might literally walk in the front door and leave with all sorts of enterprise secrets and access privileges.

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com

Targeted spear phishing example

During the middle of November, Forrester and Finjan put together a webinar titled "How to Defend Your Organization from Web-Based Threats while Hackers Move into Business Mode". The webinar is an hour long. So, if you don't have time to listen to it, here's the point of this blog.

The Forrester analyst, Paul Stamp, describes a recent spear phishing attack on a medium-sized enterprise. He described how the enterprise had issued a press release announcing the hire of a new COO. A few days later, the new COO received an email purportedly from the firm that does the enterprise's travel bookings. He was asked to click on the link and make sure his details were accurate.

The executive did and ended up at an official-looking website for the travel agency. There he found that the travel agency already had all his personal details in its database, so it looked legitimate. He was then asked to download some software that would link his Outlook email to the travel agency's booking systems. The COO did this. Unbeknownst to the COO, he was actually downloading trojan horse malware, which then rapidly spread through his new enterprise.

What can we learn from the above story?

1. This was a medium-sized enterprise and not a large bank. Criminals are targeting enterprises wherever they think they can make a buck. So, if you're not a large company, don't think that you won't be targeted.

2. The criminals are using public information to quickly construct the attacks. They used the press release to get wind of a new hire. They then obtained the new hire's email address. They finally put together a database on the victim from publicly available information.

3. The attacks are very sophisticated. This isn't something that a "hacker" or "script kiddie" puts together. It's done by organized crime. They have the talent to construct the emails, trojan malware and fake websites. They do their homework. They use employees only as a vector into the enterprise. THEY'RE SMART.

Most major analysts forecast that this type of attack will increase over the next year. Simply relying upon your perimeter to bail you out of these types of situations won't work on its own. You need to have multiple layers of identity-based strong authentication defense behind the firewall to control the damage when these types of attacks occur.

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com

December 6, 2006

Hardware virtualization and malware attacks

There are new tools on the horizon that will help enterprises fight malware, but they also provide trajectories for new malware attacks. In this podcast, a security architect for Intel discusses their new hardware virtualization.

The advantages given in the presentation include:
* the ability to embed intrusion detection and deep packet inspection directly in the hardware, thus avoiding the need for separate appliances
* the ability to ensure that all machines on the network have minimum security configurations
* the ability to wake up machines in sleep or down mode, scan the system, deliver updates and put them back into sleep or down mode
* from an incident response perspective, the ability to isolate a system hit by a rootkit and use the out-of-band management channel to remotely clean it

What wasn't mentioned was the new type of attack vector that hardware virtualization brings, i.e. Blue Pill-type attacks. Currently, there are no defense barriers to this type of attack.

Further, the interview portrays "deep packet inspection" as the main way to deter malware attacks. The problem with current attacks is that the attack signature patterns are changing every 30 minutes. Thus, no matter how deep the inspection goes, if only signature patterns are used, this type of defense on its own won't prevent malware attacks from succeeding.

Generally, the overall management of the enterprise's security systems should be helped by the ability to deliver patches quickly regardless of whether the computer is off or in sleep mode. Further, the ability to embed intrusion detection systems in the hardware will also reduce operating costs long term.

BUT, the rest of the spiel is just that, a sales spiel. There is no one technology that is going to provide a silver bullet. In fact, the new technologies come with their own challenges. Therefore, you need to have multiple layers of strong identity authentication security behind the firewall to contain the damage when attacks pass through the perimeter.

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com

Word zero day flaw only emphasizes the need for layered security

Over the last couple of days, the press has been having a field day with a new zero day exploit in Word. Simply opening the document releases the malware onto the computer. There are no known work-arounds for this until Microsoft issues a new patch.

This follows another security advisory from Microsoft this past June about PowerPoint. Then, too, Microsoft warned users not to open any MS Office document they weren't sure of.

While all this is potentially very bad, it is much worse given the current trends in malware. Organized crime is now doing more and more targeted spear phishing attacks. They select key individuals in an enterprise and then target them with email directing them to phishing sites, or attach legitimate-looking MS Office documents to the email. The emails now appear to come from a trusted colleague in the enterprise.

Microsoft will eventually fix this new hole. However, more will continue to appear, since there are so many lines of code in MS Office with unexposed weaknesses.

What's my point? These flaws have been in MS Office for years. Organized crime has thousands of programmers who are being paid to uncover the flaws. When they do, they QUIETLY use these flaws to attack enterprises. The flaws are only uncovered when some researcher stumbles across them or when an attack becomes public.

DON'T LEAVE YOUR ENTERPRISE'S DEFENSES ONLY AT THE PERIMETER. There is too much risk currently and for the foreseeable future. While putting in strong perimeters as well as monitoring what goes out the firewall, put in layered strong authentication identity defenses behind the firewall. Without this, you may never know you were attacked, or figure it out many months after a successful attack or attacks have occurred.

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com

December 8, 2006

The Future For IT Grads...Organized Crime?

I read an interesting story today on the BBC, "Criminals 'target tech students'". The story outlines how organized crime is now actively recruiting IT students. They graduate them from spam-type activities through to botnets and then into more sophisticated attacks. The story also states that organized crime is now paying IT students' university fees and then, when they graduate, offering them full-time jobs.

The story also references a report released by McAfee this past July, the "Virtual Criminology Report". The report outlines the expansion of organized crime onto the internet.

What observations can be drawn from the news story and the report?

1. Organized crime is here to stay on the internet. It is now a "mature industry" for criminals to make money.

2. Criminals are organizing virtual gangs in large numbers to attack medium and large enterprises. You don't have to be a Fortune 1000 company to be targeted.

3. The criminals have large dedicated talent pools to draw upon. For medium enterprises, I think this is worrying. Your small IT departments are trying to keep the IT systems up while at the same time handling IT security. The few individuals you have dedicated to IT security are reliant upon defense tools like antivirus and intrusion detection and prevention. Facing you are thousands, and perhaps even hundreds of thousands, of programmers who are dedicated to cracking your defenses.

4. The coupling of local organized crime with the cyber gangs is also very worrisome. The local people can target medium enterprises, obtain information and then contract out the IT work to the cyber gangs. This means that over the next two to three years, you're likely to see more sophisticated attacks on your enterprise using a combination of local people and malware.

5. Not wanting to be a pessimist, but I can't see the increasing trend of organized crime diminishing any time soon. It will take years for governments to craft laws, increase their policing resources, coordinate across international boundaries and prosecute enough criminals to make them think twice about doing it.

There are dark clouds on the enterprise security horizon. A storm is brewing for the next two years. Time to get ready and deploy a multi-layered security strategy before the storm strikes you.

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com

December 11, 2006

More Word Woes Means Greater Enterprise Risk

Well, Microsoft is keeping out front of the game...no, I don't mean Vista. Yet another serious Word flaw has been reported, the second in the past week. This means that in the past week and a half there have been three serious Microsoft vulnerabilities reported (the two in Word and one in Windows multimedia).

At the current time, it doesn't look like Microsoft is going to rapidly address the two Word flaws in its next security patch. That should be reassuring news for enterprise security folks.

So, here's the picture. Your enterprise is running its AV, IPS and IDS systems. Then along comes a Word document attached to an email. You let the document in. Unfortunately, the document contains rootkit trojan malware. If it's one that your AV, IDS and IPS don't pick up, then you are fodder for the criminals.

Remember, these types of flaws have been in Word for the past few years. Smart criminals aren't going to advertise that they've found one. They've probably found these and other Office defects long ago. Therefore, stop waiting for Microsoft to clean up its act. Assume the documents will carry malware. Further, assume that the malware will pass under the radar screen of your enterprise perimeter.

NOW START MAKING PLANS TO USE LAYERS OF STRONG AUTHENTICATION BEHIND THE FIREWALL!

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com


December 12, 2006

Adobe joins the fray

Adobe this past week announced a serious vulnerability in Adobe Reader that allows an attacker to take control of the user's system. This affects all existing version 7 releases of Adobe Reader. Users must upgrade to Version 8 in order to prevent the attacks.

When you couple this announcement with the Microsoft woes blogged earlier, how many reasons do you need to have a layered identity strong authentication defense system behind the firewall?

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com

December 13, 2006

Before you get to your holiday season....

There are three Computerworld stories today that should give you pause as you prepare for the holiday season.

The first is "Wireless growth in Asia leads to security woes". It documents the fast-rising number of attacks on wireless networks in Asia, which are growing much faster than those in fixed-line countries. This is because Asia has a much more advanced wireless infrastructure than North America. Therefore, what you see happening in Asia will soon be arriving in Europe and later in North America, where the wireless infrastructure is well behind.

The article briefly mentions layers of security but doesn't go into details. I believe that these layers must include:
* network access control to quarantine any wireless device without proper patches
* network authentication to the device MAC
* reduced sign on, with security policies requiring stronger authentication as the user drills towards applications from the wireless device than if they were inside the enterprise
* reduced hard drives on the wireless device
* monitoring of what is going out the firewall to the wireless device, to prevent sensitive information leaving
* finally, transaction authentication around enterprise crown jewels

The next article is "Breach at UCLA exposes data on 800,000". The article documents that attacks on sensitive databases, expressly looking for identity information, had been going on since October of 2005.

While universities have been targeted this way over the last few years, they are not alone. In an earlier blog, I documented that over 97 million US identities have been stolen since 2005. Now that number has grown by nearly another million from just UCLA alone. What can be learned from this?

All sensitive identity information needs to be encrypted in the database. Further, as in another blog covering the loss of Scotland Yard's own identities, encryption must be maintained when identity data is managed by non-enterprise personnel, along with identity handling processes and audits. Finally, perimeter monitoring of information leaving the enterprise needs to be in place to detect sensitive identity data being exported out through the firewall.

Then there is the story "'Rock Phish' blamed for surge in attacks". It documents how a group called "Rock Phish" is thought to be responsible for $100 million in losses to financial institutions from phishing attacks. The article describes the increasingly sophisticated measures the attackers are using. Perhaps even more telling was the fact that many researchers didn't want their names mentioned in the article out of fear of personal harm.

This last article is in my opinion the most worrying. It indicates the growing size of organized crime on the internet. Further, it also indicates the sophistication that organized crime is using to attack enterprises. While not mentioned in this article, I believe that this is due to the numbers of personnel organized crime is now bringing to bear to attack enterprises.

While you should indeed be celebrating the holiday season, you should also keep in mind that the next two years spell lots of trouble for IT departments and enterprise security. There is a big storm blowing in.

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com

December 15, 2006

Three strikes...you're out

eWeek yesterday ran this story: "Third MS Word Code Execution Exploit Posted". It describes the third Word document exploit in a week. There are no current fixes for the other two.

In sports, three strikes and you're out. Microsoft has stood at the plate so many times swinging at the ball and missing it from a security perspective, and they're still not out. While Vista will be an improvement over their previous operating systems, there are so many other holes in the Office products.

These attacks can be launched by simply opening the document. Therefore the security risk is very high.

Don't stand around waiting to see if Microsoft will ever hit the security ball. Make plans knowing that they haven't and likely won't. Put in place many layers of security to mitigate the risk that your enterprise will receive unwanted malware presents delivered by the MS Office suite.

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com