About February 2007

This page contains all entries posted to AuthenticationWorld Blog in February 2007. They are listed from oldest to newest.

February 2007 Archives

February 2, 2007

Criminals exceed capacity of antivirus vendors

Yesterday, Computerworld ran a story, "Call the cops: We're not winning against cybercriminals". In it, Kaspersky Lab's CEO admits that they can't keep up with the criminals: "We don't have the solutions," says Natalya Kaspersky, CEO of the company. "We thought it was possible to do antivirus and that was adequate protection. That time is gone."

Of their CTO, the article says: "The company dedicates 50 engineers to analyzing new malware samples and trying to find ways to block them, but with about 200 new samples per day and growing, it's an uphill fight, he says."

Further, the article reports: "Police have made efforts to prosecute the people behind the malware, but success has been limited. In 2004, there were 100 arrests worldwide. That number rose to a few hundred in 2005, then dropped back to about 100 again in 2006, Kaspersky says. "The stupid guys got jailed," he says. "The smart guys -- it's very difficult to find them.""

Their conclusion? There is a need for international police coordination and legal prosecution.

This article merely confirms the statements made last summer at an international conference in Montreal that criminals would have the upper hand for the next 2-3 years.

Bottom line: make sure you have multiple layers of identity defenses, with progressively stronger authentication as the resource gets more sensitive, and stay on top of your security game, or you may be very sorry.

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com

February 5, 2007

$5 one-time password token introduced

Entrust today announced one-time password tokens priced at $5 each. This is substantially below the prices currently charged by competitors such as RSA and Vasco Data Security.

Bear in mind that one-time password tokens do not stop phishing attacks: a real-time phishing site can relay the freshly typed code to the genuine site before it expires. Even so, this offering is very good news. Most enterprises still use passwords as their main form of authentication, and, as has been well documented, passwords are very insecure. Enterprises therefore need to consider other forms of authentication, and the historical cost of one-time password tokens has been an impediment to wide-spread adoption of this method.

Enterprises considering Entrust's new one-time password offering, however, need to treat it as only one part of a more in-depth enterprise authentication strategy. As the user drills towards more sensitive information, applications or building access, multi-factor authentication needs to be used.

Even with multi-factor authentication in place, enterprises must assume that these methods too may be bypassed. Therefore, to protect the enterprise crown jewels, they should deploy transaction authentication which, in addition to strong authentication, checks the user's physical hardware, IP address, geolocation, time of day and past behaviour profile before letting the transaction through.

There is no one silver bullet in authentication. While the Entrust offer makes the use of one-time passwords more affordable, it is only one of many tools an enterprise must use to properly defend itself against attacks from organized crime.

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com

Swiss Cheese - Another high risk security hole appears in MS Office

On Friday, Microsoft confirmed yet another high risk security flaw in one of its MS Office products, Excel. The hole allows malware to be planted on the user's computer merely by opening a crafted Excel file. The usual delivery method is to attach the file to an email asking the user to open it.

This brings the total to five unpatched high criticality flaws in MS Word and Excel. Several of the Word flaws have been known since early December and as yet remain unpatched.

MS Office resembles Swiss Cheese with all of its security holes. Vista won't stop these types of attacks.

Caveat emptor. Think on it before you click on it for MS Office attachments in your email.

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com

Site authentication may not provide additional security in practice

Brad Stone of the New York Times today wrote a story, "Study Finds Web Antifraud Measure Ineffective". The article reports results from a joint Harvard/MIT study on the effectiveness of site authentication: of 60 participants, the measure worked for only two.

Site authentication is where the user preselects an image that is displayed at login, on the page where they are supposed to enter their uid and password. The technology, developed by Passmark in 2004 (since acquired by RSA) and also produced by several competitors, rests on the theory that if the user lands on a phishing site and does not see their image, they will realize the site is not real and therefore not enter their uid and password. The study did not bear this out: only two people refused to enter their uid and password, while the other 58 entered it despite there being no image.

Changing end user behavior is hard to do. People are used to entering their uid and password and disregard security mechanisms like site authentication. I am fairly confident that Microsoft's Vista anti-phishing technology, where the toolbar goes green for supposedly safe sites, will meet the same kind of response from end users.

Enterprises wanting to secure themselves internally should take heed of the study. There needs to be stronger authentication, in addition to uid and password, as the user drills towards more sensitive information and applications. Don't expect one method to provide your security or you'll be sorry.

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com

February 6, 2007

Windows Live OneCare Fails the Test

The BBC today reported that Microsoft's Windows Live OneCare failed a test recently done by Virus Bulletin. The article states: "While Live OneCare did manage to spot 100% of the macro viruses it was tested against, it missed some wild viruses, polymorphic programs and file infectors.

Live OneCare caught 99.91% of the known active viruses it was tested against. This left it vulnerable to 37 separate malicious programs.

Other anti-virus products that failed the tests included G-Data AntiVirusKit, McAfee VirusScan Enterprise 8.51 and Norman Virus Control 5.90."

This test was against known viruses, bots and worms. The article then quotes John Hawes from Virus Bulletin: "Although many improvements have been made, Vista cannot fend off today's malware without help from security products," he said.

I would argue that even with the use of other anti-virus vendors' products, tests from Malware-test.com suggest that most vendors are missing 50% of the malware.

Caveat emptor. Don't rely upon what the vendor's marketing spiels tell you.

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com

Time to secure smartphones

Today in Searchcio.com Shamus McGillicuddy wrote an article "SMARTPHONES EASY TARGET FOR HACKERS, EXPERTS WARN". The article explores the risks from executives who are increasingly using smartphones to access and download sensitive applications and information.

The article quotes Stan Schatt, vice president and research director at ABI Research in Oyster Bay, N.Y. "Schatt said at least 30 forms of malware written specifically to exploit smartphone operating systems have been identified during the past two years. He estimated that as many as 90% of smartphones are exposed and unsecured right now."

The danger is that malware on a smartphone will capture the uid and password that is the most commonly used authentication mechanism. With it, the criminals then have access to the applications and information the executive reaches from the smartphone.

The answer is a layered identity authentication architecture. For general low risk access, continue to use the uid and password. As the executive drills towards sensitive apps and information, use stronger authentication such as one-time password tokens, biometrics, voice recognition etc. Then place transaction authentication around the enterprise crown jewels.

If you're not doing this, your enterprise is at high risk of a major security breach.

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com

Hackers take down 3 of 13 servers critical to managing internet traffic

Today, hackers successfully attacked 3 of 13 servers critical to managing internet traffic according to CNN. In "Hackers hit key Internet traffic computers" the article states "Hackers briefly overwhelmed at least three of the 13 computers that help manage global computer traffic Tuesday in one of the most significant attacks against the Internet since 2002. Experts said the unusually powerful attacks lasted for hours but passed largely unnoticed by most computer users, a testament to the resiliency of the Internet."

It goes on to state "Experts said the hackers appeared to disguise their origin, but vast amounts of rogue data in the attacks were traced to South Korea."

It is great that the internet didn't go down during the attempt. However, it is still very worrying that three of the critical servers were overwhelmed, even briefly.

I have blogged repeatedly on DNS attacks and in one blog "Partnering with criminals" said that enterprises must give some thought to partnering with criminals to protect themselves from DNS attacks until the international authorities and the technology catches up. I have also blogged on possible interim strategies for preventing DNS attacks.

What chance does a mid-size enterprise, with a small IT department, have against these types of attacks that can successfully take down 3 of 13 critical internet servers?

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com

200,000 new virus variants projected for 2007

Computerworld ran an article today "RSA: New threats could make traditional antivirus tools ineffective" that stated "Signature-based technologies are now "crumbling under the pressure of the number of attacks from cybercriminals," said Art Coviello, president of RSA Inc., the security division of EMC Corp. This year alone, about 200,000 virus variants are expected to be released, he said. At the same time, antivirus companies are, on average, at least two months behind in tracking malware. And "static" intrusion-detection systems can intercept only about 70% of new threats."

The article quotes Amir Lev, president of Commtouch Software Ltd.: "New server-side polymorphic viruses threats like the recent Storm worm, however, contain a staggering number of distinct, low-volume and short-lived variants and are impossible to stop with a single signature, Lev said. Typically, such viruses are distributed in successive waves of attacks in which each variant tries to infect as many systems as possible and stops spreading before antivirus vendors have a chance to write a signature for it.

Storm had more than 40,000 distinct variants and was distributed in short, rapid-fire bursts of activity in an effort to overwhelm signature- and behavior-based antivirus engines, Lev said.

By the time a signature is released for one variant, it has often already stopped circulating and has been replaced by several other variants, he said. "

This confirms the many blogs I have written stating that relying upon existing anti-virus and intrusion detection systems as the primary enterprise defense is not enough. Have in place layers of authentication security or you might be a victim rather than a healthy survivor of a criminal attack.

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com

Weak passwords are still a real threat to enterprise security

Computerworld published an article today, "Study: Weak passwords really do help hackers", about a University of Maryland study in which four computers were put online for 24 days. There were 270,000 intrusion attempts (roughly one every 39 seconds), and approximately 825 attacks were successful.

Most of these attacks used dictionary scripts, so weak passwords were usually guessed quickly. The project leader, Michel Cukier, stated: "Weak passwords are a real issue."

Enterprises still using passwords must strengthen the passwords their users choose in order to mitigate the threat from dictionary and brute-force attacks.
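The practical way to "strengthen the passwords users choose" is to run a candidate password through the same reductions a dictionary script applies before a user is allowed to set it. The following is an added example written for this post, not code from the University of Maryland study or from this blog; the word list, the leet substitutions and the minimum length are assumptions standing in for the much larger lists and rule sets a real attack script carries.

```python
"""Screen a candidate password against the mutations a dictionary script tries.

Added example, not code from the University of Maryland study or this blog.
The word list and the mutation rules are assumptions: a real attack dictionary
carries tens of thousands of words and many more rules, so treat this as the
shape of the check, not the list to deploy.
"""
import re

# Constructed mini word list standing in for a real attack dictionary.
WORDLIST = {"password", "welcome", "letmein", "admin", "qwerty",
            "summer", "dragon", "monkey", "football", "master"}

# Leet substitutions that dictionary scripts apply (and therefore undo) routinely.
_LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                       "7": "t", "@": "a", "$": "s", "!": "i"})

MIN_LENGTH = 12   # assumed policy minimum


def _attacker_views(password: str):
    """Yield the base words an attacker's rules would reduce this password to."""
    base = password.lower()
    # Drop leading/trailing digits and symbols: "Summer2007!" -> "summer".
    stripped = re.sub(r"^[\d\W_]+|[\d\W_]+$", "", base)
    for form in (base, stripped):
        yield form
        yield form.translate(_LEET)   # undo leet: "p@ssw0rd" -> "password"
        yield form[::-1]              # reversed-word rule


def check_password(password: str, username: str) -> list:
    """Return the reasons a password would fall quickly to a dictionary script.

    An empty list means it passed every check here.
    """
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if len(set(password)) < 4:
        reasons.append("fewer than 4 distinct characters")
    uname = username.lower()
    for view in set(_attacker_views(password)):
        if view in WORDLIST:
            reasons.append(f"reduces to dictionary word '{view}'")
        elif view and view == uname:
            reasons.append("reduces to the username")
    return reasons
```

Wire `check_password` into the account-creation and password-change paths and refuse any password that returns a non-empty list; the point is that "P@ssw0rd1" and "Summer2007!" satisfy most complexity rules yet reduce to a dictionary word in one step.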

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com

February 7, 2007

Hacking intranet sites

Robert Vamosi posted an interesting blog today on CNET, "Hacking intranet web sites from the outside". He attended an RSA presentation by Jeremiah Grossman, CTO of WhiteHat Security. The blog describes the attack on an intranet:

"In several live demonstrations, Grossman showed how it was possible, by appending the URL in a victim's browser with a call to remotely hosted JavaScript to see a victim's browser history or learn an internal IP address. With such information, he was then able to scan the internal network and locate any valid servers operating inside the corporate firewall. He showed how an attacker could mask all this by creating a simple iframe over the legitimate browser screen, so the victim could use the browser to surf the Net, unaware that JavaScript was running in the background. For fun, the attacker could send messages to the victim that would appear as alert dialog boxes."


Perhaps as ominous, the blog goes on to describe these types of attacks being launched from web-enabled printers or web-enabled UPS power strips. What is worrisome is that these attacks won't be picked up by anti-virus or other malware-detecting devices: the attack is ordinary JavaScript running in the victim's own browser, not an executable on disk.

There are so many relatively easy attack vectors into an enterprise. The bottom line is to have multiple layers of identity authentication strength behind the firewall, the anti-virus and the intrusion detection systems.

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com

February 11, 2007

The future of passwords

On Friday, the BBC published an interesting article "Keeping secrets from web spies". The article gives a reasonable overview of the use of passwords as well as the risks from things like keyboard loggers and other malware.

Passwords are the weakest form of security. While the article mentions things like key fobs that generate one-time passwords, it doesn't mention that these too are subject to phishing attacks.

The article also doesn't mention how to remember complicated passwords. It is only through the use of memory tricks that complicated, longer passwords can be memorized and recalled in the user's brain.

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com

Vishing attacks growing

Brian Krebs has an interesting blog this past week on vishing, "Cell phones: the new phish food". Increasingly common is the use of 1-800 numbers sent out in emails to lure the unsuspecting user into calling a bogus number and keying in sensitive identity information, which the criminals then use.

The best way to avoid this attack is:
1. Never click on any email links unless you are expecting them.
2. Google the 800 number and see if it is owned by the company in question.
3. Call the company on a phone number listed on the company's own website, which you find via Google, and ask them if the number is valid.

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com

Virtual perils growing

Last fall, I published a series of blogs on a new form of attack called "Blue Pill" which uses hardware virtualization to create what is thought to be a currently indefensible form of attack, and one to which the new Vista would also be susceptible. I was thinking of this when reading a recent blog by Brian Krebs of the Washington Post titled "Perils in Parallels?".

He was quite concerned about virtualization software. In his blog he described how he had installed the Vista operating system on top of Mac OS X using "Parallels", a virtual machine program. What bothered him was that Vista could rewrite and delete any files in the Mac operating system running underneath it.

While I agree that this is serious, I expect the manufacturers to remedy this. What came to my mind was the increasing use of virtual machine software and Blue Pill. By using Blue Pill the criminals can move the entire operating system into a virtual machine without the system admins even knowing about it.

This type of attack is ready for prime time. Beware of the use of hardware-assisted virtual machines.

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com

February 12, 2007

Wireless Hacking Gets Easier

At RSA last week, a small US company called Immunity rolled out a new product, "Silica", a hand-held device for surreptitious wireless penetration testing. The sleek device allows you to:

"* Tell SILICA to scan every machine on every wireless network for file shares and download anything of interest to the SILICA device. Then just put it in your suit pocket and walk through your target's office space.
* Tell SILICA to actively penetrate any machines it can target (with any of Immunity CANVAS's exploits) and have all successfully penetrated machines connect via HTTP/DNS to an external listening port running Immunity CANVAS Professional.
* Mail SILICA to your target's CEO, then let it turn on and hack anything it can as it sits on their desk.
* Have SILICA conduct MITM attacks against people on a wireless network."

The CEO of the firm, the former CIO of Bloomberg, is quoted in eWeek's article "Wireless Hacking Tool Makes Splash at RSA":
"The former CIO cooked up the idea for the mobile hacking device while at Bloomberg, where she was constantly worried about the use of rogue access points and unprotected wireless networking systems.

Whether being used to carry out man-in-the-middle attacks against unguarded wireless users or to seek out file shares sitting on people's desktops, the device is a convenient platform for proving the need for stronger access protection, according to the executive.

"People can ship this to their operations anywhere in the world to help test the vulnerability of their corporate networks," the CEO said. "We think there's a real market for this type of device."

I think that not only should enterprises use the device to test their networks, but they should also be aware that hacking their untested wireless devices just got a lot easier. It's time to strengthen the authentication on enterprise wireless devices.

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com

Bandit, Higgins and Pamelaware create new identity authentication wave

Last week at RSA, a joint presentation demonstrated the interoperability of different multi-platform and multi-protocol identity authentication standards. The presentation was titled "Open Source Identity Services - Multi-platform and Multi-protocol interoperability with Bandit, Higgins and others". It was proof that there is hope for meshing together the different identity and authentication technologies already in place in most enterprises. Let's look at the three components in the presentation to understand the significance of what they demonstrated.

Higgins is an extensible, platform-independent, identity protocol-independent, software framework that can support existing and new applications. It does this via:
* An identity attribute service (IdAS) that supports multiple identity context providers abstracting information from LDAP, SAML, OpenID, Infocard and RDF
* An Infocard provider and Security Token Service (STS) which uses IdAS from multiple identity providers
* Ability to use multiple forms of agents such as web-based and client-side card managers, browser extensions, and user interface (infocard selectors)

Higgins has been referred to as the Switzerland of identity. By being a neutral state it effectively allows different identity standards to inter-operate.

Bandit is an open-source project sponsored by Novell that implements open standard protocols and specifications so that identity services can be constructed, accessed and integrated from multiple identity sources. One of its goals is to provide enterprises with consistent identity services for authentication, authorization and auditing.

Bandit does this by using the following:
* Identity attribute service from Higgins (IdAS)
* Authentication services (CASA), which use a client credential store and authentication services, a simple security token service with Kerberos support, and server-side authentication modules (JAAS, JACC and mod-CASA).
* Role engine (leveraging Sun's XACML)
* Audit record framework (ARF) which uses a event submission framework using standard structured format for identity data

The Pamela Project champions robust, open source relying party code development and integration for information card technologies. Developed by Pam Dingle of Nulli Secundus, the demonstration showed a plugin for WordPress. Pam is an awesome identity analyst and an Infocard specialist.

What the demonstration did was the following:
1. Accessed a wiki through a gateway using username and password (the account came from Novell Access Manager (NAM), with NAM acting as the gateway and as a Liberty Alliance Service Provider).
2. Generated a managed card from a personal card (the card received its identity data from NAM using the Higgins IdAS and LDAP).
3. Accessed the wiki through the gateway with the card (a managed card linked from the personal card, with NAM acting as the relying party).
4. Accessed the wiki directly with the card (authorization and audit based on card data, using Bandit components).
5. Accessed the Pamela Project WordPress blog with the card.

This is the fore-runner of what typical identity transactions will look like in the near future in most enterprises. Hats off to the Higgins, Bandit and Pamela project members!

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com

Number of mobile attacks rises in the last year

Computerworld is running a story today "Mobile attacks jumped fivefold in 2006, study says" in which it quotes a newly released McAfee study claiming a fivefold increase in the number of security attacks reported on mobile devices.

The article states "According to data gleaned from more than 200 mobile operators worldwide, an overwhelming majority -- 83% -- said that their subscribers have been hit by some kind of mobile device infection. "This research clearly demonstrates that mobile security is moving quickly up the industry agenda, with the number of malware incidents rising," Victor Kouznetsov, McAfee's senior vice president of mobile security, said in a statement."

The article also states "Predictions of widespread mobile device attacks -- while made annually by security vendors and analysts -- have not yet been borne out. That was backed up by the survey, which noted that attacks involving between 1,000 and 100,000 devices accounted for just 15% of all reported security events."

So, the future is unfolding more or less as predicted. With the rise in use of mobile devices come new attacks on them. Make sure your mobile is secure. Enterprises must consider using layers of progressively stronger identity authentication. Also make sure that your NAC checks that mobile devices have the most recent patches before allowing them to connect to your network.

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com

Out of band authentication - part of an authentication solution?

Last week, Andrew Rulfe in E-Commerce Times wrote an article "Out-of-Band Authentication Protects Online Financial Data". In the article Andrew, VP of Authentify, states that financial institutions need to use out of band authentication methods, such as the telephone, to reduce risk to the enterprise and the financial institution's customers.

He states in the article:
"Here's how it works: During the attempt to transfer the funds out of the account, the online criminal would have been required to answer a telephone associated with the account in order to complete the transaction. The automated call consists of voice prompts directing the account owner to speak a confirmation number displayed in the Web browser.

Since completing the transaction depends on the user's ability to answer the phone number the account owner has given the bank and to successfully speak the confirmation number displayed in the browser, a person attempting to make a transfer without access to the out-of-band network (the account holder's phone) is denied.

Simply said, hackers can be armed with much, if not all, of a user's personal information, but that does not allow them to answer the user's phone or replicate the user's voice.

The phone works particularly well as an out-of-band authentication network. Along with being easy to use, it has the ability to produce an audible record of the transaction. The transaction record can include a .wav file recording of the user speaking the confirmation number, the record of the number dialed and answered, time stamps from the telephone network or even real-time voice biometric comparison."

Generally speaking, I believe he is heading down the right road. The use of the phone is a valuable weapon in reducing the risk of financial fraud. However, it needs to be part of a transaction authentication solution.

As Bruce Schneier constantly points out, most authentication mechanisms can be bypassed in phishing attacks. He says that authenticating the transaction is where the energy should be placed.

Therefore, the financial institution needs to have filters in place for every transaction. For low withdrawal amounts, the uid and password may be accepted: the financial institution accepts the risk of fraud because the cost of managing it with out of band authentication exceeds the potential loss.

The transaction software also monitors the frequency and time of day of withdrawals. When it sees frequent low-dollar withdrawals, it may step in and either alert the bank or proceed with out of band authentication.

For higher-risk dollar amounts, the transaction software automatically proceeds to out of band authentication, since the risk now outweighs the cost of the out of band transaction.

For even higher amounts, the transaction software may examine the user's physical computer, its IP address, geolocation, time of day and usage pattern. Based on what it sees, it may combine out of band authentication with further authentication mechanisms, and possibly alert the financial institution's managers in real time, before allowing the transaction to proceed.

This is the future for financial institutions as well as for most other enterprises. When the risk outweighs the cost it is time to use transaction software coupled with out of band authentication such as the telephone.
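The tiers above (uid and password for low amounts, a step-up to an out of band phone call when the amount or the withdrawal pattern raises the risk, and a real-time alert on top of that for high amounts with an unfamiliar device, location or time of day) are the same transaction authentication I describe in the Entrust and smartphone posts earlier this month. The following is an added example written for this post, not code from Authentify, from the E-Commerce Times article or from this blog; the thresholds, the risk signals and the profile format are assumptions, and the phone call itself is represented only by the decision to require it.

```python
"""Risk-tiered transaction authentication.

Added example (not code from Authentify, the article, or this blog). It turns
the tiers described above into a policy: uid/password alone for low-value
transactions, a step-up to an out-of-band phone confirmation when the amount
or the behaviour pattern raises the risk, and a real-time alert on top of that
for high-value transactions with anomalous device, location or timing signals.
Thresholds, the signal list and the profile format are assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Assumed policy thresholds (currency units) and velocity window.
LOW_VALUE = 100.0            # at or below: accept uid/password, absorb the fraud risk
HIGH_VALUE = 1000.0          # above: always out-of-band, plus extra checks
VELOCITY_WINDOW = timedelta(hours=1)
VELOCITY_MAX = 3             # prior withdrawals per window before low-value traffic is stepped up


@dataclass
class Transaction:
    user: str
    amount: float
    device_id: str           # fingerprint of the user's physical computer
    ip: str
    country: str             # geolocation of ip, resolved upstream
    at: datetime


@dataclass
class UserProfile:
    known_devices: set
    known_countries: set
    usual_hours: range                             # e.g. range(7, 22)
    history: list = field(default_factory=list)    # timestamps of past withdrawals


def make_tx(user, amount, device_id, ip, country, at_iso):
    """Convenience constructor taking an ISO-8601 timestamp string."""
    return Transaction(user, amount, device_id, ip, country, datetime.fromisoformat(at_iso))


def risk_signals(tx: Transaction, profile: UserProfile) -> list:
    """Compare the transaction to the user's past pattern; return the anomalies found."""
    signals = []
    if tx.device_id not in profile.known_devices:
        signals.append("new_device")
    if tx.country not in profile.known_countries:
        signals.append("new_country")
    if tx.at.hour not in profile.usual_hours:
        signals.append("odd_hour")
    recent = [t for t in profile.history if timedelta(0) <= tx.at - t <= VELOCITY_WINDOW]
    if len(recent) >= VELOCITY_MAX:
        signals.append("high_velocity")
    return signals


def decide(tx: Transaction, profile: UserProfile) -> tuple:
    """Return (required_authentication, signals) for this transaction.

    password         the uid/password already presented is sufficient
    oob_phone        call the registered phone; the user speaks the displayed code
    oob_phone+alert  as above, and page a fraud analyst before funds move
    """
    signals = risk_signals(tx, profile)
    if tx.amount > HIGH_VALUE:
        # Highest tier: out-of-band is mandatory; any anomaly also wakes a human.
        return ("oob_phone+alert" if signals else "oob_phone", signals)
    if tx.amount > LOW_VALUE:
        # Mid tier: the potential loss now outweighs the cost of a phone call.
        return ("oob_phone", signals)
    # Low tier: normally accept the risk, unless the pattern itself is suspicious
    # (many small withdrawals, or a new device/location at an odd hour).
    return ("oob_phone" if signals else "password", signals)


def record(tx: Transaction, profile: UserProfile) -> None:
    """Append a completed transaction to the profile used for velocity checks."""
    profile.history.append(tx.at)
```

Note that the decision is made per transaction, not per login: a criminal who has phished the uid and password, and even a one-time code, still cannot move a large sum without answering the customer's phone, and an attempt from an unknown machine in an unknown country at 3 a.m. is flagged to a person as well.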

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com

Criminals battling for control of botnet market share while industry and police can't compete

Computerworld today ran an article titled "'Storm Trojan' ignites worm war". The article states:
"Symantec Corp. researchers said that the "Storm Trojan," aka "Peacomm," is now spreading via AOL Instant Messenger (AIM), Google Talk and Yahoo Messenger.

An alert to some Symantec customers pegged the new infection vector as "insidious" because the message -- such as the cryptic "LOL ;)" -- and the included URL can be dynamically updated by the attacker. Even worse, according to Alfred Huger, senior director of Symantec's security response team, "it injects a message and URL only into already-open windows. It's not just some random message that pops up, but it appears only to people [you are] already talking to. That makes the approach very effective."

Moreover, the server from which the malware is downloaded to the victim's PC can be quickly changed by the attacker using the Trojan's peer-to-peer (P2P) control channel. "Everything can constantly change," said Huger. "

This is the second time since January that the Trojan worm has struck. Then, it used storm warnings in the message titles about massive European storms. The article also documents the vicious nature of the malware by containing within it denial of service attack modules:

"Among the multiple second-stage components downloaded to Windows PCs compromised by Peacomm, said Stewart, is a DDoS module that can be enabled at will by the attacker and aimed at any site. The January target list included spamnation.info, which was knocked offline for eight days starting Jan. 12. The better-known spamhaus.org was an indirect victim, too.

Systems hijacked by Peacomm have also conducted DDoS attacks against at least five domains used by the creators of the noted Warezov (or Stration) worm. After a busy September and October, Warezov was credited by some analysts as the genesis of 2006's massive fourth-quarter spike in spam volume. "

The article also concludes that most of the DDoS attacks are against other criminal malware, in a fight for control over the bots.

So there you have present day reality. Criminals are now fighting each other for control over bots while industry and police agencies are so far behind it isn't even funny.

Make sure your enterprise is prepared for IM based attacks. Then assume that some will be successful and have multiple layers of authentication strength behind the firewall.

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com

February 13, 2007

Microsoft issues BIG fix

Today Microsoft finally issued patches covering the majority of its outstanding major security flaws. The high criticality Word flaws reported in December have been patched, which means it took nearly two months from the time of report until a patch was available.

This batch of security patches is one of Microsoft's largest ever.

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com

Saving the internet...

Computerworld ran an interesting article yesterday titled "Spam, viruses, botnets: Can the Internet be saved?" The article is based upon the premise "The most sanguine of observers say that even if the Internet is able to avoid some kind of digital Armageddon brought on by spammers, hackers, phishers and cyberterrorists, it nevertheless will drown in a flood of mobile gadgets, interactive multimedia applications and Internet-enabled devices, including phones, cars, home appliances and radio frequency identification tags."

Then it begins to review the state of rethinking the internet from a clean slate including:
* FIND (Future of Internet Design) - A number of different projects funded by the NSF. One of which is "Ethane":
- Ethane - "which centralizes security rather than putting it all around the network in firewalls, virus scanners and the like. With Ethane, all communications are turned off by default. A host joining the network must get explicit permission from a centralized server before it can connect to anything except that server. And the server won’t grant permission unless it is able to determine the location and identity of the requestor."

* GENI - a $300-400 million dollar NSF project. "The Global Environment for Networking Innovation, or GENI, will be a giant test laboratory stretching across the U.S., complete with wired and wireless computers, routers, switches, management software and subnets of wireless, cellular, sensor and radio devices. It will include a fiber-optic backbone and tail circuits to some 200 universities."

However, if you're looking for an answer soon...THERE ISN'T ONE.

For example, the Ethane project leader is looking at a 15-year horizon. This means that we will have to deal with the onslaught of security risks we have now for a long time to come. You'll have to use layers and layers of stronger authentication security until new systems arrive to help you out.

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com

February 14, 2007

New way of viewing laptop security

Last week Wired News ran a story about a different approach to laptop security for the $100 laptop in the One Laptop Per Child project whose purpose is to give a laptop to every child in the developing world. The interesting thing about the story was the security approach taken.

The article states the following:

"Instead, the XO will premiere a security system that takes a radical approach to computer protection. For starters, it does away with the ubiquitous security prompts so familiar to users of Windows and antivirus software, said Ivan Krstic, a young security guru on break from Harvard who's in charge of security for the XO.

"How can you expect a 6-year-old to make a sensible decision when 40-year-olds can't?" Krstic asked in a session at the RSA Conference. Those boxes simply train users to check "yes," he argued.

Krstic's system, known as the BitFrost platform, has only one user prompt (turning on the camera) and imposes limits on every program's powers. Under BitFrost, every program runs in its own virtual machine with a limited set of permissions. Thus a picture viewer can't access the web, so even if a hacker comes up with an exploit that lets him control the program, he couldn't use it to grab all the photos on the laptop and upload them to the internet.

"Applications can no longer run rampant," Krstic said. "Spyware becomes very, very hard. It can't spy on the keyboard. You can only spy on how a user uses their program."

Krstic contrasts this approach to Microsoft's Windows XP where every program, including Solitaire, has the right to access the web, turn on the video camera, open spreadsheets and send e-mail.

Programs downloaded to the computer can't "request a set of permissions that let (them) do bad things," Krstic said, unless that software has been certified by a trusted authority, which will be either One Laptop Per Child or one of the countries signed onto the project. Users can, however, manually assign more power to a particular program through the security control panel.

Krstic's objectives are to attack the problem of malware by removing the economic incentive to attack, and to make security usable."

This approach is worth following. It may actually limit the effectiveness of malware attacks going after user-ID and password authentication.

How it fares when out there in the world remains to be seen. If and when there is an economic incentive to attack the laptop, the real test will be seen. So far however, the approach looks good.

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com


The inside dope on stealing your authentication

Wired Magazine produced a very interesting story on February 2 of this year. Called "Steal this download", it contains a 25-page PDF story about David Thomas, a high-tech criminal who for several years ran, on behalf of the FBI, a website trafficking in stolen credit cards and other identity-theft wares.

To put credit card theft into perspective the story says:
"The full scope of the problem is hard to judge, but nonetheless staggering. U.S. banks lost $546 million to debit card fraud in 2004, according to banking research firm Dove Consulting, and credit card fraud losses were estimated to be about $3.8 billion globally in 2003 according to The Nilson Report."

The story documents the arrest of members of Shadowcrew, a much-publicized credit card gang reported in other stories to have had 5,000 members. The story is interesting not because it gives an insider's view of one corner of credit card crime, but because of what it states towards the end of Thomas's story:

"The Shadowcrew bust was touted as a major success by law enforcement. Since the initial action, subsequent arrests in Operation Firewall have brought the total number of carders nabbed to 38 globally. Authorities say the suspects trafficked in more than 1.5 million stolen credit card numbers, resulting in losses estimated to be at least $4 million. The sting also netted more than 8.5 terabytes of forensic evidence -- the equivalent of 2.2 billion pieces of paper -- and involved more than a dozen criminal task forces in the United States and elsewhere."

"But the long-term effects of the operation on curbing criminal activity have proven to be almost nil. It wasn't long after Shadowcrew went down before new carding sites, such as CardersMarket and the International Association for the Advancement of Criminal Activity, or IAACA, popped up to take its place. And the bust opened the way for new problems as well."

"Amir Orad, executive vice president of security company Cyota (now owned by RSA Security), which has a command center in Israel from where researchers monitor the carding boards, says Operation Firewall made it more difficult for law enforcement to track carders. Once Shadowcrew went down, the community morphed from a small number of large carding sites to a larger number of small sites that have become harder to trace and infiltrate. And many of the most serious criminals have disappeared from the boards altogether, taking their activities further underground."

""What we see clearly is that taking down ... one group doesn't solve the problem, it creates multiple small problems," Orad says. "(We) haven't seen a major impact of those arrests besides maybe the publicity and the awareness that this whole crime costs."

Others have also disputed law enforcement's characterization of the significance of Shadowcrew's role in cybercrime, saying the website was more a sandbox for kiddie criminals than a virtual Cosa Nostra, and that those who were arrested were mostly low hanging fruit."

What this story documents is the inefficiency of the law in catching and substantially diminishing organized crime. Let's take a low average of $500 million lost to credit card fraud by US banks every year since 2004. That makes $1.5 billion for the last three years. The Shadowcrew bust amounted to $4 million. Let's assume that's only what the government can prove, and be generous and say that the amount they stole was 10 times or even 100 times that. Where are the prosecutions for the other $1 billion?

And remember, that's only the US we're talking about. There was reported to be $3.8 billion stolen globally in 2003. Using this number for each of the successive years that amounts to a staggering $11.4 billion over the last three years.

Make no mistake. It is well-organized crime that is behind the majority of the authentication theft going on, and they are not being arrested. As the Wired story notes, it's only the new-age script kiddies and relatively minor lowlifes like David Thomas and Kim Taylor who are getting caught and imprisoned.

People like these were paying $1000 per day to hackers to crack banks and card processing databases. What is worse is that most security experts agree that organized crime is now attacking non-financial enterprises using targeted attacks. Imagine the arsenal that real organized crime, with literally billions of dollars in revenue, can spend on cracking enterprise security systems. What protection do you have in place against this?

Make sure you use layered strong authentication security or you will be sorry.

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com


Cisco Routers Have More Vulnerabilities

Yesterday, Cisco announced in an advisory that its routers running Cisco Internetwork Operating System (IOS) versions beginning with "12.3" and "12.4" have flaws that could allow attackers to circumvent the Intrusion Prevention System (IPS) with malware and also to crash the routers. This is very important to take note of, since many enterprises deploy these routers. Patches and upgrades are available.

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com

Beware Valentine's Day email

Sophos today issued a press release "Heart attack: Valentine virus strikes at email inboxes" claiming that a widespread worm posing as a St Valentine's Day greeting has represented over 76% of all malware at Sophos's global network of virus monitoring stations.

The press release states:
"Subject lines used in the attack are many and varied, but all pose as a romantic message. Some of them include "A Valentine Love Song", "Be My Valentine", "Fly Away Valentine", "For My Valentine", "Happy Valentine's Day", "My Lucky Valentine", "My Valentine", "My Valentine Heart", "My Valentine Sunshine", "Send Love On Valentines", "The Valentine Love Bug", "The Valentines Angel", "Valentine's Love", "Valentine's Night", "Valentine Letter", "Valentine Love Song", "Valentine Sweetie", "Valentines Day Dance", "Valentines Day is here again", and "Your Love on Valentine's".

Attached to the emails are files called flash postcard.exe, greeting postcard.exe, greeting card.exe, or postcard.exe which contain the worm.

"This new Valentine attack is spreading hard and fast across the net, accounting for over three quarters of all the malware we've seen at email gateways around the globe since February 14 began," said Graham Cluley, senior technology consultant. "People will be truly lovesick if they let the virus run on their PC.""

Don't open any email and click on a link or attachment unless you are expecting the email, even if it's from someone you know. Otherwise, you may suffer loss of your authentication credentials and also have your computer become a bot.
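A mail-gateway check built from the indicators in the Sophos release above, as an added example that is not part of the original post or of Sophos's products: it parses a raw RFC 822 message with Python's standard `email` package, pulls out the Subject header and attachment filenames, and flags the message when both a quoted lure subject and a quoted worm attachment name are present. The sample messages are constructed; the verdict labels and the extra executable-suffix list are my own assumptions.

```python
"""Mail-gateway detection for the Valentine's Day worm indicators quoted above.

Added example (not from Sophos or AuthenticationWorld). Indicators come from the
press release text; sample messages are constructed here for offline testing.
"""
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from typing import Dict, List, Optional

# Subject lines quoted in the Sophos press release, normalised to lower case.
VALENTINE_SUBJECTS = {s.lower() for s in (
    "A Valentine Love Song", "Be My Valentine", "Fly Away Valentine",
    "For My Valentine", "Happy Valentine's Day", "My Lucky Valentine",
    "My Valentine", "My Valentine Heart", "My Valentine Sunshine",
    "Send Love On Valentines", "The Valentine Love Bug", "The Valentines Angel",
    "Valentine's Love", "Valentine's Night", "Valentine Letter",
    "Valentine Love Song", "Valentine Sweetie", "Valentines Day Dance",
    "Valentines Day is here again", "Your Love on Valentine's",
)}

# Attachment names quoted in the press release.
WORM_ATTACHMENTS = {
    "flash postcard.exe", "greeting postcard.exe", "greeting card.exe", "postcard.exe",
}

# Assumption: any executable attachment is worth a second look at a gateway.
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".pif", ".com", ".bat")


def attachment_names(msg: EmailMessage) -> List[str]:
    """Return the filenames of every non-multipart part that carries one."""
    names = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if name:
            names.append(name)
    return names


def classify(raw: bytes) -> Dict[str, object]:
    """Parse one raw message and return its subject, attachment names and a verdict.

    'worm'    - quoted lure subject AND quoted worm attachment name
    'suspect' - quoted lure subject OR an executable attachment, not both indicators
    'clean'   - nothing matched
    """
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    subject = str(msg["Subject"] or "").strip().lower()
    names = [n.lower() for n in attachment_names(msg)]
    subject_hit = subject in VALENTINE_SUBJECTS
    worm_file = any(n in WORM_ATTACHMENTS for n in names)
    exe_file = any(n.endswith(EXECUTABLE_SUFFIXES) for n in names)
    if subject_hit and worm_file:
        verdict = "worm"
    elif subject_hit or exe_file:
        verdict = "suspect"
    else:
        verdict = "clean"
    return {"subject": subject, "attachments": names, "verdict": verdict}


def build_sample(subject: str, filename: Optional[str]) -> bytes:
    """Construct a test message (constructed sample, not a real capture)."""
    msg = EmailMessage()
    msg["From"] = "friend@example.net"
    msg["To"] = "you@example.com"
    msg["Subject"] = subject
    msg.set_content("Open the card to see your surprise!")
    if filename:
        # A few bytes stand in for the attachment body; only the name matters here.
        msg.add_attachment(b"MZ\x90\x00", maintype="application",
                           subtype="octet-stream", filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    for subj, fn in (("Be My Valentine", "postcard.exe"),
                     ("Happy Valentine's Day", None),
                     ("Q1 budget", "budget.xls")):
        print(classify(build_sample(subj, fn)))
```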

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com

February 15, 2007

Swiss Cheese gets bigger holes.

Microsoft, after yesterday releasing security patches fixing four critical security holes in Word, today announced yet another Word security hole. The Microsoft Security Advisory says the attack can be launched by merely opening the document.

This means that since early December there hasn't been one day when Word has been open to a highly critical malware attack. That's a comforting thought isn't it? The Microsoft Office Swiss Cheese has wide gaping holes that seem to be growing.

As always, deploy layers of stronger identity authentication security to mitigate the enterprise risk.

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com

February 16, 2007

Default passwords = Drive By Pharming

There are over 30 million Cisco routers out there on the planet. Then add several million more each for D-Link and Netgear. That's one whole lot of routers busy routing IP packets. Many of them are now used in homes and small businesses. Now for the bad news.

Many of them are installed with the default IDs and passwords, like "Admin". A paper published in December by researchers at Indiana University, called "Drive-by pharming", outlines how this can easily be used to mount pharming attacks. Here's how it works.

A criminal creates a web page containing JavaScript and Java applets that works against routers from several of the leading vendors. If the script finds that you haven't changed the default router ID and password, it takes control of your router and changes its DNS settings.

For example, let's say that you are trying to get to your financial website "bank.com". You enter this in the browser URL bar. However, the browser is taken via the router to a phony bank.com website. Unbeknownst to you, if the website is well done, as current phishing sites usually are, you proceed to log on to the phony bank.com website, entering your ID, password and other stronger authentication mechanisms like tokens. Now the criminals are in control and can milk your bank account. This same methodology can be used against non-financial enterprises.

Most people don't look at the URL bar after typing in an address. If they did, they might notice the address changing to bank-phoney.com. Therefore this type of attack will work.

Furthermore, the underlying cause for this is the installation of the default router id and password. For most small business enterprises, all of this stuff is mumbo-jumbo. They simply install the router and get on with their business.

This type of attack thus exploits poor authentication at two levels: the router and the user at the browser. Don't get caught in the sights of this attack!

Make sure that you change the default settings on the router. Always pay attention to the URLs displayed in the browser after typing in addresses. If you don't, you may fall victim to drive-by pharming.

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com

IE and Firefox users beware...there are currently some serious flaws

Ryan Naraine yesterday wrote a blog titled "Browser beware: Unpatched holes in Firefox, IE 7". This blog demonstrates a serious security hole in IE browsers as well as in Firefox. Readers should take note.

In IE, the flaw captures the user's keystrokes when they are entered into, say, a blog, CAPTCHA or web chat. It can then use the typed information to read sensitive files on your computer. For a live demo, go here.

Firefox has a different problem: a flaw that could leave the browser appearing to be connected to a bank while it is actually communicating with the criminals. For an example, click here.

Be very careful when using your browser. The NoScript plugin can be used in Firefox until a patch is issued. Instructions for this are provided on the Firefox demo page linked above.

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com

Vendors fixing security holes

Many people complain about the time it takes vendors to first formally recognize that a security hole exists in their product, develop a patch, properly test it to make sure it is compatible with previous product versions, and then release it. Especially with Microsoft, where so many security holes exist and where so many users around the world can be affected, the monthly patch schedule means that hackers have a month, or in some cases two to three months, between when a high-risk security hole is found and when a patch appears.

Many IT executives are not entirely unhappy with Microsoft's monthly update. Ryan Naraine recently did a series of interviews with executives about this. The comments range from being mostly happy with the monthly schedule to growing fears about the enterprise becoming vulnerable to attacks in between patches.

Personally, I feel that the coupling of botnets with organized crime that has very large financial resources, enough to pay hundreds or thousands of programmers over $1,000 per day to develop attacks, means that many small and certainly mid-size enterprises are now at risk of an attack in between patches. The programmers produce the code, the criminal gang may then set up a local strategy combining social engineering and code attacks, the botnets deliver the code, and all of a sudden the enterprise is under attack. The chance that a mid-size enterprise has sophisticated intrusion prevention beyond the usual anti-virus and firewall is low. Thus, in my own opinion, these types of attacks will have growing rates of success.

An inside story from the vendor's perspective can be found by reading Alan Hargreaves' Sun blog on their recent fast track for fixing a telnet attack. This attack was a huge hole but was relatively easy to fix.

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com

February 17, 2007

More Cisco woes

In addition to the medium- to high-risk Cisco router security holes I blogged about earlier this week, Cisco has reported more security problems affecting its PIX 500 series security appliances, its 5500 series adaptive security appliances, and its Firewall Services Module. The security holes allow hackers to crash a networking appliance and bypass security policies. Additionally, a related vulnerability could be used to corrupt access control lists. This could allow traffic that should be blocked to pass into the corporate network.

Check the Cisco site to confirm whether or not your Cisco products can be affected. Fixes are available.

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com

February 19, 2007

Mac patches four Month of Bugs security holes

Late last week Apple issued four patches for security holes found during the Month of Apple Bugs (MOAB).

In a Computerworld article "Apple fixes four 'Month of Bugs' flaws" they described the fixes:
"Two of the vulnerabilities affect iChat; the most serious of the pair could be used by attackers to introduce malicious code onto a compromised Mac. "By enticing a user to access a maliciously crafted [AOL Instant Messaging] URL, an attacker can trigger the overflow, which may lead to an application crash or arbitrary code execution," Apple reported in an advisory.

The other two patches plug bugs in the Finder and in the operating system's UserNotification feature. The Finder flaw, said Apple, could be used to hijack a Mac by duping a user into mounting a malicious disk image; the latter might let attackers overwrite important system files, crippling the machine. "

Other bugs reported in MOAB remain unpatched. Like other operating systems, Apple's Mac has security flaws. As the market share increases, expect more attacks on the platform.

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com

Social engineering attacks using smokers

An interesting story ran late last week in Computerworld "Smokers may be the weak IT security link". It describes how a penetration tester in the UK used a door that smokers used for a cigarette break to enter the enterprise without any identification and then made it into a meeting room and logged onto the enterprise's VOIP network.

This is another example of how the weakest link in the security chain, often humans and human nature, can be used to bypass expensive security infrastructure. Bottom line: Train employees continuously, and also have layers of stronger identity authentication in place for when the network is successfully penetrated.

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com

PowerPoint under attack...unconfirmed

Last week, Symantec reported a security flaw in PowerPoint that would allow malware to be deposited on a user's computer by merely opening a PowerPoint file. If Microsoft confirms the security hole, it will mean that there are two high security risks in the Office product suite after just releasing a major patch to fix five others.

Users beware. Only open MS Office attachments that you are expecting; otherwise, do not open documents attached to email. As always, enterprises must use layers of stronger authentication to mitigate the risk of successful malware attacks launched internally from documents that contain malware.

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com

A debate about Vista Security - UAC and security risks

Joanna Rutkowska early this month published a blog called "Running Vista Every Day!". In it, while generally supporting Microsoft's Vista, she said that she had found what she considered to be a major security flaw in Vista. The flaw centered around User Account Control (UAC).

Joanna generally likes UAC. As she describes it: "User Account Control (UAC) is a new security mechanism introduced in Vista, whose primary goal is to force users to work using restricted accounts, instead of working as administrators. This is, in my opinion, the most important security mechanism introduced in Vista. That doesn't mean it can not be bypassed in many ways (due to implementation flaws), but just the fact that such a design change has been made into Windows is, without doubt, a great step towards securing consumer OSes."

However: "One thing that I found particularly annoying though, is that Vista automatically assumes that all setup programs (application installers) should be run with administrator privileges. So, when you try to run such a program, you get a UAC prompt and you have only two choices: either to agree to run this application as administrator or to disallow running it at all. That means that if you downloaded some freeware Tetris game, you will have to run its installer as administrator, giving it not only full access to all your file system and registry, but also allowing it e.g. to load kernel drivers! Why should a Tetris installer be allowed to load kernel drivers?"

She further states the following: "
To get around this problem, e.g. on XP, I would normally just add appropriate permissions to my normal (restricted) user account, in such a way that this account would be able to add new directories under C:\Program Files and to add new keys under HKLM\Software (in most cases this is just enough), but still would not be able to modify any global files nor registry keys nor, heaven forbid, to load drivers. More paranoid people could choose to create a separate account, called e.g. installer, and use it to install most of the applications. Of course, real life is not that beautiful and you sometimes need to play a bit with regmon to tweak the permissions, but, in general, it works for the majority of applications and I have been successfully using this approach for years now on my XP box.

That approach would not work on Vista, because every time Vista detects that an executable is a setup program (and believe me Vista is really good at doing this), it will only allow running it as administrator… Even though it’s possible to disable heuristics-based installer detection via local policy settings – see picture below:

Picture

that doesn’t seem to work for those installer executables which have embedded manifest saying that they should be run as administrator.

I see the above limitation as a very severe hole in the design of UAC. After all, I would like to be offered a choice whether to fully trust given installer executable (and run it as full administrator) or just allow it to add a folder in C:\Program Files and some keys under HKLM\Software and do nothing more. I could do that under XP, but apparently I can’t under Vista, which is a bit disturbing (unless I’m missing some secret option to change that behavior). "

She then describes the overall security threat: "
Still, even though that might look like a secure configuration, this is all just an illusion of security! The whole security of the system can be compromised if an attacker finds and exploits e.g. a bug in a kernel driver.

It should be noted that Microsoft has also implemented several anti-exploitation techniques in Vista, the two most advertised are Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP). However, ASLR does not protect against local kernel exploitation, because it’s possible, even for the Low IL process, to query system about the list of loaded kernel modules together with their base addresses (using ZwQuerySystemInformation function). Also, hardware DEP, which works only on 64-bit processors, is not applied to the whole non-paged pool (as well as some other areas, but non-paged pool is the biggest one). In other words, the hardware NX bit is not set on all pages comprising the non-paged pool. BTW, there is a reason for Microsoft doing this and this is not due to compatibility issues (at least I believe so). I wonder who else can guess... ;)

UPDATE (see above): David Solomon pointed out that hardware DEP is also available on many modern 32-bit processors (as the NX bit is implemented in PAE mode).

It's very good that Microsoft implemented those anti-exploitation technologies (besides ASLR and NX, there are also some others). However, the point is, they could be bypassed by a clever attacker under some circumstances. Now think about how many 3rd party kernel drivers are typically present in an average Windows system – all those graphics card drivers, audio drivers, SATA drivers, A/V drivers, etc... and try answering the question how many possible bugs could be there? (BTW, it should be mentioned that Microsoft did a clever step by moving some classes of kernel drivers into user mode, like e.g. USB drivers – this is called UMDF).

When an attacker successfully exploits a kernel bug, then all the security scheme implemented by the OS is just worth nothing. So, what can we do? Well, we need to complement all those cool prevention technologies with effective detection technology. But has Microsoft done anything to make systematic detection possible? This is a rhetorical question of course, and the negative answer applies unfortunately not only to Microsoft products but also to all other general purpose operating systems I'm aware of :( "

This article has stirred up the beginnings of a great debate on Vista security. Ryan Naraine published a blog last week, "Hacker, Microsoft duke it out over Vista design flaw", in which he had Microsoft's response to Joanna's blog and an email discussion with Joanna about that response.

The blog concludes with these final comments from Joanna: "
There are two different things, which should be distinguished:

1. The fact that UAC *design* assumes that every setup executable should be run elevated.

2. The fact that UAC *implementation* contains bugs, the one noted in the original blog entry that allows a low integrity level process to send WM_KEYDOWN messages to a command prompt window running at high integrity level.

I was “pissed off” not because of #1, I was “pissed off” because Microsoft employee — Mark Russinovich — declared that all *implementation* bugs in UAC are not to be considered as security bugs (see fact #2).

True, I also don’t like the fact that UAC forces users to run every setup program with elevated privileges (fact #1), but, I can understand such a design decision (as being a compromise between usability and security) and this was not the reason why I wrote my follow up titled “Vista Security Model - A Big Joke”. "

Bottom line: Vista is a significant improvement over previous MS OS's. However, it has a potentially major flaw in the way UAC is implemented. Malware that successfully exploits a kernel driver can bypass most of Microsoft's Vista security.

Stay tuned for more discussions on this.

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com

More Firefox phishing woes

Michal Zalewski, a Polish hacker, has uncovered a flaw in Firefox 2.0.0.1 that allows for phishing attacks. Examples of the attacks can be found here.

Mozilla is actively considering patches to address this.

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com

Successful denial of service attack against anti-phishing site

Ryan Naraine blogged late last week "Massive DDoS attack KOs CastleCops" on a successful denial of service attack against CastleCops, a high profile anti-phishing community website. The attack was so successful, it brought down their ISP.

The DDoS attacks continue. Two weeks ago, 3 of the 13 critical internet root servers were taken down (with no impact on overall internet service). Then last week, this attack.

Medium-size enterprises should be actively worrying about DDoS ransom attacks and working with their ISPs to prepare adequate defenses to mitigate this risk.

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com

February 20, 2007

More on Vista UAC and a potential attack

Ryan Naraine today wrote a blog, "Symantec: Vista's UAC prompts can't always be trusted", in which he documented a proposed attack by Symantec on Windows Vista. The attack focuses on Vista's UAC (User Account Control), which I blogged about yesterday.

Here is the proposed attack in Naraine's blog: "
* The user gets infected by malicious code running as a restricted user – Trojan or exploit are two likely vectors
* This malicious code drops a malicious CPL file to disk in a location that the restricted user can write to
* The malicious code then calls RunLegacyCPLElevated.exe with the malicious CPL as a parameter
* The user is presented with a UAC prompt that claims that Microsoft Windows needs to elevate permissions and not a third party application
* The user authorizes and the malicious code obtains administrative privileges"

A little disconcerting was that the blog stated that when Symantec approached Microsoft with this attack, they were directed to a "best-practices document (.doc) that makes it clear that UAC prompts should not be viewed as a security boundary because they don't offer direct protection."

This follows statements made in an earlier Naraine blog by Microsoft's Mark Russinovich in which he discussed the tradeoffs between application compatibility and ease of use, explaining the weakness as a "design choice."

Mark said: "Because elevations and ILs don’t define a security boundary, potential avenues of attack , regardless of ease or scope, are not security bugs. So if you aren’t guaranteed that your elevated processes aren’t susceptible to compromise by those running at a lower IL, why did Windows Vista go to the trouble of introducing elevations and ILs? To get us to a world where everyone runs as standard user by default and all software is written with that assumption."

Bottom line: Microsoft's UAC is a good idea poorly implemented. It is no longer a "security boundary", according to Russinovich. It's simply a warning mechanism that will likely be ignored by the user and, in the case demonstrated above by Symantec, will grant higher-level admin privileges to malicious code.

To make matters worse, Joanna Rutkowska has demonstrated the following: "UIPI, introduced in Vista, is for the rescue. UIPI basically enforces the obvious policy that lower integrity processes can not send messages to higher integrity processes."

"Interestingly, UIPI implementation is a bit “unfinished” I would say… For example, in contrast to design assumption, on my system at least, it is possible for the Low integrity process to send e.g. WM_KEYDOWN to e.g. open Administrative shell (cmd.exe) running at High IL and gets arbitrary commands executed."

"One simple scenario of the attack is that a malicious program, running at Low IL, can wait for the user to open elevated command prompt – it can e.g. poll the open window handles e.g. every second or so (Window enumeration is allowed even at Low IL). Once it finds the window, it can send commands to execute… Probably not that cool as the recent “Vista Speech Exploit”, but still something to play with ;)"

So, the number of attack vectors on Vista is opening up. Are the advantages of upgrading your enterprise OS to Vista to take advantage of UAC offset by the way it is implemented? Time will tell.

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com


February 21, 2007

Phishing using Google Maps?!

It seems that criminals are keeping pace with the times. A story published yesterday in ComputerWorld Australia, "Local banks scammed by PM scare", describes how a false news report that the Australian PM had a heart attack was used as a lure. Emails were sent out stating the false news, with a link in them. When users click on the link, they are taken to a web page stating that there was a 404 error. Unbeknownst to the user, the web page downloads malware onto the computer.

What makes this phishing attack unique is that the malware contains a trojan as well as software that uses Google Maps to tell the criminals the geolocation of the victim's IP address. Experts fear that this will aid the criminals in conducting identity theft.

Bottom line: Think about a link before you click on it. Otherwise you may see your identity authentication information and your location flow out the electronic front door.

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com

What happens when your intrusion protection system is hackable?

Two stories within the last week illustrate serious trouble with intrusion prevention systems. The first was the problems with Cisco routers which I blogged about. The router's intrusion prevention system was open to attack from criminals.

Then, on Monday of this week, it was reported and confirmed that a widely used open source intrusion detection software "Snort" was hackable as well.

Both of these incidents indicate the many attack vectors that criminals have to attack an enterprise. These types of attacks are very serious in that they are the very frontline of the enterprise firewall. If this is penetrable unknown to the enterprise, the front door is essentially either somewhat or wide open depending on the hole that is created.

What could be more proof that enterprises must deploy multiple levels of identity authentication within the enterprise? Like the castle defenders of old, it was realized that eventually attackers would find ways to overcome the moats, drawbridges and the first outer walls. This led to the implementation of inner walls, twisting staircases that were hard to attack, etc.

You need to have multiple layers of identity authentication getting stronger and stronger as the user drills closer towards high risk data and applications. Then assume that this too will be breached.

Use transaction software to protect your crown jewels and as a last resort, filter all outgoing traffic through your firewall looking for sensitive information. Otherwise you may be telling your workers, customers and shareholders some bad news.

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com

Google as an open door to your computer...

Watchfire this week released a paper documenting an extremely serious flaw with Google Desktop. The flaw allows a criminal to use JavaScript cross-site scripting to read a user's computer files. A great demonstration is available here.

Google has addressed the issue. Users must ensure they are running the latest version or they will be susceptible to this attack.

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com

How would you like to tell your customers and shareholders you've been stolen from for the last four years?

TJX is still in the news with even more bad news. A story today on CNET "T.J. Maxx probe finds broader hacking" claims the retailer has discovered that its customers' credit card data was stolen since 2003! Just imagine what damage that will have to the share price, their customers and credit card companies who must now reissue cards for millions and millions of their customers! I bet their management team and board are wishing they were a lot more interested in enterprise security several years ago.

UPDATE: Since I wrote this blog further press reports indicate that data was stolen from 2003 but that the attacks stealing this were from early 2005.

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com

Using RSS to distribute malware

A very interesting story today on Computerworld "Read RSS, get hacked". The story describes the likely increasing use by criminals of RSS feeds to widely distribute malware containing trojans which will capture user authentication information, etc.

Personally, I believe that this is a trend that will continue since many enterprises use RSS. They don't normally check the RSS feeds for malware. The article concludes with these comments: "Given the number of RSS readers being downloaded every day and the number of Web sites that aggregate and publish RSS feeds, it's easy to see why feed injection could become an even bigger nuisance than spam, Dickenson said."

"An analysis of malware samples with embedded URL links showed that hackers are already turning to blog feeds in a big way, Dickenson added. Of the 60,000 malware samples studied by Authentium recently, more than 1,000 had URL links with the word "blog" in them, he said."

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com

February 22, 2007

Elaborate pharming attack on 50 banks

Computerworld today is running a story "Elaborate 'pharming' attack targeted 50 banks". It documents an elaborate pharming attack targeted at 50 banks. Here's how it worked:

1. The victim was lured to a website.
2. When the victim arrived at the website, the website took advantage of a weakness in Windows documented last April and for which a patch was released. If the victim's computer wasn't patched, then malware was automatically downloaded into their computer from Russia.
3. When a user then went to visit any one of the 50 targeted banks, their computer was redirected to a false website, even though they typed in the correct url for the bank. The malware was doing a pharming attack.
4. The user then entered in their identity information through the false website which then logged in as the user on the real website.
5. The user then was able to do their banking. However, the criminals were now logged on as the user and could withdraw funds after the user thought they had logged off.

The malware also installed code on the victim's computer turning it into a "bot". Reverse engineering of this code found that the controller contained statistics of infected computers. More than 1,000 computers per day were being successfully infected.

Always check the url for the website you end up on. If it doesn't exactly resemble the url you typed in, then don't enter any identity or authentication information.
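The URL check recommended above, as an added example that is not code from the original blog: it compares the normalized hostname of the page you landed on with the hostname you typed, rather than looking for the bank's name somewhere in the address, since "bank.test.evil.test" and "bank.test@evil.test" both contain the intended name while belonging to someone else. All domain names below are constructed placeholders.

```python
"""Check that the page a user landed on is really the site they typed.

Added example for the pharming post above, not the blog's own code.
The domain names used here are constructed placeholders.
"""
from urllib.parse import urlsplit


def _normalized_host(url: str) -> str:
    """Return the lowercase hostname of url without a trailing dot.

    A bare hostname (no scheme) is accepted because that is what people
    actually type into the address bar.
    """
    if "://" not in url:
        url = "https://" + url
    # urlsplit() already lowercases .hostname and drops any user@ prefix,
    # so "https://bank.test@evil.test/" correctly yields "evil.test".
    host = urlsplit(url).hostname or ""
    return host.rstrip(".")


def landed_on_intended_site(typed_url: str, landed_url: str) -> bool:
    """True only if the landing page's host is exactly the typed host.

    Substring tests such as '"bank.test" in host' are deliberately avoided:
    'bank.test.evil.test' and 'bank-test.test' both contain the intended
    name yet are different hosts.
    """
    intended = _normalized_host(typed_url)
    actual = _normalized_host(landed_url)
    return bool(intended) and intended == actual


def is_punycode_host(url: str) -> bool:
    """Flag internationalized (xn--) hosts, which can visually mimic ASCII names."""
    labels = _normalized_host(url).split(".")
    return any(label.startswith("xn--") for label in labels)
```

This catches a redirect to a different address; if the malware instead tampers with name resolution, the address bar still shows the typed host, so the browser's TLS certificate validation is the remaining check.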

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com

Korean bots ordered from Germany in denial of service attack

The Korea Times reported on Tuesday that a recent attack on main servers managing the entire internet used Korean computers but was directed out of Germany. "Korea becomes haven for hackers" states that 61% of the computers used in the attack were Korean. However, it also states that a host server in Germany ordered the attacks.

The article further states:

"Korea has long been touted as a hotbed for hacking activity because the country has a wide-ranging interconnected network, a necessity for creating zombie computers.

Roughly 14 million out of the nation's 15.5 million households are hooked up to the always-on high-speed Internet to mark the world's highest broadband penetration rate.

``The envied broadband infrastructure was abused by hackers so the United States regarded Korea as the major source of the DOS attacks,'' Lee said.

``Things have become aggravated because many Korean computer users did not patch up their security holes, making them vulnerable to the secret raids of zombie specialists,'' he said.

Indeed, the download rates for Windows operating system patches are much lower in Korea than elsewhere in the world, according to Microsoft, the maker of the Windows software. "

The article then states "The government plans to increase the speed of the Internet to 100 megabits per second (Mbps) by 2010, about 50 times faster than the current 2Mbps." It concludes that "``We are concerned that the BcN network may give a machine gun to zombie computer controllers instead of the traditional handguns,'' the official stated."

I have blogged repeatedly about denial of service attacks. While this attack was high profile, the concern is for medium sized enterprises who don't expect to be attacked and then are held to ransom with an attack in progress. The attacks are so large that they can bring down the enterprise's internet service provider. A recent attack on an anti-phishing group took down their ISP.

All enterprises need to work with their ISP on an effective strategy to combat denial of service attacks. Failure to do so may result in very unpleasant pain.

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com

February 23, 2007

More browser high criticality security holes

Two more high criticality security holes have been found, one each in Firefox and IE. Ryan Naraine reports that Michal Zalewski is conducting an "unofficial month of Firefox bugs".

The Firefox hole crashes the browser and allows criminals to take over the PC. A demo of it is available here.

Ryan goes on to describe the IE hole, quoting Zalewski:

"He described the IE 7 issue as a “combination-type vulnerability” that allows the attacker to:

a) Trap the visitor in a Matrix-esque tarpit webpage that cannot be left by normal means (this is a known brain-damaged design of onUnload Javascript handlers),

b) Spoof transitions between pages so that the user thinks he actually managed to leave the affected site, and so that the URL bar displays other addresses we didn’t actually go to.

“This opens a plethora of spoofing/phishing scenarios,” Zalewski warned. A demonstration page is available for testing purposes."

Take care when using your browser. No patches are yet available for these holes.

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com

Phishing crimeware reaches highest level in December

In early February, the Anti-Phishing Working Group published the report for December 2006. The report summarizes the following:

* The number of recorded crimeware applications saw a major increase of 110 variants in December reaching 340, the greatest number recorded by the APWG – and the largest single-month increase ever recorded by the group.

* The number of phishing spoof sites dropped considerably to 28,531 in December 2006. This is significantly lower than November (37,439), but it is perhaps due to phishers taking their usual holiday vacation.

* APWG saw a total of 146 brands being hijacked in December, a rise of 26 brands and the fourth highest recorded by the APWG.

* This month saw a substantial decrease in time-live for phishing sites to just 4 days, down from 4.5 days in November and down from 5.3 days in December 2005.

The use of phishing continues to grow as a primary means of obtaining identity authentication information and then fraudulently using it.

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com

February 26, 2007

Something to be very nervous about

In December 2006, F-Secure researcher Kimmo Kasslin wrote a paper "Kernel Malware: The Attack from Within" and a presentation that outlined the growth of rootkit malware attacks. What made these very interesting and worrisome were the following:

1. While rootkit attacks still only make up a small percentage of overall attacks, they are growing very quickly.
2. He indicates in his paper that most anti-virus and other malware detection solutions are either incapable of detecting the rootkit or, if they do detect it, are very weak at removing the rootkit.
3. He also indicates the extreme damage that the rootkit can do to an enterprise.

This warning also fits in with a blog I wrote in the fall "Finding and removing rootkit attacks - How secure do you feel?". That blog was based on tests Symantec released comparing itself to other vendors re rootkit attack detection and removal.

The enterprise firewall, intrusion prevention and identity authentication schemes can be relatively easily bypassed via rootkits. Take note!

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com

February 27, 2007

More ways to penetrate a wireless network

Ryan Naraine had an interesting blog earlier this week "Hacking with Metasploit on a Nokia N800". In it, he describes how for only $399 hackers can use a wireless exploit penetration testing tool, Metasploit, in a covert manner. This type of attack is relatively easy to do and can be done by someone walking around with a backpack and a Nokia Tablet PC inside it running Metasploit.

The result can be penetration of your wireless networks, the insertion of malware, the capture of identity authentication information and the resultant loss of enterprise information. Ensure your networks are properly defended against this type of cheap and effective attack.

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com

Storm crashing on a blog near you

CNET today ran an interesting story "Storm Worm variant targets blogs, bulletin boards" indicating a new variation of the Storm Worm is in effect. The story states:

"The new Storm Worm variant attacks the machines of unsuspecting users when they open an e-mail attachment, click on a malicious e-mail link or visit a malicious site, said Dmitri Alperovitch, principal research scientist at Secure Computing."

"But the twist comes when these people later post blogs or bulletin board notices. The software will insert into each of their postings a link to a malicious Web site, said Alperovitch, who rates the threat as "high." "

"The danger in this most recent case, he added, is that the user is actually posting a legitimate blog or bulletin board notice, unaware that a malicious link has been slipped into the text of the posting."

This is another attack vector for criminals looking to capture your identity and authentication information. Before you click on any link, think on it first. Then, when posting to a blog, review your posting to ensure that a malicious link hasn't been inserted into your text posting.

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com