About March 2007

This page contains all entries posted to AuthenticationWorld Blog in March 2007. They are listed from oldest to newest.


March 2007 Archives

March 1, 2007

Foiling rootkit detectors

Joanna Rutkowska reportedly demonstrated yesterday at the Black Hat conference in Washington DC a way to defeat malware detectors that look for rootkit attacks. According to a story in Dark Reading, "How to Cheat Hardware Memory Access", Joanna says: "I believe that this is going to be the first public presentation of how malware can cheat hardware-based memory acquisition."

The article goes on to state:
"Researchers and forensics investigators today rely more on reading hardware-based memory to get an accurate picture of the OS to help detect malware, mainly because it's difficult to find rootkits in today's complex operating systems."

""All rootkit detectors on the market today can be seen as more or less random 'hacks' that check only some limited number of well-known places in the OS," Rutkowska says."

"Plus if the system has already been compromised, you can't trust any programs executing on it -- not even the rootkit detector program itself, she says. So hardware-based memory access has emerged as the best way to get a real look at what's going on."

Joanna is the same person who last year presented the Blue Pill attack, using virtual memory. She has also recently been discussing her concerns about Vista's UAC.

Bottom line: The attacks get cleverer and cleverer and the tools to respond to these attacks are far behind. Have layers of strong authentication in your enterprise to mitigate the risk. Use transaction authentication around your crown jewels. Then have filters on everything digitally leaving the enterprise to catch precious information that has evaded all the other defense layers.

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com

Phishing attacks rise against UK Banks from 40 to 1,000 a month

The BBC this week ran a story, "Which? highlights phishing losses", that documents the rising number of phishing attacks against UK financial institutions. The story says: "Phishing frauds against UK banks have shot up from 40 to 1,000 a month in the past two years, say banking experts."

The story then goes on to state that the UK consumer group "Which?" is calling on banks to give automatic compensation to phishing victims. The story states:

"A spokeswoman for the banking organisation Apacs said while this was true, there were no plans to change policies soon."

""The banks have all said they may do so in the future, because it (giving away confidential details) is like giving away your door keys," she said."

"But at the moment there are no current plans."

"She explained that banks were not planning to punish innocent victims of online fraud, but in some cases might refuse to compensate someone who had suffered losses more than once, on the grounds that their negligence was a contributory factor. "

Finally, the story ends with "The banking industry estimates that £22m was lost to phishing frauds in the first half of 2006."

Bottom line: Think on it before you click on any link in an email message. If you don't, your identity and authentication information may be stolen and you may incur a loss which your bank may or may not cover.

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com

More on foiling rootkit detectors

A great article appeared today in eWeek "Black Hat Demonstrations Shatter Hardware Hacking Myths". It discusses two presentations this week at the Black Hat Conference in Washington DC that destroy some common beliefs about detecting and removing rootkits.

The article states:

"One shocker was Coseinc Senior Security Researcher Joanna Rutkowska's demonstration of a way to subvert system memory through software—in essence, the shattering of our long-held belief that "going to hardware" to secure incident response is a security failsafe.

Security professionals at the show called it the "attainment of the holy grail," particularly since the only way to fix the system's memory corruption is to reboot—thus erasing all tracks of the subversion.

It's a digital forensic team's worst nightmare. How can you figure out—and prove in court or to auditors—what people have been doing on your company's PCs, for good or evil?"

It then goes on to talk about the other presentation, by John Heasman from NGSS (Next Generation Security Software). The article states:

"Heasman chose to persist a rootkit on a PCI device containing a flashable expansion ROM. At the present time, how to detect and prevent such an attack isn't understood when the system in question doesn't contain a TPM (Trusted Platform Module).

"My thinking is if you can get a rootkit into an environment where they reimage the system daily, as in some secure systems, we could still survive," Heasman said in an interview with eWEEK. "There are no tools in the public domain that would detect that."

Heasman went on to demonstrate the abuse of PXE, the Preboot Environment developed by Intel as part of its "Wired for Management" initiative."

Taken together, these two presentations present very serious challenges to enterprises, first in detecting rootkit attacks and then in getting rid of them. I am wondering (and this is just me dreaming out loud) if this is why the US Department of Commerce physically replaced over a hundred computers after being successfully attacked last year. Perhaps the US government had already realized that re-imaging the disks wouldn't necessarily guarantee the elimination of the malware.

Stay tuned for more discussion on this topic.

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com

March 2, 2007

Vista Activation Cracked?

Reports are starting to appear indicating that Vista's activation program can be hacked relatively easily by a brute force attack. An article today in the Inquirer, "Vista activation cracked by brute force", quotes Keznews, which contains software and step-by-step instructions on how to conduct the attack. Keznews states the attack can take hours or days to accomplish using only one PC (on the main page a user states they got three keys in five hours). If you were to apply a cluster of PCs then the time becomes easily manageable for criminals.

If this report is confirmed, it reflects very badly on Vista.

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com


Know your Enemy: Web Application Threats

The Honeynet Project and Research Alliance early last month published a very interesting report, "Know your Enemy: Web Application Threats". The report states:

"By their nature, web applications are often widely accessible to the Internet as a whole meaning a very large number of potential attackers. All these factors have caused web applications to become a very attractive target for attackers and the emergence of new attacks. This KYE paper focuses on application threats against common web applications. After reviewing the fundamentals of a typical attack, we will go on to describe the trends we have observed and to describe the research methods that we currently use to observe and monitor these threats."

This is definitely a report worth reading. The report covers all sorts of common attacks against web servers including code injection, remote code inclusion, SQL injection, cross-site scripting, IP-based scanning, spider-based attacks, the top 10 operating system commands targeted, email spam, blog comment spam, defacements, file hosting, scanning tools used, botnet recruitment, phishing, and trends in evasion and anonymity including proxy servers, Google Translate, onion routing and script encoding.

The report's recommendations on how to protect web servers are worth noting:

"Web servers can be protected from threats in many ways. Firstly, we recommend that the administrator keeps an inventory of what applications are on the web server and maintains patch levels for all of them. A host-based Intrusion Detection System, such as mod_security for the Apache web server may be used to block certain common attack vectors, such as "wget" and "curl" appearing in GET and POST requests. This will not provide complete protection from remote code inclusion attacks in particular, but will block many common attacks. If the attacker can include arbitrary code in the running application, they will be able to evade most keyword filters. Alternatively, an application proxy can be deployed in front of the web server to filter out these types of malicious requests. A Host Intrusion Detection System (HIDS) program such as Tripwire may be used to monitor the integrity of critical system files.

Correct configuration of web servers such as Apache and scripting languages such as PHP is also crucial. We mentioned register_globals earlier which allows an attacker to set variables which can cause problems if the developer has not specifically initialized them. The allow_url_fopen configuration directive should be disabled if possible as this prevents remote code-inclusion attacks. The Open Web Application Security Project provides further details on securing web servers and applications.

Programmers can create more secure applications by rigorously validating all input they receive. Where 'include' statements exist in PHP there should be no way for an attacker to control the name of the file being included. If input is going to be echoed back to the user, the application must take care that Cross-site scripting (XSS) attacks cannot occur. The typical example is to disallow or escape '<' and '>' characters to prevent the attacker from entering JavaScript code. Ideally SQL operations should be in the form of prepared statements so that data is treated purely as data and does not have the chance to become code, as it does in an SQL injection exploit. A full treatment of this subject is beyond the scope of this article but a good reference for PHP developers is "Essential PHP Security" by Chris Shiflett and published by O'Reilly press. There is also a good set of recommendations for programmers and system administrators as part of the SANS top 20 vulnerabilities, in section C1.3. These include making use of the Hardened-PHP Project's Suhosin tool to control the execution of PHP scripts, migrating to the latest version of PHP and making use of the PHP Data Objects extension when performing SQL queries.

We also recommend that a Network Intrusion Detection System is used which should alert the administrator to events such as connections from web servers to an IRC channel outside the organisation, the port-scanning activity that will be associated with some of the worms and scanning tools, and possibly the increase in traffic that may occur if the server is sending spam email or hosting a phishing web site. Lastly, the administrators should be responsive to the postmaster and abuse email addresses at their domain, which often provide rapid warning of incidents in progress."
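The three programmer-side recommendations in the quoted passage (no attacker control over an included file name, escaping '<' and '>' before echoing input, and prepared statements so data never becomes code) are easier to see side by side in code. The following is an added example written for this page, not code from the Honeynet report or from this blog; it uses Python with the standard-library sqlite3 module in place of PHP, and the user table, page names and file paths in it are constructed for the illustration. The vulnerable string-built query is kept next to the prepared statement so the difference is observable on the same input.

```python
import html
import sqlite3

# Constructed in-memory user table standing in for the application's database.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn

# --- SQL: string-built query (vulnerable) vs prepared statement (safe) ---
def lookup_role_concat(conn: sqlite3.Connection, name: str) -> list:
    # The caller's string is pasted into the query text, so data can become code.
    sql = "SELECT role FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]

def lookup_role_prepared(conn: sqlite3.Connection, name: str) -> list:
    # The value is bound as a parameter and is only ever compared as data.
    rows = conn.execute("SELECT role FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]

def sql_demo(name: str) -> tuple:
    """Run both lookups on the same input and return (concat, prepared)."""
    conn = make_db()
    return (sorted(lookup_role_concat(conn, name)),
            sorted(lookup_role_prepared(conn, name)))

# --- Output: escape before echoing so '<' and '>' cannot open a tag ---
def render_greeting(user_input: str) -> str:
    return "<p>Hello, " + html.escape(user_input) + "</p>"

# --- Include-style selection: the user picks a key, never a file name ---
# Hypothetical page paths, constructed for the example.
PAGES = {"home": "pages/home.html", "help": "pages/help.html"}

def resolve_page(requested: str) -> str:
    # Unknown keys (including path traversal strings) fall back to the default.
    return PAGES.get(requested, PAGES["home"])

if __name__ == "__main__":
    print(sql_demo("alice"))            # (['admin'], ['admin'])
    print(sql_demo("x' OR '1'='1"))     # (['admin', 'user'], [])
    print(render_greeting("<b>bob</b>"))
    print(resolve_page("../../etc/passwd"))
```

The second `sql_demo` call shows the point the report makes: the same input that makes the concatenated query return every row is, when bound as a parameter, just a name that matches nothing. The allowlist in `resolve_page` is the simplest way to honour "no way for an attacker to control the name of the file being included": the request selects among fixed paths and never supplies one.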

Taken all together, this is a fine piece of work and is definitely worth a read. As always, I close by noting that all enterprises should understand the numerous attack vectors open to criminals in attacking your enterprise. The reality is that some of these attacks will be successful despite your best efforts. Therefore, put in a many-layered defense system using strong authentication, transaction authentication and filters on digital data leaving the enterprise to catch thieves walking out the electronic front door with your crown jewels.

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com

March 6, 2007

Update Quicktime to avoid malware problems

Yesterday, Ryan Naraine blogged about Apple's latest QuickTime patch update and recommended that all users update. The reason is that there are several holes in QuickTime, affecting both Mac and Windows users, that could allow hackers/criminals to take over your computer. Some of the attacks documented can result in malware being deposited which can then capture your identity and authentication information.

Read his blog for more information and ensure you have the most recent patch, available from Apple's download site.

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com

More on Vista activation attack

Well, there is some doubt that the attack against Vista works. Computerworld's "Vista activation crack a 'joke,' says hacker" states that the hacker has said it was all a joke. However, some people are claiming that it does work and that the hacker is under pressure of criminal charges or litigation from Microsoft.

I am speculating that the hack does work, albeit slowly if using one computer. I am also speculating that organized crime may use this hack in conjunction with clusters of servers to come up with activation codes that Vista/Microsoft will accept. This is pure speculation on my part. However, I believe that there is some financial gain to be had for criminals if they can quickly brute force the activation codes and thus avoid licensing costs for Vista.

Time will tell if my speculation is wrong or if there is something here.

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com

eBay under increasing phishing attacks

eWeek today ran a story "What's Bugging eBay?" that is worth reading. The article documents the increasing number of sophisticated phishing attacks from "Vladuz, the Romanian impaler".

The article quotes "The eBay villagers are whispering that he can creep through eBay's internal databases and suck the lifeblood of customer accounts—log-ins and passwords—right out of their pulsing, 222 million-plus customer heart. He's putting up bogus listings as fast as eBay can take them down, and that proves he's walked through a security hole as big as a barn door."

eBay, in response, is quoted in the article: "No, eBay insists, this hacker, this Romanian wiseguy who goes by the handle Vladuz, is "nothing new." He's just another phisher, says eBay spokeswoman Catherine England, one of hundreds the huge auction site has to deal with constantly."

The article then goes on to quote other sources claiming that eBay is downplaying the situation and that the criminal is making significant intrusions into eBay.

Stay tuned for more on this. As always, protect your authentication information by thinking on it before you click on any link in any email.

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com

March 7, 2007

Adam Laurie cracks RFID in new UK Passports

Adam Laurie, of the UK, was reported yesterday by Computerworld to have cracked the RFID chip contained in new UK passports. The story, "Crack! Security expert hacks RFID in UK passport", documents how, using a brute force technique with information gleaned about the passport holder from the internet, Adam was able to crack the code with his program after 40,000 attempts.

While this may seem like a lot of attempts, computers are able to deliver thousands or tens of thousands of attempts per minute, or even more. Therefore, the program is very quick.

Adam didn't even take the passport out of the wrapper it was delivered in.

The story quotes the British Government as responding:
"The key point ... is that the information on the chip cannot by changed, rendering the procedure described by Adam Laurie pretty pointless," wrote Peter Wilson, senior press officer, in an e-mail.

"Further, a cloned chip would have to be inserted into a forged passport, and new security measures in the passports make that "virtually impossible," the Home Office said, quoting a report released last month by the National Audit Office."

To which the story then quotes Adam "But Laurie said the new passports were marketed as enhancing security, "but so far I don't see anything about it that increases my security.""

"The greatest weakness with the passports is using relatively easy-to-find data to compose the encrypted key, Laurie said. It would be better to include more random elements that would render brute-force style programs nearly useless, he said."

Bottom line: RFID is breakable depending on the encryption scheme used. In this case, the key used with the encryption algorithm was poorly designed and open to brute-force attacks.

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com


Crime ring uses phishing and malware to scoop up the money

Bloomberg today ran a story, "Crime Ring Used TD Ameritrade, Schwab in Online Fraud", which outlined how criminals netted over $700,000 by using phishing and malware to capture users' brokerage account uids and authentication passwords.

I suspect this story is just the tip of the iceberg. In December there were over 28,000 phishing sites. Vinton Cerf, one of the original internet creators, recently stated that one quarter of all internet computers (150 million out of 600 million) are being contaminated with malware and are acting as bots. Therefore, the likely impact of crime is probably at least a couple of orders of magnitude greater than the amount discussed in this story.

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com

March 8, 2007

Code obfuscation, hackers and malware

Searchsecurity.com today has an interesting article "Dynamic code obfuscation: New threat requires innovative defenses". The article lays out the changing face of malware and the threat to enterprises.

As the article states, code is often intentionally obfuscated to prevent reverse engineering. Hackers in the past have adopted this as well. Malware detectors responded by using code signatures to detect the obfuscated code which has already been recognized. However, as the article points out, the game has gone up a notch with dynamic code obfuscation.

Today, viruses are created that are unique for every computer they infect. This effectively kills traditional signature-based malware detection, since every attack is now unique. It requires anti-virus vendors instead to adopt heuristic approaches.

The challenge with adopting this technique is that it's very processor intensive. As the article points out, it likely means placing this technology at the enterprise gateways.

My point is that all this technology is pretty new and that in some or many cases, it is insufficient to prevent malware attacks. The advantage is currently with the criminals until we have widespread adoption of new detection techniques. This means that it is likely your outer perimeter will be successfully breached. Have in place layers of additional identity authentication security behind the firewall to mitigate the risk.

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com


Quebec Healthcare goes down due to virus?

There is a very interesting story in a UnixAdminTalk discussion group about the entire Quebec healthcare system becoming infected with a virus. The virus had a denial of service attack component that effectively killed network connectivity at several hospitals. The post says that some hospitals were down for three days and reverted to paper to order tests etc.

Now if there ever was a case for having a layered authentication security strategy, I'd say this was it. They didn't, and the result was a provincial crisis.

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com

Vishing attacks grow in sophistication

Brian Krebs today has a blog post that outlines a smart vishing attack on Bank of America customers. The customers receive an email notifying them that they are in violation of the bank's acceptable use policy. The email then gives the customer a 1-800 number to dial. In this case, the message was done very well. It asked for the customer's PIN in order to validate their identity. After that, the criminal has the information to begin drawing down the account.

Don't respond to these emails or use the phone number provided!!!! If you are concerned, look up the bank's phone number in a telephone directory or via the internet and call them directly to talk about the email and your account. If you don't, your identity and authentication information are in the hands of criminals.

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com

More Swiss Cheese - Another Word Hole

Two days ago, Symantec reported a possible new hole in Word. Yesterday, US-CERT issued a vulnerability note confirming the problem. Today, Computerworld ran an article "Beware Word docs: New bug crashes Windows XP, 2000" that confirms all the above. The hole causes Microsoft Explorer to crash making Windows unusable.

As always, think on a document attached to an email before you click on it. Otherwise, the document may have malware within it, causing you to lose identity authentication information such as your uid and passwords. Always beware of Office documents, since there are often unpatched security holes in them.

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com

Identity Theft News is Gloomy

Yesterday, Network World published an article "ID theft forecast: Gloomy today, worse tomorrow". In it, the article quoted Avivah Litan, a Gartner analyst as saying the following:

* "For the year-long period that ended last August, 15 million people were burned by some kind of fraud related to identity theft"

* "That number is 50% higher than 2003 data released by the Federal Trade Commission"

* "The average identity theft fraud loss more than doubled in 2006 to $3,257 from $1,408 the year before"

* "The percentage of recovered funds dropped to 61 percent in 2006 from 87% in 2005"

* "The average loss on new-account fraud -- where criminals use the data they've stolen to open new credit card or bank accounts -- was $5,962 in 2006, a jump of 223% over 2005's $2,678."

* "...unauthorized charges to credit cards leaped nearly fourfold, to an average last year of $2,550. Unauthorized charges in 2005 averaged just $734."

Further on in the article it states ""But I really think that it will take an extreme attack of some kind and broad disruption before things change," Litan said."

This just confirms what other experts and I have been saying, i.e. there are at least two to three years of more bad news ahead before things start to get better.

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com

March 9, 2007

Anti-virus effectiveness

The evidence continues to mount that the upper hand in the arms race between anti-virus vendors and criminals rests with the criminals. Today, Brian Krebs blogged about "Online Anti-Virus Scans: A Free Second Opinion". In the post he referenced several sites showing that anti-virus tools frequently miss new virus variants.

If you drill down into the data in the AV-Comparatives report published February 6, 2007, you will see that most vendors have trouble detecting backdoors, Trojans and other malware. Kaspersky did well in this test at over 99%. However, even with this rate, it is missing one in a hundred. The rest of the vendors fall off the wagon with results ranging from approximately 96% to 51%. Other studies I have blogged about show the rate to be much worse.

What this means is that some malware is going to get through your anti-virus defenses. The question is, what are you going to do about it?

If you are smart, you will have some heuristic intrusion detection system running to pick up some of the malware based on the way systems and applications operate. However, these may or may not pick up programs that trap users' uids and passwords and pass them out the electronic door to criminals.

So then what? The only answer is to have layers of stronger and stronger authentication as the user accesses higher risk applications. However, once again, these too may be foiled. Therefore, you need to have transaction authentication protecting your enterprise crown jewels.

The last line of defense must be filters on everything leaving the enterprise electronically which are looking for high risk data and information.

Without this, your enterprise is at medium to high risk of being successfully breached. The worst part is, you might not know of it until several months or years later.

An alternative to the above strategy is to change your mindset at the firewall and deny all except those with permission. This, however, requires a big change in user behavior since it will restrict much of what they can do. More about this in the next blog post.

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com

Deny all except with permission

The BBC ran an interesting story today "Staying safe without anti-virus". It covers, at a high level, the elimination of the use of anti-virus software. Essentially, the article covers what I call "Deny All Except With Permission". This is an area where I believe more and more enterprises will move to over the next two to three years. Why?

Most experts agree that currently the upper hand is with the criminals in the malware arms race. The existing protection technology can't keep up with the many different attack vectors open to criminals. The result is that while many enterprises will adopt heuristic detection systems, these too will never be 100% effective. As a result, the press will be full of bad news stories over the coming two years. They will document the damage and there will be a lot of hand wringing going on.

An alternative is to change the way enterprises currently work at the firewall. Today, most enterprises allow all traffic to pass through except for traffic that is on a bad list. The reasons for this are performance and user ease of use. Security is thus reduced.

By switching over to deny all except with permission, the rules of the game can be tilted in favor of the enterprise and away from criminals. Only those processes you want to run will be allowed in through the firewall, while everything else will be denied. This can significantly reduce the exposure to existing malware.

However, this is not a panacea. The result is performance restrictions at the firewall. Further, users may not have as much freedom.

I might take issue with the one-man IT shop guy quoted in the BBC article on his total plan. He is still exposed to employee actions on the internet. Getting rid of anti-virus is okay, but there also needs to be an intrusion detection system behind the firewall. It needs to mitigate the risk of data leaving the enterprise through things like criminals obtaining user uids and passwords via social engineering attacks, hardware keyboard loggers and software keyboard loggers. Further, there also needs to be detection on all traffic leaving the enterprise, to prevent sensitive data from leaving when a security breach has been successful.

Bottom line? Moving to deny all except with permission is going to become more popular over the next two to three years. However, it too is not perfect. Always have a layered security defense system in place using stronger authentication, transaction authentication and filtering of all traffic leaving the enterprise.

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com

March 10, 2007

Phishing getting more clever

Yesterday, eWeek ran an article, "Trojan Targeting eBay Motor Buyers", that indicates the growing sophistication of phishing attacks. The article documents how a new phishing attack against eBay car buyers works.

The user receives an email. In the email are pictures of cars for sale from the eBay website. The user then clicks on an attachment in the email. Malware is downloaded. The user then sees what looks to be the eBay site. They fill in the information and pay their money. However, the site is fake and the money goes to the criminals.

Don't click on any link or attachment in an email unless you are expecting it. Otherwise, malware will likely be deposited on your computer, your uid and authentication information stolen and your money may also go along to the criminals.

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com

March 11, 2007

Botnet sales pitch using DNS attack?

There was a very interesting article on Friday in Dark Reading "DNS Attack: Possible Botnet Sales Pitch". The article discusses reasons for the February denial of service attack that temporarily crippled two of the internet's 13 Domain Name System Root Servers. One of the reasons being hypothesized was that this was a "sales pitch" to demonstrate the strength of a botnet.

The article goes on to describe the attack. What I found interesting was the conclusion of the article:

"To help mitigate future attacks, ICANN recommended last year -- and reiterated in the paper -- that DNS server operators verify source IP addresses, and that ISPs should only accept DNS queries from "trusted sources (i.e. their own customers)." ICANN acknowledged that the recommendations had been "met with mixed success.""

"In addition, ICANN called for educating consumers on botnet infection, and ensuring that consumers change their home router's default passwords."

"But whether the recommendations for thwarting future DNS infrastructure attacks will fall on deaf ears is unclear. "Getting ISPs to implement source filtering and turning off open-recursive lookups has been an ongoing battle for many years -- and one with only limited success," says Craig Labovitz, director of engineering at Arbor Networks. "And while reflective attacks provide an easy way for zombies to attack [and] multiply firepower, it is not clear reflection played a significant role in the most recent attacks.""

A huge problem exists with the existing DNS infrastructure. I have blogged repeatedly about DNS threats. In my mind, the threat of a large scale internet shutdown still exists. However, why would any criminal want to do this? The answer is that it is not likely to come from a criminal gang, since the shutdown of the internet would draw intense investigation. However, I can definitely see a country that wanted to shut down the western economies and cause economic and political damage doing this.

Meanwhile, back at the enterprise level, the threat of DNS attacks exists and can be very high. Work with your ISP to ensure that this type of attack won't cripple your business.

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com

Yikes!

Last week Dark Reading's site editor, Tim Wilson, wrote a blog post, "Firewalled - One Bite Is Not Enough", that made me very depressed. Having attended last week's Visa Security Summit, he describes the current law enforcement attempts to catch the bad guys. What he wrote, while I know all this, depresses me to read.

Here are some article quotes that should make you depressed too:

"..that U.S. law enforcement agencies seldom attack computer crime in any sort of coordinated, nationwide fashion. Almost everything is still being done regionally."

"Internationally, the problem appears to be even worse. During the presentation, a discussion of the prosecution of international computer criminals quickly devolved into an explanation of jurisdictions and extradition treaties. One of the speakers essentially said that Interpol, the organization that's supposed to be coordinating cross-border crime investigations, is all talk and no action."

"All four of the speakers conceded that they investigate only a fraction of the cases that are reported, because only that fraction has a chance to result in arrest and conviction. If it's unlikely that the cops can find the criminal -- or if they anticipate having trouble prosecuting the case -- they simply don't even look into it. "We just don't have the resources," two of the speakers said."

"So the average Russian spammer today is sitting pretty. Even if U.S. or U.K. officials could find him, which is no easy task, they probably wouldn't have the resources to pursue an arrest. And even if they did find him and arrest him, they might not be able to extradite him -- or they might not be able to build a case that resulted in a prosecution in another country's courtroom."

"When we polled black hats about their attitudes last month, fewer than 3 percent of respondents said they worry about getting caught and ending up in jail. Four percent said they worry they might get caught, but they doubt they could be convicted. Five percent said they know getting caught is a possibility, but they don't worry about it."

"...it appears that today's computer cops are more bark than bite."

Bottom line: Don't expect law enforcement officials to protect your enterprise. Absolutely make sure you have a layered identity authentication defense in place.

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com

March 12, 2007

Italians fall victim to criminals

eWeek is reporting today on an event last week in Italy in which Windows Live search was reportedly taken over by criminals. As a result, whenever an Italian user entered a popular search term, the website they were directed to was a fake site that contained malware. The article reported that fake pop-up boxes and pages with false Windows error messages were often displayed, requesting that the user install something. What the users didn't know was that what was being installed was malware.

This kind of attack is extremely hard to prevent from the user's perspective since they are trusting the integrity of the search engine. When the search engine has been compromised, the user is in severe danger of an attack.

Make sure that your users think before they click on a link.

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com

March 14, 2007

Apple's Big Fix - Security is still an issue with the Mac

Ryan Naraine had an excellent blog today, "Apple bumper patch vindicates MOAB, MOKB hackers", on the recent massive security patch from Apple addressing 45 security holes. In it he documents the recent fixes, due in part to the recent "Month of Apple Bugs" and the earlier "Month of Kernel Bugs" projects. As he points out, some of the holes were high risk.

More importantly, he highlights management tasks that Apple has to do in order to put its own house in order regarding security. While Apple is currently running all sorts of ads and promotional material highlighting why the Mac OS is safer than Windows, the truth is it hasn't been as severely tested by hackers and criminals as Windows has.

Read his blog since his recommendations are excellent.

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com

A consumer's identity may be stolen and found by the authorities, but the consumer remains un-notified

Brian Krebs of the Washington Post today wrote an interesting article, "Cyber-Criminals and Their Tools Getting Bolder, More Sophisticated". In it, he documents the case of one man who had his bank information stolen. When the man received a new bank ID and password, these too were stolen by the same software that stole his original passwords, but this time it also took his Social Security Number and online shopping data.

Towards the end of the article, Brian outlines how law enforcement agencies are overwhelmed by the amount of identity theft data they come across. The article quotes make for some nervous reading:

""We're just getting overwhelmed with this [compromised] consumer data, but it's not exactly law enforcement's job to call each victim and explain the situation," said Dan Larkin, an FBI agent who heads the National Cyber-Forensics & Training Alliance in Pittsburgh."

"Credit bureaus are not required to notify consumers."

""The credit bureaus work on behalf of banks and companies that grant credit," said Ari Schwartz of the Center for Democracy and Technology, a consumer advocacy group in Washington. "They're not set up to be consumer-oriented businesses.""

"And the credit bureaus say they are not in the habit of reaching out to consumers whose private information may have been compromised."

""Normally we would not put a fraud alert on a file without a consumer being involved" or initiating it, said Maxine Sweet, a vice president with Experian, one of the three major credit-reporting bureaus. "That's just not something we generally do.""

In the US, then, a consumer may have their identity information stolen. The police may come across this, yet the consumer may not know that their identity data has been stolen. Worse, a credit agency might know and also not notify the consumer. It's only when the consumer goes to apply for more credit that they would realize their identity information had been stolen.

In other words, there is no one in the US notifying consumers that their identity information has been stolen! That's what I call bad.

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com

Brian Krebs' "Tracking the password thieves"

Brian Krebs of the Washington Post today wrote a blog, "Tracking the password thieves", documenting how he had traced a virus back and found that it had infected 3,221 victims in all 50 US states. The blog documents several very interesting points:

1. The virus records a "geo-IP": the estimated latitude and longitude of the user. Why would a virus do this? Financial institutions are now more frequently using "transaction authentication" software when you make a financial transaction. So, even though you've logged on successfully, the transaction authentication software checks which geo-location you're coming in from. If you're in Kansas and the identity making the withdrawal is in Russia, the software might refuse the transaction and notify the bank. Criminals have therefore got smarter: they now try to figure out where your identity lives and then have someone make the electronic transaction from the geo-location where you live.

2. Many of the victims, when contacted, were keeping their computers up to date with anti-virus and Windows patch updates. What they didn't realize was that the virus had turned off the anti-virus software.

3. Many of the victims thought the anti-virus software would catch all the viruses. Brian found out that three free anti-virus tools a week later still didn't think the virus was malicious.

4. Most of these victims had clicked on an email link or document attachment to start the virus. My advice is to "think before you click on it". Don't click on any email link or document attachment unless you are expecting it.

5. Many of the victims were well computer-educated people. Some were working for large companies whose internal computers were affected by the attack.

Bottom line: There are likely millions of people and thousands of enterprises who are infected and don't know it. Therefore, from an enterprise perspective, have a layered authentication strength defense to mitigate the risks.
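Point 1 above describes a geolocation check of the kind the post calls transaction authentication, and the way criminals sidestep it by transacting from the victim's own region. The following is an added example, not code from the post or from any bank; the account, coordinates, transactions and thresholds are constructed. It implements the distance check and shows why the post's advice to layer defences matters: the attempt from Russia is refused, but a high-value attempt from next door passes the geo test and is only caught because a second layer (here, an out-of-band confirmation step) is applied to it.

```python
"""Added example: a geo-distance transaction check with a second layer.
Constructed for illustration; not code from the post or from any institution.
Account, coordinates, transactions and thresholds are all made up."""
from math import radians, sin, cos, asin, sqrt

EARTH_RADIUS_KM = 6371.0

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two lat/lon points, in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi = p2 - p1
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))

# Constructed account profile: the customer's usual location (central Kansas).
ACCOUNT_HOME = {"acct": "A-1001", "lat": 38.5, "lon": -98.0}

# Constructed geolocated transaction attempts (what a geo-IP lookup would give).
TRANSACTIONS = [
    {"id": "t1", "acct": "A-1001", "amount": 120.00, "lat": 38.6, "lon": -98.1},   # local, small
    {"id": "t2", "acct": "A-1001", "amount": 4800.00, "lat": 55.75, "lon": 37.6},  # Moscow
    {"id": "t3", "acct": "A-1001", "amount": 4800.00, "lat": 38.7, "lon": -97.9},  # local, large
]

def geo_decision(txn, home, max_km=500.0, high_value=2500.0):
    """Return (decision, reason) where decision is 'allow', 'step_up' or 'deny'.

    Distance alone stops the remote attacker but not a local mule, which is the
    evasion the post describes, so a high-value transaction that passes the geo
    check is still sent to a second layer (out-of-band confirmation) rather
    than allowed outright. The 500 km / $2,500 thresholds are constructed."""
    dist = haversine_km(txn["lat"], txn["lon"], home["lat"], home["lon"])
    if dist > max_km:
        return "deny", f"{dist:.0f} km from the account's home location"
    if txn["amount"] >= high_value:
        return "step_up", "geo check passed; high value, confirm out of band"
    return "allow", "local and low value"

def screen(transactions, home):
    """Decision per transaction id."""
    return {t["id"]: geo_decision(t, home)[0] for t in transactions}

if __name__ == "__main__":
    for t in TRANSACTIONS:
        print(t["id"], *geo_decision(t, ACCOUNT_HOME))
```

The point of `t3` is the one the post makes: a geo rule on its own would have let it through, which is why the bottom line above asks for layers rather than a single check.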

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com

Phishing for your enterprise

Many enterprise managers think that phishing attacks against their enterprise are low risk because they're not a financial institution. They're wrong in that assumption, as the ComputerWorld article yesterday, "Fish for new employees and get phished?", points out.

The article quotes a manager at a Midwest US engineering services company. He has found that his company has suffered several phishing attacks using CareerBuilder.com. Here's how the phishing attack works:

The engineering enterprise receives an email purportedly from a job applicant. The manager must click on a link to get to the resume (in this case on CareerBuilder.com). When the manager clicks on the link, they are taken to a fake CareerBuilder.com website. There the manager views the phony applicant's resume. Meanwhile, malware containing a Trojan is downloaded onto the manager's computer.

So, you don't have to be a financial institution to fall victim to a phishing attack. Beware!

Have in place a layered authentication defense strategy to mitigate the risks of a successful attack. Meanwhile, educate your employees to not click on email links or document attachments.

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com

March 16, 2007

Vista Business Activation has weaknesses

Yesterday ComputerWorld ran a story "How to run Vista legally without activation ... for at least a year" that outlines how in the business versions of Vista it is possible to continually avoid having to register and activate the product for up to a year. While Microsoft is arguing that this is a "hack" others are documenting it as a legitimate "feature".

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com

When the good guys start using the bad guy's tools...

Computerworld yesterday published an article "CEBIT: Malware to fight crime? AV companies say no" that documents attempts by government police agencies to adopt malware practices to catch criminals. While this story is interesting, what came to my mind when reading it is that the FBI was in court several years ago over the use of keyboard loggers. Further, the use of malware by spy agencies has been known for a long time.

Protecting citizens' rights against intrusion by others must come first in most cases; only where a national security need is documented and a court order is obtained should the use of malware be allowed. Otherwise, police agencies shouldn't be allowed to use malware.

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com

Vista, an evolutionary improvement but still full of security holes

eWeek yesterday ran a very interesting story "Can a Rootkit Be Certified for Vista?". The article spells out the existing security holes in Vista as well as noting the significant improvements. Here are the main points of the article:

* Vista can be easily hacked by inserting bugs into drivers
* Vista can approve programs that contain malware if criminals pay $500 to have programs approved for Vista
* SQL Server 2005 was applauded for its security progress
* UAC (User Account Control) was thought to be a general improvement
* However, UAC is easily breachable in several different ways
* Windows Defender was a good improvement to detect and remove any unwanted application
* Vista's new firewall is also a good improvement
* Windows Security Center is a good improvement
* Vista's installation program is a problem in that it allows installers to run with administrative privileges, having full access to the file system and registry and the ability to load kernel drivers, which could allow rootkits to be installed
* Vista uses BitLocker Drive Encryption to encrypt the Windows volume, protecting against data theft, but it's available only in the Enterprise and Ultimate versions of Vista and is lacking in the Business version.
* Vista uses the Encrypting File System to encrypt files and folders, and Rights Management Services to encrypt files and prevent emailing them outside of the enterprise without the appropriate rights permissions
* Device control is used to enable better management of plug and play devices
* Vista uses PatchGuard to lock down the kernel, which was cracked as soon as Vista was released
* Windows Defender is faring pretty poorly in anti-malware tests

Read the article. It's a good overview of the true state of Vista.

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com


Google's blog software causing malware problems

Techworld.com today published an article "Google's blog software hijacked by scammers" that highlights a growing area of concern on the internet, the use of fake blogs to download malware. As the article says "According to Fortinet, Genuine-looking blogs on topics as wide-ranging as “Star Wars, school, furniture, Christmas, cars and girlfriends” are now being created to host a variety of script-initiated malware. It would be impossible for visitors to spot the danger of these sites, which now number in the hundreds, the company said. Although they look genuine, it appears that all the sites have been specially crafted to fool visitors."

""These are not legitimate blogs that were compromised. They appear to be deliberately set up to promote phishing, which is against our terms of service. We are investigating, and blogs found to include malicious code or promote phishing will be deleted," Google said in a statement to CNET."

Watch out which blogs you visit or you may find your identity and authentication information flowing out the digital front door into the hands of criminals.

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com

March 23, 2007

Advantage criminals...loser Anti-virus vendors

Ryan Naraine published a fascinating blog on Wednesday, "Russian (Gozi) Trojan powering massive ID-theft ring". It documents the surprising discovery by SecureWorks of a Russian Trojan that had been stealing significant amounts of identity data (from 5,200 homes, 10,000 records). The stolen data was being offered online for over $2 million. Worse, the anti-virus vendors didn't catch it for weeks and in some cases months.

Here is what the Trojan was capable of doing, according to Ryan:
"
* Steals SSL data using advanced Winsock2 functionality
* Uses state-of-the-art, modularized trojan code
* Launches attacks through Internet Explorer browser exploits
* Uses customized server/database code to collect sensitive data
* Offers a customer interface for online purchases of stolen data
* Steals data primarily from infected home PCs
* Accounts at top financial, retail, health care, and government services affected
* The black market value of the stolen data is at least $2 million
"

While this attack was mostly against home users, I suspect many enterprises would also be vulnerable if they are mostly relying upon the anti-virus vendors.

Don't have one layer of defense in your enterprise. Have multiple layers including the use of stronger authentication and transaction authentication or you will be vulnerable to successful enterprise attacks.

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com

Reduce risk of online attacks by up to 77%

This week, Symantec released their bi-annual Internet Security Threat report that got a lot of media coverage. What wasn't mentioned in the press was one little statistic buried in the report on page 52.

The report states "During the second half of 2006, 23 percent of the 1,318 documented malicious code instances exploited vulnerabilities." As Brian Krebs noted this week in his blog concerning the report, "Buried in the report was this little gem: Only 23 percent of all malicious software created in 2006 exploited a software security vulnerability. This is a very important stat to consider: By far the most common way that people infect their own computers with malicious software is by opening a virus-laden e-mail attachment or by clicking on a Web link included in an instant message."

This means that 77% of the time online attacks are instigated by the user clicking on links or document attachments.

Many experts have derided the usefulness of educating users about not clicking on links in email and instant messages or on email document attachments. Their feeling is that people are going to do it anyway and that training won't help. I disagree. It's a matter of magnitude.

For example, let's say that an enterprise has almost no training on email or instant messaging, or that the training was given once when an employee joined the company and has long since been forgotten (which I suspect is the case with most enterprises). The enterprise is relying almost 100% on technology to defend itself. As all sorts of studies show, anti-virus and intrusion detection systems don't catch 100% of attacks. Users are responsible for initiating up to 77% of these attacks. Therefore the enterprise will likely be breached when malware slips under the radar.

Why not reduce the risk of initiating these attacks by reminding workers on a regular basis of the threats? This can be done in only a few minutes of training at the worker's desktops.

The results? If the enterprise can get workers wary about clicking on unexpected email or instant message links or document attachments, then the chances of a successful security breach drop.

Does this stop all malware attacks? No. However, it does aid in reducing the chances of attacks. Given that the current advantage in technology lies with the criminals, it seems to me that enterprises need to train workers better, more often, to reduce their risk and cost of recovering from malware attacks (generally estimated at an annual cost of $100-150 per PC user).

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com

Vista possibly exploited by Windows Mail

CNET today is reporting that there may be a way to exploit Vista by having a user click on a link in a Windows Mail message. This has yet to be confirmed by Microsoft.

Yet another reminder to think on it before you click on it or you might see your identity and authentication information be in the hands of criminals.

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com

Skype Trojan Horse Attack

Yesterday, Websense Security Labs issued an alert that Skype users may be susceptible to a revised version of a Trojan commonly known as "Warezov/Stration". The user clicks on a link which takes them to a web page. There, if the user runs a file, this then activates the code. The code then constructs emails to everyone on the Skype list.

Don't click on email links unless you are expecting the email message and the link. Otherwise...you'll be sorry.

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com

Girl aged 6 cracks UK MP House of Commons computer

This is an interesting story. A young girl aged six went through the security checkpoints and then placed a hardware keyboard logger on an MP's computer. Everyone was embarrassed. Well, they should be.

The use of hardware keyboard loggers has been known for a long time. I wrote a paper on this "Why your use of ID and password is likely a joke". The use of passwords as the main form of authentication is absolutely no longer valid. Does this mean they shouldn't be used?

No. They can still be used for low risk authentication where if the authentication is stolen and used in a masquerade, it won't hurt the enterprise. As other papers I've written have described, what is required are layers of stronger authentication applied to areas where enterprise risk increases. However, this alone is not enough.

Enterprise crown jewels need to be protected by the use of transaction authentication. This assumes that even strong multi-factor authentication might be breached.

Finally, as a last resort, the enterprise should have filters on all information digitally leaving the enterprise through the firewall. This should be set up to recognize keywords, etc. and allow the door to be closed before the enterprise loses its valuable information.

Why wait for a young girl or a janitor to put a keyboard logger on your computer (undetectable unless you look at the back of the machine) before you find out your security has been breached?

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com

By Hook or By Crook

Dark Reading columnist Steve Stasiukonis has a great column, "By Hook or By Crook". It details how his team successfully penetrated an enterprise network. After unsuccessfully trying to find a dial-in number, they resorted to visiting the building, getting themselves into a conference room and then plugging in an inexpensive wireless access device.

There are so many different attack vectors. If they had more time, I'm sure they could have used social engineering attempts to get people's id and passwords.

Read the article and take note of your existing security arrangements.

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com

March 25, 2007

The dangers of WiFi

The LA Times last week ran a good story on the dangers of WiFi, "Ensnared on the wireless Web". It outlined the many ways that criminals and hackers can capture your identity information. Too many people become victims because they trust the security of a wireless connection. The result is frequently the loss of their identity information and the credentials they use for banking and work.

The end of the article has a number of general best practices for using WiFi. This should become part of your enterprise training for all employees who use wireless.

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com

Malware miscellany

Viruslist, a weblog run by analysts at Kaspersky Lab, this past week ran an interesting blog, "A malware miscellany". It's a collection of interesting facts about malware. Here is what they said:
"
1. Greediest Trojan Targeting Banks - this month, it’s Trojan- Spy.Win32.Banker.zd, which targets the clients of 33 banks. And just as we keep saying, the number of Trojans which target more than one bank is growing all the time.

2. Greediest Trojan Targeting E-payment Systems - The winner in this category is Trojan-Spy.Win32.Banker.z. This Trojan targets three plastic card systems, but also steals finance-related data from the customers of many banks. Apparently, its author prefers a comprehensive approach to making money.

3. Greediest Trojan Targeting Plastic Cards - The top malicious program in this category is Backdoor.Win32.Neodurk.13, which searches for access data for three plastic card systems, in addition to providing cybercriminals with remote control of victim computers, which is its main function.

4. Stealthiest Program - This category's winner is a modification of Backdoor.Win32.Rbot.gen, which is packed by eight different compression utilities in the hope that this will prevent antivirus programs from detecting the malicious code.

5. Smallest Malicious Program - This category of malware was won by Trojan.BAT.DeltreeY.af, which is just 19 bytes in size. This is a primitive Trojan, which (as its name suggests) deletes folders on infected computers. Its targets include the Windows system directory; of course, if this gets deleted, you may end up with some serious problems.

6. Biggest Malicious Program - February’s “giant” is Trojan-Spy.Win32.Bancos.rv. It is 13 MB in size, and is a bit of an oddity - you might expect extensive functionality, which this Trojan doesn't actually have.

7. Most Malicious Program - The winner from this category uses numerous methods to effectively combat antivirus protection installed on computers. February’s leader is Backdoor.Win32.Aebot.e, which uses a variety of methods to disable protection, including terminating processes in memory, stopping services and blocking updates. The malicious program terminates protection utilities by the dozen, including all kinds of firewalls, system monitoring utilities, antivirus products, etc.

8. Most Common Malicious Program in Email Traffic - In February 2007, the winner was Email-Worm.Win32.NetSky.t. Although this is a relatively old email worm, it still accounts for about 15% of all email traffic.

9. Most Common Trojan Family - We talk a lot about how the number of Trojans is on the increase. And Backdoor.Win32.Hupigon is a great example - in a single month we detected 368 modifications of this family.

10. Most common virus\ worm family - In February, the Warezov family was the most widespread among all virus and worm families. Samples of 118 different modifications were found in February alone.
"

The malware battle continues.

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com

Hijacking your enterprise network

Researchers yesterday at ShmooCon announced the possibility of hijacking networks with Windows PCs. An article published on CNET, "Windows weakness can lead to network traffic hijacks", explains how an attacker can effectively hijack a network. The announcement is important for enterprises because the attacker needs access to the network; what follows is therefore easily possible for an insider, or for anyone else who has access to the enterprise network.

The article states: "
"The upshot of it is that I can become your proxy server without you knowing about it," Chris Paget, director of research and development at IOActive, said in an interview after his presentation on the problem. "I can put up the equivalent of a detour sign on your network and redirect all the traffic."

An attacker can set up that "detour sign" because Internet Explorer on Windows PCs by default searches for a proxy server using the Web Proxy Autodiscovery Protocol, or WPAD, Paget said. It turns out that an attacker can easily register a proxy server on a network using the Windows Internet Naming Service, or WINS, and other network services including the Domain Name System, or DNS, he said.

"When IE starts up, it will ask the network where its proxy server is," Paget said. "It is really easy to put up your hand and say: 'Here I am.'"

Microsoft acknowledges the problem in a support article published Saturday on its TechNet Web site. "If an entity can surreptitiously register a WPAD entry in DNS or in WINS…clients may be able to route their Internet traffic through a malicious proxy server," Microsoft said in its support article.
"
Further, the article concludes with the following recommendation from Microsoft: "In its support article, Microsoft lists steps for network administrators to address the WPAD problem. The steps reserve static WPAD DNS host names and to reserve WPAD WINS name records. As a result, an attacker's malicious WPAD name will no longer work, which will foil the malicious proxy trick, Paget said."

Bottom line: Make sure that you have reserved static WPAD entries in both DNS and WINS.
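The autodiscovery sequence the article describes (the browser resolves a WPAD name, fetches the PAC file it points to, and then sends traffic to whatever PROXY directives that file contains) suggests two checks a defender can run on their own network: does every WPAD-style name resolve to the reserved static record, and does the PAC file in use name only proxies the enterprise actually operates? The following is an added example, not code from the article, Microsoft or IOActive. The domain, addresses, allowlist and PAC text are constructed, and the resolution table stands in for a live DNS/WINS lookup so that it runs offline.

```python
"""Added example: auditing WPAD names and PAC contents against an allowlist.
Constructed for illustration; not from the article, Microsoft or IOActive.
Domain, addresses, allowlist and PAC text are made up."""
import re

# Constructed allowlist: the proxies the enterprise actually operates.
APPROVED_PROXIES = {"proxy.corp.example:8080"}

# Constructed: the address the reserved static wpad record is meant to hold.
EXPECTED_WPAD_ADDR = "10.0.0.5"

# Constructed snapshot of name resolution, standing in for live DNS/WINS lookups.
# The single-label "WPAD" entry mimics a name registered by another machine,
# the situation the article and the Microsoft support article warn about.
RESOLUTION_TABLE = {
    "wpad.corp.example": "10.0.0.5",   # the reserved static record
    "WPAD": "10.0.0.77",               # unexpected registration
}

# Constructed PAC file as the enterprise's real wpad.dat might look.
GOOD_PAC = """function FindProxyForURL(url, host) {
  if (isPlainHostName(host)) return "DIRECT";
  return "PROXY proxy.corp.example:8080; DIRECT";
}"""

# Constructed PAC file of the kind the article's "detour sign" would serve:
# every request is routed through a proxy the enterprise does not run.
ROGUE_PAC = """function FindProxyForURL(url, host) {
  return "PROXY 10.0.0.77:3128";
}"""

# PAC return strings list endpoints as "PROXY host:port; SOCKS host:port; DIRECT".
_PROXY_RE = re.compile(r"\b(?:PROXY|HTTPS|SOCKS5?)\s+([^\s;\"]+)")

def proxies_in_pac(pac_text):
    """Every proxy endpoint a PAC file could send traffic to (DIRECT is not one)."""
    return sorted(set(_PROXY_RE.findall(pac_text)))

def audit_pac(pac_text, approved=APPROVED_PROXIES):
    """Endpoints named in the PAC that are not on the enterprise allowlist."""
    return [p for p in proxies_in_pac(pac_text) if p not in approved]

def audit_wpad_names(table=RESOLUTION_TABLE, expected=EXPECTED_WPAD_ADDR):
    """Names beginning with 'wpad' that resolve anywhere other than the
    reserved static record. A non-empty result means a client asking the
    network for its proxy could be answered by the wrong host."""
    return sorted(name for name, addr in table.items()
                  if name.lower().startswith("wpad") and addr != expected)

if __name__ == "__main__":
    print("unexpected WPAD names:", audit_wpad_names())
    print("good PAC, unapproved proxies:", audit_pac(GOOD_PAC))
    print("rogue PAC, unapproved proxies:", audit_pac(ROGUE_PAC))
```

In practice the resolution table would be filled from the organisation's own DNS and WINS data and the PAC text fetched from the wpad host a client would actually use; the two audit functions stay the same.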

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com

March 26, 2007

UK Online banking fraud increases from £23.2m in 2005 to £33.5m in 2006

The UK Payments Association released this month a press release outlining the changes in fraud over the last year. The press release said "Online banking fraud increases from £23.2m in 2005 to £33.5m in 2006".

While other types of fraud are falling (e.g. Total card fraud losses fall from £439.4m in 2005 to £428.0m in 2006 and Card fraud losses at UK retailers fall by 47%) this was one of the areas that was significantly rising along with Card ID Theft (up 5% to £31.9m).

Online fraud still represents slightly less than 10% of total Card fraud. However, the trend is increasing significantly and will likely continue to do so as phishing attacks get more clever. Be very careful of the links you click on or you may find your bank authentication information in the hands of criminals.

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com

Game over and verifiable operating systems

Joanna Rutkowska today published a VERY INTERESTING blog, "The Game is Over". In it, she examines the challenges of achieving "Verifiable Operating Systems". The blog is definitely worth a read.

She examines the current alternatives for determining whether your operating system kernel has been compromised by a rootkit. She proposes three ways of doing this:

"1. One generic solution is to build in a prevention technology into the OS. That includes all the anti-exploitation mechanisms, like e.g. ASLR, Non Executable memory, Stack Guard/GS, and others, as well as some little design changes into OS, like e.g. implementation of least-privilege principle (think e.g. UAC in Vista) and some sort of kernel protection (e.g. securelevel in BSD, grsecurity on Linux, signed drivers in Vista, etc)."

"2. Another approach is to dramatically redesign the whole OS in such a way that all components (like e.g. drivers and services) are compartmentalized, e.g. run as separate processes in usermode, and consequently are isolated not only from each other but also from the OS kernel (micro kernel). The idea here is that the most critical components, i.e. the micro kernel, is very small and can be easily verified. Example of such OS is Minix3 which is still under development though."

"3. Alternative approach to the above two, which does not require any dramatic changes into OS, is to make use of so called sound static code analyzers to verify all sensitive code in OS and applications. The soundness property assures that the analyzer has been mathematically proven not to miss even a single potential run time error, which includes e.g. unintentional execution flow modifications. The catch here is that soundness doesn’t mean that the analyzer doesn’t generate false positives. It’s actually mathematically proven that we can’t have such an ideal tool (i.e. with zero false positive rate), as the problem of analyzing all possible program execution paths is incomputable. Thus, the practical analyzers always consider some superset of all possible execution flows, which is easy to compute, yet may introduce some false alarms and the whole trick is how to choose that superset so that the number of false positives is minimal."

Read the blog. It offers excellent thoughts on the subject from someone who has successfully shown how to penetrate kernels with malware.
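Her third option turns on the difference between soundness and completeness, which is easiest to see in a toy. The following is an added example, constructed for this post; it is not Rutkowska's code and not any real analyser, and the mini-language and the sample programs are invented. It runs a path-insensitive interval analysis next to an exhaustive concrete execution: the analyser reports every genuine out-of-bounds index, but because it merges the two arms of each branch it loses the correlation between branches, so a program that is safe on every real path is reported too. That is precisely the "superset of all possible execution flows" and the false alarms she describes.

```python
"""Added example: a toy sound interval analyser next to exhaustive execution.
Constructed for illustration of Rutkowska's third option; not her code and not
a real tool. The mini-language and the sample programs are invented."""
from itertools import product

# Mini-language, each statement a tuple:
#   ("set", var, lo, hi)                 var receives an unknown input in [lo, hi]
#   ("copy", dst, src)                   dst = src
#   ("if", flag, then_block, else_block) branch on a boolean input named flag
#   ("index", length, var)               arr[var] on an array of that length

TOP = (float("-inf"), float("inf"))  # "could be anything"

def join(a, b):
    """Least upper bound of two intervals; a variable missing on one arm is unknown."""
    if a is None or b is None:
        return TOP
    return (min(a[0], b[0]), max(a[1], b[1]))

def _abstract(block, env, warnings):
    """Path-insensitive abstract execution over intervals."""
    env = dict(env)
    for s in block:
        if s[0] == "set":
            env[s[1]] = (s[2], s[3])
        elif s[0] == "copy":
            env[s[1]] = env[s[2]]
        elif s[0] == "if":
            # Both arms are analysed from the same state and then merged. This
            # is what keeps the analysis sound and also where precision is lost.
            then_env = _abstract(s[2], env, warnings)
            else_env = _abstract(s[3], env, warnings)
            env = {v: join(then_env.get(v), else_env.get(v))
                   for v in set(then_env) | set(else_env)}
        elif s[0] == "index":
            lo, hi = env[s[2]]
            if lo < 0 or hi >= s[1]:
                warnings.append(f"{s[2]} in [{lo}, {hi}] may index an array of length {s[1]}")
    return env

def analyse(block):
    """Sound analysis: every real out-of-bounds index is reported, possibly plus spurious ones."""
    warnings = []
    _abstract(block, {}, warnings)
    return warnings

def _flags(block, acc):
    for s in block:
        if s[0] == "if":
            acc.add(s[1])
            _flags(s[2], acc)
            _flags(s[3], acc)
    return acc

def _execute(block, states, flags):
    """Concrete execution of every path for fixed boolean inputs; states are (env, violations)."""
    for s in block:
        new = []
        for env, viol in states:
            if s[0] == "set":
                for v in range(s[2], s[3] + 1):
                    new.append(({**env, s[1]: v}, list(viol)))
            elif s[0] == "copy":
                new.append(({**env, s[1]: env[s[2]]}, list(viol)))
            elif s[0] == "if":
                arm = s[2] if flags[s[1]] else s[3]
                new.extend(_execute(arm, [(env, list(viol))], flags))
            elif s[0] == "index":
                v = env[s[2]]
                hit = [] if 0 <= v < s[1] else [f"{s[2]}={v} out of bounds for length {s[1]}"]
                new.append((env, viol + hit))
        states = new
    return states

def real_violations(block):
    """Ground truth by exhaustive enumeration of inputs (feasible only for toys)."""
    flags = sorted(_flags(block, set()))
    found = []
    for bits in product([True, False], repeat=len(flags)):
        for _, viol in _execute(block, [({}, [])], dict(zip(flags, bits))):
            found.extend(viol)
    return found

def classify(block):
    """Compare the analyser's verdict with ground truth."""
    warned, real = analyse(block), real_violations(block)
    if warned and real:
        return "true positive"
    if warned:
        return "false positive"
    if real:
        return "missed"  # cannot happen for a sound analyser
    return "clean"

# Sample programs (constructed).
SAFE = [("set", "i", 0, 3), ("index", 4, "i")]
UNSAFE = [("set", "i", 0, 8), ("index", 4, "i")]
# Safe on every real path (j is 0 or 1), but the join after the first `if`
# forgets that i depends on c, so the analyser sees j in [0, 8].
CORRELATED = [
    ("if", "c", [("set", "i", 0, 0)], [("set", "i", 8, 8)]),
    ("if", "c", [("copy", "j", "i")], [("set", "j", 1, 1)]),
    ("index", 4, "j"),
]

if __name__ == "__main__":
    for name, prog in [("SAFE", SAFE), ("UNSAFE", UNSAFE), ("CORRELATED", CORRELATED)]:
        print(name, classify(prog), analyse(prog))
```

A path-sensitive analyser would keep the two arms apart and clear `CORRELATED`, at the cost of tracking a number of states that grows with every branch; choosing how much of that to give up is the "whole trick" of picking the superset that her quote refers to.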

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com

User registration and fake passports

Last week the Guardian in the UK published an article, "Al-Qaida gets fake papers as Home Office issues 10,000 passports to fraudsters". The story outlines how an estimated 10,000 passports were issued last year to fraudsters.

As Bruce Schneier commented on his blog:

"This is the kind of thing that demonstrates why attempts to make passports harder to forge are not the right way to spend security dollars. These aren't fake passports; they're real ones mis-issued. They have RFID chips and any other anti-counterfeiting measure the British government includes.

The weak link in identity documents is the issuance procedures, not the documents themselves."

I agree but the challenges in doing effective user registration are only getting more complicated. Let's say that instead of writing in for a passport, I am now required to physically show up. I provide them with a driver's license and birth certificate and undergo a criminal record check. Sounds good doesn't it? Maybe not.

The birth certificate and driver's license may be forged. Okay, to counter this, the government then does an electronic check of the records. This should stop forgeries, right? Maybe not.

In the case of terrorists, they can produce a legitimate birth certificate from another country where the records are poorly kept and/or the officials easily bribable. Armed with this, they can legitimately apply for a driver's license. Thus the security check will approve them, assuming of course they don't have a criminal record.

Then there's something else to consider that may sound outlandish at first glance: human clones. We are already cloning other mammals. It is to be expected that human clones will appear on the planet in the near future (i.e. 5-10 years). How then does the registration process deal with this?

I wrote a paper two years ago proposing that a national DNA database be established to register citizens against. Further, the database would include digital fingerprints for genetic twins (since DNA doesn't help in this instance).

I got criticism from people for proposing a national database that could be susceptible to abuse. My point is that we already have national databases for births and names. This is merely an updated extension of those. My proposal puts the comparison of DNA samples against the national database in the hands of the individual, except for court-approved cases. This is far more secure than what the individual has today.

There's a lot to consider when talking about user registration. The existing tokens used to verify who you are don't scientifically match to the individual. It's time to reconsider the options. Otherwise, we will continue to issue valid authentication documents (digital and paper) to people who are not whom they claim to be.

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com

March 27, 2007

Malware threat for non-patched IE6 Browsers

Today, Computerworld ran a story "Code posted for IE6 attack" which documents a new malware attack that works against IE 6 browsers that don't have the most recent patch update. The malware attack, documented by HD Moore last July, allows unauthorized software to be run on the computer.

So, if you want to keep your identity and authentication information safe, make sure your IE browser has the latest patch!

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com

Javascript coding errors...big threat!

Yesterday, Computerworld ran a story "ShmooCon: Bad Web 2.0 thinking imperils Web security" that outlines a recent presentation by Billy Hoffman, of SPI Dynamics, at ShmooCon, about the increasing threat from poorly written JavaScript. The article is worth serious note since the claims are far reaching, affecting most common enterprise web sites.

"The proposed threat is centered on the prevalence of JavaScript errors and insecure use of so-called Web services programming languages such as AJAX -- which combines asynchronous JavaScript with XML -- in many popular Web sites and applications."

""In the last two years, we've seen JavaScript go from stealing cookies to doing key-logging, screen-scraping and all sorts of phishing attacks," Hoffman said. "JavaScript used to be something that was more annoying than anything, but now it's being used in port scanning, to create self-propagating malware and to steal browser histories.""

"The researcher, who said that JavaScript vulnerabilities are present in sites maintained by everyone from well-known online retailers to large financial services companies, demonstrated a proof-of-concept exploit based on a JavaScript flaw on CNN.com, and how it could be used to manipulate content on the news site's pages."

"The issue was reported in security forums several months ago, and sent to CNN by researchers, but it still hasn't been fixed, Hoffman said."

The use of cross site scripting is noted in the article:
"One of the newer wrinkles of AJAX-based attacks is the ability to create XSS threats that are self-propagating, according to Hoffman. Whereas the threats were traditionally designed only to sit on one URL and infect people who visited its location, the attacks can now be linked to Web crawling tools to find other pages that may be exploitable, specifically other sites within the same online domains."

"Using such an approach, an attacker could infiltrate businesses' corporate intranets via their public Web sites and gain access to sensitive organizational data, Hoffman said."

Enterprises need to check their websites for any use of poor JavaScript. Otherwise, there's a fair chance that your site might be crawled, the website penetrated, your internal network penetrated, and identity theft, authentication theft and loss of enterprise data might result.
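As an added example (not from the article or from SPI Dynamics), here is the pattern behind most of the flaws Hoffman describes, shown server-side in Python: a page that concatenates visitor input straight into HTML, next to the same page with the input escaped, plus the check a site owner can run against their own renderer. The sample inputs and the `render_*` and `audit` names are constructed for this illustration.

```python
import html

# Constructed sample input: what a visitor, or an automated crawler of the kind
# the article describes, might submit in a "name" field.
SAMPLE_INPUTS = [
    "Alice",
    '<script>alert("xss")</script>',
    '" onmouseover="alert(1)',
]


def render_vulnerable(name: str) -> str:
    """The flawed pattern: untrusted input concatenated straight into HTML."""
    return f'<p class="greeting">Hello, {name}!</p>'


def render_hardened(name: str) -> str:
    """Hardened form: html.escape neutralises <, > and &; quote=True also neutralises
    quote characters, so the same value is safe inside a double-quoted attribute."""
    safe = html.escape(name, quote=True)
    return f'<p class="greeting" data-name="{safe}">Hello, {safe}!</p>'


def reflects_unescaped(rendered: str, submitted: str) -> bool:
    """Check used by audit(): the submitted string carried markup characters and
    appears unchanged in the output, so the page reflects input without escaping."""
    has_markup = any(c in submitted for c in '<>"')
    return has_markup and submitted in rendered


def audit(render) -> list:
    """Run every sample through a renderer and return the inputs it reflects unescaped."""
    return [s for s in SAMPLE_INPUTS if reflects_unescaped(render(s), s)]


if __name__ == "__main__":
    print("vulnerable renderer reflects:", audit(render_vulnerable))
    print("hardened renderer reflects:  ", audit(render_hardened))
```

The escaping has to match the context the value lands in; `html.escape(..., quote=True)` covers HTML text and double-quoted attribute values, but a value placed inside a JavaScript block or a URL needs that context's own encoding.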

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com

Along comes "smishing"

Last week, Ziff Davis published a brief piece "Smishing: An Emerging Remote Security Threat". The article says:

"As many of us are acutely aware, "phishing" is a type of attack involving spam and other malware from fraudsters pretending to be legitimate businesses such as banks. After being lured to fake Web sites, victims are conned into providing personal information such as bank account and credit card numbers which criminals can then abuse for purposes of identity theft."

"Vishing, in contrast, revolves around spam that tells users to make a phone call to a toll-free number, in order to correct some sort of purported problem with their accounts. If you dial the specified number, an automated voice system asks you to tap in your account numbers and PIN on the phone keypad. This info is then captured by the scam artists."

"Smishing is a simpler approach in which cell phones and other mobile devices are used as the delivery mechanism. Recipients receive SMS messages with fraudulent messages, sometimes telling them, for example, that they've signed up for some service they've probably never even heard of, and that they will be charged for the service unless they go to a specified URL to cancel the order they've never placed. When smishing victims visit that Web site, they are directed to download a program which then turns out to be a Trojan horse, thereby enabling remote access to their devices by cybercriminals or other hackers."

This type of attack was blogged by Symantec last July.

I think that this type of attack will become very common over the next one to two years as mobile phone use in the US increases. It's simply yet another attack vector for criminals to gain access to your authentication mechanisms, your identity information and your credit card info.

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com

"Is your computer a criminal?"

An excellent review of the state of security on the internet appeared today on MSNBC, "Is your computer a criminal?". Written by Bob Sullivan, it accurately portrays the current security situation on the internet. Definitely read this for an excellent overview of malware, bots, etc.

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com

More Shmoocon review

Brian Krebs of the Washington Post today wrote an excellent blog on the dire straits of web coding when it comes to security. He reviews some of the most common coding errors, including the failure to filter customer input data, which lets malicious input be inserted that can then penetrate back end databases.

At the end of the blog in the comments, you'll find he mentions the three most common coding flaws: buffer overflows, insufficient user input filtering, and improper integer handling.

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com

Identity Theft Checklist for the US

There's a great resource available for anyone who has suffered identity theft in the US. You can find it at YourCreditAdvisor.com.

VirusTotal - An interesting viewpoint

The article "Is your computer a criminal?" I referred to in a recent blog refers to a website, VirusTotal.com, that "...scans potential viruses using 30 top antivirus products."

On March 27, 2007 (today's date for this blog) there were 10,685 viruses submitted. Only 38 were picked up by all 30 anti-virus products.

My only criticism of this website is that I can't find a breakdown by vendor of which malware each product detected. Some vendors will do better than others.

However, pushing this aside, it also means that no one anti-virus vendor is adequate to protect your enterprise. Furthermore, you need heuristic intrusion prevention software that can head off, at the pass, any malware that makes it through the firewall. Yet even this is not enough.

As I continue to say in many blogs, you need a layered defense behind the firewall, the anti-virus and the intrusion prevention software. This should involve stronger authentication as the identity moves towards higher risk applications or information. Yet even this is not enough.

These types of defenses can also be thwarted. Therefore, you also need transaction authentication around your enterprise crown jewels.

Finally, at the firewall, you should also have a content filter for all outgoing traffic. This should be scanning for highly sensitive information that has evaded all the other defenses.

Without these layered defenses, your enterprise is vulnerable.

March 28, 2007

A new report shows ID theft doubles in two months

Dark Reading on Monday published an interesting article "ID Theft Doubles in Two Months". It documents a report from Cyveillance Inc. that has some scary numbers based on "its crawlers out looking for likely phishing sites, malware, and personally identifiable information".

"In December, Cyveillance found that the average number of URLs detected with malware was less than 20,000 on a daily basis. Last month, however, that average had grown to about 60,000 sites daily, with a single-day, mid-month spike of close to 140,000."

"While malware is the fastest-growing attack vector for identity theft, traditional phishing continues to proliferate as well, Cyveillance found. In fact, the number of sites targeted by phishing attacks grew 50 percent in the first two months of 2007, from 800 to 1,200."

""Where we used to see [phishers] targeting mostly large banks and popular online sites like eBay, now we are seeing smaller regional banks, credit unions, and retail sites that have never been targeted before," Bransford says. Credit unions alone saw an increase of 584 percent in the last 12 months, and associations have suffered an increase of 329 percent, Cyveillance reports."

The report is available here.

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com

Change those default passwords

Dark Reading today has an article worth reading, "The Password Is... Vulnerability". It outlines how one of the most common things that enterprises get wrong, as shown in penetration testing, is the use of default passwords.

As the article says "Many people feel that networks are secure from this issue because the only people who could exploit this are people from within the company. But due to session riding and malicious JavaScript, that's no longer the case. All a user has to do is get someone at the company that has a physical route to the device with the default configuration to visit a page that is under their control."

The article further states:

"Wireless networks are also highly subject to this sort of issue. Not only do they have default passwords, but they have default SSIDs that can help identify which default username and password to start with. War driving and using default usernames and passwords is a clear and present danger to corporations, and it's often overlooked by adding additional layers of encryption, or by disabling the broadcasting of SSIDs. While that can slow down an attacker, it doesn't do much to prevent the attack itself.

"Lastly, Web applications are also vulnerable. Not only do people tend to use the same passwords for out-of-the-box applications, but often times there are other components that can be subverted. One such issue is default credit card numbers. There is a list of default credit card numbers that can be used to buy items from Websites without paying. This sort of issue is exacerbated by the fact that security systems often ignore default credit cards as they are supposed to be only used for testing. "

All of which is excellent advice. Enterprise security is only as good as the weakest link in the chain. Change those default passwords or your enterprise may be at high risk of a successful security breach.
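An added example of the audit this advice calls for (my illustration, not from the Dark Reading article): it walks a constructed asset inventory and flags devices whose password still hashes to the vendor's documented default, that still advertise a default SSID, or that share a password with another device. The inventory, the placeholder default strings and the `DEFAULT_SSIDS` set are all assumed values.

```python
import hashlib
from collections import Counter


def pw_hash(password: str) -> str:
    # Illustrative only: a real credential store would use a salted, slow hash.
    return hashlib.sha256(password.encode()).hexdigest()


# Constructed inventory. "vendor_default" is the factory credential from the
# device manual (placeholder strings here), recorded so the audit can prove it
# was changed; "ssid" is the wireless network name, None for wired devices.
INVENTORY = [
    {"device": "core-switch-1", "vendor_default": "default-pw-A", "ssid": None,
     "pw_hash": pw_hash("default-pw-A")},
    {"device": "wifi-ap-3", "vendor_default": "default-pw-B", "ssid": "VENDOR-AP",
     "pw_hash": pw_hash("Qr7#long-unique-secret")},
    {"device": "wifi-ap-4", "vendor_default": "default-pw-B", "ssid": "corp-wifi",
     "pw_hash": pw_hash("Qr7#long-unique-secret")},
    {"device": "printer-2", "vendor_default": "default-pw-C", "ssid": None,
     "pw_hash": pw_hash("printer-only-secret")},
]

# Constructed: SSIDs the vendors ship with, which reveal the device type.
DEFAULT_SSIDS = {"VENDOR-AP"}


def audit_defaults(inventory):
    """Return (device, finding) pairs for the three weaknesses the article names:
    unchanged default passwords, default SSIDs, and one password reused across devices."""
    findings = []
    hash_counts = Counter(d["pw_hash"] for d in inventory)
    for d in inventory:
        if d["pw_hash"] == pw_hash(d["vendor_default"]):
            findings.append((d["device"], "unchanged vendor default password"))
        if d["ssid"] in DEFAULT_SSIDS:
            findings.append((d["device"], "default SSID advertises device type"))
        if hash_counts[d["pw_hash"]] > 1:
            findings.append((d["device"], "password shared with another device"))
    return findings


if __name__ == "__main__":
    for device, finding in audit_defaults(INVENTORY):
        print(f"{device}: {finding}")
```

Comparing hashes rather than plaintext means the audit can run from the same credential store the devices are provisioned from, without the script ever holding live passwords.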

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com

Spear phishing using the IT department as the lure

I just came across an article written earlier this month by Grant Buckler at ITBusiness.ca titled "Phishing lines crossed in the electronic ocean". In it, he outlines a new form of spear phishing attack which I can easily see growing in use. Here's what Grant said:
"
Clemens Martin, director of IT programs and the Hacker Research Lab at the University of Ontario Institute of Technology, recently gave a demonstration of spear phishing. Users receive an e-mail claiming to be from the company's IT department and formatted exactly like a real e-mail from IT. It says everyone has to change their passwords. In the e-mail is a link to what appears to be an internal Web site. Users click on the link and see a screen asking them to enter their old passwords, then to enter new passwords. Everything looks above board.

But the real destination of the link is not what users see in the e-mail — though it is real-sounding enough that those who spot the difference may still be fooled — and the Web site is a spoof hosted somewhere outside the company.

When a user falls for it, the phisher captures his or her user name and password, which can then be used to gain access to the company's systems.

With scams this sophisticated, fighting phishing is no longer just a matter of warning your mother to be careful about e-mail messages claiming to be from her bank.
"

I completely agree. Most enterprises are under the illusion that phishing is something that only happens to financial institutions. What they don't understand is that as organized crime rolls onto the scene, it is now using very sophisticated, targeted campaigns against many medium sized businesses. What can you do to reduce your risk?

1. Continually educate your employees about the danger of clicking on links in email or instant messages. This is how approximately 77% of online attacks start. By education, you can reduce the overall enterprise risk.

2. Continually watch for domain names that are very similar to yours. This should become a daily exercise in IT departments. When you find them, immediately let your users know that they may be subject to an attack.

3. Use many layers of authentication strength behind the firewall as risk grows.

4. Use transaction authentication around the enterprise crown jewels.

5. Use content filtering on all outbound traffic through the firewall to catch the precious jewels that are being stolen despite your best efforts.
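Point 2 is the one that is easiest to automate, so here is an added example (not from the ITBusiness.ca article) of a daily check over a feed of newly seen domains: it normalises look-alike characters, then flags TLD swaps, homoglyph substitutions, the brand name embedded in a longer label, and near-misses within a small edit distance. The feed and the `HOMOGLYPHS` table are constructed for the illustration; only authenticationworld.com comes from the page.

```python
OUR_DOMAIN = "authenticationworld.com"   # the enterprise domain being protected

# Constructed: character sequences that look like other characters in common fonts.
HOMOGLYPHS = {"rn": "m", "vv": "w", "cl": "d", "0": "o", "1": "l", "3": "e", "5": "s"}

# Constructed feed, as a daily export of newly registered domains might look.
SAMPLE_FEED = [
    "authenticationworld.com",        # our own domain
    "authenticati0nworld.com",        # digit zero for letter o
    "authenticationworld-login.net",  # brand embedded in a longer label
    "authenticationworld.net",        # same label, different TLD
    "authenticatonworld.com",         # one letter dropped
    "darkreading.com",                # unrelated
]


def normalise(label: str) -> str:
    """Collapse look-alike sequences so visually similar labels compare equal."""
    label = label.lower()
    for seq, repl in HOMOGLYPHS.items():
        label = label.replace(seq, repl)
    return label


def levenshtein(a: str, b: str) -> int:
    """Edit distance, the usual dynamic-programming formulation."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(domain: str) -> str:
    """Second-level label only; fine for .com/.net, an assumption for multi-part TLDs."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def classify(candidate: str, ours: str = OUR_DOMAIN, max_distance: int = 2):
    """Return a reason string when candidate looks like ours, else None."""
    if candidate.lower() == ours.lower():
        return None
    ours_label, cand_label = registrable_label(ours), registrable_label(candidate)
    ours_norm, cand_norm = normalise(ours_label), normalise(cand_label)
    if cand_label == ours_label:
        return "tld-swap"
    if cand_norm == ours_norm:
        return "homoglyph"
    if ours_label in cand_label:
        return "brand-embedded"
    if levenshtein(cand_norm, ours_norm) <= max_distance:
        return "typo"
    return None


def scan(feed):
    """Map each suspicious domain in the feed to the reason it was flagged."""
    return {d: r for d in feed for r in [classify(d)] if r}


if __name__ == "__main__":
    for domain, reason in scan(SAMPLE_FEED).items():
        print(f"{domain}: {reason}")
```

Hits from a check like this are what you would feed into the user warning the post recommends, and into the outbound content filter so that traffic to a flagged domain is blocked rather than merely logged.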

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com

Battling botnets

An excellent article appeared today in Computerworld "Four steps to battling botnets ... and one more that may be more than you can manage". It covers interviews with different security experts and their recommendations on how to avoid having your enterprise become infected with malware and hence bots.

The article makes four recommendations:
1. "Pare down the virus factor" - Use anti-virus software and scan your system once a day
2. "Listen to the drumbeats" -
* watch help lines for increased calls relating to poor system performance
* watch outbound activity for suspicious traffic
* watch to see if your IP address becomes part of a blacklist
3. "Scan the horizon" -
* Scan outgoing email for spam
* Use intrusion detection systems for detecting malware activity
4. "Get port authority" - block all internet ports except those few you need to run your enterprise

Finally, the article ends with a recommendation:
"Step infinity: Get smarter users" - ""We have to educate users that just as with safe driving practices there is something called safe computing practices," adds Turner, "and we have to think of Internet safety the same way we think of driving safety.""

Read the article. It's full of excellent advice to avoid loss of enterprise identity, authentication and valuable information from successful malware and bot attacks.

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com

March 29, 2007

Flaw in IE 6 and 7

There have been numerous reports today that Microsoft's IE 6 and 7 browsers are susceptible to drive-by hacking on XP SP2 (but not on Vista). By merely visiting a web site with malware code on it or by opening a specially crafted email, users can get infected. For more on this read Brian Krebs's post, Ryan Naraine's post or Microsoft's security advisory.

Bottom line: If you're using XP and you have IE browsers then perhaps you should consider Brian Krebs's recommendation to set up the account as a limited user. Otherwise, you face the risk of losing your authentication information and sensitive identity and enterprise information to malware from criminals.

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com

Practical botnet defense ignored by some Fortune 500 companies

Brian Krebs today has an interesting blog "Fortune 500s Unwittingly Become Spammers" that I think fits in nicely with a blog I wrote yesterday, Battling botnets. My blog was a review of a series of recommendations from different security experts that Computerworld collected on how to battle bots.

One of their recommendations was to "scan the horizon". In particular, they recommended scanning all outgoing email for spam. The reason is that when your malware defenses fail, this is one of the ways of telling: the malware begins to send spam out through the firewall.

This is exactly what Brian Krebs talks about in his blog, and it recently happened to several Fortune 500 companies including Oracle, HP, Home Depot, ExxonMobil and Electronic Arts, to name just a few.

My point in this blog is to point out the obvious. When companies like Oracle and HP are caught by malware infections, this is serious, since these companies have pretty rigorous layered defenses. The follow-on thought is that most other enterprises out there are likely getting infected too.

More on this in the next blog.
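An added example (my own, not from Computerworld or from Brian Krebs's post) of the "scan the horizon" and "watch outbound activity" checks from yesterday's list, applied to the symptom this post describes: it reads constructed outbound flow records and reports any internal host other than the designated mail relay that is talking SMTP directly to outside mail servers, marking hosts that reach many distinct servers as probable spam bots. The relay address, the 10.0.0.0/8 assumption and the threshold are all assumed values.

```python
from collections import defaultdict

MAIL_RELAY = "10.0.0.25"      # assumption: the only host permitted to speak SMTP outbound
INTERNAL_PREFIX = "10."       # assumption: the enterprise uses 10.0.0.0/8 internally
SPAM_BOT_THRESHOLD = 5        # distinct external mail servers per host in the window

# Constructed flow records: timestamp, source, destination, destination port.
FLOWS = """\
2007-03-29T09:00:01 10.0.0.25 203.0.113.10 25
2007-03-29T09:00:02 10.0.0.25 198.51.100.7 25
2007-03-29T09:00:03 10.0.1.17 203.0.113.10 25
2007-03-29T09:00:03 10.0.1.17 203.0.113.11 25
2007-03-29T09:00:04 10.0.1.17 203.0.113.12 25
2007-03-29T09:00:04 10.0.1.17 198.51.100.7 25
2007-03-29T09:00:05 10.0.1.17 198.51.100.8 25
2007-03-29T09:00:05 10.0.1.17 198.51.100.9 25
2007-03-29T09:00:06 10.0.1.17 203.0.113.10 25
2007-03-29T09:00:07 10.0.1.42 10.0.0.25 25
2007-03-29T09:00:08 10.0.1.42 93.184.216.34 80
2007-03-29T09:00:09 10.0.1.50 198.51.100.7 25
"""


def parse_flows(text: str):
    """Turn the whitespace-separated records into (ts, src, dst, dport) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = line.split()
        records.append((ts, src, dst, int(dport)))
    return records


def detect_outbound_smtp(records):
    """Group direct-to-MX connections by internal source, excluding the relay,
    and return one finding per offending host with a verdict."""
    dests = defaultdict(set)
    for _, src, dst, dport in records:
        if dport != 25 or not src.startswith(INTERNAL_PREFIX):
            continue
        if dst.startswith(INTERNAL_PREFIX) or src == MAIL_RELAY:
            continue   # mail handed to the internal relay, or the relay itself
        dests[src].add(dst)
    findings = []
    for host, mx in sorted(dests.items()):
        verdict = ("likely spam bot" if len(mx) >= SPAM_BOT_THRESHOLD
                   else "policy violation: direct SMTP")
        findings.append({"host": host, "distinct_mx": len(mx), "verdict": verdict})
    return findings


if __name__ == "__main__":
    for f in detect_outbound_smtp(parse_flows(FLOWS)):
        print(f"{f['host']}: {f['distinct_mx']} external mail servers, {f['verdict']}")
```

A host that fans out to many unrelated mail servers in seconds is behaving like a spam engine regardless of what its anti-virus says; the single-destination case is still worth a ticket, because the firewall rule that should have stopped it is evidently missing.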

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com

43% of surveyed firms found to be infected with malware

Webroot, a provider of internet security products, yesterday reported that 43% of companies it surveyed had business disruptions due to malware infections.

According to their press release:
"According to the Federal Bureau of Investigation (FBI), the organized nature, rapid growth and severity of cybercrime has moved it to their number three priority behind only counter-terrorism and counter-intelligence. Webroot research, using its Phileas™ automated spyware research system, has discovered that 1.7 percent (4.2 million) of 250 million URLs around the world harbor malware. Almost 3 million of those malicious sites were discovered in 2006 alone."

Further, the press release states "According to Webroot's study, over 40 percent of the companies surveyed reported business losses from a variety of spyware related issues. The most unsettling finding is that 26 percent of enterprises reported that confidential information had been compromised as a result of spyware. At the heart of this alarming trend is the rate of spyware infection:

* 39 percent of companies reported Trojan horse attacks;
* 24 percent reported system monitor attacks; and,
* 20 percent reported pharming and keylogger attacks.
"
The report can be found here.

In my previous blog, I discussed how even large Fortune 500 companies are being infected by malware. Whether the number of enterprises infected is 40, 50, 60 or more percent, only time will tell. What is obvious is that the tools in the hands of criminals are passing under the radar screens of enterprise firewall, anti-virus and intrusion detection and prevention systems. So what can be done?

Remember that according to the Symantec report issued last week, 77% of malware attacks begin with your users clicking on links in email and instant messaging systems or opening document attachments in email. The obvious starting point is to begin educating your users, on a regular basis, about the dangers of this. It's a low cost way to reduce overall enterprise risk.

Then make sure you are using a well thought out plan of layered defenses using layers of authentication for your enterprise security. Many of my blogs talk about this over and over.

You should also consider using more than one vendor for anti-virus. Right now, there's not one vendor who's going to protect you 100% of the time.

Without all of this you're like a candle in the wind... in danger of being snuffed out by successful malware attacks.

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com


Keyloggers - 500% growth in three and a half years

Kaspersky Labs has published an excellent piece of work on keyloggers. According to Kaspersky, the use of keyloggers has risen 500% from January 2003 to July 2006. "There are many more examples of cyber criminals using keyloggers – most financial cybercrime is committed using keyloggers, since these programs are the most comprehensive and reliable tool for tracking electronic information." says the article.

"One report issued by Symantec shows that almost 50% of malicious programs detected by the company’s analysts during the past year do not pose a direct threat to computers, but instead are used by cyber criminals to harvest personal user data." the article points out.

The article contains a great overview of many successful examples of keyloggers, describes the growing threats and recommends steps to take to mitigate the threat.

One thing I want to note is that the use of passwords and anything entered in by the keyboard is very insecure (read my paper "Why your use of ID and password is likely a joke"). Intelligence agencies have known this for many, many years. As a result, defense agencies have windowless rooms to thwart the capture of keyboard strokes by antennas. They also use special computers that have keyboards hard-wired into the computer, or that can detect when a keyboard is removed and a hardware keyboard logger is inserted between the keyboard and the computer.

Most enterprises don't have the resources, or the willpower, of the military to defend themselves against all forms of attack. So, what is an enterprise to do to defend itself against keyloggers and malware?

Have a many layered enterprise defense strategy. You must assume that almost all layers will be broken...especially in today's age where the number of attack vectors internally and externally are so great.

Use stronger authentication for higher risk systems, applications, information and physical areas. I caution the reader, however, that these are not foolproof. There have been many documented reports over the last year of multi-factor authentication being bypassed. Usually this involved the criminals having software installed that lets the authentic user log on and then afterwards hijacks the session.

Use transaction authentication for protecting enterprise crown jewels.

Finally, have content filters on all outbound traffic through the firewall to catch precious things digitally leaving the enterprise that shouldn't.
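Since transaction authentication comes up in this and several earlier posts, here is an added example (mine, not from Kaspersky or from this blog) of one way to build it: the user's device shows the transaction details and produces a short HMAC-derived code over them, so a session hijacker who changes the payee after login cannot reuse the code, and a one-time nonce stops replay of an accepted transaction. The shared key, the account strings and the HOTP-style truncation are assumptions for the illustration.

```python
import hashlib
import hmac
import secrets

# Constructed: a per-user secret provisioned into the user's signing device at
# enrolment. A real deployment would keep it in a hardware token or a separate channel.
SHARED_KEY = b"constructed-demo-key-not-a-real-secret"


def canonical(tx: dict) -> bytes:
    """Serialise the transaction in a fixed field order so both sides MAC the same bytes."""
    return "|".join(str(tx[k]) for k in ("nonce", "to_account", "amount_cents")).encode()


def signing_code(key: bytes, tx: dict) -> str:
    """What the user's device shows after displaying the transaction: an 8-digit
    code derived from an HMAC over the details, truncated in the style of HOTP."""
    mac = hmac.new(key, canonical(tx), hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    number = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{number % 10**8:08d}"


class TransactionVerifier:
    """Server side: issues a one-time nonce per transaction and checks the code."""

    def __init__(self, key: bytes):
        self.key = key
        self.used_nonces = set()

    def new_nonce(self) -> str:
        return secrets.token_hex(8)

    def verify(self, tx: dict, code: str) -> bool:
        if tx["nonce"] in self.used_nonces:
            return False                          # replay of an accepted transaction
        expected = signing_code(self.key, tx)
        if not hmac.compare_digest(expected, code):
            return False                          # details changed after signing
        self.used_nonces.add(tx["nonce"])
        return True


def run_demo(key: bytes = SHARED_KEY) -> dict:
    """Legitimate submission, a hijacked session altering the payee, and a replay."""
    server = TransactionVerifier(key)
    tx = {"nonce": server.new_nonce(), "to_account": "ACCT-1234", "amount_cents": 12500}
    code = signing_code(key, tx)                  # computed on the user's device
    legit = server.verify(tx, code)
    hijacked = dict(tx, nonce=server.new_nonce(), to_account="ACCT-9999")
    tampered = server.verify(hijacked, code)      # same code, different details
    replay = server.verify(tx, code)              # resubmitting the accepted transaction
    return {"legitimate": legit, "tampered": tampered, "replay": replay}


if __name__ == "__main__":
    print(run_demo())
```

The point of the design is that the code is bound to what the user saw on a device the malware does not control; logging in with a strong credential does not help if the session can then be driven by someone else, which is exactly the bypass described above.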

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com

March 30, 2007

CDROMS and malware attacks

The use of USB drives and CDROMs to distribute malware has been gaining ground over the last year. Yesterday, in Australia, ZDnet.com ran a story "Phishing attack: Your keyloggers are in the mail". It documents the mailing of CDROMs to people within an unidentified Australian enterprise. Users started up the CDs on their computers, which then ran a Windows multimedia file while in the background malware was installed that collected identity and authentication information.

Quoting Macleonard Starkey from AusCERT, the article stated: "Because most users have administrative access to their machines, even in corporate networks today, it will usually be dropped straight to the Windows system32 directory, and start up from there. This is a very low-tech scam but it's also a very good one," Starkey said.

It's very important that enterprises train their employees about social engineering attacks like this. This is another form of a phishing attack where the user has to initiate the attack.

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com