Articles
May 24th, 2007
Part 1: Security Absurdity: The Complete, Unquestionable, And Total Failure of Information Security.
http://www.securityabsurdity.com/failure.php
Follow up: Community Comments & Feedback to Security Absurdity
http://www.securityabsurdity.com/comments.php
Part Two: Coming Soon.
Attackers Evade Detection Using New Method
March 2nd, 2007
Further exposing the weaknesses of signature-based detection, cybercriminals have developed a new method to hide malicious code to evade detection.
Called dynamic code obfuscation, the method alters virus code using a different set of functions, parameter names and encryption keys for each user! For example, if two people visit a malicious Web site at the same time, each person will get a different encrypted or obfuscated code, generated on the fly.
“Security vendors that post security updates to their customers will need to theoretically create millions of signatures for their customers.”
– Yuval Ben-Itzhak,
Chief Technology Officer, Finjan Inc.
Article: “Attackers hide malicious code using new method”
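To make the signature problem concrete, here is an added example (not from Finjan or the article above) that builds three per-visitor variants of one constructed, inert payload and compares three detection approaches: a hash of the delivered bytes, a hash of the normalized code skeleton, and a hash of the payload after peeling the XOR layer. The generator, the `dec` helper name and the key placement are assumptions made for the illustration.

```python
import hashlib
import re

# Constructed, inert stand-in for the script a malicious page would deliver.
PAYLOAD = b"document.write('<iframe src=\"http://example.invalid/x\">');"

def make_variant(func, param, var, key, junk=""):
    """One per-visitor download: fresh function, parameter and variable names, a fresh
    XOR key and optional filler code, mimicking the server-side generator described above."""
    blob = bytes(b ^ key for b in PAYLOAD).hex()
    return (f"function {func}({param}){{{junk}var {var}='{blob}';"
            f"eval(dec({var},{param}));}} {func}({key});")

def byte_signature(sample):
    """Classic signature: a hash of the delivered bytes. Differs for every variant."""
    return hashlib.sha256(sample.encode()).hexdigest()

def normalized_signature(sample):
    """Skeleton signature: identifiers, numbers and hex strings collapsed to placeholders.
    Survives renaming and re-keying but breaks as soon as the code shape changes."""
    s = re.sub(r"'[0-9a-f]+'", "'BLOB'", sample)
    s = re.sub(r"\b(?!function\b|var\b|eval\b|dec\b)[A-Za-z_]\w*\b", "ID", s)
    s = re.sub(r"\b\d+\b", "N", s)
    return hashlib.sha256(s.encode()).hexdigest()

def decoded_signature(sample):
    """Hash of what the script would actually execute: peel the XOR layer using the key
    the sample must carry to decode itself. Stable across renaming, re-keying and filler."""
    m = re.search(r"var \w+='([0-9a-f]+)';.*?\}\s*\w+\((\d+)\);", sample, re.S)
    plain = bytes(b ^ int(m.group(2)) for b in bytes.fromhex(m.group(1)))
    return hashlib.sha256(plain).hexdigest()

# Three visitors of the same page get three different downloads (constructed).
VISITOR_A = make_variant("f0", "k", "d", 0x21)
VISITOR_B = make_variant("q9z", "p", "s", 0xA7)
VISITOR_C = make_variant("x", "a", "d", 0x5C, junk="var t=0;")
```

The byte hashes differ for all three, the skeleton hash matches A and B but not C, and only the decoded hash is the same for all three; this is why vendors moved toward emulation and behavioural detection rather than one signature per download.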
Internet Root Servers Attacked
February 6th, 2007
In a very significant attack, cybercriminals launched a large Denial of Service attack against the internet’s 13 root servers, and briefly disabled 3 of them, including one that handles the US Defense Department network.
This is not the first time the 13 root servers have been targeted. In October 2002, an hour-long ping-flooding DDoS attack temporarily crippled 9 of the root servers.
The root servers are part of the Domain Name System (DNS), a worldwide distributed database that is used to translate worldwide unique domain names such as www.google.com to other identifiers. The DNS is an important part of the Internet because it is used by almost all Internet applications. The root name servers publish the root zone file to other DNS servers and clients on the Internet. The root zone file describes where the authoritative servers for the DNS top-level domains (TLD) are located; in other words: which server one has to ask for names ending in one of the TLDs, such as ORG, NET, CA, etc.
The attack is significant because the domain name system comprises one of the few logical single points of failure within the Internet. The root of the Internet namespace is held in 13 geographically distributed root name servers operated by nine independent organizations. In a worst case scenario, loss of all 13 of the root name servers would result in significant disruption to Internet operation, as name to address translation (and vice versa) would no longer function.
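As an added illustration (not part of the original post), the toy iterative resolver below walks root, TLD and authoritative servers over invented zone data and shows what happens when every root server stops answering: a cold resolver fails outright, while a resolver that already cached the TLD referral keeps resolving names under that TLD until the cached record expires. The server names, addresses and the three-root set are constructed for the example.

```python
# Toy iterative resolver over constructed zone data (not real DNS records); the
# servers and addresses are invented for this example.
ROOT_SERVERS = ["a.root", "b.root", "c.root"]
ZONES = {  # server -> {owner name: (record type, value)}
    "a.root": {"com.": ("NS", "ns.tld-com")},
    "b.root": {"com.": ("NS", "ns.tld-com")},
    "c.root": {"com.": ("NS", "ns.tld-com")},
    "ns.tld-com": {"example.com.": ("NS", "ns.example")},
    "ns.example": {"www.example.com.": ("A", "192.0.2.10")},
}

def ancestors(name):
    """'www.example.com.' -> ['com.', 'example.com.', 'www.example.com.']"""
    parts = name.rstrip(".").split(".")
    return [".".join(parts[i:]) + "." for i in range(len(parts) - 1, -1, -1)]

class Resolver:
    def __init__(self, reachable):
        self.reachable = set(reachable)  # servers that answer; drop the roots to model the DDoS
        self.cache = {}                  # name -> (type, value); real caches also expire by TTL

    def ask(self, server, name):
        if server not in self.reachable:
            return None                  # timeout: server down or flooded
        return ZONES.get(server, {}).get(name)

    def resolve(self, name):
        chain = ancestors(name)
        servers, start = list(ROOT_SERVERS), 0       # default: start at the root hints
        for i, anc in enumerate(chain):              # resume from the deepest cached referral
            if self.cache.get(anc, ("",))[0] == "NS":
                servers, start = [self.cache[anc][1]], i + 1
        for anc in chain[start:]:
            answer = next((a for s in servers if (a := self.ask(s, anc))), None)
            if answer is None:
                return None                          # whole level unreachable: lookup fails
            self.cache[anc] = answer
            if answer[0] == "A":
                return answer[1]
            servers = [answer[1]]
        return None

def demo():
    cold = Resolver({"ns.tld-com", "ns.example"}).resolve("www.example.com.")  # roots down, empty cache
    r = Resolver(ZONES)
    first = r.resolve("www.example.com.")    # normal lookup populates the cache
    r.reachable -= set(ROOT_SERVERS)         # now all 13 (here 3) root servers go away
    warm = r.resolve("www.example.com.")     # still resolves from the cached com. referral
    miss = r.resolve("www.example.org.")     # an uncached TLD needs the root again
    return cold, first, warm, miss
```

Because the root zone's TLD referrals carry multi-day TTLs, a short outage like the one described mostly hurts resolvers with empty caches or lookups for TLDs they have not seen recently, which is why the 2007 attack was felt far less than a total loss of the root would be.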
NYTimes: Attack of the Zombie Computers Is Growing Threat
January 8th, 2007
The New York Times has an article discussing the difficulty security researchers face in combatting botnets, and how botnets are threatening the safety of the internet.
Some highlights from the article:
* What is new is the vastly escalating scale of the problem — and the precision with which some of the programs can scan computers for specific information, like corporate and personal data, to drain money from online bank accounts and stock brokerages. “It’s the perfect crime, both low-risk and high-profit,” said Gadi Evron, a computer security researcher for an Israeli-based firm, Beyond Security, who coordinates an international volunteer effort to fight botnets. “The war to make the Internet safe was lost long ago, and we need to figure out what to do now.”
* Last spring, a program was discovered at a foreign coast guard agency that systematically searched for documents that had shipping schedules, then forwarded them to an e-mail address in China, according to David Rand, chief technology officer of Trend Micro, a Tokyo-based computer security firm. He declined to identify the agency because it is a customer.
* Although there is a wide range of estimates of the overall infection rate, the scale and the power of the botnet programs have clearly become immense. David Dagon, a Georgia Institute of Technology researcher who is a co-founder of Damballa, a start-up company focusing on controlling botnets, said the consensus among scientists is that botnet programs are present on about 11 percent of the more than 650 million computers attached to the Internet.
* The data in the file had been collected during a 30-day period, according to Rick Wesson, chief executive of Support Intelligence, a San Francisco-based company that sells information on computer security threats to corporations and federal agencies. The data came from 793 infected computers and it generated 54,926 log-in credentials and 281 credit-card numbers. The stolen information affected 1,239 companies, he said, including 35 stock brokerages, 86 bank accounts, 174 e-commerce accounts and 245 e-mail accounts. Sensor information collected by his company is now able to identify more than 250,000 new botnet infections daily, Mr. Wesson said. “We are losing this war badly,” he said. “Even the vendors understand that we are losing the war.”
* According to the annual intelligence report of MessageLabs, a New York-based computer security firm, more than 80 percent of all spam now originates from botnets. Last month, for the first time ever, a single Internet service provider generated more than one billion spam e-mail messages in a 24-hour period, according to a ranking system maintained by Trend Micro, the computer security firm. That indicated that machines of the service providers’ customers had been woven into a giant network, with a single control point using them to pump out spam.
* Computer security experts warn that botnet programs are evolving faster than security firms can respond and have now come to represent a fundamental threat to the viability of the commercial Internet. The problem is being compounded, they say, because many Internet service providers are either ignoring or minimizing the problem. “It’s a huge scientific, policy, and ultimately social crisis, and no one is taking any responsibility for addressing it,” said K. C. Claffy, a veteran Internet researcher at the San Diego Supercomputer Center.
2006: “The Year of Computing Dangerously”
December 28th, 2006
The Washington Post has an article calling 2006 the “year of computing dangerously.”
Here are some excerpts from the article:
* “Computer security experts say 2006 saw an unprecedented spike in junk e-mail and sophisticated online attacks from increasingly organized cyber crooks. These attacks were made possible, in part, by a huge increase in the number of security holes identified in widely used software products. … Few Internet security watchers believe 2007 will be any brighter for the millions of fraud-weary consumers already struggling to stay abreast of new computer security threats and avoiding clever scams when banking, shopping or just surfing online.”
* “One of the best measures of the rise in cyber crime this year is spam. More than 90 percent of all e-mail sent online in October was unsolicited junk mail messages, according to Postini, a San Carlos, Calif.-based e-mail security firm. The volume of spam shot up 60 percent in the past two months alone as spammers began embedding their messages in images to evade junk e-mail filters that search for particular words and phrases.”
* “Data showing that criminal groups have shifted their activities from nights and weekends to weekday attacks, suggesting that online crime is evolving into a full-time profession for many.”
* “The world’s largest software maker, Microsoft Corp., this year issued software updates to fix 97 security holes that the company assigned its most dire “critical” label, meaning hackers could use them to break into vulnerable machines without any action on the part of the user. … In contrast, Microsoft shipped just 37 critical updates in 2005.”
* “Some software security vendors suspect that a new Trojan horse program that surfaced last month, dubbed ‘Rustock.B’ by some anti-virus companies, may serve as the template for malware attacks going forward. The program morphs itself slightly each time it installs on a new machine in an effort to evade anti-virus software. In addition, it hides in the deepest recesses of the Windows operating system, creates invisible copies of itself, and refuses to work under common malware analysis tools in an attempt to defy identification and analysis by security researchers. … ‘This is about the nastiest piece of malware we’ve ever seen, and we’re going to be seeing more of it,’ said Alex Eckelberry, president of Clearwater, Fla.-based security vendor Sunbelt Software.”
http://www.washingtonpost.com/wp-dyn/content/article/2006/12/22/AR2006122200367.html
Community Comments & Feedback to Security Absurdity Article
November 22nd, 2006
Six months ago I wrote Part One of my Security Absurdity article. The article was written to spark off dialogue, discussion and debate on the significant security challenges we face. Thankfully the article received quite a bit of attention and generated discussion on various sites, blogs and forums.
I want to highlight some of the comments that the article generated.
Read it here: Community Comments & Feedback to Security Absurdity Article - the Good, the Bad and the Ugly.
Is the anti-virus industry improving or just getting worse?
October 17th, 2006
An analysis by Eugene Kaspersky, head of virus research at Russia’s Kaspersky Lab, reveals some disturbing problems inherent in the antivirus industry. The greatest problem with antivirus software is that the majority of products available cannot even guarantee up to 90% protection to users. According to Kaspersky, many antivirus companies are unable to cope with the increasing numbers and varieties of malicious programs and are “losing this virus arms race”.
Kaspersky’s analysis was delivered on November 21 2005. Have things improved at all since then? Sadly no.
Malware-test.com tests the Malware Cleanup Success Rate for many major AntiMalware vendors. The results current as of August 26, 2006 are as follows:
* Trend Micro Anti-Spyware: 71.17%
* Sunbelt CounterSpy: 68.47%
* Webroot Spy Sweeper: 65.77%
* ewido anti-spyware: 62.16%
* McAfee antispyware: 62.16%
* PC Tools Spyware Doctor: 59.46%
* Norton Internet Security: 54.05%
* Computer Associate Anti-Spyware: 49.55%
* BitDefender Internet Security: 48.65%
* Microsoft Windows Defender: 44.14%
* F-Secure Internet Security: 44.14%
* a-squared Anti-Malware: 43.24%
* SpywareTerminator: 41.44%
* ZeroSpyware: 41.44%
* Lavasoft Ad-Aware: 39.64%
* Panda Platinum Internet Security: 38.74%
* ZoneAlarm Anti-spyware: 38.74%
* Spybot S&D: 38.74%
* SUPERAntispyware: 36.94%
* Arovax AntiSpyware: 35.14%
* Ashampoo AntiSpyWare: 33.33%
* Kaspersky Internet Security: 32.43%
* NOD32: 30.63%
* Agnitum Outpost Firewall Pro: 22.52%
* Comodo AntiVirus: 18.02%
* Aluria Anti-Spyware: 9.00%
“The most popular brands of antivirus on the market have an 80 percent miss rate. So if you are running these pieces of software, eight out of 10 pieces of malicious code are going to get in,” claimed Graham Ingram, general manager of Australia’s Computer Emergency Response Team (AusCERT).
A Patch-Friendly Boot Mode?
September 10th, 2006
In my Security Absurdity article, I mentioned the window of exposure which occurs when new, unpatched computers connect to the internet for the first time before they have a chance to download required patches.
In 2003 I mentioned the idea of a Patch-Friendly Boot Mode in the Patch Management mailing list as a possible solution to address this window of exposure.
I wrote, “One possible solution is a Patch-Friendly Boot Mode. Similar to booting into Safe-Mode, there could be an option to boot into a Patch-Friendly Boot Mode. During this mode, the computer would boot into a minimalist mode - or even DOS mode with all non-essential services disabled. The hard drive could boot in read-only mode, except for a single writable directory [to store the patches].
During this boot mode, the computer would connect to windowsupdate or a local patch management server (to minimize the time required to be connected to the internet) and then retrieve all the necessary patches. The patches could then be installed upon next reboot when the hard drive is back into read-write mode and prior to establishing a connection to the internet.”
Has such a solution ever been proposed? What are the potential downsides of this solution? What other solutions/workarounds are there to address the patch window of exposure?
2006 Stupid Security Competition
August 28th, 2006
Privacy International has announced their 2006 Stupid Security Contest.
The Stupid Security Competition aims to highlight the absurdities of the security industry. Privacy International’s director, Simon Davies, said his group had taken the initiative because of “innumerable” security initiatives around the world that had absolutely no genuine security benefit. The awards were first staged in 2003 and attracted over 5,000 nominations. This will be the second competition in the series.
“The situation has become ridiculous” said Mr Davies.
“Unworkable security practices and illusory security measures do nothing to help issues of real public concern. They only hinder the public, intrude unnecessarily into our private lives and often reduce us to the status of cattle.”
Privacy International is calling for nominations to name and shame the worst offenders. The competition closes on October 31st 2006. The award categories are:
* Most Egregiously Stupid Award
* Most Inexplicably Stupid Award
* Most Annoyingly Stupid Award
* Most Flagrantly Intrusive Award
* Most Stupidly Counter Productive Award
The competition will be judged by an international panel of well-known security experts, public policy specialists, privacy advocates and journalists.
A Computer Is Always Vulnerable, Even When Turned Off
August 28th, 2006
The SANS Internet Storm Center’s tip of the day says that a computer can not be compromised while turned off.
Some services keep running even when the computer is turned off. For example, Intel’s new Active Management Technology (AMT), which will be built into future processors, allows remote management even when the computer is powered off. AMT also lets administrators remotely power the computer on.
This creates potential attack vectors that work even against computers that are turned off. For example, if an attacker gains access to a single administrator machine on a network, they could potentially reach every computer on that network through the built-in AMT-enabled chipset.
While there are currently no known vulnerabilities in AMT, a worm exploiting an AMT vulnerability could potentially infect computers regardless of whether they are turned on or not.
In addition to turning off a computer, it is recommended that you disconnect from the network completely. If you use a laptop, the wireless card and services such as Bluetooth should be completely disabled as well. At this year’s BlackHat, Jon Ellch and David Maynor demonstrated it is possible to remotely exploit a laptop with a vulnerable wireless card even if it is not currently connected to a network.
With a computer completely disconnected from the network, the remaining security concern is physical security. Use physical desk locks, strong passwords and data encryption (confidentiality and integrity), along with secure, remote data backups (availability).