security

You are currently browsing the archive for the security category.

Doubleplusgood Kaspersky…

October 20, 2009 in democracy, security by Daniel Nyström | No comments

Eugene kaspersky have some very strange ideas on what would be good for the Internet:

Q: That’s it? What’s wrong with the design of the Internet?
A: There’s anonymity. Everyone should and must have an identification, or Internet passport. The Internet was designed not for public use, but for American scientists and the U.S. military. That was just a limited group of people–hundreds, or maybe thousands. Then it was introduced to the public and it was wrong…to introduce it in the same way.

I’d like to change the design of the Internet by introducing regulation–Internet passports, Internet police and international agreement–about following Internet standards. And if some countries don’t agree with or don’t pay attention to the agreement, just cut them off.

Emmm.. OK. Speechless. Overall it’s a very bad idea. I’m guessing it’s some kind of russian way of looking at society, mixed up with some orweillian influences.

Doing this would make identity theft so much easier, and also more fun & profitable for “the bad guys”… It would not solve a thing, just make it worse and probably bring more AFK violence into the picture.

What is it about some corporate leaders and politics? Something that they might want to consider is to pay at least some respect to the bigger picture, and to try to propose solutions that do not only target the symptoms but the root of the problem.

In this case, people from the eastern block (Russia, Ukraine etc.) that make millions on malware…

I agree with Paperghost… just a terrible idea. More discussion over at The Register as well.

UPDATE:

Eugene Kaspersky follows up with an article on ThreatPost meant to explain his statements. None of his arguments are valid though, and they’re shredded in the underlying comments.

I’m just going to comment on his first point, as the rest are just words without substance:

“Common users are NOT anonymous for police and governments. Today the authorities can find any person they are after easily. There is a wrong perception about Internet anonymity – very few people realize that it does not exist for ordinary users. But the worst part of the story is that the ones who are truly anonymous are professional cyber criminals, because they know what to do to hide their real identities in the Internet. That is why we have millions of malicious programs and successful network attacks every year, and we don’t know who’s behind them.”

And this will change how? Having an endpoint authenticate with (supposedly) secure credentials will not change one thing. All botnet C&C-servers, as an example, is run on other peoples machines and the authors are always bouncing through other computers on their way there. It simply will not change a thing.

All this will do is make regular Joe more vulnerable to identity theft and exposure to corrupt regimes, while still leaving the bad guys anonymous. You might even consider the bad guys more secure, as they’re hiding behind someone elses credentials. Instead of sponsoring insane schemes that would fit into a George Orwell book, try to attack the core of the problem.

If lobbying for something, a good starting point for Mr. K would probably be at home. A lot of malicious sites and campaigns are run out of Russia (and other countries in the eastern block). Try to put pressure on legislators in these countries so we can capture the criminals with good old investigative police work instead.

As it is now, police in these countries are either ignoring the problem or just do not have the resources they need.

Tags: , , , ,

Top 5 cybersecurity risks today

September 18, 2009 in security by Daniel Nyström | No comments

The Channel Web (crn.com) has listed the top 5 cybersecurity risks according to TippingPoint:

“With the number of cybersecurity attacks increasing in both frequency and sophistication, many organizations are having difficulty prioritizing which threats are most dire. A report out today by network security provider TippingPoint outlines the biggest challenges facing companies trying to secure data and systems. (Qualys, the Internet Storm Center and the SANS Institute contributed to the research.)”

Not to my surprise, number one in that list is unpatched client-side 3rd party software. They are specifically pointing to Adobe Reader, QuickTime, Adobe Flash and Microsoft Office that has been proved vulnerable and exploited in great numbers over the last year.

Patching policies and processes for these applications are often lacking or in some cases absent, even in larger companies. Many senior level IT-Directors have yet to realize how serious this situation are, and every time I have a seminar that touches on this subject I get a lot of questions on it afterwards.

There are tools to automate this kind of patching, but if upper management do not understand the implications they will not provide the funding to remedy the situation.

Second on the list is using Microsoft Windows. This risk is motivated by the current situation with the Conficker worm, but they also make connections back to the older network worms Blaster and Sasser and their remaining presence. Nothing new under the sun with this… it’s a known risk. Again, patching seems to be the focus issue, and organizations need to take it seriously.

Next item, number three, is the need to patch Quicktime vulnerabilities (CVE-2009-0007, CVE-2009-0003 and CVE-2009-0957 is highlighted) as they are being exploited in a very active manner. Concern is also expressed over the fact that the same codebases are being used on multiple operating systems, thus increasing the attack surface available to the “bad guys”. This also connects back to number one, patch your 3rd party apps that can be remotely accessed.

Number 4 focuses on the fact that web applications are one of the top targets for cybercriminals today. Why? Probably because of the fact that if you hack one web application, you can use it to exploit & infect all users of that system that are carrying outdated 3rd party applications. Web applications are also the top ranking category when it comes to number of disclosed vulnerabilities over the last couple of years.

I’d hate to offend someone ;) but it seems that most code written for the web is made only with one focus, to provide a feature. The security aspect seems to be forgotten or just not prioritized.

And the last one, number five, mentions the rise in zero-day vulnerabilities. That is vulnerabilities that the bad guys find first and use to exploit systems before there is a patch available. I have not seen many of these floating around but I know that the response time for these has not been good for any affected vendor. It might be a good thing to keep an eye out for and a motivation to enforce stricter content filtering at the perimeter (not that it would do you any good with mobile clients).

To summarize: 60% of their points clearly shows that even though patching has been the number one security problem to solve since Code Red, not many can handle it. Client-side vulnerabilities are the main focus, either directly or indirectly, as that’s where to good stuff are. Personal and financial data is the primary motivator for malware authors today and web-based vulnerabilities are the key.

If you do not have a process for ensuring your network-wide patch status, it’s time to get one. The tools are there.

If you are lacking funds, have a look at:

* OpenAudit – Great GPL’d software that enables you to do inventory of hardware and software (including versions installed).
* MBSA and WSUS – For regular MS Windows scanning and patching.

Cheers,

Tags: , , ,

Vista suffers another bullet to the chest

September 13, 2009 in security by Daniel Nyström | No comments

From Securityfocus:

An independent security consultant publicized this week the details to a critical flaw in the server message block version 2 (SMB2) component of Microsoft’s Windows Vista, Windows Server 2008, and the release candidate for Windows 7.

The researcher, Laurent Gaffié, claimed in his advisory that the vulnerability causes a Blue Screen of Death, a pernicious crash on Windows system, but other researchers have subsequently concluded that the flaw is actually remotely exploitable, a more serious issue.

And more from the same source (different article):

In December 2007, Microsoft patched the file- and printer-sharing functionality in Windows Vista to fix a medium-severity vulnerability. Unfortunately, the company inadvertently added a critical flaw, a security researcher said on Friday.

In an e-mail interview with SecurityFocus, Laurent Gaffié — the researcher that disclosed a critical flaw in Microsoft’s Server Message Block (SMB) version 2 code earlier this week — said that further research pinpointed the specific patch that added the vulnerability to Windows Vista. The patch, which fixed a remote execution flaw in SMBv2 signing, was rated Important by Microsoft because the vulnerable feature was not turned on by default. The vulnerability that the patch allegedly introduced could allow an attacker to exploit an affected system in its default configuration, which usually merits a Critical rating from Microsoft.

So, it seems that Microsoft has shipped yet another remotely exploitable security hole in their operating system(s). Hopefully it won’t be wormable to any greater extent, but we’ll find that out real soon.

This helps illustrate the point I tried to make in my last post, that no client machines can be trusted. They are all compromised sooner or later.

Also, if you are trying to be compliant with some policy, your risk ratings just peaked if you are using Vista… in particular if you have mobile workstations being carried in and out of your network. How do you manage that threat? Firewall port 139 and 445 on all clients, thereby loosing the possibility of remote administration and breaking functionality that might be needed by your business systems?

And this is just one hole… I sure hope that you have control over the Acrobat Reader’s and Flash installations on your clients ;)

Tags: , , , , ,

Mobile workforces and security, changing the way we should think of our networks?

September 11, 2009 in security by Daniel Nyström | No comments

Network segments

Administrators tasked with creating a mobile platform that’s not only is reasonably secure, but also keeps internal resources safe from it might be scratching his head. Smaller organizations also have restricted budgets that prevents them from purchasing high-end security solutions to handle this. Larger organizations often turn to solutions like Microsoft NAP to ensure the integrity of clients entering the network, but in my opinion that kind of solutions are fundamentally flawed.

NAP (as an example) just verifies that a client fullfills certain requirements such as an up to date antivirus signature, full set of patches and other (known) criterias.

So what? What does that mean to the integriy of a machine? If a machine is infected or compromised in any way, it is because the existing protection measures obviously did not work. The network is still at risk because of that client and that’s not going to change just because the machine is compliant with a policy that has been based on verifying known factors.

Keep in mind that the amount of malware now hitting viruslabs all over the world is approaching 35 million samples per year, and keeping signatures and heuristic measures fit to tackle that problem is a hard job. Some would even argue that it’s impossible (altough I would not, we’re getting closer). Security simply cannot be measured in patches and signature file dates anymore.

So what can you do to handle the threat of mobile workstations, USB-sticks, PDAs, phones and other mobile devices?

I’ve thought about this for a while and came to a pretty simple conslusion:

Just assume they’re all compromised, and design your service and security architecture based on that assumption.

Internal networks are often considered secure, or at least semi-secure, environments in which people are authorized to use certain applications and access certain data in a way that assumes that the clients are not compromised.

In this kind of environment a worm outbreak often has a severe impact as it can spread quickly throughout the network. Attacks often become more serious than they need to be because restrictions, if any, are very loose and often modified to suit “ease of use” instead of security.

And why shouldn’t they be loose, the clients are secure, right?

The idea I’m trying to get some practical tools to fit into, is to consider all network segments as compromised except the one(s) actually holding the data that you need to keep secure.

In this model you could, for practical reasons, keep the perimeter around the internal network and other segments. One might even do some or even extensive content filtering of network traffic at that point. From a data security perspective, this net should still be considered compromised though as there’s no real way to ensure its integrity.

The only part of the network to focus your security measures on would be the “Data storage and application serving”-part. How you could do this is a practical thing, but you should avoid removing any data from that environment. The practical part of handling this could of course vary, but one could serve data to users in the local network by utilizing terminal services and/or more secure solutions such as Appgate SS. Using web-based (internal) versions of CRMs and other things might be something as well.

You should still do encryption, antivirus, firewalling and possibly DLP on the clients. But that is kind of secondary as long as your application and data access structure is constructed in a secure fashion. VPN connections from the outside world (Internet etc.) would of course terminate in the local network and be subject to the same filtering as other devices in it. Maybe remote clients application availability should also be the subject of further restrictions.

I’m not exactly clear on the details but I’m getting there. An increasingly mobile world needs security measures that’s adapted to this situation, not that are stuck in the old world of stationary devices locked in a specific part of the network(s).

Many organizations do stuff like this, but often in a limited manner and not with the same philosophy in mind. For example shielding servers in one network from the clients, allowing a subset of them access to certain places. Those with access are considered trusted and the data is still spread between servers and clients.

What I’m getting at is that people should try to make their own application and data servicing work like online, “cloud based”, services such as Google Docs, SalesForce etc. instead of using applications and handling data locally. Sure, they could use those actual products, but then they’re lacking control over their data and for some that’s just as bad.

Client machines is not to be trusted, and that is important to remember.

I’ll post some more on this, and try to give some practical suggestions, when I’ve wrapped my head around this a bit more…

Tags: , , , ,

Conficker claiming 9 million victims…

January 17, 2009 in malware, security by Daniel Nyström | No comments

http://flickr.com/photos/dave-rogers/
Photo: Dave ® on Flickr. CC BY-NC-SA.

…now imagine the amount of cash you could bring in through affiliate programs with a botnet like that. Stunning.

The method for calculating the number of victims have been debated, but it’s probably not too far from the truth. More at The Register, who got the figures from the F-Secure article linked above.

My earlier posts on MS08-067 and related worms can be found here.

Tags: , , ,

Conficker worm growing…

January 9, 2009 in malware, networking, security by Daniel Nyström | 2 comments

Panda Security/work related post. This is a personal blog but from time to time I’m posting things that may relate to my employer. More info, read “About this blog”.
Pink Sherbet Photography on Flickr - http://flickr.com/photos/pinksherbet/
Photo: Pink Sherbet Photography on Flickr. CC Attribution.

Conficker, the network worm exploiting the MS08-067 vulnerability that I’ve mentioned previously, has continued to evolve and several new variants (.B/.C most prominent) has been discovered.

The impact this worm is making is becoming bigger, but here in Panda Sweden we haven’t drowned in work yet. The stories I’ve heard so far is the usual ones with users and consultants bringing infected units (or USB-sticks) into the network and then infecting unpatched machines that had previously been hiding behind the corporate firewall. So far it doesn’t seem too bad here though and I’m holding my thumbs that people learned to patch their machines back in 2004 ;)

That’s also all that it comes down to. Patching your machines. If you’re here looking for and easy solution to the mass infection in your network you’re probably too late. You should have thought about patching before you got infected. Not after. However, what you need to do now in order to resolve your situation is to:

- Patch your workstations and servers. Read MS Security Bulletin MS08-067. Patching can be done in a million ways. If you’re currently lacking a patching solution, look into Microsoft WSUS for a free (as in free beer, not freedom) solution. To identify unpatched or in other ways insecure systems, you can use the Microsoft Baseline Security Analyzer. This tool will also identify weak passwords, something that Conficker uses to spread in local networks.

- Disinfect the infected machines. Again, this can be done in several ways depending on your current situation and I would recommend contacting your anti-malware/anti-virus vendor for exact instructions. Some of us have specialized tools available for rapid deployment through scripts etc. so you don’t have change into your jogging shoes ;) A good start before you call is to make sure the machines actually have protection installed and updated though. If not, install it and make sure it’s updated. If you’re a single user you can clean your machine using online scanners such as ActiveScan 2.0. If using Panda Security solution you can find your local office here.

- Learn from your mistakes. Get a patch routine going and a monitoring system running. Make sure your anti-malware solution is up & working, and then implement a process to ensure that it’ll do so in the future as well.

Also keep in mind that Conficker, except the normal worm behaviour and what I’ve mentioned in previous posts, infects USB-sticks and other portable storage as well. It does this by placing malicious files on the media and auto-running them using the autorun and autoplay features when they’re connected to a computer.

More information: Panda Security 2, Panda Research, PC1News, Sophos, CA, Harry Waldron, F-Secure 2 3, MS Malware Protection Center, RegistryCleanerz.

Tags: , , , ,

As if warrantless wiretapping wasn’t bad enough

January 5, 2009 in democracy, security by Daniel Nyström | No comments

Hughelectronic on Flickr - http://flickr.com/photos/hughelectronic/
Photo: hughelectronic on Flickr. CC BY-NC-SA

The use of warrantless hacking is soon a reality in Great Britain. Yes, that is Police breaking into citizens computers in order to see if they’ve done something wrong or not without evidence or a court order.

From The Times (via HAX (Swedish)):

THE Home Office has quietly adopted a new plan to allow police across Britain routinely to hack into people’s personal computers without a warrant.

The move, which follows a decision by the European Union’s council of ministers in Brussels, has angered civil liberties groups and opposition MPs. They described it as a sinister extension of the surveillance state which drives “a coach and horses” through privacy laws.

The hacking is known as “remote searching”. It allows police or MI5 officers who may be hundreds of miles away to examine covertly the hard drive of someone’s PC at his home, office or hotel room.

Material gathered in this way includes the content of all e-mails, web-browsing habits and instant messaging.

Read the full article over at The Times.

This isn’t really news and the Swedish Government has similar propositions being prepared. Another step to the total control society indeed.

To protect yourself you can do several things out of which installing and using Linux (and keeping it up to date) might be the first. If you’re stuck in a Windows environment you should keep up with your patches and install an Anti-Malware (anti-virus) application that does not solely rely on signatures as some vendors agree to exclude certain states spy-tools from scanning by those. Choose one that has behavioral blocking of some sort or other mechanisms for detecting hostile code without having an exact signature. Also choose a solution which has some kind of personal firewall shipped with it so you can see the applications that tries to connect to the outside world and pay attention to its warnings.

If you are in need of a wireless network, buy an AP (Access Point) that you then connect to your router (another separate unit) in a port which is isolated from the rest of your internal network. There are guides on how to do this in your manual (if not, buy a new router) and you can also leave a comment if you need further help. I’m can also do ultra-cheap consulting for those that need help evaluating their current security during evenings and weekends.

And yes, these are the same basic instruction that I give to home users when educating them on how they can protect themselves from getting their credit cards and/or identity stolen…

What’s wrong with the people suggesting and implementing these laws?

God damned idiots…

Tags: , , , , ,

Extracting metadata from Office 2007 docs

December 23, 2008 in microsoft, privacy, security by Daniel Nyström | No comments

Found a short and interesting webcast on how to gather metadata such as usernames from documents created with Office 2007 over at PaulDotCom:


Hack Naked TV – Episode 2 – Office 2007 Metadata from PaulDotCom on Vimeo.

 
As you might know, the new MS Office format (.docx etc.) is based on a zipped structure of XML files. These XML files contain everything from the structure of the document, the data in it and of course the metadata of the document. Previous versions of MS Office has been known to divulge a bit too much information, and this webcast focuses on digging out user data that might be used in remote pen-testing.
 
The webcast only illustrates digging for usernames, but as we all know, more information might be hidden (even though it looks cleaner) ;)
 
Anyways, if you’re on windows and want investigate your own files you can just use WinZip, WinRAR or any other archiver to extract the files inside your .docx/.xlsx/etc-x files. XML files can be manually interpreted using notepad++, Internet Explorer or other more specialized tools.
 
Cheers,

Tags: ,

Handling large scale worm infections

December 3, 2008 in malware, networking, security, work by Daniel Nyström | 1 comment

Warning: Panda Security/work related post. This is a personal blog but from time to time I’m posting things that may relate to my employer. Read “About this blog”.
Lock in the grass... yup.

We’re seeing a quite large increase in Conficker.A infections (exploiting MS08-067) in Sweden right now, and computers not sufficiently patched or secured is causing a mess.

So far, most corporate network infections are making more noise than damage as people seem to have become better at patching since 2003-2004. What is causing alarm is our protections blocking the network attack proactively when it’s delivered from an infected machine or on computers without TruPrevent, when we nail it with the signature.

Anyways, I feel like being a bit proactive and recite some of the simpler lessons from 2003 in the new light of this little worm as it feels in my gut like we’re going to get taken for a ride.

What do you do once your switches start looking like Christmas trees, all lit up and warm? Well, there’s no one single recipe and there will most certainly be a twist to your specific situation. There is however some basic things you can do, and you can start by asking yourself;

Are your machines patched?
  a) I do not know
  b) Yes they are
  c) No they are not

If A, use Microsoft Baseline Security Analyzer to get a picture of the current situation. This tool can be set up on any modern windows system and should be run using domain admin credentials in order to gain total visibility. This tool will also display a lot of other crucial security information (password complexity, security policies etc. etc.).

If B, Haha, Yeah right… ;) But if you’re confident about it you can at least be calmed by the fact that you are probably exposing less attack surface internally to the worm. You will however have some clients that is not patched or incorrectly patched and if they’re not infected yet they’ll be in a short while.

If C, you should start finding out how you can easiest distribute the fix. If you’re running a smaller shop you might even have greater success doing the good ‘ol leggie around the office, but if you have a couple of hundreds or thousand clients you need to set up a deployment plan now. Possible deployment methods might everything from SMS, System center, Zenworks (Novell), Logonscripts with silent patch install, WSUS set-up and group policy configuration. It really doesn’t matter which technology you’ll use, it just needs to be done “yesterday”.

Do you know what machines are infected at this time?
  a) Yes.
  b) Nope, or some, but I’m guessing there’s more.

If A, set them straight. That is install the patch, install your protection, update that protection and make sure it’s as “clean” as it can be. Then move to B.

If B, install Wireshark on a patched computer (or why not use Linux?) and sniff the network for 15-30 minutes. This does not have to be done in promiscuous mode or using some kind of special networking equipment, as all that we want to see are computers trying to exploit/infect the computer that you are sniffing on. After stopping the traffic gathering you will have a lot of packets to analyze and what you’re looking for are SMB packet’s that look something like this:

Image by Don Jackson from SecureWorks via ThreatExpert blog.
Thanks Don Jackson from SecureWorks via the ThreatExpert blog.

The key here is identifying SMB packets that contain references to the NetPathCanonicalize function and to do this you should be able to use a filter expression like this in Wireshark (not tested atm so no guarantees):

smb.service contains "NetPathCanonicalize"

Note the source IP for all lines matching the above expression and try to identify the physical machine behind that. Usually it helps to identify the user first and to do that just click “Start menu“->”Run“, write “\\OFFENDING_IP_NUMBER\c$” and press OK. When you get the mapping up, go into “Documents and settings” and sort the listing by modification date and you’ll see what user last used the computer.

Of course, just having an updated inventory of all machines and their MAC-adresses before this happens is a bit easier. Doesn’t happen too often that this is available though.

After the machines has been identified you are to patch them, protect them and finally to update the protection. If you suspect that your protection doesn’t work like it should or that the infection itself persists and doesn’t get cleaned you should contact your AV-vendor as soon as possible so that they can collect the sample.

The approach mentioned above is not valid if you’re having more than 50 machines infected. If you are in that situation the following statements are probably true: You have a large network, The machines are not updated, not protected and if protected it’s with old software and/or definitions. This means that you’re going to have greater trouble than most resolving this situation and I’d suggest a more generic approach as a start.

1. Deploy the one patch needed (NOT ALL, that takes too long) through the software distribution tool of choice, logonscripts or whatever suits you in order to prevent re-infections after cleansing.
2. If available, deploy cleansing tool or script in the same way shortly after. Contact your vendor for more information, help and suggestions.
3. Deploy Anti-Malware protection using the same method that you used to deploy the patch above and make sure that all protections are turned on and updated.

These steps might be hard to follow during an ongoing infection, and if you are having trouble call your AV-vendor! We have more experience with this and will probably be able to see things that you overlooked.

After you’ve done these basic things you can move on to the manual methodology above in order to find any computers still infected.

And finally some suggestions on what you can do now to ease the burden if (when) you get hit:

* Secure your systems, not just patches but security policies, user- permissions , local administrator rights and so on. For inspiration, take a look at Microsoft’s SSLF policies. Just make sure to remember what LF in SSLF means while doing so.
* Install and manage your anti-malware and security solutions. Make sure that they are in the latest versions and that signature files/databases/ips filters are updated as they should.
* Strenghten your IT-policy in regards to connection of external units to the network. This won’t prevent much but it’s worth a shot. If you want to enforce directive’s such as these, take a look at Panda NetworkSecure, Cisco NAC or Microsoft NAP.

That’s all ;)

If you need any help with anything, drop me a line and I’ll get back to you as soon as possible.

Cheerios,

Tags: , , , , , , ,

CSO Night Vision (seminars)

November 13, 2008 in personal, security, work by Daniel Nyström | No comments

Hector Melo A. on Flickr - http://flickr.com/photos/chile-suecia/
Photo: Hector Melo A. on Flickr.

I attended the IDG / CIO (and CSO) seminars night called “CSO Night Vision” yesterday and it was a good one.

Seminars were held by reps from Ernst & Young, Combitech and Rittal and all were interesting. I also picked up two books, “Stress vid kriser” (eng. “Stress during crisis”) by Peter Jonsson and “Våldsam aktivism och terrorism” (eng. “Violent activism and terrorism”) by Jan Kallberg as they were handed out.

Looking forward to reading Kallbergs book as I’m interested in knowing what style he writes in. When he moderated and participated in the “Security policies of 2020″ debate during Internetdagarna he was very straightforward and clear and I’m hoping that this book is as good read as that debate was to listen to.

Other than this I talked to the IT-manager at Företagsuniversitetet. He was currently using F-Secure (and happy about it) and we discussed the difference of solutions on the market during the night.

All in all, a well spent evening…

Tags: , , ,

« Older entries