I attended the IDG / CIO (and CSO) seminars night called “CSO Night Vision” yesterday and it was a good one.

Seminars were held by reps from Ernst & Young, Combitech and Rittal and all were interesting. I also picked up two books, “Stress vid kriser” (eng. “Stress during crisis”) by Peter Jonsson and “Våldsam aktivism och terrorism” (eng. “Violent activism and terrorism”) by Jan Kallberg as they were handed out.

Looking forward to reading Kallbergs book as I’m interested in knowing what style he writes in. When he moderated and participated in the “Security policies of 2020″ debate during Internetdagarna he was very straightforward and clear and I’m hoping that this book is as good read as that debate was to listen to.

Other than this I talked to the IT-manager at Företagsuniversitetet. He was currently using F-Secure (and happy about it) and we discussed the difference of solutions on the market during the night.

All in all, a well spent evening…

Recieved a package today from SIG Security with an early Christmas gift, the book “Säkra ditt företag” (in english “Secure your company”). For those not working in InfoSec in Sweden, SIG Security is:

a non-profit organization with about 1700 members. The board is appointed by the members at the annual meeting. SIG Security — founded in 1980 — is a community for people working within the information security area, and the members come from all different parts of society.

The author of the book is Nicklas Lundblad (European Policy Manager, Google, see earlier post) and the books audience is upper-level management rather than technicians. I wouldn’t argue the value of technicians exploring others points of view though.

Thanks for the book guys, it’s a given ‘hand-over’ to our CEO

Photo: tricky ™ on Flickr.

Found an interesting article by Martin McKeay through “Security Bloggers Network” which discusses PCI compliance and the implications of hosting applications and data in the cloud.

He boils everything down to one simple point; If you store/transmit/handle cardholder data in a service provider’s network, that network becomes part of the cardholder data environment and needs to be PCI compliant:

“So I made several comments on the post, most of which boil down to referencing PCI requirement 12.8: If you’re sharing cardholder information, i.e. credit card numbers, with a third party service provider, you need to have a clause in your contract that makes the service provider responsible for the PCI compliance of their systems. With the example given, Amazon’s EC2, the chances of getting such a clause in your contract are almost non-existent.”

A subject similar to this has been of interest for me before as Panda MalwareRadar is a cloud service where files deemed interesting are ‘fingerprinted’. Those fingerprints are then communicated to our Collective Intelligence servers in order to be analyzed deeper. For more info on CI, see this whitepaper by Panda Research.

In other words no complete files ever leave the client’s network, but some clients that are in the process of becoming PCI compliant are unsure of what implications services such as this might have. Their general feeling is that they aren’t 100% comfortable handing out fingerprints of possibly malicious processes or files, as it might (theoretically at least) be a false positive. This will lead to unforeseen information disclosure to a third party (PandaLabs and CI servers). We also do inventory of the current patchstatus with the same tool and the same thing goes for that.

I trust our systems with the information gathered, but I understand their position as well as they have to be able to prove compliance. But is there any need to worry?

It all seems to come down to two questions; “Can you trust your security vendor?” and “What requirements in PCI DSS might be implicated by this type of services?”.

Personally I think that some level of trust must exist between a security vendor and their customers so for me the answer to the first one is Yes. Many security products and services are placed in such sensitive locations that it would be impossible to use them otherwise (not only talking about anti-malware here).

I’m unsure about the second one though and would appreciate any comments on this. From what I’ve been able to find information on, there really shouldn’t be any problems. The one thing that might be troubling is the patchstatus information, but the information sent can be anonymized to not include data such as computernames or IP-adresses so that you only get an overview of the current situation (same goes for the malware detections).

Any PCI DSS experts that feel like commenting on what their experiences are with Collective- or Herd-intelligence technologies and services such as this?

EDITED TO ADD: Mike at Aegenis comments below and recommends reading his follow-up post.

The debate on what internet security would look like in the year 2020 at Internetdagarna ‘08 made me think.

What will the malware landscape look like in 12 years?

Well, if we look at our history it’s quite hard to see a larger trend as our selection really doesn’t range that long back. Viruses and worms has been present ever since people started networking computers, and some ever longer. However, there has always been a very opportunistic area and the “bad guys” has adapted quite easily to the different challenges we’ve put them up to.

Previously the attacks were almost always aimed at being large scale and make as much noise as possible. We had the CIH virus, Loveletter, Melissa, Blaster, Sasser and so on. This type of malware did a lot of damage, caused a lot of headache, made people cry over lost images and cost companies millions of hours in overtime.

But still no one was really hurt. There wasn’t any money missing and everyone kept their identity for themselves. The game was more or less “See mee! PLZ!” and “1′m 4 b3773r VX-coder than you, mother*beep*, our cr3w rule the w0rld!!!1!!!“. Media attention was the holy grail.

This has changed though.

Some years ago (~5 yrs?) we started seeing targeted, financially motivated, malware and organizations that profited from these directly. Back then the malware authors were still learning and a lot of mistakes could be observed. We may have laughed at their worms that had bugs earlier but today it’s not that funny. They’ve learnt from their mistakes and today their cashflow enables them to do real Quality Assurance on their code.

Today almost all types of malware circulating is financially motivated in one way or another. They are adapting their methods of infection and follow world and market trends to identify the times at which hard distribution is most effective.

As my colleague Sebastian Zabala puts it; “For them it’s ‘Money talks and bullshit walks‘“. In other words, if it does not generate immediate cash return it is not the least interesting and terms as ARPIU (Average Revenue Per Infected User) are being used. This has been the single most dominant motivator for the malware evolution that we’ve seen in the past couple of years.

Several prominent groups has been mapped over the last four-five years, and one of them is the notorious Russian Business Network. They seem to have relocated now, but at one point last year (2007) a very large portion of the malware being distributed was coming from their network. This is probably the same now but from other, more separated, locations that isn’t as easily distinguished.

The methods of distribution was previously very direct and the bad guys were satisfied with the distribution method of one host infecting another but this has also changed a lot. Much of this change is probably motivated by their need to continuosly modify the malware to keep as much code as possible out of AV-vendors signature files. Today, a very large percent of infection happens through web browsers that get exploited by trusted websites. These websites has been hacked in one way or another in order to add HTML that loads malicious code through invisible iframe’s or scripts.

These attacks are made possible by insecure server-side code which enables attackers to do SQL injections for example. We are also starting to see signs of social networking applications being exploited for the same purpose and a possible method of infection here is XSS (Cross-site scripting). There’s a myriad of different attacks on the same theme, but it’s the same thing here really, insecure server-side code with a twist making the client essential. All in the true spirit of Web 2.0.

But the method of infection really isn’t that important. There will always be vulnerabilities waiting to be exploited. If not in insecure code, then in user behavior. Just look at the latest waves of fake security products. These often use social engineering to get installed on it’s victims computers, such as faking a windows desktop and tricking the user to click OK or taking other actions to install the malware. These applications alone are estimated to bring in multi-million numbers to the guys behind them this year.

A couple of years back, malware on the windows platform also started to come packed with rootkits and other methods of concealment. These technologies has been more widely deployed during the last year and we are seeing them being used in layers. For example, the droppers that first reach the systems often do not come with rootkit functionality but load (injects dll’s) themselves into system processes in order to stay hidden. The malicious software pack that is later downloaded more often than not come with real rootkits often in the form of system drivers. My guess is that this is meant to make users believe that once they’ve managed to clean out the malware they are in the clear, but only hours later the dropper sucks down another pack of crap and installs it.

From our (AV-vendors) point of view we are seeing steep increases in the number of samples (different versions of the same malware) being distributed and to cope with this problem we are inventing different technologies that either make our signature less important or help us analyze samples. For example Panda has TruPrevent for behavioral analysis and Collective Intelligence for malware identification and faster analysis.

This race will continue. When we establish an effective countermeasure to their latest move, they will change their business model or malware structure. When they do so, we will change our take on the problem.

So… What will the malware scene look like in 12 years?

Well, I don’t really know… I don’t think anyone really knows.

As technology evolves so will the parasitic creatures that feed upon it. My guess is that the malware will be more user tied and that more of the malicious code will be built upon pre-built frameworks that enable faster development. Maybe this already exist?

The Storm botnet that followed us from 2007 into 2008 and still is alive and well is a good example of what the future will have in store. The malicious code relies heavily on social engineering for distribution and installation, and the underlying structure is both stable and agile. They use fast DNS fluxing and double-fluxing in order to keep it alive and also varies communications method between IRC, P2P (eDonkey) and HTTP.

I’m not saying we’ll see more of the same, but rather more malware being based on the same thoughts; Great stability, Good control, Improved anonymity and excellent networking.

Platform independence will probably become more and more important for malicious software as well, as the array of different units used to access the internet is getting bigger every day. By platform I mean both hardware and software.

The challenge for us anti-malware vendors is to keep up. How we’ll be doing that is based on future experiences but in an ideal situation we come as close as we can to a silver bullet for every new twist that the bad guys throw at us. Our real challenge here is to be equally adaptable to new situations as they are. We need to be able to react quickly and hard without impacting the stability of our customers it-systems.

I also think that the user knowledge angle will be more and more important and this will have a big effect on malware distribution. Today I’m seeing younger people just laughing when they stumble upon a strange website and fire up ProcessExplorer to see if something bad happened. This would not have happened five years ago and it changes the way that malware authors have to think.

Hopefully we are up for a cleaner internet tomorrow, but there are no guarantees.

In a worst case scenario the internet might be clogged with garbage, which forces ISPs and national institutions to do filtering in order to isolate the countries that cannot control the organizations behind the malware. This is not something that we want to see and I hope it never goes that far with all of my heart.

Please comment with your thoughts on what the future has in store for us

Cheers,

The second day of Internetdagarna (22/10-08) was spent in the Security track as well, except for the last seminar where I switched to the society track.

The first seminar was “Pålitlig e-post / Anti-spam” which translates to “Reliable e-mail / Anti-spam”. The moderator for this seminar was Jörgen Eriksson from .SE.

First speaker out was Amar Andersson from TeliaSonera and he spoke about “Spam-protection that undermine their own goals”. I can honestly say that I did not follow this good enough as I was very tired this first seminar and I kind of regret it now. However, the main problem presented by him was the lack of coordination and standards in anti-spam prevention methods. He mentioned blacklisting in general and the DUL-blacklist in particular, hostname “naming” (reverse lookups which results in a name conatining either “static” or “dynamic”) and how to make sure your e-mails got delivered in this day and age where the requirements for delivery can vary quite much from server to server (correct HELO/EHLO messages, correct reverse lookups, SPF and other DNS related issues).

Next speaker up was Bengt Carlsson from Blekinge Tekniska Högskola that just announced a new project between .SE and BTH. The project name was “säker e-post hantering bland illsinnad programvara” which translates to “Secure e-mail management amongst bad software”.

After this Rickard Bondesson from Linköpings Universitet took the stage to present his research on DKIM, DKIM-milter and DNSSEC implementations. This was a quite long and very informative presentation which stepped through his research in a comprehensive way under the following bullets; Forged e-mail, Prevention of forged e-mail, DKIM, Reliability within DNS, Implementation, Tests, Statistics, Experiences.

After this there was a small moderated panel debate on the topic of Reliable e-mail.

The next seminar was “Parasitekonomin på Internet” which (roughly) translates to “The parasitic economy on the internet”. Stefan Görling from KTH moderated and had one presentation, and the other speakers were two representatives from Lavasoft (you know, the guys behind Ad-Aware) and Martin Boldt (IT-security researcher from BTH).

Görling started out by picking at affiliate systems and the easy of exploiting these services for profit and he worked out from a site that supposedly uses this format in a legit way. He did not go into the malware point-of-view very much but he touched the subject when talking about “mis-spelled domain names default pages” which contain only affiliate links.

The guys (they were two) from Lavasoft then held their presentation which more or less detailed the different types of spyware they had included during the year, and also gave a strange remark saying the TeliaSonera was gaining money from the malware circulating on the internet (as they’re an ISP, they supposedly make profit when having their bandwidth used… hrrm…). This little remark came back to bite them in the ass when a (quite upset) TeliaSonera security employee demanded that they would take that statement back during the Q & A at the end of the session.

Following this Martin Boldt from BTH that discussed reputation systems and automatic EULA analysis. He had researched these areas and they were at this moment involved in creating web browser plugins and applications to enable users to share their thoughts and score on specific applications (binary files). See their project website at www.softwareputation.com for more information. He also noted that this project is still in Alpha stage. The ideas they’re having kind of looks like Panda Security’s Collective Intelligence, except it is user generated not automatic.

When it came to EULA analyzing they’ve taken a harder route than SpywareGuide’s EULA analyzer and they used many different bayesian and similar algorithms in order to define if an EULA is “good” or “bad” with a high level of success. Ideas for the future was to make this automatically integrated into system so that any EULA boxes could be automatically read and scored.

After this there was a Q&A session and Lavasoft’s statements was quite heavily scrutinized both by the TeliaSonera employee and Netnod’s CEO Kurt-Erik Lindqvist (I think it was him but I only heard the voice, so don’t quote me on this). It seems like Lavasoft’s statement was just illustrating and that they based their assumptions on an US ISP that had misbehaved and in some ways had profited on bad software.

Here I switched room and joined the “Infrastructure and society”-line of seminars. The one I was interested in was “Integritet och övervakning” which translates to “Integrity and surveillance”.

This seminar was moderated by Johan Hallsenius (editor for Computer Sweden) and the debate panel was only populated by pro-Integrity people as none of the invited politicians and FRA-people had turned up even though they were invited. The panel members was Oscar Swartz (debater, writer and blogger), Patrik Fältström (Cisco), Fredrik von Essen (Swedish IT and Telecom Industries) and Daniel Westman (Juridicum, Stockholms University)

The focus of the debate was of course the FRA-law but also dangerous EU-directives and other laws that affect impede personal integrity. It was an interesting debate, but as “the other side” was missing no hard questions could be discussed. I talked briefly to Oscar Swartz before the seminar and he described it as a “non-debate”, as there was only one point of view from all participants (with small diversions). He wrote a post on “Internetdagarna” on his blog in which he breifly mentions this debate.

It was also to hear what Fredrik von Essen from the Swedish IT and Telecom Industries had to say on this issue.

Unfortunately I had to leave before the Q&A session that followed, so I’m looking forward to the sound recording that are to be released here.

Some pictures from this day:

Integrity debate:


Martin Boldt (from BTH):

Back from the first day of Internetdagarna ‘08 (The Internet Days) where I followed the IT-security line of seminars.

So what did I get home with me, apart from the orange swag-bag above, from the different seminars?

The first seminar was “Hotbilden - organiserad brottslighet, cyberterrorism och industrispionage” which translates to something like “The threat landscape - organized crime, cyberterrorism and industrial espionage” and was moderated by security interested journalist Tomas Gilså from Techworld. The participants were Tomas Djurling (DSI), Vesa Virta (FRA), Svante Nygren (KBM) and Stefan B Grinneby (SITIC).

First a presentation was held by Tomas Djurling which discussed the different threats against swedish companies and organizations and where those were coming from. Tomas is a former FRA employee and as such the seminar was a bit colored by international military and paramilitary threats. He also said that Islamistic terrorists are getting funding through internet crimes such as CC stealing botnets and so on. No references were given during the presentation and this was new to me (!) so it’ll be interesting to see if this is going to be discussed further in the industry (and if its true). Of course, if FRA is his source we will never know as their business are classified.

After his presentation there was a moderator lead debate in which the audience could submit questions on paper notes. I’m not going to comment on what was said here at this time but there was some interesting things discussed. The sound recording of this debate will be published later and I need to get some facts straight before commenting on what was said here.

The next seminar was “Incidenthantering i praktiken” which in english is “Practical Incident management” and was moderated by Anne-Marie Eklund Löwinder from .SE. Three speakers participated and those were Stefan B Grinneby (SITIC), Annica Bergman (Dataföreningen) and Michael Anderberg (Microsoft).

Stefan from SITIC talked about practical incident management under the theme “Incident management, firefighting or oil sanitation” and it actually worked It was a good introduction to the process of both preparing for incidents and practical hints on what to do in case of an emergency. His presentation was very clear and it made me want to steal parts for my seminars We’ll see about that though

Annica Bergman from Dataföreningen talked about a large scale incident that took place in the beginning of 2008, when the hacker group “Vuxna Förbannade hackare” broke in to their member services using SQL injection attacks and stole their whole member list (26000 members) including e-mail addresses and passwords. These details were later published on Flashback with a huge media storm as a result. She described the 90 days following the incident and discussed what her experience had been like and it was interesting listening to it. I wrote about another intrusion made by this group in this post.

Michael Anderberg from Microsoft talked about SDL (Secure Development Lifecycle) and how it’s applicable not only to software development, but also to incident preparation and management with CodeRed/Nimda as examples. For those interested he also gave a reference to this book as a source of additional information.

Last but not least were “Debattt: Utmaningarna” which translates to “Debate: The challenges” which was a debate about what the internet would look like in the year 2020 policy- and security-wise. The participants were Jan Kallberg (legal expert, also debate moderator), Nicklas Lundblad (Policy Manager, Google Europe) and Kurt-Erik Lindqvist (CEO Netnod).

This seminars started out with all speakers takign turns to present their primary views on how the internet would look like and what implications that might have in the year 2020 (12 years from now).

After this there was a moderator lead debate in which the audience also got to pose questions or statements that the panel commented on. The debate was both entertaining, informative and extremely straightforward. A lot of the discussions were either directly or indirectly relating to the surveillance debate we are seeing all over the world and it was great to see the panel tackle both the philosophic angle and the practical angle of this. This was, for me, the most intellectually stimulating seminar of all. Great perspectives presented by great thinkers.

Tomorrow Internetdagarna ‘08 continues and I’ll be back with more information.

Here are a few of the photo’s I took during the day (didn’t take many, focused on listening;) ):

Internetdagarna ‘08 posters

My colleague Rickard Uddenberg (Marketing Manager, Panda Security)

A Free Software Foundation rep. that also gave me a tip of gNewsense (the really free (as in freedom) Linux distribution)

The Free Software Foundation poster behind him…

The World Internet Institute (The Swedish part of World Internet Project) poster.

Photo: EricGjerde on Flickr.

Weren’t going to comment on this really, but after reading up on all the different posts on the issue I’m feeling that some things are being missed. Specially if looking at Secunias CTOs (Thomas Kristensen) last blog post.

What I’m reacting to are these comments:

Our point is not that Internet Security Suites are useless (they are quite useful for most users). Instead, our point is that they protect insufficiently against hackers and that it is better to prevent attacks by patching rather than relying on other security measures alone.

When have we (the anti-malware vendors) said that our users do not need to patch? Sure we have protections that will catch things pro-actively, but that is meant for 0-day exploits etc. and is not meant as replacement for patches.

Also, our products (Panda Securitys) for home-users will scream bloody murder with annoying (but configurable) pop-ups if you do not have all MS patches installed. And I know that other vendors do this as well. Our corporate products also contain MalwareRadar which by default (not configurable) does inventory of installed patches and includes it in the report.

Next comment from Secunias CTO:

In my opinion it would serve the security industry well if AV-vendors would admit that the security provided by their products rely on a reasonably updated and well administrated system. If they really could protect systems without patches, then I’m quite confident that software vendors would stop making patches and instead provide these fabulous security solutions themselves.

Again, who said we do not need patches? Let me translate this to what I’m actually reading (my parody below):

In my opinion it would serve you guys in the anti-malware business good if you could tone down the “we take all proactively”-attitude so that we could make some money out of helping people see what needs to be patched. Also, plz be quick or Microsoft will start pushing this attitude as well and then I’m pretty much screwed.

But a bit more seriously. This is a publicity stunt and there’s no point in discussing it further. A company that publishes a report promoting their solution to a problem that has been incorrectly researched.

And when it comes to the test itself I think the other commentators have been too nice.

The methods used for testing illustrates great lack of knowledge on how to test client security solutions these days, and the worst thing is that I think they knew it. I can’t imagine the testers at Secunia being so stupid, when they’ve shown such skill before, that they didn’t realise that their methodology was flawed.

I mean, testing by scanning a bunch of exploit files? What are they after? That we detect their specific exploits by signature? Who would have anything to gain from that?

They then move on to say that we should detect exploits in a more generic way… Alright, how do you want us to do that? Look for shellcode in the files? Look for format exploit strings in the files? This is a false positive waiting to happen.

If we were to look for exploits (still, KNOWN EXPLOITS) we would have to first include a lot of new crap in the signature (as if it were not enough) and then implement detection routines that span whole files as we do not know where the crap might be. Good-bye CPU and memory, I’ll see you when your done…

The report really shows a total lack of understanding on how AV’s work today and the problems that we face with signatures.

What we and other has done INSTEAD is to create protections that “see” when an application does something it shouldn’t do or if it does something suspicious. These protections also monitor network traffic and can pro-actively detect and block traffic that shouldn’t bee there.

This is why a test against 300 files lying on your hard-drive do not give any accurate results whatsoever. Our protection stops genuinely active malicious code or applications that are being actively exploited by looking at the system and stopping things that does not look normal.

Ah well… Long story short this kinda ruins Secunia for me as an information resource.

For several years I’ve been using their web-based resources for unbiased information, but I guess that’s over now.

PS. Tired as hell now, so please excuse any linguistic or grammatical errors in the text above. .DS

Found a great article where Bill Seiglein (on csoonline.com) discusses the differences of being compliant and being secure.

Favourite quote;

I use the analogy that there might be a requirement for a door and so we install a door. Unfortunately the door is pointless without a lock but the requirement did not ask for a lock and so we did not get one

Wonderful analogy, really hits the spot and identifies the problems that appear when you try to use a compliance sheet as a checklist. You might miss things that are quite basic, while over-investing in controls that doesn’t do much to overcome the real problems.

A good example of this, to tie into my previous standards posts, might be companies using WEP in older wireless implementations. Insecure as hell but it is still considered “compliant” when the audit goes down.

Read the full article here!

And remember, being compliant does not mean that you’re secure.

PciAnswers.com (Aegenis Group) posted today on the differences in PCI DSS version 1.1 and 1.2.

For me personally as a consumer, I appreciated seeing deadlines being set for WEP usage.

* New implementations of WEP are not allowed after March 31, 2009
* Current implementations must discontinue use of WEP after June 30, 2010

WEP is seriously dead and dangerous technology and should not be used in or within reach of a network containing cardholder data. Remember some years ago, when people used to sit outside WalMart and sniff CC-data?

The deadlines seem to be a bit too far into the future though, but my guess is that the time is needed for the larger merchants in order to change legacy devices. On the other hand, this should already have been done years ago.

When it comes to Requirement 5, the anti-virus one, they note something I discarded in earlier posts:

* At first glance it appears that version 1.2 reverts to an older form of the standard by mandating “anti-virus software applies to all operating system types” but it quickly clarifies the intent still as those systems “commonly affected by malicious software.” Although the reference to UNIX is removed, it does state that companies should deploy on such systems “if applicable anti-virus technology exists.”

Requirement 10 has also been modified and now mandates that you retain your logs for at least one year, with the last three months available for immediate analysis. In other words you can rotate away your logs to an archiving facility after three months and just keep the current data in your live logservers.

For me, and all Panda Security business & enterprise customers, this means modifying the variables for the built-in log retention even further. Previously we’ve extended the period only to three months to prevent excessive information in the console (which makes it sluggish) together with syslog logging which has been rotated according to the company at hand’s internal routines.

A lot of more news was presented and is available in an easily readable format at pcianswers.com.