Alert – Financial Processes Targeted
- At August 28, 2009
- By Josh More
- In Business Security
- 0
I normally avoid spreading word about specific attacks, as it is better for overall security to continuously strengthen your defenses and keep an eye out for strangeness. Focusing on attack types and general security practice tends to have a better overall result than trying to play whack-a-mole and knock down individual people or pieces of malware.
That said, there is a current threat that people should know about, so I want to do my part to boost the signal.
At issue is a specific piece of malware that is targeting people with access rights to financial systems. It generally arrives in the form of a targeted email (spear phishing) which then installs the malware. Once installed, the malware monitors the computer for financial transactions and will then make some additional ones.
What’s different here is that small businesses are being singled out. This is largely because they tend to have weaker security and audit controls when compared to the larger firms. So, though the larger firms tend to have more money to steal, stealing a smaller amount from a great many other businesses can net just as much. And after all, a dollar is worth a dollar, no matter who it’s stolen from.
To protect against this attack, you have to keep one thing in mind — there is no guaranteed way to prevent it. All you can do is do your best to protect yourself and check transfers regularly to make sure that you’ve not been hit. In short, if your account people are not doing all of the below, your business is facing some serious risk:
- Using a two-factor authentication system (RSA tokens are the most popular) to log in to the banking system.
- Using a dedicated workstation for financial transfers. This system should not have any email client installed and should be firewalled to only access the necessary web systems.
- Entering into an agreement with your bank so that all transfers must be confirmed. A verbal confirmation originating from the bank is best, as that way the attackers cannot initiate a transfer and then call the bank to confirm it. If your bank cannot do that and you have to stay with them, look into email or SMS-based confirmation systems.
- Using a bank-enforced 24-48 hour hold on transfers.
- Checking your accounts regularly and reconciling all transactions.
Check out the following links for more information:
I would like to thank Rob Lee for alerting many of us to this situation.
Small Business Defense – Web Filtering
- At August 27, 2009
- By Josh More
- In Business Security
- 0
The term Web Filtering has many connotations. On one side, employees (often younger ones) view it as a form of censorship. On the other, business owners do have the right to require that employees spend their time doing what they are paid to do. As is often the case, the best answer doesn’t really match either extreme.
Filtering technologies come in many flavors. They range from highly simplistic technologies that block specific domains to complex deployments that set rules for each user, matching them against a set of categories to block or allow. They can also give fine-grained control over operations like file downloading and updates.
The costs vary too. Generally, the more control you want, the more it will cost. While there are some open source solutions that you could deploy for free, they tend not to be robust enough to work well in enterprise environments. The dedicated appliances work well, but often require rearchitecting the network for implementation. Lastly, there are modules that can plug into your existing network equipment, but they may be a bit more expensive than you would like.
Of course, the challenge of using such a technology is often not technical. The problem is primarily a social one. Do you have the political environment where it is acceptable to monitor Internet traffic? Will users allow you to block access to sites that they’re used to visiting? Will management have a problem with you knowing the browsing habits of your fellow employees?
As usual, it’s best to start with a policy that specifically controls what you will be doing and how the technology should work. Then you can start implementing the technology using the policy as a guide. At a minimum, you will want to define:
- which types of sites are to be permitted and which are not.
- which types of downloads are to be permitted (if any).
- what to do when employees are regularly found to be attempting to visit blocked sites.
- what “regularly found” may mean.
Lastly, before you implement the technology, it may be good to identify which types of applications you are using. Some of these filters support a “transparent” mode but some must be run as a proxy. Both methods work fine, but some applications may not be proxy-aware. This can determine both the solution selected and the mode of deployment.
Small Business Attack – Web Browsing
- At August 26, 2009
- By Josh More
- In Business Security
- 0
As much as we dislike it, a part of most people’s jobs these days involves waiting. Though they keep making computers faster and faster, there is still a bit of downtime involved. While in the past, this time might have been spent talking with coworkers, these days it is more likely to be spent online.
There are many ways to spend your time online, from shopping to reading news to social media. While there is nothing inherently wrong with being online, there are some concerns. From a business perspective, managers may be concerned about productivity. From a legal perspective, H.R. may be concerned about “inappropriate” sites. And, of course, from a security perspective, we would be concerned that sites could be the source of a compromise of user data.
At issue is the fact that, while most malware runs directly on the computer, web malware can run inside the browser. If it doesn’t run locally, and is sourced from a web site, it cannot be blocked with traditional anti-malware (though newer anti-malware is aware of this attack vector). If all the malware accesses is data, there isn’t a good way to distinguish valid data access from unintentional leaks.
So, how do you protect against this particular threat vector without completely banning employees from accessing the Internet? How do you manage to classify which websites are OK and which ones are not?
Security Lessons from Nature – Cacti
- At August 25, 2009
- By Josh More
- In Natural History
- 0
Recent research has shown that some species of cactus manage to grow on bare rocks with the help of bacteria. Basically, the bacteria breaks down the rock to give the roots crevices into which to grow as well as provide nutrients to the cactus. In turn, the cactus likely shelters the bacteria and allows it to grow and spread.
There are two items of interest in the article. First, there is the basic observation that, though neither plants nor bacteria are capable of living exposed on bare rock (well, mostly), through combining forces, they manage to live in an inhospitable environment. Since the environment is also inhospitable to many competitors, they can expend more energy towards growth and less towards defense. Second is the realization that the cacti have managed to shelter the bacteria within their seeds. This way, not only do the cacti themselves manage to thrive but their children get the same benefit.
From a security perspective, it’s important to remember that the ultimate goal of security is to maximize protection while minimizing resource expenditure. Commonly, this is done by erecting barriers and monitoring them to make sure that only the right people can get through. However, alternate methods do exist. Taking a lesson from the cacti, one would look for business niches that are difficult for other businesses to thrive within. Then, one would seek out business partnerships to make it easier.
Such a path would not be for everyone, and after all, life as a cactus may be a tad… prickly. However, if you are starting a new business, this sort of partnership may allow you to protect your business simply by making it more difficult for competitors to gain a foothold, and allow you to focus more directly on growth.
Mythic Monday – Brünnhilde Sleeps
- At August 24, 2009
- By Josh More
- In Mythology
- 0
In Wagner’s Ring Cycle, Brünnhilde is cursed by Odin for fighting on the wrong side of a battle. She is put into a coma and hidden behind a wall of impenetrable fire until rescued by a brave hero. (For those that want more detail, but don’t want to spend 15 hours listening to an opera, look here.) As is always the case in myths and legends, the hero shortly arrives, gets through the fire alright and rescues the “damsel” (who was truly a Valkyrie).
Now, the Ring Cycle is amazingly complex and even this tiny little bit lends itself to a great many security-focused interpretations (firewalls, penetration testing, identity theft), but today I want to look into encryption and steganography.
Essentially, when Brünnhilde upset Odin, he hid her inside a mortal woman (steganography) and isolated her from access to all but one person (the encryption key). Just as in business, there are risks inherent to Odin’s plan. If the encryption is too weak, Brünnhilde might be rescued by someone other than Siegfried, her intended. On the other hand, if it is too strong, or Siegfried happens to fall upon some trouble prior to the rescue, she might never be freed.
Luckily for aficionados of myth and fifteen hour long operas, literary convention protects us from a story involving Brünnhilde roasting behind a wall of flame for millennia or one in which she is rescued by Fred the Handyman. Alas for us though, literary convention does not protect businesses.
When a business protects its data with encryption, it takes the risk that the keys may be lost. If they are, it’s all up to the level of encryption used. If the encryption is too strong, the data is effectively lost (Brünnhilde sleeps forever). If, however, it’s too weak, the data may be recoverable by you (or your competitor, Handy Fred).
Similarly, Odin’s plan of hiding his Valkyrie within the form of a mortal woman is quite clever. However, it’s only useful so long as it is rare. If every mortal woman (or even a reasonably large percentage of them) were truly an otherworldly warrior woman, someone who wished to engage in the practice of uncovering the Valkyrie within (never wise) would simply need to get a decent sample of mortals and start decryption activities. In business, this would be like an attacker checking every file on a website for evidence of steganography. Once found, they would know which ones to check out for hidden data.
There are two main lessons to learn from this myth. First of all, if you encrypt something, be sure to have a key. If you think that there is a reasonable risk that your key may be lost (Siegfried did have a troubling habit of battling dragons and otters), it may make sense to make backup copies. Though having a stash of emergency backup heroes would make for a pretty poor myth, it is essential in the business world.
Quite to the opposite, while steganography works well in myth, it’s less effective in the business world. If you hide your vital data (or Valkyries) in other files (or mortals), it’s only useful so long as you remember where it’s hidden. If you want to share the vital data, you have to let others know where it’s hidden… and a shared secret is only good so long as both parties keep it and no third parties listen in. After all, if you have a secure channel through which to share the existence of the steganographic file, you might as well just share the data. Heck, even in the myth, the fact that we know that Odin hid Brünnhilde within a mortal means that the secret wasn’t kept.
That’s not to say that steganography is useless, but it is quite limited within a traditional business environment. Better, perhaps, to focus on the encryption side and make sure that the data cannot be read even if found. Then you don’t have to worry about supporting back channels and can devote all your resources to protecting known data rather than trying to hide it. (On the defense side, being aware of steganography as a back channel is very useful, but protecting against it and using it operationally are very different things.)
So, in the end, it would be wise to use encryption where you can, not be distracted by steganography, and avoid Norse sagas as they never really work out well for anyone involved.
Site Review – LinkedIn
- At August 21, 2009
- By Josh More
- In Business Security
- 3
Who doesn’t know about LinkedIn by now? This business-focused social networking site has been around seemingly forever (2003 is forever ago, right?). There are even blogs dedicated to helping you maximize your use of LinkedIn. Really, what more can I add?
You probably already know the basics. If you have an account on LinkedIn, you can add all the business associates you know to your account. This gives you a sort of online Rolodex that you can access from anywhere. Digging deeper, you can use groups to find the contact info for people you know, but perhaps not well. You can ask and answer questions and try to use the network to find contacts deeper within an organization.
It’s very useful for sales people and job hunters… and since everyone will likely be one or the other at some point in their career, most people are on it.
However, like all systems, there is a dark side. Many security practitioners constantly caution about putting personal information online. This information can be used in social engineering attacks against a business or to engage in identity theft. If someone manages to get your LinkedIn credentials, they also get access to all of your contacts. For a sales person, this can result in loss of competitive advantage. Moreover, if someone untrustworthy manages to link into your network, they can see everyone you know. This information can be used to target existing clients or uncover information about the structure of your and related companies. On the other hand, this same design allows legitimate people in your network to leverage your extremely valuable connections, which can strengthen your relationships to all parties involved.
This is a fairly typical risk management problem. If you put data into the system, you run the risk of its being misused. But if you do not, your competitors can leverage their networks better than you. What can you do?
The solution that most people take is to simply ignore the risk. They assume that everyone is who they claim to be and will link willy-nilly to all and sundry. Some of them even claim to be LIONs (LinkedIn Open Networkers) and will link to anyone who expresses an interest, often attempting to link to complete strangers. (In the physical world, we use a different word to describe this behavior, but that veers from the topic at hand.)
Another solution is to ignore the site altogether. If your data isn’t online it can’t be compromised. Many in the security community approach it this way. It is the most secure solution, but you also lose all the benefits.
Of course, there is a middle ground. By using out-of-band techniques, you can have a reasonable assurance of a person’s identity. For example, if you receive a LinkedIn invitation, you should first check out their profile and make sure that it matches what you expect. Then, you should send them an email or give them a call outside of the LinkedIn system and make sure that they intended to send you the request. If they say “yes”, then you know that they are legitimate and you can add them to your network if you know them to be trustworthy. This doesn’t address all of the risks, but it does hit the major ones while still allowing you to use the system to your advantage.
Small Business Defense – Anti-spam
- At August 20, 2009
- By Josh More
- In Business Security
- 0
There are many anti-spam solutions in the market. They tend to fall into a handful of types. However, all of them must do the same thing: somehow determine which emails are legitimate and which ones are not. There are many ways to do this, and most of them use differing combinations of the same techniques. Thus, the main distinguishing characteristic is where the antispam solution fits into the network.
Client Software
A common solution is to use software that plugs into the email clients. This gives the user direct control over spam handling at the cost of requiring the spam to completely traverse the system and end up on the final computer. Thus, the risk exists that any malicious software may exploit the client and then run directly on the target. Additionally, the server must handle the additional load of processing spam and the administrator has no direct control of the anti-spam system.
This solution is generally not a good fit for businesses, though it can be quite effective for home-based users or businesses small enough so as to lack an I.T. department or contracted service.
Server Software
A traditional solution is to purchase anti-spam software for the server. This gives the email administrator direct control over the way that the anti-spam system operates. The users typically see an email folder that contains “known safe” spam messages. Thus, the users are protected against problematic emails but still able to inspect the acceptable ones if they choose to do so.
This is the standard solution for businesses, and works fairly well, though it does result in emails still traversing the system and adding load to the mailserver. As spam traffic increases, the resources of the server must be scaled up. Since there is no control of the spam until it reaches the server, the business still risks denial of service by choosing this solution.
Appliances
One way to solve the problem of the limitless scaling of server resources is to shift spam protection to an appliance. In this solution, a dedicated device is placed between the Internet and the mail server which serves only to filter spam. It is more complicated for the email administrator to manage, but it does keep everything within the control of the business.
Some of the larger businesses use this method. It still requires email to enter the network, but it does protect the core systems against exploitation and limits the amount of email that the end users must sort through.
Cloud Solutions
Though “cloud” solutions are getting a lot of market buzz these days, some have been around for a long time. In the anti-spam world, in particular, a cloud solution is often a good one. With this solution, spam need not ever enter the business network. The business is protected against malicious software and denial of service attacks. The users don’t have to deal with spam at all.
However, nothing is perfect. The main drawback to the cloud solution is that it inevitably delays email delivery. In short, you are adding an additional layer of processing and network transport, so every single email is going to be slower. While email administrators often state that “email is not instantaneous”, the delays are often noticeable with this sort of solution.
Conclusion
As always, a balance must be struck. You can emphasize usability — giving control to your users and risking both direct exploitation and the consumption of internal resources. You can emphasize security — making email administration more difficult and delaying email delivery. You can pick a solution anywhere along this spectrum, but no solution will ever be perfect.
What you can’t do, however, is nothing.
Small Business Attack – Spam
- At August 19, 2009
- By Josh More
- In Business Security
- 0
We’ve been battling spam for many years now. We all know that the problem exists, and that it can be annoying… but sometimes it seems like the constant complaining of email administrators is even more annoying. Is spam really such a big problem?
Let’s look at it for a minute… The influx of email can slow the mail servers. Manually sorting legitimate email from spam can reduce employee productivity. In some environments, the adult nature of spam can cause HR issues.
So sure, spam can be annoying, but is it really a serious problem?
Though I try to keep this blog from getting overly technical (after all, there are technical security blogs far better than mine), I am afraid that I have to dig a bit into the labyrinthine mess that is SMTP. The Simple Mail Transfer Protocol dates back to 1971 and is the method still used to transfer email today. (Though it has been extended and tweaked many many (many) times.) These days, it is far from simple but it is still deeply flawed.
At its heart are three problems:
First of all, the protocol is plain text. This means that anyone who can read the network traffic as it flows from the sender to the receiver can read the message. This allows attackers to read or alter messages as they go by, thereby preventing the receiver from knowing for certain that the messages are private or even reliable.
Secondly, the protocol works on the honor system. Just as anyone can drop a letter into a mailbox and put on whatever return address they wish, anyone may send an email and forge any From address they want.
There are numerous technical measures that can be put in place to limit these two problems. However, none of them work perfectly and each of them makes the maintenance of the system increasingly complex. If too many of them are implemented, you run an increasingly greater risk of email being greatly delayed or simply not getting through at all.
Then, we have the final problem. Though it doesn’t relate directly to SMTP, the fact is that email is not human readable (by most humans, anyway), so recipients have to use email clients. As always occurs, a handful of email clients have become the most popular and are analyzed by attackers for problems. Then, email messages can be forged and sent containing malicious code that will exploit a flaw in the email client.
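The second problem above, the forgeable From address, is the one a receiving mail system can at least notice on its own. The following is an added example, not code from the original post: a small check that reads a logged SMTP session, pulls out the envelope sender (MAIL FROM) and the From: header inside the message, and flags the message when the two domains disagree. The transcripts and the example.com/example.net addresses are constructed sample data.

```python
"""Flag SMTP messages whose envelope sender and From: header disagree.

SMTP never verifies either address: the sending host supplies both the
"MAIL FROM" envelope address and the "From:" header, and nothing in the
protocol ties them to each other or to the real origin. A receiving
system can still compare the two; a mismatch is one of the signals that
spam filters weigh when scoring a message.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample transcript, written the way a receiving mail server
# might log a session. "C:" lines come from the sending client, "S:"
# lines from the receiving server. The From: header claims to be local
# payroll, but the envelope sender is on an unrelated domain.
SUSPICIOUS_SESSION = """\
S: 220 mail.example.com ESMTP
C: HELO relay.example.net
S: 250 mail.example.com
C: MAIL FROM:<bulk@example.net>
S: 250 OK
C: RCPT TO:<accounts@example.com>
S: 250 OK
C: DATA
S: 354 End data with <CR><LF>.<CR><LF>
C: From: "Payroll" <payroll@example.com>
C: To: accounts@example.com
C: Subject: Wire transfer confirmation
C:
C: Please review the attached transfer.
C: .
S: 250 OK queued
C: QUIT
S: 221 Bye
"""

# Constructed sample where envelope and header agree.
ALIGNED_SESSION = SUSPICIOUS_SESSION.replace(
    "MAIL FROM:<bulk@example.net>", "MAIL FROM:<payroll@example.com>")


def parse_session(transcript):
    """Return (envelope_sender, message_text) from a logged SMTP session."""
    envelope = None
    message_lines = []
    in_data = False
    for raw in transcript.splitlines():
        if not raw.startswith("C:"):
            continue                        # only client lines carry the message
        line = raw[3:] if raw.startswith("C: ") else raw[2:]
        if in_data:
            if line == ".":                 # lone dot ends the DATA phase
                in_data = False
            else:
                message_lines.append(line)
            continue
        match = re.match(r"MAIL FROM:\s*<([^>]*)>", line, re.IGNORECASE)
        if match:
            envelope = match.group(1).lower()
        elif line.strip().upper() == "DATA":
            in_data = True
    return envelope, "\n".join(message_lines) + "\n"


def sender_domain(address):
    """Domain part of an address, lower-cased; empty if there is none."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def check_sender_alignment(transcript):
    """Compare envelope sender and From: header; return a small report."""
    envelope, text = parse_session(transcript)
    msg = message_from_string(text)
    _, header_from = parseaddr(msg.get("From", ""))
    header_from = header_from.lower()
    env_dom = sender_domain(envelope or "")
    hdr_dom = sender_domain(header_from)
    aligned = bool(env_dom) and env_dom == hdr_dom
    return {
        "envelope_from": envelope,
        "header_from": header_from,
        "aligned": aligned,
        "note": "ok" if aligned else
                "From: header claims %s but envelope sender is %s" % (hdr_dom, env_dom),
    }


if __name__ == "__main__":
    for name, session in (("suspicious", SUSPICIOUS_SESSION),
                          ("aligned", ALIGNED_SESSION)):
        print(name, check_sender_alignment(session))
```

A mismatch on its own is not proof of forgery (mailing lists and forwarders legitimately produce one), which is why real filters combine this check with others rather than rejecting on it alone.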
So what does all this mean?
Basically, in addition to spam being annoying and the extensions we’ve built around it making the actual system work poorly, we have a situation where attackers can target specific people and run their own software directly on the targeted workstation.
So how do we protect against it?
Security Lessons from Nature – Anachoresis
- At August 18, 2009
- By Josh More
- In Natural History
- 0
Anachoresis. The word can mean many things referring to hermitages, animals or bacteria. Now, as interesting as the medical definition is, I am more interested in the zoological context today. When the word is used in reference to little critters, it describes the habit of hiding in crevices to avoid predators. If you’re a mouse, such a strategy works great. You just scurry about eating seeds all day and when it’s time to sleep, you find a nice little hole and hide from all the cats that hunt at night.
The strategy, of course, is less effective when implemented by elephants.
As with most security strategies, this one works better for some animals than for others. The same applies to businesses. The equivalent strategy in the small business space is to try to “fly under the radar”. Much like mice hiding in holes, this strategy is only effective so long as there are other mice around for the predators to pursue. As soon as the easy prey is eaten, predators start learning other techniques to get at the more difficult prey. Lizards may lose their legs and evolve into snakes. Mammals became more slender and supple and grew into weasels.
True, in the business space, an attacker would be much happier to take control of a multi-million dollar business than a sole proprietorship. However, if all the big attackers are pursuing the bigger prey, the smaller attackers are free to go after all the little businesses hiding out in holes… and they’ve been busy.
Just like snakes and weasels, worm-based malware will crawl around the Internet looking for the little cracks and crevices in the security around small businesses. Like shrews, automated malware spreads and looks for juicy targets, which, when found, can be targeted by all. Similarly, like biological viruses, digital viruses can infect a small business and just wait for the right conditions to execute a payload.
The point of this isn’t to scare you. Realistically, small businesses don’t face the same threats that large enterprises do. However, that doesn’t mean that they don’t face any. It’s one thing to use that justification to avoid spending large amounts of money on expensive protection that you may not need, but it’s quite another to think that you are safe just because there are fewer threats. No matter how good it is at hiding, a mouse is not safe from a snake. Just as a mouse uses more than one security technique, businesses of all sizes should consider how much of a target they are, who wants to attack them, and take appropriate action.
Hiding in the sand will only take you so far.
Mythic Monday – Superhero Teams
- At August 01, 2009
- By Josh More
- In Mythology
- 0
Some may call them movies for kids that never grew up, others may call them mythic legends of our time. Whatever your stance, you might have noticed that superhero movies have been quite popular in recent years. The most recent resurgence started with your basic theme of “ordinary person becomes a super hero at about the same time that an ordinary person becomes a super villain” (Spider-Man and Batman Begins). More recently, it has morphed into “superheroes teaming up to fight against teams of super villains” (Spiderman 3 and X-Men: The Last Stand).
While the literary quality of such films is debatable, the big security lesson here is that when you’re being attacked on many fronts, it helps to team up. At present, there are threats from all fronts. Uncountable authors release numerous malicious software packages every day. The malware adjusts its own code to avoid detection and spread. Moreover, the majority of companies are often under direct attack by foreign nationals and direct competitors. All of these attacks are growing more subtle, so the challenge is not just in foiling the attackers but also in detecting them. In order to stand a chance, we have to team up too.
So how does this work in practice?
One way is to do what you’re doing now, spend a bit of time each day reading security news from various sources. These can be blogs, podcasts or news sites. Another way is to join groups, whether they are local or online. Local groups tend to meet once a month. The online groups, in contrast, usually do not have a specific meeting time but are very issue-focused. One member may post a question and others will step forward and help to answer it. Some groups are a combination of the above.
Just as being a member of a superhero team isn’t a weekend job, there has to be an ongoing commitment to be successful in a security group. In many cases, it doesn’t really matter which particular group you join so long as you are committed to it. While different groups have their own respective foci, any of them will be better than nothing.
The following are groups that I personally use in my day-to-day work:
- ISSA Des Moines – A business-focused group focusing on education of the members.
- Iowa Infragard – An information-sharing effort between the FBI and businesses. Local chapters exist in other areas.
- SANS Advisory Board – Online group that assists its members with existing issues and helps guide the SANS certifications.
- Central Iowa Area Linux Users Group – Iowa-based group focusing on Linux and Open Source technologies. Other LUGs exist in other regions.
- Agile Iowa – Iowa-based business-focused group to discuss Agile development practices. It’s always good to get other points of view regarding what you are actually protecting.
There are, of course, others that I visit on the occasional basis, such as the Des Moines Web Geeks, and the Central Iowa Bloggers and The Virtualization User Group, but I realize that I have a limited amount of time, and it’s better to focus where I can be most effective. Over time, I may have to narrow my commitments even further.
We may not have a security-focused Justice League or Avengers team, but we also don’t have many lone-wolf security superheroes. So those of us that work in this field have to work together. I hope to see you there.