Yes, you read the headline correctly.
Several years ago, I was working as a web developer and security admin for a small development house. We were located at one end of a nondescript building in the middle of a tiny little town. One day I’m working and suddenly everything goes dark.
And by “everything”, I mean everything. My office was the same as the server room, it was lit by a single overhead fluorescent and the glow of a few monitors and lots of little blinky lights. When the backhoe doing sewer work hit the main line, everything went dark and I was suddenly sitting in a tiny little pitch black room rapidly rediscovering my latent claustrophobia.
Luckily for me, I had a cell phone that could double as a flashlight in such a situation. I found my way to the door and met the rest of my coworkers to find out that the entire building was without power, Internet and phone. Business was at a complete standstill.
We were dead on the Internet. No one could reach us. And all of our clients were running that day’s production.
What could we do?
As mentioned yesterday, mobile devices are a pretty big threat. In fact, it’s so obvious to those of us in security, that we often wonder why we don’t see many attacks along this vector. Of course, that all changed this past weekend. Now that we’ve had one that got media attention, there will be more… and they’ll be trickier.
So how do you defend against them?
The easiest way is to forbid such devices from accessing your network. This can be done by limiting access on the perimeter to various services. However, this won’t do anything if someone either:
- Brings their device to their workstation and does a manual sync.
- Has proprietary data on the phone that can be accessed by an attacker.
So it’s a bit more complex than that. Some people solve the problem by giving all employees a standard mobile device. IT is then responsible for maintaining the device and making sure that it’s secure. This model is pretty much the same as workstations. It balances the business’s control against the employee’s desire to be accessible.
Others say that the mobile device is the employee’s responsibility and invest in technologies that allow greater auditing capabilities. This way it doesn’t matter what attack vector is used, the data itself is protected. It allows maximal flexibility for the employee, but does require that the audit technology be reasonably layered so that a failure in one spot doesn’t expose everything.
The real risk is when a business does neither. If mobile devices are allowed access, but not controlled or protected, and there is no internal audit process, an attacker can waltz right in and take what they want, all while some employee somewhere is distracted playing their iPhone Ocarina.
Despite all the humorous commercials to which I am now receiving links, you may have in your possession an iPhone. You may have even gone through the lengthy process of installing unofficial software on it. So there you are, all happy with your fancy toy and feeling smart about yourself. Then, one day, you turn it on and instead of getting your normal pretty backdrop of a baby hedgehog you get a photograph of Rick Astley… which isn’t quite the same thing, really.
It sounds far-fetched, but that’s exactly what happened to a large number of iPhone users over the weekend. A worm was launched that specifically targeted iPhones and spread over the web in just a few hours. Now, in this case, the author was just trying to make a point, and the media is generally taking a light view of things… after all, Rick Astley is funny, right?
Let’s take a different view of the situation.
Suppose that, one day, you turn on your iPhone and instead of getting your normal pretty backdrop of a baby hedgehog you get a photograph of Rick Astley. You shrug, go on with life and check your email. While you check your email, you notice that things are a bit slow, but hey, it all works. You put your iPhone back in your pocket and head over to work. When you get to work, you see an upset security officer standing in your office, who informs you that someone hacked into your iPhone, copied all your email when you checked it, accessed your VPN password, used the VPN password to get into your network and download all your files, including the one containing access to your company’s bank account and transferred all of the money overseas.
That’s a bit more than an amusing little attack, isn’t it? However, to be fair, it is a little bit unrealistic. Let’s take a more realistic view:
The exact same things happened, but the security officer wasn’t waiting in your office for you. In fact, the security group didn’t even know what was going on until the accounting group called and let them know… which happened after they found the problem and were able to determine that it wasn’t an accounting error… which was in excess of the normal 48 hour window and now the money is gone, the business is going under and it’s your fault because your iPhone got hacked.
The risk here is that iPhones, Blackberries, Palms, Droids and the like aren’t phones. They’re little portable computers that work just like phones. More than that, they’re little portable computers that are always attached to the Internet, have no firewall, don’t run antimalware and are often connected directly to your network.
The fact that the first big worm just changed the background proves that we’re really lucky and should view this as a wakeup call.
Are you awake yet?
This blog entry collects the information from my recent presentation on Malware.
Overview
Let me start by making it clear that the world has recently changed. I’m not talking about Thomas L. Friedman, water on Mars or the 350 new species found in the Eastern Himalayas. No, I’m talking about malware.
Time was when malicious software was written by kids in the comfort of their own home. They were more interested in exploring computing technology and claiming bragging rights than in actually doing something with the systems they took over. If problems occurred, they were mostly accidental. Today it’s different. Today malicious software is written by criminals for the purpose of making money. In yesterday’s world, you could get a computer virus and then launch a cleanup tool. Then, as it removed the infection, you were free to sit and ponder the lovely flying cars that we’d have in the future. Today, you could get a computer virus and never notice, then when you check your bank balance online, all your money could be transferred overseas while you ponder the fact we still don’t have our flying cars.
A lot has been written about different classifications of malware, and the differences between worms, viruses, trojans and the like. I see no need to repeat what’s been done before. Instead, I’d like to look at how malware can get on your system, what it can do once it’s there and what you can do about it.
Vectors
One way to get malware into the world is to just toss it onto the Web. There tend to be three ways this is done. The easiest is for them to just put up their own website. However, if they do this, they have the same problem you might in driving traffic there. Sure, they can do all the basic advertising and search engine optimization (SEO) techniques to drive folks there, but in the end, people just won’t go to a boring website. Instead, it helps to have a hook.
Though one would think that all it would take is making a fancy website about the new flying cars out there, the more common hook that we’re seeing today is to play on people’s fears. In this case, fears of malware. Yes, we are seeing sites out there designed to resemble anti-malware sites… that exist to spread malware. They’ll even try to leverage current events fears, so if a legitimate company has an issue with one of their products, you’ll probably start seeing ads appear stating things like “Problem with [Company]? Try [Fake Antivirus]!”. You hit one of these sites, and it pops up a little dialog box that there may be a problem and asks whether you’d like to run a scan. When you click “Yes” (or “No”, they’re awfully helpful), it will pretend to run a scan, pretend to find problems and then offer you a lovely little cleanup utility. You download and run it, and promptly get infected. Then, just to pour salt in the wound, you’ll likely get a bill for removal services. Sophos reports that there are 15 new sites like this discovered daily.
A more difficult, but often more successful technique is to target a popular social networking site with a good reputation (not an unpopular one with a bad reputation). Social media sites are successful because regular users can post content. So, once there, they post content and try to get people to download it. If you go to a website and see a friend’s posting something about this cool video about flying cars, you can get infected, and your account starts posting the flying car malware too. That’s when your friends get into the mix. Since the content is being posted as you, it’s viewed as “safe”, so they download it and then they also get infected. In May, there was a quite successful attack of this type that was linked to a viral (in more ways than one) video of somewhat questionable taste.
The most difficult way, but often the most rewarding attack is to take over an already popular website. Most of the big sites on the Internet are pretty well protected these days, but if they manage to get control of one, they can load it up with malware. In fact, recent analysis has shown that some websites carry around 18.000 pieces of malware. These attacks go on all the time. Sometimes they are general, as in earlier this year when there was an Internet-wide attack that aimed to find flaws in backend databases. Sometimes, though, sites are specially targeted, as in April when Paul McCartney’s website was hacked and all his visitors were infected with malware that stole their online banking usernames and passwords. Thus, the more interesting you are, the more of a target you will be. (Boring people should be safer.)
Of course, there are more than just web vectors. The second most popular attack is via email. It’s important to remember that email is fundamentally flawed. It was intended to serve email just within a local campus and was neither sufficiently scalable nor secure to be used in the way it is today. One fundamental problem is that anyone can send any email to anyone from anywhere. While there are a few technologies in place that limit this, the vast majority of attacks use this flaw.
So what does that mean? Basically, if an attacker can uncover a trusted relationship between you and someone else, all they have to do is send you an email as if it were from that person. You receive the email from good old Uncle Johnny and without puzzling over the fact that he was killed in that tragic flying falling car accident, you open it and suddenly get infected. Of course, not everyone has a (poor old) Uncle Johnny, so the attackers will use whatever they can to get you to open the email. Oftentimes, this involves riding a popularity wave. Anytime we see news about a natural disaster or a celebrity death, there will be malware-laden spam in its wake — earthquakes producing tidal waves of infections.
Remember, organizations like the FBI and IRS send letters, not emails. If there’s a problem with a package delivery, your customer will call you, not UPS or DHL. If you get an email from someone you don’t expect, there’s a good chance that it also contains what you don’t expect.
Of course, the traditional attacks still work, so CDs, DVDs, BluRays, Floppies, media cards and USB are still legitimate vectors. In fact, some enterprising folks have managed to infect a keyboard. The basic principle here is to take over a system through any of the avenues into it. Thus, if you use a cell phone for email or connect an mp3 player up to your system, they can be suspicious too.
Lastly, there is the ever-popular “just break in” method. Every month, Microsoft releases patches. Every quarter, Adobe and Oracle do the same. In the open source world, patches come out hourly. Each one of these fixes a known issue. Some of them are remotely exploitable, meaning that if you don’t have them in place, an attacker can waltz right in and do what they wish. If you use a firewall but don’t keep up on patches, it’s like having a machine gun turret on your flying car, but ignoring the suspension problem. It’s going to catch up to you just like it did to Uncle Johnny.
Impact
So, once it infects you, what does this malware actually do? Well, short form: anything it wants. By the time the malware is running, it’s too late. It can grab your passwords as you use them, it can search your disk for sensitive data and copy it offsite, it can wait for you to login to your banking system and start transferring all of your money overseas while simultaneously interfering with your web browser so that everything looks normal. (There’s a lot of this latter going on right now.)
More, it can just sit there and wait for orders. Often, infected machines will gang together and form a “botnet” that is centrally controlled by a small group of attackers. The attackers can use these systems to send spam, steal user names, passwords, account numbers, credit card numbers, and so on. They can also rent these “services” to others if the price is right.
Analysis
What can you be doing about all this?
In addition to basic server and network hardening (firewall, disable unneeded applications, layers of defense, etc), you should deploy a complete endpoint security solution. Unlike previous versions of anti-malware that just matched signatures, a complete endpoint solution contains multiple features. You need to consider:
Anti-virus
Even though the old style of signature matching is considered passe, all those old attacks are still out there. You have to protect against them somehow and this isn’t a bad way.
Behavior-based Profiling
In addition to signatures, anti-malware systems can also look at what applications are actually doing. This used to be called “heuristics”, but these days tends to be something like “suspicious behaviour detection” or “pre-execution analysis”. The way it works is to load a small environment around each application and detect what it’s going to do before it does it. If it’s something bad, it stops it. Please note that it is very important that this functions as “pre-execution” and not “during execution”. If it runs at the same time that the application does, there is a chance that the malicious behavior will run before the anti-malware system can stop it.
Firewall
This is a different sort of firewall than your Cisco ASA or Astaro (or the kind on a car, flying or otherwise). This is a host-level firewall that protects the server/workstation itself. The problem here isn’t to duplicate what the network firewall does, it’s to protect a layer where the network firewall cannot. If an attacker manages to get in to one of your workstations, in a normal network, they can then attack all the other workstations on that network. A local firewall protects against attacks pivoting within the same zone to take over more and more of your network.
Traditionally, host-based firewalls have been difficult to manage, but modern endpoint protection systems have central management consoles that make this easier.
Application Control
The idea behind application control is simply that a central authority can determine which applications may or may not be run on a system. In the ideal world, of course, all users would have minimal privilege levels and not be allowed to run non-approved software. However, since many Windows applications require administrative privileges, you need another layer. Application control is this layer.
Web Browser Helper Objects
Some malware these days never touches the disk. When you hit a compromised site in your browser, it loads the malware into memory. Once there, it can look at browser traffic, analyze what you’re doing and take over sessions. Since it never hits the disk, it’s not detectable by traditional scanning technologies. Anti-malware solutions that have a Helper Object feature can protect your browser from this sort of malware. It basically wraps the browser and analyzes the pages you visit, providing a layer of protection.
Zero Day Protection
There is necessarily a delay between the discovery of a vulnerability and the availability of a patch. If malware is released during this delay, it’s called a Zero Day Exploit. A system that offers good Zero Day protection combines heuristics with a knowledge of system vulnerability types to catch problems before they take over a system. While it is impossible to ever achieve 100% protection against Zero Day Exploits, the good anti-malware suites are tested against these. You just have to pick one that does well in the independent tests.
Optional: Encryption
Some systems are including the ability to manage local encryption. This can protect important data against casual spying and theft. It’s worth noting that if the malware can manage to run at all, it can just wait until you decrypt the data to view it. However, it does add another layer and if you typically deal with sensitive data, it is worth considering.
Optional: Network Access Control
Network Access Control (NAC) allows your anti-malware system to communicate with your network infrastructure. In the old model, all a machine has to do to connect to the network is be plugged in. With NAC, you layer additional checks such as patch status and whether anti-malware services are running. This would be like a built-in breathalyzer in a flying car. (Can you imagine the drunk driving problem we’d have there?) It’s not been widely accepted yet, but it is growing. In the near future, it will likely be standard, so it would be wise to at least select a vendor that has experience in this field.
Optional: Data Loss Prevention
This technology is aware of the type of data that you work with and will examine it when it is accessed. If there is a rule against allowing that data to leave the network, the DLP system will block access to it. It is worth noting that this technology is still quite new and new technologies generally have a few bumps on the way to adoption. If the anti-malware system includes it, great… but it’s probably not essential quite yet.
Optional: Reporting
Some industries are unregulated and can just get by doing the best business they can. Most anti-malware systems these days have decent consoles that can be used to get a snapshot of activity. This is generally sufficient for most day-to-day operations. But, within a regulated or audited business, it can be important to show trends of activity over time. For this, you need a more robust reporting capability. Sadly, most systems do not include this in the basic package. However, if you have this need, be sure to ask about additional packages. It may be available.
Optional: Lightweight, Frequent Updates
I’ll admit that I’m biased. I like the systems that give me constant updates. If I had a flying car, I’d want to always know about potential problems so I could correct for them. I wouldn’t like it when those updates are big and bring my systems (or my car) down. However, it’s not a requirement per se. If your business doesn’t access the Internet often, slower and bigger updates may work just fine for you. On the other hand, if you have a distributed environment with branch offices or remote workers, consider the impact of pushing out updates.
Time Tested
There are some interesting new approaches in the world of anti-malware. While these are always worth considering, you should also be aware that this is a lot more complex than people think. Even the big vendors have had some pretty embarrassing problems as they grew their business. By all means, check out the newer players, but keep in mind that rocky starts are common in both business and software development. Do you want these rocky starts in your security software?
Also, if you want to check out the newer players, keep in mind that attackers are creating fake anti-malware sites and filling up the search engine listings with links to them. At the very least, pull the list and links from reviews in reputable journals. The last thing you need is to think you’re evaluating anti-malware when in fact you are installing malware itself.
Company Operations
Some anti-malware companies try to reduce their pricing by reducing service levels. From a business perspective, I understand this. It allows you to pick the level of service you want and pay accordingly. However, with security software and service, there is a huge value in responsiveness and operating hours. If there is a new outbreak on the Internet, you want to know that the company is addressing it. If you have a new outbreak, you want to be able to pick up the phone and get help… not an invitation to purchase the new “Uranium Level Tech Support”. (In general I feel that metallurgy belongs in my flying car, not in my technical support.)
Home and Mobile Use
These days, the idea of having a “secure” network is gone. If you allow users to connect to the network from their home or with their various smart phones, there are far too many ways in to the network to keep it secure at the perimeter. This means that the concept of “endpoint” extends out to computers that you don’t own. Luckily, some anti-malware vendors provide “bonus” licenses to cover home PCs and mobile devices. This way you can make sure that all the systems have a level of protection, even if they’re not exactly yours. If you’re advanced enough to be running NAC (above), you can even enforce connection requirements.
Multiplatform and Legacy Issues
If you are completely on the ball, and are only running the absolute latest and greatest operating systems and vehicles, congratulations! Most of us aren’t there (and are still driving pathetic land-bound conveyances). If you have a handful of older systems or systems running different operating systems, you may have a challenge with anti-malware. Many systems still require a separate console for each OS and some of them don’t even support the older systems. Keep this in mind during your evaluations.
Conclusion
In the end, if you have money, you are a target. While running anti-malware isn’t a perfect solution, it is certainly part of a measured response to the problem. As malware gets increasingly nasty, you have to step up your defenses. I am assuming that you already have a firewall in place and have your servers reasonably configured. The next step would be endpoint protection. Sure, there are many many steps after this, but just having these three layers will get you in a position where there are many easier targets than you… which buys you the time to get proactive about things.
This essay was originally published by Alliance Technologies
The best defense you have against an accidental data leak is to keep a clear data classification policy and invest in technology that prevents data tagged “private” (or “non public”) from being released. However, that’s not practical for many businesses.
As an alternative, you can flip it around and run attacks against your own servers. You can do file-level scans and make sure that the only files made public are the ones that are supposed to be. Note though, that an attacker could always find your scanning software and use that to explore the system (as I did).
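One way to run the file-level scan described above, as an added example that is not part of the original post: it walks a web root and compares what is actually there with a manifest of files approved for publication. The manifest format, the finding names and the list of risky suffixes are assumptions made for illustration.

```python
import os
import tempfile
from pathlib import Path

# Assumption: suffixes that usually mean a leftover, not published content.
RISKY_SUFFIXES = {".bak", ".old", ".sql", ".swp", ".zip", ".tar", ".gz", ".log"}
# Version-control metadata directories that should never be served.
VCS_DIRS = {".git", ".svn", ".hg"}


def _escapes(root, path):
    """True if path is a symlink whose target resolves outside root."""
    if not path.is_symlink():
        return False
    target = path.resolve()
    return target != root and root not in target.parents


def audit_webroot(root, approved):
    """Compare files under root with the approved public manifest.

    approved is an iterable of paths relative to the web root.
    Returns a sorted list of (finding, relative_path) tuples.
    """
    root = Path(root).resolve()
    approved = {p.strip().lstrip("/") for p in approved if p.strip()}
    seen, findings = set(), []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        here = Path(dirpath)
        for name in list(dirnames):
            full = here / name
            rel = full.relative_to(root).as_posix()
            if name in VCS_DIRS:
                findings.append(("vcs-metadata", rel))
                dirnames.remove(name)  # report once, do not descend
            elif _escapes(root, full):
                findings.append(("symlink-escapes-webroot", rel))
                dirnames.remove(name)
        for name in filenames:
            full = here / name
            rel = full.relative_to(root).as_posix()
            if _escapes(root, full):
                findings.append(("symlink-escapes-webroot", rel))
            elif rel in approved:
                seen.add(rel)
            elif full.suffix.lower() in RISKY_SUFFIXES:
                findings.append(("risky-leftover", rel))
            else:
                findings.append(("unlisted", rel))
    # Approved files that are gone may point at a stale manifest.
    findings.extend(("approved-but-missing", rel) for rel in approved - seen)
    return sorted(findings)


def demo():
    """Build a constructed web root in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        web, private = base / "www", base / "private"
        for d in (web / "css", web / "backup", web / ".git", private):
            d.mkdir(parents=True)
        for rel in ("index.html", "css/site.css", "backup/db.sql", ".git/config"):
            (web / rel).write_text("constructed sample\n")
        (private / "payroll.csv").write_text("constructed sample\n")
        # A convenience link that quietly publishes a private directory.
        (web / "reports").symlink_to(private, target_is_directory=True)
        manifest = ["index.html", "css/site.css", "contact.html"]
        return audit_webroot(web, manifest)


if __name__ == "__main__":
    for finding, rel in demo():
        print(f"{finding:26} {rel}")
```

The audit only reads the filesystem, so it can run from a scheduled job under an account that has no write access to the web root.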
Alternatively alternatively, you could run various Google scans against your systems. You could even schedule them to occur on a regular basis. Of course, the scans would only be as good as the person setting them up and it would be quite possible that something could slip through. Of course, regardless, you’re only catching things this way once Google knows about them… and then attackers might be able to get them too.
You could also just not have any public Web presence at all. If there’s no web site, there’s no chance of a data leakage… but it would also make it difficult to get new business. The same goes for not having any private data. Unless you’re working strictly with open source, odds are that you’re going to have some secret.
You know, a data classification program is starting to look more appealing.
One of the flaws on a legacy server at the Iowa State University Cyber Defense Competition resulted in granting me the ability to scan the entire web directory. Normally, you’d think “What’s the big deal”, right? After all, the whole point of having a web server is to share it with the world.
In the case of the competition, some very private data was stored on the site. Sure, it was protected, but since there was the flaw that let me scan the system, it was easy enough to circumvent security restrictions and download the files I wanted. After all, I knew exactly where to look.
In the industry, we call this a “data leak”. Typically, it’s when private data somehow wanders across a boundary to the public world and someone on the outside finds it. This used to be primarily done via email or disk, but increasingly it occurs through the Web. As we combine web-based technologies into both extranets and intranets, the chance increases that something from the internal intranet world will cross over into the external extranet world.
Of course, it should be simple, right? Just keep the private stuff private… well, sorta. It turns out, not all information falls cleanly into “public” and “private” categories. Increasingly, attackers target private data, but if they can’t get it, they can leverage sorta-private data against sorta-public data. By finding, for example, the names of your board members on a public website, their mother’s maiden names from a genealogy site, and their personal associations from a search engine, an attacker is in the perfect position to start taking over accounts and working towards that more private data… and that’s just with purely public information.
Imagine if they were able to get confidential or private data…
Let’s start with some basic assumptions:
- You must have a website to do business in today’s world.
- Your customers have to be able to post content, either on your website or on a shared third-party site that you have to use to communicate with them (Twitter, Facebook or LinkedIn).
- That communication method will be attacked.
So, you have two scenarios. Your own website or a third party website.
If it’s your own website, you have a bit more control. There are techniques that you can use to limit cross site scripting. The common advice is to use a whitelist of “good” characters, and filter out everything else. That’s not hard to do, actually. However, the problem has to be solved at every possible entrypoint, which if you don’t design it into the system can be very difficult.
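The whitelist approach above, designed in as a single choke point that every entry point has to call, as an added example that is not from the original post. The field names, allowed character sets and length limits are assumptions; output encoding is included as a second layer for anything the filter lets through.

```python
import html
import re
import unicodedata

# Assumption: illustrative fields. Each rule is (pattern matching every
# character that is NOT on the whitelist, maximum length).
FIELD_RULES = {
    "display_name": (re.compile(r"[^A-Za-z0-9 .,'-]"), 40),
    "comment": (re.compile(r"[^A-Za-z0-9 .,!?'()\n-]"), 500),
}


def filter_field(field, value):
    """Keep only whitelisted characters for one known field."""
    if field not in FIELD_RULES:
        raise KeyError(f"no whitelist defined for field {field!r}")
    disallowed, max_len = FIELD_RULES[field]
    # Fold compatibility forms (for example fullwidth brackets) to their
    # plain equivalents first, so the filter sees what a browser might.
    text = unicodedata.normalize("NFKC", value)
    return disallowed.sub("", text)[:max_len]


def accept_submission(form):
    """Single entry point for all user-posted content.

    Rejects fields that have no rule, so a new form field cannot reach
    storage until someone has written a whitelist for it.
    """
    unknown = sorted(set(form) - set(FIELD_RULES))
    if unknown:
        raise ValueError(f"unexpected fields: {unknown}")
    return {name: filter_field(name, value) for name, value in form.items()}


def render_comment(clean):
    """Encode on output as well; the filter is not the only layer."""
    return "<p><b>{}</b>: {}</p>".format(
        html.escape(clean["display_name"]),
        html.escape(clean["comment"]),
    )


if __name__ == "__main__":
    # Constructed sample submission.
    posted = {
        "display_name": "O'Neil ＜b＞",
        "comment": "Nice post <script>alert(1)</script>",
    }
    cleaned = accept_submission(posted)
    print(cleaned)
    print(render_comment(cleaned))
```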
However, if it’s on a third party website, your options are a trifle more limited. You don’t know what they allow or disallow. You don’t know what other users are going to post, or even who they may be. What you do know, though, is that there will be attacks. Do you trust them?
Odds are that the answer is “no”.
The good news is that there is a simple test that works on both your own website and the third party systems. Just log in and find what of your data you can see. If an attacker gets in, they will run attacks as you. If your local workstation is protected, you can probably assume that the attack will be limited to the context of the website itself. Thus, you can limit what an attacker can get to by simply controlling the data that you allow online.
So here are two good rules of thumb:
- If you don’t need to put pieces of data online, don’t.
- If the site requires information that you don’t want to give, either don’t use the site or make something up.
On September 23rd, LiveJournal was attacked. The attackers used Flash. When the Flash file was loaded, it ran within the context of the user who was logged in and made changes to recent posts. This allowed the attack to spread friend-to-friend. It also harvested email addresses.
Doesn’t sound like much, does it? After all, it’s basically a Flash virus that steals email addresses, right? What’s new there?
Well, let’s look at the one thing that makes LiveJournal a successful site. At its core, it allows users to post content and share links with one another. In order to block the attack, the admins had to effectively break the site until they tracked it down. The one thing that LiveJournal requires is the same thing that the attacker was able to use to get in. In fact, given what it does, there may not be a way to secure the system and still give users what they want.
OK, then, suppose you accept the fact that you’re going to be successfully attacked. How do you protect yourself?
It’s interesting to note that the attackers just wanted email addresses. Odds are that they could have gotten other things too. However, since many people publish their list of friends, it would be trivial to link those email addresses to other email addresses. Now, if you have a database of email addresses and the email addresses of people that are their friends, you have just what you need to run a phishing attack.
Do you allow your customers to post content on your website? Do you use any websites that allow you or your associates to post content? How are you protecting your data?
Note: since I wrote this post, but before it was posted, Reddit was similarly attacked.
Security Power Tools is one of those monstrous tomes that people buy and almost no one ever actually reads. It sits on the shelf and mocks you with the knowledge that it contains while simultaneously scaring you with the commitment it would take to actually read it. It’s 822 pages of dense techno babble.
It took me about three weeks to get through it.
In general, it contains the same information that is in SANS 504, but not quite as complete. It is, however, much cheaper than the course.
In the course, you get six days with a top-notch penetration tester and walk through all of the commonly-used tools in a standardized environment. You get lots of practice and interactive sessions with security practitioners of various levels. In my opinion, it is the best way to learn.
However, it’s not something that everyone can do, either for reasons of budget or time. Failing that, Security Power Tools is a good alternative. It digs into scanning, reconnaissance, penetration techniques and tools, backdoors, rootkits, firewalls, encryption, service tuning, monitoring, forensics, fuzzing and reverse engineering. It’s a fairly complete book.
It is important, though, to read the book correctly. If you want to learn, really learn, how these things work, you have to approach it as self study, not just a reference guide. Before you pick it up, look at your life and decide how much time each week you can devote to the process. Reserve that time in your schedule. As you read the book, consider each section independently and think about how you might use the tool in a real world scenario. Then, build such an environment (use virtualization if it helps). Read the section again and run the tool within the environment.
That way, you actually learn how things work instead of just having a surface-level understanding.
Microsoft recently released their Security Essentials product. This is a free anti-malware product, and analysts seem to think that it does a pretty good job at what it does.
However, I want to point out one thing that you probably already know: You get what you pay for.
Security Essentials is intended to be a lightweight anti-malware solution that competes against other free AV solutions. It does a decent job at protecting against the average threat and is certainly better than using nothing at all. However, it is a mistake to compare it to a professional anti-malware system. As SANS says, “Think of this as the AV as it used to be in 2000 or so.”
In short, if you are a home user and don’t care enough about your system to spend $50 a year to protect it, go ahead and use Security Essentials. However, if you are in a business environment, you need something that includes firewall, behavioral detection, network access control, data loss prevention and central management (and more). Security Essentials won’t cut it.
Lastly, if you do decide that you want to try it out, be sure you download the right thing. There are search engine optimization attempts going on to make malicious software (fake antivirus) appear on the search results instead of the link you really want. The right link is http://www.microsoft.com/security_essentials/.