Malware and Flying Cars

This blog entry collects the information from my recent presentation on Malware.

Overview

Let me start by making it clear that the world has recently changed. I’m not talking about Thomas L. Friedman, water on Mars or the 350 new species found in the Eastern Himalayas. No, I’m talking about malware.

Time was when malicious software was written by kids in the comfort of their own home. They were more interested in exploring computing technology and claiming bragging rights than in actually doing something with the systems they took over. If problems occurred, they were mostly accidental. Today it’s different. Today malicious software is written by criminals for the purpose of making money. In yesterday’s world, you could get a computer virus and then launch a cleanup tool. Then, as it removed the infection, you were free to sit and ponder the lovely flying cars that we’d have in the future. Today, you could get a computer virus and never notice, then when you check your bank balance online, all your money could be transferred overseas while you ponder the fact we still don’t have our flying cars.

A lot has been written about different classifications of malware, and the differences between worms, viruses, trojans and the like. I see no need to repeat what’s been done before. Instead, I’d like to look at how malware can get on your system, what it can do once it’s there and what you can do about it.

Vectors

One way to get malware into the world is to just toss it onto the Web. There tend to three ways this is done. The easiest is for them to just put up their own website. However, if they do this, they have the same problem you might in driving traffic there. Sure, they can do all the basic advertising and search engine optimization (SEO) techniques to drive folks there, but in the end, people just won’t go a boring website. Instead, it helps to have a hook.

Though one would think that all it would take is making a fancy website about the new flying cars out there, the more common hook that we’re seeing today is to play on people’s fears. In this case, fears of malware. Yes, we are seeing sites out there designed resemble anti-malware sites… that exist to spread malware. They’ll even try to leverage current events fears, so if a legitimate company has an issue with one of their products, you’ll probably start seeing ads appear stating things like “Problem with [Company]? Try [Fake Antivirus]!”. You hit one of these sites, and it pops up a little dialog box that there may be a problem and asks whether you’d like to run a scan. When you click “Yes” (or “No”, they’re awfully helpful), it will pretend to run a scan, pretend to find problems and then offer you a lovely little cleanup utility. You download and run it, and promptly get infected. Then, just to pour salt in the wound, you’ll likely get a bill for removal services. Sophos reports that there are 15 new sites like this discovered daily.

A more difficult, but often more successful technique is to target a popular social networking site with a good reputation (not an unpopular one with a bad reputation). Social media sites are successful because regular users can post content. So, once there, they post content and try to get people to download it. If you go to a website and see a friend’s posting something about this cool video about flying cars, you can get infected, and your account starts posting the flying car malware too. That’s when your friends get into the mix. Since the content is being posted as you, it’s viewed as “safe”, so they download it and then they also get infected. In May, there was a quite successful attack of this type that was linked to a viral (in more ways than one) video of somewhat questionable taste.

The most difficult way, but often the most rewarding attack is to take over an already popular website. Most of the big sites on the Internet are pretty well protected these days, but if they manage to get control of one, they can load it up with malware. In fact, recent analysis has shown that some website carry around 18.000 pieces of malware. These attacks go on all the time. Sometimes they are general, as in earlier this year when there was an Internet-wide attack that aimed to find flaws in backend databases. Sometimes, though, sites are specially targeted, as in April when Paul McCartney’s website was hacked and all his visitors were infected with malware that stole their online banking usernames and passwords. Thus, the more interesting you are, the more of a target you will be. (Boring people should be safer.)

Of course, there is more than just web vectors. The second most popular attack is via email. It’s important to remember that email is fundamentally flawed. It was intended to serve email just within a local campus and was neither sufficiently scalable nor secure to be used in the way it is today. One fundamental problem is that anyone can send any email to anyone from anywhere. While there are a few technologies in place that limit this, the vast majority of attacks use this flaw.

So what does that mean? Basically, if an attacker can uncover a trusted relationship between you and someone else, all they have to do is send you an email as if it were from that person. You receive the email from good old Uncle Johnny and without puzzling over the fact that he was killed in that tragic flying falling car accident, you open it and suddenly get infected. Of course, not everyone has a (poor old) Uncle Johnny, so the attackers will use whatever they can to get you to open the email. Often times, this involves riding a popularity wave. Anytime we see news about a natural disaster or a celebrity death, there will be malware-laden spam in it’s wake — earthquakes producing tidal waves of infections.

Remember, organizations like the FBI and IRS send letters, not emails. If there’s a problem with a package delivery, your customer will call you, not UPS or DHL. If you get an email from someone you don’t expect, there’s a good chance that it also contains what you don’t expect.

Of course, the traditional attacks still work, so CDs, DVDs, BluRays, Floppies, media cards and USB are still legitimate vectors. In fact, some enterprising folks have managed to infect a keyboard. The basic principle here is to take over a system through any of the avenues into it. Thus, if you use a cell phone for email or connect an mp3 player up to your system, they can be suspicious too.

Lastly, there is the ever-popular “just break in” method. Every month, Microsoft releases patches. Every quarter, Adobe and Oracle do the same. In the open source world, patches come out hourly. Each one of these fixes a known issue. Some of them are remotely exploitable, meaning that if you don’t have them in place, an attacker can waltz right in and do what they wish. If you use a firewall but don’t keep up on patches, it’s like having a machine gun turret on your flying car, but ignoring the suspension problem. It’s going to catch up to you just like it did to Uncle Johnny.

Impact

So, once it infects you, what does this malware actually do? Well, short form: anything it wants. By the time the malware is running, it’s too late. It can grab your passwords as you use them, it can search your disk for sensitive data and copy it offsite, it can wait for you to login to your banking system and start transferring all of your money overseas while simultaneously interfering with your web browser so that everything looks normal. (There’s a lot of this latter going on right now.)

More, it can just sit there and wait for orders. Often, infected machines will gang together and form a “botnet” that is centrally controlled by a small group of attackers. The attackers can use these systems to send spam, steal user names, passwords, account numbers, credit card numbers, and so on. They can also rent these “services” to others if the price is right.

Analysis

What can you be doing about all this?

In addition to basic server and network hardening (firewall, disable unneeded applications, layers of defense, etc), you should deploy a complete endpoint security solution. Unlike previous versions of anti-malware that just matched signatures, a complete endpoint solution contains multiple features. You need to consider:

Anti-virus

Even though the old style of signature matching is considered passe, all those old attacks are still out there. You have to protect against them somehow and this isn’t a bad way.

Behavior-based Profiling

In addition to signatures, anti-malware systems can also look at what applications are actually doing. This used to be called “heuristics”, but these days tends be something like “suspicious behaviour detection” or “pre-execution analysis”. The way it works is to load a small environment around each application and detect what it’s going to do before it does it. If it’s something bad, it stops it. Please note that it is very important that this functions as “pre-execution” and not “during execution”. If it runs at the same time that the application does, there is a chance that the malicious behavior will run before the anti-malware system can stop it.

Firewall

This is a different sort of firewall than your Cisco ASA or Astaro (or the kind on a car, flying or otherwise). This is a host-level firewall that protects the server/workstation itself. The problem here isn’t to duplicate what the network firewall does, it’s to protect a layer where the network firewall cannot. If an attacker manages to get in to one of your workstations, in a normal network, they can then attack all the other workstations on that network. A local firewall protects against attacks pivoting within the same zone to take over more and more of your network.

Traditionally, host-based firewalls have been difficult to manage, but modern endpoint protection systems have central management consoles that makes this easier.

Application Control

The idea behind application control is simply that a central authority can determine which applications may or may not be run on a system. In the ideal world, of course, all users would have minimal privilege levels and not be allowed to run non-approved software. However, since many Windows applications require administrative privileges you need another layer. application control is this layer.

Web Browser Helper Objects

Some malware these days never touches the disk. When you hit a compromised site in your browser, it loads the malware into memory. Once there, it can look at browser traffic, analyze what you’re doing and take over sessions. Since it never hits the disk, it’s not detectable by traditional scanning technologies. Anti-malware solutions that have a Helper Object feature can protect your browser from this sort of malware. It basically wraps the browser and analyzes the pages you visit, providing a layer of protection.

Zero Day Protection

There is necessarily a delay between the discovery of a vulnerability and the availability of a patch. If malware is released during this delay, it’s called a Zero Day Exploit. A system that offers good Zero Day protection combines heuristics with a knowledge of system vulnerability types to catch problems before they take over a system. While it is impossible to ever achieve 100% protection against Zero Day Exploits, the good anti-malware suites are tested against these. You just have to pick one that does well in the independent tests.

Optional: Encryption

Some systems are including the ability to manage local encryption. This can protect important data against casual spying and theft. It’s worth noting that if the malware can manage to run at all, it can just wait until you decrypt the data to view it. However, it does add another layer and if you typically deal with sensitive data, it is worth considering.

Optional: Network Access Control

Network Access Control (NAC) allows your anti-malware system to communicate with your network infrastructure. In the old model, all a machine has to do to connect to the network is be plugged in. With NAC, you layer additional checks such as patch status and whether anti-malware services are running. This would be like a built-in breathalyzer in a flying car. (Can you imagine the drunk driving problem we’d have there?) It’s not been widely accepted yet, but it is growing. In the near future, it will likely be standard, so it would be wise to at least select a vendor that has experience in this field.

Optional: Data Loss Prevention

This technology is aware of the type of data that you work with and will examine it when it is accessed. If there is a rule against allowing that data to leave the network, the DLP system will block access to it. It is worth noting that this technology is still quite new and new technologies generally have a few bumps on the way to adoption. If the anti-malware system includes it, great… but it’s probably not essential quite yet.

Optional: Reporting

Some industries are unregulated and can just get by doing the best business they can. Most anti-malware systems these days have decent consoles that can be used to get a snapshot of activity. This is generally sufficient for most day-to-day operations. But, within a regulated or audited business, it can be important to show trends of activity over time. For this, you need a more robust reporting capability. Sadly, most systems do not include this in the basic package. However, if you have this need, be sure to ask about additional packages. It may be available.

Optional: Lightweight, Frequent Updates

I’ll admit that I’m biased. I like the systems that give me constant updates. If I had a flying car, I’d want to always know about potential problems so I could correct for them. I wouldn’t like it when those updates are big and bring my systems (or my car) down. However, it’s not a requirement per se. If your business doesn’t access the Internet often, slower and bigger updates may work just fine for you. On the other hand, if you have a distributed environment with branch offices or remote workers, consider the impact of pushing out updates.

Time Tested

There are some interesting new approaches in the world of anti-malware. While these are always worth considering, you should also be aware that this is a lot more complex than people think. Even the big vendors have had some pretty embarrassing problems as they grew their business. By all means, check out the newer players, but keep in mind that rocky starts are common in both business and software development. Do you want these rocky starts in your security software?

Also, if you want to check out the newer players, keep in mind that attackers are creating fake anti-malware sites and filling up the search engine listings with links to them. At the very least, pull the list and links from reviews in reputable journals. The last thing you need is to think you’re evaluating anti-malware when in fact you are installing malware itself.

Company Operations

Some anti-malware companies try to reduce their pricing by reducing service levels. From a business perspective, I understand this. It allows you to pick the level of service you want and pay accordingly. However, with security software and service, there is a huge value in responsiveness and operating hours. If there is a new outbreak on the Internet, you want to know that the company is addressing it. If you have a new outbreak, you want to be able to pick up the phone and get help… not an invitation to purchase the new “Uranium Level Tech Support”. (In general I feel that metallurgy belongs in my flying car, not in my technical support.)

Home and Mobile Use

These days, the idea of having a “secure” network are gone. If you allow users to connect to the network from their home or with their various smart phones, there are far too many ways in to the network to keep it secure at the perimeter. This means that the concept of “endpoint” extends out to computers that you don’t own. Luckily, some anti-malware vendors provide “bonus” licenses to cover home PCs and mobile devices. This way you can make sure that all the systems have a level of protection, even if they’re not exactly yours. If you’re advanced enough to be running NAC (above), you can even enforce connection requirements.

Multiplatform and Legacy Issues

If you are completely on the ball, and are only running the absolute latest and greatest operating systems and vehicles, congratulations! Most of us aren’t there (and are still driving pathetic land-bound conveyances). If you have a handful of older systems or systems running different operating systems, you may have a challenge with anti-malware. Many systems still require a separate console for each OS and some of them don’t even support the older systems. Keep this in mind during your evaluations.

Conclusion

In the end, if you have money, you are a target. While running anti-malware isn’t a perfect solution, it is certainly part of a measured response to the problem. As malaware gets increasingly nasty, you have to step up your defenses. I am assuming that you already have a firewall in place and have your servers reasonably configured. The next step would be endpoint protection. Sure, there are many many steps after this, but just having these three layers will get you in a position where there are many easier targets than you… which buys you the time to get proactive about things.

This essay was originally published by Alliance Technologies

Small Business Defense – Web Disclosure

The best defense you have against an accidental data leak is to keep a clear data classification policy and invest in technology that prevents data tagged “private” (or “non public”) from being released. However, that’s not practical for many businesses.

As an alternative, you can flip it around and run attacks against your own servers. You can do file-level scans and make sure that the only files made public are the ones that are supposed to be. Note though, that an attacker could always find your scanning software and use that to explore the system (as I did).

Alternatively alternatively, you could run various Google scans against your systems. You could even schedule them to occur on a regular basis. Of course, the scans would only be as good as the person setting them up and it would be quite possible that something could slip through. Of course, regardless, you’re only catching things this way once Google knows about them… and then attackers might be able to get them too.

You could also just not have any public Web presense at all. If there’s no web site, there’s no chance of a data leakage… but it would also make it difficult to get new business. The same goes for not having any private data. Unless you’re working strictly with open source, odds are that you’re going to have some secret.

You know, a data classification program is starting to look more appealing.

Small Business Attack – Web Disclosure

One of the flaws on a legacy server at the Iowa State University Cyber Defense Competition resulted in granting me the ability to scan the entire web directory. Normally, you’d think “What’s the big deal”, right? After all, the whole point of having a web server is to share it with the world.

In the case of the competition, some very private data was stored on the site. Sure, it was protected, but since there was the flaw that let me scan the system, it was easy enough to circumvent security restrictions and download the files I wanted. After all, I knew exactly where to look.

In the industry, we call this a “data leak”. Typically, it’s when private data somehow wanders across a boundary to the public world and someone on the outside finds it. This used to be primarily done via email or disk, but increasingly it occurs through the Web. As we combine web-based technologies into both extranets and intranets, the chance increases that something from the internal intranet world will cross over into the external extranet world.

Of course, it should be simple, right? Just keep the private stuff private… well, sorta. It turns out, not all information falls cleanly into “public” and “private” categories. Increasingly, attackers target private data, but if they can’t get it, they can leverage sorta-private data against sorta-public data. By finding, for example, the names of your board members on a public website, their mother’s maiden names from a genealogy site, and their personal associations from a search engine, an attacker is in the perfect position to start taking over accounts and working towards that more private data… and that’s just with purely public information.

Imagine if they were able to get confidential or private data…

Security Lessons from Nature – Units of Measurement

One thing that was hammered into me as I pursued my Physics degree was the importance of specifying units in my answers. Unlike my fellow students who chose to study Math, those of us in Physics actually had work that meant something. ;) At the time, I thought that my teachers were just being annoying, as it was pretty obvious what the units were.

Well, as it turns out, the reason that units matter in Physics is because it helps to build physical intuition. Since all answers match (at least, theoretically) reality, you can do a quick check against the answer at the end and make sure it makes sense (well, usually).

However, the reason that this works at all is because we defined all the units a long time ago. The International System of Units (which, for some stupid reason involving non-English languages, we abbreviate as “SI”), defines a unit for everything we have to measure and does so in such a way that it is standardized throughout the world.

The meter measures length, and is defined as the length of the path travelled by light in vacuum during a time interval of 1/299 792 458 of a second
The second measures time and is the duration of 9 192 631 770 periods of the radiation corresponding to the transition between the two hyperfine levels of the ground state of the cesium 133 atom.
The kelvin measures temperature and is the fraction 1/273.16 of the thermodynamic temperature of the triple point of water.
The candela measures luminous intensity, in a given direction, of a source that emits monochromatic radiation of frequency 540 x 1012 hertz and that has a radiant intensity in that direction of 1/683 watt per steradian.

Now, sure, for historical reasons, we have had to fix the values of the units to some pretty arbitrary numbers. However, whenever someone says that something is a second long, everyone knows exactly what they mean (unless it’s a justasecond, which quite a bit longer). That is the advantage of scientific consensus.

Which, of course, makes certain aspects of business difficult. Test of Time Design recently pointed out the problems with comparing yourself to your competition. Really though, the problem compounds when your competition starts comparing themselves to you too. That way, you build a vicious cycle of measurement and are soon making decisions based on metrics that are drifting further and further from reality.

I think that we tend to fall into the trap of measuring the easy things instead of the things that really matter. For example, there are many retail establishments that measure their progress against last year’s performance. What does that really measure? After all, you’re measuring in dollars, and the value of a dollar changes over time. If you base your business decisions on a constantly-changing unit, you have no idea if the changes you are making matter.

We see this problem in the security field as well. Many of us bemoan the lack of decent security metrics. Really, what we want to measure is how much we’re protecting the organization. However, it’s clear that the right way to measure that would be to wait until your company gets breached, figure out what it cost, travel back in time, put up defenses. Then you simply measure the cost of the breach and the cost of the defense, a little subtraction, and you know exactly what your solution is worth.

Alas, time travel can be tricky. So, we have to resort to other methods. There are communities doing some very interesting work in this subject. There are formal methods that are used in enterprises. However, those models tend to take time to work through… often time that the small business doesn’t have in the first place. Luckily, there’s another option.

Just fall back to physical intuition. Even if you can’t make a precise measurement of the weight of a brick, you can know that it’s going to hurt like hell when one hundred of them land on you. Similarly, you don’t need to know exactly what it will save you to deploy a security technology. You just need to look at the cost of the technology and ask yourself “if something bad happened, what would that cost me and how likely is it to happen?” Will this model work for a large enterprise where security solutions cost hundreds of thousands of dollars and can take up to a year to implement? Of course not. However, for small and medium sized business, most common security solutions are inexpensive enough that a rough intuitive calculation will probably do just fine.

Mythic Monday – Ozymandias

A bit of poetry to start your week:

Ozymandias by Percy Bysshe Shelley

I met a traveller from an antique land
Who said: “Two vast and trunkless legs of stone
Stand in the desert. Near them on the sand,
Half sunk, a shattered visage lies, whose frown
And wrinkled lip and sneer of cold command
Tell that its sculptor well those passions read
Which yet survive, stamped on these lifeless things,
The hand that mocked them and the heart that fed.
And on the pedestal these words appear:
`My name is Ozymandias, King of Kings:
Look on my works, ye mighty, and despair!’
Nothing beside remains. Round the decay
Of that colossal wreck, boundless and bare,
The lone and level sands stretch far away”.

Ozymandias (who we now know as Ramesses the Great) was an Egyptian king who many consider to be the most important one ever.

( probably translates as “World’s Greatest Pharaoh” and was found on a mug^*, probably given by Prince Ramesses-Meriamen-Nebweben in a desperate plea for attention.)

^*Not really.

As tempting as it is to go off on the typical history geek listing of great accomplishments, I’ll just point you to the Wikipedia Link instead. Besides, it’s more fun to look at Shelley’s poem. The point, fairly obviously, is that Ozymandias was one impressive guy in his day. He was the Grand Poobah of all of Egypt, did a lot of impressive stuff and was well neigh irreplaceable. Today, little remains of what he did, we get his name wrong in history and make fun of him in blog posts. He was vital in his day and was utterly erased by the sands of time.

(Granted, due to advances in archeology, we know that this isn’t historically true… but we’re talking about a poem from from 1818 (and this blog is ostensibly about IT security anyway, so we’re going to ignore the truth in favor of the lesson.))

We all know people like Ozymandias. Many of them, for some reason, seem to find jobs as IT administrators or developers. They may protect their knowledge within a little silo whilst claiming “job security”. They may build large and complex systems and brag about how they are so complex that no one can ever figure out how to support them. They may resist applying updates or integrating their systems in with everything else, because it’s their legacy. They may also be laid off in the next round.

The problem is that actually, Ozymandias was pretty impressive. He was the most important person in his sphere (being Egypt between 1279 BC to 1213 BC). However, he was clearly not the most important person ever (Bing says that was Juanita Gooden’s mother, Google is less certain) and his works have clearly not survived. The same applies to those special isolated IT systems.

The sad fact is that people don’t last forever, and whether they retire or move on, the systems they leave behind won’t last forever either. In fact, if there is a system that others were never allowed to maintain, it will often age even more quickly than other legacy solutions. No one will be able to troubleshoot it or update it for changing business conditions. It will begin to fail and then the business owners will likely look at purchasing a system to replace it.

Sadly, when this occurs, it serves to commoditize the business just a little bit more. Over time, that which makes a business unique will be eroded by the sands of time and when the business fails, nothing will be left but ruins. Then, three thousand years later, some historico-business-poet^* will write something about the former technology and how greatness doesn’t last.

^*OK, you tell me when they’ll call industry analysts in three thousand years.

The thing is, this could have been avoided. An empire does not exist solely for one man… nor does a business. If the business can identify those protectionist silos and work towards integrating them with the rest of the operations, not only can technological similarities be leveraged but it would be possible to add developers or maintainers and accelerate the adaptability of the business. This would drive the business away from becoming a commodity… then they just have to wait for the other businesses to slowly crumble into dust and they emerge victorious.

(Image by Hajor.)