Tag Archive for Security

| May 9, 2009
Comments Off on Lessons From Botnet Demise

Lessons From Botnet Demise

Lessons From Botnet DemiseBrian Krebs on the Washington Post blog Security Fix profiled a case where a bot-herder killed 100,000 zombie clients in his botnet. The bot-herder implemented a “kill operating system” or kos command resident in the Zeus bot-net crimeware. The kos command caused the infected PCs to Blue Screen of Death (BSOD). The Madrid-based security services firm S21sec reports that invoking the kos command only results in a blue screen and subsequent difficulty booting the OS. There appears to be no significant data loss and neither the Trojan binaries nor the start-up registries are removed, In this post, they look at what happens to an infected computer when it receives a Zeus kos.

Russian botnet

The Zeus crimeware was designed by the Russian A-Z to harvest financial and personal data from PCs with a Trojan. UK Computer security firm Prevx found the Zeus crimeware available for just $4,000. The fee includes a DIY “exe builder” which incorporates a kernel-level rootkit. According to the Prevx this means it can hide from even the most advanced home or corporate security software. RSA detailed the capabilities of Zeus crimeware in 2008. Zeus also includes advanced “form injection capabilities” that allows it to change web pages displayed by websites as they are served on the user’s PC. For example, criminals can add an extra field or fields to a banking website asking for credit card numbers, social security numbers, etc. The bogus field makes it look like the bank is asking you for this data after you have logged on and you believe you are securely connected to your bank.

rb-

The reason for BSODing 100,000 machines isn’t quite clear. Several security experts have offered up their opinions including S21sec and Zeustracker (currently down due to an apparent DDOS). What is clear are the implications of this action.

Botnets and their related crimeware are dangerous for more and more reasons. They can steal massive amounts of personal data. They can launch denial-of-service attacks and they can execute code. I agree with Krebs that the scarier reality about malicious software is that these programs leave ultimate control over victim machines in the hands of the attacker.

Politically motivated attackers

For the time being, it is still in the best interests of the attackers to leave the compromised systems in place. They can plunder more information. However, imagine the social chaos created if 9 million PCs infected with Conflicker including hospitals from Utah to the UK were under the control of Al-Queda or other similarly minded groups. These politically motivated attackers could order all the infected machines to BSOD, creating computer-enhanced chaos. One of the forgotten lessons of 9-11 is that our technology can be hi-jacked and turned against us.  This could be the opening into a new type of cyber warfare.

 

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedInFacebook, and Twitter. Email the Bach Seat here.

Category: Uncategorized | Tags: , , , , , , , , ,
| April 8, 2009
Comments Off on Feds Aim to Nationalize Private Networks

Feds Aim to Nationalize Private Networks

Feds Aim to Nationalize Private NetworksIn the tradition of federalization of the auto industry. And in keeping with promises made in the 2008 campaign. The Obama administration and Democrats in Congress are proposing to increase cybersecurity by federalizing networks. The legislation, co-sponsored by Senate Commerce Committee Chairman John D.”The Internet Should Never Have Existed” Rockefeller IV (D-W.Va.) and Sen. Olympia J. Snowe (R-Maine), was drafted with White House input.

Office of the National Cybersecurity AdviserThe Rockefeller-Snowe measure would create the Office of the National Cybersecurity Advisor, the White House cybersecurity “czar.” The czar would report directly to the president and would coordinate defense efforts across government agencies. The proposed bills go beyond securing government networks and puts the White House in charge of the security of private networks with the authority to shut them down. Under the guise of “critical infrastructure”, the Feds are going to nationalize banking, utilities, air/rail/auto traffic control, and telecommunications networks.

The new rules are proposed in two senate bills, S.773 the Cybersecurity Act of 2009, and S.778. S.778 is a bill to establish, within the Executive Office of the President, the Office of National Cybersecurity Advisor. S.773 is “A bill to ensure the continued free flow of commerce within the United States and with its global trading partners through secure cyber communications, to provide for the continued development and exploitation of the Internet and intranet communications for such purposes, to provide for the development of a cadre of information technology specialists to improve and maintain effective cybersecurity defenses against disruption, and for other purposes.”

NIST logoIt would require the National Institute of Standards and Technology to establish “measurable and auditable cybersecurity standards” that would apply to private companies as well as the government. It also would require licensing and certification of cybersecurity professionals.

Director of National Intelligence Dennis C. Blair acknowledged there will be privacy concerns about centralizing cybersecurity, and he told the Washington Post that the program should be designed in a way that gives Americans confidence that it is “not being used to gather private information.”

rb-

How does the Obama Cyber Czar plan to ensure the continued free flow of commerce when they take the Telco networks off-line. In case they haven’t noticed, the telcos provide most of the long-haul interconnect for the Internet. If the Obama Cyber Czar decides to take the banks offline, there are going to be bigger problems. Can you say bank run? I will pull my cash out at the local branch.

Finally, this is a bad policy, because the Security Czar is a political appointment and network security is too important to be left to politics unless of course, it is in the corporate boardroom.

 

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedInFacebook, and Twitter. Email the Bach Seat here.

Category: Uncategorized | Tags: , , , , , ,
| February 21, 2009
Comments Off on Costs of Data Breach is Increasing

Costs of Data Breach is Increasing

Costs of Data Breach's IncreasingThe annual Cost of Data Breach survey conducted by the Traverse City, MI-based Ponemon Institute and funded by encryption vendor PGP Corp. found the total average costs associated with data breaches rose slightly since 2007.

The fourth annual U.S. Cost of a Data Breach Study (registration required) surveyed 43 firms that experienced a data breach and asked them to give estimates for their expenses. The total average costs of a data breach grew to $202 per record compromised, an increase of 2.3% since 2007 ($197 per record) and 11% compared to 2006 ($182 per record).

Depending on the size of the breach, costs could become astronomically expensive, said Dr. Larry Ponemon, chair and founder of The Ponemon Institute. Some in the privacy community have a view that people over time will become indifferent to a data breach notification. But the Ponemon breach found the costs associated with lost business continue to climb. The lost business now accounts for 69% of data breach costs, up from 65% in 2007.

“Our model suggests that people haven’t reached the point of indifference yet,” Ponemon said. “When people reach that point the cost of churn should decline, but our findings show the costs continue to creep up year by year.”

The survey also found many firms having trouble preventing data breaches. Of the firms surveyed, 84% said they experienced more than one breach, though the costs are higher for companies experiencing a breach for the first time. Per victim cost for a first-time data breach is $243 versus $192 for experienced companies.

“It’s impossible to create an environment where you cannot have a data breach,” Ponemon said. “Data breaches will probably continue even for the best of companies, but it’s how you detect it, how you respond to it, and how you manage the risk that matters most.”

Companies are fearful of malicious insiders getting access to sensitive data. The rising tide of layoffs as a result of the poor economy has put a focus on the insider threat. But insider negligence continued to play a major role in causing a data breach. More than 88% of all cases involved incidents of insiders mishandling data. Far fewer breaches were from malicious insiders. The Ponemon study found that the per victim cost for data breaches involving negligence cost $199 per record versus malicious acts costing $225 per record.

Fewer firms are investing in additional technologies. Encryption was the first technology implemented after a breach. Of the technology options, 44% of companies have expanded their use of encryption, the Ponemon survey found.

“One of the mistakes people make with encryption is they’ll go and encrypt a laptop and forget about thumb drives, email or FTP servers,” he said. “People are addressing some issues but not addressing the entire problem.”

Some companies turn to the use of third-party services to handle personal information such as payment transactions and customer loyalty programs. But the Ponemon survey found that those services may increase the risk of data leakage and increase the cost of a breach. Breaches by outsourcers, contractors, consultants and business partners were reported by 44% of respondents, up from 40% in 2007. Third-party vendors often take more time to investigate and conduct forensic analysis. Services sometimes lose information due to poor processes or inadequate data protection technologies, Ponemon said.

 

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedInFacebook, and Twitter. Email the Bach Seat here.

Category: Uncategorized | Tags: , , , , , ,
| February 1, 2009
Comments Off on Fannie Mae – What Ails America

Fannie Mae – What Ails America

Fannie Mae - What Ails AmericaComputerWorld reports that an Indian national Rajendrasinh Babubhai Makwana, in an outsourced contract job as a Unix engineer is accused of planting malicious code on his employer’s network. Makwana was employed by the Federal National Mortgage Association, better known as Fannie Mae. He has been accused of planting malicious code on the corporation’s network that was to “destroy and alter” all the data on the company’s servers on 01-31-09, court documents show.

H-1B VisaMakwana, 35, was indicted on 01-27-2009 by a federal court on a single charge of computer intrusion, according to documents released yesterday. Reports are unclear about the attacker’s employer or his employment status. According to the AP, Makwana has lived in the United States since at least 2001.

According to the complaint sworn by FBI Special Agent Jessica Nye, Makwana was let go from his outsourced contract position at Fannie Mae’s Urbana, Md., datacenter on Oct. 24, 2008. He was fired after he had “erroneously created a computer script that changed the settings on the Unix servers without the proper authority of his supervisor,” Makwana had created that settings-changing script on Oct. 10 or Oct. 11, as much as two weeks before he was fired, Nye said.

Fannie Mae data centerWithin 90 minutes of being told he was terminated on Oct. 24, and several hours before his access to the Fannie Mae network was disabled later that evening, Makwana embedded a malicious script in a legitimate script that ran on Fannie Mae’s network every morning, Nye said in her affidavit.

The logic bomb would have “caused millions of dollars in damage and reduced if not shutdown [sic] operations at [Fannie Mae] for at least one week” if it had not been found before Saturday’s trigger date, the complaint said. “this script would power off all servers, disabling the ability to remotely turn on a server,” said the government’s complaint. “Subsequently, the only way to turn the servers back on was physically getting to a data center.”

rb-

I agree with Dvorak’s piece on MarketWatch which asks the rhetorical question, why was Makwana working at Fannie Mae in the first place?  Are you telling me no American citizen could have done his job? 

It has long been believed that in most cases H-1B visas in technology have been exploited by companies such as Fannie Mae only because programmers coming from India work cheaper. Over the years, companies like Fannie Mae have been begging for more and more H-1B visas to outsource more jobs.. That means more people working cheaper than the going rate. You get what you pay for.

This episode also is further evidence that Fannie Mae is still a poorly run company. Is it really so hard to turn off someone’s network access when you take their ID card?. A good place to start is that when a person is meeting with their boss and HR, to be terminated, their access to all systems is to be suspended. There is no reason to allow access to remote systems. In this case, based on the papers filed, Just more of my tax dollars at waste work.

 

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedInFacebook, and Twitter. Email the Bach Seat here.

Category: Uncategorized | Tags: , , , , , , , , ,
| November 16, 2008
Comments Off on Online Security Threats Growing

Online Security Threats Growing

Online Security Threats GrowingDarkReading is reporting that Ann Arbor-based Arbor Networks has issued its fourth Worldwide Infrastructure Security Report. The global report is based on responses from 70 lead security engineers worldwide. Some of the report’s findings are that DDoS attacks have grown a hundredfold since 2000 and the newest threat is increasing service-level attacks

Arbor Networks logoRespondents to the survey said the main threat vectors for attacks experienced during August 2007 to July 2008, were:

  • external, brute force attacks (61%)
  • known vulnerabilities (12 %)
  • social engineering (3%)
  • misconfiguration (3%)
  • none from zero-day threats.

Brute force attacks, such as DDoS, jumped 67 percent over the last year. ISPs reportedly spent most of their available security resources combating distributed denial of service (DDoS) attacks. Flood-based attacks represented 42 percent of the attacks reported and protocol exhaustion-based attacks at 24 percent last year. DDoS attacks have grown from megabit levels in 2000 to 40-gigabit attacks this year. Nearly 60 percent of ISPs worldwide say they experienced DDoS attacks larger than 1 gigabit-per-second (Gbps) to a record 40 Gbps, according to Arbor’s report. Arbor also indicates the growth in attack size continues to significantly outpace the corresponding increase in underlying transmission speed and ISP infrastructure investment according to Danny McPherson, chief security officer for Arbor Networks.

Bandwidth bottleneckThe report indicates that the ISPs surveyed are less worried about DDoS attacks than they were a year ago. This year ISPs describe a far more diversified range of threats, more than half are battling an increase in service-level attacks which accounted for 17 percent of all attacks, that attempt to exploit vulnerabilities and limitations of computing resources. New attacks are being directed at new services, as ISP’s work to diversify their income sources by expanding into content distribution, VoIP or other managed services. These new threats include:

  • domain name system (DNS) spoofing
  • border gateway protocol (BGP) hijacking
  • spam.

Almost half of the surveyed ISPs now consider their DNS services vulnerable. Others expressed concern over related service delivery infrastructure, including voice over IP (VoIP) session border controllers (SBCs) and load balancers. Several ISPs reported multi-hour outages of prominent Internet services during the last year due to application-level attacks.

Botnets are still a big problem for ISPs. Botnets continue their expansion across the Internet. ISP’s report that botnet used for:

  • SPAM (36%)
  • DDoS (31%)
  • phishing (28%)
  • ID fraud (>5%)
  • click fraud (>5%)

Rob Malan, founder and chief technology officer of Arbor Networks explained that, with application-based attacks, bot-infected computers worldwide make connections to a targeted site, then “use an application protocol to deliver a perfectly valid request, not a vulnerability, not something that an IDS or other type of firewall would necessarily flag”. For example, a botnet might instruct its zombie computers worldwide to do a back-end query off a database. “By itself, it’s not bad but, if you have multiple such requests, then you tie up the application – in this case, database – resources on the back-end,” he said.

Even the newest technologies are not secure, 55 percent of ISPs see the scale and frequency of IPv6 attacks increasing. “They are asked to deploy V6, but they don’t feel they can have security [with it],” Dr. Craig Labovitz chief scientist for Arbor Networks says. Today’s IPS/IDS, firewall, and other tools don’t have the proper visibility into IPv6 networks to secure them, he says. Arbor Networks released an earlier study in August 2008 which revealed negligible IPv6 usage.

The response capability of the respondents is mixed. The majority of ISPs report that they can detect DDoS attacks using tools. This year also shows significant adoption of inline mitigation infrastructure and a migration away from less discriminate techniques like blocking all customer traffic (including legitimate traffic) via routing announcements. Many ISPs also report deploying walled-garden and quarantine infrastructure to combat botnets.

Despite the tools, on hand, only a few of the surveyed ISPs said they have the capability to mitigate DDoS attacks in 10 minutes or less. Even fewer providers have the infrastructure to defend against service-level attacks or this year’s reported peak of a 40-gigabit flood attack.

Even less of an emphasis is placed on finding the criminals responsible for these attacks. Arbor Networks found that ISPs have faith in law-enforcement bodies. Nearly two-thirds of respondents indicated that they do not believe law enforcement has the means to act upon the information they provide about attacks or other security incidents. “It’s hard on carriers,” said Malan. “They get paid on traffic, not to do forensic analysis. So it’s hard from their perspective to make the economics work.”

The Arbor Networks 2008 Worldwide Infrastructure Security Report describes a networked world where DDoS attacks growth has outpaced the ability of firms to respond to them and new service level attacks are driven by botnet’s are matching the firm’s efforts to diversify their service offerings to customers. These facts when combined with the current economic recession, the networked world still appears to be a difficult place to do business.

 

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedInFacebook, and Twitter. Email the Bach Seat here.

Category: Uncategorized | Tags: , , , , , , , , , ,
« Older Entries   Recent Entries »