Thursday, March 22, 2007

Dynamic Security with its physical and ICT security convergence fights the bad guys

British bust plot against Internet

This is why our Uncle Julius always kept his stock certificates in his desk drawer: British police have revealed that they last year uncovered an al Qaeda plot to bring down the country's Internet systems and throw the stock markets into chaos. According to Scotland Yard, the suspects planned to infiltrate a Docklands hub facility called Telehouse Europe and detonate explosives. The target may have been symbolic: Telehouse itself is intended to provide backup power for Britain's networks in case of a terrorist attack, and it is nicknamed CTU after the counter-terrorist headquarters in the heart-pounding (and torture-boosting) television show 24. The discovery of the plot also resulted in a second positive outcome. MI5 has established a special unit to focus on infrastructure protection.


Dynamic Security and IDentiWall are the answer to the hacking issue

Hacker attacks getting more personal

Jaikumar Vijayan


March 20, 2007 (Computerworld) In the same way some e-commerce sites serve up customized content based on a user's profile, cybercriminals are increasingly using personalization techniques to more effectively attack those who visit their Web sites.

Over the past year or so, the number of malicious sites using personalization techniques has mushroomed and today represents a new and disturbing trend, according to IBM's Internet Security Systems X-Force threat analysis group.

Unlike older sites that simply served up the same exploit code over and over, the new ones are loaded with multiple exploits and payloads, said Gunter Ollmann, director of security strategies at IBM's ISS X-Force team. The sites are crafted to first probe a visitor's browser for specific information, which it then uses to craft a customized attack, he said.

"We're seeing a large number of malicious Web sites that make use of IP address and browser information before they start to create an attack," Ollmann said

For instance, a user who visited a malicious Web site using Internet Explorer would be targeted with exploits seeking to take advantage of specific IE flaws, while those running Firefox or Netscape would be targeted with attacks specific to their browser types. The typical payloads include spyware programs and keystroke logging software, he said.

Each Web site can host literally "dozens and dozens of exploits" targeted at old and new flaws in browsers such as IE, Firefox and Netscape, Ollmann said. "We have seen a lot of zero-day exploits being used on such sites."

Very often, the exploits are secured from organized "managed exploit providers" who, for a monthly subscription fee -- sometimes as low as $20 per month -- provide a virtually unlimited number of exploits, he said.

According to the X-Force 2006 report on security trends, about 30% of malicious Web sites at the end of 2006 were using personalization techniques. That number is growing at the rate of about 1,000 new sites every week, Ollmann said. Many of the sites are live for about four or five days before disappearing, he said.

Cybercriminals typically lure users to such sites by using spam mail or by hijacking and using domains that appear to be legitimate sites, he said. Sometimes, users can also get directed to such sites when they click on shared objects within a Web page, such as a banner advertisement or a visitor counter, he said.

Often such sites use IP addresses to ensure that they deliver the malicious code just once in order to minimize the chance of being detected, Ollmann said. Some are even beginning to compile lists of IP addresses of Web sites belonging to security vendors to ensure that visitors from such sites are not targeted with malicious content at all, he said.

Many of these Web sites use sophisticated obfuscation techniques to evade detection, he said. Java scripts, for instance, are often used to "basically encrypt the contents within a page" to hide information from signature-based detection technologies, Ollmann said. A malicious program might also be sometimes truncated into two or more innocuous looking bits, which can then be later reassembled when needed.

Many sites also deliver the payload in two phases. First, a so-called dropper or a downloader program is installed on a system. This program is then later activated to download the malicious payload.


IDentiWall is the solution and it's coming soon

Gozi Trojan leads to Russian data hoard

Jaikumar Vijayan


March 20, 2007 (Computerworld) A Russian Trojan program named Gozi that remained largely undetected for more than 50 days earlier this year has stolen more than 10,000 records containing confidential information belonging to about 5,200 home users.

The compromised information included about 2,000 Social Security numbers, account numbers, user names and passwords that the individuals used to log into bank accounts as well as online retail and e-commerce sites.

The stolen data also included employee log-in information to applications from more than 300 companies and government organizations -- including several law enforcement agencies at the federal and state level -- as well as medical information of health care employees and patients whose usernames and passwords were compromised via their home PCs.

All of the information was sent by Gozi to a server in St. Petersburg, where it was then sold on a subscription basis to an unknown number of individuals. The black market street value of the stolen data: $2 million.

Details of the Trojan and the stolen information were uncovered in January by Don Jackson, a security researcher at SecureWorks Inc., an Atlanta-based managed security service provider. Jackson noted that there are at least two more known variants of Gozi, meaning new attacks are likely.

According to Jackson, an acquaintance reported that several accounts on Web sites he visited from work and home had been hijacked. An investigation of the PC used to access the sites uncovered a previously unclassified malware executable that appeared to have been installed last December.

An analysis of the Trojan program showed that it was designed to steal data from encrypted Secure Sockets Layer (SSL) streams and send it to a server based in Russia. The Trojan took advantage of a vulnerability in the iFrame tags of Microsoft Corp.'s Internet Explorer. The buffer overflow flaw basically allows attackers to take complete control of a compromised system. In this case, the users compromised by the Gozi Trojan appear to have visited several hosted Web sites, community forums, social networking sites and those belonging to small businesses.

The server to which the information was being sent had a very professional-looking front end that allowed users to log into individual accounts, view indexed data and get results from queries based on certain fields such as URL and form parameters. Each customer-generated query had a price associated with it, Jackson said. The currency unit used on the site was WMZ, which is a WebMoney unit roughly equivalent to the U.S. dollar, Jackson said.

When Jackson first discovered the Trojan in January, not one of the 30 antivirus products he tested detected the malware specifically. Several flagged it as a suspicious file or a generic threat based on the fact that it was using a commonly known packing tool to compress the code. Updated versions of the same 30 products in early February did a better job of picking up Gozi, though even at that point five of the products completely missed it, according to Jackson.

Details of the Trojan and the information on the Russian server have been passed on to law enforcement authorities, and to several of the affected companies, Jackson said. The subscription service offering this stolen information was disabled Match 12, he said. However, the server housing the data is still online and is continuing to receive stolen information, he said.


Just wait and see how IDentiWall tackles the hacking problem

Grab Fingerprint, Then Attack


MARCH 20, 2007 | Hacker "Simple Nomad" showed just how easy it is to hack intrusion detection and intrusion prevention systems yesterday in a briefing at the InfoSec World conference.

First you determine if an IDS/IPS is sitting at the perimeter, and then "fingerprint" it to find out the brand of the device, says the hacker also known as Mark Loveless, security architect for Vernier Networks. By probing the devices, "You can extrapolate what brand of IPS is blocking them and use that to plan your attack."

Different IDS/IPS products block different threats, so an attacker can use those characteristics to gather enough intelligence to pinpoint the brand name, he says. And it's not hard to distinguish an IDS from an IPS: If you can access XYZ before the attack, but not after, it's an IPS. And if there are delays in blocking your traffic, it could be an admin reading the IDS logs, Loveless says.

Loveless pointed to IDS/IPS evasion using an old vulnerability in Windows, "Web hits," which dates back to earlier versions of Microsoft Windows NT and IIS. "It's so old that it's not out there anymore and not supported." Few IPSes block it because it's so dated, he says, so that helps determine which ones you're up against.

"You can tell which ones they are by how they react" to an attack, he says. "Sourcefire's Snort doesn't have a signature for it, but NetSense from Jupiter does."

The trouble with this particular vulnerability was that IDS/IPS signature writers modeled their code after an exploit of the bug -- namely that the header value of zero would cause a buffer overflow -- to build their detection rules, rather than basing it on the actual vulnerability itself. "It wasn't that it had a set value of zero. It was that if the value was smaller than the amount of data you were going to shovel into it," he says.

Loveless changed just one parameter to cause a buffer overflow and to bypass the Snort IDS. "This is more a reflection on who wrote the signature rather than on Snort."

"All it usually takes is changing a couple of these [parameters], and you can bypass most IDS/IPSes," he says. Basically, you use an IDS/IPS against itself by exploiting weaknesses in its signatures (or lack thereof). An attacker can force an IPS to invoke blocking and fall into a denial-of-service trap, and can force a buffer or heap overflow to knock the security tools offline.

How do you protect yourself against such a determined attacker? Besides the obvious -- patch, update, and audit regularly -- Loveless says to ask IDS/IPS vendors if they write their own signatures. If not, do they test them before adding them? Do they detect vulnerabilities or just the exploit? "Vulnerabilities and exploits are two separate things, but the trend is they are most likely looking at the exploit, not the vuln," which limits their effectiveness, he says.

— Kelly Jackson Higgins, Senior Editor, Dark Reading


Made4biz Security Translating real-world security knowhow into state of the art security systems.
Made4biz Security

Turn on Sound for Demos:
Bill Gates Demo (Location-based)
Elvis Demo (Location/Context-based)
Clint Eastwood Demo (Temporal-based)

Powered by Blogger

Subscribe to
Posts [Atom]

Technorati Profile

RSS Syndication

Made4Biz Security Inc