Toward a Culture of Security Measurement

September 2, 2010

“Our dependence on all things cyber as a society is now inestimably irreversible and irreversibly inestimable.”

Yeah, I had to re-read that line a few times, too. Which is probably why I’ve put off posting a note here about the article from which the above quote was taken, a thought-provoking essay in the Harvard National Security Journal by Dan Geer, chief information security philosopher officer for In-Q-Tel, the not-for-profit venture capital arm of the Central Intelligence Agency.

The essay is well worth reading for anyone remotely interested in hard-to-solve security problems. Geer is better than most at tossing conversational hand grenades and then walking away, and this piece doesn’t disappoint. For example:

“Looking forward, without universal strong authentication, tomorrow’s cybercriminal will not need the fuss and bother of maintaining a botnet when, with a few hundred stolen credit cards, he will be able to buy all the virtual machines he needs from cloud computing operators. In short, my third conclusion is that if the tariff of security is paid, it will be paid in the coin of privacy.”

Geer’s prose can be long-winded and occasionally sesquipedalian (such as the phrase “Accretive sequestration of social policy”), but then he turns around and shows off his selective economy with words by crafting statements like:

“..demand for security expertise so outstrips supply that the charlatan fraction is rising.”

In the essay, Geer touches on a pet issue of mine: Accountability for insecurity. I recently wrote an editorial for CSO Online addressing a public request for advice by the Federal Communications Commission (FCC), which wants ideas on how to craft a “Cybersecurity Roadmap” as part of its $7 billion national broadband initiative.

In that column, I suggest that the FCC find a way to measure and publish data about the number and longevity of specific cyber security threats resident on domestic ISPs and hosting providers. I also suggest that the government could achieve this goal largely by collecting and analyzing data from the many mainly volunteer-led efforts that are already measuring this stuff.

Geer warns readers that “the demand for ‘safe pipes’ inexorably leads to deputizing those who own the most pipes.” But mine isn’t a “punish or regulate ISPs-for-having-lots-of-security-problems” approach. Instead, it’s more of a “publish a reputation score with the imprimatur of the federal government in the hopes that the ISPs will be shamed into more proactively addressing abuse issues” idea.

Who knows if my idea would work, but it wouldn’t be terribly risky or expensive to try. After all, as Geer said, “security is a means and that game play cannot improve without a scorekeeping mechanism.”

“These are heady problems,” he concludes. “They go to the heart of sovereignty.  They go to the heart of culture.  They go to the heart of ‘Land of the Free and Home of the Brave’.  They will not be solved centrally, yet neither will they be solved without central assistance.  We have before us a set of bargains, bargains between the Devil and the Deep Blue Sea.  And not to decide is to decide.”

Cue the music.

Cyber Thieves Steal Nearly $1,000,000 from University of Virginia College

September 1, 2010

Cyber crooks stole just shy of $1 million from a satellite campus of The University of Virginia last week, KrebsOnSecurity.com has learned.

The attackers stole the money from The University of Virginia’s College at Wise, a 4-year public liberal arts college located in the town of Wise in southwestern Virginia.

Kathy Still, director of news and media relations at UVA Wise, declined to offer specifics on the theft, saying only that the school was investigating a hacking incident.

“All I can say now is we have a possible computer hacking situation under investigation,” Still said. “I can also tell you that as far as we can tell, no student data has been compromised.”

According to several sources familiar with the case, thieves stole the funds after compromising a computer belonging to the university’s comptroller. The attackers used a computer virus to steal the online banking credentials for the University’s accounts at BB&T Bank, and initiated a single fraudulent wire transfer in the amount of $996,000 to the Agricultural Bank of China. BB&T declined to comment for this story.

Sources said the FBI is investigating and has possession of the hard drive from the controller’s PC. A spokeswoman at FBI headquarters in Washington, D.C. said that as a matter of policy the FBI does not confirm or deny the existence of investigations.

The attack on UVA Wise is the latest in a string of online bank heists targeting businesses, schools, towns and nonprofits. Last week, cyber thieves stole more than $600,000 from the Catholic Diocese of Des Moines, Iowa.

Update, Sept. 4, 4:27 p.m. ET: Jordan Fifer, a reporter for the Highland Cavalier, the official student newspaper for UVA-Wise, writes that school officials now say they have recovered the stolen money.

Advertisement

MS Fix Shores Up Security for Windows Users

September 1, 2010

Microsoft has released a point-and-click tool to help protect Windows users from a broad category of security threats that stem from a mix of insecure default behaviors in Windows and poorly written third-party applications.

My explanation of the reason that this is a big deal may seem a bit geeky and esoteric, but it’s a good idea for people to have a basic understanding of the threat because a number of examples of how to exploit the situation have already been posted online. Readers who’d prefer to skip the diagnosis and go straight to the treatment can click here.

DLL Hijacking

Windows relies heavily on powerful chunks of computer code called “dynamic link libraries” or DLLs. Each of these DLLs performs a specific set of commonly-used functions, and they are designed so that Windows can share these functions with other third-party programs that may want to invoke them for their own purposes. Many third-party apps will load these DLLs or bring their own when they first start up and often while they’re already running.

Typically, DLLs are stored in key places, such as the Windows System (or System32) directory, or in the directory from which the application was loaded. Ideally, applications will let Windows know where to find the DLLs they need, but many do not.

The potential for trouble starts when an application requests a specific DLL that doesn’t exist on the system. At that point, Windows sets off searching for it — looking in the above-mentioned key places first. But eventually, if Windows doesn’t find the DLL there or in a couple of other places, it will look in the user’s current directory, which could be the Windows Desktop, a removable device such as a USB key, or a folder shared on a local or remote network.

And while an attacker may not have permission to write files to the Windows system or program directories, he may be able to supply his own malicious DLL from a local or remote file directory, according to the U.S. Computer Emergency Readiness Team.

Several months ago, experts from a Slovenian security firm warned that hundreds of third-party applications were vulnerable to remote attacks that could trick those apps into loading and running malicious DLLs. According to the Exploit Database — which has been tracking confirmed reports of applications that are vulnerable to this attack — vulnerable apps include Windows Live Mail, Windows Movie Maker, Microsoft Office Powerpoint 2007, Skype, Opera, Medialplayer Classic and uTorrent, to name just a few.

The FixIt Tool

Roughly one week ago, Microsoft released a workaround tool to help users and system administrators blunt the threat from all of this by blocking insecure DLLs from loading from remote and local file sharing locations. But the tool wasn’t exactly made for home users: After you installed and rebooted, you still had to manually set a key in the Windows registry, an operation that can cause serious problems for Windows if done imprecisely.

On Tuesday, Microsoft simplified things a tiny bit, by releasing one of its “FixIt” tools to make that registry fix so users don’t have to monkey around in there. Trouble is, you still need to have installed the initial workaround tool before you can install this point-and-click FixIt tool.

It’s tough to gauge whether DLL hijacking poses the same threat to home users that it does to users on larger enterprise networks. Microsoft maintains that this class of vulnerability does not enable a “driveby” or “browse-and-get-owned” zero-click attack, but the attack scenarios Redmond describes where a Windows user could get owned by this attack probably would work against a majority of average Windows users.

And while it may take some time for developers of vulnerable third-party apps to fix their code, Microsoft’s interim fix does add a measure of protection. If you’d like to take advantage of that protection, visit this link, scroll down to the Update Information tab, and click the package that matches your version of Windows. Install the fix and reboot Windows. Then visit this link, and click the FixIt icon in the center of the page and follow the installation prompts.

Further reading:

An excellent writeup on this from SANS Internet Storm Center incident handler Bojan Zdrnja.

A discussion thread about this on DSL Reports’ security forum.

Crooks Who Stole $600,000 From Catholic Diocese Said Money Was for Clergy Sex Abuse Victims

August 30, 2010

Organized cyber thieves stole more than $600,000 from the Catholic Diocese of Des Moines, Iowa earlier this month. The funds were spirited away with the help of dozens of unwitting co-conspirators hired through work-at-home job scams, at least one of whom was told the money was being distributed to victims of the Catholic Church sex abuse scandals, KrebsOnSecurity.com has learned.

In a statement released last week, the diocese said the fraud occurred between Aug. 13 and Aug. 16, apparently after criminals had stolen the diocese’s online banking credentials. The Diocese it was alerted to the fraud on Aug. 17 by its financial institution, Bankers Trust of Des Moines.

The diocese also said the FBI and U.S. Treasury Department were notified, and that the FBI had taken possession of several diocesan computers. To date, roughly $180,000 has been recovered.

The diocese added that law enforcement had advised them that the theft seems to have been the work of a highly sophisticated operation based overseas, which moved the stolen money out of the United States by recruiting people who unknowingly act as intermediaries.

“While the Diocese of Des Moines is protected by insurance and anticipates the restoration of the funds, we have been advised that such criminal activity is rampant,” Des Moines Bishop Richard Pates said. “Obviously, any entity that experiences such a crime should be significantly concerned.”

Once again, the theft involves so-called money mules willingly or unwittingly recruited by a specific money mule cash-out gang whose work I have written about several times already. Among the mules involved in this incident was a man in Newnan, Ga. who received almost $30,000 of the church’s cash. Daniel Huggins, the 29-year-old owner of Masonry Construction Group LLC, got mixed up with a company calling itself the Impeccable Group, claiming to be an international finance company operating out of New York.

Huggins said the Impeccable Group recruited him via e-mail, claiming it had found his resume on job search site Monster.com. The Impeccable Group told him he would be doing payment processing for the company, and on Aug. 16, Huggins’ erstwhile employers sent him two payments, one for almost $20,000 and another for slightly less than $10,000.

Huggins said he contacted the Impeccable Group shortly after the transfers because the amounts seemed quite high and the transfers appeared to be coming from the Catholic Church. The scammers apparently were ready for this question and were quick on their feet with a reply that was as plausible as it was diabolical: Huggins was told the money was going to be distributed as legal settlements to people who had been affected by the clergy sexual abuse scandals that have rocked the church in recent years.

“The told me it was going to be payouts to some of the settlements in the sex crimes cases against the Church,” Huggins said.

Continue reading

Researchers Kneecap ‘Pushdo’ Spam Botnet

August 27, 2010

Security researchers have dealt a mighty blow to a spam botnet known as Pushdo, a massive grouping of hacked PCs that until recently was responsible for sending more than 10 percent of all junk e-mail worldwide.

According to security firm M86 Security Labs, junk e-mail being relayed by Pushdo (a.k.a. Cutwail) tapered off from a torrent to a dribble over the past few days. M86 credits researchers at LastLine Inc., a security firm made up of professors and graduate students from University of California, Santa Barbara, the Vienna University of Technology (Austria), Eurecom (France), and Ruhr-University Bochum (Germany).

LastLine’s Thorsten Holz said his group identified 30 Internet servers used to control the Pushdo/Cutwail infrastructure, located at eight different hosting providers around the globe. Holz said Lastline contacted all hosting providers and worked with them to take down the machines, which lead to the takedown of nearly 20 of those control servers.

“Unfortunately, not all providers were responsive and thus several command & control servers are still online at this  point,” Holz wrote on the company’s blog. “Nevertheless, this effort had an impact on Pushdo/Cutwail, which you can also see in new Anubis reports generated today  by re-running the analysis: Many connection attempts fail and infected machines can not receive commands anymore.”

Continue reading

White House Calls Meeting on Rogue Online Pharmacies

August 26, 2010

The Obama administration is inviting leaders of the top Internet domain name registrars and registries to attend a three-hour meeting at the White House next month about voluntary ways to crack down on Web sites that are selling counterfeit prescription medications.

The invitation, sent via e-mail on Aug 13 by White House Senior Adviser for Intellectual Property Enforcement Andrew J. Klein, urges select recipients to attend a meeting on Sept. 29 with senior White House and cabinet officials, including Victoria Espinel, the Obama administration’s intellectual property enforcement coordinator.

“The purpose of this meeting is to discuss illegal activity taking place over the internet generally, and more specifically, voluntary protocols to address the illegal sale of counterfeit non-controlled prescription medications on-line,” the invitation states.

Continue reading

Adobe, Apple Issue Security Updates

August 25, 2010

Both Adobe and Apple have released security updates or alerts in the past 24 hours. Adobe pushed out a critical patch that fixes at least 20 vulnerabilities in its Shockwave Player, while Apple issued updates to correct 13 flaws in Mac OS X systems.

The Adobe patch applies to Shockwave Player 11.5.7.609 and earlier on Windows and Mac operating systems. Adobe recommends that users upgrade to Shockwave Player 11.5.8.612, available at this link. But before you do that, you might want to visit this link, which will tell you whether or not you need to update, and indeed whether you currently have Shockwave installed at all. If you visit it and don’t see an animation, then you don’t have Shockwave (and probably aren’t missing it either).

One other note about Shockwave: Firefox users may notice a “Shockwave Flash” entry when they click “Tools,” “Add-0ns,” and then the “Plugins” tab. For reasons that are too complicated to explain in one breath, this is actually Adobe’s name for its regular Flash player, which most people probably do want installed because can be difficult to browse and use the Internet without it.  By the way, if you haven’t updated your Flash Player in a while, Adobe issued a new version of that software on Aug 10 that plugged a half dozen security holes.

Apple’s update affects Mac OS X Server 10.5, Mac OS X 10.5.8 , Mac OS X Server 10.6 , Mac OS X 10.6.4 and is available via Software Update or from Apple Downloads.

MalCon: A Call for ‘Ethical Malcoding’

August 24, 2010

I was pretty bummed this year when I found out that a previous engagement would prevent me from traveling to Las Vegas for the annual back-to-back Black Hat and Defcon security conventions. But I must say I am downright cranky that I will be missing MalCon, a conference being held in Mumbai later this year that is centered around people in the “malcoder community.”

According to the conference Web site, MalCon is “the worlds [sic] first platform bringing together Malware and Information Security Researchers from across the globe to share key research insights into building the next generation malwares. Spread across the world, malcoders now have a common platform to demonstrate expertise, get a new insight and be a part of the global MALCODER community. This conference features keynotes, technical presentations, workshops as well as the EMERGING CHALLENGES of creating undetectable stealthy malware.”

The call for papers shows that this security conference is encouraging malware writers of all shapes, ages and sizes to bring and share their creations. “We are looking for new techniques, tool releases,unique research and about anything that’s breath-taking, related to Malwares. If your presentation, when given with all its valid techno-Jargon can give our moderators a head-ache, you are right up there. The papers and research work could be under any of the broad categories mentioned below. You can submit working malwares as well.”

Among the “malwares” encouraged are novel phishing kits, botnets and mobile phone-based malware, malware creation tools, cross-platform malware infection techniques, and new malware self-defense mechanisms, such as anti-virus exploitation techniques.

At first, I didn’t know what to make of this conference, which was initially brought to my attention by a clueful source in the botnet underground. My hoaxmeter went positively bonkers after I pinged both of the e-mail addresses listed on the site and each e-mail bounced.

Continue reading

Anti-virus Products Struggle Against Exploits

August 23, 2010

Most anti-virus products designed for use in businesses do a poor job of detecting the exploits that hacked and malicious Web sites use to foist malware, a new report concludes.

Independent testing firm NSS Labs looked at the performance of 10 commercial anti-virus products to see how well they detected 123 client-side exploits, those typically used to attack vulnerabilities in Web browsers including Internet Explorer and Firefox, as well as common desktop applications, such as Adobe Flash, Reader, and Apple QuickTime.

Roughly half of the exploits tested were exact copies of the first exploit code to be made public against the vulnerability. NSS also tested detection for an equal number of exploit variants, those which exploit the same vulnerability but use slightly different entry points in the targeted system’s memory. None of the exploits used evasion techniques commonly employed by real-life exploits to disguise themselves or hide from intrusion detection systems.

Among all ten products, NSS found that the average detection rate against original exploits was 76 percent, and that only three out of ten products stopped all of the original exploits. The average detection against exploits variants was even lower at 58 percent, NSS found.

Continue reading

Adobe Issues Acrobat, Reader Security Patches

August 19, 2010

Adobe Systems Inc. today issued software updates to fix at least two security vulnerabilities in its widely-used Acrobat and PDF Reader products. Updates are available for Windows, Mac and UNIX versions of these programs.

Acrobat and Reader users can update to the latest version, v. 9.3.4, using the built-in updater, by clicking “Help” and then “Check for Updates.”

Today’s update is an out-of-cycle release for Adobe, which recently moved to a quarterly patch release schedule. The company said the update addresses a vulnerability that was demonstrated at the Black Hat security conference in Las Vegas last month. The release notes also reference a flaw detailed by researcher Didier Stevens back in March. Adobe said it is not aware of any active attacks that are exploiting either of these bugs.

More information on these patches, such as updating older versions of Acrobat and Reader, is available in the Adobe security advisory.