web application security lab

Archive for the 'Anti-Virus' Category

U.S. Government Testing Cybersecurity

Friday, February 16th, 2007

I’ve been asking about this for years now, and I finally got my answer: yes, the US government is going to test the state of cyber-security in the event of a cyber war. The goal is to identify weaknesses and come up with solutions to a large scale network attack. I was bitching about this when I was a member of the IT-ISAC - no one was working on it at the time, and it was scaring the crap out of me. Apparently someone was listening!

I have no idea how the test is going to play out, but to anyone who is involved, let me reiterate this issue - the attacks often come from within. It’s not only outside threats we are going to have to contend with (and furthermore, once something is inside a network it’s hard to get out). The same goes for viruses, XSS worms, botnets, etc. You may be able to kill the command and control, but that relies on one critical assumption - that there is one. Anyway, I’ll be very interested to see the results of these tests if they are ever published.

Pharming Worms Are Real

Friday, January 19th, 2007

Am I going to have to eat my words? I was thumbing through some AV reports over the last few days and one report stuck out at me. Granted, I don’t follow each worm (not enough hours in the day for all the things I’d like to explore), but I was surprised to see a worm that had to do with pharming. For those of you who are unfamiliar with the term, unlike phishing, pharming takes a more proactive approach by forcing people’s DNS lookups to resolve to a different, malicious server. Frankly, I thought it was mostly the stuff of science fiction, since no one could point to a single instance of pharming that affected more than 100 people (a single ISP that got its DNS compromised). Granted, the write-up on the trojan doesn’t mention pharming, but that is the obvious next step if it isn’t already doing it (rather than just trying to get some click-through traffic on some websites).

Trojan.Flush.K, also known as Trojan.Dnschanger, changes the DNS server settings on your Windows box to point at servers the attacker controls, which then forward you to a malicious website. The obvious synergies with phishing attacks make this particular one stand out to me. Symantec rated this one very low (probably due both to the lack of virulence and the ease of cleaning the system), but it’s interesting to note how potentially dangerous this could be if it were more widespread and written with more malice.

The Small Business Primer on Network Security Threats

Wednesday, January 17th, 2007

I know I don’t often talk about network security (that’s really more id’s domain than mine anyway), but I got sent this link this morning that I thought I’d share. It’s the small business primer on network security threats: a pretty good high level overview of what you want to do as a small company to protect yourself from the more common security threats out there. There are a few things I’d probably have added if I had written it.

Anti-Spyware: spyware is really, really nasty. I don’t care what people say, it’s one of the nastiest things out there today. Not just because it can read what you are doing, but because with minor changes it can force your system to download viruses, keyloggers or whatever else the operators want. It’s nearly impossible to stop without a good anti-spyware program. People may confuse this with a trojan, but a trojan is something with an implicit back door. With spyware or adware, the operators can inadvertently land you on a site that makes them a few bucks while the server in question hands you something malicious. It’s not a trojan by design, but it can act as one.

Network segregation: id could probably go off on this one bullet alone, but by separating your networks (wireless separate from corporate, etc.) you hugely reduce the damage from having one machine compromised.

Local admin genie: Don’t let the local admin genie out of the bottle. If you give your users local admin rights, they will do way more with the computer than you would want them to. The second you give them the privileges to install anything, you have opened yourself up to attack. It’s hugely inconvenient for your users who want to install their favorite MMORPG on your work computers, but it’ll save you tons of hassles.

SSL/SSH/VPN: Encrypt your traffic. Even if someone can ARP spoof their way into the middle of a switched segment, they’ll be reading garbage. Don’t let them see your traffic. This is in response to their WiFi honeypot (I think they meant MITM bridge, but you get the idea).

Turn off all unneeded services: It’s a simple one, but this is one of the most important to corporate security. There’s no reason to keep FTP open if you have SSH - you can SCP things over SSH, so shut down that outdated, exploitable wu-ftpd service.

Email separation: Keep your work and your personal email separate. That way, if your users get an email from their bank at their work address, they’ll be more likely to know it’s fraud. Further, don’t click on links in emails - ever! That’s what we call bad. If you really want to cause a revolt, ban all access to freemail services, because really, what are you paying them for?

Backups: If you aren’t backing your data up, something as simple as a misplaced cup of coffee can bring your business to a halt. Network security involves good application security as well, and disaster recovery is a key component of that.

Anyway, I’m sure there are dozens of other simple things you can do, but that stuff will definitely help. Interesting read for the IT novices.

Surfing the Web Can Make You a Sex Offender

Sunday, January 14th, 2007

This is a really upsetting story about how a teenager was infected by a trojan, had his computer used as a fileserver for child pornography, and then faced an attempt to prosecute him as a sex offender. The sex offender charge came out of a plea after he admitted to showing other teenage boys a Playboy magazine. The circumstances are so ridiculous it’s just painful to read. The gist is the boy went to visit a porn site that infected his computer, and then the police detected the computer uploading child pornography.

I was asked, after being sent this, whether having a firewall and anti-virus is enough to protect your computer. Unfortunately the answer is no. Let’s think about session riding (cross-site request forgery) for a second. With a simple IMG tag it is trivial to make any user’s browser fetch content from any website that doesn’t protect itself. In this way a user can visit an otherwise benign site and be forced to download child pornography, perform attacks on servers, or do whatever else the attacker wants by proxy. Very scary.

Google Blacklist Breakdown

Thursday, January 4th, 2007

Michael Sutton has a good writeup on the Google blacklist that he released today. He sort of went over the obvious stats: who is getting phished the most, where the phishers are hosting, etc. So for the most part it wasn’t that interesting to me personally (but I’ve been in this business for years). However, one thing did make me think. Michael mentioned that the lack of sophistication points towards a lack of need for sophistication.

Like any stats person would do, I had to think about what that really means. Is it that they don’t require sophistication, or is it that they can’t achieve it? Who is building the phishing kits that they buy? Are these people the world’s best programmers? Are they going to build something that’s in vogue for a few days (a 0day browser exploit) only to have to re-code it a few days later when the patch rolls out?

Just like in any business, the name of the game is scalability. You have to build a scalable product as cheaply as possible. Just because x% of people have anti-phishing in their browser doesn’t mean you don’t put it up. That’s like saying if you’re McDonald’s you don’t want to stay in business because a certain slice of the population cares about early heart disease. Who cares? If it makes you money, that’s all that’s important. Sophistication is not a current requirement for their business model. The scary thing is that with technology that is years old they are only now encountering tools that even put a dent in their business model.

That lack of sophistication in our own tools to detect and take down phishing sites is the real issue here. We (browser companies, AV companies, ISPs) have not created enough damage to their business to force them to adopt next generation tactics. So although they may have the arms necessary to fight a nuclear war, they don’t have to, because we’re still fighting with bows and arrows. They haven’t even scratched the surface of technical sophistication in their phishing attacks. And who could blame them? There’s no cost incentive to do so. We haven’t created that incentive yet.

Semi Reflective XSS Worm hits Gaiaonline.com

Thursday, January 4th, 2007

I go to sleep for a few hours and I miss all the fun. Apparently Kyran wrote and turned on an XSS worm against Gaiaonline.com. In just 3-4 hours over 1500 people were infected with the benign worm. I chatted with Kyran about this, and although it used a persistent means to propagate, it was really a reflective payload. One could argue it’s completely persistent, but it’s interesting nonetheless.

Here’s the source to Gaiaworm.

Clearly these types of worms are becoming more commonplace as the propagation methods become more widely understood. Unfortunately most of these worms happen to look a lot like ordinary AJAX, so it’s difficult to write signatures for them. I’m surprised the anti-virus/anti-malware community hasn’t tried to solve this one yet. This is really their domain of expertise - self-replicating code.

99 Email Security Tips

Sunday, November 26th, 2006

I ran across this article today on 99 ways to secure your email. Largely it’s email etiquette and efficiency fluff; there are really only a small handful of actual ways to secure your email in it (numbers 78-99). There are a few tips that I’d tell people that are definitely not on their list. Here are a few from my personal list:

1) Turn off preview panes. When you click an email and it shows up in the preview pane, the client renders the remote images, and the click-tracking that spammers use to verify their email lists executes. That tells them a) that you are a real user and b) that you are a user who reads spam. Having your email open automatically also increases the likelihood of your email client being exploited automatically. None of those are good, so turn off the preview pane.

2) Don’t put email addresses or sensitive corporate information into out of office emails. If you are out of office, just tell them the name of who to contact. If they know anything about your company they’ll know how to get in touch with the front desk and use the person’s name to get in touch with them. A number of times people have set out of office messages with stuff like, “If you need information on super secret project X please contact….” Firstly, that’s bad if it’s someone who doesn’t really know you (sales people, etc.); secondly, if it contains email addresses, those too can be scraped by the spammers who watch the return addresses for bounces.

3) Use DomainKeys, SPF (Sender Policy Framework) records or other tools to reduce spoofing. If you want to let recipients verify that mail from any user on your domain really came from your domain, without causing them too much grief, install DomainKeys or publish SPF records to reduce the likelihood of people successfully spoofing your email. PGP signing is great, but it only works for the one person using it, unlike DomainKeys.

4) Contrary to what the article says, do NOT use Yahoo or Hotmail as methods to send anonymous emails. Both add headers that tell the recipient where you are connecting from. Use something like Hushmail instead.

5) Create custom email accounts for specific applications. I’ve seen a number of people who have begun building out vanity email addresses based on the specific site they are visiting, e.g. ha.ckers.org@mysite.com

6) Validate users who are allowed to send email to you. This is an ugly one, but by only allowing people you have authorized to email you, you can significantly reduce unsolicited email. You had better not use one of these accounts for anything you want to get electronic receipts for, but for personal accounts it’s a pretty decent solution.

7) Use a fake or modified name on each site you visit. If my name is “John Smith” I could use something like “John Petsmart Smith”, which will let me know that Petsmart has sold my email information when I get spam or phishing emails in the future.
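Tip 3 is the one on the list that is a protocol rather than a habit, so here is an added example (not code from the original post) of what a receiving mail server actually does with an SPF record: it walks the record left to right and the first mechanism matching the connecting IP decides the result. This evaluator handles only the mechanisms that need no DNS lookup (ip4 and all) and reports the others as unresolved; the records and addresses are constructed, and DomainKeys signing is not shown. The audit function at the end flags the record that many domains publish by mistake, "+all", which permits every host on the Internet to send as the domain.

```javascript
// Added example, not code from the original post: a minimal SPF (RFC 7208) evaluator for the
// mechanisms that need no DNS lookup (ip4 and all), plus an audit for the classic weak record.
// Records and addresses below are constructed; DomainKeys signing is not shown.

const QUALIFIERS = { '+': 'pass', '-': 'fail', '~': 'softfail', '?': 'neutral' };

function ipv4ToInt(ip) {
  const parts = ip.split('.').map(Number);
  if (parts.length !== 4 || parts.some(p => !Number.isInteger(p) || p < 0 || p > 255)) {
    throw new Error(`bad IPv4 address: ${ip}`);
  }
  return ((parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8) | parts[3]) >>> 0;
}

// Is ip inside the CIDR block? A bare address is treated as /32.
function inCidr(ip, cidr) {
  const [net, bitsStr] = cidr.split('/');
  const bits = bitsStr === undefined ? 32 : Number(bitsStr);
  if (!Number.isInteger(bits) || bits < 0 || bits > 32) throw new Error(`bad prefix length: ${cidr}`);
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((ipv4ToInt(ip) & mask) >>> 0) === ((ipv4ToInt(net) & mask) >>> 0);
}

// Walk the record left to right; the first mechanism that matches decides the result.
// Returns pass/fail/softfail/neutral, 'permerror' for a malformed record, or 'unresolved'
// when the decision would need a DNS lookup this offline evaluator does not perform.
function evaluateSpf(record, senderIp) {
  const terms = record.trim().split(/\s+/);
  if (terms.shift().toLowerCase() !== 'v=spf1') return 'permerror';
  for (const term of terms) {
    if (term.includes('=')) {                          // modifier, e.g. redirect= or exp=
      if (/^redirect=/i.test(term)) return 'unresolved';
      continue;
    }
    let qualifier = '+';                               // no qualifier means "+"
    let mech = term;
    if (QUALIFIERS[term[0]]) { qualifier = term[0]; mech = term.slice(1); }
    const colon = mech.indexOf(':');
    const name = (colon === -1 ? mech : mech.slice(0, colon)).split('/')[0].toLowerCase();
    const arg = colon === -1 ? null : mech.slice(colon + 1);
    switch (name) {
      case 'all':
        return QUALIFIERS[qualifier];
      case 'ip4':
        if (arg && inCidr(senderIp, arg)) return QUALIFIERS[qualifier];
        break;
      case 'ip6': case 'a': case 'mx': case 'ptr': case 'include': case 'exists':
        return 'unresolved';                           // needs DNS (or IPv6 parsing) to decide
      default:
        return 'permerror';                            // unknown mechanism
    }
  }
  return 'neutral';                                    // nothing matched and no "all" term
}

// Findings a domain owner would want about their own record.
function auditSpf(record) {
  const findings = [];
  const terms = record.trim().split(/\s+/).slice(1);
  const allTerm = terms.find(t => /^[+\-~?]?all$/i.test(t));
  if (!allTerm) {
    if (!terms.some(t => /^redirect=/i.test(t))) {
      findings.push('no "all" mechanism: unlisted hosts evaluate to neutral, which receivers rarely act on');
    }
  } else if (allTerm[0] === '+' || allTerm.toLowerCase() === 'all') {
    findings.push('"+all" lets every host on the Internet send as this domain; end the record with -all');
  } else if (allTerm[0] === '?') {
    findings.push('"?all" is neutral for everyone not listed, which gives receivers nothing to reject on');
  }
  return findings;
}

// Constructed record: two outbound mail sources, everything else hard-fails.
const EXAMPLE_RECORD = 'v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.17 -all';
```

Usage: `evaluateSpf(EXAMPLE_RECORD, '192.0.2.55')` returns `'pass'` and `evaluateSpf(EXAMPLE_RECORD, '203.0.113.9')` returns `'fail'`; `auditSpf('v=spf1 +all')` returns one finding. The two things to take away are that SPF only speaks to the envelope sender, so it does nothing for a forged display name, and that a record without a `-all` at the end has not actually forbidden anything.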

Anyway, there are dozens of ways to secure your email. I’m sure everyone can contribute to this list. It’s a huge topic that they really only scratched the surface of.

Grey Goo Attacks Second Life

Monday, November 20th, 2006

I know this isn’t 100% on topic, but I really get a kick out of viral issues in social networks. In this case there is a new virus that hit Second Life that auto-replicates a particular item all over the world. Second Life is an interactive game where users can create their own land, items, etc. for actual money. Sounds like trouble to me. Mixing personal interest with untested designs is often cause for exploitation.

In this case the virus, called Grey Goo (named after the theory that a molecular self-replicating machine could destroy the earth and turn it, essentially, into grey goo), ended up taking the game down for just a little while as they fixed the issue. A minor annoyance, some bad press and a few lost customers at worst. But think about how bad self-replicating code really is. There is no actual distinction between that and any genetic self-replicating organism.

The only major difference is that we are personally immune to the effects of the viruses (at least for the most part). It’s annoying, but we have out of band mechanisms for dealing with code. But think about a future where everything has an IP address. Something as simple as a flicker can cause epilepsy. A bug could drive your car off the road. A glitch could cause all the dams in the country to open up and flood the surrounding areas. Thankfully this grey goo scenario could be stopped by out of band mechanisms, but the more we automate systems in the physical world, the less easy it will become to be completely in control of the machines we build.

It’s awfully nice to have the big red panic button. Let’s just make sure we don’t automate that too.

AJAX Worm Demo Code

Sunday, October 29th, 2006

Today Anurag Agarwal posted a link to the WASC list that demonstrates a conceptual manual AJAX worm. Actually that’s sort of a misnomer, since this really is just using XMLHttpRequest and not XML, but you get the idea. The link is benign, but what it does show is a very slowed down and non-malicious version of a worm that propagates via XMLHttpRequest only (only on Anurag’s domain and only for the files he links to).

This is an interesting take on what we’ve been talking about. Of course it’s extremely slowed down, because it’s not meant to overtake anything, and it’s all manual (you can see that the URL field does not change). This is kind of interesting when you can’t XSS the page you’re interested in but you are able to XSS at least one page that a user will end up clicking on.

The conceptual Warhol worms that I’ve worked on really have very few user requirements, save that the user views a page that’s under the control of the worm and has the appropriate technologies installed. But breaking it down into its core components is definitely one step to understanding the most effective virulence methodologies. XMLHttpRequest is definitely a technology worth thinking about, especially combined with browser bugs like Internet Explorer’s mhtml: issue et al. Any way to move from one system to another makes such a worm far more potent.

Email Risks

Thursday, August 31st, 2006

There’s an interesting link over at Network Blog talking about a survey of a number of office workers who were completely unaware of the risks involved with email security. Namely, most of the users interviewed were happy to open any email they got and, even worse, click on links regardless of who sent it.

They then link to an article at Application Security Blog that discusses how webbugs work in the context of emails. Email clients are becoming more resistant to this trick nowadays because they ask whether users would like to download images. Of course there are ways to circumvent those security measures (consumers prefer convenience, and will turn almost any security measure off if they can, especially if they don’t understand how it’s protecting them).
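The "download images?" prompt and the preview-pane tip from the 99 Email Security Tips post above are two views of the same control, so here is an added example (not code from the original posts or from the linked article) of what sits behind that prompt: a filter that strips remote references out of an HTML message before it is rendered and reports what would have been fetched. Every remote URL in the list is a "this recipient opened it" signal to the sender; the 1x1, per-recipient-token variety is the webbug proper. The HTML, host names and tokens are constructed, and the filter is regex-based to stay dependency-free (a real client would do this on the parsed DOM).

```javascript
// Added example, not code from the original posts: the "block remote content" step a mail
// client applies before rendering, run over a constructed HTML email. Regex-based so it has
// no dependencies; the host names and tokens are made up.

const REMOTE_URL = /^(?:https?:)?\/\//i;

// A 1x1 or hidden image whose URL carries a per-recipient token is the classic webbug.
function looksLikeTracker(tag, url) {
  const tiny = /\b(?:width|height)\s*=\s*["']?[01](?:px)?(?=["'\s\/>])/i.test(tag)
            || /display\s*:\s*none/i.test(tag);
  const tokenised = /[?&][^=&]+=[A-Za-z0-9_-]{8,}/.test(url)
                 || /\/[A-Za-z0-9_-]{16,}\.(?:gif|png)(?:\?|$)/.test(url);
  return tiny || tokenised;
}

// Returns the rewritten HTML, the remote URLs that would have been fetched on open, and the
// subset that look like deliberate trackers. cid: (inline attachment) and data: URLs stay.
function blockRemoteContent(html) {
  const blocked = [];
  const trackers = [];

  // <img src=...> and background= on body/table/td
  let out = html.replace(/<(img|body|table|td)\b[^>]*>/gi, tag =>
    tag.replace(/\b(src|background)\s*=\s*(["']?)([^"'\s>]+)\2/gi, (attrMatch, attr, quote, url) => {
      if (!REMOTE_URL.test(url)) return attrMatch;
      blocked.push(url);
      if (/^<img/i.test(tag) && looksLikeTracker(tag, url)) trackers.push(url);
      return `${attr}="data:,"`;                         // empty data: URL fetches nothing
    }));

  // CSS backgrounds in style attributes or <style> blocks fetch on render too.
  out = out.replace(/url\(\s*(["']?)((?:https?:)?\/\/[^)"'\s]+)\1\s*\)/gi, (cssMatch, quote, url) => {
    blocked.push(url);
    return 'url("data:,")';
  });

  return { html: out, blocked, trackers };
}

// Constructed sample: a statement notice with a tracking pixel, a legitimate inline (cid:)
// logo, a real remote photo, a remote body background and a CSS-loaded pixel.
const SAMPLE_MAIL = `<html><body background="http://cdn.example.test/bg.jpg">
<p>Your statement is ready.</p>
<img src="https://track.example.test/o/aBcDeFgHiJkLmNoP.gif?u=9f8e7d6c5b4a3" width="1" height="1">
<img src="cid:logo@example" alt="logo">
<img src="http://images.example.test/photo.jpg" width="300">
<div style="background-image:url('https://track.example.test/px?id=ZyXwVuTs')"></div>
</body></html>`;

function demo() {
  return blockRemoteContent(SAMPLE_MAIL);
}
```

On the sample, `demo()` blocks four remote fetches and flags the one tagged image as a tracker; the inline `cid:` logo is untouched. The CSS pixel is blocked but not flagged, which is the honest limitation of a heuristic: anything remote is a beacon whether or not it matches the 1x1 pattern, which is why clients block everything first and ask second.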

As we’ve seen, malware is pretty prevalent these days (at least 1/10th of the spam I get has .zip, .scr or other horrible attachments). Of course this goes beyond the realm of Outlook, Lotus and Thunderbird to the realm of Yahoo Mail, Hotmail and Gmail. Scanning attachments for viruses is one free service that a lot of these webmail clients offer, but it certainly doesn’t offer security against zero-day exploits, so one-off targeted attacks will always be possible. And of course there are phishing aspects, or simply links that lead to malicious websites with all sorts of consequences (like the unsubscribe link and the JavaScript port scanner).

Email is a pretty scary medium these days. Part of the problem is that email clients and web browsers are becoming more full featured as user demands for functionality rise. These issues are only partially under control at the moment, but the interaction between software is becoming more and more complex, and it is only opening more vectors as a result. The fact that email can call the web is an issue, but there are tons of other applications that are starting to do the same (even things as obscure as online games). It will be interesting to watch these vectors morph as user interest in the mediums shifts. Instant messaging is a great example, as it gradually overtakes email in popularity and becomes more and more feature rich.