Archive for the ‘Security Industry’ Category

Prevalence of Botnets and Their Zombies Encourages Spam

July 27, 2009

By: Tim Cronin

Dark Reading published an article titled “Booming Underground Economy Makes Spam A Hot Commodity, Expert Says” regarding the ease of using botnets for spam activity and how this makes spamming profitable.  Some of the more startling statistics show that “For about $10, [a spammer] can send a million emails”.  Even if 2 people order a product that they are selling for $10, that’s a 100% profit over the cost of the use of the botnet.  Assuming the actual production of the product is cheap enough, that’s a good margin.

How are botnets so inexpensive, though?  And why are there so many available?  If you look at Commtouch’s Malware Outbreak Center you will notice that the vast majority of detected malware seems to be botnet downloaders.  Gone are the times when malware consisted of cute “look what I can do” code; we are now in the time of real revenue-generating malware.  All a botnet “commander” needs to do is create the code, send it out and let it propagate through the Internet.  Eventually, there will be enough zombie hosts to really make money.

The strategies in use now should provide a good-enough deterrent to spammers, but there are simply not enough people using current protections.  As long as host-based malware detection and network-based protections such as IDS/IPS, malware scanning and firewalling are in use, the number of zombies on the Internet will be reduced enough that spamming will not be profitable.  Then we can look at our inboxes with confidence.  We haven’t reached that point yet, because there simply aren’t enough people using adequate controls on network traffic.  According to Commtouch again, zombies are not as common in the Western world as in developing nations.  Unfortunately for the Western world, we feel the effects of others’ lack of controls.

Judging from all of this information, all the world needs to do in order to stop spam is make sure we are using currently available controls for our networks.  This will make spamming unprofitable and make spammers use their tricks for other means.  Until that day, the back-and-forth between spam and anti-spam will continue.

A Conversation on “Health Information Technology”

July 20, 2009

By: Tim Cronin

On Sunday, the Boston Globe printed a portion of a letter to the editor I sent in regards to one of the paper’s articles. The opinion discussed the mandating of electronic health records and the importance of security for such records. Below is the complete letter.

——————————————————————————————————–

One of the hot-button issues facing the country today is healthcare reform.  President Obama has identified widespread electronic medical records as a major benchmark towards achieving the goal of affordable health coverage for all.  Scott Kirsner did an excellent job describing some of the technologies Massachusetts companies are creating that will make universal electronic health records possible in his article State helping to shape US efforts to digitize health records for all. The article neglected to examine the network security concerns of such a system.

One may say “Moving medical records online will mean less privacy for everybody.” In reality less privacy is not an issue if proper security is in place. Therefore, moving medical records to electronic storage will increase the need to secure networks.  The truth is that records are no less secure when stored electronically, as long as the network is secure.  In fact, there are gains in privacy. The biggest risk involved is that making all records electronic does allow a person to attempt to gather information remotely by compromising a network. As long as medical facilities deploy network security technologies and maintain them, this should not be a widespread problem. With paper records, someone who wanted to steal medical information can be successful, but would need to get a hold of a physical copy of the record.  This means that an attacker would need to take a risk and go to the location of the records storage.  Paper records also pose a risk to patient privacy as medical staff bring records home with them so they can work outside of the hospital. Recently, an employee at a Boston hospital accidentally left records on the “T”. If the records were accessible electronically through a secure network connection, this wouldn’t have happened.

Electronic medical record keeping also provides for a more secure data backup process. Hospitals using electronic records will need redundant hard drives, servers, data storage and other important infrastructure to ensure medical information is never lost. With all those backups, many fear that it will be easier to gain unauthorized access to patient information. In actuality, the electronic backups will be easier to secure than the current system of paper charts. Currently paper records are sent to storage vendors and the vendor’s employees have access to the information in clear text. The best security that you can provide without destroying the information is to send the charts in a locked receptacle.  In an electronic system, data can be encrypted and stored at vendors’ facilities without fear that the vendor will be able to read the data.  This adds to the locked receptacle, because you can lock storage medium in a case, then if that case is compromised, you also have the data in an illegible form.  You can also deploy hashing functions to ensure that no data is tampered with.

To address one of the biggest fears, properly deployed medical networks will not send information in a manner that is easy for someone to simply capture.  With electronic medical records, you will need to make sure that there is no path for the records to be sent over the open Internet. Instead records should be sent over secured VPN networks specifically designed to protect this information.  Nobody should have access to the network that does not need access.  Congress has already acted to ensure that this guideline is followed, through the HIPAA and HITECH acts.  However, these acts stop short of dictating the security standards and focus on the penalty for if a record is compromised. Creating an electronic medical records system will benefit the healthcare system in America in many ways, including increasing the security of medical records. However, if the country is to move towards mandating electronic medical records, then Congress should create additional acts creating security standards.

Google Chrome OS and Some Words On Hype

July 9, 2009

By: Tim Cronin

THE HYPE

With the announcement of the upcoming Google Chrome OS, Google is adding some hype to the mix.  Google is boldly stating that they are “going back to the basics and completely redesigning the underlying security architecture of the OS so that users don’t have to deal with viruses, malware and security updates. It should just work.”  That is a very lofty goal and a loaded statement.

In reality, Google is not too off base here.  What it seems they are going to do is make a very small OS.  The OS will really only be responsible for basic input and output and run a browser.  This means that all of the security holes that go along with the “extras” of modern operating systems will not be a factor.  This will have an impact on malware.  It means that there won’t be any holes in code that doesn’t exist.  This will dramatically reduce the security footprint of the operating system.  This is true.

Generally speaking, when you develop something, it will have errors.  The errors can be limited and if there are any vulnerabilities, they can be mitigated.  However, if you develop software that is used to interact with other people’s projects, then the security is only as good as the weakest link.  In Google’s case, they may be developing a light-weight, hardened OS that only runs a browser (for use with Google docs and other web-based applications), but if you use the browser to view a page that is vulnerable then you are still just as insecure.

THE REAL DEAL 

Here is a prediction.  Google Chrome OS will set out to revolutionize the OS world.  They will be successful overall in producing a shift in concepts, but not in the ways they intend on security.  There will be exploits that take advantage of the basic input and output.  Not only that, but there will be exploits that take advantage of cross-site malware, session hijacking and other browser-only tricks.  For instance, Google intends that for productivity you will be using Google Docs.  What would happen if you browse a site that has a cross-site exploit that steals your Google Docs?  That’s just one thought. 

I also predict that there will be security updates.  Any operating system has the distinct responsibility to be in charge of any input and output of the entire system.  Anything that can subvert this is malware and must be dealt with.  Any OS is vulnerable just by the nature of being an OS.  The advantage to Google’s approach is that any holes will be found quickly as there will be a much smaller footprint.  Also, you will still need to install some third party drivers and such for input and output.  Vulnerabilities can quickly show up here (and although Google can’t be held responsible, neither can Microsoft and we all know how we act when something *seems* to be Microsoft’s bug). 

IF THE HYPE IS RIGHT

If Google is fully successful in securing their code and making an OS that depends on software that exists over a network then this means that Internet security will inherently be much more important.  IPS offerings will be in charge of securing your documents rather than client-based AV protection.  Security will shift along with the new thoughts on OS technology and application flow.  This is an announcement that should live up to the hype, either way.

As Slowloris HTTP DoS Rises Astaro is Ready

June 26, 2009

By: Angelo Comazzetto

Recently the Slowloris Denial of Service attack has jumped in popularity. This attack is similar to a SYN flood, but uses HTTP instead, consuming sockets on the Web Server rather than trying to saturate all the bandwidth. This is an interesting attack, particularly because it does not require a lot of bandwidth on the attacker’s side. It is possible to DoS even large sites using a common residential Internet connection: Slowloris eats up the Web Server’s ability to respond to other HTTP requests by sending partial requests itself and thus holding the sockets open. You can read more about this DoS technique here.

While the approach is not new, the working implementation of it “for the masses” is starting to appear more commonly.

As we have already received dozens of queries about how to stop this attack, we’d like to inform you that Astaro installations with current/updated Intrusion Protection Patterns will be protected against this, so neither admins nor their Web Servers need to fear. The ID for this new rule is #1000023, and is located in the HTTP Servers Group under the Apache category.
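
To make the socket-holding behaviour described above concrete from the defender's side, here is an added example (not Astaro's rule #1000023 and not code from the original post) that flags clients holding many connections whose HTTP headers never complete. The deadline, the per-client limit, the `Conn` record and the sample connection table are all assumptions constructed for illustration.

```python
from collections import Counter
from dataclasses import dataclass

HEADER_END = b"\r\n\r\n"     # blank line that terminates HTTP request headers
HEADER_DEADLINE_S = 10.0     # assumed: time allowed to deliver complete headers
MAX_STALLED_PER_CLIENT = 5   # assumed: stalled sockets tolerated per client IP

@dataclass
class Conn:
    client: str       # remote IP address
    age_s: float      # seconds since the server accepted the socket
    buffered: bytes   # bytes received so far (first request only, no keep-alive)

def is_stalled(conn: Conn) -> bool:
    """True if the headers are still incomplete after the deadline."""
    return HEADER_END not in conn.buffered and conn.age_s > HEADER_DEADLINE_S

def suspects(conns):
    """Return {client: stalled_count} for clients above the per-client limit."""
    stalled = Counter(c.client for c in conns if is_stalled(c))
    return {ip: n for ip, n in stalled.items() if n > MAX_STALLED_PER_CLIENT}

def sample_table():
    """Constructed snapshot of a server's open connections."""
    partial = b"GET / HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: demo\r\n"
    complete = b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
    conns = [Conn("192.0.2.10", 120.0 + i, partial) for i in range(8)]
    conns += [
        Conn("198.51.100.7", 0.4, complete),  # normal request
        Conn("198.51.100.7", 2.0, partial),   # slow, but within the deadline
        Conn("203.0.113.5", 45.0, partial),   # a single stalled socket: tolerated
    ]
    return conns

if __name__ == "__main__":
    for ip, n in suspects(sample_table()).items():
        print(f"{ip}: {n} sockets stalled mid-header")
```

The same two thresholds work as a mitigation as well as a detection: closing any socket that misses the header deadline, and capping concurrent connections per client, frees the sockets this technique depends on.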

Microsoft’s DirectAccess: Reinventing VPN

June 8, 2009

By: Tim Cronin

As we know, Virtual Private Networking (VPN) is a technology that allows remote systems to connect to a local system in a secure manner.  This is what Microsoft’s DirectAccess is setting out to do as well.  Microsoft is marketing the new remote access tool as somewhat of a revolution, claiming that you can throw the VPN out with the bathwater.  This is not necessarily the case, but DirectAccess may still herald a new generation of VPN technologies.

WHAT IS DirectAccess

DirectAccess is a technology that allows Vista, Server 2008 and Windows 7 to connect with the office LAN seamlessly, without having to log into any clients.  DirectAccess is also being used to manage remote PCs without the PCs needing a logged-in user (for instance, you can push a new update to an idle PC).  This technology comes at a time when there are a multitude of remote technologies to choose from, so Microsoft is distinguishing itself by saying that DirectAccess is basically a hands-off technology.  The user doesn’t need to do anything except get a network connection and log into the machine as normal – the OS takes care of the rest.

HOW IT WORKS

Despite Microsoft’s marketing, DirectAccess is a VPN technology with new functionality.  For those familiar with configuring VPNs, DirectAccess uses IPSec to tunnel the remote system to a DirectAccess server.  The DirectAccess server then authenticates the system and, if configured, authenticates the user.  Both of these steps rely on certificates (and the option of smart cards for multi-factor authentication for the user).  From here, there are differences in topology and design from which you can choose.  You can use “End to End” (security to the application server) or “End to Edge” (security to the perimeter, then letting unsecured traffic on the LAN). 

One key piece of information that must be taken into account: DirectAccess uses IPv6 as the preferred protocol.  You can use IPv4, but there will be extra steps that you may need to take.  There are several more key points to the connection for which I will refer you to Microsoft’s documentation at http://www.Microsoft.com/servers/directaccess.mspx.   

SECURITY CONCERNS

Microsoft has taken steps to make sure that security of this technology is the focus and seems to have been successful.  When this technology is configured properly and used properly, I can see a step forward with this technology.  That being said, DirectAccess does assume some things.  The most glaring is that user authentication is not required. If a user’s laptop is stolen and not reported in time, then it is conceivable that an attacker would have access to your internal network.  Although they may not be able to log into the domain, there is still an IPSec connection between the attacker and the LAN.  This will make the use of full disk encryption even more necessary.  Also, the fact that there are so many technologies involved in order to get a connection is a concern.  If any one of them has a vulnerability it can be a problem, to say the least.

END OF THE VPN?

All in all, I don’t think DirectAccess will herald the end of the VPN.  I think that there may be some changes, but VPN is here to stay for the moment.  The public information on DirectAccess is still a bit hazy on site-to-site connections (in fact, I am not sure it’s possible).  For this reason VPNs are still going to be in use.  Also, remote access VPN technologies, as they exist today, will adapt to new market requirements.  I foresee the major VPN vendors keeping pace with Microsoft.

Advice for the Cyber Czar

May 28, 2009

By: Angelo Comazzetto

Yesterday, the Washington Post reported that President Obama is preparing to announce the appointment of a national “‘cyber czar,’ a senior White House official who will have broad authority to develop strategy to protect the nation’s government-run and private computer networks”, and that this announcement will coincide with the release of the government’s cyber-security initiatives and policies. (Article here).

While I am not holding my breath waiting for a call from the White House, I do have some advice for the new cyber czar.

First of all, it is going to be important for you to be transparent and to quell fears that this is the first step towards an Orwellian world. Let people know you do not plan on being “big brother” and that you in no way plan to censor or shut down the Internet. This might sound silly, but there are some that see the creation of a cyber czar and the potential passing of the CyberSecurity Act of 2009 as a step towards a government-run web.

Second, take a good hard look at our infrastructure and figure out just how much of it is dependent on the web.  Then determine which networks are the most vulnerable and most likely to be attacked. Are we really worried about our cable stations being hacked by foreign countries? It wouldn’t be good, but I think having a virus in our electric grid would be worse.  However, let’s stop talking and creating reports about how important this role is and why. We all know what’s at stake – it’s time to take some action.

Which brings me to my third and final piece of advice: We should focus on ways to prevent attacks from succeeding, rather than standards for what to do if we are attacked via the Internet. I realize we need to have a system in place for IF our networks are penetrated, but just like businesses, we should focus on keeping viruses, and malicious code out of our critical infrastructure networks, rather than fixing the mess once we know it is there. This will save our country time, money and possibly even lives.

I will continue blogging about the creation of the cyber czar and what the government is doing to protect critical infrastructure’s networks, so check back often.