
ICG Risk Blog - [ Cybersecurity Public ]

Detecting a stealth directed bot net attack


In response to Directed bot nets, a private member asked, "Is there a way to figure out what 'problem' one might have already? Are Macs as vulnerable as PCs?"

Readers are welcome to weigh in with their own comments, as my reply is that it is not easy: my safety checking has an active component, because a bot net product may not be producing any failure signature on your machine.

First and foremost, have a good virus scanner and keep it current by downloading/checking for updates daily. (Our service sends us notices and when we start getting them during the day, we immediately upgrade.) Many known attacks will compromise a machine such that other malware can climb atop it.

Second, have firewalls in place even for a lone PC. (If you have a DSL or cable modem "always on" connection, it is criminal not to have one, as your dedicated IP address gets swept and you become a known target. Sometimes -- as with Roadrunner, which may dynamically allocate an IP address within its domain -- attackers will sweep the whole domain looking for live targets.) We use hardware firewalls, which are much more resistant to being compromised or disabled by an attack. You can also add a personal software firewall such as the free version of ZoneAlarm, which will more readily alert you to outbound traffic requests that might give away a resident bot net. We shut down most ports as a matter of course.

Beyond that, I check the SANS Institute Internet Storm Center which opens with a 'Handlers Diary' of what is going on in the world in terms of network threats. As an obsolescing techie, I am not unfamiliar with ports (think of them as windows into your operating system) so that when ISC talks of ports, sources, targets, trends, and services, I can read the map. Some simple definitions from their pages:

  • Port: The port targeted
  • Source: distinct source IP scanning for a given port -- these are the attackers
  • Target: distinct IP targeted by these sources -- these are just as stated -- targets
  • Service: service(s) commonly used on this port -- for our purposes, the attacking apps

ISC adds millions of records daily and their reports can be set to flag trends, i.e., new sources, targets, and services that warrant more investigation.
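To make the four definitions above concrete, here is an added example (my own code, not anything from ISC) that builds the same kind of per-port report from constructed scan records and flags the trends the post mentions: ports that are new today or whose distinct-source count has jumped. The record layout, the service-name mapping and the 1.5x growth threshold are assumptions.

```python
"""ISC-style port report over constructed scan records (added example)."""
from collections import defaultdict

# Constructed sample records: (day, source_ip, target_ip, port).  Not real ISC data.
RECORDS = [
    ("day1", "198.51.100.7", "192.0.2.10", 445),
    ("day1", "198.51.100.7", "192.0.2.11", 445),
    ("day1", "198.51.100.8", "192.0.2.10", 445),
    ("day1", "203.0.113.5", "192.0.2.20", 135),
    ("day2", "198.51.100.7", "192.0.2.10", 445),
    ("day2", "198.51.100.8", "192.0.2.11", 445),
    ("day2", "198.51.100.9", "192.0.2.12", 445),
    ("day2", "198.51.100.10", "192.0.2.13", 445),
    ("day2", "203.0.113.5", "192.0.2.20", 135),
    ("day2", "203.0.113.6", "192.0.2.21", 1025),
]

# Service commonly found on each sample port (assumed mapping, not ISC's table).
SERVICES = {445: "microsoft-ds", 135: "epmap"}


def port_report(records, day):
    """Per-port distinct Sources and Targets for one day, as the post defines them."""
    sources, targets = defaultdict(set), defaultdict(set)
    for d, src, dst, port in records:
        if d == day:
            sources[port].add(src)   # Source: distinct IP scanning for this port
            targets[port].add(dst)   # Target: distinct IP hit by those sources
    return {
        p: {"sources": len(sources[p]), "targets": len(targets[p]),
            "service": SERVICES.get(p, "unknown")}
        for p in sources
    }


def top_ports(report, n=10):
    """Top-N ports by number of distinct attacking sources (the 'Top 10' view)."""
    return sorted(report, key=lambda p: (-report[p]["sources"], p))[:n]


def trends(records, prev_day, cur_day, growth=1.5):
    """Flag ports that are new today or whose source count grew by `growth`x or more."""
    prev, cur = port_report(records, prev_day), port_report(records, cur_day)
    flagged = {}
    for port, stats in cur.items():
        before = prev.get(port, {}).get("sources", 0)
        if before == 0:
            flagged[port] = "new"          # never seen yesterday: warrants a look
        elif stats["sources"] >= growth * before:
            flagged[port] = "rising"       # same port, sharply more scanners
    return flagged


if __name__ == "__main__":
    today = port_report(RECORDS, "day2")
    for p in top_ports(today):
        print(p, today[p])
    print("trends:", trends(RECORDS, "day1", "day2"))
```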

If this is not daunting for you, then what I look at are Today's Diary, Daily Archive (to the right of Today's Diary), Top 10, and Trends. ISC has all manner of reports with which you look at activity on a specific port, etc., but that gets beyond my attention span and skill level to do something meaningful with it.

If a reader has a better approach for trying to spot an emerging bot attack, I am all ears.

FYI, while I love the CAIDA site (Cooperative Association for Internet Data Analysis), my primary use for this site is as an encyclopedia of the Web's topology. The paths that interest me are Analysis and Tools (mainly Taxonomy and Visualization). Under the spell of many of the fine visualization tools, the web takes on the aura of the living three-dimensional animal that it is.

P.S. To the reader's last question, there are relatively few Mac attacks in comparison to Wintel or Linux/Unix.

Gordon Housworth



Cybersecurity Public  InfoT Public  


Sasser's primary infection to home and student PCs


Home users and students represent as much as 80 percent of Sasser worm infections, thus Sasser will persist, as these users "don't generally know what to do" to remove the worm. (Remember the difference between virus and worm: a virus requires Homo Boobus to do something such as opening an email, whereas a worm probes for vulnerable systems and installs itself.)

That would indicate that there is fertile ground for the much more dangerous Gaobot/Agobot worm. I do wonder whether a new worm will have to carry a Sasser-scrubber to overcome the frequent rebooting that Sasser brings, but perhaps not; and of course, if a user scrubs Sasser without patching the OS, they remain vulnerable to the next worm.

To my point: I wonder when ISPs will begin to make good on their threats to disconnect unpatched or repeat offenders from their network. Yes, users will feel distress and will forget that it was their error that put them in the lurch, but something has to be done to remove this reservoir of willing hosts.

As the backlash will inevitably turn back to the majority Wintel OS provider, I can only assume that this will add further incentive to MS to produce more 'trustworthy' releases sooner and to overhaul its cumbersome patch procedure. (I still maintain that MS can defeat many of its putative rivals by producing a secure OS.)

Yes, security is a 24x7 job, but unless it is easy to enforce, even the most diligent will start to slack, and buy someone else's product even if, like Linux or Unix, it actually has more faults than Microsoft's.

Sasser keeps squirming into homes, businesses
By Robert Lemos
Staff Writer, CNET News.com
Story last modified May 4, 2004, 2:01 PM PDT


Gordon Housworth



Cybersecurity Public  InfoT Public  


Watching the other end of the barn -- outgoing email


With all the incoming threats, it is easy to overlook dangers in a firm's outgoing mail -- intentional or inadvertent revealing of trade secrets, financial data or confidential client information to unauthorized individuals. The Gramm-Leach-Bliley Act, which placed strictures on release of sensitive information by financial companies, is now matched by the Health Insurance Portability and Accountability Act (HIPAA) for health-care firms, while Sarbanes-Oxley mandated that firms prevent unauthorized disclosure of any "material information."

Firms can trap or flag prohibited spam forwarding, inadvertent virus transmissions, and the results of key word/phrase/marker searches. False positives are an issue, although they can be ameliorated by flagging for review rather than trapping, and by adjusting the search/filter criteria.
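As an added illustration (my own code, not any vendor's product) of the flag-versus-trap distinction, here is a small outbound filter that scores a message on marker phrases and patterns, ignores purely internal mail, and returns "flag" for review below a blocking threshold and "trap" at or above it. The internal domain, markers, patterns, thresholds and the three sample messages are all constructed.

```python
"""Outbound mail filter with 'flag for review' vs 'trap' outcomes (added example)."""
import re
from email import message_from_string

# Constructed policy.  Thresholds and criteria are the knobs one adjusts
# when false positives pile up: raise TRAP_AT to review rather than block.
INTERNAL_DOMAINS = {"example.com"}          # assumed: the firm's own domain
MARKERS = {                                 # phrase -> score
    "confidential": 2,
    "internal use only": 3,
    "trade secret": 3,
}
PATTERNS = {                                # name -> (regex, score); crude on purpose
    "ssn": (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), 4),
    "account number": (re.compile(r"\bacct(?:ount)?\s*#?\s*\d{8,}\b", re.I), 3),
}
FLAG_AT, TRAP_AT = 2, 5                     # review at FLAG_AT, block at TRAP_AT


def external_recipients(msg):
    """Recipients outside INTERNAL_DOMAINS; the policy only applies to those."""
    addrs = []
    for hdr in ("To", "Cc", "Bcc"):
        for addr in (msg.get(hdr) or "").split(","):
            addr = addr.strip().lower()
            if addr and addr.rsplit("@", 1)[-1] not in INTERNAL_DOMAINS:
                addrs.append(addr)
    return addrs


def body_text(msg):
    """Plain-text body (all text/plain parts when multipart)."""
    if msg.is_multipart():
        return "\n".join(p.get_payload() for p in msg.walk()
                         if p.get_content_type() == "text/plain")
    return msg.get_payload()


def classify(raw):
    """Return (verdict, score, hits) where verdict is 'pass', 'flag' or 'trap'."""
    msg = message_from_string(raw)
    if not external_recipients(msg):
        return "pass", 0, []                # internal mail: nothing leaves the firm
    text = (msg.get("Subject", "") + "\n" + body_text(msg)).lower()
    score, hits = 0, []
    for phrase, pts in MARKERS.items():
        if phrase in text:
            score += pts
            hits.append(phrase)
    for name, (rx, pts) in PATTERNS.items():
        n = len(rx.findall(text))
        if n:
            score += pts * n
            hits.append(f"{name} x{n}")
    if score >= TRAP_AT:
        return "trap", score, hits          # held: needs explicit release
    if score >= FLAG_AT:
        return "flag", score, hits          # delivered, but copied for review
    return "pass", score, hits


# Constructed sample messages for the three outcomes.
SAMPLES = {
    "internal": "From: a@example.com\nTo: b@example.com\nSubject: Confidential draft\n\nTrade secret stuff\n",
    "review": "From: a@example.com\nTo: partner@example.net\nSubject: Q2 numbers\n\nConfidential - do not forward.\n",
    "blocked": "From: a@example.com\nTo: x@example.org\nSubject: client file\n\nSSN 123-45-6789, internal use only\n",
}
```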

Expect a modest growth business in outbound filtering. I suspect that it will be expanded or merged with CRM tools as a means of managing a firm's interaction with the external world.

The Dangers in Outbound E-Mail
By MICHAEL TOTTY
Staff Reporter of THE WALL STREET JOURNAL
April 26, 2004; Page R6

Gordon Housworth



Cybersecurity Public  InfoT Public  


Directed bot nets: Script to virus to bot to worm


Continuing our theme of attacking the critical path, remote attack tools, called bot software, infect PCs without disabling them so that their users are not alerted while the bots work in background. These bots are already among us, numbering from the hundreds of thousands to millions. One of the newest variants has incorporated open source code to breach virtually every vulnerability on "almost every Windows system sold in the past five years."

These bots can be joined with worms and viruses to create hybrids in which worms are launched from a cooperating bot net. The use of a directed bot net allows the perps to conserve bandwidth in their attack and so avoid much of the system noise that a conventional worm attack would generate.

Once the bot net has pre-seeded the desired number of machines, the perps can launch a variety of attacks, from an active DDoS to a passive computational attack in which the slaved PCs are used as a distributed supercomputer for decryption and password cracking. Spammers are also using bot nets to send bulk mailings that mask the sender's address. In all cases the evolutionary process seems to be script to virus to bot to worm.

We have no real idea how many of these bots and bot nets are now in the wild -- sleepers if you will. As a comparison, Microsoft noted that its update system had patched 9.5 million PCs, vastly exceeding the estimates of the antivirus entities that track such things. A new variant of Agobot may soon show us as it uses a specific port to attack vulnerable systems, and traffic on that port was rising at the end of the week.

Given that these bots are already in place and have a 'Swiss army knife' capability of attack vectors, and, I would surmise, an ability to distribute new exploits as they are disclosed and developed, the bot net owners will be working inside our ability to respond with a proper patch. Every machine should, of course, keep all critical patches current, make more frequent backups, and have network administrators and/or your firewall check for suspicious outbound traffic.
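The outbound-traffic check recommended here, and in "Detecting a stealth directed bot net attack" above, can be done with nothing more than the firewall's egress log. The following is an added example of my own (not from any firewall vendor or from the article) that runs two checks over constructed log lines: attempts to ports an egress allowlist does not permit, which is what "shut down most ports" buys you, and one port hit on many distinct hosts, the footprint of a bot scanning for neighbours to seed. The log format, allowlist and fan-out threshold are assumptions.

```python
"""Outbound-traffic check for bot net giveaways (added example, constructed logs)."""
import re
from collections import defaultdict

# Constructed firewall egress log lines; the format is assumed, not any vendor's.
LOG_LINES = """\
2004-05-01 09:00:01 OUT src=10.0.0.5 dst=203.0.113.9 dport=80 proto=tcp
2004-05-01 09:00:02 OUT src=10.0.0.5 dst=203.0.113.10 dport=443 proto=tcp
2004-05-01 09:00:03 OUT src=10.0.0.5 dst=203.0.113.11 dport=443 proto=tcp
2004-05-01 09:00:04 OUT src=10.0.0.7 dst=198.51.100.2 dport=6667 proto=tcp
2004-05-01 09:00:05 OUT src=10.0.0.7 dst=192.0.2.1 dport=445 proto=tcp
2004-05-01 09:00:06 OUT src=10.0.0.7 dst=192.0.2.2 dport=445 proto=tcp
2004-05-01 09:00:07 OUT src=10.0.0.7 dst=192.0.2.3 dport=445 proto=tcp
2004-05-01 09:00:08 OUT src=10.0.0.7 dst=192.0.2.4 dport=445 proto=tcp
2004-05-01 09:00:09 OUT src=10.0.0.7 dst=192.0.2.5 dport=445 proto=tcp
2004-05-01 09:00:10 OUT src=10.0.0.8 dst=203.0.113.9 dport=80 proto=tcp
malformed line that the parser must skip
""".splitlines()

LINE_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+) proto=(\w+)")

# Egress allowlist in the spirit of "shut down most ports as a matter of course":
# web, mail via the firm's relay, and DNS.  Assumed policy, adjust to taste.
ALLOWED_PORTS = {80, 443, 25, 53}


def parse(lines):
    """Yield (src, dst, dport) for lines that match; anything else is skipped."""
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            yield m.group(1), m.group(2), int(m.group(3))


def check_egress(lines, allowed=ALLOWED_PORTS, fan_out=5):
    """Return {src: [reasons]} for hosts whose outbound traffic warrants a look.

    Two giveaways: attempts to ports the policy does not allow (a resident bot
    phoning home), and one port hit on `fan_out` or more distinct hosts
    (scanning for vulnerable neighbours, the worm-from-bot hybrid above).
    """
    disallowed = defaultdict(set)                   # src -> {dport}
    peers = defaultdict(lambda: defaultdict(set))   # src -> dport -> {dst}
    for src, dst, dport in parse(lines):
        if dport not in allowed:
            disallowed[src].add(dport)
        peers[src][dport].add(dst)
    findings = defaultdict(list)
    for src, ports in disallowed.items():
        for p in sorted(ports):
            findings[src].append(f"outbound to disallowed port {p}")
    for src, by_port in peers.items():
        for p, dsts in sorted(by_port.items()):
            if len(dsts) >= fan_out:
                findings[src].append(f"port {p} to {len(dsts)} distinct hosts")
    return dict(findings)


if __name__ == "__main__":
    for host, reasons in check_egress(LOG_LINES).items():
        print(host, "->", "; ".join(reasons))
```

A normal web-browsing host will eventually exceed the fan-out threshold on port 80 or 443, so in practice `fan_out` is tuned per site or the fan-out rule is limited to a time window.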

Alarm growing over bot software
By Robert Lemos
CNET News.com
April 30, 2004, 9:16 AM PT


Gordon Housworth



Cybersecurity Public  InfoT Public  


VoIP telephony as susceptible to hacking as pure data networks


Attacks: DDoS (distributed denial-of-service attack), packet reconstruction, and OS attacks from within and without the company.

The only difference is that VoIP hacks are presently few in number but that will change dramatically as the technology builds a critical mass in terms of installed base or critical path users.

The critical first step is to separate voice and data networks with virtual local-area networks (VLANs) to prevent a DDoS attack against your corporate data website from taking down your VoIP network, or vice versa. Reduced costs will not justify the loss of both voice and data should your business's sole connection to the Internet go down.

Then comes encryption (you were going to do that, correct?), switches over hubs, hardwired over software-based phone solutions (much more resistant to hacks), protocol-specific IT expertise, and then the many standard needs of physical access control, firewalls, proxies, antiviral, and backups.

There are solutions but they are not as cheap as a phone line for small(er) businesses if these security needs are factored in. Without the security handling, VoIP is a sitting duck for the taking.

How your phone could be hacked
By Robert Vamosi: Senior Associate Editor, Reviews
Friday, April 23, 2004

Gordon Housworth



Cybersecurity Public  InfoT Public  


Glacial yet essential improvements in software security and assurance


While "Security holes force firms to rethink coding processes" was peripherally cited in "Risk amelioration for software creation, subversion, and diversion," it deserves independent mention. Likewise the authors of the EE Times article, "Linux: unfit for national security?" deserve mention to add gravitas to their comments:

  • Eugene Spafford, Purdue University, and executive director of the Center for Education and Research in Information Assurance and Security
  • Cynthia Irvine, Naval Postgraduate School, Monterey, professor of computer science and an expert on information warfare

Spafford responded as a SANS guest editor to a dissent:

"Security is more than the apparent lack of obvious buffer overflows or the ease with which an experienced programmer can apply a patch. It includes fundamental issues of design, including (for instance) separation of privilege, user interfaces, minimalism of function, fail-safe defaults, and freedom from deadlock. Large, complex systems written for general environments are not designed to these principles. Furthermore, the majority of those systems have been developed and maintained by personnel whose skills, motives, and loyalties are not necessarily known. As such, these systems should not be used in mission-critical systems, sensitive embedded applications, or systems with high assurance needs. Those people arguing the dogma of 'Linux is better' or 'Windows is better' are missing the point -- both are inadequate for these needs. Unfortunately, we have too many people making decisions about security and high assurance who do not really understand the fundamentals."

Some software vendors, perhaps even Microsoft, realize that salvation is not in patches, but in processes and tools that trap problems in development. Microsoft has instituted a buddy system between security experts and programmers (though security folks are vastly outnumbered). In addition to its own tools, MS has added independent review of its products. Some of those outside firms are hiring yet other firms to vet their tools and processes.

Yet much security review remains a manual art, though automation for application and source-code analysis is becoming more available -- some of it for near real-time/daily analysis. Some firms are rising above the programmer to provide tools for "those with responsibility for understanding where risks are," such as CIOs and chief security officers.

Those are very good trends, late but good. This is the article that alluded to Foundstone's forthcoming report, an "apples-to-apples study comparing the history of flaws discovered in several versions of Linux to Microsoft software," in which "'Linux is worse' with about 10% more flaws uncovered."

I still maintain that Microsoft can best Linux by providing more secure products, not by more geek goodies. Save for good, secure groupware, of course.

Security holes force firms to rethink coding processes
This story appeared on Network World Fusion
By Ellen Messmer
Network World, 04/19/04

Gordon Housworth



Cybersecurity Public  InfoT Public  Strategic Risk Public  


Risk amelioration for software creation, subversion, and diversion


Software design for weapons systems -- who does it, where do they do it, what tools do they use under what design rigor -- is a consistent concern in our supply chain infrastructure risk assessment.

With the Telrad (Israeli) penetration of the White House phone system never far from mind, the presence of foreign contractors in the F-35 Joint Strike Fighter aircraft is a concern, and the prime's (Lockheed Martin) contention that "98 percent of the F-35's software was 'U.S.-sourced' and two percent came from abroad" offers no solace when a few lines of malicious code can prejudice aircraft stability, avionics, or weapons.

What good does it do to have an aircraft that can turn sideways on a dime if someone can turn off its fly-by-wire system? It would be the singular software trapdoor of a future air superiority engagement. Were I a bad guy, it would rank high on my penetration list.

An excellent, and highly recommended, article on the inappropriateness of Linux (along with Windows and Solaris) for "control systems for tanks, bombs, missiles and defense aircraft" drew my attention, as one of its salient charges is that Linux contains "many elements of unknown origin," and that just a few lines of subversive code could "cause a major malfunction." What goes for operating systems goes for suppliers.

"'Software subversion,' in which adversaries add a few lines of code that can cause a major system to malfunction, is a concern of security experts... In such applications, developers need to use 'high-assurance' operating systems with the smarts to prove that subverting code doesn't exist. Linux is not one of them."

As an aside, the "many eyes" concept of open-source development and peer review is not sufficient for national security apps, as a "subtle flaw could be included in the system and missed by all those eyes, because they may not have the training or motivation to look for the right problems." (Remember that an attempt to deliberately add a security flaw to Linux was only recently averted, and both the Unix and Linux kernels have had serious flaws.) A forthcoming independent security report will show that "'Linux is worse' [than Microsoft software] with about 10% more flaws uncovered."

With a history of diverting US technology, Israel recently joined the eight JSF full partner countries as a lower "security cooperation participant" (SCP). As late as mid-2002, the US was still resisting Israeli participation requests due to concern that classified technology might be leaked to unfriendly countries, notably the PRC.

"Unlike the other full partners, Israel will not be able to impact JSF requirements or have a presence in the JSF program office. However, Israeli industry will be able to compete for SDD [system development and demonstration] work on the JSF like the other full partners."

While the researchers' Congressional testimony focused on software, their comment that the programming community must "get past issues of cost, corporate politics and technological 'religion' when dealing with matters of national security" has wide applicability:

"The problem occurs when a vendor decides to adopt software because of cost or because of familiarity to their current programmers," he said. "They end up making a decision that involves risk, and they don't have the appropriate background to make that decision."

That should apply to every vendor across the JSF supply chain. It is no longer enough to deal with direct cost, time, and delivery/availability risk. The risk amelioration for creation is not enough to address the risks of subversion and diversion. Yes, there will be an added direct cost to dealing with these longer range risks, but we forego it at our peril.

Linux: unfit for national security?
By Charles J. Murray, EE Times
April 19, 2004 (11:29 AM EDT)

U.S. lawmakers to weigh Pentagon's foreign-software use
Reuters, 01.08.04, 2:15 PM ET
By Jim Wolf

FBI Probes Espionage at Clinton White House - suspected telecommunications espionage
By J. Michael Waller, Paul M. Rodriguez
Insight on the News
May 29, 2000
Original scrolled off; mirror.

Gordon Housworth



Cybersecurity Public  InfoT Public  Strategic Risk Public  


Structural TCP flaw permits simple reset attack


I wonder if naysayers would continue to hurl doubts on Dick Clarke's warnings on the potential of cyber Pearl Harbors. Who is to say that one or more criminal groups or governments had not already discovered the flaw and put it in their quiver for that special moment? Remember that hackers penetrated and, for a period of time, took control of parts of the TeraGrid, a run-up for what could have been a stupendous DDoS attack:

"Experts previously said such attacks could take between four years and 142 years to succeed because they require guessing a rotating number from roughly 4 billion possible combinations. Watson said he can guess the proper number with as few as four attempts, which can be accomplished within seconds."

"Watson predicted that hackers would understand how to begin launching attacks 'within five minutes of walking out of that meeting.'"

How's that for operating within our OODA Loop? How many other flaws of equal magnitude are still out there? And in whose quiver? How would we know? When do we get to find out?

Discovery of Internet Flaw Prompts Security Push
By THE ASSOCIATED PRESS
April 20, 2004
Filed at 5:31 p.m. ET

TCP flaw threatens Net data transmissions
By Robert Lemos
CNET News.com
April 20, 2004, 12:40 PM PT

Gordon Housworth



Cybersecurity Public  InfoT Public  


Chocolate as a hacking tool


A delicious reminder as to how tender is our perimeter security when passwords can be pried loose for a bar of chocolate -- one of the cheapest social engineering attacks on record. Richard Feynman would be proud both for the simplicity of the attack and the exposure of the risk.

"Surprisingly, 37 percent immediately agreed, while another 34 percent were persuaded to give up their secret access codes when the interviewer commented that it was most likely to be the name of their pet or their child."

I may be stretching but I think the willingness to give up passwords is yet another sign that users are annoyed by their proliferation. Users surveyed certainly wanted a less demanding, uniform means of secure entry.

New hacking tool: chocolate
By Munir Kotadia
ZDNet (UK)
April 20, 2004, 6:38 AM PT

Gordon Housworth



Cybersecurity Public  InfoT Public  


Terrorists that exploit rather than destroy the web


Gabriel Weimann shows that terrorists have gained an effective understanding of using the web equal to, and sometimes surpassing, commercial firms.

I would go so far as to describe the web as an asymmetrical weapon in that its very low cost offers an easily obtainable, flexible C3 (command, control, and communication) capacity to attack its adversaries.

"…terrorist organizations and their supporters maintain hundreds of websites, exploiting the unregulated, anonymous, and easily accessible nature of the Internet to target an array of messages to a variety of audiences."

Most sites contain history, teleology, aims, activities, maps, exploits, biographies, news, and chat rooms. Al Qaeda humint targeting was recently described here. While most do not make explicit references to acts, Hezbollah and Hamas are exceptions in that they provide statistics on operations, slain members, enemies and collaborators -- all the trappings of a model company.

Three target audiences:

  • Current and potential supporters
  • International public opinion, journalists included
  • Enemy publics, i.e., citizens of the states against which the terrorists are fighting

Eight identified uses:

  • Psychological Warfare
  • Publicity and Propaganda
  • Data Mining
  • Fundraising
  • Recruitment and Mobilization
  • Networking
  • Sharing Information
  • Planning and Coordination

Terrorists of all persuasions, "Islamist, Marxist, nationalist, separatist, racist - have learned many of the same lessons about how to make the most of the Internet." The 11 September hijackers used the Internet well and their successors have only improved their skills and raised their presence on the web. Just as with other western weapons systems, terrorists have adopted the web to good effect for organization, proselytization, and operation.

We’d hire them if we didn’t have to stop them.

www.terror.net: How Modern Terrorism Uses the Internet
SPECIAL REPORT 116
Gabriel Weimann
United States Institute of Peace

PDF here.

Gordon Housworth



Cybersecurity Public  InfoT Public  Strategic Risk Public  Terrorism Public  

