While the hijacking happened as described in the Congressional report that was released earlier this week, the probability that this was done to steal information is very low. There are far stealthier and surgical approaches available and used on a daily basis.
On the other hand, it shows off the vulnerability of BGP, a core routing protocol of the Internet. While this vulnerability is well known among network security engineers, this incident will bring it to the attention of senior management of Fortune 500 organizations.
Is there anyone left on the planet by now who’s (a) in charge of a large chunk of address space, (b) not monitoring the BGP routing of that space, and (c) not petitioning their service providers to implement best common practices for route filtering?
Late Friday afternoon, Pacific Time, the computer identified as the command-and-control server used to send instructions to infected Koobface machines was offline. According to Nart Villeneuve, the chief research officer with SecDev Group, the server was one of three Koobface systems taken offline Friday by Coreix, a U.K. Internet service provider. “Those are all on the same network, and they’re all inaccessible right now,” Villeneuve said Friday evening.
Villeneuve has no illusions about Koobface being stopped. “I think that they’ll probably start up pretty soon, and they’ll probably try to recover as many of their bots as soon as they can,” he said.
Something I’ve found unsettling for some time now is the drastically increased usage of gzip as a Content-Encoding transfer type from web servers. By default now, Yahoo, Google, Facebook, Twitter, Wikipedia, and many other organizations compress the content they send to your users. From that list alone, you can infer that most of the HTTP traffic on any given network is not transferred in plaintext, but rather as compressed bytes.
The post goes on to claim that most network security solutions are blind to gzipped web traffic.
While I have not done a survey of “most” network security solutions, I can say for sure that Palo Alto Networks does automatically decompress gzipped content in hardware, then inspects it and applies policies.
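To make the gzip blind spot concrete, here is an added example (not code from the quoted post or from any vendor) that builds a constructed HTTP response, once plain and once with Content-Encoding: gzip, and runs a hypothetical data-leak signature over it two ways: on the raw wire bytes, and after honouring the Content-Encoding header. The signature pattern and the sample body are constructed for illustration.

```python
import gzip
import re
import zlib

# Hypothetical data-leak signature: an internal account-number format.
SENSITIVE_PATTERN = re.compile(rb"ACCT-\d{6}")


def build_response(body: bytes, compress: bool) -> bytes:
    """Build a minimal HTTP/1.1 response; gzip the body if requested."""
    payload = gzip.compress(body) if compress else body
    headers = [b"HTTP/1.1 200 OK", b"Content-Type: text/html"]
    if compress:
        headers.append(b"Content-Encoding: gzip")
    headers.append(b"Content-Length: %d" % len(payload))
    return b"\r\n".join(headers) + b"\r\n\r\n" + payload


def split_response(raw: bytes):
    """Return (lower-cased header dict, body bytes) for a raw response."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip().lower()
    return headers, body


def naive_inspect(raw: bytes) -> bool:
    """Match the wire bytes as-is: what a gzip-blind inspector does.
    Returns True when the signature is found."""
    _, body = split_response(raw)
    return SENSITIVE_PATTERN.search(body) is not None


def decoding_inspect(raw: bytes) -> bool:
    """Decompress according to Content-Encoding before matching."""
    headers, body = split_response(raw)
    if headers.get(b"content-encoding") == b"gzip":
        try:
            body = gzip.decompress(body)
        except (OSError, EOFError, zlib.error):
            # Malformed gzip that the browser could not render either:
            # fail closed and flag it instead of silently passing it.
            return True
    return SENSITIVE_PATTERN.search(body) is not None
```

The compressed body carries the same account number, but only the decoding inspector sees it; the naive one reports the response as clean.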
John Pescatore harkens back 59 years to the first direct-dial transcontinental telephone call, and 100 years before that to when the telegraph was spreading throughout the U.S., and compares both to Facebook.
Same thing going on in security today – next generation firewalls and secure web gateways are way less about blocking and way more about securely enabling connectivity of people and applications – applications like social networking…
In an effort to broaden the range of incidents used by Verizon Business’s annual Data Breach Investigations Report beyond those it investigates itself and those provided in 2010 by the Secret Service, Verizon Business’s ICSA Labs has created an application that allows anyone to add incidents using the VERIS Framework.
In return for adding anonymized incident information,
…you will receive a comparative report that frames your incident within the broader VERIS dataset. You will, for instance, know whether your incident was a rare event or one commonly experienced by others and such information can help you decide what, if anything, should be done to prevent similar events in the future.
Is this enough value? Why not allow direct access to the VERIS database through an API? This would allow you to do your own analysis rather than just relying on Verizon’s. Is it possible that third parties, bringing different perspectives and tools, would glean insights that Verizon is missing?
The VERIS Framework is very straightforward. There are three key components to any incident – Agents (actors), Actions, Assets. Perhaps I like it because it’s very similar to a methodology I developed with a colleague for log analysis using the terms Subject, Action, Object, which not coincidentally correspond to the three key parts of a sentence – Subject, Verb, Object.
There is a fourth “A” which stands for Attributes of the above-mentioned three A’s. The selection of classification Attributes is critical to effective analysis. For anonymized incident information, Verizon has done a good job in its classification attribute selection.
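As an added illustration of the four A’s and of the “comparative report” promised above (example code, not Verizon’s or VERIS’s own, and the classification labels are constructed stand-ins, not VERIS’s official enumerations): each incident is recorded as Agent, Action, Asset plus the Attribute that was compromised, and a new incident is framed against a small constructed dataset by counting how often its Agent/Action/Asset pattern occurs and which Attributes those matching incidents affected.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Incident:
    agent: str      # who acted (Subject): e.g. external, internal, partner
    action: str     # what they did (Verb): e.g. malware, hacking, misuse, error
    asset: str      # what was acted on (Object): e.g. server, user device
    attribute: str  # what was compromised: confidentiality, integrity, availability


# Constructed sample standing in for the shared, anonymized VERIS dataset.
DATASET = [
    Incident("external", "malware", "user device", "integrity"),
    Incident("external", "malware", "user device", "confidentiality"),
    Incident("external", "hacking", "server", "confidentiality"),
    Incident("internal", "misuse", "server", "confidentiality"),
    Incident("external", "malware", "user device", "integrity"),
    Incident("partner", "error", "server", "availability"),
]


def pattern(inc: Incident) -> tuple:
    """The three-A classification that two incidents are compared on."""
    return (inc.agent, inc.action, inc.asset)


def comparative_report(incident: Incident, dataset: list, rare_threshold: float = 0.1) -> dict:
    """Frame one incident against the dataset: how common its Agent/Action/Asset
    pattern is, and which Attributes were hit in the matching incidents.
    rare_threshold is an assumed cut-off: below this share the pattern is 'rare'."""
    counts = Counter(pattern(i) for i in dataset)
    matching = counts[pattern(incident)]
    share = matching / len(dataset) if dataset else 0.0
    attributes_seen = Counter(i.attribute for i in dataset if pattern(i) == pattern(incident))
    return {
        "pattern": pattern(incident),
        "matching": matching,
        "share": share,
        "rarity": "rare" if share < rare_threshold else "common",
        "attributes_seen": dict(attributes_seen),
    }
```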
Brian Krebs highlights Nart Villeneuve’s detailed analysis of Koobface. This is the most detailed analysis I’ve read about how one type of botnet thrives.
The entrée point for Koobface is almost irresistible: a link sent from a fake “friend” prompting a visit to a video site that purportedly reveals the recipient captured naked from a hidden web cam. Who wouldn’t follow that link? But for the hapless recipient, that one click leads down a Kafka-esque rabbit hole of viruses and Trojan horses, and straight into the tentacles of the Koobface network.
In a sense, Koobface, though also malware, is the opposite of Zeus: its value per illicit transaction is very low, while Zeus’s transaction value is very high.
The operators of Koobface have been able to successfully monetize their operations. Through the use of pay-per-click and pay-per-install affiliate programs, Koobface was able to earn over US$2 million between June 2009 and June 2010 by forcing compromised computers to install malicious software and engage in click fraud.
Without a victim, particularly a complainant, it is almost impossible for a police force to justify the resources to investigate a case like Koobface. Police officers ask: what’s the crime? Prosecutors ask: what or whom am I supposed to prosecute? In the case of Koobface, it is almost as if the system were purposefully designed to fall between the cracks of both questions.
New preventive and detective controls are needed to combat this new generation of malware. Think about this:
A recent study by Bell Canada suggested that CA$100 billion out of $174 billion of revenue transiting Canada’s telecommunications infrastructure is “at risk.” The same operator measured over 80,000 “zero day” attacks per day targeting computers on its network — meaning, attacks that are so new the security companies have yet to register them.
Preventive network security controls must include (1) next-generation firewalls which combine application-level traffic classification and policy management with intrusion prevention, and (2) zero-day malware prevention which is highly accurate and has a low false positive rate.
Detective controls must include (1) a Log/SIEM solution which uses extensive contextual information to generate actionable intelligence, and (2) a cloud-based botnet detection service which can alert you to compromised devices on your network.
Web Mail and Instant Messaging are the most popular applications. Gmail, which is SSL-encrypted, is the most popular by traffic rate. Hotmail and Yahoo claim more users but are behind Gmail in usage, and they are also moving to SSL encryption. If your network security solutions cannot decrypt SSL, you are blind to this traffic and to a potential data leak vector. Facebook dominates social networking. No surprise here, but it does highlight the need to monitor and control social networking using a more fine-grained approach than URL blocking, since there are business benefits to allowing some people, particularly sales and marketing, access to certain functions.
File sharing is shifting to the browser. The implication is that blocking peer-to-peer file sharing is no longer sufficient to control file sharing.
10% of the applications found can be considered “Enterprise Cloud.” This covers applications like WebEx, GoToMeeting, Salesforce.com, Microsoft Office Live, and Google Docs.
Why is Microsoft Internet Explorer 6 still the third most popular browser? The biggest reason organizations do not upgrade, according to this article, is that they are running third party applications that do not work properly with IE8. In fact, Gartner estimates that 40% of in-house applications do not work properly with IE8.
Another reason: since most social media sites do not work well with IE6, companies stay with IE6 as a form of URL filtering!! Of course, the security risks associated with this strategy far outweigh the benefits.
Bruce Schneier highlights “Control Fraud.” While I had never heard the term before, once you read about it, it will sound familiar.
This is an interesting paper about control fraud. It’s by William K. Black, the Executive Director of the Institute for Fraud Prevention. “Individual ‘control frauds’ cause greater losses than all other forms of property crime combined. They are financial super-predators.” Black is talking about control fraud by both heads of corporations and heads of state, so that’s almost certainly a true statement. His main point, though, is that our legal systems don’t do enough to discourage control fraud.