19. November 2010 · China’s 18-Minute Mystery – Renesys Blog

China’s 18-Minute Mystery – Renesys Blog.

This is absolutely the best analysis I’ve read of the China internet hijack incident in April 2010.

While the hijacking happened as described in the Congressional report released earlier this week, the probability that it was done to steal information is very low. There are far stealthier and more surgical approaches available, and they are used on a daily basis.

On the other hand, it shows off the vulnerability of BGP, a core routing protocol of the Internet. While this vulnerability is well known among network security engineers, this incident will bring it to the attention of senior management of Fortune 500 organizations.

Is there anyone left on the planet by now who’s (a) in charge of a large chunk of address space, (b) not monitoring the BGP routing of that space, and (c) not petitioning their service providers to implement best common practices for route filtering?
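The monitoring step in that question, as an added example that is not part of the Renesys post or of Cymbel’s own tooling: given the prefixes you are responsible for and the origin AS you expect for each, flag any observed announcement whose origin differs, and separately flag a more-specific prefix originated elsewhere, since longest-match forwarding lets it pull traffic even while your aggregate is still announced. The prefixes, ASNs and the route snapshot are constructed for this illustration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed: the prefixes this organisation originates and the ASN that
# should appear as origin for each (documentation prefixes and private ASNs).
EXPECTED_ORIGINS = {
    "203.0.113.0/24": 64500,
    "198.51.100.0/23": 64500,
}

@dataclass(frozen=True)
class Route:
    prefix: str
    as_path: tuple  # AS_PATH as received; the origin AS is the last element

# Constructed sample of what a route collector might show for these prefixes.
OBSERVED_ROUTES = [
    Route("203.0.113.0/24", (64496, 64497, 64500)),  # expected
    Route("198.51.100.0/23", (64496, 64500)),        # expected
    Route("198.51.100.0/23", (64496, 64499)),        # same prefix, wrong origin
    Route("203.0.113.128/25", (64498, 64499)),       # more-specific from another AS
]

def covering_prefix(prefix, expected):
    """Return the expected prefix that contains `prefix`, or None if not ours."""
    net = ipaddress.ip_network(prefix)
    for candidate in expected:
        if net.subnet_of(ipaddress.ip_network(candidate)):
            return candidate
    return None

def find_anomalies(routes, expected=EXPECTED_ORIGINS):
    """Flag announcements of our space whose origin AS is not the expected one.
    A more-specific prefix gets its own label: BGP prefers the longest match,
    so it diverts traffic even when the legitimate aggregate is still present."""
    findings = []
    for route in routes:
        cover = covering_prefix(route.prefix, expected)
        if cover is None:
            continue  # not our address space; nothing to check
        origin, legit = route.as_path[-1], expected[cover]
        if origin == legit:
            continue
        kind = "more-specific hijack" if route.prefix != cover else "origin mismatch"
        findings.append((kind, route.prefix, origin, legit))
    return findings

if __name__ == "__main__":
    for finding in find_anomalies(OBSERVED_ROUTES):
        print(finding)
```

Feeding this the output of a route collector or looking glass on a schedule is the minimum a prefix holder should be doing; route filtering at the provider is the complementary preventive control.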

15. November 2010 · Researchers take down Koobface servers

Researchers take down Koobface servers.

Late Friday afternoon, Pacific Time, the computer identified as the command-and-control server used to send instructions to infected Koobface machines was offline. According to Nart Villeneuve, the chief research officer with SecDev Group, the server was one of three Koobface systems taken offline Friday by Coreix, a U.K. Internet service provider. “Those are all on the same network, and they’re all inaccessible right now,” Villeneuve said Friday evening.

Villeneuve recently published a detailed paper on Koobface.

Is this the end of Koobface?

Villeneuve has no illusions about Koobface being stopped. “I think that they’ll probably start up pretty soon, and they’ll probably try to recover as many of their bots as soon as they can,” he said.

15. November 2010 · Network Forensics Blog » Blog Archive » Network Forensics and Reversing Part 1 – gzip web content, java malware, and a little JavaScript

Network Forensics Blog » Blog Archive » Network Forensics and Reversing Part 1 – gzip web content, java malware, and a little JavaScript.

Something I’ve found unsettling for some time now is the drastically increased usage of gzip as a Content-Encoding transfer type from web servers. By default now, Yahoo, Google, Facebook, Twitter, Wikipedia, and many other organizations compress the content they send to your users. From that list alone, you can infer that most of the HTTP traffic on any given network is not transferred in plaintext, but rather as compressed bytes.

The post goes on to claim that most network security solutions are blind to gzipped web traffic.

While I have not done a survey of “most” network security solutions, I can say for sure that Palo Alto Networks does automatically decompress gzipped content in hardware and then inspects it and applies policies.
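An added illustration of the blindness the post describes (not code from the Network Forensics Blog or from Palo Alto Networks): a constructed HTTP response is built twice, once plain and once with Content-Encoding: gzip, and a stand-in content signature is applied to the bytes on the wire and again after decoding. The signature pattern and the marker string in the body are made up for this example.

```python
import gzip
import re

# Constructed stand-in for a content signature an inspection engine applies.
SIGNATURE = re.compile(rb"TEST-MARKER-[0-9]+")

# Constructed page body; the repetition makes gzip actually compress it.
SAMPLE_BODY = (b"<html><body>" + b"<p>filler paragraph</p>" * 8
               + b"<p>TEST-MARKER-42</p></body></html>")

def build_response(body, compress):
    """Build a minimal HTTP/1.1 response, gzip-encoding the body when asked."""
    payload = gzip.compress(body) if compress else body
    headers = [b"HTTP/1.1 200 OK", b"Content-Type: text/html"]
    if compress:
        headers.append(b"Content-Encoding: gzip")
    headers.append(b"Content-Length: %d" % len(payload))
    return b"\r\n".join(headers) + b"\r\n\r\n" + payload

def split_response(raw):
    """Split a raw response into a lower-cased header dict and the body bytes."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip().lower()
    return headers, body

def inspect(raw, decode_content):
    """True if SIGNATURE matches. With decode_content=False only the bytes on
    the wire are scanned, which is all a gzip-unaware device ever sees."""
    headers, body = split_response(raw)
    if decode_content and headers.get(b"content-encoding") == b"gzip":
        body = gzip.decompress(body)
    return SIGNATURE.search(body) is not None

def demo():
    """Compare the three cases the post contrasts."""
    plain = build_response(SAMPLE_BODY, compress=False)
    gz = build_response(SAMPLE_BODY, compress=True)
    return {
        "plain_naive": inspect(plain, decode_content=False),
        "gzip_naive": inspect(gz, decode_content=False),
        "gzip_decoded": inspect(gz, decode_content=True),
    }

if __name__ == "__main__":
    print(demo())
```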

15. November 2010 · Thoreau Would Have Wanted You to Block Access to Facebook

Thoreau Would Have Wanted You to Block Access to Facebook.

John Pescatore harkens back 59 years to the first direct-dial transcontinental telephone call, and 100 years before that, when the telegraph was spreading throughout the U.S., and compares both to Facebook.

Same thing going on in security today – next generation firewalls and secure web gateways are way less about blocking and way more about securely enabling connectivity of people and applications – applications like social networking…

Here are Cymbel’s links to next generation firewalls and secure web gateways.

14. November 2010 · Verizon Incident Classification and Reporting

Verizon Incident Classification and Reporting.

In an effort to broaden the range of incidents used by Verizon Business’s annual Data Breach Investigations Report beyond those it investigates itself and those provided in 2010 by the Secret Service, Verizon Business’s ICSA Labs has created an application that allows anyone to add incidents using the VERIS Framework.

In return for adding anonymized incident information,

…you will receive a comparative report that frames your incident within the broader VERIS dataset. You will, for instance, know whether your incident was a rare event or one commonly experienced by others and such information can help you decide what, if anything, should be done to prevent similar events in the future.

Is this enough value? Why not allow direct access to the VERIS database through an API? This would allow you to do your own analysis rather than just relying on Verizon’s. Is it possible that third parties, bringing different perspectives and tools, would glean insights that Verizon is missing?

The VERIS Framework is very straightforward. There are three key components to any incident – Agents (actors), Actions, Assets. Perhaps I like it because it’s very similar to a methodology I developed with a colleague for log analysis using the terms Subject, Action, Object, which not coincidentally correspond to the three key parts of a sentence – Subject, Verb, Object.

There is a fourth “A”, which stands for Attributes of the three A’s mentioned above. The selection of classification Attributes is critical to effective analysis. For anonymized incident information, Verizon has done a good job in its selection of classification attributes.

14. November 2010 · Pursuing Koobface and ‘Partnerka’ — Krebs on Security

Pursuing Koobface and ‘Partnerka’ — Krebs on Security.

Brian Krebs highlights Nart Villeneuve’s detailed analysis of Koobface. This is the most detailed analysis I’ve read about how one type of botnet thrives.

The entrée point for Koobface is almost irresistible: a link sent from a fake “friend” prompting a visit to a video site that purportedly reveals the recipient captured naked from a hidden web cam. Who wouldn’t follow that link? But for the hapless recipient, that one click leads down a Kafka-esque rabbit hole of viruses and Trojan horses, and straight into the tentacles of the Koobface network.

In a sense, Koobface, while also malware, is the opposite of Zeus: the value per illicit transaction is very low, whereas Zeus’s transaction value is very high.

The operators of Koobface have been able to successfully monetize their operations. Through the use of pay-per-click and pay-per-install affiliate programs, Koobface was able to earn over US$2 million between June 2009 and June 2010 by forcing compromised computers to install malicious software and engage in click fraud.

Without a victim, particularly a complainant, it is almost impossible for a police force to justify the resources to investigate a case like Koobface. Police officers ask: what’s the crime? Prosecutors ask: what or whom am I supposed to prosecute? In the case of Koobface, it is almost as if the system were purposefully designed to fall between the cracks of both questions.

New preventive and detective controls are needed to combat this new generation of malware. Think about this:

A recent study by Bell Canada suggested that CA$100 billion out of $174 billion of revenue transiting Canada’s telecommunications infrastructure is “at risk.” The same operator measured over 80,000 “zero day” attacks per day targeting computers on its network — meaning, attacks that are so new the security companies have yet to register them.

Next-generation defense-in-depth includes both preventive and detective controls.

Preventive network security controls must include (1) next generation firewalls which combine application-level traffic classification and policy management with intrusion prevention, and (2) 0-day malware prevention which is highly accurate and has a low false positive rate.

Detective controls must include (1) a Log/SIEM solution which uses extensive contextual information to generate actionable intelligence, and (2) a cloud-based botnet detection service which can alert you to compromised devices on your network.

14. November 2010 · What Web Apps Are Employees Using at Work?

What Web Apps Are Employees Using at Work?

Here is a summary of the findings of Next Generation Firewall vendor Palo Alto Networks’ semi-annual Application Usage and Risk Report:

Web Mail and Instant Messaging are the most popular applications. Gmail, which is SSL encrypted, is the most popular by traffic rate. Hotmail and Yahoo claim more users but are behind Gmail in usage. They are also moving to SSL encryption. If your network security solutions cannot decrypt SSL, you are blind to this traffic and potential data leak vector.

Facebook dominates social networking. No surprise here, but it does highlight the need to be able to monitor and control social networking using a more fine-grained approach than URL blocking, since there are business benefits to allowing some people, particularly sales and marketing, access to certain functions.

File sharing is shifting to the browser. The implication is that blocking peer-to-peer file sharing is no longer sufficient to control file sharing.

10% of the applications found can be considered “Enterprise Cloud.” This covers applications like WebEx, GoToMeeting, Salesforce.com, Microsoft Office Live, and Google Docs.

14. November 2010 · The Scourge of IE6 Continues, for Some Surprising Reasons

The Scourge of IE6 Continues, for Some Surprising Reasons.

Why is Microsoft Internet Explorer 6 still the third most popular browser? The biggest reason organizations do not upgrade, according to this article, is that they are running third party applications that do not work properly with IE8. In fact, Gartner estimates that 40% of in-house applications do not work properly with IE8.

Another reason: since most social media sites do not work well with IE6, some companies stay with IE6 as a form of URL filtering!! Of course, the security risks associated with this strategy far outweigh the benefits.

07. November 2010 · Securosis Blog | SQL Azure and 3 Pieces of Flair

Securosis Blog | SQL Azure and 3 Pieces of Flair.

Adrian Lane, the database security analyst at Securosis, points out the rather limited security controls Microsoft provides for SQL Azure.

Firewall, SSL, and user authentication are the totality of the technologies prescribed.

In other words, you are on your own. We recommend Sentrigo, an agent-based database intrusion prevention solution that sits right in the database VM.

07. November 2010 · Schneier on Security: Control Fraud

Schneier on Security: Control Fraud.

Bruce Schneier highlights “Control Fraud.” While I had never heard the term before, once you read about it, it will sound familiar.

This is an interesting paper about control fraud. It’s by William K. Black, the Executive Director of the Institute for Fraud Prevention. “Individual ‘control frauds’ cause greater losses than all other forms of property crime combined. They are financial super-predators.” Black is talking about control fraud by both heads of corporations and heads of state, so that’s almost certainly a true statement. His main point, though, is that our legal systems don’t do enough to discourage control fraud.