Researchers at matousec.com, a security research and consulting group, released a paper describing a vulnerability in the way that anti-virus vendors integrate their products with Windows – System Service Descriptor Table (SSDT). They also built code that exploits this vulnerability which enables them to bypass these anti-virus programs. The Register has a good summary.
My first reaction is "so what?" Anti-virus programs have become almost irrelevant as the primary attack vector has shifted to browser-based applications. On the other hand, this vulnerability could lead to a resurgence of more direct viruses.
Second, how and how quickly will Microsoft and the anti-virus vendors react?
Third, what are the implications for Intel's vPro technology?
Fourth, is there an anti-virus vendor out there that does not use SSDT to integrate with Windows?
Peter Kuper posted an interesting article on fudsec.com claiming that there is an "Innovator's Crisis" in IT Security. I disagree. There are several new, innovative solutions coming from start-ups that do mitigate the new risks created by the explosion in "web 2.0" applications.
Large enterprises are facing huge challenges though. First, capital investments made in security during the last several years must be written down because the technology is obsolete. For example, stateful inspection firewalls have become essentially useless.
Second, the new solutions require these enterprises to reorganize their security staff. For example, most large enterprises have separate groups to manage firewalls and intrusion prevention systems. The "next-generation" firewalls which can reduce the risks associated with the employee usage of "web 2.0" applications, combine the firewall and intrusion detection function and also integrate with directory services, which touches a third security group – Identity and Access Management.
Separately, while this may be obvious, there is a good reason why these large diversified information technology manufacturers are not acquiring security start-ups. They have gotten so large that security revenue does not significantly move the revenue needle. Cisco and Juniper come to mind. Peter mentioned IBM's botch of ISS. We'll see what HP does with TippingPoint.
Gartner's John Pescatore blogged about his view on the future of firewalls today. Many pundits have opined about enterprise deperimeterization. Not so says Pescatore, although the functionality of the firewall is changing to respond to the changes in technology and the threat landscape. Gartner calls this new technology, "next-generation firewalls."
It is really just border control – we don’t declare countries
“deperimeterized” because airplanes were invented, we extend border
control into the airport terminals.
Unfortunately every firewall vendor in the industry has jumped on the term. So in order to help you separate marketing fluff from reality, whenever you are speaking to a firewall vendor, be ready with these questions:
How have you adapted your stateful inspection engine in your next-generation firewall?
When in the firewall's packet/session analysis is the application detected?
Is all packet analysis performed in a single pass?
How does your appliance hardware support you analysis approach?
is there a single user interface for all aspects of policy definition?
What is the degradation in performance as functionality is turned on?
If you like the answers, ask for more thing – show me.
The latest version of the Zeus do-it-yourself crimeware kit goes to
great lengths to thwart would-be pirates by introducing a
hardware-based product activation scheme similar to what's found in
Microsoft Windows.
The newest version with bare-bones capabilities starts at $4,000 and
additional features can fetch as much as $10,000. The new feature is
designed to prevent what Microsoft refers to as "casual copying"
by ensuring that only one computer can run a licensed version of the
program. After it is installed, users must obtain a key that's good for
just that one machine.
To state the obvious, if anyone needed a reminder, the crimeware software industry is big business and maturing.
In addition The Register reported:
The latest version of Zeus is 1.3.3.7, SecureWorks researcher Kevin Stevens told El Reg.
But the authors are already busy working on version 1.4, which is being
beta tested. It offers polymorphic encryption that allows the trojan to
re-encrypt itself each time it infects a victim, giving each one a
unique digital fingerprint. As a result, anti-virus programs, which
already struggle mightily to recognize Zeus infections, have an even harder time detecting the menace.
No information was provided as to where you could submit your feature requests.
Web security firm, Finjan, published a report (Issue 2, 2009) this week on a more advanced funds transfer fraud trojan called URLZone. It basically follows the now well understood process I blogged about previously, where:
Web site visitors are infected with a trojan, in this case URLZone.
The trojan is used to collect bank credentials.
Cybercrirminals transfer money from the victims to mules.
The money is transferred from the mules to the cybercriminals.
URLZone is a more advanced trojan because of the level of automation of the funds transfer fraud (direct quotes from the Finjan report):
It hides its fraudulent transaction(s) in the report screen of the compromised account.
Its C&C [Command and Control] server sends instructions over HTTP about the amount to be stolen and where the stolen money should be deposited.
It logs and reports on other web accounts (e.g., Facebook, PayPal, Gmail) and banks from other countries.
In the past, the trojan was merely a keylogger that sent credentials back to the cybercriminal. These exploits were mostly against small businesses and schools where relatively large amounts of money could be stolen. But the URLZone trojan has much more sophisticated command and control which enables a much higher volume of transactions. Finjan reports 6,400 victims in 22 days losing 300,000 Euros. So far all the victims have been in Germany.
CSO Online Magazine has an article about IBM ISS Security Strategist Joshua Corman's concerns with the security industry. While I agree with much of what he says, I disagree with his core premise, expressed in Dirty Secret 1. Here are my comments on each of Josh's eight dirty secrets.
"Dirty Secret 1: Vendors don't need to be ahead of the threat, just the buyer – This is the problem that leads to the seven "dirty secrets" that
follow. In essence, Corman said, the goal of the security market is to
make money, not to ensure the customer's security."
I find it surprising that a representative of one the largest and most profitable enterprises in the world attacks other vendors for wanting to make money, as if making money is bad. Is he serious about attacking capitalism? Is security some special market where profits are bad? From my perspective, making money is the result of solving client problems and helping them meet their objectives.
"Dirty Secret 2: AV certification omissions – While AV tools detect replicating malware like worms, they fail to identify such as [sic] non-replicating malware as Trojans."
Aside from the grammar issue, I agree that some vendors are having difficulty keeping up with the constantly evolving threat landscape. However, this creates opportunities for new vendors. Joseph Schumpeter called this "creative destruction."
"Dirty Secret 3: There is no perimeter – Corman said those who truly believe there's still a network "Perimeter" may as well believe in Santa Claus."
There has never been a perimeter in the sense that if you just protect the edge of your network, you are safe. I do agree that it can be difficult to know where that edge is. However, there is still an important role to be played by a perimeter firewall that understands applications, users, and content. Beyond that, good security has always been about "defense-in-depth."
"Dirty Secret 4: Risk management threatens vendors – Risk
management really helps an organization understand its business and its
highest level of risk, Corman said. But a company's priorities don't
always map to what the vendors are selling."
Again, this allusion to disreputable vendors. At any point in time, there surely are disreputable vendors. But they don't last long. Of course any IT Security control being deployed should be in the context of how risk is being reduced.
"Dirty Secret 5: There is more to risk than weak software – Corman
said the lion's share of the security market is focused on software
vulnerabilities. But software represents only one of the three ways to
be compromised, the other two being weak configurations and people."
No argument here, but not really new. The issues around security awareness training, for example, are much deeper than lack of money being spent on it. Regarding configuration management, has the issue been lack of attention or lack of good products to deal with the issues? It's a hard problem.
"Dirty Secret 6: Compliance threatens security – Compliance with such laws and industry standards as Sarbanes-Oxley and PCI DSS
drives companies to spend far more on security than they might
otherwise. Security vendors have obviously seized upon this fact,
offering products that do everything from offer PCI compliance out of
the box to ultimate cure-alls for healthcare entities coping with the
demands of HIPAA. Of course, this too leads to companies buying security tools that fail to properly address the particular risks they face."
I surely agree that compliance threatens security and there surely are cases where vendors have been successful by focusing on compliance rather than on reducing risk. When an organization "only" focuses on compliance requirements it falls short of what it can and should be doing to protect its assets. In fact, compliance represents a floor or bare minimum level of security.
Put another way, if you only focus on compliance, you will surely not be maximizing the value of your security investment. At the very least, there is no way that regulatory bureaucracies can keep up with the changing threat landscape.
"Dirty Secret 7: Vendor blind spots allowed for Storm – The Storm botnet, as an archetype, is being copied and improved. The Storm era of botnets is alive and well, nearly two years from when it first appeared, Corman said."
As I said in my comment on Dirty Secret 2, some vendors may not be responding to the changing threat landscape, but there are others who are. If you feel your vendors are not responding, look for new ones. There is a lot of innovation in the IT Security industry.
"Dirty Secret 8: Security has grown well past "do it yourself" – Technology
without strategy is chaos, Corman said. The sheer volume of security
products and the rate of change has super-saturated most organizations
and exceeded their ability to keep up."
Any actions or tactics that are not part of a strategy is obviously chaos. First Corman says that vendors are not keeping up and now he is saying that enterprises cannot keep up (without his help). With all due respect, let's remember that Corman is part of IBM's consulting organization. On the other hand, there is no harm in repeating that technology by itself is not the answer. It's people, process, and technology, as it has always been.
