Tuesday, March 31, 2009

Conficker and GhostNet Hype

Have you seen all this hype about Conficker and GhostNet recently? Surely there are more important threats out there than this media frenzy would have you believe. How many times can security vendors claim "the sky is falling" before their customers get tired of the FUD?

I've been examining the details of both incidents/outbreaks, and it's got me chuckling while watching how many professionals are chasing their tails.

A word to the wise: if a threat gets a unique name and makes it to the prime-time news then it's too late - the odds are that it's no longer a threat to be worried about. The good guys have already countered it (as far as enterprises are concerned anyway).

I've just blogged about the intricacies of the malware naming business and the (mitigated) threat that is Conficker and GhostNet over on the Damballa Blog site.

Read my first appearance on the blog and the brand-spanking-new post "Who really will be the fool on April Fool's day?"

Monday, March 30, 2009

Bye bye IBM. Hello Damballa!

Many readers will have heard that I handed in my notice to IBM a few weeks back, and actually (finally) departed the company mid-last week. This week I begin my new role at Damballa as VP of Research.

By way of history, having worked for several NZ and UK-based companies previously, I rejoined ISS back in 2005 as Director of X-Force and relocated to Atlanta - just in time to pick up the reins following Cisco-gate (funny true story - I was actually a backup speaker at Blackhat that year and if Mike Lynn hadn't got on stage I would probably have been giving a replacement talk - even though at the time I was working at NGS Software (so wasn't involved in ripping pages out of the conference books) - can't remember what topic I had submitted though). Then, in October 2006 IBM came along and gobbled up ISS, and I decided to shift into a more strategic role - Chief Security Strategist.

I largely enjoyed my time with IBM, and got to work on many interesting (and HUGE) projects. However, as with any big company, I found myself moving further and further away from the coalface of security. And anyone that's known me for some time will know that I'm deeply interested in the technical aspects of security evolution and cybercrime - which isn't something that IBM is typically associated with.

So, with that in mind, I decided to join Damballa (conveniently located in Atlanta - the Silicon Valley for security companies) and focus on the most important security threat affecting enterprises today - botnets and organized crimeware. If you're at least partially familiar with the threat, then you've probably already seen or heard about some of the leading research Damballa are doing in this area. Given all that, it was a no brainer for me to join Damballa and work to kick things up a notch or two in stopping the bad guys.

I obviously won't be posting to ISS' Frequency-X blog, but you'll be able to tune in to my botnet analysis and threat evolution opinions on Damballa's blog. For other security topics not specifically associated with Damballa and crimeware, I'll continue to post here in my personal security blog - and post new whitepapers over at my main Web site Technical Info.

If you're really interested in what I'm doing, the press announcement can be found here.

I'm really looking forward to diving deeper into the rapidly evolving botnet threat and, just as importantly, having a little more elbow room when discussing/publishing what's going on with the threat (without an entourage of PR bodyguards).

Thursday, March 26, 2009

Reigniting the Bugs for Cash Debate

It's like one of those magic candles people place on birthday cakes that sparkle and relight themselves each time you think they've been blown out. That's how I'd define the most recent ignition of the "bugs for cash" debate.

By now you'll have probably heard that Dino Dai Zovi, Charlie Miller and Alex Sotirov have declared "No more free bugs" (Dai Zovi affirms his position and provides insight to his side of the argument over on his blog titled "No more free bugs").

It's been picked up by several of the security media channels, and Robert Lemos over at Security Focus has a good summary "No more bugs for free, researchers say" (although I'd debate this being anything like a "new chapter"). And then, this morning, I read Dave Goldsmith's blog posting Vulnerability Research: Times They Are A-Changin.

Since I'm hardly a wall-flower and have been outspoken about the various aspects of the disclosure debate (particularly vulnerability purchase programs) for several years, I figured I'd better provide my perspective on this most recent disclosure storm.

While I respect the technical capabilities of Dino Dai Zovi, Charlie Miller and Alex Sotirov in finding new vulnerabilities and weaponizing them into exploits - I think there's a lot of show-boating going on, and it seems that the popular media is happy to go along for the ride.

Several people have pointed out that security researchers invest a lot of time in finding bugs and, since the "good" vulnerabilities are getting harder to find (i.e. taking more effort), they deserve to be paid for their work. I'd go along with that reasoning but for one simple fact: the software vendors haven't asked nor employed these particular researchers to find bugs in their products.

From a vendor's perspective, the CEO and CFO have defined the company's operational budget and optimized their expenditure processes. Most have invested in secure software development lifecycle programs and have included many security review and QA gates already. Most of the major vendors also employ professional (external) vulnerability research teams at the tail of the development lifecycle to "blackhat" their way to any bugs or vulnerabilities that may have been missed. Then, even having followed this process, the odd vulnerability still makes it through.

From the vendor's perspective, vulnerabilities should have been caught within their existing processes. But, as someone with firsthand experience of this, each sub-process is operating within time and financial constraints. Take the third-party vulnerability researchers that consult for the vendor - they were probably contracted to provide 100 man-days of effort for $250k (plus expenses) - and may find anywhere between zero and a thousand vulnerabilities - WITHIN those time/financial limits. The vendor set those budget/time limits. If they were wrong, maybe some external (unaffiliated) security researcher will uncover a vulnerability that was missed. The vendor then needs to decide whether future investments in their security review processes are needed - and would budget accordingly.

With a vendor-perspective-hat on, why should they be paying for more bugs? If it's a concern (i.e. affects customer confidence or damages the brand), they'll reprioritize their internal QA spending and increase budgets.

Vulnerability Worth
I've seen many security researchers debate the value of a vulnerability - and most are "dissatisfied" with the compensation paid by the commercial vulnerability purchase programs. As Dave Goldsmith clearly states in his blog - "Defenders Buy Vulns, Attackers Buy Exploits" - and there's a big difference between uncovering a vulnerability and actually turning it into an exploit.

Criminals (and Governments) pay a premium for weaponized vulnerabilities - so to compare the prices they're willing to pay for some new zero-day versus a security vendor who's focused on remediating the vulnerability is naive. And, as for these $5,000 (etc.) contests to be the first to break something - that has nothing to do with improving security, it's a marketing exercise - and the researchers who participate in them are merely associating a small dollar value with their professional reputation.

Getting back to my point about a software vendor's budget for assuring/improving security... What I've found is that many of the best security researchers are already contracting with, or working within, the major software vendors and helping to improve their products' security. From a compensation perspective, those security researchers regularly earn anywhere between $150k to $250k per annum (plus benefits) - which is much more profitable than picking up $5k at a contest here and there.

Then there's the "Best of the best" security researchers out there. Not only are they smart enough to find the most important vulnerabilities and figure out how to exploit them, but they're also smart enough to set up their own businesses and really rake in the dollars (and get others to do the tedious research work!).

So, what's a bug worth in that context? That 100 man-day contract may yield 100 bugs - placing each bug's value at $2,500. On the other hand they may only find one bug - and that single bug is now worth $250k. Take your pick.

In my opinion "No more bugs for free", while headline grabbing, is old ground trodden over many times in the past. Routes already exist for legitimate/ethical security researchers to make a mint from the vulnerabilities they are capable of finding - if they're smart enough to understand the business.

Vulnerability showboating is for amateurs from a past age. The vulnerability research business has moved on.

Wednesday, March 25, 2009

"Two-factor Authentication Failing" - Doh!

This morning I came across a short news article by Jeremy Kirk over at IDG titled "German Police: Two-factor Authentication Failing". My initial response - Doh!

For anyone familiar with the rapidly evolving class of malware often coined "Brazilian Banking Trojans", you'll know that two-factor authentication hasn't been an inhibitor to online financial fraud for the last 3 or so years.

Now, I'm not saying that the German Police have been left in the dark, or that the iTan system for transaction signing doesn't have a value, but Brazilian Banking Trojans have defeated this particular security technology for quite some time. In fact over the last couple of years I've traveled to many countries and met with most of the security teams at the major banking establishments around the world, and had the opportunity to educate them about the threat targeted at the transaction (well, at least I thought so).

Given the nature of man-in-the-browser attack vectors and the relative complexity of the online banking application (in the eyes of the customer), it's very easy to socially engineer the customer (i.e. victim) to unknowingly become a key component in the success of the fraud.

Without going into the minutiae of the threat and its attack vectors here (I'll write a whitepaper on the topic some time soon - probably available over at www.technicalinfo.net) readers may want to check out the presentation I gave at OWASP late last year on the topic (from a security consulting perspective - but you'll get the idea) - titled "Multidisciplinary Bank Attacks" and a Video of the presentation is also available.

Perhaps more importantly, many of the newer man-in-the-browser engines now come with quite advanced scripting engines that greatly improve the speed and efficiency of the attack. Features of these engines not only include the ability to alter any content being received by the Web browser before it's rendered to the customer, but also to make numerical calculations of balances and effectively "erase" extra transactions from what the customer sees - and keep their account balances looking good.
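To make the "erase the transaction and fix the balance" behaviour concrete, here is an added illustrative example (not code from the original post, and not taken from any real banking trojan or banking application). It models the statement a customer would be shown as a small data structure, applies the kind of rewrite a man-in-the-browser script performs before rendering, and then shows why only an out-of-band reconciliation against the bank's own ledger catches it: the rewritten statement is arithmetically self-consistent, so any "do the numbers add up?" check on the client side passes. The account figures, transaction IDs and descriptions are constructed for the demonstration.

```python
"""Simulation of man-in-the-browser statement rewriting and the
out-of-band reconciliation that detects it.

Added illustrative example; the statement data, names and amounts are
constructed and do not come from any real banking application or trojan.
"""
import copy
from dataclasses import dataclass
from decimal import Decimal


@dataclass
class Txn:
    txn_id: str
    description: str
    amount: Decimal  # negative = debit, positive = credit


@dataclass
class Statement:
    opening_balance: Decimal
    txns: list
    closing_balance: Decimal


def server_statement() -> Statement:
    """The bank's authoritative ledger for the session (constructed sample),
    including the transfer that the trojan injected into the session."""
    txns = [
        Txn("t1", "Salary", Decimal("2500.00")),
        Txn("t2", "Groceries", Decimal("-84.20")),
        Txn("t3", "Transfer to mule account", Decimal("-1900.00")),
        Txn("t4", "Coffee", Decimal("-3.50")),
    ]
    opening = Decimal("400.00")
    return Statement(opening, txns, opening + sum(t.amount for t in txns))


def mitb_rewrite(stmt: Statement, hide_ids) -> Statement:
    """What the injected script does to the page before it is rendered:
    drop the rows it wants hidden and recompute the closing balance so that
    the figures the customer sees still add up."""
    view = copy.deepcopy(stmt)
    view.txns = [t for t in view.txns if t.txn_id not in hide_ids]
    view.closing_balance = view.opening_balance + sum(t.amount for t in view.txns)
    return view


def is_internally_consistent(stmt: Statement) -> bool:
    """Client-side sanity check: opening + transactions == closing.
    Passes for the rewritten view, which is exactly the problem."""
    return stmt.opening_balance + sum(t.amount for t in stmt.txns) == stmt.closing_balance


def reconcile(displayed: Statement, authoritative: Statement) -> list:
    """Return ledger transactions missing from what the customer was shown.
    This is only meaningful when the authoritative side arrives over a channel
    the browser does not control (paper statement, SMS summary, phone banking)."""
    shown = {t.txn_id for t in displayed.txns}
    return [t for t in authoritative.txns if t.txn_id not in shown]


if __name__ == "__main__":
    truth = server_statement()
    view = mitb_rewrite(truth, {"t3"})
    print("customer sees closing balance:", view.closing_balance)
    print("view passes arithmetic check:", is_internally_consistent(view))
    print("hidden by reconciliation:", [t.description for t in reconcile(view, truth)])
```

The design point is in `reconcile`: the comparison has to be made against data that never passed through the compromised browser. Transaction-signing tokens help only if what the customer signs is shown to them over that same independent channel, otherwise the script can present one transaction for signing while submitting another.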

I could go on for hours about the topic - but I think it'll be best covered by a technical whitepaper. In the meantime, any banking organizations out there that need more details on the topic and best practice advice in countering the threat - well, I'm pretty easy to get hold of.

One last point. The news story makes mention of CAPTCHAs as an anti-fraud mechanism. Sorry - but that's been defeated too. In fact it's already evolved into a subscription-based, criminally managed service. Check out my other blog "CAPTCHA's and Mechanical Turks".

Saturday, March 21, 2009

Blinkered 'Smart Grid' Security Responses

A colleague pointed me to a CNN headlined news story this morning titled ‘Smart Grid’ may be vulnerable to hackers.

It’s an interesting piece largely focused upon several implied risks associated with the “smart” part of the new grid proposals – i.e. the interconnected nature of the newer devices. There are of course the usual smatterings of sensationalist “hackers can break this”.

I’ve been involved in several aspects of Smart Grid security for some time now – ranging from embedding security into the smart meters themselves through to penetration testing of national power grids and nuclear plants. And yes, while it’s true that there are ways of breaching most of the technologies out there (and several of the technologies that are still only a twinkling in the eyes of an engineer), this applies to any technology – past, present and future.

Without getting into the nitty-gritty of particular technologies and their respective security flaws, I think many people underestimate the advances that have been made in overall system security as we progress towards a Smart Grid infrastructure. Sure, for many the use of wireless communication technologies in household power meters raises the specter of past security failings in technologies such as 802.11b WEP – but a lot has been learnt in the meantime. Just as many security consultants will point to old security flaws, and actively look for them in newer technologies, the engineers developing these new smart grid solutions aren’t ignorant of the past either.

Yes there are going to be security flaws. I know firsthand of several such flaws, and I can point out several new vectors for attack that power distribution systems haven’t had to worry about in the past. However, proposals to not pursue this newer and vastly more efficient Smart Grid technology for fear of security flaws – in my opinion – are pointless. The older systems already have more severe vulnerabilities (which are known to a greater number of people), and many of the technology advances within Smart Grid are designed to remedy them.

I’ve heard many times that a hacker could break into a home’s wireless power meter and do all kinds of nastiness (and in some cases it’s probably true – with enough time and effort). That’s as may be - but why bother? Today (and for the last 50+ years) you can do much more damage and conduct all kinds of fraud with a $2 pair of wire cutters.

I’ve also heard that someone could hack into a nuclear power plant and shut it down, which would affect millions of houses and businesses in the country. Frankly you could cause much the same wide-scale disruption by simply crashing a couple of rental cars into two power distribution centers simultaneously - which could cause a widespread cascading power failure. Or, on a more provincial level, simply throwing a bicycle over the fence of a local distribution center and onto the pylons will be enough to interrupt power to thousands of local houses and businesses. Which particular threat are you trying to protect against?

There are thousands of security aspects to Smart Grid, and there are going to be security flaws - but we're going to be in a much better position to mitigate them. Unfortunately we (speaking on behalf of those of us in the security business) often spend a disproportionate amount of time picking holes in future and proposed technologies rather than properly acknowledging the security flaws already present within today’s deployed systems. In a perfect world we could take a time out before advancing to a new technology – making sure it was perfect before implementation. Sorry, but nothing’s perfect, and you can’t guarantee anything will be secure from a motivated attacker with time on their hands.

I've seen a lot of this "sky is falling" rhetoric recently. I'd rather we compared the state/security of the present/past power system with the proposed state/security of the replacement Smart Grid solutions.

Thursday, March 19, 2009

(near) Cyberheist at Sumitomo Bank

John Leyden over at The Register has a great article on the recently announced failed cyberheist targeting Sumitomo Bank - "How police busted UK's biggest cybercrime case".

It's well worth the read.

I hadn't realized that the attempted heist was conducted back in 2006 and that the police had been working on the case for a couple of years. When I read previous news stories it kind of sounded like an open & shut case - but evidently not.

On a related note, someone recently asked me about the use of commercial keyloggers and why you'd want to use them? Well, there are several reasons:
  1. They're plentiful and you can purchase them online with a credit card.
  2. Many are designed to be used within corporate environments and their manufacturers have agreements with the major anti-virus companies to NOT raise a client-side alert to their presence (since it's "probable" that the IT department installed the keylogger intentionally for HR/police monitoring purposes).
  3. Many of the commercial keyloggers allow you to download trial versions, and you can also acquire licence key generators from many of the warez sites (i.e. you don't even need to pay the money if you were criminally inclined).
  4. Typing "keylogger" into Google will yield pages of links to commercial keyloggers first (lazy criminals ;-)
If you're interested in learning more about keylogging technologies, I wrote a couple of blogs on the topic a while back over on my main Web site www.technicalinfo.net.

Tuesday, March 3, 2009

Digging up the Dead?

What happens when you die? OK, so that's a classic question that philosophers and theologians have been trying to answer for millennia now. But seriously, in this digital world, what happens when you die?

If you're like me, you've probably heard the terrible stories about fraudsters that scan the obituary columns of the local newspaper and create new bank accounts and take out loans in the name of the recently deceased - only to scarper with the cash while family members are mourning the loss. It's a terrible crime - no doubt about it - but what about the cyber aspects?

A couple of months back a journalist asked me how family members of the recently deceased could recover the passwords of email accounts, and that got me thinking more about the subject.

Hijacking an Identity
Since we already know that people conduct this fraud in the physical world, what would it take to do the scam in the cyber world? Would it be easier or tougher? Are there more or less opportunities to get away with the crime?

Normally I'm game for a bit of tinkering to prove a point, but this time I won't - so let's just go through the theory - the last thing I want to do is prove how doable it would be by hijacking (or creating afresh) the cyber identity of someone that's just died.

A) Finding the deceased...
Well, that proves to be extraordinarily easy. Instead of having to wait for the morning's delivery of dead tree and scanning the columns, there are Web sites that automatically collate obituaries from multiple national papers (e.g. Obituaries.com) and even allow you to search for keywords.

B) Selecting the deceased...
The type and volume of information contained within obituary write-ups can vary considerably, but more often than not there's enough information there to be 'dangerous' and helpful from an identity theft perspective. For example, the first obituary I came across had the following data nuggets:
  • Full name
  • Birth date
  • Home Address (the wake attendees were to meet there)
  • List of family members and siblings (including all the grandparents' names - i.e. Mother's Maiden Name)
  • Schools (a list of schools and colleges attended)
  • Favorite sports
  • Home phone number
  • Parents' email address
  • Dog's name
C) The cyber deceased...
Armed with a full name, address and general age-group information, it's pretty easy to Google your way around and uncover more relevant cyber information. Social network profiles, blogs, photo sharing sites and other posting forums can provide a wealth of new information - although the fraudster is probably better off targeting a deceased person with a slightly unique name if they don't want to spend ages sifting out unrelated material.

D) Going after the email...
Frankly, the most useful piece of information (that's going to reap the most rewards the fastest) is probably going to be the deceased's main email account. Armed with that, it'll become almost trivial to recover the authentication information from any other related and interesting sites - i.e. through the typical "I've forgotten my password" which responds with an email verification. It's not like anyone's going to be watching the email account, are they?

Hijacked Identity
Armed with a hijacked cyber identity, the fraudster/criminal can do all the normal badness we'd expect - except that he's got a window of time with a much higher probability of successfully making money. While family members are bereaved and otherwise occupied, the fraudster can be making merry and escaping with their ill gotten gains.

Which leads me to my next question. If someone dies, how do you legitimately gain access to their cyber identity/accounts?

Take myself as an example, I have several online bank accounts in multiple countries (I know, it's a bit extreme, but I've lived and worked in multiple countries over the years) - each with different account credentials and passwords, a dozen regular email accounts and Web sites, several social network accounts, about two dozen physical service portal accounts (e.g. cable TV, Electric Utilities, etc.) for bill payment, and probably another 50-80 online accounts that I use regularly for various things (e.g. blogging, Work VPN, online shopping, etc.). No two accounts share the same passwords, but lots of them store my credit/debit card details, and I don't have any of that written down.

So, if I was to kark it tomorrow, would my family be able to recover the accounts - either transferring them over to their own account names (for bill payments) or shutting them down to prevent misuse? Frankly, I think the answer would be a colossal No. And, the more I think about it, that's probably going to be a problem.

With more and more "cyber identities" out there, and more and more of our day-to-day lives being conducted online, if you do croak, how do friends and family recover the important accounts - and how can they do that quickly? (yeah, I'm one of those folks with the slightly unique names).

Armed with the content of a typically verbose obituary, any automated dead-like-me equivalent to "forgotten my password" is probably going to be pretty useless. Not to mention the fact that family members are probably going to be rather occupied for the first few weeks. Also, let's say family members never uncover a particular account (e.g. a social network page/micro-site) - how long will it stay there? Should it stay there?

More Questions than Answers
This is one of those security blog entries that raises more questions than answers. And, even then, I think I'm only just scratching the surface of questions. However, I know from my own pentesting and passive information gathering experience that stealing online identities based upon obituary write-ups is going to be pretty easy - I'm sure you can guarantee that someone figured this out a while back and is probably already making a lot of money from this cyber vector.

I'd welcome any comments and thoughts from readers below...

Monday, March 2, 2009

Searching for a Phishing Spot

Phishing is one of those threats that has been around since the dark ages of the Internet and has never really gone away. It's constantly on everyone's lips, and most people know someone who's fallen victim to the scam somewhere along the line. I think that, as a threat, Phishing is on the decline (from the perspective of uncontrollable escalation like some other threats) but will likely never go away as long as we continue with Internet 1.0.

From the criminal phishing perspective, a critical component to the scam is the hosting of the counterfeit Web site. While I'd say that most security professionals have a good feel for the percentage and frequency of Web sites that are compromised and end up hosting the phishing content, I'd never really encountered any public analysis of the compromise vector and what the percentages were beyond a finger in the air.

Today I came across a very interesting paper Evil Searching: Compromise and Recompromise of Internet Hosts for Phishing, by security researchers Tyler Moore and Richard Clayton, which actually quantifies whats been going on.

Of particular interest to me was their analysis of the use of search engines by the criminals to find the vulnerable Web servers, and how repeated compromise of these vulnerable Web servers (for the purpose of Phishing) can be analyzed.

It's a very interesting paper, and I'd recommend those of you looking to protect your sites from Phishers take the time out to read through it.

Personally, I think the best defense against the search vector is what we've been saying for decades (and has appeared in every single pentest report I can ever remember writing) - watch out for information leakage, and change/obfuscate all service banners! Yes, I know that's not going to work in all cases, but it's a damn good place to start!
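The kind of leakage the paper's "evil searching" feeds on is the software name and version string that a Web server volunteers in its response. As an added illustrative example (not code from the original post or from the Moore and Clayton paper), here is a small checker that parses an HTTP response and flags the places those strings usually turn up: the Server and X-Powered-By style headers, a meta generator tag, and HTML comments carrying a version number. The two sample responses are constructed for the demonstration; the header names and the version pattern are my assumptions about what is worth flagging, not a complete list.

```python
"""Information-leakage checker for HTTP responses: flags service banners and
version strings that search engines index and phishers search for.

Added illustrative example, not part of the original post. The sample
responses below are constructed; the set of headers and patterns checked is an
assumption about common leak points, not an exhaustive list.
"""
import re

# Response headers that commonly announce software and version (assumed list).
BANNER_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-generator")

# A dotted version number such as 2.2.3 or 5.1 anywhere in a string.
VERSION_RE = re.compile(r"\b\d+\.\d+(?:\.\d+)?\b")
META_GENERATOR_RE = re.compile(
    r'<meta\s+name=["\']generator["\']\s+content=["\']([^"\']+)["\']', re.I
)
HTML_COMMENT_RE = re.compile(r"<!--(.*?)-->", re.S)


def parse_response(raw: str):
    """Split a raw HTTP/1.x response into (status line, header dict, body).
    Header names are lower-cased so lookups are case-insensitive."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def find_leaks(raw: str):
    """Return a list of (location, leaked value) tuples for one response."""
    _, headers, body = parse_response(raw)
    leaks = []
    for name in BANNER_HEADERS:
        value = headers.get(name)
        # A bare product name ("Apache") is tolerated; a version or a
        # product/version pair ("Apache/2.2.3", "PHP/5.1.6") is flagged.
        if value and (VERSION_RE.search(value) or "/" in value):
            leaks.append((f"header:{name}", value))
    for m in META_GENERATOR_RE.finditer(body):
        leaks.append(("html:meta-generator", m.group(1)))
    for m in HTML_COMMENT_RE.finditer(body):
        text = m.group(1).strip()
        if VERSION_RE.search(text):
            leaks.append(("html:comment", text))
    return leaks


# Constructed sample: a chatty, unhardened response.
LEAKY_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.2.3 (CentOS) PHP/5.1.6\r\n"
    "X-Powered-By: PHP/5.1.6\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    '<html><head><meta name="generator" content="WordPress 2.7"></head>'
    "<body><!-- built with osCommerce 2.2 RC2 --></body></html>"
)

# Constructed sample: the same site after banners and comments were stripped.
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><head></head><body></body></html>"
)


if __name__ == "__main__":
    for label, raw in (("leaky", LEAKY_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label)
        for where, value in find_leaks(raw):
            print(f"  {where}: {value}")
```

Running it against a live site is a matter of feeding `find_leaks` the raw response you fetched; the point of the constructed pair is that the hardened response gives a searcher nothing to query on. The caveat from the post still stands: stripping the banner removes the search signal, not the vulnerability behind it, so it belongs alongside patching rather than instead of it.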

You should probably also check out the paper I wrote several years back related to Passive Information Gathering.