Anti-virus consortium launched

NEWS

Computer Fraud & Security, April 2009

Editorial Office: Elsevier Ltd, The Boulevard, Langford Lane, Kidlington, Oxford, OX5 1GB, United Kingdom. Tel: +44 (0)1865 843695, Fax: +44 (0)1865 843933. Email: [email protected]. Web: www.computerfraudandsecurity.com. Editor: Danny Bradbury. Editorial Advisors: Silvano Ongetta, Italy; Chris Amery, UK; Jan Eloff, South Africa; Hans Gliss, Germany; David Herson, UK; P. Kraaibeek, Germany; Wayne Madsen, Virginia, USA; Belden Menkus, Tennessee, USA; Bill Murray, Connecticut, USA; Donn B. Parker, California, USA; Peter Sommer, UK; Mark Tantam, UK; Peter Thingsted, Denmark; Hank Wolfe, New Zealand; Charles Cresson Wood, USA; Bill J. Caelli, Australia.

Editorial

Once again, the RSA show in the USA is upon us. This giant trade event, which takes place in San Francisco, came under criticism last year by security guru Bruce Schneier, who said that it was due to shrink ‘like a punctured balloon’. The reason? A lack of communication. Vendors aren’t talking the same language as their customers, he asserted, and it was leaving customers confused. “You could walk into a booth, listen to a five-minute sales pitch by a marketing type, and still not know what the company does,” he said. “Even seasoned security professionals are confused.”

It’s true. I was in an interview with a company this month that rolled out over ten different security-related products in one sitting. The products all tackled slightly different nuances of a closely related set of problems, and were delivered with the requisite level of industry jargon. And of course, they were structured around a framework. Frameworks are to vendors what bailouts are to bankers; they can’t seem to live without them, even though they annoy and confuse the general public, and leave people feeling that they’ve somehow had the wool pulled over their eyes.

All this is counterintuitive, when you think about it. After all, complexity is anathema to security. As the dangers mount from increasingly sophisticated cyberattacks, the need for simplicity is increasing. Simplicity makes it easier for customers to understand what is being presented to them, and makes it more likely that they’ll pay for it. Perhaps as the different security shows unfold this year, we’ll see that attitude emerging – but we’re not holding our breath.

Danny Bradbury

Anti-virus consortium launched

A consortium of companies has created a working group to improve interoperability and working practices between anti-virus vendors. The Common Computing Security Standards consortium will make it easier for antivirus companies to share information and serve customers better, according to organiser Melih Abdulhayoglu.

Abdulhayoglu, CEO of certificate authority Comodo, called together the antivirus vendors after noticing a lack of cohesion in the way that they worked together. “The main purpose of this consortium is to give the anti-virus industry a voice, to get everyone to work together, so that end users are protected,” he said. “For example, to date, there is no organisation that will collate all the information from the anti-virus vendors about code signed malware - malware that has been digitally signed using code signing certificates.”

Abdulhayoglu was responsible for forming the CAB Forum, which created an extended validation SSL certificate standard to increase security for internet transactions. The CCSS’s first point of order will be to create a funnelling mechanism for participating vendors to feed code-signed malware samples through to the CAB Forum so that certificate authorities can deal with the problem by revoking the certs. The organisation is also producing a compatibility matrix so that anti-virus companies can provide users with information about which other anti-malware products their own software works with. This will be a self-reporting mechanism, and the CCSS will not have its own labs, Abdulhayoglu said.

Other potential activities that the CCSS could undertake include a clearing house for malware samples, along with work on a common naming mechanism for malware. At present, different vendors have their own naming conventions for the malware they discover. For example, the malware commonly known as Conficker has also been called Downadup and Kido by various vendors. To make things even more confusing, the same variant of the malware has been given different letters by different vendors. The variant referred to by Microsoft as Conficker.D is known as Conficker.C by others, for example.

The meeting, conducted late last month in Florida, brought together some of the major players in the antivirus space, Abdulhayoglu said. However, both Symantec and McAfee were notable absentees. “It would be nice to have them and I am sure that they will come and join us at some stage, should they care about their users,” said Abdulhayoglu. “I am sure that they are just waiting to see how the organisation takes shape.” Microsoft is involved in the effort, he said, along with WebRoot. The consortium also includes some antimalware companies specific to China. Kingsoft, one of the largest Chinese antivirus companies, is involved. Another Chinese antivirus firm, Rising, has also declared its interest in the consortium.
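The naming mismatch described above is what anyone correlating multi-vendor scan results runs into: the same sample comes back as Conficker, Downadup or Kido, and even the variant letters disagree. As an added illustration (not the consortium's, nor any vendor's, code), the Python below tokenises vendor detection names, resolves the family through an alias table, remaps vendor-specific variant letters, and tallies a consensus name. The alias table holds only the pairs the article states (Downadup and Kido for Conficker; Microsoft's Conficker.D for others' Conficker.C); the vendor labels, detection-name layouts and sample list are constructed for the example.

```python
import re
from collections import Counter

# Vendor family names -> canonical family. Only the aliases named in the
# news item are filled in; a real table would be maintained per vendor.
FAMILY_ALIASES = {
    "conficker": "conficker",
    "downadup": "conficker",
    "kido": "conficker",
}

# Variant letters disagree too: the item notes that Microsoft's Conficker.D
# is Conficker.C elsewhere. Keyed by (vendor, family, vendor_variant).
VARIANT_ALIASES = {
    ("microsoft", "conficker", "d"): "c",
}

# Detection names come in several layouts ("Prefix:Platform/Family.Variant",
# "Prefix.Family.Variant", "Family.Variant"). Rather than guess a grammar per
# vendor, split on the common separators and look for a known family token.
SEPARATORS = re.compile(r"[:/.!]")


def parse_detection(name):
    """Return (canonical_family, vendor_variant) or (None, None) if no token
    resolves through FAMILY_ALIASES. The token after the family, if any, is
    taken as the vendor's variant designation."""
    tokens = [t for t in SEPARATORS.split(name) if t]
    for i, tok in enumerate(tokens):
        family = FAMILY_ALIASES.get(tok.lower())
        if family:
            variant = tokens[i + 1].lower() if i + 1 < len(tokens) else None
            return family, variant
    return None, None


def normalise(vendor, name):
    """Map one vendor's detection name to a canonical 'family.variant' string,
    applying the per-vendor variant remapping. Unknown families yield None."""
    family, variant = parse_detection(name)
    if family is None:
        return None
    canonical = VARIANT_ALIASES.get((vendor.lower(), family, variant), variant)
    return f"{family}.{canonical}" if canonical else family


def consensus(detections):
    """detections: iterable of (vendor, detection_name). Returns a Counter of
    canonical names so the analyst sees agreement rather than four spellings."""
    names = (normalise(v, n) for v, n in detections)
    return Counter(n for n in names if n)


# Constructed sample of what a multi-engine scan might report for one file.
SAMPLE_DETECTIONS = [
    ("microsoft", "Worm:Win32/Conficker.D"),
    ("vendor-a", "W32.Downadup.C"),
    ("vendor-b", "Net-Worm.Win32.Kido.ih"),
    ("vendor-c", "Conficker.C"),
    ("vendor-d", "Generic.Malware.1234"),  # no known family: dropped
]

if __name__ == "__main__":
    for vendor, raw in SAMPLE_DETECTIONS:
        print(f"{vendor:10} {raw:28} -> {normalise(vendor, raw)}")
    print(consensus(SAMPLE_DETECTIONS))
```

The point of the remapping table is that it is the vendor's letter, not the family name, that is being translated; a naive "strip the suffix" approach would merge Conficker.D and Conficker.C as though they agreed on the variant, which the article says they do not.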

McCartney site hacked

Paul McCartney’s site was serving up the Zeus trojan for three days, according to UK security firm ScanSafe. The attack, in which paulmccartney.com was compromised with malicious JavaScript, appears to have been tailored to coincide with interest in his New York reunion concert in early April.

Attackers embedded a malicious IFRAME into the site, along with malicious JavaScript that used a unique multi-layer obfuscation attack, said ScanSafe’s director of product management Spencer Parker. “There is no other web site, of the billion or so we’ve visited as part of our service, that’s ever done something like this before,” Parker said. The JavaScript used different character encodings to cloak itself, and also sent an SSL certificate to the browser to encrypt its payload. The IFRAME and JavaScript directed the victims’ machines to a single IP address (84.244.138.55) based in Amsterdam, which has now been shut down. Reverse IP lookups reveal no information about the site, but it showed up on a malicious IP list. The IP address hosted the LuckySploit toolkit, which looks for multiple vulnerabilities on target machines, including the recently-patched Adobe PDF bug. Once a vulnerability has been found, the toolkit is believed to have delivered the Zeus trojan onto victims’ machines.

The quick shutting down of the IP address, in conjunction with the reunion concert, suggests that the attack was designed to harvest the maximum possible amount of traffic. “They do time their attacks very well. When the hackers find a way to exploit one of these sites and get their code embedded on the page, they will always try and time that for maximum effect,” Parker said. “And like a lot of attacks at the moment, it’s based on embedding a very small amount of code on the site.”

Should vendors be liable for security flaws in software?

By Carl Almond, senior director, Americas Security Practice, Avanade

Integrating security into applications is an obvious thing, especially since most software bugs are usually the result of small errors in the code or oversights in the requirements. However, very few people have publicly asked the question: should the vendors who create software containing security holes be held liable for their oversights? With the National Security Agency, along with the SANS Institute and MITRE, highlighting the urgent need for a solution with their list of the top 25 most dangerous programming errors, companies and vendors need to pay more attention.[1] Organisations need to start asking more questions about the security of commercial off-the-shelf (COTS) software and the custom applications that are developed specifically for them. According to a description of the Top 25 project by the SANS Institute, the avoidance of most of these errors is not widely taught by computer science programs, and their presence is frequently not tested by organisations developing software for sale. And the impact of these errors can be huge. SANS says that just two of the errors led to more than 1.5 million web site security breaches during 2008 - and those breaches cascaded onto the computers of people who visited those web sites, turning their machines into zombies.[2]

When discussing flawed applications and possible liability, it is necessary to separate the issue into two subcategories. First, there are COTS applications that are produced en masse and have been programmed with a set of general features in mind. These features may or may not be exactly what the consumer is looking for, but they generally fit the bill. In the case of COTS applications, each application comes with an End User License Agreement (EULA) that states the rules upon which the user gets access
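Returning to the paulmccartney.com item above: the compromise rested on a very small injected IFRAME plus obfuscated, character-encoded JavaScript, which is exactly the pattern a site owner can scan their own pages for. The Python below is an added defensive example, not ScanSafe's or any product's detection logic. It parses HTML with the standard library, flags IFRAMEs that point off-site and are sized or styled to be invisible, and flags inline scripts whose text is dominated by escape sequences or leans on decode-and-evaluate helpers. The page host, thresholds, the sample HTML and the 203.0.113.9 address are all constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Escape forms obfuscated loaders use to hide their text (constructed list).
ESCAPE_RE = re.compile(r"\\x[0-9a-fA-F]{2}|\\u[0-9a-fA-F]{4}|%[0-9a-fA-F]{2}")
# Helpers that decode-then-run; two or more alongside escapes is a strong hint.
SUSPECT_CALLS = ("eval(", "unescape(", "fromcharcode(", "document.write(")
ESCAPE_DENSITY_THRESHOLD = 0.3   # fraction of script text made of escapes


def script_is_suspicious(body):
    """Heuristic for inline scripts: high escape-sequence density, or escapes
    combined with at least two decode/eval helpers. Thresholds are constructed."""
    text = body.strip()
    if not text:
        return False
    escaped_chars = sum(len(m) for m in ESCAPE_RE.findall(text))
    density = escaped_chars / len(text)
    lowered = text.lower()
    helper_hits = sum(1 for call in SUSPECT_CALLS if call in lowered)
    return density > ESCAPE_DENSITY_THRESHOLD or (escaped_chars > 0 and helper_hits >= 2)


class InjectionScanner(HTMLParser):
    """Collects (kind, line_number, detail) findings for hidden off-site
    IFRAMEs and obfuscated inline scripts."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.findings = []
        self._in_script = False
        self._script_buf = []
        self._script_line = 0

    def _off_site(self, url):
        host = (urlparse(url).hostname or "").lower()
        if not host:
            return False            # relative URL: same site
        return host != self.page_host and not host.endswith("." + self.page_host)

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "iframe":
            src = a.get("src", "")
            style = a.get("style", "").replace(" ", "").lower()
            tiny = any(a.get(d, "").strip().rstrip("px") in ("0", "1")
                       for d in ("width", "height"))
            hidden = "display:none" in style or "visibility:hidden" in style
            if self._off_site(src) and (tiny or hidden):
                self.findings.append(("hidden-iframe", self.getpos()[0], src))
        elif tag == "script":
            self._in_script = True
            self._script_buf = []
            self._script_line = self.getpos()[0]

    def handle_data(self, data):
        if self._in_script:
            self._script_buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            body = "".join(self._script_buf)
            if script_is_suspicious(body):
                self.findings.append(("obfuscated-script", self._script_line, body.strip()[:40]))


def scan(html, page_host):
    """Run the scanner over one page's HTML and return its findings."""
    scanner = InjectionScanner(page_host)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample: a benign script, a 1x1 hidden off-site IFRAME, and a
# script whose percent-escaped payload decodes to the harmless "var x=1;".
SAMPLE_HTML = """<html><head><title>Tour dates</title>
<script>var year = 2009; document.getElementById('y');</script>
</head><body>
<h1>Reunion concert</h1>
<iframe src="http://203.0.113.9/index.php" width="1" height="1" style="display:none"></iframe>
<script>eval(unescape('%76%61%72%20%78%3d%31%3b'));</script>
</body></html>"""

if __name__ == "__main__":
    for kind, line, detail in scan(SAMPLE_HTML, "example.com"):
        print(f"line {line}: {kind}: {detail}")
```

Run against a site's own pages on a schedule, the useful signal is the diff: a hidden-iframe or obfuscated-script finding that was absent yesterday is worth a look regardless of how the heuristics are tuned, and the line number tells the administrator where the injected fragment sits.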