Corporate attacks focus on web

... creates a memory-isolated instance of Firefox and, when the browser is closed, all traces of it are erased from the computer’s memory. With technologies like this, passwords are likely to have a finite life. Eventually it will be possible to authenticate yourself to a device, locally or remotely, on a one-time TAN basis, using the highest possible levels of encryption.

About the author

Steve Gold has been a business journalist and technology writer for 26 years. A qualified accountant and former auditor, he has specialised in IT security, business matters, the Internet and communications for most of that time. He is technical editor of Infosecurity and lectures regularly on criminal psychology and cybercrime.

...Continued from page 2

February 2010, Microsoft had obtained a court order allowing VeriSign, as the registry for the domains, to deactivate 277 domains (one was subsequently claimed by a legitimate owner whose site had been compromised). This effectively shut down the botnet, which has since failed to reappear. This means Microsoft’s legal approach has proved to be one of the most successful takedowns to date and may be a model for future action.

In spite of these setbacks, the malware and botnet industries seem to be doing good business. EMC’s RSA security division has issued its latest fraud report – ‘Prices of Goods and Services offered in the Cybercriminal Underground’ – which puts price tags on various elements of this underground activity. Bulletproof hosting, it says, can be had for $87-179 a month. The SpyEye trojan kit will cost you $1,000 and the Zeus trojan kit three times that. The report is here (PDF):

There are new botnets on the scene, too. Security specialist Damballa recently unearthed the IMDDOS botnet, based in China, which is offering Distributed Denial of Service (DDoS) attacks as a pay-for-delivery service available to anyone. It has become one of the world’s largest botnets – within four months of initial testing Damballa saw a peak of 25,000 machines attempting to resolve the IP address of the botnet’s C&C servers. The majority of the infected machines that comprise the botnet are in China, but it also includes machines around the world, including a number of major corporate networks.

“The commercial nature of this botnet and the rapid growth and ultimate size are what make this discovery interesting,” said Gunter Ollmann, vice president of research for Damballa. “The public website hosting the DDoS service offering, with various ‘plans’ and attack options, speaks to the ease with which anyone can leverage criminal infrastructure. The malware used is simplistic, yet it was successful in spreading rapidly. And while it appears to be primarily a DDoS delivery platform, the size of the botnet reached impressive proportions, certainly large enough to wreak major havoc on any victim organisation should it be pointed in the right direction.” Damballa has published an analysis here: .

Meanwhile, the Mexico-based Mehika botnet is the latest to use Twitter as its C&C channel, a technique first detected in summer 2009 but still pretty rare. Using this method means that the botnet operators don’t need to establish a dedicated C&C server that could be taken down or require the use of sophisticated protection techniques. The control messages themselves are difficult to spot in the high volumes of traffic on Twitter. Mehika went silent the same day it was spotted. It is one of four botnets analysed in a new report by Trend Micro – ‘Discerning Relationships: The Mexican Botnet Connection’ (PDF):

September 2010

Corporate attacks focus on web

More than 80% of attacks against corporate networks target web systems, claims a new report by HP TippingPoint’s Digital Vaccine Labs (DVLabs). And the number of attacks is rising rapidly.

The ‘Cyber Security Risks Report’ covers the first half of 2010 and, says DVLabs, is based on real security event data. Attacks on web servers, using SQL injection, PHP File Include or other techniques, have doubled in the past six months, says the report. Those using browser-based flaws, such as QuickTime and Flash vulnerabilities, have tripled and now constitute the main entry point for hackers into corporate networks.

Network Security

“To mitigate network security risk, organisations need insight into the potential threats associated with using social media networking sites and web application downloads in a business environment,” said Mike Dausin, manager, Advanced Security Intelligence, HP TippingPoint DVLabs. “By understanding the increased risk these applications pose to the corporate network, organisations can implement remediation strategies to ensure that business processes, as well as data, remain secure.”

According to DVLabs, the aim of the report is to help organisations understand the attack frequency and risks of web-based computing in order to adapt their security accordingly. In particular, DVLabs argues that firms need to get to grips with PDF vulnerabilities, understand new techniques being used by attackers and prevent older threats – such as SQL Slammer, Code Red and Conficker – from becoming a problem by understanding their pervasiveness.

Data for the report was provided by hundreds of deployed HP TippingPoint Intrusion Prevention Systems (IPS), plus information provided by SANS, the Open Source Vulnerability Database and Qualys. The report is available here (PDF): .

Smartphones present major threat

The smartphone is emerging as a key threat vector, but most organisations are being slow to appreciate the dangers, according to industry experts.

At the IDC Security Conference 2010, Howard Clegg, head of solution sales at Vodafone UK, said he believes that businesses are not taking mobile security seriously. He claimed that users are 15 times more likely to send confidential information using smartphones than laptops when working outside the office.

“It is difficult to get organisations to realise smartphones are as important as laptops in terms of security,” he said. “With the rise in attacks on smartphones in 2010, these devices need to be considered in the same light as mini PCs.”

Paul Vlissidis, technical director at NGS Secure, part of the NCC Group, has similar concerns. He believes that rogue applications downloaded to smartphones should be the top security concern for organisations. Speaking to Computer Weekly, he said: “Most large companies have the security policies and software in place to protect mobile devices on a base level, but only now are they beginning to consider apps as vulnerable to cybercrime.”

These warnings come at a time when the Android platform has acquired its second trojan. Kaspersky has identified SMS malware which it has dubbed SMS.AndroidOS.FakePlayer.b. As the name suggests, it masquerades as a media player and infection requires the user to manually install the application. Warning signs are that the code is less than 17KB and requests that the user authorises the sending of SMS messages – both highly unlikely for a media player. Currently, the trojan is being distributed via Russian adult websites.

Hacking popular among students

Nearly a quarter of UK college students have indulged in hacking IT systems, according to a survey conducted by Tufin Technologies and supported by the Association of Chief Police Officers (ACPO).

Encouragingly, 84% said they know that hacking is wrong, although 32% said it is cool. That means there is some degree of overlap where they feel it is both wrong and cool. Of the hackers, a third do it for fun, 22% out of curiosity and just 15% to make money. The practice is split evenly between males and females. The main hacking activity involves getting into other people’s email and social networking accounts – nearly half the students had themselves fallen victim to this.

EVENTS CALENDAR

9 October 2010
ZaCon community hacker conference
Location: University of Johannesburg, South Africa
Website: http://zacon.org.za

21 October 2010
MALWARE 2010 – 5th International Conference on Malicious and Unwanted Software
Location: Grand Hotel de la Reine, Marlboro, MA, US
Website: www.malware2010.org

25-30 October 2010
SANS Chicago 2010
Location: Chicago, US
Website: www.sans.org/info/61188

27 October 2010
The 3rd Regional Conference on Criminal Law and Challenges of Fighting Cybercrime
Location: Casablanca, Morocco
Website: Cybercrime-fr.org/index.pl/maroc2010

3 November 2010
Cyber Security Readiness Summit
Location: Arlington, Virginia, US
Website: www.wbresearch.com/cybersecurity/

7 November 2010
SANS San Francisco 2010
Location: San Francisco, California, US
Website: www.sans.org/info/61308

8 November 2010
5th International Conference for Internet Technology and Secured Transactions (ICITST-2010)
Location: London, UK
Website: www.icitst.org