
The role of anti-automation in DoS attacks March 16, 2011

Posted by alexoldman in Computer, Information security, Malware, Security.

Trustwave SpiderLabs have published their semi-annual review titled “Web Hacking Incident Database”. The headline is a sharp increase in the number of Denial of Service (DoS) attacks, such as those of the hacktivist group Anonymous Group. Anonymous Group were motivated by ideology to attack websites they perceived as a threat to Wikileaks. Visa, MasterCard, Amazon and PayPal were all well-documented targets of these attacks, which resulted in downtime, business interruption and financial loss. Other DoS attacks have been reported in areas of political unrest such as Tunisia and Egypt. In the case of Egypt, the government ordered major internet service providers to disconnect their customers.

While much has been written about the motivations, methods and effects of these attacks, there is little communication on defence. This may be because defending against DoS is a complex process – with many layers needing consideration: network; platform; database; application.

SpiderLabs report that 36% of applications fail to provide anti-automation features. Automation is an issue because the source of these attacks is typically a botnet: a distributed network of zombie computers under the command and control of a single group or individual, called a herder. The botnet herder issues commands to the zombies on what to attack. Criminal business models are built on this, offering DoS as an on-demand service, much like your pay-as-you-go mobile. The zombies are compromised via malware and sit quietly awaiting instructions on what to attack. Gone are the days of destructive malware, the viruses of days gone by. Nowadays the criminals want to monetise a compromised computer, so they won’t destroy it. These botnets can be large: in 2010, CERT Netherlands closed down a botnet with 1.5 million zombies. What is worrying is that the traditional controls of firewalls and IDS devices may not be sufficient to repel such an attack. What was new about Anonymous Group is that they asked individuals to run DoS software, willingly and knowingly, on their own computers and take orders via Twitter. No malware was required in that botnet. This attack was very hard to defend against, as highlighted by the fact that goliaths of the internet such as MasterCard were so badly hit.

A classic anti-automation control is to insert a Turing Test into a web page. The Turing Test is a way to determine whether you are dealing with a human or with software. A good example is a visual verification test, asking what the user sees and giving choices. CAPTCHA (www.captcha.net) is a technology where distorted text is displayed to users, which they must then type back as a response.

Turing Tests and CAPTCHA technology can be defeated by farming out the responses to actual humans. Some websites offering free pornography will perform a Turing Test, or ask for a CAPTCHA response first; the human answer is then fed back to the attack software. CAPTCHA can also be defeated with recognition software, so CAPTCHA is increasing in sophistication all the time. This has become something of a cat and mouse game.

Furthermore, the attacks by Anonymous were against the services and platforms providing the web application, drawing on well-understood weaknesses in network protocols. It may be time to move from IPv4 to IPv6, which is labelled as a much more secure protocol.

Egypt’s internet outage was really the worst-case scenario: as a company providing a web service, your ISP pulls the plug on you. Universal mirroring may be the only response.

So, the challenge is to respond to these threats: first of all, to recognise that the threat environment is changing at an alarming rate; to design your infrastructure, platforms and applications to defend against attack; to regularly measure the effectiveness of your controls; and to monitor developments in this arena.

Developers and Solutions Architects should pay attention to the OWASP Top 10 (http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project), which describes the most prevalent application security risks. The Common Weakness Enumeration (CWE) Top 25 (http://cwe.mitre.org/top25/) complements the OWASP Top 10.

Download a copy of the Trustwave SpiderLabs report yourself from https://www.trustwave.com/wp/whid/

A solution to corporate iPhone security problem? February 15, 2011

Posted by alexoldman in Computer, Security.

You cannot deny that iPhones and iPads are ubiquitous, game-changing devices. They are changing the way people interact with information and with each other. Always-on corporate devices such as the Blackberry have been breaking down the corporate divide for years now: people tweet at work, and check emails at home at the weekend. These devices offer us a potentially utopian work/life balance, and I am a big fan. The problem is the cool scale, and an iPhone is cooler than a Blackberry….

The Information Security community has been scared of encouraging Apple devices because of the lack of built-in controls. Features familiar to us from Blackberry Enterprise Server, such as on-device encryption, in-air encryption, remote wiping, policy enforcement, password protection etc. just don’t exist on Apple platforms. It surprises me that Apple have not done more to embrace enterprise requirements. In turn, the corporate response is to actively discourage Steve Jobs’ devices.

Well, where there is a market opportunity, entrepreneurs will fill the need. There is a neat-looking tool called “Good for Enterprise” now in the iTunes app store. Not having dealt with Good products before, I cannot advocate them myself, but on paper this solution sounds good for our Enterprise.

Read more on Good For Enterprise at http://www.good.com/media/pdf/enterprise/Good_for_Enterprise_Brochure.pdf

YouriPhone = MyniGhtmare February 3, 2011

Posted by alexoldman in Computer, Information security, Security.

A friend invited me to attend the forthcoming London BCS meeting to discuss the Verizon Business 2010 Data Breaches Report. Now, I’ve not seen this Verizon report, but I tend to spend about 1-2 hours per week researching security issues and news, and this sort of report comes up a lot, so I am generally aware of what it will say.

Other good reports I regularly read are published by Gartner and Ponemon Institute.

Generally these reports are likely to say that incident volumes are rising and resulting costs are increasing. The reasons for increasing security incident volumes aren’t entirely clear; I think there are many factors. Some argue that it’s due to increased regulation, which now tends to require reporting (previously incidents may have gone unreported). The EU’s direction towards mirroring US-style privacy disclosure is something I’m keeping an eye on.

There is also an interesting shift in the way people are thinking about information security: the social barriers between private and public information are blurring. The recently enabled check-in feature on Facebook is a good example of this. Who would have said 10 years ago that I could see where people had been, or were, by looking at a website? There are also a load of iPad/iPhone apps offering geo-based services. There is a general movement towards acceptance of this. The US Groupon.com is a good example of how users accept the privacy risk/reward shift.

Apple iPhone/iPad are themselves enabling a whole host of problems. Right there you have a highly desirable small, portable device that is jammed full of personal information and can’t be centrally managed (in IT Security terms). Your iPhone = My niGhtmare.

Costs of privacy incidents are also rising. There is the regulatory side, e.g. since April 2010 the ICO has had new powers to fine (up to £500,000) and is starting to flex its muscles. The market is reacting, with the wise starting to build security requirements (read: costs) into contracts. And don’t even get me started on cloud computing! It’s all good stuff for security folks of course. Should keep me paying the bills for a while.

Getting started with static malware analysis January 19, 2011

Posted by alexoldman in Computer, Malware, Security.

From time to time your anti-virus product will detect and kill some malware. You live day after day, year after year, trusting your anti-virus… then, perhaps twice a decade, you will be unfortunate enough to deal with an infection that your anti-virus product is not detecting. In my time I’ve had to deal with Slammer (a network worm which hit most of the world’s vulnerable SQL servers within a few minutes of the initial infection) and, more recently, PinkSlip, a fairly harmless but persistent Trojan worm which just wouldn’t die.

Your first call could be to the support desk of your anti-virus vendor. However, you may feel the need to take things into your own hands to answer questions like: what is the payload? Which ports do I block to prevent spreading? What are the characteristics of infection?

So let’s assume that you’ve got your hands on an infected system. I would advise that you disconnect it from the network, but don’t shut it down. Take a moment to note the operating system version (Windows XP or Windows 7?) and service pack level. Write down your observations in a log book for future reference. Look at the file you suspect. If it’s an EXE, is there any evidence of it running in Task Manager?

Grab a copy of the suspect file(s), and any associated files such as DLLs or log files, and keep them in a compressed archive called infected.zip. By calling it infected.zip, you, or anyone else who stumbles across the file, should know not to execute the contents.

Run Process Explorer from the Microsoft Sysinternals suite, which is like Task Manager on steroids. What happens if you kill the suspect process? Does another process immediately spawn? This can indicate that you’ve got two processes looking out for one another.

Submit your sample to www.virustotal.com for analysis. VirusTotal will scan your sample against loads of anti-virus engines, including the most popular, and tell you what they detect.

If you need more information, like how it is propagating, what ports to block, or anything else about the payload, I found www.threatexpert.com very useful.
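As an added example (not code from the original post), here is a PowerShell function that packages the collection steps above: it records the OS version and service pack, the SHA-256 hash, timestamps and Authenticode status of each suspect file, whether a process is currently running from that image, and zips the files together with the notes into infected.zip. It assumes Windows PowerShell 5.1 or later (for Get-FileHash and Compress-Archive); the paths in the usage comment are placeholders, not files from the post.

```powershell
# Added example (not from the original post): collect the suspect files and a
# triage note into infected.zip. Assumes Windows PowerShell 5.1+ (Get-FileHash,
# Compress-Archive). Run it after taking the machine off the network.
function New-TriageArchive {
    param(
        [Parameter(Mandatory)] [string[]] $Paths,                        # suspect EXE/DLL/log files
        [string] $OutDir = (Join-Path $env:USERPROFILE 'Desktop\triage')  # where infected.zip goes
    )
    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

    # The "log book" entries the post recommends: host, OS version and service pack
    $os    = Get-CimInstance Win32_OperatingSystem
    $notes = @(
        "Collected: $(Get-Date -Format o) on $env:COMPUTERNAME by $env:USERNAME",
        "OS: $($os.Caption) $($os.Version) (Service Pack $($os.ServicePackMajorVersion))"
    )

    foreach ($p in $Paths) {
        $f    = Get-Item -LiteralPath $p -ErrorAction Stop
        $hash = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash
        $sig  = Get-AuthenticodeSignature -LiteralPath $f.FullName
        # Task Manager check: is anything currently running from this image?
        $running = Get-Process -ErrorAction SilentlyContinue |
            Where-Object { $_.Path -and ($_.Path -ieq $f.FullName) } |
            ForEach-Object { "$($_.Name) (PID $($_.Id))" }
        $notes += "File: $($f.FullName)"
        $notes += "  Size: $($f.Length) bytes  Created: $($f.CreationTimeUtc.ToString('o'))  Modified: $($f.LastWriteTimeUtc.ToString('o'))"
        $notes += "  SHA256: $hash"
        $notes += "  Authenticode: $($sig.Status)  Signer: $($sig.SignerCertificate.Subject)"
        $notes += "  Running: " + $(if ($running) { $running -join ', ' } else { 'no process with this image path' })
    }

    $noteFile = Join-Path $OutDir 'triage-notes.txt'
    $notes | Set-Content -LiteralPath $noteFile -Encoding UTF8

    # infected.zip: the name is the warning. Keep the note alongside the samples.
    $zip = Join-Path $OutDir 'infected.zip'
    Compress-Archive -LiteralPath ($Paths + $noteFile) -DestinationPath $zip -Force
    Get-Content -LiteralPath $noteFile
    return $zip
}

# Usage (placeholder paths; replace with the files you actually suspect):
# New-TriageArchive -Paths 'C:\Windows\Temp\suspect.exe', 'C:\Windows\Temp\helper.dll'
```

The SHA-256 values in the note can be searched on VirusTotal before uploading anything, and the note itself gives you the log-book record for the incident.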

Once you know what you are dealing with, you can start developing a malware removal strategy. For the most part, the easiest way to guarantee that you’ve removed all the nasties is to FDISK the system and start again. Obviously, make sure that you have a good backup of your data, and take care with that backup.

Another option for a desktop computer is physically removing the disk and adding it to a known clean PC for scanning and cleaning. If you have encrypted disks, this may be problematic.

If the machine is remote to you, you can consider using something like the Ultimate Boot CD for Windows (UBCD4WIN), which can get a remote machine onto an IP address just by booting from removable media. A USB boot is an option. Once you have it on the network, you can map a network drive and just use a known clean machine to scan over the network. The problem here could be the impact on network bandwidth and just how long a scan of a large disk may take.

How to unblock zip attachments in Adobe PDF files January 7, 2011

Posted by alexoldman in Computer, Security.

There is a neat feature in Adobe PDFs that supports file attachments. As any security-conscious user will know, file attachments can be dangerous, as they may contain malicious executable content.

Adobe have applied a security template to their software, to protect against interaction with various file types. The most frustrating block I frequently come across is a ZIP file. In my opinion, as a user I should be able to choose whether it’s safe to open a Zip file that has been embedded in a PDF.

Here is how to remove the policy block on Zip file attachments in Adobe PDF. These instructions work for Adobe Reader or Adobe Standard:

  1. Open Regedit.exe
  2. Browse to HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Adobe\<product>\<version>\FeatureLockDown\cDefaultLaunchAttachmentPerms, replacing <product> and <version> as appropriate, e.g. HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Adobe\Adobe Acrobat\8.0\FeatureLockDown\cDefaultLaunchAttachmentPerms
  3. Locate .ZIP:3 in the value list and edit it to read .ZIP:1; this changes the behaviour to prompt the user for an action (save or open).
  4. Close Regedit and reopen Adobe.

You should now be able to open Zip attachments in PDF files.

If this is a corporate problem, you can deploy the Registry update easily using a .REG file, or create a Group Policy to apply it using Microsoft Active Directory.

Spotting a malicious proxy December 8, 2010

Posted by alexoldman in Computer, Security.

A web proxy is a piece of software (sometimes presented as a hardware appliance, such as BlueCoat proxies) which handles web requests on your behalf. Proxies can cache web traffic and serve up a cached copy instead of reloading a whole page from the internet. This can speed up a user’s web experience. A good thing.

The term proxy can also be applied to software such as Burp. This is software installed on the PC, generally for the purpose of intercepting web traffic. The reasons for doing this can vary. Typically Burp is used to examine, and even potentially modify, web browser requests. Burp proxy is an excellent tool for security testing web applications, but if you are a Burp user, you’d know it was there….

A nasty piece of malware I had to deal with recently was seen to execute a hidden proxy on a Windows machine and modify the registry settings to redirect browser traffic via the proxy. In this case, Google search results traffic was redirected to websites advertising anti-virus software.

Identify and kill

I was able to examine the registry by hand, using Regedit.exe, to identify the port in use.

The registry key of interest is:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy"=dword:00000001
"ProxyEnable"=dword:00000001
"ProxyHttp1.1"=dword:00000000
"ProxyServer"="http://ProxyServername:80"
"ProxyOverride"="<local>"

The value 80 on the end of the ProxyServer key indicates the port. In my case, it was something like port 31524.

I then used the netstat -ab command to identify the process that was hosting the proxy on that port, and killed off the errant process using Task Manager. It was then a case of identifying the executable responsible, now that it was unloaded from memory, and cleaning up my system.
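As an added example, not code from the original post: a PowerShell function that reads the same Internet Settings key, pulls every port out of ProxyServer, and uses netstat -ano (which, like the netstat -ab used above, shows the owning PID) to report which process is listening on each port, together with its image path, before anything is killed. It assumes Windows PowerShell 3.0 or later and that it runs in the affected user’s session.

```powershell
# Added example (not from the original post): find which local process is
# serving the proxy configured in the user's Internet Settings key. Assumes
# Windows PowerShell 3.0+ and that it runs in the affected user's session.
function Find-LocalProxyListener {
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $s   = Get-ItemProperty -Path $key
    if (-not $s.ProxyEnable) {
        Write-Output 'ProxyEnable is 0 or absent: no WinINet proxy is configured for this user.'
        return
    }
    $server = [string]$s.ProxyServer
    Write-Output "ProxyServer = $server   ProxyOverride = $($s.ProxyOverride)"

    # ProxyServer can be "host:port", "http://host:port" or "http=host:port;https=host:port";
    # pull out every port number that ends an entry.
    $ports = [regex]::Matches($server, ':(\d{1,5})(?=;|$)') |
        ForEach-Object { $_.Groups[1].Value } | Sort-Object -Unique

    foreach ($port in $ports) {
        # netstat -ano prints the owning PID; a LISTENING socket on this port means the
        # proxy is local (the post's case) rather than an upstream corporate proxy.
        $pattern = '^\s*TCP\s+\S+:{0}\s+\S+\s+LISTENING\s+(\d+)\s*$' -f $port
        $hits = netstat -ano | Where-Object { $_ -match $pattern }
        if (-not $hits) {
            Write-Output "Port ${port}: nothing listening locally (remote proxy, or the process has already exited)"
            continue
        }
        foreach ($line in $hits) {
            $null     = $line -match $pattern
            $ownerPid = [int]$Matches[1]
            $proc     = Get-Process -Id $ownerPid -ErrorAction SilentlyContinue
            # Record the image path BEFORE killing anything, so the file can still be found later
            $name = if ($proc) { $proc.Name } else { '<exited>' }
            $path = if ($proc -and $proc.Path) { $proc.Path } else { '<unavailable: run elevated>' }
            [pscustomobject]@{ Port = $port; PID = $ownerPid; Process = $name; Path = $path }
        }
    }
}

Find-LocalProxyListener
```

The reported Path is the executable you will need to remove once the process has been stopped.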

Handy reference for Information Security laws and acts November 29, 2010

Posted by alexoldman in Computer, Security.

Do you have trouble knowing where you stand with regard to the (many and varied) laws and regulations of Information Security?

Check out this useful primer for a list of Laws, Regulations and Guidelines.

McAfee Anti-virus path November 4, 2010

Posted by alexoldman in Computer, Security.

I have just found out that there is an environment variable, %DEFLOGDIR%, on Windows systems which points to the log files used by McAfee anti-virus products.

Use the command SET DEFLOGDIR (or ECHO %DEFLOGDIR%) to view the path to the log files.

Two useful logs to examine are:

  • OnDemandScanLog.TXT contains the results of the most recent scan
  • UpdateLog.TXT has the update history

Hope this is useful to someone.

Stopping my Blackberry Curve from making emergency calls October 18, 2010

Posted by alexoldman in Security.

I’ve got a Blackberry 8520 curve as my company mobile phone.

It is centrally managed by policy from a Blackberry Enterprise Server (BES), so the screen locks after a certain period of time. There is a feature, which I understand is a European requirement, to permit emergency calls from the unlock screen without entering an unlock code. On at least three occasions, this has resulted in my phone making emergency service calls from my pocket or bag. I normally only notice when the switchboard at the other end “blasts” a message on my phone saying something like “did you mean to call us”….. I hang up, worried that I’ve wasted some time and perhaps cost lives.

I am relieved to have discovered that you can “lock” the entire keypad including the “pearl” by putting the device into Standby Mode. It can still receive text messages and phone calls, but the keypad won’t work, just like my old Nokia.

To enter standby mode, press and hold the Mute key until the display tells you that it’s about to enter standby mode. To exit standby mode, just press the mute button again. Genius!

Prey Project October 3, 2010

Posted by alexoldman in Computer, Security.

I’ve never had the personal misfortune of losing a computer. I once left my work laptop on a train in Manchester, but amazingly got it back within 20 minutes thanks to some quick-witted train staff.

I was reading with interest on Wired magazine’s website about Prey Project. This is open source software to assist in the retrieval of your lost or stolen computer. Running as a background service, it lets you request reports from your computer, including hardware scans and geo-location (using wifi hotspot geo-location), take stealth photographs using the built-in webcam, lock the computer, or send messages to the screen of the remote computer.

It’s an intriguing piece of software, and something that along with TrueCrypt, I’ll be rolling out on all my home computers.