Greetings from Las Vegas and the Blackhat Conference.
As I mulled over what I was going to write, I realized that if I said everything I wanted to say it would be an epic post and most people probably wouldn't make it all the way through. So, I'll try to keep my editorials brief and to the point as I review Day 1 at Blackhat.
The morning started with a keynote by Douglas Merrill, formerly of Google (and several other places, but he is most likely best known for his work at Google). This was a great talk where he said, among other things, that we are doing security incorrectly. In large part I agree with him. This is generally because it appears that the goals of the security program from the Information Security Officer's perspective and from the CEO's perspective are very different. We already know that support from executive management is critical to the success of your security program, but what I don't think we are doing enough of is making sure those goals are aligned. That comes down to better coordination between the security officer and the CEO. The CEO might fully support the work that you are doing, but you need to be sure your intentions are aligned; otherwise you might be focusing on the wrong thing, which could land you in hot water should an event happen which the CEO thought you had well in hand. There were many other things that he covered as well, but I want to move on to the rest of the day.
The next session that I attended was one on router exploitation. This was also a very interesting talk because the presenter segregated his talk into different ranges: part of the talk was at a level more for the managerial types in the room and the other was geared more toward the hardcore assembly programmers in the room (and some in between). The primary focus of this presentation was on the ranges of exploitability (is that a word?) between different types of routers. He zeroed in on Cisco's IOS, mostly because Cisco manufactures the most widely used routers on the internet. Also discussed were the difficulties in exploiting Cisco's routers. Why? Because their code is so secure that it is nearly unbreakable? No. Because of the different variations in their build process. According to Cisco's Feature Navigator, as of June 2009 they have over 272k different builds of their IOS software, which probably contain about as many different memory and heap layouts. These different memory layouts make exploiting a router very difficult because you have to write your shellcode for a memory layout that varies entirely depending on which build you are targeting. He also discussed how to potentially exploit a router using ROMMON (the ROM Monitor) and some of the challenges associated with that type of attack as well.
Next I attended a presentation on fighting Russian cyber crime mobsters. This was a very interesting talk with a lot of historical references and timelines primarily with respect to the Dark Market FBI sting headed up by Agent Keith Mularski, who was one of the folks speaking. He gave detailed accounts of his undercover operation and how well crafted it was. It was so well done that people in his own agency couldn't figure out he was the one participating in the sting. He also gave accounts of how he earned the trust of the top members of Dark Market, even to the point of getting them to move the Dark Market forums to FBI servers (of course the Dark Market folks didn't know they were FBI servers) when the site was under a DDoS attack. Very entertaining.
The next session was about cross-site scripting (XSS) and how to craft XSS that will bypass some of the known filters out there like NoScript, IE 8's built-in XSS filter, PHP-IDS, and mod_security. I learned a few new XSS tricks that I am looking forward to bringing back and playing with. The moral of this talk was that even though there are ways to construct XSS attacks that bypass these filters, overall they do a pretty good job (save for mod_security, which you should steer clear of) of detecting the common attacks and even do well at picking off the not-so-common ones. The biggest issue with mod_security is that its filtering looks for specific keywords in the raw request and doesn't handle the many different encodings that the application or browser will decode afterwards (so it is easily fooled).
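To make the keyword-versus-encoding point concrete, here is a small added example (my own illustration, not code from the talk or from any of the filters named above). A naive filter matches the literal string `<script` in the raw input, which is the behaviour the post criticizes; a second filter first applies the decodings the downstream web server or browser will apply (URL-decoding, HTML entity decoding, case folding) and only then matches. The payloads and the decode chain are constructed for the example and are assumptions; a real deployment has to mirror exactly what its own application stack decodes, or it will either miss payloads or flag benign input.

```python
import html
import re
from urllib.parse import unquote

# Constructed sample inputs (not taken from the original post).  The first is the
# plain form a keyword filter catches; the others hide the same tag behind
# case changes or encodings that are undone *after* a raw-string filter has run.
SAMPLES = {
    "plain":       "<script>alert(1)</script>",
    "mixed_case":  "<ScRiPt>alert(1)</sCrIpT>",
    "url_encoded": "%3Cscript%3Ealert(1)%3C/script%3E",        # decoded by the server
    "double_url":  "%253Cscript%253Ealert(1)%253C/script%253E", # decoded twice
    "html_entity": "&#x3C;script&#x3E;alert(1)&#x3C;/script&#x3E;",  # decoded by the browser
    "benign":      "The script for tonight's show is ready",
}

KEYWORD = re.compile(r"<script")


def naive_filter(value: str) -> bool:
    """Keyword match on the raw request string: the weakness described above."""
    return bool(KEYWORD.search(value))


def normalize(value: str, max_rounds: int = 3) -> str:
    """Apply the decodings the application and browser will apply, then fold case.

    The loop is bounded so that a double- or triple-encoded payload is unwrapped
    but a hostile input cannot make the filter spin forever.
    """
    current = value
    for _ in range(max_rounds):
        decoded = html.unescape(unquote(current))
        if decoded == current:      # nothing left to decode
            break
        current = decoded
    return current.lower()


def normalized_filter(value: str) -> bool:
    """Same keyword, but matched against the normalized form of the input."""
    return bool(KEYWORD.search(normalize(value)))


def compare(samples=SAMPLES) -> dict:
    """Return {name: (naive_verdict, normalized_verdict)} for each sample."""
    return {name: (naive_filter(p), normalized_filter(p)) for name, p in samples.items()}


if __name__ == "__main__":
    for name, (naive, norm) in compare().items():
        print(f"{name:12s} naive={naive!s:5s} normalized={norm!s:5s}")
```

Running it shows the naive filter catching only the plain payload while the normalized filter catches all five encoded variants and still passes the benign sentence. The bounded decode loop is the design choice worth noting: decoding too little misses payloads, decoding more rounds than the application does creates false positives on legitimate data that merely looks encoded.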
The next talk was about the underground economy. Although I found this talk very interesting and full of facts, I don't necessarily agree with some of the statements that were made. One of their overriding assertions during this talk was that spammers aren't making very much money. The quote was that "If anybody can do it, everybody does, and nobody makes any money." I believe that this assertion largely depends on what part of the spammer "food chain" you are looking at. At the bottom rung of the food chain you have the grunts, the mules, the infantry: the ones who are most at risk of being caught. These are generally the folks who are running the drop accounts, the accounts that are used to move money from one account to the next. These folks are the most expendable and make a small wage for their time. Consider them the burger flippers and french fry makers of the organization (no offense intended to burger flippers and french fry makers!). As you move up the food chain you are dealing with people who are generally less visible to the operation and are also pulling in more money. Continue to move up the chain until you get to the guy at the top. Now, if you are playing off of sheer percentages, yes, a good percentage of the operation, the front line folks, aren't making that much money. The reality, however, is that if spammers weren't making much money they wouldn't have the motivation to continue doing it. It is a financially motivated economy and the only reason these guys stay in the game is because they can make money, lots of it.
They did make one point which I thought carried a lot of weight, and that was the reasoning behind why more banks have not implemented something the security community has been asking for: two-factor authentication. Some banks have implemented cosmetic features like on-screen keyboards and SiteKeys, but the reality according to their figures is that banks lose an average of 34 cents per customer per year to phishing. The average support phone call that gets through to a person costs about $10 per call. So, even if only 10% of a bank's customers made one support call a year, that is about $1 per customer per year, roughly three times the phishing loss, and a two-factor rollout that generates even a modest number of support calls costs more than the fraud it prevents. So, at the end of the day the cost/benefit analysis of whether or not to implement two-factor authentication falls on the "no" side of the fence.
The last talk I attended today was one called Internet Special Ops (Stalking Badness Through Data Mining). This talk started off kind of rough. Paul Vixie started his portion of the presentation by apologizing to the audience (doesn't he know this is one of the things that you NEVER do during a presentation?) because the slides he was going to present were probably too high level for the audience (another one of the things you NEVER do; you must know your audience). He said he was expecting more people in suits than technical folks. I am assuming he has spoken at Blackhat before??? Anyway, the other two presenters were decent, talking about Conficker and how to correlate disparate data points to put together a story. I have to admit, though, that because of how this presentation started, this was the one I was most underwhelmed with. It was also the end of a long, learning-filled day, so you could also accuse me of being a bit apathetic at that point and I wouldn't argue with you about it.
I also attended Johnny Long's talk about Hackers for Charity, where he also told his story from where he began to how he got to the "Internet Rockstar" status he currently has. This guy is laugh-out-loud funny. I know quite a few people who make me laugh pretty hard, but I can usually control it to a low roar. This guy made you laugh out loud to where you were completely unable to stop yourself. In addition to Hackers for Charity being a great organization, he had a great message as well. That message was that in the security community we have great power and knowledge. We should use that great power and knowledge to make sure we are doing things that are bigger than ourselves. Don't focus on personal gains. Focus on how you can help other people. A great message that we should all live by regardless of our professions.
So, that is my wrap up from Day 1 at Blackhat. Overall a great day and I am looking forward to tomorrow being just as fruitful.
We released the MX Logic August Threat Forecast today and wanted to share a few notable pieces of information.
In July we saw spam as a percentage of overall mail reach its highest point ever, currently accounting for 94.6 percent of all email. However, malicious threats being sent via email have been on the decline. We've seen this shift taking place over the last several months, and in July web-borne threats finally crossed the threshold into being the predominant method cybercriminals use. This is noteworthy considering the large volume of spam that was recorded; it is not to say that the usual suspects were not developing new malware. It just appears that email has, once again, fallen out of favor as a delivery method for some of the major groups, although it is still being used as a primary vehicle to deliver messages that contain links to web sites that deliver malware. A few additional highlights include:
- Spam volumes increased by another 27 percent month-over-month as compared to June and have increased 400 percent since February 2009.
- There was an increased prevalence of spammers utilizing Google’s trending topic information (see previous post for details)
- Biggest threats were spam related to Michael Jackson’s death and Waledac’s July 4th Fireworks
- Health related spam continues to be far and away the most prevalent type of spam
- Top spam countries: United States (12.86%) and Brazil (12.43%); Brazil is about to take the number one position
See the full report: http://www.mxlogic.com/threatforecast/
Today Microsoft will release two out-of-band patches: one to address a vulnerability in Internet Explorer that Microsoft rates "critical" (an out-of-band release typically means that exploits are already available in the wild, which is what justifies releasing an update outside of the normal "Patch Tuesday" schedule on the second Tuesday of every month). The second patch is rated "moderate" by Microsoft and affects Visual Studio.
It is recommended that any out-of-band patches released by Microsoft be tested before being deployed on any systems, particularly those critical to the function of your organization. After the patch has been tested in your environment, deploy it as quickly and as responsibly as possible in order to minimize your window of exposure. Again, when out-of-band patches are released, exploits are generally already available in the wild.
For more information about the patches being released today see Microsoft's web site. More information will be posted on the details of the vulnerabilities being patched after Microsoft releases the updates.
*** UPDATE 7/28/2009 12:00pm MST *** Microsoft has released the security updates and has named them MS09-034 and MS09-035. MS09-034 is a cumulative update for Internet Explorer and MS09-035 is an update for the Visual Studio Active Template Library (ATL). Both vulnerabilities allow a remote attacker to execute arbitrary code on your system, which includes the ability to install a backdoor or Trojan on your PC. As stated before, please test and deploy these patches as soon as you can.
Do we really know? Recent research would say that we don't.
In late April two conflicting articles were published: one was posted at IT Brief, appears to have been supported by AVG, and states that 250,000 malicious web sites are created every day; the other was published by Security Pro News and says MessageLabs claims 3,500 new malicious sites daily.
So, which is it? The truth in my opinion is that we don't really know. Also, what neither of these articles discuss is the increase in compromise of legitimate sites due to trojans like Gumblar. The number of compromised legitimate sites is also harder to quantify because it is likely there are a lot more of them out there than are currently known.
One thing appears to be for certain and that is that we have reached the tipping point with the web being used as the primary threat vector for the distribution of malware ahead of email.
Last month we discussed the abuse of Twitter's Trending Topics system to increase the ranking of interesting topics so that links can be distributed via Tweets that lead users to phishing and malware sites. This tactic was a follow up to previous abuses of Google's PageRank system which accomplished the same purpose.
The commonality with those two scenarios is that the cyber criminals had to do work to increase the ranking or interest of a particular topic in order to lure users to infected web sites.
We are starting to see a new wrinkle where hackers are using already popular Google trending topics, the search terms that users are interested in and looking for through Google, to determine what users already want to see. They are now tailoring their social engineering tactics to create new spam and websites that exploit users' curiosity. No work is required on a hacker's part to organically generate interest. That interest is already being generated by high-profile news stories, which have already been shown to be very effective lures through the many iterations of Storm and Waledac over the past couple of years.
An example is being reported by Dan Kaplan at SC Magazine, who said (via Sophos) that cyber criminals have created fake websites claiming to show nude videos of Erin Andrews, a popular ESPN reporter who was recently videotaped through a peephole camera. These fake websites are being used to push malware onto curious users' computers. They could also very easily be used in phishing campaigns to steal users' personal information.
Search criteria for these Erin Andrews videos through Google currently accounts for two out of the top three search trends at the writing of this post.
As news of the most recent Twitter breach spread and details of what was compromised started to come out, the question at the forefront of my mind was "Whatever happened to responsible disclosure?" Under responsible disclosure you notify the vulnerable party, give them ample time to fix the problem, and if any information is released publicly, it is released only after the vendor has confirmed the problem is resolved.
According to the article on TechCrunch that contains data that was stolen, they "spent much of the last 36 hours talking directly to Twitter about the right way to go about doing that" (where "that" means releasing the data). Now, I was certainly not privy to those discussions, but I personally have a hard time believing that those discussions involved Twitter saying "yes, please post the information, but just leave out the secret sauce bits." I don't understand what criteria TechCrunch used such that they are now the governing authority over what is and is not confidential, or why they feel they have a right to make that call to begin with. I am disappointed that a purportedly reputable news organization would feel that they have such privilege.
In a follow up post TechCrunch attempts to justify their actions by pointing to previous cases where they and another news organization had each taken it upon themselves to post sensitive information. I guess that means that since there is a precedent for something happening that it somehow makes it right? They also state within this article that they "break big stories." Obviously, those that break the big stories get the big press, but let's not also forget that a certain level of responsibility is expected as well. Saying that "others do it too" as justification for doing anything is just plain juvenile.
Of course, let's not let the person who leaked the information to TechCrunch off the hook either, as they are certainly culpable as well. At this point nobody seems to know who that person is (at least not publicly). This mystery person submitted the information with the expectation that it would get published. Otherwise, why send it to a news organization to begin with? They baited the hook and TechCrunch bit down hard.
Whether TechCrunch will end up facing any legal action from Twitter remains to be seen. Twitter might want to consider at least sending TechCrunch a thank you note for at least temporarily turning the stink-eye from this whole mess away from themselves as TechCrunch appears to be getting flamed worse than Twitter, who had the breach to begin with!
Funny how things work sometimes :)
It looks like the Hack du Jour, Twitter, has had another high profile data breach.
It seems like we have been around the block on this topic before on a couple of occasions, haven't we?
According to TechCrunch the cause of this most recent data breach isn't stolen Twitter account credentials obtained through clickjacking exploits or people who have given up their logins to look-alike Twitter application sites. This exploit was far more elementary, and one that Twitter could stand to learn a lesson from on their own account signup form: weak passwords. According to the TechCrunch article, the password to some of Twitter's publicly facing servers was "password". Maybe they thought that was too easy for people to guess and that nobody would actually try a password as simple as "password"? Either way, this is another example of how Twitter needs to take its own security and the security of its users much more seriously. Strangely enough, repeated lapses in judgment do not appear to have slowed their growth.
The portion of the MSNBC article that I linked to in the first paragraph that irked me the most was in the section titled "Dangers Highlighted" where the author states that "The techniques used by the hackers to obtain access to Twitter highlight the dangers of a broader trend promoted by Google Inc. and others toward storing more data online, instead of on computers under your control." I couldn't disagree more with this statement. The missteps by Twitter that have caused their recent compromises are not a result of a lack of standards or good security practices by cloud computing, SaaS, or other off-network service providers. They are a result of Twitter's poor security practices and Twitter's alone.
Any service provider, construction outfit, or home business that has its own network equipment needs to ensure that it has taken proper precautions to secure those devices. That includes changing default passwords and identifiers (like SSIDs on wireless access points) all the way through to keeping those devices up to date on security patches and application updates. These are not practices that are relevant to cloud computing providers alone. To insinuate as much in an effort to spread FUD against these types of services is downright irresponsible, in my opinion. We're talking about best practices that need to be employed by everyone in all industries and form factors. Perhaps if we did that instead of just talking about it and always looking to point the finger at someone when they make a mistake we would have fewer people to point fingers at.
Roger Thompson, Chief Research Officer at AVG Technologies, said in an article posted on Network World that the latest vulnerability in Microsoft's Video Controller ActiveX library could be the next Conficker.
I very much disagree with that sentiment.
Conficker was similar to the Slammer worm from back in 2003 in that no overt action was required on the part of any individual person to get infected. You could get infected simply by being out of date on security patches. The current DirectShow exploit requires a user to visit a malicious web site (links to sites hosting the exploit code are currently being sent out in spam emails) to get infected. Also, the user must be an admin on their computer to get infected by the DirectShow exploit. Most people do run in this mode, however, so that won't be much of a hurdle to clear, but the requirement that a user must visit a web site hosting malicious code is a tactic that users are becoming more accustomed to avoiding.
There are some similarities here that are worth pointing out, however.
For starters, there are claims that Microsoft knew about this vulnerability well in advance of exploit code being released for it, but neglected to patch it. This makes sense considering Windows Vista and Internet Explorer 8 are not vulnerable to this exploit, but Windows XP and Internet Explorer 6 and 7 are. This does raise the question, though, of why Windows Vista is not vulnerable, since it has been out for well longer than the exploit has supposedly been known to Microsoft. This is similar to the Conficker situation because the MS08-067 vulnerability that allowed that worm to appear was also being exploited for about a month prior to Microsoft releasing an out-of-band patch for it. Unfortunately, at that point the damage had already been done, and regardless, most of the machines that were infected with Conficker are running versions of Windows XP that had never installed a single Microsoft security update (see research at http://mtc.sri.com/Conficker).
Anyway, I digress from my point. Although I do believe that the DirectShow exploit is significant and that the out-of-band patch that Microsoft released to address it is absolutely the right thing for them to have done (as opposed to waiting for their typical Patch Tuesday release next week), I believe it is blowing the situation out of proportion to say that this will be the next Conficker.
Research was published yesterday coming out of Carnegie Mellon University that states that the number of potential combinations of what your social security number could be is limited based on publicly available information such as your birth place and date.
This is significant because financial and educational institutions (among others) frequently use the SSN either as a method of verifying who you are over the phone or as a method of authentication on web sites, greatly increasing the risk of identity theft. As a side note, organizations like the American Health Information Management Association (AHIMA) published an article back in 2006 recommending against using SSNs as an identifier in systems that contain health care data.
According to the research, you "could identify in a single attempt the first five digits for 44 percent of deceased individuals who were born after 1988 and for 7 percent of those born between 1973 and 1988. They were able to identify all nine digits for 8.5 percent of those individuals born after 1988 in fewer than 1,000 attempts". In the instances where the first 5 digits of a 9-digit SSN could be identified on the first attempt, this narrows the number of possibilities for your SSN down to only 10,000 (the remaining four digits), which is essentially the same as guessing someone's 4-digit PIN. Trivial by today's technology standards, especially against any system that lets an attacker try many SSNs without lockout or rate limiting. Since the Social Security Administration's Death Master File can be purchased online for about $7,000 (if you live in the US, Canada, or Mexico; about $15,000 otherwise) according to Steve Goldsby's blog, this cost could easily be recouped after only a few identity thefts. This is pretty good ROI for cyber criminals despite the up-front cost.
As predicted in this month's MX Logic Threat Forecast and Report, cyber criminals have decided to take advantage of the July 4th holiday to send out spam that links to a malware infected web site.
All of the messages that our Threat Operations Center has observed thus far have July 4th themed subject lines and brief message bodies consisting of only a few words followed by a link, a tactic used many times by the Storm/Waledac folks previously.
Some of the subject lines that we have seen thus far include:
Amazing firework 2009
Amazing Independence Day salute
Amazing Independence Day show
America for You and Me
America the Beautiful
American Independence Day
Bright and joyful Fourth of July
Celebrate Independence
Celebrate the spirit of America
Celebrate with Pride
Celebrating Fourth of July
Celebrating the Glory of our Nation
Celebrating the spirit of our Country
Celebrations have already begun
Fabulous Independence Day firework
Fourth of July Fireworks Shows
God Bless America
Happy Birthday America!
Happy Birthday USA!
Happy Birthday, America!
Happy Fourth of July
Happy Independence Day
Home of the Brave
Independence Day firework broke all records
Let the fireworks begin!
Let's celebrate Independence Day
Light up the sky
Long Live America
Proud to be an American
Sparkling Celebration of Independence Day
Spectacular fireworks show
Stars and Stripes Forever
Super 4th!
The best firework you've ever seen
The best of 4th of July Salute
This Land Is Your Land
Time for Fireworks
Well done 4th!
Traffic so far has been pretty modest, only about 2,500-3,000 messages per hour, and is likely being mitigated by the fact that many companies have given their employees July 3rd off this year because this year's United States Independence Day holiday falls on a Saturday.
Below is a screen shot of a sample message that someone may receive in conjunction with this campaign:
The site that users who click the link in the email are lured to claims to host a video of a fireworks show, but actually serves a download of an executable file (video.exe) that, when run, will infect the user's PC. So far all of the links that our Threat Operations Center has observed have been subdomains of the "moviesfireworks.com" domain; however, our team is on the lookout for more, and this post will be updated as necessary.
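For anyone wanting to pick these messages out of their own mail logs, here is an added example of the triage logic the description above implies; it is my own illustration, not MX Logic's filtering code. It combines the one hard indicator the post gives (links to subdomains of moviesfireworks.com) with the pattern it describes (a campaign subject line over a body of only a few words and a single link), and a weaker generic heuristic for a short teaser pointing straight at an .exe. The sample messages are constructed for the example; the example.net/example.org hostnames are placeholders, and the subject set is a subset of the list above.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Subset of the subject lines listed in this post, lower-cased for matching.
CAMPAIGN_SUBJECTS = {
    "amazing firework 2009",
    "happy fourth of july",
    "happy birthday america!",
    "let the fireworks begin!",
    "light up the sky",
    "the best firework you've ever seen",
}
# The only lure domain the post names; links seen so far were subdomains of it.
CAMPAIGN_DOMAIN = "moviesfireworks.com"
URL_RE = re.compile(r"https?://[^\s<>\"']+")


@dataclass
class Message:
    subject: str
    body: str


def lure_domain(url: str) -> bool:
    """True if the link's host is the campaign domain or one of its subdomains."""
    host = (urlparse(url).hostname or "").lower()
    return host == CAMPAIGN_DOMAIN or host.endswith("." + CAMPAIGN_DOMAIN)


def classify(msg: Message, max_words: int = 8) -> str:
    """Return 'waledac-july4', 'suspicious-exe-link' or 'clean' for one message."""
    urls = URL_RE.findall(msg.body)
    words = URL_RE.sub(" ", msg.body).split()          # body text with links removed
    subject_hit = msg.subject.strip().lower() in CAMPAIGN_SUBJECTS
    short_teaser = len(urls) == 1 and len(words) <= max_words
    exe_link = any(urlparse(u).path.lower().endswith(".exe") for u in urls)

    if any(lure_domain(u) for u in urls):
        return "waledac-july4"          # known indicator from the campaign
    if subject_hit and short_teaser:
        return "waledac-july4"          # pattern match: catches new lure domains
    if short_teaser and exe_link:
        return "suspicious-exe-link"    # generic heuristic, worth a closer look
    return "clean"


def triage(messages) -> list:
    """Classify a batch of messages, preserving order."""
    return [classify(m) for m in messages]


# Constructed sample traffic (not real captured messages).
SAMPLES = [
    Message("Happy Fourth of July", "Check this out http://abc.moviesfireworks.com/"),
    Message("Light up the sky", "Best show ever http://example.net/show"),
    Message("Quarterly numbers", "Download http://example.org/video.exe"),
    Message("Happy Fourth of July", "Hope you all have a restful long weekend with "
                                    "family; see you Monday for the planning meeting."),
    Message("Re: picnic", "Bring chips. Map: http://example.com/map"),
]

if __name__ == "__main__":
    for msg, verdict in zip(SAMPLES, triage(SAMPLES)):
        print(f"{verdict:20s} {msg.subject!r}")
```

The ordering of the rules is the design decision: the domain indicator is checked first because it is the most reliable, the subject-plus-short-body pattern second because it survives the campaign moving to new domains, and the .exe heuristic last because on its own it only merits a second look, not a block. The fourth sample shows why the subject line alone is not enough: a legitimate holiday greeting with no link stays clean.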
Below is a screen shot of the fake video web site.
Here's to everyone having a safe, happy, and malware free July 4th holiday :)