Botnets – Herds of Internet Creatures Running Amuck

Botnets

Remember the 1999 Sci-Fi classic movie, The Matrix, where Earth had been taken over by machines that created a simulated reality in order to control the human population? The human race deliberately created a sentient network of computers for the good of mankind. As energy became scarce, however, the computer network created a simulated reality to mentally enslave the human population; using human body heat and electrical activity as an energy source.

While historic symbolism runs rampant through the movie, the geeks among us most likely latched onto the comparison of the sentient network in the Matrix and where our own Internet is heading. With literally billions of computers connected to and communicating over the Internet, and a commercial (Siri anyone?) and government demand for artificial intelligence, one wonders how far off true sentience lies.

While our attention is immediately drawn to the Internet when we think about the benign-turned-evil Matrix, a more interesting comparison can be made to the current Internet plague of botnets. Far less conversationally visible than the computer network we call the Internet, a botnet is a self-replicating, self-defending, collection of malicious computers that is the basis of much of the cyber warfare we see today.

A larger botnet may be made up of tens of millions of bots (an infected computer), where each bot is unknowingly hosted on a personal computer. To reinforce this often missed fact, the computer from which you are reading this blog entry may be one of the hundreds of millions of personal machines (i.e., PCs, laptops, servers, Xboxes) that make up these botnet armies.

As I researched for this article, I found myself collecting a huge volume of fascinating data, with the chance of writing about only a fraction of it. I’ve picked the best of the best; I do believe you’ll be as fascinated with the botnet world as I am. Continue reading Botnets – Herds of Internet Creatures Running Amuck

Detecting and Combating Business Logic Attacks

Business Logic Attacks – Stealthly, and Often Hard to Call Illegal, These Fraudulent Attacks Can Cost Organizations Big Money 

In my old neighborhood there used to be a “smart” traffic light system. It was put in place to control cars exiting a parking lot and the heavy traffic on the main street. When a car approached the traffic light, a sensor would trigger the lights, which in turn allowed the cars coming out of the driveway to receive the right of way. The problem? There was a huge delay as cars needed to Business Logic Attacksapproach the sensor before it turned green, and once the car passed, it would immediately go back to red. This caused heavy congestion every morning for cars coming out of the lot. One day, a neighbor took a scrap of metal and placed it in front of the sensor so the light would stay green. It was not illegal, just one that defeated the logic of the system. The person may not have known it, but my neighbor performed a real-world business logic attack.


Continue reading Detecting and Combating Business Logic Attacks

EFF proposes new method to strengthen Public Key Infrastructure

The Electronic Frontier Foundation (EFF) is proposing an extension to the current SSL chain of trust that aims to improve the security of HTTPS and other secure communication protocols.

EFF’s “Sovereign Keys” (SK) specification is designed to give domain owners control over the link between their domain names and their certificates after recent Certificate Authority (CA) compromises raised serious questions about the security of the entire Internet Public Key Infrastructure (PKI).

One of the main problems with the current PKI model is the lack of control over CAs and their subsidiaries. There are literally hundreds of organizations spread around the world that are allowed to issue certificates for any domain name and some of them are operated by governments that practice Internet surveillance and censorship.

Sovereign Keys was designed to solve this problem by allowing domain owners to sign CA-issued certificates with their own private keys for additional authenticity. These validated domain-certificate associations are kept on so-called timeline servers and are synchronized with mirrors that are queried by clients.

The SK specification, which is still in the design stage, has safeguards in place to ensure that clients only trust the most recent entries in the timeline, that associations can easily be revoked and modified by the sovereign key owners, and that browsing performance is not severely affected by the additional traffic.

In essence, the SK model reduces the number of attack points from hundreds of CAs to 30 or fewer servers where any compromise can be detected automatically. Suspicious entries and other indications of a security breach will cause a compromised server to be immediately ignored by mirrors and clients alike.

Ever since security breaches at CAs Comodo and Diginotar resulted in fake digital certificates for high profile domains being issued, Internet engineers and security researchers have tried to come up with solutions to improve the current system.

One of the suggested solutions, public key pinning, was recently presented at an Internet Engineering Task Force (IETF) meeting in Taipei. It relies on special HTTP headers to inform browsers what certificates should be cached for particular domains and what CAs their owners trust to issue them.

This approach makes things harder for attackers, because they can’t generate trusted certificates unless they compromise one of the limited number of CAs accepted by the domain they wish to attack. Continue reading EFF proposes new method to strengthen Public Key Infrastructure

Unpatched Apache flaw allows access to internal network

A yet-to-be-patched flaw discovered in the Apache HTTP server allows attackers to access protected resources on internal networks if some rewrite rules are not defined properly.

The vulnerability affects Apache installations that operate in reverse proxy mode, a type of configuration used for load balancing, caching and other operations that involve the distribution of resources over multiple servers.

In order to set up Apache HTTPD to run as a reverse proxy, server administrators use specialized modules like mod_proxy and mod_rewrite.

Security researchers from Qualys warn that if certain rules are not configured correctly, attackers can trick servers into performing unauthorized requests to access internal resources.

The problem isn’t new and a vulnerability that allowed similar attacks was addressed back in October. However, while reviewing the patch for it, Qualys researcher Prutha Parikh realized that it can be bypassed due to a bug in the procedure for URI (Uniform Resource Identifier) scheme stripping. The scheme is the URI part that comes before the colon “:” character, such as http, ftp or file.

One relatively common rewrite and proxying rule is “^(.*) http://internal_host$1”, which redirects the request to the machine internal_host. However, if this is used and the server receives, for example, a request for “host::port” (with two colons), the “host:” part is stripped and the rest is appended to http://internal_host in order to forward it internally.

The problem is that in this case, the remaining part is “:port”, therefore transforming the forwarded request into http://internal_host:port, an unintended behavior that can result in the exposure of a protected resource.

In order to mitigate the problem server administrators should add a forward slash before $1 in the rewrite rule, the correct form being “^(.*) http://internal_host/$1”, Parikh said.

The Apache developers are aware of the problem and are currently discussing the best method of fixing it. One possibility would be to strengthen the previous patch in the server code in order to reject such requests, however, there’s no certainty that other bypass methods won’t be discovered.

“We could try improve that fix, but I think it would be simpler to change the translate_name hooks in mod_proxy and mod_rewrite to enforce the requirement in the ‘right’ place,” said Red Hat senior software engineer Joe Orton on the Apache dev mailing list. Ortonproposed a patch that is currently being reviewed by the other developers.

How to Lock Down Your Laptop While on the Road

How to Lock Down Your Laptop While on the Road

Laptop is a must-have companion for many travelers. Unfortunately, the complications of a long journey can bring about lots of opportunities for thieves to snatch your machine. Here are some ways to make your computer less of a target, as well as some strategies to mitigate the loss if your laptop does end up in the hands of crooks.

Losing a laptop may be less painful now than it used to be because the cost of replacing the physical device has trickled downward recently. You can now pick up a decent workhorse for three or four hundred dollars at a big-box retailer. Big deal if you lose it.

What hasn’t become less valuable, though, is the data held within. In fact, the data has become more valuable with the prevalence of identity theft and our copious use of the machines to store every aspect of our multimedia-driven and socially networked lives.

However, the gut-wrenching realization that your laptop has possibly been converted into a methamphetamine-induced haze for a local derelict, and is now winging its way to some unknown destination on the wrong side of town, can be alleviated with some simple precautions.

Deterrent Measures

Stow the laptop on the road by placing it in an in-room safe. The safes are usually large enough, although they don’t look it from the outside.

If there isn’t a safe in your room, place the laptop in your luggage, which should be fitted with a simple lock. You can pick the locks up at airport boutiques. Unlock the luggage and remove the laptop when checking out.

Universal Security Slot

Identify whether your laptop features a Universal Security Slot. This is a thin keyhole-like slit in the computer that can be used to accept a laptop-specific security cable. The slot is sometimes not labeled. If you have the slot, purchase a security cable that you can use to attach the laptop to a fixed object, like a railing or pipe. You can get them at office products stores. This is a good deterrent to use in a public place.

It’s just a deterrent, though, and it won’t thwart bolt cutters. Motion-sensing alarms that use the slot are also available from other vendors.

Cable Specifics

Affix the cable’s included hook to a table. The cables often ship with a strong, self-adhesive eye hook that’s designed for attaching to laptops that don’t have the security slot. The hook can also stick to any flat surface, like a table underside in a public place. Thread the cable and lock it.

When you’re finished, say goodbye to the eye hook — it will be almost impossible to remove.

Rendering Unusable

Password-protect the computer’s operating system. In Windows XP, choose the Control Panel and select “User Accounts.” Then “Edit.” The next time you log on you will be prompted for the password.

This method of rendering the computer unusable is not iron-clad, but it may spoil your average small-time crook, or a drug addict’s enjoyment of your machine.

Software Solutions

Look for encryption software that will encrypt an entire file system, or just encrypt sensitive files. Symantec (Nasdaq: SYMC) makes products that can perform either task.

The disadvantage to encrypting the whole system is that read and write file operations will be slower than on a non-encrypted system.

Hardware Solutions

Install biometrics add-ons. Various shopping websites sell USB finger-print readers for under Kshs. 7,000.

However, locking up a laptop with biometric security is probably easiest when the hardware is built into the laptop, rather than added via USB.

Tracking Solutions

Install tracking software.

GadgetTrak makes solutions that use the laptop’s WiFi location positioning and take advantage of the laptop’s webcam by capturing images of the perpetrator — useful in court.

The Cloud

Leave the laptop on overnight and back up your files to the cloud whenever you can. If you have Internet connectivity on your laptop while traveling, install backup software that will sync your laptop with the cloud and other machines that you have at other locations.

Mozy, Carbonite and SugarSync have products worth taking a look at. Allow the backup to take place during supposedly quiet hours overnight, and you won’t notice lag.

Bad Security Moon Rising

Bad Security Moon Rising

The cybersecurity world is awash in oceans of porn, blown water pumps and civil liberties rhetoric. Facebook was slammed with an attack recently that left some users reaching for a bottle of eye bleach, while hackers elsewhere apparently were able to temporarily control parts of a small public utility. Meanwhile, the DoJ sought new powers that could impact you if you ever use an assumed name anywhere online.

All things considered, this past week has been hell on security professionals.

On Monday, AT&T (NYSE: T) Wireless announced that hackers used automatic scripts to target some subscribers in a bid to steal information stored in their online accounts. They apparently didn’t succeed.

Hackers have breached security at utilities in Springfield, Ill., and in South Houston, Texas, in what might prove to be a sign of things to come.

Meanwhile, Norway’s oil, gas and defense installations also were breached.

On the mobile front, security vendors are once again saying that Android is fast becoming a major mobile threat, echoing a warning that’s growing all too familiar.

Cybermiscreants last week also made friending painful, flooding some Facebook users’ accounts with porn and gore, eliciting complaints and, in some cases, cancellations.

Eager to come to grips with cybersecurity issues, the United States is seeking to criminalize violations of a given site’s TOS on the one hand, and gunning for Chinese communications companies Huawei and ZTE on the other.

No Power to the People

A hacker apparently reconfigured the SCADA (supervisory control and data acquisition) system at a small water utility in Springfield, Ill., causing a pump to break down.

Another hacker, with the handle “pr0f,” claimed to have cracked the system of a utility serving the city of South Houston and posted screenshots of its IT infrastructure.

SCADA systems are used in industries like electric utilities whose demands and processes aren’t designed with security in mind, Joseph Weiss, managing partner at Applied Control Solutions, told TechNewsWorld.

Is Electric Utility Security a Damp Squib?

The utilities don’t want to face the issue, Weiss alleged.

“I just held my latest annual conference on cyber control systems, and EPRI and NERC weren’t there,” Weiss said. “They don’t want to hear this. It just doesn’t make sense.”

EPRI, the Electric Power Research Institute, is funded by electric utilities that together generate and distribute more than 90 percent of the electricity consumed in the United States. NERC,the North American Electric Reliability Corporation, ensures the reliability of the North American bulk power system.

EPRI didn’t respond to requests for comment by press time.

Android’s a Pain in the Mobile Device

Security experts have renewed warnings that Android malware poses a clear and present danger to mobile device users.

That’s possibly tied in with the skyrocketing popularity of Android gadgets. They accounted for more than 52 percent of smartphone sales to end users worldwide in the third quarter, more than doubling market share year over year, according to Gartner (NYSE: IT).

However, they’re also becoming a increasingly popular target for malware, according to recent studies produced by Juniper Networks (Nasdaq: JNPR) and McAfee.

Security experts partially blame Google’s (Nasdaq: GOOG) laissez-faire attitude toward vetting Android apps for the maladies, and they’re once again voicing concern on that issue.

Subverting Facebook Friendships

Facebook was hit hard this past week by hackers that managed to pepper some members’ News Feeds with images that were gory, pornographic or, in some cases, both.

“This particular outbreak of inappropriate imagery could [lead to] a second, third or deeper wave of attacks that keep riding on one another in a never-ending cycle,” Armando Carillo Jr., Web media manager at Zvelo, told TechNewsWorld.

The attackers employed self-inflicted JavaScript injection, a technique that “is not new but also is not that common,” Mike Geide, senior security researcher at Zscaler ThreatLabZ, told TechNewsWorld.

Essentially, potential victims are encouraged to cut and paste a line of JavaScript code that “can contain a variety of functionalities” into their browser bar, Geide said.

Fly Like an Eagle

American lawmakers are responding to the multifarious cyberthreats facing the U.S.

The U.S. House of Representatives’ committee on intelligence has begun investigating a possible threat from the penetration of Chinese owned-telecoms companies, including Huawei and ZTE, into U.S. telecommunications infrastructure.

Meanwhile, the U.S. Defense Department has renewed warnings that the country reserves the right to retaliate with military force against a cyberattack.

Finally, the U.S. Department of Justice has begun seeking harsher penalties for various unlawful online activities. It’s also seeking to make it a crime to violate websites’ terms of service, a measure that could theoretically criminalize the use of an alias when creating a profile on a site.

The DoJ told Congress that this measure’s necessary in order to stop unauthorized access by insiders to sensitive information.

That has privacy advocates worried.

“There’s a lot of people who, for legitimate reasons, assume a different identity online,” Gregory Nojeim, director of the project on freedom for the Center for Democracy and Technology, told TechNewsWorld.

BEAST Browser Security Threat Is Not As Fierce As It Looks, Says Context Information Security

Researchers at Context Information Security are playing down the level of risk to businesses and government organisations posed by BEAST, or Browser Exploit Against SSL/TLS. Recently disclosed by Thai Duong and Juliano Rizzo, the SSL vulnerability allows an attack on a browser to decrypt cookies and compromise HTTPS, giving access to encrypted website log-on credentials. But Context believes that hackers are very unlikely to use this complex attack and also provides some advice on how to further reduce the risks.

“In effect, BEAST is simply a practical way to exploit an existing theoretical vulnerability in older versions of TLS/SSL (TLSv1.0, SSLv3.0 and lower), commonly used for HTTPS connections,” said Michael Jordon, research and development manager at Context. “For an attack to be effective, a vulnerable version of SSL using a block cipher must be used; network sniffing of the connection must be possible; and there also has to be a successful Java applet injection into the same origin of the web site.”

Developers can already increase the complexity and mitigate the risk of malicious content being injected within the same origin through actions such as setting the HTTPOnly property that prevents applets or JavaScript to gain access to the cookie and prevent session hijacking. Therefore, in terms of risk, the BEAST attack is akin to not setting the HTTPOnly property on cookies that is not unusual among websites.

“If people are concerned about the BEAST attack, we suggest they first look to see if their HTTPOnly property is set properly. If it is not, then a BEAST attack would not be needed to deliver the same opportunities to hackers,” says Jordon.

The major vendors of both browsers and server-side technologies have also announced that they are working on patches for TLS1.0. Within a controlled environment such as an internal network, it may be possible to upgrade all users and servers to products that support TLS 1.1/1.2. However, this could mean that some users may have difficulties accessing older web servers.

There are also a number of other areas in which the use of session hijacking can be reduced or made more complex, including transferrable session prevention; the use of effective logout and session timeout functions; regeneration of a new and unique cookie value per session; and adoption of one-time passwords.

“The BEAST vulnerability exists but there are simple steps that developers and security managers can take to mitigate the risks and with the number and complexity of mechanisms needed by an attacker, plus the number of greater value attacks that could take place in the same circumstances, we believe that it is unlikely that BEAST will be seen in the wild,” concludes Jordon.

Details of Context’s research into BEAST can be seen at: http://www.contextis.co.uk/research/blog/beast/

About Context Context Information Security is an independent security consultancy specialising in both technical security and information assurance services. Founded in 1998, the company’s client base has grown steadily based on the value of its product-agnostic, holistic approach and tailored services combined with the independence, integrity and technical skills of its consultants. The company’s client base now includes some of the most prestigious blue chip companies in the world, as well as government organisations. As best security experts need to bring a broad portfolio of skills to the job, Context staff offer extensive business experience as well as technical expertise to deliver effective and practical solutions, advice and support. Context reports always communicate findings and recommendations in plain terms at a business level as well as in the form of an in-depth technical report.