Archives for August 2010

Cameron Diaz tops malware bait list

McAfee (via Network World) just updated its “malware bait list” and Cameron Diaz came in number one.

Most anti-malware vendors, including McAfee offer a service to flag risky sites in search results that appear right in the search results, thus helping you avoid malware-laden web pages.

This is just another example of the “inside-out” attack style which, while rather random, is still a major risk considering that the bad guys watch for popular search terms and build sites to bait people.

Internet Explorer 6 still represents more than 16% of web traffic

I was reviewing Zscaler’s State of the Web – Q2 2010 and was surprised to learn that Zscaler is seeing 16% of web traffic is still using Internet Explorer 6! Since Zscaler can be configured to prevent the use of IE 6, my guess is that IE 6 usage in the general population is even higher.

There is good news though – the trend for IE 6 and IE 7 is down and IE 8 is up, but IE 7 is still the most used browser by far at 25%. Firefox is second at 10%.

Is there a Facebook “Dislike” button?

Apparently, there ought to be. Sophos’ Graham Cluley has a post about the virally spreading malware, Facebook Dislike button. While Facebook has a legitimate “Like” button, the “Dislike” button is malware.

Malware widget infects 500,000 to 5 million sites

Both Brian Krebs and Andy Greenberg (Forbes) are reporting that Network Solutions’ “parked” domain-default registered sites that have not been updated, which number between 500,000 to 5 million, have been infected with a compromised widget from GrowSmartBusiness.com.

By compromising GrowSmartBusiness.com, the attackers were then able to compromise the widgets deployed on the third party sites controlled by Network Solutions. While a widget gives a company tremendous leverage, so too it gives attackers leverage.

From a site owner’s perspective, no matter how rigorous you are with the security of your own site, you also must monitor all third party software you allow on your site, such as third party widgets and advertising networks.

From a corporate security perspective, URL filtering by itself provides no security. You may use URL filtering to control internet use, but that’s it. You must check all components of every web page being downloaded by every user with web access, all the time, whether the user is on your site or remote.

Finally, if you have users performing high risk transactions or processes, and those users also can browse the web, you must assume that their computers are compromised.

Time for security protection on smartphones?

Critical vulnerabilities appearing in both iPhones and Android phones point to the need for third party security products.

Apparently Juniper and McAfee think so. Juniper recently announced that it was acquiring SMobile Systems for $70 million. McAfee acquired TenCube. Another product in this space is Lookout.

Finally, which operating system do you think is more secure? Do you prefer closed vs. open source? Here is a recent article from Network World discussing this issue.

SIEM: Moving Beyond Compliance

Dr. Anton Chuvakin recently wrote a white paper for RSA entitled, SIEM: Moving Beyond Compliance. While I am no fan of RSA’s Envision product (Cymbel partners with AccelOps), the white paper is quite good. As its title says, it discusses “use cases” for SIEM beyond the basic compliance requirements that drive a lot of SIEM projects. Here is the list with my comments:

  • Server user activity monitoring – It’s not always possible to collect the logs from all servers. Sometimes a network-based product like PacketMotion is needed to complement log collection.
  • Tracking user actions across disparate systems – Same comments as above.
  • Comprehensive firewall monitoring – Key capability needed by the SIEM is Active Directory integration for mapping IP addresses to users and generating reports by AD groups.
  • Malware protection – I think this would be better termed “Malware behavior detection” since a SIEM cannot actually detect malware itself as an Intrusion Protection/Detection System would. Ideally, the SIEM should provide a behavior anomaly detection capability.
  • Web server attack detection – A SIEM can provide “detection” capabilities to complement the “protection” capabilities of a Web Application Firewall (Cymbel partners with Barracuda) whose logs also ought to be captured and correlated.
  • Incident response enablement – In addition to SIEM, Cymbel recommends a Full Packet Capture product be deployed. Cymbel partners with Solera Networks.

Anton closes with the three “worst practices” he has seen. Based on my six years of SIEM experience, I agree:

  • Storing logs for too short a time
  • Trying to prioritize logs and store “just what’s important”
  • Trying to use advanced SIEM features before establishing success with basic log collection and reporting

Taxonomy of Social Networking Data

Bruce Schneier recently blogged about his A Taxonomy of Social Networking Data essay in the IEEE Security & Privacy magazine. There are six categories of data: Service, Disclosed, Entrusted, Incidental, Behavioral, and Derived.

It’s also clear that users should have different rights with respect to each data type. We should be allowed to export, change, and delete disclosed data, even if the social networking sites don’t want us to. It’s less clear what rights we have for entrusted data — and far less clear for incidental data. If you post pictures from a party with me in them, can I demand you remove those pictures — or at least blur out my face? (Go look up the conviction of three Google executives in Italian court over a YouTube video.) And what about behavioral data? It’s frequently a critical part of a social networking site’s business model. We often don’t mind if a site uses it to target advertisements, but are less sanguine when it sells data to third parties.

Stuxnet – Nation-state attacker threatening critical infrastructure?

There has been a lot written about the Stuxnet malware in the last several weeks and rightfully so. Stuxnet not only infects Windows computers which supervise industrial control systems, but then goes on to infect the software running on individual Programmable Logic Controllers (PLCs) which control the actual subsystems of those industrial processes. (Each Windows computer controls some number of PLCs which actually run the industrial processes.)

Therefore Stuxnet enables the attacker to remotely cause an industrial automation system to malfunction. It gets even worse – the PLC malware is hidden in a way that PLC software engineers won’t notice the change! Thus Stuxnet is the first known rootkit for industrial control system.

And the vulnerability Stuxnet exploits was zero-day. In other words, the vulnerability was not known at the time Stuxnet began. Stuxnet was first detected in late July 2010, but now information is coming out that it really started in 2009! Some are saying that the sophistication of Stuxnet indicates nation-state involvement.

You can read more details (depending on how technical you want to get) from CNET, SC Magazine, Symantec, Kaspersky, and Mandiant.

There has always been a lot of talk about the need to protect critical infrastructure. Now we are seeing a real threat which increases the risk of industrial control incidents, and therefore heightens the priority to deploy Boundary Defense Controls in these environments.

Is SSL safe?

Via DarkReading, if you are using the latest version of SSL and it’s configured properly, the answer still may be no, based on two presentations at BlackHat last week.

First, according to Ivan Ristic, the Director of Engineering at Qualys, the main problems with SSL are running old versions of SSL and poor configuration management. Ivan said that half the sites running SSL are still using SSLv2 which has known vulnerabilities. In addition, a statistically large number have invalid certificates.

On the other hand, Robert “RSnake” Hansen and Josh Sokol believe that SSL is broken. They presented some 24 HTTPS/SSL exploitation techniques. Their assessment is that “HTTPS simply cannot guarantee confidentiality and integrity in the browser.”

Ristic countered with, “While the state of SSL websites is “average” in terms of security, SSL is rarely targeted by attackers today. “I have a disclaimer: SSL is not a common attack vector today because there’s so much low-hanging fruit out there. I think it’s the time to start fixing things, and they can be fixed.”

Security awareness still a problem even in enterpise IT organizations

Via Network World,

Social engineering hackers — people who trick employees into doing and saying things that they shouldn’t — took their best shot at the Fortune 500 during a contest at Defcon Friday and showed how easy it is to get people to talk, if only you tell the right lie.

Contestants got IT staffers at major corporations, including Microsoft, Cisco Systems, Apple and Shell, to give up all sorts of information that could be used in a computer attack, including what browser and version number they were using (the first two companies called Friday were using IE6), what software they use to open pdf documents, their operating system and service pack number, their mail client, the antivirus software they use, and even the name of their local wireless network.

Now I would understand the ease with which social engineering would work with non-IT workers. But this contest was focused on IT workers whom you would think are more security conscious. But I guess after the Robin Sage story, I am not surprised.