Friday, March 27, 2009

So ... What on earth is a Botnet?

"A botnet is comparable to compulsory military service for windows boxes" - Stromberg (http://project.honeynet.org/papers/bots/)

A Botnet is a network of computers that have been infected and are under the control of a hacker or group of hackers. Once they have computers under their control the hackers can use them to propagate viruses, send spam, launch attacks against web sites (distributed denial of service attacks, or DDoS) or any number of other suspect activities. Criminal gangs have even been known to “rent” their Botnets to other criminals. This is what occurred during the recent Botnet experiment by the BBC http://itnetworksecurity.blogspot.com/2009/03/botnets-very-real-threat.html (not that I am comparing the BBC to criminals, you understand).

Botnets can consist of many thousands of compromised computers. With this number of machines under their control the people behind the Botnets can cause all sorts of chaos, including Distributed Denial of Service (DDoS) attacks against corporate web sites. Botnets are being used by criminal gangs to extort money – sending messages to companies threatening to take their website down unless payment is forthcoming.

One technique used in the fight against Botnets is called a honeypot. The idea of a honeypot is to provide an unprotected machine or set of machines and examine how attackers infiltrate the systems. A great site for reading more on this topic is The Honeynet Project (http://project.honeynet.org), which describes its objective as "To learn the tools, tactics and motives involved in computer and network attacks, and share the lessons learned."

Nine Steps to Securing Your Computer

The Internet revolution has meant that many more people have computers permanently connected to Internet services and that more and more people are using their computers for activities such as on-line banking and shopping. The “always on” nature of broadband connections coupled with the increasingly sensitive information we store means that we are more and more open to potential hackers and criminals. While security may be considered obvious, there is always room for improvement. Below are a few easy and cost-effective steps that you can take to improve security.

- Always keep backups of important information and keep them in a safe place. It is better to store them away from your home, if at all possible as this will give you additional protection against fire, theft etc.

- Update and patch your operating system, browser and any software frequently. If auto update options are available, use them.

- Make sure that you have antivirus/anti-malware software installed, that it is up-to-date and has the latest patterns installed. If it has an auto-update mechanism, ensure that it is enabled.

- Install a personal firewall. Many home routers provide some kind of firewall functionality but it is always worth having the additional protection offered by a personal firewall. Many home user security packages (e.g. Norton Internet Security) include firewall functions or you can opt for a separate firewall such as ZoneAlarm.

- Check the settings in your Internet browsers. Active-X and Javascript are used by hackers to install malicious software (“Malware”) on computers. Internet Explorer offers a number of “zones” for grouping sites, by default everything is in the Internet zone. Set the security level of the Internet zone to high. Internet Explorer also offers a trusted sites zone for sites that you trust, set the security level in this zone to medium.

- Do not open unknown email attachments from unknown senders and be extremely suspicious of attachments from known senders that seem out of character for the sender. Many viruses and other pieces of Malware spread by compromising email clients and sending themselves to people in the address book.

- Do not run programs of unknown origin as they can contain malware even if they appear to do something harmless. Resist the temptation to forward such programs on to friends, family and colleagues because they are funny or interesting. This is another mechanism used by malware authors to spread their programs.

- Disable the Windows “hidden extension” feature. By default Windows will hide the file extensions of known file types. This option should be turned off so that you are better able to see any unusual file extensions that may be there.

- Consider disconnecting your computer from the network and/or turning it off when you are not using it.

You should also consider making a boot or emergency disk for use in case your computer is compromised by malware.

Fundamentally, you can never be too vigilant and the simple steps discussed above may prevent you falling foul of a damaging attack.

Wednesday, March 18, 2009

Avoiding Pharming and DNS Exploits

I had the “privilege” of seeing a scary exploit the other night …..

In essence it was a variation on the idea of “pharming”, where a hacker attempts to redirect legitimate website traffic to a different, fraudulent website – the most common use of this exploit is to redirect traffic destined for online financial sites in order to harvest user names, passwords and other security credentials. There are a number of ways this type of attack can be executed.

The first, and simplest method is to compromise the hosts file on the user’s PC. The hosts file is a remnant of ARPANET, the predecessor of the Internet, which did not have a domain name system for resolving network names. Instead each node held its own records of other nodes that it needed to know about and this is what is contained in the hosts file. An entry contained in the hosts file will override the need to look up an address using the domain name system.

In order to execute an attack the hacker needs to modify the hosts file; something which can be achieved by enticing the user to download a small piece of malware to their computer – this malware would then modify the hosts file with the name of the site they wished to redirect and the bogus IP address that they wished to redirect it to.
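A defender-side check for the hosts-file variant described above, added here as an example (not code from the original post): it parses a constructed sample hosts file and reports entries that pin a watched bank domain, or any public name, to an address, which is exactly what a pharming trojan leaves behind. The watch-list, the sample entries and the addresses are assumptions.

```python
import ipaddress

# Constructed sample hosts file (not from the original post). The last three
# entries are the kind of override a pharming trojan leaves behind.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
::1             localhost
192.168.1.10    fileserver.home        # genuine LAN entry
0.0.0.0         ads.example.test       # ad-blocking entry, harmless
198.51.100.23   www.natwest.com        # bank site pinned to attacker address
198.51.100.23   natwest.com
198.51.100.23   www.example-shop.test
"""

# Sites the user cares about (constructed watch-list). A genuine bank site
# never needs a hosts entry, so any entry for one is suspicious.
WATCHED_DOMAINS = {"www.natwest.com", "natwest.com"}
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_hosts(text):
    """Return (ip, hostname) pairs from hosts-file text, ignoring comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if line:
            ip, *names = line.split()
            entries.extend((ip, name.lower()) for name in names)
    return entries


def is_local(ip):
    """True for loopback, link-local, 0.0.0.0 (blocklist style) and RFC1918."""
    addr = ipaddress.ip_address(ip)
    if addr.is_loopback or addr.is_link_local or addr.is_unspecified:
        return True
    return addr.version == 4 and any(addr in net for net in RFC1918)


def find_overrides(text, watched=WATCHED_DOMAINS):
    """Flag entries that steer a watched or public name away from DNS."""
    findings = []
    for ip, name in parse_hosts(text):
        if name in watched:
            findings.append((ip, name, "watched domain pinned in hosts file"))
        elif not is_local(ip) and "." in name:
            findings.append((ip, name, "public name resolved outside DNS"))
    return findings


if __name__ == "__main__":
    for ip, name, reason in find_overrides(SAMPLE_HOSTS):
        print(f"{name:24} -> {ip:16} {reason}")
```

Pointing the same parser at the real file (C:\Windows\System32\drivers\etc\hosts on Windows, /etc/hosts elsewhere) gives a quick way to spot the first pharming technique on a PC you suspect.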

The second way of executing a pharming attack is to use a technique called DNS cache poisoning – this is where the hacker compromises a DNS server by exploiting a flaw in the DNS server software, causing the DNS server to accept bogus information. The DNS server will then provide an incorrect IP address for a given name and direct users to the attacker’s web site.

The third way uses malicious code to reconfigure the DNS settings of a user’s home router; this is also called a “drive-by” pharming attack. If you look at the configuration of your home router you will usually find references to primary and secondary DNS servers – these parameters are usually set to whatever your ISP provides but, even when your ISP has provided the configuration, it is possible to change these settings.

In this attack, the hacker changes these DNS settings so that any attempt to resolve names is not sent to the ISP’s DNS server but to a DNS server controlled by the hacker. Thus, the hacker is able to provide whatever address he chooses and redirect the traffic to another server under his control. Thus an attempt to access the Natwest web site (www.natwest.com) could result in the user being redirected to a bogus server offering web pages that look superficially like the genuine site – allowing the hacker to collect online banking credentials.

This attack requires the user to be tricked into downloading some malware to their PC – either via Javascript embedded into an email or via a compromised web site. In many cases it will also require the administrative user name and password for the home router, although many users do not change the default and a quick session with a search engine will usually reveal the default username and password for most popular home routers. Scarily, there are some home routers out there that allow the username/password validation for administrative access to be bypassed.

So, what can you do to protect yourself? Here are some simple tips.

- Does the web site displayed in your browser look genuine? If it is something sensitive like an online banking site, is it using HTTPS (the padlock symbol in most browsers)?

- If the site is using HTTPS, did you get a certificate warning? If you get a certificate warning you should never, ever proceed.

- Does the site seem to be asking for too much information? Most online financial institutions have a user name, password and several pieces of memorable information. If the site that you have connected to wants you to provide all of this information in one hit then it is not the genuine article. Likewise, if the site you have connected to is asking you to type your complete password when you would normally select specified characters from a drop down list or click keys on an on-screen keyboard, it is not the genuine article either.

- Change the default administrative user name and/or password on your home router.

Good luck – and stay secure.

Saturday, March 14, 2009

BotNets – a very real threat

The BBC has been able to acquire software and gain control of over 22,000 computers. In their test they ordered the computers under their control to send spam messages to two mailboxes – within hours the mailboxes began to fill up with junk mail. They also managed to launch a DDoS (distributed denial of service) attack. See the full story at http://news.bbc.co.uk/1/hi/programmes/click_online/7932816.stm

Thursday, March 12, 2009

Endpoint Security II - Removable Media

Removable media is one of the things that makes personal computers useful and has been with us in many forms since the advent of the personal computer – these days we have moved on from tape-based systems and floppy disks to high-capacity USB memory sticks. The downside to this is that as the capacity of removable media increases so do the risks; it is possible to lose more information as the result of a single security incident.

Many of the recent data leaks in the public sector have been as a result of problems with removable media – from the well publicized case of child benefit records in the UK being sent unencrypted on CDs through an insecure mail service to any number of cases where USB memory sticks have been lost.

The trouble with removable media is that it is so convenient – how many times have you used a USB memory stick to transport information without thinking about how that information is protected or the consequences of losing it? A particular issue with USB memory sticks is that they are quite small; while this does make them convenient it also makes them very easy to lose.

There are two issues. The first is user training about appropriate use of removable media – simply put, there is some information that is so confidential that it should never be stored on removable media. This should also be backed up with an enforcement and auditing system.

The second issue is mitigating the effect of losing removable media – this is really the domain of encryption products; if the data is encrypted then the usefulness of the removable media to anybody who does not have the encryption keys is seriously limited.

Wednesday, March 11, 2009

Endpoint Security I – Laptop Security

There are many aspects to network security but it is often the risks associated with the humble laptop PC that get overlooked.

The portability of laptops makes them inherently vulnerable; they are designed to be portable. Traditionally, people and organizations consider laptop security from the perspective of the financial value of the device but as the cost of laptops has reduced it is likely that the information contained on a laptop’s hard disk is more valuable than the laptop itself.

There are a number of simple measures that can be taken to protect laptops and the information they contain such as not leaving them unattended in public areas or in parked cars (whether on display or not). This is an issue that can be addressed by training, but even the most careful person can make mistakes. So what can be done to protect the data against compromise when a laptop is lost or stolen?

It would be relatively simple to design a system where little or no data is held on the laptop itself; this would require the use of some type of thin client arrangement such as Windows Terminal Services or Citrix where all applications run and all data is held on centrally located servers and the endpoints simply function as a “dumb” terminal that simply provides an interface to the user. The problem with this kind of implementation is that constant connectivity is required to the central data centre(s) hosting the applications.

So, given that most users are going to store some data locally, what can be done to prevent this data falling into the wrong hands? The answer is to encrypt some or all of the information held on the local hard drive; there is a wide choice of products available to achieve this. However, there are some considerations in selecting a product.

- Ease of use – the product has to be easy to use and the process of encryption and decryption as transparent as possible to the user. Most people are not technical and if they are provided with something that is difficult to use they will not use it.

- Security of the encryption algorithm.

- Management of encryption keys – it is important that the organization has the ability to manage encryption keys. Under section 53 of the Regulation of Investigatory Powers Act (RIPA) (UK) the police have the power to demand the decryption of data or the production of decryption keys; it is clearly important that an organization should be able to comply with this requirement.

- Security of passwords/encryption keys when held in memory – at some point most encryption systems are going to hold user passwords or encryption keys in dynamic memory. When this occurs there is a risk that a malware program that has infected the laptop could steal this information and provide it to a third party; therefore, any encryption system should provide some method of obscuring or protecting this information while it is held in dynamic memory.

Next time … more on endpoint security, specifically looking at removable media.

Tuesday, March 10, 2009

Public Sector Data Leaks

On 9th March Lothian and Borders Police announced that they had lost containing details of vehicles of interest and other intelligence (http://news.bbc.co.uk/1/hi/scotland/edinburgh_and_east/7932228.stm). In recent months there have been a number of high profile data losses in the UK public sector – what is happening, why, and what can be done to prevent it?

The public sector is being driven by the requirement to aggregate data from many sources into large databases; this increases the attraction to criminals as there is the potential to harvest more data by compromising a single database. Another effect of data aggregation is that it becomes increasingly difficult and costly to “dis-aggregate” the data when sharing it with third parties.

This is exactly what happened in the well publicized case of the lost child benefit records; the National Audit Office had requested specific “de-personalised” data – internally within HMRC it had been decided that it was too expensive to depersonalize the data in the way the National Audit Office had requested and, therefore, the complete data was sent; this was only compounded by the fact that the data was sent unencrypted on a CD via an insecure mail service.

As well as the primary effect of this incident (the compromise of people’s personal details), there was a secondary attack where people were targeted with an email offering a £215 tax rebate which redirected them to a malware site.

The bad news is that it is getting worse: in the 12 months to September 2008 there were 12 major incidents in the public sector affecting 29 million records. See http://www.silicon.com/publicsector/0,3800010403,39295167,00.htm for more details.

The government’s response to these data losses has been a working party that produced the following recommendations.

Changes to policy, systems, procedures and controls with the focus on trust, reputational risks, cost avoidance and accountability.

However, the focus is on risk and cost avoidance from a government perspective. In most of these incidents the government bears very little cost or risk. In the case of the HMRC incident the risk was borne by the individuals claiming child benefit (potentially having their bank accounts compromised) and the cost was borne by the banks (the administrative effort in potential losses through fraud, changing account numbers, reissuing cards etc).

Penetration Testing

Penetration testing is a worthwhile exercise but it assumes that the weakest point is the network perimeter; this would not have prevented any of these incidents occurring.

Encryption of end points

All of these incidents have occurred because of endpoint vulnerability; the CD, the USB memory stick or the laptop left in a taxi. Clearly the encryption of endpoints is critical in mitigating risk if the endpoint itself is lost or stolen.

Unfortunately, these measures do not address the real issue – the people in control of the data have no interest in keeping it secure, an effect called externality. The organizations involved do not bear the consequences of their actions – there is no point in fining a public sector organization as it is public money anyway. The only way this issue will be addressed is for the individual employees of these organizations to bear the consequences of their actions – and ultimately this will probably mean serious criminal sanctions.