I have written a paper targeted for small business owners: "Some Thoughts on Computer Defense for Small Business"
"The problem of computer security will continue to increase in intensity in the coming years. Geo-political conflict, an increasing wealth divide between North and South in an increasingly networked world, and increasingly sophisticated threats will challenge the most well prepared specialists to secure your network. The passage of time has only made the following Unix administrator's adage become more true: “There are two kinds of computer users: those who have lost data and those who will.” Which part of that data loss cycle is your destiny?" read more
Friday, February 26, 2010
Wednesday, February 24, 2010
Advanced Persistent Threat IV
SRI's Malware Threat Center has issued version 1.5 of Bot Hunter. Bot Hunter uses a proprietary algorithm with data collection facilities of a customized Snort to determine the botnet communication on Windows hosts and at Unix bastion at the egress of your network. You can review the data it collects from its honey net. Here's a picture of it running on Vista:
Update: 02/27/10 And so I had a 1.10 Score. (Below) Bot Net Hunter reported that a Microsoft IP conducted an outbound scan of 18 IPs. Something to think about...
OUTBOUND SCAN (spp)
207.46.16.248 (2) (20:05:49.902 PST)
event=777:7777005 (2) {udp} E5[bh] Detected moderate malware port scanning of 18 IPs (11 /24s) (# pkts S/M/O/I=0/52/4/0): 137u:52, [] MAC_Src: 00:16:EA:4C:F3:AE
Funny, I had Netmon 3.3 running, but it didn't catch that IP at that time This turned out to be a Microsoft DNS IP:
9:41:51.287 192.168.0.14 80 (0x50) 207.46.16.248 207.46.16.248 msdn.microsoft.akadns.net 00-09-5B-00-F3-DA msdn.microsoft.akadns.net 5599 (0x15DF)
Tuesday, February 16, 2010
Advanced Persistent Threat Part III
It certainly is possible to examine host or network outbound conversations. But we then have to determine which outbound conversations are legitimate. Current AV software attempts to block access to potentially 'known dangerous' or 'pre-determined dangerous' malware sites but such judgements are apparently failing to prevent APT from sending stolen data to weigh stations. On OpenBSD if we are looking at outbound connections, we might sniff as thus using Snort:
/usr/local/bin/snort -D -vdeXX -l . -L `date "+%d%b%H%S%Z%Y.out"` -i dc0 'port not(whois or domain or router) and not(broadcast or arp) and not(dst net 192.168.0.0/24 or 224.0.0.0/24 or 239.0.0.0/8)'
On Vista, we might have two interfaces (wired and wireless) we need to examine:
start /min cmd /c C:\snort\bin\snort.exe -vdeXX -l . -i 1 port not(whois or domain or router or 5353) and not(broadcast or arp) and not(dst net 192.168.0.0/24 or 224.0.0.0/24 or 239.0.0.0/8)
start /min cmd /c C:\snort\bin\snort.exe -vdeXX -l . -i 2 port not(whois or domain or router or 5353) and not(broadcast or arp) and not(dst net 192.168.0.0/24 or 224.0.0.0/24 or 239.0.0.0/8)
We can look at the logs. And we are surprised by the number of outbound connections we make:
C:\Snort\bin>snort -v -q -r snort.log.1266372570 | find "->" | gawk -F"->" '{print $2}' | sort /R | uniq -c | sort /R
327 74.125.103.208:80
133 74.202.67.83:80
105 216.35.221.76:80
100 198.104.200.154:80
51 72.21.91.19:80
32 96.17.70.50:80
....
Perhaps one solution to APT would be some real time co-ordination between sites suspected of being data theft transfer stations and real-time (firewall or host) blocking of the data-transfer to those hosts/servers. This type of solution has some headwind but may need to be implemented on a individual or corporate basis to prevent "incidental blacklisting". Other solutions might include:
(1) real time packet examination of data for critical or sensitive information
(2) heuristic detection of data flows that seems 'abnormal'
(3) heuristic detection of file access that seems 'abnormal'
The industry awaits such solutions.
/usr/local/bin/snort -D -vdeXX -l . -L `date "+%d%b%H%S%Z%Y.out"` -i dc0 'port not(whois or domain or router) and not(broadcast or arp) and not(dst net 192.168.0.0/24 or 224.0.0.0/24 or 239.0.0.0/8)'
On Vista, we might have two interfaces (wired and wireless) we need to examine:
start /min cmd /c C:\snort\bin\snort.exe -vdeXX -l . -i 1 port not(whois or domain or router or 5353) and not(broadcast or arp) and not(dst net 192.168.0.0/24 or 224.0.0.0/24 or 239.0.0.0/8)
start /min cmd /c C:\snort\bin\snort.exe -vdeXX -l . -i 2 port not(whois or domain or router or 5353) and not(broadcast or arp) and not(dst net 192.168.0.0/24 or 224.0.0.0/24 or 239.0.0.0/8)
We can look at the logs. And we are surprised by the number of outbound connections we make:
C:\Snort\bin>snort -v -q -r snort.log.1266372570 | find "->" | gawk -F"->" '{print $2}' | sort /R | uniq -c | sort /R
327 74.125.103.208:80
133 74.202.67.83:80
105 216.35.221.76:80
100 198.104.200.154:80
51 72.21.91.19:80
32 96.17.70.50:80
....
Perhaps one solution to APT would be some real time co-ordination between sites suspected of being data theft transfer stations and real-time (firewall or host) blocking of the data-transfer to those hosts/servers. This type of solution has some headwind but may need to be implemented on a individual or corporate basis to prevent "incidental blacklisting". Other solutions might include:
(1) real time packet examination of data for critical or sensitive information
(2) heuristic detection of data flows that seems 'abnormal'
(3) heuristic detection of file access that seems 'abnormal'
The industry awaits such solutions.
Friday, February 12, 2010
Advanced Persistent Threat Part II
These thoughts occur to me this week in reading the numerous blog posts on APT and the Mandiant Report. Somehow my research made me think of the bane of Othello the Moor ( "Iago" ). Very loosely translated from Latin, "Iago" might mean "I am nothing". Often it is more commonly translated as "supplanter" or "heel grabber".
(1) I don't have a binary, technical threat analysis, disassembled stub, class diagram or detection method for APT.
(2) I don't know any host based security products that would block "illegitimate APT" (outgoing traffic) on ports 80 and 443 from a legitimate user space request. How would developers even implement such a service? If you could trace all events to an un-hijacked input device, you could block any events that are not desktop based. This would probably put updates,software installations,sandbox scripts in a pickle. Therefore, is this a problem in search of a network based solution?
(3) I propose we solve the debate about how "APT style" threats can be distinguished from other threats by
(4) I don't know yet how to prototype or replicate an APT in my lab. Therefore, How do I know it exists outside of the conceptualization of others?
(5) Ten years ago last August I received this comment while working with an IDS developer: "This product will stop the script kiddies and most of the uber-hackers. Then there's the "Men in Black". I have no idea how we stop them."
- "Iago"
(1) I don't have a binary, technical threat analysis, disassembled stub, class diagram or detection method for APT.
(2) I don't know any host based security products that would block "illegitimate APT" (outgoing traffic) on ports 80 and 443 from a legitimate user space request. How would developers even implement such a service? If you could trace all events to an un-hijacked input device, you could block any events that are not desktop based. This would probably put updates,software installations,sandbox scripts in a pickle. Therefore, is this a problem in search of a network based solution?
(3) I propose we solve the debate about how "APT style" threats can be distinguished from other threats by
- (a) ranking the level of resources needed to complete them or
- (b) the level of functional immunity granted their perpetrators
(4) I don't know yet how to prototype or replicate an APT in my lab. Therefore, How do I know it exists outside of the conceptualization of others?
(5) Ten years ago last August I received this comment while working with an IDS developer: "This product will stop the script kiddies and most of the uber-hackers. Then there's the "Men in Black". I have no idea how we stop them."
- "Iago"
Tuesday, February 9, 2010
Advanced Persistent Threat
The news on "Advanced Persistent Threat" has been broken in a big way by Google and the recent Mandiant report. More comments will follow at a later date. But some occur to me now:
(1) Our current desktop and server Operating Systems are not secure.
(2) Computer networks are insecure for most organizations and at many levels.
(3) Digital data can no longer be protected against a determined foe.
(4) Security researchers and visionaries should receive more funding. Lots.
Order and read the Mandiant Report. Then imagine what a resourced foe could do if they believed the security of their nation-state depended upon seemless corporate intrusions. Now imagine those techniques automated and in the wild. In order for the world to have safe computing systems, our government and industry needs to sponsor more research and decriminalize vulnerability research. Otherwise, no data will ever be secret or protected again.
(1) Our current desktop and server Operating Systems are not secure.
(2) Computer networks are insecure for most organizations and at many levels.
(3) Digital data can no longer be protected against a determined foe.
(4) Security researchers and visionaries should receive more funding. Lots.
Order and read the Mandiant Report. Then imagine what a resourced foe could do if they believed the security of their nation-state depended upon seemless corporate intrusions. Now imagine those techniques automated and in the wild. In order for the world to have safe computing systems, our government and industry needs to sponsor more research and decriminalize vulnerability research. Otherwise, no data will ever be secret or protected again.
Monday, February 8, 2010
Defending Against the Small Business Threat
"Do you expect I'm going to solve this? I'm going to take on these Russian thieves? Clearly I'm not going to [be able to] do it." -small business owner defrauded by malware and "money mules"
A great and overdue article in the Wall Street Journal this morning: "Wanted: Defense Against Online Bank Fraud". The article discusses a now popular cyber-crime first popularized in 2008 which is initiated by an online theft/fraud of insecured ATM/payroll data on user/client/small business PCs. Fake payroll members are created and then [recruited] "money mules" cash out fraudulent paychecks from ATM terminals across the globe. If the fraud is timed right, a small business can lose large sums from their payroll accounts within 24 hours or less. The FBI and the IC3 has been warning about this for some time:
Small businesses during a recession make excellent targets. It is a bit like capitalizing on sick children. Large businesses and banks know the value of security infrastructure and development. They have lots to lose and they have been high priority targets in the past. (And they have just received big chunks of "Stimulus funding." ) Most small business employ limited staff, have a few PCs (perhaps running some accounting software), maybe some server or cloud infrastructure investments, and a web site or web/commerce site.
The few aggressive owners/proprietors that investigate securing their infrastructure may have done so on a "self-help" basis - implementing firewalls, UTM, anti-virus, anti-spyware. But even these self-motivated individuals are in no way prepared to be the targets of dedicated information warfare from skilled global criminal enterprises originating in eastern Europe, South America, Russia, China, etc. Thus, in less than 24 hours, small business payroll accounts, many of these derived from 'bridge loans' from local banks, are wiped out. The targeting of small business by cyber-criminals is an "anti-stimulus" effort; functioning to effectively siphon funds from a weakened American economy.
Subscribe to:
Posts (Atom)