Intrusion Detection & Response - Leveraging Next Generation Firewall Technology
Category: Firewalls & Perimeter Protection
Paper Added: March 30, 2009
Watch your Internet routers!, (Mon, Mar 30th)ISC reader Nick contacted us to share information about an Internet router at his workplace that got ...(more)...
Locate Conficker infected hosts with a network scan!, (Mon, Mar 30th)The Honeynet Project has discovered an anomaly in Conficker that makes it possible to detect infecte ...(more)...
April 1st - What Will Really Happen?, (Sun, Mar 29th)As reports and the belief of impending problems from the April 1st changes to Conficker contine to g ...(more)...
GhostNet, (Sun, Mar 29th)We've had several readers write in with links to news articles about a cyber-espionage network ...(more)...
Is 'Conficker' Solved? Researchers Develop Scan Tool (PC Magazine) (Yahoo Security) Security Sleuths Work Overtime to Confound Conficker (TechNewsWorld.com) (Yahoo News) Security Researchers Score Win Against Conficker Worm (E-Week Security) Massive Chinese Espionage Network (Schneier blog) GhostNet Highlights Evolving Threat Environment (PC World) (Yahoo Security) Adobe Reader, IE 7 Holes Under Attack (IT World) (Yahoo News) Vexing computer worm to evolve on April Fool's Day (AFP) (Yahoo Security)By Rik Ferguson on government
Information Warfare Monitor this weekend published a very interesting paper detailing their research into “a suspected cyber espionage network”. This research complements Trend Micro’s own ongoing research, since we first noted that the Tibetan Government in Exile’s own web site was compromised back in April of last year to serve malware through maliciously crafted image files. The paper [...]
Britain could be shut down by hackers from China, intelligence experts warnPosted by InfoSec News on Mar 30
http://www.telegraph.co.uk/news/worldnews/asia/china/5072204/Britain-could-be-shut-down-by-hackers-from-China-intelligence-experts-warn.html
By Alastair Jamieson
Telegraph.co.uk
29 March 2009
Ministers have been warned that a new £10bn communications network being
developed by BT is...
Posted by InfoSec News on Mar 30
http://www.nytimes.com/2009/03/29/technology/29spy.html
By JOHN MARKOFF
The New York Times
March 28, 2009
TORONTO -- A vast electronic spying operation has infiltrated computers
and has stolen documents from hundreds of government and private offices
around the world, including those of...
Posted by InfoSec News on Mar 30
http://www.news.com.au/dailytelegraph/story/0,22049,25248019-5001021,00.htm
By Ian McPhedran
The Daily Telegraph
March 27, 2009
ROGUE Defence spies have been accused of hacking into Defence Minister
Joel Fitzgibbon's personal laptop computer to steal bank details of his
Chinese-born...
Posted by InfoSec News on Mar 30
http://www.dailyherald.com/story/?id=282101
By Rob Olmstead
Daily Herald
3/27/2009
At 11 a.m. Friday, David Yen Lee of Arlington Heights was supposed to be
in the air on a plane to China, authorities said.
Instead, he was sitting in a courtroom awaiting a hearing, wearing the
...
Posted by InfoSec News on Mar 30
http://www.theregister.co.uk/2009/03/27/cybercrime_mythbusters/
By John Leyden
The Register
27th March 2009
A leading security researcher has unpicked the origins of the myth that
revenues from cybercrime exceeds those from the global drug trade,
regurgitated by a senior security officer...
Posted by InfoSec News on Mar 30
+----------------------------------------------------------------------+
| LinuxSecurity.com Weekly Newsletter |
| March 27th, 2009 Volume 10, Number 13 |
How Much Is Conficker Really Impacting Enterprises?
Posted by InfoSec News on Mar 30
http://www.eweek.com/c/a/Security/How-Much-is-Conficker-Really-Impacting-Enterprises-718842/
By Brian Prince
eWEEK.com
2009-03-27
Given that Microsoft issued a patch for the flaw targeted by the
Conficker worm and the use of strong passwords can prevent much of the
spread, it seems odd...
Researchers find Conficker cure, just in time
Security experts have made a breakthrough in their five-month battle against the Conficker worm, with the discovery that the malware leaves a fingerprint on infected machines which is easy to detect using a variety of off-the-shelf network scanners.…
BT network 'vulnerable to Chinese attack'Spy chiefs warn over Huawei gear in 21CN
Spy chiefs have reportedly briefed ministers that Huawei hardware bought by BT could be hijacked by China to cripple the UK's communications infrastructure.…
China rubbishes cyber-espionage claimsSpooky Ghostnet revives malware spying accusations
China has been accused of using malware to spy against the Tibetan government-in-exile and the private office of the Dalai Lama, as well as numerous foreign embassies.…
Paper: "Tracking GhostNet: Investigating a Cyber Espionage Network"By Robert A. on IndustryNews
There's been a bunch of news regarding a new report published indicating a wide spread Chinese espionage network dubbed 'ghostnet'. From the paper "This report documents the GhostNet - a suspected cyber espionage network of over 1,295 infected computers in 103 countries, 30% of which are high-value targets, including ministries of...
What you see is NOT what you getBy Abhishek Karnik and Vitaly Zaytsev on General Computer Security
We’ve all read of social engineering tactics before and how gullible users fall prey to many tactics used by virus authors. As researchers we often give recommendations to family and friends on how not to fall prey to such tricks, but once in a while we need to remind ourselves too that we are included in [...]
Brief: Researchers find way to detect ConfickerResearchers find way to detect Conficker
NSM vs The CloudBy Richard Bejtlich
A blog reader posted the following comment to my post Network Security Monitoring Lives:
How do you use NSM to monitor the growing population of remote, intermittently connect mobile computing devices? What happens when those same computers access corporate resource hosted by a 3rd party such as corporate SaaS applications or storage in the cloud?
This is a great question. The good news is we are already facing this problem today. The answer to the question can be found in a few old principles I will describe below.
- Something is better than nothing. I've written about this elsewhere: computer professionals tend to think in binary terms, i.e., all or nothing. A large number of people I encounter think 'if I can't get it all, I don't want anything." That thinking flies in the face of reality. There are no absolutes in digital security, or analog security for that matter. I already own multiple assets that do not strictly reside on any single network that I control. In my office I see my laptop and Blackberry as two examples.
Each could indeed have severe problems that started when they were connected to some foreign network, like a hotel or elsewhere. However, when the obtain Internet access in my office, I can watch them. Sure, a really clever intruder could program his malware to be dormant on my systems when I am connected to "home." How often will that be the case? It depends on my adversary, and his deployment model. (Consider malware that never executes on VMs. Hello, malware-proof hosts that only operate on VMs!)
The point is that my devices spend enough time on a sufficiently monitored network for me to have some sense that I could observe indicators of problems. Of course I may not know what those indicators could be a priori; cue retrospective security analysis. - What is the purpose of monitoring? Don't just monitor for the sake of monitoring. What is the goal? If you are trying to identify suspicious or malicious activity to high priority servers, does it make sense to try to watch clients? Perhaps you would be better off monitoring closer to the servers? This is where adversary simulation plays a role. Devise scenarios that emulate activity you expect an opponent to perform. Execute the mission, then see if you caught the red team. If you did not, or if your coverage was less than what you think you need, devise a new resistance and detection strategy.
- Build visibility in. When you are planning how to use cloud services, build visibility in the requirements. This will not make you popular with the server and network teams that want to migrate to VMs in the sky or MPLS circuits that evade your NSM platforms. However, if you have an enterprise visibility architect, you can build requirements for the sort of data you need from your third parties and cloud providers. This can be a real differentiator for those vendors. Visibility is really a prerequisite for "security," anyway. If you can't tell what's happening to your data in the cloud via visibility, how are you supposed to validate that it is "secure"?
I will say that I am worried about attack and command and control channels that might reside within encrypted, "expected" mechanisms, like updates from the Blackberry server and the like. I deal with that issue by not handling the most sensitive data on my Blackberry. There's nothing novel about that.
Response to 60 Minutes Story "The Internet Is Infected"
By Richard Bejtlich
I just watched the 60 Minutes story The Internet Is Infected. I have mixed feelings about this story, but I think you can still encourage others to watch and/or read it. Overall I think the effect will be positive, because it often takes a story from a major and fairly respected news source to grab the attention of those who do not operationally defend networks.
I'd like to outline the negative and positive aspects of the story, in my humble point of view.
The negative aspects are as follows:
- I detest the term "infected." Computers in 2009 are not "infected." They are compromised by malware operated by a human with an objective. The malware is a tool; it is not the end goal. In the late 1990s I enjoyed defending networks because the activity I monitored was caused by a human, live on the Internet, whose very keystrokes I could watch. At the beginning of this decade I despaired as human action was drowned in a sea of malware that basically propagated but did little otherwise. Since the middle of the decade we have had the worst of both worlds; when I see malware I know there is a human acting through it for malicious purposes. I detest "infection" because the term implies we can apply some antiseptic to the wound to "clean it." In reality the malware's operator will fight back, resist "cleaning," and maintain persistence.
- Cue the "teenage hacker." I thought we were collectively making progress away from the pasty-faced teenager in the parental basement. It seems the popular consciousness has now moved to the pasty-faced teenager in Russia, courtesy of 14-year-old "Tempest" in the 60 Minutes video. Never mind the organized crime, foreign intelligence, and economic espionage angles. Two other groups are definitely going to be upset by this: Chinese hackers and insider threats. Actually, not hearing a word about the latter makes me feel happy inside.
- "I thought I had a good enough firewall." GROAN. Hearing people talk about their firewalls and anti-virus was disheartening. I almost thought Vint Cerf was going to spill the beans on the easiest way to avoid Conficker when he said the following:
I’ve been on the Net ever since the Net started, and I haven’t had any of the bad problems that you’ve described," Cerf replied...
Because I don't use Windows! Say it Vint! Oh well.
The positive aspects are as follows:
- Hello security awareness. Stories like this wake people up to the problems we face every day. Sure Conficker is just the latest piece of malware, definitely not "one of the most dangerous threats ever," as said on TV. At the very least this story should enable a conversation between management and security operations.
- Client-side exploitation via socially-engineered and social network attacks were demonstrated. Good for Symantec to show that Morley Safer owns Leslie Stahl via Facebook. Better yet, 60 Minutes even used the term "owned"!
- Real consequences were demonstrated. I am very glad that Symantec showed just what an intruder can do to an owned computer. Keystroke logging, screen scraping, sensitive informatiomn retrieval, the works. They didn't even mention opening and closing the CD tray or activating the Webcam. That would have been cool, though.
Expect a few questions about this tomorrow at work!
3 Ways Pen Testing Helps DLP (and 2 Ways It Doesn't)
Penetration testing's future has been caught in heated debate recently, sparked by Fortify Co-Founder and Chief Scientist Brian Chess' prediction that the practice would die off this year. [See: Penetration Testing: Dead in 2009]
Smart grid, other environmental control systems not smart about securityIf lengthy requirements were a measure of success, then smart grid technology is well on its way to being an anomaly in the environmental controls space. But I'm not going to try to hold my breath for that to happen.
EC to probe online profiling by Web sites and ISPsThe European Commission is about to launch an investigation into how consumers' online data is being used by search companies, social networking Web sites and ISPs, a spokeswoman said Monday.
GhostNet highlights evolving threat environmentThe high-profile disclosure over the weekend of the GhostNet cyberespionage ring that targeted 1,295 computers in more than 100 countries underscores how highly targeted and sophisticated attacks, often run by criminals, are changing the security landscape, according to a security researcher at Symantec.
Mozilla patches Firefox's critical Pwn2Own bugMozilla Corp. patched two critical Firefox bugs on Friday, including one used the week before by a German student to win $15,000 for hacking three different browsers at the Pwn2Own contest.
The Experts CommunityI missed The Experts Conference last week (formerly the Directory Experts Conference), the first time in a number of years. And, as this was the first edition of the event since Quest assimilated NetPro last fall, I was quite interested in how it went.
New security standard MashSSL builds application trustApplication mashups are gaining traction in the enterprise. There's no doubt that productivity can be enhanced when new functionality can be delivered quickly and conveniently by combining information from multiple sources. However, there's a trade-off in application security. Mashups hold the potential to introduce a new network attack vector. A proposed new standard called MashSSL could eliminate the security concerns, making enterprise mashups as secure as any SSL transaction.
Top 10 technology skillsAmidst the worst job market in 25 years, IT is holding steady. Most CIOs are maintaining their current staffing levels; while a few are hiring specialists who have in-demand IT skills.
Latest cloud storage hiccups prompts data security questionsThe pitch from providers of hosted storage services sounds enticing. Instead of what these provider call the inherent risks in using hard drives or DVDs to store data, users are better off paying pay a small fee and backing up data in the cloud. Cloud storage providers pledge that putting valuable data into their hands is like keeping money in a bank.
Deep computer-spying network touched 103 countriesA 10-month cyberespionage investigation has found that 1,295 computers in 103 countries and belonging to international institutions have been spied on, with some circumstantial evidence suggesting China may be to blame.
Chinese cyberespionage network runs across 103 nations
By jhruska@arstechnica.com (Joel Hruska) on Tibet
The existence and operation of massive, coordinated, government-affiliated online espionage networks is typically the province of television or the silver screen, rather than the subject of research. In the real world, even a direct link between online and offline action (Russia's invasion of Georgia and the simultaneous online attacks against that country are a good example) is not enough to automatically prove that the government behind the one is automatically behind the other. We've covered the rise of hacktivism previously on Ars; as more citizens come online, we'll undoubtedly see more of this type of crowdsourced aggression in the future.
Researchers in Toronto, however, may have actually discovered and tracked a hacking effort that can be traced back to a foreign intelligence network—China's, in this case—over the past ten months. The team, which is affiliated with the Munk Centre for International Studies, has published an extensive report on the activities of what they dub GhostNet. Their investigation took place from June 2008 through March of 2009, and focused on allegations that the Chinese had engaged in systemic online espionage activities against the Tibetan community. GhostNet was spread through the use of a wide variety of Trojans, many of which were controlled through a program nicknamed gh0st RAT (Remote Access Tool).
MyID.is takes logical step, links Web ID with real world
By david@arstechnica.com (David Chartier) on OpenID
The notion of online verification is certainly nothing new, though it is also not for everyone. Many users prefer the anonymity of the Web for any number of (sometimes nefarious) reasons. For others, a centralized login and identity management resource is an ideal solution for the modern times, and these kinds of systems are blossoming. OpenID itself is experiencing broad adoption by the largest players in technology and the Web, though consumers have not been as quick to hop on board. Facebook Connect has taken off as both a single sign-on launchpad and activity syndication mechanism, but the newly launched, London-based MyID.is may be the first to tackle the challenge of tying our Web personas with our real world identities.
MyID.is' approach is simple, though it takes some time to get set up. The company is an OpenID provider, and it adds a key element of real world ID verification by charging a small, random setup fee (between €2 and €5) to your credit card, then mailing a code to your home address. Much like PayPal's account creation process, you must enter the fee amount and snail mail code on MyID.is' website, and the name on your card must match the name you registered with. After you successfully enter all this information, you'll have a MyID.is-provided OpenID URL and identity with which to badge your blog (pictured above), forum comments, Facebook profile, and just about any other online activity to prove that the content you generate is really coming from you.
GhostNet Highlights Evolving Threat Environment
Attacks are increasingly sophisticated and targeted, making them difficult to defend against.
Deep Computer-spying Network Touched 103 Countries
UPDATE: Analysts find spyware installed on servers belonging to foreign ministries, embassies and private companies.
Concern about Secure Disposal Hampers Green Efforts
A study finds that security worries, not environmental issues, drive e-waste disposal habits by businesses.
Cybersecurity Office Fate Uncertain
Federal cybersecurity duties may go to a new White House office or be handled by an existing agency, such as Homeland Security.
Search for 'Conficker' Could Lure Virus
Symantec warns
Firefox Patches Zero-day, Hacking Contest Bugs
The update fixes a bug used to win the Pwn2Own hacking contest.
Security Analyst Spots Three Flaws in Google Docs
Google denies problems, but finds could raise more questions over the safety of storing data in the cloud.
Google caches payment card details for 19,000 brits
Stolen information wants to be free, too
More evidence of Google's success in organizing the world's information and making it universally accessible: Payment card details for 19,000 Brits were recently found hosted in the search engine's web cache.…
Romanian phisher gets 50 month prison termNo credit for good grammar
A Romanian man has been sentenced to serve more than four years in US prison for taking part in a sophisticated phishing scam that cost financial institutions at least $150,000.…
Delivering sustainable securityAudio + Slides
Regcast In the third in our series of Regcasts assessing the state of the IT security market, the experts look at the mechanisms required to ensure security solutions evolve to match the ever changing threat landscape.…
Firefox update fixes pwn2own vulnEarly arrival
Mozilla responded to reports of vulnerabilities by pushing out a new version of Firefox on Friday.…
Conficker flaw yields new tool for detectionBy Robert Westervelt
A flaw in the way Conficker infects machines has given security experts the ability to design a new tool to remotely detect infections over the network.
Firefox update blocks proof-of-concept codeBy SearchSecurity.com Staff
Mozilla updated Firefox to repair several flaws, including a critical zero-day flaw.
Microsoft calls next Conficker variant 'manageable'By Robert Westervelt
The next version of Conficker expected April 1, should be treated like any other malware attack, Microsoft said in a message to customers.
Posts
