Monday, May 11, 2009

Around The Horn vol.1,98

Researchers: image spam making unexpected return

By jacqui@arstechnica.com (Jacqui Cheng) on study

Don't call it a comeback, but image-based spam is on the rise once again after hitting near-extinction late last year. Ralf Iffert and Holly Stewart of IBM's X-Force team detailed the phenomenon in a blog post last week, noting that the techniques used in the latest waves of image spam aren't any different from those seen during its height in 2006 and 2007, and that most spam blockers should be able to catch them. Still, the new rise in this old spamming practice indicates that spammers are once again pulling out all the stops to drum up business.

According to the two researchers, image spam saw its heyday in 2006 and 2007 when it got as high as almost 45 percent of all spam. It began to tank, however, in the second half of 2007, with 2008 practically putting a nail in the image spam coffin. The spamming method had dropped to only five percent of all spam in October of 2008 before the notorious McColo shutdown, subsequently taking image spam down to less than one percent of all spam in November.

Sysinternal Tool updates: Autoruns v9.5, PsLoglist v2.7, PsExec v1.95

By Robert A. on Tools

Not website-security related, but still useful tools. Autoruns v9.5: This update to Autoruns, a powerful autostart manager, adds display of audio and video codecs, which are gaining popularity as an extension mechanism used by malware to gain automatic execution. PsLoglist v2.7: This version of PsLoglist, a command-line event log display...

Thousands of Vulnerabilities Detected In FAA's Air Traffic Control Apps

By Robert A. on Vulns

"A government audit (PDF) has pinpointed more than 3,800 vulnerabilities -- 763 of which are high-risk -- in the Federal Aviation Administration's Web-based air traffic control system applications, including some that could potentially put air travel at risk. The U.S. Department of Transportation report, with the help of auditors from KPMG,...

Five simple PC security tips

By Dennis O'Reilly

The list of PC security products never ends. For every name that drops off, two more jump on. In fact, determining the best security hardware and software is a full-time job. Sometimes, you just want to throw up your hands and take your chances.

Maybe I'm just a cockeyed ...

Originally posted at Workers' Edge

Durzosploit v0.1 - JavaScript Exploit Generation Framework

By Darknet on XSS

Durzosploit is a JavaScript exploit generation framework that works through the console. The goal of this project is to quickly and easily generate working exploits for cross-site scripting vulnerabilities in popular web applications or web sites. Please note that Durzosploit does not find browser vulnerabilities; it is only a framework...

The feeling of greater security tempts us to be more reckless

The recent newsletter - rant, really - about the National Institute of Standards and Technology (NIST) white paper on enterprise password management ('Managing' passwords doesn't make them less unsafe) elicited a number of comments, some not very complimentary.

Classify data first

A big decision about cloud services is determining what not to commit to the cloud, so businesses should set about prioritizing their assets now.

6 ways to protect your privacy on Google

Google provides many ways to protect your privacy online -- you just need to find them. Here are six good ones.

Inside a data leak audit

When the director of IT at a Boston-based, midsize pharmaceutical firm was first approached to participate in a data leakage audit, he was thrilled. He figured the audit would uncover a few weak spots in the company's data leak defenses and he would then be able to leverage the audit results into funding for additional security resources.

Personal data warning over web forum killing
German murderer used Facebook to feed obsession

Police have warned against posting too much personal information on the internet, after a German man was today sentenced to life imprisonment for murdering a British computing student he met online.…

US Uni campus hack provokes security alert
Crash team on standby after medical centre hack

The personal info of more than 160,000 current and former students and staff at the University of California, Berkeley has potentially been exposed after hackers broke into campus health service computers.…

Is your Symantec Antivirus Alerting working correctly?, (Sun, May 10th)

In the past several months multiple difficulties have arisen with Symantec AMS (Alert Manageme ...(more)...

App service cloud could boost security, manageability

By Eric Ogren

New products from Citrix Systems Inc. could help organizations get started creating a corporate application service.

Vpopmail and QmailAdmin Email Quota Multiple Integer Overflows

Using an integer is not enough because it will overflow when the user has more than 2 gigabytes in their mailbox. Furthermore, a long integer isn't a good solution either, because a long integer has the same range as an integer on 32-bit machines.
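The failure mode described above, as an added illustration (not vpopmail's or QmailAdmin's own code): a quota check that totals message sizes in a 32-bit integer wraps once the mailbox passes 2 GB, so the "usage" goes negative and the check silently passes, while a 64-bit saturating total fails closed. The mailbox sizes and the 2 GB quota are constructed sample values.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample mailbox: three messages totalling 2,520,000,000 bytes (about 2.5 GB). */
static const uint64_t sample_sizes[] = { 1500000000ULL, 900000000ULL, 120000000ULL };
#define SAMPLE_COUNT (sizeof sample_sizes / sizeof sample_sizes[0])

/* Buggy pattern from the advisory: accumulate into a 32-bit value. The sum is kept
   unsigned so the wrap is well-defined, then converted to int32_t the way an `int`
   total would be read back (implementation-defined, negative on mainstream compilers). */
int32_t quota_usage_32(const uint64_t *sizes, size_t n) {
    uint32_t total = 0;
    for (size_t i = 0; i < n; i++)
        total += (uint32_t)sizes[i];       /* truncates and wraps past 4 GB */
    return (int32_t)total;                 /* > 2 GB reads back as negative */
}

/* A negative "usage" can never be >= quota, so an over-quota mailbox passes the check. */
bool over_quota_32(const uint64_t *sizes, size_t n, int32_t quota) {
    return quota_usage_32(sizes, n) >= quota;
}

/* Hardened version: 64-bit accumulation with an explicit overflow check that
   saturates to UINT64_MAX, so an impossible total is treated as over quota. */
uint64_t quota_usage_64(const uint64_t *sizes, size_t n) {
    uint64_t total = 0;
    for (size_t i = 0; i < n; i++) {
        if (sizes[i] > UINT64_MAX - total)
            return UINT64_MAX;             /* fail closed instead of wrapping */
        total += sizes[i];
    }
    return total;
}

bool over_quota_64(const uint64_t *sizes, size_t n, uint64_t quota) {
    return quota_usage_64(sizes, n) >= quota;
}

int main(void) {
    const int32_t quota32 = 2000000000;    /* constructed 2 GB quota */
    printf("32-bit usage: %d  over quota: %s\n",
           quota_usage_32(sample_sizes, SAMPLE_COUNT),
           over_quota_32(sample_sizes, SAMPLE_COUNT, quota32) ? "yes" : "no (BUG)");
    printf("64-bit usage: %llu  over quota: %s\n",
           (unsigned long long)quota_usage_64(sample_sizes, SAMPLE_COUNT),
           over_quota_64(sample_sizes, SAMPLE_COUNT, (uint64_t)quota32) ? "yes" : "no");
    return 0;
}
```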

Why Silent Updates Boost Security

Thomas Duebendorfer (Google Switzerland GmbH) and Stefan Frei (Communication Systems Group, ETH Zurich, Switzerland) looked into the performance of Web browser update mechanisms. The analysis of anonymized Google Web server logs allowed them to compare and rank the update strategies deployed by Google Chrome, Mozilla Firefox, Apple Safari, and Opera.

PDF Silent HTTP Form Repurposing Attacks

This paper sheds light on a modified approach to triggering web attacks through the JavaScript protocol handler in the context of opening a PDF in a browser.

IBM Tivoli Storage Manager Agent Service Buffer Overflows

Secunia Research has discovered two vulnerabilities in IBM Tivoli Storage Manager Agent Client (dsmagent.exe), which can be exploited by malicious people to compromise a vulnerable system.

Grabit NZB File Parsing Stack Overflow

Grabit is a popular Windows Usenet client designed for downloading binary files. It has support for NZB files, which a user would usually acquire from an external source. All versions 1.7.2 beta 3 and earlier of Grabit are vulnerable to a stack overflow when parsing DTD references in NZB files.

HPUX Running Useradd(1M) Local Unauthorized Access

A potential security vulnerability has been identified in HP-UX running the useradd(1M) command. The vulnerability could be exploited locally to allow unauthorized access to directories or files.

libwmf Packages Vulnerable to Denial of Service

Tavis Ormandy discovered that the embedded copy of the GD library in libwmf, a library for parsing Windows Metafiles (WMF), uses a pointer after it has already been freed.

HP OpenView Network Node Manager (OV NNM) Denial of Service (DoS)
Pango Heap Allocation Size Calculations Integer Overflow

Pango is a library for laying out and rendering text, with an emphasis on internationalization.

Ensuring Data Security When it's Time to Retire Computers

The recent discovery of a computer on eBay with data on a U.S. missile system underscores the importance of securing data when it is time to retire and dispose of a machine. Enterprises need to have proper plans and oversight in place to protect their information.
When it was reported that data on a U.S. missile system was found on a computer auctioned on eBay, enterprises were given another example of what happens when they fail to securely manage data at the end of its life. In this case, the consequences were nil, as the computer in question was purchased as p...

Insider Threat Myth Documentation

By Richard Bejtlich

In my first book The Tao of Network Security Monitoring, published in July 2004, I tried to trace the origin of the "80% myth". In the following section reprinted from pages 31-34, and newly annotated now, I document what this means for insider vs outsider threat. (This section is also posted here at Informit.com.)

OUTSIDERS VERSUS INSIDERS: WHAT IS NSM’S FOCUS?
This book is about network security monitoring. I use the term network to emphasize the book’s focus on traffic and incidents that occur over wires, radio waves, and other media. This book does not address intruders who steal data by copying it onto a USB memory stick or burning it to a CD-ROM. Although the focus for much of the book is on outsiders gaining unauthorized access, it pertains equally well to insiders who transfer information to remote locations. In fact, once an outsider has local access to an organization, he or she looks very much like an insider. [10]
Should this book (and NSM) pay more attention to insiders? One of the urban myths of the computer security field holds that 80% of all attacks originate from the inside. This “statistic” is quoted by anyone trying to sell a product that focuses on detecting attacks by insiders. An analysis of the most respected source of computer security statistics, the Computer Crime and Security Survey conducted annually by the Computer Security Institute (CSI) and the FBI, sheds some light on the source and interpretation of this figure. [11] [Bejtlich: I question saying "most respected" now, but I wrote that in 2004 before we had other reporting.]
The 2001 CSI/FBI study quoted a commentary by Dr. Eugene Schultz that first appeared in the Information Security Bulletin. Dr. Schultz was asked:
I keep hearing statistics that say that 80 percent of all attacks are from the inside. But then I read about all these Web defacements and distributed denial of service attacks, and it all doesn’t add up. Do most attacks really originate from the inside?
Dr. Schultz responded:
There is currently considerable confusion concerning where most attacks originate. Unfortunately, a lot of this confusion comes from the fact that some people keep quoting a 17-year-old FBI statistic that indicated that 80 percent of all attacks originated from the [inside]...
Should [we] ignore the insider threat in favor of the outsider threat? On the contrary. The insider threat remains the greatest single source of risk to organizations. Insider attacks generally have far greater negative impact to business interests and operations. Many externally initiated attacks can best be described as ankle-biter attacks launched by script kiddies.
But what I am also saying is that it is important to avoid underestimating the external threat. It is not only growing disproportionately, but is being fueled increasingly by organized crime and motives related to espionage. I urge all security professionals to conduct a first-hand inspection of their organization’s firewall logs before making a claim that most attacks come from the inside. Perhaps most successful attacks may come from the inside (especially if an organization’s firewalls are well configured and maintained), true, but that is different from saying that most attacks originate from the inside. [12]

Dr. Dorothy Denning, some of whose papers are discussed in Appendix B, confirmed Dr. Schultz’s conclusions. Looking at the threat, noted by the 2001 CSI/FBI study as “likely sources of attack,” Dr. Denning wrote in 2001:
For the first time, more respondents said that independent hackers were more likely to be the source of an attack than disgruntled or dishonest insiders (81% vs. 76%).
Perhaps the notion that insiders account for 80% of incidents no longer bears any truth whatsoever. [13]

The 2002 and 2003 CSI/FBI statistics for “likely sources of attack” continued this trend. At this point, remember that the statistic in play is “likely sources of attack,” namely the party that embodies a threat. In addition to disgruntled employees and independent hackers, other “likely sources of attack” counted by the CSI/FBI survey include foreign governments (28% in 2003), foreign corporations (25%), and U.S. competitors (40%).
Disgruntled employees are assumed to be insiders (i.e., people who can launch attacks from inside an organization) by definition. Independent hackers are assumed to not be insiders. But from where do attacks actually originate? What is the vector to the target? The CSI/FBI study asks respondents to rate “internal systems,” “remote dial-in,” and “Internet” as “frequent points of attack.” In 2003, 78% cited the Internet, while only 30% cited internal systems and 18% cited dial-in attacks. In 1999 the Internet was cited at 57% while internal systems rated 51%. These figures fly in the face of the 80% statistic.
A third figure hammers the idea that 80% of all attacks originate from the inside. The CSI/FBI study asks for the origin of incidents involving Web servers. For the past five years, incidents caused by insiders accounted for 7% or less of all Web intrusions. In 2003, outsiders accounted for 53%. About one-quarter of respondents said they “don’t know” the origin of their Web incidents, and 18% said “both” the inside and outside participated.
At this point the idea that insiders are to blame should be losing steam. Still, the 80% crowd can find solace in other parts of the 2003 CSI/FBI study. The study asks respondents to rate “types of attack or misuse detected in the last 12 months.” In 2003, 80% of participants cited “insider abuse of net access” as an “attack or misuse,” while only 36% confirmed “system penetration.” “Insider abuse of net access” apparently refers to inappropriate use of the Internet; as a separate statistic, “unauthorized access by insiders” merited a 45% rating.
If the insider advocates want to make their case, they should abandon the 80% statistic and focus on financial losses. The 2003 CSI/FBI study noted “theft of proprietary information” cost respondents over $70 million; “system penetration” cost a measly $2.8 million. One could assume that insiders accounted for this theft, but that might not be the case. The study noted “unauthorized access by insiders” cost respondents only $406,000 in losses. [14]
Regardless of your stance on the outsider versus insider issue, any activity that makes use of the network is a suitable focus for analysis using NSM. Any illicit action that generates a packet becomes an indicator for an NSM operation. One of the keys to devising a suitable NSM strategy for your organization is understanding certain tenets of detection, outlined next.
Footnotes for these pages:
10. Remember that “local access” does not necessarily equate to “sitting at a keyboard.” Local access usually means having interactive shell access on a target or the ability to have the victim execute commands of the intruder’s choosing.
11. You can find the CSI/FBI studies in .pdf format via Google searches. The newest edition can be downloaded from http://www.gosci.com.
12. Read Dr. Schultz’s commentary in full at http://www.chi-publishing.com. Look for the editorial in Information Security Bulletin, volume 6, issue 2 (2001). Adding to the confusion, Dr. Schultz’s original text used “outside” instead of “inside,” as printed in this book. The wording of the question and the thesis of Dr. Schultz’s response clearly show he meant to say “inside” in this crucial sentence. [Looking back on this five years later, I am still confused by Dr. Schultz's meaning. If he really meant to say "some people keep quoting a 17-year-old FBI statistic that indicated that 80 percent of all attacks originated from the outside," then why not say "this 17-year-old FBI statistic is the opposite of your claim?"]
13. Dr. Dorothy Denning, as quoted in the 2001 CSI/FBI Study.
14. Foreshadowing the popularization of “cyberextortion” via denial of service, the 2003 CSI/FBI study reported “denial of service” cost over $65 million—second only to “theft of proprietary information” in the rankings.

My biggest regret reading this section involves trying to interpret Dr. Schultz's comments. If anyone can find a copy of an "FBI study" from approximately 1984 that discusses insider vs outsider threat, please let me know!
Reading this section now, I see the primary value as finding documentation that the "80% myth" refers to the idea that "80 percent of all attacks are from the inside." If you agree that an attack is not the same as an "incident," then you can see how Dr. Denning's comment about "the notion that insiders account for 80% of incidents" introduces more problems by talking about incidents and not attacks. If someone wants to throw "risk" in there, you now have a third meaning.
What I find sad is that so many people carelessly cite the "FBI" or "CSI" studies as supporting whatever "80%" claim they want, but if asked to point to the actual study they could never do so. In my first book I at least tried to document what was available at that time.

Schumer calls for probe into phone spam (AP)

In us

AP - Unsolicited calls to home and cell phones warning of a final notice and an expiring vehicle warranty are a nuisance and harassment and should be the subject of a federal investigation, a U.S. senator said Sunday.

SB09-131: Vulnerability Summary for the Week of May 4, 2009

Five Free Security Hacks

Security software is still the lock on your PC's front door, but we have some tricks to make your front door a little less attractive to crooks.

Do Social Networks Invite Hackers into the Office?

Social networks are proving a useful professional tool, but they may raise security risks for the enterprise.