Custom and automated attacks against web sites continue as vendors and developers still have not gotten the hang of secure coding techniques.
In one case, an automated attack has infected more than 600,000 sites in about two days.
The other was a targeted attack against MySQL. Interestingly, the attackers are taking credit for this exploit.
Broad automated attacks like the first are usually driven by botnet groups that are ultimately seeking to compromise a large number of end-user systems.
The second kind of attack is becoming less common. My guess is that the attackers are seeking to establish credibility for their skills and to demonstrate their ability to launch a 0-day attack. This sort of activity ranges from the somewhat benign (the hacker equivalent of resume fodder) to the more malignant: demonstrating value before selling their exploits to the criminal underground.
While defects will always exist, it is clear that web site providers still fail to perform the security basics: vetting code before deployment and monitoring their site for compromise.
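As an added example (not code from this post or from Catbird), here is the kind of check that "monitoring their site for compromise" implies in practice: compare the script hosts a rendered page actually loads against the hosts the deployment is known to use, and scan the content store's plain-text columns for script markup, since a mass-injection attack plants its `<script>` reference in stored data first and the page only renders it later. The allowlist, the HTML and the database rows below are constructed for the example and every hostname is invented.

```python
import re
from urllib.parse import urlparse

# Constructed sample: a page as deployed (baseline) and the same page after
# a mass-injection attack appended a foreign <script> reference to a stored
# content field. All hosts and URLs are invented for the example.
ALLOWED_SCRIPT_HOSTS = {"www.example-shop.com", "cdn.example-shop.com"}

BASELINE_HTML = """<html><head>
<script src="https://cdn.example-shop.com/js/app.js"></script>
</head><body><h1>Widgets</h1></body></html>"""

INJECTED_HTML = """<html><head>
<script src="https://cdn.example-shop.com/js/app.js"></script>
</head><body><h1>Widgets</h1>
<p>Great widget"></td></tr></table><script src=http://evil-stats.example/ur.php></script>
</body></html>"""

# src attribute of every <script> tag, quoted or not
SCRIPT_SRC_RE = re.compile(r"<script[^>]*\ssrc\s*=\s*[\"']?([^\"'\s>]+)", re.IGNORECASE)
INLINE_SCRIPT_RE = re.compile(r"<script\b", re.IGNORECASE)


def script_hosts(html):
    """Set of hosts that the page's <script src=...> tags load from."""
    hosts = set()
    for src in SCRIPT_SRC_RE.findall(html):
        host = urlparse(src).hostname
        if host:
            hosts.add(host.lower())
    return hosts


def find_injected_scripts(html, allowed_hosts=ALLOWED_SCRIPT_HOSTS):
    """Script hosts on the page that are not on the deployment allowlist."""
    return sorted(script_hosts(html) - {h.lower() for h in allowed_hosts})


def scan_stored_fields(rows, text_columns):
    """Flag content rows whose plain-text columns contain script markup.

    rows: list of dicts as returned from the content database (constructed
    here). Mass-injection attacks land in the store first, so checking it
    directly catches the compromise before the page is even rendered.
    """
    findings = []
    for row in rows:
        for col in text_columns:
            value = row.get(col) or ""
            if INLINE_SCRIPT_RE.search(value):
                findings.append((row["id"], col))
    return findings


# Constructed sample rows: id 2 carries the injected payload.
SAMPLE_ROWS = [
    {"id": 1, "title": "Blue widget", "description": "A fine blue widget."},
    {"id": 2, "title": "Red widget",
     "description": 'Great widget"></td></tr></table><script src=http://evil-stats.example/ur.php></script>'},
]

if __name__ == "__main__":
    print("injected script hosts:", find_injected_scripts(INJECTED_HTML))
    print("tainted rows:", scan_stored_fields(SAMPLE_ROWS, ["title", "description"]))
```

Run against the live site on a schedule and diff the result against the last clean run; a new host in the script list, or any `<script` in a column that should only ever hold product text, is the signal the post says site owners are failing to watch for.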
(updated)
Current infection counts can be found (for a few of the domains hosting the malicious scripts) with Google:
Saturday, April 2, 2011
Wednesday, September 22, 2010
HyperSentry
HyperSentry is a technology that uses IPMI to trigger an out-of-band integrity check of a running hypervisor.
IPMI is a backdoor to the system, so it is something that has to be managed carefully. When I did pen-testing I often found that it was not secured properly. That said, it is a very interesting idea.
I think the hardware "root-of-trust" technology that AMD and Intel have developed is also interesting.
I think we will see tools, including Catbird, where a combination of these technologies is built into the system. I do have to point out that IPMI-based checks have been possible for years and yet no one has touted them as a solution for detecting conventional rootkits. I've learned that anything with "IBM" in the release has a certain FUD factor, and it may be a year or longer before we see a real capability that can be built into a product.
Perhaps the broader implication is that work like this is common on open-source hypervisors and is much harder to perform on proprietary systems.
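As an added illustration of "IPMI ... not secured properly" (an example written for this page, not HyperSentry code or anything from IBM), the script below audits the output of `ipmitool lan print` for the two settings a pen-tester looks for first: the NONE authentication type enabled for some privilege level, and RMCP+ cipher suites 0 to 2 (no authentication, no integrity or no confidentiality, respectively) left usable at a privilege level. The sample output is constructed; the BMC address and values are invented.

```python
# Constructed sample of `ipmitool lan print 1` output from a BMC that was
# never hardened. The address, MAC and values are invented for the example.
SAMPLE_LAN_PRINT = """\
Set in Progress         : Set Complete
Auth Type Support       : NONE MD2 MD5 PASSWORD
Auth Type Enable        : Callback : MD2 MD5 PASSWORD
                        : User     : NONE MD2 MD5 PASSWORD
                        : Operator : MD2 MD5 PASSWORD
                        : Admin    : MD2 MD5 PASSWORD
                        : OEM      : MD2 MD5 PASSWORD
IP Address Source       : Static Address
IP Address              : 192.0.2.10
Subnet Mask             : 255.255.255.0
MAC Address             : 00:00:5e:00:53:01
RMCP+ Cipher Suites     : 0,1,2,3,6,7,8,11,12
Cipher Suite Priv Max   : aaaaaaaaaaaaaaa
                        :     X=Cipher Suite Unused
                        :     c=CALLBACK
                        :     u=USER
                        :     o=OPERATOR
                        :     a=ADMIN
                        :     O=OEM
"""

# IPMI 2.0 cipher suites that leave a session partly or wholly unprotected.
WEAK_CIPHER_SUITES = {
    0: "no authentication, integrity or confidentiality",
    1: "no integrity or confidentiality",
    2: "no confidentiality",
}


def parse_lan_print(text):
    """Turn ipmitool's 'Key : Value' lines into a dict.

    Continuation lines (those that start with ':') belong to the previous
    key and are appended to it, one per line.
    """
    settings = {}
    last_key = None
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key:
            settings[key] = value
            last_key = key
        elif last_key:
            settings[last_key] += "\n" + value
    return settings


def audit_lan_settings(text):
    """Return findings for LAN channel settings an attacker can use directly."""
    s = parse_lan_print(text)
    findings = []
    # 'NONE' enabled for a privilege level allows IPMI 1.5 sessions at that
    # level without any password at all.
    for line in s.get("Auth Type Enable", "").splitlines():
        level, _, types = line.partition(":")
        if "NONE" in types.split():
            findings.append(f"auth type NONE enabled for {level.strip()}")
    # In 'Cipher Suite Priv Max', character i is the highest privilege level
    # reachable over RMCP+ cipher suite i; 'X' marks a suite that is unused.
    priv = s.get("Cipher Suite Priv Max", "").splitlines()[0] if s.get("Cipher Suite Priv Max") else ""
    for suite, reason in WEAK_CIPHER_SUITES.items():
        if suite < len(priv) and priv[suite] != "X":
            findings.append(f"cipher suite {suite} ({reason}) usable at privilege '{priv[suite]}'")
    return findings


if __name__ == "__main__":
    for finding in audit_lan_settings(SAMPLE_LAN_PRINT):
        print("FINDING:", finding)
```

On a real host the input comes from `ipmitool lan print <channel>` run locally or over the network; the same two checks are what most BMC hardening guides tell you to fix first, along with getting the BMC off any network that untrusted hosts can reach.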
Thursday, September 2, 2010
VA cloud outage
--Virginia Gov't Agencies Suffer Massive Outage
(August 27 & 30, 2010)
A storage area network (SAN) memory card failure at the Virginia Information Technologies Agency (VITA) left at least two dozen agencies without the ability to conduct business. Among the affected agencies are the Department of Motor Vehicles, which was unable to issue driver's licenses, and the Department of Social Services, which was unable to distribute benefits. The data center where the failure occurred is run by Northrop Grumman.
[Editor's Note (Northcutt): The state of Virginia was an early adopter of blades and virtualization. The advantages and economics are obvious. These outages may prove to be a cautionary tale. With virtualization, you end up with a lot of eggs concentrated in a fairly small basket so that if your continuity of operations plans fail, you go down pretty hard.
(Schultz): This is a perfect example of what can go wrong when cloud services fail. People in general neither recognize the real risk nor plan for loss of availability in cloud services.]
Wow, they were not running dual HBAs into the SAN? Can't be.
Outage report from VA is here: http://www.vita.virginia.gov/about/default.aspx?id=12596
I am not sure the SANS editor comments are warranted. This may be related to an architectural error in the deployment of the EMC DMX-3 and its backup.
The DMX is an SMP-based HA system with a petabyte of capacity. The comment about too many eggs in one basket is accurate with respect to the State of Virginia's use of a monster SAN, but not so much with respect to its use of virtualization.
The real failure here is whether or not they ever tested their COOP capability. Then we have to ask when they last ran a DR test, because their time to recover seems a little long as well.
My failure analysis: over-reliance on a vendor's claim that their hardware never fails.
Saturday, August 28, 2010
Web site reputation
Recently several companies have developed features or products to make web surfing more secure. One of these technologies uses reputation. Reputation is a measure of trust for a web site or web page. In this case trust is typically measured by how much SPAM, malicious traffic, or attacks a site is known to generate. It turns out that measuring these things is not that hard because a majority of web traffic flows through a relatively small number of gateways and backbone networks.
This is a very good idea. If a web site is known to host malware or send a lot of SPAM, then block or warn users before they visit the site. Of course, cyber-criminals have started to figure out how to bypass these checks: they simply attack sites with good reputations and get them to host the malware. In some cases it is just a matter of placing an advertisement on the reputable site, so the malware is served from a host the reputation check never sees.
Reputation-based security is still a great idea because it forces the crooks to work harder. However, we can't get overconfident and rely on this technique to always protect us. This means keep your software patched, don't click on suspicious links, and ignore any offer that is too good to be true.
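An added example of the design point above (written for this page, not code from any of the reputation products it refers to): the verdict for a visit has to be computed over every host the page pulls content from, not just the page's own host, or the "get a reputable site to host it" bypass works unchallenged. The reputation feed, thresholds and hostnames below are constructed for the example.

```python
from urllib.parse import urlparse

# Constructed reputation feed: score per host, 0 = known bad, 100 = clean.
# Every host and score here is invented for the example.
REPUTATION = {
    "news.example.org": 95,    # legitimate, well-known site
    "ads.example.net": 90,     # ad network with a good record
    "cdn-static.example": 85,
    "warez-dl.example": 5,     # known malware host
    "tracker-x.example": 15,   # spam / malicious traffic source
}
BLOCK_BELOW = 30    # scores under this are blocked outright
WARN_BELOW = 60     # scores under this produce a warning
UNKNOWN_SCORE = 50  # never-seen hosts are treated as 'warn', not 'allow'


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def lookup(host):
    """Reputation score for a host; unknown hosts get a neutral score."""
    return REPUTATION.get(host, UNKNOWN_SCORE)


def verdict_for_score(score):
    if score < BLOCK_BELOW:
        return "block"
    if score < WARN_BELOW:
        return "warn"
    return "allow"


def page_verdict(page_url, resource_urls):
    """Verdict for a visit, and the host that decided it.

    The page host *and* every third-party resource it loads (scripts,
    iframes, ad slots) are scored, and the worst host wins. A clean page
    whose ad slot now loads from a known-bad host is therefore blocked even
    though the page itself would pass.
    """
    hosts = {host_of(page_url)} | {host_of(u) for u in resource_urls}
    worst = min(hosts, key=lookup)
    return verdict_for_score(lookup(worst)), worst


if __name__ == "__main__":
    # Constructed visit: a clean news page whose ad slot has been pointed at
    # a known-bad host, the "just provide an advertisement" case.
    page = "https://news.example.org/story/123"
    resources = [
        "https://cdn-static.example/site.js",
        "https://ads.example.net/slot.js",
        "http://warez-dl.example/loader.js",
    ]
    print(page_verdict(page, resources))
```

Two choices matter here: unknown hosts default to "warn" rather than "allow", because a freshly registered domain has no reputation yet and that is exactly what the crooks rely on; and the resource list has to come from the page as fetched, since the malicious host only appears once the ad is actually served.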
Tuesday, August 24, 2010
Alert FOX News!
So, I got this funny SPAM email, and I thought someone would take this seriously and alert FOX News to yet another massive government intrusion into our lives... ;-)
By the way, the SPAM came with a ZIP file that will probably p0wn your computer if you install it...
------ Begin Message
From: Alfreda Robertson
Date: Tue, 24 Aug 2010 16:04:07 +0200
To:
Subject: IRS Notification - For Tax Payer xxx-x-xxxx-x@catbird.com
Dear Tax Payer,
As part of new requirements from the IRS, all U.S. Citizens are required by law to update their computers with new tax software.
To begin the update, install the attached file
After doing so, no further action is required on your part.
Thank you for your cooperation.
Sincerely,
IRS Agent #175
Alfreda Robertson
------ End of Message
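An added example, not part of the original post: inspecting a ZIP attachment like the one that came with this message without extracting anything from it. The archive is built in memory as a stand-in for the real attachment (the member name is invented); the checks flag executable members, document-looking double extensions, path traversal in member names, encrypted members and extreme compression ratios, which covers what a mail gateway rule for "install the attached file" lures should catch.

```python
import io
import os
import zipfile

# Extensions that run code when opened on a typical Windows desktop.
EXECUTABLE_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs",
                  ".js", ".jse", ".wsf", ".hta", ".msi", ".dll"}
DOCUMENT_EXT = {".pdf", ".doc", ".txt", ".jpg"}


def inspect_zip(data):
    """Inspect ZIP bytes without extracting; return (member, reason) findings."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [("<attachment>", "not a valid ZIP archive")]
    for info in zf.infolist():
        name = info.filename
        root, ext = os.path.splitext(name.lower())
        if ext in EXECUTABLE_EXT:
            findings.append((name, f"executable member ({ext})"))
            # 'statement.pdf.exe' style double extension
            if os.path.splitext(root)[1] in DOCUMENT_EXT:
                findings.append((name, "double extension disguised as a document"))
        # absolute paths or '..' components: writes outside the target dir
        parts = name.replace("\\", "/").split("/")
        if name.startswith(("/", "\\")) or ".." in parts:
            findings.append((name, "path traversal in member name"))
        # encrypted members defeat the gateway's content scanning
        if info.flag_bits & 0x1:
            findings.append((name, "encrypted member"))
        # extreme expansion ratio: decompression bomb
        if info.compress_size and info.file_size / info.compress_size > 100:
            findings.append((name, "suspicious compression ratio"))
    return findings


def build_sample_attachment():
    """Constructed stand-in for the phish's attachment: one member that is
    a fake 'tax software update' executable with a document-looking name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("IRS_Tax_Update_2010.pdf.exe", b"MZ" + b"\x00" * 64)
    return buf.getvalue()


def build_benign_attachment():
    """Constructed harmless archive for comparison."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("notes.txt", b"quarterly numbers\n")
    return buf.getvalue()


if __name__ == "__main__":
    for member, reason in inspect_zip(build_sample_attachment()):
        print(f"{member}: {reason}")
```

The point of the double-extension check is the lure itself: "install the attached file" only works if the file looks like a document to a user whose explorer hides known extensions.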
Friday, July 2, 2010
Always a good idea to keep your BIOS up to date....
Looks like Sony has learned from Dell’s leaky capacitor debacle.
Sony says 535,000 laptops at risk of overheating. More than half a million Sony laptops sold this year contain a software bug that could lead them to overheat, the company said June 30. Sony has recorded 39 cases of overheating among Vaio F and C series laptops that have been on sale since January. In some cases, the overheating has led the laptop case to deform. A bug in the heat-management system of the BIOS software is to blame. Sony is asking users to either update the software themselves or return their laptops so it can apply the update. The fault affects 535,000 computers, although Sony is asking a total of 646,000 owners to update their machines. The additional 111,000 machines are susceptible to several less serious problems that have also been found in the software, said Sony. BIOS is present in every PC and runs below the operating system, controlling the most basic functions of the computer and interaction between major components. It is usually invisible to users except for a BIOS start-up message that is typically seen when a PC boots. The problem affects machines sold both in Japan and the rest of the world. Affected models sold outside Japan are the VPCCW25FG/B, VPCCW25FG/P and VPCCW25FG/W.
Source: Computerworld
Wednesday, March 17, 2010
Are Open Source Applications More Secure?
Full Disclosure: I am a long-time Firefox user
Recently, there have been serious security advisories for Chrome, Safari, and Internet Explorer:
http://www.eweek.com/c/a/Security/IE-Attacks-Circulate-as-Microsoft-Updates-Advisory-766154/
http://www.v3.co.uk/v3/news/2259391/apple-updates-safari-browser
While a patch is now available for Safari (and perhaps Chrome), the community is still waiting on a fix from Microsoft.
Browsers, and Internet Explorer in particular, are the most commonly used applications in the world. Additionally, most web users visit one of the top 500 sites at least once a day. This intersection makes for a very attractive target for criminals. At any given moment the site you are visiting, even the site you are using to read this post, could be attacking you through your browser and trying to seed your system with malware.
Your first line of defense is a secure browser. I can't prove this easily, but I think an open-source browser like Firefox will always be more secure than a proprietary browser.
My advice:
- Keep your browser up to date; note that IE8 is not exposed by the current vulnerability
- Keep your OS up to date
- Run some sort of host-based intrusion protection system; if you have one of the consumer security suites, you already have this
- Run at least a basic network firewall
- Businesses should run a network intrusion protection system
Make use of virtualization software: run a special-purpose virtual machine for your banking and financial applications, and another virtual machine for casual web browsing and entertainment. Never, ever browse the web using your host system.
One last piece of advice:
Don't forget to wear some green today!
Michael