Tuesday, March 18, 2008

Addressing the growing botnet threat

A 20 minute CERT podcast on botnets gives an overview of botnets - sizeable networks of compromised computers remotely controlled by hackers, used for stealing data, identity theft, hacking other systems and spamming. Hear how compromises occur, how botnets are used and controlled by the black hats, and how to secure your systems to avoid compromise and clean out bot infections.

If you don't have audio facilities on your system, or simply prefer to read, a transcript is also available.

This podcast is one of a small collection of information security podcasts from CERT, aimed at busy executives and largely nontechnical in content.

Labels: ,

Links to this post:

Create a Link

Friday, March 14, 2008

Drive-by malware alert

McAfee is warning about malware installed on 10,000 Web pages. The malware attempts to infect the systems of visitors to the sites by exploiting vulnerabilities in various common programs.

This kind of attack is yet another good reason to ensure your antivirus software is always up to date (assuming I don't need to tell you to install and run AV software!), and to load security patches promptly for all of the software programs on your system, not just the operating system: drive-by attacks typically target unpatched browsers, plugins and media players. PSI from Secunia (or NSI for corporates) is a useful tool to track the release of patches: it keeps an eye on what's installed and what versions are current, alerting you when new patches are released. PSI, the personal home-use version, is free and recommended.


Friday, December 07, 2007

No Tech Hacking


No Tech Hacking: A Guide to Social Engineering, Dumpster Diving, and Shoulder Surfing (~US$39 from Amazon, when in stock) looks like an interesting new book by Johnny Long, famous for his earlier book Google Hacking, and Kevin Mitnick, famous for the hacking exploits that landed him in jail and his earlier books The Art of Deception and The Art of Intrusion.

According to an interview in CSO Magazine, Johnny describes himself as a Christian hacker with plans to get the hacker community involved in charitable work. His writing reveals that he surely understands the Dark Side but, on the other hand, he does indeed openly promote the classical hacker ethic. Still, I'm quite sure Johnny would be the first to agree that social engineering and other hacker techniques could be classified as "dual use".

Kevin Mitnick clearly has Dark Side experience on his CV but, like Johnny, has achieved a lot without getting too deep into the technology.

I haven't read the book yet but it's on my Christmas wishlist (hint hint Santa).


Thursday, December 06, 2007

Info for SysAdmins/Infosec Managers on WPAD

A new Microsoft Advisory gives further details of the WPAD (Web Proxy Auto-Discovery) vulnerability recently disclosed at Kiwicon, New Zealand's first hacker conference.

The vulnerability relates to the way that Windows systems set to autoconfigure their web proxy settings go looking for the configuration file (a PAC script, conventionally fetched as wpad.dat from a host named wpad). If they don't find a wpad host on the local network, they "devolve" up the DNS tree one label at a time and, under some circumstances, end up looking for a host called wpad.co.nz or wpad.co.uk or whatever. If some enterprising haxor has registered one of these names, they can serve a malicious proxy configuration file and subsequently route the web traffic of every vulnerable machine through a proxy of their choosing, a man-in-the-middle position over the browser.

Microsoft offers workarounds pending a proper fix of the wpad logic. Turning off wpad is one solution, though I'm not sure whether this can be configured for all machines in a domain using Group Policy, so it may require each machine to be configured. Similarly, there's a registry hack that needs to be applied on every machine. Another fix is to create a wpad server and offer a legitimate proxy config file ... but make sure it is a high-availability machine since a denial-of-service attack on it would presumably reopen Pandora's box.
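To make the devolution walk concrete, here is a small model of it. This is an added illustration for this post, not Microsoft's code and not taken from the advisory: the host names and the tiny public-suffix set are constructed, and the exact stopping rules Windows applies vary by version, which is the "some circumstances" above. The model drops the host label from the client's own FQDN, prepends wpad to each remaining suffix in turn, and stops when only a top-level label is left; the hardened variant additionally refuses any name whose parent is a public suffix that an outsider could register.

```python
from typing import List

# Constructed stand-in for a public-suffix list: domains under which anyone
# can register a name. A real list (e.g. publicsuffix.org) has thousands.
PUBLIC_SUFFIXES = {"com", "net", "org", "nz", "co.nz", "uk", "co.uk"}


def wpad_candidates(client_fqdn: str) -> List[str]:
    """Model the unbounded devolution walk: drop the host label, then
    repeatedly prepend 'wpad' to the remaining suffix and strip its
    leftmost label, stopping when only a top-level label remains."""
    labels = client_fqdn.lower().rstrip(".").split(".")[1:]  # drop host label
    candidates = []
    while len(labels) >= 2:
        candidates.append("wpad." + ".".join(labels))
        labels = labels[1:]
    return candidates


def parent_domain(name: str) -> str:
    """'wpad.example.co.nz' -> 'example.co.nz'."""
    return name.split(".", 1)[1]


def safe_wpad_candidates(client_fqdn: str) -> List[str]:
    """Bounded walk: keep only names whose parent the organisation
    controls, i.e. stop before 'wpad' would be looked up directly under
    a public suffix that an outsider could register."""
    return [c for c in wpad_candidates(client_fqdn)
            if parent_domain(c) not in PUBLIC_SUFFIXES]


def hijackable_candidates(client_fqdn: str) -> List[str]:
    """Names the unbounded walk queries that sit directly under a public
    suffix: the ones an outsider could register, and hence the ones an
    admin should block or pre-register before an attacker does."""
    return [c for c in wpad_candidates(client_fqdn)
            if parent_domain(c) in PUBLIC_SUFFIXES]


if __name__ == "__main__":
    # Constructed sample clients: one in a .co.nz domain, one in a .com domain.
    for host in ("pc1.sales.example.co.nz", "laptop.corp.example.com"):
        print(host)
        print("  queried   :", wpad_candidates(host))
        print("  hijackable:", hijackable_candidates(host))
```

Run against the .co.nz client, the unbounded walk ends at wpad.co.nz, which nobody inside the organisation controls; the .com client never reaches a hijackable name because the walk stops before querying wpad.com. This is why the problem bites hardest under two-level country-code suffixes, and why the "stand up your own wpad server" workaround needs to cover every name the walk could reach before the attacker's one.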

Good luck!


Monday, December 03, 2007

Social engineering awareness module released

Security awareness - the key to counter social engineering attacks
Instead of trying to break into computer networks and systems which are protected by technical security control measures, social engineers prefer to compromise the people who configure, use and manage them. They cheat and lie their way past those who are naïve and/or unaware of the threat. Generally speaking, people are easier to deceive than computers, so social engineering remains a threat for all organizations, even those that have excellent technical security controls.

Almost anyone may be a social engineer. A social engineer is a person who is able to persuade someone else to part with information or something else of value. Parents can probably appreciate the social engineering skills of their children, even before they are able to speak!

In a work context, social engineers may be after sensitive company information: marketing strategies, details of our latest deals, pre-patent information, merger and acquisition plans etc. Such information may be extremely valuable to, say, a competitor. The social engineers may also need other pieces of information, such as login details for the network and a database server, in order to get to their ultimate goal.

Social engineers may also be interested in information about employees. Private investigators, for example, investigating suspected marital infidelity, may try to find out what time an employee normally leaves for home and where he is planning to go on his next business trip. Journalists might go fishing for information to corroborate a news story. Fraudsters and identity thieves would be interested in Social Security Numbers, bank account and credit card numbers, dates of birth etc.

Social engineers depend on being able to fool people into believing they have a legitimate right to information. The deception often works best if they look just like us: they dress like us, talk like us, behave like us. Which social engineer do you think would be more successful at ‘tailgating’ (following an employee into a building): someone who appears to be just another regular employee or someone wearing a stripy top and black face mask and carrying a bag marked SWAG? What about someone dressed as a maintenance engineer or policeman: would you refuse to let them pass? The deception is even easier on the telephone or email, since there are no visual clues to a person’s identity.


December’s NoticeBored security awareness module identifies numerous social engineering risks and controls, and is lightly sprinkled with real world examples of incidents reported in the general news media. Making employees alert to the possibility of social engineering is the first step towards resisting attack.

[Please see December’s NoticeBored newsletter for more background and an analysis of the social engineering threat.]


Monday, September 17, 2007

Viagra spam from Pfizer computers

A story in Wired shows that even major corporates are vulnerable to hackers and spammers. At least 138 Pfizer computers have been blacklisted for distributing spam for drugs such as Viagra, a Pfizer product, and Cialis, a competitor's product. The computers have presumably been taken over as 'bots' or 'zombies', remotely controlled by the hackers and used to distribute spam. It is entirely possible that the compromised machines have access to Pfizer's valuable proprietary information. Previous stories about Pfizer employees using peer-to-peer software, for example, indicate the kinds of information security weaknesses that could have led to the infections but, not surprisingly, Pfizer is not saying much about it.


Wednesday, August 01, 2007

IT professional accused of hacking former employer

An IT professional has been accused of hacking into a former employer's server to steal 4,000 confidential documents:
"A press note issued by S. Balu, Deputy Superintendent of Police, Cyber Crime Cell, said police had arrested M.S. Ramasamy, a 37-year-old software engineer from Avadi, on charges of hacking and stealing confidential and proprietary information from the server of Caterpillar, a US-based construction and mining company ... When contacted, Mr. Balu said the accused had gained access to the company’s server headquartered at Peoria in Illinois, US, using another employee’s user ID and password and downloaded over 4,000 confidential documents. A closed circuit camera had visuals of him accessing the server at the time when the files were downloaded. "


Thursday, July 19, 2007

Lurid job ads

"Hackers stole information from the U.S. Department of Transportation and several U.S. companies by seducing employees with fake job-listings on advertisements and e-mail, a computer security firm said."


The Reuters correspondent explains that victims were lured to a site with [fake] job advertisements and (presumably) phishing emails, only to have their systems infected with malware. The malware apparently evaded detection by the standard antivirus tools. Nasty.

I've long said that narrowly-targeted/custom malware is a particular threat if it slips under the antivirus silver bullet. Imagine the power of being able to select your target organization and inject your data extraction device and suck out your fill of an organization's lifeblood, with little chance of detection or prosecution. Imagine now that you are a Foreign Power or Criminal Mastermind with the money to buy such malware or the resources to recruit and train your own black squadron of evil hackers ...

Sleep well. Don't have nightmares. Leave that to us professional paranoiacs.


Saturday, June 16, 2007

The difference between black and white

The next DefCon hackers' conference will include a competition to Øwn the box. The idea of the game is for DefCon participants to hack network systems brought along by willing (or is that gullible?) sys admins. If (when) someone successfully compromises (Øwns) a box and finds the hidden random number, they get to keep (own) the box and celebrate their amazing mastery of the black arts.

The white hats who configure and donate the boxes are not allowed to interact with their own boxes (although how the conference organizers will stop them doing so via the network is unclear). The announcement suggests they should 'take the weekend off' and play Vegas (or more likely hack their peers' systems). Meanwhile, the black hats will work around the clock to bust the systems, presumably living on energy drinks, pizzas and party pills.

To the conference organizers and most of the participants - the black hats - this is all just a lark, a bit of fun. To the sys admins and security pros desperately trying to defend their systems against this kind of attack on a daily basis - the white hats - it's rather more than a simple game. The black hats need only find and exploit one serious hole per system, whereas the whities have to plug all the holes simultaneously. It's inherently unfair. Whitie life sucks.

Still, it sounds like fun to me. Am I turning into a black hat? What can the panel advise?


Friday, June 15, 2007

What the white hats are up against

In its usual tongue-in-cheek fashion, The Register describes the Black Hat world through ten features:
1. The Black Hats form a well integrated community that shares knowledge effectively.
2. Becoming a Black Hat is a career option even for those who are not super geeks.
3. There are even specialist virus tools designed to circumvent specific AV products.
4. There are SDKs for the more advanced hackers.
5. There's a market for your data.
6. There are botnets to rent.
7. Some rogue websites are very subtly managed.
8. Good hackers know how to stay safe (they stay abroad).
9. The banking system has its channels.
10. Not all businessmen are entirely averse to the odd hack (on a competitor).

In the sense of "know your enemy", the article presents an interesting perspective.


Monday, February 26, 2007

Book review: Google Hacking

Google Hacking for Penetration Testers by Johnny Long is a terrifying book if you are a slightly paranoid information security professional at a major corporation. You'll soon be avidly turning the pages with a growing look of shock and fear on your face, gripped by the unfolding horror story. Google Hacking puts the spotlight firmly on those dark places that many security managers fear to tread: firewall, IDS and IPS configurations, security patching practices, web application security ... need I say more?

Read this book if you dare.


Friday, February 23, 2007

TJX customer database hacked

A database hacking incident at TJX has evidently exposed bank card and drivers’ license details of millions of customers at its American, Canadian and Puerto Rican TK Maxx and other stores. The systems appear to have been hacked as far back as July 2005, some 18 months before the incident was discovered. [Generally speaking, credit card database hackers often kill the goose that lays the golden eggs by exploiting so many cards that they are traced back to the hacked originator in much less than 18 months. Perhaps the TJX hackers only recently obtained sufficient information to exploit, or perhaps they are true hackers not crackers, in other words they were driven by curiosity not malice and greed. This story is still unfolding.]

More database security, hacking, identity theft and incident management links


Monday, December 25, 2006

Congressional aide socially engineered

A congressional aide has admitted asking two jokers at Attrition.org to hack into his college's network and adjust his college grades. The jokers (who he evidently believed to be l33t hax0rs, though he would not have had the foggiest idea what those words mean) led him to believe they would do what he wanted and, in the course of the exchange, got him to reveal his Social Security Number and other personal information to make their "hacking job" easier. The email exchange is very amusing: the victim had no clue that he was being taken for a ride, even providing photographs of a [secret] squirrel at one point to validate his location. Be sure to read the news piece on Network World that revealed the victim's details and printed his admission and apology for making a big mistake ... which led to him being fired ... but his 15 minutes of fame now include a Wikipedia entry.

More social engineering, hacking and accountability resources


Wednesday, December 20, 2006

Insider threats info from CERT

A fascinating podcast by CERT's Dawn Cappelli describes a survey of the insider threat conducted by CERT/SEI, the US Secret Service and CSO magazine. As well as the usual roll-call of scary statistics (27% of security incidents are caused by insiders; 55% of the organizations surveyed had experienced deliberate insider malicious activities; 57% of IT sabotage attacks are committed by former employees), it mentions several interesting incidents and threats: employees deliberately stealing proprietary software and other information over a long period or just prior to moving to a new job, planting logic bombs and framing their supervisors for them, and creating backdoor accounts, modifying privileged scripts or planting long-fuse logic bombs while they still have privileged systems access.

To back up the podcast, there is a wealth of information on the insider threat on CERT's website. This is evidently a focus area for CERT and (on a professional note) it is gratifying to find that employee security awareness is recognized as an important control - specifically, Dawn mentioned use of 'whistleblower hotlines', policies and so forth to encourage/facilitate employees shopping their peers. Snitching may create its own ethical dilemmas but, speaking as one who has occasionally benefited from information provided in confidence by 'snouts' aggrieved at the liberties taken by their colleagues, it is a sadly underappreciated form of control.

Account management and review processes and change/configuration change management practices are also emphasized. The podcast highlights the amount of trust placed in privileged IT insiders.

More security awareness links


Tuesday, December 19, 2006

When SysAdmins go bad

Information Week reports that "A federal prosecutor says the sentencing of a former IT systems administrator to eight years in prison for an insider attack should sound a warning to hiring managers that they need to be more vigilant about who they're putting in critical IT positions. ... The March 4, 2002 attack brought down about 2,000 servers both in the company's data center, as well as in branch offices around the country. The financial giant reported that simply cleaning up the mess and getting back online cost UBS more than $3.1 million. ... Duronio [the guilty party] has a criminal record that includes charges of burglary and assault. A presentencing report from the Probation Office in U.S. District Court also lists charges against Duronio from the 1960s, 1970s, 1980s, and 1990s. ... A spokeswoman for UBS said that when Duronio was hired in 1999, the company only ran background checks on a select number of people. Duronio was not one of them". Background checks aren't perfect but, in this case at least, one should have raised concerns about the candidate prior to his employment in such a responsible position. The attack was reportedly triggered by Duronio receiving a bonus $15k lower than he expected in the aftermath of 9/11.

More links on hacking, malware, accountability, roles & responsibilities, incident management and laws, standards & regulations


Monday, December 18, 2006

Phone hacker sues bank for payment

Having been prosecuted and then discharged without conviction for hacking the Reserve Bank of New Zealand's telephone system, Gerry Macridis is now threatening legal action to be paid $7,500 for his unsolicited security advice. Gerry claims to have acted honourably by identifying security flaws in the bank's system and advising them of what they needed to do to resolve them. I've never met Gerry and based on the news reports I have no reason to doubt his integrity but his somewhat naive and direct approach must be a thorn in the bank's side.
More hacking links


Wednesday, October 11, 2006

Xerox copy center hack

A presentation at Black Hat 2006 by Brendan O'Connor covered Vulnerabilities in Not-So Embedded Systems. Specifically, it described a hack on a Xerox multifunction device (copy-scan-print). The machine has an embedded AMD CPU running Linux and Apache with the Xerox applications layered on top. Accessing the device remotely thanks to its web and telnet interfaces, the hacker exploited vulnerabilities in parameter handling by the applications to compromise the root account. To Brendan, this was a bit of a lark. He clearly enjoyed explaining how to hack the machine and, for example, photocopy and scan a stray paper clip and set it up as the default printing template. For Xerox, however, the presentation and exploit represented a security incident that forced them to roll out urgent security fixes to their understandably irate customers. It seems unlikely to have enhanced their reputation in the market. The broader lesson is that a network printer is a general-purpose server with a print engine attached, and deserves the same patching, hardening and network segregation as any other Linux box.
More security incident management and hacking links


Wednesday, July 26, 2006

Insider threat case study

"The computer sabotage trial of a systems administrator who was found guilty of attacking the network he had been hired to protect at UBS PaineWebber is sending out a sobering message, and one that can't be stressed enough: No matter what network security you have in place, it may not be enough to protect you from one of your own. It's almost a cliché, but one that many companies still do not take seriously."

[Good insider threat case study here]

"And O'Malley also says executives need to step it up when it comes to keeping an eye on employees who are full of complaints, or are on a bad streak with the company. "Sure it will happen again," he says. "And in all likelihood it will happen because of an insider. They always say, 'Oh, he was a trusted insider.' Bingo! That's the problem. He was a trusted insider."

More information security management and hacking links


Monday, June 05, 2006

Industrial espionage laid bare

As a former NSA employee, Ira Winkler is well known on the speaking circuit for disclosing some of the cloak-and-dagger techniques used by genuine spies. His book, Spies Among Us, should be required reading for all MBA students and managers. Secrets of Superspies, a conference keynote presentation by Ira, has the usual hallmarks of his case-study style plus the analysis to explain why corporate espionage is a realistic probability for any corporation with secrets, patents or other valuable intellectual property and unethical competitors. It's enough to make me even more paranoid.
More confidentiality, social engineering and hacking resources


Saturday, May 06, 2006

Spycar anti-spyware tester

Spycar comprises a suite of routines designed to mimic various forms of spyware (in a benign fashion, of course) and thereby test your anti-spyware tools. The sequence completes with a scoring and clean-up tool that politely reverts the test changes. Having been created by Ed Skoudis of Counter-Hack fame and colleagues from the SANS ISC, one can be reasonably confident that the tests are both effective and safe. The Spycar name is a tip-o'-the-hat towards the EICAR anti-virus test sequence, an old but still useful means of confirming that your antivirus tools are working. Ed, if you're watching, how about phishcar and Troycar too?
More (anti-)malware links


Friday, March 10, 2006

How To Become A Hacker

How To Become A Hacker by Eric S. Raymond ably explains the difference between hackers, crackers and script kiddies. It teases out the ethics and ethos of hacking, and explains the value system that bonds true hackers together. An excellent treatise.
More [anti-]hacking resources


Monday, January 30, 2006

Researchers: Rootkits headed for BIOS

A SecurityFocus article picks up on the possibility of rootkits in the computer's BIOS. The same principle applies to rootkits in video BIOS and network card option ROMs. The thing about these locations is that a reboot won't clear them, nor will a normal complete system rebuild - not even a new hard drive will clear them ... unless, that is, the code in the BIOS is just a stub, a loader for the main payload on disk. Given that the machine BIOS, by its very nature, runs before the operating system and has low level access to the hardware, it is conceivable that a stub could load the remainder from another firmware store, or from a normally inaccessible area on disk (such as a sector marked bad). The practical consequence is that a firmware implant can only be detected or removed by measuring or reflashing the firmware itself, which is exactly what most rebuild procedures never do.
More [anti-]hacking resources


Tuesday, August 30, 2005

Hacker intrigue

Here’s a hacking story with a difference: after investigating a hack perpetrated by a suspected Chinese-government-backed gang of uberhackers, Shawn Carpenter, a network security specialist at Sandia National [nuclear research] Laboratories, got caught up in the FBI investigation. Time Magazine reports that he was dismissed by Sandia when they discovered his out-of-hours hacking, even though Shawn claims to have been encouraged by the FBI to help them track the gang. The FBI has acknowledged their role in the investigation and Shawn subsequently got his security clearance reinstated, so the story seems to hold water.
More [anti-]hacking and cracking resources


Tuesday, August 16, 2005

Techworld.com - Critical Veritas attack code loose

Contrary to uninformed opinion, MS Windows is, of course, not the only vulnerable software Out There. Right now, there’s a race between those seeking to exploit an announced vulnerability in Symantec's Veritas Backup Exec Agent for Windows and those who are desperately patching their Veritas systems.
More change management and hacking resources


Tuesday, July 26, 2005

An upside to privacy breaches?

An editorial in Chief Marketing Officer Magazine hints at a possible upside to recent privacy breaches splattered acro