Thursday, August 16, 2007

Speaking of Bad Guys

I wanted to bring a few threat-oriented stories to your attention if you hadn't seen them. I'm also recording them here because I abhor bookmarks.

It's important to remember that we're fighting people, not code. We can take away their sticks but they will find another to beat us senseless. An exploit or malware is a tool; a person is a threat.

Dark images like the alley on the right first described in Analog Security is Threat-Centric remind us how dangerous the Internet can be to our data, and potentially our lives.

  • Report: Web 'Mean Streets' Pervasive: This is a story about a great new Honeynet Project report on Malicious web Servers. From the news story:

    If you still think avoiding risky sites keeps you safe on the Web, think again: Newly released research from the Honeynet Project & Research Alliance shows that even seemingly "safe" sites can infect you...

    The Honeynet Project also found that IE6 SP2 was the most likely browser version to get infected, versus Firefox 1.5.0 and Opera 8.0.0, so it really is safer to use one of these less-targeted browsers, according to the report.


    No one is safe, but survival rates increase when you differentiate yourself from the herd.

  • Newsmaker: DCT, MPack developer: So you want to know about the sorts of people feeding those malicious Web sites? Read this interview:

    [Question:] How do you get the exploits for MPack? Do you buy them?

    [Answer:] For our pack, there are two main methods of receiving exploits: The first one is guys sending us any material they find in the wild, bought from others or received from others; the second one is analyzing and improving public reports and PoC (proof-of-concept code).

    We sometimes pay for exploits. An average price for a 0-day Internet Explorer flaw is US$10,000 in case of good exploitation.


    I love reading interviews with bad guys.

  • Happy Birthday ZDI!: Speaking of buying exploits, David Endler posted a very interesting report on the status of the Tipping Point Zero Day Initiative. I found some of the comments from his vulnerability sources interesting:

    Q.) Would you consider doing business with the "underground" for more money

    * Yes: 10% No: 90%

    Q.) If no, why not?

    * "A company already offered me to buy 0days for much more money but I declined this offer because I didn't know what they really wanted to do with that and at the end I don't think it will help to improve the security of the software industry."
    * "Although money wise it might be very tempting, legally and morally its not tempting at all, so No."
    * "At some point everybody could be bought, I guess. But that would have to be really a lot of more money. I will not work with criminals for ten, twenty or so times the money."
    * "I've thought about it, and got offers but no."


    I think these researchers have seen enough Sopranos episodes to know that when you start dealing with the criminal world, there's no getting out.

  • Even the hackers are nervous: John Borland from Threat Level writes:

    There's big money to be made by breaking into other computers these days, and digital mafias have long since stepped into the gap, replacing slipshod and amateur work with professional-grade coding. According to McAfee Avert Labs researcher Toralv Dirro, harvested credit card numbers are sold in batches of a thousand, for between $1 and $6 dollars for a U.S. card, or twice that for a British card...

    But everything will be fine as long as antivirus software is in place, right?

    Wrong, said researcher Sergio Alvarez. He demonstrated a debugging program that immediately found bugs in several different varieties of antivirus software, and said the same kind of problems were common throughout the industry.

    Most antivirus firms rush products out on tight deadlines, without the extremely sensitive debugging process that such critical software ought to have, he argued. That left virtually all security software open to attacks that take advantage of those bugs, opening a painful paradox for systems administrators.

    "The more you try to defend yourself, the more you're vulnerable to this kind of attack," Alvarez said.
    (emphasis added)

    That echoes the point I made in Black Hat USA 2007 Round-Up Part 2: Modern countermeasures applied to reduce vulnerability and/or exposure in many cases increase both vulnerability and exposure.

  • Malware: Serious Business: More great threat reporting:

    Speaking at DefCon 2007, Thomas Holt revealed the results of his study, "The Market for Malware." The study reflects research conducted over the last year on some 30 hacker forums and focuses on six of those forums, including those hosted in eastern Europe.

    "The idea was to go into the forums and find out how they work," says Holt...

    The average hackers' forum works much like a combination of eBay and a department store site, Holt reports...

    As sellers submit more workable exploits to testers and buyers, they build a reputation that makes it easier -- and more lucrative -- to sell their future exploits, Holt says...

    A typical exploit in a hacker forum can sell from less than $100 to more than $3,000, Holt says...

    Holt and his research team are about to embark on further study in which they will attempt to study the international market for exploits, and how the products themselves evolve as they are bought and sold.


    This is a side of the digital world hardly anyone sees, but it's there and we need to be aware of it.

  • Storm Worm's virulence may change tactics: Ninja Joe Stewart is interviewed and makes an interesting comment:

    From the number of infected machines he's found, Stewart estimates that the Storm botnet could comprise anywhere from 250,000 to 1 million infected computers. And that raises questions, along with eyebrows.

    "Why do you need a botnet that big?" he asks. "You don't need a million [infected computers] to send spam."


    Wow, someone is asking "why" for a change. Why indeed?

  • Cisco warns of critical IOS flaws: Yet more reasons to Monitor Your Routers.

  • Ten Things Your IT Department Won't Tell You: I was asked to comment on this article. You can already find The Surf At Work Page and HTTP-Tunnel (a "corporate" product!) or HTTPTunnel@JUMPERZ.NET. I disliked the tone of the article, but it's important for security people to recognize that the majority of the user base sees us as impediments and not knights in shining armor.

  • Back to School: Backpacks, Books & Bots: Finally, a reminder that universities tend to get hammered in the fall:

    The latest strategy is to make security a "cool" thing on campus. "I can't solve every possible contingency with technology," says Quinnipiac's Kelly, who is also adding IPSs to the network in the next few days. "This year, we're focusing on cultural issues with security-awareness training."

    That means making security more personal, so the students don't just pay lip service to warnings about opening suspicious emails, or put their birthdates and physical addresses on their Facebook sites. "If I say, 'you need to update your AV,' they will say they don't care," Kelly says. "But when I say you could lose your work or your identity, they perk up and listen more."

    Of course, it can be a challenge to make security "cool" in a place where self-control is constantly tempted by new freedoms, new technology, and loads of free time.

    "College students today think they are computer geniuses. But they don't know what they don't know," says Richard Bunnell, senior security engineer with MassMutual Financial Group, which has an outreach program with nearby universities in New England to raise security awareness.
    (emphasis added)

    I almost fell out of my chair when I read that last paragraph.

2 comments:

Anonymous said...

Richard, what the person quoted meant was probably along the lines of that there's stuff that they not only don't know, they don't know they don't know it. What you know you don't know you go out and learn, but how do you learn what you don't know you don't know? It's the Mack truck in your blindspot that wipes you out!

Cheers!

Richard Bejtlich said...

Researchers: Bugs Can Turn Security Tools Against Their Users