<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>True Insight &#187; Security</title>
	<atom:link href="http://www.truedigitalsecurity.com/blog/tag/security/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.truedigitalsecurity.com/blog</link>
	<description>Information Security in Today&#039;s Digital Culture</description>
	<lastBuildDate>Mon, 06 Feb 2012 19:22:26 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.2.1</generator>
		<item>
		<title>Interesting Insights from the Latest MSIR</title>
		<link>http://www.truedigitalsecurity.com/blog/2011/10/12/interesting-insights-from-the-latest-microsoft-security-intelligence-report/</link>
		<comments>http://www.truedigitalsecurity.com/blog/2011/10/12/interesting-insights-from-the-latest-microsoft-security-intelligence-report/#comments</comments>
		<pubDate>Wed, 12 Oct 2011 18:08:24 +0000</pubDate>
		<dc:creator>Brett Edgar</dc:creator>
				<category><![CDATA[Malware]]></category>
		<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[Monitoring]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Security Awareness & Training]]></category>

		<guid isPermaLink="false">http://www.truedigitalsecurity.com/blog/?p=786</guid>
		<description><![CDATA[The latest Microsoft Security Intelligence Report (Volume 11) has been released and contains some interesting information that Microsoft has collected from the execution of its Malicious Software Removal Tool (MSRT) and Internet Explorer SmartScreen® data.  Several of the results confirm what those of us in the network security monitoring community already know: Java is the &#8230; <a href="http://www.truedigitalsecurity.com/blog/2011/10/12/interesting-insights-from-the-latest-microsoft-security-intelligence-report/">Read more <span class="meta-nav">&#8594;</span></a>]]></description>
			<content:encoded><![CDATA[<p>The latest <a title="Microsoft Security Intelligence Report Website" href="http://www.microsoft.com/security/sir/default.aspx" target="_blank">Microsoft Security Intelligence Report</a> (Volume 11) has been released and contains some interesting information that Microsoft has collected from the execution of its Malicious Software Removal Tool (MSRT) and Internet Explorer SmartScreen® data.  Several of the results confirm what those of us in the network security monitoring community already know: Java is the most often exploited application (page xvii), Adobe Acrobat exploits account for most malicious documents (page xviii), and Adware is the most common type of malware identified (page xx).  Microsoft also stated that over a third of malware detected could spread via the AutoRun feature on removable media or on network shares.  Updates exist that help make the AutoRun feature in XP and Vista more like the one in Windows 7, which is to say more secure.  Deploy those updates.<span id="more-786"></span></p>
<p>Some of the more interesting information reported:</p>
<ul>
<li>What is not getting exploited as often as I would have suspected &#8211; Adobe Flash and Microsoft Office.  Even though two Flash vulnerabilities identified in the first half of 2011 led to an increase in exploits against Flash, Flash is getting exploited <em>7 times less often</em> than Java!</li>
<li>For the last four quarters (Q3 2010 through Q2 2011) the detection of trojan and backdoor malware has experienced a consistent slight downward trend.  An explanation could be the coordinated takedown of several large botnets in the past year.  Microsoft has been involved in those takedowns, so a shout of thanks goes to them!</li>
<li>Another unexpected result: phishing attacks against social networks accounted for slightly less than half of all phishing attempts, while attacks against financial institutions accounted for slightly more than one-third of phishing attempts.  In April, Microsoft&#8217;s data indicated that 84% of all phishing attempts were against social networks.</li>
</ul>
<p>So, what does this mean for security professionals in the corporate world?  Well, it&#8217;s nothing new really: protect the clients just as you would the servers.  Patching the OS is no longer enough.  You must patch applications regularly too &#8211; most importantly, Java, Acrobat, and Flash.   Disable AutoRun, if possible, but at a minimum deploy the updates from Microsoft for XP and Vista that make them more secure.  And, finally, warn your users about phishing attacks and discourage using the same password for personal social networking and financial websites as they use for their corporate login(s).</p>
<div class="wp-about-author-containter-none" style="background-color:#edf0f7;"><div class="wp-about-author-pic"><img alt='Brett Edgar' src='http://www.truedigitalsecurity.com/blog/wp-content/uploads/2012/01/Kayna-Kelley_avatar.jpg' class='avatar avatar-100 photo' height='100' width='100' /></div><div class="wp-about-author-text"><h3><a href='http://www.truedigitalsecurity.com/blog/author/bredgar/' title='Brett Edgar'>Brett Edgar</a></h3><p>Brett is a Founder and the Director of Managed Security Services at TRUE.  He has been working in the system and network forensics field since graduating from the University of Tulsa with a B.S. Computer Science in 2003.  He speaks hexadecimal fluently and is TRUE's resident human Ethernet transceiver.  He holds CISSP, CSSLP, and CNSS 4011-4015 certificates, loves MLB and NCAA Football, and when he gets tired of hexadecimal, he goes home to hang out with his wife and kid.</p><p><a href='lairofthewalrus' title='Brett Edgar on Twitter'>Twitter</a> - <a href='http://www.truedigitalsecurity.com/blog/author/bredgar/' title='More posts by Brett Edgar'>More Posts</a> </p></div></div>]]></content:encoded>
			<wfw:commentRss>http://www.truedigitalsecurity.com/blog/2011/10/12/interesting-insights-from-the-latest-microsoft-security-intelligence-report/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Picking on the Little Guy</title>
		<link>http://www.truedigitalsecurity.com/blog/2011/08/17/picking-on-the-little-guy/</link>
		<comments>http://www.truedigitalsecurity.com/blog/2011/08/17/picking-on-the-little-guy/#comments</comments>
		<pubDate>Wed, 17 Aug 2011 15:01:35 +0000</pubDate>
		<dc:creator>Dominic Schulte</dc:creator>
				<category><![CDATA[PCI]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Hackers]]></category>

		<guid isPermaLink="false">http://www.truedigitalsecurity.com/blog/?p=492</guid>
		<description><![CDATA[Security is expensive. We all know that. I see the battles my clients continually face – particularly the small and medium-sized businesses (SMBs) – as they try to spread their limited security dollars across dedicated salaries (for the fortunate ones), toolsets, appliances, training, and consulting (maybe we don’t need to include the last one…). The &#8230; <a href="http://www.truedigitalsecurity.com/blog/2011/08/17/picking-on-the-little-guy/">Read more <span class="meta-nav">&#8594;</span></a>]]></description>
			<content:encoded><![CDATA[<p>Security is expensive. We all know that. I see the battles my clients continually face – particularly the small and medium-sized businesses (SMBs) – as they try to spread their limited security dollars across dedicated salaries (for the fortunate ones), toolsets, appliances, training, and consulting (maybe we don’t need to include the last one…). The underlying belief from which many SMBs seem to take some relief: “I’m the small guy. Surely I won’t be targeted when there are banks and multinational retailers to be hacked.” Mr. Angelastri says as much in this <a href="http://online.wsj.com/article/SB10001424052702304567604576454173706460768.html?mod=rss_US_News">Wall Street Journal article</a>.<span id="more-492"></span></p>
<p>While this assumption may have been relatively safe to make in the not too distant past, I have a feeling statistics shared in the article and again for you here are going to be a source of angst for many SMBs, particularly and for the moment, those that process credit cards.</p>
<ul>
<li>In 2010, the U.S. Secret Service and Verizon Communications Inc.&#8217;s forensic analysis unit, which investigates attacks, responded to a combined 761 data breaches, up from 141 in 2009. Of those, 482, or 63%, were at companies with 100 employees or fewer.</li>
<li>Visa Inc. estimates about 95% of the credit-card data breaches it discovers are on its smallest business customers.</li>
</ul>
<p>The questions that enter my mind are, ‘How do we as security professionals respond to this apparent trend to better protect our clients within their resource constraints?’ and ‘How is the <a href="https://www.pcisecuritystandards.org/">Payment Card Industry</a> going to respond to this shifting risk profile?’</p>
<p>I have some immediate thoughts on those topics (dial-out terminals, tokenization, end-to-end encryption, validation shifting strategies) that I will discuss in future posts, but in the meantime, I’m curious to hear how you personally are responding to this shift.</p>
<div class="wp-about-author-containter-none" style="background-color:#edf0f7;"><div class="wp-about-author-pic"><img alt='Dominic Schulte' src='http://www.truedigitalsecurity.com/blog/wp-content/uploads/2011/08/dom-bw-1-100x100.jpg' class='avatar avatar-100 photo' height='100' width='100' /></div><div class="wp-about-author-text"><h3><a href='http://www.truedigitalsecurity.com/blog/author/deschulte/' title='Dominic Schulte'>Dominic Schulte</a></h3><p>Dominic Schulte currently serves as the Managing Director of Security Services &amp; Consulting at TRUE, where he is responsible for the execution of a wide range of security and regulatory compliance services. Previously, Dominic worked with the National Security Agency (NSA) as a Global Network Exploitation and Vulnerability Analyst in the National Security Incident and Response Center (NSIRC). He holds CISSP, QSA and CNSS 4011-4015 certifications.</p></div></div>]]></content:encoded>
			<wfw:commentRss>http://www.truedigitalsecurity.com/blog/2011/08/17/picking-on-the-little-guy/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Adobe Acrobat products update available</title>
		<link>http://www.truedigitalsecurity.com/blog/2009/10/14/adobe-acrobat-products-update-available/</link>
		<comments>http://www.truedigitalsecurity.com/blog/2009/10/14/adobe-acrobat-products-update-available/#comments</comments>
		<pubDate>Wed, 14 Oct 2009 14:11:57 +0000</pubDate>
		<dc:creator>Brett Edgar</dc:creator>
				<category><![CDATA[Advisories]]></category>
		<category><![CDATA[Malware]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[adobe]]></category>
		<category><![CDATA[security advisory]]></category>

		<guid isPermaLink="false">http://www.truedigitalsecurity.com/blog/?p=263</guid>
		<description><![CDATA[Adobe has released updates for the Acrobat suite of products. The update fixes over two dozen vulnerabilities[adobe.com], at least one of which is being actively exploited. The version number of the fixed Acrobat and Acrobat Reader products are 9.2, 8.1.7, and 7.1.4. What is more damning than the 29 vulnerabilities fixed is that it appears &#8230; <a href="http://www.truedigitalsecurity.com/blog/2009/10/14/adobe-acrobat-products-update-available/">Read more <span class="meta-nav">&#8594;</span></a>]]></description>
			<content:encoded><![CDATA[<p>Adobe has released updates for the Acrobat suite of products.  The update fixes over two dozen <a href="http://www.adobe.com/support/security/bulletins/apsb09-15.html">vulnerabilities</a>[adobe.com], at least one of which is being actively exploited.  The version numbers of the fixed Acrobat and Acrobat Reader products are 9.2, 8.1.7, and 7.1.4.</p>
<p>What is more damning than the 29 vulnerabilities fixed is that it appears that many of the vulnerabilities have existed since Acrobat 7.x and are just now being discovered and/or addressed.  I have a suggestion for Adobe: Get your developers some secure coding training. Stop all coding at your company until all your developers have taken one month of secure coding classes.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.truedigitalsecurity.com/blog/2009/10/14/adobe-acrobat-products-update-available/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>YAAV (Yet Another Adobe Vulnerability)</title>
		<link>http://www.truedigitalsecurity.com/blog/2009/10/08/yaav-yet-another-adobe-vulnerability/</link>
		<comments>http://www.truedigitalsecurity.com/blog/2009/10/08/yaav-yet-another-adobe-vulnerability/#comments</comments>
		<pubDate>Thu, 08 Oct 2009 21:13:12 +0000</pubDate>
		<dc:creator>Brett Edgar</dc:creator>
				<category><![CDATA[Advisories]]></category>
		<category><![CDATA[Malware]]></category>
		<category><![CDATA[Windows]]></category>
		<category><![CDATA[adobe]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[security advisory]]></category>

		<guid isPermaLink="false">http://www.truedigitalsecurity.com/blog/?p=255</guid>
		<description><![CDATA[Another Adobe Acrobat vulnerability is being exploited in the wild. All versions up to and including 9.1.3 are vulnerable. The current exploit targets Acrobat and Acrobat Reader on Windows specifically, but all Acrobat variants (those for Linux and Mac OS X) are vulnerable. Apparently, using DEP (Data Execution Prevention) in Windows may thwart the attack &#8230; <a href="http://www.truedigitalsecurity.com/blog/2009/10/08/yaav-yet-another-adobe-vulnerability/">Read more <span class="meta-nav">&#8594;</span></a>]]></description>
			<content:encoded><![CDATA[<p>Another <a href="http://blogs.adobe.com/psirt/2009/10/adobe_reader_and_acrobat_issue_1.html">Adobe Acrobat vulnerability</a> is being exploited in the wild.  All versions up to and including 9.1.3 are vulnerable.  The current exploit targets Acrobat and Acrobat Reader on Windows specifically, but all Acrobat variants (those for Linux and Mac OS X) are vulnerable.  Apparently, using DEP (Data Execution Prevention) in Windows may thwart the attack (at the moment).  DEP is an optional setting.  Here is the <a href="http://support.microsoft.com/kb/875352">Microsoft KB</a> article about DEP, but their server is saying it&#8217;s &#8220;too busy&#8221; at the moment (4:11p).  More information from the ISC is <a href="http://isc.sans.org/diary.html?storyid=7300">here</a>.</p>
<p>Adobe is set to release an update on October 13.  Until then, keep on your toes!</p>
<p>TRUE Network Security Monitoring customers: rest easier: if your resources are successfully attacked, we should see the results.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.truedigitalsecurity.com/blog/2009/10/08/yaav-yet-another-adobe-vulnerability/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Voice Over IP Security</title>
		<link>http://www.truedigitalsecurity.com/blog/2009/09/18/voice-over-ip-security/</link>
		<comments>http://www.truedigitalsecurity.com/blog/2009/09/18/voice-over-ip-security/#comments</comments>
		<pubDate>Fri, 18 Sep 2009 15:46:42 +0000</pubDate>
		<dc:creator>Nathaniel James</dc:creator>
				<category><![CDATA[Encryption]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[voip]]></category>

		<guid isPermaLink="false">http://www.truedigitalsecurity.com/blog/?p=247</guid>
		<description><![CDATA[According to NIST, with the proliferation of VOIP, the demands for security are significantly compounded.  Now, network administrators must protect two invaluable assets &#8211; our data and our conversations. Federal agencies are required by law to protect a great deal of information, even if it is unclassified. The current Internet architecture does not provide the &#8230; <a href="http://www.truedigitalsecurity.com/blog/2009/09/18/voice-over-ip-security/">Read more <span class="meta-nav">&#8594;</span></a>]]></description>
			<content:encoded><![CDATA[<p>According to <a href="http://csrc.nist.gov/publications/nistpubs/800-58/SP800-58-final.pdf">NIST</a>, with the proliferation of VOIP, the demands for security are significantly compounded.  Now, network administrators must protect two invaluable assets &#8211; our data and our conversations. Federal agencies are required by law to protect a great deal of information, even if it is unclassified. The current Internet architecture does not provide the same physical wire security as the phone lines. What’s the solution? Encryption! Encryption! Encryption!</p>
<p>Encrypting VOIP traffic and running it over a virtual private network provides excellent security when dealing with external communications. Architecture decisions, like locating IP telephones behind NATs and firewalls, are also important.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.truedigitalsecurity.com/blog/2009/09/18/voice-over-ip-security/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Why spyware IDS alerts are useful</title>
		<link>http://www.truedigitalsecurity.com/blog/2009/05/21/why-spyware-ids-alerts-are-useful/</link>
		<comments>http://www.truedigitalsecurity.com/blog/2009/05/21/why-spyware-ids-alerts-are-useful/#comments</comments>
		<pubDate>Thu, 21 May 2009 14:52:44 +0000</pubDate>
		<dc:creator>Brett Edgar</dc:creator>
				<category><![CDATA[Malware]]></category>
		<category><![CDATA[Monitoring]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[monitoring]]></category>
		<category><![CDATA[spyware]]></category>

		<guid isPermaLink="false">http://www.truedigitalsecurity.com/blog/?p=210</guid>
		<description><![CDATA[As you may know, our company provides 24&#215;7 Network Security Monitoring services to many customers.  Our clients vary widely in size, industry, and information security maturity.   Even so, we see many similar successes, failures, and trends in security monitoring alerts between these customers.  Spyware infections tend to be a significant number of the incident reports we &#8230; <a href="http://www.truedigitalsecurity.com/blog/2009/05/21/why-spyware-ids-alerts-are-useful/">Read more <span class="meta-nav">&#8594;</span></a>]]></description>
			<content:encoded><![CDATA[<p>As you may know, our company provides 24&#215;7 Network Security Monitoring services to many customers.  Our clients vary widely in size, industry, and information security maturity.   Even so, we see many similar successes, failures, and trends in security monitoring alerts between these customers.  Spyware infections tend to be a significant number of the incident reports we generate.  Today, I would like to write about the reason spyware alerts are a threat to your organization, why you should take them seriously and respond in a timely manner, and what you can do to decrease these incidents on your network.</p>
<p>The danger of spyware is two-fold.   First, it indicates a deficiency on the part of the user in general information security knowledge and specific corporate information security policies.  A spyware infection means that the user likely installed unapproved software on his/her system.  Perhaps the user was doing non-business related web surfing and found the &#8220;Totally Awesome Change Your Life Toolbar&#8221; from hAcme Software, Inc.  Or maybe the user was tricked into installing this software via social engineering.  (&#8220;Click here to install a media player to see Jane E. Celebrity in a bikini!&#8221;)  Either way, the user was not aware of the dangers of his/her actions with regard to information security and with regard to corporate security policies.  (You do have policies defining acceptable use of corporate information resources and punishment for misuse, right?)</p>
<p>The second danger (related to the first&#8211;in fact, the first is a consequence of the second, so maybe I should have reversed these points&#8211;oh well) indicated by a spyware infection is that the user has sufficient rights to execute unapproved software on his/her system that can modify his/her settings and hijack information.  With these rights the user may be delivered and subsequently execute much more damaging malware that exfiltrates personal and/or corporate information or receives and executes instructions from external attackers.  This malware may be delivered by the spyware itself.  Regardless of how it is delivered, your organization has a problem, and it needs to be fixed.</p>
<p>For these two reasons above you should take spyware infections seriously and respond to them in a timely manner.  But what can you do to limit future infections?</p>
<ol>
<li>Limit user rights.  Do not make them a member of the local Administrator or Power Users groups.  If you have applications that require Administrator privileges to run (QuickBooks, I&#8217;m looking in your direction), get rid of them.  That is a poorly designed application and is likely going to have far worse flaws.</li>
<li>One word: Education.  Provide it to your users.  If you don&#8217;t have a sufficiently trained and knowledgeable employee who can teach one day classes on information security, there are plenty of companies that provide that service&#8211;and you won&#8217;t have to develop the curriculum.  Google is your friend, here.</li>
<li>Follow the hardening guidelines from <a title="Microsoft Security Compliance Management Toolkit Series" href="http://www.microsoft.com/downloads/details.aspx?familyid=5534BEE1-3CAD-4BF0-B92B-A8E545573A3E&amp;displaylang=en">Microsoft</a>, <a title="NIST FDCC Guidelines" href="http://nvd.nist.gov/fdcc/index.cfm">NIST</a> and <a title="NSA Security Configuration Guidelines" href="http://www.nsa.gov/ia/guidance/security_configuration_guides/">NSA</a> on how to secure your Windows systems and networks.</li>
<li>Use Group Policy or other enforcement mechanisms available from companies like Cisco, Symantec, etc., to whitelist applications.  Only applications listed in the whitelist can be executed by the user. Use Group Policy to disable all but a few approved Internet Explorer BHOs (Browser Helper Objects).  This will prevent a lot of the toolbar spyware software from infecting your systems.</li>
<li>Get serious about your corporate information security posture.  Convince upper management to dedicate sufficient time and money to sustaining a CISO position.</li>
</ol>
]]></content:encoded>
			<wfw:commentRss>http://www.truedigitalsecurity.com/blog/2009/05/21/why-spyware-ids-alerts-are-useful/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Avoid Becoming a Data Loss Victim</title>
		<link>http://www.truedigitalsecurity.com/blog/2009/05/04/avoid-becoming-a-data-loss-victim/</link>
		<comments>http://www.truedigitalsecurity.com/blog/2009/05/04/avoid-becoming-a-data-loss-victim/#comments</comments>
		<pubDate>Mon, 04 May 2009 18:23:30 +0000</pubDate>
		<dc:creator>Nathaniel James</dc:creator>
				<category><![CDATA[Compliance]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[data theft]]></category>
		<category><![CDATA[PCI]]></category>

		<guid isPermaLink="false">http://www.truedigitalsecurity.com/blog/?p=166</guid>
		<description><![CDATA[With the current US economic downturn, cyber crime is increasing at an alarming rate. Let’s face it &#8211; data loss can quickly become a public relations nightmare for any business. Solid Core conducted a survey [solidcore.com] of 201 IT and compliance professionals and found that more than half of the respondents admitted their organization either &#8230; <a href="http://www.truedigitalsecurity.com/blog/2009/05/04/avoid-becoming-a-data-loss-victim/">Read more <span class="meta-nav">&#8594;</span></a>]]></description>
			<content:encoded><![CDATA[<p>With the current US economic downturn, cyber crime is increasing at an alarming rate. Let’s face it &#8211; data loss can quickly become a public relations nightmare for any business. Solid Core conducted a <a href="http://www.solidcore.com/news_events/release79.html">survey</a> [solidcore.com] of 201 IT and compliance professionals and found that more than half of the respondents admitted their organization either experienced, or did not know whether it had experienced, a compliance control deficiency in the last year.</p>
<p>The Internet Crime Complaint Center (IC3), a partnership between the FBI and the National White Collar Crime Center, released its 2008 Annual Report on the Internet crime complaints it received. The <a href="http://www.ic3.gov/media/2009/090331.aspx">report</a> [ic3.gov] was made available on March 31, 2009.</p>
<p>The 2008 Annual Report states that complaints of online crime hit a record high in 2008. IC3 received a total of 275,284 complaints, a 33.1% increase over the previous year. The total dollar loss linked to online fraud was $265 million, about $25 million more than in 2007. The median loss per complaint was roughly $931.</p>
<p>Now more than ever, it is critical for everyone to do their part and be vigilant when it comes to network and enterprise security. Still, with the recent gains in the stock market, I’m hopeful this trend will become more positive.</p>
<div class="wp-about-author-containter-none" style="background-color:#edf0f7;"><div class="wp-about-author-pic"><img alt='' src='http://0.gravatar.com/avatar/21c45559af13b8758f7149cccad3b830?s=100&amp;d=http%3A%2F%2F0.gravatar.com%2Favatar%2Fad516503a11cd5ca435acc9bb6523536%3Fs%3D100&amp;r=G' class='avatar avatar-100 photo' height='100' width='100' /></div><div class="wp-about-author-text"><h3><a href='http://www.truedigitalsecurity.com/blog/author/nrjames/' title='Nathaniel James'>Nathaniel James</a></h3><p></p><p><a href='http://www.truedigitalsecurity.com' title='Nathaniel James'>Website</a> - <a href='http://www.truedigitalsecurity.com/blog/author/nrjames/' title='More posts by Nathaniel James'>More Posts</a> </p></div></div>]]></content:encoded>
			<wfw:commentRss>http://www.truedigitalsecurity.com/blog/2009/05/04/avoid-becoming-a-data-loss-victim/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Feds mandate DNSSEC; Internet techies yawn</title>
		<link>http://www.truedigitalsecurity.com/blog/2008/09/22/feds-mandate-dnssec-internet-techies-yawn/</link>
		<comments>http://www.truedigitalsecurity.com/blog/2008/09/22/feds-mandate-dnssec-internet-techies-yawn/#comments</comments>
		<pubDate>Mon, 22 Sep 2008 17:49:07 +0000</pubDate>
		<dc:creator>Brett Edgar</dc:creator>
				<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://www.truedigitalsecurity.com/blog/?p=40</guid>
		<description><![CDATA[The Office of Management and Budget (OMB) has issued a memo directing all federal agencies to implement the DNSSEC extension (see, among others, RFC 4035) by January 2009.  Assuming all agencies follow this memo and deploy it on all of their public-facing DNS servers, this could finally be the long-awaited start to fixing one of the &#8230; <a href="http://www.truedigitalsecurity.com/blog/2008/09/22/feds-mandate-dnssec-internet-techies-yawn/">Read more <span class="meta-nav">&#8594;</span></a>]]></description>
			<content:encoded><![CDATA[<p>The Office of Management and Budget (OMB) has <a href="http://www.whitehouse.gov/omb/memoranda/fy2008/m08-23.pdf" target="_blank">issued a memo</a> directing all federal agencies to implement the DNSSEC extension (see, among others, <a href="http://www.ietf.org/rfc/rfc4035.txt">RFC 4035</a>) by January 2009.  Assuming all agencies follow this memo and deploy it on all of their public-facing DNS servers, this could finally be the long-awaited start to fixing one of the last major unauthenticated pieces of the Internet infrastructure&#8211;name resolution.</p>
<p>Unfortunately, the benefits of DNSSEC are still many years in the future, even if the above change happens quickly.  Why?  Because a signature on a zone only protects you if something you trust actually checks it.  The name resolution chain starts and ends with your operating system&#8217;s stub resolver, and the next link in the chain from either end is your ISP&#8217;s recursive DNS servers.  Neither of these likely validates DNSSEC now.  If the ISP resolver does not validate, the signed records are simply passed along unverified; and even if it does, the last hop between your stub resolver and the ISP&#8217;s server is still unauthenticated, which is exactly the hop a spoofing or cache-poisoning attack on the local network goes after.  The user can&#8217;t verify the authenticity of a DNS response unless the entire resolver chain supports DNSSEC (and with the root zone not yet signed, there is no single trust anchor to hang that chain from; each signed domain is its own island of trust).</p>
<p>ISPs are unlikely to implement DNSSEC on their servers until end-user OSes support it, and end-user OSes are unlikely to support DNSSEC until ISP DNS servers do.  Chicken, meet Egg.  It might be reasonable to expect the default Linux resolvers to support DNSSEC soon, but Linux is a small part of the end-user market.  Don&#8217;t expect Windows to support it very soon, either.</p>
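<p>To see what the chain actually tells a client, here is an added example (my code, not part of the original post) of the two wire-level bits that matter: a stub resolver asks with the EDNS0 DO (&#8220;DNSSEC OK&#8221;) flag set, and a validating recursive resolver answers with the AD (&#8220;authenticated data&#8221;) flag set; a non-validating resolver never sets AD.  The code builds such a query, checks a reply for AD, and exercises itself against a constructed reply rather than live traffic.  The function names (<code>build_query</code>, <code>query_has_do</code>, <code>resolver_validated</code>, <code>sample_response</code>) are my own.</p>

```python
import struct

# Added example, not code from the original post: build a DNS query with the
# EDNS0 DO ("DNSSEC OK") bit and read the AD ("authenticated data") bit from
# a response. Wire format per RFC 1035, RFC 6891 (EDNS0) and RFC 4035.

DNS_TYPE_A = 1
DNS_TYPE_OPT = 41
DNS_CLASS_IN = 1
EDNS_DO_FLAG = 0x8000    # DO bit: high bit of the low 16 bits of the OPT RR's TTL
FLAG_QR = 1 << 15        # header flags: this is a response
FLAG_RD = 1 << 8         # recursion desired
FLAG_RA = 1 << 7         # recursion available
FLAG_AD = 1 << 5         # authenticated data (set only by a validating resolver)
FLAG_CD = 1 << 4         # checking disabled


def encode_name(name: str) -> bytes:
    """Encode a dotted hostname as length-prefixed DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not 0 < len(label) < 64:
            raise ValueError("bad label %r" % label)
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name: str, qtype: int = DNS_TYPE_A, txid: int = 0x1234,
                dnssec_ok: bool = True, udp_payload: int = 4096) -> bytes:
    """Recursive query for name/qtype; with dnssec_ok, append an OPT RR with DO set."""
    arcount = 1 if dnssec_ok else 0
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, arcount)
    question = encode_name(name) + struct.pack("!HH", qtype, DNS_CLASS_IN)
    opt = b""
    if dnssec_ok:
        # OPT RR: root name, type 41, "class" = UDP payload size,
        # "TTL" = ext-rcode(8) | version(8) | flags(16) with DO set, RDLEN 0.
        opt = b"\x00" + struct.pack("!HHIH", DNS_TYPE_OPT, udp_payload, EDNS_DO_FLAG, 0)
    return header + question + opt


def _skip_name(packet: bytes, off: int) -> int:
    """Return the offset just past a wire-format name (handles compression pointers)."""
    while True:
        length = packet[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length


def query_has_do(packet: bytes) -> bool:
    """True if the packet carries an OPT RR whose DO bit is set."""
    qd, an, ns, ar = struct.unpack("!HHHH", packet[4:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(packet, off) + 4          # skip QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(packet, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", packet[off:off + 10])
        if rtype == DNS_TYPE_OPT and ttl & EDNS_DO_FLAG:
            return True
        off += 10 + rdlen
    return False


def parse_response_flags(packet: bytes) -> dict:
    """Header bits a DNSSEC-aware client cares about."""
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    txid, flags = struct.unpack("!HH", packet[:4])
    return {"id": txid, "is_response": bool(flags & FLAG_QR),
            "ad": bool(flags & FLAG_AD), "cd": bool(flags & FLAG_CD),
            "rcode": flags & 0x0F}


def resolver_validated(query: bytes, response: bytes) -> bool:
    """Did the resolver mark the answer as DNSSEC-validated?
    Requires that we asked with DO, the IDs match, and the reply is NOERROR with AD."""
    if not query_has_do(query):
        return False
    q_id = struct.unpack("!H", query[:2])[0]
    f = parse_response_flags(response)
    return f["id"] == q_id and f["is_response"] and f["rcode"] == 0 and f["ad"]


def sample_response(query: bytes, validating: bool) -> bytes:
    """Constructed (not captured) reply: echo the question with QR|RD|RA set, and
    AD only if the pretend resolver validated. Enough to exercise the checks above."""
    txid = struct.unpack("!H", query[:2])[0]
    flags = FLAG_QR | FLAG_RD | FLAG_RA | (FLAG_AD if validating else 0)
    question_end = _skip_name(query, 12) + 4
    return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0) + query[12:question_end]


if __name__ == "__main__":
    q = build_query("example.gov")
    for label, validating in (("validating resolver", True), ("plain resolver", False)):
        print(label, "-> AD set:", resolver_validated(q, sample_response(q, validating)))
```

<p>In practice you would send <code>build_query(...)</code> over UDP to the resolver listed in <code>/etc/resolv.conf</code> and look at the AD bit in what comes back (the same thing <code>dig +dnssec</code> shows as <code>ad</code> on its <code>flags:</code> line).  The caveat is the one made above: AD only means <em>that resolver</em> validated.  The hop between your stub resolver and that server is still unauthenticated, so an attacker on that path can set AD on a forged reply just as easily as the real server sets it on a good one.  The only fix is validating locally, which is exactly what end-user operating systems do not do.</p>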
<p>And so the Internet techies yawn&#8230;</p>
]]></content:encoded>
			<wfw:commentRss>http://www.truedigitalsecurity.com/blog/2008/09/22/feds-mandate-dnssec-internet-techies-yawn/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Beware: the Millennials are coming!</title>
		<link>http://www.truedigitalsecurity.com/blog/2008/03/18/beware-the-millenials-are-coming/</link>
		<comments>http://www.truedigitalsecurity.com/blog/2008/03/18/beware-the-millenials-are-coming/#comments</comments>
		<pubDate>Mon, 17 Mar 2008 19:42:17 +0000</pubDate>
		<dc:creator>Brett Edgar</dc:creator>
				<category><![CDATA[Give me more Internets!]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Social networks]]></category>
		<category><![CDATA[Millenials]]></category>

		<guid isPermaLink="false">http://blog.truedigitalsecurity.com/2008/03/18/beware-the-millenials-are-coming/</guid>
		<description><![CDATA[Slashdot has posted an item [slashdot.org] about the upcoming results of a survey by Symantec and Applied Research-West describing the threat to IT from the so-called &#8216;Millennials&#8217; generation&#8211;those born after 1980. The IT threat apparently comes from the willingness of this young crowd to connect almost any device or social networking software to the corporate network. &#8230; <a href="http://www.truedigitalsecurity.com/blog/2008/03/18/beware-the-millenials-are-coming/">Read more <span class="meta-nav">&#8594;</span></a>]]></description>
			<content:encoded><![CDATA[<p>Slashdot has <a href="http://it.slashdot.org/article.pl?sid=08/03/17/1423249&amp;from=rss" title="Survey results" target="_blank">posted an item</a> [slashdot.org] about the upcoming results of a survey by Symantec and Applied Research-West describing the threat to IT from the so-called &#8216;Millennials&#8217; generation&#8211;those born after 1980.  The IT threat apparently comes from the willingness of this young crowd to connect almost any device or social networking application to the corporate network.  There is a positive in the report: Millennials are more likely to be aware of the security implications of what they are installing or connecting.</p>
<p>Whew&#8230;for a second there I thought my generation was going to be banned from working!  It&#8217;s not like that would make that many of us angry&#8230;just don&#8217;t take away our Internets!!!  You don&#8217;t want us to get angry!</p>
]]></content:encoded>
			<wfw:commentRss>http://www.truedigitalsecurity.com/blog/2008/03/18/beware-the-millenials-are-coming/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>This seems like a smart idea&#8230;</title>
		<link>http://www.truedigitalsecurity.com/blog/2008/02/20/this-seems-like-a-smart-idea/</link>
		<comments>http://www.truedigitalsecurity.com/blog/2008/02/20/this-seems-like-a-smart-idea/#comments</comments>
		<pubDate>Wed, 20 Feb 2008 15:40:41 +0000</pubDate>
		<dc:creator>Brett Edgar</dc:creator>
				<category><![CDATA[Give me more Internets!]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Terrorism]]></category>
		<category><![CDATA[airgap]]></category>
		<category><![CDATA[airplanes]]></category>
		<category><![CDATA[networks]]></category>
		<category><![CDATA[wireless]]></category>

		<guid isPermaLink="false">http://blog.truedigitalsecurity.com/2008/02/20/this-seems-like-a-smart-idea/</guid>
		<description><![CDATA[The new Boeing 787 Dreamliner has been widely reported as a feat of technological engineering. The plane has three separate networks on-board: an administrative network, a flight control/navigation network, and a passenger network. Everything about this plane seems cool from the Ethernet jacks in the armrest of every seat, to the completely computerized flight controls &#8230; <a href="http://www.truedigitalsecurity.com/blog/2008/02/20/this-seems-like-a-smart-idea/">Read more <span class="meta-nav">&#8594;</span></a>]]></description>
			<content:encoded><![CDATA[<p>The new Boeing 787 Dreamliner has been widely reported as a feat of technological engineering.  The plane has three separate networks on-board: an administrative network, a flight control/navigation network, and a passenger network.  Everything about this plane seems cool, from the Ethernet jacks in the armrest of every seat, to the completely computerized flight control system, to the ability for the plane to automatically adjust humidity settings based on the number of passengers on-board.  There&#8217;s just one problem.  <a href="http://www.foxnews.com/story/0,2933,331088,00.html" title="Is the 787 Dreamliner hackable?">Reports indicate</a> [foxnews.com] that the three networks (administrative, flight, and passenger) are not completely separated.  There is at least the ability for one-way communications from one of the networks to another.  But unless that link is connectionless and fire-and-forget (UDP-like, with no acknowledgements and no guarantee of delivery), packets have to flow in both directions for it to work at all: a TCP session needs SYN-ACKs and ACKs coming back even if the application was designed (in software) to send control information in only one direction.  &#8220;One-way&#8221; enforced in software is not one-way on the wire.</p>
<p>So these networks are not air-gapped, which is the only foolproof way to prevent one network from talking to another (a hardware data diode that physically cannot carry traffic upstream comes close; a firewall rule does not).  To make matters worse, it seems that the administrative network is accessible via Wi-Fi (for maintenance personnel), particularly while the aircraft is sitting at the gate.  So a sufficiently skilled 16-year-old Johnny Q. Hacker could sit comfortably in an airport terminal with his laptop and attempt to hack into a 787&#8217;s administrative network.</p>
<p>I hope they are using WPA2 with AES (CCMP) encryption and per-session keys from 802.1X authentication, not one pre-shared passphrase that every maintenance laptop knows&#8230;</p>
]]></content:encoded>
			<wfw:commentRss>http://www.truedigitalsecurity.com/blog/2008/02/20/this-seems-like-a-smart-idea/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

