Brilliant Thinking

According to Christopher Gormley, chief operating officer at Tiversa Inc., a Cranberry Township, Pasadena-based P2P network monitoring firm: On average, about 1.5 billion searches take place on P2P (peer to peer) networks daily compared with 180 million on Google, and that a growing number of the searches are being done for malicious purposes. Gormley also said that Tiversa also has noticed the emergence of several data aggregators whose sole purpose seems to be collecting information on P2P networks for their own illegal uses or to resell to other miscreants.

1.5 billion compared to 180 million is almost 10 times as many searches. And given they are being done on P2P networks, this means that these searches are uncovering the files stored on individual computers connected to the Inernet, computers which vary from individuals at home right through to computers in the heart of large corporations. And direct access to information on these computers could reveal a lot more than the person intended - P2P software often allows access to many of the folders on the computer on which it is installed by default rather than by permission. This means that the person who installed the P2P software often unwittingly exposes all the data on their computer to the rest of the world, and this can include password files, personal information, private lists and much more.

Numerous organisations have suffered data leaks as a result of such carelessness. Last year, for instance, the personal data of about 17,000 Pfizer employees was exposed after an employee installed unauthorized P2P software on her laptop. And at a US Senate hearing last year, lawmakers heard testimony from several witnesses about the abundance of classified government and military documents as well as corporate data freely available on P2P networks.

The data said to be available included a full diagram of the Pentagon’s secret backbone network infrastructure, complete with IP addresses and password-change scripts; contractor data on radio-frequency manipulation techniques for dealing with improvised explosive devices in Iraq; the complete minutes of a board meeting held at a large financial services company; and the detailed launch plan of a start-up company, complete with growth targets and other business forecasts.

Naturally, the immediate reaction is to not allow P2P software and so remove the risk of this happening. But people are creative and find ways around the rules which means P2P software will creep in and the risk resurface. And while the main threat comes from public P2P software (e.g. Limewire, Kazaa), P2P technology is also being used as a business enabler in many organisations.

So, the big question is how do we mitigate against confidential data loss? One thought is to focus attention on network monitoring to see which files are being sent in and out of corporate networks. However, I am not sure how this benefits us as it doesn’t directly prevent illegal transmission versus legal transmission - it simply gives us an audit trail we can dissect when the proverbial excrement hits the fan.

However, there may be a more straightforward solution … most connected systems use specific port numbers over which they transmit data. A corporate network should have a know port topology - ie we should be able to define exactly which ports are needed for communication with the outside world, and in which direction that communication should be. So, for example, if we needed port 6346 to be open (which is Limewire’s default communication port), we could easily define which direction traffic was allowed. We could block outbond traffic with a simple rule in the firewall and so stop all outbound traffic dead in its tracks. We could work through all the ports (OK there are a lot) and define a full firewall map and so manage corporate network traffic exactly as we needed to. The remaining ports could be monitored if required, but this would be a more manageable task.

Quick reference lists of common port numbers abound, and so a network administrator would be able to quickly present a route-map to securing their corporate network and earn a few brownie points from their CIO. Of course, implementing or even suggesting such a plan of action might be met with blank stares because few people are fully aware of the risk to their sensitive data from unctontrolled P2P applications.

IRC Beginners Reference
List of Common TCP/IP numbers (PDF)

Let’s hope this article helps IT departments get a head start on securing their networks, or at least raising awareness of the issue to the execs.

Article inspired by: File-sharing breach at investment firm highlights dangers of P2P networks — again

Towards the end of May, the AVG Security Suite started spewing fake hits to websites across the web which appear as web stats in your web analytics reports. Given there are approximately 20 million users of the new AVG suite, this amounts to a very large amount of fake traffic.

In February, AVG acquired Exploit Prevention Labs and its LinkScanner tool, then bundled the tool in the latest AVG release. What the LinkScanner does - in an effort to protect the user from being hacked, spammed or spoofed - is to pretend that it is a human and “clicks” on every link found in search engine results. So when you visit Google and search for something, every single result found is visited by LinkScanner to determine if the website linked is legitimate or a link to malware. The end result is what appears to be real traffic on the website.

For small sites, this is not going to make much difference, although it may appear you have more visitors than usual. For larger sites with high traffic volumes, this will mean a large spike in traffic. But, it will also potentially mean larger bills because website owners have to pay for bandwidth (small sites are below the minimum threshold so this doesn’t become an issue).

Adam Beale, who runs a UK-based internet consultancy, says that across his small stable of clients, traffic has spiked as much as 80 per cent on some sites. And this is more than just an inconvenience. After all, sites live and die by their traffic numbers. And net resources aren’t free.

“Although [the AVG LinkScanner] might be good for the security of users, it’s a real pain for website owners and webmasters. It’s causing people to think their traffic is increasing, costing those who pay for bandwidth, and wasting disk space with large amounts of unnecessary lines in log files.”

One of his clients, Beale says, normally pulls in 140GB of bandwidth a month, and for June, he predicts a 5 per cent jump.

At the moment, there is a way of filtering AVG traffic from log files. But it’s unclear whether this method would filter out legitimate traffic as well. After all, the traffic appears to come from numerous legitimate IP addresses of general web users. And AVG suggests that - in the name of high security - they may make changes that prevent such filtering. After all, if you can filter it, so can the malware producers they are trying to block.

“A situation like this generates false traffic, bogus data, and this leads to wrong budget decisions and marketing activities,” says Barry Parshall, director of product management at WebTrends, a popular web analytics firm. “I completely get the value proposition [of LinkScanner], but it would be responsible of them to identify themselves, with agent code or whatever it might be, so legitimate businesses can serve their customers properly.”

AVG have promised a fix to alleviate this condition, but until then pay close attention to the number of very short duration visits you receive on your website (assuming you have good analytics software that shows you this kind of statistic). If you are using basic log file analysis software that does not show the duration of visits or allow you to drill down into the details, it may be time to upgrade or consider more thorough tools such as Google Analytics, Yahoo!, comScore, or Nielsen NetRatings.

It’s been a while since I last wrote on systems security, but the latest revelation of a couple of “mainstream” trojans to affect Mac OS X suggests a new wave in Internet security threats.

The most notable is a security hole in the latest versions of Tiger and Leopard that allows attackers to install malware on a Mac without first requiring a user to enter an administrator’s password. A flaw in OS X makes it possible to circumvent the safety measure by funneling Applescript commands through the Apple Remote Desktop Agent (ARDAgent). Because the commands run as the root user, they have almost unfettered access to sensitive parts of a machine.

Interestingly, the exploit was was written modularly, so that the code that actually exploits the Mac weakness can be bundled with other malware code. That means the same weakness could be targeted over and over by a variety of other Trojans.

Full story: Trojan heralds OS X’s ‘new phase of exposure to malware’

The last bit - about the code being modular and thus more portable to other applications - implies there is a growing trend to target the once “safe” bastion of the Apple Macintosh. There are a lot of them in use now, and many owners see them as safe alternatives to the Windows PC. However, is now the time to get on board the Mac security train?

The bottom line?

Nothing is totally secure, but you can add differing layers of security to provide your desired level of protection.

I have had a couple of emails and MSN messages in the last couple of days from people I know. These messages are invitations to sign up to a service that allows you to see who has blocked you from their MSN Messenger contacts list.

This sounds like an interesting service - a kind of “who doesn’t like me any more” service feeding off our online social insecurities made all the more visible by the huge growth of online social networking on sites like Facebook, Bebo, etc, etc.

However, in the terms and conditions of these services there is a clause which allows the service to contact anybody on your contacts list with promotional messages. Given that these people did not opt in to receive such promotional messages, this clause is clearly in violation of online privacy rights and is a clever attempt to steal the email addresses of a large proportion of registered MSN Messenger users for spamming.

If you get invited to use a service such as blokr or anything to do with blocked MSN Messenger users, AVOID IT! If you have friends who have already signed up, be prepared to receive a torrent of spam and MSN Messenger messages (which you should also AVOID!) Given that the sign-up sites seem to be “here today, gone tomorrow” this should be a clear sign that they are not to be trusted.

An article published today on The Register says that a security vulnerability has been discovered in one of the Web’s most widely distributed third-party applications. Flash applets - the executable SWF file that are produced by numerous authoring tools, including Abode’s own Creative Suite, TechSmith Camtasia, InfoSoft FusionCharts, software from Autodemo and many more - are vulnerable to attacks in which malicious strings are injected into the legitimate code through a technique known as cross-site scripting, or XSS.

The particular exploit is documented in a soon-to-be-release Web 2.0 security book (”Hacking Exposed Web 2.0: Web 2.0 Security Secrets and Solutions“), but, in essence, the vulnerability allows hackers to exploit Internet users’ ignorance and phish (steal by deception) private information from them. Here is a summary of how the exploit could work:

A bank website hosts marketing graphics in the form of a vulnerable Flash applet. Attackers who trick a customer into clicking on a malicious link are able to execute the SWF file but inject malicious code variables that cause the customer’s authentication cookies or login credentials to be sent to the attacker.

“Lots of people are vulnerable, and right now there are no protections available other than to remove those SWFs and wait for the authoring tools and/or Flash player to be updated,” says Alex Stamos, one of the book’s authors. “In the mean time, people will have to think: ‘What kind of flash am I using on my site,’ and manually test for vulnerabilities.”

And he’s not joking - the book’s authors (who work for penetration testing firm iSEC Partners as well as for Google) say a web search reveals more than 500,000 vulnerable applets on major corporate, government and media sites (the most likely targets of phishing attacks).

Stamos said Adobe is likely to update its Flash Player so it does a better job of vetting code variables before executing SWF files. But he said interaction with third-party code is such a core part of the way Flash works that updates to the player would likely provide only a partial fix. Eradicating the problem will require updates to all of the authoring tools so they no longer generate buggy Flash content. And even then, security professionals will have to analyze all of a website’s SWF files and recompile any that are found to be vulnerable.

Full story: Serious Flash vulns menace tens of thousands websites | The Register