Another missing file

Security No Comments »

According to Christopher Gormley, chief operating officer at Tiversa Inc., a P2P network monitoring firm based in Cranberry Township, Pennsylvania, about 1.5 billion searches take place on peer-to-peer (P2P) networks every day, compared with 180 million on Google, and a growing number of those searches are run for malicious purposes. Gormley also said Tiversa has noticed the emergence of several data aggregators whose sole purpose seems to be harvesting information from P2P networks, either for their own illegal use or to resell to other criminals.

1.5 billion against 180 million is more than eight times as many searches. Because they run on P2P networks, these searches are turning up files stored on individual computers connected to the Internet, from home PCs right through to machines in the heart of large corporations. Direct access to those machines can reveal far more than the owner intended: many P2P clients share folders by default rather than by explicit permission, so a user who installs one often unwittingly exposes data on the whole computer to the rest of the world, including password files, personal information, private documents and much more.

Numerous organisations have suffered data leaks as a result of such carelessness. Last year, for instance, the personal data of about 17,000 Pfizer employees was exposed after an employee installed unauthorized P2P software on her laptop. And at a US Senate hearing last year, lawmakers heard testimony from several witnesses about the abundance of classified government and military documents as well as corporate data freely available on P2P networks.

The data said to be available included a full diagram of the Pentagon’s secret backbone network infrastructure, complete with IP addresses and password-change scripts; contractor data on radio-frequency manipulation techniques for dealing with improvised explosive devices in Iraq; the complete minutes of a board meeting held at a large financial services company; and the detailed launch plan of a start-up company, complete with growth targets and other business forecasts.

Naturally, the immediate reaction is to ban P2P software and so remove the risk. But people are creative and find ways around the rules, so P2P software creeps back in and the risk resurfaces. And while the main threat comes from public file-sharing clients (e.g. LimeWire, Kazaa), P2P technology is also being used as a business enabler in many organisations.

So the big question is how to mitigate confidential data loss. One thought is network monitoring: watch which files are sent in and out of the corporate network. On its own, though, that does not stop an illegitimate transfer or tell it apart from a legitimate one while it is happening; it simply gives us an audit trail to dissect when the proverbial excrement hits the fan.

There may be a more straightforward place to start, however. Networked applications talk over specific port numbers, and a corporate network should have a known port map: we should be able to define exactly which ports are needed for communication with the outside world and in which direction that communication flows. If, say, TCP port 6346 (the Gnutella port LimeWire uses by default) has no business leaving the network, a single firewall rule can block it outbound and stop that traffic dead. Working through all the ports (and there are a lot) gives a full firewall map with which corporate traffic can be managed exactly as needed, and the remaining ports become a far more manageable monitoring task. Two caveats. First, a list of known P2P ports is a block list, and a client reconfigured to use port 443 or a random high port walks straight past it, so the map should really be written the other way round: deny all egress by default and allow only the ports, sources and destinations the business needs (web via the proxy, DNS only from the internal resolvers, SMTP only from the mail relay). Second, blocking the port stops the transfer, not the exposure; the shared folders still have to be found and cleaned up.
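As an added example (not code from the original post), the following script turns the port map described above into an explicit egress policy and runs two policy styles over the same sample flows: a block list of well-known P2P ports, and a default-deny allow list of the ports (and, where the service is known, the only internal sources permitted to use them) that the business actually needs. It also renders the allow list as iptables rules. All addresses, flows and policy entries are constructed for illustration.

```python
"""Egress policy check over constructed outbound flow records.

Added example, not code from the original post. Block list versus
default-deny allow list, evaluated over the same constructed flows.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str      # internal host
    dst: str      # external destination
    proto: str    # "tcp" or "udp"
    dport: int    # destination port


# Constructed outbound flows, as a perimeter firewall or NetFlow export might
# report them for internal 10.0.0.0/8 hosts.
SAMPLE_FLOWS = [
    Flow("10.1.2.10", "203.0.113.5", "tcp", 443),   # HTTPS: expected
    Flow("10.1.2.10", "203.0.113.9", "tcp", 80),    # HTTP: expected
    Flow("10.1.2.11", "198.51.100.7", "udp", 53),   # workstation doing its own DNS
    Flow("10.1.2.12", "192.0.2.44", "tcp", 6346),   # Gnutella default (LimeWire)
    Flow("10.1.2.12", "192.0.2.45", "tcp", 6346),
    Flow("10.1.2.13", "192.0.2.99", "tcp", 4444),   # P2P client moved off its default port
    Flow("10.1.2.14", "203.0.113.25", "tcp", 25),   # workstation sending SMTP directly
]

# Style 1: block list of well-known P2P defaults (6346 Gnutella, 6881 BitTorrent,
# 1214 Kazaa/FastTrack). Anything on a non-default port is invisible to it.
P2P_BLOCKLIST = {("tcp", 6346), ("udp", 6346), ("tcp", 6881), ("udp", 6881), ("tcp", 1214)}

# Style 2: default-deny egress map. None = any internal host may use the port;
# a set restricts the port to those internal sources (constructed addresses).
EGRESS_ALLOW = {
    ("tcp", 80): None,            # better still: only the web proxy
    ("tcp", 443): None,
    ("udp", 53): {"10.0.0.2"},    # only the corporate resolver does outbound DNS
    ("tcp", 25): {"10.0.0.3"},    # only the mail relay does outbound SMTP
}
_DENY = object()  # sentinel: port not on the map at all


def blocklist_violations(flows):
    """Flows that hit a listed P2P port."""
    return [f for f in flows if (f.proto, f.dport) in P2P_BLOCKLIST]


def allowlist_violations(flows):
    """Flows not explicitly permitted by the egress map."""
    bad = []
    for f in flows:
        permitted = EGRESS_ALLOW.get((f.proto, f.dport), _DENY)
        if permitted is _DENY:
            bad.append(f)                            # unknown port: denied by default
        elif permitted is not None and f.src not in permitted:
            bad.append(f)                            # known port, unauthorised source
    return bad


def missed_by_blocklist(flows):
    """What the allow list catches that the block list does not."""
    caught = set(blocklist_violations(flows))
    return [f for f in allowlist_violations(flows) if f not in caught]


def iptables_rules(internal_net="10.0.0.0/8"):
    """Render the egress map as FORWARD-chain rules with a DROP default."""
    rules = ["iptables -P FORWARD DROP",
             "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"]
    for (proto, port), sources in EGRESS_ALLOW.items():
        for src in (sources or [internal_net]):
            rules.append(f"iptables -A FORWARD -s {src} -p {proto} --dport {port} -j ACCEPT")
    return rules


if __name__ == "__main__":
    for f in missed_by_blocklist(SAMPLE_FLOWS):
        print("block list would miss:", f)
    print("\n".join(iptables_rules()))
```

Run on the sample, the block list flags only the two port-6346 flows; the allow list additionally flags the client on port 4444, the workstation resolving DNS outside and the workstation talking SMTP directly, which is the difference between listing what you fear and listing what you need.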

Quick reference lists of common port numbers abound, so a network administrator could quickly draw up a route map to securing the corporate network and earn a few brownie points from the CIO. Of course, suggesting such a plan may be met with blank stares, because few people are fully aware of the risk to their sensitive data from uncontrolled P2P applications.

IRC Beginners Reference
List of Common TCP/IP numbers (PDF)

Let’s hope this article helps IT departments get a head start on securing their networks, or at least raising awareness of the issue to the execs.

Article inspired by: File-sharing breach at investment firm highlights dangers of P2P networks — again

The [Mac] dambusters are out!


It’s been a while since I last wrote on systems security, but the latest revelation of a couple of “mainstream” trojans to affect Mac OS X suggests a new wave in Internet security threats.

The most notable is a security hole in the latest versions of Tiger and Leopard that lets an attacker install malware on a Mac without first requiring the user to enter an administrator password. The Apple Remote Desktop Agent (ARDAgent) is installed set-user-ID root, and a flaw in OS X makes it possible to bypass the password prompt by funnelling AppleScript commands through it. Because those commands inherit ARDAgent's root privilege, they have almost unfettered access to sensitive parts of the machine. Until Apple issues a fix, the widely circulated workaround is to strip the set-user-ID bit from /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent (chmod u-s), which closes the escalation at the cost of Apple Remote Desktop functionality until the bit is restored.

Interestingly, the exploit was written modularly, so the code that actually exploits the Mac weakness can be bundled with other malware. That means the same weakness could be targeted over and over by a variety of other Trojans.

Full story: Trojan heralds OS X’s ‘new phase of exposure to malware’

The last point, that the exploit code is modular and so easily reused by other malware, implies a growing trend to target the once "safe" bastion of the Apple Macintosh. There are a lot of Macs in use now, and many owners see them as safe alternatives to the Windows PC. Is now the time to get on board the Mac security train?

The bottom line?

Nothing is totally secure, but you can add differing layers of security to provide your desired level of protection.

MSN Messenger Spam Service


I have had a couple of emails and MSN messages in the last couple of days from people I know. These messages are invitations to sign up to a service that allows you to see who has blocked you from their MSN Messenger contacts list.

This sounds like an interesting service - a kind of “who doesn’t like me any more” service feeding off our online social insecurities made all the more visible by the huge growth of online social networking on sites like Facebook, Bebo, etc, etc.

However, the terms and conditions of these services contain a clause allowing the service to send promotional messages to everybody on your contact list. Those people never opted in to receive them, so the clause is hard to square with online privacy rules and looks like a clever way of harvesting the e-mail addresses of a large proportion of registered MSN Messenger users for spamming.

If you get invited to use a service such as blokr, or anything else to do with blocked MSN Messenger users, AVOID IT! If friends have already signed up, be prepared for a torrent of spam e-mail and MSN Messenger messages (which you should also avoid). The sign-up sites also seem to be "here today, gone tomorrow", which should be a clear sign that they are not to be trusted.

Flash Flaw could lead to Phishing Flood


An article published today on The Register says that a security vulnerability has been found in one of the Web's most widely distributed third-party formats. Flash applets (the SWF files produced by numerous authoring tools, including Adobe's own Creative Suite, TechSmith Camtasia, InfoSoft FusionCharts, software from Autodemo and many more) are vulnerable to attacks in which malicious strings are injected into the legitimate applet's variables, a technique known as cross-site scripting, or XSS.

The particular exploit is documented in a soon-to-be-released Web 2.0 security book ("Hacking Exposed Web 2.0: Web 2.0 Security Secrets and Solutions"), but, in essence, the vulnerability lets an attacker phish (steal by deception) private information from users who have no easy way of telling a poisoned link from a genuine one. Here is a summary of how the exploit could work:

A bank website hosts marketing graphics in the form of a vulnerable Flash applet. An attacker who tricks a customer into clicking a crafted link causes the legitimate SWF file to load from the bank's own domain, but with attacker-supplied variables that the applet passes on unchecked (for instance into a getURL() call). Script injected this way runs in the bank's origin, so it can read the customer's authentication cookies or capture login credentials and send them to the attacker.

“Lots of people are vulnerable, and right now there are no protections available other than to remove those SWFs and wait for the authoring tools and/or Flash player to be updated,” says Alex Stamos, one of the book’s authors. “In the mean time, people will have to think: ‘What kind of flash am I using on my site,’ and manually test for vulnerabilities.”

And he's not joking: the book's authors (who work for the penetration testing firm iSEC Partners and for Google) say a web search turns up more than 500,000 vulnerable applets on major corporate, government and media sites, the most likely targets of phishing attacks.

Stamos said Adobe is likely to update its Flash Player so it does a better job of vetting code variables before executing SWF files. But he said interaction with third-party code is such a core part of the way Flash works that updates to the player would likely provide only a partial fix. Eradicating the problem will require updates to all of the authoring tools so they no longer generate buggy Flash content. And even then, security professionals will have to analyze all of a website’s SWF files and recompile any that are found to be vulnerable.
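The scenario above hinges on an applet accepting a URL from a variable and using it without checking the scheme, and Stamos' advice is to test your own SWFs for exactly that. As an added example (not code from the post, from Adobe or from the book's authors), the following script models the check such an applet, or the page that embeds it, should apply: it allow-lists http and https and rejects javascript:, asfunction:, data: and friends, including the whitespace and case tricks that defeat a naive prefix test, and it audits the FlashVars carried in a SWF URL's query string. It assumes the vulnerable pattern described above; the variable names it treats as URL-valued ("clickTAG" among them) and the sample URLs are assumptions, not taken from the post.

```python
"""Scheme allow-listing for URL-valued FlashVars.

Added example; not code from the post, Adobe or the book's authors. Assumes an
SWF reads a URL from a FlashVar and hands it to getURL()/navigateToURL();
variable names and sample URLs are constructed.
"""
import re
from urllib.parse import parse_qs, urlsplit

ALLOWED_SCHEMES = {"http", "https"}
# FlashVar names this audit treats as URL-valued (assumed, not from the post).
URL_VARS = {"clicktag", "url", "link", "target_url"}
# ASCII control characters and whitespace that browsers tolerate inside a scheme.
_CTRL_WS = re.compile(r"[\x00-\x20\x7f]")


def normalise(value: str) -> str:
    """Drop embedded control/whitespace and lower-case, so ' JavaScript:' or
    'java\\tscript:' cannot slip past a prefix check."""
    return _CTRL_WS.sub("", value).lower()


def is_safe_url(value: str) -> bool:
    """True only for absolute http(s) URLs. javascript:, asfunction:, data:,
    vbscript:, protocol-relative and scheme-less values are all rejected."""
    scheme, sep, _rest = normalise(value).partition(":")
    return sep == ":" and scheme in ALLOWED_SCHEMES


def audit_flashvars(swf_url_or_query: str) -> dict:
    """Map each URL-valued FlashVar to whether its value passes is_safe_url().

    Accepts either a full SWF URL (the variables are read from its query
    string) or a raw FlashVars string such as 'clickTAG=...&width=300'.
    """
    parts = urlsplit(swf_url_or_query)
    query = parts.query if parts.netloc else swf_url_or_query
    params = parse_qs(query, keep_blank_values=True)
    findings = {}
    for name, values in params.items():
        if name.lower() in URL_VARS:
            findings[name] = all(is_safe_url(v) for v in values)
    return findings


if __name__ == "__main__":
    probe = ("https://bank.example/ads/banner.swf"
             "?clickTAG=javascript%3Aalert(document.cookie)&width=300")
    for name, ok in audit_flashvars(probe).items():
        print(f"{name}: {'ok' if ok else 'UNSAFE'}")
```

The applet-side fix is the same test written in ActionScript before the URL reaches getURL(); the embedding page can additionally pin the variables it supplies so that attacker-controlled query strings are never forwarded at all.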

Full story: Serious Flash vulns menace tens of thousands websites | The Register

BotNets, or when P2P goes bad


Peer-to-peer (P2P) computing lets programs installed on individual PCs communicate directly with each other, without a central server. There are numerous collaboration tools built on P2P principles and numerous file-sharing tools that work the same way (e.g. LimeWire), and Usenet is often cited as one of the earliest P2P systems.

However, as with all technologies, there is a darker side, and the dark side of P2P is the botnet. A botnet is a group of PCs infected with malware designed to steal information or relay spam. The bot is installed covertly as a result of the user's normal surfing or e-mail behaviour (just like catching an ordinary virus), but because it also behaves as a P2P node, it can draw on the combined resources of every other copy of itself running on many, many other PCs.

Consequently, botnets have emerged as one of the leading threats to corporate and personal computers, more so than a traditional virus, trojan or other spyware.

Once installed, inside a network or on a single PC, these malicious bots can launch phishing or denial-of-service attacks, relay spam that appears to come from the infected machine's network, or install software that logs keystrokes. Bots go one stage further than ordinary malware: they take instructions from control nodes, which departs from the "all nodes are equal" model of a conventional P2P network. Because the channel is two-way, the operators can change what the botnet does at will; machines that distribute stock-related spam today can be repurposed to launch phishing attacks tomorrow at the push of a button.

“Botnets have become more sophisticated,” says Avi Chesla, vice president of security for software provider Radware. “Some are using encrypted channels [to communicate], and they can be controlled through [Web] traffic, which makes it harder to detect and prevent the activities of these bots.”

“A botnet of 400 [infected machines] is worth more than twice as much as a network of 200,” says Sam Curry, vice president of threat product management for network management software provider CA. “Botnets increase the risk to the community because when you’re dealing with 10,000 of these acting in concert, they can bring parts of the Internet grinding to its knees.”

The largest known botnet operating today is the Storm Worm botnet, so called because the malware was first spread by viral e-mail promising photos of the damage done by winter storms in Europe earlier this year. The link delivered the bot, which installed itself on the visitor's PC.

Collectively, StormWorm machines offer more computing power than the largest supercomputers. Security firm MessageLabs estimates the StormWorm botnet controls at least 1.8 million computers to relay spam and distribute malicious code. In late August, StormWorm-infected PCs sent an estimated 57 million malicious e-mails in 24 hours, according to Postini, a security provider.

Security researchers say botnets are more insidious than traditional virus or worm attacks because they’re designed to remain hidden, and can compromise a PC or a network without users noticing that their devices have been infected.

Bots first appeared on the security landscape a few years ago in denial-of-service attacks. When several thousand infected machines received a remote command, they sent repeated information requests to a targeted server in an effort to overwhelm the server and knock it or a Web site offline.

Because botnet traffic is designed to resemble legitimate Internet traffic, blocking it focuses on one of two things: preventing delivery of the bot in the first place, or preventing infected computers from receiving instructions from the botnet controller.

"Bots used to violate protocols by sending too many requests per second, but now their behaviour appears completely legitimate," says Radware's Chesla. "Until about two years ago, bots could only create packet floods or scan a network. Now the bots generate [legitimate-appearing] requests to a server."

Botnets are the latest manifestation of hacking’s increasing professionalism. Once the goal of hackers was simply bragging rights, but now malware developers are stealing financial information or relaying spam. Professional hackers, often financed by organized crime syndicates, are interested in avoiding discovery and controlling infected machines for as long as possible.

“Malware developers have become very talented, they have a lot of tools at their disposal and they’re doing it for profit,” says Roddy. “They’re not doing Internet-wide virus attacks any more, now they’re targeting attacks to steal information.”

To avoid discovery, bots may try to prevent the machine they’ve infected from being attacked by other malware. For instance, one bot may try to disable others to prevent both from competing over a PC’s system resources. The StormWorm botnet has also apparently attacked Web sites belonging to anti-malware or anti-spam researchers.

In other instances, hackers combine malicious payloads and install each other’s bots on infected machines.

“The bad guys make a lot of money in doing this, and they’re motivated to find new ways to make money,” says CA’s Curry. “These guys collaborate, and we might see three or four outfits deciding to work together and leverage each other’s install base. They realize that if you have 100 victims and I’ve got 100 victims, we might as well combine them and work together.”

For larger organisations, effective firewalls and security monitoring systems are essential to observe and statistically analyse network traffic. This heuristic approach lets such tools spot a potential threat, alert sysadmins and suspend traffic from suspected bot nodes.
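One concrete form of the statistical analysis just mentioned, and of the "stop infected machines receiving instructions" defence described earlier, is beacon detection: a bot polling its control node produces connection timings far more regular than a person browsing, even when every individual request looks like ordinary web traffic. The following script is an added example, not code from the post or its KPMG source. It parses constructed connection log lines, groups them by source and destination, and flags pairs with enough connections and a low coefficient of variation in their inter-arrival times. Log format, hosts, timings and thresholds are all assumptions.

```python
"""Beacon detection over constructed connection log lines.

Added example, not from the post or its source. Flags (src, dst) pairs whose
connection intervals are suspiciously regular. Everything below is constructed.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

LINE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) bytes=(?P<bytes>\d+)$"
)

MIN_CONNECTIONS = 8   # enough samples before calling a pattern periodic (assumed)
MAX_CV = 0.10         # stdev/mean of intervals below this is "too regular" (assumed)


def _constructed_log():
    """Two hosts: one polling a peer every ~300 s with jitter, one browsing."""
    base = datetime(2007, 10, 3, 10, 0, 0)
    lines = []
    t = 0
    for jitter in [0, 7, -5, 3, -8, 6, 2, -4, 9, -1, 4, -6]:
        t += 300 + jitter
        ts = (base + timedelta(seconds=t)).isoformat()
        lines.append(f"{ts} src=10.1.2.12 dst=192.0.2.44 dport=80 bytes=512")
    for t in [0, 3, 9, 40, 41, 130, 600, 602, 605, 1900, 2400, 2402]:
        ts = (base + timedelta(seconds=t)).isoformat()
        lines.append(f"{ts} src=10.1.2.10 dst=203.0.113.9 dport=80 bytes=14000")
    return lines


SAMPLE_LOG = _constructed_log()


def parse(lines):
    """Yield (timestamp, src, dst) for well-formed lines; skip anything else."""
    for line in lines:
        m = LINE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["src"], m["dst"]


def interval_stats(lines):
    """Per (src, dst): (connection count, mean interval in s, coefficient of variation)."""
    times = defaultdict(list)
    for ts, src, dst in parse(lines):
        times[(src, dst)].append(ts)
    stats = {}
    for pair, tss in times.items():
        tss.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(tss, tss[1:])]
        if len(gaps) < 2:
            continue                      # nothing to measure regularity on
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean > 0 else float("inf")
        stats[pair] = (len(tss), mean, cv)
    return stats


def find_beacons(lines, min_connections=MIN_CONNECTIONS, max_cv=MAX_CV):
    """(src, dst) pairs whose timing is regular enough to look like C2 polling."""
    return sorted(pair for pair, (n, _mean, cv) in interval_stats(lines).items()
                  if n >= min_connections and cv <= max_cv)


if __name__ == "__main__":
    for src, dst in find_beacons(SAMPLE_LOG):
        n, mean, cv = interval_stats(SAMPLE_LOG)[(src, dst)]
        print(f"{src} -> {dst}: {n} connections every ~{mean:.0f}s (cv={cv:.3f})")
```

The thresholds are the weak point of any such heuristic: a monitoring agent or NTP client is also perfectly periodic, so flagged pairs need an allow list of known-good destinations, and a bot that randomises its sleep widely enough will push its coefficient of variation above the cut-off, which is why this is one signal to correlate with others rather than a verdict on its own.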

For small companies and individuals the same tools, firewalls and security software, are essential to help combat the botnet threat. Anti-spyware tools are also essential, and frequent scans help keep your machines free of potential threats.

However, first and foremost, the best defence is vigilance. Don’t click on links which may be suspect (especially in emails), and don’t open emails which you don’t trust. With an increased awareness of what causes infection, we can help prevent it and reduce the reliance on security software to clean up the mess our lazy behaviour creates!

Story: KPMG Digital Insider Focus
