Posts Tagged ‘Exploit’

Consumer AVs And Exploit Prevention

August 23, 2012

Targeted attacks exploiting endpoint vulnerabilities are becoming more and more common and increasingly aggressive.

For this reason I could not help but notice the latest report from NSS Labs, dealing with the capability of 13 consumer-grade AV products to protect against two critical Microsoft vulnerabilities (CVE-2012-1875 and CVE-2012-1889). Successful exploitation of these critical vulnerabilities could result in arbitrary remote code execution by the attacker, with very harmful consequences for the victim, such as the victim's machine being enlisted in a botnet. Unfortunately, a very common scenario in these troubled days.

Even if these vulnerabilities are a couple of months old (and patched), the resulting report is not very encouraging, and it renews the dramatic question: are endpoint protection technologies, on their own, capable of offering adequate protection in the current cyber-landscape?

Probably not, considering the findings, which are quite frustrating:

  • Only 4 of the 13 products blocked all attacks: exploit prevention remains a challenge for most products;
  • More than half of the products failed to protect against attacks over HTTPS that were blocked over HTTP, a serious deficiency for a desktop AV / host intrusion prevention system (HIPS);
  • Researchers are not the only ones testing security products: criminal organizations also have sophisticated testing processes in order to determine which product detects which malware, and how the various products can be evaded. Some crimeware kits already include one-click buttons to “Bypass VendorX,” for example.

Ok, you might argue that only consumer-grade AV products were tested, so enterprise organizations are not so exposed to exploit attacks. Mmh… Do not jump to conclusions, as I believe the reality is quite different and enterprise organizations are even more exposed, for the following reasons:

  • More and more organizations are adopting BYOD policies, in which users are free to use their own devices. Even worse, too often these devices are equipped with outdated endpoint protection platforms (EPPs) (how many organizations enforce NAC policies to check the integrity of the endpoint?).
  • Most of all… If cyber criminals have sophisticated testing processes in place, aimed at testing the detection capability of the various products, why would they use them only against consumer products and not (also) against the far more appealing enterprise market?

Yes, I definitely believe that endpoint protection technologies, on their own, do not offer adequate protection for exploit prevention, and the time has come for Advanced Threat Detection/Prevention technologies (like Lastline :-)).


January 2012 Cyber Attacks Timeline (Part 1)

January 15, 2012

Click here for part 2.

New year, new Cyber Attacks Timeline. Let us start our Information Security travel in 2012 with the chart of the attacks that occurred in the first fifteen days of January. This month has been characterized so far by the leak of the Symantec source code and the strange story of alleged cyber espionage revolving around it. But this was not the only remarkable event: the chronicles tell of the endless cyber-war between Israel and a Saudi hacker (and, more in general, the Arab world), but also of a revamped activity of Anonymous against SOPA (with a peak in Finland). The end of the period has also reserved several remarkable events (such as the breaches at T-Mobile and Zappos, the latter potentially affecting 24,000,000 users). In general this has been a very active period. For 2012 this is only the beginning, and if a good beginning makes a good ending, there is little to be calm about…

Browse the chart and follow @paulsparrows to be updated on a biweekly basis. As usual, after the jump you will find all the references. Feel free to report wrong/missing links or attacks.


Categories: Cyber Attacks Timeline, Security

Advanced Persistent Threats and Security Information Management

October 13, 2011

Advanced Persistent Threats are probably the most remarkable events for Information Security in 2011, since they are redefining the infosec landscape from both a technology and a market perspective.

I consider the recent shopping spree in the SIEM arena by IBM and McAfee a sign of the times and a demonstration of this trend. This is not a coincidence: as a matter of fact, the only way to stop an APT before it reaches its goal (the organization's data) is an accurate analysis and correlation of the data collected by security devices. An APT attack unfolds in different stages with different tactics, different techniques and different timeframes, which moreover affect different portions of the infrastructure. As a consequence, a holistic view and holistic information management are needed in order to correlate pieces of information spread across different parts of the network and collected by different, somewhat heterogeneous and apparently unrelated, security devices.

Consider for instance the typical cycle of an attack carried out by an APT:

Of course the picture does not take into consideration the user, who is the greatest vulnerability (but unfortunately a user does not generate logs, except in a verbal format that is not so easy for a SIEM to analyze). Moreover, the model should be multiplied by the number of victims, since it is “unlikely” that such an attack would be performed against a single user at a time.

In the end, however, it is clear that an APT affects different components of the information security infrastructure at different times and with different threat vectors:

  • Usually stage 1 of an APT attack involves a spear phishing e-mail with an appealing subject and argument, and a malicious payload in the form of an attachment or a link. In both cases the e-mail AV or anti-spam is hit in the ingress stream (and is supposed to detect the attack; am I naive if I suggest that a DNS lookup could have avoided attacks like this?). The impacted security device produces some logs (even if they are not straightforward to act upon when the malicious e-mail has not been flagged as a possible threat, or has been flagged only with a low confidence score). In this stage of the attack the time interval between receipt of the e-mail and its reading can range from a few minutes up to several hours.
  • The following stage involves user interaction. Unfortunately there is no human firewall so far (it is something we are working on), only user education (a very rare gift). As a consequence the victim is lured into following the malicious link or clicking on the malicious attachment. In the first scenario the user is directed to a compromised (or crafted) web site where he downloads and installs malware (or enters some credentials, which are then used to steal his identity, for instance for a remote access login). In the second scenario the user opens the attached file, which exploits a 0-day vulnerability to install a Remote Administration Tool. The interval between reading the malicious e-mail and installing the RAT is likely a matter of seconds. In any case, endpoint security tools may help to avoid surfing to malicious sites or, if they leverage behavioral analysis, to detect anomalous patterns from an application (a 0-day is always a 0-day, and often they are released only after making reasonably sure they are not detected by traditional AV). Hopefully, in both cases some suspicious logs are generated by the endpoint.
  • RAT control is the following stage: after installation the malware uses the HTTP protocol to fetch commands from a remote C&C server. Of course the malicious traffic is forged so that it may hide inside legitimate traffic. In any case the traffic passes through the firewalls and NIDS at the perimeter (matching allowed rules). Here both kinds of devices should be expected to produce related logs;
  • Once the attacker is in full control, the compromised machine is used as a hop to reach other hosts (now he is inside) or to sweep the internal network looking for the target data. In this case a NIDS/anomaly detector should be able to detect the attack by monitoring, for instance, the number of attempted authentications or failed logins: that is the way in which Lockheed Martin prevented an attack perpetrated by means of compromised RSA seeds, and also the way in which, during the infamous breach, RSA detected the attack, using anomaly detection technology from NetWitness, acquired by EMC, its parent company, immediately after the event.
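As an added example (not part of the original post), the following Python sketches the cross-device correlation that the four stages above call for, and that the SIEM paragraph further down says is hard to get right: constructed mail-gateway, endpoint, firewall and domain-controller log lines are grouped per victim host, and a host is alerted on only when enough stages line up inside a time window. The log format, field names, hostnames, addresses and thresholds are all assumptions made up for this example and mimic no real product.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in a made-up "timestamp source k=v ..." format.
# Each stage alone is weak evidence; the four together trace the attack chain.
SAMPLE_LOGS = """\
2011-10-13T08:02:10 mailgw host=ws-17 event=attach_flag confidence=low
2011-10-13T08:05:31 endpoint host=ws-17 event=suspicious_child parent=winword.exe
2011-10-13T08:05:40 firewall host=ws-17 event=http_out dst=198.51.100.23
2011-10-13T08:10:41 firewall host=ws-17 event=http_out dst=198.51.100.23
2011-10-13T08:15:39 firewall host=ws-17 event=http_out dst=198.51.100.23
2011-10-13T08:31:02 dc01 host=ws-17 event=auth_fail target=srv-files
2011-10-13T08:31:05 dc01 host=ws-17 event=auth_fail target=srv-db
2011-10-13T08:31:09 dc01 host=ws-17 event=auth_fail target=srv-mail
2011-10-13T08:31:12 dc01 host=ws-17 event=auth_fail target=srv-hr
2011-10-13T08:31:15 dc01 host=ws-17 event=auth_fail target=srv-fin
2011-10-13T08:03:00 mailgw host=ws-22 event=attach_flag confidence=low
2011-10-13T09:15:00 firewall host=ws-22 event=http_out dst=203.0.113.9
2011-10-13T08:40:00 dc01 host=ws-30 event=auth_fail target=srv-files
"""

def parse_line(line):
    """Split one constructed log line into a dict with a parsed timestamp."""
    ts, source, *fields = line.split()
    rec = {"ts": datetime.fromisoformat(ts), "source": source}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec

def stages_for_host(records, beacon_min=3, authfail_min=5):
    """Return the set of attack stages (as named in the post) that one host's
    records support; thresholds keep isolated low-value events from counting."""
    stages = set()
    http_per_dst = defaultdict(int)   # repeated HTTP to one dst ~ C&C polling
    failed_targets = set()            # distinct hosts the victim failed to log into
    for r in records:
        event = r.get("event")
        if r["source"] == "mailgw" and event == "attach_flag":
            stages.add("1-phishing-mail")
        elif r["source"] == "endpoint" and event == "suspicious_child":
            stages.add("2-endpoint-exec")
        elif r["source"] == "firewall" and event == "http_out":
            http_per_dst[r["dst"]] += 1
            if http_per_dst[r["dst"]] >= beacon_min:
                stages.add("3-c2-beacon")
        elif event == "auth_fail":
            failed_targets.add(r["target"])
            if len(failed_targets) >= authfail_min:
                stages.add("4-lateral-movement")
    return stages

def correlate(log_text, window=timedelta(hours=2), min_stages=3):
    """Group records per victim host, keep those within `window` of the host's
    first event, and alert on hosts whose evidence spans >= min_stages stages."""
    by_host = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_line(line)
            by_host[rec["host"]].append(rec)
    alerts = {}
    for host, recs in by_host.items():
        recs.sort(key=lambda r: r["ts"])
        start = recs[0]["ts"]
        in_window = [r for r in recs if r["ts"] - start <= window]
        stages = stages_for_host(in_window)
        if len(stages) >= min_stages:
            alerts[host] = sorted(stages)
    return alerts

if __name__ == "__main__":
    for host, stages in correlate(SAMPLE_LOGS).items():
        print(host, "->", ", ".join(stages))
```

Only ws-17 is alerted on: ws-22 shows a low-confidence mail flag and a single outbound request, ws-30 a single failed login, none of which reaches the stage threshold on its own.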

At this point it should be clear that this lethal blend of threats is pushing security firms to redefine their product strategies, since they face the double crucial challenge of dramatically improving not only their 0-day detection ability, but also their capability to manage and correlate the data collected from their security solutions.

As far as 0-day detection ability is concerned, next-gen technologies will include processor-assisted endpoint security or a new class of network devices such as DNS firewalls (thanks to @nientenomi for reporting the article).

As far as data management and correlation are concerned, yes, of course a SIEM is a beautiful concept… until one has to face the issue of correlation, which often means that SIEM projects become useless because the correlation patterns are too complex and not straightforward. This is the reason why the leading vendors are rushing to include an integrated SIEM technology in their product portfolio, in order to provide an out-of-the-box correlation engine optimized for their own products. The price to pay will probably be a segmentation and verticalization of the SIEM market, in which the leading vendors will have their own solution (not so optimized for competitor technologies) at the expense of generalist SIEM vendors.

On the other hand APTs are alive and kicking, keep on targeting US defense contractors (Raytheon is the latest) and are also learning to fly through the clouds. Moreover, they are well hidden, considering that, according to the Security Intelligence Report Volume 11 issued by Microsoft, less than one per cent of exploits in the first half of 2011 were against zero-day vulnerabilities. That 1% makes the difference! And it is a big difference!

Mobile Warfare

March 23, 2011

It has been recognized that mobile technologies have had a significant impact on the events that occurred in North Africa. In my opinion, their impact was so impressive that I refer to them with the term “mobile warfare”, indicating with this term the fact that they are going to play a crucial role in the (let us hope fewer and fewer) wars of the future.

Since the Wikileaks affair, and the consequent possibility of converting an Android device into a Wikileaks mirror during the attempt to take the main site offline by means of massive DDoS attacks, it was clear to me that mobile technologies would play a very important (and never before seen) role in 2011, not only in hacktivism but, more in general, in human-rights-related issues.

I had a dramatic confirmation of this role during the Jasmine Revolution in Tunisia, where mobile technologies made every single citizen a reporter, capable of sharing in real time with the rest of the world information such as images, videos and tweets pertaining to the dramatic events happening inside the country.

But it was with the #Jan25 and #Egypt tweets that the world discovered for the first time the power of mobile warfare. In those dramatic days every single person on the planet only needed to access her Twitter account in order to become a virtual witness of the events; dramatic facts reported in great detail by hundreds of extemporaneous reporters “armed” only with a smartphone, and made available in real time to the rest of the world thanks to the “six degrees of separation” allowed by social networks. The strength and the impact of this mobile warfare were so huge as to force the declining Egyptian Government to shut the Internet off for several days, starting from January 27th.

Can we really understand what it means for a country to shut the Internet off? As individuals we are so used to the Web that we could not resist a single hour without checking the status of our mates. But for a country, an Internet connection disruption means a nearly complete stop of all economic and financial activities, including banking, trading, and so on. The mere fact of having enforced such a dramatic decision (and its consequences) is particularly telling of the threat posed by mobile warfare as perceived by the Egyptian Government. But to have a clear understanding, we must also consider the fact that, at the same time, the Egyptian Government itself tried to unleash the power of mobile warfare with its clumsy attempt to stop the revolution by broadcasting pro-Government SMS, thanks to the country’s emergency laws, causing the subsequent protests of Vodafone.

And what about Libya? I have direct experience, since I was in Tripoli for work at the beginning of last February (so a month and a half ago, even if it looks like a century has passed since then). I had not even completely left the jet bridge leading me from the aircraft to the airport facility when I was impressed to notice so many Libyan people playing with their iPhones. Since I just could not help thinking of the Egyptian situation, I asked some of them if they had the feeling that something similar to Egypt could happen in Libya. Guess what they answered? They all simply agreed on the fact that, due to the different economic and political situation, it was impossible! Of course the point is not their answer, but rather the fact that I was surprised to see so many smartphones (ok, we are speaking about the airport, which maybe is not so meaningful in terms of statistics) and, more in general, so many devices capable of providing a high-level Internet user experience (even with the bottleneck of the local mobile networks) and of potentially being used for mobile warfare.

That event was just a kind of premonition, since a couple of weeks later, during the first days of the protests, and in particular during the reaction of the regime, smartphones and social networks once again played a leading role, allowing the world to witness those dramatic events in real time, with a spreading rate unknown before. For the second time, approximately three weeks after Egypt, a country decided to disconnect the Internet in order to prevent the spread of information via the social networks. This time it was Libya’s turn, which decided to unplug the Web on February 18th. Once again the power of mobile warfare was unleashed, disconnecting a country from the Internet in a few minutes (how long would a real army have taken to carry out a similar sabotage?).

Is mobile warfare the cause or effect?

We must not make the mistake of considering mobile warfare an effect of the movements that arose first in Tunisia, then in Egypt, and finally in Libya. Mobile warfare is rather the cause, since it is precisely through the action of mobile warfare that events could spread rapidly inside a single country, and later among different countries (in both cases with an unprecedented speed), encouraging other people to follow the example and acting, in turn, as a powerful catalyst for the movements. As an example, consider the following article, which in my opinion is particularly meaningful: it shows the Middle East Internet Scorecard, that is, the dips in Internet connections registered in different Middle East countries in the week between February 11 and February 17 (that is, when the social temperature in Libya was getting extremely hot): one can clearly recognize a viral spread of the “unplugging infection”.

What should we expect for the future?

Mobile warfare has played and is still playing a significant role in the wind of change that is blowing through North Africa. Thanks (also) to mobile technologies, people (most of all students) living in countries where human rights suffer some kind of limitation have the possibility to keep continuously in touch with people living in different countries, learning their habits and, in turn, being encouraged to “fight” to achieve (or at least to attempt to achieve) a comparable condition. This revolution is not only technological but most of all cultural, since it is destroying all the barriers that kept many countries separated from each other and that allowed many populations to live (apparently) in peace simply because they completely ignored the existence of a world outside: we could consider this the equivalent of the old infosec paradigm of (Homeland) “Security Through Obscurity”.

On the opposite side, it is likely that all those governments having a peculiar idea of what human rights are will deploy some kind of countermeasure to fight mobile warfare and its inseparable companion, the social network. I do not think that completely preventing the use of mobile technologies is an applicable weapon, since they have become too important for a country (politics, economics, finance, etc.): nowadays every kind of information flows in real time, and consequently no country can afford to go slower.

Moreover, for the reasons I explained above, Internet disconnection is not a sustainable countermeasure either, since no government in the world can afford to be cut off for too long simply to prevent people from tweeting or sharing ideas or videos on social networks. Also because, for instance, the U.S. has secret tools to restore the Internet in case of disruption, which include Commando Solo, the Air Force’s airborne broadcasting center, capable of bringing the Wi-Fi signal back to full strength in a bandwidth-denied area; satellite- and non-satellite-based assets that can provide access points to get people back online; and finally cell towers in the sky, hooking cellular pods to the belly of a drone so that the ground within a radius of a few kilometers would have 3G coverage underneath the drone. It would be interesting to verify whether any of these technologies are currently being used in the Odyssey Dawn operation.

For all the above-quoted reasons, in my personal opinion the countermeasures will aim to make unusable the resources of information collection (that is, mobile devices) and the resources of information sharing (that is, social networks).

So this new generation of cyber-warfare will involve:

  • A preventive block of social networks, in order to prevent any attempt to share information. For the above-quoted reason a total block would damage the whole economy (even if I must confess that a preventive block of this kind would be quite easily bypassable through external proxies);
  • A massive denial of service against mobile devices through the massive exploitation of vulnerabilities (more and more common and pervasive on this kind of device), through massive mobile malware deployment, or by means of a massive remote execution on mobile devices (as Google did, for instance, in order to remotely wipe the DroidDream malware). Honestly speaking, I consider the latter option the least likely, since I can easily imagine that no manufacturer would cooperate on this (but this does not prevent a single country from considering this channel);
  • Spoofing the mobile devices in order to make them unreachable, or in order to discredit them as a source of reputable information;
  • A “more traditional” denial of service in order to put social networks offline (even if this would need a very large DDoS, due to the distribution of the social network providers' resources).

In all the above-quoted cases it would be legitimate to expect a reaction, as done, for instance, by the infamous Anonymous group.

The Android Threatened at Its Root

This morning our wake-up call does not come from the aroma of coffee and a nice butter croissant, but from yet another note from Lookout flagging yet another piece of malware for the never-too-healthy Android. The threat once again comes from the Far East, and in particular from China, which confirms itself as hostile ground for the virtual health of the Mountain View operating system (I would be tempted to say that the Android is really sensitive to the Chinese).

The usual symptoms are all there: a parallel market and an executable called zHash, which follows in the footsteps of its predecessor DroidDream and is capable of rooting (not a swearword, but an unlikely, improvised neologism we will unfortunately have to get used to) the device by means of the same exploid exploit.

Naturally, so as not to miss out on anything, a version of the same application was also registered in the official Market, with the same name, and therefore containing the same exploit, but without the code needed to invoke it. Small consolation, since it is always better not to have the enemy in the house, even a dormant one.

In any case the application, which seems to have had 5000 downloads, has already been removed by Google, which once again exercised (it is becoming too frequent a habit) its ability to uninstall the application remotely (obviously the “forced” removal was only carried out for the versions downloaded from the official market).

Incidentally, the danger posed by the malware seems relatively low. Obviously, once the device has been illicitly compromised (without the user’s knowledge), it could then fall victim to other malicious applications leveraging the improperly acquired root permissions.

For now there is no further information; the usual, never-too-often-repeated recommendations remain valid:

  • Avoid, unless strictly necessary, enabling the option to install applications from Unknown Sources (a practice also known as “sideloading”);
  • Pay attention in general to what you download and, in any case, install only applications from trusted sources (for example the official Android Market, whose applications are not infected). It is also good practice to check the developer’s name, the reviews and the users’ ratings;
  • Always check the permissions of applications during installation. Naturally, common sense is the best anti-malware for verifying whether the permissions are appropriate for the purpose of the application;
  • Pay attention to symptoms of unusual phone behaviour (for example strange SMS or suspicious network activity), which could be indicators of a possible infection;
  • At this point, alas (and we return to the recently discussed topic of the cost of security), consider an anti-malware application among the many on offer, destined by now to become an inseparable companion.

No Peace for the Android

January 30, 2011

There is no doubt: the easy predictions that placed the Android at the centre of the security problems of 2011 have hit the mark.
Only a few hours have passed since the announcement of a proof of concept for turning the Android into a zombie phone, and already tweets are bouncing around the web about a new serious vulnerability in the default browser that makes it possible for an attacker to steal sensitive information.

The vulnerability, which affects the latest version of the operating system, 2.3 (Gingerbread), was discovered by Xuxian Jiang, a professor at North Carolina University, and it is the same one that was discovered (and apparently patched) in November 2010 for Froyo (Android 2.2) by Thomas Cannon.

It really seems that the patch included in Gingerbread 2.3 is not definitive and can be bypassed. At least, that is what was proven with a proof-of-concept on a Nexus S (the latest arrival from Google), whose vulnerability, suitably exploited (or “exploitata”, as we say in technical jargon), could be used to steal data simply by luring the unaware user into visiting a malicious link.

The researcher managed to exploit the vulnerability on the guinea-pig Android to:

  • Obtain the list of applications currently installed on the phone;
  • Upload the applications (installed on the /system and /sdcard partitions) to a remote server;
  • Read and upload the contents of any file (including photos, voice messages, etc.) stored on the device’s sdcard.

Google was notified on January 26 and replied within 10 minutes. After the appropriate checks, it acknowledged the vulnerability and indicated that it will be fixed no later than the next major release of the operating system.

In any case the attack, for which no exploits are currently known in the wild, does not use root privileges and operates inside the operating system’s sandbox, so it is able to capture “only” the files on the sdcard and a few others.
