Remember the RSA hack? The thing that started to freak out companies who distributed those handy little RSA tokens in hopes of securing their data? (If not, do not worry; you can read about it here.) Well, apparently F-Secure, who run the super awesome site VirusTotal, say the e-mail was submitted to their database a few days after the email was sent, namely 2 days after EMC Corp. released the news of the leak.
The verdict? It was not that sophisticated.
Sure, it was a spoofed e-mail, but the user grabbed it out of the junk box to open it. It was supposed to look like legit traffic from beyond.com, a job recruitment website.
The message? "I forward this file to you for review. Please open and view it."
If that seriously was all that was in the e-mail, it does not seem like something a job recruitment company would send. They would definitely make it sound more... professional?
Regardless, user opened the attachment, and voila. Meltdown!
Just goes to show you don't have to have the best spear phishing email; all you need is one nibble... and you've got 'em hook, line and sinker.
This blog reflects the thoughts and views of me alone, not my employer. It's mostly just news and what I have learned on my travels through the interwebs.
Friday, August 26, 2011
Friday, August 19, 2011
The Safest Browser: IE9??
So, although the title of the article was "Google Chrome improves anti-malware blocking score by 340%", what the article really ended up saying was regardless of these improvements, Safari, Firefox, and Chrome do not beat IE9's 99.2% score in blocking malicious sites. It must be noted that this study did not include drive-by malware, it required a user's interaction (ie downloading a file).
How did Microsoft pull it off? With a feature called 'Application Reputation'
which uses hashes, history, and reputation. So for example, one downloads "minecraft.exe". Based on its history (has this been around for a while?) and reputation (has it ever been flagged as malicious?) it may be passed as ok. However, if IE has never seen that hash associated with the download, it would notify the user. Now granted, you probably will ignore this because, dangnabbit you really want to minecraft... but don't blame Microsoft for your woes.
This concept reminded me of something I was discussing with friends a while back, something like cloud-AV. If one could input a hash of a file into a cloud which was seen by all AV companies, and then based on the same criteria as Application Reputation "rate" the file as being malicious/clean. This obviously has issues, the main one being which AV company would buy into this, as having a cloud would make competition (ergo making more money than the other guy) obsolete, because it wouldn't matter what AV vendor you used as long as they all put in their data (but who really would, honestly). Also, what to do if AV comes back saying something has a 45% probability of being malicious... what is a user to do? You would still have to have an override button, so once again you have the weakest link to worry about.
For minecrafting though... I would accept 45%, as would any other human being.
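To make the Application Reputation idea and the cloud-AV variant concrete, here is an added example (my own illustration, not Microsoft's or any AV vendor's code). It hashes a download, looks the hash up in a constructed reputation table (first-seen date, how many vendors scanned it, how many flagged it), and returns allow/warn/block. The table, the sample files, the 30-day "history" threshold and the 50% block threshold are all assumptions; an unknown hash or a middling score like 45% falls through to "warn", which is exactly the override decision the post worries about.

```python
import hashlib
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class Record:
    """One entry in the (constructed) reputation database."""
    first_seen: date        # history: when was this hash first observed?
    vendors_scanned: int    # how many vendors have looked at it
    vendors_flagged: int    # reputation: how many called it malicious


@dataclass
class Verdict:
    action: str                  # "allow", "warn" or "block"
    reason: str
    probability: Optional[float] # fraction of vendors flagging it, if known


def file_hash(data: bytes) -> str:
    """Identity of the download: SHA-256 of its bytes."""
    return hashlib.sha256(data).hexdigest()


# Constructed sample downloads (not real files) and their constructed records.
SAMPLES = {
    "old_clean": b"constructed: well-known launcher, seen for 18 months",
    "new_clean": b"constructed: brand-new build nobody has flagged yet",
    "suspect":   b"constructed: 9 of 20 vendors flag this one",
    "bad":       b"constructed: 18 of 20 vendors flag this one",
}
TODAY = date(2011, 8, 19)  # constructed "current" date
DB = {
    file_hash(SAMPLES["old_clean"]): Record(date(2010, 1, 15), 10, 0),
    file_hash(SAMPLES["new_clean"]): Record(date(2011, 8, 15), 10, 0),
    file_hash(SAMPLES["suspect"]):   Record(date(2011, 6, 1), 20, 9),
    file_hash(SAMPLES["bad"]):       Record(date(2011, 6, 1), 20, 18),
}


def rate_download(data: bytes, db: dict, today: date,
                  min_age_days: int = 30, block_at: float = 0.5) -> Verdict:
    """Apply hash + history + reputation to a download, in that order."""
    rec = db.get(file_hash(data))
    if rec is None:
        # Never-seen hash: IE's "we have no reputation for this" prompt.
        return Verdict("warn", "hash has never been seen before", None)
    if rec.vendors_flagged == 0:
        age = (today - rec.first_seen).days
        if age >= min_age_days:
            return Verdict("allow", f"clean and around for {age} days", 0.0)
        return Verdict("warn", f"clean so far but only {age} days old", 0.0)
    prob = rec.vendors_flagged / rec.vendors_scanned
    if prob >= block_at:
        return Verdict("block", f"{prob:.0%} of vendors flag it", prob)
    # The 45% case: not confident enough to block, so the user must decide.
    return Verdict("warn", f"{prob:.0%} of vendors flag it; override needed", prob)


if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(name, rate_download(blob, DB, TODAY))
    print("unknown", rate_download(b"constructed: never submitted", DB, TODAY))
```

The ordering matters: a hash the service has never seen gets a warning before any score is computed, so the "is it new?" question is answered independently of the "is it bad?" question, which is the split between history and reputation that the post describes.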
Thursday, August 11, 2011
APT: What is it really?
Ira Winkler recently wrote an article about McAfee's latest report on Shady RAT. This brings the buzzword Advanced Persistent Threat (APT) out again. It's always interesting to see this word being tossed around. What is it really? It's just putting a fancy name on something which has been around since goodness knows when. Ira breaks down the attacks as generally how all attacks are, except APT tends to have a bit more sophisticated malware than your standard drive-by exploit.
Delivery is never complicated, because generally it doesn't have to be. Sending phishing emails with malicious links/attachments, sometimes spoofed, sometimes not. You only need one user to click on a link to gain access to a system. It is of course always better to gain access to an executives computer/account, but not always necessary.
The Shady RAT malware used steganography, something I personally have never seen in the field. APT generally uses something more devious than standard drive-by exploits: rootkits, infected MBRs, and even patching holes that other malware utilizes.
Personally, I think the main difference between APTs and other nefarious actors is that nefarious actors are usually after two things: money or CPU time (for botnets etc). APTs are generally after information, and willing to go low and slow to get in, establish persistence (backdoor), and exfiltrate data in a secure manner. The other guys don't really care about that because if 5 out of 50 computers get hijacked, it's good enough for them (that is why they just blast out e-mails/infect websites like crazy).
Regardless of my opinion, Ira makes a good point: why do vendors over-exaggerate claims, and then their competitors come out with rebuttals saying it really is no big deal and here's why? Shouldn't collaboration be a better buzzword to be dropping? If we had better dialogue between vendors and security teams from various fields (private and public), maybe we could help the community as a whole.
Labels:
ira winkler,
mcafee,
shady rat,
symantec
Saturday, August 06, 2011
Black Hat/DefCon Funness
Ahhh... two weeks in Las Vegas. It's enough to drive a person insane. This year is no different. Lotsa interesting hacks and gizmos seem to have come out this year, not to mention AnonymousSabu and th3j35t3r taking shots at each other on their respective Twitter feeds.
A brief synopsis is available on CW for those who just want a quick overview.
Perhaps one of the more interesting hacks revealed was the vulnerability in OSPF routing found by a security researcher in Israel. Open Shortest Path First is the most popular routing protocol within an autonomous system (AS). What exactly is an AS? Wikipedia says: "Within the Internet, an Autonomous System (AS) is a collection of connected Internet Protocol (IP) routing prefixes under the control of one or more network operators that presents a common, clearly defined routing policy to the Internet." So think large corporations, ISPs, or universities.
OSPF works by link-state routing. An interface is a link (so every NIC in a router, for example). I remembered this from my Computer Security class days. Let's say you have a few routers in an AS. Routers share link status for themselves using unicast or multicast packets, thereby creating a topology in their databases of router links. There is a designated router (king router) which receives these updates from all the routers and then sends updates to all the routers.
So, below is a horrible mockup of visual link costs for a tiny AS. Link costs are determined by the overhead required to send a packet over the link. So in theory, a 56k modem would have a higher link cost than say a T1 line. Higher bandwidth = lower cost. (Cisco)
So for router A to send to router E you essentially add up the links to determine which is the best path to take. There are a few different possibilities, but the best choice here is A-D-C-E (10).
The Dijkstra algorithm is used to calculate the shortest path; you can read more about it here. This is obviously more complicated than I explained here, and every AS consists of many more than 5 routers.
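Since the mockup picture of the link costs did not survive, here is an added example (my own, not from the post or from any OSPF implementation) that runs Dijkstra over a constructed five-router AS. The link costs are an assumption chosen so that the best A to E path is A-D-C-E with cost 10, matching the post; every router first builds the same topology from the shared link database, then computes its own shortest-path tree from it, which is what makes a wrong entry in that database matter to everyone.

```python
import heapq

# Constructed link costs for a tiny AS (assumption: the post's picture is
# not reproduced, so these numbers were picked to make A-D-C-E cost 10).
# Lower cost = higher bandwidth, as in the Cisco convention the post cites.
LINKS = {
    ("A", "B"): 4, ("A", "C"): 7, ("A", "D"): 2,
    ("B", "C"): 3, ("B", "E"): 8,
    ("C", "D"): 3, ("C", "E"): 5,
    ("D", "E"): 9,
}


def build_topology(links):
    """Turn the flat link database into an adjacency map (links are bidirectional)."""
    topo = {}
    for (u, v), cost in links.items():
        topo.setdefault(u, {})[v] = cost
        topo.setdefault(v, {})[u] = cost
    return topo


def dijkstra(topo, source):
    """Shortest-path tree from `source`: total cost and previous hop per router."""
    dist = {source: 0}
    prev = {}
    heap = [(0, source)]
    done = set()
    while heap:
        d, u = heapq.heappop(heap)
        if u in done:
            continue            # stale heap entry
        done.add(u)
        for v, cost in topo[u].items():
            nd = d + cost
            if nd < dist.get(v, float("inf")):
                dist[v] = nd
                prev[v] = u
                heapq.heappush(heap, (nd, v))
    return dist, prev


def shortest_path(topo, source, dest):
    """Return (path as list of routers, total cost); (None, inf) if unreachable."""
    dist, prev = dijkstra(topo, source)
    if dest not in dist:
        return None, float("inf")
    path = [dest]
    while path[-1] != source:
        path.append(prev[path[-1]])
    return path[::-1], dist[dest]


def routing_table(topo, source):
    """Next hop and cost for every other router, as a router would install them."""
    dist, prev = dijkstra(topo, source)
    table = {}
    for dest in dist:
        if dest == source:
            continue
        hop = dest
        while prev[hop] != source:
            hop = prev[hop]
        table[dest] = (hop, dist[dest])
    return table


if __name__ == "__main__":
    topo = build_topology(LINKS)
    print(shortest_path(topo, "A", "E"))   # (['A', 'D', 'C', 'E'], 10)
    for dest, (hop, cost) in sorted(routing_table(topo, "A").items()):
        print(f"A -> {dest}: via {hop}, cost {cost}")
```

Run `shortest_path(topo, "A", "E")` and the other candidates the post mentions are all more expensive here: A-D-E is 11, A-C-E and A-B-E are 12. Because every router in the area recomputes from the same link database, a single bad link entry changes the tree on all of them at once, which is why the integrity of the advertisements (the LSA checks the researcher attacked) is the whole game.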
So ANYWAYS, the security researcher discovered that there is a flaw in the protocol (via the Link State Advertisement sequence number) and he could now send link updates from 'phantom routers' which basically screw up routing tables. So now traffic can get congested, or be rerouted through a certain point (maybe one with a sniffer?).
Of course there are some requirements. From the article:
"The exploit requires one compromised router on the network so the encryption key used for LSA traffic among the routers on the network can be lifted and used by the phantom router. The exploit also requires that the phantom router is connected to the network, Nakibly says. To initiate the attack the phantom router introduces itself as being adjacent to the victim router, which must be the designated router on the network. " (ComputerWorld)
Made fun of your boyfriend because of his obsession with model airplanes? Well two researchers unveiled a homemade spy airplane which can intercept phone conversations and hack weak wifi. Well the airplane was an army surplus purchase, but the point is anyone can buy these things and with some elbow grease and time... come up with something a bit nasty. I can totally see geeky parents making this to spy on their kids... intercepting their cell conversations... or making sure they are not talking while driving.
Also fun to note: Metasploit 4 is out... now with more exploits and a database for storing information discovered about the hosts scanned, and which hosts might be susceptible to exploits (RHOST). This makes Metasploit better for IT staff who want to scan their entire networks, where pen-testers usually only test against a sample of machines. This now makes Metasploit more marketable... the man is getting to us all.
Labels:
Blackhat,
metasploit,
OSPF vulnerability,
WASP