ESET Threat Blog

Archive for the 'web security' Category

Operation Cyber ShockWave


Tuesday, February 16th, 2010

While serving in the Marine Corps, one activity that I felt was effective in preparing both myself and my unit to be able to handle real-world scenarios, was getting as much experience as possible from military training exercises. In most cases multiple branches worked together or, as in the case with NATO exercises, multiple countries worked together. The goal was always to prepare us for various potential scenarios as well as learning to quickly adapt due to the impossible-to-calculate number of permutations of attacker, weapons, target, collateral damage, etc. 

Today the Bipartisan Policy Center (BPC) held a simulated cyber attack against the United States. The goal was to take a group of former high-ranking Cabinet and national security officials and have them successfully complete the mission of advising the president throughout the crisis. Their responses were delivered in real time, as were the intelligence and news feeds. The full list of participants is available from the PR Newswire press release (http://www.prnewswire.com/news-releases/cyber-shockwave-hits-washington-83570087.html). 

The exercise began at 10 am EST and lasted for three hours. During that time, the attack escalated from cellular networks to electrical utilities. The exercise was designed by former CIA Director Michael Hayden in partnership with the BPC. 

To understand the scope and capabilities of the adversaries we are facing in today's connected world, I selected what I thought was a very applicable report: Annual Threat Assessment of the US Intelligence Community for the Senate Select Committee on Intelligence. This report is from the congressional testimony on February 2, 2010, by US Director of National Intelligence, Dennis Blair. Below are samplings of his comments: 

"The cyber criminal sector in particular has displayed remarkable technical innovation with an agility presently exceeding the response capability of network defenders. Criminals are developing new, difficult-to-counter tools."

"Criminals are collaborating globally and exchanging tools and expertise to circumvent defensive efforts, which makes it increasingly difficult for network defenders and law enforcement to detect and disrupt malicious activities."

The full testimony (PDF) is available here (http://www.dni.gov/testimonies/20100202_testimony.pdf)

This brings to mind the old adage, "fight fire with fire" – which is applicable when combating cybercrime and cyber attackers. Continually increasing global cooperation (for instance: laws, extradition agreements, criminal sentences) coupled with fast-paced innovation can have the direct impact of not only closing the gap, but also plainly and simply putting them in a "hurt locker" (aka "world of hurt") since, in many cases, cybercriminals/attackers don't feel pain commensurate with the scale and scope of their crimes. 

I brought up cybercrime because a number of the tools and techniques are similar or identical between cybercriminals and those that would wage cyber warfare. In fact, if you were to follow the money trail of all cybercrime activity there is a very high probability that you will ultimately encounter an adversary that is planning, or conducting, cyber attacks against the United States.  

By now you can read about operation Cyber ShockWave from just about anywhere on the 'net. You can also go to the Bipartisan Policy Center's web site directly: http://www.bipartisanpolicy.org/events/cyber2010. This weekend CNN will be providing special coverage of Cyber ShockWave (Saturday February 20). 

Hopefully this exercise provided realistic attacks and the video coverage will show the decision-makers "making the call" in different scenarios. For obvious reasons, the "big gaping holes" shouldn't be exposed to the world, but at the very least, it does bring awareness to a problem that governments across the world face on a daily basis – how to handle the dynamic nature of threats as they continually evolve. 

Jeff Debrosse

Sr. Research Director

The Blame Game


Tuesday, November 10th, 2009

I recently learned a new acronym: SODDI (Some Other Dude Did It). What this refers to is the defense that criminals routinely use (plausible deniability) – and even more so when it comes to illicit activities on the Internet.

On Sunday, November 8th 2009 the Associated Press published an article regarding an individual that was accused of possessing child pornography. After 11 months, and at a personal expense of $250,000, computer forensics proved that the computer had become infected with malware that was designed to download illegal content. Malicious software was the culprit at work behind the scenes.

This activity is a topic that had been discussed for quite a few years as a potential liability for any computer that has been infected. Software that is designed to conduct remote operations can surreptitiously download any kind of digital material to a person’s machine or establish connections to (or probe/attack) any target. This would cause the owner of the infected computer to appear to have broken one, or more, of many laws including illegally accessing a network, theft of intellectual property (IP) and child pornography – to name a few. Basically, any action that an attacker or criminal can directly perform on the Internet can also be duplicated and executed from a victim’s computer. The end result is truly horrific for the victims who have to defend themselves when the trail leads to them – and seemingly stops at their computers.

There are numerous examples of this occurring. For instance, substitute school teacher Julie Amero’s life was undeniably, and tragically, altered after the school computer she was using in a 7th grade classroom started displaying pornographic images to her students. After significant expense, loss of a teaching career and other losses, she was finally convicted of a lesser charge (in 2008) and given a reduced fine.

Cases like these are where several (of many) cybercrime issues converge:

  • Laws: many legal systems still struggle to catch up with cybercrimes
  • Plausible deniability: the challenge of proving that a person is the one that used their computer to commit an act (usually a criminal act)
  • Attribution: lack of attribution across the Internet impairs the ability to accurately, and with a high degree of confidence, trace internet connections/packets back to their source(s)

When two or more of these elements are combined, the end result is typically a confusing, and potentially indefensible, gathering of forensic data that can either let a criminal “walk” or cause an innocent person to be charged, tried and sentenced.

In any war there is a term known as “collateral damage”. In the war against cybercriminals, the collateral damage is clear and unmistakable. As a society, when we gain more overall forensic analysis experience and systems are capable of providing more accurate attributable information, we should see a diminishing number of cases of innocent victims and more/stiffer convictions for the bad guys.
   
Jeff Debrosse
Senior Research Director

 

Truth, Fiction and HTTPS


Sunday, October 4th, 2009

Update, 19th October. I was recently contacted indirectly by Eddy Nigg of StartCom, who points out, quite rightly, that this issue is not specific to StartCom, nor a problem created by StartCom. He commented further in a comment to Dan Raywood’s article for SC Magazine arising from this blog entry, and I think it’s only fair to quote it in full. In fact, I’m delighted that Eddy has elected to provide this reassurance about StartCom’s security model.

"StartCom makes a 100% effort to prevent any misuse for all certificates (paid and free), I believe the success rate is pretty good as well. Obviously any CA may fail to completely prevent misuse in some form or the other and at some point. But I don’t think this depends on the amount a subscriber paid for the certificate. StartCom is very committed to provide the best services and security in the appropriate level to the Internet community, I hope for the benefit of all."

 

Here’s another item from Sebastián Bortnik, my colleague at ESET Latin America, translated from his blog at http://blogs.eset-la.com/laboratorio/2009/10/02/mito-https.

One of the tips we frequently see given regarding phishing (and other related Internet attacks) is the importance of checking in the address bar for the presence of the HTTPS protocol to access web sites where you enter personal information.

[Image: https1 – screenshot accompanying the HTTPS tip]

Although this advice still holds true, it is very frequently misinterpreted as meaning that "whenever a site has HTTPS, it’s safe."

Without going into too much detail, HTTPS (HyperText Transfer Protocol Secure) is intended to ensure that the information transmitted from a user’s computer to a remote website is encrypted during transmission. An analogy might be that if you were sending a letter, the protocol would be like a sealed envelope that guarantees that the contents can’t be read by anyone until it reaches the recipient.

However, once information reaches the web server, it is no longer encrypted. Therefore, if the server belongs to an attacker rather than the legitimate individual or organization you think you’re sending information to, it’s easy for him to read this information. For various reasons, malicious web servers have generally had to work directly with the HTTP protocol, where information in transit is not encrypted. This is why the advice is so commonly given to check which protocol is being used. However, while it doesn’t commonly happen, an attacker can use the HTTPS protocol on a false (spoofed) or malicious website. To return to our postal analogy, it doesn’t matter if the envelope keeps the letter’s contents secret in transit if the person who eventually receives it has malicious intentions, because there’s nothing to stop them opening the envelope.

Further to this idea, many people will have read the news this week that Internet Explorer is to support free certificates [http://www.h-online.com/security/Internet-Explorer-supports-free-certificates--/news/114332]. The article explains that StartCom (a company that provides SSL certificates for free) has been added as a valid certifying authority to the Internet Explorer browser. As The H (a major source of security information in Europe) explains, StartCom certificates are now pre-installed as root certificates in Microsoft’s operating system, so that Internet Explorer now accepts StartCom certificates "without prompting the user or requiring any special configurations for the certificates. Third-party programs that use the operating system’s certificate memory will also accept the certificates without asking further questions."

One of the main reasons that attackers don’t purchase SSL certificates has, historically, been their cost (and the need to provide information when applying to buy them). The opportunity of getting certificates for free provides a significant potential opportunity for attackers. They can now register a domain, create an email account and set up malicious servers to work with the HTTPS protocol (and a valid certificate). Thus, if potential victims see the all-important letter "S" (httpS), and this persuades them that the web site is safe, this will provide attackers with a great opportunity to commit some form of malicious act.

Reading the StartCom post in which the news was announced [https://blog.startcom.org/?p=205], it is important to mention that other browsers (like Google Chrome or Firefox – see picture) already accept StartCom’s free certificates.

[Image: https2 – screenshot of a StartCom certificate accepted by another browser]

Although we’ve specifically considered the possibility that an attacker might install a server with HTTPS legitimately, it’s worth mentioning that other attack vectors have existed previously that simulate the existence of a secure protocol: consider, for instance, the research work carried out by Moxie Marlinspike (Null Prefix Attacks Against SSL Certificates [http://www.thoughtcrime.org/papers/null-prefix-attacks.pdf]).

In summary:

- "When you access a site that presents a form where you enter personal information, you should verify that it uses the HTTPS protocol" -> TRUE
- "A place where you enter sensitive information and that does not have HTTPS is not safe" -> TRUE
- "Using the HTTPS protocol, information is transmitted encrypted" -> TRUE
- "Whenever a site has HTTPS, it can be considered safe" -> FALSE

Certainly you should verify that sites where you are expected to enter sensitive information use a secure protocol to preserve confidentiality. However, the existence of a secure protocol certainly doesn’t prove that you are connected to a safe, non-malicious website. 
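The distinction the post draws, as an added example (not code from the ESET post, from StartCom or from any browser): the URL scheme answers only "is the transport encrypted?", while "is this the site I meant to reach?" is a separate check against the intended hostname, one that also has to reject the NUL-byte certificate names from the null-prefix research cited above. All hostnames and certificate names below are constructed.

```python
# Added example: the two separate questions behind "look for the S".
# Question 1 (scheme): is the data encrypted in transit?
# Question 2 (identity): does the certificate name belong to the host the
# user intended, rather than to an attacker's own validly-certified domain?
from urllib.parse import urlsplit


def uses_https(url: str) -> bool:
    """Question 1: True when the URL scheme is https."""
    return urlsplit(url).scheme.lower() == "https"


def cert_name_matches(cert_cn: bytes, expected_host: str) -> bool:
    """Question 2: compare a certificate subject CN (raw bytes as stored in
    the certificate) against the hostname the user intended to visit.

    - An embedded NUL byte is rejected outright.  A CN shaped like
      b"login.bank.example\\x00.attacker.example" is the null-prefix
      pattern: a C-style string compare stops at the NUL and "sees" only
      login.bank.example.
    - A single leading "*." wildcard matches exactly one label, so
      *.bank.example covers login.bank.example but not bank.example or
      a.b.bank.example.
    """
    if b"\x00" in cert_cn:
        return False
    try:
        name = cert_cn.decode("ascii").lower().rstrip(".")
    except UnicodeDecodeError:
        return False
    host = expected_host.lower().rstrip(".")
    if not name or not host:
        return False
    if name.startswith("*."):
        suffix = name[2:]
        labels = host.split(".")
        return ("." in suffix and "*" not in suffix
                and len(labels) >= 2 and ".".join(labels[1:]) == suffix)
    return name == host


def assess(url: str, expected_host: str, cert_cn: bytes) -> dict:
    """Combine both questions for a URL the user is about to submit a form to.

    expected_host is the host the user believes they are talking to (for
    example from a bookmark), so a phishing host that merely *has* HTTPS and
    a valid certificate for its own name still fails the identity check.
    """
    actual_host = (urlsplit(url).hostname or "").lower()
    encrypted = uses_https(url)
    identity_ok = (actual_host == expected_host.lower()
                   and cert_name_matches(cert_cn, actual_host))
    return {
        "encrypted_in_transit": encrypted,
        "identity_verified": identity_ok,
        "safe_to_enter_data": encrypted and identity_ok,
    }


if __name__ == "__main__":
    # Constructed cases mirroring the post's summary list.
    print(assess("http://login.bank.example/form", "login.bank.example",
                 b"login.bank.example"))                    # no HTTPS
    print(assess("https://login.bank-example.test/form", "login.bank.example",
                 b"login.bank-example.test"))               # HTTPS, wrong site
    print(assess("https://login.bank.example/form", "login.bank.example",
                 b"login.bank.example\x00.attacker.example"))  # null-prefix CN
    print(assess("https://login.bank.example/form", "login.bank.example",
                 b"*.bank.example"))                        # both checks pass
```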

Sebastián Bortnik
Security Analyst
ESET Latin-America

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence

ESET LLC

ESET Threatblog (TinyURL with preview enabled): http://preview.tinyurl.com/esetblog
ESET Threatblog notifications on Twitter: http://twitter.com/esetresearch
ESET White Papers Page: http://www.eset.com/download/whitepapers.php

Securing Our eCity community initiative: http://www.securingourecity.org/


Armor for Social Butterflies


Tuesday, September 8th, 2009

I was speaking with our friend David Perry at Trend Micro about the insecurity of social networking services and what steps users could take to strengthen their security online. In the course of our conversation, we came up with a list of simple steps you could take to better protect yourselves.

  • Be careful about whom you befriend. Many social networking services seem to be structured around an online popularity model, making prominent note of how many friends, links, nodes or other connections you have. This is definitely a smart move on their part, since it not only encourages you to spend more time on their site, but it also greatly reduces their marketing and customer acquisition costs, since you do the work for them. Think about whether or not you really need to add that person to your network before linking to them. While it may be fun to be a social butterfly in the real world, it might be better to be something of an armadillo online.
     
  • Think before you click. Do not take it for granted that URL shortening services like bit.ly and TinyURL are redirecting you to trustworthy web sites. URL shortening is great for micro-blogging services like Twitter; however, because you typically cannot see the destination URL beforehand, there is a certain amount of risk. Also, there is an issue as to what happens to shortened URLs over the life of the service. What happens if they get recycled or hijacked and re-pointed to a new malicious web site? Also, what happens if the business goes under and the domain name gets acquired by a malicious (or merely incompetent) organization? Twitter and Bit.Ly use Google’s Safe Browsing API to check for malicious sites, and TinyURL provides a Preview option which allows you to see the address of a web site before visiting it. While these are good security steps, they are not a replacement for protecting your computer with security software. For additional information, see the following ESET ThreatBlog articles: "Shorteners/Redirectors: short of ideas," "Compressed URLs & Twitter," "TinyURL: The Tiny Terror," and "TinyURL and Anti-Spyware Toolbar." 
  • It’s a matter of trust. Many social networking sites have APIs (application programming interfaces) that allow developers to create various add-ons, plugins, web applications and programs that connect with the service. Just because a social networking site has security and privacy policies does not necessarily mean that third-party tools have them as well, or that they take them as seriously. Know the difference between a social networking site and applications from other parties used to interact with it, and find out what policies each party has with respect to information you might enter, such as your username and password. 
  • Browse differently. Consider using a different web browser to visit social networking web sites. If you normally use the web browser provided by your operating system vendor, consider using one by an independent software provider. While these may not have the same features or look-and-feel as the web browser provided with your operating system, criminals are less likely to take the time to look for exploits in web browsers used by fewer people, and to target them as they do more popular web browsers. Cybercriminals nowadays are in search of a good ROI (return on investment) and it is much more profitable for them to look for holes in a web browser that can be found running on 70% of computers than it is to spend time probing web browsers used by the remaining 30% of users. 
  • Get unplugged. When visiting social networking sites, disable scripting, plugins, Java and Flash and only enable each feature as and when it is needed. Running your web browser in a sandbox or a virtual machine can provide an additional layer of protection as well. 
  • Truth is relative, and so are your relatives. Social networking sites often collect a wide variety of biographical information, not just to allow you to reset your password, but to allow people to find each other on their site. This kind of searchable information is a goldmine for identity fraudsters. So, think about the answers to questions you are being asked, and consider when it might be appropriate to lie a little. For example, the answers to questions about birthdays, mother’s maiden names, first pets and the like are commonly used to reset a password. Knowing or being able to find the answers to these types of questions easily makes it easier for someone to steal your identity, even if you aren’t an Alaskan governor running for the office of Vice-President. If you use false answers, though, consider keeping a small notebook or stack of index cards near your computer to keep track of the data you enter into each social networking site should you ever need to reset your password. For more information about keeping your personally-identifiable information safe, see ESET ThreatBlog article "Honesty Is Not The Best Policy For Password Resets." Keep in mind also that if you aren’t sure of the identity of all your Twitter followers and Facebook buddies, telling the world that you’re on vacation for the next three weeks might be opening the door to a physical intruder. 
  • tRuSt_no_1. Use a strong and a different password for each social networking site. If you have a methodology for creating strong passwords, make sure it is complex and distinctive enough that the accidental disclosure of two or three passwords on social networking sites will not compromise all the others. Because passwords are such an integral part of the computing experience, we frequently discuss them. For additional information you can read the following ESET ThreatBlog articles: "Password Mythology," "Emotions Are Poor Passwords" and "%$^& is Fine for Cussing, But Not a Great Password" as well as ESET’s white paper on creating secure passwords, "Keeping Secrets." 
  • Dial it up to 11. Many social networking sites offer different levels of privacy and security, and the default values are usually to allow others to see your information and contact or otherwise connect with you. While it may seem like overkill to increase the security so that only your peers and friends can see you and to approve all invitations to connect manually, it actually requires far less effort (and embarrassment) than having to de-louse your computer. And it saves you from having to apologize to all your online buddies about the message they received from your stolen credentials asking them visit web sites containing pictures of naked Hollywood starlets. Note: This may be less of an issue for you if you normally tell your friends to visit these types of web sites. 
  • Make friends with The Man. Many social networking sites have an official security web page, group or address that you can follow, join or otherwise befriend. Stay abreast of site-specific security issues by reading what they have to say. Here are the privacy and security pages for several social networking sites: Digg, Facebook, Friendster, Hi5, MySpace, Orkut, StumbleUpon, Twitter and Xbox LIVE. Keep in mind, though, that the quality of such pages can be highly variable, as is the speed of response from each site. Sometimes, what is best for them commercially may not always be the best for your personal safety. 
  • Staying safer in the aether. If you regularly access social networking sites from a wireless connection make sure you have taken appropriate precautions to secure your computer. For more information, see the ESET ThreatBlog article, "Fly By Wireless." 
  • Advanced tip: Limiting access. More advanced users and network administrators might want to consider using site blocking to limit access to social networking sites, or at least ancillary sites used by programs that interface with them by way of their APIs. This can be done in many ways, such as blocking through the hosts file, using an RBL (real-time block list) in conjunction with your security software and/or gateway router, or even implementing a pseudo-caching DNS server on your network.

Social networking sites are meant to be fun places where you can network and spend time online with your friends. However, the Internet is just like the real world when it comes to which neighborhoods you choose to spend time in. Keep aware of your surroundings and protect yourself appropriately. For further information about staying safe online, I would suggest, as a jumping off point, visiting Securing Our eCity, a public and private initiative in which ESET and other companies, organizations and agencies participate.

Regards,
 
Aryeh Goretsky MVP, ZCSE
Distinguished Researcher

Phishing the Web


Thursday, February 26th, 2009

A new advisory from the Anti-Phishing Working Group (APWG) offers advice to website owners on what actions to take when notified that their site or server has been compromised for use by phishers.

At 18 pages, it’s a substantial high-level document, including:

  • Some web site phishing attack and response scenarios
  • Identifying an attack
  • Reporting a compromise (how and to whom)
  • Containment and damage limitation
  • Recovery (This actually includes some proactive approaches to facilitating recovery before the problem arises, which seems a very sound approach to me.)
  • Follow-up (lessons learned, tightening up…)
  • The references section is actually more of a collection of relevant resources (short, but useful and relevant: the OWASP site alone could keep a site administrator wanting to improve site security busy for weeks).

So, a useful document dealing with an aspect of the phishing problem that receives far less attention from the media than the phishing emails that are all too visible to the everyday user. My only suggestion is that rather than pitching this as reading material for a site that’s just been compromised, APWG might consider pushing it as something to read before a compromise takes place: it would actually be a sound basis for establishing strategies and policies to mitigate future attacks.

If you’re in a position where you might need to know this stuff to deal with a compromise on your site, I’d suggest that you read it (and check out the resources it contains) now and start planning. Sometimes it pays to have your shields up before the enemy opens fire.

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence