Savid Technologies

Theoretical Virus Now a Challenging Reality

Way back in 1984, Ken Thompson theorized about a type of virus that could infect the tools that create programs, rather than the programs themselves. In this way, a virus would remain undetected in the program creator but be inserted in every program created.

Now, in 2009, this theoretical virus is a reality. Win32.Induc, or Induc, is a virus that targets development environments in order to infiltrate applications at the point they are written and compiled. Specifically, Induc infects files that are used to create programs in versions 4.0 to 7.0 of Delphi, so that every application compiled with an infected installation is itself infected. Whenever an Induc-infected application is run on another PC, the virus searches for a Delphi installation and attaches itself to it, thus spreading to any new software compiled in that environment, and so on.

The Induc virus seems to have no malicious payload, but serves as a proof-of-concept to test how such a virus might spread. The challenge in dealing with such a virus is that the infection must be traced back to the original Delphi compilers to correct the source. With the virus removed, all software would have to be recompiled. It is believed that a number of software houses specializing in developing applications with Delphi must have been infected already.

Induc had been hiding out and replicating itself for more than a year before it was discovered in August. Researchers believe it is one of the most common viruses in circulation. Even though Induc does not have a malicious payload, AV software updated to detect it will cause disruptions, since infected applications and files will be quarantined. AV vendors will be flooded with false-positive claims for applications that are in fact Delphi-built files infected with the virus. Chaos and confusion will ensue, and the AV people are going to have to sort through this mess.

Additionally, the virus has the potential to bypass AV because it can affect whitelisted programs which are ignored and regarded as safe by AV software. Even if the programs are whitelisted, the compilers used to make them may become infected and pass on the infection to these whitelisted programs.

Since the virus corrupts tools that create programs, innocent programmers are the unintentional distributors of the virus. As Ken Thompson said in 1984, “The moral is obvious. You can’t trust code that you did not totally create yourself. No amount of source-level verification or scrutiny will protect you from using untrusted code.” Pretty scary stuff, huh?
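The practical consequence of the Induc story is that integrity has to be checked on the build tools themselves, not only on the programs they emit. The following is an added example, not code from the original post: it baselines the hashes of a toolchain directory and later reports any library unit that was modified, removed or dropped in. The directory layout and file names are constructed placeholders, not Delphi's real paths.

```python
"""Toolchain integrity baseline: a compiler-library infection is invisible in
the binaries it produces, so hash the tools and libraries and re-verify them.
All paths and contents below are constructed for the example."""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Hash of every file under the toolchain root, keyed by relative path."""
    return {
        str(p.relative_to(root)).replace(os.sep, "/"): sha256_file(p)
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def verify_manifest(root: Path, manifest: dict) -> dict:
    """Compare the current tree against a stored baseline."""
    current = build_manifest(root)
    return {
        "modified": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "missing": sorted(k for k in manifest if k not in current),
        "unexpected": sorted(k for k in current if k not in manifest),
    }


def demo() -> dict:
    """Constructed scenario: baseline a clean toolchain, then simulate an
    Induc-style change to one runtime unit and re-verify."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "toolchain"
        (root / "lib").mkdir(parents=True)
        (root / "bin").mkdir()
        (root / "bin" / "compiler.exe").write_bytes(b"clean compiler image")
        (root / "lib" / "runtime_unit.dcu").write_bytes(b"clean runtime unit")
        (root / "lib" / "other_unit.dcu").write_bytes(b"another unit")

        # Baseline is stored outside the tree so it is not hashed itself.
        manifest_path = Path(tmp) / "manifest.json"
        manifest_path.write_text(json.dumps(build_manifest(root), indent=2))

        # The compiler binary stays untouched; only a library unit that every
        # later build links in is altered, and a new unit appears.
        (root / "lib" / "runtime_unit.dcu").write_bytes(b"clean runtime unit<injected>")
        (root / "lib" / "dropped.dcu").write_bytes(b"new file")

        baseline = json.loads(manifest_path.read_text())
        return verify_manifest(root, baseline)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The same manifest check applied to the compiled outputs would pass, which is exactly why a tools-level baseline is needed.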

Operation Phish Phry Reels In a Big Catch

October 15, 2009 | IT Security

2009 is becoming a record-breaking year in the field of cybercrime. First we had the largest data breach in history, with more than 130 million credit and debit cards stolen by Albert Gonzalez and his crew. Now we have the largest cybercriminal bust in history.

53 phishers in the US have been charged in the largest cybercrime case in history. Another 47 members of the phishing ring are based in Egypt, making this an international operation 100 members strong. The Egyptian hackers allegedly set up the phishing scam and captured the banking information and other details, while the US members withdrew the funds using the stolen credentials. They then wired the money back to their Egyptian associates while keeping a portion for themselves. The scam affected hundreds of thousands of bank customers.

Phishing scams attempt to convince users to provide banking credentials, login details, and other sensitive information by creating fraudulent websites designed to look like legitimate sites. They attract visitors to these sites by sending fraudulent emails claiming that there is a problem with their account and they must log in to fix it.

The case is the culmination of a two-and-a-half-year investigation, dubbed “Operation Phish Phry,” that began in 2007. This multinational investigation was a coordinated effort between the US and Egypt.

There are two things that should disturb you about this story. The first is the size and scope of this scam. It involved 100 people in two different countries. The organization required for this scam must have been staggering. When scammers pool their skills and resources, they become much more powerful and much harder to take down. I wish security professionals from different companies would come together in the same way to protect against these coordinated attacks.

The other disturbing factor is that this is yet another example of a social engineering scam which has been on the rise. Social engineering is easy for any criminal to pull off because it doesn’t require a lot of technical knowledge. It’s also impossible for security engineers to protect against. You can’t protect a user’s private information when they voluntarily give it away.

Social Engineering: Exploiting the Human OS

October 12, 2009 | IT Security

Experts have estimated that in 2009, businesses worldwide will spend over $44.6 billion on security software, services, and equipment to protect information from hackers. But all the money in the world spent on IT infrastructure is useless when someone can just physically walk into your company building and walk out with a laptop full of your company’s most sensitive information.

“Physical hackers” or “social engineers” may be the most overlooked and underestimated form of hacking. Also known as “analog hackers,” these criminals will bypass office security measures and trick gullible employees into allowing them to enter an office building and steal all the confidential information they want. These criminals do not have to know anything about electronic hacking and there’s no firewall to trace them.

Since we’ve seen hacking mature this year in terms of social engineering rather than technical proficiency, it’s safe to assume that physical social engineering will rise as well.

At one FTSE-listed financial institution, the managing director himself allowed in a stranger who was, in 20 minutes, able to steal a highly sensitive document outlining a half-billion-pound merger that was just lying on a desk. In another incident, a physical hacker pretended to be an IT engineer and managed to obtain the usernames and passwords of five BBC employees with just a phone call. Fortunately, these incidents were just tests by security consultants.

The problem is that no amount of sophisticated security software will protect the most vulnerable system, the HumanOS. 70% of data breaches are caused by insider negligence rather than outside hacking. It’s time businesses stopped relying on simply barricading their IT infrastructure and realize that their employees are the weakest security link.

Social engineering is a growing phenomenon, and the enemy is becoming bolder. It’s one thing to manipulate someone through online communications, it’s bolder to contact them over the phone, but now we may start seeing criminals physically enter the office. The sheer boldness of the con may disguise it – would your employees really suspect that a thief could be among them?

Companies need to start conducting physical penetration tests on their own offices and employees. This is the best way to find human vulnerabilities in your security system and correct them before they are exploited.

Security Practices: Every Man for Himself

It’s a fact that every company, no matter how big or small, deals with security issues. And each company accumulates its own vault of secret knowledge and best practices on how to protect its information. However, it is this fragmentation of knowledge and experience that gives attackers their biggest advantage.

Most major data loss events are surprises to the organization, which signifies that there is a lack of knowledge and awareness for that entity. But most likely the breach was also experienced by another company that now knows how it could have been prevented with hindsight. From a security perspective, it makes sense for companies to share this kind of information. But from a business perspective, there are obvious alarms:

Why give something away for free? Businesses may spend a huge chunk of their budgets building security defenses. Their current security practices may have been forged from a history of breaches, recoveries, and improvements. Why share it with a new company that has yet to earn the discipline for themselves? It is simply unfair to give this information away for free.

Why help competitors? The security disciplines earned by one business would be most applicable to other businesses with similar enterprise architectures – most likely competitors. It’s a dog eat dog world, and business entities by nature have no incentive to be kind to competitors.

Why voluntarily damage your reputation? In order to save other businesses from the same breach, a company would have to divulge the sordid details of their breach, including data loss and monetary loss. Why would any company want to advertise this embarrassment to their competitors, their customers, and the rest of the world?

The only solution is for businesses to let go of this “every man for himself” approach to security and instead adopt an “all for one and one for all” stance. An organized security knowledge sharing system must be supported to prevent unnecessary breaches and redundant, wasteful security spending. The question is, how can such a system be organized so that every business, no matter the size or the security budget, has an incentive to join?

Does Malware Just Help Propagate AV?

September 23, 2009 | IT Security

The AV software industry has ballooned into billions and billions of dollars in the US alone, even in the face of the longstanding cries that Anti-Virus is dead. While the economy cripples other markets, the security software market continues to grow 8 percent, year over year. The sheer volume of security products, followed by a swift rate of upgrades and versions, has saturated the market to the point where organizations and users cannot keep up.

Yet, despite all this money being pumped into the AV industry, users and organizations are worse than ever when it comes to protecting their PCs from infection. How can this be?

I prefer to take the skeptical approach, as is the nature of the security analyst, even if the reality of the situation is not as dark as I can imagine. The AV industry is not driven by a need to truly protect their users, but, like all businesses, driven by profit. For this reason, AV vendors have little incentive to provide the best security products. In fact, it’s in their best interests not to.

Malware not only creates the market for AV, but the AV industry thrives on malware and continues to profit from it. Every time a new botnet, like Storm, takes control of a staggering amount of PCs despite installed AV, it only serves to advertise the need for AV further. New malware creates new FUD – fear, uncertainty, and doubt – that AV vendors can capitalize on to sell new security products.

At the same time, the existence of new malware means users must buy new versions or upgrade their existing AV to combat the new threat – at a price of course.

The truth is, AV does not need to stay ahead of malware; it only needs to stay ahead of buyers to be profitable. This way, vendors can continue to maintain relevancy and peddle new products to users. The most lucrative position for AV is to be ahead of the user and behind the malware.

This is a grim interpretation of the situation; I’d like to think it isn’t this bad. But the truth remains that AV cannot seem to keep up with their current approach. AV software should drop the approach of reacting to existing malware by releasing an upgraded or new version of their product. Think prevention, not reaction. Rather than employ a blacklist approach of collected malware to deny, adopt a whitelist approach that only allows white-hat software to run.

Cyber-warfare is overrated, Cyber-Crime is the real issue

Bruce Schneier is talking about a great post at the Boston Review about the new age of cyber-warfare, and how cyber-warfare is greatly exaggerated. I couldn’t agree more. Granted, the US government has a cyber-warfare problem; all governments do. However, the bigger problem that is more real today is cyber-crime. I spoke at the Federal Reserve last week on this exact topic.

Small businesses are now being targeted because they have more money in their accounts and it is easier to transfer larger sums of money out of their accounts without fraud detection going off at banks.

A quote from the review sums it all up:

So why is there so much concern about “cyber-terrorism”? Answering a question with a question: who frames the debate? Much of the data are gathered by ultra-secretive government agencies—which need to justify their own existence—and cyber-security companies—which derive commercial benefits from popular anxiety. Journalists do not help. Gloomy scenarios and speculations about cyber-Armageddon draw attention, even if they are relatively short on facts.

I try very hard not to do what they describe when I speak, but it can be difficult, especially with audiences that are not familiar with the problem. Cyber-crime is a death-by-a-thousand-cuts type of problem: $3,000 here, $5,000 there, but it all adds up pretty quickly. Cyber-warfare is much bigger and easier to point at than these small fraud issues.

If you have 10 minutes of time, read the Boston Review article and give me some feedback. Are we in a situation where we as citizens have to be concerned about cyber-warfare like we were concerned about nukes in years past?

Can I see your CyberSecurity License # please?

There is a bill, S.773, floating around the Senate that would require cybersecurity professionals in the future to be licensed, similar to how a general contractor, electrician, etc., is licensed. Furthermore, according to CNET News, “[the bill] appears to permit the president to seize temporary control of private-sector networks during a so-called cybersecurity emergency.”

Will this bill pass? Or even more important, is it a good idea?

I don’t think we will see a license requirement anytime soon. When I was at Blackhat I saw Booz, Northrop, and the like executing a massive recruiting effort. The government is trying to hire thousands of cybersecurity professionals. Requiring licensing will delay this by years as those in the field get licensed. With the various security certifications we have now, who will be the governing body to determine what data goes into the certification? Most of the certifications in my view are worthless, and I would take a guy (or girl) that has been “on the front lines” before I take a person with 4 certifications and little experience.

What about the ability to take control of private networks in an emergency? From my experience, there is no way in hell I want the government touching my private network. Most government networks are LESS secure than their private counterparts! Furthermore, there has been a massive brain drain from government to the private sector for cyber security positions, so who will have the best skilled people available in case of an emergency? Perhaps we should let the private sector take control of government networks during a crisis?

Interested in reading the 55 page excerpt?

Botmaster’s Bargain Basement Botnet

“Are you a manufacturer of male enhancement pills, online gambling sites, or illegal pharmaceuticals? Would you like the personal information of thousands of strangers? Well come on down to Botmaster’s Bargain Basement Botnet where you can purchase botnets in bulk at low, low prices! Take advantage of our summer savings extravaganza where you can purchase bots for as little as 10 to 20 cents each!”

Posing as a botmaster, a Cisco researcher interviewed a botmaster who recently made $800 off a sale of 10,000 bots. At 8 cents apiece, it seems the going rate for a bot-infected computer has diminished somewhat since we last reported the going rate as $1.

The price of bots frequently fluctuates, and underground botmasters will buy, sell, and trade infected PCs like stocks.

What is the role of a botmaster? Botmasters aren’t interested in stealing your private information off your computer or performing identity theft, though they could if they wanted. They also aren’t concerned with installing malware or spyware. These criminal endeavors are decided upon by their buyers. A botmaster simply creates the bots and sells them to somebody else who then uses the botnet for whatever fiendish purpose they choose.

The botmaster interviewed by Cisco admitted that he didn’t focus on exploiting vulnerabilities, but mostly used social engineering via instant messages. If you’ve ever clicked on an unsolicited link in an instant message asking you to “check this out”, then you’re among the one percent who fall into the trap. It’s a small percentage, but the botmaster can spam the link to 10,000 users at a time.

So what criminal mastermind is able to create and sell a botnet? Well, according to this botmaster, anyone with basic computer experience is able to run a botnet. In fact, only about 20 percent of botmasters actually understand the bot code they get via online forums, and only three to five percent write their own. It turns out that “botmaster” is not a highly exclusive job – anyone can be one.

It’s scary to think that the best protection we have from botmasters is that people do not realize how easy it is to become one and make easy money.

Survey Sheds Light on Embarrassing Patch Management

August 25, 2009 | IT Security, PCI

The folks over at Securosis have the right idea. Their “Project Quant” intends to provide a framework for evaluating the costs of patch management, while providing information to help optimize the associated processes. And from the looks of their recent data survey, corporations are more in need of patch management maturity than we thought.

The results are scary indeed for security-minded individuals concerned with systematic vulnerability management. Out of 100 companies surveyed about their patch management processes:

• 70% don’t currently measure how well, or how efficiently, they roll out their software patch updates.
• Most companies were driven by compliance regulation, and usually more than one regulation applied.
• Process maturity was generally high for operating systems, but low for other asset types such as applications and drivers (see chart).
• Companies tend to utilize multiple vendor and 3rd-party tools in their patch management process.
• 40% of companies depend on user complaints as one factor for patch validation.

But what is most alarming about these results is that this data was collected through self-selective participation – meaning the participants were companies that already have active patch management efforts. The results would look even worse if a random sampling of companies were surveyed.

How has patch management fallen by the wayside? We’ve had decades to become accustomed to patch management, yet so few companies have developed an effective patch management system?

We can point the finger at conflicting priorities, a lack of industry standards, vendor inconsistencies, and a variance in maturity between technology platforms. There is plenty of blame to throw around, but in the end we must take personal responsibility.

In order to constrain patch management costs and enable us to develop more sophisticated systems of patch management, we need better tools to measure them. Project Quant is a step in the right direction.

Government Mulls Over P2P Regulation

After seven years of distressing over the issue of P2P leaks of sensitive information, it seems the government is finally gearing up to introduce new legislation to ban P2P file sharing software from government and government contractor computers.

Leading the witch hunt is Representative Edolphus Towns (D-NY), who wants to burn file-sharing programs, like LimeWire, BitTorrent, and Morpheus, at the stake for being “unwilling or unable to ensure user safety.” Adding, “As far as I am concerned, the days of self-regulation should be over for the file-sharing industry.”

Towns is planning to introduce a bill, and he may have the support of his constituency behind him. Sensitive information leaks in the past have included data on the President’s helicopter, Marine One, being leaked to Iran; details on the President’s motorcade route; and the locations of the First Family’s safe houses, just to name a few.

Thomas Sydnor, a director at the Progress & Freedom Foundation, demonstrated the dangers of P2P at the hearing by installing the latest version, LimeWire 5, on a computer. The program’s default settings very quickly put all 16,798 files in the My Documents folder up for sharing. However, LimeWire Group Chair Mark Gorton contended that LimeWire does not share user-originated files such as Word documents, PDFs, Excel spreadsheets, and other presentation documents in its default settings.

Many companies have already taken this step and banned P2P use by their employees. Businesses have their own sensitive data that they must secure, including customer credit card numbers, private emails, etc. By intentionally allowing file sharing, P2P essentially undoes everything IT security is trying to do.

This isn’t the first time the issue has been brought before Congress; the House oversight committee has raised concerns about the risks of data leaks from the use of P2P software in two previous hearings. However, on this occasion Towns has stated his intention to introduce a bill, and it’s likely he will follow through.

While I agree with Towns that P2P software obviously presents a risk of leaking sensitive or classified information, I’m not sure I agree with using government regulation to simply ban P2P. As P2P continues to develop it may eventually overcome its security flaws, but with an antiquated law banning their use, we would be unable to utilize the advantages of the software.

I would prefer to see P2P software developers take a stronger approach to securing their products. This push for banning P2P may be the incentive they need to make the necessary changes. But it may be too late.