<?xml version="1.0" encoding="UTF-8" ?>
<?xml-stylesheet type="text/xsl" href="http://blogs.technet.com/utility/FeedStylesheets/rss.xsl" media="screen"?><rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" xmlns:wfw="http://wellformedweb.org/CommentAPI/"><channel><title>Roger's Security Blog : Critical Infrastructure Protection</title><link>http://blogs.technet.com/rhalbheer/archive/tags/Critical+Infrastructure+Protection/default.aspx</link><description>Tags: Critical Infrastructure Protection</description><dc:language>en-US</dc:language><generator>CommunityServer 2.1 SP1 (Build: 61025.2)</generator><item><title>Security Intelligence Report: “Scareware” on the Raise</title><link>http://blogs.technet.com/rhalbheer/archive/2009/04/08/security-intelligence-report-scareware-on-the-raise.aspx</link><pubDate>Wed, 08 Apr 2009 09:50:58 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3223841</guid><dc:creator>rhalbh</dc:creator><slash:comments>2</slash:comments><comments>http://blogs.technet.com/rhalbheer/comments/3223841.aspx</comments><wfw:commentRss>http://blogs.technet.com/rhalbheer/commentrss.aspx?PostID=3223841</wfw:commentRss><wfw:comment>http://blogs.technet.com/rhalbheer/rsscomments.aspx?PostID=3223841</wfw:comment><description>&lt;p&gt;You know that we release our &lt;a href="http://www.microsoft.com/sir" target="_blank"&gt;Security Intelligence Report&lt;/a&gt; twice a year: Today Version 6 is due. &lt;/p&gt;  &lt;p&gt;Let me try to give you an overview of the “highlights” of the report from my point of view:&lt;/p&gt;  &lt;p&gt;As I wrote in the title and as I blogged about this summer (&lt;a href="http://www.halbheer.info/security/archive/2008/08/29/" target="_blank"&gt;„Scareware“ on the Raise&lt;/a&gt;) one of the biggest growing threats we see is what I call “&lt;b&gt;Scareware&lt;/b&gt;” or what we call in the report “&lt;b&gt;Rogue Security Software&lt;/b&gt;”. 
I guess you know the feeling of visiting a website which then tells you that you are infected by malware and you should download a piece of software to protect you (or to clean your PC). Here you see a screenshot of what this can look like:&lt;/p&gt;  &lt;p&gt;&lt;a href="http://blogs.technet.com/blogfiles/rhalbheer/WindowsLiveWriter/SecurityIntelligenceReportScarewareonthe_10BFF/Rogue%20Security%20Software%20Screenshot_2.png"&gt;&lt;img style="border-right-width: 0px; display: block; float: none; border-top-width: 0px; border-bottom-width: 0px; margin-left: auto; border-left-width: 0px; margin-right: auto" title="Rogue Security Software Screenshot" border="0" alt="Rogue Security Software Screenshot" src="http://blogs.technet.com/blogfiles/rhalbheer/WindowsLiveWriter/SecurityIntelligenceReportScarewareonthe_10BFF/Rogue%20Security%20Software%20Screenshot_thumb.png" width="604" height="548" /&gt;&lt;/a&gt; &lt;/p&gt;  &lt;p&gt;So, we have seen this growing over the last three periods and therefore we decided to feature a focus section on this growing threat.&lt;/p&gt;  &lt;p&gt;A standard topic in the report is about &lt;strong&gt;vulnerability disclosures&lt;/strong&gt;. 
Here you find the chart you are used to if you read our Security Intelligence Report, my blog or heard me talking recently:&lt;/p&gt;  &lt;p&gt;&lt;a href="http://blogs.technet.com/blogfiles/rhalbheer/WindowsLiveWriter/SecurityIntelligenceReportScarewareonthe_10BFF/Figure%201%20with%20Title_2.png"&gt;&lt;img style="border-right-width: 0px; display: block; float: none; border-top-width: 0px; border-bottom-width: 0px; margin-left: auto; border-left-width: 0px; margin-right: auto" title="Figure 1 with Title" border="0" alt="Figure 1 with Title" src="http://blogs.technet.com/blogfiles/rhalbheer/WindowsLiveWriter/SecurityIntelligenceReportScarewareonthe_10BFF/Figure%201%20with%20Title_thumb.png" width="604" height="323" /&gt;&lt;/a&gt;&lt;/p&gt;  &lt;p&gt;&lt;/p&gt;  &lt;p&gt;So, looking at the chart there is good and bad news:&lt;/p&gt;  &lt;ul&gt;   &lt;li&gt;The good news is that vulnerability disclosures (industry-wide) are decreasing. &lt;/li&gt;    &lt;li&gt;However, there are still more than 2500 vulnerabilities per 6 months (to be clear again: this is the whole industry, not us) &lt;/li&gt;    &lt;li&gt;And, roughly 52% of all the vulnerabilities were high-severity ones! 
&lt;/li&gt; &lt;/ul&gt;  &lt;p&gt;Looking at Microsoft’s vulnerabilities, this is the picture:&lt;/p&gt;  &lt;p&gt;&lt;a href="http://blogs.technet.com/blogfiles/rhalbheer/WindowsLiveWriter/SecurityIntelligenceReportScarewareonthe_10BFF/Figure%203%20with%20Title_2.png"&gt;&lt;img style="border-right-width: 0px; display: block; float: none; border-top-width: 0px; border-bottom-width: 0px; margin-left: auto; border-left-width: 0px; margin-right: auto" title="Figure 3 with Title" border="0" alt="Figure 3 with Title" src="http://blogs.technet.com/blogfiles/rhalbheer/WindowsLiveWriter/SecurityIntelligenceReportScarewareonthe_10BFF/Figure%203%20with%20Title_thumb.png" width="604" height="304" /&gt;&lt;/a&gt;&lt;/p&gt;  &lt;p&gt;One thing I always mention when I talk about this: If you are planning your Patch Management processes and you look at the figures above, make sure you cover your whole IT and not “just” Microsoft. In H2 2008 we had roughly 100 vulnerabilities out of 2500! So, think about patching the others as well (see &lt;a href="http://blogs.technet.com/rhalbheer/archive/2008/12/05/98-unpatched-and-i-am-one-of-them.aspx" target="_blank"&gt;98% unpatched – and I am one of them :(&lt;/a&gt;)&lt;/p&gt;  &lt;p&gt;There are a few other charts in the report like the percentage of vulnerabilities responsibly disclosed or attacks on applications which I do not want to put in there (there has to be a reason you read the report :-) ). But there is one thing I want to take up here because it was so important in H2: the PDF attacks, as they underline the statement I made above about Patch Management. 
Look at the exploits by month targeting Adobe Acrobat Reader:&lt;/p&gt;  &lt;p&gt;&lt;img style="border-right-width: 0px; display: block; float: none; border-top-width: 0px; border-bottom-width: 0px; margin-left: auto; border-left-width: 0px; margin-right: auto" title="Figure 10 with Title" border="0" alt="Figure 10 with Title" src="http://blogs.technet.com/blogfiles/rhalbheer/WindowsLiveWriter/SecurityIntelligenceReportScarewareonthe_10BFF/Figure%2010%20with%20Title_thumb.png" width="604" height="267" /&gt;&lt;/p&gt;  &lt;p&gt;To be crystal clear with the graph above: This is not finger-pointing at Adobe. We were working closely together to address this and for both vulnerabilities there are updates available today. What I wanted to show you is that you have to extend your risk management to applications outside Microsoft.&lt;/p&gt;  &lt;p&gt;Another standing set of graphs are world heatmaps. There are three of them in this Security Intelligence Report:&lt;/p&gt;  &lt;p&gt;The “classic” malware infection rate based on the Malicious Software Removal Tool:&lt;/p&gt;  &lt;p&gt;&lt;img style="border-right-width: 0px; display: block; float: none; border-top-width: 0px; border-bottom-width: 0px; margin-left: auto; border-left-width: 0px; margin-right: auto" title="Infection Rate - World (600x344)" border="0" alt="Infection Rate - World (600x344)" src="http://blogs.technet.com/blogfiles/rhalbheer/WindowsLiveWriter/SecurityIntelligenceReportScarewareonthe_10BFF/Infection%20Rate%20-%20World%20(600x344)_thumb.jpg" width="604" height="348" /&gt;&lt;/p&gt;  &lt;p&gt;Even though we changed the way to determine where a computer is based (and therefore last report’s map cannot be compared with this one), EMEA does not look that bad. We have some challenges in the Middle East, Russia and – surprisingly to me – in Spain but the rest looks not great but ok.&lt;/p&gt;  &lt;p&gt;But there is more. 
This time we look at the source of the malware based on infected websites and where they are hosted:&lt;/p&gt;  &lt;p&gt;&lt;a href="http://blogs.technet.com/blogfiles/rhalbheer/WindowsLiveWriter/SecurityIntelligenceReportScarewareonthe_10BFF/Malware%20World%20(600x342)_2.jpg"&gt;&lt;img style="border-right-width: 0px; display: block; float: none; border-top-width: 0px; border-bottom-width: 0px; margin-left: auto; border-left-width: 0px; margin-right: auto" title="Malware World (600x342)" border="0" alt="Malware World (600x342)" src="http://blogs.technet.com/blogfiles/rhalbheer/WindowsLiveWriter/SecurityIntelligenceReportScarewareonthe_10BFF/Malware%20World%20(600x342)_thumb.jpg" width="604" height="346" /&gt;&lt;/a&gt;&lt;/p&gt;  &lt;p&gt;Here we have quite some green spots – which is good. It is interesting to see that Russia and Spain are red again here…&lt;/p&gt;  &lt;p&gt;And last but not least the heatmap on where phishing sites are hosted:&lt;/p&gt;  &lt;p&gt;&lt;a href="http://blogs.technet.com/blogfiles/rhalbheer/WindowsLiveWriter/SecurityIntelligenceReportScarewareonthe_10BFF/Phishing%20World%20(600x341)_2.jpg"&gt;&lt;img style="border-right-width: 0px; display: block; float: none; border-top-width: 0px; border-bottom-width: 0px; margin-left: auto; border-left-width: 0px; margin-right: auto" title="Phishing World (600x341)" border="0" alt="Phishing World (600x341)" src="http://blogs.technet.com/blogfiles/rhalbheer/WindowsLiveWriter/SecurityIntelligenceReportScarewareonthe_10BFF/Phishing%20World%20(600x341)_thumb.jpg" width="604" height="345" /&gt;&lt;/a&gt;&lt;/p&gt;  &lt;p&gt;If you take a different angle and look at it from a Windows perspective with regards to malware infection, it once more shows the progress we made with the different OSs:&lt;/p&gt;  &lt;p&gt;&lt;a href="http://blogs.technet.com/blogfiles/rhalbheer/WindowsLiveWriter/SecurityIntelligenceReportScarewareonthe_10BFF/Figure%2014%20with%20Title%20(600x317)_2.jpg"&gt;&lt;img 
style="border-right-width: 0px; display: block; float: none; border-top-width: 0px; border-bottom-width: 0px; margin-left: auto; border-left-width: 0px; margin-right: auto" title="Figure 14 with Title (600x317)" border="0" alt="Figure 14 with Title (600x317)" src="http://blogs.technet.com/blogfiles/rhalbheer/WindowsLiveWriter/SecurityIntelligenceReportScarewareonthe_10BFF/Figure%2014%20with%20Title%20(600x317)_thumb.jpg" width="604" height="321" /&gt;&lt;/a&gt; &lt;/p&gt;  &lt;p&gt;This reinforces the message I am delivering as often as possible: If I could give you one single piece of advice from security person to security person (I am not measured on quota), this would be “stay on the latest version of your software – everywhere”. This includes Patch Management as well as Lifecycle management. Just think about every piece of software you have (including embedded systems), think about when it was designed and then think about the threat landscape back then… Do you really have to think twice then?&lt;/p&gt;  &lt;p&gt;If you want to hear Vinny Gullotto (General Manager, Microsoft Malware Protection Center) talk about the Security Intelligence Report, you can look at an interview he did with Tim Rains: &lt;a href="http://go.microsoft.com/fwlink/?LinkId=147941"&gt;Vinny and Tim show - SIR Volume 6 &lt;/a&gt;.&lt;/p&gt;  &lt;p&gt;So, this and much more you can find in our &lt;a href="http://www.microsoft.com/sir" target="_blank"&gt;Security Intelligence Report&lt;/a&gt;. 
Download it and have fun!&lt;/p&gt;  &lt;p&gt;Roger&lt;/p&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=3223841" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Security/default.aspx">Security</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Cybercrime/default.aspx">Cybercrime</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Microsoft/default.aspx">Microsoft</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Incidents/default.aspx">Incidents</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Critical+Infrastructure+Protection/default.aspx">Critical Infrastructure Protection</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Consumer/default.aspx">Consumer</category></item><item><title>Bill would give Obama power to shut down Internet, networks during cyber attacks</title><link>http://blogs.technet.com/rhalbheer/archive/2009/04/03/bill-would-give-obama-power-to-shut-down-internet-networks-during-cyber-attacks.aspx</link><pubDate>Fri, 03 Apr 2009 10:28:32 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3221891</guid><dc:creator>rhalbh</dc:creator><slash:comments>2</slash:comments><comments>http://blogs.technet.com/rhalbheer/comments/3221891.aspx</comments><wfw:commentRss>http://blogs.technet.com/rhalbheer/commentrss.aspx?PostID=3221891</wfw:commentRss><wfw:comment>http://blogs.technet.com/rhalbheer/rsscomments.aspx?PostID=3221891</wfw:comment><description>&lt;p&gt;Interesting: &lt;a href="http://www.networkworld.com/news/2009/040209-obama-cybersecurity-bill.html?netht=ts_040209&amp;amp;nladname=040209dailynewspmal" target="_blank"&gt;Bill would give Obama power to shut down Internet, networks during cyber attacks&lt;/a&gt;&lt;/p&gt;  &lt;p&gt;Roger&lt;/p&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=3221891" width="1" 
height="1"&gt;</description><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Critical+Infrastructure+Protection/default.aspx">Critical Infrastructure Protection</category></item><item><title>Comments on US-CERTs Advisory on Auto-Run</title><link>http://blogs.technet.com/rhalbheer/archive/2009/01/22/comments-on-us-certs-advisory-on-auto-run.aspx</link><pubDate>Thu, 22 Jan 2009 17:41:46 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3190017</guid><dc:creator>rhalbh</dc:creator><slash:comments>3</slash:comments><comments>http://blogs.technet.com/rhalbheer/comments/3190017.aspx</comments><wfw:commentRss>http://blogs.technet.com/rhalbheer/commentrss.aspx?PostID=3190017</wfw:commentRss><wfw:comment>http://blogs.technet.com/rhalbheer/rsscomments.aspx?PostID=3190017</wfw:comment><description>&lt;p&gt;You might have seen the advisory of the US-CERT titled &lt;a href="http://www.us-cert.gov/cas/techalerts/TA09-020A.html"&gt;Microsoft Windows Does Not Disable AutoRun Properly&lt;/a&gt; – if not, you will definitely have seen one of the articles covering this issue and telling you that our advice on how to prevent Conficker is flawed.&lt;/p&gt;  &lt;p&gt;This statement is not quite true the way it came out initially and US-CERT in the meantime already adjusted their advisory:&lt;/p&gt;  &lt;p&gt;Our advice in &lt;a title="http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/regentry/91525.mspx?mfr=true" href="http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/regentry/91525.mspx?mfr=true"&gt;http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/regentry/91525.mspx?mfr=true&lt;/a&gt; works if you apply &lt;a title="http://support.microsoft.com/kb/953252" href="http://support.microsoft.com/kb/953252"&gt;http://support.microsoft.com/kb/953252&lt;/a&gt;&lt;/p&gt;  &lt;p&gt;US-CERT already updated their advisory:&lt;/p&gt;  
&lt;p&gt;&lt;strong&gt;&lt;em&gt;Update:&lt;/em&gt;&lt;/strong&gt;&lt;/p&gt;  &lt;p&gt;&lt;em&gt;Microsoft has provided support document &lt;/em&gt;&lt;a href="http://support.microsoft.com/kb/953252"&gt;&lt;em&gt;KB953252&lt;/em&gt;&lt;/a&gt;&lt;em&gt;, which describes how to correct the problem of NoDriveTypeAutoRun registry value enforcement. After the update is installed, Windows will obey the NoDriveTypeAutorun registry value. Note that this fix has been released via Microsoft Update to Windows Vista and Server 2008 systems as part of the &lt;/em&gt;&lt;a href="http://www.microsoft.com/technet/security/Bulletin/MS08-038.mspx"&gt;&lt;em&gt;MS08-038&lt;/em&gt;&lt;/a&gt;&lt;em&gt; Security Bulletin. Windows 2000, XP, and Server 2003 users must install the update manually. Our testing has shown that installing this update and setting the NoDriveTypeAutoRun registry value to &lt;tt&gt;0xFF&lt;/tt&gt; will disable AutoRun as well as the workaround described above.&lt;/em&gt;&lt;/p&gt; Roger   &lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=3190017" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Cybercrime/default.aspx">Cybercrime</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Incidents/default.aspx">Incidents</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Critical+Infrastructure+Protection/default.aspx">Critical Infrastructure Protection</category></item><item><title>Additional Information on Conficker – MSRT removing Conficker</title><link>http://blogs.technet.com/rhalbheer/archive/2009/01/13/additional-information-on-conficker-msrt-removing-conficker.aspx</link><pubDate>Tue, 13 Jan 2009 21:11:00 GMT</pubDate><guid 
isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3181897</guid><dc:creator>rhalbh</dc:creator><slash:comments>11</slash:comments><comments>http://blogs.technet.com/rhalbheer/comments/3181897.aspx</comments><wfw:commentRss>http://blogs.technet.com/rhalbheer/commentrss.aspx?PostID=3181897</wfw:commentRss><wfw:comment>http://blogs.technet.com/rhalbheer/rsscomments.aspx?PostID=3181897</wfw:comment><description>&lt;P&gt;Over the last few days I blogged several times about Conficker and some of the posts caught quite some press attention. Especially when I talked about the Russian Roulette.&lt;/P&gt;
&lt;P&gt;Today I have very, very good news: The Malicious Software Removal Tool (MSRT) which we will release today includes signatures to remove Conficker as far as we know this beast today. Let me be clear upfront: &lt;STRONG&gt;MSRT is cleaning up after the fact and is no replacement for an updated Anti-Malware solution!&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;The information in this post is the information as far as I have it as of today. The links below give you the ultimate guidance:&lt;/P&gt;
&lt;P&gt;&lt;EM&gt;&lt;STRONG&gt;How do you realize that you are infected?&lt;/STRONG&gt;&lt;/EM&gt;&lt;/P&gt;
&lt;P&gt;Trust me, you will know! If you have Account Lockout Policies set, your accounts will be locked as Conficker.B runs a brute-force attack against the accounts. In parallel, you will see a significant increase of authentication requests on your DCs due to that fact. Most probably you will find a significant increase of network traffic as well and last but not least your clients may behave strangely.&lt;/P&gt;
&lt;P&gt;&lt;EM&gt;&lt;STRONG&gt;If you have it what can you do against it?&lt;/STRONG&gt;&lt;/EM&gt;&lt;/P&gt;
&lt;P&gt;Patch first! So, before you do anything else, deploy MS08-067. I already said once that you played Russian Roulette if you did not. From there on, you have to clean up the mess. But first, make sure you use strong passwords (Conficker is trying to break them). Here you find some good information and guidance on passwords:&lt;/P&gt;
&lt;TABLE border=0 cellSpacing=0 cellPadding=2 width=831&gt;
&lt;TBODY&gt;
&lt;TR&gt;
&lt;TD vAlign=top width=68&gt;&amp;nbsp;&lt;/TD&gt;
&lt;TD vAlign=top width=765&gt;
&lt;P&gt;What you should know about strong passwords: &lt;/P&gt;
&lt;P&gt;&lt;A href="http://www.microsoft.com/technet/security/prodtech/win2003/w2003hg/sgch00.asp" mce_href="http://www.microsoft.com/technet/security/prodtech/win2003/w2003hg/sgch00.asp"&gt;http://www.microsoft.com/technet/security/prodtech/win2003/w2003hg/sgch00.asp&lt;/A&gt; &lt;/P&gt;
&lt;P&gt;&lt;A href="http://www.microsoft.com/technet/security/prodtech/win2000/secwin2k/default.mspx" mce_href="http://www.microsoft.com/technet/security/prodtech/win2000/secwin2k/default.mspx"&gt;http://www.microsoft.com/technet/security/prodtech/win2000/secwin2k/default.mspx&lt;/A&gt; &lt;/P&gt;
&lt;P&gt;&lt;A href="http://www.microsoft.com/resources/documentation/WindowsServ/2003/enterprise/proddocs/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/enterprise/proddocs/en-us/windows_password_tips.asp" mce_href="http://www.microsoft.com/resources/documentation/WindowsServ/2003/enterprise/proddocs/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/enterprise/proddocs/en-us/windows_password_tips.asp"&gt;http://www.microsoft.com/resources/documentation/WindowsServ/2003/enterprise/proddocs/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/enterprise/proddocs/en-us/windows_password_tips.asp&lt;/A&gt; &lt;/P&gt;
&lt;P&gt;Password Best Practices: &lt;BR&gt;&lt;A href="http://www.microsoft.com/resources/documentation/WindowsServ/2003/enterprise/proddocs/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/enterprise/proddocs/en-us/windows_password_protect.asp" mce_href="http://www.microsoft.com/resources/documentation/WindowsServ/2003/enterprise/proddocs/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/enterprise/proddocs/en-us/windows_password_protect.asp"&gt;http://www.microsoft.com/resources/documentation/WindowsServ/2003/enterprise/proddocs/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/enterprise/proddocs/en-us/windows_password_protect.asp&lt;/A&gt; &lt;/P&gt;
&lt;P&gt;Accounts Passwords and Lockout Policies: &lt;BR&gt;&lt;A href="http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/bpactlck.mspx" mce_href="http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/bpactlck.mspx"&gt;http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/bpactlck.mspx&lt;/A&gt; &lt;/P&gt;
&lt;P&gt;Account Lockout and Management Tools: &lt;BR&gt;&lt;A href="http://www.microsoft.com/downloads/details.aspx?FamilyID=7af2e69c-91f3-4e63-8629-b999adde0b9e&amp;amp;displaylang=en" mce_href="http://www.microsoft.com/downloads/details.aspx?FamilyID=7af2e69c-91f3-4e63-8629-b999adde0b9e&amp;amp;displaylang=en"&gt;http://www.microsoft.com/downloads/details.aspx?FamilyID=7af2e69c-91f3-4e63-8629-b999adde0b9e&amp;amp;displaylang=en&lt;/A&gt;&lt;/P&gt;&lt;/TD&gt;&lt;/TR&gt;&lt;/TBODY&gt;&lt;/TABLE&gt;
&lt;P&gt;If you want to change all your local Admin passwords and manage them, &lt;A href="http://blogs.technet.com/steriley/archive/2008/09/29/passgen-tool-from-my-book.aspx" mce_href="http://blogs.technet.com/steriley/archive/2008/09/29/passgen-tool-from-my-book.aspx"&gt;Steve Riley provided a tool called Passgen&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;EM&gt;&lt;STRONG&gt;Then clean up…&lt;/STRONG&gt;&lt;/EM&gt;&lt;/P&gt;
&lt;P&gt;You have different options to do the clean up:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Forefront and OneCare were among the first solutions to clean Conficker and have done so for quite a while. Our free online scanner does it too (and has for quite a while). You can find it on &lt;A href="http://safety.live.com/" mce_href="http://safety.live.com"&gt;http://safety.live.com&lt;/A&gt; &lt;/LI&gt;
&lt;LI&gt;The updated Malicious Software Removal Tool removes it as well. &lt;STRONG&gt;However, remember that Conficker breaks Automatic Updates too. So, if you are infected you have to manually download and deploy it&lt;/STRONG&gt;. Here are the relevant KBs: 
&lt;UL&gt;
&lt;LI&gt;KB890830 The Microsoft Windows Malicious Software Removal Tool helps remove specific, prevalent malicious software from computers that are running Windows Vista, Windows Server 2003, Windows XP, or Windows 2000 &lt;A href="http://support.microsoft.com/kb/890830" mce_href="http://support.microsoft.com/kb/890830"&gt;http://support.microsoft.com/kb/890830&lt;/A&gt; &lt;/LI&gt;
&lt;LI&gt;KB891716 Deployment of the Microsoft Windows Malicious Software Removal Tool in an enterprise environment &lt;A href="http://support.microsoft.com/kb/891716" mce_href="http://support.microsoft.com/kb/891716"&gt;http://support.microsoft.com/kb/891716&lt;/A&gt; &lt;/LI&gt;&lt;/UL&gt;&lt;/LI&gt;
&lt;LI&gt;There are definitely other AV products that remove it as well. Make sure to check with your vendor whether its product removes Conficker or just detects it. &lt;/LI&gt;&lt;/UL&gt;
&lt;P&gt;One final thing: &lt;STRONG&gt;If you are infected, do &lt;U&gt;NOT&lt;/U&gt; log onto the system with a Domain account, if at all possible. Especially &lt;U&gt;NOT&lt;/U&gt; a Domain Admin account. Log on as a local user account. The malware appears to impersonate the logged-on user and access network resources under that user's credentials so it can spread.&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;So, that’s it for the moment.&lt;/P&gt;
&lt;P&gt;I hope it helps&lt;/P&gt;
&lt;P&gt;Roger&lt;/P&gt;
&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=3181897" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Security/default.aspx">Security</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Microsoft/default.aspx">Microsoft</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Incidents/default.aspx">Incidents</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Critical+Infrastructure+Protection/default.aspx">Critical Infrastructure Protection</category></item><item><title>Technology in the Mumbai Attacks</title><link>http://blogs.technet.com/rhalbheer/archive/2008/12/02/technology-in-the-mumbai-attacks.aspx</link><pubDate>Tue, 02 Dec 2008 12:10:42 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3162767</guid><dc:creator>rhalbh</dc:creator><slash:comments>2</slash:comments><comments>http://blogs.technet.com/rhalbheer/comments/3162767.aspx</comments><wfw:commentRss>http://blogs.technet.com/rhalbheer/commentrss.aspx?PostID=3162767</wfw:commentRss><wfw:comment>http://blogs.technet.com/rhalbheer/rsscomments.aspx?PostID=3162767</wfw:comment><description>&lt;p&gt;One of the questions I often get is my position on Cyber-Terrorism. I doubt that there will be “isolated” technology-related terrorism. What we see much more is the use of high-tech during classical terrorism attacks.&lt;/p&gt;  &lt;p&gt;If you look at the recent terrorism events in Mumbai, there was some pretty interesting background on it:&lt;/p&gt;  &lt;ul&gt;   &lt;li&gt;In order to prepare for the attacks, the terrorists seem to have used Google Maps (as any tourist would do) and GPS and Satellite Phones. This is definitely not surprising but shows the development in this area. 
In this article &lt;a target="_blank" href="http://www.infoworld.com/article/08/12/01/Google_Earth_used_by_terrorists_in_India_attacks_1.html"&gt;Update: Google Earth used by terrorists in India attacks&lt;/a&gt; on Infoworld there is an interesting quote: &lt;em&gt;Google Earth has previously come in for criticism in India, including from the country's former President, A.P.J. Abdul Kalam. Kalam warned in a 2005 lecture that the easy availability online of detailed maps of countries from services such as Google Earth could be misused by terrorists.&lt;/em&gt; I do not think that it would have made life much harder for terrorists if they had not had Google Earth available but it shows the tension between economy (and technology) and law enforcement. In certain countries I have been in recently, the pure possession of a GPS device is illegal. &lt;/li&gt;    &lt;li&gt;The terrorists used everyday technology like Blackberries to stay ahead of Law Enforcement: &lt;a target="_blank" href="http://www.news.com.au/couriermail/story/0,23739,24726093-954,00.html"&gt;Terrorists turn technology into weapon of war in Mumbai&lt;/a&gt;: &lt;em&gt;The use of BlackBerrys by the terrorists to monitor international reaction to the atrocities, and to check on the police response via the internet, provided further evidence of the highly organized and sophisticated nature of the attacks.&lt;/em&gt; &lt;/li&gt;    &lt;li&gt;The organization in these teams seems to have been very good (and therefore scary): &lt;a target="_blank" href="http://www.longwarjournal.org/archives/2008/11/analysis_mumbai_atta.php"&gt;Analysis: Mumbai attack differs from past terror strikes&lt;/a&gt; &lt;/li&gt; &lt;/ul&gt;  &lt;p&gt;So, this is a really disgusting example of how terrorists use and leverage today’s technology in order to commit their attacks. 
Therefore I believe that we will unfortunately see more of this rather than “Internet-only” terrorism but this is just a guess.&lt;/p&gt;  &lt;p&gt;Roger&lt;/p&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=3162767" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Cybercrime/default.aspx">Cybercrime</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Critical+Infrastructure+Protection/default.aspx">Critical Infrastructure Protection</category></item><item><title>Attacks on MS08-067</title><link>http://blogs.technet.com/rhalbheer/archive/2008/11/26/attacks-on-ms08-067.aspx</link><pubDate>Wed, 26 Nov 2008 16:09:00 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3159839</guid><dc:creator>rhalbh</dc:creator><slash:comments>0</slash:comments><comments>http://blogs.technet.com/rhalbheer/comments/3159839.aspx</comments><wfw:commentRss>http://blogs.technet.com/rhalbheer/commentrss.aspx?PostID=3159839</wfw:commentRss><wfw:comment>http://blogs.technet.com/rhalbheer/rsscomments.aspx?PostID=3159839</wfw:comment><description>&lt;P&gt;As we were pushing on our Out-of-Band release earlier this month we tried to make you understand that immediate deployment is needed as the vulnerability is high risk. Otherwise we would not have gone out of band…&lt;/P&gt;
&lt;P&gt;Interestingly enough, we have not seen widespread attacks until now. Earlier today we released different pieces of information about that on the two key blogs:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Microsoft Security Response Center: &lt;A target=_blank href="http://blogs.technet.com/msrc/archive/2008/11/25/november-25-ms08-067-update.aspx" mce_href="http://blogs.technet.com/msrc/archive/2008/11/25/november-25-ms08-067-update.aspx"&gt;MS08-067 Update: November 25&lt;/A&gt; &lt;/LI&gt;
&lt;LI&gt;Microsoft Malware Protection Center: &lt;A target=_blank href="http://blogs.technet.com/mmpc/archive/2008/11/25/more-ms08-067-exploits.aspx" mce_href="http://blogs.technet.com/mmpc/archive/2008/11/25/more-ms08-067-exploits.aspx"&gt;More MS08-067 Exploits&lt;/A&gt; &lt;/LI&gt;&lt;/UL&gt;
&lt;P&gt;The reason why I post and why these attacks make me a little bit nervous is that I still hear from too many customers that they have not yet deployed, and the reason behind it is that “they heard that we might have issues with this update”. Sorry, this is plain nonsense.&lt;/P&gt;
&lt;P&gt;To be clear: Out of all support cases Microsoft has received regarding MS08-067, all of them (and I mean &lt;STRONG&gt;all&lt;/STRONG&gt; – no exception) turned out to be caused by another issue and/or mis-configuration and not MS08-067! So, there were no issues with this update so far.&lt;/P&gt;
&lt;P&gt;It is now your choice whom you base your risk assessment on: on some web pages telling you what they heard, or on us. &lt;/P&gt;
&lt;P&gt;Whatever you do, base your risk assessment on the fact that there is somebody out there exploiting the vulnerability.&lt;/P&gt;
&lt;P&gt;Roger&lt;/P&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=3159839" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Security/default.aspx">Security</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Cybercrime/default.aspx">Cybercrime</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Microsoft/default.aspx">Microsoft</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Incidents/default.aspx">Incidents</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Critical+Infrastructure+Protection/default.aspx">Critical Infrastructure Protection</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Patch+Management/default.aspx">Patch Management</category></item><item><title>Security Risks in the Supply Chain?</title><link>http://blogs.technet.com/rhalbheer/archive/2008/11/24/security-risks-in-the-supply-chain.aspx</link><pubDate>Mon, 24 Nov 2008 18:40:20 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3158759</guid><dc:creator>rhalbh</dc:creator><slash:comments>3</slash:comments><comments>http://blogs.technet.com/rhalbheer/comments/3158759.aspx</comments><wfw:commentRss>http://blogs.technet.com/rhalbheer/commentrss.aspx?PostID=3158759</wfw:commentRss><wfw:comment>http://blogs.technet.com/rhalbheer/rsscomments.aspx?PostID=3158759</wfw:comment><description>&lt;p&gt;At the moment I am travelling through the Gulf in order to launch the &lt;a target="_blank" href="http://blogs.technet.com/rhalbheer/archive/2008/11/03/security-intelligence-report-v5-live.aspx"&gt;Security Intelligence Report v5&lt;/a&gt; with local data. During one of the discussions today, a question was raised which I have been thinking about for quite a while (but – honestly – do not have an answer to yet): How do you manage the risks in your supply chain? 
I am not talking about the risks of a supplier not delivering on time. I am talking about the trustworthiness of your hardware and software vendors. There are different things that happened recently that started to raise this question – let me just pick two of them to illustrate what I mean:&lt;/p&gt;  &lt;ul&gt;   &lt;li&gt;&lt;a target="_blank" href="http://blogs.zdnet.com/security/?p=2203&amp;amp;tag=nl.e539"&gt;Lenovo ships an update with malware&lt;/a&gt;: Things like that have happened before; this time it is Lenovo’s turn. I once had a discussion with our former Chief Security Officer. She told me that she was asked pretty often what was keeping her up at night. Her answer was a pretty interesting one: “Imagine us shipping a security update to 400 million PCs around the world – and we have a virus/backdoor/Trojan in”. Do you manage this risk?&lt;/li&gt;    &lt;li&gt;&lt;a target="_blank" href="http://www.tgdaily.com/content/view/37100/108/"&gt;FBI and other US government agencies are concerned about counterfeit Cisco routers&lt;/a&gt;: This is not only because they want to be legally compliant but who knows what is in these routers and what they record and send when to whom. Do you manage this risk?&lt;/li&gt; &lt;/ul&gt;  &lt;p&gt;I guess if we thought about it in depth, there would be quite a few additional areas you would come up with. One of the questions you will definitely put into the comments is: How are we sure Microsoft does not build in some backdoors either? At least here I can give you an answer: We have a shared source program where governments around the world can look at our source code – and they do, and governments like Russia certify our products as backdoor free. 
&lt;/p&gt;  &lt;p&gt;But I am more interested to hear whether you manage these risks and how?&lt;/p&gt;  &lt;p&gt;Roger&lt;/p&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=3158759" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Security/default.aspx">Security</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Cybercrime/default.aspx">Cybercrime</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Processes/default.aspx">Processes</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Incidents/default.aspx">Incidents</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Critical+Infrastructure+Protection/default.aspx">Critical Infrastructure Protection</category></item><item><title>Estonia’s Cyber Security Strategy</title><link>http://blogs.technet.com/rhalbheer/archive/2008/10/08/estonia-s-cyber-security-strategy.aspx</link><pubDate>Wed, 08 Oct 2008 22:56:00 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3134240</guid><dc:creator>rhalbh</dc:creator><slash:comments>1</slash:comments><comments>http://blogs.technet.com/rhalbheer/comments/3134240.aspx</comments><wfw:commentRss>http://blogs.technet.com/rhalbheer/commentrss.aspx?PostID=3134240</wfw:commentRss><wfw:comment>http://blogs.technet.com/rhalbheer/rsscomments.aspx?PostID=3134240</wfw:comment><description>&lt;P&gt;Following the attacks on Estonia, they published a pretty interesting paper called Cyber Security Strategy by the Ministry of Defense in Estonia. One thing which I see again and again is that most of the people looking into such strategies conclude that strong collaboration is needed between the different players as well as across country borders. I recently made the statement that the only people profiting from missing collaboration are the criminals – and I am serious about that. &lt;/P&gt;
&lt;P&gt;So, there are five policies identified by Estonia to work on: &lt;/P&gt;
&lt;OL&gt;
&lt;LI&gt;The development and large-scale implementation of a system of security measures &lt;/LI&gt;
&lt;LI&gt;Increasing competence in cyber security &lt;/LI&gt;
&lt;LI&gt;Improvement of the legal framework for supporting cyber security &lt;/LI&gt;
&lt;LI&gt;Bolstering international co-operation &lt;/LI&gt;
&lt;LI&gt;Raising awareness on cyber security &lt;/LI&gt;&lt;/OL&gt;
&lt;P&gt;You will find the whole report &lt;A href="http://www.mod.gov.ee/static/sisu/files/Estonian_Cyber_Security_Strategy.pdf" mce_href="http://www.mod.gov.ee/static/sisu/files/Estonian_Cyber_Security_Strategy.pdf"&gt;here&lt;/A&gt;. &lt;/P&gt;
&lt;P&gt;Roger&lt;/P&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=3134240" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Cybercrime/default.aspx">Cybercrime</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Trends/default.aspx">Trends</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Policy/default.aspx">Policy</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Critical+Infrastructure+Protection/default.aspx">Critical Infrastructure Protection</category></item><item><title>Hacking is destroying economic growth</title><link>http://blogs.technet.com/rhalbheer/archive/2008/09/26/hacking-is-destroying-economic-growth.aspx</link><pubDate>Fri, 26 Sep 2008 09:54:09 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3128778</guid><dc:creator>rhalbh</dc:creator><slash:comments>0</slash:comments><comments>http://blogs.technet.com/rhalbheer/comments/3128778.aspx</comments><wfw:commentRss>http://blogs.technet.com/rhalbheer/commentrss.aspx?PostID=3128778</wfw:commentRss><wfw:comment>http://blogs.technet.com/rhalbheer/rsscomments.aspx?PostID=3128778</wfw:comment><description>&lt;p&gt;As usual (and probably as most of you) I started today scanning through my mails and RSS feeds for important and urgent information. By doing that, I stumbled across an article called &lt;a href="http://www.vanguardngr.com/content/view/17676/51"&gt;Hackers and Nigeria vulnerability to cyber terrorism&lt;/a&gt; and I started to read it. 
&lt;/p&gt;&lt;p&gt;As you know, I blogged several times already on the developing countries and the challenges they face. There are some pretty interesting statements in this article:
&lt;/p&gt;&lt;p&gt;&lt;em&gt;For many experts in the Nigerian IT industry, the impact of hackers is so colossal that it has the capability of wiping out development gains of a nation and retarding her growth fortunes by many decades. In terms of Gross Domestic Product, (GDP), experts have expressed fears saying that if proper steps are not taken to fight the ugly trend to the barest minimum, it will continue to cause more than good.
&lt;/em&gt;&lt;/p&gt;&lt;p&gt;Pretty tough, isn't it? So, the criminals on the net are able to destroy all the good things that are done within a country to grow the economy…
&lt;/p&gt;&lt;p&gt;&lt;em&gt;To many informed countries, according to him&lt;/em&gt; [Chris Uwaje , President of Global Network For Cyber Solutions]&lt;em&gt; , it has become a matter of life or death – because the survivability of their nations now revolve on the dynamics of Information and Communications Technology. "ICT is now accepted, not only as the common currency, but indeed, represents the centre of gravity of the new world and new economy of the universe!
&lt;/em&gt;&lt;/p&gt;&lt;p&gt;So, try to put yourself in the shoes of a member of the government elite in a country like Nigeria. You have to ensure the true basics (water, power etc.), public safety, fight corruption (if you are not part of it), … and then somebody asks you to fight cybercrime? As most of today's politicians did not grow up with this technology, it is extremely hard to convince them.
&lt;/p&gt;&lt;p&gt;And then Uwaje pointed out the size of the problem:
&lt;/p&gt;&lt;p&gt;&lt;em&gt;Also a common knowledge in the ICT domain reveals that globally, "ID theft costs banks $1 billion a year. In the USA, nearly 10,000 victims had home loans – totaling about $300 million – taken out in their name in 2002 and another 68,000 had new credit cards issued in their name"
&lt;/em&gt;&lt;/p&gt;&lt;p&gt;&lt;em&gt;"While the FTC received 161,000 identity theft complaints last year, the FBI estimates the actual number of victims is probably closer to 500,000" What is the situation in the Nigerian Banks? We are reliably informed that a colossal N7.3billion Naira was lost to fraud in our banks, last year. Can that be all or is it more in this era of e_transactions and Cyber Space operation and life style? What will it cost the Nation to recover from this and similar future damages?" Uwaje explained.
&lt;/em&gt;&lt;/p&gt;&lt;p&gt;Roger&lt;/p&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=3128778" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Cybercrime/default.aspx">Cybercrime</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Critical+Infrastructure+Protection/default.aspx">Critical Infrastructure Protection</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Politics/default.aspx">Politics</category></item><item><title>Why I do not like e-Voting (Part 2)</title><link>http://blogs.technet.com/rhalbheer/archive/2008/09/09/why-i-do-not-like-e-voting-part-2.aspx</link><pubDate>Tue, 09 Sep 2008 19:31:55 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3121564</guid><dc:creator>rhalbh</dc:creator><slash:comments>0</slash:comments><comments>http://blogs.technet.com/rhalbheer/comments/3121564.aspx</comments><wfw:commentRss>http://blogs.technet.com/rhalbheer/commentrss.aspx?PostID=3121564</wfw:commentRss><wfw:comment>http://blogs.technet.com/rhalbheer/rsscomments.aspx?PostID=3121564</wfw:comment><description>&lt;p&gt;As you might know, I blogged on e-Voting recently (&lt;a href="http://blogs.technet.com/rhalbheer/archive/2008/08/30/why-i-do-not-like-e-voting.aspx"&gt;Why I do not like e-Voting&lt;/a&gt;) and got quite a few reactions. A few here but most of them privately. Most of you seem to like e-Voting. Now, think again! Look at this article here: &lt;a href="http://www.cs.ucsb.edu/~seclab/projects/voting/"&gt;Evaluating the Security of Electronic Voting Systems&lt;/a&gt;. There is a video in there showing what they did and how they hacked the system in order to fake the votes. If you are (like me) not going to install QuickTime, the video is on YouTube (&lt;a href="http://www.youtube.com/watch?v=SWDEZqqqBHE"&gt;Part 1&lt;/a&gt;, &lt;a href="http://www.youtube.com/watch?v=moEsgdzZ19c"&gt;Part 2&lt;/a&gt;).
&lt;/p&gt;&lt;p&gt;Have fun and re-think your view on e-Voting. The reason why I am so pushy on that is that I think that voting is at the heart of every modern democracy.
&lt;/p&gt;&lt;p&gt;Roger&lt;/p&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=3121564" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Cybercrime/default.aspx">Cybercrime</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Policy/default.aspx">Policy</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Processes/default.aspx">Processes</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Critical+Infrastructure+Protection/default.aspx">Critical Infrastructure Protection</category></item><item><title>SANS Commits $1 Million to Fight Cybercrime in Developing Countries</title><link>http://blogs.technet.com/rhalbheer/archive/2008/05/24/sans-commits-1-million-to-fight-cybercrime-in-developing-countries.aspx</link><pubDate>Sat, 24 May 2008 17:25:21 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3060495</guid><dc:creator>rhalbh</dc:creator><slash:comments>0</slash:comments><comments>http://blogs.technet.com/rhalbheer/comments/3060495.aspx</comments><wfw:commentRss>http://blogs.technet.com/rhalbheer/commentrss.aspx?PostID=3060495</wfw:commentRss><wfw:comment>http://blogs.technet.com/rhalbheer/rsscomments.aspx?PostID=3060495</wfw:comment><description>&lt;p&gt;You know that I criticize SANS from time to time. Especially when it comes to their handlers, I am convinced that they are creating the problem rather than solving it.
&lt;/p&gt;&lt;p&gt;This time I have to say that I am impressed, as they are helping developing countries to fight Cybercrime. This is because "we are all in this together". As I often say, we have to collaborate and build partnerships in order to fight the criminals. 
&lt;/p&gt;&lt;p&gt;Read the announcement by SANS: &lt;a href="http://www.sans.org/press/impact.php?utm_source=web&amp;amp;utm_medium=text-ad&amp;amp;utm_content=Announcement_Bar_press_impact.php_orng&amp;amp;utm_campaign=Grant_Press_Release&amp;amp;ref=29108&amp;amp;ab=7"&gt;SANS Institute Commits $1 Million for Joint Cyber Defence Program with International Multilateral Partnership Against Cyber-Terrorism (IMPACT)&lt;/a&gt;
	&lt;/p&gt;&lt;p&gt;Roger    &lt;/p&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=3060495" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Cybercrime/default.aspx">Cybercrime</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Terrorism/default.aspx">Terrorism</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Critical+Infrastructure+Protection/default.aspx">Critical Infrastructure Protection</category></item><item><title>Analysis of the Estonian Attacks</title><link>http://blogs.technet.com/rhalbheer/archive/2008/05/21/analysis-of-the-estonian-attacks.aspx</link><pubDate>Wed, 21 May 2008 19:25:01 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3058679</guid><dc:creator>rhalbh</dc:creator><slash:comments>1</slash:comments><comments>http://blogs.technet.com/rhalbheer/comments/3058679.aspx</comments><wfw:commentRss>http://blogs.technet.com/rhalbheer/commentrss.aspx?PostID=3058679</wfw:commentRss><wfw:comment>http://blogs.technet.com/rhalbheer/rsscomments.aspx?PostID=3058679</wfw:comment><description>&lt;p&gt;I just read a paper on the political analysis of the Estonian Attack. If you are interested in reading my post on my other blog (as the analysis is not really technical but interesting), there you go: &lt;a href="http://www.halbheer.info/security/Lists/Posts/Post.aspx?ID=46"&gt;Analysis of the Estonian Attacks&lt;/a&gt;
	&lt;/p&gt;&lt;p&gt;Roger&lt;/p&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=3058679" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Cybercrime/default.aspx">Cybercrime</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Terrorism/default.aspx">Terrorism</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Law+Enforcement/default.aspx">Law Enforcement</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Critical+Infrastructure+Protection/default.aspx">Critical Infrastructure Protection</category></item><item><title>How long does it take to hack a Power Plant?</title><link>http://blogs.technet.com/rhalbheer/archive/2008/04/14/how-long-does-it-take-to-hack-a-power-plant.aspx</link><pubDate>Mon, 14 Apr 2008 22:19:00 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3036401</guid><dc:creator>rhalbh</dc:creator><slash:comments>1</slash:comments><comments>http://blogs.technet.com/rhalbheer/comments/3036401.aspx</comments><wfw:commentRss>http://blogs.technet.com/rhalbheer/commentrss.aspx?PostID=3036401</wfw:commentRss><wfw:comment>http://blogs.technet.com/rhalbheer/rsscomments.aspx?PostID=3036401</wfw:comment><description>&lt;P&gt;I am starting to get scared – more and more. Back in September I blogged on &lt;A href="http://blogs.technet.com/rhalbheer/archive/2007/09/29/critical-infrastructure-protection-life.aspx" mce_href="http://blogs.technet.com/rhalbheer/archive/2007/09/29/critical-infrastructure-protection-life.aspx"&gt;Critical Infrastructure Protection – Live&lt;/A&gt; which shows what would happen if somebody were able to tamper with power generators. Now, during RSA there was a guy called Ira Winkler telling the audience that they had the job of doing a penetration test on a power company network and that they got in in a day. 
I do not think that this is surprising, especially as part of their successful attack was using social engineering techniques (which attackers usually rely on heavily), but it is still very, very scary! It is said that they gained access to the grid. The question is – how far. &lt;A href="http://www.networkworld.com/news/2008/040908-rsa-hack-power-grid.html" mce_href="http://www.networkworld.com/news/2008/040908-rsa-hack-power-grid.html"&gt;Read it yourself&lt;/A&gt;. &lt;/P&gt;
&lt;P&gt;Roger&lt;/P&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=3036401" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Cybercrime/default.aspx">Cybercrime</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Terrorism/default.aspx">Terrorism</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Critical+Infrastructure+Protection/default.aspx">Critical Infrastructure Protection</category></item></channel></rss>