Welcome to the SecAware blog

I spy with my beady eye ...

31 Mar 2007

SME Achilles heel = Well-connected salesmen

IT Pro, reporting on a study by Vanson Bourne, points out that salesmen's dependence on electronic communications makes them more vulnerable than most to targeted phishing attacks. Such attacks typically deliver Trojans in office files sent as email attachments. The problem is especially acute in SMEs (Small to Medium-Sized Enterprises, also known as SMBs, Small to Medium-Sized Businesses). The author emphasises that SMEs need security awareness but offers no suggestions on how this might actually be achieved in practice.

More security awareness and malware links

Internet Exploder

Microsoft acknowledges that a recent Internet Explorer security patch fixed IE6 but not the latest IE7. Exploit code is apparently 'in the wild'. Perhaps now is a good time to consider changing to Firefox or one of the other non-M$ browsers?

Another advisory concerns a security flaw in Windows' handling of animated cursor files, which is also being actively exploited 'in the wild'. Time to take a look at Linux, maybe?

More network security links

29 Mar 2007

Network security awareness module released

Is it a funnel or the business end of a vacuum cleaner?
We've released an updated and extended awareness module on network security for April 2007, incorporating materials on securing wireless networks, Web browsing and a variety of other networking security issues.

See the network security links collection here

23 Mar 2007

Forensic analysis of a Russian Trojan

The techies at SecureWorks describe the painstaking forensic analysis of "Gozi", a Trojan horse program found on a customer's PC. The Trojan (which was not at first recognized by antivirus packages) was found to be stealing sensitive data, capturing it before IE or JavaScript encrypted it for transmission to SSL websites, and secretly sending it to a remote server. From there, the stolen information was put up for sale on the black market, along with associated hacking services.

The description, like the Trojan, is complex and technical but makes fascinating reading for IT professionals. The analysts used virtual machines, Safe Mode, a debugger and tools from SysInternals and Wireshark/Ethereal to dissect the beast. Luckily the antivirus companies' tech gurus have the patience and skills to do this kind of analysis on our behalf.

More malware links

Pop it in the post

How does Torbay Council in sleepy Devonshire, England, send confidential information about council workers (names, addresses, salaries, banking details, that sort of thing) to the auditors? Why, they simply cut a CD and pop it in an envelope ... and when the first one goes missing in the post, they do it again and that one also goes missing in action.

More links on keeping secrets

Any budding infosec authors out there?

EDPACS (Electronic Data Processing Audit Control and Security) is looking for authors to provide comprehensive views on topics of interest to the EDPACS readership. More information on EDPACS and its Editorial Board. If you simply want to read EDPACS rather than write for it, here's the subscription page.

21 Mar 2007

Measure twice, cut once

A computer technician reformatting a disk drive at the Alaska Department of Revenue accidentally deleted applicant information for a $38bn oil-funded account by reformatting the backup drive as well. Only then did the department discover its backup tapes were also unreadable ...

This kind of backup failure incident happens so often, and the impacts are so serious, that the risk must surely be assessed as high. The obvious controls (professionally designed data backup schemes, change controlled and regularly tested) are not unduly expensive. Is it really that hard to join the dots?

Carpenters have the saying "Measure twice, cut once". Designing and testing your backup regime beats finding out, when you really need it, that it doesn't work.

More incident management and IT operations links

Customer privacy 'a load of rubbish'

The Information Commissioner has found 11 big-name UK financial institutions in breach of the Data Protection Act for dumping paperwork containing their valued customers' personal details outdoors in waste bins. The investigation was prompted by a complaint by consumer pressure group Scamsdirect, "the independent watchfrog", tagline "Reddit? Shreddit!". :-)

Scamsdirect is promoting an innovative scheme to cut down on fraudulent loan applications: they are encouraging Brits to send their thumbprints to the credit reporting agencies so that the agencies can validate paper-based applications. Some fraudsters may just be foolish enough to send their own thumbprints prior to making a fraudulent application, in which case the good ol' British Bobbies should have little trouble proving the fraudsters' identities ... Well, we can but hope.

More identity theft links

20 Mar 2007

Fraudulent CISA exam registration web sites

The websites www.cisaca.org and www.cisaca.com, which claim to be authorized by ISACA to register candidates for the CISA exam and to sell ISACA-authored study material, are fraudulent according to ISACA.

Neither these web sites nor their owners are affiliated in any way with or endorsed by ISACA, nor have they been authorized as registrars for the CISA exam or as distributors of any CISA study materials.

Registration for the CISA exam or study aid purchases made through www.cisaca.org or www.cisaca.com are NOT valid. ISACA is not responsible for any refund of registration fees or study materials purchased through these sites. The only legitimate online exam registration and study aid purchase web site is www.isaca.org.

Anyone who has been deceived by these web sites is asked to contact ISACA International Headquarters' certification department (certification@isaca.org) and provide the following information: their name, email address, to whom the payment was made, the amount paid, the exam registered for, and the web site accessed to register for the exam. ISACA highly encourages you to contact the ISACA certification department regarding registration for future CISA (or indeed CISM) exams.

This looks like a classic "domain lookalike" fraud or phishing incident, unusual only in that it involves an IT audit organization. The fraudsters are evidently looking for new/softer targets having milked the naive customers of most financial institutions for all they are worth. I guess trademark infringement may be enough for ISACA to get the copycat sites shut down ... eventually ...

More identity theft resources

19 Mar 2007

The State of Malware

The State of Malware is not, in fact, the name of some obscure far-off land where computers misbehave but the title of a free SANS webcast on Wednesday March 21st, 1:00 PM EDT (1700 UTC).

Over the course of the past two years, information technology has seen some amazing advances. Unfortunately, malware authors are keeping pace with the industry. This webcast will reveal what's really going on "out there" - from sophisticated phishing "worms" to a disturbing increase in Trojans, extensive bot networks and new polymorphic viruses. Methods of distribution are changing, too. For example, new Web technologies are making it easier than ever to disseminate malware. So what can we do? The webcast will also cover methods of detection and prevention, including behavioral analysis and site reputation.

You need a free SANS portal account and either Real Audio Player or Windows Media Player to access this SANS webcast and the archive of past webcasts.

More malware links

15 Mar 2007

Of sloping baths and disk drive failure

Disk drive manufacturers quote MTBF (Mean Time Between Failures) of around a million hours under ideal conditions, suggesting a failure rate of less than 1% per year, but some studies show significantly worse performance (2-10% failure p.a.) in the Real World™. It seems the “bathtub” reliability curve has a sharply upward sloping or even stepped bottom, not the long flat period of stability often assumed.

Thanks to George Spafford's Daily News for both the above links :-)

If your data are vital and their availability is critical, the studies suggest the value of monitoring drive age, error rates and temperatures carefully. Techniques such as RAID will also help. However, the unpredictability of disk failure also implies the need to have contingency plans, backups and hot-swappable drives. Or, if money is no object, solid state disks might be the way to go (plus cosmic ray shielding!).
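As an added illustration (my own, not from the studies linked above), here is the arithmetic behind "a million hours MTBF means under 1% a year" alongside a simple triage that flags drives by the three signals the studies point at: age, error counts and temperature. The thresholds and the drive records are constructed assumptions for the demo.

```python
import math
from dataclasses import dataclass

HOURS_PER_YEAR = 24 * 365

def mtbf_to_afr(mtbf_hours: float) -> float:
    """Annualised failure rate implied by a quoted MTBF under the usual
    constant-hazard (exponential) model: 1 - exp(-hours_per_year / MTBF)."""
    return 1.0 - math.exp(-HOURS_PER_YEAR / mtbf_hours)

def expected_failures(afr: float, drives: int, years: float = 1.0) -> float:
    """How many drive replacements to budget for at a given annual rate."""
    return afr * drives * years

@dataclass
class Drive:
    serial: str
    power_on_hours: int
    reallocated_sectors: int   # SMART-style error count, constructed here
    temp_c: int

# Assumed thresholds: nothing on the page fixes these numbers.
MAX_AGE_YEARS = 3
MAX_REALLOC = 0
MAX_TEMP_C = 45

def risk_flags(d: Drive) -> list[str]:
    """Name each warning signal a drive trips; empty list means no warnings."""
    flags = []
    if d.power_on_hours > MAX_AGE_YEARS * HOURS_PER_YEAR:
        flags.append("age")
    if d.reallocated_sectors > MAX_REALLOC:
        flags.append("reallocated-sectors")
    if d.temp_c > MAX_TEMP_C:
        flags.append("temperature")
    return flags

def triage(drives: list[Drive]) -> list[tuple[str, list[str]]]:
    """Serials with their flags, most warnings first, so the worst drives are
    the ones you swap or migrate data off before they fail."""
    return sorted(((d.serial, risk_flags(d)) for d in drives),
                  key=lambda item: -len(item[1]))

# Constructed inventory for the demo.
INVENTORY = [
    Drive("DEMO-001", power_on_hours=5_000, reallocated_sectors=0, temp_c=38),
    Drive("DEMO-002", power_on_hours=30_000, reallocated_sectors=12, temp_c=51),
    Drive("DEMO-003", power_on_hours=28_000, reallocated_sectors=0, temp_c=40),
]
```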

More availability resources

CERT cybertip on antivirus software

The latest US-CERT Cybertip update covers antivirus software. As always, the tip sheet explains the basics in simple language, aiming at a non-technical audience. It is covered by a copyright license stating "You are permitted to reproduce and distribute documents on this web site in whole or in part, without changing the text you use, provided that you include the copyright statement or "produced by" statement and use the document for noncommercial or internal purposes." In other words, you can reproduce and distribute it within your organization with attribution to CERT but you (and we!) may not sell it on.

More malware links

13 Mar 2007

Malware trends on mobile devices

Antivirus vendors have been talking up the malware threat to mobile devices such as smart phones and PDAs for a few years now. Naturally, those who offer antivirus software for such devices tend to be more vociferous about the problem but there comes a point when it's time to take their warnings seriously.

Kaspersky's summary of current mobile malware risks identifies trends during 2006 that point to the possibility of this getting serious before too long. The number of mobile viruses increased steadily from ~120 to ~180 in the year, still way short of the epidemic virus numbers seen on PC platforms. Of more interest is a perceived change in the nature of the threat, namely more emphasis on stealing money rather than simply annoying users. If true, that observation mirrors what others are saying about identity theft and other criminal activities in general in relation to information security incidents.

[That said, I feel pretty safe out here in the depths of rural New Zealand, several miles outside mobile coverage. We use jungle drums not cellphones.]

More malware links

Information Systems Security journal free (for now!)

Taylor & Francis has made numerous issues of the ISC2's official organ, the Information Systems Security journal, available for free, at least for the moment. They also made EDPACS available for a while but that freebie ended a week ago, I believe. In other words, take the opportunity today to browse the journal and download/read any interesting articles now before it's too late and you need to subscribe.

In a few moments browsing, I've found an interesting piece by Tom Peltier on social engineering, one on securing against insider attacks and several articles on security metrics, an enduring interest of mine.

More information security management links

Don't worry, the government is in charge

The Daily Mail is reporting that the British government is cooking up a cunning plan to sell personal data from the national identity card scheme to 'banks and other businesses' at 60p a pop. Please form an orderly queue. The idea is to offset the ID card scheme costs with some income. How very entrepreneurial of them. How very New Labour.

I assume the government has taken the privacy and legal implications fully into account. Presumably the system is perfectly secure. Presumably it has an opt-out field for those crazy Brits who are less than enamoured of the idea. Presumably the Data Protection Registrar is right behind the government on this one. Presumably there's no conflict with the Data Protection Act and Human Rights Act. Presumably squadrons of pigs are flying over parliament ...

More privacy/data protection and identity theft links

12 Mar 2007

Contingency planning for small businesses

The Australian Attorney-General, no less, has released a booklet of advice for small businesses called Good Security - Good Business. Contingency and continuity planning is the main subject with a little risk analysis thrown in for good measure.

Whilst I have no problem with the government producing useful booklets, I hope they are doing rather more than that to promote good security practices.

More contingency planning links

8 Mar 2007

Polymorphism gone bonkers

Over the past few months, the "Storm" worm has taken the idea of polymorphism to new extremes. To understand the context, here's a little history.

Once upon a time long long ago, cunning virus authors discovered they could fool the early antivirus programs simply by making insignificant changes in their code. Adding the odd "null command", pointless loops or whatever was enough to make 'variants' that escaped detection, for a while anyway, until the equally cunning antivirus analysts caught on, figuring out how to unravel the variations and find the common factors to make reliable virus signatures. Virus variants emerged every few months or weeks.

Next, even more cunning authors of automated virus generating engines added the ability to create variant or "polymorphic" viruses at will. A whole industry of polymorphic cunningness developed, adding tricks such as self-modifying code, obfuscation and encryption to the pot and spewing out variants by the bucket-load. The antivirus whizz-kids spent their days searching through the layers of obfuscation for invariant code sequences such as the decryption routines, and toyed with the idea of "heuristic scanning" for "virus-like activity". Variants emerged every few weeks or days.

The author of "Storm" took the game to a new level. He/she released a few hundred worm variants simply to test the waters, then an absolute avalanche of thousands or tens of thousands of variants all at once, seeded from tens or hundreds of thousands of compromised 'bot' machines all over the net. The worms use highly variable subject lines and code and through sheer numbers alone threaten to overload even the most assiduous antivirus team.
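To make the "unravel the variations and find the common factors" idea concrete, here is an added toy (my own, not anything from Storm or an AV vendor): a pretend one-byte instruction set in which 0x90 is a null command and EB 00 is a pointless jump, three constructed variants of the same six-byte core with junk scattered differently, and the analyst's trick of normalising the junk away before extracting the longest byte string common to every sample as the signature.

```python
# Toy instruction set, assumed for this demo: 0x90 does nothing, and the
# two-byte sequence EB 00 is a jump to the very next instruction (a no-op).
JUNK_SINGLE = {0x90}
JUNK_PAIRS = {b"\xeb\x00"}

def normalise(code: bytes) -> bytes:
    """Strip do-nothing instructions so only behaviourally relevant bytes remain."""
    out, i = bytearray(), 0
    while i < len(code):
        if code[i:i + 2] in JUNK_PAIRS:
            i += 2
        elif code[i] in JUNK_SINGLE:
            i += 1
        else:
            out.append(code[i])
            i += 1
    return bytes(out)

def longest_common_substring(samples: list[bytes]) -> bytes:
    """Longest contiguous byte string present in every sample: the 'common factor'."""
    shortest = min(samples, key=len)
    for length in range(len(shortest), 0, -1):
        for start in range(len(shortest) - length + 1):
            candidate = shortest[start:start + length]
            if all(candidate in s for s in samples):
                return candidate
    return b""

def derive_signature(samples: list[bytes]) -> bytes:
    """Analyst's approach: normalise first, then look for the invariant sequence."""
    return longest_common_substring([normalise(s) for s in samples])

def naive_match(signature: bytes, code: bytes) -> bool:
    return signature in code                 # raw byte scan, fooled by junk

def normalised_match(signature: bytes, code: bytes) -> bool:
    return signature in normalise(code)      # scan after stripping junk

# Constructed samples: the same six 'real' bytes with junk inserted differently.
CORE = b"\x11\x22\x33\x44\x55\x66"
VARIANTS = [
    b"\x11\x90\x22\x33\xeb\x00\x44\x55\x66",
    b"\x90\x90\x11\x22\xeb\x00\x33\x44\x90\x55\x66",
    b"\x11\x22\x33\x90\x44\x55\x66\xeb\x00",
]
NEW_VARIANT = b"\x90\x11\x22\xeb\x00\x33\x44\x55\x90\x66"   # unseen junk layout
BENIGN = b"\x11\x22\x33\x99\x44\x55\x66"                     # differs in the core
```

On the raw bytes the longest common string is only two bytes long (and is itself junk), which is exactly why signatures built without normalisation break on the next variant.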

The next chapter in this thrilling story is likely to be rather unpleasant.

More malware links

Antivirus product comparison

If you are curious to find out how antivirus products compare, AV-Comparatives.org regularly tests a reasonable selection of products against an up-to-date 'zoo' containing a million malware examples. Their February 2007 report is here.

The top three products in the latest assessment are AVK, TrustPort and AVIRA.

To be fair, most of the top products score very similarly.

More malware links

6 Mar 2007

Malware videos

Scott Pinzon and colleagues at Watchguard have produced and released some outstanding malware-related security awareness videos. The content is fairly technical but well presented and engaging.

Drive-by downloads demonstrates how simply browsing a malicious or compromised website may infect an inadequately-secured PC. Using Firefox with the NoScript add-in makes this kind of attack less likely compared to a standard Internet Exploder configuration.

Rootkits are explained in three parts (part 1, part 2, part 3). Avoidance tips in part 3 hint at the issues well-concealed rootkits can create even for security geeks.

More malware links

3 Mar 2007

Bot wars

A family of worms known variously as SDBOT, RINBOT, LOXBOT and DELBOT makes rude references in the code to the information security and antivirus companies trying to stamp it out. They spread by guessing or brute-forcing simplistic passwords on network shares, or via Instant Messaging. The payload is a backdoor that allows hackers to remote-control compromised machines using IRC (Internet Relay Chat), generally to launch Distributed Denial of Service attacks.

Despite claims of novelty by CNN, these worms have been around for years.

More malware links

1 Mar 2007

Sun Telnet daemon worm in the wild

Sun Microsystems warns that a worm exploiting a security flaw in their Telnet daemon is 'in the wild', i.e. currently infecting Sun systems. Sun has evidently issued a patch but a better solution is, um, not to use Telnet, especially across the Internet. SSH is a simple, much more secure replacement in most situations, since it encrypts the network traffic.

More network security links to follow next month