Security Insights from the Cisco Security Community

Congratulations FTC: Internet Heroes

Next week’s Cyber Risk Report (CRR) will cover the successful prosecution of a gang of Internet criminals by the United States Federal Trade Commission (FTC).  Their scam was selling “scareware,” bogus computer security software, including “Antivirus XP 2008,” from 2003-2008.  One of the co-defendants had in 2005 been ordered to pay Symantec 3.1 million dollars in compensation for selling pirated copies of its popular Norton brand.  Last week, the first of the defendants in the case settled with the FTC for the entirety of his assets less legal fees, a sum amounting to $116,697, in lieu of a much larger judgement of 1.9 million dollars.  The other defendants will have their days in court starting in July, barring any continuances.

The defendants used interactive advertisements that suggested that they had scanned a victim’s PC and found malware, tracking cookies and pornography that did not exist but that could be removed for $39.95.  If the initial approach was unsuccessful, the rogue anti-virus software would alter search engine results to include false warnings of spyware infections and would display pop-ups to the user warning of data loss.

Read More.

Posted by Henry Stern at 10:09AM PST

Automated Control Systems Risks

As discussed in the Cyber Risk Report (CRR) dated June 22–28, 2009, the recent crashes of Air France flight 447 and the Washington DC Metro Red Line commuter train have focused concerns over automated control systems, or computer-controlled systems. Preliminary findings in the ongoing investigations indicate that sensor systems malfunctioned or failed, and that the human interfaces of the systems either didn’t warn the air crew or train operator, or warned them too late. The preliminary investigations also indicate that the pilot disabled the autopilot and the train operator engaged the brake, but in both cases were unable to recover from their dire situation.

Automated control systems are widely deployed and normally highly reliable. The systems are used to improve efficiency, reliability, productivity, and safety and security. They are used increasingly within homes, vehicles, manufacturing, financial trading systems, critical infrastructure and many other instances. Automated control systems range from systems used for fairly simple repetitive actions to highly complex systems that are capable of collecting and interpreting data from multiple sources and initiating actions with speed, accuracy and reliability levels not possible by humans. But these systems also include weaknesses that should be understood and considered by all users, operators, and managers of the systems. The critical fail-safe in nearly all of these systems is the human interface or management console, where information is presented to a human that can interact, correct, or take full control.

Read More.

Posted by Jeff Shipley at 07:29AM PST

Auto Preview and File-based Attacks

Modern operating systems contain a feature to give previews of content in files without opening them.  So as you browse through a folder, you’ll see the layout of your office documents, thumbnails of your pictures, and the opening screen of your videos.  In usability terms, this is a great feature for some—documents are easily found if they have distinguishing characteristics that are obvious from the front page.

Unfortunately, in order to provide this functionality, the documents are processed by the operating system and potentially will expose users to security vulnerabilities.  At the end of May, Microsoft disclosed a vulnerability in DirectShow, and at the beginning of June Apple updated QuickTime for a number of security vulnerabilities.  In the wake of these releases, I’ve prepared a quick tip about an easy, complementary hardening step that can take away some automation from an attacker’s arsenal.

Read More.

Posted by Seth Hanford at 09:48AM PST

Data Loss Prevention: Insider Threats Demand Holistic Strategies

In preparation for my data loss prevention (DLP) talk at Cisco Live next week, I’ve been doing some reading and I thought I’d share my thoughts on some of the things I found.

Several recent surveys have demonstrated the frightening prospect of insider security threats.  Baseline Magazine cited an industry survey showing a marked increase in the number of IT pros that are willing to steal company information if they lost their jobs.  PC World cited a similar survey showing that almost two-thirds of employees steal data when they leave the company.  And Cisco’s own global data loss survey showed that nearly one in ten current employees have either stolen company equipment or data for profit or know someone at work who has.  These cases only describe malicious insiders and not the far greater number of users who inadvertently, through carelessness or negligence, allow protected data to escape the organization’s control.

Insider threats don’t always involve employees, either.  If external attackers should penetrate an organization’s network they become “insiders” themselves, with the ability to search for and access sensitive data.  Two recent high-profile data loss incidents at credit card processing companies involved not malicious insiders, but technical exploitation from outside the organization.  In the case of CardSystems Solutions, hackers used an initial SQL injection attack to access the network and install tools that facilitated further penetration and data theft.  In the Heartland Payment Systems breach, the initial culprit was a keystroke logger, which led to the installation of a sniffer that facilitated the theft of data.

Read More.

Posted by Lance Hayden at 07:47AM PST

Data Security and the Cloud

The rapid adoption of Web 2.0 technologies such as blogging, online media sharing, social networking, and web-based collaboration has pushed huge quantities of data onto Internet servers.  Along with this migration to web services has come a push for companies to adopt utility computing.  Much like traditional infrastructure utilities such as gas and electricity, utility or “cloud” computing seeks to abstract the supply and usage of computing from everyday use.  Under cloud computing, businesses can acquire services, platforms, or infrastructure on-demand and get billed for usage, returning resources to the cloud once they are no longer needed.

The massive, distributed Internet architecture of cloud computing has been leveraged to provide data redundancy, faster access times, and rapidly scalable service to support the high demand for next-generation web technology.  The architecture and services in the cloud have so far been a resounding business success, but cloud computing has raised a number of information assurance concerns.  The European Commission is currently investigating what sorts of privacy controls should govern the data that is residing in social networks, as we mentioned in this week’s Cyber Risk Report.

Read More.

Posted by Seth Hanford at 09:44AM PST

Collaboration: For Good and Bad Alike

As Marie and Pat have mentioned in previous posts, we are busy applying the final edits to the 2009 Cisco Midyear Security Report. Cisco will provide an overview of what Security Intelligence Operations analysts have observed during the first six months of 2009. In this forthcoming update, one theme has become evident: collaboration is a powerful force. Unfortunately, that force does not solely empower the virtuous.

To date in 2009, we have seen examples of collaboration on both sides of the security equation. Our industry has rallied together to address challenges such as Conficker, and at the same time our adversaries have matured their operations and increased the potency of the threats they introduce into the wild.

While our industry has certainly learned to respond, if we are going to change the security landscape in our favor it’s important that we evolve our ability to collaborate in order to move from transactional response to proactive defense.

Read More.

Posted by Russ Smoak at 07:44AM PST

Hello Waledac, My Old Friend

One highlight in our upcoming mid-year security report is the sophisticated business strategies employed by modern cybercriminals. I can’t think of a better example than Waledac…

We studied the Storm botnet in 2007.  And we weren’t alone, as Storm’s sophisticated socially engineered emails, peer-to-peer networking and prolific spamming innovations had every security researcher hot on Storm’s trail. My team’s research into the connection between Storm, Canadian Pharmacy and Glavmed/SpamIt.com unveiled a complex business ecosystem that was previously unknown — botnets like Storm sending spam for illegal pharmacy businesses like Glavmed.

The industry responded by shutting down Storm’s command-and-control ISP and removing the malware from PCs. Storm was dead — albeit after millions of infected PCs sent hundreds of billions of spam messages.

But the calm didn’t last long. Storm was reborn as Waledac in December 2008. While Waledac hadn’t advanced much technically — same P2P, same Canadian Pharmacy/Glavmed connection with template-based spamming, same social engineering tricks to spread the malware via email —  the Waledac business development team had been busy expanding their partnerships beyond Glavmed to include Yambo Financials, Conficker and Rogue Antivirus.

Read More.

Posted by Pat Peterson at 12:38PM PST

Securing the Network: It Takes a Village

In the past couple of weeks, I’ve been blogging about Smart Grid from a positive, green technology standpoint. But those of us in security know that it’s also rife with potential security risks. And recent events underscore that point. In April, The Wall Street Journal reported that spies from other countries had hacked into the grid, planting software that could have been used to disrupt service. While no such disruption occurred, the incident does point to the need for enhanced monitoring and control over such vital services.

The Obama administration is not taking the possibility of cyber threats lightly. In fact, it has undertaken several initiatives to make cybersecurity a top priority. To begin with, they’ve committed to developing a comprehensive policy for the United States. This positions the White House to assume a leadership role in protecting the nation’s information infrastructure, and fosters global cooperation on cybercrime to ensure a safer networking environment.

Read More.

Posted by Marie Hattar at 05:18PM PST