Security Insights from the Cisco Security Community

The 3D Secure Protocol: Implementation Flaws and Possible Resolutions

National Data Privacy Day is celebrated annually on January 28th in the United States, Canada, and a few European countries, with a focus on educating computer users about the protection of personally identifiable information on the World Wide Web.  As we move towards a world where a significant portion of one’s daily life involves interaction with the World Wide Web, the National Data Privacy Day aims to bring about an increased awareness among users about protection of their online rights, methods to control personally identifiable information online, and regulations currently in place to that effect.  The focus revolves around end-user education, even in scenarios where the technology used to ensure end-user privacy may not be adequate due to implementation flaws. An example of such an unfortunate scenario was recently demonstrated by researchers at the University of Cambridge, United Kingdom (UK).  The researchers published a paper that describes implementation flaws in the 3D Secure (3DS) protocol, used for authentication verification when Visa or MasterCard based credit card transactions are performed (Verified by Visa/MasterCard SecureCode).  The paper suggests that the approach to securing credit card transactions is liability driven, rather than security driven, ultimately resulting in a protocol implementation that is not end-user friendly.

Read More.

Posted by Prasanna Sambasivan at 12:37PM PST

Mail - Got Mail? Got Criminals!

Who gets mail?  We all do.

Mail arrives from a variety of public sector sources such as the court system inviting you to jury duty or county assessor providing you with the annual assessment and tax bill.  You may also receive in your mail box your credit card statements, and personal correspondence.  Perhaps your medical service provider or insurer mails to you an explanation of benefits.  Merchants send you opportunities to appreciate their services.  Similarly, we all have e-mail addresses; some of us have more than one.  Our use of these addresses may be identical to that of our physical mail box.  Sadly, the mail, both physical and electronic, is also used by the criminal world to perpetrate fraud.

Ask yourself this question:  When mail is processed, arrives or is dispatched, where and how does this occur? Simple enough?  Let’s discuss.

Read More.

Posted by Christopher Burgess at 09:48AM PST

Text Message Donations May Revolutionize Giving, Scamming

The American Red Cross had a tremendously positive response when it announced a mobile phone giving campaign in the wake of the January 12, 2010 earthquake in Haiti. The campaign was announced at 9pm on Tuesday, Jan 12; by 10am Thursday, Jan 14, the group had collected $3.4 million through mobile donations alone. Each text of the word ‘HAITI’ to the number 90999 was a $10 donation. 340,000 people gave $10 each in just over 36 hours.

I didn’t give a dime via my cell phone. The whole thing smelled like a scam to me, but 340,000 of my fellow Americans did not agree. I was wrong on this one. But given the ubiquity of scams surrounding the Haiti disaster, it would be good to know how we can tell when to trust these campaigns, or when not trust them, down the road.

Read More.

Posted by Seth Hanford at 03:27PM PST

Exploring a Java Bot: Part 4

Before we begin this final installment, let’s review what we covered in the previous posts. In part 1 we learned how this bot was discovered and some basics about botnets. In part 2 we covered botnet fundamentals, like command and control (C&C) and various other capabilities. In part 3 we examined some of the features incorporated into a botnet designed to launch attacks and maintain control of hosts.

In this last part of the series we’re going to look at two features that were considered new and innovative this time last year. Normally, when we come across botnet source code it is fairly feature-slim and usually just made to be sold on various forums; occasionally you do find one or two that go the extra mile. What makes this bot cool?  Well in short it watches us and what processes (programs) we are running. We have seen this trend in lots of what I would consider “professional” quality malware. I’ve never seen it in anything designed to be used by script kiddies.

The first feature I want to talk about is something we started to notice in larger bots a little over a year ago. We began to notice that bots would actively scan running processes that may interfere with the malware. This alone is not unique. In fact, killing off virus scanners is very common. What was unique is that the malware not only tried evading detection by end users, it also attempted to avoid analysis by security researchers like myself. Pat Peterson blogged about our discovery here. At the time the discovery was even more notable due to the particular way the process was killed, namely that the executable and libpcap were deleted so that you could not rename and relaunch the software.

Read More.

Posted by Craig Williams at 11:14AM PST

Gartner Recognizes Cisco as a Leader in the Magic Quadrant for SSL VPNs

Mobility is changing the world we work in, and the recent launch of Google’s phone shows that smartphones are here to stay.  Whether we are talking about iPhones, Blackberries, or Nokia, Samsung, and Google smartphones, people are using these devices and their laptops to connect to work and personal information, no matter where they are located.

Workers must ensure that they have a secure connection when they are mobile and the key to ensuring secure remote connectivity is VPN technology.  Cisco continues to invest in VPN solutions to help the mobile workforce remain secure when they are out of the office with innovative solutions that provide a seamless and secure connectivity experience.

Last month, Gartner recognized and positioned Cisco as a leader in the 2009 Magic Quadrant for SSL VPNs.

Read More.

Posted by Fred Kost at 02:50PM PST

Wikileaks and the Economics of Information Disclosure

Wikileaks.org is currently experimenting with the economics of information disclosure.  As of January 21, the site was offline, soliciting donations that will assist its operators to continue to provide service.  That service, of course, is the coordinated disclosure of secret information that once belonged to governments, corporations, and other organizations, and the subsequent efforts to ensure that this information remains public.

When discussing the Wikileaks operational suspension, it is clear to see that there can be both positive and negative aspects to such a disclosure policy.  This is to be expected—information disclosure is a risk decision, and as with all risk decisions, there are issues of risk tolerance and risk acceptance that differ among organizations.  How Wikileaks chooses to approach information handling and disclosure should give some insight into their motivations and direction.  But it is especially interesting to see some of the economic factors behind Wikileaks, some of their operational challenges, and what kinds of risks they are preparing to face.

Read More.

Posted by Seth Hanford at 01:32PM PST

Exploring a Java Bot: Part 3

Before we begin part 3 in this series, let’s review what we’ve covered so far. In the first post we learned how this bot was discovered and some basics about botnets. In the second post we covered botnet fundamentals like command and control (C&C) and various other capabilities. In this post we will examine some of the offensive features incorporated into a botnet designed to launch attacks and maintain control of hosts (aka victims). First we will discuss how botnets spread and then we will look at flooding and how it’s implemented in this bot.

There are two main ways malware spreads. It’s important to note that these two methods are not mutually exclusive. The first method, made famous by the Morris worm, involves targeting a network-based vulnerability; the author designs an exploit to spread his malware. Once the malware takes over a machine it then infects other machines. Every time the binary moves from one machine to another the botnet has the potential to see exponential growth. Most vulnerabilities only affect a specific operating system at a specific range of patch levels. Malware of this nature often hits big and then its growth rate takes a steep dive as patches become available and as malware is removed. Once the vulnerability is patched, the malware must adapt or accept a shrinking attack surface. Two recent examples of this method are Conficker and Slammer. It is important to note the distinction between the growth rate slowing down and the number of compromised machines. There are still countless machines connected to the Internet running both worms.  Even as the growth rate approaches zero, many, many computers have already been infected and continue to run the malware. In two days time on a single Intrusion Prevention System (IPS) we saw over 178,000 slammer attacks.

An attacker simply needs to trick an unsuspecting user into running a binary that is under the control of the attacker. This attack vector is known as a trojan horse. A malware author would package his wares as a link from a friend, a new game of interest, or even a program to create keys for pirated software, etc.

Read More.

Posted by Craig Williams at 01:04PM PST

Security – Who is Responsible?

Do you view your security posture in the office as more or less important in comparison to your residence?  And how does that compare to the personal security profile that you exercise for you and your family?  Who should be shouldering the security responsibility?  I posit—you are responsible.  And I would add that you also need to hold yourself accountable.

At work you may rely on yourself. If you are fortunate to work for a company with resources focused on security, you may, dare I say, share reliance with a few groups. These groups include the “information security” team who attempts to keep information safe (be it data, network, laptop or smart phone), the “physical security” team who keeps your building safe from intruders, and the local “industrial police force” responsible for keeping your person safe and secure.  Such reliance is appropriate. In each instance the person or entity you are relying on the most is also relying on you at least as much, and often times more so.

An example from the physical world: when you ride public transport you rely on the operator of the vehicle to drive in a safe and secure manner and obey the “rules of the road.” These rules are designed to keep order as we meld in amongst the chaos we affectionately call “traffic.” The operators are also relying on you to make the right choices (how to enter and exit, pay fares, sit and stand, etc.) and to understand the consequences—be they intended or unintended—of your choices should you not follow the rules. This is the accountability part of the equation—you own the end result of your choices and actions.

Throughout my 30+ years involved in the practice of security it has been my experience that too often people ascribe responsibility for their security to others. When is the last time you heard someone say, “It is my responsibility to be secure!  It is my responsibility to maintain security!” or conversely, “Today I am going to be insecure!”  It just doesn’t happen.  Though the reality is that every single day my actions demonstrate my desire to be secure and maintain security, and perhaps yours do as well.  And yes, it has also been my experience that occasionally I’ve made choices which have caused others to say, “What was he thinking?” and conclude, “There wasn’t any thought process engaged.” I will try to keep those instances to a minimum. However, we all bear responsibility for our own security.

Let me share a few of my thoughts:

Read More.

Posted by Christopher Burgess at 10:37AM PST

Encryption is Essential, Except When it Isn’t

Insurgents in Iraq and Afghanistan used satellite recording software, commonly used to capture satellite broadcasts, to intercept video from US military warplanes and drones.  In the aftermath of the Wall Street Journal’s publication of this information, many security professionals have weighed in to offer their criticism of the US military’s oversight, and we have also provided our thoughts on the matter in our own Cyber Risk Report:  Concerns Raised over Unencrypted Military Video Feeds.

Certainly the military should be encrypting this content, right?  We have the technology, and it’s sensitive information, so there shouldn’t be any argument.  The CIA already encrypts these videos for all of their drones, according to Gartner analyst (and former National Security Agency analyst), John Pescatore.  Still, Bruce Schneier has dissented in a way—he does not argue that the feeds should be unencrypted. Rather he offers that encryption standards designed to thwart resourceful nation states are not necessary against today’s opponents with far fewer resources (but more advanced technology readily available).

What’s the verdict then: encrypt, or not?

Read More.

Posted by Seth Hanford at 11:43AM PST

A Culture Shift: IT Security to Smart Grid Security

With the global excitement and opportunity of the Smart Grid, a lot of historically IT-focused companies, including Cisco, are entering the market.  It’s important to note that there are unique characteristics of the grid when attempting to apply IT security solutions.  In this post I’ll focus on the primary goal of power generation and delivery: reliability.  In subsequent posts I’ll discuss other security requirements of the grid (such as integrity, authentication, and confidentiality), and how we can apply lessons learned from the IT sector.

To better understand the culture shift from securing IT systems, we need to clarify the focus of grid security.  In the IT world, we often focus on protecting information.  For example, in United States Department of Defense circles, security is usually referred to as Information Assurance.  Smart Grid security (usually called “cyber security,” or just “cyber” by electric sector practitioners) however, concerns itself with making sure that systems continue to operate in the case of a security event. An equivalent term for the grid would be “Continuation Assurance.” The smart grid community considers the potential to affect system reliability a cyber security issue, from disgruntled insiders to operator error or a deliberate attack from the outside that affects any portion of the grid – substations, data centers, operations centers, neighborhood area networks, and eventually homes.  The effectiveness of cyber security measures will be judged mainly on their contribution to keeping the systems running!

Why is reliability key to the grid?

Read More.

Posted by Dave Dalva at 03:17PM PST

Exploring a Java Bot: Part 2

When I first started this series my goal was to remove any mystery around botnets. In fact, most botnets, like this one, are relatively simple. In this post we will explore the command-and-control (C&C) infrastructure, as well as the bot’s update mechanism.

A C&C interface is the primary user interface between the botmaster and the legion of infected hosts participating in the botnet. Since it is present in every botnet (although there are many different types of interfaces), it is one of the primary things we look for when attempting to determine if any machines have been compromised. From a botmaster’s perspective, it would seem that this is a key feature that must be carefully designed to avoid detection. But surprisingly, a very large percentage we see are very simple, just like this one. That said, at times it can be very much a cat-and-mouse game between botmasters and people in my industry.

Remotely controlling multiple machines is a basic principal that botmasters must address.  You need to be able to command your nodes in a fairly efficient manner. If you have 10,000 nodes you do not want to issue a command 10,000 times. You want to issue it once and have all 10,000 nodes respond in a timely manner so that you know if the command was successful.

In this example the author decided to use internet relay chat (IRC). The use of IRC is very common among simple bots since it’s easy to understand and there are lots of implementations publicly available. There is a trade off though: because IRC is a well-documented protocol, it is extremely easy to detect and monitor. Infiltrating a Botnet that is IRC-based is a trivial task. Some botnets try to mitigate this issue by doing things like requiring server and channel passwords or even using SSL encryption, but none of those efforts are really effective. Passwords are easily sniffed off a network and anything being encrypted can be spied on with a debugger.

Read More.

Posted by Craig Williams at 09:44AM PST

Know What Data is Being Collected, and Why

Privacy and information leakage has become one of my favorite topics on the Security blog.  It seems that an enormous amount of information is being willingly plastered all over the Internet, from which significant value can be extracted (especially when combined with other public, or more likely private, datasets).  The results are mind-boggling, and the implications are not fully comprehensible.  Yet another example of this came to light recently from security professional Roger Thompson’s blog.

As we described in the Cyber Risk Report for the week of December 14, Thompson had a credit card suspended because of fraud concerns.  As he called to reactivate the card and prove his identity to the fraud division at his bank, he was asked questions regarding his daughter-in-law that were not things that should have been tied to him in traditional security questions.  His assumption is that the information was gleaned from a public source, such as a social networking site.

Read More.

Posted by Seth Hanford at 10:41AM PST

The Effectiveness of Antivirus on New Malware Samples

During the course of security research we often acquire new malware samples. We typically first try to determine what we have acquired and if it is a new or otherwise unknown malware sample or if it is a mutation of something that we have already seen. There are several ways in which a sample can be tested, but the simplest way is to compare the MD5 checksum of the malware sample against other known checksums—several services exist where you can look up the hash of a sample, such as Malware Hash Registry by Team Cymru, VirusTotal, and MalwareHash. These services work by analyzing samples against antivirus products from several vendors (often thirty or forty different products). If the sample has previously been analyzed, the results will often tell what percentage of antivirus products detect the sample.  Most of the time this method is sufficient on samples that are more than a few days old; however, on samples that are recent (perhaps discovered within the last twenty-four hours) the effectiveness of this method is marginal, illustrating the highly reactive nature of the industry.

Since antivirus products are often used as a cure for poor user discretion, I thought I would track the effectiveness of antivirus products on new malware samples that we received and test some of the samples a week later to note how the coverage improved. I think the results will show that new malware samples have a window of opportunity where end users are particularly vulnerable to the new malware strains.

Read More.

Posted by Kevin Timm at 01:21PM PST

Can Google improve microblogging security?

Social media security has been a major focus of the Cisco Security blog in the past several months. We believe so strongly in sharing the message of using social media in a secure way that it was also a prominent focus in the 2009 Cisco Annual Security Report. In the 2009 report, we discussed how criminals, like predators in the wild, migrate to where their victims can be found. Recently, that has been on social networking sites and services.

Now, Google has moved to include microblogging and other recent search index updates in their Real Time Search section (“Latest results for…”) of a standard search results page. Just as the existence of community lends trustworthiness to content found on social networks, the association with Google’s search results also lends validity to content.

Read More.

Posted by Seth Hanford at 07:48AM PST

Exploring a Java Bot: Part 1

These days botnets are all over the news. Often we hear them described in vague, ominous terms designed to grab people’s attention. In simple terms, a botnet is a group of computers networked together running a piece of malicious software that allows them to be controlled by a remote attacker, better known as a botmaster. Often I think people abuse their readers to a certain extent by over-hyping certain threats. I would like to take a more reasonable approach here.

Our team has a lab dedicated to running malicious software that we refer to as our malware lab. We use the lab to ensure our security products work against various real-world threats. Basically, we do things like intentionally leaving hosts un-patched behind security devices and purposefully infect and attack boxes protected by various devices. This helps to ensure that in a worst-case scenario we know our products work. To that end, I periodically track down new samples of malware. Recently, I came across a sample that could be used to create your own botnet.

I will explain exactly what this bot does; I’ll even show you some of the code. This is a very simple and generic example of a bot and is very likely no threat to your network. It’s designed as a kit to be distributed to inexperienced botmasters. It’s the Easy-Bake Oven of botnets, but the concepts I will cover extend to the most complex botnets.

This will be the first in a series of posts exploring a bot written in the Java programming language. Because the Java is easier to read than most, throughout this series we will explore the actual code for the more interesting features.

Read More.

Posted by Craig Williams at 05:53AM PST