Eleonore Exploits Pack, Liberty Exploit System, Yes Exploit System, ZueEsta Exploit Pack and Fragus Exploit Pack are all “exploit” systems that a miscreant can purchase to aid in building and monitoring a botnet. These exploit systems will set the botmaster back a few hundred dollars, but in return they provide the aspiring botmaster with several exploits, an administration and tracking panel and some sort of software support. These crimeware systems are often grouped as “Russian Crimeware” and are frequently advertised for sale in various forums on the Internet. They advertise varying levels of effectiveness, and additional modules can often be purchased to increase that effectiveness. The systems work by essentially aiding a botmaster in putting up a malicious website. The botmaster then uses social engineering to lure victims to the malicious site where, once infected, the victims become a part of the botmaster’s botnet. Once the victim system is part of the botnet, the botmaster uses the endpoint for profit, either by leasing the systems to provide services such as spam or denial of service, or by stealing credentials from the victims, bundling these credentials and selling them.
During the course of research, I decided to take a look at the YES exploit system to learn more about it and to see how effective a system it really was. This post will give an overview of the YES exploit system, as well as look more in depth at the first exploit it delivered during testing, which was an older PDF exploit.
The Cyber Risk Report this week contained a short mention of the attacks against the Apache Software Foundation (ASF). These attacks were documented last week in fantastic detail by Philip M. Gollucci of the ASF. The attackers used a previously undisclosed cross-site scripting vulnerability and password brute forcing to gain initial access to the ASF systems. They then used additional attacks to learn user credentials, browse file systems, and access other computers. The level of openness demonstrated last week is not a first for the ASF; in May 2001 and in August 2009 they published similar reports in response to security incidents.
When reading the ASF report several things came to mind. For example, “wow, if they only did…” or “people always say that is not a big deal…” Well, hindsight is always 20/20 and, in this case, it was a relatively big deal.
There was a somewhat lively debate among my teammates about the ASF blog post. Nobody disagreed that it provided a great window through which to examine a real world attack. But of course, there were many opinions presented as to what the key takeaways for organizations should be. I have listed some of these takeaways below.
If you are reading this post, you probably have a smart phone in your pocket. You may, in fact, be reading this on your Blackberry or iPhone in line at the movies or sitting at home eating breakfast. You might next check your work e-mail — a common practice, and in most cases supported and even encouraged by your employer.
But as smart phones get more powerful and, well, smarter, you’ll be interacting with robust business applications and company data from anywhere and you may be doing this without the support, protection or even the knowledge of your IT organization. Additionally, you may be bringing devices you’ve acquired outside your company’s IT organization. This process of using outside devices for company business we call the consumerization of IT — consumers are making the choices.
Like a lot of folks, I browse sites like Facebook, Twitter and other social sites daily — sometimes hourly — and have come to expect to use them on my mobile phone. This type of mingled use of business applications and personal sites on smart phones along with the consumerization of IT means organizations have a bigger challenge than ever managing and protecting active mobile users. Access to a robust computing infrastructure can be found in a phone the size of a deck of cards, and if you’re in charge of your company’s IT you have to deal with users who want to unleash that productivity potential.
So how do you balance the needs and wants of smart phone users with your business’ requirement to protect them and your valuable corporate data no matter where they are? Well, let’s talk about that a bit.
The recent decision for employee e-mail privacy and lawyer-client privilege by the New Jersey Supreme Court produced celebratory fist-bumps by groups ranging from the Employers Association of New Jersey (EANJ) to the National Employment Lawyers Association of New Jersey (NELA-NJ), the Association of Criminal Defense Lawyers of New Jersey (ACDL-NJ), and the New Jersey State Bar Association (NJSBA). As noted in last week’s Cyber Risk Report, the justices ruled that an employee “could reasonably expect that e-mail communications with her lawyer through her personal account would remain private, and that sending and receiving them via a company laptop did not eliminate the attorney-client privilege that protected them.”
Only a few years ago, the case of Stengart v Loving Care might never have gone to court because most companies didn’t pay much attention to employees’ electronic communications except to avoid human resource department issues. Today, corporations have cyber and insider risks to guard against, regulatory and compliance requirements to adhere to, and legitimate business concerns that make monitoring a necessity, not an option. The risk of not knowing what employees may be electronically communicating has increased dramatically.
This is the third post in a series that focuses on a view from the trenches. In this post I will examine inline and passive intrusion prevention/detection installations. Although the industry trend is that the automation aspects of inline IPS make it more useful, does that mean that passive intrusion detection as a technology is obsolete? While the benefits of inline IPS are easy to see, I want to point out a few situations where it may still be useful to use passive intrusion detection.
There is a debate today on the value of IDS/IPS and whether IDS has to be inline to be valuable. (See my previous posts for more background on the merits of IPS.) At first, all intrusion detection was passive, looking for attack signatures on the wire. Of course, predictively analyzing and detecting all attacks has an inherent conflict: if we can predict an attack well enough to analyze it with a high degree of fidelity, we could just prevent it. This set the stage for an inline preventative IDS (IPS), and the intrusion detection market has been progressively moving in this direction. One of the business influences leading to that trend could be described as follows:
A company has a small security team. They purchase and deploy an IDS for $1000 and get many alerts, but their security posture remains static. The company purchases a SIM for $1000 to help manage the alerts, and their security posture still remains static. The company then hires more people to tune, manage, and respond to their IDS deployment and, a year or two down the road and $100,000 later, they start to identify and reduce issues.
In today’s fast-changing world, the return on investment (ROI) is hard to justify and is a long time coming. Switch to IPS, and that same small security team buys and deploys something inline for $1000 and their security posture starts to improve immediately. Is IDS dead? Is IPS the only way to go? Read on to find out.
Tags: APT, CSIRT, security, TRAC