DDoS with just a click!

By Diego Ramirez

This past Thursday, one day after the Internet blackout by many major websites in protest of SOPA/PIPA, the US government and its agencies, as part of a larger global crackdown, shut down the popular file sharing site Megaupload. Almost immediately afterward, the hacker group "Anonymous" began a large-scale DDoS attack directed at the websites of entertainment groups such as the MPAA and RIAA, along with various government sites including FBI.gov, justice.gov, etc. Although this is not the first time these websites have been attacked by Anonymous, what made Thursday's attack so interesting is how they went about it.

In the past, supporters of Anonymous and other groups would download a DDoS client, such as the infamous LOIC (Low Orbit Ion Cannon) or a similar application, in order to take part in the DDoS attack. On Thursday we observed links to a site containing JavaScript which acted as the DDoS client, with no configuring or downloading required. These links were distributed via social networking sites such as Twitter.


Image courtesy of http://nakedsecurity.sophos.com

Some speculate this could be used by participants as a legal defense, where a user would claim they were tricked into, or inadvertently took part in, the attack without knowing they were doing so. This can indeed be a new way to clickjack someone into participating in a DDoS without their knowledge, and it has the potential to make DDoS attacks even more common and far more devastating than they have been in the past.

Sources:

  1. Naked Security
  2. Threat Post

XO, in combination with StillSecure, will be hosting a webinar on WAN Security: Making the Right Choices for an optimized WAN.

Security is a crucial component of WAN optimization, but the best way to implement a solid WAN security plan isn’t always clear. Choices abound, including the decision between a premise-based versus a network-based security strategy for your WAN. In this webinar Neil Carter, StillSecure SE, and Dan Toomey, XO Sr. Manager for WAN Solutions and Security Services Product Management, will talk about recent trends in WAN security, new threats arising for enterprise WANs, and the best WAN security options for enterprise-wide WAN optimization.

The network landscape is changing rapidly as companies move to a more connected presence across different geographic locations. With this geodiversity come new challenges in network or WAN security. To support and protect these types of networks, companies must deploy multiple layers of security technology; no single security product will fully protect a network. Some of the products used in these situations, such as firewalls and IDPS, are not new technologies. Others, such as web and content filtering and web application firewalls, are also not new but are not as widely deployed. Blending these types of network security products with a managed security service provider is possibly the best way to defend a WAN against attack.

We’re using the hashtag #XOComm on Twitter so feel free to join the conversation.

We hope you can join us at 2pm Thursday, January 26. Register here for the webinar.

In this edition of "Security Spot": New Year, New Password

By Daniel Cabarcos,
StillSecure SOC Analyst

I've gone through the typical New Year's resolution of eating healthier and losing some weight gained from the holidays (yes, I blame the last few decades on the holidays), so I decided that this year's resolution will be to educate my friends and family on some good old information security. The beauty of this resolution is that something so simple can make such a huge difference all around, and it is something that I know people with an information security mindset take for granted at times. So many thoughts came to mind when I started to think of all the simple steps the average person can take to be more secure this year, which prompted me to realize that I have taken some of these things for granted at times. Now, these things may sound so simple, and yet they can make a monumental impact on a user's Internet well-being. That's why passwords and spam emails are at the top of my list.

I wouldn't want to count how many times, while helping someone with a computer issue, they have told me their password and it was something a dictionary attack would take seconds to break. I plan to explain to them why a password should not be a known word, even with a number behind it; not a name with a date; not last month's password with a 1 added at the end, then a 2 the next month, then a 3, etc.; and definitely not "PASSWORD". I will show them the image below on how long it takes to crack passwords. While I am aware of the newer methods that use a GPU to increase the number of passwords attempted, which dramatically lower the time needed to crack a password, it would still take about 1 year for an 8-character password. So, I plan to explain to them that they should have a password at least 8 characters long with lowercase, uppercase, numbers and symbols. At the same time, we should not be using the same password for multiple sites, and should use a program or a phone app to store passwords. Not a sticky note on your desk or monitor or somewhere in the line of sight.

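As an added illustration of the rules above (this is not code from the original post), the following Python checks a candidate password against them: at least 8 characters, all four character classes, not a dictionary word with or without a number behind it, and not last month's password with the number on the end bumped. It also estimates the brute-force keyspace at an assumed guess rate. The small word list and the rate of one billion guesses per second are constructed assumptions, and the keyspace figure is an upper bound that says nothing about how quickly a dictionary attack lands.

```python
import math
import re
import string

# Constructed stand-in for the word list a dictionary attack would use.
# A real check would load a large list; these few entries are for illustration.
COMMON_WORDS = {"password", "welcome", "dragon", "monkey", "letmein", "summer"}

CLASSES = {
    "lowercase": set(string.ascii_lowercase),
    "uppercase": set(string.ascii_uppercase),
    "numbers": set(string.digits),
    "symbols": set(string.punctuation),
}


def char_classes(pw):
    """Names of the character classes that actually appear in pw."""
    return {name for name, chars in CLASSES.items() if any(c in chars for c in pw)}


def keyspace_bits(pw):
    """log2 of the brute-force search space implied by pw's length and classes.
    This is an upper bound: a dictionary word with a digit falls long before it."""
    alphabet = sum(len(CLASSES[name]) for name in char_classes(pw))
    return len(pw) * math.log2(alphabet) if alphabet else 0.0


def seconds_to_exhaust(pw, guesses_per_second):
    """Time to try every string in pw's keyspace at the assumed guess rate."""
    return 2 ** keyspace_bits(pw) / guesses_per_second


def strip_trailing_digits(pw):
    return re.sub(r"\d+$", "", pw)


def is_word_plus_digits(pw):
    """'dragon', 'Dragon7', 'summer2012': a dictionary word with a number behind it."""
    m = re.fullmatch(r"([A-Za-z]+)(\d*)", pw)
    return bool(m) and m.group(1).lower() in COMMON_WORDS


def check_password(pw, previous=None):
    """Return the list of rules pw breaks; an empty list means it passes."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    missing = set(CLASSES) - char_classes(pw)
    if missing:
        problems.append("missing " + ", ".join(sorted(missing)))
    if is_word_plus_digits(pw):
        problems.append("dictionary word, with or without a number behind it")
    if previous is not None and strip_trailing_digits(pw) == strip_trailing_digits(previous):
        problems.append("last month's password with a different number on the end")
    return problems


if __name__ == "__main__":
    rate = 1e9  # assumed guess rate for an offline GPU attack, guesses per second
    for pw, prev in [("Dragon7", None), ("Summer12", "Summer11"), ("cX7!wq#Lp4", None)]:
        years = seconds_to_exhaust(pw, rate) / (365 * 24 * 3600)
        print(f"{pw!r}: {check_password(pw, prev) or 'OK'}; brute force <= {years:.2g} years")
```

The increment check compares the password with the digits on the end removed, so it catches "Summer12" after "Summer11" and equally catches a strong password whose only change was its final digit; pass the previous password in whenever one is known.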

Thank goodness for junk mail and spam folders, but not all spam emails get caught by the filters in place, and this is where so much damage can take place. A 15-letter password can be compromised with a simple email that has you logging into a fake site. Spam emails come in so many sneaky forms that anyone not paying attention can be caught by them. We have scams, adult, financial, stock, pharmaceutical, phishing, education (diplomas, degrees, certificates and any other type of training program), replicas (that purse she always wanted), software, gambling, dating, video games and others, all crafted to steal your information and hand it to the attacker. The rule of thumb I would explain to my friends and family is that if you do not know who it is from, do not click a link in the email, do not open a file, do not claim the free something you just won, and do not answer some guy across the world who died and just left you all his wealth; and when I say across the world, I mean it. Most spam comes from other countries, and from botnets as well. The image below displays statistics for spam sources by country for the week of December 25th.


These two policies, if followed, would make life much easier for my friends and family, and for me, by not having to fix so many computers, leaving me much more time for my hobbies. These are simple steps that could help the average person, yet they would also help me and others who take simple security policies for granted. What good is a strong password if your phone has no password on it to access your email? The same goes for the ever-expanding world of tablets. The biggest vulnerabilities are usually something simple, and that's why they are such a threat: we usually overlook them and/or don't practice them at all. Following these policies would also make anyone's place of work much more secure. The last thing I would recommend is that if they hear that ABC Company was compromised, they go change their password for that site. So my 2012 New Year's resolution is to educate my friends and family and make sure I myself follow these policies. Who knows, maybe this year my inbox will have fewer Fwd:Fwd:Fwd:Fwd emails and I will get fewer calls to fix someone's computer. Oh yeah, and lose some weight (another gym membership not used).


In this edition of "Security Spot": Is Your Phone Talking About You?


By Sean Steadman, StillSecure SOC Analyst

Currently there is a lot of talk about smart phones giving away sensitive data without their users' consent. Several cell phone carriers have been monitoring user data with software they install before handing the phone over to consumers. The software is called Carrier IQ, and it tracks the location of the phone, which keys were pressed, which Web pages were visited, when calls were placed, and other information on how and when the device is used.

This was first discovered by Android developer Trevor Eckhart, who noticed his phone had hidden software that phoned home to the carrier. Eckhart found that Carrier IQ can be shown as present on the phone to users or configured as hidden, which was the case on the HTC phones he analyzed. He also states that because customers do not give explicit permission for this data collection, don't even know this software is on their phones, and can't opt out of it, it is a clear privacy violation.

Carrier IQ representatives said that the data carriers collect with their software has a legitimate purpose and is handled responsibly. Carrier IQ says the software is designed to help carriers troubleshoot network failures and other problems. One example would be learning exactly where a phone call was dropped, which can help a carrier discover network troubles in a geographic area. Also, information on which keys are pressed and how many times the phone is charged can provide activity information over the life of a phone, which is important for device manufacturers.

A spokesman for Sprint (one of the many service providers involved) provided a statement about the use of Carrier IQ, but did not say whether customers knew about the data collection or why they can't opt out. Here is the Sprint statement:

“Carrier IQ provides information that allows Sprint, and other carriers that use it, to analyze our network performance and identify where we should be improving service. We also use the data to understand device performance so we can figure out when issues are occurring. We collect enough information to understand the customer experience with devices on our network and how to address any connection problems, but we do not and cannot look at the contents of messages, photos, videos, etc., using this tool. The information collected is not sold and we don’t provide a direct feed of this data to anyone outside of Sprint.

Sprint maintains a serious commitment to respecting and protecting the privacy and security of each customer’s personally identifiable information and other customer data. A key element of this involves communicating with our customers about our information privacy practices. The Sprint privacy policy makes it clear we collect information that includes how a device is functioning and how it is being used. Carrier IQ is an integral part of the Sprint service.”

At this moment Carrier IQ faces several active lawsuits over the breach of its customers' privacy. In the end, whether they are using this tool for good or evil, they should notify their clients that the software is there and give them the opportunity to opt out.

Curious whether your phone has Carrier IQ? Check out the Android application called Voodoo Carrier IQ Detector.

Zero-day Vulnerability in Adobe Reader and Acrobat


By Adam Lapay (SOC Analyst)

The IT security industry is up in arms over a new zero-day vulnerability in Adobe Systems' Reader and Acrobat. Identified on 12/6/11, this exploit works on almost all platforms of Adobe Reader, including Windows (9.x), UNIX (9.x) and Reader X for Mac (10.1.1). This new exploit, CVE-2011-2462, has been seen in the wild and was reported by the Lockheed Martin Computer Incident Response Team. The vulnerability, which so far has only been used against defense firms, is triggered by a remote user who creates a malicious PDF containing a U3D (a three-dimensional image embedded in the PDF) that causes a memory corruption error. This allows the remote user to execute arbitrary code stored in the PDF with the current user's privileges. In its most recent form, Symantec states, this flaw is being used to install the Sykipot Trojan, which opens a backdoor on compromised hosts.

At the moment, Adobe is aware of the issue and will have a fix for Reader and Acrobat for Windows the week of December 12th. Unix and Mac users will have to wait until the next quarterly security update from Adobe, scheduled for early January 2012. In the meantime, using Reader and Reader X in Protected Mode offers the only protection against the exploit.



Don’t get “pwned” for the Holidays

By Diego Ramirez, SOC Analyst

During the holidays many of us will be traveling, telecommuting and visiting with friends and family. More often than not, we use and rely on free Wi-Fi for a variety of tasks, from checking that email from the office to using social networking to keep in touch with everyone. As we use free/public Wi-Fi at hotels, our favorite coffee shops and regular haunts, it is good to remember how prone Wi-Fi is to a variety of hacks and man-in-the-middle attacks. Below we discuss what a basic man-in-the-middle attack is and some ways to protect yourself and/or limit what data is exposed.

The Basics of a Wi-Fi Man-in-the-Middle Attack
So when you go to a coffee shop, for example, and sit down for a cup of coffee, most of the time they have free Wi-Fi. You go to your Wi-Fi settings, see "CoffeeShopWifi", click connect, and you are enjoying access to the Internet. You may do the same thing at hotels or in the airport to connect to their Wi-Fi offerings. The name you see when you connect to Wi-Fi is called an SSID, and it's a basic name to tell one wireless network from another.

In a man-in-the-middle attack, the attacker sets up a Wi-Fi appliance with the same SSID as a legitimate access point. So in our coffee shop example the attacker would configure his rogue appliance's SSID as "CoffeeShopWifi", tricking computers and people into connecting to the rogue access point instead of the legitimate one. The attacker will provide you with Internet access, but at this point can also see all your traffic traversing their appliance. Here you have your very basic man-in-the-middle attack. Any traffic in clear text, such as SMTP, POP3, HTTP, etc., can be read, so they can see what you're doing, where you are going on the Internet, and whatever information you put out.

You may say, "I don't even need to connect to Wi-Fi, it just connects." Well, that is even worse, since it's even simpler to have you connect to a rogue hotspot. There are even techniques to cause a Wi-Fi connection to disconnect and then rely on auto-connect, which only checks for an SSID name, to connect you to a rogue Wi-Fi without you knowing it. Once Wi-Fi users are in a man-in-the-middle position, an attacker can use other techniques to provide you false DNS records, which may redirect you to dummy websites that try to record your user names and passwords, or get malware/viruses inadvertently installed on your machine that may allow the infected machine to be accessed later.

Prevention:
Due to the basic way Wi-Fi works, it's hard to stop these man-in-the-middle attacks; generally you don't even know they are happening. There are, however, a variety of ways you can keep your laptop or device secure.

Software Firewall:
Most modern operating systems come with a basic firewall which will keep people out. When you are using public Wi-Fi it is especially important to keep it on.

HTTPS vs. HTTP:
HTTPS can provide encryption point to point between you and a website. As security becomes more of a focus for high-profile websites, many of them do provide HTTPS versions of their sites, so even in a man-in-the-middle attack you can keep that traffic encrypted and thus safe. Most banks and financial institutions have SSL enabled by default. Many webmail solutions and commerce sites are also now making HTTPS the default for payment. Social network sites such as Twitter, Facebook, and Google+ all have these options as well, but not all by default. There are add-ons or extensions for your browser of choice that can help with this. If you use Firefox, the Electronic Frontier Foundation has an extension called HTTPS Everywhere which forces HTTPS wherever it can. On Chrome, HTTPS Enforcer or KB SSL Enforcer try to do a similar thing, but sadly not as well as the Firefox extension. This will not keep everything away from someone who has you in a man-in-the-middle attack, but it prevents the more sensitive data from appearing in clear text in a packet capture or dump. If they try any sort of DNS name spoofing, though, all bets are off.

VPN
If you have a VPN and it's configured correctly, you can use VPN connections to surf the web not only anonymously but also fully encrypted from your computer to wherever your VPN terminates. So when you are the victim of a man-in-the-middle attack they can never see what you are doing; all they will see is encrypted traffic. If your company doesn't provide VPN access, there are a variety of third-party companies that sell VPN services one can subscribe to for this very purpose. They have VPN endpoints spread around the country, or in some cases around the world, which you can connect to in order to encrypt and even privatize web queries. This creates a VPN session you can safely surf the web through, even in public Internet environments.

Turn off Wi-Fi auto-connect
This is the most annoying change, but also one of the best tips to prevent getting caught in man-in-the-middle attacks: turn off Wi-Fi auto-connect. This is the handy feature where your computer remembers the Wi-Fi networks you connect to and connects you automatically to known hotspots. The downside is that it will always connect to any Wi-Fi with the same SSID or network identifier. So in our previous coffee shop example, if you go there regularly you will always connect automatically to that SSID, whichever access point is advertising it. If you have to pick and choose every time you want to connect, it forces you to look, and if you see multiple "Coffee_Shop_Wifi" SSIDs, for example, you might actually be seeing one legitimate and one rogue connection, and you may reconsider connecting at all. Disabling auto-connect varies from system to system, but it comes highly recommended.
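An added example (not part of the original post) of the look-before-you-join check that the auto-connect advice implies, covering both the duplicate-SSID setup described in the basics section and the tip above. The script works over a constructed scan listing, not real nmcli or airport output. It flags an SSID advertised by more than one access point when the security modes disagree, or when a BSSID carries the locally administered bit (a MAC address set in software rather than assigned from a vendor OUI), and then lists which of your remembered networks auto-connect would join regardless.

```python
from collections import defaultdict

# Constructed scan listing (not real tool output): one tuple per visible
# access point: (SSID, BSSID, signal strength in dBm, security mode).
SCAN = [
    ("CoffeeShopWifi", "a4:56:02:11:22:33", -48, "WPA2"),
    ("CoffeeShopWifi", "02:00:00:aa:bb:cc", -35, "OPEN"),
    ("HotelGuest",     "9c:1c:12:44:55:66", -70, "OPEN"),
    ("HomeNet",        "f0:9f:c2:77:88:99", -60, "WPA2"),
]

# SSIDs this machine remembers and would auto-join (constructed).
KNOWN_SSIDS = {"CoffeeShopWifi", "HomeNet"}


def is_locally_administered(mac):
    """Bit 0x02 of the first octet set: the address was set in software,
    not burned in under a vendor OUI. Common for software access points."""
    first_octet = int(mac.split(":")[0], 16)
    return bool(first_octet & 0x02)


def group_by_ssid(scan):
    """Map each SSID to the list of access points advertising it."""
    groups = defaultdict(list)
    for ssid, bssid, signal, security in scan:
        groups[ssid].append({"bssid": bssid, "signal": signal, "security": security})
    return groups


def suspicious_ssids(scan):
    """Return {ssid: [reasons]} for names whose listing deserves a second look."""
    findings = {}
    for ssid, aps in group_by_ssid(scan).items():
        reasons = []
        if len(aps) > 1:
            reasons.append(f"{len(aps)} access points share this name")
            if len({ap["security"] for ap in aps}) > 1:
                reasons.append("security modes differ between them")
        for ap in aps:
            if is_locally_administered(ap["bssid"]):
                reasons.append(f"{ap['bssid']} has a locally administered MAC")
        if reasons:
            findings[ssid] = reasons
    return findings


def auto_join_risks(scan, known):
    """Remembered SSIDs that auto-connect would join despite a suspicious listing."""
    return sorted(set(known) & set(suspicious_ssids(scan)))


if __name__ == "__main__":
    for ssid, reasons in suspicious_ssids(SCAN).items():
        print(f"{ssid}: " + "; ".join(reasons))
    print("auto-connect would join:", auto_join_risks(SCAN, KNOWN_SSIDS))
```

A venue with many access points legitimately advertises one SSID from several BSSIDs, so a shared name alone proves nothing; the mismatch in security mode (an open network next to a WPA2 one of the same name) is the signal worth acting on, and the right action is to decline to connect rather than to investigate the other network.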

Final thoughts
One thing about these sorts of man-in-the-middle attacks is that they are platform agnostic. There is no safe bet when it comes to them, but with a little preparation it is very easy to defend and protect yourself from these sorts of attacks, or at least make any data that is intercepted useless. So don't be afraid; just stay informed and prepared.

Buying Peace of Mind with StillSecure and Hostway

We all have tasks we should work on but for some reason, they never seem to reach the top of the pile. In our personal lives, this can be anything from cleaning the oven to picking up the dry cleaning. In our work lives, these projects usually include things like expense reports, low priority emails, or calls back to vendors – which are usually left undone for weeks, months, or never.

Similarly, there’s also a very important task that many businesses know they should work on but for some reason never reaches the top of the pile: securing their IT resources.

We know from all the big stories around hacking, fraud, and identity theft in the media in the past couple of years that we need to secure our IT resources, but network security is complex and requires 24×7 vigilance if it’s to be done right.

So the issue is not really a matter of getting around to it: it's a matter of not knowing where to start. Very few of us are willing to go study network security best practices for years so we can do work that's not contributing to the bottom line.

You can hire someone to pick up your dry cleaning and clean your oven. If you’re fortunate enough, you have an administrative assistant to take on your expense reports and respond to vendors. Fortunately, you can also hire experts to secure your IT resources, and for a fraction of the cost it would take for you to do it as effectively.

Hiring someone to pick up your dry cleaning, clean your oven, or even fill out your expense reports requires a certain amount of your time to manage the process, so it’s not truly bother-free, though it is a big help and ensures those simple tasks get done in relatively short order.

Let's look at our new partnership with Hostway. When a customer uses their Managed Security Service (MSS) offerings delivered by StillSecure, we set up the service according to their wishes, and then they can have as much or as little interaction with the process as they like.

Aaron Hollobaugh, a VP of Hostway put it best I think when he was talking about the needs of Hostway’s more than 600,000 customers, each of whom depend on Hostway for vastly different security requirements. He said “Not all of our customers need the same security solutions – some don’t need compliancy and many are unwilling to double their monthly costs with a dedicated security appliance. A partnership with StillSecure allows us to offer flexible options that can be tailored to each customer’s environment, including multiple packages that take advantage of StillSecure’s multi-tenant platform to dramatically lower costs.”

What it comes down to is — do you want to be awakened by a phone call in the middle of the night when an intruder attacks your system? Or do you want to sleep through the event, knowing the attack was stopped before it could do any damage by StillSecure’s 24×7 Security Operations Center, blissfully unaware of the issue until you get your email in the morning? You can have it either way and change it when you want.

We offer more than just customizable and sophisticated technology to Hostway, because we understand that we need to go beyond a host-based firewall and SSH. The MSS offerings from Hostway and StillSecure include firewall, SSL or IPsec VPN, intrusion prevention, log management, file integrity monitoring, web application firewall, content filtering, vulnerability scanning and more. If you're facing a PCI audit, we can even help you succeed and keep costs low by helping to meet some of the more onerous requirements and working with your auditor to get you through the process. We'll help you stay in compliance throughout the year, so your annual visit from the auditor goes as smoothly and quickly as possible.

The bottom line is that there’s no reason why your IT assets need to go unprotected when you can have hassle-free world class protection at a small monthly price.

DOS using BIND DNS, by Sean Steadman, SOC Analyst

A recently discovered 0-day attack has been causing mayhem for organizations with hosted domains everywhere. The issue is a vulnerability found in the popular DNS application BIND. This vulnerability causes DNS servers to crash and interrupt service; BIND versions with this vulnerability are unable to complete DNS requests for your hosted domains. BIND 9 attempts to cache an invalid record, and after continued queries the resolver crashes with an assertion failure. Evidence of this is a log message from query.c reading: "INSIST(! dns_rdataset_isassociated(sigrdataset))". The Internet Systems Consortium is working on determining the root cause by which a record with this particular inconsistency is cached.

Affected versions of this software are BIND 9.0.x – 9.5.x, 9.4-ESV – 9.4-ESV-R5, 9.6-ESV – 9.6-ESV-R5, 9.7.0 – 9.7.4, and 9.8.0 – 9.8.1. Currently there is no workaround, and the only way to prevent the issue is to upgrade to one of these patched versions: BIND 9.8.1-P1, 9.7.4-P1, 9.6-ESV-R5-P1, 9.4-ESV-R5-P1. The patch consists of two components. The first prevents the cache from returning the inconsistent data. The second prevents named from crashing if it detects that it has been given an inconsistent answer of this nature.
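To turn the log signature above into a check a defender can run, here is an added Python example (not from ISC or the original post) that scans named log lines for the INSIST failure, pulls the running version from the "starting BIND" line, and compares it with the patched releases listed above. The log lines, and the query.c line number inside them, are constructed for the example.

```python
import re

# Constructed named log lines in syslog style; not captured from a real server.
SAMPLE_LOG = """\
Nov 16 10:02:11 ns1 named[2231]: client 192.0.2.10#53211: query: example.net IN A + (198.51.100.5)
Nov 16 10:02:12 ns1 named[2231]: query.c:4127: INSIST(! dns_rdataset_isassociated(sigrdataset)) failed
Nov 16 10:02:12 ns1 named[2231]: exiting (due to assertion failure)
Nov 16 10:05:40 ns1 named[2310]: starting BIND 9.8.1 -u bind
"""

# The assertion text the post cites as evidence of the crash.
ASSERTION = "INSIST(! dns_rdataset_isassociated(sigrdataset))"

# Fixed releases named in the post; anything else in the affected ranges should be upgraded.
PATCHED = {"9.8.1-P1", "9.7.4-P1", "9.6-ESV-R5-P1", "9.4-ESV-R5-P1"}


def find_assertion_crashes(log_text):
    """(line number, line) for every log line carrying the query.c assertion."""
    return [(n, line) for n, line in enumerate(log_text.splitlines(), 1) if ASSERTION in line]


def running_version(log_text):
    """Version string from the most recent 'starting BIND x.y.z' line, or None."""
    found = None
    for line in log_text.splitlines():
        m = re.search(r"starting BIND (\S+)", line)
        if m:
            found = m.group(1)
    return found


def needs_upgrade(version):
    """True when a version is known and is not one of the patched releases."""
    return version is not None and version not in PATCHED


def triage(log_text):
    """Summary a SOC analyst would want: where it crashed, what is running, what to do."""
    crashes = find_assertion_crashes(log_text)
    version = running_version(log_text)
    return {
        "crash_lines": [n for n, _ in crashes],
        "version": version,
        "upgrade": needs_upgrade(version),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

The assertion string is matched literally, so a log whose format differs from the constructed lines still triggers on it; the version check is deliberately strict, treating only the four patched releases as safe, because the post states there is no workaround short of upgrading.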

The reverse proxy vulnerability affecting Apache, by Rory Smith, SOC Analyst

Once again Apache is up for discussion, as another bug, similar in nature to CVE-2011-3368 (identified on 10/05/2011), has been sighted in the wild. The vulnerability targets networks that use the reverse proxy feature provided by Apache. With a reverse proxy, a Web server is able to mirror another, serving content from that server as well as improving performance through caching. Reverse proxies are also used for load balancing. A vulnerability has been discovered that, when the reverse proxy feature in Apache HTTPD is used, allows an attacker to access otherwise inaccessible systems on the internal network. The vulnerability in question, discovered by Prutha Parikh and currently tracked as CVE-2011-4317, allows crafted requests to exploit the current stable, fully patched Apache (version 2.2.21) Web server.

The vulnerability is caused by the mod_proxy module which, when configured improperly in reverse proxy mode, will allow an attacker to send requests to various servers behind the proxy. In the proof of concept demonstrations, Prutha configures a vulnerable RewriteRule and ProxyPassMatch rule that would leave the system vulnerable, as seen below:

Viewing the rule in question, the vulnerability occurs at the $1. If this rule is left in place and an attacker crafts a request such as "GET @localhost::<PORT> HTTP/1.0\r\n\r\n", everything after the initial colon will get appended to the host in question, i.e. :8880, which will result in http://10.40.2.159:8880. Therefore, as shown in the proof of concept, by applying that crafted request, the fully patched Apache server returned http://10.40.2.159 on port 8880 to the user. Applying the same logic, an attacker could use the exploit to access ports otherwise inaccessible externally.

The developers of Apache have acknowledged the vulnerability; however, no patch has been released to address the issue at the moment. As a workaround, modifying the rewrite rule to include a "/" between the host and $1 will prevent the system from being vulnerable to this exploit.
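The workaround above can be turned into a configuration check. The added Python below (example code, not Apache's or the post's) audits a constructed httpd.conf fragment for RewriteRule [P] and ProxyPassMatch lines whose target URL has a backreference glued directly onto the host, and produces the same target with the "/" inserted. The post's own proof-of-concept rules appear only as an image, so the flagged lines are an assumed reconstruction of that pattern using the 10.40.2.159 host mentioned in the text.

```python
import re

# Constructed httpd.conf fragment (assumed form). The first two rules reproduce
# the risky pattern the post describes: $1 glued to the host with no "/" between.
CONFIG = """\
RewriteEngine On
RewriteRule ^(.*) http://10.40.2.159$1 [P]
ProxyPassMatch ^(.*) http://10.40.2.159$1
# hardened forms: whatever $1 captures can only ever become a path
RewriteRule ^(.*) http://10.40.2.159/$1 [P]
ProxyPassMatch ^/(.*) http://10.40.2.159/$1
"""

# A target URL whose authority (host, optional port) is immediately followed by $N.
UNSAFE_TARGET = re.compile(r"^(?P<scheme>https?://)(?P<authority>[^/\s$]+)(?P<ref>\$\d)")


def rewrite_flags(token):
    """'[P,L]' -> {'P', 'L'}; flags with values ('E=var:val') keep only the name."""
    return {f.strip().split("=")[0] for f in token.strip("[]").split(",") if f.strip()}


def audit_proxy_rules(config_text):
    """Findings for rules that splice a backreference directly onto the proxied host."""
    findings = []
    for n, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()  # patterns containing whitespace are not handled here
        if parts[0] not in ("RewriteRule", "ProxyPassMatch") or len(parts) < 3:
            continue
        directive, target = parts[0], parts[2]
        flags = rewrite_flags(parts[3]) if len(parts) > 3 else set()
        # A RewriteRule only proxies when it carries the [P] (proxy) flag.
        if directive == "RewriteRule" and not ({"P", "proxy"} & flags):
            continue
        m = UNSAFE_TARGET.match(target)
        if m:
            head = m["scheme"] + m["authority"]
            findings.append({
                "line": n,
                "directive": directive,
                "target": target,
                "suggest": head + "/" + target[len(head):],
            })
    return findings


if __name__ == "__main__":
    for f in audit_proxy_rules(CONFIG):
        print(f"line {f['line']}: {f['directive']} target {f['target']!r} -> use {f['suggest']!r}")
```

The check only recognises the pattern the post describes, a capture group placed straight after the host in a proxied target; it does not evaluate what the request path can contain, so a clean report is no substitute for upgrading once Apache ships the fix.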

References:

http://httpd.apache.org/download.cgi

http://thread.gmane.org/gmane.comp.apache.devel/46440

http://threatpost.com/en_us/blogs/new-apache-reverse-proxy-issue-uncovered-112611

https://community.qualys.com/blogs/securitylabs/2011/11/23/apache-reverse-proxy-bypass-issue

http://www.techworld.com.au/article/408532/unpatched_apache_reverse_proxy_flaw_allows_access_internal_network/

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3368

http://www.apachetutor.org/admin/reverseproxies

A Picture is Worth a Thousand Vulnerabilities, by Daniel Cabarcos, SOC Analyst

Recent discoveries of malicious links coming from Brazil have revealed block cipher encrypted code embedded in images. The discovery is assumed to be the first of its kind coming from the Latin American region. The art of hiding information in images is nothing new and in fact has been practiced for hundreds, if not thousands, of years. The difference is that when our ancestors hid secret encrypted codes in images, it was intended for a particular person or party. These days, it is more common to use the secret code hidden within images for malicious intent. For example, if I were to ask you to identify the image below, you would tell me that it's the famous Mona Lisa painting by Leonardo da Vinci. Then I would ask if you knew that the original 500-year-old painting contains hidden letters in each of her eyes which are only visible under a microscope. Chances are your response would be "no".

This Latin American attack used .bmp image files to hide the malicious code instead of artwork or a random picture. This era's way of hiding code in an image can make it very dangerous for whoever downloads the image, by having them install malicious programs without their knowledge. This is because the code or message is not hidden in the visible picture, but rather within a layer inside the computer code that makes up the image. The malware installs by using several files, the first being the image with the hidden encrypted code. Afterward, an .exe file that is also encrypted and contains the instructions for installing the malware on the infected host is run, allowing a total of 8 encrypted files to pass right by the anti-virus safeguards.

The malware has been named "Trojan-Banker.Win32.Delf.vh" and originated from Brazilian-hosted sites. It looks like the authors of this malware are publishing new malware on new hosted sites, which would make it hard to pinpoint. However, the encryption algorithm has remained the same, enabling antivirus software to easily identify it. The person credited with discovering this sneaky attack is Dmitry Bestuzhev of Kaspersky Lab.
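One simple way defenders spot a carrier image of this kind is to compare what the BMP headers account for with what is actually on disk. The added Python below (an illustration, not Kaspersky's detection logic) builds a small constructed BMP, appends a constructed high-entropy blob standing in for an encrypted payload, and reports any trailing bytes beyond the pixel array together with their Shannon entropy.

```python
import math
import struct
from collections import Counter


def build_bmp(width, height, pixel):
    """Construct a minimal 24-bit BMP (BITMAPFILEHEADER + BITMAPINFOHEADER)
    filled with a single colour. Used only to make a clean sample for the check."""
    row = bytes(pixel) * width
    row += b"\x00" * ((4 - len(row) % 4) % 4)  # each pixel row is padded to 4 bytes
    pixels = row * height
    off_bits = 14 + 40
    file_header = struct.pack("<2sIHHI", b"BM", off_bits + len(pixels), 0, 0, off_bits)
    dib_header = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0,
                             len(pixels), 2835, 2835, 0, 0)
    return file_header + dib_header + pixels


def shannon_entropy(data):
    """Bits per byte; uniformly random or well-encrypted data approaches 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def inspect_bmp(blob):
    """Report bytes that sit beyond the pixel array the headers describe."""
    if blob[:2] != b"BM" or len(blob) < 54:
        raise ValueError("not a BMP file")
    declared_size = struct.unpack_from("<I", blob, 2)[0]
    off_bits = struct.unpack_from("<I", blob, 10)[0]
    width, height = struct.unpack_from("<ii", blob, 18)
    bits_per_pixel = struct.unpack_from("<H", blob, 28)[0]
    row_bytes = ((width * bits_per_pixel + 31) // 32) * 4
    expected_end = off_bits + row_bytes * abs(height)  # negative height = top-down image
    trailing = blob[expected_end:]
    return {
        "declared_size": declared_size,
        "actual_size": len(blob),
        "trailing_bytes": len(trailing),
        "trailing_entropy": round(shannon_entropy(trailing), 2),
    }


# Constructed samples: a clean 4x4 white image, and the same image with a
# 1024-byte blob appended (every byte value four times, standing in for ciphertext).
CLEAN_BMP = build_bmp(4, 4, (255, 255, 255))
PAYLOAD = bytes(range(256)) * 4
SUSPECT_BMP = CLEAN_BMP + PAYLOAD

if __name__ == "__main__":
    print("clean  :", inspect_bmp(CLEAN_BMP))
    print("suspect:", inspect_bmp(SUSPECT_BMP))
```

A trailing block whose entropy sits near 8 bits per byte is what ciphertext or compressed data looks like, and it is the pattern that lets an image carry a payload while still rendering normally. This check only covers data appended past the pixel array; a payload written into the low bits of the pixels themselves leaves the sizes consistent and needs statistical analysis of the pixel data instead.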

Images released by Dmitry of the block cipher encrypted bmp image.

And here is the decryption of the code.

Now this is what the script would look like.

This is an amazing find and shows how dangerous a picture can potentially be. The saying "a picture is worth a thousand words" is very true, and yet it takes on a new meaning in this era. One topic I will touch on in the future is images listed on Google when searching by image. There are so many images that have the same resolution but differ in size by only a few bytes, which makes me wonder how many images might be infected or have hidden messages.

References:

http://www.telegraph.co.uk/culture/art/art-news/8197896/Mona-Lisa-painting-contains-hidden-code.html

http://krebsonsecurity.com/2011/05/scammers-swap-google-images-for-malware/

http://www.securelist.com/en/blog/208193235/Steganography_or_encryption_in_bankers