Buying Peace of Mind with StillSecure and Hostway

We all have tasks we should work on but for some reason, they never seem to reach the top of the pile. In our personal lives, this can be anything from cleaning the oven to picking up the dry cleaning. In our work lives, these projects usually include things like expense reports, low priority emails, or calls back to vendors – which are usually left undone for weeks, months, or never.

Similarly, there’s also a very important task that many businesses know they should work on but for some reason never reaches the top of the pile: securing their IT resources.

We know from all the big stories around hacking, fraud, and identity theft in the media in the past couple of years that we need to secure our IT resources, but network security is complex and requires 24×7 vigilance if it’s to be done right.

So the issue is not really a matter of getting around to it: it’s a matter of not knowing where to start. Very few of us are willing to go study network security best practices for years so we can do work that’s not contributing to the bottom line.

You can hire someone to pick up your dry cleaning and clean your oven. If you’re fortunate enough, you have an administrative assistant to take on your expense reports and respond to vendors. Fortunately, you can also hire experts to secure your IT resources, and for a fraction of the cost it would take for you to do it as effectively.

Hiring someone to pick up your dry cleaning, clean your oven, or even fill out your expense reports requires a certain amount of your time to manage the process, so it’s not truly bother-free, though it is a big help and ensures those simple tasks get done in relatively short order.

Let’s look at our new partnership with Hostway: when a customer uses its Managed Security Service (MSS) offerings, delivered by StillSecure, we set up the service according to their wishes, and then they can have as much or as little interaction with the process as they like.

Aaron Hollobaugh, a VP at Hostway, put it best, I think, when talking about the needs of Hostway’s more than 600,000 customers, each of whom depends on Hostway for vastly different security requirements. He said: “Not all of our customers need the same security solutions – some don’t need compliancy and many are unwilling to double their monthly costs with a dedicated security appliance. A partnership with StillSecure allows us to offer flexible options that can be tailored to each customer’s environment, including multiple packages that take advantage of StillSecure’s multi-tenant platform to dramatically lower costs.”

What it comes down to is — do you want to be awakened by a phone call in the middle of the night when an intruder attacks your system? Or do you want to sleep through the event, knowing the attack was stopped before it could do any damage by StillSecure’s 24×7 Security Operations Center, blissfully unaware of the issue until you get your email in the morning? You can have it either way and change it when you want.

We offer more than just customizable and sophisticated technology to Hostway because we understand that we need to go beyond a host-based firewall and ssh. The MSS offerings from Hostway and StillSecure include firewall, SSL or IPSEC VPN, intrusion prevention, log management, file integrity monitoring, web application firewall, content filtering, vulnerability scanning and more. If you’re facing a PCI audit, we can even help you to succeed and keep costs low by helping to meet some of the more onerous requirements and working with your auditor to help you through the process. We’ll help you stay in compliance throughout the year, so your annual visit from the auditor goes as smoothly and quickly as possible.

The bottom line is that there’s no reason why your IT assets need to go unprotected when you can have hassle-free world class protection at a small monthly price.

DOS using BIND DNS, by Sean Steadman, SOC Analyst

A recently discovered 0-day has been causing mayhem for organizations everywhere that host domains. The issue is a vulnerability in the popular DNS server software BIND that causes DNS servers to crash and interrupts service: BIND versions with this vulnerability become unable to answer DNS requests for your hosted domains. BIND 9 attempts to cache an invalid record, and continued queries for that record then crash the resolver with an assertion failure. Evidence of this is a log entry from query.c with the following message: “INSIST(! dns_rdataset_isassociated(sigrdataset))”. The Internet Systems Consortium is working on determining the root cause by which a record with this particular inconsistency gets cached.

Affected versions are BIND 9.0.x – 9.5.x, 9.4-ESV – 9.4-ESV-R5, 9.6-ESV – 9.6-ESV-R5, 9.7.0 – 9.7.4 and 9.8.0 – 9.8.1. Currently there is no workaround, and the only way to prevent the issue is to upgrade to one of these patched versions: BIND 9.8.1-P1, 9.7.4-P1, 9.6-ESV-R5-P1 or 9.4-ESV-R5-P1. The patch consists of two components. The first prevents the cache from returning the inconsistent data; the second prevents named from crashing if it detects that it has been given an inconsistent answer of this nature.
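A small helper for checking a resolver against the version ranges listed above and for spotting the assertion message in named’s logs. This is an added example, not code from the post or from ISC; the version strings and log lines it uses are constructed.

```python
"""Check named version strings against the affected ranges listed above and
scan log lines for the assertion message the post quotes.  Added example, not
code from the post or from ISC; the sample version strings and log lines are
constructed."""
import re

# Affected ranges from the post as (low, high, fixed_p): versions from low to
# high inclusive are affected, except that release `high` with a -P level of at
# least fixed_p is the patched build.  9.0.x - 9.5.x have no patched build listed.
AFFECTED = [
    ((9, 0, 0), (9, 5, 999), None),   # 9.0.x - 9.5.x
    ((9, 7, 0), (9, 7, 4), 1),        # 9.7.0 - 9.7.4, fixed in 9.7.4-P1
    ((9, 8, 0), (9, 8, 1), 1),        # 9.8.0 - 9.8.1, fixed in 9.8.1-P1
]
# ESV branches: (last affected R number, -P level that fixes it)
AFFECTED_ESV = {(9, 4): (5, 1), (9, 6): (5, 1)}   # 9.4-ESV..R5, 9.6-ESV..R5

VERSION_RE = re.compile(
    r"^(?P<maj>\d+)\.(?P<min>\d+)(?:\.(?P<patch>\d+))?"
    r"(?P<esv>-ESV(?:-R(?P<r>\d+))?)?(?:-P(?P<p>\d+))?$")

def parse_version(text):
    """Return (major, minor, patch, esv_r, p); esv_r is None for non-ESV builds."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError("unrecognised BIND version: %r" % text)
    g = m.groupdict()
    esv_r = int(g["r"] or 0) if g["esv"] else None
    return int(g["maj"]), int(g["min"]), int(g["patch"] or 0), esv_r, int(g["p"] or 0)

def is_affected(version):
    """True if `version` falls inside one of the ranges the post lists."""
    maj, mnr, patch, esv_r, p = parse_version(version)
    if esv_r is not None:
        branch = AFFECTED_ESV.get((maj, mnr))
        if branch is None:
            return False
        last_r, fixed_p = branch
        return esv_r < last_r or (esv_r == last_r and p < fixed_p)
    v = (maj, mnr, patch)
    for low, high, fixed_p in AFFECTED:
        if low <= v <= high:
            return not (fixed_p is not None and v == high and p >= fixed_p)
    return False

INSIST_SIG = "INSIST(! dns_rdataset_isassociated(sigrdataset))"

def find_assertion_crashes(log_lines):
    """Return the log lines that carry the query.c assertion failure."""
    return [ln for ln in log_lines if "query.c" in ln and INSIST_SIG in ln]

# Constructed sample log; NNNN stands in for the source line number named prints.
SAMPLE_LOG = [
    "Nov 16 10:02:11 ns1 named[1234]: query.c:NNNN: " + INSIST_SIG + " failed",
    "Nov 16 10:02:11 ns1 named[1234]: exiting (due to assertion failure)",
    "Nov 16 10:05:02 ns1 named[1301]: starting BIND 9.8.1-P1",
]

if __name__ == "__main__":
    for v in ("9.8.1", "9.8.1-P1", "9.7.3-P3", "9.6-ESV-R5", "9.6-ESV-R5-P1", "9.4-ESV", "9.8.2"):
        print(v, "AFFECTED" if is_affected(v) else "not affected")
    for ln in find_assertion_crashes(SAMPLE_LOG):
        print("crash evidence:", ln)
```

Feed it the output of `named -v` and the relevant syslog lines; versions later than those the post lists are reported as not affected simply because the post does not list them.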

The reverse proxy vulnerability affecting Apache, by Rory Smith, SOC Analyst

Once again Apache is up for discussion, as another bug, similar in nature to CVE-2011-3368 (identified on 10/05/2011), has been sighted in the wild. The vulnerability targets networks that use the reverse proxy feature provided by Apache. With a reverse proxy, a Web server can mirror another, serving content from the back-end server and improving performance through caching; reverse proxies are also used for load balancing. The newly discovered vulnerability, present when the reverse proxy feature of Apache HTTPD is used, allows an attacker to access otherwise unreachable systems on the internal network. It was discovered by Prutha Parikh, is tracked as CVE-2011-4317, and can be exploited with crafted requests against the current stable, fully patched Apache (version 2.2.21) Web server.

The vulnerability is caused by the mod_proxy module which, when configured improperly in reverse proxy mode, lets an attacker send requests to various servers behind the proxy. In the proof of concept demonstrations, Prutha configures a RewriteRule and a ProxyPassMatch rule that leave the system vulnerable, as seen below:

[Image: the vulnerable RewriteRule and ProxyPassMatch rules from the proof of concept]

Viewing the rule in question, the vulnerability lies in the $1. If this rule is left in place and an attacker crafts a request such as “GET @localhost::<PORT> HTTP/1.0\r\n\r\n”, everything after the initial colon is appended to the host in question, i.e. :8880, which results in http://10.40.2.159:8880. Therefore, as shown in the proof of concept, sending that crafted request made the fully patched Apache server return http://10.40.2.159 on port 8880 to the user. Applying the same logic, an attacker could use the exploit to reach ports that are otherwise inaccessible externally.

The developers of Apache have acknowledged the vulnerability; however, no patch has been released to address the issue at the moment. As a workaround, modifying the rewrite rule to include a “/” between the host and $1 prevents the system from being vulnerable to this exploit.
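A config linter for the weak rule shape described above (a proxy target whose host is immediately followed by $1) next to the hardened form with the “/” inserted. This is an added example, not Apache code or the analyst’s proof of concept; the configuration lines it scans are constructed, reusing the 10.40.2.159 back-end address from the post.

```python
"""Flag RewriteRule / ProxyPassMatch directives whose proxy target puts a
captured group straight after the host (no "/" between host and $1), and
show the hardened form.  Added example, not Apache's own code nor the
analyst's proof of concept; the config below is constructed."""
import re

# Target URL whose host (or host:port) is immediately followed by a back-reference.
#   matches:  http://10.40.2.159$1     https://backend:8080$1
#   passes:   http://10.40.2.159/$1    https://backend:8080/$1
BAD_TARGET = re.compile(r"^https?://[^/\s]+\$\d")
# RewriteRule flag field containing the proxy flag, e.g. [P] or [P,L] or [proxy]
PROXY_FLAG = re.compile(r"\[[^\]]*\b(?:P|proxy)\b[^\]]*\]")

def proxy_target(line):
    """Return the target URL of a reverse-proxy directive, or None for other lines."""
    parts = line.strip().split()
    if not parts or parts[0].startswith("#"):
        return None
    if parts[0] == "ProxyPassMatch" and len(parts) >= 3:
        return parts[2]
    if parts[0] == "RewriteRule" and len(parts) >= 4 and PROXY_FLAG.search(parts[3]):
        return parts[2]
    return None

def lint_reverse_proxy(config_text):
    """Return (line_number, line) for every directive using the weak target form."""
    findings = []
    for num, line in enumerate(config_text.splitlines(), 1):
        target = proxy_target(line)
        if target and BAD_TARGET.match(target):
            findings.append((num, line.strip()))
    return findings

def harden_target(target):
    """Insert the "/" between host and back-reference; already-safe targets are unchanged."""
    return re.sub(r"^(https?://[^/\s]+)(\$\d)", r"\1/\2", target)

# Constructed sample httpd configuration (lines 3 and 4 carry the weak form).
SAMPLE_CONFIG = """\
# constructed sample; 10.40.2.159 is the back-end address used in the post
RewriteEngine On
RewriteRule ^(.*) http://10.40.2.159$1 [P]
ProxyPassMatch ^(.*) http://10.40.2.159$1
ProxyPassMatch ^/api/(.*) http://10.40.2.159/$1
RewriteRule ^/old/(.*) http://www.example.com/new/$1 [R=301,L]
"""

if __name__ == "__main__":
    for num, line in lint_reverse_proxy(SAMPLE_CONFIG):
        target = proxy_target(line)
        print("line %d: %s\n    suggested target: %s" % (num, line, harden_target(target)))
```

The linter only reads one directive per line and looks at the target field, so rules assembled from Apache variables or spread over continuation lines need a manual look.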


References:

http://httpd.apache.org/download.cgi

http://thread.gmane.org/gmane.comp.apache.devel/46440

http://threatpost.com/en_us/blogs/new-apache-reverse-proxy-issue-uncovered-112611

https://community.qualys.com/blogs/securitylabs/2011/11/23/apache-reverse-proxy-bypass-issue

http://www.techworld.com.au/article/408532/unpatched_apache_reverse_proxy_flaw_allows_access_internal_network/

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3368

http://www.apachetutor.org/admin/reverseproxies

A Picture is Worth a Thousand Vulnerabilities, by Daniel Cabarcos, SOC Analyst

Recent discoveries in malicious links coming from Brazil have shown hidden block cipher code embedded in images. The discovery is assumed to be the first of its kind coming from the Latin American region. The art of hiding information in images is nothing new and in fact has been practiced for hundreds, if not thousands, of years. The difference is that when our ancestors hid secret encrypted codes in images, it was intended for a particular person or party. These days, it is more common to use the secret code hidden within images for malicious intent. For example, if I were to ask you to identify the image below, you would tell me that it’s the famous Mona Lisa painting by Leonardo Da Vinci. Then, I would proceed by asking if you knew that the original 500 year old painting contained hidden letters in each of her eyes which are only visible under a microscope. Chances are your response would be, “no”.

This Latin American attack used .bmp image files to hide the malicious code content instead of artwork or a random picture. This era’s way of hiding code in an image can make it very dangerous for whoever downloads the image, since it can have them install malicious programs without their knowledge. This is because the code or message is not hidden in the visible picture, but rather within a layer inside the computer code that makes up the image. The malware installs by using several files, the first being the image with the hidden encrypted code. Afterward, an .exe file that is also encrypted and contains the instructions for installing the malware on the infected host is run, allowing a total of 8 encrypted files to pass right by the anti-virus safeguards.

The malware has been named “Trojan-Banker.Win32.Delf.vh” and originated from Brazilian-hosted sites. It looks like the authors of this malware are publishing new variants on new hosted sites, which makes it hard to pinpoint. However, the encryption algorithm has remained the same, enabling antivirus software to identify it easily. The person credited with discovering this sneaky attack is Dmitry Bestuzhev of Kaspersky Lab.

Images released by Dmitry of the block-cipher-encrypted bmp image: [image not reproduced]

And here is the decryption of the code: [image not reproduced]

Now this is what the script would look like: [image not reproduced]

This is an amazing find and shows how dangerous a picture can potentially be. The saying “a picture is worth a thousand words” is very true and yet it takes on a new meaning in this era. One topic I will touch on in the future is images listed on Google when searching by image. There are so many images that have the same resolution but differ in size by only a few bytes. This makes me wonder how many images might be infected or have hidden messages.
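The paragraphs above describe a payload riding inside the file rather than in the visible picture, and the size differences between otherwise identical images. One simple defender-side check for both is to compare a .bmp’s real length with what its headers account for. This is an added example, not from the post or from Kaspersky’s analysis; it assumes the payload is appended after the pixel data (the post does not say where in the file the Brazilian samples kept theirs), and both sample images are constructed in memory.

```python
"""Compare a .bmp's real length with what its headers account for, one simple
way to spot an image that carries more than its picture.  Added example, not
from the post or from Kaspersky's analysis; it assumes an appended payload (the
post does not say where the real samples stored theirs) and builds its sample
images in memory."""
import struct

def parse_bmp(data):
    """Return declared file size, pixel-data offset and pixel-data size from the headers."""
    if len(data) < 38 or data[:2] != b"BM":
        raise ValueError("not a BMP file")
    file_size, pixel_offset = struct.unpack_from("<I4xI", data, 2)   # BITMAPFILEHEADER
    dib_size = struct.unpack_from("<I", data, 14)[0]
    if dib_size < 40:                                                 # BITMAPINFOHEADER or newer
        raise ValueError("unsupported DIB header size %d" % dib_size)
    width, height, _planes, bpp, _comp, image_size = struct.unpack_from("<iiHHII", data, 18)
    if image_size == 0:                          # legal for uncompressed images: derive it
        row_bytes = (width * bpp + 31) // 32 * 4 # rows are padded to 4-byte multiples
        image_size = row_bytes * abs(height)
    return {"file_size": file_size, "pixel_offset": pixel_offset, "image_size": image_size}

def inspect_bmp(data):
    """Report bytes past the pixel data and whether the declared file size is honest.

    An appended payload shows up as trailing bytes.  A sloppy one also leaves the
    header's file size stale; an attacker can correct that field, but hiding the
    trailing bytes would also require inflating image_size, so both are reported."""
    h = parse_bmp(data)
    expected_end = h["pixel_offset"] + h["image_size"]
    return {"trailing_bytes": max(0, len(data) - expected_end),
            "declared_size_matches": h["file_size"] == len(data)}

def make_bmp(width, height, pixels, declare_image_size=True):
    """Build a 24-bit uncompressed BMP around pre-padded pixel rows (constructed sample)."""
    header_len = 14 + 40
    file_hdr = b"BM" + struct.pack("<IHHI", header_len + len(pixels), 0, 0, header_len)
    dib_hdr = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0,
                          len(pixels) if declare_image_size else 0, 2835, 2835, 0, 0)
    return file_hdr + dib_hdr + pixels

# 2x2 image: each 24-bit row is 6 bytes of colour padded to 8.
CLEAN_BMP = make_bmp(2, 2, bytes([255, 0, 0, 0, 255, 0, 0, 0] * 2))
PAYLOAD = b"<constructed stand-in for an appended encrypted blob>"
TAINTED_BMP = CLEAN_BMP + PAYLOAD

if __name__ == "__main__":
    for name, img in (("clean", CLEAN_BMP), ("tainted", TAINTED_BMP)):
        print(name, inspect_bmp(img))
```

A payload hidden inside the pixel values themselves (true steganography) leaves no trailing bytes, so this catches the appended case only; for real files, run inspect_bmp over the bytes of each .bmp and triage anything with trailing_bytes > 0.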

References:

http://www.telegraph.co.uk/culture/art/art-news/8197896/Mona-Lisa-painting-contains-hidden-code.html

http://krebsonsecurity.com/2011/05/scammers-swap-google-images-for-malware/

http://www.securelist.com/en/blog/208193235/Steganography_or_encryption_in_bankers

The Era of the Hacker, by Miguel Brito, SOC Analyst

Forbes recently released an article entitled “The Cybercrime Boom: It’s A Good Time to Be a Hacker”, and unless you are completely oblivious to the direction technology has been heading for the past several years now, you should agree that it is indeed, a good time to be a hacker.

It seems like just about every single electronic product one can purchase these days is Wi-Fi capable in some way, shape or form. Even automobile manufacturers have begun to include features enabling passengers to browse the Internet, so it’s only a matter of time before we’re social networking from our cars. One might assume that, given the ridiculous degree of exposure we as people living in the age of the Internet are given, pretty much everyone, even those who aren’t necessarily “technologically savvy”, would be aware of the dangers associated with the World Wide Web by now.

Sadly, it appears that many people still don’t get the picture, despite the fact that almost every other day there’s a new report of some sort of security incident or breach, or of how the number of security threats our mobile devices are exposed to continues to grow exponentially. Regardless of all this knowledge, many somehow still overlook security, a fact that you can be sure all hackers are well aware of. The risks created by businesses, governments, schools, healthcare, and financial institutions in their attempts to meet their customers’ needs have already made a vast majority of sensitive data accessible via the Internet and, by extension, vulnerable to attack.

The increasing use of smart phones, tablet PCs, and other mobile devices, while often convenient, has also increased the number of platforms susceptible to attack. A recent study released by Juniper Networks found a 250 percent increase in malware targeting smart phones from 2009 to 2010, and a 400 percent increase in Android malware since this past summer alone. We all know technology is becoming both more powerful and more affordable each day. We can also agree that today’s hackers are much more sophisticated than ever. Now, add to that equation the world’s many struggling economies and what we have are sophisticated and hungry hackers, armed with some of the latest and greatest technology.

Due to the lack of attention users pay to securing their mobile devices, many hackers have been taking advantage of the lucrative opportunities in this area. One of the typical scams works by tricking the user into downloading an app designed to send premium rate text messages without the user even knowing, until they take a look at their bill. Remember also that the users who fall victim to apps containing malicious software masquerading as a reputable app or a popular game run the risk of causing headaches for us IT professionals, as we have to struggle with these users introducing their infected devices to our networks.

In summation, you really are not as safe as you think you are, so always exercise caution and common sense when using your mobile devices.  That is, if you want to make it harder for today’s hacker to make a buck or two off of you!

References

http://www.forbes.com/sites/ciocentral/2011/11/06/the-cybercrime-boom-its-a-good-time-to-be-a-hacker/

http://www.bbc.co.uk/news/uk-15600697


Duqu: A Breakdown, by Diego Ramirez, SOC Analyst

Duqu is the latest worm making noise in security circles and mainstream media. What’s interesting is how much we still don’t know about it. Even virus and malware researchers at Symantec and McAfee can’t seem to agree on the specific goal or exact purpose of Duqu. The alarming thing is not only its modular design and potential to be deployed easily with pinpoint accuracy, but its capacity for stealth and modification, which presents a significant challenge for the IT security sector.

The worm is composed of two independent modules. The primary module is responsible for installation and deployment, similar to the Stuxnet worm, which attacked an Iranian nuclear centrifuge control system last year. Most researchers believe Duqu at a minimum reused Stuxnet source code, if not some of the same team. The secondary module is a separate component, with initial findings showing low association with the main module. While the secondary module seen so far has been a key logger, theoretically it can be replaced with any payload.

The key logger initially triggered antivirus software, although the main module passed undetected. Luckily, those findings quickly led to the discovery of the main module by researchers. There seems to be a split among researchers over whether this will attack industrial control systems or be used more for information reconnaissance. The fact that the secondary module was a key logger, and that the first targets may have been certificate authorities, is alarming, especially with a perceived rise in similar cyber-attacks against CAs in general. Currently it is unclear how long Duqu has been in the wild, and the discovery of its use as a reconnaissance tool, in combination with current threats against CAs, raises serious concern as to the existing level of exploitation.

As of this writing, a command and control server in India has been identified and blacklisted by its ISP. Virus and IDPS signatures for the first variants of this worm have been released. As researchers continue to investigate, I don’t believe we have heard the last of this.

References:

Duqu

http://threatpost.com/en_us/blogs/mystery-duqu-102011

http://www.computerworld.com/s/article/9221028/Symantec_McAfee_differ_on_Duqu_threat

http://blogs.mcafee.com/mcafee-labs/the-day-of-the-golden-jackal-%e2%80%93-further-tales-of-the-stuxnet-files

http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_duqu_the_precursor_to_the_next_stuxnet_research.pdf

http://www.darkreading.com/advanced-threats/167901091/security/attacks-breaches/231901226/waiting-for-son-of-stuxnet-to-attack.html

Certificate Authority attacks

https://www.infosecisland.com/blogview/16383-Hacked-Certificate-Authorities-Nothing-Left-to-Trust.html

http://www.darkreading.com/authentication/167901072/security/attacks-breaches/231600498/digital-certificate-authority-hacked-dozens-of-phony-digital-certificates-issued.html

DHCP Snooping, by Ben Eichorst, Security Engineer

DHCP snooping is a relatively new feature that exists in most switch feature sets. While it may have different names from one switch vendor to another, the concept remains the same. DHCP snooping allows network administrators to force the allocation of IP space on specific switch ports to only be provisioned through DHCP from an approved DHCP vendor in the network. DHCP snooping assists administrators with endpoint IP allocation and network protection from rogue DHCP servers without disrupting how users view IP address space.

This relatively new feature has a number of benefits. First, by protecting against static IP assignment, administrators are able to track endpoints connecting to switch access ports through vended DHCP leases. Secondly, this feature can prevent IP conflicts from developing in DHCP IP space due to users statically assigning a previously vended DHCP address. Preventing unwanted static IP addresses helps secure your network and also allows for newer security technologies like Network Access Control (NAC) to function smoothly.

While DHCP snooping can protect against endpoints connecting to the network with a static IP, it can also protect your network from rogue DHCP servers. A few years ago, a couple of wireless access points had a bug where the wired interface would start responding to DHCP requests and vending out IP space that was designated for wireless users. Back then, the only way to protect against this was fine grained allocation of subnets and VLANs as well as significant manual labor to isolate the device and shut off the offending port. Today, with DHCP snooping, DHCP responses vended from unauthorized DHCP sources in the network are considered invalid and endpoints with bogus IP addresses are not allowed to access the network.

Network security must always be balanced with network usability. For users requiring a consistent IP address while DHCP snooping is in use, DHCP reservations are recommended. This not only allows for centralized tracking, but also administratively designated IP allocation. A consistent IP can be changed simply by altering the IP address reserved for a given MAC address in the DHCP server. Alternatively, you could also selectively disable DHCP snooping on a port by port basis.

DHCP snooping enables administrators to protect against unwanted static IP assignment, protect their networks from rogue DHCP servers, and centralize IP address management and assignment for easier use and management. It also works hand in hand with NAC products to deliver a secure and easy alternative for layer 3 enforcement of network compliance policy.

Note that in some cases (citing Cisco here), DHCP snooping will have to be enabled with “DHCP snooping MAC address verification” to perform packet level verification matching to ensure that all packets are sent with the MAC address to which DHCP was assigned.
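To make the mechanics above concrete, here is a small model of a snooping switch: trusted and untrusted ports, a binding table filled from vended leases, server replies dropped on access ports, frames from never-vended addresses blocked, and the MAC-verification option just mentioned. This is an added example and a deliberate simplification, not any vendor’s implementation; port names, MAC addresses and the DHCP exchange are constructed.

```python
"""Model of the DHCP snooping behaviour described in the post: trusted vs.
untrusted ports, a binding table built from leases, rogue server replies
dropped, traffic from non-vended addresses blocked, and optional MAC
verification.  Added example, a simplified model rather than any vendor's
code; every port name, MAC and packet below is constructed."""
from dataclasses import dataclass, field

@dataclass
class Dhcp:
    """The DHCP fields the model looks at; chaddr is the client hardware address."""
    op: str           # DISCOVER/REQUEST come from clients, OFFER/ACK from servers
    chaddr: str
    yiaddr: str = ""  # address being assigned; present in OFFER/ACK only

@dataclass
class SnoopingSwitch:
    trusted_ports: set                   # uplinks / ports facing the approved DHCP server
    verify_mac: bool = False             # the Cisco "MAC address verification" option
    bindings: dict = field(default_factory=dict)  # (vlan, mac) -> (ip, client port)
    pending: dict = field(default_factory=dict)   # (vlan, mac) -> port of last REQUEST
    log: list = field(default_factory=list)

    def dhcp(self, port, vlan, src_mac, msg):
        """Apply snooping rules to a DHCP message; returns True if it is forwarded."""
        trusted = port in self.trusted_ports
        if msg.op in ("OFFER", "ACK"):
            if not trusted:                       # server reply arriving on an access port
                self.log.append(f"dropped rogue {msg.op} from {src_mac} on {port}")
                return False
            if msg.op == "ACK":                   # lease granted: record the binding
                client_port = self.pending.pop((vlan, msg.chaddr), None)
                if client_port:
                    self.bindings[(vlan, msg.chaddr)] = (msg.yiaddr, client_port)
            return True
        if not trusted and self.verify_mac and msg.chaddr != src_mac:
            self.log.append(f"dropped {msg.op}: chaddr {msg.chaddr} != source {src_mac}")
            return False
        if msg.op == "REQUEST":
            self.pending[(vlan, msg.chaddr)] = port
        return True

    def ip_packet(self, port, vlan, src_mac, src_ip):
        """Permit an IP frame from an access port only if it matches a binding."""
        if port in self.trusted_ports:
            return True
        if self.bindings.get((vlan, src_mac)) == (src_ip, port):
            return True
        self.log.append(f"blocked {src_ip} ({src_mac}) on {port}: no DHCP binding")
        return False

def demo():
    """Walk through the cases the post describes; returns the switch and three verdicts."""
    sw = SnoopingSwitch(trusted_ports={"Gi1/0/24"}, verify_mac=True)
    client, server = "aa:aa:aa:aa:aa:01", "00:00:5e:00:53:01"
    # 1. a legitimate lease: client on Gi1/0/1, approved server behind the trusted uplink
    sw.dhcp("Gi1/0/1", 10, client, Dhcp("DISCOVER", client))
    sw.dhcp("Gi1/0/24", 10, server, Dhcp("OFFER", client, "10.0.10.50"))
    sw.dhcp("Gi1/0/1", 10, client, Dhcp("REQUEST", client))
    sw.dhcp("Gi1/0/24", 10, server, Dhcp("ACK", client, "10.0.10.50"))
    # 2. an access point's wired side answering DHCP (the rogue-server case)
    rogue = sw.dhcp("Gi1/0/7", 10, "aa:aa:aa:aa:aa:07", Dhcp("OFFER", "aa:aa:aa:aa:aa:02", "192.168.1.5"))
    # 3. a host using a static address it was never vended
    static = sw.ip_packet("Gi1/0/2", 10, "aa:aa:aa:aa:aa:02", "10.0.10.51")
    # 4. a DISCOVER whose chaddr does not match the frame's source MAC
    spoof = sw.dhcp("Gi1/0/3", 10, "aa:aa:aa:aa:aa:03", Dhcp("DISCOVER", "aa:aa:aa:aa:aa:99"))
    return sw, rogue, static, spoof

if __name__ == "__main__":
    sw, *_ = demo()
    print("\n".join(sw.log))
```

The per-port enforcement of the binding table is what Cisco sells separately as IP Source Guard; the post folds it into the DHCP snooping feature, and the model does the same.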

Using QR Codes to infect Android smartphones, by Joshua Roback, SOC Supervisor

One of the latest interactive marketing trends has centered on the use of QR codes. A QR code is a small, square, barcode-like image which, when scanned by a QR code scanner, can perform instructions on a smart phone. Most of these codes send the user’s smart phone web browser to the creator’s website, where additional information is available about their product or service.

Researchers have found certain codes that, when scanned, redirect an Android browser to a malicious site that installs a Trojan virus that has been specifically created for Android devices.  These Trojans can perform a number of operations, such as track user usage information, automatically send out SMS messages, or install custom applications which allow the smart phone to be managed remotely by the attacker.

Many of these malicious sites place a malicious app on the smart phone itself.  With that in mind, it is important to install a mobile anti-virus solution if the user must allow downloads from unknown sources.

The Challenges of Cloud Security Below 10,000 Feet, by Wendy Nather, Research Director, Enterprise Security Practice at The 451 Group

If you’re a large enterprise, you’re in pretty good shape for the cloud:  you know what kind of security you want and need, you have security staff who can validate what you’re getting from the provider, and you can hold up your end of the deal – since it takes both customer and provider working together to build a complete security program.  Most of the security providers out there are building for you, because that’s where the money is; and they’re eager to work on scaling up to meet the requirements for your big business.  If you want custom security clauses in a contract, chances are, you’ll get them.

But at the other end of the scale there are the cloud customers I refer to as being “below the security poverty line.”  These are the small shops (like your doctor’s medical practice) that may not have an IT staff at all.  These small businesses tend to be very dependent on third party providers, and when it comes to security, they have no way to know what they need.  Do they really need DLP, a web application firewall, single sign-on, log management, and all the premium security bells and whistles?  Even if you gave them a free appliance or a dedicated firewall VM, they wouldn’t know what to do with it or have anyone to run it.

And when a small business has only a couple of servers in a decommissioned restroom*, the provider may be able to move them to their cloud, but it may not be able to scale a security solution down far enough to make it simple to run and cost-effective for either side.  This is the great challenge today:  to make cloud security both effective and affordable, both above and below 10,000 feet, no matter whether you’re flying a jumbo airliner or a Cessna.

*True story. I had to run some there.

Streamlining Security for Cloud Environments, by Duke Skarda — Chief Technology Officer for SoftLayer

One of the biggest challenges and roadblocks to realizing the full potential of cloud computing is security. All the benefits of sharing IT infrastructure go out the window unless issues of privacy and data integrity are addressed. Security breaches are costly—both financially and in terms of credibility. That’s why SoftLayer is working with StillSecure to deliver its managed security services, which include intrusion detection and prevention, Web application firewall, log management, and other applications, through our Technology Partners Marketplace.

Today, we’re the first to offer StillSecure’s New Cloud Security Monitoring Service (SMS) application free of charge for CloudLayer and Dedicated customers. StillSecure’s Cloud SMS is a host-based firewall management solution that places a small agent on the virtual instance or dedicated server and provides an easy-to-use Web-based UI allowing users to search for the right ports and protocols to block or allow. This saves an incredible amount of time by automating and streamlining the security process.

We’re excited to be bringing these types of solutions to a broader mainstream audience. Working with StillSecure has given us additional security capabilities for both cloud and dedicated server environments. It’s about bringing value to our customers who are looking for a less complex way to secure their physical, virtual, or cloud-based IT resources. We think we have a “winner” with StillSecure! Let us know what you think.