Enterprise Application Whitelisting
Posted by Mario Vuksan on Tue, Aug 19, 2008
Vista Enterprise rollouts seem to be hitting a significant snag, according to Devil Mountain Software, with 35% of Windows VISTA installs being uninstalled in favor of Windows XP. HP & Dell have been downgrading new Vista machines to XP in response to customer demands. Even though Microsoft no longer supports XP, HP & Dell will allow customers to downgrade to XP until July of 2009. Still, a sample of 3,000 machines is not a very convincing statistic. There are more than 200 million desktops and laptops shipped annually, and the vast majority of them carry the latest Microsoft OS of record, VISTA. Hence, we need to question results based on a sample of less than 0.0015% of that population. Bit9's experience speaks to the contrary. Even though the adoption of VISTA is slow and the migration path lengthy, organizations are planning their moves to VISTA. Software compatibility problems are offset by new functionality, a better user interface and significant security improvements. Even though some organizations are clamoring about skipping the Windows VISTA refresh, they may simply be waiting for others to work out software and driver incompatibilities for them. As for downgrades, many organizations need new hardware to replace decommissioned machines. That new hardware needs to be running XP at least until VISTA migration procedures are in place, so as not to impact internal security and operational procedures. Not that downgrading is inconceivable, yet 35% seems overly exaggerated.
Posted by Mario Vuksan on Sat, Aug 16, 2008
Max blogs about the difficulties in getting Apple to acknowledge its vulnerabilities. Yet, according to the ISS X-Force Security Report, Apple has overtaken Microsoft in the number of vulnerability disclosures. Microsoft still leads the race in the number of exploits. It seems that it still pays more to exploit Windows than MacOS, even though this discrepancy is narrowing. Note the high positions for Joomla and Drupal. It is a testament to their success, as well as to the exploitability of SQL injection attacks. What galvanizes Apple's effort is the popularity of the iPhone. Vulnerabilities affecting the iPhone are taken more seriously, which helps users like me, but is also bound to filter down to other products that are based on the same OS.
Posted by Mario Vuksan on Thu, Aug 14, 2008
Fake Adobe Flash downloads seem to be a perfect social engineering attack. After all, we are all used to automatically accepting updates of Flash and similar technologies. In a sense, this is a strategy similar to last year's Fake XP Re-Activation case. Let's hope that this will be the demise of release-poor-code, patch-later philosophies.
Yet we are all news junkies, and as such will be hearing more about these types of attacks in the coming weeks. As of today, the "CNN Top 10" emails have gotten a bit more sophisticated. They now read: "CNN Alerts: Breaking news". A much less suspicious message, as I never cared much about the Top 10 of anything, but would be curious about that Breaking News event.
What makes it more exciting is a hint. The latest fake Adobe Flash-peddling SPAM tries to guess my economic, wellness or political interest. It becomes a worthy marketing study: "what would it take to make me click on a news link?"
For example,
if I was following the latest business news, I could pick: msnbc.com - BREAKING NEWS: Jerry Yang relinquishes control over Yahoo
If I was incensed about the state of the economy: msnbc.com - BREAKING NEWS: Oil prices rises due to attacks
If I was keeping up with the pre-election madness: msnbc.com - BREAKING NEWS: Abortion outlawed in California
If I was tracking the foreclosure fiasco: msnbc.com - BREAKING NEWS: Fredie Mac losses mount, loses billions every month
If I was a wellness junkie: msnbc.com - BREAKING NEWS: Vitamin C shows promise in anti-cancer trials
If I was technology mad: msnbc.com - BREAKING NEWS: Microsoft announces takeover bid for Intel
Best of all, social engineering tactics are well positioned for attacking social networks. Kaspersky researchers have recently discovered fake Adobe Flash downloads attached to picture links posted in Twitter updates. As identity theft shifts to stealing social network identities, it will no longer be necessary to create bogus social network accounts on Twitter or Facebook. Stolen identities will be sufficient for the next iteration of these attacks.
Sadly, good mitigation strategies are few. Our SPAM protection would have to be stellar, which it is not: SPAM still gets through. We would have to be able to trust digital certificates, which we cannot, thanks to loose certificate issuance policies. We would need to assess where automatic downloads originate from, something that is not trivial even for expert users. Adobe recommends that you only install Flash and its updates from official sites, as if my grandmother knows where Flash comes from. It is also contrary to the viral marketing strategy that has always been behind Flash, which for years has provided an automatic download of Flash behind each and every Flash animation. Adobe's advice is what it is, provided "AS IS". Nice touch.
Posted by Mario Vuksan on Mon, Aug 11, 2008
I've been wondering what's up with all the "CNN Top 10 News" spam. I was happy to read that someone has spent the time investigating it. It turns out that compelling headlines led victims to infected web sites which, not surprisingly, prompted you to install an infected Flash player. So far not very exciting. What strikes me is the following: isn't Flash just a perfect ruse? There are multiple versions of it: Flash, Shockwave, Flex, AIR, plus several retired players. Not all require a free new player to view content, but they all build a complacency that says: if it says it is Flash and seems benign, just install it and be done with it. So as a security professional, you scream gotcha. The installer was most likely not signed, and if signed, it was not signed by Adobe Inc., as that would certainly have made all the news outlets at the same time. It was a user mistake, hence not so exciting. Social trickery takes advantage of unsophisticated users, making this into a laughable matter, a not very sophisticated attack. Yet we are dealing with very fair questions. How many people know that Flash is made by Adobe? Wasn't it made by Macromedia until not so long ago? How many people understand why Flash is installing in the first place? How many people know what Adobe is? How does an average person know for sure what should really be installed on their machine and what not?
Posted by Mario Vuksan on Fri, Aug 08, 2008
Dan Hubbard's Websense Research Team produces very interesting research reports. I attended their latest web presentation and found one slide particularly interesting, if not all that surprising: one and a half days pass before a first signature is written for a popular piece of malware! You can only imagine what happens with custom-tailored pieces of malware that you identify and ask your anti-malware vendor to write a signature for. We have heard from our customers that they have been waiting 3 days or more (factory floors at a standstill) to get a definition written. The Websense data does not cover proactive technology. It does cover samples that have been seen upwards of 100K times in the wild and require a signature ASAP. We cannot leave it up to the user to decide whether to allow, block or ignore. Furthermore, Websense suggests that most infections are web-borne, coming from the top 100 web properties, either compromised through the likes of SEO script injection attacks or by simply using free accounts to host malware on sites like googlepages, blogspot, or rapidshare. As much as 29 percent of malicious Web attacks included data-stealing code. These figures tell us that you cannot trust new and unknown components on the web, even if your favorite anti-malware scanner does not flag them. But what you can do is enforce rules about what is allowed. You can trust people, companies, signature models, your grandmother if you wish, but you need to have a trust model. Letting just about anything execute is a recipe for disaster. It is Marcus Ranum's "Default Deny" policy.
Posted by Mario Vuksan on Thu, Aug 07, 2008
Ellen Messmer of Network World has interviewed Stephan Chenette, manager of the Websense Security Labs. He said that "Sixty percent of the 100 most-popular Web sites have been hosting malicious code or inadvertently distributing it." Even more disturbing is that "75% of malicious Web sites in general are actually legitimate Web sites that are compromised." That's a huge jump from last year, when Websense surmised that number stood at 51%, and a testament to the effectiveness of SQL injection attacks. Quite a few popular Web sites were listed as inadvertently hosting malicious code during the last half of 2008, including CNET.com, MSNBC.com, ZDNet.com, Wired.com, News.com, Yahoo.com, Excite.com and perl.com. Not much detail was given, but it was cited that banner ads distributed by Yahoo's network were used for malicious code. If you look at comScore's Ad Network June propagation report, this can indeed be eyebrow-raising. The top five ad distribution networks (AOL, Yahoo, Google, SpecificMedia, ValueClick) each have a reach of over 75% of the 190M unique Internet users tracked by comScore. We need better protection from injections against trusted web sites and trusted advertising networks. All web-based exploits require writing a payload to your local file system, be it rootkit or trojan components. These elements are unknown and unwanted. Any Application Whitelisting solution will be able to help you determine which files are new and unknown. That should be our model for defending ourselves from increasingly complex web-based attacks. It will not be long before web-based attacks migrate inside Flash and Flex widgets and start heavily using AJAX technologies.
Posted by Mario Vuksan on Wed, Aug 06, 2008
Microsoft luminary and fellow Bostonian Vinny Gullotto talked about the latest findings of his threat response team. A few incredible results were shared, demonstrating just how many infected endpoints are out there.
For example, Gullotto claims that Windows Defender, Microsoft's Anti-Spyware application, finds on average two pieces of unwanted code per machine. The program runs on 62M machines! But that's not all. His team has performed 42M disinfections over the last 6 months, claiming that each day 15M pieces of malicious code execute successfully. Even though most of their tracked endpoints belong to the consumer segment, and do not represent a corporate endpoint, these are very sobering statistics.
This certainly proves time and time again that traditional blacklisting is not rising to the challenge. One can certainly argue that proactive protection would do a better job. Heuristic, HIPS, or behavioral approaches would certainly be beneficial. Yet, the downside of proactive protection is its false positives and the ubiquitous user prompts. What does an average user do when you ask him or her "Hey, there's something potentially malicious or unwanted on your machine. What do you want to do?" The user knows what to do, and the researcher is absolved of any other responsibility. Sounds odd? It does to almost any researcher that I have ever spoken to, but there was no tangible evidence.
Yet, the latest data available in Microsoft's Security Report shows what we needed to know. Anywhere from 10% to 25% of users ignore warnings that there is something malicious on their machine, that is, if they are given a choice. If you are running an enterprise, these are shocking findings, and you wish that you had locked down every one of your personal computers. Application Whitelisting is here the better choice for a concerned IT administrator, as it allows him or her to set policies on what types of applications are automatically allowed to run. This set-it-and-forget-it approach makes choices up front and does not require an end user downloading an infected video codec to guess whether the "do you want to block a trojan?" message is real or not.
Posted by Mario Vuksan on Tue, Aug 05, 2008
We have written a lot about the need to clamp down on POS terminals. Today's news is particularly important, as it provides long-speculated evidence about the largest case of identity fraud on record. Right here in Boston, 11 defendants got away with 40 Million credit card numbers, defrauding organizations such as OfficeMax, Barnes & Noble, Boston Market, Sports Authority, Forever 21, DSW, BJ's Wholesale Club and TJX Companies. How did they do it? Mass Attorney General Michael Mukasey explained that defendants used "sniffer" programs to "breach security systems and then install computer programs that gathered enormous quantities of personal financial data, which they then allegedly either sold to others or used themselves." This is the first confirmation of the criminal method. We are not talking about simple "Wardriving", but a criminal enterprise designed to steal as much as possible. And to make the matter worse, one of the defendants was double dealing, according to ABC News, as he was involved in the heist and at the same time working with the government on other cases. People speculated for a while that most of the losses were caused by simple Wardriving or sniffing poorly secured networks for credit card data in transit. This may sound plausible in the Dave & Buster's case, which allegedly involved some 5,000 credit cards (even though it is not true). But it could never explain the theft of 40M credit card numbers. It turns out that it was all the work of a single gang that, at least in the case of Dave & Buster's, had installed the "packet sniffer" software directly onto Dave & Buster's computers, intercepted networked computer transmissions of 11 cash registers over 4 months, yielding 5,100 credit cards. 675 "good numbers" were used to generate $600K of damages. If 5K stolen credit cards can generate $600K, then 40M stolen credit cards could easily generate $40B in damages. That's more than the federal bailout of Bear Stearns.
These kinds of breaches could seriously undermine the global economy if left unchecked. POS entry points, as well as all the systems involved in the handling of personal financial data, have to be locked down, ensuring that only allowed applications run, with "sniffing" software safely blocked. Anti-malware suites are not designed to help in these scenarios, as "sniffing" software can be a useful tool in the hands of IT administrators, and yet deadly in the hands of criminals.
Posted by Mario Vuksan on Mon, Aug 04, 2008
With the advent of Application Whitelisting, behavioral approaches to security gain new prominence. It is much easier to determine a bad behavior when you have removed all the known good suspects from the line-up. The ISS Mid-Year Report reports that the Top Bad Behavior is, to no surprise, dropping a file into the Windows/System folder. Why is this important? The Windows/System folder is reserved for known good elements, your system device drivers. All files there should have been placed by the Operating System or any of its trusted derivatives. Even more so, under Vista, and in the ideal world, all of those components should be signed to run. So it is absolutely correct to conclude that if an unknown device driver is ever placed in the Windows/System folder, it should be treated as unwanted if not malicious. Modern behavioral approaches utilizing Application Whitelisting, or a complete lockdown of a system where no unauthorized software is allowed to run, are the proper solutions.
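As an added example (not Bit9's code or anything from these posts), here is a small default-deny policy in Go that ties together the trust model from the Websense post above and the system-folder rule from this one: a file is allowed only if its SHA-256 hash is on the approved list or its already-verified signer is a trusted publisher; anything else is denied, and an unknown file landing under the Windows system folder is called out separately so it can be treated as the bad behavior it is. The publisher name, paths and file contents are constructed for the example.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// Policy models the "default deny" trust model: a file may run only when its
// hash is on the approved list or its (already verified) signer is trusted.
type Policy struct {
	ApprovedHashes    map[string]bool // hex SHA-256 of known-good binaries
	TrustedPublishers map[string]bool // signer names the organisation trusts
}

// FileEvent stands in for an endpoint agent's report (constructed for the example);
// Signer is empty when the file is unsigned or its signature did not verify.
type FileEvent struct {
	Path    string
	Content []byte
	Signer  string
}

func sha256Hex(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}
// Evaluate returns (allow, reason): explicit hash approval first, then publisher
// trust, then default deny. An unknown file landing in the system/driver folder,
// the "top bad behaviour" the post cites, is called out explicitly.
func (p Policy) Evaluate(ev FileEvent) (bool, string) {
	h := sha256Hex(ev.Content)
	switch {
	case p.ApprovedHashes[h]:
		return true, "hash approved"
	case ev.Signer != "" && p.TrustedPublishers[ev.Signer]:
		return true, "trusted publisher " + ev.Signer
	case isSystemPath(ev.Path):
		return false, "unknown file dropped into system folder, hash " + h[:12]
	}
	return false, "default deny, unknown hash " + h[:12]
}

func isSystemPath(path string) bool {
	p := strings.ToLower(strings.ReplaceAll(path, "/", `\`))
	return strings.HasPrefix(p, `c:\windows\system32\`)
}

func main() {
	good := []byte("constructed known-good binary")
	p := Policy{map[string]bool{sha256Hex(good): true}, map[string]bool{"Example Corp": true}}
	ok, why := p.Evaluate(FileEvent{Path: `C:\Windows\System32\drivers\newdrv.sys`, Content: []byte("x")})
	fmt.Println(ok, why)
}
```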
Posted by Mario Vuksan on Fri, Aug 01, 2008
In this Brave New World, fads fade quickly. For example, we have been accustomed to ignoring DDOS attacks. Organizations like Yahoo and anti-spam heavyweight SPAMHAUS (http://www.spamhaus.org) seem to be continuously under attack. In one of the more recent instances, it took a coordinated ISP effort to reverse the bot net armies and tell them to shut up for an instant to stop the attack. But now we wake up to a new type of problem, courtesy of the friendly faces at Hewlett Packard. (By the way, it would be nice to hear more on their security strategy.) Welcome PDOS, or permanent denial of service attacks. This type of attack claims that botched firmware updates can permanently destroy hardware beyond repair. There are still quite a few embedded solutions that do not require any authentication for firmware updates. These are obviously the most vulnerable. Actually, it has been like that for as long as we can remember, and no one has attempted to truly exploit this vector. The infinite variety of hardware platforms and firmware must have something to do with it. Does anybody remember this old article? It is about software killing hardware, relevant but not cataclysmic. Yet, the beauty behind a PDOS attack, according to HP, is that it is much cheaper. A single attack can easily knock down your entire infrastructure. You do not need to continue paying bot herders their outrageous fees. Or not, depending on your point of view, as bot rental fees become dirt cheap. Should we say they are pegged to the market? One thing that seems a natural solution is that all firmware updates, as well as all OS updates, need to be validated and only installed from trusted sources. The Trusted Computing Group has spent years working on various plumbing to make this exercise fully feasible. We are looking forward to seeing Application Whitelisting overlaid as the controlling element of what is a trusted firmware or trusted OS update.
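The "validated and only installed from trusted sources" rule from this post, as an added example in Go (not HP's, the Trusted Computing Group's or Bit9's code): the updater pins one Ed25519 public key per trusted firmware vendor and refuses any image whose signature does not verify under that key, so an unauthenticated or tampered update never reaches the flash routine. The vendor name, key pair and firmware bytes are all constructed for the example; real update formats carry more metadata.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// FirmwareImage is a constructed update package: the image bytes plus a
// detached signature made by the vendor over the image. Real formats differ.
type FirmwareImage struct {
	Vendor    string
	Image     []byte
	Signature []byte
}

// Updater pins one public key per trusted firmware source. Anything not
// signed by a pinned key is refused: "validated and only installed from
// trusted sources", instead of accepting unauthenticated updates.
type Updater struct {
	TrustedKeys map[string]ed25519.PublicKey
}

var ErrUntrustedSource = errors.New("firmware source not trusted")
var ErrBadSignature = errors.New("firmware signature does not verify")

// Sign is the vendor side; included only so the example can build updates offline.
func Sign(priv ed25519.PrivateKey, img []byte) []byte {
	return ed25519.Sign(priv, img)
}

// Verify refuses the update unless the named vendor has a pinned key and
// the signature verifies over the exact image presented for flashing.
func (u Updater) Verify(fw FirmwareImage) error {
	pub, ok := u.TrustedKeys[fw.Vendor]
	if !ok {
		return ErrUntrustedSource
	}
	if !ed25519.Verify(pub, fw.Image, fw.Signature) {
		return ErrBadSignature
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // stands in for the vendor's key
	u := Updater{TrustedKeys: map[string]ed25519.PublicKey{"ExampleVendor": pub}}
	img := []byte("constructed firmware image v1.2")
	fw := FirmwareImage{"ExampleVendor", img, Sign(priv, img)}
	fmt.Println("genuine:", u.Verify(fw))
	fw.Image[0] ^= 0xff // tampered in transit: same vendor, signature no longer matches
	fmt.Println("tampered:", u.Verify(fw))
}
```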