Bit9

Enterprise Application Whitelisting

IE 8.0: Wonders of Porn

Posted by Mario Vuksan on Sun, Aug 31, 2008
Microsoft has finally released a public Beta of their next major browser release. IE 8.0, among many other great features, has an "InPrivate" mode, popularly dubbed the "Porn Mode", as if "InPrivate" was not subtle enough. The Irish Times then went a bit further and labeled it the "porn browser". This all recalls the debate over the Heatseek browser from two years ago. Heatseek is an alternate browser built on IE.

Mention of porn does get people excited. Just Google IE and "porn mode" and you'll find more than 76K pages.

So why do we really need InPrivate mode?

As has been repeated everywhere, it disables page caching, browser history and the remembering of any session state such as form fields and cookies. Caching has annoyed me in the past. As Internet connections became rather fast, caching became irrelevant. Still, if you did not frequently clear your cache, you were likely to severely fragment your hard drive. Unlike the rest of your file system, each page generates hundreds of small files that take ever more hard disk space, all in small blocks, which in turn clog large contiguous spaces and make the drive go back and forth just to cache a simple web page. Imagine dumping garbage down your drain. It clogs. Hence, if you ever wondered why your machine slows down simply by browsing the Internet, check your fragmentation levels, wipe that cache and defragment your drive. It is no wonder that Firefox offers automatic cache cleanup (the "always clear my private data" feature). If this indeed is your experience, you may want to consider buying Diskeeper.

But there are better reasons

Keeping your cache or browser history has serious implications in the Enterprise:

(1) Web Mail Privacy: Do you really want Google Desktop or any other desktop indexing software to be indexing your private mail along with your corporate data? If you don't care about it, you may still want to think twice, as web mail is protected private mail and your employer should not be intercepting it without a warrant. As soon as it becomes a part of the Google Desktop index, the story changes. Yet if it was not kept on the disk in the first place, you wouldn't have had the problem at all.

(2) Custom Web Applications and Proprietary Portals: Every Enterprise has one internal-facing portal or another, tracking customers, partners, IT resources, you name it. As we all take our laptops home, should potentially sensitive data about our businesses and people be easily available for malware to grab? If it is in the cache, it is usually in clear text and hence easily extractable by an outside piece of malicious code. How does that relate to any of the HIPAA regulations? Think medical records, pharma trial results.

(3) Browser Cache Based Malware: It will need to work harder to infect your system, as it will not be written to disk by default. We could hence expect better protection from our Anti-Malware suites, as there will be fewer things to scan and better heuristics for catching rogue buffer overflow attacks that are forcing their way onto disk.

Yes, porn will squeeze by too. Cheapening the discussion to simply a "porn mode" does make Microsoft sexier, something from which Microsoft could always benefit, but it doesn't do much to help us refine our security postures and do things better.

Yet the concerns raised are valid as well. Without a web cache, it will be more difficult to pinpoint a certain crime to a location and time. Did you surf that web site? Not everybody has implemented a DLP solution like Vontu, Vericept or Tablus. The web cache, and for that matter any HD analysis that you can imagine, was a treasure trove for forensics professionals in the past. It may be less so in the future.

That is all to change. Forensics will require new tools and new solutions. So in a tug of war, we fix some security scenarios which surely break other security solutions that worked around them, knowing full well that what was working before shouldn't have been working in the first place.


Stars are aligned for Application Whitelisting, aka Application Control

Posted by Kate Munro on Wed, Aug 27, 2008

The stars are aligned for application whitelisting in the marketplace -- all the big players are talking about it now and analysts are predicting that it is the future.

The new Gartner analyst research report - "Application Control Market Update," 4 August 2008, by Neil MacDonald and Michael A. Silver - is a great one. To Gartner, the terms "application control" and "application whitelisting" are synonymous.

Copied below are some top quotes from the Gartner Research Note.

  • "Organizations are looking to application control solutions to augment signature-based antivirus protection and to exert more control over endpoints."
  • "We continue to advise organizations adopting application control solutions that the key to successful tool selection and implementation is the capability to automate the exception management process and to automate list management. Bit9 has delivered significant innovation in this area by enabling organizations to query their "whitelist/blacklist in the cloud" knowledge base as a subscription service (see "Cool Vendors in Infrastructure Protection, 2007")."
  • "Application "whitelisting" and "blacklisting" techniques are becoming increasingly useful to supplement shortcomings in antivirus systems. These techniques deliver more flexibility to reduce diversity, improve operations and manage PC configuration than merely locking down desktops."
  • "When antivirus agents and patching aren't possible, consider application control and system hardening as alternative security controls for point-of-sale (POS) terminals, supervisory control and data acquisition (SCADA) systems, and other devices that fall under regulatory requirements."
  • "Application control solutions address shortcomings in antivirus and other signature-based approaches and provide security and operational benefits."
  • "In most cases, application control software (see Figure 1) doesn't replace traditional antivirus and personal firewall offerings. Instead, it acts as an additional layer of protection for endpoints to supplement the increasing ineffectiveness of signature-based antivirus solutions, which can't keep up with the explosion in malware variants and the increases in targeted attacks. Application control solutions are of interest to information security and operations managers, typically for reducing the chances for image corruption, system damage or data loss by end users, rogue applications or malware."

And this whole section:

"Application Control Is a Gentler Form of Lockdown

In addition to security protection, application control solutions provide operational benefits by preventing the arbitrary introduction and execution of unknown code ("lockdown") on endpoints, even for administrators. There are several security and operational reasons that organizations may want to use application control solutions:

  • To ensure that unlicensed software isn't being used
  • To manage known PC configurations so that enterprise software is easier to deploy and maintain
  • To restrict users from running software that could be detrimental to enterprise systems or the network
  • To prevent users from adding applications to the organization's application portfolio that will require increased support and cost

Many organizations mistakenly believe that they've accomplished lockdown by removing administrative access from users and designating them as standard users. However, this can cause a number of problems:

  • Users who have a real business need to install applications to do their jobs won't have that right, which hampers creativity.
  • Client software components that Web sites upgrade on a regular basis (such as Flash, Acrobat Reader and Web conferencing software) cannot be updated, potentially obstructing user access to important business content or causing lost productivity, as users look for workarounds. It's nearly impossible for organizations to have the latest clients packaged for software distribution so that they can be delivered to users as needed, and standard user access does not allow exceptions.
  • Contrary to common perception, running users as standard users does not prevent them from installing and running unknown applications. Depending on the level of lockdown, standard users may be able to download and install well-behaved applications that don't require administrative privileges to install or run. Furthermore, without additional restrictions or tools, users are able to load and execute single executables from the network (including via the browser) or removable media. Organizations are also at risk from malware that targets user data and settings, rather than system files.

Application control solutions address these issues and provide organizations with more flexibility and granularity for all users regarding the applications that can and cannot be run. Users can be left running as administrators, allowing them to update client software as needed, including Web applications. Software that's detrimental can be automatically blacklisted, but resources (and/or subscription models) may be needed to keep the list current. Depending on the user, new software can be allowed or blocked by policy. In either case, it is always logged, so that the organization can monitor, at a granular level, what software users are looking to run. Even if users are running as standard users, application control products can plug the gap created by applications that don't require administrator privileges to install and run or single file executables."

As an aside, we are now registering our blog with Technorati.


Who's the Sexiest AV Product Around?

Posted by Mario Vuksan on Thu, Aug 21, 2008

Intego recently came up with the first AV product for the iPhone platform. What struck us is the awesome user interface that it carries, as would only be expected for Apple-based products. True to form, we have ignored its functionality and any protection benefits that it may carry.

Hence we'd like to have some fun and hold an informal poll. Who do you think has the sexiest Anti-Malware product and why? Functionality does not apply; we are only talking about the looks, even though some beautiful products are really good. Please send us more screenshots of relevant products if you can, and we'll add them to the list. Of course, subjectivity matters, as this is about taste, that is, guessing the consumer's taste.

Why is this important? It is really not, but many companies invest heavily in making their security products visually exciting. They even excessively stress about it, hiring expensive PR firms, as is the case with Symantec. It ended up being dinged in reviews for its Yellow Fever theme. Why we think that customers care about their AV UI is a topic for another discussion.

Feel free to be biased. We are too, although saying that anything Apple is sexier than anything Windows is as objective a statement as possible. White-label products are absolutely welcome.

So here are our top 3 sexiest AV contenders:

1. Intego - Obvious, eye candy makes us more secure

2. HelloKitty AV - As long as it protects from HelloKitty Malware, Kitty's in

3. Suze Orman AV - Because security starts with a face

REST OF THE LIST, TBD. Please vote!


Finally, here's the trailing bunch. Supporting documentation was liberally borrowed from Download.com and Softpedia. Here are some screenshots. Obviously there are more interesting products.

Screenshots (images not reproduced here): Intego iPhone AV, Hello Kitty AV, Suze Orman's Identity Theft Kit, F-Secure, iolo, PCTools, Symantec, McAfee, K7 Total Security, Eset NOD32, Trend Micro, Kaspersky KIS 2009, AVAST, AVG, AVIRA, BitDefender Total Security, Panda Platinum Internet Security.

Online fundraising and malware: Could Elections be in trouble?

Posted by Mario Vuksan on Wed, Aug 20, 2008

In this pre-election season, we seldom step back and think about potential threats to our democracy. All eyes are on picking the best candidate. Yet, we need to be very concerned about the influx of the Internet into our election process. For one, most candidates fundraise on the web today. They also heavily use their web sites and email as communication vehicles and as means to mobilize the party faithful.

The Internet opens up a great opportunity for a qualitative electoral advantage, but it also opens the gates to serious fraud and a potential for significant campaign disruption. We have seen heavy usage of technology in past elections. Democrats may have seemed technologically challenged (curious, with so many young and Silicon Valley pundits). Republicans seemed savvier with their palmtops and electronic lists of the party faithful.

The 2004 Election was a watershed election bringing a number of firsts:

  • First use of e-mail solicitation: 45% of Democrat donors received e-mail daily
  • Organizing of supporters on the web: political blogs
  • Online fundraising, with the Kerry campaign taking a lead: 70% of online donors forwarded e-mails to others
  • Candidates raised:
      John Kerry - $82MM
      Howard Dean - $20MM
      George Bush - $14MM
Serious concerns were raised by Oliver Friedrichs at Black Hat 2008 in a talk titled "Threats to the 2008 Presidential Election".

Key takeaways are the following:

Online campaign donations can be tampered with

Given the significant amounts being raised online, phishing attacks could defraud donors, dampen enthusiasm and seriously shortchange candidates. Opponents or foreign elements could easily be behind these efforts. It all stems from the ad hoc structure of campaign web sites.

Political Campaign SPAM

We should worry about campaign SPAM that may lead to phishing attacks, or could simply spread misinformation and false rumors, or generate artificial scandals. Successful attacks against your support base could pollute email as a communications medium, intimidate potential voters, and hurt those grassroots efforts. Imagine fake scandals, subtle suggestions of legal or health trouble, or of a position change.

Vulnerable campaign web sites & blogs

The ease of SQL injection attacks has demonstrated that the best way to infect a large number of users is to go where they are. Infecting a campaign web site is a perfect way to get to the most trusted campaign volunteers or staff. They could be tagged with stealthy (rootkitted) and bespoke malware undetected by anti-malware solutions. Potential criminal elements could own your campaign. Being owned could mean sensitive data leakage, redirection of campaign funds, and more, all by forces that are not necessarily U.S. based.

Given the speed of the Internet, these attacks could be perpetrated a few days before the election, thus influencing the election outcome.

Should we worry now?


Are Enterprise Customers really Uninstalling VISTA?

Posted by Mario Vuksan on Tue, Aug 19, 2008
Vista Enterprise rollouts seem to be hitting a significant snag, according to Devil Mountain Software, with 35% of Windows VISTA installs being uninstalled in favor of Windows XP. HP & Dell have been downgrading new Vista machines to XP in response to customer demands. Even though Microsoft no longer supports XP, HP & Dell will allow customers to downgrade to XP until July of 2009. Still, a sample of 3,000 machines is not a very convincing statistic. There are more than 200 million desktops and laptops shipped annually. The vast majority of them carry the latest Microsoft OS of record, VISTA. Hence, we need to question results based on a sample of less than 0.0015%.

Bit9's experience speaks to the contrary. Even though the adoption of VISTA is slow and the migration path lengthy, organizations are planning their moves to VISTA. Software compatibility problems are offset by new functionality, a better user interface and significant security improvements. Even though some organizations are clamoring about skipping the Windows VISTA refresh, they may simply be waiting for others to work out software and driver incompatibilities for them.

As for downgrades, many organizations need new hardware to replace decommissioned machines. That new hardware needs to be running XP at least until VISTA migration procedures are in place, so as not to impact internal security and operational procedures. Not that downgrading is inconceivable, yet 35% seems to be overly exaggerated.


Vulnerability Disclosures: Who's on top now?

Posted by Mario Vuksan on Sat, Aug 16, 2008
Max blogs about the difficulties in getting Apple to acknowledge their vulnerabilities.

Yet, according to the ISS X-FORCE Security Report, Apple has overtaken Microsoft in the number of vulnerability disclosures. Microsoft still leads the race in the number of exploits. It seems that it still pays more to exploit Windows than MacOS, even though this discrepancy is narrowing.

Note the high positions of Joomla and Drupal. It is a testament to their success, as well as to SQL injection exploitability.

What galvanizes Apple's effort is the popularity of the iPhone. Vulnerabilities affecting the iPhone are taken more seriously, which helps users like me, but this is also bound to filter down to other products that are based on the same OS.


Breaking News: From Abortion to Anti-Cancer Trials

Posted by Mario Vuksan on Thu, Aug 14, 2008

Fake Adobe Flash downloads seem to be a perfect social engineering attack. After all, we are all used to automatically accepting updates of Flash and similar technologies. In a sense, this is a similar strategy to last year's Fake XP Re-Activation case. Let's hope that this will be the demise of release-poor-code, patch-later philosophies.

Yet we are all news junkies, and as such will be hearing more about these types of attacks in the coming weeks. As of today, "CNN Top 10" emails have gotten a bit more sophisticated. They now read: "CNN Alerts: Breaking news". A much less suspect message, as I never cared much about the Top 10 of anything, but would be curious about that Breaking News event.

What makes it more exciting is a hint: the latest fake Adobe Flash-peddling SPAM tries to guess my economic, wellness or political interest. It becomes a worthy marketing study: "what would it take to make me click on a news link?"

For example, if I was following the latest business news, I could pick:
msnbc.com - BREAKING NEWS: Jerry Yang relinquishes control over Yahoo

If I was incensed about the state of the economy:
msnbc.com - BREAKING NEWS: Oil prices rises due to attacks

If I was keeping up with the pre-election madness:
msnbc.com - BREAKING NEWS: Abortion outlawed in California

If I was tracking the foreclosure fiasco:
msnbc.com - BREAKING NEWS: Fredie Mac losses mount, loses billions every month

If I was a wellness junkie:
msnbc.com - BREAKING NEWS: Vitamin C shows promise in anti-cancer trials

If I was technology mad:
msnbc.com - BREAKING NEWS: Microsoft announces takeover bid for Intel

Best of all, social engineering tactics are well positioned for attacking social networks. Kaspersky researchers have recently discovered fake Adobe Flash downloads attached to picture links posted in Twitter updates. As identity theft shifts to stealing social network identities, it will no longer be necessary to create bogus social network accounts on Twitter or Facebook. Stolen identities will be sufficient for the next iteration of these attacks.

Sadly, good mitigation strategies are few. Our SPAM protection would have to be stellar, which it is not. SPAM still gets through. We would have to be able to trust digital certificates, which we cannot, thanks to loose certificate issuance policies. We would need to assess where automatic downloads originate from, something that is not trivial even for expert users. Adobe recommends that you only install Flash and its updates from official sites, as if my grandmother knows where Flash comes from. It is also contrary to the viral marketing strategy that was always behind Flash, which has for years provided an automatic download of Flash behind each and every Flash animation. Adobe's advice is what it is, provided "AS IS". Nice touch.


How to spot fake Adobe Flash downloads?

Posted by Mario Vuksan on Mon, Aug 11, 2008
I've been wondering what's up with all the "CNN Top 10 News" spam. I was happy to read that someone has spent the time investigating it.

It turns out that compelling headlines led victims to infected web sites which, not surprisingly, were prompting you to install an infected Flash player. So far not very exciting.

What strikes me is the following: isn't Flash just a perfect ruse? There are multiple versions of it: Flash, Shockwave, Flex, AIR, plus several retired players. Not all require a free new player to view content, but they all build a complacency that says: if it says it is Flash and seems benign, just install it and be done with it.

So as a security professional, you scream gotcha. The installer was most likely not signed, and if signed, it was not signed by Adobe Inc., as that would certainly make all the news outlets at the same time. It was a user mistake, hence not so exciting. Social trickery takes advantage of unsophisticated users, making this into a laughable matter, a not very sophisticated attack.

Yet we are dealing with very fair questions. How many people know that Flash is made by Adobe? Wasn't it made by Macromedia until not so long ago? How many people understand why Flash is installing in the first place? How many people know what Adobe is? How does an average person know for sure what should really be installed on their machines and what not?


Websense Report: It still takes Weeks to get Malware Blacklisted

Posted by Mario Vuksan on Fri, Aug 08, 2008
Dan Hubbard's Websense Research Team produces very interesting research reports. I attended their latest web presentation and found the following slide interesting, if not all that surprising:

A day and a half before a first signature is written for a popular piece of malware! You can only imagine what happens with custom-tailored pieces of malware that you identify and ask your anti-malware vendor to write a signature for. We have heard from our customers that they have been waiting 3 days or more (factory floors at a standstill) to get a definition written.

Websense data does not cover proactive technology. It does cover samples that have been seen upwards of 100K times in the wild and require a signature ASAP. We cannot leave it up to the user to decide whether to allow, block or ignore.

Furthermore, Websense suggests that most infections are web-borne, coming from the top 100 web properties, either compromised via SEO script injection attacks or by simply using free accounts to host malware on sites like googlepages, blogspot, or rapidshare. As much as 29 percent of malicious Web attacks included data-stealing code.

These figures tell us that you cannot trust new and unknown components on the web, even if your favorite anti-malware scanner does not flag them. But what you can do is enforce rules of what is allowed. You can trust people, companies, signature models, your grandmother if you wish, but you need to have a trust model. Letting just about anything execute is a recipe for disaster. It is Marcus Ranum's "Default Deny" policy.


Infections of Good Web Sites on the Rise, Time to Change Strategy

Posted by Mario Vuksan on Thu, Aug 07, 2008
Ellen Messmer of Network World has interviewed Stephan Chenette, manager of the Websense Security Labs. He said that "Sixty percent of the 100 most-popular Web sites have been hosting malicious code or inadvertently distributing it." Even more disturbing is that "75% of malicious Web sites in general are actually legitimate Web sites that are compromised." That's a huge jump from last year, when Websense surmised that number stood at 51%, and a testament to the effectiveness of SQL injection attacks.

Quite a few popular Web sites were listed as inadvertently hosting malicious code during the last half of 2008, including CNET.com, MSNBC.com, ZDNet.com, Wired.Com, News.com, Yahoo.com, Excite.com and perl.com.

Not much detail was given, but it was cited that banner ads distributed by Yahoo's network were used for malicious code. If you look at comScore's June Ad Network propagation report, this can indeed be eyebrow-raising. The top five ad distribution networks (AOL, Yahoo, Google, SpecificMedia, ValueClick) each have a reach of over 75% of the 190M unique Internet users tracked by comScore.

We need better protection from injections against trusted web sites and trusted advertising networks. All web-based exploits require writing a payload to your local file system, be it rootkit or trojan components. These elements are unknown and unwanted. Any Application Whitelisting solution will be able to help you determine which files are new and unknown. That should be our model for defending ourselves against increasingly complex web-based attacks. It will not be long before web-based attacks migrate inside Flash and Flex widgets and start heavily using AJAX technologies.


Pro-Active Protection: The more you ask the worse it gets

Posted by Mario Vuksan on Wed, Aug 06, 2008

Microsoft's luminary Vinny Gulloto, a fellow Bostonian, talked about the latest findings of his threat response team. A few incredible results were shared demonstrating just how many infected end points are out there.

For example, Gulloto claims that Windows Defender, Microsoft's Anti-Spyware application, finds on average two pieces of unwanted code per machine. The program runs on 62M machines! But that's not all. His team has performed 42M disinfections over the last 6 months, claiming that each day 15M pieces of malicious code execute successfully. Even though most of their tracked end points belong to the consumer segment, and do not represent corporate end points, these are very sobering statistics.

This certainly proves time and time again that traditional blacklisting is not rising to the challenge. One can certainly argue that proactive protection would do a better job. Heuristic, HIPS, or behavioral approaches would certainly be beneficial. Yet, the downside of pro-active protection is its false positives and the ubiquitous user prompts. What does an average user do when you ask him or her "Hey, there's something potentially malicious or unwanted on your machine. What do you want to do?" The user knows what to do, and the researcher is absolved of any other responsibility. Sounds odd? It does to almost any researcher that I have ever spoken to, but there was no tangible evidence.

Yet, the latest data available in Microsoft's Security Report shows what we needed to know. Anywhere from 10% to 25% of users ignore warnings that there is something malicious on their machine, that is, if they are given a choice. If you are running an enterprise, these are shocking findings and you wish that you had locked down every one of your personal computers. Application Whitelisting is here a better choice for a concerned IT administrator, as it allows him or her to set policies on what types of applications are automatically allowed to run. This set-it-and-forget-it approach makes choices up front and does not require an end user downloading an infected video codec to guess whether a "do you want to block a trojan?" message is real or not.


DNS: Where to find Dan Kaminsky's Presentation?

Posted by Mario Vuksan on Wed, Aug 06, 2008
In case you hit the empty page on the Black Hat site and were looking for Dan Kaminsky's presentation, here is the presentation that he gave at Black Hat 2008 in Las Vegas. It is titled "Black Ops 2008: It’s The End Of The Cache As We Know It" and is available on his blog, DoxPara.


Could POS Breaches generate $40B in damages?

Posted by Mario Vuksan on Tue, Aug 05, 2008
  | Share on Twitter Twitter | Buzz This  Google Buzz | Submit to Digg digg it |  Share on LinkedIn LinkedIn 
We have written a lot about the need to clamp down POS terminals. Today's news is particularly important as they provide much speculated evidence about the largest case of identity fraud on record.

Right here in Boston, 11 defendants got away with 40 Million Credit Card Numbers, defrauding organizations such as OfficeMax, Barnes & Noble, Boston Market, Sports Authority, Forever 21, DSW, BJ's Wholesale Club and TJX Companies.

How did they do it? Mass Attorney General Michael Mukasey explained that defendants used "sniffer" programs to "breach security systems and then install computer programs that gathered enormous quantities of personal financial data, which they then allegedly either sold to others or used themselves." This is the first confirmation of the criminal method. We are not talking about simple "Wardriving", but a criminal enterprise designed to steal as much as possible.

And to make the matter worse, 1 of the defendants was double dealing, according to ABC News, as he was involved in the heist and at the same time working with government on other cases.

People speculated for awhile that most of the losses were caused by simple Wardriving or sniffing poorly secured networks for credit card data in transit. This may sound plausible in Dave & Buster's case which allegedly involved some 5,000 credit cards (even though it is not true). But it could never explain theft of 40M credit card numbers.

It turns out that it was all work of a single gang that at least in the case of Dave & Buster's, have installed the "packet sniffer" software directly onto Dave & Buster's computers, intercepted networked computer transmissions of 11 cash registers over 4 months, yielding 5,100 credit cards. 675 "good numbers" were used to generate $600K of damages.

If 5,100 stolen cards generated $600K, a straight linear extrapolation puts 40M stolen cards at roughly $4.7B. But only 675 of those 5,100 numbers were actually usable, so each usable card was worth close to $900 to the thieves; at that rate, 40M usable numbers would produce on the order of $40B in damages. That's more than the federal bailout of Bear Stearns.

These kinds of breaches could seriously undermine the global economy if left unchecked. POS endpoints, as well as all systems involved in handling personal financial data, have to be locked down, ensuring that only approved applications run and that sniffing software is blocked. Anti-malware suites are not designed to help in this scenario: a packet sniffer is a legitimate tool in the hands of an IT administrator and deadly in the hands of a criminal, so a signature-based product has no reason to flag it. Only a default-deny policy that decides, per host, what is allowed to execute separates the two cases.
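The per-host, default-deny policy described above, as an added example (not code from the original post or from any Bit9 product): binaries are identified by SHA-256 hash rather than by name, and each hash is approved only for the host roles that need it. The host roles, the "binaries" (constructed byte strings standing in for executables) and the policy contents are all assumptions made for the example.

```python
"""Role-aware application allowlist for POS hosts (added example).

A default-deny policy identifies each binary by its SHA-256 hash and
permits it only on the host roles that need it. The same packet-capture
tool is therefore allowed on an administrator workstation and refused on
a POS register, and a patched copy of the register application is refused
everywhere because its hash no longer matches. The "binaries" below are
constructed byte strings standing in for real executables.
"""
import hashlib
from dataclasses import dataclass, field


def sha256_hex(image: bytes) -> str:
    return hashlib.sha256(image).hexdigest()


# Constructed stand-ins for executable images (not real programs).
BINARIES = {
    "pos_register.exe": b"MZ...register-app-v1.0",
    "pos_register.exe (patched)": b"MZ...register-app-v1.0+unauthorized-patch",
    "sniffer.exe": b"MZ...packet-capture-tool",
    "dropper.exe": b"MZ...never-seen-before",
}


@dataclass
class Policy:
    # SHA-256 hex digest -> set of host roles on which execution is permitted
    allowed: dict = field(default_factory=dict)

    def approve(self, image: bytes, roles) -> None:
        self.allowed[sha256_hex(image)] = set(roles)

    def decide(self, host_role: str, image: bytes):
        """Return (verdict, reason). Anything not explicitly approved for
        this role is denied, whatever the file happens to be called."""
        digest = sha256_hex(image)
        roles = self.allowed.get(digest)
        if roles is None:
            return "DENY", f"unknown image {digest[:12]}"
        if host_role not in roles:
            return "DENY", f"approved only for roles {sorted(roles)}"
        return "ALLOW", "approved"


def build_policy() -> Policy:
    """Assumed policy: registers run only the register app; admin
    workstations may also run the capture tool. Nothing else is approved."""
    policy = Policy()
    policy.approve(BINARIES["pos_register.exe"], {"pos"})
    policy.approve(BINARIES["sniffer.exe"], {"admin"})
    return policy


def verdict(policy: Policy, host_role: str, name: str) -> str:
    """Convenience wrapper: the ALLOW/DENY verdict for a named sample binary."""
    return policy.decide(host_role, BINARIES[name])[0]


if __name__ == "__main__":
    policy = build_policy()
    for role, name in [("pos", "pos_register.exe"),
                       ("pos", "pos_register.exe (patched)"),
                       ("pos", "sniffer.exe"),
                       ("admin", "sniffer.exe"),
                       ("pos", "dropper.exe")]:
        v, why = policy.decide(role, BINARIES[name])
        print(f"{role:5} {name:28} {v:5} {why}")
```

The point of keying on the hash rather than the file name is the patched-register case: a trojanized copy of an approved program is refused without anyone having to recognize it as malicious, which is exactly what a signature-based anti-malware product cannot do for a sniffer that is legitimate elsewhere.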


Top Bad Behaviors and Whitelisting

Posted by Mario Vuksan on Mon, Aug 04, 2008
With the advent of application whitelisting, behavioral approaches to security gain new prominence: it is much easier to spot bad behavior once all the known-good suspects have been removed from the line-up. The ISS mid-year report states that the top bad behavior is, to no surprise, dropping a file into the Windows system folder.

Why is this important? The Windows system folder (System32, with device drivers under System32\drivers) is reserved for known-good operating-system components. Every file there should have been placed by the operating system itself or by a trusted installer. Under Vista, in the ideal world, all of those components should be signed; on 64-bit Vista, kernel-mode drivers must be signed before they will load at all.

So it is entirely correct to conclude that if an unknown device driver is ever placed in the Windows system folder, it should be treated as unwanted, if not malicious. Modern behavioral approaches that build on application whitelisting, or a complete lockdown in which no unauthorized software is allowed to run, are the proper solutions.
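The behavioral rule above, as an added example run over constructed file-creation events (not code from the original post, and not the format of any real audit log): a write of a driver or other executable image into the Windows system folders by a process that is not a trusted installer, or of an unsigned image, is flagged. The event format, the system root (C:\Windows), the trusted-installer set and the "signed" field are all assumptions for the example.

```python
"""Detection rule for "file dropped into the Windows system folder"
(added example, run over constructed events).

Each event line is  ts|process|operation|path|signed  where "signed"
records whether the written image carried a valid Authenticode signature
("yes", "no" or "n/a" for non-code). The format and the sample lines are
constructed for this example; the system root and trusted-writer set are
assumptions and should be adjusted for the host being monitored.
"""
from dataclasses import dataclass
from typing import List, Optional

SAMPLE_EVENTS = r"""
2008-08-04T10:01:02|TrustedInstaller.exe|create|C:\Windows\System32\drivers\ndis.sys|yes
2008-08-04T10:02:10|setup_update.exe|create|C:\Windows\System32\drivers\netsnif.sys|no
2008-08-04T10:03:33|winword.exe|create|C:\Users\mv\Documents\report.docx|n/a
2008-08-04T10:04:45|svchost.exe|create|c:/windows/system32/MSVCR80.dll|yes
2008-08-04T10:05:51|dropper.exe|create|C:\WINDOWS\system\helper.dll|no
2008-08-04T10:06:07|dropper.exe|create|C:\Windows\System32\readme.txt|n/a
""".strip()

# Assumed system root; prefixes are compared after normalization (lower-case, backslashes).
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\system\\", "c:\\windows\\syswow64\\")
# Assumed set of processes that legitimately place code in the system folders.
TRUSTED_WRITERS = {"trustedinstaller.exe", "msiexec.exe", "wuauclt.exe"}
CODE_EXTENSIONS = {"sys", "dll", "exe", "ocx"}


@dataclass
class Event:
    ts: str
    process: str
    op: str
    path: str
    signed: str


@dataclass
class Alert:
    ts: str
    process: str
    path: str
    severity: str
    reason: str


def parse_events(text: str) -> List[Event]:
    events = []
    for line in text.splitlines():
        parts = line.strip().split("|")
        if len(parts) != 5:
            continue  # malformed or blank line: skip rather than abort the scan
        events.append(Event(*parts))
    return events


def normalize(path: str) -> str:
    return path.replace("/", "\\").lower()


def classify(ev: Event) -> Optional[Alert]:
    path = normalize(ev.path)
    if not path.startswith(SYSTEM_DIRS):
        return None                      # writes elsewhere are out of scope here
    ext = path.rsplit(".", 1)[-1] if "." in path else ""
    if ext not in CODE_EXTENSIONS:
        return None                      # data files in System32 are noise for this rule
    is_driver = ext == "sys" or "\\drivers\\" in path
    unsigned = ev.signed.strip().lower() == "no"
    untrusted = ev.process.lower() not in TRUSTED_WRITERS
    if not (unsigned or untrusted):
        return None                      # signed image from a trusted installer: expected
    reasons = []
    if untrusted:
        reasons.append(f"writer {ev.process} is not a trusted installer")
    if unsigned:
        reasons.append("image is unsigned")
    severity = "high" if (is_driver or unsigned) else "medium"
    return Alert(ev.ts, ev.process, ev.path, severity, "; ".join(reasons))


def scan(text: str) -> List[Alert]:
    return [a for a in (classify(e) for e in parse_events(text)) if a is not None]


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"[{alert.severity:6}] {alert.ts} {alert.process} -> {alert.path}: {alert.reason}")
```

On the sample, the signed ndis.sys written by TrustedInstaller and the two non-code files pass silently; the unsigned netsnif.sys driver and the unsigned helper.dll are high-severity, and the signed DLL written by a process outside the trusted set is medium, which is the case a whitelisting policy would resolve by deciding whether that process is allowed to install code at all.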


PDOS and Trustworthy Computing

Posted by Mario Vuksan on Fri, Aug 01, 2008
In this Brave New World, fads fade quickly. For example, we have become accustomed to ignoring DDoS attacks. Organizations like Yahoo and the anti-spam heavyweight Spamhaus (http://www.spamhaus.org) seem to be continuously under attack. In one of the more recent instances, it took a coordinated ISP effort to turn back the botnet armies and silence them long enough to stop the attack.

But now we wake up to a new type of problem, courtesy of the friendly faces at Hewlett-Packard (by the way, it would be nice to hear more about their security strategy). Welcome PDOS, the permanent denial-of-service attack. The claim is that a botched, or deliberately malicious, firmware update can destroy hardware beyond repair. Quite a few embedded devices still accept firmware updates without any authentication; these are obviously the most vulnerable. It has actually been like this for as long as we can remember, and nobody has seriously tried to exploit the vector; the sheer variety of hardware platforms and firmware formats must have something to do with it. Does anybody remember this old article? It is about software killing hardware: relevant, but not cataclysmic.

Yet the beauty of a PDOS attack, according to HP, is that it is much cheaper. A single attack can knock out your entire infrastructure, and you do not need to keep paying bot herders their outrageous fees. Or perhaps you do, depending on your point of view, as bot rental fees become dirt cheap. Should we say they are pegged to the market?

One thing that seems a natural solution is that all firmware updates, like all OS updates, need to be validated and installed only from trusted sources. In practice that means the device verifies a signature (or at least an authentication tag) over the whole image before writing it to flash, refuses images that would roll the version back, and leaves the running firmware untouched on any failure. The Trusted Computing Group has spent years building the plumbing to make this exercise fully feasible. We look forward to seeing application whitelisting overlaid as the controlling element that decides what counts as a trusted firmware or OS update.
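The update gate described above, as an added example that is not code from the original post, HP or any vendor: the device authenticates the image, refuses version rollback, optionally requires the image hash to be on an approved list (the whitelisting overlay), and changes nothing on any failure. The image layout is an assumption made for the example. HMAC-SHA256 with a device key is used so that it runs with the standard library alone; a production design would use an asymmetric signature so that a key extracted from one unit cannot sign images for the whole fleet.

```python
"""Authenticated firmware-update gate (added example).

Assumed image layout, not any vendor's format:
    magic(4) | version(u32 BE) | payload_len(u32 BE) | payload | tag(32)
where tag = HMAC-SHA256(device_key, header || payload).
The device accepts an image only if the lengths are consistent, the tag
verifies, the version moves forward and (if an allowlist is configured)
the image hash is approved. Otherwise the installed firmware is untouched.
"""
import hashlib
import hmac
import struct

MAGIC = b"FWUP"
TAG_LEN = 32
HEADER = struct.Struct(">4sII")   # magic, version, payload length


def build_image(key: bytes, version: int, payload: bytes) -> bytes:
    """Vendor side: pack the header and payload and append the tag."""
    header = HEADER.pack(MAGIC, version, len(payload))
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


class Device:
    def __init__(self, key: bytes, version: int, allowlist=None):
        self.key = key                    # assumed to be provisioned at manufacture
        self.version = version            # currently running firmware version
        self.installed = b"factory"
        self.allowlist = allowlist        # optional set of SHA-256 hex digests of approved images

    def verify(self, image: bytes):
        """Return (ok, reason) without modifying the device."""
        if len(image) < HEADER.size + TAG_LEN:
            return False, "truncated image"
        magic, version, plen = HEADER.unpack_from(image)
        if magic != MAGIC:
            return False, "bad magic"
        if HEADER.size + plen + TAG_LEN != len(image):
            return False, "length mismatch"
        body = image[:HEADER.size + plen]
        tag = image[HEADER.size + plen:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):   # constant-time comparison
            return False, "authentication failed"
        # Only fields covered by a valid tag are trusted from here on.
        if version <= self.version:
            return False, f"rollback to {version} refused (running {self.version})"
        if self.allowlist is not None and hashlib.sha256(image).hexdigest() not in self.allowlist:
            return False, "image not on approved list"
        return True, "ok"

    def update(self, image: bytes):
        """Apply the image only after every check passes."""
        ok, reason = self.verify(image)
        if ok:
            _, version, plen = HEADER.unpack_from(image)
            self.installed = image[HEADER.size:HEADER.size + plen]
            self.version = version
        return ok, reason


if __name__ == "__main__":
    key = b"per-device-key"                      # constructed for the example
    dev = Device(key, version=1)
    good = build_image(key, 2, b"firmware-v2")
    print("genuine v2:   ", dev.update(good))
    tampered = bytearray(build_image(key, 3, b"firmware-v3"))
    tampered[HEADER.size] ^= 0xFF               # flip one payload byte
    print("tampered v3:  ", dev.update(bytes(tampered)))
    print("forged key:   ", dev.update(build_image(b"wrong-key", 3, b"evil")))
    print("rollback v2:  ", dev.update(build_image(key, 2, b"firmware-v2")))
    print("truncated:    ", dev.update(good[:10]))
    print("running:      ", dev.version, dev.installed)
```

The ordering matters: the length check is the only thing done with unauthenticated fields, the tag is compared in constant time, and the version and allowlist checks come after authentication so that the device never acts on data an attacker could have written.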
