[SecurityRatty] tag: relay

Stolen Credit Cards account for 59% of online criminal activity

Fri, 28 Nov 2008 13:09:24 +0000

Please dont become a statistic in this area.
Be careful online, make sure the site is safe and make sure your computer security products are up to date and functioning properly.

clipped from www.crime-research.org

Symantec takes cybercrime snapshot with ‘Underground Economy’ report

The “Underground Economy” report contains a snapshot of online criminal activity observed from July 2007 to June 2008 by a Symantec team monitoring activities in Internet Relay Chat (IRC) and Web-based forums where stolen goods are advertised. Symantec estimates the total value of the goods advertised on what it calls “underground servers” was about $276 million, with credit-card information accounting for 59% of the total.

Credit for Researchers

Thu, 13 Nov 2008 16:40:18 +0000

Computer security researchers are much like scientific researchers in several ways. We build on the research of those who come before us, we sometimes rediscover the same things independently, and other times we forget where we learned things and sometimes claim them as our own. We also occasionally take an engineer’s approach and implement research discovered by others and not credit them as it’s the implementation into a tool that matters to us.

The latest Microsoft patch MS08-68 is a great example. It is a problem with NTLM authentication where the attacker can force a client to authenticate to him and the credentials, while not exposed in cleartext, can be relayed to another server or brute forced to obtain the cleartext. This is a very classic crypto protocol vulnerability. It’s not the crypto algorithms that are the problem, but the protocol implementation.

Microsoft recently fixed the problem, perhaps due to the availability of exploit code, the availability of an easy to use Metasploit implementation, or perhaps Microsoft’s changed tolerance for vulnerabilities. We can sum it up as a change in the threat space that made it worth fixing. But make no mistake, this is a very old problem.

News reports have been citing Sir Dystic’s SMBrelay tool, which was published in March, 2001, as the first knowledge of this vulnerability. Eric Shultze who worked at MSRC in 2001 just yesterday is quoted as saying, “I have been holding my breath since 2001 for this patch.” Obviously it is a long time coming. But this wasn’t the first publication of the problem. In 2000, one of my collegues on the research team at @stake, Christian Rioux (aka Dildog) published the telnet NTLM authentication vulnerability.

Rioux’s advisory has a great description of the credential relay and cracking weaknesses. I have talked to him and he says he discovered these problems independently, but he didn’t find them first. Dominique Brezinski published exactly these NTLM vulnerabilities in the SMB protocol in 1996 in a paper titled, “A Weakness in CIFS Authentication”. The earliest reference I can find on the paper on the net is here where it is included in another paper published in 1997. Such is the ad-hoc world of independent security research of 12 years ago which still continues today.

It seems ridiculous that a field like security research, which is so important to the running of modern society is so ad-hoc. Shouldn’t we know who discovered a vulnerability? Shouldn’t all researchers and engineers know about it? More importantly if someone implements a tool that takes advantage of a vulnerability shouldn’t they credit the discoverer? Don’t get me wrong. Implementation takes a lot of work and sometimes makes all the difference in makeing people aware of a security problem. After all when I was at the L0pht our slogan was, “Making the theoretical, practical”. I still think researchers should get credit when credit is due.

The security community has gotten better at documentating our research but I still see instances of independent discovery, misplaced credit, and tools giving no credit to researchers. I hate to say it but getting a bit more academic is in order. Credit is the currency of a researcher and placing it well will reward the right people and we will all benefit.

The Bot Monsters are right outside your door!

Thu, 30 Oct 2008 12:48:57 +0000

GO Chicken Heart!
Sorry, a flashback to my days as a kid. Yes, I was a kid!
Make sure your Firewall is properly configured to thwart attacks or you may be getting a trick instead of a treat this Halloween.

clipped from www.pcworld.com

Don’t Be Dragooned Into the Botnet Army

A favorite multipurpose weapon of online thieves is growing larger and more powerful, according to those who combat the threat.

The malware armies are growing, with a sharp rise in the number of computers corralled into botnets–far-flung networks of infected PCs that digital crooks use to steal financial account data, relay spam, and launch crippling Internet attacks. Now that popular Web sites can invisibly and unwillingly spread malicious software, the days of staying safe just by being careful where you surf are sadly long gone. But you can take steps to protect yourself and your PC from these threats.

Pseudo Email Marketing Tools Empowering Spammers

Wed, 29 Oct 2008 16:28:30 +0000

Largely ignoring its real life applicability, a vendor of "email marketing" tools continues the development of a DIY spamming tools, whose features greatly evolved throughout the last couple of years. Originally released in 2004, the vendor appears to have been actively improving the real-time metrics of the campaigns, next to building interactivity into the spamming process through the WYSIWYG editor.

For better or worse, despite that these applications are empowering spammers and lowering down the entry barriers into spamming, the tools have gotten largely replaced by the increasing number of managed spamming services, whose quality assurance features of bypassing spam filters act as a main differentiation factor. Here are some of this tool's features :

"- High speed distribution - 200,000 letters per hour.
- Contains an embedded SMTP server that allows you to send letters directly to the recipient's mailbox without using your provider's SMTP server.
- If you are accessing the Internet via modem, and distribution using the SMTP server, you do not fit - also allowed to send mail through any number of remote SMTP servers (relay), or via SMTP server provider.
- Support for SMTP authentication.

- Supports up to 500 concurrent streams to send to each mailing.
- Automatic caching DNS requests to speed up distribution and reducing the load on the DNS server.
- Ability to run multiple independent shots at the same time.
- Ability to suspend delivery and continue later with a point.
- All modes distribution - TO, CC, BCC and PersonalCopy. In the latter case, the program generates a personal letter to each recipient.

- Ability to specify the size of BCC package regimes TO, CC, and BCC.
- Ability to specify the TO: field for mailing regimes and CS BCC.
- Full emulation signature letters Outlook Express to increase cross-your-mails through spam filters.
- Support for distribution via a proxy server.
- Automatically detect the bad (non-existent) and not by E-Mail addresses directly in the process of distribution based on a flexible, user SMTP rules. Thanks SMTP rules achieved a very precise definition of bad addresses virtually no false positives.

- Ability to create lists of addresses, depending on the specific responses of remote servers for SMTP commands.
- Organize automatically subscribe / unsubscribe to the mailing addresses.
- Perform any processing of existing lists.
- Develop a letter to the powerful WYSIWYG Html editor.

- Automatically apply to each recipient by name, as well as paste in a letter to a specific, personalized information through powerful Mail Merge templates.

- Set the calendar to automatically launch shots at the right time.
- Quickly send out mail."

With managed spam services' on-demand, risk forwarding and completely outsourced processes, they're not only going to replace such DIY tools, but also, position them as a dynamically evolving cybercrime platforms.

Eye-Fi Adds Upgrade Track at Yearly Fee

Mon, 22 Sep 2008 18:07:12 +0000

The Wi-Fi sharing digital memory card Eye-Fi adds another option for its product line: If you've purchased or plan to purchase an Eye-Fi, starting 5-Oct-2008, you can upgrade the model of card you purchased by paying a yearly subscription fee. This provides more of a try-and-see mode for Eye-Fi's slightly more expensive offerings.

Eye-Fi divided its Wi-Fi SD card line-up into three parts earlier in the year: Home, which transfers to a computer ($80); Share, which uploads to a computer and to Eye-Fi's servers, which relay them to gallery, print, and social services ($100); and Explore, which ties in Wi-Fi positioning and one year of a Wayport hotspot subscription for uploads ($130). I wrote a long review of the Eye-Fi Explore on 12-Aug-2008.

If you bought a Home, you can upgrade to the Share service for $10 per year, and if you bought either a Home or Share, you can add geotagging for $15 per year and hotspot access for $15 per year. It's a smart move, since original Eye-Fi card buyers already had a firmware upgrade that converted their card into a Share model; they'll now be able upgrade to the full featureset. This is something I thought the company was offering at launch months ago, and I speculated it would be easy to add.

Eye-Fi also added two new photo sharing services: Apple's MobileMe and AdoramaPix. I cannot think of any other firm that Apple has partnered with to allow direct MobileMe uploads, although this may be technically less a big deal than it sounds. But I believe it's unique--only the iPhone and iPhoto software can transfers images into MobileMe's galleries; I'll need to investigate further. It's a good feather in Eye-Fi's cap.

Finally, Eye-Fi says they'll release tweaked firmware on 5-Oct as well that will double the speed of photo transfers from their cards to a computer on the local network.

Security in Mobile Ad Hoc Networks

Thu, 22 May 2008 02:22:47 +0000

One of the most critical roles security researchers have is keeping up with new technologies and considering the security implications that go along with them—essentially, ensuring that security is "baked in" to new ideas from the earliest possible moment. Because of this, researchers have had significant interest in the field of mobile ad hoc networks (Manets). Such networks are frequently viewed as a key communications technology enabler for network-centric warfare and disaster relief operations, and as the technology matures, Manets are increasingly reaching many other applications in areas such as intelligent transportation systems and fault-tolerant mobile sensor grids. Manets can operate in isolation or in coordination with a wired infrastructure, often through a gateway node participating in both networks for traffic relay. This flexibility, along with their self-organizing capabilities, are some of Manet's biggest strengths, as well as their biggest security weaknesses.

Security Flaw Turns Gmail into Open-Relay Server

Sun, 11 May 2008 00:02:32 +0000

A newfound flaw in Google's Gmail allows would-be spammers to treat the service as an open-relay server. Compounding the issue is the fact that services such as Hotmail and Yahoo "trust" Gmail. This may facilitate e-mail delivery, but it also makes it easier for spammers to reach their intended targets.

Sitting on your hands is not an option - FUD, Compliance, what will it take to sell security?

Wed, 12 Mar 2008 21:17:43 +0000

Michael Farnum has a good post up today about a customer of his over at Accuvant. In a real life reenactment of every security vendors dream (come on, admit it), while the customer was procrastinating about whether to spend the money on security or not they were pwned. Michael says this is the second time this has happened since he has been at Accuvant. Obviously nothing loosens up the purse strings like a real live security "incident". However, we can't as an industry rely on a security breach happening at the moment a customer is contemplating a security purchase to drive the sale through.

What does drive the security sale? Over my years in security I have seen the answer change from FUD to compliance. There was a time when to sell security you would ask your customer, what would happen to your business if your network was brought down? What would happen if your IP was stolen? What would the negative publicity of a security breach cost you? Of course some of these questions could be turned on their side into the infamous Security ROI argument. But whether or not security can show a true ROI is highly questionable and I am from the school that it does not really exist. Than about 5 or 6 years ago, we started to see compliance becoming the driver. The first big driver in compliance for me was the Graham-Leach-Biley Act for the financial industry (when was the last time you heard that as a driver for security). Then always on the horizon and promising more than it actually delivered was HIPAA. Of course as Ilena Armstrong says "...HIPAA, say it with me now, "had no teeth." After HIPAA, California's breach notification law served as a model for many other states and finally brought some real compliance drivers to business outside of finance and health. FISMA brought the fear of God to the federal space.

Of course these all paled in comparison to the twin giants and darlings of the security industry, SOX and PCI. Have there ever been two sweeter words to the security industry. I remember speaking to security consultants who would relay how in their sales pitch to C-level execs they would tell them that failure to do something now about SOX could put them in jail. How did they look in stripes? PCI is still driving the merchant world security business and I don't think we have seen it peek yet. Yes, how sweet it is.

But what is next for the security industry? What is going to make people buy security next. Can we rely on the next gimmick or sales angle? Will there be a new statute, rule or regulation? Will a security breach scare the rest of us into doing something. Should we just wait around for our customers to get pwned and than come in like the cat that swallowed the canary with the magic bullet (even if there is no such thing as magic bullets). Or maybe as Bruce Schneier says people will just start expecting security as part of what they buy, not as a separate entity. They don't need to buy products that secure their network, they buy a network that is secure. Bruce says it better than I here:

Honestly, no one wants to buy IT security. People want to buy whatever they want -- connectivity, a Web presence, email, networked applications, whatever -- and they want it to be secure. That they're forced to spend money on IT security is an artifact of the youth of the computer industry. And sooner or later the need to buy security will disappear. It will disappear because IT vendors are starting to realize they have to provide security as part of whatever they're selling.

It will disappear because organizations are starting to buy services instead of products, and demanding security as part of those services. It will disappear because the security industry will disappear as a consumer category, and will instead market to the IT industry.

To be fair Mike Rothman has preached a similar heresy for sometime as well. I use the term heresy because writing this article I feel a little like Jerry Maguire having a moral epiphany. However, the more I see and hear and learn, I become more convinced that StillSecure's emphasis on convergence is actually an off shoot of this truth. People are going to want secure networks, secure endpoints, secure products. Not products that secure them. Security companies that recognize this fact will succeed in the years to come, companies that do not will be the dinosaurs of tomorrow.

High Availability Security In Your Virtual Environment

Wed, 12 Mar 2008 18:41:15 +0000

How many times have security products been the blame for network outages? Many right?

If something goes down and the network team gets a call, they immediately point their finger at the Firewall. If a user can't access something on the network, its the Firewall. If something is running slow on the network, guess what!

Its the firewall.

And with Intrusion Prevention products, because they were very unstable during the early years and would crash or generate false positives a lot, customers started demanding that these devices had some failure mechanisms in them. Customers demanded "Fail Open". Fail Open to a security guy doesn't make a whole lot of sense because it basically says, if there is a problem with the metal detector at the airport, it should just "Fail Open" and let everyone into the gate area to board airplanes!

I'd rather block all traffic until I know it was secure, but I live in a world where most people don't think like me. So.... Why the heck am I blogging about this in a virtualization blog?

Well, I know that Virtual Networks function much like Physical Networks and since network engineers don't always trust security devices I understand that the same set of requirements placed on physical security products will be placed on virtual security products.

Why wouldn't the networking guys demand that virtual security products have either "Fail Open" or what I feel is a better solution "Fail Over".

"Fail Open" is not really possible with virtual security products because true fail open means that you have some sort of physical relay or in the case of optical networks, mirrors that short circuit software to allow bits to bypass and flow around the software application.

"Fail Over" however is possible and customers are going to ask for the same things I believe when it comes to uptime on a virtual network as they do a physical network.

Take a look at the attached picture. It depicts a software solution that has two firewall type products running in Active / Passive.

CLICK PIC TO ENLARGE

So, as you are looking at security solutions for your virtual environment, you should ask the question of whether or not they provide any high availability and if so, what level of high availability. Active / Active, Active / Passive, Statefull, Stateless, and everything you've asked of your physical vendors.

My guess is that if you ask and they don't have it, they will start developing it and marketing its ability. Its a battle that cant be won completely. Customers will always want high availability be it virtual or physical.

Until the next post...