<?xml version="1.0" encoding="utf-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" version="2.0">
  <channel>
    <title><![CDATA[[SecurityRatty] tag: represents]]></title>
    <link>http://securityratty.com/tag/represents</link>
    <description></description>
    <pubDate>Mon, 28 Jul 2008 07:07:26 +0000</pubDate>
    <generator>iRatty Engine</generator>
    <docs>http://blogs.law.harvard.edu/tech/rss</docs>
    <item>
      <title><![CDATA[The Commercialization of Anti Debugging Tactics in Malware]]></title>
      <link>http://securityratty.com/article/91955d7bc08228b99c0f5fa478c039b5</link>
      <guid>http://securityratty.com/article/91955d7bc08228b99c0f5fa478c039b5</guid>
      <description><![CDATA[Commoditization or commercialization, Themida or Code Virtualizer, individually crypting or outsourcing to an experienced malware crypting service offering discounts on a volume basis next to...]]></description>
      <content:encoded><![CDATA[<a href="http://2.bp.blogspot.com/_wICHhTiQmrA/SN0BFks8GsI/AAAAAAAACMQ/J_vLiffz110/s1600-h/figure_multiple.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="128" src="http://2.bp.blogspot.com/_wICHhTiQmrA/SN0BFks8GsI/AAAAAAAACMQ/bz624nz5JbE/s200-R/figure_multiple.jpg" width="200" /></a><a href="http://ddanchev.blogspot.com/2008/09/commoditization-of-anti-debugging.html">Commoditization</a> or commercialization, Themida or Code Virtualizer, individually crypting or outsourcing to an experienced malware crypting service offering discounts on a volume basis next to detection rates of the crypted binary offered by a trusted online scanner that is NOT distributing the samples to the vendors? These are just some of the questions malware authors often ask themselves, while others distribute pirated copies of Code Virtualizer urging everyone to start taking advantage of commercial anti-reverse engineering tools to make their malware harder to analyze. Once again, just like we've seen before, a legitimate commercial application can come in handy in the hands of the wrong people:<br />
<br />
"<i>Code Virtualizer will convert your original code (Intel x86 instructions) into Virtual Opcodes that will only be understood by an internal Virtual Machine. Those Virtual Opcodes and the Virtual Machine itself are unique for every protected application, avoiding a general attack over Code Virtualizer. Code Virtualizer can protect your sensitive code areas in any x32 and x64 native PE files (like executable files/EXEs, system services, DLLs, OCXs, ActiveX controls, screen savers and device drivers).</i><br />
<br />
<div style="text-align: left;"></div><div class="separator" style="clear: both; text-align: center;"></div><a href="http://4.bp.blogspot.com/_wICHhTiQmrA/SN0CPwG9MzI/AAAAAAAACMY/lB8WtKqycj4/s1600-h/cvprotopt.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="149" src="http://4.bp.blogspot.com/_wICHhTiQmrA/SN0CPwG9MzI/AAAAAAAACMY/kgSYpWIHW2E/s200-R/cvprotopt.png" width="200" /></a><i>Code Virtualizer can generate multiple types of virtual machines with a different instruction set for each one. This means that a specific block of Intel x86 instructions can be converted into different instruction set for each machine, preventing an attacker from recognizing any generated virtual opcode after the transformation from x86 instructions. The following picture represents how a block of Intel x86 instructions is converted into different kinds of virtual opcodes, which could be emulated by different virtual machines.</i><br />
<br />
<i>When an attacker tries to decompile a block of code that was protected by Code Virtualizer, he will not find the original x86 instructions. Instead, he will find a completely new instruction set which is not recognized by him or any other special decompiler. This will force the attacker to go through the extremely hard work of identifying how each opcode is executed and how the specific virtual machine works for each protected application. Code Virtualizer totally obfuscates the execution of the virtual opcodes and the study of each unique virtual machine in order to prevent someone from studying how the virtual opcodes are executed.</i>"<br />
<br />
With the Cyber-as-a-Service business model becoming increasingly common, the entire <a href="http://ddanchev.blogspot.com/2007/10/multiple-firewalls-bypassing.html">quality assurance model in respect to malware</a> is slowly maturing from individual malware crypting propositions, where the seller of the service is basically taking advantage of a diverse set of public/private tools, into DIY web services offering crypting discounts on a volume basis, and perhaps most importantly, improving the customer's experience by letting him take advantage of the inventory of crypting tools and bypassing verification services. Within the tool's inventory are naturally lots of (pirated) commercial anti-reverse engineering tools.<br />
<br />
As we've seen before, whenever someone starts commercializing what used to be a self-serving process, others will either follow, or disintermediate their services by persistently releasing crypting tools for free in the wild. At the end of the day, it's all a matter of how serious they are about commercializing this market segment, and taking into consideration that a spamming vendor is offering malware crypting services "in between" the rest of the services in their portfolio, this underground cash cow is yet to prove itself in the long term.]]></content:encoded>
      <pubDate>Mon, 29 Sep 2008 12:55:54 +0000</pubDate>
      <category domain="http://securityratty.com/tag/machine">machine</category>
      <category domain="http://securityratty.com/tag/specific virtual machine">specific virtual machine</category>
      <category domain="http://securityratty.com/tag/internal virtual machine">internal virtual machine</category>
      <category domain="http://securityratty.com/tag/code">code</category>
      <category domain="http://securityratty.com/tag/sensitive code">sensitive code</category>
      <category domain="http://securityratty.com/tag/malware">malware</category>
      <category domain="http://securityratty.com/tag/unique virtual machine">unique virtual machine</category>
      <category domain="http://securityratty.com/tag/original code">original code</category>
      <category domain="http://securityratty.com/tag/code virtualizer">code virtualizer</category>
      <source url="http://feeds.feedburner.com/~r/DanchoDanchevOnSecurityAndNewMedia/~3/406651187/commercialization-of-anti-debugging.html">The Commercialization of Anti Debugging Tactics in Malware</source>
    </item>
    <item>
      <title><![CDATA[Online Security Issues in Regulated Industries]]></title>
      <link>http://securityratty.com/article/c0375c78d0a6bb8d65017b5d95e86d90</link>
      <guid>http://securityratty.com/article/c0375c78d0a6bb8d65017b5d95e86d90</guid>
      <description><![CDATA[(Source: Webroot Software) In June 2008, Computerworld invited IT and business leaders to participate in a survey on online security initiatives at their organizations. The goal of the survey was to...]]></description>
      <content:encoded><![CDATA[<b>(Source: Webroot Software)</b> In June 2008, Computerworld invited IT and business leaders to participate in a survey on online security initiatives at their organizations. The goal of the survey was to better understand Web and e-mail security issues faced today within the regulated education, financial services, government and health care industries. The following report represents top-line results of that survey.]]></content:encoded>
      <pubDate>Thu, 11 Sep 2008 09:00:00 +0000</pubDate>
      <category domain="http://securityratty.com/tag/health care industries">health care industries</category>
      <category domain="http://securityratty.com/tag/online security initiatives">online security initiatives</category>
      <category domain="http://securityratty.com/tag/survey">survey</category>
      <category domain="http://securityratty.com/tag/financial services">financial services</category>
      <category domain="http://securityratty.com/tag/business leaders">business leaders</category>
      <category domain="http://securityratty.com/tag/webroot software">webroot software</category>
      <category domain="http://securityratty.com/tag/government">government</category>
      <category domain="http://securityratty.com/tag/source">source</category>
      <category domain="http://securityratty.com/tag/education">education</category>
      <source url="http://feeds.computerworld.com/click.phdo?i=d26055f7677a5106a46d0eba24afd604">Online Security Issues in Regulated Industries</source>
    </item>
    <item>
      <title><![CDATA[Employee Fraud Spiralling Out of Control in the UK]]></title>
      <link>http://securityratty.com/article/e73530104c782e83900fa4a31dabab72</link>
      <guid>http://securityratty.com/article/e73530104c782e83900fa4a31dabab72</guid>
      <description><![CDATA[You have read it before on TheBulletProofBlog - the tougher times get, the more likelihood that people will resort to criminal measures


We reported it regarding the theft of copper from Churches,...]]></description>
      <content:encoded><![CDATA[You have read it before on TheBulletProofBlog - the tougher times get, the greater the likelihood that people will resort to criminal measures.<br /><br /><span id="fullpost"><br />We reported it regarding the theft of copper from Churches, Hospitals, Schools - even from new homes still under construction. We brought to your attention the fact that thieves have become bolder, evidenced by the theft of manhole covers in public streets and drilling into fuel tanks on vehicles as petrol and diesel prices rise.<br /></span><br />In "<a href="http://www.personneltoday.com/articles/2008/09/01/47259/employee-fraud-rises-as-credit-crunch-hits.html">Personneltoday</a>", it is reported that employers have been put on "red alert" as the downturn in the economy is prompting employees to make ends meet by dishonest means. One figure that employers everywhere are bound to find shocking is the fact that employee fraud has cost UK companies more than 77 Million Pounds Sterling (approx. $150,000,000.00), just in the first half of this year alone.<br /><br />The most disturbing aspect of this figure is the fact that it is up from 10 Million Pounds Sterling (approx. $18,000,000.00) in the same period last year. This represents more than an 8 fold increase in employee fraud in a 12 month period.<br /><br />The report was conducted by the accountancy firm BDO Stoy Hayward. Mr. Simon Bevan, the head of fraud services there, attributes the escalation in criminal activity amongst employees to "spiralling personal debt as a result of mortgage, food and fuel price hike". Sound familiar?<br /><br />The population of the UK is one sixth that of the United States. It is frightening to imagine what the figures will look like from U.S. businesses at the end of this year and beyond. In 2002, employee fraud and abuse cost U.S. businesses $6 Billion Dollars (independently reported by the "Association of Certified Fraud Examiners" of which SEXTON is a member).<br /><br />What would be the outcome to U.S. businesses if fraud costs escalated 8 fold to $48 Billion Dollars by year's end? How many would go under? How much further damage would that inflict on the already struggling economy? The economic circumstances in the U.S. are certainly similar to those of the UK.<br /><br />U.S. businesses beware. Be proactive and fight fraud and abuse before it is too late. Your very survival just may depend upon it.<div class="blogger-post-footer">Visit Sexton Executive Security at www.sextonsecurity.com</div>]]></content:encoded>
      <pubDate>Tue, 09 Sep 2008 06:08:00 +0000</pubDate>
      <category domain="http://securityratty.com/tag/employee fraud">employee fraud</category>
      <category domain="http://securityratty.com/tag/businesses">businesses</category>
      <category domain="http://securityratty.com/tag/businesses beware">businesses beware</category>
      <category domain="http://securityratty.com/tag/million pounds">million pounds</category>
      <category domain="http://securityratty.com/tag/billion dollars">billion dollars</category>
      <category domain="http://securityratty.com/tag/period">period</category>
      <category domain="http://securityratty.com/tag/fold increase">fold increase</category>
      <category domain="http://securityratty.com/tag/fold">fold</category>
      <category domain="http://securityratty.com/tag/fuel price hike">fuel price hike</category>
      <source url="http://www.thebulletproofblog.com/2008/09/employee-fraud-spiralling-out-of.html">Employee Fraud Spiralling Out of Control in the UK</source>
    </item>
    <item>
      <title><![CDATA[A layered approach to data leak prevention]]></title>
      <link>http://securityratty.com/article/67a7b8012b1ff38266ad03979190438f</link>
      <guid>http://securityratty.com/article/67a7b8012b1ff38266ad03979190438f</guid>
      <description><![CDATA[My company is increasingly deploying SSL applications and that traffic already represents 40 percent of my network capacity. With this encrypted traffic on the rise, how can I build an effective...]]></description>
      <content:encoded><![CDATA[My company is increasingly deploying SSL applications and that traffic already represents 40 percent of my network capacity.  With this encrypted traffic on the rise, how can I build an effective protection against the loss of sensitive data?]]></content:encoded>
      <pubDate>Sun, 07 Sep 2008 20:00:00 +0000</pubDate>
      <category domain="http://securityratty.com/tag/traffic">traffic</category>
      <category domain="http://securityratty.com/tag/ssl applications">ssl applications</category>
      <category domain="http://securityratty.com/tag/sensitive data">sensitive data</category>
      <category domain="http://securityratty.com/tag/network capacity">network capacity</category>
      <category domain="http://securityratty.com/tag/effective protection">effective protection</category>
      <category domain="http://securityratty.com/tag/represents">represents</category>
      <category domain="http://securityratty.com/tag/percent">percent</category>
      <category domain="http://securityratty.com/tag/increasingly">increasingly</category>
      <category domain="http://securityratty.com/tag/loss">loss</category>
      <source url="http://www.networkworld.com/columnists/2008/090808insider.html?fsrc=rss-security">A layered approach to data leak prevention</source>
    </item>
    <item>
      <title><![CDATA[EPTS: Proposed Event Processing Definitions, September 20, 2006]]></title>
      <link>http://securityratty.com/article/c90d53785950324b36b55747a92766da</link>
      <guid>http://securityratty.com/article/c90d53785950324b36b55747a92766da</guid>
      <description><![CDATA[For interested readers, here are the event processing definitions we provided to the (future) EPTS working group on September 20, 2006, coordinated (edited) by David Luckham and Roy Schulte
adaptive...]]></description>
      <content:encoded><![CDATA[<p>For interested readers, here are the <a href="http://www.thecepblog.com/pdf/EVENT.PROCESSING.DRAFT.GLOSSARY.V4.SEPT.pdf" target="_blank">event processing definitions</a> we provided to the (future) EPTS working group on September 20, 2006, <a href="http://complexevents.com/?p=195" target="_blank">coordinated (edited) by David Luckham and Roy Schulte</a>;</p>
<p><strong>adaptive process management</strong> (n.) an element of resource and business process management, adaptive search and event processing. Sometimes referred to as “Level 4” event processing or process refinement.</p>
<p><strong>application concept</strong> (n.) a definition of a set of properties that represent the data fields of an application entity. An application concept can describe relationships among themselves. For example, an order concept might have a parent/child relationship with an item concept. A department concept might be related to a purchase requisition concept based on the shared property, department_id. Application concepts can include an application state model.</p>
<p><strong>application state modeler</strong> (n.) a UML-compliant application that allows you to model the life cycle of a concept instance — that is, for each instance of a given concept, you can define which states it will pass through and how it will transition from state to state. States have entry actions, exit actions, and conditions, providing precision control over the behavior of an event processing agent. Transitions between states also may have rules. Multiple types of states and transitions maximize the versatility and power of the application state modeler.</p>
<p><strong>derived event</strong> (n.) an event that is created as a result of processing one or more other events.</p>
<p><strong>complex event</strong> (n.) an event that is a situation-entity abstraction of two or more simple, derived or other complex events.</p>
<p><strong>complex event processing</strong> (n.) CEP is a technology for extracting information from message-based systems. CEP is primarily an event processing concept that deals with the task of processing multiple events from an event cloud with the goal of identifying the meaningful events within the event cloud. CEP employs techniques such as detection of complex patterns of many events, event correlation and abstraction, event hierarchies, and relationships between events such as causality, membership, and timing, and event-driven processes.</p>
<p><strong>event</strong> (n.) an instance of an event definition. It is an immutable object that represents a business activity that happened at a single point in time. Just as one cannot change the fact that a given activity occurred, one cannot change an event — events are immutable.</p>
<p><strong>event aggregation</strong> (n.) the aggregation of simple, derived or complex events into higher levels of event abstractions.</p>
<p><strong>event definition</strong> (n.) a set of properties related to a given activity that represents an important or interesting change of state in a human, system or computational activity. An event definition includes event properties such as event priority, event time to live (TTL), and a description of the payload, which is comprehensive information related to the activity that occurred. Events expire when the TTL has elapsed, unless the event processing agent has instructions to consume them prior to that time.</p>
<p><strong>event channel</strong> (n.) a communications channel in which events are transmitted from event source to event receivers, typically received as electronic messages. Each channel can have multiple destinations, and events can be configured to transmit to a default destination. JMS is an example of an event channel.</p>
<p><strong>event cloud</strong> (n.) a partially ordered set of events (poset), either bounded or unbounded, where the partial orderings are imposed by the causal, timing and other relationships between the events. Typically an event cloud is created by the events produced by one or more distributed systems. An event cloud may contain many event types, event streams and event channels. The difference between a cloud and a stream is that there is no event relationship that totally orders the events in a cloud.</p>
<p><strong>event-driven</strong> (n.) the behavior of a human, system or computational entity whose execution or actuation is in response to events, typically received as electronic messages.</p>
<p><strong>event-driven architecture</strong> (n.) an architectural style for distributed computing applications in which some of the components are event-driven and communicate by means of events.</p>
<p><strong>event processing</strong> (n.) computing that performs operations on events, including modifying, creating and destroying events.</p>
<p><strong>event-object</strong> (n.) a software object that represents an event, generally for the purpose of computer processing, that exhibits encapsulation, inheritance and polymorphism.</p>
<p><strong>event prediction</strong> (n.) computational activity where the impact of events, complex events, and situations caused by events is identified, including both opportunity and threat. Sometimes referred to as “Level 2” event processing, impact assessment or predictive analytics.</p>
<p><strong>event pre-processing</strong> (n.) computational activity where events are cleansed or normalized to produce semantically understandable data. Sometimes referred to as “Level 0” event processing.</p>
<p><strong>event processing</strong> (n.) computational activities on events dealing with the association, correlation, and combination of event data and information from single and multiple event sources to achieve refined identity and situation estimates for observed event objects, and to achieve complete and timely assessments of opportunities, threats, and their significance. Event processing is characterized by continuous refinements of event estimates and assessments and by evaluation of the need for additional sources, or modification of the process itself, to achieve improved results.</p>
<p><strong>event processing agent</strong> (n.) an EPA is a computational entity that performs event processing.</p>
<p><strong>event processing network</strong> (n.) a set of event processing agents and a set of event channels connecting them.</p>
<p><strong>event properties</strong> (n.) data representation of an event, typically by name-value pairs of type string, integer, real, boolean or a complex data type.</p>
<p><strong>event refinement</strong> (n.) filter, identify and track events &amp; make initial processing decisions based on association, correlation and state estimation. Sometimes referred to as “Level 1” event, or event-object, track and trace.</p>
<p><strong>event stream</strong> (n.) a time-ordered sequence of events. An event stream may be bounded by a certain time interval or other contextual dimension (content, space, source, certainty), or be open ended and unbounded.</p>
<p><strong>event stream processing</strong> (n.) a time-ordered sequence of events. An event stream may be bounded by a certain time interval or other contextual dimension (content, space, source, certainty), or be open ended and unbounded.</p>
<p><strong>rule</strong> (n.) defines what triggers unusual, suspicious, problematic, or advantageous activity within an event processing agent and what the EPA does when it discovers these types of activities. Rules execute actions based on certain conditions on events, instances, or a combination of both. A rule includes a group of condition-rule statements and action-rule statements. The condition statements instruct the EPA what to look for in events, and action statements instruct the EPA how to respond when conditions are met. If all the conditions in a rule are satisfied by events or instances or both, the EPA fires the actions. The action might be to execute tasks, create an event instance, modify property values in an event instance, create and send an event, or something else.</p>
<p><strong>rules engine</strong> (n.) a type of event processing agent that uses a declarative programming model to process events. Formally described as “an abstract structure that describes a formal language precisely, i.e., a set of rules that mathematically delineates a (usually infinite) set of finite-length strings over a (usually finite) alphabet”. Informally, it can be any system that uses rules, in any form, that can be applied to data to produce outcomes.</p>
<p><strong>rule language</strong> (n.) an artificial language that is used to control the behavior of an event processing agent. Rule languages, like human languages, have syntactic and semantic rules to define meaning.</p>
<p><strong>situation refinement</strong> (n.) identify situations, or complex events, based on event clustering, event-event relationships and relationship analysis and context. Sometimes referred to as “Level 2” event processing.</p>
<p><strong>simple event</strong> (n.) an event that is not an abstraction or composition of other events.</p>
<p><strong>virtual event</strong> (n.) an event that is imagined, modeled or simulated.</p>
<hr /><p>Note: The Emerging Technologies Engineering Team at <a href="http://www.tibco.com" target="_blank">TIBCO Software</a> significantly contributed to these event processing terms and definitions.</p>
]]></content:encoded>
      <pubDate>Thu, 21 Aug 2008 01:47:11 +0000</pubDate>
      <category domain="http://securityratty.com/tag/event">event</category>
      <category domain="http://securityratty.com/tag/event-object">event-object</category>
      <category domain="http://securityratty.com/tag/business process management">business process management</category>
      <category domain="http://securityratty.com/tag/process">process</category>
      <category domain="http://securityratty.com/tag/event correlation">event correlation</category>
      <category domain="http://securityratty.com/tag/process refinement">process refinement</category>
      <category domain="http://securityratty.com/tag/simple">simple</category>
      <category domain="http://securityratty.com/tag/simple event">simple event</category>
      <category domain="http://securityratty.com/tag/process events">process events</category>
      <source url="http://www.thecepblog.com/2008/08/21/epts-proposed-event-processing-definitions-september-20-2006/">EPTS: Proposed Event Processing Definitions, September 20, 2006</source>
    </item>
    <item>
      <title><![CDATA[PCI Compliance: Reaction to the Summary of Changes]]></title>
      <link>http://securityratty.com/article/ddeefb896f6d234b28dddac20a55a9c5</link>
      <guid>http://securityratty.com/article/ddeefb896f6d234b28dddac20a55a9c5</guid>
      <description><![CDATA[On August 18 the PCI Security Standards Council formally announced (http://www.pcisecuritystandards.org/pdfs/08-18-08_2.pdf) forthcoming changes to the Payment Card Industry's Data Security Standard...]]></description>
      <content:encoded><![CDATA[On August 18 the PCI Security Standards Council formally announced (<a href="http://www.pcisecuritystandards.org/pdfs/08-18-08_2.pdf" target=_blank>http://www.pcisecuritystandards.org/pdfs/08-18-08_2.pdf</a>) forthcoming changes to the Payment Card Industry's Data Security Standard (PCI DSS) as it moves from version 1.1 to version 1.2 in October 2008.  The release represents the first major update since September 2006.
<P>
What's my take on the summary of changes? <B>Most merchants will be pleased to see that these are relatively minor changes...</b>]]></content:encoded>
      <pubDate>Mon, 18 Aug 2008 20:00:00 +0000</pubDate>
      <category domain="http://securityratty.com/tag/payment card industry">payment card industry</category>
      <category domain="http://securityratty.com/tag/data security standard">data security standard</category>
      <category domain="http://securityratty.com/tag/release represents">release represents</category>
      <category domain="http://securityratty.com/tag/version">version</category>
      <category domain="http://securityratty.com/tag/pci dss">pci dss</category>
      <category domain="http://securityratty.com/tag/summary">summary</category>
      <category domain="http://securityratty.com/tag/october">october</category>
      <category domain="http://securityratty.com/tag/pdf">pdf</category>
      <category domain="http://securityratty.com/tag/minor">minor</category>
      <source url="http://www.rsa.com/blog/blog_entry.aspx?id=1330">PCI Compliance: Reaction to the Summary of Changes</source>
    </item>
    <item>
      <title><![CDATA[On Stratfor]]></title>
      <link>http://securityratty.com/article/3a9d4cea7cf308c71df112b7ea133337</link>
      <guid>http://securityratty.com/article/3a9d4cea7cf308c71df112b7ea133337</guid>
      <description><![CDATA[I love Stratfor. I am addicted. They have a unique way of saying things, an elegant mix of insight, cynicism and humor. How about this one, for instance:

But in Georgia’s twilight hour, Stratfor’s gaze...]]></description>
      <content:encoded><![CDATA[I love <a href="http://www.stratfor.com"><span style="font-weight: bold;">Stratfor</span></a>. I am addicted.  They have a unique way of saying things, an elegant mix of insight, cynicism and humor. How about this one, for instance:<br /><br />"But in Georgia’s twilight hour, Stratfor’s gaze is not particularly riveted on Tbilisi. Georgia’s fate is more or less sealed. At dawn either the bombs will fall and the tanks will advance and depose the Georgian government by force, or a siege will begin that will depose it in time. Either way, the government of what is currently known as Georgia will evolve into a form that slavishly respects Russian wishes. The only reason Russian officials have not said they will enforce “regime change” is because they feel the term is too American. Whatever the nomenclature, the details of how this change happens pale in comparison to what such a change represents."<div class="blogger-post-footer">About me: http://www.chuvakin.org</div>]]></content:encoded>
      <pubDate>Tue, 12 Aug 2008 07:35:00 +0000</pubDate>
      <category domain="http://securityratty.com/tag/change">change</category>
      <category domain="http://securityratty.com/tag/change represents">change represents</category>
      <category domain="http://securityratty.com/tag/enforce regime change">enforce regime change</category>
      <category domain="http://securityratty.com/tag/georgias">georgias</category>
      <category domain="http://securityratty.com/tag/georgias twilight hour">georgias twilight hour</category>
      <category domain="http://securityratty.com/tag/georgian government">georgian government</category>
      <category domain="http://securityratty.com/tag/government">government</category>
      <category domain="http://securityratty.com/tag/reason russian officials">reason russian officials</category>
      <category domain="http://securityratty.com/tag/love stratfor">love stratfor</category>
      <source url="http://feeds.feedburner.com/~r/AntonChuvakinPersonalBlog/~3/363162187/on-stratfor.html">On Stratfor</source>
    </item>
    <item>
      <title><![CDATA[Red Herring Fallacies: The Straw Man Argument]]></title>
      <link>http://securityratty.com/article/fd8b4d90abc87b580bec45cf10aafeeb</link>
      <guid>http://securityratty.com/article/fd8b4d90abc87b580bec45cf10aafeeb</guid>
      <description><![CDATA[According to our friend Wikipedia, the Straw Man argument is a red-herring fallacy where one party in a debate describes a position that, on the surface, resembles an opponent’s actual view but is...]]></description>
      <content:encoded><![CDATA[<p>According to our friend Wikipedia, the <a href="http://en.wikipedia.org/wiki/Straw_man" target="_blank">Straw Man argument</a> is a <a href="http://en.wikipedia.org/wiki/List_of_fallacies" target="_blank">red-herring fallacy</a> where one party in a debate describes a position that, on the surface, resembles an opponent&#8217;s actual view but is easier to refute.  Then, in counterpoint, the debating partner attributes an easily refutable position to the opponent (for example, deliberately overstating the opponent&#8217;s position). Wikipedia says:</p>
<blockquote><p><strong>1. Person A has position X.</strong></p>
<p><strong>2. Person B ignores X and instead presents position Y.</strong><br />
Y is a distorted version of X and can be set up in several ways, including:</p>
<ol>
<li>Presenting a misrepresentation of the opponent&#8217;s position and then refuting it, thus giving the appearance that the opponent&#8217;s actual position has been refuted.</li>
<li>Quoting an opponent&#8217;s words out of context — i.e., choosing quotations that are not representative of the opponent&#8217;s actual intentions.</li>
<li>Presenting someone who defends a position poorly as <em>the</em> defender and then refuting that person&#8217;s arguments, thus giving the appearance that <em>every</em> upholder of that position, and thus the position itself, has been defeated.</li>
<li>Inventing a fictitious persona with actions or beliefs that are criticized, such that the person represents a group of whom the speaker is critical.</li>
<li>Oversimplifying an opponent&#8217;s argument, then attacking the simplified version.</li>
</ol>
<p><strong>3. Person B attacks position Y.</strong></p>
<p><strong>4. Person B draws a conclusion that X is false/incorrect/flawed.</strong><br />
This sort of &#8220;reasoning&#8221; is fallacious because attacking a distorted version of a position simply does not constitute an attack on the position itself.</p></blockquote>
<p>For example, there have been some lively discussions recently around the notion that CEP is overhyped.</p>
<blockquote><p>Debate:      &#8220;CEP is Overhyped.&#8221;</p>
<p>Person A:   &#8220;CEP has been overhyped.&#8221;</p>
<p>Person B:     &#8220;CEP is just hype.&#8221;</p></blockquote>
<p>The point of the discussion by person A was to point out that CEP has been overhyped.  Person B has exaggerated this to a harder-to-defend position, &#8220;CEP is mere hype&#8221; or &#8220;CEP is just hype.&#8221;</p>
<p>From the customer perspective, I don&#8217;t think that fallacies and red-herring arguments are good for CEP.   Believe me, if we could take an &#8220;out of the box&#8221; stream processing rules-engine and bolt it on to a network and assure a client that it would detect complex fraud, or diagnose network faults accurately, and not put my entire professional reputation on the line, I would do it in a heartbeat.</p>
<p>It is not the speed of an engine that makes a good CEP engine; it is the capability of the analytics to deliver high-quality, high-confidence complex event detection in real-time.</p>
]]></content:encoded>
      <pubDate>Thu, 07 Aug 2008 05:40:11 +0000</pubDate>
      <category domain="http://securityratty.com/tag/position">position</category>
      <category domain="http://securityratty.com/tag/defend position">defend position</category>
      <category domain="http://securityratty.com/tag/easily refutable position">easily refutable position</category>
      <category domain="http://securityratty.com/tag/opponents position">opponents position</category>
      <category domain="http://securityratty.com/tag/position simply">position simply</category>
      <category domain="http://securityratty.com/tag/position poorly">position poorly</category>
      <category domain="http://securityratty.com/tag/cep engine">cep engine</category>
      <category domain="http://securityratty.com/tag/cep">cep</category>
      <category domain="http://securityratty.com/tag/attacks position">attacks position</category>
      <source url="http://www.thecepblog.com/2008/08/07/red-herring-fallacies-the-straw-man-argument/">Red Herring Fallacies: The Straw Man Argument</source>
    </item>
    <item>
      <title><![CDATA[Italians Use Soldiers to Prevent Crime]]></title>
      <link>http://securityratty.com/article/c78f1c770359cb273d03943d7dec2ab0</link>
      <guid>http://securityratty.com/article/c78f1c770359cb273d03943d7dec2ab0</guid>
      <description><![CDATA[Interesting: Soldiers were deployed throughout Italy on Monday to embassies, subway and railway stations, as part of broader government measures to fight violent crime here for which illegal...]]></description>
      <content:encoded><![CDATA[<p><a href="http://www.nytimes.com/2008/08/05/world/europe/05italy.html">Interesting</a>:</p>

<blockquote>Soldiers were deployed throughout Italy on Monday to embassies, subway and railway stations, as part of broader government measures to fight violent crime here for which illegal immigrants are broadly blamed.

<p>[...]</p>

<p>The conservative government of Silvio Berlusconi won elections in April while promising to crack down on petty crime and illegal immigrants. The new patrols of soldiers, who are not empowered to make arrests, do not seem aimed only at illegal immigrants, though the patrols were deployed to centers where illegal immigrants are housed. </p>

<p>“Security is something concrete,” Mr. La Russa said on Monday. The troops, he said, will be a “deterrent to criminals.”</p></blockquote>

<p>That reminds me of one of my favorite logical fallacies: "We must do something.  This is something. Therefore, we must do it."  It does seem largely to be a demonstration of "doing something" by the Berlusconi government.  The legitimate police, of course, think it's a terrible idea.</p>

<blockquote>“You need to be specially trained to carry out some kinds of controls,” Nicola Tanzi, the secretary of a trade union that represents Italian police officers. “Soldiers just aren’t qualified.”

<p>He also questioned whether the $93.6 million that will be spent for the extra deployment, called Operation Safe Streets, might not have been better used to increase the budgets for Italy’s police and military.</p></blockquote>]]></content:encoded>
      <pubDate>Tue, 05 Aug 2008 02:36:44 +0000</pubDate>
      <category domain="http://securityratty.com/tag/illegal immigrants">illegal immigrants</category>
      <category domain="http://securityratty.com/tag/soldiers">soldiers</category>
      <category domain="http://securityratty.com/tag/police">police</category>
      <category domain="http://securityratty.com/tag/broader government measures">broader government measures</category>
      <category domain="http://securityratty.com/tag/italys police">italys police</category>
      <category domain="http://securityratty.com/tag/favorite logical fallacies">favorite logical fallacies</category>
      <category domain="http://securityratty.com/tag/operation safe streets">operation safe streets</category>
      <category domain="http://securityratty.com/tag/fight violent crime">fight violent crime</category>
      <category domain="http://securityratty.com/tag/silvio berlusconi">silvio berlusconi</category>
      <source url="http://www.schneier.com/blog/archives/2008/08/italians_use_so.html">Italians Use Soldiers to Prevent Crime</source>
    </item>
    <item>
      <title><![CDATA[Long Island Proposal Snags Again, on Poles]]></title>
      <link>http://securityratty.com/article/479733758aebc5a0eefa89ed8a473de2</link>
      <guid>http://securityratty.com/article/479733758aebc5a0eefa89ed8a473de2</guid>
      <description><![CDATA[Long Island proposal still mired: The plan to put Wi-Fi up across two Long Island counties has seemed doomed to me from the start. The company that won the bid was untested, and its other...]]></description>
      <content:encoded><![CDATA[<p><img src="http://wifinetnews.com/images/muni_icon.jpg" align="right" border="0" hspace="5" /><a href="http://www.newsday.com/news/local/ny-liwifi0728,0,7393890.story?track=rss"><strong>Long Island proposal still mired:</strong></a> The plan to put Wi-Fi up across two Long Island counties has seemed doomed to me from the start. The company that won the bid was untested, and its other in-deployment or in-proposal networks are off the table. Expertise aside, it needs tens of millions to build such a network, and financing for company-funded metro-scale projects is not available. The counties involved have pledged no purchases of services. And, perhaps the final stroke, the local utility says that E-Path doesn't meet the test of being a telecom and paying less than $10 per year for pole placement, but instead must pay the all-comer rate of $50 per year.</p>

<p>This is a critical distinction. Telecoms are covered under the Telecom Act of 1996, which requires non-discriminatory access to utility poles to keep incumbent local exchange carriers (ILECs) and utilities from being gatekeepers that prevent competitive service from emerging. There are a series of tests in the law and local qualifications, too, that allow a firm to be a registered telecom. An FCC decision last year ruled that companies that mix telecom and unregulated information services on the same wires aren't disqualified from getting the Telecom Act deal, however. </p>

<p>But E-Path seems to meet none of the criteria except their desire to pay $10 instead of $50 per year per pole. Utility poles have held up many other municipal networks. We're not hearing more about them these days because such networks are now being built on a smaller scale for different purposes, where the number of nodes and their placement is rather different than networks built with the intent of providing indoor coverage.</p>

<p>Cablevision, by the way, qualifies as a telecom, this article states, which helps them in placing nodes for their planned $300m network across their coverage territory. They can also mount nodes in-line with their cable lines, using power from their cable plant on the lines already.</p>

<p>E-Path appears to have a variety of communication problems as well. The article notes, "Tortoretti said his Washington, D.C., attorneys disagree with LIPA's interpretation. But the attorney Tortoretti said represents E-Path, Charles Rohe, said he couldn't speak about the company or the dispute."</p>

<p>Later, E-Path's "chief executive said he hopes the county will help with his LIPA dispute." But an aide to the Suffolk County executive said, "That's not really our issue. That's out of our control."</p>

<p>Correspondent Craig Plunkett, quoted near the end, points out that if the counties were to change their minds and want to buy services on the network, the proposal would have to be rebid (appears as the sound-alike "rebuild" by accident in the online article at this moment).</p>]]></content:encoded>
      <pubDate>Mon, 28 Jul 2008 07:07:26 +0000</pubDate>
      <category domain="http://securityratty.com/tag/telecom act">telecom act</category>
      <category domain="http://securityratty.com/tag/telecom act deal">telecom act deal</category>
      <category domain="http://securityratty.com/tag/telecom">telecom</category>
      <category domain="http://securityratty.com/tag/proposal">proposal</category>
      <category domain="http://securityratty.com/tag/island proposal">island proposal</category>
      <category domain="http://securityratty.com/tag/e-path">e-path</category>
      <category domain="http://securityratty.com/tag/networks">networks</category>
      <category domain="http://securityratty.com/tag/represents e-path">represents e-path</category>
      <category domain="http://securityratty.com/tag/municipal networks">municipal networks</category>
      <source url="http://wifinetnews.com/archives/008403.html">Long Island Proposal Snags Again, on Poles</source>
    </item>
  </channel>
</rss>
