May 12

There’s been a lot of news lately about botnets. But what exactly is one?

A botnet is a collection of computers that are under remote control. These compromised computers are typically called “zombies.” Zombie computers connect to a command-and-control system created by the owner of the botnet, and listen for commands. These commands can direct them to scan the zombie computer for personal information (such as bank account numbers, credit card numbers and passwords), search for other computers that have known security vulnerabilities that haven’t been patched and infect them as well, or to perform pretty much any action the botnet creator wants. In fact, many botnets have the ability to update the botnet software itself at the direction of the controller, adding new functions as needed. The largest botnets can have hundreds of thousands or even millions of computers under the control of a single individual or group.

Botnets have been used to extort money from internet gambling sites, by establishing so many connections from computers scattered across the internet that real, legitimate users can’t get through. Experts estimate that about 80% of the unsolicited commercial email, or spam, that you receive in your email box comes from 6 botnets.

But how does a computer become a zombie?

It can happen in a number of ways. As I already mentioned, if you don’t keep your computer up to date with patches, another zombie can find your computer and infect it. Another way your computer can become a zombie is if you visit a web site that installs software on your computer without your knowledge. Don’t think that only pornography or “warez” sites are dangerous: malicious software has been discovered on prominent companies’ web sites as well, as a result of a hacker compromising their security.

Programs such as Yahoo Messenger and AOL Instant Messenger can also be used to compromise your computer. In fact, any flaw in a program could potentially be exploited to infect your computer, causing it to become a zombie.

Wouldn’t you notice if your computer was doing things without you telling it to? Not at all. Botnet zombie programs are carefully designed to avoid detection, and anti-virus and anti-spyware programs are typically only as good as their signature creators can make them. They come with no user interface, so it’s likely you wouldn’t notice them.

So what can you do? You should always run your computers behind a firewall, particularly if you’re a home user. Internet sites are available to help you determine how secure your firewall makes you, but don’t rely on just one: try as many as you can find.

The same applies to anti-virus and anti-spyware programs: don’t rely on just one. If you see signs that your computer has been compromised, such as unexplained crashes and strange files, get your hands on three or four of these programs and run them in turn. That way you stand a better chance of finding and fixing the problem.

What are the authorities doing about botnets? Unfortunately, usually precious little. Internet crime is hard to investigate, and since it’s frequently trans-national, even harder to prosecute. There have been some successes.

Ironically enough, sometimes the botnet owner’s worst enemy is another botnet owner. Since these networks can download new programs, it’s possible for one botnet owner to steal another’s network by compromising his or her command-and-control servers, and directing the network to download different software, adding the new network to their existing one.

There has been some research in the last couple of years working on understanding, detecting and fighting botnets, but as of now, the fight is far from over. Be careful out there.

Apr 30

IMAGINATION is a new candidate for replacing CAPTCHA, the recently fallen test for trying to determine if a computer or a person is on the other end of a connection. You’re probably familiar with CAPTCHA as that weird image composed of letters and numbers that you’re asked to read and type into a box in order to do some operation on the web.

CAPTCHA was cracked some months ago (as I’ve previously mentioned) and one by one, the various implementations have fallen prey to the bots sending you spam.

The IMAGINATION program (click to try it out!) asks you to do two things: recognize images among a tiled set, clicking on the center of any one you choose, and then annotate an image with the correct description from a list of captions.

It will be interesting to see if this stands up to the hackers now that CAPTCHA is all but dead.

[ via Slashdot ]

Apr 30

Recently, the Kraken botnet has come into focus as the world’s largest, with an estimated number of zombie computers between 165,000 and 600,000. Each of these computers is probably sending you spam right now, and many have probably probed your computer to see if it can be compromised as well. Who knows, maybe your computer is already one of them.

Researchers at TippingPoint set out to determine the size of the network, which they did by building a server of their own and waiting for zombies to connect to it for instructions. They eventually managed to attract 25,000 zombies in a week. Here’s where things get interesting.

Most botnets include a feature that lets the controller upgrade the zombie computer with a new version, so the researchers could use their new-found power for good, directing these machines to remove the infection, or render it benign. Due to liability concerns, TippingPoint, the good guys, decided they could not remove the infection.

In a comment attached to Amini’s initial blog post, Endler put it plainly. “Cleansing the systems would probably help 99% of the infected user base,” he said. “It’s just the 1% of corner cases that scares me from a corporate liability standpoint.”

I sympathize with TippingPoint, but it’s a sad commentary on the world when the good guys are afraid of doing something that’s clearly right out of liability concerns. While accessing a computer without the owner’s consent is illegal in the US, shouldn’t a Good Samaritan law apply in cases like this?

[ via CompuWorld ]

Apr 16

Back in the days of yore, security professionals used to be interested in things called covert channels. These are ways of communicating information into or out of a secured environment. Admittedly, most people interested in this also dealt with information that had access restrictions on it, with names like “Top Secret” and “Special Access Required”. Those also had prison sentences attached to disclosing them. Today, there are new covert channels that are far more of a concern.

Mar 26

Paper Enigma

March 26, 2008

During World War II, the Germans widely used several variants of the Enigma machine, which was actually created by a Polish inventor. This same Polish inventor helped the British with their famous project to crack the Enigma, which was run by Alan Turing and centered at Bletchley Park.

The basic theory of the Enigma was that you had a number of wheels that had contacts on each side. If you picture a donut, think of sprinkles on both sides and you’ve got the basic idea. Now, if you connect a sprinkle on one side with a sprinkle on the other, but don’t go straight through the donut, you get a degree of obfuscation.

Stack three donuts side by side. The analogy goes a bit awry here: imagine that we assign each of the sprinkles on each side a letter or number. We pick the letter we want to encode on the left donut, and then run a current through that sprinkle, and you get a current coming out in a pseudo-unpredictable sprinkle on the donut on the right, corresponding to the encoded letter or number. Each time you encode a character, you rotate the donuts one step. The outer donuts you rotate towards you, and the inner one away. Now run the next current through. That’s how an Enigma works. Here’s an exploded view of an Enigma machine rotor, created by Wapcaplet in Blender.

Enigma machine rotor exploded view by Wapcaplet

Later versions of the Enigma added a fourth rotor, and some used reflection, which ran the signal back through the rotors once it reached the right hand side.

If you want to try your hand at an Enigma, and don’t want to machine one yourself, Mike Koss has created a nifty paper Enigma for you to try.
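To make the rotor-and-reflector mechanism concrete, here is a small Python simulator, added as an illustration; it is not part of the original post or of Mike Koss’s paper Enigma. It uses the published wirings of the Enigma I rotors I, II, III and reflector B, but the stepping is a simplified odometer (no notches or double-stepping), an assumption that matches a real machine only for the first couple of dozen keypresses.

```python
import string

ALPHABET = string.ascii_uppercase

# Published wirings of Enigma I rotors I, II, III: for each rotor, contact i on
# the entry side is wired to letter ROTORS[r][i] on the exit side.
ROTORS = [
    "EKMFLGDQVZNTOWYHXUSPAIBRCJ",
    "AJDKSIRUXBLHWTMCQGZNPYFVOE",
    "BDFHJLCPRTXVZNYEIWGAKMUSQO",
]
# Reflector B pairs letters up (A<->Y, B<->R, ...) and sends the signal back
# through the rotors in reverse; this is what makes encryption its own inverse.
REFLECTOR = "YRUHQSLDPXNGOKMIEBFZCWVJAT"
assert all(REFLECTOR[ALPHABET.index(c)] == ALPHABET[i] for i, c in enumerate(REFLECTOR))


def through_rotor(wiring, pos, x, inverse=False):
    """Pass the signal at contact x through a rotor turned to position pos."""
    entry = (x + pos) % 26                  # rotation shifts which contact the signal hits
    if inverse:                             # on the way back, follow the wire backwards
        out = wiring.index(ALPHABET[entry])
    else:
        out = ALPHABET.index(wiring[entry])
    return (out - pos) % 26                 # undo the rotation on the exit side


class Enigma:
    def __init__(self, start="AAA"):
        self.pos = [ALPHABET.index(c) for c in start]   # left, middle, right rotor

    def step(self):
        # Simplified odometer stepping (an assumption, not the historical notch
        # mechanism): the right rotor advances every keypress and carries leftward.
        for i in (2, 1, 0):
            self.pos[i] = (self.pos[i] + 1) % 26
            if self.pos[i] != 0:
                break

    def press(self, c):
        self.step()                                      # rotors move before the contact closes
        x = ALPHABET.index(c)
        for i in (2, 1, 0):                              # right to left through the rotors
            x = through_rotor(ROTORS[i], self.pos[i], x)
        x = ALPHABET.index(REFLECTOR[x])                 # turn around at the reflector
        for i in (0, 1, 2):                              # and back through, inverted
            x = through_rotor(ROTORS[i], self.pos[i], x, inverse=True)
        return ALPHABET[x]

    def process(self, text):
        """Encrypt or decrypt: the same settings and the same call do both."""
        return "".join(self.press(c) for c in text.upper() if c in ALPHABET)


if __name__ == "__main__":
    ct = Enigma("AAA").process("ATTACK AT DAWN")
    print(ct, Enigma("AAA").process(ct))   # second value is ATTACKATDAWN again
```

Because of the reflector, no letter ever encrypts to itself, which was one of the weaknesses the Bletchley Park cryptanalysts exploited.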

Mar 17

One of the most distressing things about being a security professional in today’s IT environment is what seems like a lax attitude towards securing customer information. All that could change if a ruling by the FTC against ValueClick, a spammer, stands up in court. In addition to settling with ValueClick regarding violations of the CAN-SPAM Act, the FTC claims that ValueClick is also liable for not following its own advertised security policies.

“In the past, companies that failed to protect customer data have argued that they are immune from prosecution unless consumers can directly prove that they suffered harm from the breach of their personal information,” Kamber explains. “Given that hackers are generally pretty good at covering their tracks, this argument — if accepted — would mean that few companies would have to account for their negligence.”

So says an article at Dark Reading. Kamber is Scott Kamber, a partner at Kamber Edelson LLC, a legal firm that specializes in cyber security law.

This would be a novel first, and a good one as well. To date, companies and other organizations that disclose their customers’ confidential information have been in for not much more than credit counseling and fraud monitoring on these customers’ behalf. This, frankly, is a slap on the wrist. Until organizations are held liable, in a significant way, for disclosing sensitive information, they will see little incentive for taking preventative measures.

For some context, in the last few years, hundreds of millions of people have had their confidential information disclosed to unauthorized parties. While it might prove burdensome for businesses to have to pay any sort of real damages when they fail to take adequate measures to protect confidential information, I believe that’s the only way to see that the necessary measures are actually taken, since it’s clear that the market can’t police itself.

Mar 13

The expanding use of RFID chips, and their ever-decreasing size, has led to what sounds like science fiction to me. A company called Nox Defense has created RFID tags so small that they are calling it “RFID dust”, and saying these tags can be scattered on the ground and then, per the original article on HelpNet:

People pick up the ID-Dust on their shoes, which covert RFID readers track, triggering video surveillance and alerting security personnel on hand-held devices. The Nox software creates a complete history of exactly where the person travels and when, and combines a facility map with real-time video surveillance.

It’s pretty incredible to me that we can now make these chips so small that they are 1) unnoticeable and 2) small enough to stick to your shoes, yet still have the ability to transmit radio signals any significant distance. Add to that doing so with any sort of encryption, which they also claim. I’d say it sounds like witchcraft, but the world moves on, and perhaps it’s true.

Years ago, Xerox developed active badges that would track your presence at PARC as you moved around. Doors would unlock for you as you approached if you had access. The phones were also hooked into the system: if the phone rang, it was for someone in the room at the time.

So what’s the point of that story? The employees at Xerox were aware that they were being tracked, and being the type of people who worked at PARC, they had in some sense signed up for that sort of treatment. But even Xerox didn’t track you in the bathroom.

The creation of RFID tags that are now embedded in passports, computer equipment, and now even small enough to be scattered on the ground is enabling a culture of surveillance that’s deeply troubling to me. I don’t have enough faith left to believe that people won’t abuse that power, and the continuing abuse of National Surveillance Letters doesn’t do much to convince me that I’m being overly suspicious.

I don’t dispute that employers should be able to protect their equipment, or that they shouldn’t have to put up with employees stealing from them. This leaves me conflicted: I don’t support theft, but I don’t support a culture of surveillance either. There has to be a way to balance these things out, but it’s gonna take someone smarter than me.

Feb 28

Six botnets are responsible for generating 85% of all spam emails, according to an article at Dark Reading today. I’ve known for a while that botnets are a serious threat, with an arsenal of naughty tricks that includes spam, vulnerability scanning, infecting other computers, stealing information from their host computers (you don’t keep your credit card numbers in Quicken, do you?) and distributed denial of service attacks. It was a shock to find that so few botnets send all that spam that clutters up inboxes.

Researchers with Marshal’s TRACE team have identified six botnets that together are currently responsible for distributing 85 percent of all spam, Dark Reading has learned.

This article came at an opportune time. I’ve been thinking lately that in addition to all these current problems, which involve fairly visible (and traceable) activities, botnets could be very useful in cyberwarfare. I’m thinking here of the true cyberwarfare, where a foreign power decides to take out the information infrastructure of a rival country or group.

Such a militarily-oriented botnet would not need to draw attention to itself by sending out spam messages or participating in a DDOS attack, at least not until it was directed to spring into action. It would need minimal direction, and so much like a mole in an espionage novel, such a botnet could exist for years, dormant, waiting only for the command to attack the military, government or civilian IT infrastructure of the rival country.

Alternatively, you wouldn’t even really need to attack anyone. Can you imagine the economic damage to the US if every computer infected by a large botnet (these can number in the millions of computers) was suddenly directed to reformat its hard drive?

Feb 27

Newly discovered flaws in VMWare allow malware applications running in VMWare to escape the sandbox. These applications can view and modify files in the underlying host operating system, according to this article on Computerworld, although to be fair it’s popping up on a number of sites.

As of Sunday, there was no patch available for the flaw, which affects VMware’s Windows client virtualization programs, including Workstation, Player and ACE. The company’s virtual machine software for Windows servers and for Mac- and Linux-based hosts are not at risk.

“Why should we care?” you might ask. Over the past couple of years, there’s been a movement towards virtualized infrastructure in larger IT shops, and even some smaller ones. This allows companies to provide “part” of a server to an individual user, application, or team, but host that partial server on another larger server, or even a cluster or grid computer. These virtual servers can be scaled and reconfigured more easily than a real, physical server as well. This makes more efficient use of the computing infrastructure, plus makes it very easy to set up and tear down new virtual servers. It’s a win-win situation.

The discovery of this flaw that allows applications to “see” the underlying host OS could be a significant problem for the budding trend towards virtualization if it’s not addressed soon. VMWare isn’t currently telling us when a patch will be available, but they provide a work-around in the meantime:

“On Windows hosts, if you have configured a VMware host-to-guest shared folder, it is possible for a program running in the guest to gain access to the host’s complete file system and create or modify executable files in sensitive locations,” confirmed VMware.

VMware has not posted a fix, but it instead told users to disable shared folders.

So until a fix is available, if you’re running VMWare in Windows, disable those shared folders, folks.

Feb 20

Botnets, those pernicious threats to internet life, liberty and the pursuit of happiness, may have a new enemy. Researchers at Georgia Tech are using traffic analysis of IRC and HTTP to try to identify botnets in the wild. The theory is that botnets need to communicate with their command and control infrastructure, and that when they do so they tend to look like, well, botnets rather than people.

While my description above is a bit tongue-in-cheek, botnets are really a serious threat. There are estimates that they contribute up to 80% of spam email, and they’re regularly used in denial of service attacks like the one we see ongoing right now with WordPress.com blogs. They’re particularly difficult to identify, track, and combat, and there are documented instances of hundreds of thousands and over a million botnet zombie computers under the control of a single individual.

While it’s too early to tell if this new approach will help significantly in the fight, any means we have to help combat botnets are welcome at the party.

[Georgia Tech via Ars Technica]
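As an added illustration of the traffic-analysis idea in this post (and of the “zombies listen for commands” behaviour described in the botnet primer above), here is a small Python detector that is my own construction, not the Georgia Tech researchers’ method, which the post does not detail. It runs over a constructed connection log and flags destinations that several internal hosts contact at a near-constant period: people browse in bursts, while zombies check in with their controller on a machine-like schedule.

```python
from collections import defaultdict
from statistics import mean, pstdev


def build_log():
    """Constructed connection log of (seconds, src, dst, dst_port) tuples.
    Three internal hosts check in with one IRC server about once a minute
    with slight jitter; a fourth host browses a web server at irregular,
    human-like intervals. Addresses come from documentation ranges."""
    log = []
    for i in range(8):
        for host in ("10.0.0.5", "10.0.0.6", "10.0.0.7"):
            log.append((1000 + 60 * i + (i % 3), host, "203.0.113.9", 6667))
    for t in (1003, 1007, 1040, 1041, 1190, 1400, 1402, 1900):
        log.append((t, "10.0.0.8", "198.51.100.20", 80))
    return log


def beacon_scores(log):
    """For each (src, dst, port) flow with enough connections, return
    (mean gap, coefficient of variation); a low CV means a machine-like rhythm."""
    times = defaultdict(list)
    for t, src, dst, port in log:
        times[(src, dst, port)].append(t)
    scores = {}
    for key, ts in times.items():
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        if len(gaps) < 3:
            continue                      # too few connections to judge regularity
        m = mean(gaps)
        scores[key] = (m, pstdev(gaps) / m if m else float("inf"))
    return scores


def suspected_c2(log, max_cv=0.2, min_hosts=3):
    """Destinations that several internal hosts beacon to at a steady period:
    one regular host might be a cron job, several in lockstep look like a botnet."""
    by_dst = defaultdict(list)
    for (src, dst, port), (m, cv) in beacon_scores(log).items():
        if cv <= max_cv:
            by_dst[(dst, port)].append((src, round(m)))
    return {d: sorted(v) for d, v in by_dst.items() if len(v) >= min_hosts}


if __name__ == "__main__":
    for (dst, port), hosts in suspected_c2(build_log()).items():
        print(f"possible C2 {dst}:{port} <- {hosts}")
```

On real logs the thresholds need tuning, and legitimate software (update checks, monitoring agents) beacons too, so a hit is a lead for investigation rather than proof of infection.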
