
April 2009 Archives

April 9, 2009

Conficker wakes up to push spam and... scareware?

The Conficker worm has woken up to... drumroll please... push fake antivirus products and spam from an older piece of spam-generating malware. It appears that like many Bay-area startups, Conficker is long on technical ability and short on innovative business models.

I am not trashing the MMBA (Malware MBA)'s ability to extract money from criminal activities. There really are only a handful of ways malware authors have shown they can successfully make money: they can sniff keystrokes, send spam, DDoS websites, or re-sell access to their software and machines to do the same work. However, for all the hype that surrounded the worm I expected something far more sophisticated.

The story for the average consumer is pretty basic. First off, you should not be using any anti-virus software that magically pops up on your system that you have never heard of before. If you are reading this website, chances are you already know this. The spam engine sounds like a ripoff of older technology, so we should expect no dramatic shift in spam mutation techniques. We should expect an increase in spam delivered to people's inboxes due only to the increase in the volume of spam transmission attempts.

Then again, while it is unprofitable, tomorrow the Conficker writers could push down a DDoS package and melt the Internet. This isn't alarmism, it is just what is possible when a single group controls a very large botnet.

April 11, 2009

85% to 95% of all e-mail is spam? Yeah, that makes sense.

There is only one security problem that the average consumer will get visibly angry about, and that is spam. Well, that and identity theft, but spam ranks pretty far up there. When I tell people I work in anti-spam as my day job, I get a pat on the back and a comment about how they can't believe how much spam there is in their inbox. To reinforce what we already know, security companies publish statistics claiming that, depending upon the day of the week, 85% to 95% of all e-mail is spam. While this number is seemingly unbelievable, I can guarantee that it is correct. How did we get to the point that approximately 9 out of every 10 e-mails are spam? Paradoxically, the reason why we have so much spam is that our anti-spam is so incredibly effective today.

To understand why this number is not really that shocking, it is helpful to think of spam not as a singular entity but as a living, evolving creature that has responded to spam filters in new and unique ways. Let's imagine you are at a cocktail party in a nearly-full room with a number of people having a good time. As the evening progresses, the ambient noise in the room gets progressively louder. People respond to the increasing loudness in the room by straining their voices, and eventually the room is a 70dB cacophony of random chatter. The same kind of relationship exists between spam filters and spammers.

Spammers want to be heard, and will accept a certain rate of response to their content. Before the days of ubiquitous spam filters, they generated content at a far lower rate, since they were getting responses at that rate. As decent spam filters became standard operating equipment on the Internet, the spammers needed to change their game to continue being heard. They did this by mutating their content and sending spam from more locations, resulting in a higher rate of delivery attempts. Again, anti-spam responded with better filters that looked at both the content and the IP address of the sending systems, and the spammers responded in kind by pushing their mutation rates and transmission rates further up, thus leading to these almost unbelievable spam rates.

If you are a home user, you shouldn't really need to think about this too much. Your ISP or your free webmail provider has to do at least a halfway decent job of filtering spam at this point. If your provider didn't do a good job, then they would have to over-provision their mail servers and mail stores by a factor of 10 or so, because accepting nine spam messages for every legitimate one means storing and delivering roughly ten times the legitimate volume. E-mail is a pretty cost-conscious business, and this kind of outlay would put them out of business. If your ISP is completely dropping the ball, or you have a small business domain that is getting inundated with spam, either call up the domain hosting company and complain or buy a desktop anti-spam product.

April 19, 2009

Have we reached the Mac Malware tipping point yet? Eh... maybe?

The technical media is all atwitter over what appears to be the emergence of the first Mac botnet. The infector appears to be an updated version of the trojaned copy of iWork that popped up in pirated downloads earlier this year. Anyone who has worked as a Windows virus analyst would scoff at the relative lack of sophistication exhibited by the malware, but nevertheless, it is a piece of malware, and it is out there. I wanted to take this opportunity to answer some of the most common questions people have about Mac malware.

Does this mean that Mac users should rush to buy anti-virus software and expect their machines to end up as compromised as a PC? Probably not, but soon. For now, as long as you aren't downloading pirated software you are safe.

Does this mean Mac malware is going to become endemic? Yes. If no one is running anti-virus, then there is nothing to clean up infected systems beyond end-of-life hardware replacement. Given the state of the economy and Mac hardware longevity, that can take a very long time.

Does this mean we hit the Mac malware tipping point? That I don't know. We can't say that we have reached the Mac malware tipping point unless we come up with a definition for the tipping point itself. Dino Dai Zovi and I have been kicking around a potential "warning sign" that, when seen, indicates we are now in the Mac malware epidemic state. Our current preferred indicator is the emergence of websites that perform drive-by exploits of the browser to install botnet-controllable malware, regardless of whether the exploit is a zero-day attack or not. In other words, when we see what happens every day on the PC side happen once on the Mac side, then we all need to run out and buy anti-virus software.

Some time ago you predicted that Mac malware would hit its tipping point at 15%. Does this mean you are wrong? Well, my prediction was based on the difficulty of attacking a PC versus the market share of a Mac. I assumed that the difficulty of attacking a PC was strictly defined by the effectiveness of current anti-virus products on a new piece of malware. My back-of-the-envelope estimate put an attacker's success rate at compromising a PC at around 20%, which meant that Macs would have to reach around 16% market share before they attract the attention of serious malware authors. If the real success rate of an attacker is lower, then you should expect a Mac malware epidemic far earlier. So the answer is: maybe I'm wrong, but I don't know yet.
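The estimate above can be reproduced with a very simple model, added here as an illustration rather than the post's own calculation: an attacker targets whichever platform yields the most compromises per attempt. The Mac success rate of 1.0 (no anti-virus to get past), the sample market shares, and the function names are all assumptions of this example. With a 20% PC success rate the break-even Mac share comes out to 1/6, which is the "around 16%" figure, and the same formula shows how fast that threshold drops if PC attacks succeed less often than assumed.

```python
"""
Attacker-economics model behind the "Mac malware tipping point" estimate.
Constructed example; the formula and parameters are this example's own
assumptions, not taken from the post.

  m     : Mac market share (fraction of all machines, 0..1)
  s_pc  : probability an attack on a PC succeeds (what anti-virus lets through)
  s_mac : probability an attack on a Mac succeeds (assumed 1.0: no AV in the way)

Expected compromises per attempt:
  target Macs -> m * s_mac
  target PCs  -> (1 - m) * s_pc
Macs are the better target once m * s_mac > (1 - m) * s_pc, i.e. once
  m > s_pc / (s_pc + s_mac).
"""


def _check_prob(name, value):
    if not 0.0 <= value <= 1.0:
        raise ValueError(f"{name} must be a probability in [0, 1], got {value}")


def expected_yield(m, s_pc, s_mac=1.0):
    """Return (mac_yield, pc_yield): expected compromises per attempt per platform."""
    for name, value in (("m", m), ("s_pc", s_pc), ("s_mac", s_mac)):
        _check_prob(name, value)
    return m * s_mac, (1.0 - m) * s_pc


def mac_is_better_target(m, s_pc, s_mac=1.0):
    """True when an attacker expects more compromises from targeting Macs."""
    mac_yield, pc_yield = expected_yield(m, s_pc, s_mac)
    return mac_yield > pc_yield


def tipping_point(s_pc, s_mac=1.0):
    """Mac market share at which the two strategies break even.

    tipping_point(0.2) -> 0.1666..., the post's 'around 16%'.
    """
    _check_prob("s_pc", s_pc)
    _check_prob("s_mac", s_mac)
    if s_pc + s_mac == 0.0:
        raise ValueError("at least one platform must be attackable")
    return s_pc / (s_pc + s_mac)


def pc_success_threshold(m, s_mac=1.0):
    """Largest PC success rate at which Macs are already the better target
    for a given Mac share m (the inverse question: 'how bad must AV be?')."""
    _check_prob("m", m)
    _check_prob("s_mac", s_mac)
    if m >= 1.0:
        return 1.0
    return m * s_mac / (1.0 - m)


def sensitivity_table(pc_success_rates=(0.05, 0.10, 0.15, 0.20, 0.30)):
    """Break-even Mac share for each assumed PC success rate, as (s_pc, m) pairs."""
    return [(s, tipping_point(s)) for s in pc_success_rates]


if __name__ == "__main__":
    print(f"break-even Mac share at 20% PC success: {tipping_point(0.2):.1%}")
    for s_pc, m in sensitivity_table():
        print(f"  PC success {s_pc:.0%} -> Macs worth targeting above {m:.1%} share")
    # Constructed sample share, not a measured market figure.
    sample_share = 0.08
    print(f"at {sample_share:.0%} Mac share, Macs are the better target once PC "
          f"success falls below {pc_success_threshold(sample_share):.1%}")
```

The inverse function is the practical check: plug in whatever Mac share you believe and it tells you how poorly anti-virus would have to be doing on the PC side for Macs to already be the more attractive target, which is exactly the "maybe I'm wrong" scenario the post leaves open.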

In short, contrary to popular opinion, the story for Mac malware hasn't changed this week. However, both as users and as information security professionals, we need to remain vigilant, watch for the tipping point in Mac malware, and use that as the trigger to install Mac AV software.

April 22, 2009

Breaking down the "electric grid is vulnerable" stories.

We have been seeing an increasing number of stories on the vulnerability of our electric grid to outside attackers, but determining whether or not these stories are legitimate is exceedingly difficult. The reports are, understandably, short on facts and real metrics and long on anonymous quotes, speculation, and recriminations from the various involved parties. We may not be able to discern what the true nature of the threat against our power grid is, but we can figure out what are the right questions to ask so we can cast a more critical eye to the various news reports.

When the media claims that the electric grid is compromised out the wazoo, it is important to know what exactly is compromised. We can break down the target systems into two classes, specifically non-critical and critical. The non-critical systems consist of desktops and laptops belonging to the administrative, operational, and executive staff of the firm. Anyone who provides statistics showing the percentage of total systems that are known to be compromised at a power plant is likely only providing statistics on these non-critical systems. It would be foolish to expect these figures to be any different from those of any other similarly-sized enterprise. Also, while the number of compromised non-critical systems is a proxy indicator for the general security posture of the firm, it does not tell us anything concrete about the other class of systems.

The far more important question is how many of the systems that are directly attached to industrial hardware are compromised. A compromise of a desktop or a server that is connected to a controller or a process control monitor could directly lead to blackouts and equipment destruction. Remotely enumerating these critical systems is extremely difficult, and determining their level of compromise without the explicit support of the power industry is almost impossible. Therefore, getting a third-party verification of the "power systems are compromised" story is not achievable at this time.

I am not saying that the power grid is secure or insecure. I am saying, however, that we must cast a critical eye to these stories to make sure we don't fall victim to the fear-mongering that permeates all too many security stories.

April 27, 2009

On assuming that you are owned.

Security professionals made a comment at last week's RSA that organizations should assume that they are currently owned by an outside attacker. While this may strike some as paranoia, it is a good assumption for minimizing impact in the event of a serious compromise.

For both individuals and businesses, determining the impact of getting owned begins with listing all the things that you use that are own-able, and then determining a risk mitigation strategy, a containment strategy, and a recovery strategy for each system. These all boil down to a series of "what if" questions that anyone can think through. For the average user, the set of systems that can be compromised includes, but is not limited to, all physical systems, backup mechanisms, and hosted services like e-mail and social networks.

We start from the most "distant" system inwards -- the hosted services. How can an individual's hosted accounts become compromised? The easiest way an attacker could compromise your account is through weak passwords or by sniffing passwords off the wire; therefore, we can reduce the risk of compromise by using strong passwords for our accounts and not accessing them from public access terminals and insecure wireless networks. If you are using a weak password on one site, it is entirely likely you are using a weak password elsewhere. Preventing the attacker from hopping from one hosted account to another can be as simple as using a strong and unique password on every site you access. It isn't just access to the data we should be concerned about. If the service is compromised, it is possible that everything in the account could be deleted, in which case having a backup of, say, all blog posts and all e-mail transactions would be required to get back up and running.

Let's say that the attacker has moved beyond our hosted account and either remotely compromised our physical system or actually stolen the hardware. In both cases, we should expect that all of our unencrypted data is accessible to the world. Both scenarios call for file-by-file encryption combined with physically secured on-site or off-site backups. A remote compromise is the far worse situation: even though you don't lose the hardware, the attacker has the opportunity to capture passwords used for hosted services as well as financial accounts. The only way to limit your exposure here is to use cryptographic key fobs (like an RSA SecurID token) and hope the attacker isn't controlling the entire session, since a one-time code does nothing against malware that rides along on a session you have already authenticated.

Ultimately the only way to minimize the impact of a compromise is to assume that all of your data is compromised and consequently reduce the data you keep accessible to content that would not be devastating if it leaked. In other words, never commit anything to bytes that you don't want your spouse, children, parents, or coworkers to see; the data may only be a single attack away from leaking out into the ether.

April 30, 2009

*cough* Have to work from home *sneeze*?

Not that there is any reason to say this, but it is possible that a significant portion of the workforce will be either absent or working from home in the next few months. This could mean opening up the corporate network to far larger numbers of telecommuters whose systems may be in various states of security disrepair. IT managers should be planning how to give secure access to the corporate network to a batch of relatively untrained employees.

If you don't work in the IT department, the story is pretty simple. Get your laptop set up to connect to your work network if it cannot do so already. Laptops that are primarily home systems should be reformatted and installed from scratch if there is any concern that the machine may contain malware; just because you aren't going to work sick doesn't mean your system should.

For those of you who do work in the IT department, well, I don't envy the job ahead of you. If your network wasn't de-perimeterized before, it will be soon, whether you like it or not. Not only do you need to prep employees' personal systems to connect to the corporate infrastructure, you also need to educate them on the risks of bringing a relatively unclean personal system into the corporate environment. Given that home systems are not nearly as well looked-after as corporate systems, you are also going to be dealing with all the infections that your employees' home PCs will be bringing past the firewall and NAT systems and into the core network.

There aren't too many recommendations I can make that aren't common sense. For example, you can distribute more laptops to employees who don't have them. Also, you should consider extending the corporate licenses for the anti-virus products to the home systems of employees who do not possess a company-managed PC but will be expected to work remotely.

Plans similar to the one described above should be in the dusty business continuity plans that many organizations created in late 2001. It's time to update them and get ready to put them to practice.

About April 2009

This page contains all entries posted to NP-Incomplete in April 2009. They are listed from oldest to newest.
