antiworm
Gary W. Longsine

Hands-on SQL Injection - Show me!
Posted 2008-02-23 by Gary W. Longsine

Security training for application developers is an under-funded activity in most of the organizations that build software. Fixing security defects in custom applications remains an underfunded activity, even after defects are identified. Why does this continue to be the case?

It can be easier to find defects for a customer in a security penetration test than it is to convince the customer that the problem is serious enough to fix. Sometimes this is because the incentives are messed up. I'm not the only person who has observed that the <a href="http://en.wikipedia.org/wiki/Federal_Information_Security_Management_Act_of_2002%23Issues_With_FISMA">Federal Information Security Management Act (FISMA)</a> seems to have given Federal agencies a much higher incentive to find problems and write lengthy, complicated reports on those problems than to fix them.

Other times, managers may not understand the technical details of various vulnerabilities, or may be interested in a certain category of defects while wearing blinders to other types of defects, particularly those outside their comfort zone. If a manager is familiar with viruses and worms from experience running a PC at home, then he might understand, and be more interested in, network configuration defects. This might come at the expense of less attention to application design or coding defects, like those that expose an application to <a href="http://en.wikipedia.org/wiki/SQL_injection">SQL Injection</a> attacks.

Occasionally the problem, unfortunately, is a more active dismissal of some threats. People sometimes say things along the lines of, "if I don't understand it, it must be too difficult to exploit in practice, so it can't be much of a <i>real</i> risk." I've even heard managers lambast their security advisers while trying to look cool, tossing in the MTV phrase, "Keep It Real". Well, folks, I hate to be the one to break it to you, but <a href="http://www.realitytvworld.com/news/how-real-is-the-simple-life-2082.php">even allegedly unscripted reality television is sometimes scripted</a>. Just like exploits for complicated security defects.

It only takes <i>one</i> person with the right combination of skills and maliciousness to write an exploit and give it away. Suddenly the exploit is "zero cost" for the next attacker, and for the flood of attackers after that.

Exploits are "scalable" in this sense, or, as an economist or MBA might say, the marginal cost of each additional use of an exploit, once it has been developed, comes arbitrarily close to zero.

We see this pattern clearly in remotely exploitable buffer overflows, which might not be noticeably exploited for years after a product ships, and for months after the defect is discovered and publicized. Then, "suddenly", an exploit pops up. Within days there are dozens of worm or botnet variants exploiting the same defect. (We'll ignore for now the issue that some defects actually were exploited before the defect was publicized.) The same pattern applies to other types of defects that may not be exploited with quite the same high visibility. This type of scalability is inherent in software.

If you're having trouble convincing your manager to devote resources to sanitizing your web-facing application, or having trouble getting a budget to train your developers in secure coding techniques, consider sharing some of these links with your manager.

This first one is a very clever web article by Gustavo Duarte, which demonstrates the attack using a simple online application built into the essay. Here you can see both the ease with which such defects can be exploited and the relative complexity of the issues facing the defender.
<a href="http://duartes.org/gustavo/articles/Hands-on-Sql-Injection.aspx">Hands-on SQL Injection</a>

Here is some additional information on SQL Injection.
<a href="http://unixwiz.net/techtips/sql-injection.html">SQL Injection Attacks by Example</a>

Finally, here's an amusing cartoon that you can use to bring up the subject again, if you were given the smackdown last time.
<a href="http://xkcd.com/327/">Exploits of a Mom (Little Bobby Drop Tables)</a>


Microsoft Fingerprint Reader - The Fine Print
Posted 2008-02-15 by Gary W. Longsine

[Image: Microsoft Fingerprint Reader]

If you haven't noticed, lately computer keyboards and laptops in the Windows PC world are somehow sporting a little pad for reading fingerprints.

Notice the fine print at the bottom of this page, which I'll quote here in case it goes away:

<a href="http://www.microsoft.com/hardware/mouseandkeyboard/features/fingerprint.mspx">Microsoft Fingerprint Reader</a>
<blockquote>"The Fingerprint Reader should not be used for protecting sensitive data such as financial information, or for accessing corporate networks. We continue to recommend that you use a strong password for these types of activities."</blockquote>

Why do you suppose Microsoft and all those hardware makers would go to all the trouble to add a fingerprint reader to laptops and keyboards, and then advise you not to use it?

Probably because they know something that the average consumer probably doesn't: these devices can be spoofed.

It's only a matter of time before there are clear, step-by-step instructions available on the internet for lifting a fingerprint and applying it to a model finger for spoofing purposes. Heck, there might be some online now, and I just haven't seen them yet.

<a href="http://www.washjeff.edu/users/ahollandminkley/Biometric/index.html">Biometric Devices and Fingerprint Spoofing</a>

<a href="http://www.optel.pl/top.htm">Faking fingerprint readers (or other biometric devices)</a> - a collection of links and papers

<a href="http://www.schneier.com/blog/archives/2005/09/fingerprint-loc.html">Failure of fingerprint locking system in prison in 2005</a>

If you think about these things for a minute, you would never touch one without wearing a glove. Where is the digital fingerprint stored? That's right, on the same rootkit-infested Windows PC prone to worm and virus attack.

Will rootkits soon be intercepting the fingerprint data and adding that to your stolen profile information in that giant hacker database in the sky? You can bet they will, because you can be assured that not everybody read the fine print. These devices are so common on laptops now that there are undoubtedly some juicy bank accounts "protected" by the Microsoft Fingerprint Reader.

The bad guys will have your biometric data in a database long before the FBI gets it done, because the bad guys do all this stuff with the lowest possible overhead. They just add another routine to their worm / virus / trojan / rootkit package and it flows out to all the zombie PC systems on the net that day. Since their data flows are mostly encrypted nowadays, it might already be happening and we just haven't proven it yet.

Friends don't let friends use fingerprint readers. At least not today, when they are so clearly pandering a false, and perhaps even criminally negligent, sense of security. The people selling these things ought to know better. Oh, that's right. They do know better. Hence the fine print.

--
NOTE: Thanks to my good friend Joe S. in Tucson, Arizona for asking me, "would you touch one of these without a glove?"


Rogue DNS
Posted 2008-02-14 (updated 2008-02-15) by Gary W. Longsine

I haven't seen the original paper, but this article claims that researchers at Google and Georgia Institute of Technology estimate that there are 68,000 rogue DNS servers on the net.

<a href="http://www.physorg.com/news122144025.html">Use of Rogue DNS Servers on Rise</a>

Rogue DNS is one of the services provided by the zillions of malware, virus, worm, and rootkit infested zombie PC systems on the internet at any given time. The interesting part of this trick is that zombie PC systems might get "cleaned up" after an infestation has been detected, but their DNS configuration might (OK, probably does in nearly every case) remain pointing to a rogue DNS server, which occasionally, but not always, provides fraudulent data back to requesting clients. This is yet another reason why infested PC systems must be re-installed from clean original media whenever possible, in case you didn't have enough reasons already.

The paper:

Corrupted DNS Resolution Paths: The Rise of a Malicious Resolution Authority
David Dagon, Chris Lee, Wenke Lee - Georgia Institute of Technology; Niels Provos - Google Inc.

was presented today at the annual <a href="http://www.isoc.org/isoc/conferences/ndss/08/">Network and IT Systems Symposium: NDSS 2008</a>.

Better get cracking on DNSSEC.
<a href="http://dnssec.net/">DNSSEC - DNS Security Extensions</a>


Swatting - 911 and telephony systems are defective
Posted 2008-02-11 (updated 2008-02-15) by Gary W. Longsine

Several publications are running stories this week about <a href="http://en.wikipedia.org/wiki/Swatting">Swatting</a>, an extension of the prank phone call which has the aim of eliciting a response from emergency response teams, including SWAT (Special Weapons and Tactics) teams. The prank calls are made to 911 operators, who are tricked into dispatching SWAT, police, or other response units on the basis of false information. Obviously social engineering is performed as well: operators are told of bomb threats, killings, or hostages. According to some accounts, some type of caller ID spoofing might be used in some of the Swatting calls, which have been directed at 911 operators in over 60 cities by the five people arrested thus far.

Several stories make a point of stating that 911 systems are not defective, such as this otherwise excellent story, <a href="http://www.youtube.com/watch?v=LYAoPyyWYjQ&amp;feature=related">Swatting - a dangerous new game</a> by KSBW TV in California, which reports that the masochistic pranksters are not "exploiting any real technical flaws in the 911 system" and that these systems "are actually OK". It isn't necessary to know the intimate details to make a pretty safe bet that serious defects in the security of these systems do exist.

Many of the calls were apparently placed with the assistance of computer systems, and the 911 operators were led to believe that the calls were local, despite their origin hundreds of miles away. That sure waddles and quacks like a defect. It's certainly possible that the defects exploited are in the underlying telephony systems, such as the Caller ID system, and not in the 911 system itself. However, if it can result in the 911 operator being unable to reliably determine the local vs. non-local origin of the call, it's a defect directly relevant to the 911 system as a functioning whole, and certainly a defect with the potential of being significantly reduced or eliminated, given some thought and effort.

See this Wikipedia article for more information about <a href="http://en.wikipedia.org/wiki/Caller_ID_spoofing">Caller ID Spoofing</a>.

According to widely publicized accounts, FBI agent Kevin Kolbye in Dallas indicated that Swatting seems at present to be a game played for bragging rights. The FBI and the Justice Department arrested and indicted folks a few months ago in Dallas, and made another announcement today.
<a href="http://dallas.fbi.gov/dojpressrel/pressrel07/fraud113007.htm">DOJ - Swatters plead guilty to conspiracy</a>
<a href="http://www.upi.com/NewsTrack/Top_News/2008/02/04/fbi_catches_five_swatters/7930/">FBI Catches Five Swatters</a>

Swatting has the potential to be much more dangerous. As it stands, innocent people might be killed if they open their door to investigate suspicious noises with a weapon in their hand.

It's a very short step from Swatting as a misguided or perverted game to Swatting as a Denial of Service attack on emergency response units. A terrorist attack or other illicit activity might be coordinated with Swatting attacks designed to slow response to the actual emergency, and thereby maximize damage, injury, and death from the attack, or increase the chances of a successful heist.

I'm reminded of a scene from the movie Air Force One, where POTUS (President of the United States), played by Harrison Ford, must use an ordinary phone line to call into the White House from an "outside" line into the public switchboard. The operator doesn't believe it is the POTUS, and he finally convinces her not of his identity, but to run her "standard" security procedure and trace the call, which works in record time and reveals that he is in fact calling from Air Force One. In our current telephony universe, things don't always work quite that smoothly. Imagine how much more difficult 911 calls would be if you needed to convince the operator of your identity, your location, and the fact that the emergency was real before assistance was dispatched.

Some of my colleagues design and build 911 systems. Undoubtedly Swatting will soon join the ranks of all-too-familiar terms in the field of information security.


Now Fear This: Phishers learn to craft a better spam email
Posted 2007-06-16 (updated 2007-08-25) by Gary W. Longsine

Phishers appear to be using techniques learned from the targeted advertising industry. Security professionals have long wondered why phishing emails are, in general, so poorly crafted, and why they don't use a handful of basic techniques which would undoubtedly improve their hit rate and lead to increased revenue generation from phishing. In the "Today @ PC World" blog, Erik Larkin discusses an email which alarms the PC World analysts (see: <a href="http://blogs.pcworld.com/staffblog/archives/004662.html">Threat Alert: Sophisticated E-mail Attacks Spread</a> [PC World]). The email arrived with a well-crafted text body which passed the usual "first glance" tests for spam or phishing: bad spelling, bad grammar, incorrect addressee name, mismatched sender. It appeared to be a boring business email with a Word document attached.

Security researchers have known for many years that phishers typically don't employ a handful of techniques which would pretty clearly boost their success rates, techniques which are not entirely unknown in the related adware "industry". Today the following ideas might seem obvious, but it has only been recently that phishers show signs of interest in these techniques.

<ol>
<li>Copy editing text and documents
Spam and phishing emails often contain many awkward phrases and other flaws which alert the intended victim that "something is amiss". Security researchers have long suspected that the simple step of using a word processor to spell-check and grammar-check the text of a phishing email would significantly increase the "hit rate", because many recipients cite poor grammar and spelling as the primary tip-off.</li>
<li>Matching the correct name to an email address for the recipient
Your email might be: "john.q.public@example.com"
but phishers and spammers will address their email to: "Sarah &lt;john.q.public@example.com&gt;"
rather than to the obvious: "John Q. Public &lt;john.q.public@example.com&gt;"</li>
<li>Internal consistency within the email of the spoofed sender
Spam and phishing often don't appear to be "From:" the same person who signed the bottom of the email.</li>
<li>Using modern software development tools and techniques to target their population of intended victims
Phishers often spam many millions of people with the same email. This allows anti-spam software both sufficient time and sufficient odds to capture, analyze, and block many, even the vast majority, of those emails. If instead phishers sent Wells Fargo phishing emails only to known Wells Fargo customers, then the time it takes to capture the emails goes up, and the number of potentially profitable victims (those with Wells Fargo accounts to be drained) who are reached in the critical first few days goes up, perhaps by a lot. Phishers and spammers have access to a great deal of data. They could use that data, with the help of some custom software such as a web crawler, a few plugins to their existing bot, virus, and worm code, and a database, to dramatically improve their ability to target their phishing emails.</li>
</ol>

Security researchers have pondered these issues for several years. Some of these steps are relatively simple, particularly as compared to some of the technical aspects of developing and managing a botnet without getting caught. Why don't phishers employ them?

The answer, it has been thought, is simply that it wasn't necessary. Phishers were seeing a high enough hit rate and making enough money using their primitive spamming techniques. Spam was cheap to send, so sending millions of spam messages each time didn't cost them any more than sending a hundred. However, the techniques above required an expensive investment in software development.

Once spam filtering became good enough, it was thought, phishers would probably see a hit to their income and find it necessary to start improving these other aspects of their phishing systems.

That time seems to have arrived. The big web mail providers, with a fire lit under them by competition from Google, have finally started to get better at spam filtering. Google and others are letting their users easily flag spam that does get through, and automatically feeding that back into their spam filters, thus protecting other users from spam and phishing.

This has apparently spurred some spammers and phishers to start developing more advanced techniques for targeted spamming.

Those techniques will include various ways to phish for the raw data which they can use to help map to other data already in their possession or collected in other ways. Phishers already have mountains of credit card numbers, stolen in various ways online, from compromised web servers like the recent TJX / TJMaxx incident, for example, but they may lack other details which make those numbers useful.

Here is one recent example of such a data phishing email, and probably related scam, which I received in my inbox this morning. It made it past a few layers of very effective spam filtering.

As you can see, the spelling and grammar of the email are not bad. Native speakers of English can pick out a few minor flaws, the most egregious of which I've noted by placing the correction in [] brackets immediately following the error. In general, however, this email is better crafted than many.

<blockquote>
Attn:

American Deaf Network has several projects planned and in the process, we [in process. We] also work along side National Organizations to build safer communities for those affected in these rural areas.

American Deaf Network receives donations on a daily basses from all over the world. We are seeking your assistance to work for the foundation and get paid. We do not require your full time or effort

All you will need to do is to receive donations on behalf of the foundation. Donation comes in Checks and Money Orders.
You will be paid a montly salary of $1,105.00. Please get back at us [get back to us] indicating your interest on making the world a better place for the deafs [the deaf].

Send us the following information to immidiately process your application.

First Name.

Last Name.

Address.

Contact Phone

Make sure you send the requested information to the below email.

american_deaf2007@excite.com

Have a nice day.

American Deaf Network
30045 Alicia Parkway
#150 Laguna Niguel,
CA 92677 USA
</blockquote>

The first thing I did upon receiving this was wonder if there was an organization silly enough to send out such an email. I thought it unlikely, but certainly not impossible.
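The "first glance" tells listed above (an addressee name that does not match the mailbox, a From: name that never shows up in the signature, and a request for profile details like the one in the email just quoted) can be checked mechanically on the receiving side. The following is an added example in Python, not code from this post; the two sample messages are constructed, the phrase list and the scoring weights are my own assumptions, and the script runs offline.

```python
"""Defender-side 'first glance' phishing triage.

Added example, not from the original post. Scores a raw RFC 822 message on
the tells the post lists: an addressee display name that does not match the
mailbox, a From: name that never appears in the signature, and requests for
profile details (name, address, phone). Weights and samples are constructed.
"""
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Phrases a data-phishing mail uses when it asks for profile details (assumed list).
PII_PHRASES = ("first name", "last name", "address", "phone",
               "date of birth", "social security", "account number")


def _tokens(text):
    """Lower-case alphabetic tokens of at least two letters."""
    return {t for t in re.split(r"[^a-z]+", text.lower()) if len(t) > 1}


def addressee_mismatch(to_header):
    """True when the To: display name shares no token with the mailbox's
    local part, e.g. 'Sarah <john.q.public@example.com>'."""
    name, addr = parseaddr(to_header)
    if not name or "@" not in addr:
        return False  # no display name, nothing to compare
    return not (_tokens(name) & _tokens(addr.split("@", 1)[0]))


def signature_mismatch(from_header, body, tail_lines=4):
    """True when no token of the From: name (or mailbox) appears in the
    closing lines of the body, where a genuine sender usually signs."""
    name, addr = parseaddr(from_header)
    tokens = _tokens(name) or _tokens(addr.split("@", 1)[0])
    if not tokens:
        return False
    tail = " ".join(body.strip().splitlines()[-tail_lines:]).lower()
    return not any(t in tail for t in tokens)


def pii_requests(body):
    """Number of distinct profile-detail phrases requested in the body."""
    low = body.lower()
    return sum(1 for phrase in PII_PHRASES if phrase in low)


def triage(raw_message):
    """Return the individual flags plus a combined score (0 = no tells)."""
    msg = message_from_string(raw_message, policy=policy.default)
    part = msg.get_body(preferencelist=("plain",))
    body = part.get_content() if part is not None else ""
    flags = {
        "addressee_mismatch": addressee_mismatch(msg.get("To", "")),
        "signature_mismatch": signature_mismatch(msg.get("From", ""), body),
        "pii_requests": pii_requests(body),
    }
    # Weights are an assumption: a wrong addressee is the strongest single tell.
    flags["score"] = (2 * flags["addressee_mismatch"]
                      + flags["signature_mismatch"]
                      + min(flags["pii_requests"], 3))
    return flags


# Constructed sample modelled on the data-phishing mail quoted in the post.
SCAM_SAMPLE = """\
From: Donations Team <donations@charity.example>
To: Sarah <john.q.public@example.com>
Subject: Work for the foundation

Attn:

We receive donations daily from all over the world and seek your assistance.
Send us the following information to process your application:

First Name.
Last Name.
Address.
Contact Phone

Have a nice day.

Example Charity Network
"""

# Constructed benign sample: addressee and signature both line up.
BENIGN_SAMPLE = """\
From: John Q. Public <john.q.public@example.com>
To: Jane Doe <jane.doe@example.com>
Subject: Re: lunch

Jane,

Thursday works for me.

John
"""

if __name__ == "__main__":
    for label, raw in (("scam", SCAM_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, triage(raw))
```

The score is only a triage hint: a legitimate HR or billing mailbox can trip the signature check, so use it to prioritise review rather than to block outright.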
I Googled "American Deaf Network", and found only one reference to it, declaring it to be a scam, as suspected.<br /><br /><br />These two examples, from PC World and above, are undoubtedly the tip of what will be an iceberg of more sophisticated and polished phishing email scams.<br /><br />This is a new cycle in the phishing arms race.<br /><br />Additional details on the "proforma-invoice.doc email can be found here: <a href="http://www.avinti.com/proforma-invoice-malware.html">Avinti Security Briefing: Proforma Invoice</a> [Avinti.com].<br /><br /><!-- technorati tags start --><p style="text-align:right;font-size:10px;">Technorati Tags: <a href="http://www.technorati.com/tag/adware" rel="tag">adware</a>, <a href="http://www.technorati.com/tag/antivirus" rel="tag">antivirus</a>, <a href="http://www.technorati.com/tag/antiworm" rel="tag">antiworm</a>, <a href="http://www.technorati.com/tag/botnets" rel="tag">botnets</a>, <a href="http://www.technorati.com/tag/credit%20cards" rel="tag">credit cards</a>, <a href="http://www.technorati.com/tag/data%20broker" rel="tag">data broker</a>, <a href="http://www.technorati.com/tag/data%20loss" rel="tag">data loss</a>, <a href="http://www.technorati.com/tag/data%20security" rel="tag">data security</a>, <a href="http://www.technorati.com/tag/debit%20card" rel="tag">debit card</a>, <a href="http://www.technorati.com/tag/malware" rel="tag">malware</a>, <a href="http://www.technorati.com/tag/phishing" rel="tag">phishing</a>, <a href="http://www.technorati.com/tag/rootkit" rel="tag">rootkit</a>, <a href="http://www.technorati.com/tag/virus" rel="tag">virus</a>, <a href="http://www.technorati.com/tag/worm" rel="tag">worm</a></p><!-- technorati tags end -->Gary W. 
Longsinehttp://www.blogger.com/profile/05653813520423954538noreply@blogger.comtag:blogger.com,1999:blog-13178036.post-45227336848740098992007-06-15T10:22:00.000-05:002007-06-15T10:24:53.001-05:00Identity Theft with a happy ending, sorta.The San Francisco Chronicle has an interesting tale describing how <a href="http://sfgate.com/cgi-bin/article.cgi?f=/c/a/2007/06/15/IDTHEFT.TMP">identity theft victim Karen Lodrick recognized a woman who had been using her stolen identity</a> in line at a Starbucks. She called 911 and pursued the woman, who was arrested, tried, convicted, and sentenced to time already served (44 days) plus probation. <br /><br />I'm curious about one of the details, however. Ms. Lodrick and apparently the police believe that her identity was stolen when the perpetrator stole unsolicited bank cards which "she had not requested". Were these unsolicited accounts? Probably not. They are described as "debit/credit cards" and other details of the story indicate that the cards were used to extract cash (or equivalent) from her accounts. Banks routinely send renewal cards to account holders. The term "unsolicited" in this context is typically not used to describe this situation. If the bank sent her a debit/credit card for an account that she didn't want such a card for, then the bank needs to evaluate its policies. 
<br /><!-- technorati tags start --><p style="text-align:right;font-size:10px;">Technorati Tags: <a href="http://www.technorati.com/tag/Banks" rel="tag">Banks</a>, <a href="http://www.technorati.com/tag/fraud" rel="tag">fraud</a>, <a href="http://www.technorati.com/tag/debit card" rel="tag">debit card</a>, <a href="http://www.technorati.com/tag/credit card" rel="tag">credit card</a>, <a href="http://www.technorati.com/tag/identity theft" rel="tag">identity theft</a>, <a href="http://www.technorati.com/tag/Karen Lodrick" rel="tag">Karen Lodrick</a>, <a href="http://www.technorati.com/tag/police" rel="tag">police</a></p><!-- technorati tags end -->Gary W. Longsinehttp://www.blogger.com/profile/05653813520423954538noreply@blogger.comtag:blogger.com,1999:blog-13178036.post-33369664579979125502007-04-26T11:35:00.000-05:002007-04-26T11:41:01.576-05:00Class action bank lawsuit against TJX: When the levee breaksWell this may have seemed inevitable, but the uneasy truce between retail vendors and merchant banks (credit card providers) has broken. Banks are gearing up a massive class action suit against TJX, the parent company of TJ Maxx, which recently revealed the shocking extent of the break-in which resulted in the theft of 45 million credit card numbers and other data from their network. Forty million credit card numbers were stolen over a period of two years or more by crackers who had extensive access to systems handling sensitive data throughout that time. Investigations of consumer fraud revealed a pattern of exposure at TJ Maxx stores, leading in turn to discovery of the break-in. 
<br /><br /><a href="http://www.informationweek.com/news/showArticle.jhtml?articleID=199201456">Banks Hit TJ Maxx Owner With Class-Action Law Suit</a><br /><br />This is an interesting decision on the part of the banks, as the financial industry may one day find themselves on the receiving end of similar class action law suits brought about by other banks or consumer groups when data theft can be traced back to their own security foibles. <br /><br />In fact, the TJX event became the largest on record to date by displacing the 2005 cracking of CardSystems Solutions, a credit card transaction processing company who suffered a network intrusion which exposed 40 million credit card accounts. (<a href="http://www.nytimes.com/2005/06/22/technology/22cards.html?ex=1177732800&amp;en=e371c36debf1544e&amp;ei=5070">Regulators Start Inquiry in Data Loss</a>)<br /><br /><br /><blockquote><br />If it keeps on rainin' levee's goin' to break <br />If it keeps on rainin' levee's goin' to break <br />When The Levee Breaks, got no place to stay. 
<br />-- Led Zeppelin<br /></blockquote><br /><br /><br /><br /><!-- technorati tags start --><p style="text-align:right;font-size:10px;">Technorati Tags: <a href="http://www.technorati.com/tag/antivirus" rel="tag">antivirus</a>, <a href="http://www.technorati.com/tag/antiworm" rel="tag">antiworm</a>, <a href="http://www.technorati.com/tag/fraud" rel="tag">fraud</a>, <a href="http://www.technorati.com/tag/malware" rel="tag">malware</a>, <a href="http://www.technorati.com/tag/class action" rel="tag">class action</a>, <a href="http://www.technorati.com/tag/TJX" rel="tag">TJX</a>, <a href="http://www.technorati.com/tag/TJ Maxx" rel="tag">TJ Maxx</a>, <a href="http://www.technorati.com/tag/banks" rel="tag">banks</a>, <a href="http://www.technorati.com/tag/rootkit" rel="tag">rootkit</a>, <a href="http://www.technorati.com/tag/credit cards" rel="tag">credit cards</a>, <a href="http://www.technorati.com/tag/identity theft" rel="tag">identity theft</a>, <a href="http://www.technorati.com/tag/spyware" rel="tag">spyware</a>, <a href="http://www.technorati.com/tag/SSN" rel="tag">SSN</a>, <a href="http://www.technorati.com/tag/virus" rel="tag">virus</a>, <a href="http://www.technorati.com/tag/worm" rel="tag">worm</a>, <a href="http://www.technorati.com/tag/zero day worm" rel="tag">zero day worm</a></p><!-- technorati tags end -->Gary W. Longsinehttp://www.blogger.com/profile/05653813520423954538noreply@blogger.comtag:blogger.com,1999:blog-13178036.post-1162847108625221732006-11-06T15:57:00.000-05:002006-11-06T18:48:45.480-05:00Punchscan voting systemThere has been a great deal of discussion about voting systems in the security community following the well documented problems with electronic voting systems in recent American elections, notably those of 2000 and 2004. A new system promises dramatic improvements in the security of voting systems. 
The <a href="http://punchscan.org/index.php">Punchscan voting system</a> looks like a big step in the right direction.<br /><br />For background information, see this primer by Bruce Schneier on <a href="http://www.schneier.com/blog/archives/2004/11/the_problem_wit.html">The Problem with Electronic Voting Machines</a>.<br /><br />To strike an even bigger blow for democracy, the Punchscan system should be extended so that it can support <a href="http://en.wikipedia.org/wiki/Instant-runoff_voting">Instant Runoff Voting (aka Ranked Choice Voting)</a>.<br /><br /><br /><!-- technorati tags start --><p style="text-align:right;font-size:10px;">Technorati Tags: <a href="http://www.technorati.com/tag/democracy" rel="tag">democracy</a>, <a href="http://www.technorati.com/tag/election" rel="tag">election</a>, <a href="http://www.technorati.com/tag/encryption" rel="tag">encryption</a>, <a href="http://www.technorati.com/tag/punchscan" rel="tag">punchscan</a>, <a href="http://www.technorati.com/tag/voting" rel="tag">voting</a></p><!-- technorati tags end -->Gary W. Longsinehttp://www.blogger.com/profile/05653813520423954538noreply@blogger.comtag:blogger.com,1999:blog-13178036.post-1151620054948521222006-06-29T17:22:00.000-05:002006-06-29T17:36:34.740-05:00tip of the data loss iceberg: worms == automated large scale intrusions Recently there have been a spate of incidents in which U.S. federal government agencies reported data theft or loss, particularly data which could result in identity theft. The losses include the contact information and social security numbers of, literally, millions of federal employees and contractors. Most of these recent incidents were the result of stolen laptop hardware, USB Key fobs, or other computer hardware, although at least two involved unspecified intrusions (electronic theft of the data following a break-in to an online system). 
<br /><br />In the past several months, as the reports of stolen servers, hard drives, laptops, and USB key fobs have mounted, I've only seen two disclosed instance of an intrusion (in one case apparently targeted) which resulted in the theft of identity data concerning 1,502 people at the Department of Energy: <a href="http://www.gcn.com/print/25_16/41047-1.html">Energy ups security efforts after loss of employee data</a> and 26,000 people at the Department of Agriculture: <a href="http://www.securityfocus.com/brief/235">U.S. Department of Agriculture hacked</a>. Despite the sparse reports of such intrusions, we know that government PC systems are not uniquely protected from these threats. <br /><br />Although it hasn't been reported, there is ample reason to believe that significant data loss has also occurred over the past several years through worm, botnet, spyware, trojan and rootkit infestations. Such malware routinely scans the infected PC and mounted network drives or shares and uploads files and data into the arms of organized crime. This type of loss is harder for organizations to detect and remains underreported as a result. However, it has has undoubtedly resulted in many more exposures of similar magnitude than have theft of laptops. <br /><br />Many tens of thousands of computers in government agencies are infected with worms, bots, adware, spyware, viruses, trojans, and rootkits every year. The infection rates of many government agencies are not radically different from private industry. <br /><br />Why do we see so few reports about data loss from these types of large scale intrusions? <br /><br />The difference is that when a laptop is stolen, a bit of government-owned equipment goes missing. This produces a few unique circumstances that malware infections don't produce. 
Missing hardware:<br /><ul><li>can't be ignored, due to strict property accounting requirements,</li><li>can't be denied, because a physical device is gone,</li><li>and is more easily understood at all levels of oversight and management.</li></ul><br />If hardware went missing and the bad guys have the hardware, they have the data that was on it, too. People understand that.<br /><br />Malware infections, on the other hand (really, these are often large scale intrusions), are complex, involving many layers of abstraction. Just containing the spread and cleaning up often consumes all available resources of a given IT shop, and when the cleanup is over, staff are crushed under the backlog of regular duties that were postponed to battle the worm, bot or other malware. Analysis is often limited to finding and plugging the security hole that let the malware in. Few organizations have the ability to demonstrate conclusively that a worm uploaded files to a remote server; doing so requires outbound traffic records (proxy, firewall or flow logs) that were retained from the time of the infection, and the time to go through them. Worms and botnets have begun using encrypted tunnels, so even organizations that have the ability today won't keep it for much longer. (Encryption hides what was sent, though not the destination or the volume, so connection-level logging still has value.)<br /><br />We were able to uncover evidence of a large scale intrusion at a customer last year. It was clear that from the earliest moments of the outbreak, remote attackers were in direct control of the infected PC systems on our Federal client's network. It was also clear that the techniques used were well-honed. Our client faced several variants of a particular worm within a short span of time, and one of those variants had a defect. Were it not for the defect, there would have been no direct evidence. Most of the time with automated large scale intrusions like worms and botnets, it's very easy for weary IT staff to assume that no real damage was done. <br /><br />
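The kind of check that turns "we assume no real damage was done" into evidence, as an added example that is not part of the original post: it runs over a few constructed proxy log lines (timestamp, client IP, method, destination, bytes sent by the client, a simplified Squid-like layout that is an assumption here) and flags workstations whose upload volume is far out of line with their peers. The CONNECT lines stand in for encrypted tunnels, where the proxy cannot see the content but still records the destination and the byte count, which is the point made above. The hosts, thresholds and log format are invented for illustration.

```python
"""Flag workstations whose outbound upload volume looks like data theft.

Added example, not code from the original post. Works over constructed
proxy log lines: timestamp, client IP, method, destination, bytes sent
by the client. The format, hosts and thresholds are assumptions.
"""
from collections import defaultdict

# Constructed sample log. 10.1.4.52 is pushing tens of megabytes out, partly
# through TLS tunnels (CONNECT), while its peers send a few kilobytes.
SAMPLE_LOG = """\
1151600001 10.1.4.21 GET www.example-news.test 412
1151600002 10.1.4.21 POST mail.example-corp.test 3810
1151600003 10.1.4.37 GET www.example-news.test 388
1151600004 10.1.4.37 CONNECT update.example-vendor.test 2048
1151600005 10.1.4.52 POST files.example-drop.test 9437184
1151600006 10.1.4.52 CONNECT 203.0.113.77 15728640
1151600007 10.1.4.52 POST files.example-drop.test 12582912
1151600008 10.1.4.63 GET www.example-news.test 455
1151600009 10.1.4.64 CONNECT mail.example-corp.test 5120
"""

# Methods that carry a request body or open a tunnel: the only ways to
# upload through an HTTP proxy. Plain GETs are ignored.
UPLOAD_METHODS = {"POST", "PUT", "CONNECT"}


def parse_log(text):
    """Yield (client, method, destination, bytes_out) tuples from log text."""
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, client, method, dest, sent = line.split()
        yield client, method, dest, int(sent)


def upload_volume_per_client(records):
    """Total bytes each client pushed outbound, and where it pushed them."""
    totals = defaultdict(int)
    destinations = defaultdict(set)
    for client, method, dest, sent in records:
        if method in UPLOAD_METHODS:
            totals[client] += sent
            destinations[client].add(dest)
    return totals, destinations


def flag_exfiltration(text, min_bytes=1_000_000, ratio=10.0):
    """Return clients whose upload volume is large in absolute terms AND far
    above the median of their peers. Both conditions are required so that a
    quiet network does not alert on a few kilobytes, and one large but
    ordinary upload does not alert purely because its peers are idle."""
    totals, destinations = upload_volume_per_client(parse_log(text))
    if not totals:
        return []
    volumes = sorted(totals.values())
    median = volumes[len(volumes) // 2]
    flagged = []
    for client, total in totals.items():
        if total >= min_bytes and total >= ratio * max(median, 1):
            flagged.append({
                "client": client,
                "bytes_out": total,
                "destinations": sorted(destinations[client]),
            })
    return sorted(flagged, key=lambda r: r["bytes_out"], reverse=True)


if __name__ == "__main__":
    for hit in flag_exfiltration(SAMPLE_LOG):
        print(f"{hit['client']}: {hit['bytes_out']} bytes to {hit['destinations']}")
```

On the sample, only 10.1.4.52 is flagged, with both its plaintext POST destination and the bare IP it tunnelled to. A real deployment would add the obvious refinements (per-day baselines, an allowlist for backup and update servers, correlation with the antivirus alert timeline), but the retention point stands: none of this is possible if the proxy logs from the week of the outbreak were already rotated away.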
The complexity of the attacks makes it easy for management and oversight to ignore the problem, too.<br /><br />Many tens of thousands of infected PC systems are cleaned up each year on government networks. Those systems include servers and desktop and laptop computers holding large amounts of valuable and sensitive data. The organizations performing the cleanup are understaffed and overworked, and typically don't have the skills, processes, tools, and budgeted time in place to analyze the data loss which occurred. <br /><br />Consequently, the problem is even bigger than it seems from the recent headlines. <br /><br />Tags: adware, antivirus, antiworm, data loss, data security, identity theft, malware, rootkit, security, spyware, worm, zero day worm<br /><br />Gary W. Longsine<br /><br /><br />OMB laptop security guidelines: implications for transparency in government?<br />Gary W. Longsine, 2006-06-28<br /><br />Within a few years it's possible that encryption will be the norm for government data storage, and probably for large organizations generally. The historical inevitability of this process was given a boost recently. The OMB has issued guidance requiring Federal agencies to take the security of desktop and laptop systems more seriously (see <a href="http://www.washingtonpost.com/wp-dyn/content/article/2006/06/27/AR2006062700540.html">OMB Sets Guidelines for Federal Employee Laptop Security</a>) in the wake of the recent disclosure of several massive losses of data which could lead to <a href="http://www.consumer.gov/idtheft/">identity theft</a>.<br /><br />Here are a few stories describing the recent incidents which prompted the concern and gained the attention of the OMB:<br /><a href="http://www.washingtonpost.com/wp-dyn/content/article/2006/06/23/AR2006062301493.html">Navy Finds Data on Thousands of Sailors on Web Site</a><br /><a href="http://www.theregister.co.uk/2006/04/18/afghan_market_security_breach/">Afghan market sells US military flash drives</a><br /><a href="http://www.foxnews.com/story/0,2933,200724,00.html?sPage=business.foxnews/pe">FTC Loses Personal Data on Identity-Theft Suspects</a><br /><a href="http://www.theregister.co.uk/2006/05/23/va_data_security_breach/">US veterans' data exposed after burglary</a><br /><a href="http://www.securityfocus.com/news/11393">Veterans Affairs warns of massive privacy breach</a><br /><a href="http://www.foxnews.com/story/0,2933,199465,00.html">Officials: Veterans Affairs Department Ignored Repeated Warnings on Data Security</a><br /><a href="http://www.firstgov.gov/veteransinfo.shtml">Latest Information on Veterans Affairs Data Security</a><br /><br />Additional background reading on the recent OMB security guidance: <a href="http://www.gcn.com/print/23_15/26276-1.html">OMB targets desktop hole in cybersecurity</a><br /><br />Before we leap headlong into encrypting everything in the government, however, we should really ponder the technology and its other implications. Earlier this week, President Bush chastised the North Koreans, who have been preparing to test an ICBM (Intercontinental Ballistic Missile), saying that it is worrisome that a "<a href="http://www.globalsecurity.org/wmd/library/news/dprk/2006/dprk-060621-voa01.htm">non-transparent regime</a>" is developing such a capability. Transparency in government is a valued characteristic of modern democratic governments. <br /><br />Consider, however, that even in a modern democracy there is a tension between disclosure and transparency on the one hand, and the desire of government organizations to restrict information flow for a variety of purposes on the other. Also this week, the disclosure of further domestic spying activity highlights that very issue. <br /><br />More directly, even one of the agencies hit by the recent data thefts ran aground on the sand bar of public relations spin control run amok: <a href="http://edition.cnn.com/2006/US/05/23/vets.data/">Source: Theft of vets' data kept secret for 19 days</a>. <br /><br />At least some organizations will opt to encrypt most data in most databases, most documents, and most filesystems, because it will be easier and cheaper to comply with directives like this by defaulting to encrypted storage for everything than it will be to analyze this mountain of content to determine what should be encrypted and what should not. (Most of the stolen data that upsets people is personnel data, which is "sensitive but unclassified," for example.)<br /><br />Although this may help prevent massive losses of data like those seen recently, it might also reduce transparency in government. 
It may well be legitimately more difficult and expensive to satisfy a FOIA (Freedom of Information Act) request for organizations which rely on office documents and distributed (ad hoc) content creation and storage. Most policy-setting organizations do exactly that.<br /><br />The recent OMB guidance is a welcome step in helping to limit the damage. (It should also be noted that encrypted storage doesn't completely solve this problem. People tend to leave passwords lying about in plain text files to help them access their protected data, and passwords can be cracked with common tools given enough CPU power and time; the weaker the passphrase and the cheaper the key derivation, the shorter that time.)<br /><br />Congress should consider the implications of encryption as a response to data theft upon the desirable characteristic of transparency in governance, and should attempt to mitigate the potential damage to transparency before it occurs. They might require that all encrypted archives be searchable, for example, similar to the way email applications search encrypted mail files. Some thought on this issue would undoubtedly produce a few basic guidelines which would help preserve transparency in governance. 
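To make the "passwords can be cracked given enough CPU power and time" caveat concrete, here is an added example (not from the original post) of what a thief with a stolen laptop actually holds when the disk is protected by a passphrase-derived key: a salt, an iteration count and a key check value, but not the passphrase. The key derivation is PBKDF2 from the Python standard library; the vault header layout, the wordlist and the passphrases are constructed for illustration. The same offline guessing loop is run against a weak passphrase with a cheap derivation and against a long one with an expensive derivation.

```python
"""Why "encrypt everything" still depends on the passphrase.

Added example, not code from the original post. The "vault header" is what
sits on the stolen disk: salt, PBKDF2 iteration count and a key check
value. Wordlist and passphrases are constructed for illustration.
"""
import hashlib
import hmac
import os

KEY_LEN = 32


def derive_key(passphrase, salt, iterations):
    """Stretch a passphrase into a fixed-size key. The iteration count is
    the cost the defender imposes on every guess, legitimate or not."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"),
                               salt, iterations, KEY_LEN)


def make_vault_header(passphrase, iterations, salt=None):
    """Everything stored on disk except the passphrase itself."""
    salt = salt or os.urandom(16)
    key = derive_key(passphrase, salt, iterations)
    # Key check value: lets the unlock routine (and therefore the attacker)
    # tell a right guess from a wrong one without touching the payload.
    kcv = hmac.new(key, b"kcv", "sha256").digest()
    return {"salt": salt, "iterations": iterations, "kcv": kcv}


def unlock(header, passphrase):
    """True if the passphrase reproduces the stored key check value."""
    key = derive_key(passphrase, header["salt"], header["iterations"])
    probe = hmac.new(key, b"kcv", "sha256").digest()
    return hmac.compare_digest(probe, header["kcv"])


def dictionary_attack(header, wordlist):
    """Offline guessing against a stolen header. Returns (passphrase, guesses)
    on success or (None, guesses) after exhausting the list."""
    for n, guess in enumerate(wordlist, 1):
        if unlock(header, guess):
            return guess, n
    return None, len(wordlist)


def cracking_cost(header, wordlist_size, guesses_per_second):
    """Worst-case seconds to exhaust a wordlist, given the attacker's raw
    PBKDF2 throughput measured at one iteration. Linear in both factors,
    which is why the iteration count and the list size both matter."""
    return wordlist_size * header["iterations"] / guesses_per_second


# Constructed wordlist: the sort of thing found in any cracking kit.
WORDLIST = ["password", "letmein", "Summer2006", "welcome1",
            "agency123", "Passw0rd!"]


if __name__ == "__main__":
    weak = make_vault_header("agency123", iterations=1000)
    strong = make_vault_header("harbor-walnut-seventeen-grapefruit",
                               iterations=200_000)
    print("weak  :", dictionary_attack(weak, WORDLIST))
    print("strong:", dictionary_attack(strong, WORDLIST))
    for name, hdr in ("weak", weak), ("strong", strong):
        secs = cracking_cost(hdr, 10_000_000, 1_000_000)
        print(f"{name}: {secs / 3600:.1f} hours for a 10M-word list")
```

The weak header falls on the fifth guess; the strong one survives the list, and even a ten-million-word list costs the attacker on the order of weeks rather than hours at the higher iteration count. Neither stretching nor a long passphrase helps, of course, when the passphrase is sitting in a text file next to the vault, which is the failure the paragraph above describes.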
<br /><br />Tags: Afghanistan, arms control, Army, data loss, data security, encryption, identity theft, North Korea, OMB, rootkit, security, spyware, transparency, Trojan, USB, USDA, veterans affairs, virus, worm<br /><br />Gary W. Longsine<br /><br /><br />Microsoft Excel exploit: Let's be careful out there?<br />Gary W. Longsine, 2006-06-16<br /><br />A new zero-day exploit of Microsoft Excel has me pondering a standard bit of security advice, "be careful what you click." 
This <a href="http://en.wikipedia.org/wiki/Meme">meme</a> survives to be repeated at nearly every outbreak, yet it simply isn't very effective.<br /><br />You've probably seen a story or blog post about this already, but in case you haven't, here's the alert from the Microsoft Security Response Center blog on TechNet that got me thinking:<br /><br /><blockquote><a href="http://blogs.technet.com/msrc/default.aspx">Reports of new vulnerability in Microsoft Excel</a><br />"In order for this attack to be carried out, a user must first open a malicious Excel document that is sent as an email attachment or otherwise provided to them by an attacker. (note that opening it out of email will prompt you to be careful about opening the attachment) So remember to be very careful opening unsolicited attachments from both known and unknown sources."</blockquote><br /><br />Many online articles and blog posts repeated this advice unquestioningly. Some folks even praised it, including the respected security journalist Brian Krebs. In his post about the issue on the <a href="http://blog.washingtonpost.com/securityfix/">Security Fix</a> blog, he says it's "always good advice" that one be very careful opening unsolicited attachments.<br /><br />Recently similar advice was given to users of various instant messaging systems, as a "worm" affected users of Yahoo's system. In fact, the "worm" required the user to click it, meaning that its spread couldn't possibly reach the "every vulnerable machine got hit" levels of a real, automatically propagating network worm. <br /><br />However, these instant message viruses and email viruses can affect large numbers of systems in a short amount of time. A year or so ago I saw an outbreak of an email virus hit 1.5% of the systems at a large customer. It hit so many people (over 500) so fast (within an hour or two) that we at first thought it was exploiting an automatic execution hole in the email client. 
In fact, it had just been a little more clever than average at social engineering&mdash;tricking people into clicking it.<br /><br />I briefly interviewed a few of the victims, some of whom were trained IT professionals who spent a lot of time during the course of the year explaining to users that they shouldn't click unexpected attachments. Well, the virus in question was somewhat clever. It nearly always appeared to be from someone you know. It sent an attachment which appeared to be a spreadsheet (it was instead an executable virus). It used cleverly mundane subject lines. <br /><br />Nearly all of the victims had received a virus pretending to be a spreadsheet, which appeared to be from someone they regularly received spreadsheets from via email.<br /><br />How careful must people be? Scanning a file first wouldn't have protected the victim against zero-day threats like the current Excel threat. <br /><br />We give the same advice to people about web surfing. Be careful where you surf, be careful what you click. It doesn't work there, either. Corporate and home PCs alike see anywhere from 1% to 20% ambient levels of adware and spyware infestation. <br /><br />But the web is a treasure trove of useful and wonderful things you might never discover if, sometimes, you don't click with essentially reckless abandon. <br /><br />The sentiment is pure, but most users are not able to easily tell what to click from what to avoid. Most people can filter out only the most rudimentary email viruses or phishing at a glance. <br /><br />I've given this advice myself many times, trying to carefully explain how to tell good from bad emails, and good from bad free downloads. I think in general the advice hasn't been helpful to most people most of the time. 
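The check that should have been made at the mail gateway rather than by the user, as an added example that is not part of the original post: an executable dressed up as a spreadsheet is easy for a person to miss and easy for a machine to catch, because the leading bytes of the file say what it really is, whatever the name claims. The classifier below looks at the real type (PE executable, OLE2 Office document, zip container, PDF) against the claimed extension, and also normalizes the whitespace padding used to push a trailing ".exe" or ".scr" off the visible edge of the attachment name. The file-type magic values are standard; the sample attachments, the verdict names and the extension lists are constructed for illustration.

```python
"""Gateway check for executables masquerading as documents.

Added example, not code from the original post. Compares the real file
type (from leading bytes) with the type the filename claims. Sample
attachments below are constructed.
"""
import re

EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat",
                         ".cmd", ".vbs", ".js", ".hta"}
LEGACY_OFFICE = {".xls", ".doc", ".ppt"}      # OLE2 compound documents
OOXML_OFFICE = {".xlsx", ".docx", ".pptx"}    # zip containers

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# Leading bytes that identify the real format, checked in this order.
MAGIC = [
    (b"MZ", "windows-executable"),
    (OLE2_MAGIC, "ole2-office-document"),
    (b"PK\x03\x04", "zip-container"),
    (b"%PDF", "pdf"),
]


def sniff(data):
    """Real format of the attachment from its first bytes."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return "unknown"


def extensions(filename):
    """Every extension in the name, lowercased, after collapsing the run of
    spaces that hides 'invoice.xls                .scr' from the user."""
    name = re.sub(r"\s+", " ", filename).strip()
    return ["." + part.strip().lower() for part in name.split(".")[1:]]


def classify_attachment(filename, data):
    """Return (verdict, reason): 'block', 'quarantine' or 'allow'."""
    exts = extensions(filename)
    last = exts[-1] if exts else ""
    kind = sniff(data)
    if kind == "windows-executable":
        # Content wins over name: a PE file is a PE file whatever it is called.
        return "block", "PE executable content behind name %r" % filename
    if last in EXECUTABLE_EXTENSIONS:
        return "block", "executable extension " + last
    if last in LEGACY_OFFICE and kind != "ole2-office-document":
        return "quarantine", last + " name but content is " + kind
    if last in OOXML_OFFICE and kind != "zip-container":
        return "quarantine", last + " name but content is " + kind
    return "allow", kind + " content consistent with " + (last or "no extension")


PE_STUB = b"MZ\x90\x00" + b"This program cannot be run in DOS mode"

# Constructed samples, labelled by the trick (or lack of one) they use.
SAMPLES = {
    "honest_xls": ("budget.xls", OLE2_MAGIC + b"\x00" * 24 + b"Workbook"),
    "double_ext": ("budget.xls.exe", PE_STUB),
    "lying_ext": ("Q2 numbers.xls", PE_STUB),
    "space_padded": ("invoice.xls" + " " * 40 + ".scr", b"\x00\x00not a PE"),
    "plain_text": ("notes.txt", b"Lunch on Thursday?"),
    "honest_xlsx": ("quarterly.xlsx", b"PK\x03\x04\x14\x00[Content_Types].xml"),
    "xlsx_named_xls": ("quarterly.xls", b"PK\x03\x04\x14\x00[Content_Types].xml"),
}


def scan_samples():
    """Verdict for each constructed sample, keyed by label."""
    return {label: classify_attachment(name, data)[0]
            for label, (name, data) in SAMPLES.items()}


if __name__ == "__main__":
    for label, (name, data) in SAMPLES.items():
        verdict, reason = classify_attachment(name, data)
        print(f"{label:15} {verdict:10} {reason}")
```

The three disguised executables are blocked outright; the OOXML workbook saved under a legacy ".xls" name is merely quarantined, since that mismatch is a common honest mistake. Note what this does and does not cover: it catches the "executable pretending to be a spreadsheet" trick from the outbreak described above, but a genuine spreadsheet carrying the Excel zero-day passes every check here, which is the point the post goes on to make.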
High levels of ongoing infestation from adware and spyware, widespread damage from instant message "worms" and rampant identity theft all tell us that the advice isn't working.<br /><br />Tags: adware, antivirus, antiworm, identity theft, malware, security, spyware, virus, Windows, worm, zero day worm<br /><br />Gary W. Longsine<br /><br /><br />Beware of Your Auditors<br />Gary W. Longsine, 2006-06-09<br /><br />Security auditors can be a clever lot, sometimes a bit too clever. You really need to have someone on staff looking over their shoulder throughout the entire audit, from planning through probing and reporting. If you don't have someone on staff qualified to watch them, you need an independent consultant. A very sharp generalist would do, but someone experienced in security would be better. Basically you need a check-and-balance system in place to keep stories like the following from happening to your organization. <br /><br />First, the context. 
The auditors created a custom Trojan, planted it amidst various other files on USB drives, and seeded them in parking lots and areas of the client's premises where they would likely be discovered by the client's employees. Which, of course, they were. Here's what they say about the experience:<br /><br /><a href="http://www.darkreading.com/document.asp?doc_id=95556&amp;WT.svl=column1_1">Social Engineering, the USB Way</a><br /><blockquote><em>I had one of my guys write a Trojan that, when run, would collect passwords, logins and machine-specific information from the user’s computer, and then email the findings back to us.<br />...<br />I immediately called my guy that wrote the Trojan and asked if anything was received at his end. Slowly but surely info was being mailed back to him.<br />...<br />After about three days, we figured we had collected enough data. When I started to review our findings, I was amazed at the results. Of the 20 USB drives we planted, 15 were found by employees, and all had been plugged into company computers. The data we obtained helped us to compromise additional systems, and the best part of the whole scheme was its convenience. We never broke a sweat. Everything that needed to happen did, and in a way it was completely transparent to the users, the network, and credit union management.</em></blockquote><br /><br />Yes, you read that right. Their custom Trojan emailed the client's account names and passwords and other (presumably important) data out to the auditors' off-site email accounts.<br /><br />Now, unless these guys put rather more effort into their custom Trojan than they described, email is a plaintext protocol. So any fifteen-year-old kid with a summer job, sitting on a router or an SMTP gateway at an ISP between the client and the auditors' mailbox, can read that email. (Mail servers can negotiate TLS hop by hop, but nothing in the story suggests they did, and even then the message sits in the clear on every relay and in the receiving mailbox.) 
<br /><br />Of course, it's possible the Trojan was equipped with an X.509 certificate and an encryption system, but it seems to me that if the auditors had thought of this, they would have mentioned it. It would have been a source of pride. For either forgetting to encrypt the data or failing to mention it in their storytelling, they will undoubtedly be punished by the flood of email they are bound to get from every GSEC- and CISSP-certified security analyst on the planet. <br /><br />I don't want to be too critical, because they seem to have the best intentions, and their effort served to illustrate a point that clients often don't take seriously: USB drives really can be dangerous, even if you don't inhale one. However, in their excitement to put the clever idea to the test, these auditors seem to have overlooked one important layer of the security cake and the dictum, useful to all consultants, "<a href="http://www.geocities.com/everwild7/noharm.html">first, do no harm</a>."<br /><br />Of course, this isn't the most egregious error ever committed by an auditor. Far from it, in fact. I've personally seen auditors' laptops spewing worm traffic on a client's network. It's likely that the auditors' systems were infected by a worm on the client's network rather than the other way around, but running three systems known to be vulnerable to the same defect they were spanking the client for was, pardon the pun, an oversight. <br /><br />In the last year or so, several incidents of auditors losing valuable client data, including identity information, have been reported, notably more than one incident involving <a href="http://www.theregister.co.uk/2006/06/01/ey_hotels_laptop/">Ernst &amp; Young</a>.<br /><br />So, have someone on your staff work closely with the auditors as the sponsor of the audit, or have an independent consultant watching over their shoulder for you. 
People sometimes get carried away in their exuberance to do great work, and other times are following bureaucratic procedures that just don't make sense. In either case, your sponsor should have veto power over any action during the audit, to protect your data from accidental exposure.<br /><br />In case you're wondering, you don't need an "auditor for the auditor for the auditor" up an infinite chain. What we're really talking about here is a sponsor with veto power who isn't part of the audit team. This kind of outside watchdog can break the pattern of groupthink that causes people to run off with a half-baked idea and accidentally expose the very data they are ostensibly trying to help you protect.<br /><br />Tags: antivirus, auditor, security, Trojan<br /><br />Gary W. Longsine<br /><br /><br />McAfee out of ideas - blames internet for rootkits<br />Gary W. Longsine, 2006-04-17<br /><br />The recent article <a href="http://www.networkworld.com/news/2006/041706-open-source-rootkits.html">Does open source encourage rootkits? [NetworkWorld]</a> discusses a McAfee report, "Rootkits", in which McAfee lays the blame for rootkits at the door of the open source community by name, security researchers by implication, and, unwittingly, at the very doorstep of information sharing: books, libraries, and printed material. 
The report was issued in response to a large jump in the number of rootkits McAfee detected (nine times as many this quarter as in the year-ago quarter, a dramatic increase). They specifically blame <a href="http://rootkit.com">rootkit.com</a>.<br /><br />The unstated basis for their argument is the classic tension between open sharing of information about security vulnerabilities on the one hand and secret cabals of security research on the other. McAfee is clearly coming down on the "keep it secret to be safe" side. Most independent security researchers reject this argument, because industry has a very long track record of ignoring security issues until they are made public. Most researchers also practice a policy of advance notification: give the vendor reasonable notice before publishing the findings to the world, and attempt to work with them so that a fix is available when the notice is published. However, the threat of publication is sometimes the only thing that motivates software companies to fix security problems. <br /><br />Blaming open source, web sites, and, by implication, information sharing is misguided. <br /><br />The folks who are writing the real malware could (and do) use secret, members-only web sites to share ideas and code in their pursuit of malfeasance. It's better for the community of researchers to have open sites sharing these ideas.<br /><br />The fact is that you don't need a web site. There are books that do a pretty good job of explaining how rootkits work and how to build them. Are libraries now to blame? Is the publishing division of McAfee's competitor, Symantec Press, to blame? (<a href="http://www.awprofessional.com/title/0321304543">The Art of Computer Virus Research and Defense</a>) <br /><br />No. Information sharing is not to blame. Symantec is not to blame (at least not in this respect). Books are not to blame. The internet isn't to blame, web sites are not to blame, security researchers are not to blame. 
<br /><br />I wonder if instead we can attribute the continuing and expensive thorn of malware to humanity's continuing struggle to ride a rapid wave of expanding technology while simultaneously attempting to preserve civil liberties and limit the destruction and damage that can be caused by Evil Doers(TM)? Frankly, we're not very good at it, and we will soon face analogous problems in the much more serious realm of biological engineering. Recall that the genome of the 1918 influenza virus has already been published. We need to get better at this stuff pretty quickly, because the clock is ticking. The information genie can't be put back in the bottle; we had better figure out how to tame it.<br /><br />* NOTE: Evil Doers is a Trademark of The Bush Administration. <br /><br />Tags: adware, antivirus, antiworm, botnets, identity theft, malware, rootkit, puppy, spyware, Windows<br /><br />Gary W. Longsine<br /><br /><br />Cyberstalking &amp; identity theft<br />Gary W. Longsine, 2006-04-17<br /><br />The New York Times today features an interesting article, "<a href="http://www.nytimes.com/2006/04/17/technology/17stalk.html?_r=1&amp;oref=slogin&amp;pagewanted=all">A Sinister Web Entraps Victims of Cyberstalking</a>" [annoying but free registration probably required].<br /><br />The article does a nice job of describing the problem, but it doesn't say much about how to protect yourself. Unfortunately, it's pretty difficult. <br /><br />Gary W. Longsine<br /><br /><br />Identity Theft and the Torn Up Credit Card Application<br />Gary W. Longsine, 2006-03-15<br /><br />You should never throw out any piece of paper with contact information on it. Any such paper should be shredded rather than tossed out. In particular, never throw out credit card statements; always shred them, preferably in a cross-cut shredder.<br /><br />If you are not taking the risk of identity theft seriously, this article on "<a href="http://www.cockeyed.com/citizen/creditcard/application.shtml">The Torn Up Credit Card Application</a>" should strike an appropriate amount of fear, just enough to convince you to buy a small home-office shredder.<br /><br />Tags: identity theft<br /><br />Gary W. Longsine<br /><br /><br />Virus Vulnerability for RFID (Radio Frequency ID tags)?<br />Gary W. Longsine, 2006-03-15<br /><br />The breeding ground for the computer virus will expand continually and rapidly over the next decade as appliances, automobiles, and all manner of other things become equipped with wireless networking and miniature computers. Cell phone and similar networks may enable worms to leap between devices over long distances, and other networks over short distances.<br /><br />Researchers have recently demonstrated that RFID tags may be vulnerable next.<br /><br />Articles on the topic:<br /><a href="http://www.newscientist.com/article/dn8854-rfid-worm-created-in-the-lab.html">RFID worm created in the lab [NewScientist.com]</a><br /><a href="http://news.bbc.co.uk/2/hi/technology/4810576.stm">Viruses leap to smart radio tags [BBC.co.uk]</a><br /><a href="http://www.securityfocus.com/brief/163">RFID tags could carry computer viruses [SecurityFocus.com]</a><br /><br />The details, for the curious:<br /><a href="http://www.rfidvirus.org/index.html">RFID Viruses and Worms</a><br /><br />The antivirus paradigm that we [the IT community and industry] have foisted upon PC users is already breaking down under the strain of too many virus variants and too many non-technical PC users. The paradigm probably won't work at all for cell phones, and it is completely broken for the typical RFID device, which lacks an end user administration interface of any kind. <br /><br />The antivirus paradigm was invented for enterprise users, who were expected to be paid to devote time to protecting a valuable asset, and for technical hobbyist users who loved tweaking their PC. It's not designed for users who want to use their PC as a simple household tool, like a television or a refrigerator. 
<br /><br />The stuff people want to do with RFID technologies is truly amazing. It starts with automating inventory in retail stores, but goes all the way down to things like "washable RFID tags equipped with sensors on all my clothes will let me check whether my favorite suit is at the cleaners, at home in the laundry bag, or at home ready to wear" and "RFID tags will let my pantry tell me from work whether I have all the ingredients needed to bake a birthday cake, or whether I need to stop at the store on my way home". <br /><br />If this stuff is going to work, we will need to be careful that we don't turn the average home into the administrative nightmare that is the average enterprise network. RFID would flop, because consumers can't afford to hire an IT staff to maintain IDS and antivirus systems for their pantry, wardrobe, stereo, library and toolshed. <br /><br />Tags: adware, antivirus, antiworm, botnets, RFID, virus, worm<br /><br />Gary W. Longsine<br /><br /><br />McAfee AntiVirus false positives - older, "reliable" signatures pose risk too<br />Gary W. Longsine, 2006-03-13<br /><br />False positives are the bane of antivirus and IDS/IPS systems. 
On the one hand, hundreds and even thousands of new threats are released each week. Each must be discovered, submitted to vendors and analyzed; definitions, signature files or heuristic algorithms must be tweaked, tested, released to customers, and finally deployed to customer systems. All of this must be done in as short a time as possible, since the threats often spread in minutes and hours. Antivirus signatures are often available within two days of a threat's first appearance on the network. Polymorphic techniques, even simple ones like automatically generating dozens or more variants at the threat's compile time, are becoming more common, making it more difficult for antivirus vendors to keep up with the expanding threat pool every year.<br /><br />Today we learned that an error in a signature file caused the McAfee antivirus system to delete good files from production systems. This unfortunate accident affected at least a hundred of their customers and probably thousands of PC systems. The final tally of affected systems probably won't be announced. (A similar problem recently caused <a href="http://news.com.com/Microsoft+flagged+Symantec+software+as+spyware/2100-1002_3-6038852.html?tag=nl">Microsoft AntiSpyware to zap Symantec AntiVirus from systems</a>.)<br /><br />This incident is receiving more press attention than such things usually do. The real wonder is that they don't happen more often.<br /><br /><a href="http://news.com.com/McAfee+update+exterminates+Excel/2100-1002_3-6048709.html?tag=nefd.hed">McAfee update exterminates Excel</a><br /><blockquote>Such problems with security software are called false positives and they happen occasionally. McAfee typically has to do an emergency release of a virus definition file once every three months because of a false positive issue, Telafici said. "This is our once for the quarter I think," he said.</blockquote><br /><br />Similar rates of false positives are probably seen from other vendors, but this might be the first time that an antivirus vendor publicly disclosed information about its false positive rate. Not every customer is affected by every false positive. Many affect third-party applications which were previously unknown to the antivirus vendor. In cases like these, a DLL from a valid production software system accidentally matches a signature developed by the antivirus vendor, who doesn't have that system to test against. Tracking down these problems sometimes includes a finger-pointing exercise between the antivirus vendor and the third-party application vendor; the antivirus companies sometimes uncover viruses in shipping code, too, and it may be difficult to tell where the problem lies at first.<br /><br /><a href="http://news.com.com/McAfee+update+exterminates+Excel/2100-1002_3-6048709.html?tag=nefd.hed">McAfee update exterminates Excel</a><br /><blockquote>However, this time around it was a particularly big goof, because the company faulted Excel, Telafici admitted. "Usually, it is either custom applications or applications that did not exist at the time we wrote the signature file," he said.</blockquote><br /><br />That bit is particularly interesting. The implication is that after its initial creation and testing, a given signature may not be tested as thoroughly or as often down the line. Several months later, an update to your application software might cause an old signature to match it, with catastrophic results. In retrospect it makes some sense, as full-on testing of this stuff takes time and resources, and the pressure to test and ship the newest definition or signature files is quite high. <br /><br />However, this revelation probably indicates that the ongoing risks from signature or heuristic approaches may be somewhat higher than previously thought. 
With the number of threats multiplying every year, and with the number of signature files which require testing increasing concomitantly, older signatures which have been "thoroughly tested and validated in the customer environment" may no longer be assumed to be benign beyond doubt.<br /><br />The current McAfee false positive incident is discussed here:<br /><a href="http://it.slashdot.org/article.pl?sid=06/03/13/1322215">McAfee Anti-Virus Causes Widespread File Damage [Slashdot]</a><br /><a href="http://www.realtechnews.com/posts/2802">Excel = Virus ... At Least to McAfee [RealTechNews]</a><br /><br />Gary W. Longsinehttp://www.blogger.com/profile/05653813520423954538noreply@blogger.comtag:blogger.com,1999:blog-13178036.post-1142098180835562052006-03-11T12:27:00.000-05:002006-03-11T13:26:58.163-05:00Citibank PINs and the botnet arms race<br /><br />I noticed this tidbit from a Gartner researcher quoted in a story about the recently disclosed PIN theft.<br /><br /><blockquote><a href="http://techweb.com/wire/security/181502468">PIN Scandal "Worst Hack Ever;" Citibank Only The Start</a><br />"That's the irony, the PIN was supposed to make debit cards secure," Litan said. "Up until this breach, everyone thought ATMs and PINs could never be compromised."<br />&nbsp;&nbsp; - Avivah Litan, Gartner</blockquote><br /><br />I wish the reporter or Gartner researchers would have checked with me or someone else who has direct experience auditing software systems. 
I've been warning my clients for years about the security exposure from data retention in e-commerce and credit card transaction systems, and I know a number of other security professionals who've been doing the same.<br /><br />In fact, given the number of thefts of credit card data from 3rd party web sites that have occurred in recent years, it's unlikely that this is the first PIN theft to have occurred, counter to the implication in this story. It might be the first that has occurred since legislation obligated disclosure of such thefts, but even that seems unlikely.<br /><br />There are literally thousands if not tens of thousands of different bits of software involved in credit card transaction processing: custom made in house, derived from free code available on the internet, purchased from third parties, or custom made by third parties. Most of those systems originate in the web development world, where robust software development and testing practices are not fully realized and security inspection or auditing is an afterthought, if it's a thought at all. <br /><br />PINs and the special security codes printed on credit cards are intended by the vendors to be "transient" data, used but not stored at the point of presence -- e.g. the cash register or web site where the transaction is initiated. However, it's impossible to audit all of the custom made systems in the world. <br /><br />In a recent article here discussing the Verified by Visa program, I speculated that proxy agents could be placed in front of an e-commerce engine on a compromised web server to defeat the Verified by Visa security measures. The same technique could be used to harvest PINs and security codes even more transparently. <br /><br />Without conducting a survey, I can tell you from my experience that most organizations with e-commerce shopping carts on their web sites are not prepared to detect such an intrusion. 
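To make "transient" concrete: the two places a PIN or card security code usually ends up stored by accident are the transaction record and the web server or application log. The following is an added example, not code from this post or from any card network: a persistence gate and a log scrubber that enforce the rule. The field names, the sample transaction and the log line are constructed, and the Luhn check is there so the scrubber can tell a card number from an order number of the same length.

```python
import re

# Fields that may be used to authorize a transaction but never written to a
# database, log file or crash dump. Names are assumptions; adapt to your schema.
TRANSIENT_FIELDS = frozenset({"pin", "cvv", "cvv2", "cvc", "cid", "track2"})

# 13-19 digits, optionally separated by spaces or dashes, not inside a longer digit run
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# key=value pairs for codes/PINs in free-text log lines
KV_RE = re.compile(r"\b(pin|cvv2?|cvc|cid)\s*[=:]\s*\d{3,12}", re.IGNORECASE)


def luhn_ok(digits: str) -> bool:
    """Card-number checksum; distinguishes a PAN from an order number of
    similar length so the scrubber doesn't redact harmless identifiers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits (what a receipt may show)."""
    digits = re.sub(r"\D", "", pan)
    if len(digits) < 13:
        return "*" * len(digits)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def forbidden_fields(txn: dict) -> list:
    """Names of transient fields present in a record about to be persisted."""
    return sorted(k for k in txn if k.lower() in TRANSIENT_FIELDS)


def persistable(txn: dict) -> dict:
    """The subset of a transaction that may be stored: transient fields are
    dropped (not blanked, so they cannot leak through a schema dump) and the
    PAN is masked. Tokenize the PAN instead if you need it for refunds."""
    record = {}
    for key, value in txn.items():
        if key.lower() in TRANSIENT_FIELDS:
            continue
        record[key] = mask_pan(str(value)) if key.lower() == "pan" else value
    return record


def scrub_log(line: str) -> str:
    """Redact Luhn-valid card numbers and pin/cvv pairs from a log line before
    it is written; the web tier and the shopping cart both need this."""
    def _pan(m):
        digits = re.sub(r"\D", "", m.group(0))
        return mask_pan(digits) if luhn_ok(digits) else m.group(0)
    line = PAN_RE.sub(_pan, line)
    return KV_RE.sub(lambda m: m.group(1) + "=[REDACTED]", line)


# Constructed sample input
SAMPLE_TXN = {"pan": "4111 1111 1111 1111", "cvv": "123", "PIN": "4321",
              "amount": "49.95", "merchant_ref": "A17"}
SAMPLE_LOG_LINE = ('POST /checkout pan=4111111111111111 cvv=123 '
                   'order=1234567890123 amount=49.95')

if __name__ == "__main__":
    print(forbidden_fields(SAMPLE_TXN))
    print(persistable(SAMPLE_TXN))
    print(scrub_log(SAMPLE_LOG_LINE))
```

Note what `scrub_log` deliberately leaves alone: the 13-digit order number fails the Luhn check and is kept, so the scrubber can sit in front of every log writer without destroying the operational data you need for incident response. The gap it does not close is a compromised server that intercepts the request before the gate, which is exactly the proxy-agent scenario above.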
<br /><br />Shopping cart systems are only the tip of the iceberg. I've seen dramatic, gaping security problems in systems that existed for years and were easy to discover by accident through ordinary use of the system. One such system provided full identity information for all accounts within the system, including bank account information, phone numbers, addresses, date of birth and other information -- matched to Social Security Number. The system's entire database could be enumerated simply by poking Social Security Numbers into a lookup field one at a time; a randomly generated number either missed or returned a complete record, so poking in every possible number would fetch the whole database. A "script kiddie" could have done this in a very short time. The system was not instrumented with any logging which would reveal that this type of enumeration had been performed. The system's database included many members of the House and Senate. (Surprisingly, all of the information in this paragraph doesn't narrow down the field of applications enough to give away what the application was, nor the agency which ran it.)<br /><br />Oftentimes when such issues are encountered it is a struggle to get the owners of the system to understand the exposure and act upon it. I spent two days trying to convince the Federal Agency that owned this system to act. I was only able to get the hole closed by identifying the private contractor who implemented the system and calling their CEO, who immediately understood the importance of the issue.<br /><br />If you find holes like these that are relatively easy to discover and have existed in systems for extended periods of time, you must assume that they have been discovered before. In some cases you may be legally obligated to notify the persons whose data has been exposed. <br /><br />The complexity of e-commerce and other online software systems which handle sensitive data is high, and the cost of securing them and auditing them is very high. 
An audit performed by a commodity consulting shop may cost tens of thousands of dollars and take a couple of weeks. Even then, the auditors will often be ill equipped to discover many of the weaknesses that exist in these systems. If you hire a specialty security firm which brings highly skilled and experienced security engineers and programmers to the table, the cost will likely be even higher.<br /><br />Contrast that with the money that firms typically spend on these systems. Oftentimes they don't spend much at all. They go to the internet and find a "free" shopping cart, don't audit the code (so they have no idea how it works internally, or whether it has already been instrumented with a data harvesting routine), and slap it up on a web server. Even large corporations are guilty of this, as the division with the need may not be given the budget to "do it right". <br /><br />Conventional wisdom says that the west won the Cold War by outspending the Soviet empire, leading to the eventual bankruptcy and collapse of the Soviet system. The economics of securing online software systems that store sensitive data like credit card, debit card, and identity information are similar: the barrier to entry for the attacker is low, and the cost to defend is high. <br /><br />The botnet arms race continues, and this time the stakes are your identity information, and your bank account balance. 
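The enumeration described earlier in this post left no trace because nothing looked at the access log for the pattern. As an added example that is not part of the original post, here is the detection logic a script kiddie walking through Social Security Numbers would trip: per-source counting of distinct lookup keys in a sliding window, run over constructed log lines in combined log format. The query parameter name `ssn`, the window and threshold values, and the keyed-hash secret are all assumptions.

```python
import hashlib
import hmac
import re
from collections import defaultdict, deque
from datetime import datetime

# Combined-log-format line with the lookup key in the query string (constructed format)
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$')
KEY_RE = re.compile(r"[?&]ssn=(\d{9})")
# Keyed hash so the detector's own state and alerts never hold raw SSNs.
# Assumption: in production the key comes from a secret store and is rotated.
PEPPER = b"constructed-example-key"


def parse_line(line: str):
    """(ip, timestamp, hashed lookup key, status) or None for non-lookup lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    k = KEY_RE.search(m["path"])
    if not k:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    key_id = hmac.new(PEPPER, k.group(1).encode(), hashlib.sha256).hexdigest()[:16]
    return m["ip"], ts, key_id, int(m["status"])


def detect(lines, window_s: int = 60, max_distinct: int = 10) -> list:
    """One alert per source that looks up more than max_distinct DIFFERENT
    identifiers inside any window_s-second window. A real user repeats a few
    keys; an enumerator walks through new ones with a high miss (404) rate."""
    events = sorted((e for e in map(parse_line, lines) if e), key=lambda e: e[1])
    recent = defaultdict(deque)       # ip -> (ts, key_id, status) inside the window
    alerted, alerts = set(), []
    for ip, ts, key_id, status in events:
        q = recent[ip]
        q.append((ts, key_id, status))
        while (ts - q[0][0]).total_seconds() > window_s:
            q.popleft()
        distinct = {k for _, k, _ in q}
        if len(distinct) > max_distinct and ip not in alerted:
            misses = sum(1 for _, _, s in q if s == 404)
            alerts.append({"ip": ip, "at": ts.isoformat(), "distinct_keys": len(distinct),
                           "miss_rate": round(misses / len(q), 2)})
            alerted.add(ip)
    return alerts


def _line(ip, second, ssn, status):
    return (f'{ip} - - [11/Mar/2006:12:27:{second:02d} -0500] '
            f'"GET /lookup?ssn={ssn} HTTP/1.1" {status} 512')


# Constructed log: one legitimate user, one source walking sequential SSNs.
SAMPLE_LOG = (
    [_line("10.0.0.5", s, ssn, 200) for s, ssn in ((1, 123456789), (20, 123456789), (45, 987654321))]
    + [_line("192.0.2.77", i, 100000000 + i, 404 if i % 5 else 200) for i in range(40)]
)

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Two caveats a practitioner should keep in mind: the system has to log the lookup key in some form for this to work at all (hashed, so the log does not become a second copy of the database), and a patient attacker can stay under any fixed threshold, so the window and limit should be tuned against the real rate of legitimate lookups rather than the constructed values used here.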
<br /><br />Gary W. Longsinehttp://www.blogger.com/profile/05653813520423954538noreply@blogger.comtag:blogger.com,1999:blog-13178036.post-1142096479459794062006-03-11T11:58:00.000-05:002006-03-11T12:01:19.503-05:00Total Cost of 0wn3rsh1p<br /><br />This whitepaper spoof was written a couple of years ago. I tripped over it by accident, and was rewarded with health boosting laughter.<br /><br /><a href="http://www.immunitysec.com/downloads/tc0.pdf">Microsoft Windows: A lower Total Cost of 0wnership</a><br />Gary W. Longsinehttp://www.blogger.com/profile/05653813520423954538noreply@blogger.comtag:blogger.com,1999:blog-13178036.post-1141622585852972292006-03-06T00:20:00.000-05:002006-03-06T00:23:05.856-05:00Identity Theft & the Mail Box Meth Gang<br /><br />Botnets are the big guns in the Identity Theft world, ripping millions of identities from hard drives around the world -- not just from home users' PCs, but from web servers and database servers, where thousands, tens of thousands or even millions of records can be taken at once. However, low tech methods of data harvesting are still used. 
<br /><br />Low tech methods, too, appear to be evolving, as increasingly organized, larger scale efforts are being uncovered, paralleling what we see in the internet security world. The canonical example of organized crime driving spyware, worms and botnets has been shady advertising schemes. However, it's clear that identity theft is also a driver. But what drives the identity theft? Well, money obviously, but apparently drugs are behind some of it, too.<br /><br />The North County Times (San Diego) has an interesting story with quite a few details about one gang of <a href="http://www.nctimes.com/articles/2005/12/18/news/californian/21_23_4412_17_05.txt">Meth users turning to identity theft to pay for their habit</a>. Apparently 14,000 credit card numbers were gathered by the gang of 20 people using a fairly low tech method -- they drove around suburbs looking for mailboxes with raised red flags, and extracted bills and other mail.<br /><br />That may seem like a lot of identities for 20 people to harvest by driving around and stealing mail, but they could probably harvest that much in a month or maybe two at most, working in pairs, and working only a few hours a day. <br /><br />The wonder is that they managed to do this for more than a couple of days without getting caught. Neighborhood watch must not be watching the neighbors' mailboxes. <br /><br />The basic organization behind turning stolen data into money has been the same for decades, but the scale is larger than it's ever been.<br /><br /><blockquote>"There is the collector who steals your identity from mailboxes or trash bins," said Alameda police Sgt. Anthony Munoz, who teaches a class about the connection for the California Narcotics Officers Association. 
"Then there is the converter, who turns your identity into something, and lastly there is the passer, the person who uses the fraudulent identity."</blockquote><br /><br />From the perspective of an individual, the short term and low cost solution to this problem is prevention -- start by getting a lockable mailbox. Make sure you shred any paper or other media (floppy, zip disk, cdrom, etc.) that has any name and address information. This includes things like bills that you don't think of as sensitive. <br /><br />However, on the scale of the society, this is problematic, partly because people don't always realize when they are throwing away sensitive data -- because they think of each item separately. "Here's a bill, it just has my name and address," for example. Well, it has other things. It's got your account number with the electric company. With enough different little bits of information stole from mailboxes and dug out of the trash, the Mail Box Meth Gang was able to steal identities and use them to fund expensive drug habits. <br /><br />By picking up several different bits of information out of the trash, or inbound mail, it's possible to assemble a more complete picture of the data needed to steal an identity. We discussed this general technique recently in another context --it's known as "<a href="http://antiworm.blogspot.com/2006/02/hacker-0x80-0wn3d-by-fbi-arrested.html">the aggregation problem</a>".<br /><br />In order to deter this kind of theft, a substantial majority of people would need to exercise careful practices with their sensitive data -- thereby raising the cost of gathering the raw data. In actual practice, most people don't realize it's that important, and won't go to the time and expense required.<br /><br />Credit card vendors have responded to the growing identity theft problem by trying to make it more difficult to use a credit card number without the card. 
That's what those little three-digit and four-digit numbers on the card (on the back for most cards, on the front for American Express) are about. Those numbers don't appear on the credit card statement, and are required for some online purchases, thus making it more difficult to use a stolen credit card number.<br /><br />Unfortunately for the victims of identity theft, the classic trade-off between security and convenience hasn't been conquered. Further attempts to improve security of the credit card transaction system are clunky at best, typically problematic, and possibly open up new avenues for large scale identity harvesting at worst.<br /><br />Gary W. Longsinehttp://www.blogger.com/profile/05653813520423954538noreply@blogger.comtag:blogger.com,1999:blog-13178036.post-1141414459233001302006-03-03T14:30:00.000-05:002006-04-04T18:36:54.320-05:00Phishing: more clever, more evil, every day<br /><br /><a href="http://photos1.blogger.com/blogger/6690/1148/1600/Chase-Visa-Credit-Cards.gif"><img style="float:left; margin:0 10px 10px 0;cursor:pointer; cursor:hand;" src="http://photos1.blogger.com/blogger/6690/1148/320/Chase-Visa-Credit-Cards.gif" border="0" alt="" /></a><br />This ph​ishing scam, targeted at customers of Chase bank, is simple and direct. 
<br /><br />Fear it. <br /><br />Well, at least be aware of the general tendency of phishing scams to exploit basic human trust relationships with increasing sophistication. They get better and better every day, and they are building up quite a library of clever tricks.<br /><br /><ul><li>It looks like it came from your bank. </li><br /><li>The text is simple, direct, clear, and free from glaring grammatical errors.</li><br /><li>It appears to be a simple request. The apparent source of the email is obscured.</li> <br /><li>It appears to be from: Chase Online Services Team</li><br /><li>It exploits the HTML processing ability of most modern email clients to obscure the actual target of the "click here" link (which I've removed, but which was obviously something other than chase.com.)</li><br /></ul><br /><br />Here's the simplest, most direct, most likely to succeed phishing scam email I've seen to date:<br /><br /><blockquote>Dear Chase Member:<br />We have processed your request to change your e-mail address, based<br />upon the information you supplied.<br /><br />Beginning immediately, we will send all future e-mail messages,<br />excluding Alerts, to you at allenbauer@aol.com. Any e-mail addresses that receive<br />Alerts about your accounts will need to be updated separately.<br /><br />If you did not request this e-mail address change or have any<br />questions, please cancel this action and reactivate your account by clicking here.<br />Please do not respond to this confirmation e-mail.<br /><br />Sincerely,<br />Online Services Team</blockquote><br /><br />Phishing scammers don't use their own systems to harvest data for identity theft and credit card fraud. They use systems that belong to other people, which they have taken over without the knowledge of the owner. Often they take over large numbers of systems with worms or botnets. <br /><br />Intrinsic Security is working with Internet Service Providers to help stop botnets. 
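The two tricks in the list above, a spoofed display name and an anchor whose visible text or brand doesn't match the real target, can both be checked mechanically. The following is an added example (not from this post, from Chase, or from any mail filtering product) using only Python's standard library; the sample messages are constructed, modeled on the e-mail quoted above, with placeholder domains and the documentation address 203.0.113.9 in place of the real link target.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit


class _Links(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host: str) -> str:
    """Brand-level domain: last two labels (chase.com). Assumption: adequate
    for .com/.net; use a public-suffix list for co.uk-style domains."""
    host = host.lower().rstrip(".")
    if re.fullmatch(r"[\d.]+", host):
        return host                      # raw IP literal, keep as-is
    return ".".join(host.split(".")[-2:])


def phishing_indicators(raw_message: str, claimed_domain: str) -> list:
    """Findings that the message is not what it claims: sender domain differs
    from the brand, a link's real host differs from the brand, or a link shows
    one URL as text and goes to another."""
    msg = message_from_string(raw_message, policy=policy.default)
    findings = []
    name, addr = parseaddr(str(msg["From"]))
    sender = registrable(addr.rpartition("@")[2])
    if sender != claimed_domain:
        findings.append(f"From shows '{name}' but sender domain is {sender}")
    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return findings
    parser = _Links()
    parser.feed(body.get_content())
    for href, text in parser.links:
        # urlsplit().hostname ignores userinfo, so http://www.chase.com@203.0.113.9/
        # correctly resolves to the IP, not to chase.com
        target = registrable(urlsplit(href).hostname or "")
        if target != claimed_domain:
            findings.append(f"link '{text}' goes to {target}, not {claimed_domain}")
        if re.search(r"https?://", text) and registrable(urlsplit(text).hostname or "") != target:
            findings.append(f"visible URL '{text}' differs from real target {target}")
    return findings


# Constructed sample modeled on the message quoted above; domains are placeholders.
PHISH = """\
From: Chase Online Services Team <services@chase-online.example>
To: victim@example.net
Subject: Your e-mail address has been changed
MIME-Version: 1.0
Content-Type: text/html; charset="us-ascii"

<html><body><p>Dear Chase Member:</p>
<p>If you did not request this change, please
<a href="http://www.chase.com@203.0.113.9/login/">click here</a>.</p>
<p>Or visit <a href="http://chase-online.example/">https://www.chase.com/</a></p>
</body></html>
"""

LEGIT = """\
From: Chase <alerts@chase.com>
To: customer@example.net
Subject: Your statement is ready
MIME-Version: 1.0
Content-Type: text/html; charset="us-ascii"

<html><body><p><a href="https://www.chase.com/">Sign in</a> to view it.</p></body></html>
"""

if __name__ == "__main__":
    for f in phishing_indicators(PHISH, "chase.com"):
        print("-", f)
```

The check is only as good as `claimed_domain`, which has to come from somewhere other than the message itself (a list of brands you care about, or the domain the user's address book says the sender uses). Note also that a From header is trivially forged, so the sender check catches only the lazy phisher; the link checks are the ones that hold up.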
Help us spread the word by linking to our site from your blog. <a href="http://intrinsicsecurity.com/aboutus/contact-us/">Link to Intrinsic Security - join the antibotnet campaign.</a>Gary W. Longsinehttp://www.blogger.com/profile/05653813520423954538noreply@blogger.comtag:blogger.com,1999:blog-13178036.post-1140764136605126182006-02-24T01:51:00.000-05:002006-02-24T02:24:28.850-05:00Will monthly patch cycles survive the year?<br /><br />Microsoft's regularly scheduled (once a month) security updates have received a great deal of criticism in the security community. The practice delays (in theory by up to a month) the rollout of vital Windows patches and leaves customers exposed to worms, viruses, adware, spyware and outright hacking for more calendar days than the previous ad-hoc rollout of patches (i.e. as soon as they were ready). In today's world, where exploit code and worms show up within hours or days, these delays can be devastating.<br /><br />The monthly patch strategy has probably helped Microsoft with one key metric -- reducing the number of headlines per month about the latest vulnerability. In the months before Microsoft changed from ad-hoc security patch releases to a monthly schedule, negative security headlines were appearing almost daily. These headlines had begun percolating into the public consciousness, contributing generally to a vague but increasingly common perception that Windows is "insecure". Even though most people don't know what that means, if you stop random folk on the street and ask about Windows, a significant percentage will tell you Windows is insecure. 
(RocketBoom did this recently when they asked, <a href="http://www.rocketboom.com/vlog/archives/2005/12/rb_05_dec_02.html">Internet Explorer or firefox?</a>)<br /><br />That torrent of negative headlines was perceived in Redmond as creating potential switchers (to Macintosh or to Linux) not among the unwashed masses, but where it counts -- the corporations on whom Microsoft has had a mind lock for more than a full decade now. <br /><br />The rapid growth of a tumor on the Achilles' heel of Windows may have contributed to the change in release policy, but that doesn't mean the change itself is entirely bad. By introducing some regularity into the patching lifecycle of Windows, Microsoft may have given IT shops everywhere the lever they needed to convince management to dedicate more resources to patching Windows, and to realize the true (substantial) expense involved. <br /><br />Regular monthly updates have also forced the IT community -- vendors and customers alike -- to get better at patching Windows systems. Prior to this regular and predictable delivery, most companies were still in serious denial about the need to rapidly deploy patches. They were typically going through painful gyrations to determine whether every single patch applied to them or not, whether they could skip deploying it, etc., in a futile effort to contain workload. They tended to lump the patches themselves into deliveries a few times each year. Now they've been forced by the regular delivery of dozens of patches at once, each month, to come to grips with a more or less non-stop patch deployment process. It can still take many days or weeks to deploy patches in a typical medium-sized enterprise (say, one with more than 10,000 nodes), but that's down significantly from many months. 
<br /><br />Other vendors have been delivering patches in this regularly scheduled way, too, notably <a href="http://www.oracle.com/technology/deploy/security/alerts.htm">Oracle</a> which has also been criticized by customers for untimely patch delivery (and poor documentation of patches).<br /><br />Despite this little ray of sunshine, it's been looking like the monthly patch cycle won't remain viable. Vendors will soon see their customers demanding weekly patch cycles, at least. What will drive this? <a href="http://intrinsicsecurity.com/intrusion-suppression/the-patch-gap/" title="The Patch Gap">The Patch Gap</a> is too large in the era of the botnet and the zero day worm, driven by organized crime and state sponsored espionage. <br /><br />The problem with regular patch cycles is that the vendors and customers are both hoping that certain vulnerabilities have not yet been discovered by the cracker underground. Given the large number of vulnerabilities which are discovered each month, and the long period of time in which those vulnerabilities existed in widely deployed software (often years) it's almost certain that this hope is in vain. Crackers certainly know about some of these defects, and know how to exploit them, sometimes years before the script kiddies find them. <br /><br />Evidence that some cracker groups are well funded, probably state or corporation sponsored is mounting. Most recently a few stories have appeared which suggest that several well organized attacks have been traced back to <a href="http://technology.guardian.co.uk/weekly/story/0,,1689093,00.html">China</a> where state sponsorship is suspected, and industrial and governmental espionage is the motivation. Organized crime and state sponsored internet espionage rings can and do use the same techniques to explore production software for defects in a laboratory environment. 
The bad guys have the same debuggers and virtual machines and compilers and sniffers and <a href="http://www.nessus.org/" title="Nessus">Nessus</a> plugins and documentation that are available to security researchers. The main difference is that the good guys often do this kind of research on a shoestring budget in their spare time, whereas the bad guys are increasingly making a full time job of it. <br /><br />The continual flood of high profile, high damage, automated exploitation of widely known and even long-patched defects which the script kiddies generate strains the security response infrastructure (trained admin and security staff, developers, testers, etc.). The enormous workload from the thousands of new viruses, worms, trojans, adware, spyware and keystroke loggers, combined with the endless stream of <a href="http://en.wikipedia.org/wiki/Botnet" title="Wikipedia on Botnets">botnet</a> attacks, makes it more difficult for the industry to assess the real exposure to low-profile cracking that results from the industry practice of delayed (regularly scheduled) patch delivery. 
<br /><br />Microsoft, Oracle, and other vendors will be under increasing pressure to shorten their patch cycles, as the organized nature of botnet attacks becomes more apparent to their customers.<br /><br /><blockquote><em><strong><a href="http://intrinsicsecurity.com/" title="Intrinsic Security, AntiWorm">Intrinsic Security</a> provides uniquely effective AntiWorm technology which detects zero-day worms and brings botnets to a crawl. </strong></em><center><br /><a href="http://intrinsicSecurity.com"><img src="http://intrinsicSecurity.com/images/anti-worm-80x15.gif" alt="FireBreak AntiWorm: Effective detection and suppression of Zero-Day worms and botnets, no definitions required." width="80" height="15" border="0" rel="tag"></a></center></blockquote>Gary W. 
Longsinehttp://www.blogger.com/profile/05653813520423954538noreply@blogger.comtag:blogger.com,1999:blog-13178036.post-1140725959498615122006-02-23T15:15:00.000-05:002006-02-23T19:53:50.073-05:00Hacker 0x80 0wn3d by FBI (Arrested after Accidental Outing by Washington Post) [1]What can the botmaster 0x80's impending misfortune [1] teach us about information security? Quite a bit.<br /><br />What the botmaster and the reporter didn't count on is a security risk known as "the aggregation problem" or "point and click aggregation". It's not surprising, as even practicing security professionals are often unaware of this problem, or vaguely aware of the concept but not the name. Information Security dictionaries online generally lack the terms, and don't mention them in their discussion of "disclosure" either. <br /><br />The aggregation problem happens when a series of small facts, any one of which if disclosed present a minimal security risk, combine to present a greater security risk when disclosed together. When aggregated, information from publicly available sources may accidentally disclose information that was intended to remain confidential. <br /><br />As it happens, an IETF glossary contains a definition of the basic term.<br /><blockquote><br /><a href="http://www.ietf.org/rfc/rfc2828.txt" title="see "aggregation" definition">RFC 2828: Internet Security Glossary</a><br /><br />aggregation<br /> (I) A circumstance in which a collection of information items is<br /> required to be classified at a higher security level than any of<br /> the individual items that comprise it.</blockquote><br /><br />The concept was first defined in the area of classification of national security documents, an area that provides fascinating and relevant illustrative examples. (A friend has told me that there was a story about the guy that invented the concept on NPR or Air America recently. 
If any of you dear readers have a link to that story, please let me know in the comments.)<br /><br />For several decades following the end of World War II, it was believed that the knowledge required to build an atomic bomb should be protected. (This concept might seem dated now, but it was almost certainly a valuable approach for the first few decades.)<br /><br />More than once during the past half century, curious students have apparently found their research classified, when they demonstrated that the basic plan for building and assembling an atomic bomb could be derived by non-experts from publicly available information. One such story, <a href="http://www.guardian.co.uk/g2/story/0,3604,983646,00.html" title="The Guardian">The Nth Country Project</a> is detailed at the Guardian. This was an official project wherein the U.S. Army learned that indeed, a couple of competent physicists with no knowledge of atomic bombs could indeed figure out how to build one. This was decades before the internet, and it took two guys 30 months. The bar now is considerably lower. I have a recollection that a student created a plan for making a bomb within the last several years, using information gathered from the internet. We can't put the Djinni back into the bottle.<br /><br />Our hacker's [0x80's] problem with aggregation concerns disclosure of confidential information -- his identity -- that both he and the reporter desired to keep secret. Unfortunately, a series of small disclosures accumulated into an aggregation problem. Specifically, a modern, Slashdot and Google-fueled point-and-click aggregation problem. <br /><br />With direct implications for his daily freedom, 0x80's troubles began when he decided to allow himself to be interviewed by a reporter from The Washington Post. 
<a href="http://blog.washingtonpost.com/securityfix/" title="Washington Post Blogs - Brian Krebs, Security Fix">Brian Krebs</a> constructed an excellent story, <a href="http://www.washingtonpost.com/wp-dyn/content/article/2006/02/14/AR2006021401342.html" title="Washington Post">Invasion of the Computer Snatchers</a>, profiling what appears to be a typical young ne'er-do-well -- albeit one making from $6,000.00 to $10,000.00 each month by unleashing worms which spread throughout the internet, cracking into your computer to install adware and spyware. A shady network of advertising schemes (see: <a href="http://www.pcworld.com/news/article/0,aid,122495,00.asp" title="PC World">The Hidden Money Trail</a> [PC World]) funnels the money to botmasters like 0x80 when people click through the pop-up ads which appear on their computers. (Yes, some people really do buy vitamins, Viagra and whatnot off the internet from pop-up ads delivered to their PCs by botnets. Go figure.) <br /><br />Within hours a story appeared on Slashdot, a discussion forum affectionately known as "News for Nerds". The editors linked to the Washington Post story, and opened a discussion, titled <a href="http://it.slashdot.org/article.pl?sid=06/02/18/0556206" title="Slashdot discussion forum">Interview with a Botmaster</a>.<br /><br />Within minutes, discussion participants noticed that apparently minor tidbits of information could be aggregated to paint a strikingly clear portrait of the hacker. 
<br /><br />In the discussion, these facts were assembled:<br /><br /><ul><br /><li>male youth</li><br /><li>21 years old</li><br /><li>lives in small town in the midwest</li><br /><li>slightly long hair that covers his eyebrows</li><br /><li>lives with parents</li><br /><li>parents' house is a brick rambler</li><br /><li>has a small dog with matted fur</li><br /><li>speaks with accent which is mixture of southern drawl with midwestern nasality</li><br /><li>smoker</li><br /><li>tall, thin build</li><br /><li>dropped out of high school</li><br /></ul><br /><br />Then it was noticed that the retouched pictures of the obscured hacker still carried image metadata -- the plain-text information (Exif tags) that cameras embed in many photos. This information revealed the name of the photographer, the type of camera used, the time and date the picture was taken, and the fact that it was taken in Roland, Oklahoma. The pictures themselves seemed to reveal that the hacker has blond hair -- at least the hair on his arms appears blond in one photo. <br /><br />The handle, "0x80", might also be a reference to another smoking habit, as it represents "the <a href="http://www.hacker-dictionary.com/terms/high-bit" title="Hacker Dictionary">high bit</a>" (see also "<a href="http://www.hacker-dictionary.com/terms/dread-high_bit-disease" title="Hacker Dictionary">dread high-bit disease</a>"), which is probably an intentional double-entendre (i.e. perhaps he smokes marijuana as well as tobacco).<br /><br />Data aggregation led one discussion participant to post a link to a Google map. It's pretty likely that the home of 0x80's parents is within a mile of that spot. (Google appears to have since removed the detailed imagery for this location. Their map now says, "We are sorry, but we don't have imagery at this zoom level for this region. Try zooming out for a broader look.") 
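Two added examples of the mechanics behind this story, not code from Slashdot, the Washington Post or this post: `narrow` shows how a handful of the facts listed above shrinks a candidate population (the aggregation problem in RFC 2828's sense, measured as k-anonymity), and `strip_exif` removes the image metadata that gave away Roland, Oklahoma. The population is constructed so that every combination of attribute values occurs exactly once, which is the most anonymous distribution possible, and the JPEG is a constructed minimal file.

```python
import itertools
from collections import Counter

# Attribute values for a constructed population. Every combination occurs
# exactly once, which is the most "anonymous" distribution possible: a real
# population is skewed, so real facts narrow it faster than shown here.
VALUES = {
    "sex": ("male", "female"),
    "age": tuple(range(15, 81)),
    "region": ("northeast", "midwest", "south", "west"),
    "town_size": ("small", "medium", "large"),
    "lives_with_parents": (True, False),
    "smoker": (True, False),
    "build": ("tall_thin", "average", "heavy"),
    "education": ("dropout", "hs", "college"),
}

# A subset of the Slashdot facts, in the order they were assembled.
FACTS = [("sex", "male"), ("age", 21), ("region", "midwest"), ("town_size", "small"),
         ("lives_with_parents", True), ("smoker", True), ("build", "tall_thin"),
         ("education", "dropout")]


def uniform_population() -> list:
    keys = tuple(VALUES)
    return [dict(zip(keys, combo)) for combo in itertools.product(*(VALUES[k] for k in keys))]


def narrow(people: list, facts: list) -> list:
    """Apply facts one at a time and return (fact, candidates left) after each,
    so you can see which individually harmless fact does the damage."""
    counts, remaining = [], people
    for key, value in facts:
        remaining = [p for p in remaining if p[key] == value]
        counts.append((key, len(remaining)))
    return counts


def k_anonymity(people: list, quasi_identifiers) -> int:
    """Size of the smallest group sharing the same values for the chosen
    fields. k == 1 means those fields alone single someone out."""
    classes = Counter(tuple(p[q] for q in quasi_identifiers) for p in people)
    return min(classes.values())


def strip_exif(jpeg: bytes) -> bytes:
    """Drop APP1/Exif segments (camera, timestamp, GPS) from a JPEG, copying
    every other segment verbatim; stop at SOS since scan data follows."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    out, i = bytearray(jpeg[:2]), 2
    while i + 4 <= len(jpeg) and jpeg[i] == 0xFF:
        marker = jpeg[i + 1]
        if marker == 0xDA:                        # SOS
            break
        length = int.from_bytes(jpeg[i + 2:i + 4], "big")   # includes the 2 length bytes
        segment = jpeg[i:i + 2 + length]
        if not (marker == 0xE1 and segment[4:10] == b"Exif\x00\x00"):
            out += segment
        i += 2 + length
    out += jpeg[i:]
    return bytes(out)


def _segment(marker: int, payload: bytes) -> bytes:
    return b"\xff" + bytes([marker]) + (len(payload) + 2).to_bytes(2, "big") + payload


# Constructed minimal JPEG: JFIF APP0, an Exif APP1, a quantization table, SOS, EOI.
EXIF_SEGMENT = _segment(0xE1, b"Exif\x00\x00II*\x00" + b"<camera, date, GPS tags would be here>")
CONSTRUCTED_JPEG = (b"\xff\xd8" + _segment(0xE0, b"JFIF\x00\x01\x01") + EXIF_SEGMENT
                    + _segment(0xDB, b"\x00" + b"\x01" * 64)
                    + b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00" + b"\x12\x34\x56" + b"\xff\xd9")

if __name__ == "__main__":
    people = uniform_population()
    for fact, left in narrow(people, FACTS):
        print(f"{fact:>20}: {left:6d} candidates")
    print("k over all fields:", k_anonymity(people, tuple(VALUES)))
    print("exif stripped:", b"Exif" not in strip_exif(CONSTRUCTED_JPEG))
```

Even in this best case the eight facts take 57,024 candidates down to one; in a real population the midwest/small-town/dropout combination is far rarer than one in three each, so the count collapses sooner. Conversely, `k_anonymity` over a proposed set of fields tells a publisher how many can be released before someone becomes unique. Stripping Exif before publication is the cheap fix, and it does nothing about what is visible in the image itself (blond arm hair, the brick rambler).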