Smart Cards No Match for Online Spies

The U.S. government has been stepping up its use of smart cards to help lock down its computer networks, but hackers have found ways around them.

Over the past 18 months, security consultancy Mandiant has come across several cases where determined attackers were able to get onto computers or networks that required both smart cards and passwords. In a report set to be released Thursday, Mandiant calls this technique a “smart card proxy.”

The attack works in several steps. First, the criminals hack their way onto a PC. Often they’ll do this by sending a specially crafted e-mail message to someone at the network they’re trying to break into. The message will include an malicious attachment that, when opened, gives the hacker a foothold in the network.

After identifying the computers that have card readers, the bad guys install keystroke logging software on those computers to steal the password that is typically used in concert with the smart card.

Then they wait.

When the victim inserts the smart card into the hacked PC, the criminals then try to log into the server or network that requires the smart card for authentication. When the server asks for a digital token from the smart card, the bad guys simply redirect that request to the hacked system, and return it with the token and the previously stolen password.

This is similar to the techniques criminals have been using for several years now to get around the extra authentication technologies used in online banking.

Mandiant is the kind of company that businesses and government agencies call to clean up the mess after they’ve been hacked. It has done investigations at about 120 organizations overt the past year and a half. Most of them get hacked via a targeted e-mail. But in many cases, they were actually hacked years earlier, but never managed to remove the malicious software from their network, according to the report.

Companies or government agencies that assume that they are secure just because they use smart cards to authenticate, could be in for a nasty surprise some day, said Rob Lee, a director with Mandiant. “Everything is circumventable in the end,” he said.

China’s Internet Spying

Businessmen in major metropolitan hotels find their computers are penetrated.

A correspondent from Asia Sentinel wrote on January 24th, 2011, last June, at about the time of the anniversary of the Tiananmen Square massacre of 1989, several members of the internal investigation unit of a US company assembled at an international luxury chain hotel in Beijing for a conference.

The company does not want to be identified, or even to have its field of business identified more specifically. When the employees got back to their home base, they discovered that their computers had been penetrated through the hotel’s internet system. The penetration of some of the computers was so extensive that their hard disks crashed.

“They had been hacked through and through,” said a source. “It happened in the hotel through the internet connections. Whoever was on the other end had the ability to go clear into their hard disks.”
“As well as non-classified US government systems, the hackers accessed systems at the World Bank and at defense contractors such as Lockheed Martin. Defense, law enforcement and intelligence agencies in the UK, Canada, Australia and New Zealand alerted businesses to improve security procedures in light of these intrusions.”

It was unclear whether there was state involvement in these attacks, the report states. But, it continues, the US-China Economic and Security Review Commission concluded that “the depth of resources necessary to sustain the scope of computer network exploitation targeting the US and many countries around the world, coupled with the extremely focused targeting of defense engineering data, US military operational information, and China-related policy information is beyond the capabilities or profile of virtually all organized cybercriminal enterprises and is difficult at best without some type of state-sponsorship.”

The New Trend in “Malware Evolution”

Back in the days when malware was more about fun and less about profit, the talk about “Malware Evolution” was very simplistic. These discussions focused mainly on the new client side features of the malware and how it behaves on the infected machine.

Today, the malware authors are all about profit, and they are doing everything in their power to make their malware as stealthy as possible. This means trying to dodge common end-user security products (e.g., anti-virus), as well as evading security products that monitor the network traffic. For these reasons, it’s time to start using new terms when discussing “Malware Evolution”.

Rootkits are probably the most common feature in today’s “Malware Evolution.” In the case of rootkits, the malware abuses several operating system (OS) features in order to go undetected by both the OS itself and end point security solutions.

However, now that malicious code in the wild is getting updated and being controlled from remote cybercrime servers, the malware authors are also determined to remain invisible to network security products like firewalls, intrusion prevention systems (IPS), etc. which monitor network traffic.

Carberp as a case study

Let’s take the Carberp information stealing Trojan as an example. Many pundits speak of Carberp as the eventual successor to ZeuS in the realm of botnets.

In terms of network traffic, the first known version of Carberp started with a simple server side PHP script (task.php, first.php). The malware installed one plug-in (grabber.pcp) which was used to steal information. The stolen information was then sent to the Carberp drop server in clear text.

The next version of Carberp was a bit more complex. An htaccess file was used to redirect requests to specific HTML filenames (task.html, first.html) to one PHP server side script which handled all the botnet tasks. This version of the malware installed several plug-ins:
1) stopav.plug – Anti-Virus killer
2) miniav.plug – Removes other malware from the infected machine (much like the ZeuS killer feature that was introduced by SpyEye)
3) passw.plug – Information stealer
The stolen information was still sent in clear text.

Carberp evolves

Recently, Seculert Research Lab identified what seems to be a new version of Carberp. This new version includes several interesting new features:

1) Network traffic evolution: All communications with the Command & Control (C&C) server, as well as the stolen information sent to the malware drop, are encrypted using RC4. The interesting part is that the RC4 key is randomly generated and is sent as part of the HTTP request. This is the first time we have encountered such behavior. For example, other malware, such as ZeuS, only use one RC4 key which is embedded within the malware itself.
2) Anti-Virus statistics: While the new version of Carberp sends information about the running processes on the infected machine to the C&C server, as in previous versions, it now also checks which AV software is installed on the machine (see screenshot below). The following pie chart shows the distribution of different AV products which are installed on a specific botnet’s infected machines. The majority of the victims are using Kaspersky. This is probably because this botnet primarily targets people from Russia.

3) Malware name: Previous versions of Carberp didn’t seem to use this name, neither in the malware code nor in the administration panel. As you can see in the screenshot below, the name “Carberp” is mentioned in the logo of the new version’s Administration Panel. We suspect that the authors of this malware have embraced the security industry alias for this piece of malicious code.

Based on the “success” of Carberp, we expect to see other types of malware evolve similarly with respect to the way they communicate with Command & Control servers and the nature of information they collect about their victims.

It’s time that the security industry confronts this new type of “Malware Evolution” and starts to think out-of-the-box (literally) about malware detection and prevention.

Carberp Banking Malware Upgrades Itself

A piece of banking malware that researchers have been keeping an eye on is adding more sophisticated capabilities to stay hidden on victims’ PCs, according to the vendor Seculert.

Carberp, which targets computers running Microsoft’s Windows OS,was discovered last October by several security companies and noted for its ability to steal a range of data as well as disguise itself as legitimate Windows files and remove antivirus software. It has been billed as a rival to Zeus, another well-known piece of malware.

Carberp communicates with a command-and-controller (C&C) server using encrypted HTTP Web traffic. Previous versions of Carberp encrypted that traffic using RC4 encryption but always used the same encryption key.

Using the same key meant it was easier for intrusion protection systems to analyze traffic and pick out possible communication between the infected Carberp computers and the C&C servers, said Aviv Raff, CTO and co-founder of Seculert. Seculert runs a cloud-based service that alerts its customers to new malware, exploits and other cyberthreats.

A new version of Carberp is mixing it up, using a randomly different key when it makes an HTTP request, said Raff. When it uses the same key, there are some static patterns that can be detected. Even Zeus, which is begrudgingly respected for its high-quality engineering, uses the same key that is embedded in the malware.

“Most network based security solutions are using traffic signatures to detect bots trying to connect to the C&C,” Raff said. “This new feature is used to evade this type of detection and make it hard and almost impossible to create such signatures.”

Seculert has posted a writeup about Carberp.

Carberp has also expanded the scope of the victims it seeks to infect. The latest version is targeted users in Russian-speaking markets, Raff said. Previous versions targeted banks in the Netherlands and the U.S., he said.

Google and Mozilla take ‘Do Not Track’ steps

SAN FRANCISCO (AFP) – Mozilla and Google on Monday took steps toward giving people more online privacy but each said hurdles remain to creating simple “Do Not Track” buttons for Web browsing software.

Mozilla proposed adding a signal to its popular Firefox browser to let users automatically ask websites not to track their online activities.

Websites would then decide whether to grant the desire or continue to gather data for purposes such as targeting Internet advertising.

Firefox users would be able to broadcast that they want to opt out of third party, advertising-based tracking by setting browsers to transmit a “Do Not Track HTTP header” with every click or page view.

“The challenge with adding this to the header is that it requires both browsers and sites to implement it to be fully effective,” Mozilla technology and privacy officer Alex Fowler acknowledged in a blog post.

“Mozilla recognizes the chicken and egg problem and we are taking the step of proposing that this feature be considered for upcoming releases of Firefox.”

Google on Monday released extension software for its Chrome browser that lets users opt out of being tracked by a growing set of companies adopting industry privacy standards regarding online advertising.

“Keep My Opt-Outs” lets people opt out of having snippets of code referred to as “cookies” installed on their computers to track online behavior for the purpose of targeting ads.

“Keep in mind that once you install the Keep My Opt-Outs extension, your experience of online ads may change,” Google product managers Sean Harvey and Rajas Moonka said in a blog post.

“You may see the same ads repeatedly on particular websites, or see ads that are less relevant to you.”

The top 15 largest US ad networks are among the more than 50 companies involved in the opt-out program. Google is among the firms that also provide an option for people to specify what types of ads they are most interested in.

“Importantly, we’ve designed the extension so that it should not otherwise interfere with your Web browsing experience or website functionality,” Harvey and Moonka said.

“This new feature gives you significant control without compromising the revenue that fuels the Web content that we all consume every day.”

California-based Google said it is working to make the feature available to Web browsers other than Chrome.

Microsoft plans to increase privacy options in the upcoming version of its popular Web browser Internet Explorer 9 (IE9), including the ability to prevent tracking by third-party websites.

The US software giant said that the new feature, “Tracking Protection,” is designed to “help consumers be in control of potential online tracking as they move around the Web.”

The tool will be built into a test version of IE9 being released this year.

IE9 users will have to be savvy enough to create lists of third-party websites that they do not want to track their behavior.

Talk of Web browser privacy enhancements comes amid moves in Washington to create “Do Not Track” mechanisms in browsers to stop online services from collecting Web surfing or ad-targeting data.

Internet Explorer is the most widely used Web browser in the United States followed by Mozilla’s Firefox,Google’s Chrome and Apple’s Safari.

“Technology that supports something like a ‘Do Not Track’ button is needed,” Mozilla chief executive Gary Kovacs told AFP during a recent visit to Mozilla’s headquarters in Mountain View, California. “The user needs to be in control.”

Firefox debuted in 2004 as an innovative, communally crafted open-source browser released as an option to Internet Explorer.

OpenDNS: Facebook was most-blocked site in 2010

According to a new report (PDF) from DNS and online security service provider OpenDNS, social networking site Facebook was the most-blocked site during 2010. In this context, blocking means that OpenDNS customers specifically configured their DNS and security services to prevent their users from connecting, presumably out of security concerns, to prevent people from wasting time at work, or using company or organizational resources inappropriately. However, Facebook ranked highly on another list: it was the second most commonlywhitelisted site, meaning sites that were specifically granted exemptions from other security or blocking rules.

“Overall, 2010 was all about social, and this trend is reflected in the data we’re seeing,” said OpenDNS founder and CEO David Ulevitch, in a statement. “Facebook is both one of the most blocked and the most allowed Web sites, reflecting the push/pull of allowing social sites in schools and the workplace.”

OpenDNS found the top five most commonly blacklisted sites for 2010 were Facebook, MySpace, YouTube, Doubleclick (an advertising network now owned by Google), and Twitter. Other commonly-blocked sites included other ad networks and adult-oriented sites. However, the top five whitelisted sites included a few of the same times—YouTube and Facebook, followed by Gmail, Google, and Google’s translation service.

Overall, Facebook was blocked by 14.2 percent of networks using OpenDNS, and specifically whitelisted by 12.7 percent. However, amongst OpenDNS’s business users the proportions changed: a full 23 percent blocked Facebook.

OpenDNS also broke down Web content filtering into broad categories, finding that during 2010 Web sites classified as pornographic were blocked by 85 percent of users, followed by sites with “sexuality” (80.1 percent) and “tasteless” content (77.3 percent). Proxies and anonymizing sites were also blocked by 76.2 percent of users, meaning the organizations are attempting to prevent their users from circumventing Web content filtering.

OpenDNS also found that the United States hosts more phishing sites than any other country—by a significant margin. According to OpenDNS, some 53.8 percent of phishing Web sites were on systems hosted in the United States, with Germany coming in a distant second with 6.3 percent.

Cloud printing on the go

Back in April 2010 google  announced Google Cloud Print, a service that in Beta allows printing from any app on any device, OS or browser without the need to install any software. Just last month we opened Google Cloud Print to users in the Chrome notebook pilot program. Today we are very pleased to announce the beta launch of Google Cloud Print for mobile documents and Gmail for mobile, which we will be rolling out to users throughout the next few days.

Imagine printing an important document from your smartphone on the way to work and finding the printout waiting for you when you walk in the door. Just open a document in Google Docs or an email in Gmail in your mobile browser and choose “Print” from the dropdown menu in the top right corner. You can also print certain kinds of email attachments (such as .pdf or .doc) by clicking the “Print” link that appears next to them.

This feature will be rolling out today and tomorrow for English speaking users in the US and will work on most phones that support HTML5, such as devices running Android 2.1+ and iOS 3+. To get started, you’ll need to connect your printer to Google Cloud Print. This step requires a Windows PC for now, but Linux and Mac support are coming soon. You can learn more at the Google Cloud Print help center.

Happy printing!

(Cross-posted on the Docs Blog and Gmail Blog.)

What is Forefront: Microsoft Security Solutions

Forefront is a family (suite) of products that are all focused on security.  Together they offer a very comprehensive security solution protecting applications, systems, networks and other assets.  Individually they all have there own function and there is some overlap between some of the products that make up the family.  Because of the overlap, understanding what you need to solve a particular business need is sometimes not clear.  Over the course of the year, I will do my best to help you understand the Microsoft security story and in particular what products you might need to solve business problems.  If you are interested in security in any way, you should at least understand that the Microsoft offering exists and what it can provide you.  In this post, I will give you a brief introduction to the products and in subsequent posts, I will drill down into the products to show you how to solve different security challenges.  These challenges include viruses, malware, remote connectivity, protecting against hackers and even protecting your network from your own users.

Forefront Endpoint Protection

Let’s start the conversation with Forefront Endpoint Protection 2010 which is the NEXT desktop security solution from Microsoft.  It offers complete protection against viruses, trojans, and other types of malware. Instead of talking in terms of different types of malware (viruses, trojans, keyloggers, etc.) Microsoft refers to all of these as simply malware.  Malware is short for Malicious Software so all of these threats certainly qualify. The next release of Forefront Endpoint Protection {2010} is now in beta.  If you want to kick the tires, download Forefront Endpoint Protection 2010 beta.  As is the case with other malware protection packages you have the capability to run or schedule scans, update definitions view quarantine, etc.  Updates are usually configured to be delivered automatically.

There are many advantages to using Microsoft’s technology over other security clients.  Among them is the manageability of the product through group policy, the familiar management interface and integration with the System Center family of products.  What is likely even more interesting to many of my readers and subscribers is the cost.  Especially, for those that already have eCAL licenses deployed.  The Forefront Endpoint Protection client license is included with eCAL so the only cost (if you own eCAL) will be the time it take to implement the solution.  You might also want to investigate Intune as an online offering that includes endpoint protection.

System Requirements:

The server components of Forefront Endpoint Protection are installed on System Center Configuration Manager to leverage software distribution, management, etc.  You can install the server components on Windows Server 2003 SP2 or later.  The client will run on Windows XP SP3 or later (including Vista or Windows 7) or Windows Server 2003 SP2 and later (x64 and x86)

Learning more about The Forefront family of products

This would be a very, very long post if I supplied detail for all of the forefront applications.  Instead of doing that, I will give you a quick blurb on each of the products and provide links so you can get additional information. I hope to put video’s out for all or most of the Forefront family of products.  For now, you can get hands on labs, download the evals/beta’s or look on the product home page’s.

Microsoft Assessment and Planning Toolkit New release V5.5

Microsoft recently released the next version of MAP Toolkit and it has following new features

• Windows Azure Platform assessment for easier migration the cloud
• Heterogeneous database discovery for accelerated migration to SQL Server
• Microsoft Internet Explorer migration assessment for migration to Windows 7 compatible versions
• Enhanced server consolidation capabilities help save time and effort when creating virtualization assessments and proposals

If you have not heard about MAP Toolkit before, it has also following assessment capabilities apart from what is mentioned above

• Migration to Windows 7, Windows Server 2008 R2, and Microsoft Office 2010
• Migration to Windows 7 compatible versions of Internet Explorer
• Migration to cloud-based services
• Server virtualization with Hyper-V
• SQL Server consolidation and migration to SQL Server 2008 R2
• Assessment of current software usage and client access history for simplified software asset management
• PC security assessment and migration to Microsoft Forefront Client Security

For more information please visit

http://technet.microsoft.com/en-us/library/bb977556.aspx

Download Microsoft Assessment and Planning Toolkit

http://go.microsoft.com/fwlink/?LinkId=158988

Download Software Usage tracker Guide for MAP

http://go.microsoft.com/fwlink/?LinkId=195445

Training kit for MAP

http://go.microsoft.com/fwlink/?LinkID=196614

source – Microsoft Technet – Solution Accelerators

On Facebook military espionage and data theft.

BERNA – According to the Swiss institutions, in the first half of 2010 has been a significant increase in worldwide cases of espionage and theft of computer data.

MELANI Semi-annual report 2010/1:

Targeted attacks.
In the semi-annual report published today, Reporting and Analysis Centre for Information Assurance MELANI, lets go to statements of concern, “the largest firms in the ICT sector such as Google and Adobe have been the target of targeted cyber-attacks, assuming they leave clues In these cases, a common infrastructure is used, […] it is very likely that these attacks have been hiding behind the same hand. ” A detailed report explaining the reasons.

For the Central, behind the unauthorized acquisition of data “lie purely financial reasons or criminal interests but also the intelligence of the state”, something that the press does not hesitate to describe as “a threat mainly to businesses and public services.”
It is unclear, however, that virtually all so-called cyber attacks that come to fruition, can cause the lack of competence of the operators websites – including the corporate or government – or little attention to the users.
Even a rough culture of cybersecurity, as well as a less naive or hasty technologies by users, nipped in the bud a huge number of violations.

Facebook.
In this regard, MELANI cites the frequent cases of military intelligence that passes without any forcing through Facebook: unsuspecting military mission publish confidential information about positions, locations, and so on, often not even take care to set the minimum countermeasures for the protection of privacy the site provides. Transmitting highly confidential data that, at best, or when not fall into the hands of criminals, they become the property of a private company: Facebook.

But on the popular social networks are also many other confidential data available from industry data, economic, to those on their personal relationships. Data, as mentioned, when intercepted by non-indicated, however, end up legally in the hands of American society and its smoky management policies.

Countermeasures. In addition to a culture of personal security, the best way to avoid risks, to counter the increase in data theft via Internet and email from 2010 where there is suspicion that a Swiss internet address (. Ch) is used to steal private data or to spread malicious software, can and should be blocked.
From June 15, 2010, in fact, the Central MELANI is authorized by the Federal Communications to request the block at the registry of domains (SWITCH).
According to the data in June and August 2010 of 237,000 Swiss examined 145 web pages were infected.

Source: Reporting and Analysis Centre for Information Assurance MELANI