Jan 02

No, this is NOT HP's latest printer...

So, remember a few weeks back, when the tech press got really silly, warning us that hackers could set our HP printers on fire remotely?  Well, it turns out that there was a security story about HP printers, but the press really missed the boat on what was actually important.  At the 28th Chaos Communications Congress (held in Berlin last week), the Columbia University researchers whose work was totally misconstrued by the press presented their work.  No, hackers cannot set your printer on fire – but they can install malware on hundreds of millions of HP printers shipped since 2005, either by connecting to the printer and replacing its normal firmware with evil firmware or by getting one of your users to print out a specially crafted document which also carries their nefarious code.  Once this hack is done, your printer becomes a silent (but deadly) bridgehead into your network.

UPDATE:  Here’s a list of all of the printers affected by this vulnerability.

The researchers had two demos.  In the first, they caused the infected printer to silently send a copy of every document it printed to an attacker’s printer out on the Internet.  In the second, the infected printer scanned the internal network for systems vulnerable to a Windows XP exploit and then acted as a relay, letting the attacker control them from outside the firewall.  This was pretty scary stuff… let’s say I send a crafted document purporting to contain a 50% off coupon for a local restaurant to your users… how many times (and on how many printers) would this get printed?

This hack is made possible by the fact that some HP printers accept firmware updates without any authentication or digital signature check, over the same channel that carries ordinary print jobs, and that all of the code within the printer runs as a superuser.  It also points out the need for anti-malware protections for embedded devices like printers, routers and the like.  The guys at Columbia are working on a project to do this.

As an aside, these same researchers scanned the Internet for accessible HP printers – they found over 75,000 of them, located at private companies, governments, educational institutions and in other places.  Infecting just a small percentage of these systems would provide someone with a very stealthy botnet that would be extremely difficult to remove.  The researchers feel that it may be possible for attackers to install their code permanently, so that the only ways to get rid of the infection would be replacing (soldered-on, surface mount) hardware components or trashing the printer altogether.

So… what to do?

First, update your HP printers’ firmware to the latest (December 2011 or later) version, which can be found over on the HP support website.  The new firmware requires subsequent firmware updates to be digitally signed by HP.

Next, make sure that your printers cannot be accessed from the Internet.  For most of my readers, I don’t think this will be an issue, but you never know… scan your Internet-facing IPs for port 9100, which is used to submit print jobs and firmware updates to HP printers.
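Here is what that scan can look like in practice, as an added example that is not part of the original post: rather than just noting that 9100/tcp is open, it sends the PJL "@PJL INFO ID" query (the same job language a print job or firmware update arrives in) and records what the listener calls itself. It assumes the target answers INFO ID with a quoted model name, as HP LaserJets do; the FakePrinter class is a constructed stand-in so the scan can be exercised offline.

```python
"""Find hosts that answer on 9100/tcp and ask them to identify themselves via PJL.

Added example, not part of the original post.  It assumes the listener speaks
PJL (HP JetDirect raw printing) and answers "@PJL INFO ID" with a quoted model
name, which is how HP LaserJets behave; the FakePrinter below is a constructed
stand-in so the scan can be exercised offline.
"""
import socket
import threading

UEL = b"\x1b%-12345X"                         # Universal Exit Language: switch the printer to PJL
PJL_INFO_ID = UEL + b"@PJL INFO ID\r\n" + UEL  # "who are you?" query


def parse_info_id(raw):
    """Return the quoted model name from a PJL INFO ID reply, or None."""
    lines = [ln.strip() for ln in raw.decode("latin-1", "replace").splitlines()]
    for i, line in enumerate(lines):
        if line.upper().startswith("@PJL INFO ID") and i + 1 < len(lines):
            return lines[i + 1].strip('"\x0c ')
    return None


def probe_printer(host, port=9100, timeout=3.0):
    """Connect, send the PJL query, and report whether the port is open and what answered."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(PJL_INFO_ID)
            chunks = []
            try:
                while True:
                    chunk = sock.recv(1024)
                    if not chunk:
                        break
                    chunks.append(chunk)
                    if b"\x0c" in chunk:      # form feed terminates a PJL reply
                        break
            except socket.timeout:
                pass                          # open port that never answered: still worth noting
            raw = b"".join(chunks)
    except OSError:                           # refused, unreachable, or connect timeout
        return {"host": host, "port": port, "open": False, "model": None}
    return {"host": host, "port": port, "open": True, "model": parse_info_id(raw)}


def scan(hosts, port=9100, timeout=3.0):
    """Probe every host and keep only the ones with 9100/tcp open."""
    return [r for r in (probe_printer(h, port, timeout) for h in hosts) if r["open"]]


class FakePrinter(threading.Thread):
    """Constructed stand-in for a JetDirect listener; answers one INFO ID query."""

    def __init__(self, model="HP LaserJet 4250"):
        super().__init__(daemon=True)
        self.model = model
        self.srv = socket.socket()
        self.srv.bind(("127.0.0.1", 0))       # ephemeral port, see self.port
        self.srv.listen(1)
        self.port = self.srv.getsockname()[1]

    def run(self):
        conn, _ = self.srv.accept()
        with conn:
            conn.recv(1024)
            conn.sendall(b'@PJL INFO ID\r\n"' + self.model.encode() + b'"\r\n\x0c')
        self.srv.close()


if __name__ == "__main__":
    fake = FakePrinter()
    fake.start()
    # In practice the host list is your Internet-facing address space; here it is the fake.
    for hit in scan(["127.0.0.1"], port=fake.port):
        print(f"{hit['host']}:{hit['port']} open, identifies as {hit['model']!r}")
```

An open 9100 that answers INFO ID from outside your perimeter is exactly the exposure the researchers were counting when they found those 75,000 printers; an open port that stays silent is still worth a look, since anything accepting raw print data there will also accept whatever PJL sends it.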

Third, limit where your printers can send traffic to… is there any good reason to allow a printer outbound access to the Internet?  Not that I can think of.  Putting printers on an isolated VLAN which can ONLY talk to the print server limits the damage that can be done using this attack.  Of course you really need to make sure that your print servers are patched and properly isolated as well – and when was the last time you took a look at your print servers?

We’ve all got some work to do, people, but more importantly, we need to look at embedded systems like printers, routers, access points, and the like in a new way – as potential malware targets with the computing power to take down our networks and no antivirus protection.  I can just about guarantee that the bad guys will be researching this in 2012 – it is just too juicy a target to ignore.

If you are a security pro or are responsible for printers in your organization, I’d recommend spending an hour watching the video of this presentation to get the full story.


Happy New Year, all.

Dec 26

So, you just found a USB thumb drive that someone left behind on a bus/train/taxi/spaceship… read this article BEFORE you plug it into your computer… and, come to think of it, before you use a thumb drive to store anything remotely important or private.

Oct 11

Heeeeeere's malware!

The latest edition of Microsoft’s Security Intelligence Report provides some interesting analysis as to how computers get infected with malware. Microsoft’s dataset is pretty large, comprising some 600 million computers equipped with Microsoft’s Malicious Software Removal Tool (MSRT) which reports details of malware infections back to the mother ship in Redmond. The numbers hold some important lessons for security professionals.

Don’t get your knickers in a twist about zero day exploits. While the press loves a good zero day story, only 0.12% of the infections seen by Microsoft used unpatched vulnerabilities. Zero day vulnerabilities are valuable commodities which attackers will not waste on run of the mill cyberattacks. Don’t center your anti-malware program on the latest zero day vulnerability of the week.

Vulnerabilities are sooo last year – your users are the weakest link.  Only about 6% of malware infections seen by Microsoft were the result of vulnerability exploitation.  In contrast, almost half of all malware infections in the study required the user to take an action (clicking a link, running a program, opening an attachment, etc.) in order for the infection to be successful.   In most cases, no vulnerability was used – the user simply gave the malware permission to run.  Spending some time and effort edumacating your users to be skeptical and think before they click that link or open that attachment has the potential to significantly reduce your malware attack surface.

You still need to keep software up to date.  Testing and installing patches from Microsoft and other vendors will protect your systems from the roughly 6% of attacks which use exploits to worm their way in (get it?) to your systems.  This is a small portion of the malware threat, but once you get patching and updating to be part of your normal automated business processes, it is a low touch, low cost addition to your malware defenses.

Filtering and monitoring your outbound web traffic is a must – if malware is unable to download code, connect to command and control servers or exfiltrate data, the threat it poses is greatly reduced.  Keep your filter lists up to date with the latest known malware URLs – the subscription fees are a small price to pay for preventing access to the malweb in the first place.

Monitoring your network traffic, proxy logs, and changes to the services running on your hosts for strange patterns can pay off big time.  Since we can’t count on signatures to find every type of malware you may encounter, look for strange behavior for the early warning signs.
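The two previous points, blocklisting known-bad destinations and watching for strange behaviour that no signature covers, can be run side by side over the same proxy log. The following is an added example, not from the original post or from Microsoft's report: the log format (epoch seconds, client IP, destination host, HTTP status, bytes) is a constructed simplification of a proxy access log, BLOCKLIST stands in for a subscription feed, and the sample lines are made up. The behavioural check looks for request gaps that are too regular to be a human, which is how a bot on a timer gives itself away even when its domain is on nobody's list yet.

```python
"""Two behaviour checks over outbound proxy logs: known-bad destinations and
metronome-like beaconing that no blocklist has caught yet.

Added example, not from the original post or from Microsoft's report.  The log
format (epoch seconds, client IP, destination host, HTTP status, bytes) is a
constructed simplification of a proxy access log, and BLOCKLIST stands in for
a subscription feed; the sample lines are made up for the demonstration.
"""
from collections import defaultdict
from statistics import mean, pstdev

BLOCKLIST = {"update-checker.example", "cdn-stats.example"}   # constructed feed entries

LOG_LINES = """\
1318262400 10.1.1.9 c2-relay.example 200 301
1318262410 10.1.1.5 www.example.com 200 5120
1318262500 10.1.1.5 news.example.net 200 22000
1318262700 10.1.1.7 update-checker.example 200 312
1318263000 10.1.1.9 c2-relay.example 200 305
1318263100 10.1.1.5 news.example.net 200 21500
1318263603 10.1.1.9 c2-relay.example 200 318
1318264201 10.1.1.9 c2-relay.example 200 299
1318264802 10.1.1.9 c2-relay.example 200 310
1318265000 10.1.1.5 news.example.net 200 23000
1318265401 10.1.1.9 c2-relay.example 200 303
1318265900 10.1.1.5 news.example.net 200 19000
1318266100 10.1.1.5 news.example.net 200 21000
"""


def parse_log(text):
    """Turn log lines into (timestamp, client, host, status, bytes) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, host, status, nbytes = line.split()
        events.append((int(ts), client, host.lower(), int(status), int(nbytes)))
    return events


def blocklist_hits(events, blocklist=BLOCKLIST):
    """Signature check: which (client, host) pairs touched a known-bad destination."""
    return sorted({(c, h) for _, c, h, _, _ in events if h in blocklist})


def beacon_candidates(events, min_requests=5, max_jitter=0.15):
    """Behaviour check: (client, host) pairs whose request gaps are suspiciously regular.

    Human browsing produces bursty, irregular gaps; a bot checking in on a timer
    produces gaps whose standard deviation is a small fraction of their mean.
    """
    stamps_by_pair = defaultdict(list)
    for ts, client, host, _, _ in events:
        stamps_by_pair[(client, host)].append(ts)

    flagged = []
    for (client, host), stamps in stamps_by_pair.items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        gaps = [later - earlier for earlier, later in zip(stamps, stamps[1:])]
        period = mean(gaps)
        if period <= 0:
            continue
        jitter = pstdev(gaps) / period      # coefficient of variation of the gaps
        if jitter <= max_jitter:
            flagged.append({"client": client, "host": host, "requests": len(stamps),
                            "period_s": round(period), "jitter": round(jitter, 3)})
    return flagged


if __name__ == "__main__":
    events = parse_log(LOG_LINES)
    for client, host in blocklist_hits(events):
        print(f"blocklist hit: {client} -> {host}")
    for b in beacon_candidates(events):
        print(f"beacon? {b['client']} -> {b['host']} every ~{b['period_s']}s "
              f"({b['requests']} requests, jitter {b['jitter']})")
```

In the sample, the single hit on update-checker.example is caught by the feed, while 10.1.1.9 talking to a domain nobody has listed is caught only because it checks in every ten minutes almost to the second; the news site with its irregular visits is left alone. Tune min_requests and max_jitter against your own baseline before trusting the output, and remember that a bot which randomises its sleep interval will push jitter up, so this catches the lazy ones first.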

I found Microsoft’s analysis of the malware problem to be pretty interesting and I am looking forward to reviewing the rest of the Security Intelligence Report for nuggets of wisdom – I’ll post more soon!

Oct 03

According to a study published by Danish security vendor CSIS

When a Microsoft Windows machine gets infected by viruses/malware it does so mainly because users forget to update the Java JRE, Adobe Reader/Acrobat and Adobe Flash

Most users (and many IT folks) don’t really think too much about these “helper” programs, even though they are installed on almost all workstations in our environments.  This makes sense, as users almost never run these programs knowingly – they get executed in the background when web pages are visited or documents are viewed.   Users do get reminders when new updates are available, but how often do your users take the time to let the updates install and reboot their systems?  Rolling these updates out is a pain in the nether regions, but the payoff (protection against 80% plus of the most commonly used attack vectors) is high.  Buy your IT guys and gals a beer and get this terrible trio on your periodic update schedule.  And remember to let users know when they need to update their personal systems…
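Getting the trio onto a schedule starts with knowing which hosts are behind. The following is an added example, not from the original post or from CSIS: it audits a constructed CSV inventory (host, product, installed version) against a constructed baseline of minimum acceptable versions. The detail worth noticing is the version comparison, since Java's update number sits behind an underscore and a naive string compare ranks 1.6.0_3 above 1.6.0_29.

```python
"""Audit a software inventory for out-of-date Java, Adobe Reader and Flash.

Added example, not from the original post or from CSIS.  The CSV inventory
(host, product, installed version) and the BASELINE of minimum acceptable
versions are constructed; feed it an export from your own inventory tool and
this quarter's vendor release numbers.
"""
import re

BASELINE = {                      # constructed minimums, not the vendors' current releases
    "Java": "1.6.0_29",
    "Adobe Reader": "10.1.1",
    "Adobe Flash": "11.0.1.152",
}

INVENTORY = """\
ws-001,Java,1.6.0_26
ws-001,Adobe Reader,10.1.1
ws-002,Java,1.6.0_3
ws-002,Adobe Flash,10.3.183.10
ws-003,Java,1.7.0_01
ws-003,Adobe Reader,9.4.6
ws-003,Adobe Flash,11.0.1.152
"""


def parse_version(text):
    """Split '1.6.0_29' or '11.0.1.152' into a tuple of ints.

    Java's update number sits behind an underscore, so a plain string compare
    would rank '1.6.0_3' above '1.6.0_29'; numeric fields fix that.
    """
    return tuple(int(part) for part in re.findall(r"\d+", text))


def is_outdated(installed, required):
    """True when the installed version is numerically below the baseline."""
    a, b = parse_version(installed), parse_version(required)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))       # pad so '10.1' and '10.1.0' compare equal
    b += (0,) * (width - len(b))
    return a < b


def outdated_hosts(inventory_text, baseline=BASELINE):
    """Return (host, product, installed, required) for every entry below baseline."""
    findings = []
    for line in inventory_text.splitlines():
        if not line.strip():
            continue
        host, product, installed = (field.strip() for field in line.split(","))
        required = baseline.get(product)
        if required is not None and is_outdated(installed, required):
            findings.append((host, product, installed, required))
    return findings


if __name__ == "__main__":
    for host, product, installed, required in outdated_hosts(INVENTORY):
        print(f"{host}: {product} {installed} is below {required}")
```

Run it after every patch cycle and the list of stragglers is what goes to the IT guys and gals along with the beer.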

Jul 01

Interesting analysis of yet another botnet

The malware detected by Kaspersky Anti-Virus as TDSS is the most sophisticated threat today. TDSS uses a range of methods to evade signature, heuristic, and proactive detection, and uses encryption to facilitate communication between its bots and the botnet command and control center. TDSS also has a powerful rootkit component, which allows it to conceal the presence of any other types of malware in the system.

More evidence of the increasing sophistication of malware…

Jul 01

It’s not often that I disagree with Bruce Schneier, one of the leading lights of the security world… however, I do have a teensy weensy bone to pick with him regarding one of his recent blog postings.  A recent test conducted by the Department of Homeland Security on its employees found (to no one’s surprise) that people are prone to pick up unidentified USB drives and pop them into their computers with abandon, providing nefarious personages the ability to infect their systems with malware.  Schneier took issue with the following quote from a security expert regarding the study:

Mark Rasch, director of network security and privacy consulting for Falls Church, Virginia-based Computer Sciences Corp., told Bloomberg: “There’s no device known to mankind that will prevent people from being idiots.”

In Schneier’s view, the idiocy really rests with operating system manufacturers who allow their products to access untrusted USB devices without providing the user any protection, and that users are simply doing the best that they can under the circumstances.  This is where I disagree.

While OS manufacturers should be doing a better job of securing their products against unknown USB devices, in the current situation users need to exercise extreme caution in what they stick into their computers’ USB ports.  Until we have better tools to mitigate this risk, users have to play an active role in protecting themselves and their organizations from USB borne threats.  There has been a lot of news coverage (and at least at my organization, security awareness training) to let people know about the risks of USB devices of uncertain provenance.  I happen to think that the people in my organization are smart (and good looking) enough to remember a few very basic security messages and behaviors needed to protect our systems and networks:

  • Don’t open links or files from strangers
  • Don’t open unexpected/strange links or files (that seem to be) from friends
  • Don’t take USB candy from strangers

Yes, I know that application of these rules will not provide 100% protection from malware, but following them will definitely mitigate the risks involved, which is really the best we can hope for at this time.

So, Bruce, you are still my hero, but I think we need to hold our colleagues to a slightly higher standard in terms of their role in protecting our computers and networks.

Oh, and as for Mr. Rasch’s “idiot” comment, I think he was a bit rough on users in terms of his choice of language.  I would have said “boneheaded” or “Homer Simpson-like” instead.  This is why I am beloved at my workplace.

Jun 20

mail's here!

Lourdian Mosuela over at CommTouch Cafe had an interesting post about some foreign exchange themed malware today.  The unsuspecting target receives what looks like a misdirected document that appears to be plans for some foreign exchange stat-arb trading in July.  Of course, opening the file installs malware, and does not reveal any secret plans.  The interesting thing here is that the attacker has taken some time to get to know their audience and has thus made the message more attractive.   This may have been an attack targeted against a foreign exchange firm, or against financial professionals and would probably be much more effective than the standard “I am a Nigerian prince and have I got a deal for you!” message.  The malware arms race continues.

May 25

…at least according to this interesting blog post from OpenDNS’ Allison Rhodes.   It makes sense to me… in the AM, we are all going through our emails, getting ready for the day to come and in a hurry to get caught up with the latest news.  I saw this post as a result of being on OpenDNS’ site from here at the Agahozo Shalom Youth Village, where we are using OpenDNS to provide web filtering to keep the students away from some of the, um, racier sites on the Net.  OpenDNS seems to be a really good, easy to use solution for web filtering in the cloud.  If you have young web surfers at home, you might want to check it out.

May 14

What's the worst that could happen?

Spear phishing has been in the news quite a bit lately – it seems like just about all of the recent high profile hacks began with someone clicking on a link or opening a document.  Here’s a data point which seems to corroborate the innate sense of trust that leads people to do really stupid things. According to an entry in Bruce Schneier’s blog… in Istanbul, police dressed up as doctors, knocking on doors unannounced, were able to persuade 86% of subjects to take a pill.  And this is after a rash of crimes in which people who are not police did the same thing, using powerful sedatives to disable victims and ransack their homes.  My belief in knowledge of human psychology as the most powerful hacking tool remains strong.  Or maybe there is something in the water in Istanbul…

May 02

Cloud storage provider DropBox provides a great example of some of the security issues that individuals and companies face when entrusting sensitive data to the cloud.  Over the past few weeks,  DropBox has made the news twice regarding its security and we all know that making the news is generally not a good thing when it comes to security.

Dropbox’s first issue came up in early April, when a security researcher named Derek Newton discovered a significant weakness in the service’s authentication mechanism.  One of the primary benefits of DropBox is that it allows the user to set up synchronized file systems across multiple devices.   When files are added to, modified on or deleted from any DropBox enabled computer, iPhone, iPad or other device, the changes are automatically replicated to all of the other devices associated with the user’s account.  This is a really useful feature for many people.  In order for this file synchronization to work properly, you need to install a piece of software on each device used to access your account.  Newton found that the Windows DropBox client stores the information needed to access the DropBox server in a configuration file which contains a “host ID” used to authenticate to DropBox.  Simply by copying this file to another computer with the DropBox software installed on it, an attacker would have full read/write access to the files in the DropBox account.

This opens up a whole range of possibilities for attackers.  For instance, it would be possible to write malware which specifically looks for the DropBox configuration file and sends it back to the attacker.  Once an attacker has the configuration file, they would have continued access to the compromised DropBox account even after the malware was removed from the user’s computer.  The user would have to remove their own computer from the list of devices allowed to access their DropBox account and reinstall the software to close the door on the attacker.

As of today, the vulnerability still exists… DropBox plans to roll out a software update which would make the configuration file useless on a second machine, but has not provided a timeline for remediation.  I would recommend not using DropBox until such a fix is made.
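To make concrete what "useless on a second machine" has to mean, here is an added example that is not Dropbox's code or protocol. It models a sync client's stored credential two ways: as the static host ID described above, where whoever holds the file is the device, and as a key that is bound to the machine it was issued to and only ever used to answer a one-time challenge. SyncServer, the linking step, the challenge-response and the machine fingerprint wrapping are all constructed; a real client would hand the wrapping job to the OS key store (DPAPI, Keychain) rather than derive a pad from hardware identifiers.

```python
"""A sync-client credential as a copyable bearer token versus one bound to the
machine it was issued to.

Added example, not Dropbox's code or protocol.  SyncServer, the linking step,
the challenge-response and the "machine fingerprint" wrapping are constructed
to model the weakness described above and one way of closing it.
"""
import hashlib
import hmac
import secrets


def sign(device_key, nonce):
    """Proof of possession: HMAC over the server's nonce with the device key."""
    return hmac.new(device_key, nonce, hashlib.sha256).digest()


class SyncServer:
    def __init__(self):
        self.bearer_hosts = {}   # host_id -> account   (weak scheme)
        self.bound_hosts = {}    # host_id -> (account, device_key)   (hardened scheme)
        self.open_nonces = set()

    # Weak scheme: the host_id in the config file *is* the credential.
    def link_bearer(self, account):
        host_id = secrets.token_hex(16)
        self.bearer_hosts[host_id] = account
        return host_id

    def auth_bearer(self, host_id):
        return self.bearer_hosts.get(host_id)

    # Hardened scheme: the device proves it holds a key that is never sent again.
    def link_bound(self, account):
        host_id = secrets.token_hex(16)
        device_key = secrets.token_bytes(32)
        self.bound_hosts[host_id] = (account, device_key)
        return host_id, device_key

    def challenge(self):
        nonce = secrets.token_bytes(16)
        self.open_nonces.add(nonce)
        return nonce

    def auth_bound(self, host_id, nonce, proof):
        if nonce not in self.open_nonces:
            return None                              # unknown or already used: replay fails
        self.open_nonces.discard(nonce)
        entry = self.bound_hosts.get(host_id)
        if entry is None:
            return None
        account, device_key = entry
        return account if hmac.compare_digest(sign(device_key, nonce), proof) else None

    def unlink(self, host_id):
        """The recovery step for a stolen credential: drop the device server-side."""
        self.bearer_hosts.pop(host_id, None)
        self.bound_hosts.pop(host_id, None)


def machine_wrap(device_key, fingerprint):
    """XOR the 32-byte device key with a pad derived from a machine fingerprint.

    Constructed stand-in for OS-provided key protection: the same call unwraps,
    but only on a machine that produces the same fingerprint.
    """
    pad = hashlib.sha256(b"sync-client-wrap:" + fingerprint).digest()
    return bytes(k ^ p for k, p in zip(device_key, pad))


def make_config(server, account, fingerprint):
    """What the client writes to disk after linking under the hardened scheme."""
    host_id, device_key = server.link_bound(account)
    return {"host_id": host_id, "wrapped_key": machine_wrap(device_key, fingerprint)}


def authenticate_from_config(server, config, fingerprint):
    """Client side of the challenge-response; returns the account or None."""
    device_key = machine_wrap(config["wrapped_key"], fingerprint)   # wrong machine -> wrong key
    nonce = server.challenge()
    return server.auth_bound(config["host_id"], nonce, sign(device_key, nonce))


def demo():
    server = SyncServer()
    victim_fp = b"dmi-uuid:1111-2222|mac:00:11:22:33:44:55"     # constructed identifiers
    attacker_fp = b"dmi-uuid:9999-8888|mac:66:77:88:99:aa:bb"

    # Weak: copying the config file is as good as owning the machine.
    stolen_host_id = server.link_bearer("alice")
    via_copied_file = server.auth_bearer(stolen_host_id)

    # Hardened: the same file copied to another machine no longer works.
    config = make_config(server, "alice", victim_fp)
    on_victim = authenticate_from_config(server, config, victim_fp)
    on_attacker = authenticate_from_config(server, config, attacker_fp)
    return via_copied_file, on_victim, on_attacker


if __name__ == "__main__":
    print(demo())
```

Two caveats the model makes visible: the single-use nonce is what stops a captured proof from being replayed, and binding to the machine only raises the bar, since malware running on the victim's box can still unwrap the key there. Unlinking the device from the account remains the recovery step in both schemes, which is why the "remove the computer and reinstall" advice above still applies.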

DropBox also made the news for a change in their terms of service.  The original terms of service assured users that since their files were stored in encrypted form on the DropBox servers, DropBox employees could not peek into their data.  Well, it turns out that this is not exactly the case.  A “limited number” of DropBox employees do, in fact, have the ability to decrypt user files in order to comply with law enforcement requests for data in connection with an investigation.  Now, I understand that DropBox wants to be a good corporate citizen, but there is a significant distinction between “our employees can’t read your data” and “only some of our employees can read your data.”  I applaud DropBox for making their terms of service clearer (and more accurate), but this incident (and the reaction from DropBox users) is an example of one of the major problems facing users and organizations when they make the decision to move their data to the cloud.

The problem is twofold… customers don’t know the right questions to ask and vendors just don’t seem to understand that users require security for their cloud data, even if they cannot exactly describe what security measures they are looking for.  A recent Ponemon survey on cloud computing providers’ views of the security of their services showed that among survey respondents (who we can assume are amongst the more security aware providers), vendors had the least confidence regarding some important security features of their services, such as

  • Their ability to authenticate users before granting access
  • Their ability to prevent or curtail external attacks
  • Their ability to encrypt sensitive or confidential information assets whenever feasible
  • Their ability to determine the root cause of cyber attacks

It is clear to me that many individuals and businesses are rushing in to take advantage of the cost advantages and convenience of cloud computing without knowing how safe or unsafe their information is while it rests in the cloud.  The efforts of organizations like the Cloud Security Alliance to develop baseline language, best practices and assessment tools are a step in the right direction, but the road to cloud security is still foggy and treacherous.
