August 31, 2007 by cuinfosec
Haven’t you ever wondered what the criminals do with all the virus-infected PCs? What we know for sure is that they are used for sending spam, performing DDoS attacks, and other miscellaneous evil activities.
As everyone is aware (I hope), the Storm Worm has been making its rounds over the internet the past few months and adding a tremendous number of PCs to its botnet. Today Peter Gutmann posted to the Full-Disclosure mailing list a quick summary of the estimated power of this botnet.
This doesn’t seem to have received much attention, but the world’s most powerful supercomputer entered operation recently. Comprising between 1 and 10 million CPUs (depending on whose estimates you believe), the Storm botnet easily outperforms the currently top-ranked system, BlueGene/L, with a mere 128K CPU cores. Using the figures from Valve’s online survey, http://www.steampowered.com/status/survey.html, for which the typical machine has a 2.3 - 3.3 GHz single core CPU with about 1GB of RAM, the Storm cluster has the equivalent of 1-10M (approximately) 2.8 GHz P4s with 1-10 petabytes of RAM (BlueGene/L has a paltry 32 terabytes). In fact this composite system has better hardware resources than what’s listed at http://www.top500.org for the entire world’s top 10 supercomputers:
BlueGene/L: 128K CPUs, 32TB
Jaguar: 22K CPUs, 46TB
Red Storm: 26K CPUs, 40TB
BGW: 40K CPUs, 10TB
New York Blue: 37K CPUs, 18TB
ASC Purple: 12K CPUs, 49TB
eServer Blue Gene: ?
Abe: 10K CPUs, 10TB
MareNostrum: 10K CPUs, 20GB
HLRB-II: 10K CPUs, 39GB
This may be the first time that a top 10 supercomputer has been controlled not by a government or megacorporation but by criminals. The question remains, now that they have the world’s most powerful supercomputer system at their disposal, what are they going to do with it?
Here is another good source of information on botnets.
Posted in Malware, Misc | No Comments »
August 31, 2007 by cuinfosec
We cannot change (insert your typical phrase); it has always been done this way. As I read a post at Different River titled Be Consistent, I came to realize that in security this is something that is extremely common. I know it is an older post but somehow I ran across it today. Here is an excerpt from the blog entry.
The Monkey Cage
Start with a cage containing five monkeys. Inside the cage, hang a banana on a string and place a set of stairs underneath it. Before long, a monkey will go to the stairs and start to climb towards the banana. As soon as he touches the stairs, spray all of the other monkeys with cold water. After awhile, another monkey makes the attempt with the same result - all the other monkeys are sprayed with cold water. Pretty soon, when another monkey tries to climb the stairs, the other monkeys will prevent it.
Now, put away the cold water. Remove one monkey from the cage and replace that monkey with a new one. The new monkey sees the banana and wants to climb the stairs. To his surprise and horror, all the other monkeys attack him. After another attempt and another attack, he knows that if he tries to climb the stairs, he will be assaulted.
Next, remove another one of the original monkeys and replace it with a new one. The newcomer goes to the stairs and is attacked. The previous newcomer takes part in the punishment with enthusiasm! Likewise, replace a third original monkey with a new one, then a fourth, then the fifth.
Every time the newest monkey takes to the stairs, he is attacked. Most of the monkeys that are beating him have no idea why they are not permitted to climb the stairs or why they are participating in the beating of the newest monkey. After replacing all of the original monkeys, none of the remaining monkeys have ever been sprayed with cold water. Nevertheless, no monkey ever again approaches the stairs to try for the banana.
Why not?
Because as far as they know, that’s the way it’s always been done around here.
When it comes to security, one has to remember to “Keep an Open Mind”; the criminals do. Risks change every day and so must we. Don’t accept the answer that they have done it this way for years. If you can show that it could, or should, be changed for the better, then recommend the change.
Keep up the good fight.
Posted in Misc, Policy, Staff Education | No Comments »
August 30, 2007 by cuinfosec
A good read here: “Sophos Facebook ID probe shows 41% of users happy to reveal all to potential identity thieves”.
Sophos Facebook ID Probe findings:
- 87 of the 200 Facebook users contacted responded to Freddi, with 82 leaking personal information (41% of those approached)
- 72% of respondents divulged one or more email address
- 84% of respondents listed their full date of birth
- 87% of respondents provided details about their education or workplace
- 78% of respondents listed their current address or location
- 23% of respondents listed their current phone number
- 26% of respondents provided their instant messaging screenname
Talk about an opportunity to educate our members. This type of information could also be used in Spear Phishing attacks.
Posted in Member Education, Misc, Phishing, Staff Education | 1 Comment »
August 27, 2007 by cuinfosec
If you have not noticed lately, the Storm Worm is being spread by an ever-changing email campaign attempting to infect users.
The basics of Storm Worm: an email gets sent out to an unknown number of users with a link to a web server that attempts to compromise the user’s system. In the beginning it masqueraded as a greeting card email, then as a registration confirmation email.
Now it has taken a turn that I feel will fool many users into clicking on it. The email hides the known Storm IP link behind what looks like a YouTube link. With that site being so widely used, I am pretty sure that the botnet will grow even bigger. The current size of the botnet varies depending on the article you read, but you can be assured that it is large and will continue to grow. One estimate puts it at 250K to 1 million machines while another has it at 5 to 10 million.
In case you are interested, here are some sample subject lines and email body text. I have removed the links, of course.
Subject Lines
- LOL, dude what are you doing
- LOL, that is too cool…..
- oh man your nutz
- Where did you take that?
- ROTFLMAO, who is that your …
- I cant belive you did this
And for the body.
- What are you thinking…if pat sees this your divorced dude. :-{) check it out yourself
- this i not good. If this video gets to her husband your both dead. this is the link to it.
- You can see your face right in the video. its all over the web dude. take a look, lol…
- this i not good. If this video gets to her husband your both dead. go look at it…
- this i not good. If this video gets to her husband your both dead. check it out yourself
- What are you thinking…if pat sees this your divorced dude. :-{) see for yourself…
Posted in Alerts, Attacks, Malware | No Comments »
July 24, 2007 by cuinfosec
Recently there seems to have been a rash of data breaches, and one of them in particular (SAIC warns of possible data breach) made me start to analyze incident response programs in detail. Just how prepared is an organization for a data breach, and how well are our Preparation and Identification phases documented and “followed”?
This breach was not a hacking incident, loss of backup tapes, stolen or misplaced documents, or accidental posting of sensitive information on the internet. It was, based on their web site, a misconfigured FTP server that was not placed behind a firewall, against SAIC policy.
What worries me, and should worry other info sec personnel, is how prepared we are to detect an issue before it goes into a production environment. Here is how I see it: there should be a strong change management process in place that alerts info sec personnel to new systems going online, a strong SDLC in place, and a process in place that continuously scans IP space for potential new systems placed online without info sec’s knowledge (this could also be performed passively by using a product like arpwatch). These principles should be applied to internal systems and teams, and built into any contract with a vendor the CU may have.
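One way to close the gap between what change management knows and what is actually on the wire, as an added example that is not from the original post: a script that checks the “new station” and “changed ethernet address” syslog events arpwatch emits against an approved IP-to-MAC inventory. The inventory, the syslog lines and the alert wording are constructed sample data.

```python
"""Check arpwatch 'new station' events against an approved host inventory.

Added example, not from the original post; inventory and log lines below
are constructed sample data.
"""
import re
from collections import namedtuple

# arpwatch prints MAC octets without zero padding (0:e:c6:...); the
# 'changed ethernet address' line carries the previous MAC in parentheses.
ARPWATCH_RE = re.compile(
    r"arpwatch: (?P<event>new station|changed ethernet address) "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) (?P<mac>[0-9a-f:]+)"
    r"(?: \((?P<old>[0-9a-f:]+)\))?"
)
Finding = namedtuple("Finding", "ip mac reason")

def normalize_mac(mac):
    """Zero-pad each octet so '0:e:c6:aa:bb:1' == '00:0e:c6:aa:bb:01'."""
    return ":".join(part.zfill(2) for part in mac.lower().split(":"))

def review_arpwatch(lines, inventory):
    """Return a Finding per event that the inventory (IP -> MAC) cannot
    explain: an undocumented system, or a documented IP on the wrong MAC."""
    findings = []
    for line in lines:
        m = ARPWATCH_RE.search(line)
        if not m:
            continue  # unrelated syslog line
        ip, mac = m.group("ip"), normalize_mac(m.group("mac"))
        approved = inventory.get(ip)
        if approved is None:
            findings.append(Finding(ip, mac, "not in approved inventory"))
        elif normalize_mac(approved) != mac:
            findings.append(Finding(ip, mac, "MAC differs from inventory"))
    return findings

# Constructed sample data: two documented hosts and four syslog lines.
INVENTORY = {"10.10.1.10": "00:0e:c6:aa:bb:01", "10.10.1.11": "00:0e:c6:aa:bb:02"}
SAMPLE_LOG = """\
Jul 24 08:01:12 sensor arpwatch: new station 10.10.1.10 0:e:c6:aa:bb:1 eth0
Jul 24 08:03:40 sensor sshd[412]: Accepted publickey for ops from 10.10.1.50
Jul 24 08:15:02 sensor arpwatch: new station 10.10.1.77 0:1f:3c:de:ad:1 eth0
Jul 24 09:30:55 sensor arpwatch: changed ethernet address 10.10.1.11 0:50:56:11:22:33 (0:e:c6:aa:bb:2) eth0
""".splitlines()

if __name__ == "__main__":
    for f in review_arpwatch(SAMPLE_LOG, INVENTORY):
        print("ALERT %s %s: %s" % (f.ip, f.mac, f.reason))
```

The documented host on its documented MAC produces nothing; the undocumented 10.10.1.77 and the file server answering from a different MAC are what a reviewer would chase back to the change management records.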
In the six-step incident handling process (as taught in the SANS SEC504 class), the first two phases, preparation and identification, are the most important.
Phase 1. Preparation speaks for itself: make sure you have a defined incident response program that would cover most, if not all, of the types of incidents you could encounter. With all the data breach laws coming into effect and different types of breaches happening, I would recommend you include all types of incidents. Here is a list of just a few:
- Lost or stolen backup tapes
- Member information lost or stolen in paper form
- Phishing incidents
- Configuration issues
- Improper disposal of member information in any form
- Web-based application attacks
- System or network-based attacks
- Malware attacks or outbreaks
Phase 2. Identification is another key phase in this process. I cannot stress enough how important this phase is in the overall process. In January of this year TJX Companies Inc. announced that they had suffered a breach of security that exposed 46.5 million card numbers. It was determined that the intruder(s) had access to the system(s) for an estimated 18 months. This data breach alone shows you how important the Identification phase is. Here is a list of just a few items that can be done to aid in Identification:
- Log review
- Intrusion Detection/Prevention systems (host and network based)
  - These should be placed on all networks and systems
- Proper auditing and controls in place
  - This can be a daunting task if you really sit down and think about it
- Anti-Malware programs
- Email filtering
  - Both for content and attachments
- Ingress and Egress filtering on the firewall
  - Make sure you review the drops in the log, they can be very revealing
- Scan your systems
  - Port and Vulnerability
  - Internal and External
- Monitor and audit the change management process, make sure that all changes are following the procedure
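As an added example of the firewall drop-log review mentioned above (not code from the original post): a script that summarises netfilter LOG entries for dropped outbound connections per internal host, so that a system repeatedly trying to reach a destination the policy blocks stands out from one-off noise. The “EGRESS-DROP” log prefix, the sample lines and the thresholds are assumptions made for the example.

```python
"""Summarise outbound (egress) firewall drops per internal host.
Added example, not from the original post. "EGRESS-DROP" is an assumed
log prefix for the netfilter LOG target; lines and thresholds below are
constructed sample data."""
import re
from collections import defaultdict

# The LOG target writes key=value fields; only these four matter here.
FIELD_RE = re.compile(r"\b(SRC|DST|PROTO|DPT)=(\S+)")

def parse_drops(lines, prefix="EGRESS-DROP"):
    """Yield the interesting fields of each line carrying the egress prefix."""
    for line in lines:
        if (" %s " % prefix) not in line:
            continue  # inbound drops and unrelated kernel messages
        fields = dict(FIELD_RE.findall(line))
        if "SRC" in fields and "DST" in fields:
            yield fields

def summarize_egress(lines, min_drops=3, min_dsts=2):
    """Return (per_host, flagged): per_host maps SRC -> drop count plus the
    distinct destinations and proto/port pairs it was blocked from reaching;
    flagged lists sources that hit either threshold, i.e. a host repeatedly
    trying to reach somewhere policy says it should not."""
    per_host = defaultdict(lambda: {"drops": 0, "dsts": set(), "dports": set()})
    for f in parse_drops(lines):
        h = per_host[f["SRC"]]
        h["drops"] += 1
        h["dsts"].add(f["DST"])
        h["dports"].add("%s/%s" % (f.get("PROTO", "?"), f.get("DPT", "?")))
    flagged = sorted(src for src, h in per_host.items()
                     if h["drops"] >= min_drops or len(h["dsts"]) >= min_dsts)
    return dict(per_host), flagged

# Constructed sample: one host blocked three times on TCP/6667, one inbound
# drop (ignored), one one-off outbound SMTP drop.
SAMPLE_LOG = """\
Jul 24 10:00:01 fw kernel: EGRESS-DROP IN=eth1 OUT=eth0 SRC=10.10.1.77 DST=203.0.113.9 PROTO=TCP SPT=51234 DPT=6667 SYN
Jul 24 10:00:31 fw kernel: EGRESS-DROP IN=eth1 OUT=eth0 SRC=10.10.1.77 DST=203.0.113.9 PROTO=TCP SPT=51235 DPT=6667 SYN
Jul 24 10:01:02 fw kernel: EGRESS-DROP IN=eth1 OUT=eth0 SRC=10.10.1.77 DST=198.51.100.4 PROTO=TCP SPT=51236 DPT=6667 SYN
Jul 24 10:02:15 fw kernel: INGRESS-DROP IN=eth0 OUT= SRC=203.0.113.50 DST=10.10.1.10 PROTO=TCP SPT=4444 DPT=445 SYN
Jul 24 10:05:44 fw kernel: EGRESS-DROP IN=eth1 OUT=eth0 SRC=10.10.1.10 DST=192.0.2.1 PROTO=TCP SPT=40000 DPT=25 SYN
""".splitlines()

if __name__ == "__main__":
    hosts, flagged = summarize_egress(SAMPLE_LOG)
    for src in flagged:
        print("REVIEW %s: %s" % (src, hosts[src]))
```

Only 10.10.1.77 is flagged: three blocked attempts toward two outside hosts on the same port is exactly the kind of drop worth tracing back to the machine, while the single outbound SMTP drop from 10.10.1.10 stays below both thresholds.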
Posted in Data Breach, Vulnerability Assessment, log review | 1 Comment »
July 24, 2007 by cuinfosec
It has been some time since I last posted anything to this blog. I remember reading on another blog somewhere that one of the basics of blogging is, if you do not have anything to say then stay away from the keyboard. I have taken that advice, probably a little too far though.
Posted in Misc | No Comments »
June 12, 2007 by cuinfosec
I have had numerous conversations with people about reviewing web server logs, and with that come many different ideas on the importance of web server logs. For marketing staff it is of course web analytics, for network/system staff it is for determining why the site is not displaying images, and of course for security people it is much more.
What do you review your web server logs for?
Posted in Phishing, Risk Assessment, Vulnerability Assessment, Web Server, log review, survey | 1 Comment »
June 5, 2007 by cuinfosec
Yesterday Michal Zalewski posted four new browser-based vulnerabilities to Full-Disclosure. Normally I would not post about browser-based vulnerabilities, but these are worth mentioning. I can see how the bad guys would use each one of these for the purpose of performing fraud on our members.
- Title : MSIE page update race condition (CRITICAL) Impact : cookie stealing / setting, page hijacking, memory corruption
- Title : Firefox Cross-site IFRAME hijacking (MAJOR) Impact : keyboard snooping, content spoofing, etc
- Title : Firefox file prompt delay bypass (MEDIUM) Impact : non-consentual download or execution of files
- Title : MSIE6 URL bar spoofing (MEDIUM) Impact : mimicking an arbitrary site, possibly including SSL data
I hope I am wrong, but if the bad guys start to use these they would be able to steal many login credentials for online banking applications, e-commerce sites, etc.
This is being covered by Computerworld and by the SANS incident handlers on duty.
Posted in Alerts, Browser, Vulnerabilities | No Comments »
May 29, 2007 by cuinfosec
According to Secureworks and others (SANS and SunBelt), there are two different phishing scams making their way around by email.
While both of them are extremely dangerous in their own respects, one of them I find very interesting. It is a highly targeted attack against executive-level managers at companies. It uses an email which claims to link you to documents pertaining to your case. Here are some of the highlights from Secureworks.
Highlights
- Highly-targeted attack – aimed at specific executive-level company managers
- Steals all interactive data sent from victim’s IE browser to remote websites
- Uses browser helper object to access form data before it is SSL-encrypted
- One stolen data repository located. As of Friday, May 25, there are 1,400 victims and 145 megabytes of data in the repository. Approximately 70 megabytes of data is being collected daily.
The other email contains an attachment (an RTF document) which, when executed, installs several pieces of malware onto the computer opening the attachment. The problem with this one is that, for some reason, it is easier to get a virus past email content scanners with RTF documents.
For more information, click on one of the reports above.
Posted in Alerts, Attacks, Malware, Phishing | 1 Comment »
May 25, 2007 by cuinfosec
This story shows how sophisticated virus writers and ID theft criminals are getting: multiple sites, multiple pieces of malware, and the targeting of specific countries. This one in particular targeted users in France.
Read it here.
Posted in Alerts, Attacks, Malware | No Comments »