Sunday, August 23, 2009

Data breach news and analysis

Folks at Open Security Foundation have started a new web site BreachCenter.com which will offer news and analysis on the various data breaches. From the announcement,  
"BreachCenter.com is a free and dynamic community of interest dedicated to helping companies mitigate the damages associated with the loss of personally identifiable information. We provide news, opinions, expert analysis, white papers, dialogue and reviews on data breach recovery."  


Following are some other sites where we can get data breach and identity theft information.  
http://datalossdb.org  
http://www.privacyrights.org  
http://zone-h.org  
www.voltage.com/data-breach  
http://attrition.org/dataloss (pre 2008)  


FTC lists the cases involving the privacy of consumer information under Section 5 of the FTC Act: http://www.ftc.gov/privacy/privacyinitiatives/promises_enf.html http://www.ftc.gov/privacy/privacyinitiatives/safeguards_enf.html

Friday, August 14, 2009

Online reputation

One of the readers asked about RBLs, so here you go.

What is your reputation on the Internet world? How do you know that you don't have any zombie machines in the inside of your network sending out spam emails? Your domain name and IP address gets classified as spam originators by various reputation authorities if they identify any systems or networks within the domain sends out spam. Such reputation authorities lets you identify if they classified any devices in your domain as spam originators. Commercial spam filtering devices does regular lookups to these authorities to determine and block such spam sources.

http://www.spamhaus.org/
http://uribl.com/index.shtml
http://www.spamcop.net/bl.shtml
http://www.barracudacentral.org/lookups
http://www.senderbase.org/
http://cbl.abuseat.org/
http://www.njabl.org/lookup.html
http://www.sendmail.com/sm/resources/tools/ip_reputation/

Saturday, August 8, 2009

Cisco IPS - new feature

For those who use Cisco IPS devices, check the following announcement,

"IPS 7.0 contains a new security capability, Cisco Global Correlation, which uses the immense security intelligence that we have amassed over the years. At regular intervals, Cisco IPS receives threat updates from the Cisco SensorBase Network, which contain detailed information about known threats on the Internet, including serial attackers, Botnet harvesters, Malware outbreaks, and dark nets. The IPS uses this information to filter out the worst attackers before they have a chance to attack critical assets. It then incorporates the global threat data in to its system to detect and prevent malicious activity even earlier."

Read the release notes to get more information.

SNORT and IPTABLES users may be familiar with a similar concept wherein you could do the lookups to various Realtime Blackhole Lists or RBLs

Friday, August 7, 2009

Clampi Virus

As the world deal with the swine flu virus, there is an equally destructive virus / trojan that affects the computing world. It is known as Clampi  and it is one of the deadliest trojans that is making the rounds on the Internet, According to a report, it is operated by a serious and sophisticated organized crime group from Eastern Europe and has been implicated in numerous high-dollar thefts from banking institutions.

Typically, trojans such as this gets installed when people open infected attachments or even by simply visiting a web page using a vulnerable browser or other applications such flash, pdf, etc. Such web sites that people visit could be intentionally or they may be taken to those web sites unintentionally by clicking on some links on a regular / normal site and that site may have some XSS or other types of vulnerabilities.

In any case, once the trojan gets installed it copies itself as one of the system executable such as svchosts.exe or event.exe in one of the folders. These are legitimate looking applications, so if you look in task manager, it is difficult to identify. However, the key here is that these files gets installed in a folder other than "C:\WINDOWS\system32" (in Windows XP). There are various tools such as "tlist" to identify which application (with the path) launched a process. The Trojan also make many registry changes, so understanding the registry structure and monitoring for changes is key here.

The Trojan then makes connections to various web sites that act as command and control centers and downloads tools that are required for 1) spreading to other machines 2) grab personal information from the machine, encrypt it and send it back the command and control center. One such tool it downloads is psexec, which is used to make connection to other machines in the network and then install the trojan there. In order to identify this behavior, security practitioners should have a good understanding of the normal behavior on the network and block unusual or unnecessary outbound connections from the internal network.

Some of the other key takeaways are:


  • Don't use or provide administrative credentials to the regular users, use of administrative credentials enable the ability to install programs.
  • Block all or unnecessary outbound access.
  • Monitor unusual traffic on the network, should have a good understanding of the baseline traffic.
  • Keep open file shares to a minimum or remove it altogether if possible. Periodically scan for open shares and audit it thoroughly.
  • Users should be made aware of the dangers of visiting unknown web sites, clicking on unknown links, and downloading unknown files.
  • Patch. Follow a strict vulnerability management process.
  • Keep the antivirus signatures up to date. Automate identification of infected machines
  • Be ready for incidents like this, practice incident response skills

Read some of the interesting write-ups on the Clampi virus / trojan.

http://www.secureworks.com/research/threats/clampi-trojan/?threat=clampi-trojan

http://voices.washingtonpost.com/securityfix/2009/07/clampi_trojan_the_rise_of_matr.html?wprss=securityfix