Security Watch: September 2009

Wednesday, September 30, 2009

Why NAC is failing?

Interesting paper addressing the failure of NAC released 2 weeks ago.

Key findings
-NAC will not succeed as a niche market.
-NAC will be a feature set, not a product.
-Much confusion of NAC stems from ambiguous terminology, a result of NAC’s evolution from other products.
-The hindrances in adoption of NAC are due to technical challenges.

Key recommendations
-Vendors should focus on standards of interoperability in order to succeed.
-NAC solutions should be renamed, based on the feature components they offer.
-Consumers of NAC technology must demand standards and roadmaps from vendors.a way to make it work.

Monday, September 28, 2009

Mariposa, the new botnet

50 of the world’s Fortune 100 companies are actively participating in this new botnet named Mariposa, discovered by Defense Intelligence on May 2009.

- 70 variants
- Seems to be driven from butterfly bot kit
- Butterfly bot kit uses 3 methods for propagation: MSN, USB, and P2P
- Features: password stealing, email harvesting, DDOS, browser password harvesting, ....
- Detection: check your DNS records for queries to "butterfly.sinip.es" or domains contains "butterfly"

Updated:
- Several Anti-Virus vendors claim that this malware is not a new one and they are already detecting it.

- Mariposa Analysis

- Wireshark plugin for obfuscated Mariposa traffic.

- STATS

Sunday, September 27, 2009

A Cartoon Guide to AES Encryption Protocol

A fantastic way of understanding AES protocol by Jeff Moser.

Saturday, September 26, 2009

Detecting Malicious Tweets, VB2009

Detecting malicious tweets, slides from VB2009 Conference. The concept is simple and effective, I should utilize something similar.

Wednesday, September 23, 2009

Torpig Takeover, presentation

Do you remember Torpig botnet takeover? Now a presentation is available online with more details revealed.

Monday, September 21, 2009

Anti-Virus Comparison

August report from av-comparatives is online now, summary in the graphs.

False Positive:

Missed Samples:

Sunday, September 20, 2009

Websense Security Report, H1, 2009

Websense Security Report for H1, 2009 released few days ago, here is the summary of findings:

- 233% growth in malicious web sites in 6 months
- 77% of web sites hosting malicious code are legitimate compromised web sites
- 61% of top 100 sites (mostly social networking and search) lead to malicious content
- 95% of user generated comments to blogs, chat rooms are spam or malicious
- 57% of data-stealing attacks are conducted over the web
- 69% of all web pages with objectionable content link (e.g. Sex, Adult Content, Gambling, Drugs) are serving malicious content
- WebSense detected more thsn 900,000 instance of 623 unique pieces malware

Friday, September 18, 2009

Turn off AutoPlay functionality in Windows

Microsoft is now providing an update to turn off USB AutoPlay functionality for all Windows versions . Do it now!

Thursday, September 17, 2009

IETF Draft, Remediation of Bots in ISP Networks

IETF released a new draft for the ISPs for detection, notification and remediation of botnets on their networks, it is time for ISPs to take actions and take the responsibility of cleaning the pipes. Only enforcement on the countries level will make this happen, otherwise it is up to the ISP to decide (many will not bother!)

Detection techniques:
- netflow, and anomaly detection
- Data sharing with 3dr party, like Block listing services and data clearing house
- DNS-based techniques
- Sinkholing or honeynets
- Scan for vulnerable user's hosts (Questionable !)
- User complaints

Notification methods:
- email
- postal mail (bad suggestion)
- phone call (another bad suggestion)
- Quarantine the user
- Instant message notification (one more bad idea)
- SMS
- Web browser notification, with no quarantine

Remediation techniques:
- Provide tools and education to the user, to perform remediation himself (good examples are given)

Update:
Dutch ISPs have agreed to launch a botnet eradication agreement to fight botnets, check the details.

Comcast in USA is implementing a pop-up notification system, to notify users of infected machines.

Wednesday, September 16, 2009

Enterprise Secure DNS Service, OpenDNS

OpenDNS guys are going to extend the free service and provide a paid secure DNS service for enterprises, I am a big fan of what they are doing, will be waiting for the general availability of the service.

Tuesday, September 15, 2009

SANS Top Cyber Security Risks

SANS Top Cyber Security Risks report highlighted two major issues:
- Unpatched client-side software
- Vulnerable web sites

No surprises in the report. Here are some points to summarize:
- Client-side vulnerabilities are the primary initial infection vector
- Major organizations take at least twice as long to patch client-side vulnerabilities as they take to patch operating system vulnerabilities
- 60% of attacks observed are targeting web applications.
- 80% of web applications attacks are SQL injection and XSS

Saturday, September 12, 2009

Botnets using Google Groups

The recent discovery of a Trojan that uses Google Groups as a C&C method is a similar technique to the one uses twitter as C&C channel.

Both techniques have a drawback for the attacker, all commands, updates and communication can be easily traced and analyzed.

Friday, September 11, 2009

How much your identity worth in underground market?

Symantec has an online risk calculator, just answer few questions about your behavior on the internet, and you will get the value that cyber criminals will sell your identity information for.
My digital life worth 10$, not bad .... :)

Tuesday, September 8, 2009

Free Personal Security Tools

This is my preferred list of free security tools.

Must-have:
- Install 2 different types of Anti-Virus, example: Avira+Threatfire or MS Essentials + Threatfire
- Install a Spyware Removal, Spybot-Search-and-Destroy
- Make sure that all your software, tools, plugins, add-ons are up-to-date, Secunia PSI will help a lot
- Use a secure DNS service, OpenDNS

Optional:
- Encrypt hard drive, TrueCrypt
- Wipe your confidential data, FileShredder
- Rescue CD, Trinity Live-CD

- Private browsing, Comodo Dragon Internet Browser

- Protect your privacy from google, Googlesharing firefox addon