Internet Security News
Breaking news and updates in Internet security
Last Updated: August 20th, 2008 11:53:29 CDT -0500
Oracle WebLogic Hit With Zero-Day Exploit
Oracle published a workaround as news circulated of a remotely exploitable flaw in the WebLogic platform that requires no authentication to trigger.
Both the WebLogic Server and WebLogic Express products, acquired by Oracle when the company purchased BEA, suffer from the newly disclosed vulnerability.
SANS Internet Storm Center said the problem stems from the Apache Connector used by the products. A WebLogic advisory noted the flaw could be exploited without authentication.
Sites using Apache servers that are already configured with the mod_security module are protected from this vulnerability by the default core ruleset, according to the advisory. Using mod_security with the WebLogic plug-in for Apache serves as one workaround suggested by Oracle.
The other workaround calls for an edit to httpd.conf and a restart:
It is possible to configure Apache and avert this vulnerability by rejecting certain invalid requests. To do so, add the following parameter to the httpd.conf file and restart Apache:
LimitRequestLine 4000
See: Apache LimitRequestLine documentation for more information
Note: This parameter caps the HTTP request line (and therefore the URL) at less than 4000 bytes; Apache rejects longer request lines instead of passing them to the plug-in.
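A small configuration check, added here as an example and not code from Oracle's advisory or the Apache project: it reads an httpd.conf fragment, works out which LimitRequestLine value Apache would apply (the compiled-in default of 8190 when the directive is absent or commented out, the last occurrence when it is set more than once) and reports whether the 4000-byte workaround is in place. The config fragments are constructed; the checker looks only at top-level directives and does not model Include files.

```python
import re

# Apache's compiled-in default when LimitRequestLine is not configured.
APACHE_DEFAULT_LIMIT_REQUEST_LINE = 8190
# Value recommended by the WebLogic advisory quoted above.
RECOMMENDED_LIMIT = 4000

# Directive names are case-insensitive in httpd.conf; the argument is a byte count.
_DIRECTIVE = re.compile(r"^LimitRequestLine\s+(\d+)\s*$", re.IGNORECASE)


def effective_limit_request_line(conf_text: str) -> int:
    """Return the request-line limit Apache would apply for this config text.

    Blank lines and '#' comments are ignored. If the directive appears more
    than once, the last occurrence wins (as it does in Apache); if it never
    appears, the compiled-in default of 8190 applies.
    """
    limit = APACHE_DEFAULT_LIMIT_REQUEST_LINE
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = _DIRECTIVE.match(line)
        if match:
            limit = int(match.group(1))
    return limit


def workaround_applied(conf_text: str, recommended: int = RECOMMENDED_LIMIT) -> bool:
    """True when the effective limit is at or below the advisory's 4000 bytes."""
    return effective_limit_request_line(conf_text) <= recommended


def request_line_accepted(conf_text: str, request_line: str) -> bool:
    """True if a raw request line such as 'GET /index.html HTTP/1.1' fits under
    the effective limit. Apache answers longer lines with 414 Request-URI Too
    Large before any module, including the WebLogic plug-in, sees them."""
    return len(request_line.encode()) <= effective_limit_request_line(conf_text)


# Constructed sample: a server that never set the directive.
CONF_UNPATCHED = """\
# httpd.conf (constructed sample)
ServerRoot "/etc/httpd"
Listen 80
# LimitRequestLine 4000   <- still commented out, so the 8190 default applies
"""

# Constructed sample: the same server after applying the advisory's workaround.
CONF_PATCHED = """\
# httpd.conf (constructed sample)
ServerRoot "/etc/httpd"
Listen 80
LimitRequestLine 4000
"""

if __name__ == "__main__":
    for name, conf in (("unpatched", CONF_UNPATCHED), ("patched", CONF_PATCHED)):
        print(name, effective_limit_request_line(conf), workaround_applied(conf))
```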
The problem sounds like a buffer overflow, which IBM X-Force said is stack-based in nature. ZDNet noted Oracle has disclosed 112 vulnerabilities in its products in 2008.
The zero-day nature of the flaw's disclosure, and the lack of a need for authentication, make it likely an active exploit will emerge. Web application servers like WebLogic regularly provide functionality to sites where financial details pass between visitors and the business site.
As such information holds great appeal for criminals, applying a workaround quickly should be a priority for security pros.
Metasploit's Moore Sapped Via DNS Flaw
The same critical DNS issue that HD Moore and his associates raced to include in their security testing toolkit, the Metasploit Project, bounced back against the noteworthy security researcher.
Security pros and other techies who see the boundary-pushing actions of Moore and Metasploit as more of a hindrance than a help to security may have enjoyed the schadenfreude surrounding Moore today.
Moore detailed what happened on a blog post at Metasploit. The incident hit an AT&T DNS cache server; the affected machine coincidentally served "as an upstream forwarder for an internal DNS machine at BreakingPoint Systems," which is Moore's company.
"This attack affected anyone in the Austin, Texas region using that AT&T Internet Services (previously SBC) DNS server. The attack itself was not malicious, did not load malware, and from an operational standpoint, had zero impact," said Moore.
Employees at his company noticed problems when the cache-poisoned DNS machine at AT&T returned a 404 error when they tried to reach a particular Google page, a personalized iGoogle one. The phony server "was returning four iframes, one of which showed a fake version of the Google web site, the other three loaded automated ad-clickers from three other compromised servers."
Anyone who has yet to fix DNS machines with the patch that has been widely available since early July needs to take the problem seriously. Within telco giant AT&T, someone did not, and inadvertently demonstrated how rapidly a vulnerable system will see exploit attempts against it.
Some of those attacks may even succeed, and it only takes one to pose at least an annoyance, at most a critical data loss threat, to Internet users.
Regulatory Compliance and the Real Risk of Undetected Malware
With the emergence of regulatory laws borne out of experience from a variety of embarrassing security breaches, today's corporate leaders face a myriad of repercussions.
These range from serious fines to jail time when found not in compliance with regulations such as Sarbanes-Oxley (SOX), Health Insurance Portability and Accountability Act (HIPAA), Gramm-Leach-Bliley (GLB), and Payment Card Industry (PCI), etc.
These regulations are designed to protect the privacy of individuals and to ensure the proper internal controls are in place to maintain confidentiality and integrity of sensitive information.
For example, Section 404 of the Sarbanes-Oxley Act mandates that any publicly traded corporation must maintain adequate internal controls, ranging from proper financial reporting to the protection of critical assets. This includes designing controls around the premise of protecting consumer data from an information security perspective.
Normally, these controls are defined and established through a risk analysis that identifies potential threats and weaknesses. The development of a policy framework based on this audit ultimately drives the definition of what would be considered "adequate" controls.
However, in 2007 the industry suffered a record-breaking loss of information stemming from data security breaches ranging from stolen laptops to hijacked advertising. This was exemplified in the highly publicized Monster.com attack. According to an article in CIO Magazine, a Trojan stole more than 1.6 million records belonging to several hundred thousand people from Monster Worldwide Inc.'s job search service.
Despite established security policy, these breaches lead to public dismay and a loss of consumer confidence. Take for example the TJ Maxx incident that exposed 45.7 million credit card numbers, according to details in a filing with the Securities and Exchange Commission last year. The breach eventually cost the retailer millions of dollars in both hard costs incurred and stock value reduction.
These incidents raise several interesting questions. Were these security breaches a result of undetected malware, perhaps a targeted attack orchestrated by a foreign hacker group? This certainly appears to be the case as more and more targeted attacks are involving malware of some shape or form. Take for example the recent incident with popular supermarket chain Hannaford. Why did the internal controls established according to company policy fail to protect assets from being compromised? And what are the real risks and implications of undetected malware as it pertains to regulatory compliance?
These are all good questions, especially concerning the changing crimeware landscape and its evolution from curiosity to financial gain. Not surprisingly, this trend has a considerable part to do with the dramatic increase in information exposure in 2007.
According to the PandaLabs 2007 Annual Report, a majority of identity theft and financial fraud incidents in 2007 were related to Banker Trojans that infected individual consumers, thus, stealing credentials and other personal information that could be used to gain profit.
Furthermore, if we put this into perspective, we are more at risk than we were a few years ago, when the primary concern was the prevention of network worms that caused data destruction.
In that day and age, controls were designed around the need to ensure the integrity and availability of information assets. CIOs and IT Managers designed and implemented systems that had the primary goal of ensuring that their users had access to information. At that time security was a secondary concern in this scenario, because the threats were different and much less sophisticated.
Today we face a new breed of threats with different motives: financial gain through targeted attacks. In fact targeted attacks in 2007 showed a marked increase over previous years with respect to online fraud.
The mentality of CIOs and IT Managers has shifted to a security focused mind-set, especially with the advent of recent high-profile security breaches. What's alarming is the rate at which malware is developed and released to infect victims on a daily basis. In a 2007 report published by Panda Research, entitled "From Traditional Antivirus to Collective Intelligence," PandaLabs saw over 4000 new strains per day last year.
This is mainly due to the overwhelming inability of security vendors to respond to an ever-increasing rate of new malware strains; thus, the anti-virus industry is not really protecting its customers. Signatures are generated on the basis of what the vendor considers a threat, and thereby traditional AV products may not reflect actual reality. As a result, we are witnessing a literal denial of service against vendor resources.
Therefore, a large amount of malware currently circulates the Internet undetected, resulting in a large number of companies being infected despite having up-to-date security solutions.
The rapid pace at which cyber criminals seed the industry with new threats contributes to the overall problem that is causing technical safeguards to fail, putting the corporation at risk of violating regulatory standards, which could ultimately lead to serious consequences if sensitive information is leaked.
For example, in a health care organization one undetected Trojan could make a case for a serious risk of violation of HIPAA §164.308(a)(4), which pertains to protecting health information: "implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in §164.308(a)(4) [Information Access Management]"
A False Sense of Security - Audit and Assessment Standards
When doing a security audit to ensure that adequate controls are in place from an information security perspective, the auditor is normally looking at whether the corporation is in adherence to a defined policy. Furthermore, a security audit encompasses some of the following questions:
- Are passwords difficult to break?
- Are computers up-to-date with the latest security patches?
- Do any vulnerabilities exist in the operating system or applications installed?
- Are there Access Control Lists (ACLs) implemented on shared resources to control access to them?
- Have unnecessary services or applications been removed from computers that could potentially expose the resource?
- Are computers regularly scanned for malware?
The missing element in a security audit, however, is assessing for sophisticated active threats (e.g. kernel-mode rootkits, stealth Trojans, keyloggers, etc.). The current assessment tools and verification methodologies used to validate controls rely mostly on identifying weaknesses or potential risk to assets; for example, a vulnerability scan or a penetration test will tell the auditor of potential avenues for attack. But the number one question to ask is: are assets already compromised with undetected malware?
There is a wide range of technical safeguards that can be implemented to significantly reduce potential exposure and the organization's overall risk; however, hackers have devised ways to circumvent these. For example, the most common infection vector is via the web, through malware-laced websites that have been compromised and altered in some way, shape or form. Therefore, a majority of malware (if not detected via signatures or proactively by other technologies) will simply evade perimeter defenses (firewalls, network intrusion prevention, etc.) and make its way to the end-point, especially if it is "targeted" in nature, with a limited number of hosts designated to be infected.
There are certainly other ways to reduce risk. For example, corporations can implement a policy that limits the administrative access a user has to his or her own PC and other resources on the network. While this reduces the overall risk of unauthorized access, it is not the final solution as hackers tend to abuse system privileges (going around established ACLs) by exploiting applications and other flaws in the operating system.
Proactive defenses such as Host-based Intrusion Prevention Systems (HIPS) can substantially raise the bar in terms of detection, anywhere between 80 and 90 percent (source: "From Traditional Antivirus to Collective Intelligence," Panda Research, 2007). With malware 1.0 this model was acceptable; but with the rate and volume of new threats emerging on a daily basis, hundreds or even thousands of threats can be missed over time.
Public companies that must adhere to regulatory laws must also adopt better internal controls to ensure that hidden infection points are discovered and removed before any exposure occurs. Better yet, modern assessments must take into consideration the possibility of assets already compromised by hidden and undetected malware.
Summary
Regulatory compliance is an interesting but challenging topic that every public corporation, no matter what size or shape, is ultimately affected by. Organizations must evolve their security best practices to include better assessment methodologies that take into consideration crimeware innovations and available technologies that not only assess weaknesses, but locate active, unnoticed infection points.
From Traditional Anti-Virus to Security-as-a-Service
Over the past five years, the anti-virus market has experienced tremendous growth as many new technologies have emerged in response to current conditions.
What was once a market consisting of very few players has evolved into a multi-billion dollar enterprise consisting of dozens of companies with a huge assortment of anti-virus products varying in focus and quality.
According to analysts, the global anti-virus market is forecasted to surpass $58 billion by 2010 with the introduction of new technologies in the areas of data loss prevention, virtualization security, security-as-a-service and many others.
Despite this growth, the technology behind anti-virus today is highly inefficient when it comes to protecting against modernized threats. This is fueled by the fact that vendors simply can't keep up with all of the new malware surfacing each and every day. The situation has created a breakdown in the quality and effectiveness of their underlying core technology. [1]
This problem is evident in today's high-profile security incidents. According to the Identity Theft Resource Center (an organization that tracks incidents relating to exposure of confidential information), the number of recorded breaches more than doubled in the first quarter of 2008. [2]
This problem is even more visible when you take into account the current application delivery model employed by various end-point technologies today.
This agent-based delivery model introduces several challenges, not only on the side of administration, management and ease of use, but to the degree necessary to provide an adequate level of protection against zero-day, zero-hour, and zero-minute threats.
This traditional model has the following characteristics:
· Upgrades require time and effort to implement, leaving a dangerous window of opportunity to become infected. This problem is amplified if the upgrade includes engine revisions to detect new strains of malware.
· Enterprise protection suites require deployment of a dedicated management infrastructure that in some cases will require additional hardware.
· Some end-point protection suites that use a policy-driven system are particularly complex to manage and maintain; therefore the total cost of ownership will increase over time.
· Anti-malware intelligence has traditionally resided on the end-point, thus, the trade-off between security and resource consumption has always been a challenge.
· The memory and CPU foot-print is directly proportional to the size of the signature file. Therefore, the growth of new threats will ultimately affect the user's experience.
· On average, the foot-print for leading products is anywhere from 100MB to 150MB, depending on the modules enabled (i.e. firewall, anti-virus, anti-spam, host intrusion prevention, etc).
· Most end-point products on the market today have a very narrow, short-sighted view of the threat landscape and do not provide protection for all malware currently in circulation and affecting users.
· Nodes do not share intelligence amongst themselves, thus, reducing the overall efficiency to detect and prevent against targeted attacks.
When we examine this security model further, the small and medium size business (SMB) market will be affected the most. The traditional anti-virus model introduces significant challenges for SMBs who have tight budgets for security. This is especially true as they often do not have the expertise or resources in-house to manage and administer complex anti-malware solutions.
The best alternative that an SMB can take when it comes to security is out-sourcing their services to a hosted infrastructure and/or adopting a Security-as-a-Service model. This helps reduce complexity and time to market when implementing new security technologies and will not require a high degree of skill to maintain the solution.
Security-as-a-Service revolves around the concept known as Software-as-a-Service, or SaaS. SaaS changes the way that applications are currently delivered to customers by hosting them "in the cloud" and providing a web interface to interact with the applications. Previously, software had to be installed directly on the user's system and managed inside the business or manually remote-controlled by an outside service provider.
Customers of a SaaS solution benefit from real-time, up-to-the-minute content provided on a continuous basis through a subscription model, making life a lot easier. This model allows companies, their IT consultants, managed service providers or value-added resellers to more efficiently manage protection against malware, freeing up valuable time and resources to stay focused on the business.
In conclusion, the SaaS model offers an alternative approach to the way that end-point security is delivered today. Since 2008 and 2009 will certainly focus on consolidation (anti-virus, data leakage prevention, end-point encryption, etc), it is essential that SaaS be adopted as an industry standard in end-point security protecting businesses from the SMB to the very large enterprise.
[1] PandaLabs Research Study 2007: http://research.pandasecurity.com/archive/Think-you_2700_re-protected_3F00_-Think-again.aspx
[2] http://www.idtheftcenter.org/artman2/publish/m_press/Breach_List_2008_Q1.shtml
Don't Overlook the Online Channel: Combating Multi-Channel Fraud at the Source
The latest threat to online banking accounts involves fraudsters using multi-step schemes that involve different interaction points with financial institutions.
Cyber-criminals commit this multi-channel fraud by first breaching an account via the online channel to steal valuable information such as account balances, check images, or signature blocks, in order to commit wire, check and other types of offline fraud that never gets linked to the original breach online.
Unfortunately, the online channel's role in these schemes is often overlooked. This is precisely what makes this kind of fraud so effective - and hard to catch. Financial institutions only register the final transaction fraud, and cannot account for the original breach, which often occurs in the online channel. Add this to the fact that consumers don't know it is happening, and the fraudsters have a perfect opportunity to continuously get away with this crime.
Case in point is what happened recently to a leading financial institution that serves tens of thousands of customers daily. Despite aggressive efforts to safeguard its online environment, fraudsters pulled off a startling multi-channel fraud scheme.
Here's how the fraud scheme worked:
1. The fraudster called the institution's customer service number and, using social engineering techniques, reset the online account password and contact phone number.
2. The fraudster accessed the online account, learned more about the customer's online activities, and downloaded check images containing the customer's signature.
3. The fraudster then called on a separate institution using the stolen information to open a new account in the victim's name.
4. A wire transfer was arranged to empty the victimized account and credit the new account at institution #2. Because the names on the accounts were the same and the fraudster had provided a phone number under his/her control and a valid signature, an offline verification of the transfer by phone, as a second means of identification, passed and was authorized.
5. The fraudster withdrew his loot piecemeal, visiting separate branches in a state different than the victim's.
Legacy Fraud Detection Methods Blind to Online Activity
When fraudsters use schemes involving multiple interactions with different touch-points across an institution, they aren't caught because the precursor online channel breach is often overlooked.
Common industry practice registers the final fraud transaction as the breach point, and case forensics employ limited resources to return insight that cannot trace the original breach to the online channel. When accessed only for reconnaissance, the online channel records no "transaction" for detection. This is precisely what makes multi-channel fraud so effective - and so hard to catch. Moreover, how should the fraud in our previous example be classified? Is such a loss wire fraud, check fraud, or simply "online account fraud"?
A next-generation approach to online fraud prevention is needed if we are to continue to inspire customer confidence in the online channel. According to Javelin Research's 2007 Identity Fraud Survey Report, it takes an average of 60 days for consumers to even detect that fraud has occurred. This leaves fraudsters with a perfect opportunity to commit successful multi-channel fraud crimes if financial services providers don't take pre-emptive steps to protect both their customers and their bottom line. New best practices and back-end technologies that focus on online behavior can better isolate and prevent multi-channel fraud at the source.
Modeling Individual Account Behavior Stops Fraud at Its Source
An emergent best practice is to employ predictive models of individual customer online behavior to detect when the "customer" logging in isn't who they say they are, even if they pass authentication. Beyond simple machine signature technology, user profiling technologies rely on trended analysis of behavior account by account. They start by understanding what "normal" behavior is for each individual customer - and admit that there is no single pattern of "normal" behavior to write an anti-fraud rule against.
Dynamic, model-based analysis of account activity "does the math" - piecing together what may by themselves seem like weak indicators of fraud until a powerful pattern emerges. Behavior that deviates from what is expected becomes suspicious - the more the deviation, the deeper the suspicion. This comprehensive analysis allows for more granular risk scoring and better correlation with offline activity patterns. A byproduct of this behavioral analysis is a rich history of online activity that aids investigation and forensics.
Using these techniques, institutions can identify the fraudster via the alerts to online activity outside the customer's predicted behavior. Deploying strong analytics at the source - the online channel - ensures that fraudsters' attacks are shut down before any damage is done.
Storm Botnet Subsides
Something new may be on tap to replace Storm as the big botnet pest, as its size decreased substantially in April.
Efforts to clean up the Storm botnet drove it down to 5 percent of its original size in April. This puts current estimates of Storm-botnetted machines at around 100,000 machines.
Security vendor MessageLabs said ongoing efforts associated with new Storm cleanup tools purged the malware from infected computers. Some estimates put Storm's botnet at 2 million machines before the big purge took place.
"April was a month of unpredictability," Mark Sunner, Chief Security Analyst at MessageLabs, said in a statement. Storm's decline happened while incidents of attacks escalated.
MessageLabs claimed to observe 70 targeted spam attacks with Trojans per day in April. The upcoming Beijing Olympics persists as a major factor in such spam, with Olympics-related subject lines common for those attacks.
An old spam standby received a bit of a makeover, MessageLabs noted. Criminals are creating fake profiles on business networking sites like LinkedIn to lend credence to the typical 419 scam. They direct recipients to check out their "credentials" on the site to assure them they are dealing with a real person and not some common criminal.
eBay Has Its Romanian Hacker
An arrest in Budapest turned up one Vlad Constantin Duiculescu, aka Vladuz, a thorn in the side of the online marketplace.
A business deal turned out to be a sting, and Vladuz took a deep wound from it. His time roaming around eBay's forums using pilfered credentials and generally making a nuisance of himself to the company has been at least interrupted for now.
The Register cited Romanian news reports that Vladuz ended up wearing handcuffs after his attempt to sell a software application to interested buyers instead brought police to his door. EBay has been chasing Vladuz for over a year.
His exploits reached eBay's forums, where he managed to pose as an official eBay representative. He and eBay disputed how far he was able to get in to their systems; Vladuz claimed extensive access, while eBay denied that.
If eBay's account is accurate, they believe Vladuz caused about a million dollars in damages from his exploits. For now, Vladuz will enjoy jail cuisine for a 29-day period. Further details about the 20-year-old's fate have not been revealed.
Google Builds Tools To Fight Child Porn
An ongoing effort with the National Center for Missing and Exploited Children (NCMEC) by Google produced video tools for use in finding exploitative images and videos.
Google research scientist Shumeet Baluja described the search giant's work on the company blog in developing these tools. Through 2007, Baluja and co-workers crafted tools to help NCMEC find child predators.
"The tools we provided will aid in organizing and indexing NCMEC's information so that analysts can both deal with new images and videos more efficiently and also reference historical material more effectively," said Baluja.
NCMEC said in a statement the group and law enforcement agent partners have reviewed over 13 million images and videos to help rescue victims and identify criminals.
"Criminals are using cutting edge technology to commit their crimes of child sexual exploitation, and in fighting to solve those crimes and keep children safe, we must do the same," said Ernie Allen, president and CEO of NCMEC.
The tools come from Google's ongoing work in video and image search. This research-stage technology helped NCMEC handle the multitude of such content arriving at their CyberTipline and from police agencies.
"We hope the tools we've built for NCMEC will help its analysts make the important and often time-sensitive work of investigating child predators faster and more efficient," Baluja said.
PayPal Calls For Partnerships Against Phishing
One of the most popular phishing targets on the Internet wants to thwart criminals, but needs a lot of help to do so.
Stamping out phishing won't happen with one company pushing for a fix. Payment processor and eBay component PayPal needs cooperation to accomplish this.
"We know we're always going to be an attractive target for criminals. But what I don't want is PayPal to be protected and the rest of the industry not. Phishing could be solved, there's no need for it to happen," PayPal chief information security officer Michael Barrett said at a security conference recently.
Phishing for PayPal details happens on an immense scale. A report at Silicon.com said Yahoo's efforts to block PayPal-related messages alone kept 50 million phishes out of Yahoo Mail since last fall.
That happened thanks to digital signatures appended to PayPal's legitimate messages. When a phish lacking that signature hits Yahoo, the message gets tossed.
Microsoft received some credit from Barrett, as the company's Internet Explorer 7 browser may be helping stop people from going to phishing sites thanks to its anti-phishing technologies. (Firefox and Opera also carry phishing protection in their browsers.)
Phishing persists as a standby for criminals. Through the use of botnets, phishers send out millions of messages. It doesn't take many to make the crime profitable, as the distributed nature of spamming this way costs the phishers little.
Couple that with how the phishing types tend to be hiding out in countries where effective prosecution against computer crime is a pipe dream for security pros at best, and one can see where Barrett is coming from with his call for more partnerships against phishing activities.
Online Criminals Outsource Their Work
A study by security vendor Finjan suggested a trend in criminal behavior has them farming work out to established rings with a technology infrastructure in place.
Among the trends cited by Finjan in its Web Security Trends Report, the company found criminals with sufficient capital opting to engage in a business practice normally associated with legitimate businesses: outsourcing.
Botnet creators have been known to let spammers pay for access to compromised servers, which are then used to crank out millions of messages to inboxes all over the world.
Finjan dubbed the next iteration of this practice, "crimeware." It isn't only about botnet rental, or even using pre-made kits to create exploits, as Finjan observed:
After maturing into a full-fledged market driven by economical forces, we are now seeing a trend for cybercriminals to deploy the B2B model (business to business, or more accurately Criminal to Criminal, C2C). Owners of malicious sites share their victims with other site owners in order to leverage the strength of one site and provide business to the other.
It gets worse for security pros:
Currently, we see the rise of the Crimeware-as-a-Service (CaaS) model in the Crimeware-toolkit market.
It enables such a toolkit to gather the data from the victims and sort it according to some rough criteria for the users, since all the data and networking is already built-in and available for the criminals and attackers.
This development will further distance the criminals from the techies - a trend that we have seen evolving over the past couple of years. This trend will get a further boost with the catching on of the CaaS model.
The bad guys are becoming more organized and sophisticated year after year. This isn't an Internet crisis anymore, it's a global crisis, and one that probably can't be solved. The profit potential is so high that we doubt anything short of turning the planet into a cold, lifeless cinder will put a stop to it.