A Lesson in Cloud

A recent Threatpost article, in which Greg Hoglund comes pretty close to ranting that Anon did not "hack" HBGary but simply weaseled their way into the HBGary Google account, does illuminate some of the issues with using cloud services.

You see, Greg tried to do some damage control upon discovering that some level of intrusion was underway, but had to go through a Google call centre in India where he got no love. In the article Hoglund has a few pointers of his own, but I would advise doing your own research and considering all the possibilities.

If this had been a physical server in an accessible location, a sysadmin could isolate the affected system, remove it from the network, image the drive for forensic purposes and start the incident response machine.

I remain ambivalent about the cloud - it's not all lollipops and candy canes.


Microsoft ASP.Net OOB Patch

Sorry to interrupt the flow of the Making the Web Work for You series, but this is somewhat important. Microsoft issued a patch last week for the outstanding .Net issue, which could pose a significant threat to those of you with Internet-facing IIS servers. Although all .Net systems are vulnerable, the affected IIS boxes pose the greatest risk of exploitation. For some reason the OOB (out-of-band) patch is only available through the MS Download Center.


Intrusion Detection – not just for the enterprise

Intrusion detection can really be a variety of technologies: NIDS, IPS and HIPS (Network Intrusion Detection System, Intrusion Prevention System, Host Intrusion Prevention System). The difference between them is pretty straightforward. A NIDS uses one or more sensors to monitor network traffic and alert on anomalies; detection is usually signature-based. An IPS is a NIDS set up inline with your Internet feed, which allows it to actively block attacks. Some firewalls or UTMs have IPS abilities; other IPS solutions are dedicated boxes. HIPS is a software solution that runs on endpoints (workstations, notebooks); detection is usually behaviour-based. HIPS can be considered a last line of defence and is sometimes a component of modern endpoint security suites. Because HIPS interacts with the system at a fairly low level, it can have adverse effects such as stability and performance issues.

At AppliedUsers HQ (Parallel42) we run Snort in a NIDS configuration, although it is fully capable of being an IPS as well. I prefer NIDS over IPS because the ever-changing security landscape can make IPS management quite a chore. Getting an IDS properly tuned can take significant tweaking of configs, signatures, thresholds and alerts, so in an IPS configuration you could easily be blocking traffic you want to let through. Snort is open source, free and often considered the de facto IDS. Detection rules are available from Sourcefire as well as other sources (Emerging Threats), and you can write your own fairly easily. We have Snort running with BASE, a web front-end for displaying and managing the alerts. You can also combine Snort with Barnyard2, Sguil or ACID.

An IDS can do so much more than just detect intrusion attempts - I also manage a Snort install in an enterprise environment and often it detects malware before our antivirus.  It can also be used to detect network policy violations such as connections to certain websites, P2P traffic, IM traffic, porn - pretty much anything you can think up.

I think almost every network should deploy an IDS of some kind. A Snort solution is free but requires a little expertise or a willingness to RTFM; it pays huge dividends in securing your network. There are a good number of drop-in solutions as well from your typical network vendors like Cisco, WatchGuard, etc.


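To make the NIDS-versus-IPS and threshold-tuning points above concrete, here is an added example (not code from this post or from the Snort project): a tiny Snort-style matcher run over constructed packet records. The rules, hosts and payloads are all made up; the threshold semantics are a simplification of Snort's `threshold` option.

```python
"""Added example: minimal Snort-style signature matching, showing why the same
rule set only alerts in NIDS mode but drops traffic in inline IPS mode, and how
a per-source threshold stops a noisy rule from firing on a single legitimate
connection. Rules and packets are constructed for illustration."""
from collections import defaultdict

# Constructed rules loosely modelled on Snort syntax: protocol, destination
# port, required content, and an optional threshold of (count, seconds).
RULES = [
    {"sid": 1000001, "msg": "POLICY XMPP/IM traffic to external chat service",
     "proto": "tcp", "dport": 5222, "content": b"<stream:stream", "threshold": None},
    {"sid": 1000002, "msg": "SCAN repeated connections to SSH",
     "proto": "tcp", "dport": 22, "content": b"", "threshold": (3, 60)},
]

# Constructed packet records: (timestamp, source IP, proto, dst port, payload).
PACKETS = [
    (0, "10.0.0.5", "tcp", 5222, b"<stream:stream to='chat.example'>"),
    (1, "10.0.0.9", "tcp", 22, b"SSH-2.0-OpenSSH"),  # one admin login, legitimate
    (2, "10.0.0.7", "tcp", 22, b""),                  # probing host, three hits
    (3, "10.0.0.7", "tcp", 22, b""),
    (4, "10.0.0.7", "tcp", 22, b""),
]

def run(packets, rules, mode="nids"):
    """Return (alerts, verdicts). NIDS mode passes every packet and only records
    alerts; IPS mode drops any packet that fires a rule, as inline Snort would."""
    seen = defaultdict(list)  # (sid, src) -> timestamps inside the threshold window
    alerts, verdicts = [], []
    for ts, src, proto, dport, payload in packets:
        fired = False
        for r in rules:
            if r["proto"] != proto or r["dport"] != dport or r["content"] not in payload:
                continue
            if r["threshold"]:
                count, secs = r["threshold"]
                hits = [t for t in seen[(r["sid"], src)] if ts - t < secs] + [ts]
                seen[(r["sid"], src)] = hits
                if len(hits) < count:
                    continue  # matched, but below threshold: no alert yet
            alerts.append((ts, src, r["sid"], r["msg"]))
            fired = True
        verdicts.append("drop" if mode == "ips" and fired else "pass")
    return alerts, verdicts
```

With the threshold in place the single admin SSH login never alerts, so switching to IPS mode drops only the IM session and the third probe; lowering the count to 1 would make IPS mode drop the admin's login as well, which is the tuning chore the post describes.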
Taking down the botnets

Botnets, by and large, are responsible, either directly or indirectly, for most of the malicious activity on the internet. Whether it's spam, viruses, drive-by downloads, rogueware, scareware or all-out DDoS attacks, these large, distributed networks of zombie computers are usually behind it.

Recently a couple of the big ones have been taken down (or at least cut down in size) by the legal manoeuvrings of Microsoft and by the investigation and arrest of some key players. The Microsoft action was against the Waledac botnet, and the Spanish authorities caught up with some crafty characters responsible for the Mariposa botnet.


Straight from the horse's mouth: Waledac

Panda helps in arrests: Mariposa


Anti-Virus to become obsolete?

Who doesn't run anti-virus these days (ok, all you Mac users put your hands down)? The use of anti-virus, or anti-malware, applications is practically a given, to the point where it seems that no matter how poorly it may perform, we keep using it. AVG itself declares that only 3% of today's viruses are of your typical old-school variant; moreover, time and time again real-world AV protection seems to be nowhere near the vendors' claimed detection rates. We are all running some kind of AV product, yet it never fails: some user gets infected anyway and off we go with our little toolkits of clean-up utilities, wasting countless hours trying to pry that insidious, pervasive malware from every nook and cranny, only to do it all again at some later date. All this despite having invested good money in "protection".

What am I getting at?  It's pretty clear, signature-based anti-malware does not work - to be fair, I should say, it works, but only sometimes.  We have to ask ourselves though - is sometimes good enough?  I'm sure the sales reps will say that some protection is better than none, but then again is a false sense of protection better than none?  Malware writers have been ahead of anti-malware vendors for years, it is a constant game of catch-up where the good guys are always trailing behind.

An analogy of signature-based anti-malware:  "anti-cat 2010"

Anti-Cat 2010 is the latest in stray feline infiltration technology and will prevent stray cats from roaming free on your property. Now we have to define what a stray cat is so that strays can be accurately detected and effectively shooed. We also have to be careful not to shoo other animals or friendly felines, so the definition needs to be exact, to the point where we really need a sample stray to model our first signature on. Therefore we catch a stray and create a signature that matches it exactly: number of hairs, meow frequency, weight, height, eye colour, DNA sequence and so on. Now that cat will surely be detected, unless it loses some hair, or weight, or gets a cold. Nor will its offspring be detected. Nor will any of the other cats be detected. So starts the cat-and-mouse game of collecting strays to sample and adding those definitions to Anti-Cat; the problem is that there is no end to the number and variation of strays one will encounter.

It turns out it might be somewhat easier to do this job inclusively rather than exclusively, that is, to build a list of acceptable animals, albeit an equally detailed one, that you will allow on your property. In essence a critter whitelist: any animal that happens upon your golden acre and does not match the list gets shooed.

This is synonymous with application whitelisting, a burgeoning technology already proven superior to the current standard of malware blacklisting. One of the things that makes this technology feasible is the speed of today's computers; it would not have been possible a few years back, as the performance hit would have been too great.

Some of the current big AV vendors are looking long and hard at this technology because they know that the current technology has had its day and it's time to move on. While they try to shuffle the deck, there are already a number of players in the market who have led the charge and currently offer very capable enterprise-class products.
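The "Anti-Cat" argument above in code, as an added example that is not part of the original post: an exact-hash signature blacklist beside a hash-based application whitelist, run over constructed stand-ins for executables. It also shows the maintenance cost the post's "equally detailed" list implies: a legitimate update is blocked until it is approved.

```python
"""Added example: signature blacklist versus application whitelist.
A blacklist keyed on the exact hash of a captured sample misses a trivially
modified copy; a whitelist of approved binaries blocks both, but also blocks a
legitimate update until that update is approved. All file contents are constructed."""
import hashlib

def fingerprint(data: bytes) -> str:
    """SHA-256 hex digest, used as the 'exact' signature and as the allow-list key."""
    return hashlib.sha256(data).hexdigest()

# Constructed sample files standing in for executables.
APPROVED_APP_V1 = b"MZ...approved-app v1.0"
APPROVED_APP_V2 = b"MZ...approved-app v1.1"   # a legitimate update
STRAY = b"MZ...stray-malware"                  # the sample that was caught and signed
STRAY_VARIANT = STRAY + b"\x00"                # same cat, one byte heavier

BLACKLIST = {fingerprint(STRAY)}               # signature modelled on the captured stray
WHITELIST = {fingerprint(APPROVED_APP_V1)}     # only explicitly approved binaries

def blacklist_verdict(data: bytes) -> str:
    """Anti-Cat style: block only what matches a known-bad signature."""
    return "block" if fingerprint(data) in BLACKLIST else "allow"

def whitelist_verdict(data: bytes) -> str:
    """Critter-whitelist style: allow only what matches an approved fingerprint."""
    return "allow" if fingerprint(data) in WHITELIST else "block"

def approve(data: bytes) -> None:
    """The maintenance step a whitelist needs for every legitimate new binary."""
    WHITELIST.add(fingerprint(data))

def compare(files):
    """Return {name: (blacklist verdict, whitelist verdict)} for each file."""
    return {name: (blacklist_verdict(d), whitelist_verdict(d)) for name, d in files.items()}

FILES = {"app_v1": APPROVED_APP_V1, "app_v2": APPROVED_APP_V2,
         "stray": STRAY, "stray_variant": STRAY_VARIANT}
```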

