Monday, January 31, 2011

What The World's Biggest Bank Heist Tells Us About Cloud Security

A sophisticated attempt to steal $440m from Sumitomo Mitsui bank's London offices in 2005 showed that what sits within the four walls of one's own building is just as vulnerable to attack as what lies outside them. The criminal case was tried in 2009, convicting everyone involved and putting the following details on the record.

Bribed security staff disabled security cameras and let in hired hackers under the cover of an after-hours poker game. The hackers installed key logging and "screen scraping" software onto Sumitomo's inter-bank transfer systems. Armed with credentials collected from these systems, the would-be thieves returned a month later disguised as office cleaners and attempted to transfer 229 million Pounds Sterling (approximately $440m at the time) to accounts in Dubai, Spain, Hong Kong and Singapore.

The key takeaway is this: security is about transparent risk management, whether it is implemented inside the walls of your building or someone else's. Security teams are often correct that their own datacenters are more secure than some of the best-known public clouds, but the reason is transparency: all physical and logical controls are known and can be audited.

Many public cloud providers take a "security by obscurity" approach, the reverse of transparent security. It is characterized by refusing "for security reasons" to provide details of the security controls actually implemented in the public cloud datacenter and infrastructure, and by refusing to provide the logs and documentation a security audit needs. You don't need to be a security professional to see that "just trust us" is a triumph of hope over experience.

True cloud security requires service providers who offer transparent security operations: you know what security is in place and can audit the logs and records produced by the security controls.

Fortunately for the bank’s customers, the hackers knew more about programming than they did about inter-bank transfers and tidiness: they were unable to complete the transfer screens correctly, and the transactions failed. Returning bank staff found unplugged cables on their computers, leading them to conduct checks which uncovered the bogus transfer attempts. Fundamentally, this story illustrates that transparent, audited security controls – whether internal or external – are key.

Posted by Mathew Lodge
VMware


Sunday, January 30, 2011

The Transition from Tape to Disk

As the IT industry progressively transitions to using disk for backup, recovery and archiving (and, correspondingly, moving away from tape), customers need solutions

EMC's BRS division is in an enviable position in terms of differentiated product features, leading market share and great customer enthusiasm.
Right now, I think this game belongs to EMC.



From Tape To Disk

If you've seen the market revenue stats for tape drives, libraries, media, etc. -- it looks sort of like a ski slope.  

The market demand for these products (tape automation is shown here) appears to be contracting in the double-digit percentage range annually.
This is not to wildly state that "tape is dead" or anything similar: it's just that we're all  apparently using a lot less of it with every passing year.  
The numbers don't lie.
Reactions tend to split in the community: some argue passionately for tape's continued longevity in the industry, others just want to move on to the next thing as quickly as possible.
From an industry perspective, I would state the obvious: declining category revenues for tape means that progressively less R+D will be invested in advancing the technology, with the inevitable outcome being that tape eventually becomes an interesting niche in the way that so many other storage technologies have become.

BTW, I have a nice supply of 3.5" diskettes if anyone is interested :-)

The motivation for the transition boils down to a few key elements.  
First and foremost has been rapidly declining disk media prices.  A terabyte of raw capacity isn't the big deal it used to be.  The advent of powerful software that not only dramatically compresses backup images, but retains compatibility with existing IT processes has made cheap disks all the more usable.  
And, finally, the ever-increasing performance of Intel-based CPUs has raised performance to impressive levels.
All three trends are at play here with the new product announcements.  
So, What's Being Announced?
Three things: two that are somewhat expected, and one that has the potential to be a big game-changer in the marketplace over time.
The first part of the announcement is the expected bigger/faster/better versions of the popular Data Domain backup engines.  
Speed matters in backup devices, especially those that are shared resources for multiple applications.  

Faster backup speeds means both more application availability and more efficient consolidation.  It's a win-win.
As data volumes continually grow, there's perpetual built-in demand for bigger -- and faster -- backup devices.
At the high end, the new version of the Data Domain Global Deduplication Array (DD GDA for short) now boasts an ingest rate of 26.3 terabytes per hour and a maximum of 570 usable TB, which, depending on the deduplication ratio achieved, translates to a logical capacity of roughly 5.7 to 28.5 petabytes.

This is roughly twice the performance of the previous version of the GDA, and an estimated 7 times faster than the corresponding IBM offering -- our next closest market competitor.
The more traditional DD units have been upgraded as well: the new DD890 and DD860 boast not only sizable performance and capacity bumps, but are both data-in-place upgrades for owners of the previous DD690 and DD880.

For those of you that missed it, "DD Boost" refers to a nifty software option that uses the frequently untapped processing cycles of backup servers to speed performance even further.  As a result, throughput numbers are shown both ways -- with and without DD Boost.
Unlike primary storage devices, there seems to be a bottomless demand for bigger/faster/better versions of backup-oriented dedupe devices.   Fortunately, thanks to the Intel roadmap, there will likely be many of these healthy bumps in store for years to come.

The second part of the BRS announcement has to do with host support: now adding IBM's inimitable "IBM i" (aka System i / iSeries / AS400 -- no jokes about the artist formerly known as Prince, please).  
For those of you not familiar with this particular server market, there are a *lot* of iSeries out there in very specific industries and geographies.  And, yes, they need better backup solutions as well :-)
Since IBM markets this platform as an all-in-one "solution", there aren't a lot of third-party infrastructure options for these users.  IBM implements some interesting nuances in the environment that require special storage engineering support.

EMC is the only major vendor (other than IBM) that has consistently invested in providing primary storage support for iSeries (through the Symmetrix product family) and now disk-oriented backup via Data Domain.  
For those of you interested in mainframe (formerly zSeries) backup solutions, I'd invite you to keep an eye on our recent acquisition of BusTech.
And The Big One ....
The third part of the announcement may seem rather unremarkable at first, but -- at least in my opinion -- has the greatest potential to change the dynamics of the storage market over time.

The new product is simply named "Data Domain Archiver".  
From a hardware perspective, it appears rather ordinary -- essentially a cost-and-performance optimized version of other Data Domain products.  
Simple-to-use software establishes straightforward migration policies to move aged backup data down to more cost-effective tiers over time.  And it all appears as a logical extension of the backup environment people are using today.

But there's far more to the story than meets the eye -- and here's why.
Most businesses need to keep data around for a long time.  They may never need to access it -- but when they do, it has to be there -- and be there reliably and relatively quickly.
Historically, tape has been the preferred medium for many of these long-term hope-I-never-have-to-use-it archives.  Internally, we refer to this particular use case as "tape's last refuge".

With this announcement, the game has changed -- we can now offer these deep-tape users a brand-new value proposition -- get rid of tape for long-term retention purposes.
How the numbers work out (tape vs. DD) in your particular environment will likely vary.  We're already able to make the case to switch for many customers, including this one.  
However, regardless of how the numbers might look for you today, all available data shows that industry forces are pushing one number down, and the other one up.
The forces pushing cost-to-store downward on disk-based solutions are easy to understand: rapidly declining costs for disk media, as well as more powerful standard processors that can efficiently deduplicate larger and larger volumes of information.
A little harder to get to -- but just as important -- are the forces pushing tape costs upward.  Due to declining revenues -- vendors don't appear to be advancing the economics of tape automation and media as quickly as their disk-based competitors, like Data Domain.
For most people, costs like floor space, labor for tape handling and other related services aren't going down fast enough.

Indeed, I think this "deduplicated disk as long-term archiving" aspect is probably worth a bit more discussion.
Integrating Long-Term Archiving With Backup
The use case for deep tape archiving is pretty clear: put it on tape, and pray you never have to access it.  If you do, hopefully it's just a very tactical and focused piece of data you need to get back, and -- again, hopefully -- you don't have to do this very often.
But things have a way of changing over time.  
First, the number of events that require an archival tape restore is apparently increasing over time.  It's just assumed that the IT guys can easily go find whatever files might be needed from several years ago.  
Finding and restoring particular files off of long-term tape can be very labor intensive -- if the data can be read at all!  Anecdotally, I've been told this retrieval process is usually an iterative process, e.g. "Is this what you're looking for?"  "Well, is this what you're looking for?"  "How about this?"  ... and so on.
Since everything archived sits on random-access media -- and typically appears as a single, consistent space -- retrieving specific data from the archive is far faster than before -- and takes much less effort.
Measuring The Impact
With this particular announcement, there are actually two important things going on.

The first is rather clear: disk is well on its way to replacing tape for primary backup and restore.  

EMC's BRS division is clearly leading the way here, and, with this announcement, has not only greatly magnified its fundamental economic proposition for customers but also increased the distance between itself and its next closest competitor.
But, more interestingly, with the Data Domain Archiver, EMC has essentially opened up an interesting new incremental market built around displacing tape's last refuge in longer-term deep archives.
So, here's the real question -- how long before the only place we'll see tape is here?


Chuck Hollis
VP, Global Marketing CTO
EMC Corporation

Friday, January 28, 2011

Things That Happen In Social Media In 2 Hours

I was traveling last week. I decided to order a shuttle service for the one-hour trip from San Jose to the San Francisco International Airport. Last week, however, the trip took 2 hours. Our super helpful driver tried his best to speed up our travel time by taking a different route and changing freeways – but with not much success.
As I was looking out the window admiring the long parking lot on the freeway (insert sarcasm here), my mind started wandering: “I wonder what’s going on out there while I’m sitting in here”.  Fueled by curiosity, I later jumped on the Internet to do some research and got my calculator out. Here is some fascinating information on what 2 hours means in the world of social media and web 2.0.
THINGS THAT HAPPEN IN SOCIAL MEDIA IN 2 HOURS
The moral of the story? If you are using social media for business,
  1. Your updates, uploads and tweets will need to really stand out to be heard and seen.
  2. Your tags need to be intuitive to web users. You need to tag your content using THEIR language to help them quickly discover and locate it.
  3. Keeping an eye on what people are saying about you is a must. Information on the web spreads faster and to more people than ever before. 
By Petra Neiger
Cisco
 

Thursday, January 27, 2011

Apple’s App Store Downloads Top 10 Billion

CUPERTINO, California—January 22, 2011—Apple® today announced that more than 10 billion apps have been downloaded from its revolutionary App Store℠ by the more than 160 million iPhone®, iPod touch® and iPad™ users worldwide. The 10 billionth app downloaded, Paper Glider, was purchased by Gail Davis of Orpington, Kent, UK. As the winner of the App Store Countdown to 10 Billion Apps, Gail Davis will receive a $10,000 iTunes® Gift Card.

“With more than 10 billion apps downloaded in just two and a half years—a staggering seven billion apps in the last year alone—the App Store has surpassed our wildest dreams,” said Philip Schiller, Apple’s senior vice president of Worldwide Product Marketing. “The App Store has revolutionized how software is created, distributed, discovered and sold. While others try to copy the App Store, it continues to offer developers and customers the most innovative experience on the planet.”

The revolutionary App Store offers more than 350,000 apps to iPhone, iPod touch and iPad users in 90 countries around the world, with more than 60,000 native iPad apps available. App Store customers can choose from an incredible range of apps in 20 categories, including games, business, news, sports, health, reference and travel.

Apple designs Macs, the best personal computers in the world, along with OS X, iLife, iWork, and professional software. Apple leads the digital music revolution with its iPods and iTunes online store. Apple is reinventing the mobile phone with its revolutionary iPhone and App Store, and has recently introduced its magical iPad which is defining the future of mobile media and computing devices.

Wednesday, January 26, 2011

Massive Online Bank Phishing Attacks in China

We have noticed a lot of SMS web-phishing attacks in China targeting Bank of China online banking users. Users receive a phishing SMS designed to look as if it was sent by Bank of China as a reminder to its customers. The message reads: “Dear user, your token has expired, please visit http://www.boc**.com to re-activate your token”. The URL resembles the bank’s official website but points to a phishing site that looks almost identical to the original bank website.

On this bogus website there is a button at the top right that reads “Upgrade your token”.

Once the user clicks this button, they are redirected to a page that looks like the normal online-banking login page. Here the criminals collect everything they need to steal money from the victim’s account: user ID, password and the current token code.

This information is used immediately to transfer money from the victim’s account to the attacker’s account before the one-time token code expires.

Many technologies are designed specifically to protect against phishing, including tokens, certificates and dongles. But even though BOC uses tokens to strengthen online-banking security, a one-time code that the customer types into a fake page can be relayed to the real site while it is still valid, so customers still need to take care to avoid this kind of phishing attack.
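As an added example (not code from the post), here is a small check an abuse desk could run over reported SMS text: extract the URLs and flag registrable domains that either embed the bank's brand name without being the bank's domain or sit within two edits of a trusted domain. The trusted domains `boc.cn` and `bankofchina.com` and the lookalike host `www.boc-token.com` in the sample message are assumptions for the example; the post masks the real phishing host.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// Domains the checker treats as genuinely the bank's (assumed for the example).
var trustedDomains = []string{"boc.cn", "bankofchina.com"}

var urlPattern = regexp.MustCompile(`https?://[^\s"'<>]+`)

// Verdict describes one URL found in a message. Reason is empty when the
// domain is trusted or simply unrelated to the bank.
type Verdict struct {
	URL    string
	Domain string
	Reason string
}

// registrableDomain keeps the last two labels of a host: "www.boc-token.com"
// becomes "boc-token.com". No public-suffix list, so this is a simplification.
func registrableDomain(host string) string {
	host = strings.ToLower(strings.TrimSuffix(host, "."))
	labels := strings.Split(host, ".")
	if len(labels) <= 2 {
		return host
	}
	return strings.Join(labels[len(labels)-2:], ".")
}

// editDistance is the Levenshtein distance, used to catch short lookalikes
// such as a swapped top-level domain.
func editDistance(a, b string) int {
	ra, rb := []rune(a), []rune(b)
	prev, cur := make([]int, len(rb)+1), make([]int, len(rb)+1)
	for j := range prev {
		prev[j] = j
	}
	for i := 1; i <= len(ra); i++ {
		cur[0] = i
		for j := 1; j <= len(rb); j++ {
			cost := 1
			if ra[i-1] == rb[j-1] {
				cost = 0
			}
			cur[j] = minInt(prev[j]+1, minInt(cur[j-1]+1, prev[j-1]+cost))
		}
		prev, cur = cur, prev
	}
	return prev[len(rb)]
}

func minInt(a, b int) int {
	if a < b {
		return a
	}
	return b
}

// lookalikeReason says why a domain is suspicious, or "" if it is trusted or
// does not resemble any trusted domain.
func lookalikeReason(domain string) string {
	for _, t := range trustedDomains {
		if domain == t {
			return ""
		}
	}
	brand := strings.SplitN(domain, ".", 2)[0]
	for _, t := range trustedDomains {
		trustedBrand := strings.SplitN(t, ".", 2)[0]
		if strings.Contains(brand, trustedBrand) {
			return fmt.Sprintf("embeds brand %q but is not %s", trustedBrand, t)
		}
		if editDistance(domain, t) <= 2 {
			return fmt.Sprintf("within edit distance 2 of %s", t)
		}
	}
	return ""
}

// CheckMessage extracts every URL in an SMS body and classifies its domain.
func CheckMessage(body string) []Verdict {
	var out []Verdict
	for _, raw := range urlPattern.FindAllString(body, -1) {
		u, err := url.Parse(raw)
		if err != nil || u.Hostname() == "" {
			continue
		}
		d := registrableDomain(u.Hostname())
		out = append(out, Verdict{URL: raw, Domain: d, Reason: lookalikeReason(d)})
	}
	return out
}

func main() {
	// Constructed sample in the shape of the SMS quoted above; the host is invented.
	sms := "Dear user, your token has expired, please visit http://www.boc-token.com/login to re-activate your token"
	for _, v := range CheckMessage(sms) {
		fmt.Printf("%s -> %s: %s\n", v.URL, v.Domain, v.Reason)
	}
}
```

The brand-substring rule is deliberately aggressive and will also flag unrelated domains that happen to contain "boc"; a deployment would add a public-suffix list and Unicode homograph handling, both omitted here.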

Tuesday, January 18, 2011

Careful What You Search For

Search results and malicious websites
Among the many excuses I’ve heard from people who take computer security too lightly, or who brush off the likelihood of being targeted by Web attacks, are comments such as “I don’t search for anything bad,” or “I only visit sites I know.” I find this sort of attitude very frustrating, if not amusing, and I like coming across bits of information that I can use to educate these people. So, I was especially interested in the results of some related data analysis that I worked on for the recently released Symantec Report on Attack Kits and Malicious Websites.
One of the metrics we use in the report examines Web search terms and the number of times the use of each search term resulted in a user visiting a malicious website. The range of search terms was unrestricted and consisted of both “good” and “bad” things—anything that anyone might search the Web for, in other words. The top 100 terms were chosen for closer inspection based on the volume of malicious website hits associated with them.
Malicious websites by search term type
One of the resulting data points that came from the analysis was particularly interesting, although not surprising. Of the top 100 search terms, 74 were specific to legitimate domain names. That means that someone was searching for a legitimate website by name and ended up visiting a malicious website instead. How does that happen? One of the main ways is this: When Uncle Bob wants to visit some website, perhaps his favorite social network, he types the website name in the search bar rather than entering the full URL. Uncle Bob’s browser searches for the matching domain name and returns a list of results. Uncle Bob absent-mindedly clicks on one of the results without verifying where it leads and ends up opening a malicious website.
This scenario may sound a bit contrived, but I think alternate scenarios are likely similar. Moreover, the numbers speak volumes: attackers are getting more hits on their malicious sites when targeting searches for reputable (i.e., good) websites than they are for targeting, say, less-than-savory sites, reinforcing just how important caution is when browsing the Web, even for people who think they’re practicing safe searching.
For a complete analysis of malicious websites by search term—as well as discussion of other aspects of attack kits and malicious sites—please download the Symantec Report on Attack Toolkits and Malicious Websites.

Exploiting Jnanabot for Fun and Profit

Lest we forget, malware is a software application, albeit a malicious one. And, like any other software application, it can have vulnerabilities that can be exploited.
Our analysis of Trojan.Jnanabot has revealed several serious vulnerabilities. One of the more interesting features of Jnanabot is its custom peer-to-peer (P2P) networking protocol. In other words, its bots are designed to be a part of a P2P network and use a custom-designed protocol for communicating with each other. This ensures that there is no single point of failure and that it is harder to trace the source of the infection and to take the botnet down. While the protocol was designed to provide some degree of robustness to the botnet, it has some flaws that allow anyone (provided they have the right know-how) to exploit them for fun and/or profit. At the very least, these flaws can be used to collect information about the infected hosts. At worst, they can be leveraged to create a fully functional parallel botnet or effect the complete takeover of the existing one.
In this blog I will document these flaws and illustrate how they can be exploited. Taking a page from the black hat handbook, we know that a successful exploit involves the following steps:
1.    Identifying a target
2.    Information gathering
3.    Exploiting a vulnerability in a network service running on the target
4.    Launching further attacks

Our research has shown that Jnanabot protocol vulnerabilities make the above steps trivial.
Identifying a target
The port for Jnanabot P2P communication is determined from the IP address of the peer, using a hashing algorithm. This means that given an IP address, it is possible to determine the port on which the Jnanabot P2P service might be running—if the host is in fact infected. Moreover, if a badly formatted P2P message is sent to an infected host, Jnanabot responds with an error message. Hence, given a range of IP addresses, it is possible to scan and identify infected hosts in that range.
Information gathering
The Jnanabot P2P protocol has an information-disclosure vulnerability that can be exploited to determine the current version of the bot and the operating system of the infected host on which it is running. In fact, the bot provides access to any file to which the currently logged-in user has access. It is easy to determine the current operating system and its version from artifacts of the file system. For example, the following chart shows Jnanabot’s OS distribution, mapped in the early part of December 2010:
In addition, on Windows hosts the malware installs a keylogger that records keystrokes in a plaintext flat file on the system before uploading the file to a remote FTP server. These files are accessible via the P2P service and can reveal private and confidential details such as usernames and passwords to a remote unauthenticated attacker.
Exploiting a vulnerability
The Jnanabot P2P protocol has a vulnerability that allows a remote attacker to upload any file to any location on the host’s file system. This can be easily exploited to run a simple backdoor on the infected host. For example, a file created in the Windows startup directory will run every time Windows restarts. An attacker may also install a rootkit to cover his or her tracks and/or hide the backdoor.
Launching further attacks
Each Jnanabot agent maintains a list of peers. The P2P protocol provides a way of updating this list and also obtaining this list from a host. In addition, this list is present in encrypted form in the root directory where Jnanabot is installed. Hence, if even a single peer in a network is known, its peer list can be used to identify further targets whose peer lists can in turn be used; in this way, a large list of exploitable hosts can be obtained. A single peer can be used as a springboard to dive ever deeper into the Jnanabot network. Note that each list can have a maximum of 100 peers—making it highly probable that at least some of those peers will be accessible and available for exploitation.
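As an added example (not Symantec's code and nothing taken from the bot), this is the walk the paragraph above describes, written out: start from one known peer, ask it for its peer list, and keep going breadth-first until the network is exhausted or a cap is hit. The page gives the peer-list capability and the 100-entry limit but not the wire format, so the "ask a peer" step is a callback; it is driven here by a constructed in-memory network whose addresses and offline host are invented for the example.

```go
package main

import (
	"fmt"
	"sort"
)

// PeerFetcher abstracts "ask one infected host for its peer list". The real
// request format is not described on the page; offline hosts return ok=false.
type PeerFetcher func(peer string) (peers []string, ok bool)

// maxPeersPerList mirrors the 100-entry limit the analysis reports.
const maxPeersPerList = 100

// Crawl walks the network breadth-first from a single known peer. It returns
// every host that answered (sorted) and how many discovered hosts did not,
// stopping once limit hosts have answered so a run against a large network
// terminates.
func Crawl(seed string, fetch PeerFetcher, limit int) (reached []string, unreachable int) {
	seen := map[string]bool{seed: true}
	queue := []string{seed}
	for len(queue) > 0 && len(reached) < limit {
		host := queue[0]
		queue = queue[1:]
		peers, ok := fetch(host)
		if !ok {
			unreachable++
			continue
		}
		reached = append(reached, host)
		if len(peers) > maxPeersPerList {
			// The protocol bounds the list; never trust the remote side to honour it.
			peers = peers[:maxPeersPerList]
		}
		for _, p := range peers {
			if !seen[p] {
				seen[p] = true
				queue = append(queue, p)
			}
		}
	}
	sort.Strings(reached)
	return reached, unreachable
}

// simulatedNetwork is a constructed toy botnet: each host knows a couple of
// others, 10.0.0.5 is offline, and 10.0.0.6 is never referenced by anyone the
// crawl can reach, so it stays undiscovered.
func simulatedNetwork() PeerFetcher {
	lists := map[string][]string{
		"10.0.0.1": {"10.0.0.2", "10.0.0.3"},
		"10.0.0.2": {"10.0.0.1", "10.0.0.4"},
		"10.0.0.3": {"10.0.0.5"},
		"10.0.0.4": {"10.0.0.2"},
		"10.0.0.6": {"10.0.0.1"},
	}
	return func(peer string) ([]string, bool) {
		l, ok := lists[peer]
		return l, ok
	}
}

func main() {
	live, dead := Crawl("10.0.0.1", simulatedNetwork(), 1000)
	fmt.Printf("reachable: %v, unreachable: %d\n", live, dead)
}
```

The visited set is what keeps the walk finite on a real network, where peer lists cross-reference each other heavily; the limit is there so that an analyst can sample rather than enumerate.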
Conclusion
It is not possible to determine if the existence of these vulnerabilities is known to Jnanabot’s creator(s), who either have a callous disregard for them or are simply unaware. We also do not know if there are others in the black hat community who know of these issues and are exploiting them. In any case, a host infected with Jnanabot has its doors wide open with a big “Welcome” sign inviting further exploitation. As such, the presence of Jnanabot on a host poses a threat much more grave than previously thought. Put that together with the fact that Jnanabot can infect multiple platforms, and we have a recipe for disaster.
Note that Jnanabot is written in a secure language, using advanced cryptographic techniques with strong algorithms. Yet, it allows for a complete compromise of the host on which it runs. This goes to show that depending solely upon secure platforms cannot ensure application security. Logic bugs are platform independent and can affect any application, including malware. It also demonstrates how a single malware infection can open the door to further infections and compromise the overall security of systems and networks.

Thursday, January 13, 2011

Rampant Ransomware

Contemporary viruses are written to make money. They achieve this through extortion, information theft, and fraud. Threats that use extortion can be some of the most aggressive and, in some cases, offensive viruses encountered. These viruses are generally referred to as ransomware. This blog discusses some of the nastiest variants that have been encountered so far.
In your face!

Whilst by its nature ransomware is not subtle, certain variants are very obvious in their approach. They use a combination of shock and embarrassment in order to extort money from people. The most recent example of this is Trojan.Ransomlock.F. The Trojan.Ransomlock family is a particular type of ransomware, which locks a user’s desktop. Once the desktop has been locked, it is then no longer possible to use the computer as normal. To restore access to the desktop, one typically has to send a text message to a premium rate number. A message containing the unlock code is then – hopefully – sent back to the user. (Trusting someone who has just compromised your computer and is holding you to ransom is generally not very reliable.)

In the case of the Trojan.Ransomlock.F variant, not only does it lock the desktop, but it also changes the desktop background to an explicit pornographic image as in Figure 1 (censored!). This additional trick has been included by the authors of the threat in order to play on the user’s insecurities. Having a graphic pornographic image emblazoned across a monitor is guaranteed to give anyone a red face. They are less likely to seek technical help from another person to solve the problem in an effort to avoid embarrassment.
Figure 1 Censored Trojan.Ransomlock.F image (see translation of the message in Figure 2)
WARNING!
You surfed gay porn videos for three hours.

The free viewing time has expired.

To pay for the service, you need to make an online payment through the Beeline system to XXXXXXX for the amount of $400 USD.
Upon receipt of the payment you will be given an activation code.

Enter it in the box below and press Enter.

Figure 2 Translated Trojan.Ransomlock.F
A similar tactic is used by Infostealer.Kenzero. This threat masquerades as an adult game. When the Trojan is first executed, the user is asked to enter some personal information. It then monitors any pornographic Internet pages visited by the user and uploads the list of pages to a certain website. The user is then threatened with exposure of this list, in association with their personal information, if a sum of money is not paid. Again, the threat plays on a person’s embarrassment in order to extort money.
Backup

Another approach that ransomware threats typically employ is holding a user to ransom for files on their computer. This is a relatively common tactic, but has evolved over the years, utilizing encryption in smarter ways. The general approach is to search for files on the compromised computer. When user-specific files such as .doc, .xls, .jpg, etc. are found, they are then encrypted by the threat. The encryption renders the files inaccessible. Only by obtaining the correct key can the files be decrypted and accessed. Of course, to get the key, the owner of the compromised computer has to pay out.

A classic implementation of this can be seen in Trojan.GPCoder.E. This Trojan generates an encryption key specific to the compromised computer. It then checks to see if the system date is after July 10th, 2007. If so, a comprehensive list of files is searched for and encrypted using the generated key. Furthermore, a message (Figure 3) is left in each folder where a file has been encrypted.
Hello,    your   files   are   encrypted   with   RSA-4096   algorithm  (http://en.wikipedia.org/wiki/RSA).

  You  will  need  at least few years to decrypt these files without our software.  
  All  your  private  information  for  last  3  months  were collected and sent to us.
  To decrypt your files you need to buy our software. The price is $300.
  To  buy  our software please contact us at: [MAIL_ADDRESS] and provide us your  personal code [PERSONAL_CODE].
  After successful purchase we will send your  decrypting  tool, and your private information
  will be deleted from our system.
  If  you  will not contact us until 07/15/2007 your private information will be shared and you will lost all your data.
                Glamorous team

Figure 3 Ransom message
Luckily, this threat did not use RSA as it claimed (or a grammar checker, for that matter), and it stored the generated encryption key in the registry. It was therefore possible to retrieve the key from the registry and decrypt the files successfully.

Unfortunately, a more recent implementation has proven much smarter and uses a more robust encryption scheme. Trojan.GPCoder.G uses the public key algorithm RSA. The local files are first encrypted with a symmetric algorithm under a random key. That random key is then encrypted with the public half of an RSA key pair held by the attackers. Without the private half of that key pair, it is not possible to recover the symmetric key and thus the files. The owner of the compromised computer must send the encrypted symmetric key, along with the ransom, to the malware authors; they decrypt the symmetric key and return it. This process is illustrated in Figure 4. The user can then decrypt their files. As long as the private key stays with the attackers, there is no way to bypass this scheme. Unfortunately, unless the ransom money is sent to the malware authors (which carries no guarantee of success), the only way to retrieve the encrypted files is from backup. Always back up!
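The two key-management choices contrasted above, written out as an added example (not the malware's code, and not Symantec's). EncryptWeak and RecoverWeak stand for the GPCoder.E mistake: the file key is generated on the victim's machine and left there, so a responder who finds it decrypts everything. EncryptHybrid, UnwrapKey and DecryptHybrid stand for the GPCoder.G scheme: a random symmetric key protects the files, and the only copy that remains with the victim is wrapped under the attacker's RSA public key. AES-256-GCM and RSA-OAEP are this example's choices; the post names RSA but not the symmetric cipher or padding the malware used.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts one file body, prefixing the random nonce to the ciphertext.
func seal(key, plaintext []byte) ([]byte, error) {
	aead, err := gcm(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// open reverses seal; a wrong key fails GCM authentication instead of
// producing garbage, so the victim cannot even "try" keys meaningfully.
func open(key, data []byte) ([]byte, error) {
	aead, err := gcm(key)
	if err != nil {
		return nil, err
	}
	if len(data) < aead.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, data[:aead.NonceSize()], data[aead.NonceSize():], nil)
}

// apply runs fn over every file, as the malware does over .doc/.xls/.jpg files.
func apply(files map[string][]byte, fn func([]byte) ([]byte, error)) (map[string][]byte, error) {
	out := make(map[string][]byte, len(files))
	for name, data := range files {
		res, err := fn(data)
		if err != nil {
			return nil, err
		}
		out[name] = res
	}
	return out, nil
}

func newFileKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := rand.Read(key)
	return key, err
}

// WeakResult models GPCoder.E: the file key is left on the victim's machine
// (the registry, per the post; a struct field stands in for it here).
type WeakResult struct {
	StoredKey []byte
	Files     map[string][]byte
}

func EncryptWeak(files map[string][]byte) (*WeakResult, error) {
	key, err := newFileKey()
	if err != nil {
		return nil, err
	}
	ct, err := apply(files, func(b []byte) ([]byte, error) { return seal(key, b) })
	return &WeakResult{StoredKey: key, Files: ct}, err
}

// RecoverWeak is the responder's move: reuse the key the malware left behind.
func RecoverWeak(w *WeakResult) (map[string][]byte, error) {
	return apply(w.Files, func(b []byte) ([]byte, error) { return open(w.StoredKey, b) })
}

// HybridResult models GPCoder.G: the only copy of the file key the victim keeps
// is wrapped under the attacker's public key; the private half never touches the host.
type HybridResult struct {
	WrappedKey []byte
	Files      map[string][]byte
}

func NewAttackerKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

func EncryptHybrid(files map[string][]byte, attackerPub *rsa.PublicKey) (*HybridResult, error) {
	key, err := newFileKey()
	if err != nil {
		return nil, err
	}
	ct, err := apply(files, func(b []byte) ([]byte, error) { return seal(key, b) })
	if err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, attackerPub, key, nil)
	return &HybridResult{WrappedKey: wrapped, Files: ct}, err // raw key is dropped here
}

// UnwrapKey is what the attacker does after payment; any other private key
// fails OAEP decryption outright, yielding no key at all.
func UnwrapKey(h *HybridResult, priv *rsa.PrivateKey) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, h.WrappedKey, nil)
}

func DecryptHybrid(h *HybridResult, key []byte) (map[string][]byte, error) {
	return apply(h.Files, func(b []byte) ([]byte, error) { return open(key, b) })
}

func main() {
	files := map[string][]byte{"report.doc": []byte("quarterly numbers")} // constructed sample
	attacker, _ := NewAttackerKey()
	h, _ := EncryptHybrid(files, &attacker.PublicKey)
	key, _ := UnwrapKey(h, attacker) // the step the ransom buys
	back, _ := DecryptHybrid(h, key)
	fmt.Printf("after unwrap: %q\n", back["report.doc"])
}
```

The difference between the two is entirely where the symmetric key lives after encryption finishes: in the weak scheme it is on the victim's disk, in the hybrid scheme it exists only inside an RSA ciphertext, which is why backups are the only recovery path for the latter.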

Figure 4 Trojan.GPCoder.G process
Boot blocking

The most basic computer resource that an attacker can attempt to obtain a ransom for is access to the operating system itself. No operating system means no antivirus and no assistance from the Internet. Trojan.Bootlock achieves this by overwriting the master boot record (MBR) with custom code. The MBR is responsible for starting a computer’s operating system. By overwriting it with custom code, the malware authors deny the user access to the operating system. Instead the user is greeted with the message in Figure 5.


Figure 5 Trojan.Bootlock

The web page that is referenced in the message demands payment of $100 to obtain the password. Contrary to what the attackers claim, however, the hard drive is not encrypted and can still be accessed offline. The MBR can be repaired and the threat removed using the Norton Bootable Recovery Tool.
As always, the best way to defend against such threats is up-to-date antivirus and a regular backup routine. Thanks to the various engineers whose analysis made up this article, including Paul Mangan, Yousef Hazimee, Karthik Selvaraj, Fergal Ladley, and Elia Florio.

Wednesday, January 5, 2011

Portable Document Format Malware

Symantec continues to observe a large amount of malware that exploits PDF vulnerabilities. We see samples using old vulnerabilities, even though those vulnerabilities were found over two years ago and have already been patched. One of the reasons why such samples are used is the existence of techniques to avoid antivirus detections by taking advantage of the PDF specifications. Symantec has been and continues to be on the lookout for PDF malware to create signatures to detect them.

A few weeks ago I presented a paper at AVAR 2010 discussing PDF malware that takes advantage of the PDF specifications and the implementation of PDF viewer applications to hide themselves.

This paper shows concrete examples of detection avoidance from the point of view of PDF and JavaScript. By knowing your enemy like you know yourself, we hope that it helps your defenses. With this objective we present the whitepaper on Portable Document Format Malware.