RSA Reporter's Notebook: Time to outlaw rootkits?

By SearchSecurity.com Staff
20 Feb 2006 | SearchSecurity.com

Security Wire Daily News

DHS official suggests anti-rootkit legislation
Jonathan Frenkel, the U.S. Department of Homeland Security's director of law enforcement policy, suggested to 2006 RSA Conference attendees Thursday that the most appropriate response to the industry's increasing use of rootkits is to ban them through legislation.

"The recent Sony experience shows us that we need to be thinking about how we ensure that consumers are not surprised by what their software programs are programmed to do," Frenkel said. "Legislation or regulation may not be a solution in all cases, but it may be warranted in some circumstances."

Security experts have roundly criticized Sony BMG Music Entertainment since researcher Mark Russinovich, chief software architect and co-founder of Winternals Software LP in Austin, Texas, found the company's rootkit on his own machine and wrote an analysis of it on his blog at Sysinternals.com, setting off a public relations nightmare for Sony.

Experts said Sony was playing with fire by using a rootkit-based digital rights management (DRM) system to prevent CD copying, and that the company's move could open the door to a variety of dangerous exploits. Rootkits, tools or programs that hide files, processes or other software from the operating system and its users, are typically used by malicious hackers to mask an intrusion.

Sony hasn't been the only company to catch flak for using hidden programs.

In January, Cupertino, Calif.-based AV giant Symantec Corp. was forced to fix a flaw in its popular Norton SystemWorks program. As Symantec put it, "Norton SystemWorks contains a feature called the Norton Protected Recycle Bin, which resides within the Microsoft Windows Recycler directory. The Norton Protected Recycle Bin includes a directory called NProtect, which is hidden from Windows APIs. Files in the directory might not be scanned during scheduled or manual virus scans."

Symantec acknowledged attackers could use this feature to hide malicious files on computers, and updated the product so it would display the NProtect directory in the Windows interface.
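The NProtect directory is the textbook case for a cross-view check: a walk of the volume that goes below the file-system API shows entries that the API view leaves out, and a scanner driven only by the API view never opens them. The following is an added example, not code from SearchSecurity, Symantec or Sysinternals. It models a volume as an in-memory tree, models the hiding as a filter that drops a directory name from API enumeration (the effect a filter driver hooking directory listing has), and detects it by diffing the filtered view against the raw walk, the same comparison tools such as RootkitRevealer make against a real volume. The volume layout, file names and sizes are constructed for the example.

```python
"""Cross-view detection of directory entries hidden from the Windows API.

Added example; not code from SearchSecurity, Symantec or Sysinternals.
A volume is modelled as an in-memory tree. walk() with an empty hidden
set is the raw on-disk view; walk() with names in hidden_names models
the API view as seen through a filter that drops those entries, the
NProtect behaviour. Anything present in the raw view but absent from
the API view is hidden, and a scan driven by the API view never reaches
it. Windows names compare case-insensitively, so comparisons are made
on lower-cased paths.
"""
from typing import Dict, FrozenSet, List, Union

# Directory -> subtree, file -> size in bytes.
Tree = Dict[str, Union[int, "Tree"]]

# Constructed sample volume: names and sizes are made up for this example.
RAW_VOLUME: Tree = {
    "Windows": {"explorer.exe": 1_033_728, "System32": {"ntdll.dll": 702_464}},
    "RECYCLER": {
        "S-1-5-21-1000": {"Dc1.doc": 4_096},
        "NProtect": {"00000001.exe": 51_200, "00000002.dll": 8_192},
    },
}


def walk(tree: Tree, hidden_names: FrozenSet[str] = frozenset(),
         prefix: str = "") -> Dict[str, bool]:
    """Enumerate the tree as {path: is_directory}.

    With an empty hidden set this is the raw view, every entry on the
    volume. With names in hidden_names it is the API view: a matching
    entry is dropped before the caller sees it, and because a dropped
    directory is never descended into, everything beneath it vanishes
    from the view as well."""
    hidden = {h.lower() for h in hidden_names}
    view: Dict[str, bool] = {}
    for name, node in tree.items():
        if name.lower() in hidden:
            continue  # the filter swallows this entry and its subtree
        path = f"{prefix}\\{name}" if prefix else name
        is_dir = isinstance(node, dict)
        view[path] = is_dir
        if is_dir:
            view.update(walk(node, hidden_names, path))
    return view


def detect_hidden(tree: Tree, hidden_names: FrozenSet[str]) -> List[str]:
    """Paths present in the raw view but missing from the API view."""
    raw = walk(tree)
    api_lower = {p.lower() for p in walk(tree, hidden_names)}
    return sorted(p for p in raw if p.lower() not in api_lower)


def unscanned_files(tree: Tree, hidden_names: FrozenSet[str]) -> List[str]:
    """Files a scanner that walks the API view would never open: the hidden
    paths that are files rather than directories."""
    raw = walk(tree)
    return [p for p in detect_hidden(tree, hidden_names) if not raw[p]]


if __name__ == "__main__":
    for p in detect_hidden(RAW_VOLUME, frozenset({"NProtect"})):
        print("hidden from API:", p)
    for p in unscanned_files(RAW_VOLUME, frozenset({"NProtect"})):
        print("never scanned:", p)
```

On a real machine the two views come from different code paths (Win32 directory enumeration versus parsing the NTFS master file table directly), not from one tree with a filter; the comparison logic is the same. A discrepancy is a lead, not a verdict: a file legitimately created between the two walks will show up as well, so tools rescan flagged paths before reporting.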

Russinovich has also fingered Russian AV firm Kaspersky Lab Ltd. for using a rootkit-like feature in some of its products. Kaspersky has denied such claims.

Well-intentioned employees trump evil insiders
During an RSA Conference panel discussion Thursday on how to avoid information leakage, San Francisco-based data protection provider Vontu Inc. surprised some attendees with statistics it has collected from customers. For instance, 1 in 400 outbound e-mails at large organizations contains confidential information. Similarly, 1 in 50 files or file shares on desktops holds proprietary information. And by another Vontu figure, 95% of the insider breaches that expose such information continue to come from well-meaning employees, not malicious ones.

Talk of remedies focused on encryption and monitoring, but one of the panelists also suggested IT security departments run a test to see how well employees voluntarily comply with policy changes. For instance, if the company decides to ban opening e-mail attachments, he recommended sending out a notice with an effective date, then observing the adoption rate before making compliance mandatory through tools. The trial period, during which nothing is yet enforced, will show how well a workforce follows policy on its own and single out individuals and departments that may need more nudging.

Perimeters, trusted users fading away
Endpoint security, NAC and NAP may be the technology flavors of the month, but to a group of current and former corporate CISOs huddled together Wednesday at the RSA Conference, security is not about controlling the endpoint. It's all about the data, whether it's in use, at rest or on the move.

"The workstation used to be the endpoint; now it's gone virtual," said Rhonda MacLean, former CISO at Bank of America Corp., during a panel discussion hosted by the Executive Alliance. "So if the perimeter's gone, what is it that you're controlling? It's your IP."

Defining the endpoint has proven close to impossible. With the dissolution of the network perimeter, trusted users are accessing corporate intellectual property on laptops, PDAs, cellphones and other personal devices, including home PCs. That complicates how security managers provision access to data, as well as account for its whereabouts and eventually dispose of it.

The notion of the trusted user is dissolving just as quickly, as enterprises extend their borders online to customers, partners and suppliers.

"The trusted user keeps me up at night," said Craig Shumard, CISO of insurance provider CIGNA Corp. "At the end of the day, a number of people have the keys to the kingdom. They can cover their tracks and seriously put you at risk."

Endpoint security tools that assess devices as they connect to a network can fill in some of those gaps. These tools determine whether a device is adequately patched, whether antivirus and antispyware signatures are current and whether system configurations are secure. But they don't prevent someone from walking away with the company secrets on a thumb drive.

"Securing the endpoint is letting users off the hook," Shumard said. "These solutions are not helping. They're driving [security] back to being a technology issue."

Thumbs up for open source
How do you like your penetration tools? Nitesh Dhanjani of Ernst & Young LLP likes 'em open and says you should too.

Nessus and Metasploit, for example, are prominent in his arsenal.

"I used them because you can open Nessus and see how it arrived at the problem. You can't do that with closed-source proprietary tools," Dhanjani said. "Open source tools allow you to tweak and extend their functionality without having to wait for vendor add-ons."

While Metasploit remains free and open, Nessus 3, released late last year, was not released under the GNU General Public License (GPL), and its updates and plug-ins can no longer be freely redistributed. Columbia, Md.-based vendor Tenable Network Security Inc. now owns Nessus, and creator Renaud Deraison has maintained that the core engine will remain free and only the plug-ins will come with a price.

Due diligence is a don't
Benjamin Wilson, vice chairman of the American Bar Association's information security committee and an attorney with Smith Hartvigsen PLC in Salt Lake City, highlighted some work being done among browser makers and certificate authorities to improve the vetting process for buying digital certificates for Web sites.

Wilson decried the lack of due diligence currently applied in determining whether the buyer of an SSL certificate for a site is actually an agent of the company named in it, or even whether that entity exists. This has fed the rise of phishing sites that carry legitimate certificates and display the ubiquitous padlock that is supposed to signify a site is secure.

Wilson said future versions of Internet Explorer and Firefox, for example, will elevate the padlock to the URL address window, which will be color-coded to reflect the safety of a site. The name of the certificate authority will also be prominent, as will the relevant purchaser information.
