- Ed Skoudis, Counter Hack
Infosecurity could be in for some rough weather in the coming year. Our forecast shows threats moving in on five major fronts, carrying the potential for widespread damage and unprecedented data loss.
Information Security assembled a team of "security weathermen." They've checked the radar, monitored the Doppler, reviewed satellite photos and recorded the Internet's barometric pressure. The forecast is grim.
Their consensus: Threats will generally take familiar forms -- exploited browser flaws, destructive worms, DoS attacks, cracked wireless networks and schemes to undermine e-commerce systems. What's fluctuating is the scope and severity of these threats, intensified by increasingly automated hacking tools and enterprises that remain vulnerable despite the clear storm warnings.
More reason for concern is that malicious hacking is becoming a growth industry. Underground websites sell customized backdoor and root kit software; and attackers rent armies of compromised systems for spamming, phishing, DoS attacks and identity theft. Organized criminal elements are the epicenters of many enterprise network attacks.
Heed these forecasts and hunker down for the coming storms. As they say in the Nor'east, "There's a storm brewing, and we're in for a walloping."
The ubiquitous Internet Explorer is the foundation of e-commerce -- and an increasingly common attack vector. Expect more numerous and lethal attacks as IE flaws are discovered with alarming frequency.
"IE vulnerabilities are surfacing at a rapid pace, and a large proportion is extremely critical," says forecaster Eugene Schultz. For example, within days of its release, researchers found flaws in the highly touted IE security fixes in Windows XP SP2.
Forecasters: Our security weathermen
Ed Skoudis, CISSP, our chief meteorologist, is cofounder of Intelguardians, a security consulting firm, and a member of the Information Security Testing Alliance.
Anton Chuvakin, Ph.D., GCIA, GCIH, is a security strategist with netForensics. His infosecurity expertise includes intrusion detection, Unix security, forensics and honeypots. He is the author of Security Warrior.
Eugene Schultz, Ph.D., CISM, CISSP, is a principal engineer at the Berkeley Lab of the University of California and is editor-in-chief of Computers and Security. He's the author/coauthor of five books.
Jim Jones is chief scientist and director of SAIC's Rapid Solutions Laboratory and has held infosecurity positions in government, academia and private industry.
Mike Poor is a senior security consultant at Intelguardians, where he specializes in penetration tests, security audits and architecture reviews.
Marcus Sachs is director of the SANS Internet Storm Center. He previously served on the staff of the National Security Council.
IE is deeply intertwined with the Windows operating system, spreading the potential damage to other applications that rely on browser-related DLLs and other code. The problem is getting worse, as attackers analyze IE at a microscopic level to find problems ripe for exploitation. They will exploit flaws, such as September's buffer overflow in IE's JPEG processing code, to install backdoors.
With businesses depending on the Web for everything from online banking and shopping to supply chains and global access to backend databases, the browser is a prime target for criminals.
A glaring example of what lies ahead occurred last June with the exploitation of the Download.Ject flaw in IE, which led to the installation of the Berbew keystroke logger from a Russian website onto the computers of users who visited any of the more than 100 compromised commercial websites. Criminals used the logger to steal thousands of credit card numbers and bank passwords.
Since you can't control IE vulnerabilities any more than you can control the weather, take these steps to protect your organization from compromise:
- Harden your browser configurations. Use enterprise management tools, such as Windows Group Policy or Microsoft's Internet Explorer Administration Kit, to shut off functionality your users may not need, such as ActiveX controls and scripting of Java applets, which attackers can exploit by installing Trojans, deleting or retrieving files, etc.
- Lock down your operating system configuration using a solid security template such as those available free from the Center for Internet Security (www.cisecurity.org) for Windows 2000 and XP, Linux, Solaris and other systems.
- Implement a patch management process that enables you to rapidly test and deploy critical fixes.
- Use firewalls and proxy servers, including those from Cisco Systems, Juniper Networks and Check Point Software Technologies, that can remove untrusted active content, such as ActiveX controls, Java applets and browser scripts.
Worms and bots storming in
From Bagle to Sasser to Phatbot, we've never seen the likes of this year's relentless malware release cycle. Our forecasters predict a significant increase in the number and destructive power of malware in 2005, featuring swarms of worms and bots.
Several factors are feeding this pending hailstorm of activity.
Bots, which are highly effective backdoors installed on unsuspecting victim machines, are sometimes released with source code, allowing people with limited development skills to create variants by adding or removing code. Also, today's worms and bots are highly modular, built to be quickly tweaked with newer and nastier features. Some bots include more than 100 functional modules, each with a different capability, such as launching a DoS flood, acting as a spam relay, or giving the attacker command-shell control of a compromised machine.
Compounding the problem, attackers are using worms to spread bots. A simple mass-mailing worm can spread one bot to thousands of systems, creating a distributed "botnet" of controlled victims.
In 2004, with some variants of worms like Netsky and Bagle, we witnessed a new phenomenon: the use of bots to spread worms. Using hundreds or thousands of bots as a starting point for worm distribution, attackers can rapidly conquer thousands of additional machines and flood the Internet with malware that has no discernible source point.
We've entered a vicious feedback loop -- with worms spreading bots and bots spreading worms -- and tomorrow's batch could be more damaging than the ones we've seen so far.
"As malware authors begin to include destructive code with their exploits and worms, they would cause mass disruption," says forecaster Mike Poor.
This rising storm of malware is pushing the limits of traditional AV defenses as new, fast-spreading malicious code staged from bot-controlled systems can compromise a multitude of targets in a matter of minutes.
The lesson: Don't rely solely on signature-based defenses.
- Make sure your AV tools automatically update signatures as soon as they become available.
- Use personal firewalls to limit outbound and inbound traffic to those services required for your business.
- Use host-based intrusion prevention systems, such as those from Cisco, McAfee and Sana Security.
- Bolster your defense with network-based intrusion prevention systems from companies like TippingPoint Technologies, Check Point, Q1 Labs, Mirage Networks and ForeScout Technologies, which can rapidly detect worm-like traffic patterns and contain attacks.
DoS floodwaters on the rise
In the old days, a patient hacker could hijack perhaps 200 systems to launch a DDoS flood. Today, an attacker with even limited skills can assemble a botnet army of tens of thousands of machines.
Today's flood traffic, such as legitimate HTTP requests, is harder to deflect than the relatively simple SYN floods used by MafiaBoy in 2000 to take down Amazon, Yahoo and eBay.
"Botnets mean anyone can launch such a denial of service, and generated traffic can look nearly indistinguishable from legitimate traffic," explains forecaster Jim Jones.
Now, add the profit motive. This year saw a rapid rise in the number of DoS extortion attempts against offshore gambling and Internet porn sites. The attackers threaten a potential target with a business-crushing DoS flood unless the victim pays them off, or they launch a flood without warning and sell "protection," like a mobster shaking down neighborhood shop owners. Attackers will likely focus on other targets, including e-commerce sites and, possibly, financial institutions.
There's no way to defend completely against a determined, massive DDoS attack. The best you can do is quickly detect, mitigate and weather the storm. Here are some things you can do:
- Work with your ISP to make sure you have adequate bandwidth with multiple, parallel paths connecting you to the Internet, so that your critical systems can better withstand DDoS attacks.
- Activate flood detection and throttling capabilities in your firewalls, which can identify some spurious traffic and cope with relatively minor storms.
- If you have a large enterprise or work at an ISP, investigate products designed to detect and thwart floods upstream from companies like Arbor Networks, Mazu Networks, Lancope and Cisco. Ask your ISP if it uses these kinds of tools.
- Develop a corporate response policy and plan for dealing with extortion threats. Who will make the ultimate call about whether to brave the storm or give in?
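Both the network-based detection of worm-like traffic recommended in the malware section and the flood detection recommended above can be driven from the same summarized connection records that firewalls and flow exporters already produce. The following is an added example written for this article, not code from the article or from any of the vendors it names. It runs over constructed flow records (not captured traffic) and flags two patterns: worm-like fan-out, where one source sweeps many distinct destinations on one port, and flood-like fan-in, where one service is hit by many sources at a high rate. The window sizes and thresholds are assumptions that must be tuned per network.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Flow:
    """One summarized connection record (NetFlow-style). All fields are constructed sample data."""
    t: float      # seconds since start of capture
    src: str
    dst: str
    dport: int
    nbytes: int


def find_scanners(flows, window=60.0, fanout_threshold=20):
    """Worm-like fan-out: one source contacting many distinct destinations on the
    same port inside one time bucket. Returns {(src, dport): max distinct dsts}.
    Thresholds are assumptions to tune per network; fixed buckets are used for
    simplicity, a sliding window would also catch sweeps that straddle a boundary."""
    seen = defaultdict(set)
    for f in flows:
        seen[(f.src, f.dport, int(f.t // window))].add(f.dst)
    alerts = {}
    for (src, dport, _bucket), dsts in seen.items():
        if len(dsts) >= fanout_threshold:
            key = (src, dport)
            alerts[key] = max(alerts.get(key, 0), len(dsts))
    return alerts


def find_floods(flows, window=10.0, rate_threshold=50.0, min_sources=10):
    """Flood-like fan-in: one destination service receiving flows from many sources
    at a high rate. Returns {(dst, dport): max flows per second}. The source-count
    test separates a distributed flood from one busy, legitimate client."""
    per_bucket = defaultdict(lambda: [0, set()])
    for f in flows:
        entry = per_bucket[(f.dst, f.dport, int(f.t // window))]
        entry[0] += 1
        entry[1].add(f.src)
    alerts = {}
    for (dst, dport, _bucket), (count, srcs) in per_bucket.items():
        rate = count / window
        if rate >= rate_threshold and len(srcs) >= min_sources:
            key = (dst, dport)
            alerts[key] = max(alerts.get(key, 0.0), rate)
    return alerts


def constructed_sample():
    """Constructed flow records, not captured traffic: one benign workstation,
    one worm-like sweep, and one distributed HTTP flood (RFC 5737 test addresses)."""
    flows = []
    # Benign: a workstation talking to three internal file servers over a minute.
    for i in range(30):
        flows.append(Flow(i * 2.0, "10.0.0.7", f"10.0.1.{1 + i % 3}", 445, 900))
    # Worm-like: one host touching 25 distinct addresses on TCP/445 in 12 seconds.
    for i in range(25):
        flows.append(Flow(60.0 + i * 0.5, "10.0.0.5", f"10.0.2.{i + 1}", 445, 60))
    # Flood-like: 40 sources each sending 20 small HTTP requests to one web server in 5 seconds.
    for s in range(40):
        for k in range(20):
            flows.append(Flow(200.0 + (k % 5), f"198.51.100.{s + 1}", "203.0.113.10", 80, 200))
    flows.sort(key=lambda f: f.t)
    return flows


if __name__ == "__main__":
    sample = constructed_sample()
    print("worm-like fan-out:", find_scanners(sample))   # {('10.0.0.5', 445): 25}
    print("flood-like fan-in:", find_floods(sample))     # {('203.0.113.10', 80): 80.0}
```

The two rules deliberately key on different things: a sweep is one source and many destinations, a flood is many sources and one destination. Feeding real exporter data in place of constructed_sample() is the only change needed to try it against your own network, after which the thresholds should be set from a baseline of normal fan-out and request rates rather than left at the values used here.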
Lightning strike on e-commerce
Consumers' confidence in on-line banking and e-commerce walks on a razor's edge.
"Most banks are building their future business models on a world where there are only a few human tellers and most of their customer interface is done via the Web or an ATM," says forecaster Marc Sachs. "However, attacks on banking systems and online fraud have increased at an alarming rate in the past 12 to 18 months. Banks will begin to feel the pain, either through enormous fraud losses or a big drop in consumer confidence."
In addition to the erosion of customer trust, our forecasters are watching the radar closely for a category 5 hurricane that could wash online banking away. The bad guys now have the technology to turn online businesses' own defenses against themselves, possibly triggering a cataclysmic financial DoS attack against financial services targets or the entire industry.
Here's how it would work: The financial services industry operates under the assumption that criminals and hackers possess a certain quantity of stolen credit card numbers -- some estimate more than one-third of the total in circulation. They calculate a certain amount of fraud into their financial planning as a cost of doing business and can shut down individual cards if their automated antifraud systems detect suspicious spending patterns.
But today attackers -- perhaps terrorists -- have the potential to exploit this model on a vast scale, overwhelming the systems by initiating billions of suspicious transactions; the antifraud systems themselves could be used to shut off millions of credit cards. Envision a massive botnet flooding e-commerce sites in the middle of the holiday shopping season. Millions of credit cards would be suspended, and customer support centers would be overwhelmed. The impact would be a nationwide -- if not global -- breakdown of consumer confidence.
Your best defense against this doomsday scenario is knowing that it can happen, and developing contingency plans for mitigating the effect and ensuring business continuity. Your company's antifraud personnel should test to see how their detection systems would react to a massive influx of automated fraud. Conduct a simulation exercise to determine how you would detect and respond to such an attack. Would you weaken or disable your automated antifraud detection and card-disabling capabilities to keep business running, knowing the cost of massive fraud, or would you beef up your support resources to deal with it as best you can?
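The simulation exercise suggested above can be modeled before any production system is touched. The following is an added example, not code from the article or from any card issuer; it reduces an antifraud system to a single per-card velocity rule and then compares two policies under a constructed flood. Without a fleet-wide guard rail, the automated card-disabling control becomes the denial of service the article describes; with a circuit breaker, cards that trip the rule during a surge are queued for review instead of disabled. The per-card threshold, baseline suspension rate and surge multiplier are all assumptions chosen for the simulation.

```python
from collections import Counter, defaultdict

# Policy knobs. All three are assumptions for the simulation, not figures from the article.
SUSPICIOUS_PER_CARD = 3        # per-card rule: this many suspicious events normally trips auto-suspend
BASELINE_SUSPENDS_PER_MIN = 5  # what a normal day's automated suspensions look like
SURGE_MULTIPLIER = 20          # above 20x baseline, stop auto-disabling and hold cards for review


class AntiFraudEngine:
    """Minimal per-card velocity rule with an optional fleet-wide circuit breaker.

    Without the breaker, every card that trips the rule is disabled automatically,
    so a botnet that sprays suspicious transactions across the card base turns the
    control into a denial of service. With the breaker, once suspensions in a minute
    exceed the surge ceiling, further cards are queued for human or step-up review
    instead of being disabled outright."""

    def __init__(self, circuit_breaker=True):
        self.circuit_breaker = circuit_breaker
        self.hits = Counter()                        # card -> suspicious events seen
        self.suspended = set()
        self.held_for_review = set()
        self.suspends_per_minute = defaultdict(int)  # minute -> automated suspensions

    def process(self, minute, card, suspicious):
        if not suspicious or card in self.suspended or card in self.held_for_review:
            return "ok"
        self.hits[card] += 1
        if self.hits[card] < SUSPICIOUS_PER_CARD:
            return "flagged"
        ceiling = BASELINE_SUSPENDS_PER_MIN * SURGE_MULTIPLIER
        if self.circuit_breaker and self.suspends_per_minute[minute] >= ceiling:
            self.held_for_review.add(card)
            return "held"
        self.suspended.add(card)
        self.suspends_per_minute[minute] += 1
        return "suspended"


def simulate(circuit_breaker, n_cards=10_000, attacked_fraction=0.5, n_real_fraud=20):
    """Constructed scenario: a normal minute with a little genuine fraud, then one
    minute in which a botnet sprays suspicious transactions at half the card base.
    Returns how many cards ended up disabled versus queued for review."""
    engine = AntiFraudEngine(circuit_breaker)
    # Minute 0: ordinary day, a handful of real fraud cases trip the per-card rule.
    for c in range(n_real_fraud):
        for _ in range(SUSPICIOUS_PER_CARD):
            engine.process(0, f"card-{c}", True)
    # Minute 1: the flood. Every targeted card receives enough junk to trip the rule.
    attacked = int(n_cards * attacked_fraction)
    for c in range(n_cards - attacked, n_cards):
        for _ in range(SUSPICIOUS_PER_CARD):
            engine.process(1, f"card-{c}", True)
    return {"suspended": len(engine.suspended), "held": len(engine.held_for_review)}


if __name__ == "__main__":
    print("no breaker:  ", simulate(circuit_breaker=False))  # {'suspended': 5020, 'held': 0}
    print("with breaker:", simulate(circuit_breaker=True))   # {'suspended': 120, 'held': 4900}
```

The breaker does not make the flood harmless: the held cards still need step-up verification or a call from a support center, which is exactly the staffing question the article poses. What it changes is that the decision to disable millions of cards at once becomes a human one, taken with the surge visible, rather than the automatic output of a rule written for a normal day.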
Take steps to keep the bad guys from scamming your customers into giving up identification information. Work with organizations like the Anti-Phishing Group, which compiles data on phishing attacks and serves as a resource to discuss antiphishing measures, including ways to educate your consumers.
In addition, a number of companies offer antifraud services, including traditional security vendors like Symantec. Others, such as Cyota, MarkMonitor and Cyveillance, specialize in antifraud protection.
Something bad in the air
The wireless security forecast is for continued heavy attacks, as organizations continue to deploy wireless networks without taking reasonable security precautions -- despite the well-documented weakness of the Wired Equivalent Privacy (WEP) protocol and cautions about war drivers and rogue access points.
"Wireless attacks will become more of an issue, since wireless is inherently insecure, given that there is no physical barrier," says forecaster Anton Chuvakin.
True, the newly adopted 802.11i protocol leverages 802.1X and strong encryption to correct the weaknesses of the earlier wireless standards; and WPA-certified (Wi-Fi Protected Access) products feature the Temporal Key Integrity Protocol (TKIP), which resolves WEP's weak provision for static, shared keys. However, supported products are just coming to market, and organizations with legacy wireless infrastructures are going to be reluctant to invest heavily. Many organizations have even failed to use the weak WEP security or taken any steps to control rogue APs.
Watch for more attacks against organizations where the public can easily wander near rogue APs connected to vital internal networks, such as retailers, remote branch operations of financial services companies and buildings shared by disparate businesses with different physical security controls.
If you opt to embrace wireless, deploy access points with a secure configuration, avoiding cleartext communication and cryptographically weak protocols like WEP. Instead, use stronger authentication and encryption for all wireless access, such as carrying all wireless information across a wireless-only VPN.
Check for rogue APs using the same tools the bad guys use to detect your WLAN, including NetStumbler, Wellenreiter and Kismet; consider more comprehensive products from companies like AirDefense and AirMagnet, which monitor WLANs, detect rogues and provide IDS capability.
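A rogue-AP check is only as good as the comparison between what the scanner sees and what the WLAN team actually deployed. The following is an added example, not code from the article or from NetStumbler, Wellenreiter, Kismet or the monitoring vendors named above. It parses a constructed "bssid,ssid,channel,encryption" export (an assumed interchange format, not any tool's native output), compares it against a constructed inventory of sanctioned access points, and reports unknown radios, sanctioned radios whose configuration has drifted, and anything still running cleartext or WEP.

```python
from dataclasses import dataclass

WEAK_ENCRYPTION = {"OPEN", "WEP"}   # cleartext and WEP: the protocols the article says to avoid


@dataclass(frozen=True)
class ObservedAP:
    bssid: str
    ssid: str
    channel: int
    encryption: str   # OPEN, WEP, WPA or WPA2, as a scanner would report it


def parse_scan(text):
    """Parse a constructed 'bssid,ssid,channel,encryption' export. This is an assumed
    interchange format, not the native output of NetStumbler, Wellenreiter or Kismet."""
    aps = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        bssid, ssid, channel, enc = (field.strip() for field in line.split(","))
        aps.append(ObservedAP(bssid.lower(), ssid, int(channel), enc.upper()))
    return aps


def audit(scan, authorized, corporate_ssids):
    """Compare a scan against the sanctioned-AP inventory.

    authorized: {bssid: (expected_ssid, expected_encryption)}
    Returns a list of (bssid, finding, severity) tuples, in scan order."""
    findings = []
    for ap in scan:
        expected = authorized.get(ap.bssid)
        if expected is None:
            # Unknown radio. One that advertises a corporate SSID is the urgent case:
            # it is either a rogue on the internal network or impersonating it.
            severity = "high" if ap.ssid in corporate_ssids else "medium"
            findings.append((ap.bssid, "unknown-ap", severity))
            continue
        exp_ssid, exp_enc = expected
        if (ap.ssid, ap.encryption) != (exp_ssid, exp_enc):
            findings.append((ap.bssid, "config-drift", "high"))
        if ap.encryption in WEAK_ENCRYPTION:
            findings.append((ap.bssid, "weak-encryption", "high"))
    return findings


# Constructed inventory: the two APs the WLAN team actually deployed.
AUTHORIZED = {
    "00:11:22:33:44:01": ("corp-wlan", "WPA"),
    "00:11:22:33:44:02": ("corp-wlan", "WPA"),
}

# Constructed scan: a healthy AP, a sanctioned AP someone downgraded to WEP, an unknown
# radio using the corporate SSID, and an unknown consumer AP (neighbor or employee-brought).
SAMPLE_SCAN = """\
# bssid,ssid,channel,encryption
00:11:22:33:44:01,corp-wlan,1,WPA
00:11:22:33:44:02,corp-wlan,6,WEP
aa:bb:cc:dd:ee:01,corp-wlan,11,OPEN
aa:bb:cc:dd:ee:02,linksys,6,WEP
"""


def run_sample():
    return audit(parse_scan(SAMPLE_SCAN), AUTHORIZED, {"corp-wlan"})


if __name__ == "__main__":
    for bssid, finding, severity in run_sample():
        print(f"{severity:6} {finding:16} {bssid}")
```

The medium-severity finding for the consumer AP is the case the article flags for shared buildings: a neighbor's network is noise, but an employee's unsanctioned AP plugged into the internal LAN is not, and the scan alone cannot tell them apart. Confirming which it is means locating the radio and tracing its wired connection, which is the step the monitoring products named above automate.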
About the author:
Ed Skoudis, CISSP, is cofounder of Intelguardians, a security consulting firm, and is a member of the Information Security Testing Alliance. He's the author of Malware: Fighting Malicious Code (Prentice Hall, 2003).