8/8/2019 Secure View #4 Small Web
4th quarter 2010
WEAK LINKS: Changes in the methods and targets of the cybercriminals' attacks
DESPERATE JAILBREAKERS: Is it actually safe to jailbreak an iPhone?
THE ENEMY AT THE GATE: Rogue AVs are rapidly becoming one of the biggest threats to users
ARTIFICIAL INTELLIGENCE IN THE REALMS OF IT SECURITY: Autonomous systems that treat infections
EXPERTS' COMMENT
BUSINESSES UNDER ATTACK
How to protect your company
from cybercriminals
CONTENTS
NEWS
Breakthroughs and trends
in the IT security industry 4-9
REPORT
Black Hat USA 2010:
News and trends from
Black Hat USA 2010 10-11
TOP STORY
Businesses under attack:
Everything you should know
about corporate threats 12-17
ANALYTICS
Desperate Jailbreakers:
Recent smartphone
security issues 18-21
The enemy at the gate:
Rogue antivirus
programs on the rise 22-25
TECHNOLOGY
Artificial Intelligence
in the realms of IT security:
Cyber Helper, an autonomous
system that treats infections 26-29
Under control: Analyzing
application activities 30-31
FORECASTS
Weak links: Changes in
the methods and targets of
the cybercriminals' attacks 32-33
INTERVIEW
Keeping pace with viruses:
Current malware sample
processing techniques
with Nikita Shvetsov 34
A WORD FROM THE EDITOR
Dear Readers,
I am sure that the majority of you reading this work for a company of one sort or another. Ten
to one your company has its own Internet site,
communicates with its clients and partners over
email, and possibly even uses Instant Messaging
too. Often, many of you will take some work home
with you, burning the midnight oil on yet another
important document. Just the thought of working
without a computer and the Internet, or not being
able to complete an urgent job at home when you
need to, would seem utterly strange for a lot of
people these days.
So where is this all leading, you may ask? Well, working in an office, you can't have failed to notice that there is a security solution installed on your computer. A similar solution should be installed on your company's servers where their office is located. If that is not the case, then it is very unfortunate indeed, but let's put that dismal scenario aside for now and move on.

The antivirus, or more complex security package, installed by your company's systems administrators is designed to protect your computer from attack by criminals, but are you sure that your company has a complex security policy in place? If the system administrator does not regularly install updates for the operating systems and any third-party software installed on the users' computers, there can be no guarantee that a determined cybercriminal won't find an unpatched vulnerability in the system and use it to their advantage.
Are you sure that your smartphone, which you rely on for daily business communications, or the notebook that you or your boss are working on at home or in the office are protected from such a banal thing as loss? After all, if the notebook that you lost or had stolen at the airport ended up in the hands of specialist crooks, all of your confidential information would be right there in front of them. At least, that would be the case if your device didn't happen to have a suitable encryption solution installed and a complex login and password security program.
However, let's not get ahead of ourselves for the moment. Just read this issue's Top Story and consider carefully whether you have closed all of the loopholes through which a cybercriminal might attack your company, and while we are talking about threats, do you and your colleagues know enough about rogue antivirus programs and how they can penetrate your computer?
See you next issue!
Alexander Ivanyuk
Editor-in-Chief
SECUREVIEW
SECUREVIEW Magazine
4TH Quarter 2010
Editor-in-Chief: Alexander Ivanyuk
Editor: Darya Skilyazhneva
Design: Svetlana Shatalova, Roman Mironov
Production Assistants:
Rano Kravchenko
Editorial matters: [email protected]
http://www.secureviewmag.com
© 1997 - 2010 Kaspersky Lab ZAO. All Rights Reserved.
Industry-leading Antivirus Software
The opinion of the Editor may not necessarily agree with
that of the author.
SECUREVIEW Magazine can be freely distributed in the form of the original, unmodified PDF document. Distribution of any modified versions of SECUREVIEW Magazine content is strictly prohibited without explicit permission from the editor. Reprinting is prohibited unless with the consent of the editorial staff.
NEWS
www.secureviewmag.com | SECUREVIEW 4th quarter 2010
VULNERABILITIES | ENCRYPTION
Research by INRIA (the French National Institute for Research in Computer Science and Control) has shown that there are serious vulnerabilities in the BitTorrent peer-to-peer protocol. The vulnerabilities allow BitTorrent users to be spied on: an attacker may be able to deanonymize a user even behind an anonymizing network such as Tor.

Tor operates on the basis of the construction of chains of proxies, as well as multilayered traffic encryption. The researchers propose three methods of attack to deanonymize BitTorrent users on Tor.

The first method of attack consists of inspecting the payload of some of the BitTorrent control messages and searching for the public IP address of the user; in particular, the announce messages that a client sends to the tracker in order to collect a list of peers distributing the content, and the extended handshake. Messages sent by some clients immediately after the application handshake occasionally contain the public IP address of the user.

The second method of attack consists of rewriting the list of peers returned by the tracker in order to include the IP address of a peer controlled by the attacker. As the user will then connect directly to that peer, the attacker can deanonymize the user by inspecting the IP header. Although this hijacking attack is accurate, it only works when the user routes just the tracker connection through Tor and connects to peers directly.

The third and final method of attack consists of exploiting the DHT (Distributed Hash Table) to search for the public IP address of a user. Tor does not carry UDP, whereas BitTorrent's DHT uses UDP for transport, so when a BitTorrent client fails to contact the DHT through its Tor interface it reverts to its public interface, thereby publishing its public IP address in the DHT. As the content identifier and the port number of a client transit through the exit node, and port numbers are uniformly distributed, an attacker can use this information to identify a BitTorrent user in the DHT. This DHT attack is very accurate and works even when the peer uses Tor to connect to other peers.

Using the hijacking and DHT attacks, the researchers deanonymized and profiled close to 9,000 public IP addresses of BitTorrent users on Tor. In particular, they exploited the multiplexing of streams from different applications into the same circuit to profile the web browsing habits of the BitTorrent users on Tor.
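The two payload-level leaks described above can be checked mechanically. The following Python script is an added example written for this page, not code from the INRIA study or from any BitTorrent client: it decodes a tracker announce URL and a bencoded extended handshake and reports any field that carries a peer's IP address. The field names follow the public BitTorrent specifications (the optional `ip` parameter of the BEP 3 announce and the `yourip`, `ipv4` and `ipv6` keys of the BEP 10 extended handshake); the sample messages are constructed for illustration and use documentation-range addresses. The third leak, the DHT falling back from Tor to the public UDP interface, does not appear in any message payload and has to be checked in the client's configuration instead.

```python
"""Spot BitTorrent control messages that carry a peer's own IP address.

Added example, not code from the INRIA study. Leaky fields per the public
specs: the optional `ip` parameter of the HTTP tracker announce (BEP 3) and
the `yourip` / `ipv4` / `ipv6` keys of the extended handshake (BEP 10).
"""
import ipaddress
from urllib.parse import parse_qs, urlparse


def bdecode(data: bytes):
    """Decode one bencoded value (int, byte string, list or dict)."""

    def parse(i):
        c = data[i:i + 1]
        if c == b"i":                                # i<digits>e
            end = data.index(b"e", i)
            return int(data[i + 1:end]), end + 1
        if c == b"l":                                # l<values>e
            i, items = i + 1, []
            while data[i:i + 1] != b"e":
                item, i = parse(i)
                items.append(item)
            return items, i + 1
        if c == b"d":                                # d<key><value>...e
            i, d = i + 1, {}
            while data[i:i + 1] != b"e":
                key, i = parse(i)
                d[key], i = parse(i)
            return d, i + 1
        if c.isdigit():                              # <len>:<bytes>
            colon = data.index(b":", i)
            start, length = colon + 1, int(data[i:colon])
            return data[start:start + length], start + length
        raise ValueError(f"malformed bencode at offset {i}")

    value, end = parse(0)
    if end != len(data):
        raise ValueError("trailing bytes after bencoded value")
    return value


def _usable(addr) -> bool:
    """Addresses that could identify a peer (loopback, link-local etc. cannot)."""
    return not (addr.is_loopback or addr.is_link_local or addr.is_multicast
                or addr.is_unspecified)


def announce_leaks(announce_url: str) -> list:
    """IP addresses a client volunteers in its tracker announce via the `ip` parameter."""
    query = parse_qs(urlparse(announce_url).query)
    found = []
    for raw in query.get("ip", []):
        try:
            addr = ipaddress.ip_address(raw)
        except ValueError:
            continue                                 # not an IP literal (could be a hostname)
        if _usable(addr):
            found.append(str(addr))
    return found


def extended_handshake_leaks(payload: bytes) -> dict:
    """IP-bearing keys of a BEP 10 extended handshake payload (the bencoded dict
    that follows the message-id 20 / extended-id 0 header).

    `yourip` is the receiver's address as seen by the sender; `ipv4` / `ipv6`
    are the sender's own addresses. All are compact 4- or 16-byte strings.
    """
    msg = bdecode(payload)
    found = {}
    for key in (b"yourip", b"ipv4", b"ipv6"):
        raw = msg.get(key)
        if isinstance(raw, bytes) and len(raw) in (4, 16):
            addr = ipaddress.ip_address(raw)
            if _usable(addr):
                found[key.decode()] = str(addr)
    return found


# Constructed samples (documentation-range addresses, not real peers).
SAMPLE_ANNOUNCE = ("http://tracker.example/announce?info_hash=%AA%BB&peer_id=-XX0001-abcdef"
                   "&port=6881&ip=203.0.113.5&uploaded=0&downloaded=0&left=0")
SAMPLE_HANDSHAKE = (b"d"
                    + b"4:ipv44:" + bytes([198, 51, 100, 7])
                    + b"1:md6:ut_pexi1ee"
                    + b"1:pi6881e"
                    + b"1:v7:Example"
                    + b"6:yourip4:" + bytes([203, 0, 113, 5])
                    + b"e")

if __name__ == "__main__":
    print("announce leaks:", announce_leaks(SAMPLE_ANNOUNCE))
    print("handshake leaks:", extended_handshake_leaks(SAMPLE_HANDSHAKE))
```

Run against a captured announce or handshake, a non-empty result means the client itself is telling the other side who it is, regardless of how well Tor hides the transport.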
Researchers have devised a new kind of random number generator for encrypted communications and other uses that is cryptographically secure, inherently private and certified random by the laws of physics.

Although the events around us can seem arbitrary, none of them is genuinely random in the sense that they could not be predicted given sufficient knowledge. Indeed, true randomness is almost impossible to come by. That situation is a source of persistent concern to cryptographers, who need to encrypt valuable data and messages employing a long string of random numbers that form a key to encode and decode the message. For practical purposes, encoders typically employ mathematical algorithms called pseudo-random number generators to approximate the ideal. However, they can never be completely certain that the system is invulnerable to adversaries or that a seemingly random sequence is not, in fact, predictable in some manner.

Now though, Stefano Pironio and Serge Massar from the Université Libre de Bruxelles (ULB), in partnership with European and American quantum information scientists, have demonstrated a method for producing a certifiably random string of numbers based on the principles of quantum physics. Their solution relies on a discovery made by physicist John Bell in 1964: two objects can be in an exotic condition called entanglement, in which their states become so utterly interdependent that if a measurement is performed to determine a property of one, the corresponding property of the other is instantly determined as well, even if the two objects are separated by large distances. Bell showed mathematically that if the objects were not entangled, their correlations would have to be smaller than a certain value, expressed as an inequality. If they were entangled, however, the correlations could be higher, violating the inequality.

"The important point is that the violation of a Bell inequality is possible only if we are measuring genuine quantum systems," says Pironio. "Therefore if we verify a Bell inequality violation between isolated systems, we can be sure that our device has produced true randomness independently of any experimental imperfection or technical detail. But to build something concrete out of this initial intuition, we had to quantify how much randomness is actually produced and whether it is secure in a cryptographic setting."
Deanonymizing anonymizers
Source: http://arxiv.org/PS_cache/arxiv/pdf/1004/1004.1267v1.pdf

Random numbers certified by Bell's theorem
Source: www.physorg.com/pdf190468321.pdf
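As an added illustration of the reasoning in the Bell item above (example code written for this page, not from Pironio and Massar's group), the Python script below evaluates a Bell test in its CHSH form on constructed measurement counts and converts the result into a bound on the randomness produced. The min-entropy bound it uses is the one the source paper gives for the CHSH case, reproduced here from memory rather than from the article; the counts are constructed to mimic an ideal entangled pair on one hand and a deterministic local strategy on the other, and the script ignores the finite-statistics and loophole considerations a real certification must handle.

```python
"""Evaluate a Bell (CHSH) test on measurement statistics and bound the randomness it certifies.

Added example; the article describes the Bell test in words only. The CHSH form of the
inequality and the min-entropy bound f(S) = 1 - log2(1 + sqrt(2 - S^2/4)) are taken from
the Pironio et al. paper the news item reports on (quoted from memory, not from the
article). Sample counts are constructed, not experimental data.
"""
import math

CLASSICAL_BOUND = 2.0                 # any local (non-entangled) strategy satisfies S <= 2
TSIRELSON_BOUND = 2 * math.sqrt(2)    # quantum maximum, S = 2*sqrt(2)


def correlator(counts: dict) -> float:
    """E(x,y) = (N++ + N-- - N+- - N-+) / N for one choice of settings.

    counts maps outcome pairs (a, b) with a, b in {+1, -1} to how often they occurred.
    """
    total = sum(counts.values())
    if total == 0:
        raise ValueError("no outcomes recorded for this pair of settings")
    return sum(a * b * n for (a, b), n in counts.items()) / total


def chsh_value(data: dict) -> float:
    """S = E(0,0) + E(0,1) + E(1,0) - E(1,1) for data keyed by setting pair (x, y)."""
    E = {xy: correlator(counts) for xy, counts in data.items()}
    return E[(0, 0)] + E[(0, 1)] + E[(1, 0)] - E[(1, 1)]


def min_entropy_bound(S: float) -> float:
    """Certified min-entropy (bits) per output pair as a function of the CHSH value.

    Zero at or below the classical bound: without a Bell violation the outcomes could
    have been pre-programmed, so nothing is certified. One bit at Tsirelson's bound.
    """
    if S <= CLASSICAL_BOUND:
        return 0.0
    S = min(S, TSIRELSON_BOUND)      # clip statistical overshoot above the quantum maximum
    return 1.0 - math.log2(1.0 + math.sqrt(max(0.0, 2.0 - S * S / 4.0)))


def certify(data: dict) -> dict:
    """Summarize a run: CHSH value, whether Bell is violated, and the entropy bound."""
    S = chsh_value(data)
    return {"S": S, "bell_violation": S > CLASSICAL_BOUND,
            "min_entropy_bits_per_pair": min_entropy_bound(S)}


def _counts(agree: int, disagree: int) -> dict:
    """Split N agreements / disagreements evenly over the two outcome pairs of each kind."""
    return {(1, 1): agree // 2 + agree % 2, (-1, -1): agree // 2,
            (1, -1): disagree // 2 + disagree % 2, (-1, 1): disagree // 2}


# Constructed statistics: 1000 trials per setting pair, correlations close to the
# +-1/sqrt(2) an ideal entangled pair gives at the optimal measurement angles.
QUANTUM_RUN = {(0, 0): _counts(853, 147), (0, 1): _counts(853, 147),
               (1, 0): _counts(853, 147), (1, 1): _counts(147, 853)}

# A deterministic local strategy (both sides always output +1) saturates but never
# exceeds the classical bound: no randomness is certified.
LOCAL_RUN = {xy: {(1, 1): 1000, (-1, -1): 0, (1, -1): 0, (-1, 1): 0}
             for xy in ((0, 0), (0, 1), (1, 0), (1, 1))}

if __name__ == "__main__":
    print("entangled-like run:", certify(QUANTUM_RUN))
    print("local deterministic run:", certify(LOCAL_RUN))
```

The point the code makes explicit is that the certificate is the violation itself: the local run produces perfectly fixed outputs and S = 2 exactly, so the bound is zero, while the entangled-like run at S ≈ 2.82 certifies close to one bit of min-entropy per output pair without any assumption about how the devices were built.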
NEWS
Dr. Jacob Scheuer from
Tel Aviv University has
developed a unique
optical system of secret
cryptographic key
distribution. The researcher
claimed that his system is
potentially uncrackable.
Transmitting binary lock-
and-key information in
the form of light pulses,
his device ensures that a
shared key code can be
unlocked by the sender and
receiver and absolutely
nobody else. Dr. Scheuer has
found a way to secure the
transmitted ones and zeros
using light and lasers. The
trick, says Dr. Scheuer, is
for those at either end of
the fiber optic link to send
different laser signals they
can distinguish between,
but which look identical to
an eavesdropper.
"Rather than developing the lock or the key, we've developed a system which acts as a type of key bearer," the researcher explains.
ANTIVIRUS TESTING | THE EXPERT'S COMMENT
Recently, I was sitting around with a number of colleagues from Kaspersky Lab, discussing everybody's favorite subject: the state of AV testing these days. During the chat, somebody brought up the name of a new, obscure testing organization in the Far East. Nobody else had ever heard of them and so my colleague, Aleks Gostev, jokingly called them "a rogue Andreas Marx".

It then occurred to us that some of these new testing labs that have recently appeared mimic the tactics of Rogue AV products. What exactly do I mean? Well, as we know the rogue AV business model is based on selling a false sense of security; we professionals know it is fake, but the victims don't. People buy a Rogue AV program hoping that it will solve their security problems, but at best the products do nothing and at worst, they install additional malware.

Rogue AV testers are somewhat similar in behavior. In their case, the business model is no longer based on a false sense of security, but instead, on a false sense of insecurity. So, how do they operate? Well, it seems to start with a number of tests which look legitimate and mimic real world conditions. Then, the tests slowly become more complicated and security products do worse and worse. Sometimes, the product that did best in the previous test suddenly becomes the worst in the group. In other cases, all products fail miserably. Finally, the main idea emerges: that all security products are bad and utterly useless. Hence, the false sense of insecurity is promoted through the tests: you are insecure, your money was misspent, beware! Going further, the rogue AV testers use various techniques such as not disclosing product names in published test results and attempting to sell these results for serious amounts of money.

Here are some of the characteristics we identified as being specific to rogue AV testers and which can help you to spot them:

1. They are not affiliated with any serious testing organization, such as AMTSO. Sometimes, the Rogue AV testers could also show fake affiliations or even falsely display (say) the AMTSO logo on their website, in order to remove suspicion and doubt.
2. They publish free public reports, but charge money for the full reports. In general, the public reports should look as bad as possible for all the tested products, to maximize the profits from selling the full reports.
3. The public reports are full of charts that look complicated and intelligent, but sometimes reveal amusing mistakes.
4. They claim all AV (or security) products are useless. This is the foundation stone of any business based on the false sense of insecurity.
5. They charge for samples and methodologies, usually very large sums of money, to make sure the flawed methodology and samples cannot be reviewed externally.

Reputable testers will make samples and methodologies freely available to the developers of the products that they test, and instead charge for the rights to publish the results in magazines or for the permission to use the results in marketing materials. Charging money for samples is a clear indication that something wrong is going on. There are other characteristics, but I think everybody has got the point by now.

Just like the explosion in Rogue AV products, making them one of the most profitable crimeware categories, I suspect Rogue AV testers will follow and in the process, they will also become an extremely profitable category. Of course, the worst thing is that they will provide a strong, negative value to the entire IT security industry.

So, if you are trying to compare security solutions, I recommend sticking to established testing organizations such as Virus Bulletin, AV-TEST.ORG and AV-COMPARATIVES or reputable magazines with a good history behind them. If in doubt, ask for AMTSO affiliations and finally, do not forget about the list of hints that can help you to spot Rogue AV testing behavior.

Do not become a victim of the Rogue AV testers!
The Rise of the Rogue AV Testers
Costin Raiu is the Director of Kaspersky Lab's Global Research & Analysis Team
CRYPTOGRAPHY
Laser key
Source: http://www.sciencedaily.com/releases/2010/03/100323121834.htm
NEWS
SOCIAL NETWORKS
A group of researchers have demonstrated the fundamental limits of privacy in social networks with personalized recommendations: the recommendations cannot be made without disclosing sensitive links between users.

Facebook recommends new contacts based on the pattern of connections between existing users, whilst Amazon recommends books and other products based on purchase histories and Netflix recommends movies based on historical ratings. To be sure, these sites produce helpful results for users that in turn can dramatically increase sales for the merchant, but they can also compromise privacy. For example, a social network recommendation might reveal that one person has been in email contact with another, or that an individual has bought a certain product or watched a specific film. It may even be a breach of privacy to discover that your friend doesn't trust your judgment in books.

Today, researchers say that privacy breaches are inevitable when networks are exploited in this way. In fact, they've worked out a fundamental limit to the level of privacy that is possible when social networks are mined for recommendations.

The scientists' approach is to consider a general graph consisting of various nodes and the links between them. This may be a network in which the nodes are books, say, and a link between two nodes represents the purchase of one book by the owner of another. The team considers all these links to be private information. Then the researchers consider an attacker who wants to work out the existence of a link in the graph from a particular recommendation. So given the knowledge that people who bought book X also bought book Y, is it possible to determine a purchase decision made by a specific individual?

To do this, the scientists define the privacy differential as the ratio of the likelihoods that the website makes such a recommendation with and without the private purchase decision in question. The question they then ask is to what extent recommendations can be made while keeping this privacy differential bounded. It turns out that there is a tradeoff between the accuracy of the recommendation and the privacy of the network, so a loss of privacy is inevitable for a good recommendation engine.
Fundamental privacy limits
of recommendations
Source: http://www.technologyreview.com/blog/arxiv/25146/
Amazon recommends books and other products based on purchase histories
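The privacy differential defined in the item above can be computed directly for a toy recommender. The Python below is an added example written for this page, not code from the paper: it scores items by co-purchase with book X on constructed purchase data, makes the recommendation with the exponential mechanism from differential privacy (an assumption, since the article does not name the mechanism the paper analyzes; it is the standard one whose output probabilities shift by at most a factor of e^ε when one private link is added or removed), and reports both the probability of recommending the truly best item and the ratio of that probability with and without one user's purchase. Sweeping ε shows the tradeoff the researchers describe: small ε keeps the ratio near 1 but makes the recommendation nearly random, large ε recommends well and lets the single purchase show through.

```python
"""Measure the privacy differential of a co-purchase recommender.

Added example (not code from the researchers' paper). It builds "people who bought X
also bought Y" scores from constructed purchase data, turns them into a recommendation
with the exponential mechanism of differential privacy (an assumption: the article does
not say which mechanism the paper analyzes), and measures how much one private link
shifts the recommendation probability.
"""
import math

# Constructed purchase histories: user -> set of items (every (user, item) pair is a private link).
PURCHASES = {
    "alice": {"X", "Y", "Z"},
    "bob":   {"X", "Y"},
    "carol": {"X", "Y"},
    "dave":  {"X", "Z"},
    "erin":  {"X", "W"},
}


def co_purchase_scores(purchases: dict, anchor: str) -> dict:
    """score[item] = number of users who bought both `anchor` and `item` (0 for the rest)."""
    catalog = set().union(*purchases.values()) - {anchor}
    scores = dict.fromkeys(catalog, 0)
    for items in purchases.values():
        if anchor in items:
            for item in items - {anchor}:
                scores[item] += 1
    return scores


def recommendation_distribution(scores: dict, epsilon: float) -> dict:
    """Exponential mechanism: P(item) proportional to exp(epsilon * score / 2).

    Dropping one (user, item) link changes exactly one score by 1 (sensitivity 1), which
    bounds the privacy differential of any single item's probability by exp(epsilon).
    """
    weights = {item: math.exp(epsilon * s / 2.0) for item, s in scores.items()}
    total = sum(weights.values())
    return {item: w / total for item, w in weights.items()}


def without_link(purchases: dict, user: str, item: str) -> dict:
    """Copy of the data with one private link removed."""
    copy = {u: set(items) for u, items in purchases.items()}
    copy[user].discard(item)
    return copy


def privacy_differential(purchases, anchor, candidate, user, epsilon) -> float:
    """Ratio P(recommend candidate | link present) / P(recommend candidate | link absent)."""
    with_link = recommendation_distribution(co_purchase_scores(purchases, anchor), epsilon)
    alt = without_link(purchases, user, candidate)
    without = recommendation_distribution(co_purchase_scores(alt, anchor), epsilon)
    return with_link[candidate] / without[candidate]


def accuracy(purchases, anchor, epsilon) -> float:
    """Probability that the mechanism recommends the true top co-purchased item."""
    scores = co_purchase_scores(purchases, anchor)
    best = max(scores, key=scores.get)
    return recommendation_distribution(scores, epsilon)[best]


def tradeoff(purchases, anchor, candidate, user, epsilons) -> list:
    """(epsilon, accuracy, privacy differential) per epsilon: the more accurate the
    recommendation, the more a single private purchase shows through."""
    return [(eps, accuracy(purchases, anchor, eps),
             privacy_differential(purchases, anchor, candidate, user, eps))
            for eps in epsilons]


if __name__ == "__main__":
    for eps, acc, diff in tradeoff(PURCHASES, "X", "Y", "bob", (0.1, 0.5, 1.0, 2.0, 4.0)):
        print(f"epsilon={eps:<4} P(top item)={acc:.3f} "
              f"differential={diff:.3f} bound={math.exp(eps):.3f}")
```

In the constructed data Y is co-purchased with X three times and Z twice, so at ε = 0.1 the recommender picks Y barely more often than chance while Bob's purchase moves the odds by about 3%; at ε = 4 it picks Y about 87% of the time and his single purchase shifts the odds by roughly a factor of 1.85.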
ONLINE SERVICES | THREATS
An international research team has demonstrated the possibility of hijacking Google services and reconstructing users' search histories.

Firstly, with the exception of a few services that can only be accessed over HTTPS (e.g. Gmail), the researchers found that many Google services are still vulnerable to simple session hijacking: the session cookie is also sent over plain HTTP, where anyone on the network path can capture and replay it.

Next they presented the Historiographer, a novel attack that reconstructs the web search histories of Google users, i.e. Google's Web History, even though such a service is supposedly protected from session hijacking by a stricter access control policy. The Historiographer implements a reconstruction technique that rebuilds the search history from the personalized suggestions fed to it by the Google search engine. The attack is based on the fact that Google users receive personalized suggestions for their search queries based on previously searched keywords. The researchers showed that almost one third of monitored users were signed in to their Google accounts, and of those, half had their Web History enabled, thus leaving themselves vulnerable to this type of attack.

The attacks demonstrated are general and highlight concerns about the privacy of mixed architectures using both secure and insecure connections. The research data was sent to Google and the company decided to temporarily suspend search suggestions from Search History, in addition to offering Google Web History pages over HTTPS only.

Hijacking Google services
Source: http://arxiv.org/PS_cache/arxiv/pdf/1003/1003.3242v3.pdf
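The "simple session hijacking" in the item above comes down to one cookie attribute. The Python script below is an added example, not the researchers' code: it parses Set-Cookie headers, decides whether each cookie would be attached to a plain-HTTP request for the same host, and flags the ones a passive network listener could capture. The cookie names and hosts are constructed and the real Google cookie names are not reproduced. The `would_be_sent` check is a simplified version of the one a browser applies, which is enough to show why a site-wide cookie set by an HTTPS login leaks as soon as any subdomain is served over HTTP, the mixed-architecture concern the researchers raise.

```python
"""Audit Set-Cookie headers for the session-hijacking exposure behind the Google study.

Added example, not code from the paper. A cookie issued by an HTTPS login but lacking
the `Secure` attribute is also sent on plain-HTTP requests to the same site, where a
passive listener can copy and replay it. The cookie names and hosts below are constructed
(the real Google cookie names are not reproduced here).
"""
from urllib.parse import urlparse


def parse_set_cookie(header: str) -> dict:
    """Split one Set-Cookie header into name, value and lower-cased attribute map."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def domain_matches(host: str, cookie_domain: str) -> bool:
    """RFC 6265 domain match: host equals the domain or is a subdomain of it."""
    cookie_domain = cookie_domain.lstrip(".").lower()
    host = host.lower()
    return host == cookie_domain or host.endswith("." + cookie_domain)


def would_be_sent(cookie: dict, url: str) -> bool:
    """Would a browser attach this cookie to a request for `url`? (scheme, domain, path)"""
    u = urlparse(url)
    attrs = cookie["attrs"]
    host = u.hostname or ""
    if "secure" in attrs and u.scheme != "https":
        return False                                   # Secure cookies never travel over HTTP
    if not domain_matches(host, attrs.get("domain", host)):
        return False
    return (u.path or "/").startswith(attrs.get("path", "/"))


def audit(headers: list, login_url: str) -> dict:
    """Map each cookie name to its findings. `login_url` is the HTTPS page that set them;
    the plain-HTTP twin of the same URL stands in for any non-HTTPS service on the site."""
    http_twin = urlparse(login_url)._replace(scheme="http").geturl()
    findings = {}
    for header in headers:
        cookie = parse_set_cookie(header)
        issues = []
        if would_be_sent(cookie, http_twin):
            issues.append("missing Secure: also sent over plain HTTP, capturable by a sniffer")
        if "httponly" not in cookie["attrs"]:
            issues.append("missing HttpOnly: readable by script on the page")
        if cookie["attrs"].get("domain", "").startswith("."):
            issues.append("domain-wide: one HTTP-only subdomain exposes it for the whole site")
        findings[cookie["name"]] = issues
    return findings


# Constructed headers as an HTTPS login page might return them.
SAMPLE_HEADERS = [
    "SESSION=7f3a9c; Domain=.example.com; Path=/; HttpOnly",
    "PREFS=lang%3Den; Domain=.example.com; Path=/",
    "LOGIN=d41d8c; Domain=accounts.example.com; Path=/; Secure; HttpOnly",
]

if __name__ == "__main__":
    for name, issues in audit(SAMPLE_HEADERS, "https://accounts.example.com/login").items():
        print(name, "->", issues or ["ok"])
```

The fix on the server side is the third header: a session cookie scoped to the HTTPS host and marked Secure and HttpOnly never reaches a plain-HTTP listener, whereas the first two cookies ride along on any http://*.example.com request the browser makes.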
NEWS
Researcher Stephan
Chenette has released
a Firefox plug-in called
FireShark designed to build
visual diagrams of criminal
connections as well as
schemes for the malicious
distribution of code. The plug-in allows the capturing of web traffic from a browser, the logging of events and the downloading of content to disk for post-processing analysis.
The software has the
potential to become a very
powerful forensics and
antimalware tool.
The plugin can be
downloaded free of charge
from the authors site.
ENCRYPTION
Toshiba Research Europe's Cambridge lab has announced an important breakthrough in quantum encryption.

The researchers have succeeded in demonstrating the continuous operation of quantum key distribution with a secure bit rate exceeding 1 megabit per second over 50 km of fiber for the first time. Averaged over a 24 hour period, this is 100-1000 times higher than anything reported previously for a 50 km link. It was achieved using two innovations: a novel light detector for high bit rates and a feedback system which maintains a high bit rate at all times and requires no manual set-up or adjustment.

Significantly, the breakthrough could enable the everyday use of one-time pad encryption, a method that is, in theory, perfectly secret. Although ultra-secure, the application of one-time pad encryption has been restricted in the past as it requires the transmission of very long secret keys, the same length as the data itself, each of which may be used only once. For this reason it has only been used for short messages in situations requiring very high security, for example by the military and security services. The achieved bit rate extends the application of this ultra-secure communication method towards everyday use, with the caveat that one-time pad traffic remains capped by the key rate: at 1 megabit per second of key, at most 1 megabit per second of data can be protected.

Record in quantum key bit rate
Source: http://www.toshiba-europe.com/research/crl/qig/Press2010-04-19-qcbreakthrough.html
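The constraint in the last paragraph above, that pad bytes are consumed as fast as data is sent and can never be reused, is easy to see in code. The Python below is an added example, not Toshiba's software: a shared key pool stands in for key material delivered by the QKD link, each end consumes the same bytes exactly once, and a deliberate misuse shows what an eavesdropper obtains when two messages share pad bytes. Messages and key material are constructed.

```python
"""One-time pad over a finite key stream, showing why the key rate is the hard limit.

Added example, not Toshiba's code. The key material stands in for bits delivered by a
quantum key distribution link: each byte encrypts exactly one byte of data and is then
destroyed, so the link's key rate caps the one-time-pad data rate. The messages and the
key material are constructed for the demonstration.
"""
import secrets


class KeyPool:
    """Key material shared by both ends; every byte is handed out once and then scrubbed."""

    def __init__(self, material: bytes):
        self._buf = bytearray(material)
        self._used = 0

    @property
    def remaining(self) -> int:
        return len(self._buf) - self._used

    def take(self, n: int) -> bytes:
        if n > self.remaining:
            raise RuntimeError(f"need {n} key bytes, only {self.remaining} left: wait for the link")
        start = self._used
        chunk = bytes(self._buf[start:start + n])
        self._buf[start:start + n] = b"\x00" * n      # consumed pad bytes are never reusable
        self._used += n
        return chunk


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR; the pad must be exactly as long as the data."""
    if len(a) != len(b):
        raise ValueError("one-time pad: key and data must be the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def otp_seal(pool: KeyPool, plaintext: bytes) -> bytes:
    """Encrypt with fresh pad bytes; the receiver's pool consumes the same offsets."""
    return xor_bytes(plaintext, pool.take(len(plaintext)))


def otp_open(pool: KeyPool, ciphertext: bytes) -> bytes:
    """Decryption is the same XOR with the same (never-before-used) pad bytes."""
    return xor_bytes(ciphertext, pool.take(len(ciphertext)))


def pad_reuse_leak(c1: bytes, c2: bytes) -> bytes:
    """What an eavesdropper learns if two messages share pad bytes: c1 XOR c2 = p1 XOR p2,
    the key drops out entirely. This is why `take` scrubs what it hands out."""
    n = min(len(c1), len(c2))
    return xor_bytes(c1[:n], c2[:n])


def demo(key_material: bytes = None) -> dict:
    """Run both ends over one shared key stream and return what each side sees."""
    key_material = key_material or secrets.token_bytes(64)   # stands in for delivered QKD key
    sender, receiver = KeyPool(key_material), KeyPool(key_material)
    m1, m2 = b"ATTACK AT DAWN", b"RETREAT AT DUSK"
    c1, c2 = otp_seal(sender, m1), otp_seal(sender, m2)
    r1, r2 = otp_open(receiver, c1), otp_open(receiver, c2)
    # Misuse: encrypt m2 again with the *same* pad bytes as m1 (a pool that was not scrubbed).
    reused = xor_bytes(m2[:len(m1)], KeyPool(key_material).take(len(m1)))
    return {"roundtrip_ok": (r1, r2) == (m1, m2),
            "key_left": sender.remaining,
            "reuse_reveals": pad_reuse_leak(c1, reused) == xor_bytes(m1, m2[:len(m1)])}


if __name__ == "__main__":
    print(demo())
```

Sixty-four bytes of key pay for twenty-nine bytes of traffic and then thirty-five remain; when the pool is empty the sender has to wait for the link, which is exactly the rate limit the Toshiba result raises. The reuse check shows the failure mode that the scrubbing prevents: with a shared pad, the XOR of two ciphertexts is the XOR of the two plaintexts, and no key recovery is needed.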
QUANTUM COMPUTATIONS
A new scheme for making quantum money could lead to cash that cannot be counterfeited.

Just like ordinary cash, quantum cash would be exchanged in lieu of goods. It would be sent and received over the Internet without the need to involve third parties such as banks and credit card companies. That would make transactions anonymous and difficult to trace, unlike today's online transactions, which always leave an electronic paper trail. That's one big advantage over today's money. Another is that quantum states cannot be copied, so quantum cash cannot be forged.

But quantum cash must have another property: anybody needs to be able to check that the money is authentic. That turns out to be hard because the measurement of quantum states tends to destroy them. It's like testing regular dollar bills by seeing whether they burn.

But there is a way around this based on the ideas behind public-key encryption. The idea here is to find a mathematical process that is easy to do in one direction but hard in the opposite direction. Multiplication is the famous example: it's easy to multiply two large prime numbers together to get a third but hard to start with the third number and work out which two factors created it. The question for quantum money gurus is whether a similarly asymmetric process will provide similar security assurances for quantum cash.

A research group led by Edward Farhi has developed secure quantum cash based on a new kind of asymmetry. The scientists took their inspiration from knot theory, a branch of topology that deals with knots and links. The purported security of the proposed quantum money scheme is based on the assumption that given two different looking but equivalent knots, it is difficult to explicitly find a transformation that turns one into the other.
Uncounterfeitable
currency
Source: http://www.technologyreview.com/blog/arxiv/25135/
Visualizing the malicious web
Source: http://www.fireshark.org/
For example, FireShark makes it easy to see compromised legitimate sites redirecting users to malicious domains
NEWS
Egyptian researchers have
proposed a mutual authentication
protocol that prevents attacks on
low-cost RFID tags.
RFID systems are vulnerable to a broad range of malicious attacks ranging from passive eavesdropping to active interference. Unlike in wired networks, where computing systems typically have both centralized and host-based defenses such as firewalls, attacks against RFID networks can target decentralized parts of the system infrastructure, since RFID readers and RFID tags operate in an inherently unstable and potentially noisy environment.

RFID tags may pose a considerable security and privacy risk to the organizations and individuals using them. Since a typical tag provides its ID to any reader and the returned ID is always the same, an attacker can easily defeat the system by reading a tag's data and du[...]

(Note: the preceding paragraph was interrupted by a clipped source fragment; text resumes below.)

Since a typical tag provides its ID to any reader and the returned ID is always the same, an attacker can easily defeat the system by reading a tag's data and duplicating it in the form of bogus tags. Unprotected tags may be vulnerable to eavesdropping, location tracking, spoofing, or denial of service attacks.

Low-cost RFID tags like Electronic Product Code (EPC) tags are poised to become the most pervasive devices in history. There are already billions of RFID tags on the market being used for applications like supply-chain management, inventory monitoring, access control and payment systems. When designing a really lightweight authentication protocol for low-cost RFID tags, a number of challenges arise due to the extremely limited computational, storage and communication abilities of such devices.

The scientists have proposed modifications to the Gossamer mutual authentication protocol used by the tags. The proposed protocol prevents passive attacks; active attacks are discounted when designing a protocol to meet the RFID tags' requirements. The analysis of the protocol shows that the added modifications increase the security level of Gossamer and prevent eavesdropping on public messages between reader and tag. However, the modifications do not affect the computational, storage or communication cost of Gossamer.
Source: http://airccse.org/journal/nsa/0410ijnsa3.pdf
WIRELESS SECURITY
Securing RFID
ENCRYPTION
Security-conscious organizations evaluate a large number of development technologies for building websites. The question often asked is, "What is the most secure programming language or development framework available?"

WhiteHat Security has issued a report which highlights the answer. The report's Top-10 key findings are:

1. Empirically, programming languages/frameworks do not have similar security postures when deployed in the field. They are shown to have moderately different vulnerabilities, with different frequencies of occurrence, which are fixed in different amounts of time.
2. The size of a web application's attack surface alone does not necessarily correlate to the volume and type of issues identified. For example, Microsoft's .NET and Apache Struts, with near-average attack surfaces, turned in the two lowest historical vulnerability averages.
3. Perl had the highest average number of vulnerabilities found historically by a wide margin, at 44.8 per website, and also the largest number currently open, at 11.8.
4. Struts edged out Microsoft's .NET for the lowest average number of currently open vulnerabilities per website, at 5.5 versus 6.2.
5. Cold Fusion had the second highest average number of vulnerabilities per website historically, at 34.4, but has the lowest likelihood of having a single serious unresolved vulnerability if currently managed under WhiteHat Sentinel (54%). Closely following was Microsoft ASP Classic, which at 57% beat its successor Microsoft .NET by a single point.
6. Perl, Cold Fusion, JSP and PHP websites were the most likely to have at least one serious vulnerability, at roughly 80% of the time. The other languages/frameworks were only within ten percentage points.
7. Among websites containing URLs with Microsoft .NET extensions, 36% of their vulnerabilities had Microsoft ASP Classic extensions. Conversely, 11% of the vulnerabilities on ASP websites had Microsoft .NET extensions.
8. 37% of Cold Fusion websites had SQL Injection vulnerabilities, the highest of all measured, while Struts and JSP had the lowest with 14% and 15%.
9. At an average of 44 days, SQL Injection vulnerabilities were fixed the fastest on Microsoft ASP Classic websites, just ahead of Perl (PL) at 45 days.
10. 79% of Urgent Severity SQL Injection vulnerabilities were fixed on Struts websites, the most of the field. This is followed by Microsoft's .NET at 71%, Perl at 71% and the remainder between 58% and 70%.

The report is based on data from 1,659 websites.

What web programming language is the most secure?
Source: http://www.whitehatsec.com/home/resource/stats.html
NEWS
One of the major threats to virtualization and cloud computing is malicious software that enables computer viruses or other malware that have compromised one customer's system to spread to the underlying hypervisor, and ultimately, to the systems of other customers. In short, a key concern is that one cloud computing customer could download a virus, such as one that steals user data, and then spread that virus to the systems of all the other customers.

"If this sort of attack is feasible, it undermines consumer confidence in cloud computing since consumers couldn't trust that their information would remain confidential," said Xuxian Jiang, Assistant Professor of Computer Science at North Carolina State University.

For instance, in the Blue Pill attack demonstrated by Polish security researcher Joanna Rutkowska, a rootkit installs itself as a thin hypervisor beneath the running operating system and intercepts the operating system's operations from there; her demonstration also bypassed the digital signature protection for kernel-mode drivers in order to load its code.

But Jiang and his Ph.D. student Zhi Wang have now developed a piece of software called HyperSafe that leverages existing hardware features to secure hypervisors against such attacks. "We can guarantee the integrity of the underlying hypervisor by protecting it from being compromised by any malware downloaded by an individual user," Jiang says. "By doing so, we can ensure the hypervisor's isolation."

For malware to affect a hypervisor, it typically needs to run its own code in the hypervisor. HyperSafe utilizes two components to prevent that from happening. "First, the HyperSafe program has a technique called non-bypassable memory lockdown, which explicitly and reliably bars the introduction of new code by anyone other than the hypervisor administrator," Jiang says. "This also prevents attempts to modify existing hypervisor code by external users."

Secondly, HyperSafe uses a technique called restricted pointer indexing. "This technique initially characterizes the hypervisor's normal behavior and then prevents any deviation from that profile," Jiang says. "Only the hypervisor administrators themselves can introduce changes to the hypervisor code."
CYBER SECURITY
TECHNOLOGY
An international team of researchers has published a report about global cyber espionage systems titled "Shadows in the Cloud".

The report contains the results of their investigations into a complex cyber espionage ecosystem that, as the authors say, "systematically compromised government, business, academic and other computer network systems in India, the offices of the Dalai Lama, the United Nations and several other countries". The report also contains an analysis of data stolen from politically sensitive targets and recovered during the course of the investigation.

The report analyzes the malware ecosystem employed by the Shadows attackers, which leveraged multiple redundant cloud computing systems, social networking platforms and free web hosting services.

The following is a summary of the report's main findings:

- The cyber espionage network is complex
- The theft of classified and sensitive documents is rife
- There is evidence of collateral compromise
- The command-and-control infrastructure leverages cloud-based social media services
- There are links to the Chinese hacking community
Better remote entrusting

Researchers are proposing a paradigm-shifting solution to trusted computing that offers better security and authentication. The European RE-TRUST project (http://re-trust.dit.unitn.it/) promotes a technology that ensures remote, real-time entrusting on an untrusted machine via the network. Remote entrusting provides continuous entrustment for the execution of a software component by a remote machine, even though the software component is running within an untrusted environment.

The proposed technology provides both software-only and hardware-assisted remote entrusting. Whereas hardware-assisted entrusting requires a special chip either on the computer's motherboard or inserted into a USB drive, RE-TRUST uses logical components on an untrusted machine to enable a remote entrusting component to authenticate, via the network, the untrusted machine's operation during runtime. This means it ensures that the software is running properly and that the code integrity is maintained, thus almost completely guaranteeing security.
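To make the challenge-response idea behind remote entrusting concrete, here is an added Python example (written for this article, not RE-TRUST project code) of a verifier continuously attesting a component that runs on an untrusted host. It assumes a pre-shared session key, a verifier-side copy of the expected code image, and freshness provided by single-use nonces with a time limit; the component bytes and the key are constructed for the example.

```python
"""Continuous remote attestation sketch: a verifier repeatedly challenges a
prover on an untrusted host to prove, under a fresh nonce, that the component
it runs still matches the expected image.  Added example, not RE-TRUST code."""
import hashlib
import hmac
import os
import time

# Constructed stand-in for the software component being entrusted (assumption).
GOLDEN_COMPONENT = b"def handle(request):\n    return authorize(request)\n"
# Constructed pre-shared session key; a real deployment would provision it
# out of band or derive it from a key exchange (assumption).
SESSION_KEY = b"example-session-key-not-for-production"


def attestation_tag(key: bytes, nonce: bytes, code: bytes) -> bytes:
    """HMAC over nonce || SHA-256(code): binds the code hash to one challenge."""
    digest = hashlib.sha256(code).digest()
    return hmac.new(key, nonce + digest, hashlib.sha256).digest()


class Verifier:
    """Trusted side: issues nonces and checks tags against the golden image."""

    def __init__(self, key: bytes, golden_code: bytes,
                 max_age: float = 5.0, clock=time.monotonic):
        self.key = key
        self.golden_code = golden_code
        self.max_age = max_age          # seconds a challenge stays valid
        self.clock = clock              # injectable for testing
        self.outstanding = {}           # nonce -> time issued

    def challenge(self) -> bytes:
        nonce = os.urandom(16)
        self.outstanding[nonce] = self.clock()
        return nonce

    def verify(self, nonce: bytes, tag: bytes) -> bool:
        issued = self.outstanding.pop(nonce, None)   # each nonce is single-use
        if issued is None:
            return False                             # unknown or replayed nonce
        if self.clock() - issued > self.max_age:
            return False                             # response arrived too late
        expected = attestation_tag(self.key, nonce, self.golden_code)
        return hmac.compare_digest(tag, expected)


class Prover:
    """Untrusted side: computes the tag over the code it actually has loaded."""

    def __init__(self, key: bytes, loaded_code: bytes):
        self.key = key
        self.loaded_code = loaded_code

    def respond(self, nonce: bytes) -> bytes:
        return attestation_tag(self.key, nonce, self.loaded_code)


def attest_round(verifier: Verifier, prover: Prover) -> bool:
    """One exchange: verifier -> nonce, prover -> tag, verifier checks."""
    nonce = verifier.challenge()
    return verifier.verify(nonce, prover.respond(nonce))


def entrust(verifier: Verifier, prover: Prover, rounds: int) -> int:
    """Run continuous attestation; return the round at which trust was lost, or -1."""
    for i in range(rounds):
        if not attest_round(verifier, prover):
            return i
    return -1


if __name__ == "__main__":
    v = Verifier(SESSION_KEY, GOLDEN_COMPONENT)
    print("honest host:", entrust(v, Prover(SESSION_KEY, GOLDEN_COMPONENT), 3))
    patched = Prover(SESSION_KEY, GOLDEN_COMPONENT + b"# patched\n")
    print("patched host:", entrust(v, patched, 3))
```

The sketch shows what the network protocol buys (freshness, no replay, a verdict per round) and also where the real difficulty lies: a prover that is itself compromised could keep a pristine copy of the image and answer over that. Tying the tag to the code that is actually executing, rather than to bytes the prover chooses to hash, is the part that needs the hardware chip or the software-only monitoring techniques the project works on.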
Figure: Concentrations of non-unique IP addresses of compromised hosts (from the report "Shadows in the Cloud")
Source (Investigating global cyber espionage): http://Shadows-in-the-Cloud.net

Figure: Entrusting by remote software authentication during execution
Source (Better remote entrusting): http://www.sciencedaily.com/releases/2010/04/100413131939.htm

SECURITY THREATS: Protecting hypervisors
Source: http://www.scientificcomputing.com/news-HPC-New-Security-for-Virtualization-Cloud-Computing-050310.aspx
REPORT | Black Hat USA 2010
www.secureviewmag.com | 10 | SECUREVIEW 4th quarter 2010
Article by Stefan Tanase

Stefan is a Senior Security Researcher for Kaspersky Lab. He specializes in web application security, web-based threats and malware 2.0. Stefan is involved in several innovative research projects, ranging from malware databases or honeypots, to web crawlers which continuously scan the Internet to identify and neutralize the latest threats. As a member of the Global Research and Analysis Team, Stefan publishes analyses of hot information security topics on threatpost.com and securelist.com, the Kaspersky Lab information and education portals on viruses, hackers and spam. Stefan is also frequently invited to speak at major international security conferences such as Virus Bulletin, RSA and AVAR.
Black Hat is the place where IT and computer security happens. Now in its 13th year, researchers' latest findings are published during presentations spread over 11 conference tracks and two days. The two opening keynotes this year were delivered by Jane Holl Lute, the current Deputy Secretary of Homeland Security, and Michael Vincent Hayden, former Director of both the National Security Agency and the Central Intelligence Agency. This doesn't come as a surprise, especially after Jeff Moss, the founder of the Black Hat and DEF CON conferences, was sworn in to the Homeland Security Advisory Council of the Barack Obama administration.

This year's event featured more than 200 speakers discussing their latest research around essential security topics ranging from infrastructure, reverse-engineering, malware +, fingerprinting and exploitation, to the latest topics in IT technology - cloud/virtualization and cyber war and peace.

Las Vegas, the Security Researchers' Oasis

Each year, the entire security industry waits for the Black Hat Briefings in the sweltering Las Vegas desert. This year was no different, with more than 6,000 people interested in security gathered from all over the world at Caesars Palace, Las Vegas, Nevada, the place where the conference is traditionally held. From private companies and government agencies through to security researchers, system administrators and law enforcement officers - everybody was there. "Security researchers from all over the world come to Black Hat to identify security threats and work collectively to create solutions. The Black Hat community is one of the greatest assets we have for defending the safety and security of the Internet," said Jeff Moss, founder of Black Hat.

Photo: Caesars Palace, the place to be for Black Hat
JACKPOTTING ATMS

One of the most highly anticipated talks at Black Hat USA 2010 was delivered by Barnaby Jack, Director of Research at IOActive Labs. Barnaby discussed two types of attacks against automated teller machines (ATMs) running Windows CE: the first one was a physical attack using a master key which can be purchased on the Internet and a USB stick to overwrite the machine's firmware with a custom-built rootkit; the second one was a remote attack exploiting a vulnerability in the ATMs' remote administration authentication mechanism which allowed the attacker to remotely rewrite the firmware.

The talk itself was eye-opening and disappointing at the same time. It was amazing to see the depth that Barnaby had achieved when reverse-engineering the ATMs and building a custom software tool called Dillinger to overwrite the machine's operating system, take complete control of the ATM and send commands which remotely instructed the ATM to start dispensing cash. Incidentally, Dillinger is named after the famous bank robber. The disappointing part, from an avid researcher's point of view, was that he only focused on Windows CE-based ATMs, an old operating system which is not widely used in other regions of the world. For instance, the two attacks that Barnaby demonstrated, the physical and the remote attack, would not be possible in most European countries, but it's a whole different story in the United States.

All in all, seeing such progress being made in ATM security research definitely makes you think twice about using ATMs, especially when traveling. In fact, with the amount of skimming going on anyway, why not avoid using ATMs altogether?
THE CLIENT-SIDE BOOGALOO

Nicholas Percoco and Jibran Ilyas, members of Trustwave's SpiderLabs team, presented "Malware Freak Show 2010", a talk that extended their initial "Malware Freak Show" presentation delivered at DEFCON 17 in 2009. This year's talk explored four of the most interesting new pieces of malware that were obtained during more than 200 investigations they conducted in 2009.

An interesting fact which emerged as a result of combining intelligence from cases they were both involved in was that attackers spend an average of 156 days exploring a victim network before getting caught. This is an alarmingly high number which confirms how low the general level of security awareness and education is among businesses.

The presentation included the anatomy of a successful malware attack, a profile on each sample and victim and a live demonstration of each piece of malware discussed: a memory rootkit, a Windows credentials stealer, a network sniffer rootkit and a targeted attack malware program that uploads documents to an FTP server.
TRACKING CYBER SPIES AND DIGITAL CRIMINALS

Greg Hoglund, who literally wrote the book on Windows rootkits, presented some techniques to track down the origins of malware samples. Malware attribution, which is defined by Greg as "finding the humans behind the malware", aims to know more about the people who create malicious files. This type of information can be very useful during forensic investigations.

His basic premise is that software is not easy to write and programmers adhere to the "if it ain't broke, don't fix it" principle. Once a programmer has written a piece of code which works, they are not going to rewrite it, but instead will most likely reuse it at every opportunity.

Each cybercriminal or cybercrime group normally reuses the code that they create. To prove this, Greg performed a case study on a Chinese RAT (Remote Administration Tool) called gh0st RAT. He showed the audience how he discovered that malware samples from 2010 are still using code from 2005, making it possible to link five-year-old samples together. These techniques are very developer-specific.

In his conclusion, Greg called on the security community to understand that generally it is better to focus on identifying the authors behind the malware than the malware itself.
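The code-reuse premise above lends itself to a simple mechanical check. Here is an added Python example (written for this article, not Greg Hoglund's tooling): disassembly listings are reduced to mnemonic sequences, and two samples are linked when a high share of the smaller sample's instruction n-grams reappears in the other. The three listings are constructed for the example; the decoding loop they share stands in for a reused routine and is not taken from any real family.

```python
"""Link samples by reused code fragments (mnemonic n-grams).  Added example,
not Greg Hoglund's tooling; the three listings below are constructed."""
from itertools import combinations

# A routine that stays the same across years while the code around it changes.
# Registers, immediates and labels differ between the two "samples".
SAMPLE_2005 = """
push ebp
mov ebp, esp
mov ecx, [ebp+8]          ; buffer pointer
xor eax, eax
lea esi, [ecx+4]
decode:
mov dl, [esi+eax]
xor dl, 0x5a              ; single-byte XOR decoding
mov [esi+eax], dl
inc eax
cmp eax, [ecx]
jb decode
pop ebp
ret
"""

SAMPLE_2010 = """
push ebp
mov ebp, esp
sub esp, 0x20
call get_config
mov ecx, eax
xor eax, eax
lea esi, [ecx+4]
decode2:
mov dl, [esi+eax]
xor dl, 0x7f              ; same loop, different key
mov [esi+eax], dl
inc eax
cmp eax, [ecx]
jb decode2
call send_beacon
leave
ret
"""

UNRELATED = """
push ebp
mov ebp, esp
push 0
push offset mutex_name
call CreateMutexA
test eax, eax
jz fail
push eax
call CloseHandle
fail:
xor eax, eax
pop ebp
ret
"""

SAMPLES = {"sample_2005": SAMPLE_2005, "sample_2010": SAMPLE_2010, "unrelated": UNRELATED}


def normalize(listing: str) -> list:
    """Reduce a listing to mnemonics: drop comments, labels and operands."""
    mnemonics = []
    for line in listing.splitlines():
        line = line.split(";", 1)[0].strip()
        if not line or line.endswith(":"):
            continue
        mnemonics.append(line.split()[0].lower())
    return mnemonics


def ngrams(seq: list, n: int = 4) -> set:
    return {tuple(seq[i:i + n]) for i in range(len(seq) - n + 1)}


def containment(a: set, b: set) -> float:
    """Share of the smaller sample's n-grams found in the other one.  Chosen over
    Jaccard because reused code is usually a small part of a larger, newer sample."""
    smaller = min(len(a), len(b))
    return len(a & b) / smaller if smaller else 0.0


def link_samples(samples: dict, threshold: float = 0.4, n: int = 4) -> list:
    """Return (name_a, name_b, score) for every pair at or above the threshold."""
    sigs = {name: ngrams(normalize(code), n) for name, code in samples.items()}
    links = []
    for a, b in combinations(sorted(samples), 2):
        score = containment(sigs[a], sigs[b])
        if score >= threshold:
            links.append((a, b, round(score, 2)))
    return links


if __name__ == "__main__":
    for a, b, score in link_samples(SAMPLES):
        print(f"{a} <-> {b}: {score:.2f} of the smaller sample's code is shared")
```

Mnemonic-only normalization is deliberately coarse: it survives register renaming and new XOR keys, which is exactly how reused code tends to drift, at the cost of false links between samples that merely share common compiler idioms. In practice the threshold is tuned against a corpus of known-unrelated samples before it is used for attribution.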
ATTACKING PHONE PRIVACY

Cryptography researcher Karsten Nohl presented vulnerabilities, tricks and ideas which he used to successfully crack A5/1, the encryption system used to protect GSM calls. One of the biggest breakthroughs that helped him with his research was the fact that some GSM packets, the keep-alive ones, are predictable in the stream of different packets. The fix for this vulnerability was released two years ago, but none of the GSM networks have implemented the patch yet, even though the patch is rather simple.

It is much easier to intercept the part of the call that is coming from the tower to the mobile phone, rather than the one going from the mobile phone to the tower. This is due to the fact that mobile phones dynamically adjust the output power of their signal to save battery power and can be on the move in areas surrounded by buildings, while the towers are transmitting high-power signals, are stationary and are located in high areas.

So, the majority of GSM networks nowadays are quite unsafe. They are either using very insecure encryption or, in countries like China and India, none at all. A mitigation technique for this threat would be to switch your phone to UMTS-only mode, although not every phone supports this and 3G coverage is not available in remote areas.
UNTIL NEXT YEAR

There were many other interesting presentations, as you can see from the Black Hat online archive: http://www.blackhat.com/html/bh-us-10/bh-us-10-archives.html.

As usually happens when thousands of security researchers gather in the same place, there were several incidents that made this year's Black Hat very memorable; for example, the live stream got hacked by a security researcher at Mozilla who responsibly disclosed the vulnerabilities found to the third-party company which was providing the streaming service. This and other things make attending Black Hat a thrill and a challenge at the same time.

Photo: Barnaby Jack shows how jackpotting works on vulnerable ATMs
TOP STORY | Corporate threats
www.secureviewmag.com | 12 | SECUREVIEW 4th quarter 2010
Businesses under attack

Article by Joerg Geiger, Chief Technology Expert at Kaspersky Lab

Joerg Geiger has 11 years' experience in IT journalism. Having completed his Diploma in Computer Science, Joerg worked as a Senior Editor for a number of different printed and online magazines. For the last 3 years, Joerg has been a freelance contributor to German newspapers, websites and various IT companies and specializes in operating systems, IT security and mobile IT.

Modern companies cannot survive without information and computer technologies. IT has become an inseparable part of any commercial venture, state-run enterprise or worldwide business system. However, IT has also developed into a potent source of problems and threats which companies must face. With the help of malware, hackers are able to steal confidential information from computers, which in turn can lead to damaged commercial reputations, the collapse of business deals and the infringement of intellectual property rights. Under the control of hackers, corporate computer networks can spread spam and malware, not only locally, but to the computers of trusted clients and partners as well. Software and hardware failures lead to unwanted downtime, the interruption of important business processes and the loss of working time by personnel. This is only a small part of the modern corporate threatscape which we will look at in more detail within this article.

Today's computers store and process all types of official information; they generate business activity reports, they perform economic analyses and undertake planning, and they are used for technical modeling and design. Companies advertise their products via the Internet and communicate with society in general using computers. Goods are readily bought and sold through the medium of electronic trading and Internet shops. In the course of everyday business activity, computers and smartphones have become an indispensable communications tool for workers, clients and company managers alike. The burgeoning capabilities of today's IT equipment mean that companies can now benefit from a whole new world of commercial possibilities. Such companies rely heavily on stable IT infrastructure to maintain their business processes and competitive advantage.

As mentioned previously, the presence of financial or confidential information attracts the shadier elements of society who wish to nefariously grab a slice of the pie for themselves, and in addition, it should be remembered that companies can and do suffer enormous losses due to the availability of confidential information to insiders. Serious security incidents can incur punishment by the state; in most countries, violation of security standards is a prosecutable offence carrying criminal responsibility and, where applicable, the withdrawal of state-issued and other licenses.

The incentive to hack corporate networks grows as commercial information becomes more and more valuable and as business processes are automated. The tendency is for business IT to not only develop automated management and recording systems, but technological processes as well; IT is already a major player not only in accountancy, warehousing and HR, but in manufacturing and production as well. Today it is completely unacceptable to leave corporate IT systems under-protected, or worse still, unprotected. A company's IT infrastructure must include reliable and comprehensive protection against computer threats.

Photo: The Internet has long since been used for the majority of corporate financial transactions
GOALS AND TASKS

It is interesting to note that malware specifically designed to target corporate information systems does not exist. The tools of the hackers' trade remain the same regardless of whether the target is a private individual or a company; the only real difference is the scale of damage, so companies have to pay particular attention to their own protective measures. The cybercriminals are far more interested in attacking companies than private individuals as the potential rewards from such attacks are considerably higher. It is very rare indeed for a hacker or virus writer to work for nothing. Usually when they feel the need to put their professional abilities to the test they try to ensure that their efforts are duly remunerated.
Hackers that attack companies generally do so for the following reasons:

- To steal confidential information, including financial information, with a view to profiting from its usage or resale, for example, databases belonging to financial organizations
- To disable a company's IT infrastructure with a view to extorting money from that company for returning its IT infrastructure to operational condition. Additionally, a hacker may want to do damage to a company's reputation or interrupt their business processes by the use of DDoS attacks
- To use the IT resources of one company for the purpose of attacking other companies
Those who order hacking attacks are usually dishonest competitors, financial fraudsters or people involved in industrial espionage. For example, it may be that on the day that a company is due to launch a new product, hackers acting on behalf of a competitor take down that company's website, thereby depriving the company of a lot of potential customers who would have otherwise visited it. Another common example is a competitor acquiring detailed information concerning an important business deal from a rival company's computer system and the deal subsequently being undermined. Then there is always the scenario in which financial information is stolen by an insider in order to initiate an illegal transaction. In the most dangerous cases, vital social infrastructure can be put out of operation if the company responsible for maintaining it becomes the subject of a hacker's attack.
METHODS OF ATTACK

How do cybercriminals gain access to corporate information? What vectors of attack do they choose? First of all, the particular attributes of corporate networks play right into the hands of the cybercriminals; such networks are typically large-scale, distributed across geographical sub-divisions, hierarchic in composition with heterogeneity of the component parts, carrying high levels of traffic and supporting a significant number of users.

Networks belonging to large enterprises with geographically diverse subdivisions have equipment located in different towns and sometimes even different countries, as well as hundreds of kilometers of communications cables. All this makes it very difficult to prevent unauthorized network access or the interception of confidential information transmitted over the network. An attacker can surreptitiously connect to some part of the network and secretly monitor the channel traffic without alerting anyone to their presence, or masquerade as an authorized user and send requests for information and messages in the name of a legitimate user. Hacking can occur on both private and publicly accessible sections of a network, usually the Internet. In such a case, the cybercriminal does not need to be physically near the hacked channel; using hackers' tools and methods available on the Internet it is possible to hack a network remotely.

Pull quote: Cybercriminals do not have to attack a whole organization to get their hands on financial or confidential information. It is much simpler to carry out an attack by targeting an individual victim in an administration or HR department where the level of computer literacy is usually fairly low

Figure: A hacker does not usually need direct access to the target computer within an organization: these days attacks are carried out remotely via the Internet
Probably the most popular method for infecting computers is via the use of programs called Trojans which infiltrate a target machine through malware links in spam, instant messaging, drive-by downloads and the exploitation of vulnerabilities in different software applications.

Of all of the abovementioned methods of infection, it is the vulnerabilities in software that are one of the biggest problems within the corporate environment. Large corporate networks are made up of a huge number of component parts: workstations, servers, laptops, smartphones, all of which may operate under the control of a different operating system. The situation gets even more complex when the functional diversity of the component parts of a large corporate network is factored in also; the hardware will service different subdivisions, perform different tasks and differ from unit to unit, not to mention that it is often produced by different manufacturers.

It is almost impossible to keep track of all the programs installed on all of the systems and devices mentioned. IT administrators need to constantly update programs and install patches for the entire system's resources, but it is a complex task, made more difficult by the fact that an administrator may have to wait a significant amount of time for a much-needed patch while the manufacturer creates and distributes it. As a result, a corporate network can remain susceptible to attack by cybercriminals who can exploit a vulnerability, for example, by installing malware through an old version of Adobe Reader, with ensuing dire consequences for the computers on the corporate network. In such a case, even technical specialists may suspect nothing if they do not keep themselves up to date regarding the latest detected vulnerabilities in application-dependent software.

Another loophole used by the criminals is the multiplicity of staff and the resulting multiplicity of computer network users and access points. The larger the number of end-users and nodes, the more chance there is of an accidental oversight in security procedures or an intentional violation of security policy. It is more difficult for the administrators to determine users' loyalties, especially as users could typically be both staff members and, for instance, clients. Therefore it is more difficult to control them; today, simple methods of recording user information are no longer suitable, and more complex methods like authentication, authorization and auditing are required. Modern corporate IT systems need to be able to do much more than just allow or disallow a user access to something; they need to have the flexibility to provide degrees of access, taking into consideration factors such as time, group membership, editing rights etc. Nowadays a corporate user has a wider range of services available to them; very often they have Internet access, which is awash with malware, a mobile connection which has become unsafe and remote access from home, which makes it difficult for the employer to check whether passwords to access the corporate servers are stored in a secure manner. Unfortunately, companies rarely have all-encompassing security policies in place, thus the cybercriminals continue to actively abuse the situation and commit targeted attacks.
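As an added Python example (written for this article, not taken from the author or from any named product), here is a small policy evaluator of the kind the paragraph describes: default deny, rules that combine group membership, the permitted actions and a time window, and an audit trail of every decision so that violations can be reviewed afterwards. The users, groups, resources and rules are constructed.

```python
"""Default-deny access policy with group, action and time-window conditions,
plus an audit trail.  Added example; users and rules are constructed."""
from dataclasses import dataclass
from datetime import datetime
from typing import Optional, Tuple


@dataclass(frozen=True)
class Rule:
    resource: str
    groups: frozenset                        # a user needs at least one of these
    actions: frozenset                       # actions permitted, e.g. "read", "edit"
    hours: Optional[Tuple[int, int]] = None  # (start, end) hour; None = any time
    weekdays_only: bool = False


class AccessPolicy:
    def __init__(self, memberships: dict, rules: list):
        self.memberships = memberships   # user -> set of group names
        self.rules = rules
        self.audit = []                  # every decision, allowed or not

    def _record(self, user, resource, action, when, allowed, reason) -> bool:
        self.audit.append((when.isoformat(), user, resource, action, allowed, reason))
        return allowed

    def decide(self, user: str, resource: str, action: str, when: datetime) -> bool:
        """Authorization: first matching rule allows; nothing matching denies."""
        groups = self.memberships.get(user)
        if groups is None:
            return self._record(user, resource, action, when, False, "unknown user")
        for rule in self.rules:
            if rule.resource != resource or action not in rule.actions:
                continue
            if not groups & rule.groups:
                continue
            if rule.weekdays_only and when.weekday() >= 5:     # 5 = Saturday
                continue
            if rule.hours and not (rule.hours[0] <= when.hour < rule.hours[1]):
                continue
            return self._record(user, resource, action, when, True,
                                f"matched rule for {sorted(rule.groups)}")
        return self._record(user, resource, action, when, False, "no matching rule")

    def denied_count(self) -> int:
        """Auditing: how many requests were refused (worth alerting on when high)."""
        return sum(1 for entry in self.audit if not entry[4])


# Constructed directory: who belongs to which groups.
MEMBERSHIPS = {
    "anna": {"hr", "staff"},
    "bob": {"staff"},
    "carl": {"contractor"},
}

# Constructed rules: HR reads and edits payroll only in office hours on weekdays;
# all staff may read the handbook at any time; contractors match nothing here.
RULES = [
    Rule("payroll", frozenset({"hr"}), frozenset({"read", "edit"}),
         hours=(8, 18), weekdays_only=True),
    Rule("handbook", frozenset({"staff", "hr"}), frozenset({"read"})),
]


def build_policy() -> AccessPolicy:
    return AccessPolicy(MEMBERSHIPS, RULES)


def moment(year: int, month: int, day: int, hour: int) -> datetime:
    """Small helper so requests can be written as moment(2010, 10, 5, 10)."""
    return datetime(year, month, day, hour)


if __name__ == "__main__":
    policy = build_policy()
    print(policy.decide("anna", "payroll", "edit", moment(2010, 10, 5, 10)))   # Tuesday 10:00
    print(policy.decide("anna", "payroll", "edit", moment(2010, 10, 5, 23)))   # after hours
    for entry in policy.audit:
        print(entry)
```

Two design points carry over to real systems: the evaluator denies unless a rule explicitly allows, so a forgotten rule fails closed rather than open, and every decision, including the refusals, lands in the audit list, which is the raw material for spotting an insider probing resources they have no business in.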
EDUCATION

One of the keys to successfully minimizing corporate attacks is to educate staff on a constant basis, and not just technical staff, but administrative staff too. It is more often than not the latter group who are responsible for the large numbers of successful attacks carried out using social engineering techniques. Obviously, when a user has no real knowledge of the basic rules of computer security there can be no guarantee that hackers won't be able to enter the corporate network, regardless of whether or not a highly qualified administrator has implemented the most stringent security settings.

Teach your staff not to react to emails and IM messages of a dubious nature, which may well contain malicious hyperlinks in the body of the message. Explain to them that a letter or SMS message from a friend can be compromised and that it is always better to think twice and check before clicking on any messages received. Remind your staff again and again that "there is no such thing as a free lunch"; banks and social networks will never ask you about your login or password simply because they have problems with their infrastructure, or their database of users is being updated. It is imperative to teach your staff to think twice and remain cautious.

Figure: The structure of a typical corporate network is usually much more complex than the one displayed in the picture
COMPLEXITY

So, what can be done within the framework of corporate security to prevent the criminals from gaining the upper hand? The most important thing is to understand that protection of the corporate network needs to be complex and multilayered. Before the design and installation of a secure network can take place it is necessary to consider all of the possible threats to the integrity and confidentiality of the information that it will contain, as well as to think about how the network could be penetrated, for example, via external media and software vulnerabilities. The measures taken to counter any threats must be complex and should include organizational and technical methods.

Organizational means of protection should include a set of company procedures and a structured approach to working with documentation and information. A company's management has to clearly understand what information is considered confidential, which staff can have access to such information and how to arrange a system so that a breach of those access rules cannot occur.

Technical means of protection can include all kinds of equipment for nullifying electromagnetic radiation and avoiding electronic eavesdropping, access control mechanisms, encryption systems, antivirus programs, firewalls, etc. One should remember that within the realms of complex technical procedures, it is very important to restrict the use of external media such as flash drives and portable hard disks; it is also recommended that the possibility of recording data to CD-ROMs is removed or otherwise controlled. This is achievable through technical means, for example, by closing ports at the BIOS level to which an ordinary user would not have access. Additionally, most corporate antivirus solutions have inbuilt functionality that provides control over USB and other peripheral ports. Those staff members whose work regularly entails the use of portable storage media must be provided with, and made to use, an automatic encryption system that will protect any information stored on it in the event of the theft or loss of the media.

Other similarly important measures, which are quite often overlooked by companies, include the protection of wireless access points and data transmission channels. If you have protected the whole infrastructure, but left your WiFi networks without WEP encryption and not implemented a monthly password changing policy, then you have protected nothing. Generally speaking, the use of WiFi inside a company should be as limited as possible. It is necessary to regulate the distance that the signal can travel by adjusting the radiated power of the transmitter, provide users with temporary passwords, define which WiFi networks guests can connect to and limit access to internal resources, etc.

Pull quote: If the use of portable storage media is not strictly managed, then the protection of confidential information can be forgotten

Figure: Modules allowing the centralized management of corporate network protection are present in every major business IT security solution
CENTRALITY

Protection of a corporate network is a round-the-clock, year-long process and should embrace the entire information lifecycle - from its arrival at the company through to its destruction, loss of value or downgraded level of confidentiality. Reliable protection means real-time control over all the important events and occurrences that may influence security.

It is very important to implement the centralized management of a security system. This approach allows the speedy acquisition of a complete picture of network events from a single access point and provides a centralized approach to the resolution of tasks; it is a method for checking and effectively resisting generic threats. At the same time, the application of different security policies across the various subdivisions, as well as an individualized approach to the resolution of tasks, should not be excluded. The centralized management of network security via a single interface has the advantage that system administrators do not have to spend a lot of time familiarizing themselves with several different security solutions.

Modern corporate antivirus solutions offer companies precisely this level of control. As a rule, such solutions will contain some sort of centralized management system that allows adjustment of the many different security-related software modules that control the antivirus system settings, the setting up of individual and group application parameters, access to different resources, database updates and the continuous monitoring of the network status and dynamic response in the event of critical situations.
SUFFICIENCY

Any security system has to be sufficiently robust. This means that it should provide the maximum level of protection, availability and resiliency. To do this, a security system must have a reserve of hardware and software to cope in situations where a component of one or the other type fails. Additionally, the system has to employ effective technologies that can cope with existing threats and are able to combat new attacks thanks to embedded extra capabilities such as heuristics and enhanced signature detection processes.

Heuristic analyzers, as well as script emulators and file execution emulators, are used when a program sample is not present in antivirus databases; they allow program execution to be emulated inside an isolated, virtual environment. This is absolutely safe and allows all of the program's actions to be analyzed in advance, so that its potential to cause harm can be estimated with a high probability prior to real-world execution. In this way, new threats are detected before they become known to virus analysts and their signatures can be included in antivirus databases accordingly. Taking care to ensure that a system is sufficiently robust prolongs its usefulness as a means of defense.
REASONABLE BALANCE

It is always the case that a reasonable balance needs to be struck between the capabilities of a security system and its level of resource intensity. The more options and functions a solution has, the more computer, human and other resources are consumed. This is unacceptable for a corporate network as it will generally have high enough working loads already - it must simultaneously serve a large number of users, search vast databases, transmit big volumes of traffic and do all of the above precisely and quickly. Manufacturers of antivirus products pay a great deal of attention to the balance between productivity and protection of systems. For this reason there are parameters that can be set to run system scans only at times when nobody is working on a computer, i.e., when a computer is locked or its screensaver is on. This allows, for example, a deep heuristic analysis to take place during an antivirus scan without interference to the work of the staff. Additionally, modern antivirus products include technologies that can significantly increase the operating speed of an antivirus application through always-on protection and on-demand scanning. Speed is also gained by excluding the multiple checking of files that have been scanned already, provided that this does not pose a threat of infection. By complementing each other, such technologies can greatly reduce the time and resource intensity required for the antivirus scanning of different objects, files and operating systems.

Photo: It is necessary to encrypt not only the data that the phone contains, but also the data stored on any accompanying memory card in the event that important information is stored on that too
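The "skip files already scanned, provided that this does not pose a threat of infection" idea maps onto a verdict cache keyed by both file content and signature database version. As an added Python example (written for this article, not any vendor's engine), the toy scanner below stands in for a real engine, and the cache shows the two invalidation cases a defender cares about: the file changed, or the database learned something new. The patterns and files are constructed.

```python
"""Scan-verdict cache invalidated by content change or signature update.
Added example; the 'engine' and its byte patterns are constructed stand-ins."""
import hashlib
from typing import Iterable, Tuple


class SignatureScanner:
    """Toy engine: a verdict is 'infected' if any known byte pattern occurs."""

    def __init__(self, version: str, signatures: Iterable[bytes]):
        self.version = version
        self.signatures = list(signatures)
        self.calls = 0          # counts real scans, to show what the cache saves

    def scan(self, data: bytes) -> str:
        self.calls += 1
        return "infected" if any(sig in data for sig in self.signatures) else "clean"

    def update(self, new_version: str, new_signatures: Iterable[bytes]) -> None:
        self.version = new_version
        self.signatures.extend(new_signatures)


class ScanCache:
    """Remembers verdicts by (SHA-256 of content, database version).

    Keying on content rather than path means a renamed or copied file reuses
    its verdict while any byte change forces a rescan.  Keying on the database
    version means a 'clean' verdict never outlives the signatures it rested on."""

    def __init__(self, scanner: SignatureScanner):
        self.scanner = scanner
        self._verdicts = {}

    def scan(self, data: bytes) -> Tuple[str, bool]:
        """Return (verdict, served_from_cache)."""
        key = (hashlib.sha256(data).hexdigest(), self.scanner.version)
        cached = self._verdicts.get(key)
        if cached is not None:
            return cached, True
        verdict = self.scanner.scan(data)
        self._verdicts[key] = verdict
        return verdict, False

    def update_signatures(self, new_version: str, new_signatures: Iterable[bytes]) -> None:
        self.scanner.update(new_version, new_signatures)
        # Entries from older database versions can never match again; drop them.
        self._verdicts = {k: v for k, v in self._verdicts.items() if k[1] == new_version}

    def size(self) -> int:
        return len(self._verdicts)


# Constructed inputs: a harmless document and a file carrying a byte pattern
# that the first database does not know yet.
REPORT = b"Quarterly report: revenue up, costs flat.\n"
PATTERN_OLD = b"\x90\x90\xeb\xfe"               # known to database 2010.10.01
PATTERN_NEW = b"\xcc\xcc\xe8\x00\x00\x00\x00"   # added in 2010.10.02
SUSPECT = b"MZ" + b"\x00" * 16 + PATTERN_NEW + b"\x00" * 8


def build_cache() -> ScanCache:
    return ScanCache(SignatureScanner("2010.10.01", [PATTERN_OLD]))


if __name__ == "__main__":
    cache = build_cache()
    print(cache.scan(REPORT))    # ('clean', False)  real scan
    print(cache.scan(REPORT))    # ('clean', True)   cache hit
    print(cache.scan(SUSPECT))   # ('clean', False)  not yet detectable
    cache.update_signatures("2010.10.02", [PATTERN_NEW])
    print(cache.scan(SUSPECT))   # ('infected', False)  rescanned with new database
```

The last two lines of the demonstration are the point: a cached "clean" result is only as good as the database that produced it, so the cache key must change whenever the signatures do, otherwise the speed-up turns into a blind spot for exactly the threats that were discovered most recently.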
FLEXIBILITY
A security system should also be flexible and
scalable; in other words, it should be adaptable
to a wide range of tasks, working conditions
and quantitative characteristics of a corporate
network. Today's computer networks can expand,
contract and change their configuration very
quickly. Threats are also changing with alarming
rapidity, and the security system must be ready for
it. To meet this requirement, high quality security
solutions need the means to update practically
all of their program components - for example,
malware protection solutions should update not
only their antivirus signature databases, but
also their malware behavior pattern recognition
capabilities and their own operating algorithms.
INTERACTIVITY
Another important requirement is interactivity.
The security system has to be able to interact
with an experienced user, system and network
administrator. It has to provide a user with sufficient
information upon which to base operational
decisions and be able to warn a user about
potential errors. It is preferable that the system's
settings and security modules are understandable
to a layman who has no specific knowledge in
the field of information security. This allows
corporations to quickly train their own specialists
and means that medium and small businesses can
have a protected system without the need to employ
security administrators or even IT specialists. In
order to do this, antivirus solution developers pay
increased attention to their product interfaces,
trying to make them as simple and straightforward
as possible. Special signicance is given to the
provision of notications when the security of the
system is under threat. The system must inform an
administrator of what actions should be performed
in order to restore normal defensive levels. The
interface must also allow the administrator to
quickly jump between tasks such as virus scanning,
antivirus database updating, etc.
COMPATIBILITY
AND HETEROGENEITY
Compatibility is a definitive requirement of
a security system: it must be able to fully
operate in a complex, heterogeneous corporate
network without any negative impact on the
other components. Any corporate antivirus
system has to be able to function with a range
of different devices. Modern computer systems
can consist not only of workstation computers,
file servers and mail servers, but notebooks and
smartphones too. Smartphones are commonly
synchronized with computers, and if a user opens
a malware link on their telephone, there is a real
chance of transferring that virus to the corporate
network during the process of synchronizing mail
or calendar items with the networked computer.
Whilst on the subject of smartphones, it is
worth treating them like portable information
storage devices: all messages and mail
correspondence, as well as the contents of
flash memory and memory cards which are
used for the additional storage of information,
should be compulsorily encrypted. Only then
is it possible to keep the stored information
confidential in the event of the loss of a
device. When choosing a protective solution for
mobile devices, close attention should be paid
to ensuring that it has the capability to block a
lost smartphone, even if the SIM card is changed
by a thief. Otherwise the criminal will be able to
drop off the radars of those seeking to retrieve
the device, and having removed the SIM card
from the phone, will be able to do anything
they wish with the phone and the valuable
information it contains.
Also, it is worth remembering that when a
company uses machines with different operating
systems, all of them should be protected, as if
only one of the systems is secure, it means none
of them are safe. If an administrator thinks that
there are not many viruses for Mac OS X out
there so the risk to the company is negligible
and therefore it is not critical to protect
Macintoshes, they would be absolutely wrong.
It is through just such an open gate to the world
of Windows computers that the most harmful
malware threats may come, for example, by way
of a malware link which becomes active once
inside a Microsoft environment. Another route
is the Trojan program which automatically copies
itself to a flash memory card on a computer
running under Mac OS X and is later inserted
into a different workstation running under
Windows.
SUMMARY
New threats and vulnerabilities in the world of
computer security are growing as never before
and there are no indications that the situation is
going to improve any time soon. Nevertheless,
if you, as a company administrator or security
specialist, provide proper protection on all
fronts, then there is a good chance that your
company's business will prosper. Educate your
staff about computer safety on a regular basis.
Distributed security policies and access rights
should be compulsory, and protection solutions
should cover all nodes on the network, from the
gateways to the endpoints, not omitting the
bosses' smartphones or notebooks. Remember:
economize just once on network protection and
it is possible that the whole of the company's
business could be lost as a result.
EXPERT COMMENTS

Kaspersky Lab's products for corporate users are complex solutions for heterogenic, distributed networks, and that is very important at the present time. Our solutions for Windows, Linux, Mac, Novell NetWare and mobile operating systems are simple to install and use. Kaspersky Lab's solutions provide protection for all types of network nodes, from mobile devices to servers. They can control all incoming and outgoing data flows, from email and Internet traffic to internal network interactions, and they also provide powerful management tools too. All of Kaspersky Lab's solutions include the Kaspersky Administration Kit management console, which allows the centralized organization and control of network protection for the whole company, integrating all the different levels of protection into one system. The solutions provide scalability, notification of the status of the network's antivirus protection, control over the use of external devices, special security policies for mobile users, support for network access control technologies and customized reporting, allowing administrators to manage the system in an effective way via a straightforward interface.

Nikolay Grebennikov, Chief Technology Officer at Kaspersky Lab
ANALYTICS | Smartphone Security
Desperate Jailbreakers

It was late July, and Apple was still reeling from an uncharacteristic
backlash by the media and its typically adoring customer base over
a design flaw in the antenna of its much-vaunted new iPhone 4
that effectively wiped out wireless reception for many users.
Then, at the beginning of August, hackers published a remotely
exploitable security vulnerability in the device that left tens of
millions of iPhone users exposed to malicious drive-by downloads.

Article by Brian Krebs

Brian Krebs is editor of krebsonsecurity.com, a daily blog dedicated to in-depth Internet security news and investigation. Until recently, Krebs was a reporter for The Washington Post, where he covered Internet security, cybercrime and privacy issues for the newspaper and the website. Krebs got his start in journalism at The Post in 1995, and has been writing about computer security, privacy and cybercrime for more than a decade.

Now, to jailbreak an iPhone, iPod touch or iPad, it's enough just to visit a special website.

The exploit, embedded in the website
jailbreakme.com, was intended to provide
a simple way for iPhone and iPad users
to "jailbreak" their devices, a process
that allows the installation of third-party
applications that are not expressly approved
by Apple. Yet security experts were instantly
drawn to the much darker potential for this
exploit to be abused to install malicious
programs on all of these devices, and not
just those belonging to jailbreakers.

The hackers who discovered the flaw soon
released a patch to block future attacks
against jailbreakers, and Apple issued an
official fix to protect regular iPhone users a
few days later. Still, the incident has thrown
a spotlight on the simmering, high-stakes
tension between security and usability in the
mobile computing market.

While, technically speaking, all jailbreaks
exploit security vulnerabilities or configuration
weaknesses in the underlying operating
system, nearly all previous jailbreak exploits
required the user to connect the iPhone
to his or her computer with a USB cable. If
you were lucky, the jailbreak would work;
otherwise, you might be the proud owner of a
very expensive paperweight.

All of that changed on 1 August, with the
debut of a powerful and highly reliable new
iPhone exploit embedded in jailbreakme.com,
which allowed iPhone users, even those on
the most recent iOS 4.0, to jailbreak merely
by visiting the site with the iPhone's Safari web
browser and dragging the slider bar across the
device's touchscreen.

Instantly, the process of jailbreaking
became more akin to casual web surfing and
less like patching and praying. At the same
time, tens of millions of people were exposed
to a powerful, remote exploit that criminals
could use to install malware just by convincing
an iPhone or iPad user to browse a hacked or
malicious website.
"My grandma doesn't know what
jailbreaking is and never had to worry
about what jailbreakers were up to
because if she wanted to jailbreak her
phone she had to plug it into a computer,
download some special tools, and then
it might work," said Charlie Miller, a
renowned iPhone hacker and researcher
with the Baltimore, Md.-based firm
Independent Security Evaluators. "But
now, here was something that could
radically change your phone just by
visiting a webpage, all of a sudden
this meant instead of doing something
fun and friendly like jailbreaking the
phone, it could do something evil, where
grandma goes to some site and the
same vulnerability is used to download
code to the phone."
PATCH WARS
Four days after jailbreakme.com went
live, Apple announced it would soon
be releasing a patch it had developed
to protect users. Almost immediately,
jailbreaking advocates lit up Twitter.com
and other social media sites, warning
people not to download the Apple patch
because it would un-jailbreak those
devices, or possibly worse.
That advice struck some security
experts as a scary sign of things to
come. Mikko Hypponen, Chief Research
Officer for the Finnish computer security firm
F-Secure Corp., was among those who
publicly chastised the team for telling
people not to apply the patch.
"Imagine if this would have
happened with Microsoft Windows,
where someone creates a zero-day
exploit, doesn't report it to Microsoft,
then publishes the exploit, and when
Microsoft responds with a patch there
are thousands of people telling the
world not to patch it," Hypponen said.
"If they want to give that kind of advice
to people who have jailbroken their
phones, that's great. But now they've
made everyone vulnerable because
these exploits are out there affecting
everyone and even people who
haven't jailbroken their phones are
getting the advice not to upgrade, when
in fact they should."
Within days of releasing its exploit,
the crew responsible for creating the
web-based jailbreak a group called
the iPhone Dev Team, along with a
developer known by the screen name
"Comex," - released "PDF Warner," a
tool that jailbreakers could install to
receive a warning if a website tried
to use the jailbreak flaw to install
malicious software.
The Dev Team even released its own
unofficial patch for those who had
jailbroken their phones, which went
further in protecting jailbroken users than
did the official patch from Apple, which
does nothing to fix the flaw in iPhone
devices older than the 2.x versions.
Will Strafach, an independent software
developer from Connecticut who helped
test the exploit used on jailbreakme.
com, acknowledged that the unofficial
patch took a bit longer than expected,
and that it is still not installed by default
after people use jailbreakme.com. Still,
he noted that neither this exploit nor a
similar, remotely exploitable jailbreakme.
com exploit released back in November
2007 resulted in any malicious attacks.
"Not much detail will be released
about how the exploits work until after
Apple has issued their patch, so there
has never to date been a malicious
payload I have seen for the two
jailbreakme.com exploits," Strafach said.
Strafach is technically correct. Then
again, the only real threats to emerge
against the iPhone have worked only
against jailbroken devices, by exploiting
default settings left behind during
the jailbreaking process. In November
2009, the relatively harmless "Ikee
worm" spread rapidly amon