Archive for the ‘security forensics’ Category

Detecting the Downadup / Conficker Threat

February 11, 2009

“The Downadup worm—also called Conficker—has now infected an estimated 10 million PCs worldwide, and security experts say they expect to see a dangerous second-stage payload dropped soon,” according to NetworkWorld.

Although most of you are surely aware of the worm, how do you go about detecting infected systems on your network? We posted a new filter to detect the specific worm that can be used with Observer and/or GigaStor. Check here for other specific worm, virus, or hack filters.

Install it on your Observer and mine data out of your GigaStor to see if anyone is infected. You could also apply the filter to the real-time “Top Talkers” statistic, which would show you only who is infected in real time. Another way would be to set up a trigger and alarm. If you have an Observer Suite system, the alert can be configured to send an SNMP trap or an email.

Beyond looking at our signatures, you can also take advantage of GigaStor’s Security Forensics, which allows you to upload Snort rules and investigate the path of attacks, worms, etc. on your network in the context of all other network activity. Read more (PDF).

Cyber Forensics: iPhone Under Investigation

August 5, 2008

Crimes and unauthorized acts committed in the workplace seem to increasingly leave evidence trails in the physical and cyber worlds. Physical offenses from office bullying and harassment to clear computer crimes such as data theft cause the lines to blur between physical and computer investigations.

As the landscape blurs, newly emerging portable devices and social networking applications are expanding the places and changing the ways network and security teams within an organization approach these investigations. We’ll look at the impact of devices like the iPhone, followed by a look tomorrow at social networking.

Ultraportable and Powerful Devices
•    Smart phones (iPhone, Blackberry, etc.)
•    Key-chain drives

Smart Phone Problems
The wide availability and popularity of smart phones from the iPhone to the Instinct is fueling a discussion about how best to deal with these devices when it comes to forensic investigations. Any of these devices can be used for storage, but the expanding capabilities of smart phones make them attractive tools to perpetrate an attack or simply steal data and designs. These phones often include large storage capacity, a digital camera, and web/network access, and they can be easily hidden.

Forensic Considerations
Because of their surging popularity, it’s not a matter of “if” but rather “when” you’ll have to perform forensic analysis of this type of device. It goes without saying that digital evidence can be easily modified, and the most difficult step is ensuring your team takes appropriate steps in handling the device. Depending upon the mobile device, you might also find that more information is available if you know how to dig deeper.

While significant efforts are underway by forensic tool vendors, this area currently appears to be lacking in solutions. Jonathan Zdziarski offers a great how-to video demonstrating how forensic investigators can appropriately get under the hood.

Human Resources
Appropriate human resource policies should also be in place to define acceptable use of portable devices like iPhones or keychain hard drives. The devices can obviously be both a workplace benefit and a hindrance. HR Daily Advisor does a good job of covering the potential risks of smartphones, while new initiatives to incorporate business applications into the device arguably increase worker productivity. Another article that will be of interest details what info can be kept on smart phones.

Web 2.0 Applications Require Security Rethink

July 18, 2008

A small impact security hole in a Facebook design that released the members’ birthdates to the public during a test run reminded me how we’ve entered a different age with the Internet.

I’m surprised by the amount of personal information people leave on these sites. If they’re willing to leave personal information on a public web space, how hard would it be for a malicious party to pry out more valuable information (bank accounts or, from an HR perspective, confidential employer-held information), either through malware or social engineering?

Earlier this week, I covered a study that indicated almost 25% of companies block access to social network sites. I don’t think blocking social networking sites like Facebook is really the answer, because it doesn’t really get at the problem. Just because you block one avenue doesn’t mean an employee won’t find another. In the case of social engineering, there may be nothing that you can do to block it. The impact of social engineering can be quite disastrous to companies as illustrated by ChoicePoint in 2005.

I think the real answer revolves around HR and the IT staff to prevent the abuse of social network sites and other “Web 2.0” applications.

Education
The type of trust that people extend to friends they’ve known in the physical world perhaps shouldn’t be extended to the Net. I see education as the best way to make sure people are aware of the risks and vigilant. In the workplace, this means, in addition to general information, establishing proper protocols for sharing information with approved parties and educating employees on them. Also, as part of that education, I would let them know that you are monitoring communications to protect against data leaks and prevent unauthorized acts. The idea is to remove any perception of Big Brother by being upfront about your actions.

Network Monitoring
There are two discussions here – internal monitoring and external monitoring. Internally it just makes sense to regularly monitor protocol use as a part of managing performance and bandwidth. It’s also good for identifying anything unexpected that might take place on the internal network. I’m assuming that internal security measures such as IDS, IPS, firewalls, and appropriate network access controls are in place.

External Network Security
There was a good article on the dangers of Web 2.0 applications that’s worth mentioning. A survey from the Forrester Group, commissioned by Secure Computing, found that, “while 96 percent of respondents reported finding value from the use of Web 2.0 applications, only 5 percent actually implemented comprehensive protection mechanisms.”

The article explains that the interaction between the Web 2.0 site visitor and the website has changed significantly over the last two to three years. These changes will impact the ways companies secure their networks.

“The bi-directional interaction that is the essence of Web 2.0 makes it a prime venue for hackers. Web sites such as Wikipedia thrive on people adding content; however, organizations that host these and other social media sites are not policing the content. This has led to what is known as Web-borne malware, a phenomenon that, during the last two years, has been effectively replacing the traditional delivery method for viruses: e-mail attachments. This new way of breaking into systems can catch users off guard.”

So it’s a matter of making sure not only that you are not accessing a bad site, but also of detecting malware that may sit on a single page of a larger site like Wikipedia. I haven’t done extensive checking, but vendors like Secure Computing, Websense, and Barracuda have filters to detect these threats.

To prevent potential information leaks, you’ll want to monitor sensitive data that may be inappropriately accessed or shared. Companies like Symantec (Vontu), Vericept, and Palisade Systems offer Data Loss Prevention (DLP) solutions for monitoring confidential information.

Complementing these security devices, you could use a network recorder (PDF) for security forensics like our GigaStor or others on the market. This allows you to replay network events, HR infractions, and network attacks for investigations and proof of the infraction.

The Price of eDiscovery

January 2, 2008

2007 was a banner year for data theft; a record number of publicly reported security breaches were recorded, and compromised personal records are at an all-time high. With this being said, the ability to investigate exactly what occurred during an unauthorized disclosure is essential. With eDiscovery tools being a relatively new idea in mainstream networking, how do you determine the key qualities of an eDiscovery solution?

How do I determine whether a solution will be successful in the long term?
InfoGovernance set up a good discussion and formula that you can use to evaluate the long-term success of an eDiscovery solution. It’s very helpful to read when you’re trying to set up a “bake off” between multiple eDiscovery vendors. With the field being new, you need to take into account not only whether the solution will be “useful” for your situation, but also the ability of the company to succeed. If you’re spending thousands of dollars on a solution from a small company, you also want to be sure the company will be around. The questions to ask about the company and solution are outlined here.

How do I determine a reasonable price and the ROI from an eDiscovery solution?
Although there is a lot of marketing speak from vendors around eDiscovery tools, there are also several online resources that you can use to get around this. For example, MarkYacino wrote a great piece about some of the basic vocabulary you’ll need to understand when speaking with vendors. Gartner and Network World have also developed resources around purchasing and using eDiscovery tools. From a legal perspective you can also check out Nixon Peabody.

In a past post I have outlined other online resources for eDiscovery.

Network Management Links for 2007-12-27

December 27, 2007

eDiscovery Online Resources

November 26, 2007

Rob Robinson of InfoGovernance sent over an article published today in Law Technology by Robert Ambrogi. The article “Keeping Up with EDD Blogs and Tools” extensively documents online resources dedicated to eDiscovery.

As Ambrogi said in the article, “As I wrote last month in the first half of this two-part column, no lawyer today can afford to ignore electronic data discovery. No matter the case, digital data is likely to be implicated.”

Likewise, IT managers will find as eDiscovery laws and practices evolve, they will also need to be aware of how legal requirements impact network monitoring and management. eDiscovery can affect everything from how long data is preserved to the type of network activities and communications that need to be monitored.

Two blogs mentioned by the article that are worth checking out:

eDiscovery and Computer Forensics by DataTriage
Ride the Lightning by lawyer Sharon Nelson, who is also president of computer forensics company Sensei Enterprises

Your Federal Tax Dollars Hard at Work (REALLY)

October 26, 2007


SecurityDude, CISSP-ISSAP is an IT Consultant, Security & Privacy Advocate and blogger at large with over 20 years IT experience.

The Federal government is an easy punching bag for all of us in the Tax Payer category. There are countless examples of mismanagement, incompetence, and pork-barrel spending. A “Bridge to Nowhere”, anyone? How about billions of dollars the Federal government “lost”? Just Google the phrase “wasteful federal spending” if you would like an anger-fueled adrenaline rush.

However, if you work in Information Security there are encouraging signs that some of our cash is being diverted to useful work. In this entry, I would like to cheer some of the Federal agencies for their contributions to the IT Security field.


National Security Agency
During the Cold War, the Federal government denied the existence of the National Security Agency (NSA). The joke at the time was that NSA stood for “No Such Agency”. As part of their mission to safeguard the US against foreign threats, the NSA hosts a number of carefully researched and very informative security best practices white papers on the following topics:

Application Security, Database Server Security, Operating System Security, Router & Switch Security, IP Telephony Security, Wireless Security & Web Security.


Defense Information Systems Agency
DISA’s Mission:
“The Defense Information Systems Agency is a combat support agency responsible for planning, engineering, acquiring, fielding, and supporting global net-centric solutions to serve the needs of the President, Vice President, the Secretary of Defense, and other DoD Components, under all conditions of peace and war.”

One of the services that DISA provides to the military and Federal government is something called a STIG (Security Technical Implementation Guide). When the Air Force wanted to add wireless access to the non-classified portion of certain base networks, the Wireless STIG authored by DISA was a key design element.


National Institute of Standards and Technology
NIST is probably most famous for the Cesium Fountain Atomic Clock in Boulder, CO that is the basis for the “official” time of day in the United States. NIST is MUCH more than just Time & Measurement. NIST has an entire department dedicated to Computer Security. They are also the keepers of the Federal Information Processing Standards (FIPS). As an example, FIPS 140-2 outlines the current requirements Federal agencies must adhere to when encrypting non-classified information.

Here are some important and interesting NIST links:

Industrial Espionage Made Easy

October 15, 2007

SecurityDude, CISSP-ISSAP is an information technology consultant and blogger at large with over 20 years IT experience.

Friday, I found myself at the San Jose airport almost four hours before my flight home. As many frequent travelers do, I headed for the (relative) comfort and quiet of the Admiral’s Club. I grabbed a seat at one of the many cubes they provide, plugged in my laptop, and launched my Verizon broadband card to review some documentation over the Cisco SSL VPN connection to my office servers.

As the afternoon progressed, the cubes quickly filled with technology professionals. I usually try to tune out the people who speak too loudly on their cell phones, but two guys seemed to be competing for highest volume. One of the gentlemen worked in the marketing department of a very prominent Silicon Valley equipment manufacturer. I was privy to the details of a product launch that had not been announced to the public.

A woman sitting behind me was working on a quarterly financial presentation to the board of directors of another well-known local company. Just for grins, I turned on my web cam and pointed it at her screen. She was oblivious to the fact I could watch. Were I an industrial spy, I could have covertly recorded a movie with audio and video using a tool called Camtasia. I use Camtasia to record audio with PowerPoint presentations and publish them to Microsoft Media Player or QuickTime movie formats.

These are examples of data disclosure vulnerabilities that no firewall can protect you from. What could these people have done differently to increase their privacy?

  • Invest in a 3M Privacy Screen. It significantly restricts the viewing angle of the laptop monitor and deters ‘snoops’ and spying.
  • Alert callers that you are speaking to them in a public area and that you can be overheard. Be conscious of your surroundings.
  • Avoid typing user names and passwords into public computers. Hardware keyboard loggers such as the Key Ghost can be easily deployed and recovered. Key Ghost cannot be detected by any means other than physical examination of the keyboard cable. Even if you log into your email over an encrypted VPN link, the keystrokes on the local keyboard are intercepted BEFORE they hit the browser. Some SSL VPN clients now feature a “virtual keyboard” that mitigates this exposure.
  • If using a public wireless hot spot like T-Mobile, log in to your corporate VPN before accessing your email. POP mail and SMTP authenticate in clear text, and all of the message bodies are sent in the clear. Absent the VPN, your business becomes everyone’s business.
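The cleartext exposure the last bullet describes, shown on a constructed POP3 and SMTP session as a network recorder would capture it on an open hotspot. This is an added example, not code from the original post or from the products it mentions; the session text, account name and password are constructed. Anyone auditing such a capture can read the credentials straight out of it, which is exactly what tunnelling the session through a VPN (or TLS) prevents.

```python
import base64
import re

# Constructed sample of a cleartext POP3 login followed by SMTP AUTH,
# written as "C:" (client) and "S:" (server) lines. Not real traffic.
CAPTURE = """\
C: USER alice@example.com
S: +OK
C: PASS hunter2
S: +OK Logged in.
C: STAT
C: EHLO laptop
S: 250-AUTH PLAIN LOGIN
C: AUTH PLAIN AGFsaWNlQGV4YW1wbGUuY29tAGh1bnRlcjI=
S: 235 Authentication successful
C: AUTH LOGIN
S: 334 VXNlcm5hbWU6
C: YWxpY2U=
S: 334 UGFzc3dvcmQ6
C: aHVudGVyMg==
"""

def find_cleartext_credentials(capture: str):
    """Return (mechanism, username, password) for every credential
    exchange that is readable without any decryption at all."""
    found = []
    lines = [l.strip() for l in capture.splitlines() if l.strip()]
    for i, line in enumerate(lines):
        # POP3: USER and PASS are sent verbatim, so just pair them up.
        m = re.match(r"C: USER (\S+)", line)
        if m:
            for later in lines[i + 1:]:
                p = re.match(r"C: PASS (\S+)", later)
                if p:
                    found.append(("POP3 USER/PASS", m.group(1), p.group(1)))
                    break
        # SMTP AUTH PLAIN: one base64 blob of "\0user\0password".
        # base64 is an encoding, not encryption; anyone can reverse it.
        m = re.match(r"C: AUTH PLAIN (\S+)", line)
        if m:
            _, user, pw = base64.b64decode(m.group(1)).decode().split("\0")
            found.append(("SMTP AUTH PLAIN", user, pw))
        # SMTP AUTH LOGIN: username and password as separate base64 lines.
        if line == "C: AUTH LOGIN":
            client = [l[3:] for l in lines[i + 1:i + 5] if l.startswith("C: ")]
            if len(client) >= 2:
                user = base64.b64decode(client[0]).decode()
                pw = base64.b64decode(client[1]).decode()
                found.append(("SMTP AUTH LOGIN", user, pw))
    return found

if __name__ == "__main__":
    for mech, user, pw in find_cleartext_credentials(CAPTURE):
        print(f"{mech}: user={user!r} password={pw!r}")
```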

SANS News Browser

October 4, 2007

A friend sent me an e-mail about a free widget called the SANS News Browser offered by the SANS Institute. It’s a single *.exe file that you can plant on your desktop and just run (no setup required). They gather security and virus stories from over 3000 news sources. The Browser pulls from their digest.

The stories are generally posted within thirty minutes after the story appears on the publications’ sites. It is useful for security professionals who need to be certain they don’t miss important stories. It’s also helpful for bloggers like me always in search of new fodder for readers.

You may keep the browser in a window on your Windows PC desktop. Whenever you see a story that sounds important, click on the headline to go immediately to the original story at the news site. The very first story link is advertising, which I’m sure is how they pay for the program.

Helpful Links
Questions
Safety Concerns
Download It
Ideas for Christmas

eDiscovery: What Not to Do

August 1, 2007

Continuing with our eDiscovery series, I’d like to talk today about a real-world scenario illustrating the consequences of failing to produce requested electronic documents.


As I discussed in previous blogs, organizations can now be penalized, financially and otherwise, for failing to produce e-mails and other electronic documents during the legal discovery phase. A prime example comes from a case involving a major corporation based near our own Minnesota headquarters.


Best Buy Co., along with Microsoft, is involved in a class action lawsuit in which they are accused of signing up legions of customers to a trial period of Microsoft’s MSN internet service and then charging their credit cards without authorization. When pressed to deliver relevant e-mail communications, Microsoft delivered and Best Buy stalled.


Network World quotes a lawyer for the plaintiff:

“We had all this e-mail coming from Microsoft discussing basically the issues that are key to our case, and some of them were discussions with Best Buy,” she said. “We were getting virtually no electronic documents or e-mail from Best Buy. It seemed very suspicious to us.”

And looking suspicious in a courtroom isn’t good. In speaking with a lawyer specializing in eDiscovery matters, I learned judges can order juries to consider a party’s failure to produce e-documents when assessing its overall credibility. Best Buy may also face stiff financial penalties if documents are not produced in a timely manner.

Furthering the case for solid data retention and e-mail archiving policies, the article goes on to state that requests for archived e-mails are hardly a rarity.

Brian Babineau, an analyst at Milford, Mass.-based Enterprise Strategy Group, said that his firm’s research has found that three out of four organizations that go through court-ordered electronic discoveries must produce e-mails related to the queries.

At Network Instruments we’ve been holding discussions to determine whether our GigaStor™ line of products, which capture and store all traffic traversing the network – up to 48 TB of data – can be useful in eDiscovery situations; the answer, in short, is yes.


In my next blog I’ll discuss the ways in which products like GigaStor may be used as a legal safeguard and what types of organizations are best suited to this type of solution.