Archive for June, 2008

Malware: Getting out of Control

Early this year I predicted that a proliferation of rootkits would occur. I was short-sighted in my prediction in that I missed the bigger issue: the spread of malware itself. Although rootkits are the most serious threat in the malware arena, they are only one of many types of malware. Furthermore, rootkits typically set up back-door access and often incorporate keystroke or tty sniffing, functions that are also frequently built into other types of malware.

Several weeks ago I noticed a news item stating that the number of sites infected with malware (and thus capable of spreading it to computers that connect to them) had increased by 300 percent compared to last year. These statistics are striking evidence of the accelerating growth of malware. Interestingly, of the 213,000 sites found to be compromised, over half were in the People's Republic of China. Incredibly, just ten networks around the world host almost half of all sites that inject malware into computing systems. Read more…

Categories: Network Security

Security Gone Awry

A very good friend of mine over the years just lost his job. He was a deputy program manager with a very large corporation that has a well-publicized computer usage policy forbidding any file that is not business-related on any of the corporation's computers. My friend was on vacation for a while, and during this period he copied several attachments sent to him by a family member onto his USB storage device. When he went back to work several weeks later, having forgotten what was on the device, he used it to make a "sneakernet" file transfer from his computer to another. This corporation has implemented a mechanism such that, the instant a computer connects to its network, every file in that computer's file system (attached removable media included) is backed up. Unfortunately for my friend, the USB storage device still held the files his family member had sent him, so these files were backed up as well. Soon thereafter someone identified them as non-business-related, triggering a swift termination procedure for my friend. Read more…

Categories: Network Security

Virtualization and Security – Part 2

In my last blog posting, I asserted that virtualization is, from a security point of view, very much a two-edged sword. Nothing supports this assertion more than Blue Pill, the rootkit developed by security researcher Joanna Rutkowska, who describes it as 100 percent undetectable. Blue Pill circumvents the Vista integrity checking that is supposed to prevent unsigned code from being loaded into the Vista kernel, and then uses AMD's Secure Virtual Machine (SVM) hardware virtualization extensions, a technology designed to boost security, to install a thin hypervisor beneath the running operating system and hide itself there. In short, something that was intended to elevate security can be subverted to cause security nightmares. Read more…
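As an added illustration (this is not Rutkowska's code and is not from the original post), the following C program asks the processor whether a hypervisor is present using the only cooperative signal the x86 architecture provides: CPUID leaf 1, ECX bit 31, which a hypervisor may set to advertise itself, and leaf 0x40000000, which then returns a 12-byte vendor string. The point of running it is the caveat, not the answer: a hypervisor that wants to stay hidden, as a Blue Pill-style rootkit does, simply leaves the bit clear, so a "no hypervisor" result from inside the guest proves nothing. The program assumes a GCC- or clang-compatible compiler with the standard `cpuid.h` header and reports -1 on non-x86 builds.

```c
#include <stdio.h>
#include <string.h>

#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>            /* GCC/clang: __get_cpuid(), __cpuid() */
#define X86_CPUID_AVAILABLE 1
#else
#define X86_CPUID_AVAILABLE 0
#endif

/*
 * Cooperative hypervisor check: CPUID leaf 1, ECX bit 31 is reserved for
 * hypervisors to advertise their presence to guests; bare metal reports 0.
 * Returns 1 if the bit is set, 0 if clear, -1 if CPUID is unavailable
 * (non-x86 build). A stealthy hypervisor can always return 0 here.
 */
int hypervisor_present(void)
{
#if X86_CPUID_AVAILABLE
    unsigned int eax, ebx, ecx, edx;
    if (!__get_cpuid(1, &eax, &ebx, &ecx, &edx))
        return -1;
    return (int)((ecx >> 31) & 1u);
#else
    return -1;
#endif
}

/*
 * When a hypervisor advertises itself, leaf 0x40000000 returns a 12-byte
 * vendor string in EBX:ECX:EDX (e.g. "KVMKVMKVM", "VMwareVMware",
 * "XenVMMXenVMM"). Writes a NUL-terminated string into buf (>= 13 bytes)
 * and returns 0; otherwise sets buf to "" and returns -1.
 */
int hypervisor_vendor(char *buf)
{
#if X86_CPUID_AVAILABLE
    unsigned int eax, ebx, ecx, edx;
#endif
    buf[0] = '\0';
#if X86_CPUID_AVAILABLE
    if (hypervisor_present() != 1)
        return -1;
    /* __cpuid (not __get_cpuid) because 0x40000000 lies above the basic leaf range. */
    __cpuid(0x40000000, eax, ebx, ecx, edx);
    memcpy(buf, &ebx, 4);
    memcpy(buf + 4, &ecx, 4);
    memcpy(buf + 8, &edx, 4);
    buf[12] = '\0';
    return 0;
#else
    return -1;
#endif
}

int main(void)
{
    char vendor[13];
    int present = hypervisor_present();

    if (present < 0)
        puts("CPUID not available on this architecture");
    else if (present == 0)
        puts("no hypervisor advertised (bare metal, or one that chooses to hide)");
    else {
        hypervisor_vendor(vendor);
        printf("hypervisor advertised: %s\n", vendor);
    }
    return 0;
}
```

Run it on a laptop and inside a KVM or VMware guest to see the difference; then remember that the difference exists only because those hypervisors choose to cooperate. Detecting one that does not requires out-of-band evidence (timing anomalies, hardware attestation of what booted), which is exactly the ground Blue Pill was designed to contest.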

Categories: Network Security

Virtualization and Security – Part 1*

Virtualization is a major trend in the IT arena. There are many reasons to use virtualization, including consolidation of computing resources, dynamic load balancing, failover capabilities, ability to perform maintenance without downtime, ability to pool computing resources, ability to use custom virtual machines (VMs) as a container for application delivery, and much more. Virtualization will be a major part of computing for a very long time.

Virtualization's benefits are not limited to efficiency, functionality and continuity, however; it also offers much to information security. VMs can be used to isolate processes from attackers and malware, making systems and applications more difficult to attack or infect successfully. User access to applications can be tightly controlled, because virtualization allows sensitive applications to be separated from end-user applications, making unauthorized access to the former very difficult. Even if a system or application running in a virtualized environment is successfully attacked, the impact is usually confined to the affected VM, which reduces the ability of an attack (particularly a malware infection) to spread. Read more…

Categories: Network Security

More on the Latest Cyberattacks

Just when it seemed as if all were quiet on the Western front, Jeanie Larson, the Department of Energy's (DOE's) program manager for incident response, shattered the silence during her presentation at the recent Government Forum of Incident Response and Security Teams (GFIRST) conference. In a nutshell, Jeanie said that although fewer attacks against US government networks are occurring, the state of security is by no means better. Instead, attackers are choosing their targets more carefully, usually by focusing on a few government employees and contractors whom the perpetrators believe hold information of high value to them, then using various methods (email, malicious Web sites, and more) to infect their computers with malware that captures all input and output. The targets are chosen through extensive reconnaissance and intelligence collection that often lasts for months before an attack is ever carried out. Much of the malware hides itself very carefully once loaded into a victim system, and then deletes itself when the attack is finished. Perimeter security is ineffective against these threats. Cooperation and information sharing among government agencies are vital in dealing with them, but neither is happening. The full story is at http://www.federalnewsradio.com/?nid=169&sid=1415201. Read more…

Categories: Network Security

Strategies for Dealing with Latest Cyberattacks: The Need to Reinvent the Wheel

If you regularly read security-related news, you have undoubtedly seen items about the growing number of targeted attacks against sensitive US government and commercial sector computing systems. Although the attack methods have varied widely, many involve sending malicious attachments to selected US government or private sector employees which, if opened, implant malicious code on the unsuspecting target's system. Once in control of the infected system, the malicious code covertly notifies the attacker, who follows up by gaining backdoor access with full privileges, without leaving any indication of the activity whatsoever. The only real common denominator is that systems keep getting broken into, time after time. Read more…

Categories: Network Security

A Tribute to Don Evans

Many information security professionals have done much good for the information security profession, so many that to single them out would take forever. Some have done so much, however, that they deserve special recognition. Don Evans of the United Space Alliance is one such individual. Don retired on June 5, 2008, and although, unfortunately, I was not able to attend his retirement ceremony, I imagine there were not many dry eyes among the attendees when all the nice things about him were being said. Don is above all else one of the finest human beings I have ever known. He is a living embodiment of kindness, graciousness, honesty, fairness, unselfishness, and personal maturity, a true model for others to follow. Read more…

Categories: Network Security

Issues Concerning System Auditing

About 25 years ago, when I started working in the information security arena, one of the first issues that caught my attention was a debate over whether system auditing was necessary. Advocates argued that enabling system auditing was essential for security, because without it unauthorized activity was almost impossible to detect. Detractors argued that nobody looked at the audit log data anyway and, worse yet, that enabling system auditing consumed a large amount of system resources as well as disk space.

Twenty-five years later, many things have changed considerably. Whereas 25 years ago intrusion detection systems (IDSs) were in their infancy and intrusion prevention systems (IPSs) were unheard of, today both are deployed in a significant percentage of information security practices in medium and large businesses and organizations. Additionally, an abundance of network security monitoring tools and utilities now exists. Furthermore, one of the first things intruders typically do to disguise their activities is to disable system auditing and/or erase the existing audit logs. Frankly speaking, one of the least trustworthy pieces of evidence from a potentially compromised system is its audit log data. So the issue very much persists: should system auditing be enabled? Read more…
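The reason audit data from a compromised host is so hard to trust is that an intruder with root can edit or delete entries, or stop auditing, at will. The usual answer, which the post does not go into, is to make tampering detectable rather than impossible: ship entries off-host as they are produced and link each entry to its predecessor with a keyed MAC held only by the collector. The Python below is an added example of that approach (not code from the original post); the key, the event records and the field names are constructed for illustration, and the collector's copy of the last accepted tag is what turns silent truncation from invisible into detectable.

```python
import hashlib
import hmac
import json

# Constructed key for the example. In a real deployment the key belongs to the
# remote log collector, never to the audited host, so an intruder with root on
# that host cannot recompute the chain after editing it.
KEY = b"example-collector-key"
GENESIS = b"\x00" * 32

# Constructed sample events in the spirit of a host audit trail (not real data).
SAMPLE_EVENTS = [
    {"ts": "2008-06-10T08:01:12Z", "host": "web1", "event": "login", "user": "alice"},
    {"ts": "2008-06-10T08:05:40Z", "host": "web1", "event": "sudo", "user": "alice", "cmd": "/bin/sh"},
    {"ts": "2008-06-10T08:05:58Z", "host": "web1", "event": "auditd", "state": "stopped"},
    {"ts": "2008-06-10T08:30:03Z", "host": "web1", "event": "logout", "user": "alice"},
]


def link(prev_tag, record):
    """Tag for one entry: HMAC(key, previous tag || canonical JSON of the record)."""
    payload = prev_tag + json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(KEY, payload, hashlib.sha256).digest()


def append(chain, record):
    """Append a record, linking it to the tag of the entry before it."""
    prev_tag = chain[-1]["tag"] if chain else GENESIS
    chain.append({"record": record, "tag": link(prev_tag, record)})
    return chain


def verify(chain, expected_last_tag=None):
    """Walk the chain and recompute every tag.

    Returns (True, None) if intact, or (False, i) where i is the index of the
    first entry whose tag does not match. If the verifier also knows the tag of
    the last entry it accepted (expected_last_tag), a chain that has been
    silently truncated is reported as (False, len(chain)).
    """
    prev_tag = GENESIS
    for i, entry in enumerate(chain):
        if not hmac.compare_digest(link(prev_tag, entry["record"]), entry["tag"]):
            return False, i
        prev_tag = entry["tag"]
    if expected_last_tag is not None and not hmac.compare_digest(prev_tag, expected_last_tag):
        return False, len(chain)
    return True, None


def build_chain(events=SAMPLE_EVENTS):
    """Build a fresh chain from a list of records."""
    chain = []
    for record in events:
        append(chain, record)
    return chain


if __name__ == "__main__":
    chain = build_chain()
    print("intact:", verify(chain))

    # An intruder rewrites the sudo entry to hide the shell.
    edited = [dict(e) for e in chain]
    edited[1] = {"record": dict(chain[1]["record"], cmd="/usr/bin/id"), "tag": chain[1]["tag"]}
    print("edited entry 1:", verify(edited))

    # An intruder deletes the 'auditd stopped' entry.
    print("deleted entry 2:", verify(chain[:2] + chain[3:]))

    # An intruder truncates the log right after the login. Without the
    # collector's record of the last tag this looks perfectly valid.
    print("truncated, no anchor:", verify(chain[:1]))
    print("truncated, with anchor:", verify(chain[:1], chain[-1]["tag"]))
```

Two points the demonstration makes. First, editing or deleting anything in the middle of the chain is caught at the first entry after the tampering, without the verifier needing a second copy of the log. Second, cutting the tail off is not caught by the chain alone; the verifier must also remember the last tag it saw (or a count, or a periodic heartbeat entry), which is the same reason that an audit daemon being stopped should itself be a remotely visible event.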

Categories: Network Security