Archive for the 'Rants' Category

20 Jul

Harmful error messages

I use Google Mail. While checking email today, I ran across this error message.

Arrgh! The page has been corrupted. If you are running security or firewall software, you might have to disable it

(see screenshot)

I stared at it for several seconds.

WTF? Who the hell decided the wording of this error message? Is that an actual recommendation from Google? Disable security software and firewalls when you encounter a momentary glitch in a web application?

12 Jul

Antiforensics

There is an interesting article by Scott Berinato at CSOonline about the widespread use of “antiforensics” tools, and how they are changing the information security landscape in general, and the forensics practice in particular.

This is antiforensics. It is more than technology. It is an approach to criminal hacking that can be summed up like this: Make it hard for them to find you and impossible for them to prove they found you.

The concept is neither new nor foolproof, but in the past 12 months, forensic investigators have noticed a significant uptick in the use of antiforensics. This is not because hackers are making more sophisticated antiforensic tools, though some are. Rather, it’s because antiforensic tools have slid down the technical food chain, from Unix to Windows, from something only elite users could master to something nontechnical users can operate. What’s more, this transition is taking place right when (or perhaps because of) a growing number of criminals, technically unsophisticated, want in on all the cash moving around online and they need antiforensics to protect their illicit enterprises. “Five years ago, you could count on one hand the number of people who could do a lot of these things,” says the investigator. “Now it’s hobby level.”

The article describes some tools currently in use, such as Timestomp, Slacker, Sam Juicer, etc., and how the “arms race” has moved from the disk to memory.

It would seem that the forensics practice is currently sitting at the bottom of a “trough of disillusionment”.

Some months ago I prepared a presentation about “Forensics in the Corporation” (sorry, only in Spanish!) which really should have been called “Why everything you learned at forensics training won’t be very useful in the real world”. I didn’t include anything about antiforensics; it focused only on the technical, political and organizational challenges that big corporations pose to the forensics investigator.

The forensics practice is much too focused around the PC world. That is, you normally have physical access to the “suspect” machine, you can power it off or unplug it from the network, hard drive sizes are reasonable, and some expectations are always met. That is fine. This kind of forensics work… works! But mostly in the workstation/laptop world.

What about servers? Virtualization, huge storage capacities (SAN, NAS, RAID arrays, etc.), distributed systems (as in “distributed all over the world”), business-critical systems that cannot be unplugged or turned off (come on, on how many LOB servers could you do such things?).

I’m sure the forensics practice will evolve in the following years. I’m sure it’ll be damn interesting to see.

08 May

The dangers of forensics

RSnake comments (at Dark Reading) about the perils of home-grown forensics, and how, if you’re not careful, you can end up making a mess of it.

“It’s best to treat a hack event like a fire. Stop, drop, and roll. Once you’ve done that, hopefully you’ll have come to your senses enough to know you need to hire a professional.”

Read it here. It’s good advice.

03 Apr

Malware outbreak in the real world

(Dilbert strip: Disaster Recovery)

Let’s assume you have the usual “defense-in-depth” security architecture in place. Anti-virus software, perimeter firewalls, machines properly hardened, non-admin users, etc.

Let’s also say you have a serious malware outbreak today. Wait, make that tonight. Your sysadmins call you at night and tell you several thousand clients and servers are infected with something that sneaked past the AV software. What do you do? Do you have a procedure?

These things happen. You might have the best security architecture, follow best practices, have top consultants evaluate your risk periodically, the whole thing. But when push comes to shove, does everyone know what to do? Do they have the tools to do it?

This is a simple checklist. It probably isn’t very complete. But it’s wise to at least think about these questions before lightning strikes. In no particular order:

    - Do you have alternative malware cleaning tools?
    - Do you have malware-cleaning tools that can run from a bootable CD?
    - Do you have admin-level access to all involved machines?
    - Can you reach machines in remote locations?
    - Do you know the current admin passwords?
    - Are there people available with physical access to the machines in remote locations?
    - If you have to re-install / re-image some boxes, do you have the relevant installation media?
    - Do you have the phone numbers of the important vendors’ support services? Are they 24x7x365?
    - Do your operators know how to react? (yes, I know you have an Incident Response document somewhere, but have people actually read it?)
    - Do you have access to someone that can take drastic decisions if needed?

Or would all this make life too easy for us? ;)

12 Mar

QuickTime movies as malware infection vector

Software vendors often indulge in adding “features” to their software products which are not really necessary. “To insecurity through bloatware”, we could say. And no, this time this is not a rant against the usual suspects.

Did you know that you can embed JS scripts in Apple Quicktime movies? (the feature is called “HREF tracks”)

An HREF track is a special type of text track that adds interactivity to a QuickTime movie. HREF tracks contain URLs that can specify movies that replace the current movie, load another frame, or that load QuickTime Player. They can also specify JavaScript functions or Web pages that load a specific browser frame or window.

Well, this might not be very new or bleeding-edge, but apparently there is malware using invisible QuickTime movies embedded in webpages. Didier Stevens writes about it:

The EMBED tag instructs your browser to play a movie when it renders the HTML page. But in this case, the movie is hidden (attribute hidden is true). It’s a QuickTime movie, downloaded from the profileawareness.com server.

This tys4.mov QuickTime movie is sneaky: it contains JavaScript code to download and execute another JavaScript program. QuickTime has a feature that allows you to embed URLs or JavaScript in a movie.

I don’t have Apple QuickTime installed on the laptop I’m using to write this, but I would be very surprised to see an option to disable this kind of behaviour or a “trust zones” control like the one in IE or Outlook.
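To spot pages carrying the pattern Didier describes (a QuickTime movie embedded so the visitor never sees it), here is an added example that is not from the original post or from Didier’s write-up: it scans HTML for `embed`/`object` tags that load QuickTime content with the `hidden` attribute or a zero-size frame. The sample page and the host name in it are constructed.

```python
from html.parser import HTMLParser

# Constructed sample page modelled on the pattern in the post: one movie is
# hidden outright, one is a normal visible player, one is shrunk to 0x0 pixels.
SAMPLE_HTML = """
<html><body>
<p>Welcome to the site</p>
<embed src="http://example.invalid/tys4.mov" type="video/quicktime"
       hidden="true" autoplay="true" width="1" height="1">
<embed src="http://example.invalid/intro.mov" type="video/quicktime" controller="true">
<object data="http://example.invalid/clip.mov" type="video/quicktime"
        width="0" height="0"></object>
</body></html>
"""

QUICKTIME_TYPES = {"video/quicktime"}
QUICKTIME_EXTS = (".mov", ".qt")


class HiddenQuickTimeFinder(HTMLParser):
    """Collects embed/object tags that load QuickTime content without showing it."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def _tiny(self, attrs, dim):
        # A missing dimension means the player takes its natural size, so treat it as visible.
        try:
            return int(attrs.get(dim, "100").rstrip("px")) <= 1
        except ValueError:
            return False

    def handle_starttag(self, tag, attrs):
        if tag not in ("embed", "object"):
            return
        a = {k.lower(): (v or "").strip() for k, v in attrs}
        src = a.get("src") or a.get("data") or ""
        is_qt = (a.get("type", "").lower() in QUICKTIME_TYPES
                 or src.lower().split("?")[0].endswith(QUICKTIME_EXTS))
        if not is_qt:
            return
        reasons = []
        # hidden="true" (or a bare hidden attribute) is exactly what the post describes.
        if "hidden" in a and a["hidden"].lower() not in ("false", "0"):
            reasons.append("hidden attribute")
        if self._tiny(a, "width") and self._tiny(a, "height"):
            reasons.append("zero-size frame")
        # autoplay only matters once the movie is already concealed from the user.
        if reasons and a.get("autoplay", "").lower() == "true":
            reasons.append("autoplay")
        if reasons:
            self.findings.append({"tag": tag, "src": src, "reasons": reasons})


def find_hidden_quicktime(html):
    """Return a list of suspicious QuickTime embeds found in the given HTML."""
    parser = HiddenQuickTimeFinder()
    parser.feed(html)
    parser.close()
    return parser.findings


if __name__ == "__main__":
    for f in find_hidden_quicktime(SAMPLE_HTML):
        print(f"{f['tag']}: {f['src']} -> {', '.join(f['reasons'])}")
```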

19 Feb

Attacks

The ATLAS Dashboard has become my first page load of the day lately. Together with the ISC from SANS, of course. It is interesting not only for the information about the attacks going on, but also because it puts the relative rates of occurrence of different threats in perspective.

Top attacks

You see, of the top 5 attacks on the Internet right now, 4 of them are related to Windows. Nothing new here. However, we find that they are exploiting vulnerabilities which are between 3 and 6 years old!

Come on, the top attack is related to a SQL Server buffer overflow from 2002!! And the fourth attack is related to an IIS vulnerability from 2000!!

The Security community is well aware of the need to:

  • Patch!
  • Block unwanted traffic from the Internet (that includes SQL, NetBIOS, SMB, etc)
  • Patch again!

Just by following these simple rules (which even a trained chimpanzee would be able to follow), nearly 100% of the attacks would be prevented, and the security guys would be able to focus on the really tough ones.

It’s not superhackers we are up against 99% of the time. As they say, there is no patch for human stupidity.