Showing posts with label virus. Show all posts

Tuesday, October 29, 2019

90 Seconds of Security: Malware Primer

My latest 90 Seconds covers the different types of malware, how infections happen and what to do if you get infected. Slightly extended edition courtesy of F5's Security Incident Response Team. https://f5.com/sirt




ps

Friday, April 8, 2011

3 Billion Malware Attacks and Counting

Almost half the total population of this planet.  At this rate, we’ll all have our own personalized malware in the coming years, specifically tailored for our various behaviors.  I built this infection especially for you.  Symantec recently released their annual Internet Security Threat Report for 2010 and noted that cyber threats are increasing in both sophistication and frequency.  They found more than 286 million new threats last year, with social networks and mobile devices being favorite targets.  Mobile vulnerabilities were up 42% with 163 discovered last year.  The U.S. actually topped the list in many nasty categories: most targeted country by DoS attacks (65% of total), most bot command and control servers (37% of total), most infected computers (14% of total) and most overall malicious activity (19% of total).

As you may know, I like numbers and statistics, and there were a couple of supplemental reports that I found interesting: The Year in Numbers and The 2010 Timeline.  Each is a single-page report with highlights from the year.  The highlights, or lowlights depending on your view, are:

  • 93% Increase in Web Based Attacks - Shortened URLs were the main culprit, accounting for 65% of the malicious URLs over a 3 month period.
  • 260,000 Identities Exposed per Breach - The average number for each of the data breaches during the year.
  • 42% More Mobile Vulnerabilities – Remember, we’re now keeping our lives on these devices.
  • 6,253 New Vulnerabilities  - More than any previous year and new vendors affected by a vulnerability grew 161%.
  • 14 New Zero-Day Vulnerabilities – From IE to Flash to Reader.  Stuxnet used 4 unique zero-days. 
  • 74% Pharmaceutical Spam – 3/4 of all spam were for Rx pills.  Will you take the red one or the blue one?
  • 1 Million Plus Bots – Rustock had over a million bots under control.  No draft dodgers here.
  • $15 per 10,000 bots – Utility spam services…Get your bot herrrrrrrrrrah.
  • $.07 to $100 per Credit Card – Cost of a stolen credit card but if you buy in bulk, get a discount.

Lastly, if you are looking for porn, then more than likely you’ll find malware, and the leading cause of a breach that could lead to identity theft was a lost/stolen computer or data storage device.  One of the cool things about the data offered is the ability to build your own custom report.  You can select various topics or trends to customize the report specifically to your area of interest.

ps

Resources

Technorati Tags: F5, mobile, threats, Pete Silva, security, malware, technology, Symantec, cyber-threat, cloud, attacks, virus, vulnerability, web, internet, cybercrime, identity theft, scam, data breach


Wednesday, March 2, 2011

Where Do You Wear Your Malware?

The London Stock Exchange, Android phones and even the impenetrable Mac have all been malware targets recently.  If you’re connected to the internet, you are at risk.  It is no surprise that the crooks will go after whatever device people are using to conduct their life – mobile for example – along with trying to achieve that great financial heist….‘if we can just get this one big score, then we can hang up our botnets and retire!’  Perhaps Homer Simpson said it best, ‘Ooh, Mama!  This is finally really happening.  After years of disappointment with get-rich-quick schemes, I know I'm gonna get rich with this scheme...and quick!’  Maybe we call this the Malware Mantra!

Malware has been around for a while, has changed and evolved over the years, and we seem to have accepted it as one of the landmines we face when navigating the internet.  I would guess that we might not even think about malware until it has hit us….which is typical when it comes to things like this.  Out of sight, out of mind.  I don’t think ‘absence makes the heart grow fonder’ works with malware.  We certainly take measures to guard ourselves – anti-virus, firewalls, anti-spoofing toolbars, etc. – which gives us the feeling of protection, and we click away thinking that our sentinels will destroy anything that comes our way.  Not always so.

It was reported that the London Stock Exchange was delivering malvertising to its visitors.  The LSE site itself was not infected, but the pop-up ads from the site delivered some nice fake warnings saying the computer was infected and in danger.  This is huge business for cybercriminals since they insert their code with the third-party advertiser and never need to directly attack the main site.  Many sites rely on third-party ads, so this is yet another area to be cautious of.  One of the things that Web 2.0 brought was the ability to deliver or feed other sites with content.  If you use NoScript with Firefox on your favorite news site (or any major site for that matter), you can see the amazing amount of content coming from other sources.  Sometimes 8-10 or more domains are listed as content generators, so be very careful as to which ones you allow.

With the success of the Android platform, it also becomes a target.  This particular mobile malware looks and acts like the actual app.  The problem is that it also installs a backdoor on the phone and asks for additional permissions.  Once installed, it can connect to a command server and receive instructions, including sending text messages, adding URLs/directing a browser to a site, and installing additional software.  The phone becomes part of a botnet.  Depending on your contract, all these texts can add up, leading to a bill that looks like you just bought a car.  In fact, Google has just removed 21 free apps from the Android Market, saying it’s malware designed to get root access to the user’s device.  They were all masquerading as legitimate games and utilities.  If you got one of these, it’s highly recommended that you simply take your phone back to the carrier and swap it for a new one, since there’s no way of telling what has been compromised.  As malware continues to evolve, the mobile threat is not going away.  This RSA2011 recap predicts mobile device management as the theme for RSA2012.  And in related news, F5 recently released our Edge Portal application for the Android Market – malware free.

Up front, I’m not a Mac user.  I like them, have used them plenty over the years and am not opposed to getting one in the future; I’ve just owned Windows devices most of my life.  Probably due to the fact that my dad was an IBMer for 30 years.  Late last week, stories started to appear about some beta malware targeting Macs.  It is called BlackHole RAT.  It is derived from a Windows family of trojans and re-written to target the Mac.  It is spreading through torrent sites and seems to be a proof-of-concept of what potentially can be accomplished.  Reports say that it can remotely control an infected machine, open web pages, display messages and force reboots.  There is also some disagreement around the web as to the seriousness of the threat, but despite that, criminals are trying.

Once we all get our IPv6 chips installed in our earlobes and are able to take calls by pulling on our ear, Carol Burnett style, I wonder when the first computer-to-human virus will be reported.  The wondering is over; it has already happened.

ps

Resources:

Technorati Tags: F5, mobile, android, Pete Silva, security, malware, education, technology, apple, mac, cloud, trojan, virus, blackhole, web, internet, cybercrime, identity theft, scam, google, data breach


Wednesday, December 15, 2010

2010 Year End Security Wrap

Figured I’d write this now since many of you will be celebrating the holidays over the next couple of weeks, and who really wants to read a blog when you’re reveling with family and friends.  It’s been an interesting year for information security, and for me too.  I started the year with New Decade, Same Threats? and wondered if the 2010 predictions of social media threats, smarter malware/botnets, using the cloud for crime, financial DDoS, rogue software, Mac and mobile malware, more breaches and a whole host of others would come true.  And boy did they.

Social media was a prime target for crooks, with the top sites as top targets.  Users were tricked into accepting and sharing friends that really weren’t friendly, and social networks became a new hotbed for malware distribution.  As for malware, while many botnets and spam outfits got taken down this year, Stuxnet was certainly the most sophisticated piece of malware researchers have seen in a while.  Targeting industrial and utility systems and able to reprogram itself, it no longer put the bull's-eye on my single laptop or a company’s system; although the initial infection starts with those systems, it was nuclear facilities, oil refineries and chemical plants that were the ultimate objective.  For cloud computing, was it Cloud 9 or Cloud Crime when it came to using the cloud for nefarious activities?  Many people thought that with the cloud offering a slew of computing power, it would be a prime way to initiate an attack.  We really didn’t see much pertaining to ‘cloud breaches’, even though almost every survey throughout the year indicated that security in the cloud was everyone’s ichiban concern.  I covered many of these surveys in my CloudFucius Series, now playing in a browser near you.  This article talks about that: the reason we might not have seen much in the way of cloud-specific breaches is that many of the data loss repositories do not differentiate between a cloud-based and a non-cloud attack.  In addition, cloud providers are not that willing to spill vulnerabilities that have led to crimes.  Share please.

Banks and financial institutions were certainly targets this year; why wouldn’t they be, that’s where all the money is.  In one incident, about $3 million was stolen from various banks around the world using viruses, and more than 100 crooks suspected of running the global cybercrime ring were arrested in the US and UK this September.  A 16 year old Dutch kid was arrested last week for a Distributed Denial of Service attack on the MasterCard and Visa websites.  And, merging malware, mobile and money stores, the ZeuS Trojan could infect a desktop, capture the user’s bank credentials the next time they logged in to their financial institution, pop a dialogue box asking the user to ‘include’ their mobile phone for SMS payments, send the phone a fake message & certificate for acceptance and then install another Trojan on the phone to monitor SMS messages.  Lots of trickery and luck needed to be successful, but still a very scary exploit.  And if you think those mobile banking apps are secure, think again.  Just last month, a number of those apps were found to have serious vulnerabilities, flaws and holes.  Many of those apps have been patched in light of the research, but as with any ‘new-ish’ type of technology, mobile banking must be locked down before the masses adopt.  Too late now.

I wrote about corporate espionage in both Today’s Target: Corporate Secrets (2010) and The Threat Behind the Firewall (2009), and this year did not disappoint.  Social engineering, or convincing someone to give up their info, is alive and well, but throughout 2010 employees also stole secrets from the companies they worked for: Former Goldman Programmer Found Guilty of Code Theft, Greenback engineers guilty of corporate espionage, Ford secrets thief caught red handed with stolen blueprints, and SEC Bares Text of Inept Suspects As They Sold Disney Earnings Info To FBI Agents.  These insider events can often be more costly than an external breach.

This is by no means an exhaustive list of the breaches, attacks, vulnerabilities, hijacks, frauds, or other cybercriminal activities from 2010.  I’d probably be writing through the holidays to get them all.  These were just some of the things I found interesting when looking back at my initial blog entry for the year.  With 2011 being the Year of the Rabbit, just how much will cybercrimes multiply?

ps

Resources:


Technorati Tags: F5, infrastructure 2.0, integration, cloud connect, Pete Silva, security, business, education, technology, application delivery, intercloud, cloud, context-aware, infrastructure 2.0, automation, web, internet, cybercrime, security, holiday shopping, identity theft, scam, email, data breach

Monday, January 18, 2010

Cybercrime, the Easy Way

The Dummies series is a great collection of ‘How to’ instructions on a wide array of topics, and while they have not published a ‘Cybercrime for Dummies®’ booklet (and I don’t think they will), DIY cybercrime kits are helping drive Internet attacks.  Gone are the days when you had to visit a dark alley to get a crook’s cookbook.  You don’t need to be an expert or tied to some sophisticated crime ring; now you can infect, spam, phish and commit other dastardly deeds with the best of them.  Similar to downloading and using iTunes, P2P applications, IM services, Skype and others to accomplish those specific tasks, you can get a cybercrime toolkit to go with your black ski mask, getaway car and evil lair hideout.  You don’t really need any technical knowledge since all you do is install the program, tell it what you want, customize the message, send the infection and wait for the program to tell you when you’ve hit gold.  The early ‘hacking’ sites like www.2600.com or www.L0pht.com used to allow you to download your favorite virus to send to friends.  Granted, many organizations used their malicious code to test their own systems, and they’ve since become more industry friendly and still provide great insight into the ‘black-hat’ community.  I’ve even used L0phtcrack several times over the years.  Remember, downloading a rootkit isn’t necessarily a crime; it’s what you do with it that might be.
The initial data breach numbers for 2010 are already staggering.  In just a couple of weeks, around 1,233,432 records have already been breached according to Privacy Rights Clearinghouse – that’s an average of over 68,000 a day.  During 2009, Panda Labs saw a 77% increase in banking theft Trojans compared to 2008, which directly corresponded with the increase in available kits.  As this trend continues, the ‘Kids with Kits’ will be competing with the ‘Established Mobs’ for your passwords, money, identity and any other valuable items/info to sell or use themselves.
Certainly, users need to be extra vigilant when receiving suspicious emails with ‘Click Here:’ boldly pronounced, and organizations need to realize that their systems will be poked, prodded and tapped even more this year.  On the web-facing front, deploying a Web Application Firewall like BIG-IP ASM not only protects against the typical, well-known attacks like SQL Injection, DoS, Brute Force and Web Scraping, but can also help with identifying that bad boy with IP Geolocation, and ASM has always helped to keep you compliant.  BIG-IP GTM v10.1, with the new DNSSEC feature, secures your web property against DNS cache poisoning and other malicious redirects.  The FirePass SSL VPN and other BIG-IP products offer end point inspection to ensure that the requesting host abides by your security policy prior to gaining access, and encryption to keep the traffic secure.  The BIG-IP MSM takes a bite out of unwanted spam.  Even BIG-IP LTM, with its virtualization capabilities among other security features, provides some network firewall functionality, and with BIG-IP PSM you get powerful security services for HTTP(S), SMTP and FTP at BIG-IP speeds.
Now that it’s gotten easier for anyone to become a cybercriminal, your defenses must also be easy and quick to deploy.  F5’s BIG-IP systems give you the control, power and ease of use to thwart both the organized crime syndicates and those rookies just getting into the game.

ps
Technorati Tags: Pete Silva,F5,security,application security,network security,virus

Wednesday, January 6, 2010

New Decade, Same Threats?

Do I call it Twenty-Ten or Two Thousand Ten?  Just not Two Thousand and Ten, since that pesky decimal takes us back 10 years.  Eh, either way, the new year and decade brings out all the predictions for the coming year, with this one taking the cybercriminal approach.  The various 'Year in Review' pieces also make appearances, since we need to understand where we came from to know where we’re going.  These are always interesting due to the various points of view, even if many of the predictions are the same: social media threats, not necessarily more but smarter malware/botnets, using the cloud for crime, financial DDoS, rogue software, Mac and mobile malware, more breaches and a whole host of others.  Compliance and health care, while not threats, seem to be the areas of security focus in the coming year, along with online banking.

From a government perspective, while much has been written about compromised drones and warplanes, the real concern at the Pentagon is electronic espionage – breaching the network.  Being able to not only see data, such as intelligence reports, but manipulate the data.  Imagine if an ammo request was intercepted and changed to reflect a new delivery location.  That would be bad.  I’ve written about Corporate Espionage as part of the 26 Short Series and do think it’ll continue.  Trade secrets, product plans and customer data are all tasty treats to the cybercriminal.  One of the reasons I think that this type of data is a target is due to regulatory compliance, but maybe not in the way you think.  I look at it from a more ‘human nature’ position.  The more locked up, secret, hidden or protected something is, the greater the perception of its value or worth.  If you see a door with 5 locks on it versus one with just a single lock, you’d probably think that Door Number 1 has the good stuff since more protection was deployed.  If you’ve ever walked through the Tower of London to see the Crown Jewels, you’ve also seen the huge, thick vault doors that keep them safe at night.  With all that security, it must be extremely valuable.

In some ways I think compliance creates the same ‘perception’ and increases the attack potential.  Companies are required by law to protect, store, encrypt and generally safeguard certain private/sensitive data – the crown jewels, so to speak.  Don’t get me wrong, I’m not advocating ignoring compliance, and current regulations – such as PCI – are needed.  I even think some could go a little further in prescribing security protections, but it also tells cybercriminals: this is the good stuff.  If you want a huge score, hit here.  We might see an increase in gas station terminal thefts as we get closer to the July 2010 PCI deadline for unattended Point-of-Sale PIN entry devices, as thieves probably want to beat the deadline too.  2009 proved that while little scams and thefts will continue, it’s the big breach of regulated data that gets the biggest payout and the most news coverage.  That’s what I see coming in 2010.

ps

Related Resources


Wednesday, December 16, 2009

Catch some Zzzzzzzzzzzzz

It used to be the ‘stuck to our side’ pagers that went off at 3am telling you that a server crashed that would keep you up at night.  You’d drag yourself out of bed (or the chair at the data center that you fell asleep in), tippy-toe to the computer in hopes of gaining remote access, or wander to the car, still in your PJs, to drive to the facility.  In February 2009, InformationWeek & Dark Reading conducted a survey entitled ‘What Keeps Infosec Pros Awake at Night.’  They asked more than 400 IT pros, among other things, what their most serious threats are, how they are prioritizing their defense of these, and what they are going to do to keep their data safe in 2009 and beyond.  At the time, 52% said they were concerned about internal threats – either employees or partners, accidental or malicious.  This makes sense since there were several articles in early 2009 which looked at laid-off workers turning to cybercrime.  They also feared the loss/theft of a laptop/portable storage device which might contain sensitive information that can lead to a corporate security breach.  Their biggest wish was for end users to be smarter about security and understand the risks.  Automated technology allowing IT pros to focus on emerging threats rather than day-to-day firefighting came in 2nd.  They just wanted to have the time to find ways to make their systems more secure, and compliance was driving it.

Recent data from Verizon’s addendum to its Data Breach Investigations Report actually shows that most (73%) data breaches come from external sources, not insiders.  Granted, the InformationWeek data was garnered from a survey (a point-in-time opinion) and the Verizon info was generated by analyzing disclosed/investigated public data breaches (over time), and it doesn’t include undisclosed incidents with internal investigations.  Verizon concluded that breaches which warranted public disclosure were primarily done by external sources.  I’m sure that many internal incidents that didn't affect a large swath of the public were never disclosed, which could slightly sway the results, but interesting nonetheless.  So the fear was insider threats, yet the actual data implicates outsiders.  I started wondering if this is one of those Perception vs. Reality things or, as Stephen Covey puts it, “We see the world, not as it is, but as we are.”

In February 2009, when the economic crisis was in full swing, layoffs were a daily occurrence.  There were many documented cases in the early 1990’s of crime/fraud that occurred during that recession, and many believed it would happen again – but this time with technology's help.  Stories started to appear indicating that this scenario might happen again, and when the few that did happen were spotlighted (like the current trial of Terry Childs), folks believed, or feared, that a new wave was coming.  The data that came out the other end seems to show that those internal threats were less than expected, except maybe in the financial industry.  The other side is that sometimes perception is more important than reality.  With the perceived imminent danger of rogue ex-employees, IT departments had a wake-up call to reexamine how they handle access termination, a critical piece of data preservation.  In life and security, our view of the perceived risk is based on our past experiences/beliefs, and that ultimately shapes our reality.  My reality and your reality might be very different, but we always have the power in how we respond to events, even ones out of our control.  So as 2009 winds down and you get some needed rest (maybe), revel in the fact that this challenging year is almost over, you did the best (hopefully) you could, and there will be a whole new set of threats, breaches, viruses, vulnerabilities, scams, malware and many other incidents that put security at risk, as thieves typically work through the holidays.  Plan as best you can and take the new ones in stride as a challenge to all of us to get even better at protecting all our critical assets – including the living, breathing ones.

And there you have it – 26 Short Topics about Security.  Yea, we made it!  But wait, there’s more.  Stay tuned for the Post-blog Report, where we look back at the series, pick some favorites and share what I’ve learned about putting together a chain of blogs over the course of 5 months covering a single topic.  Should be fun.

ps

Technorati Tags: Pete Silva,F5,security,application security,network security,virus,