The Threat of Bots and Botnets

Twelve cyber security veterans, with significant knowledge about emerging attack patterns, worked together to compile a list of the attacks most likely to cause substantial damage during 2008. Participants included Stephen Northcutt, Ed Skoudis, Marc Sachs, Johannes Ullrich, Tom Liston, Eric Cole, Eugene Schultz, Rohit Dhamankar, Amit Yoran, Howard Schmidt, Will Pelgrin, and Alan Paller. The SANS Institute recently published their consensus list; I’ll be discussing each of these issues as they relate to small business.

2. Increasing Sophistication And Effectiveness In Botnets

First of all, I probably have to begin with a couple of definitions. A bot (a shortening of “robot”) is software written to exploit a specific vulnerability found in an application or operating system of a microcomputer, typically a Microsoft Windows station. A bot is similar to a virus in that we would say that a machine is infected with a bot; once infected, the bot will listen for instructions from the Internet for activities to perform on the infected computer. These activities may further compromise the stability of the computer or its ability to maintain confidentiality, or introduce additional trojans, viruses or worms to the PC. Meanwhile, a botnet is a network of bots that are interrelated and intercommunicate on a peer-to-peer basis or on a master/slave basis. Bots can perform automated tasks by relaying instructions to each other, or can receive instructions from a “bot master” who then orchestrates activities against infected computers.

In September 2007, Symantec reported over 2,000 botnet-related security incidents in 81 of the Fortune 500 companies. Symantec reported that up to 30 percent of its customers experienced a bot-related incident in September (http://www.darkreading.com/document.asp?doc_id=137602).
Trend Micro, in October 2006, announced that many thousands of computers in the US government were suspected of being infected by bots and botnets (http://www.informationweek.com/news/showArticle.jhtml?articleID=193104896). And in 2007, the Storm Worm (a bot) accounted for one out of every 12 infections on the Internet.

Bots can be used to launch DDoS and DoS attacks (distributed denial of service and denial of service attacks), launch additional viruses and worms, download software (often pirated) and act as a file transfer repository for peer-to-peer file sharing networks, serve as tools to capture information from websites illegally, gobble up concert tickets the moment they go on sale on the web, or channel spam.

Obviously, bots and botnets have been very successful and will continue to be a direct threat. What is of concern to many security professionals:

Existing bots and botnets may go undetected and could become platforms for deploying more sophisticated and harmful malware.

Bots are becoming increasingly sophisticated and automated, self-directed, even artificially intelligent, using fuzzy logic to make decisions.

Bots may sometimes be perceived as beneficial programs and are thus not targeted by anti-malware solutions.

What is of concern to the small business is that its computers may (unwittingly) be compromised and used as part of a botnet. Users will gladly download tools from websites that give additional features to their computing experience without realizing the danger. The additional traffic load from that activity may bog down Internet bandwidth and slow the Internet to a crawl for a small business, or steal processor time away from legitimate applications on their PCs, causing PC performance to slow or lag. Further, there is the criminal aspect to this problem: unknowingly, assets of the small business may be used to conduct illegal activity, store illegal or pirated content, or channel illegal traffic.

A couple of strategies for the small business:

1. Install practical safeguards. Install and maintain a commercial anti-virus/anti-spyware solution on all microcomputers and servers. Avoid freeware solutions like Panda and AVG – they’re not comprehensive and may lend a false sense of security. Once installed, set them to auto-update.

2. Update your Internet browser. Update to the latest version of Internet browser and implement its anti-phishing and spyware tools.

3. Set a management policy and educate your staff. Using policies, prohibit the downloading of unauthorized software from the Internet and incorporate that understanding into your Acceptable Use Policies. Use technical controls to reinforce this restriction.

4. Quarterly scans. Perform quarterly scans on your network servers and workstations. If you can’t afford a comprehensive protection suite like McAfee or Norton, Microsoft offers a one-time free scan (http://www.microsoft.com/protect/products/computer/safetyscanner.mspx). Norton has a watered-down feature from 360 called AntiBot that is less expensive and provides protection and detection (http://www.symantec.com/norton/theme.jsp?themeid=botnet).

5. Patch your firewall. Have a competent technician tune and patch your firewall to detect and block bot traffic; ask for recommendations on replacing your firewall hardware.

As for technical strategies, bots tend to use blended threats: they will open FTP, HTTP, DNS and IRC connections and transmit a lot of bogus AUTH protocol responses. Connection frequencies, and the target and source IPs, should make sense to the local administrator. They will open backdoors on workstations and potentially SAP their infected status to other infected machines, generating still more excess traffic. Specific ports can be filtered by the firewall, shielded by a NAT mapping, or blocked by restrictive ACL settings. IDS solutions like Snort or a localized sniffer like HijackThis! could be used to spot malicious transmissions or suspect TSRs hanging around in memory.
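As an added illustration of what “frequencies and target IPs should make sense to the local administrator” can look like in practice (this is example code written for this column, not Snort, HijackThis! or any tool the column names), the script below reads constructed firewall-style connection records and flags a workstation on three of the symptoms listed above: any outbound IRC connection, fan-out to many distinct destinations inside a short window, and a burst of AUTH (ident, TCP/113) traffic. The log format, the port assignments and the thresholds are all assumptions chosen for the demonstration.

```python
"""Flag bot-like traffic patterns in a connection log.

Example code added for illustration; it is not a tool named in the column.
Input records, port assignments and thresholds are constructed assumptions.
"""
from collections import defaultdict, deque, namedtuple
from datetime import datetime

# Constructed sample log, one connection per line: "<ISO timestamp> <src> <dst> <dport>"
SAMPLE_LOG = """\
2008-01-20T09:00:01 192.168.1.10 10.0.0.5 80
2008-01-20T09:00:02 192.168.1.10 10.0.0.6 80
2008-01-20T09:00:03 192.168.1.10 10.0.0.2 53
2008-01-20T09:00:10 192.168.1.22 203.0.113.7 6667
2008-01-20T09:00:40 192.168.1.22 203.0.113.7 6667
2008-01-20T09:01:00 192.168.1.30 10.0.0.11 80
2008-01-20T09:01:01 192.168.1.30 10.0.0.12 80
2008-01-20T09:01:02 192.168.1.30 10.0.0.13 80
2008-01-20T09:01:03 192.168.1.30 10.0.0.14 80
2008-01-20T09:01:04 192.168.1.30 10.0.0.15 80
2008-01-20T09:02:00 192.168.1.40 198.51.100.1 113
2008-01-20T09:02:01 192.168.1.40 198.51.100.1 113
2008-01-20T09:02:02 192.168.1.40 198.51.100.1 113
2008-01-20T09:02:03 192.168.1.40 198.51.100.1 113
2008-01-20T09:02:04 192.168.1.40 198.51.100.1 113
"""

Conn = namedtuple("Conn", "ts src dst dport")

IRC_PORT = 6667   # assumption: classic IRC command-and-control port
AUTH_PORT = 113   # ident / AUTH protocol


def parse_log(text):
    """Parse the constructed log format into Conn records, skipping blank lines."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = line.split()
        records.append(Conn(datetime.fromisoformat(ts), src, dst, int(dport)))
    return records


def _peak_in_window(records, window_s, measure):
    """Slide a time window over records sorted by timestamp and return the
    largest value of measure(records_in_window) seen along the way."""
    window = deque()
    peak = 0
    for rec in records:
        window.append(rec)
        while (rec.ts - window[0].ts).total_seconds() > window_s:
            window.popleft()
        peak = max(peak, measure(window))
    return peak


def analyze(records, window_s=60, fanout_threshold=5, auth_threshold=5):
    """Return {source_ip: [reasons]} for hosts whose traffic looks bot-like."""
    by_src = defaultdict(list)
    for rec in sorted(records, key=lambda r: r.ts):
        by_src[rec.src].append(rec)

    findings = {}
    for src, recs in by_src.items():
        reasons = []
        # 1. Any IRC connection from a workstation is suspicious on a small-business LAN.
        if any(r.dport == IRC_PORT for r in recs):
            reasons.append("irc")
        # 2. Fan-out: many distinct destinations in a short window (scanning or spreading).
        distinct = _peak_in_window(recs, window_s, lambda w: len({r.dst for r in w}))
        if distinct >= fanout_threshold:
            reasons.append("fan-out")
        # 3. A burst of AUTH/ident traffic, which the column lists as typical bot noise.
        auth = [r for r in recs if r.dport == AUTH_PORT]
        if _peak_in_window(auth, window_s, len) >= auth_threshold:
            reasons.append("auth-burst")
        if reasons:
            findings[src] = reasons
    return findings


if __name__ == "__main__":
    for src, reasons in sorted(analyze(parse_log(SAMPLE_LOG)).items()):
        print(src, ", ".join(reasons))
```

On the constructed log the first workstation (normal web and DNS traffic) is not reported, while the other three are flagged for IRC, fan-out and an AUTH burst respectively. The thresholds are deliberately low for a small sample; on real logs they should be tuned against a baseline of normal traffic so that a busy proxy or mail server is not flagged.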

R

Microsoft to Push IE7 to Desktops Feb 12

InfoWorld is reporting that Microsoft will push IE 7 to public desktops via Windows Update next month (February 12), regardless of whether or not it had been previously requested by the user. Microsoft is rolling out IE7 to all desktops as a response to mounting security fears.
To reach the broadest possible audience, IE7’s Genuine Advantage Program prerequisite will be dropped for the installation; all Windows XP machines will attempt to upgrade.
Microsoft has released an administrative toolkit to block the automatic distribution.
In my opinion, the small and mid-range business should have already adopted IE7 for its protected mode functions and anti-phishing/ad blocking solutions. Mandatory adoption may be impractical for companies who’ve been asked by their vendors not to upgrade from IE6 to accommodate their software (Sage’s MAS90 4.1 comes to mind, to accommodate its HTML help files); they may wish to weigh – for example – the risk of continued exposure against the benefit of a help file, and push their vendors to accommodate.
February 13 will probably be a fun period for small businesses – and that’s tongue-in-cheek – as users who aren’t familiar with IE7’s interface will have it pushed upon them. Luckily, you read my column, and may remember my instructions on how to bring IE7’s interface into a compatibility state with IE6, to lower the learning curve.
R

Is There a Future for Public Radio?

On the first week of February, my local public radio station for Oregon Public Broadcasting will begin their quarterly fund drive. This is where they interrupt regularly scheduled programs like NPR’s Morning Edition to beg for money.
At this time of year, I struggle to understand the public broadcasting business model. Per their own admission, less than 10-percent of listeners actually respond to these drives and OPB receives no public subsidy. They do not advertise, costs are always increasing for their content which is based on market demographics, and over 60-percent of their budget comes from membership donations.
So, while driving this morning, I mentally recapped where I get my news these days:
1. I subscribe to eight podcasts. I listen to them daily. They are free. Noteworthy to mention who they are: CNN, the San Francisco Chronicle, The Economist Magazine, NPR, Boing Boing… professional content here.
2. I actively read nine blogs through an RSS feed. I read them daily. They are free.
3. I receive daily news alerts on my Blackberry and email from CNN. They are free.
4. I use the web to watch a video, read an article, or Google the news. It’s free.
5. I listen to public radio at any time – for free – from my computer, using radio channels available in iTunes.
6. I subscribe to four paper magazines. They were practically free, less than a buck an issue for twelve months.
Anyway, if consumers have more choice, and numerous substitute products exist, and the switching cost/barrier to entry is nil, what is the future of public broadcasting? Satellite channels and programming in the car, news feeds to cell phones, iPods and podcasting, mass customization of news and alert monitors… how can a non-profit entity hope to survive, let alone remain relevant? Everything I hear on NPR is 30 minutes behind the feeds that I receive … for free… on my mobile devices.
Certainly, the future of public radio is pretty bleak when there isn’t incremental or added value to their consumer, that their broadcast cannot be customized or tailored to my preferences as a consumer, their service is redundant (perhaps even obsolete) to sources of news that arrive faster to that consumer, and their product has been reduced to a commodity: iTunes offers it for free.
I guess it bothers me to hear a fund drive for something like NPR when on the rare occasion that I’m actually listening to public radio. No amount of begging will prevent the inevitable: the business model has been made irrelevant and survives only by the goodwill, or nostalgia, of its contributors. Eventually, public broadcasting must end, or, entirely change to remain relevant. Yet here we are: planning another winter fund drive. Actually, it annoys me so much that I often return to my iPod to see if there was an update to one of my NPR podcast subscriptions. Makes me wonder if anyone in public radio is paying attention to another decaying industry – newspapers – and learning anything from the experience? Is anyone paying attention?
R

Safeguarding Against Websites That Exploit Browser Vulnerabilities

Twelve cyber security veterans, with significant knowledge about emerging attack patterns, worked together to compile a list of the attacks most likely to cause substantial damage during 2008. Participants included Stephen Northcutt, Ed Skoudis, Marc Sachs, Johannes Ullrich, Tom Liston, Eric Cole, Eugene Schultz, Rohit Dhamankar, Amit Yoran, Howard Schmidt, Will Pelgrin, and Alan Paller. The SANS Institute recently published their consensus list; I’ll be discussing each of these issues as they relate to small business.
1. Increasingly Sophisticated Web Site Attacks That Exploit Browser Vulnerabilities.
Browser variability is becoming a problem; some small businesses haven’t paid attention to browser upgrades and have even abandoned the auto-update functions of IE in favor of using Firefox or Opera. Known but unpatched vulnerabilities in the browser are then exploited, taking advantage of the weakness in system updating. Further, browser plug-ins like Macromedia Flash or Apple’s QuickTime are infrequently updated and patched by system administrators or common users.
Malicious websites that want to take advantage of these vulnerabilities stack a number of exploits on a single webpage. Users browse to the webpage and the exploits target the known vulnerabilities of the browser version and/or plug-in version, passing a virus or harvesting personal private information. This gets uglier when websites themselves become infected and the instrument for distributing a malicious payload, as users are more apt to accept browser messages from trusted websites.
Small businesses can address this problem by:
1. Use a simple browser. If it is not critical to core functionality, use the standard browser distributed with the Microsoft Windows platform (Microsoft Internet Explorer). This helps with standardizing training and security response. IE updates are passed automatically through the Windows Update process. If a 3rd party browser is either desired or necessary, then set a regular schedule to upgrade the browser software manually on every microcomputer.
2. Standardize the browser. Set an administrative policy that standardizes the Internet browser across your company, and, what plug-ins are allowed. Prohibit the installation of non-approved browsers. Use technical controls to prevent the installation of new browsers.
3. Upgrade the browser. Upgrade to IE7 or the latest 3rd party browser. Enable anti-phishing and anti-spyware controls in the browser.
4. Schedule updates for add-ons and plug-ins, or…
5. Turn on automatic updates. If the browser, the operating system, and/or plug-ins can be auto-updated, then enable it whenever possible. Allow the computer to handle updating the browser and its components.
Individuals can address this problem by following many of the same practices.
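To show what the “standardize the browser and the allowed plug-ins” and “upgrade the browser” steps look like once written down as a check, here is an added example (it is not a tool from the column, and the policy, host names and version numbers are constructed sample data). It audits a small workstation inventory against an approved-browser policy and reports unapproved browsers and plug-ins and out-of-date versions. The one detail worth learning from it is the version comparison: versions must be compared numerically, component by component, because a plain string comparison would rank “10.0” below “9.0” and silently pass an outdated install.

```python
"""Audit a workstation inventory against an approved-browser policy.

Example code added for illustration (not from the column).  The policy,
the hosts and their version numbers are constructed sample data.
"""
import re

# Constructed policy: the approved browser and plug-ins with minimum versions.
POLICY = {
    "browsers": {"Internet Explorer": "7.0"},
    "plugins": {"Flash Player": "9.0.115", "QuickTime": "7.4"},
}

# Constructed inventory, as an asset tool or login script might collect it.
INVENTORY = [
    {"host": "ws01", "browser": ("Internet Explorer", "7.0.5730.13"),
     "plugins": {"Flash Player": "9.0.115.0", "QuickTime": "7.4.1"}},
    {"host": "ws02", "browser": ("Internet Explorer", "6.0.2900.2180"),
     "plugins": {"Flash Player": "9.0.47.0"}},
    {"host": "ws03", "browser": ("Firefox", "2.0.0.11"),
     "plugins": {"Flash Player": "10.0.12.36", "Java": "1.6.0_03"}},
]


def parse_version(text):
    """'7.0.5730.13' -> (7, 0, 5730, 13).  Stops at the first non-numeric
    component, so '1.6.0_03' becomes (1, 6, 0)."""
    parts = []
    for piece in text.split("."):
        match = re.match(r"\d+", piece)
        if not match:
            break
        parts.append(int(match.group()))
    return tuple(parts)


def version_at_least(have, need):
    """Numeric comparison; a string comparison would call '10.0' older than '9.0'."""
    h, n = parse_version(have), parse_version(need)
    width = max(len(h), len(n))
    h += (0,) * (width - len(h))   # treat '7.0' and '7.0.0' as equal
    n += (0,) * (width - len(n))
    return h >= n


def check_host(entry, policy=POLICY):
    """Return a list of policy violations for one inventory entry."""
    issues = []
    name, version = entry["browser"]
    if name not in policy["browsers"]:
        issues.append(f"unapproved browser {name}")
    elif not version_at_least(version, policy["browsers"][name]):
        issues.append(f"{name} {version} below minimum {policy['browsers'][name]}")
    for pname, pversion in entry["plugins"].items():
        if pname not in policy["plugins"]:
            issues.append(f"unapproved plug-in {pname}")
        elif not version_at_least(pversion, policy["plugins"][pname]):
            issues.append(f"{pname} {pversion} below minimum {policy['plugins'][pname]}")
    return issues


def audit(inventory, policy=POLICY):
    """Map host -> violations, omitting compliant hosts."""
    report = {}
    for entry in inventory:
        issues = check_host(entry, policy)
        if issues:
            report[entry["host"]] = issues
    return report


if __name__ == "__main__":
    for host, issues in audit(INVENTORY).items():
        print(host + ":", "; ".join(issues))
```

Run against the constructed inventory, ws01 is compliant, ws02 is reported for an old IE and an old Flash Player, and ws03 for an unapproved browser and an unapproved plug-in. Feeding it a real inventory is a matter of replacing INVENTORY with whatever your asset tool exports.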
R

Explained: Zero-Day Vulnerability

A zero-day vulnerability is the window from when a threat is released to the time that software manufacturers can release patches and updates. Viruses and other forms of malware are released and distributed, and because they are not yet covered by an antivirus definition, they are not seen by the antivirus utility.

Zero-day vulnerabilities directly impact the small business because it is often a small business that does not have a dedicated technology person on staff. Larger organizations with dedicated professionals frequently monitor new threats as they’re reported and may take some level of corrective action until a new definition file is provided by the software OEM. Further, there is a wide array of government, commercial, and enlightened bloggers who offer voices on emerging threats and it is difficult for the lay-user to weed out what is critical vs. what could be construed as a minor annoyance.

Because the small business does not likely have a dedicated professional, it is even more important for it to enter into a routine process of proactive maintenance to patch software residing on desktop and server computers. Bear in mind that the more time elapses between the zero-day threat and the application of the patch, the more vulnerable the small business becomes.

A reasonable amount of time, in my mind, for implementing such a routine would be a weekly patching process for servers, and even better if the small business were to activate nightly automated updates on their Windows desktops. Why not turn on automated updates for servers? Since the server has such a critical role to the data processing needs of the small business, unsupervised installations of patches and updates could be detrimental to the server’s state and could cripple the small business. In my opinion, server maintenance should be scheduled and monitored so that performance problems introduced by the patch can be addressed.

A good date for the small business to remember is the ninth of every month, when Microsoft publishes consolidated updates to its products – coincidentally, you may notice that your computer consistently restarts on the 9th because new updates are downloaded and installed automatically. Monthly updates are fairly reasonable, but they do not address zero-day exploits as quickly as they should.

Students of IT and technology professionals have access to a number of free RSS feeds and e-mail alerts. Again, it is difficult to recommend that the layperson use these feeds because they may convey a sense of panic – not every vulnerability is detrimental to your business or to your computer. However, for those in the technology industry, up to date information is critical to resolve Zero-day vulnerabilities.

The Symantec RSS Feed
http://phx.corporate-ir.net/phoenix.zhtml?c=89422&p=newsRSS

The United States Computer Emergency Readiness Team RSS Feeds
http://www.us-cert.gov/channels/

The Microsoft Security Bulletin RSS Feed
http://www.microsoft.com/technet/security/bulletin/secrss.aspx

SearchSecurity RSS Feed
http://feeds.feedburner.com/techtarget/Searchsecurity/SecurityWire

I subscribe to each of these myself and provide a value added service to notify my newsletter subscribers of critical vulnerabilities that require their attention. The key here is information and consistency: even if the small business does not have a dedicated professional, a routine maintenance strategy combined with automated updates, and at least an awareness of what’s going on in the environment, could mean the difference between a proactive safeguard and downtime.
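The difficulty mentioned above, that the layperson cannot easily weed out what is critical from what is a minor annoyance, is something a small script can help with. The example below is added for illustration; it is not the column’s own tool and does not read the feeds linked above. It parses an RSS 2.0 document with the Python standard library and keeps only the items whose title or description carries a severity word at or above a chosen floor, most severe first. The feed document is constructed, and the severity vocabulary (critical, important, moderate, low) is an assumption; real feeds word things differently, so the keyword list is the part you would adapt.

```python
"""Triage a security RSS feed by severity words in each item.

Example code added for illustration (not from the column, and not one of
the feeds it links).  The feed document is constructed and the severity
vocabulary is an assumption.
"""
import re
import xml.etree.ElementTree as ET

# Constructed RSS 2.0 document standing in for a vendor bulletin feed.
SAMPLE_FEED = """<?xml version="1.0"?>
<rss version="2.0">
  <channel>
    <title>Constructed security bulletins</title>
    <item>
      <title>Example bulletin 1: Critical vulnerability in a media plug-in could allow remote code execution</title>
      <link>https://example.invalid/bulletins/1</link>
      <description>A specially crafted file could allow an attacker to run code. Apply the update.</description>
    </item>
    <item>
      <title>Example bulletin 2: Moderate information disclosure in a mail client</title>
      <link>https://example.invalid/bulletins/2</link>
    </item>
    <item>
      <title>Example bulletin 3: Elevation of privilege in a system service</title>
      <link>https://example.invalid/bulletins/3</link>
      <description>Rated Important. A local user could gain administrator rights.</description>
    </item>
    <item>
      <title>Example bulletin 4: Low-severity cosmetic issue in the settings dialog</title>
      <link>https://example.invalid/bulletins/4</link>
    </item>
    <item>
      <title>Product newsletter: what is new this month</title>
      <link>https://example.invalid/news</link>
    </item>
  </channel>
</rss>
"""

SEVERITY_RANK = {"critical": 4, "important": 3, "moderate": 2, "low": 1, "unknown": 0}


def classify(text):
    """Highest severity word found in text.  Whole-word matching matters:
    'allow' must not count as 'low'."""
    best = "unknown"
    for word in ("critical", "important", "moderate", "low"):
        if re.search(r"\b" + word + r"\b", text, re.IGNORECASE):
            if SEVERITY_RANK[word] > SEVERITY_RANK[best]:
                best = word
    return best


def parse_items(feed_xml):
    """Yield one dict per <item>; a missing <description> or <link> is tolerated."""
    root = ET.fromstring(feed_xml)
    for item in root.iter("item"):
        title = (item.findtext("title") or "").strip()
        description = (item.findtext("description") or "").strip()
        link = (item.findtext("link") or "").strip()
        yield {"title": title, "link": link,
               "severity": classify(title + " " + description)}


def triage(feed_xml, min_severity="important"):
    """Items at or above min_severity, most severe first."""
    floor = SEVERITY_RANK[min_severity]
    kept = [i for i in parse_items(feed_xml) if SEVERITY_RANK[i["severity"]] >= floor]
    return sorted(kept, key=lambda i: -SEVERITY_RANK[i["severity"]])


if __name__ == "__main__":
    for item in triage(SAMPLE_FEED):
        print(item["severity"].upper(), item["title"], item["link"])
```

With the default floor of “important”, only bulletins 1 and 3 of the constructed feed are shown; the newsletter item carries no severity word at all and is classified as unknown, so it only appears if the floor is lowered to unknown. To use it on a live feed, fetch the document with urllib and pass the bytes to triage.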

R

Let Them Eat Cake: $99 PC’s

Last week at the Consumer Electronics Show, vendors were ready to show off their new PCs: boxes (literally) that start at $99.
Shuttle’s $99 and $199 KPC Linux machine
Asus’ Eee PC
Everex’s Cloudbook and gPC
Generally speaking, these are machines with a small form factor, a dual-core processor, a 128 MB video card and 1 GB of RAM – a decent machine for looking at email, surfing the web, and working with productivity applications – yet all of them are lacking one specific thing: Microsoft Windows. In fact, all of them featured some variant of Linux and promoted open applications like Google’s Writely or OpenOffice.
What’s interesting about these classes of machines is that they’re addressing an “appliance” layer of data processing that is likely to be marketed to 3rd world countries or anyone looking for a good deal on a simple box at Wal-Mart. Which begs the question: will open source be the platform for the poor?
It’s even compelling to think about it in terms of class distinction: the information haves will be flush with proprietary solutions and the information have-nots with an open platform. The impressive resume will feature certification and licenses from software vendors; the unimpressive resume will be riddled with self-exploration and discovery with hand-crafted software.
All of this sounds pleasantly counter-culture but I can’t help but think this a legitimate “Marie Antoinette” strategy on behalf of commercial OEM’s. It’s kind of like acknowledging a Kia Optima looks like a Lexus LS, but under close inspection, people who … know … about luxury vehicles realize the Kia for what it is. A Linux box may look and feel like Windows, but anybody who knows (and can afford) a premium O/S understands the benefit. Somewhere, a senior manager at Microsoft is saying, “Let them eat cake: we’ll keep serving the over-priced pork.”
So, when looking at a resume, and understanding this economic disparity between open and proprietary solutions, I might be inclined to believe those with extensive experience with Sendmail, Eudora, Ubuntu, Firefox, and MySQL are like chop-shop mechanics trying to keep a taxi fleet running with junkyard parts. Yeah, they worked with what they had and maybe did a great job, but could I even employ this guy? All I’m running my taxi fleet with are Lexuses.
R