I recently had to have my computer disinfected, which was frustrating. My firewall is up, I keep my antivirus up to date, I’m cautious about opening e-mail and don’t click indiscriminately on links. But something got through.
A new report from Lastline, a security company that focuses on advanced malware, offers some insight into a new technique used by black hat writers to escape detection by having their code do busywork in a security sandbox until it is allowed out.
It should be noted that Lastline has a dog in this fight and is offering a solution to counter this new threat. But the information is still interesting.
A sandbox is a virtual environment with its own guest operating system where intercepted incoming code can be observed. If it acts maliciously or suspiciously, it can be tossed out. Observing behavior of code in a sandbox should detect and block malware regardless of whether the code or the vulnerability it exploits is already known.
The challenge for attackers, then, is to outwit the sandbox. They do that with environmental checking; malware might check for the presence of a virtual machine or it might query well-known registry keys or files that indicate a sandbox. Other malware authors instruct their malware to sleep for a while, waiting for the sandbox to time out.
Security vendors have countered by looking for behavior such as queries for registry keys and by forcing sleeping code to wake up.
The latest trick by malware writers is what Lastline calls stalling code. It delays the execution of a malicious code inside a sandbox and instead performs a computation that appears legitimate. Sort of like an intruder avoiding notice by carrying a clipboard through an office. Once the sandbox has timed out, the evasive malware is free to execute.
This is not the ultimate malware; evasive techniques can be countered by better sandboxes. Also, these techniques are no good if the vulnerabilities being exploited have been patched or if the signature of the code is known. Although signature-based detection has been shown to be an inadequate defense by itself, it still works well when it works. (We’ll look later at why it doesn’t always work.)
But it is a reminder that what the mind of one man can achieve, another can overcome. No attack and no defense is perfect, and the battle goes on.
Posted on Feb 22, 2013 at 12:20 PM1 comments
The Internet has created “a golden age for intelligence collection,” says James Lewis, a fellow at the Center for Strategic and International Studies. In fact, he writes in a new paper on conflict in cyberspace, “The primary challenge for sophisticated intelligence agencies is not the collection of data, so porous are Internet-based systems, but the ability to store, process and analyze the data they have acquired.”
This is not much of a surprise in the wake of recent reports such as that from Mandiant detailing the incursion efforts by the Chinese People’s Liberation Army, believed responsible for penetrating the systems of more than 140 companies, many of them in the United States. The Mandiant study itself builds on earlier work by other security researchers. The clear message is that the Chinese are in U.S. systems, have been for some time, and are not likely to leave any time soon.
All of which raises the question: How do we protect ourselves against these attacks? Better security awareness would help. Organizations, both government and private, need to know what resources must be protected and then focus their efforts on those. Even organizations that are not targets can become vulnerable links in a chain of complex attacks and they need to protect themselves accordingly.
But relying on technology alone is not enough, Lewis says. The stakes are too high and the systems being targeted are too complex for that.
“Any analysis of cybersecurity needs to accept the fact that cyber espionage will continue,” he writes. Improving system security can discourage amateurs and criminals looking for easy money, “but advanced services, with their resources and their combined technical means, will retain an advantage. The task of cyber espionage will become more difficult, and a sophisticated opponent will still be able to achieve success.”
Government must bring to bear its intelligence, diplomatic and political resources, treating espionage as an IP and trade issue rather than a cybersecurity issue, Lewis writes. “Vigorous response is the key to managing cyber espionage.”
One roadblock to this approach has been the lack of attribution — the ability to identify the ultimate source of attacks with a high degree of confidence.
But Lewis says this is a false barrier, for two reasons. First, everybody knows China is doing this; and second, this is a matter of diplomacy, not a court of law, and proof doesn’t need to be established beyond a reasonable doubt. Diplomatic pressure and economic sanctions backed by intelligence could make it politically difficult for China to continue this behavior.
What is needed is an accepted set of international norms concerning behavior in cyberspace — the kinds of norms that helped the United States survive the Cold War. The Cold War “worked,” in that the United States and the Soviet Union were able to confront each other without nuclear war because there were more or less clearly defined roles and conventions with an understanding of what could be done and how. Currently, that is missing from cyberspace.
None of this means that firewalls and vulnerability patching are not important. They are. But while system administrators raise the technical bars, the policy wonks also will have to raise the political bars.
Posted on Feb 21, 2013 at 8:25 AM4 comments
The Federal Communications Commission was dinged in a recent audit for cutting corners while upgrading network security in response to a breach.
The Government Accountability Office said that the security of the commission’s Enhanced Secured Network was compromised because the FCC did not implement appropriate security controls and follow proper procedures in project development and deployment.
But FCC countered that the ESN was an emergency response, “designed to avoid an increase in security risks posed by delays in implementation,” and that even with cutting corners, “the FCC’s network is stronger, better, and more secure than it was before the commission started these upgrade efforts.”
The case is a good example of the conflict between the requirements of auditors who evaluate regulatory compliance and the demands on frontline administrators who must deal with real-world threats while keeping systems running. The conflict is an old one and has implications for IT security. Auditors evaluate how something is done rather than what is accomplished. They focus on process and documentation. Process and documentation are important because they help ensure repeatability of results and keep everyone on the same page while doing a job. Results often are hard to quantify and measure, so adherence to process can the best way to tell if requirements have been met.
But the guys on the front lines spend a lot of time putting out fires and patching things, with little time for paperwork. Duct tape isn’t pretty, but admins do what they have to do to keep things running. Maybe they can go back and fix it properly later — after putting out the next fire. Auditors hate this. Administrators aren’t crazy about it either and would gladly change things if they had the budget, time and resources they need.
The FCC situation began with the 2011 discovery of a breach during an upgrade of the commission’s security and monitoring systems. The ESN project was the response and it was brought in under budget and on schedule. But GAO found that impact assessments had not been done to ensure that the proper security controls were being used and that the system had not been formally reauthorized for operation as required by the Federal Information Security Management Act.
FCC acknowledged these lapses but said they were necessary at the time and that it had gone back to cover these bases after ESN was up and running.
Both sides have their points. The key to the dispute lies in a single word in GAO’s conclusion: “As a result of these and other deficiencies, FCC faces an unnecessary risk that individuals could gain unauthorized access to its sensitive systems and information.” The key word is “unnecessary.”
Did FCC create an unnecessary risk? Or did the commission accept a necessary amount of risk to get a necessary fix in place as quickly as possible?
It is impossible to say without knowing the details of the breach and the fixes, which haven’t been released. But it would be wrong to conclude that a risk is unnecessary just because it could be prevented under ideal conditions. Most people go to work each day and do the best they can with the conditions at hand, which seldom are ideal.
Posted on Feb 11, 2013 at 8:13 AM2 comments
The IRS touts electronic filing as the safest way to file tax returns, but it is impossible to say just how safe it is.
There are hints in a recent report from the Treasury Department’s Inspector General for Tax Administration that online filing might be making things safer, but the title of the report highlights the broader problem: “There are Billions of Dollars in Undetected Tax Refunds Resulting from Identity Theft.”
According to the report, auditors turned up 1.5 million potentially fraudulent returns claiming refunds of $5.2 billion. Extrapolating this figure, while taking into account improvements the agency is making in spotting phony claims, the auditors projected that this could cost (honest) taxpayers $21 billion over the next five years.
Auditors turned up some interesting figures on fraudulent returns that should have been tip-offs to tax collectors. For example, there were 4,864 tax returns filed from just five addresses in Michigan, Illinois and Florida, for which $8.1 million in refunds had been issued. By far the busiest address was in Lansing, Mich., sending in 2,137 returns for $3.3 million in refunds.
The IRS cannot say for sure whether the shift to e-filing is making things safer or more dangerous. In recent testimony prepared for a House Oversight and Government Reform subcommittee, the Government Accountability Office reported that the total number and cost of fraudulent returns is unknown, and the agency does not track the characteristics of known frauds, including whether returns are more likely to be filed electronically or on paper.
IRS policy is to encourage — if not require — online filing. It is offering a Free File option for electronic filing in conjunction with a number of companies and it promotes its e-file service that can be used with commercial tax preparation software. As of last year, any tax preparer filing more than 10 individual returns must use e-file.
There are signs that electronic filing lets the IRS do a better job of spotting fraudulent tax returns. In calendar year 2009 the IRS identified 456,453 cases of ID theft, and just 440,581 in 2010. Each year taxpayers discovered about a quarter of these cases and the IRS found the rest. In 2011 the number of identified cases shot up to 1.1 million, with IRS identifying about 90 percent of them. In that year the number of online filings also increased sharply to 109 million from about 97 million in 2010. Maybe it is easier to spot those phony returns electronically.
Identity theft is not strictly an online problem, of course. But the nature of the Internet makes it easy for criminals to anonymously reach out to steal and manipulate, and the potential certainly exists for fraud on a scale that is not practical with ink and paper.
However the fraud is being committed, the IRS needs to take steps to ensure that electronic filing can be relied upon by both the taxpayers and the tax collectors. There is a burden on the third parties who are intermediaries for taxpayers and the IRS to ensure that data and identities are valid, but there also is a responsibility on the part of the IRS to adequately monitor that data as it arrives, flagging what is suspicious and improving its filtering over time.
Posted on Feb 06, 2013 at 9:40 AM2 comments