Tom Olzak

Archive for the ‘Patching’ Category

Trojan Defense: Configuring Your SOHO or Personal Infrastructure

In Business Continuity, malware, Patching, Security Management on April 10, 2010 at 08:46

Trojans continue to be a serious Internet threat and arguably the most insidious. As with any malware defense, making the right choices—and teaching users to do the same—is the only effective control. Further, continuous vigilance is required to detect and react to Trojan polymorphism.

The Challenge

Typically, Trojans gain access to a computer to collect data. The data collected are used by the Trojan’s distributor, directly or indirectly, to make money or for other gainful purposes. To achieve fiscal objectives, black hats go to great lengths to surreptitiously deliver their code and keep it secret.

To prevent anti-malware (AM) software from detecting and eliminating Trojans during delivery or installation, malware authors now go as far as encrypting the payload itself, so that the file sitting on the download server is not scannable until the first-stage downloader decrypts it. According to a recent Kaspersky Labs Threat Post:

Once the malware is on the machine, anti-malware products may detect it as a malicious file. But this process is much more difficult if the Trojan itself is encrypted. Dmitry Bestuzhev, a malware analyst for Kaspersky Lab in Latin America, has been following the evolution of Brazilian banker Trojans, and has noted a recent change in their sophistication:

A new (for Brazil) concept takes place between second and third stages when the Trojan.Downloader downloads and installs the Banker. On the one hand Brazilian coders obfuscate the download links using several techniques and on the other hand now they also crypt the Banker to be downloaded to the system.

It’s a crypted (specially packed) PE file. The coders from Brazil use this technique to prevent an automated malware analysis and monitoring mode by AV companies. This sample downloaded as it is on the server won’t be functional on the user machine unless it’s decrypted. The decryption mechanism in this case is included in the initial Trojan.Downloader, which first downloads malware, and then decrypts it to be able to infect the user machine (Fisher, 2010).

Once a Trojan successfully takes up residence on a computer, it begins collecting banking and other sensitive information for later transmission to its home server. And even if it is detected, cleaning steps short of a complete wipe and replace of all content will likely fail.
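The stage the quote describes, a downloader fetching a crypted PE file that no scanner can recognise at rest, is one reason defenders look at more than signatures. The Python below is an added example written for this page; it is not code from the article, from Kaspersky, or from the Trojan analysis. It shows the common entropy heuristic: an encrypted or packed blob approaches 8 bits of entropy per byte, while plain text and ordinary executables sit well below that. The sample buffers are constructed here, the 7.2-bit threshold and the short magic-number table are my assumptions, and `classify_download` is a hypothetical name, not an AM product API.

```python
import hashlib
import math
from collections import Counter

# Assumed threshold: bits of entropy per byte above which a buffer looks
# encrypted or packed. Real random data sits just under 8.0.
HIGH_ENTROPY_THRESHOLD = 7.2

# Legitimate formats that are compressed by design and therefore also
# score high; a known header explains the entropy, so they are not flagged.
KNOWN_MAGIC = {
    b"PK\x03\x04": "zip",
    b"\x1f\x8b": "gzip",
    b"\xff\xd8\xff": "jpeg",
    b"%PDF": "pdf",
}


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte buffer in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    counts = Counter(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def is_pe_image(data: bytes) -> bool:
    """True when the buffer starts with the MZ DOS header of a PE file."""
    return data[:2] == b"MZ"


def classify_download(data: bytes, threshold: float = HIGH_ENTROPY_THRESHOLD) -> str:
    """Triage a downloaded buffer for the 'crypted payload' pattern.

    Returns one of:
      pe-image             - a plain executable; hand it to the scanner
      compressed:<fmt>     - known compressed format, high entropy expected
      high-entropy-unknown - no recognisable header and near-random bytes,
                             the shape of a payload waiting for a stager
                             to decrypt it
      low-entropy-unknown  - unrecognised but not encrypted-looking
    """
    if is_pe_image(data):
        return "pe-image"
    for magic, label in KNOWN_MAGIC.items():
        if data.startswith(magic):
            return f"compressed:{label}"
    if shannon_entropy(data) >= threshold:
        return "high-entropy-unknown"
    return "low-entropy-unknown"


def pseudo_ciphertext(length: int, seed: bytes = b"constructed-seed") -> bytes:
    """Deterministic high-entropy filler standing in for an encrypted payload.

    Constructed sample only: a SHA-256 counter chain, so the example is
    repeatable offline. It is not a real cipher and not a real malware sample.
    """
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


# Constructed inputs: a buffer shaped like a plain PE stub, and a 4 KiB blob
# with no header whose bytes look random.
PLAIN_PE_LIKE = b"MZ" + (b"This program cannot be run in DOS mode.\r\n" * 64)
CRYPTED_BLOB = pseudo_ciphertext(4096)


def triage_report(samples: dict) -> dict:
    """Run the classifier over named buffers and return name -> (entropy, verdict)."""
    return {
        name: (round(shannon_entropy(buf), 2), classify_download(buf))
        for name, buf in samples.items()
    }


if __name__ == "__main__":
    for name, (ent, verdict) in triage_report(
        {"plain_pe": PLAIN_PE_LIKE, "crypted": CRYPTED_BLOB,
         "zip_wrapped": b"PK\x03\x04" + CRYPTED_BLOB}
    ).items():
        print(f"{name:12s} entropy={ent:5.2f} -> {verdict}")
```

A high-entropy buffer with no recognisable header is a triage signal, not a verdict: archives, media and TLS captures all look random, which is why the check tests for known headers first. Run over files written by a browser or mail client, the "high-entropy-unknown" bucket is the one worth holding for sandbox execution, since that is where the downloader's decryption step would reveal the real PE.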

…

Security Tip: Patching must include ALL applications

In Cybercrime, Hacking, Patching on October 6, 2009 at 07:14

Once again, patching isn’t just about plugging holes in Windows. Most, if not all, applications have security vulnerabilities if someone looks hard enough. Up until now, however, finding those vulnerabilities was harder than just attacking the OS. But Microsoft has settled into a patch release routine that, when followed, hardens servers and user workstations reasonably well. And although vulnerabilities remain, the effort required to find and exploit them has grown—it is now easier for attackers to shift their focus to widely installed user applications.

Adobe is getting the attackers’ attention now. It is a good target because Adobe Reader is everywhere.

Adobe’s software has increasingly come under attack in recent years as hackers have come to realize that it can be easier to find flaws in popular software that runs on top of Windows than to dig up new vulnerabilities in the operating system itself.

That’s led to a round of new attacks that exploit bugs in products such as Adobe’s Reader, Apple’s QuickTime, and the Mozilla Firefox browser, for example.

It’s a reality that Adobe Chief Technology Officer Kevin Lynch freely acknowledged Monday in a press conference at the company’s annual Adobe MAX developer conference, held in Los Angeles.

Source:  After attacks, Adobe patches now come faster, Robert McMillan, Computerworld, 6 October 2009

But Adobe’s isn’t the only end-user application on your endpoints. It’s critical to get ahead of the attack curve by developing an overall patch process today, one that covers every installed application, BEFORE that new user productivity tool becomes a target.
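To make the “all applications” point concrete, here is an added Python example of mine, not code from the post or from any patch-management product. It compares a constructed software inventory against a constructed baseline of minimum patched versions and reports two things a Windows-only report would miss: third-party applications below their baseline, and installed products for which no baseline exists at all. Host names, version numbers and the “Example Productivity Tool” entry are invented placeholders; only the product names (Windows, Adobe Reader, QuickTime, Firefox) come from the post.

```python
import re

# Constructed inventory: hypothetical hosts and made-up version strings.
INVENTORY = {
    "ws-01": {"Windows": "6.1.7600", "Adobe Reader": "9.1.0",
              "Firefox": "3.5.3", "QuickTime": "7.6.2"},
    "ws-02": {"Windows": "6.1.7600", "Adobe Reader": "9.2.0",
              "Firefox": "3.0.14", "QuickTime": "7.6.4",
              "Example Productivity Tool": "1.0"},  # hypothetical new app
}

# Constructed baseline: minimum acceptable version per product. The values
# are placeholders, not real patch levels.
BASELINE = {
    "Windows": "6.1.7600",
    "Adobe Reader": "9.2.0",
    "Firefox": "3.5.3",
    "QuickTime": "7.6.4",
}


def parse_version(v: str) -> tuple:
    """Turn '9.1.3' or '9.2' into a comparable tuple; missing fields count as 0."""
    parts = [int(p) for p in re.findall(r"\d+", v)]
    return tuple(parts + [0] * (4 - len(parts)))


def find_patch_gaps(inventory: dict, baseline: dict) -> list:
    """Every (host, product, installed, required) where installed < required."""
    gaps = []
    for host, apps in inventory.items():
        for product, required in baseline.items():
            installed = apps.get(product)
            if installed is None:
                continue  # product not on this host; nothing to patch
            if parse_version(installed) < parse_version(required):
                gaps.append((host, product, installed, required))
    return gaps


def find_uncovered(inventory: dict, baseline: dict) -> set:
    """Products installed somewhere that the patch process does not track yet."""
    installed = {p for apps in inventory.values() for p in apps}
    return installed - set(baseline)


def os_only_view(gaps: list) -> list:
    """What a Windows-only patch report shows: the OS rows alone."""
    return [g for g in gaps if g[1] == "Windows"]


if __name__ == "__main__":
    gaps = find_patch_gaps(INVENTORY, BASELINE)
    print("OS-only report:", os_only_view(gaps) or "nothing to do")
    print("Full report:")
    for host, product, installed, required in gaps:
        print(f"  {host}: {product} {installed} < {required}")
    print("No baseline yet:", sorted(find_uncovered(INVENTORY, BASELINE)))
```

With this inventory the OS-only view is empty while the full report lists three application gaps, and the uncovered set names the new tool before anyone has decided who patches it. That last list is the actionable output: a product with no baseline is a product nobody is watching.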

Security Risk Extends Beyond Simple Loss of Data

In Business Continuity, Data Security, Government, Insider risk, Mobile Device Security, Network Security, Patching, Risk Management on June 7, 2009 at 14:52

Laptop encryption as a security control has become an expectation rather than an option. Organizations worried about data breaches and their possible business impact are spending exorbitant percentages of IT budgets to avoid having to tell customers or employees they’ve lost their personal information. Couple this with regulatory requirements to report certain types of breaches, and laptop encryption becomes as common on mobile systems as Notepad. But not everyone agrees with this movement to protect laptop data at all costs.

Even the big picture suggests that spending is poorly allocated. “Thieves got 99.9 percent of their data from servers and 0.01 percent from end user systems, but enterprises spend about 50 percent of their security budget on endpoint security,” [Dr. Peter Tippett, founder of ICSA Labs] said. “They should spend more of it on server security.”

“The cause is a problem I call WIBHI, for Wouldn’t It Be Horrible If,” he said.

He added that it explains laptop encryption. He said that we encrypt laptops not because it will protect them better (passwords are good enough for that) but because we don’t have to report a breach if the laptop was encrypted.

Source: Enterprise Security Should Be Better and Cheaper, Alex Goldman, Internetnews.com, 6 June 2009

I make a habit of reading as much as possible about actual breaches, and I agree that we may be overdoing it a bit when we put multiple layers of security on devices which are not typically the primary target of attackers. But I have three questions for Mr. Tippett. What about botnets? What about loss of access to critical systems due to malware-caused enterprise network shutdowns? And what about the impact on a business if the public discovers encryption—a security control they’ve been told must be implemented or a business is negligent—was not used on a lost laptop containing personal information?

Business risk extends beyond a simple breach. Its scope must include all possible negative impact scenarios which might be caused by weak endpoint security. Yes, it is all about the data, including its availability and public perception—not necessarily based on a scientific assessment of actual risk—of how well it’s protected. So until potential victims, potential customers, careless employees, and knee-jerk-driven politicians are removed from the risk formula, we will likely continue to spend more than might be reasonable and appropriate in a perfect world.

Cloud Computing May Solve Patching Problems…?

In Patching on May 1, 2009 at 11:41

Wolfgang Kandek of Qualys is quoted in a TechWorld article as follows:

“We believe that cloud security providers can be held to a higher standard in terms of security,” said Kandek. “Cloud vendors can come in and do a much better job.”

Unlike corporate admins for whom patching was a sometimes complex burden, in a cloud environment, patching applications would be more technically predictable – the small risk of ‘breaking’ an application after patching it would be nearly removed, he said.

Source: Cloud security will supplant patching, says report author, John E. Dunn, Techworld, 1 May 2009

I agree with Kandek’s assertion. However, cloud computing doesn’t relieve managers of the responsibility to ensure that cloud vendors have a good patch process and that they actually follow it.
