This is getting interesting
Sounds like the new UK/US gov-sponsored information warfare lot had better consist of some switched-on guys. Maybe I need to migrate my skills security-wards....
Most businesses are defenseless against the types of attacks that recently hit Google and at least 33 other companies, according to a report to be published Monday that estimates the actual number of targeted companies could top 100. The attackers behind the cyber assault dubbed Aurora patiently stalked their hand-chosen …
The report still fails to assign the appropriate level of blame to the most important of all flawed practices that have made this possible - the practice of "Make It All The Same". This practice means that the security of the entire company is weakened by the lowest common denominator - some obscure idiotic system somewhere which works only with an obsolete version of desktop software. It is an environment which is ripe for the picking and it got picked.
And in reality the only person who needs to access that system which still requires IE6 is Joe Shmoe in procurement. It is not a justification to screw the remaining 99%.
Of course it all has to be the same else how are people going to be able to read web pages and open email. At least that's the fable MS has been feeding us for ages. It's called a monoculture. Of course no one can say this out loud for fear of losing his job ..
http://www.wired.com/politics/security/news/2004/02/62307
>>Windows machines for the vast majority of users should only be run in unprivileged mode, the authors also recommend<<
Best practice in Unix is to disallow root login. Is this even possible in Windows?
Of course, for most of its lifespan, root login has been the ahem... default in Windows and still is, though UAC has been shoehorned in at the last moment
I repaved our salesman's laptop which ran Vista a few weeks ago. He clicked a link from a Facebook "friend" telling him about a photo of himself on said site. Vista UAC didn't slow the malware down a bit. It installed two DLLs which indicated they were related to gaming. When I tried to disable their autorun registry settings, they just enabled it again. His AV didn't detect them and some other AV scanners I have only detected one of them. I didn't want to nuke his hard drive, but once one of these things gets onto one I don't trust the system anymore.
UAC is not the answer.
...and here is the truth. No matter what security and access cleverness is installed, the user doing dumb things like following unknown links from maybe-friends is going to cause problems.
Education #1, before dumping IE, is to get the end-users not to go all screwy-eyed and click everything in sight.
You wrote : "...and here is the truth. No matter what security and access cleverness is installed, the user doing dumb things like following unknown links from maybe-friends is going to cause problems."
Agreed.
"Education #1, before dumping IE, is to get the end-users not to go all screwy-eyed and click everything in sight."
Education #1 STARTS with dumping IE!
If this is really what was going on, then it raises the battle between IT security and the crackers to a new level. Sounds like all use of work mail addresses on social network sites should be banned forthwith, as should access to said sites and personal Webmail accounts from work PCs. Makes you think that the security police were right (and painfully obnoxious) all along.
How long before saying who you work for on open sites becomes a workplace disciplinary offence!
Mind you, the presence of zero-day and un-patched known vulnerabilities in the OS and browsers does not help
IMO - what it boils down to is your security plan is going to have to be as much as you can afford in time and money, and just as important as your web presence and anything you produce, elimination of access to secrets by air gap (and no I don't mean WI-FI or any RF device, I mean physically separated from the web--I hate the word "internet"), and vigilance always for other kinds of traffic (VMs for banks and other filters). And worms people can walk in with but can't install if there are no HOLES in your computer!! I mean knowing how to defend also means I could wreck you if you made someone mad, so the prudent thing here is if you don't have a "security plan", no matter who you are, it's past time you make a "security plan" and start rolling it out and dedicating money to improving it as you're able.
Anyway.. Interesting but not scary.
Just because you feel smug and safe being on a platform that is not a high-volume target, does not mean that you are not vulnerable. In fact, thinking you are not vulnerable is likely to get your entire organisation into big trouble before you know it. Security by obscurity has limits. With the increased popularity of Linux/Mac we will see increased exploits. It is just a matter of time....
"Windows machines for the vast majority of users should only be run in unprivileged mode, the authors also recommend"
Hmmm. I'd never have worked that out for myself. Good job we have real expertise available in the industry, isn't it? And isn't it lucky that there's no such thing as an unfixed "escalation of privilege" exploit?
... how much progress has the chief culprit, Microsoft, really made in these 10+ yrs (?) of proclamations of taking security seriously. I sort of expected that things would have gradually gotten better, given time, but from a pragmatic point of view it seems that the trend is just the opposite. Shame on me for being naive, I suppose.
You fail to note that what is also different from ten years ago is the level of dependency on connectivity with other parties via mail, web, etc. that businesses have reached.
Believe me, ten years ago the attack would have been much much easier than now. A piece of cake. However, MS security has not improved enough. The reasons are three:
1- They need to keep compatibility with legacy software written at a time when there was absolutely no concern for security, not only in MS but also the rest of the Windows software industry.
2- Security is always a trade-off between ease of use, accessibility and... security. Making things more secure (like Unix?) introduces additional complexity for end users and admins, as well as breaking legacy applications (see above). Making the system more complex to use or administer is against the Windows sales advantage, therefore MS does not want to cross the line that makes people think that they would be better off using other OSes.
3- Updates: even if MS achieved perfect security (impossible for reasons noted above) third parties like Apple (iTunes, Safari), Adobe (Flash, Acrobat Reader), Sun (oops, now Oracle) with Java, Mozilla, (Firefox) and such have become so common place in the desktop that there would be still vulnerabilities to exploit at those levels. "Perfect" security for MS would mean no way to log in an unauthorized user and no way to escalate privileges once logged in. But that will not protect against all the damage a single, regular user can make. Which is a lot, if only in terms of available data.
For all that you know.
Messages "apparently from trusted colleagues" or bosses look like a particular vulnerability to be locked down. External communications, or maybe even communication from a legitimate person but the wrong workstation, should be segregated or quarantined, and obviously filtered for executables and exploits.
Strip the bloody thing to plain ASCII. It might prevent idiots sending inter-department proprietary files with different versions of software, set up for different printers, and that oh-so-epic-fail of including god knows how much undo/revision information so you can (in nerd terms) "unwind the stack" to compare what the document should have looked like, and what was sent after management urinated all over it.
And, please, no more ****ing PowerPoint. Get the point, I *hate* PowerPoint, I hate everything it stands for, and if you feel the urge to make a three line message, decorate it with crass animations, add a soundtrack (yo! copyright violation!) and send all 15Mb across the intranet to me, don't be surprised if you don't get a response, I probably deleted it without even looking.
...and it is even worse when company memos that are supposed to be important get that kind of treatment. All to promote a message that is smaller than this post. <sigh>
Anyway, at home I have an itty-bitty plaintext email client I knocked out with VB one boring weekend. It works with ASCII. It sort-of deMIMEs. Anything weird just gets dropped on the floor, except when HTML is detected in which case the entire message is discarded. I really wish I could use this software at work. How many infiltrations are due to junk sent in/with emails? If there's NOTHING to click and NOTHING to run, then there's a lot less risk...
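The policy the commenter describes (keep the plain text, drop anything weird, bin the whole message if HTML shows up) written out in Python's standard `email` module. This is an added example, not the commenter's VB client and not code from the article; the two messages it feeds itself are constructed, and the "discard on any text/html part" rule is taken literally from the post above.

```python
"""Plain-ASCII e-mail reducer: added example, not the commenter's VB client.

Policy taken from the post above:
  * keep only text/plain parts that are not attachments
  * drop every other MIME part (PDFs, images, executables) on the floor
  * if a text/html part is present anywhere, discard the whole message
  * squeeze the result to 7-bit ASCII
The two sample messages are constructed here, not captured mail.
"""
from email import message_from_bytes, policy
from email.message import EmailMessage


def strip_to_plaintext(raw: bytes):
    """Return the ASCII text of a message, or None if the message must be discarded."""
    msg = message_from_bytes(raw, policy=policy.default)
    texts = []
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "text/html":
            return None                     # HTML anywhere: the whole message goes
        if part.is_multipart():
            continue                        # container, not content
        if ctype == "text/plain" and part.get_content_disposition() != "attachment":
            texts.append(part.get_content())
        # anything else (application/pdf, image/*, ...) is silently dropped
    body = "\n".join(texts)
    return body.encode("ascii", "replace").decode("ascii")


def build_samples():
    """Two constructed messages: a plain note with a PDF attached, and an HTML mail."""
    plain = EmailMessage()
    plain["From"] = "colleague@example.com"
    plain["Subject"] = "figures"
    plain.set_content("Q4 numbers attached \u2013 see sheet 2.")   # en-dash is not ASCII
    plain.add_attachment(b"%PDF-1.4 not a real document",
                         maintype="application", subtype="pdf", filename="q4.pdf")

    html = EmailMessage()
    html["From"] = "friend@example.com"
    html["Subject"] = "photo of you"
    html.set_content("see the photo")
    html.add_alternative('<p><a href="http://example.invalid/photo">photo</a></p>',
                         subtype="html")
    return plain.as_bytes(), html.as_bytes()


if __name__ == "__main__":
    plain_raw, html_raw = build_samples()
    print(repr(strip_to_plaintext(plain_raw)))   # text survives, PDF gone, en-dash -> '?'
    print(strip_to_plaintext(html_raw))          # None: message discarded
```

The first message comes back as text with the PDF gone and the en-dash replaced by `?`; the second is discarded outright because a text/html alternative is present, even though it also carries a harmless text/plain part.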
Well, Linux-based shops would be affected if the malware is customised for your company; it's pretty irrelevant what the platform is.
They've spent the time to target your company, you're connected to the internet; you're vulnerable.
It doesn't matter if you run as a privileged user or not; the problem, as they say, exists between chair and keyboard.
Or checking out their twatter/failbook account. Coughing up all those useful tidbits, so handy for the dedicated cracker. It used to take fake magazine surveys or on site surveillance to find this out.
Progress is for everyone.
Perhaps this might teach some people that their identity *really* is their most valuable asset*
*Although given that the #1 target was Google, an outfit keen to find out as much about *everyone* else's business there is a certain amount of irony here.
In conclusion, let me restate perhaps the obvious point that a defense-in-depth security architecture can minimize the risk of this exploit:
* Next Generation Firewall
* Secure Web Gateway
* Mail Server well configured
* Desktop Anti-malware that includes web site checking
* Latest version of browser, perhaps not Internet Explorer
* Latest version of Windows, realistically at least XP Service Pack 3, with all patches
* Database Activity Monitoring
* Data Loss Prevention
* Third Generation Security Information and Event Management
http://www.riskpundit.com/riskpundit/2010/01/operation-aurora-analysis.html
-------
A much simpler solution would be to run Ubuntu off a USB device and use some kind of PKI/single signon solution ..
https://help.ubuntu.com/community/Installation/FromUSBStick
Most of us have been seeing 0-day phishing since 2002, so this is really nothing new. Except of course to the folks that really don't monitor their network and let this fly under the radar.
This really comes down to application control. If you let users install unchecked software on their systems, they are going to get 0wn3d. It amazes me how many Admins will still initially react with "Oh no, we can't stop users from installing software in this environment". By running the software in monitoring mode I can usually show them that users need access to < 20 well known apps. Lock down installation to only these select programs and suddenly Malware and 0-Day are far less of an issue.
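The two-step approach in the comment above (run the control in monitoring mode, see how few programs are really used, then enforce) as an added Python example. It is not the commenter's tooling or any vendor's product; the process-start log, users, paths and hash prefixes are constructed, and the `min_users` threshold for "well known" is an assumption.

```python
"""Application control derived from monitoring-mode data: added example.

Step 1 (monitoring): collect process-start events across the fleet and see how
few distinct programs users actually need.
Step 2 (enforcement): deny anything not on that list, including a known path
whose file hash has changed. All data below is constructed.
"""
from collections import defaultdict

# Constructed monitoring-mode log: (user, executable path, sha256 prefix of the file).
MONITOR_LOG = [
    ("alice", r"C:\Program Files\Internet Explorer\iexplore.exe", "1a2b"),
    ("alice", r"C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE", "3c4d"),
    ("alice", r"C:\Program Files\Microsoft Office\Office12\EXCEL.EXE", "5e6f"),
    ("bob",   r"C:\Program Files\Internet Explorer\iexplore.exe", "1a2b"),
    ("bob",   r"C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE", "3c4d"),
    ("bob",   r"C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32.exe", "7a8b"),
    ("carol", r"C:\Program Files\Internet Explorer\iexplore.exe", "1a2b"),
    ("carol", r"C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE", "3c4d"),
    ("carol", r"C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32.exe", "7a8b"),
    ("carol", r"C:\Users\carol\Downloads\cool_screensaver.exe", "dead"),
]


def triage(events, min_users=2):
    """Split observed programs into an allowlist and a review list.

    allowlist: {lower-cased path: set of hashes seen there} for programs run by
               at least min_users distinct users (assumed threshold for "well known")
    review:    {lower-cased path: [users]} for one-offs an admin must look at
    """
    users = defaultdict(set)
    hashes = defaultdict(set)
    for user, path, digest in events:
        key = path.lower()
        users[key].add(user)
        hashes[key].add(digest)
    allow = {p: hashes[p] for p, u in users.items() if len(u) >= min_users}
    review = {p: sorted(u) for p, u in users.items() if len(u) < min_users}
    return allow, review


def decide(event, allowlist):
    """Enforcement mode: allow only a known path carrying a known hash."""
    _user, path, digest = event
    key = path.lower()
    if key in allowlist and digest in allowlist[key]:
        return "allow"
    return "deny"          # unknown program, or a trojanised copy at a known path


if __name__ == "__main__":
    allow, review = triage(MONITOR_LOG)
    print(f"{len(allow)} programs cover everyone; {len(review)} need a look:")
    for path, who in review.items():
        print("  review:", path, who)
    # The Facebook "photo" payload from earlier in the thread never makes the list.
    print(decide(("dave", r"C:\Users\dave\AppData\Local\Temp\photo.exe", "beef"), allow))
    print(decide(("dave", r"C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE", "3c4d"), allow))
    print(decide(("dave", r"C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE", "ffff"), allow))
```

On the constructed log three programs cover every user, two are one-offs for review, and in enforcement mode the download in `Temp` is denied along with an `OUTLOOK.EXE` whose hash no longer matches what was seen during monitoring.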
An oft trotted out concept is to layer your defenses like an onion. Only most of the defenses here turned out rotten. That would've been easy to see for someone halfway competent, and honestly probably was known at some level, but ignored for ``business reasons''.
Well, business is wrong, here. So is IT, mind. Instead of giving business what it demands (``intuitive'' systems and a licence to not engage one's brain), IT should give it what it needs. Different systems with fewer holes in them that accommodate better policies, support meaningful auditing, and so on and so forth. That probably includes retooling most applications for different interfaces and it definitely includes retraining all users (and the engaging of their brains, oh the horror). It'll also spell the death of a certain marketeering company from Redmond. They used to have something better(!) internally but chose to eat their own dog food, which repeatedly didn't work out so well. Oh well.
But seriously, if you want solid systems you can't build on a foundation of quicksand, not even if you add layers and layers of it to ``stiffen it up''. So don't.
* educate employees about all possible threats, including social engineering and sigint. The last one is often underappreciated when people send source code, financial figures or marketing strategies over the internet. There must be serious money spent on education and training of //all// people handling sensitive data, as they are the most important factor.
* don't connect your confidential systems to the intertubes, but have a "social PC" in every office which is being used for non-sensitive internet stuff. Maybe also an "Email PC" for everybody. Hardware is cheap nowadays.
* run the Email system in a VMware image. Not as good as a dedicated machine, but still pretty solid
* have two different email accounts for internal and external email, with each running in a different VM image. That dramatically limits the damage from a compromised "external Email".
* perform lots of statistical analysis on traffic. Whenever a supposed "friend" contacts one of your workers and suddenly uses a new email address, this should be checked for legitimacy, especially if the email has a nice attachment (PDF, Word, movie etc)
* have a professional Managed Security Company defend your intranet. They have tons of knowledge and specialised tools to monitor your intranet. Even larger intranet operators do not have this specialised knowledge.
One thing that it is time to consider is "black boxing" the AV/web filter/firewall, etc. software being used. If it is invisible to the average corporate user, then they don't know what it is - i.e., no splash screens, no identifiable .exe or services names, etc. This common practice of "branding" the first line of defense so that every user knows just what it is is only making it more vulnerable to social hacking - if an attacker knows your AV package(s), then he can craft specifically for it. If he cannot find it (because no users know to even tell him), then he has a much harder time - still doable, but then he has to socially engineer IS, which hopefully is harder if they are educated.
So, it's time to take a long hard look at "enterprise" level AV deployments, and consider how to stealth them so that even the users cannot figure out what they have. Sounds draconian, and I'm sure to take heat for this POV, but it is perhaps the only way to stop or slow social engineering from revealing what defences you have in place.
"The attackers behind the cyber assault dubbed Aurora patiently stalked their hand-chosen victims over a matter of months in a campaign to identify specific end users and applications that could be targeted to gain entry to corporate networks, the report, prepared by security firm iSec Partners, concluded. "
Sounds like a Sound CyberIntelAIgent Security Sweep Searching Deep into Drive Kernels for Available Flaw Vectors and Exploitable Vulnerabilities for Remote Virtual Power and Control TakeOver .... AIMakeOver ........ for QuITe Alien IntelAIgents with Colossal Third Party Administrative Human Facility for Media Manufacture of Reality with Virtualisation and Clouds.
Across the Pond, AIRenegade Apache Change in LOVE with Renaissance?
A Question for US Cyber Commanders into Control.
""These guys really understand how to take control of one laptop and turn it into domain admin access," Stamos explained. "People are not well prepared for this kind of stuff."" ..... Alex, it is the Internet that they are Controlling with Global Operating Devices and laptops connected Virtually. And that dDeliver Universal Power.
My IT department has granted me Admin privileges "temporarily" to fix a problem and failed to remove them on two computers now, including this one. While these hackers are obviously determined and clever, there's bound to be /some/ incompetence somewhere along the line.
A/C, obviously.
Well, I for one nearly got fired for denying a C-level exec local Admin rights on a Windows 2000 box; the IT manager gave them to him, and saved my ass.
After a week the guy's machine got infected with everything under the sun, this was circa 2002-3. Needless to say that he kept the admin rights, after all, what is he paying the IT dept for? A virus (trojans, spyware, malware), they are all the same according to management, isn't it? It only causes your computer to slow down, innit?
This fight was lost a long time ago because:
CONVENIENCE IS THE FIRST VICTIM OF SECURITY.
Only the paranoid survive... Mine is the one with the deep packet inspection book in the pocket, and the double closed LAN
"Windows machines, the authors also recommend, should only be run in unprivileged mode for the vast majority of users. "
Well, duh. Anything requiring system privileges on Windows can be done with RunAs. Try it, you'll like it (or at least dislike it less).
Also, I wouldn't dismiss layered security solutions, because even though they may be built on 'quicksand', it's the users you're talking about. Nothing will ever stiffen them up, but they're our (well, my) livelihood, so anything we can do to mitigate their weakness helps. A "defense-in-depth security architecture" is necessary, if not sufficient to completely eliminate risk. Our jobs are about risk management, and making the right trade-offs.
Sounds to me like "security through obscurity", which has never been a viable approach.
Is it perhaps time for Microsoft to throw in the towel on Windows and admit what everyone else already recognizes? That Windows is inherently insecure, and no number of after the fact fixes is going to change that. Maybe it's time to open-source Windows and let world+dog start looking for holes in that morass of code?
Why is it that Apple, presumably with a fairly small programming staff, can produce a system (including apps) that is far more secure than Windows, even though Microsoft has enough programmers to declare war on China?
I just KNEW someone would trot out that old chestnut - and it is the wrong interpretation of the phrase. "Security through obscurity" relates to CRYPTO, not your overall defensive structure. And it has been well-proven that public-domain and well-tested crypto tends to fall over a lot less than people using "proprietary" algorithms that have not been publicly vetted and studied. No debate there.
But overall security is an entirely different matter, much more related to military planning than algorithm design. If I am a general, I don't want my opponents to know my defensive structure - I may have published papers on the overall shape and possible strategies (the military do that all the time for discussion and to collect feedback, and advance careers), but I certainly don't want the enemy to know my exact troop and resource distribution, know where my command and control is, know my logistics routes, etc. The enemy will certainly try to find that out, but I want to make that as hard for them as possible - at some point they may give up and look for a softer target, or even get it wrong. Modern armies use an incredibly sophisticated set of deceptions to hide their real intents and tactics - all I am simply saying that IT should begin to employ the same techniques. My "black box" for AV deployments is similar to the military making many of their redeployments under cover of darkness, or in gaps in the spy satellite coverage of the enemy, or the development of stealth combat vehicles.
The big issue here is that the software suppliers LOVE their "branding", because they haven't gotten it into their own heads that this is really a war. It's the equivalent of sending stealth fighters on patrol while plastering them with neon, radar-reflecting decals advertising who built them. It is time for enterprise IS to start having a real discussion with their vendors about the saneness of said strategy, until SOME VENDOR gets an idea for stealth deployment of AV for corporate sites.
Actually, your comment has made me realise one thing - as long as computer security is considered in the domain of pure techies with little or no military strategy training, we will perhaps always be vulnerable. The algorithmically pure approach will not always be best, some things MUST be done illogically in order to confuse the enemy, mis-information is a valid and strong technique, and sometimes brute force will be an effective counter (such as deploying your own botnets to DDOS their botnets). This isn't about technology, it is about fighting other PEOPLE.
All this talk about which OS is better/best misses the point entirely (and again is indicative of a "techie" mindset that is frankly a fail) - ANYTHING can be hacked with enough effort. It's the thinking around the defences that matters...and that takes a well-planned strategy, not just good coding. Again, that socially unpopular but in this case utterly vital military mindset so lacking in most IT departments. It's time to start thinking as if we are in a real fight, not just blindly following "best practices" or hoping that a minority share OS will cure all ills. Go re-read Gibson's "Burning Chrome" and Stephenson's "Snow Crash", and realise those days of combative IT are already here...
"How does one determine the difference between a user wishing to access said resource, and a commandeered machine pretending to be the user?"
Often you can use statistical techniques to determine that a certain activity is illegitimate. For example, if a server has been connected to only between 9 am and 3 pm for 1000 times and now you get a request at 7pm. That will make an alarm go off in the systems of a Managed Security Service Company monitoring your intranet.
Other suspicious activity is probing ports, logging onto a system from an unusual PC, accessing unusual files, accessing many files in a short time, accessing a lot of data etc, DIR commands with a certain kind of wildcard expression (DIR p:/*fighter*.* etc).
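The baseline-and-deviation idea behind the comment above (a server only ever touched 9 to 3 getting a 7 pm request, a logon from an unusual PC) and the earlier bullet about a supposed "friend" suddenly writing from a new address with a nice attachment is the same check applied to three different signals. As an added Python example (not a managed security provider's system and not from the article), one profiler serves all three; every event below is constructed, and the history thresholds (1000 accesses per the comment, 3 mails and 20 logons as assumptions) are parameters rather than anything the page prescribes.

```python
"""Baseline-and-deviation checks for the signals discussed in the thread: added example.

One profiler, three uses:
  * a known contact (display name) suddenly mailing from a new address, worse with an attachment
  * a server only ever accessed 09:00-14:59 seeing a 19:00 request
  * a user logging on from a workstation never seen before
All histories and events are constructed; thresholds are assumptions.
"""
from collections import defaultdict

# Attachment types that turn a "new address" note into a high-severity alert (assumed list).
RISKY_ATTACHMENTS = {"pdf", "doc", "docx", "xls", "ppt", "exe", "zip", "avi", "mov"}


class Baseline:
    """Remembers, per key, the set of values observed and how many observations there were."""

    def __init__(self):
        self._seen = defaultdict(set)
        self._count = defaultdict(int)

    def learn(self, key, value):
        self._seen[key].add(value)
        self._count[key] += 1

    def is_new(self, key, value, min_history):
        """True only when key has enough history to mean something and value was never seen."""
        return self._count[key] >= min_history and value not in self._seen[key]


def check_mail(contacts, msg):
    """msg: {'name', 'addr', optional 'attachment'}; returns an alert string or None."""
    if not contacts.is_new(msg["name"], msg["addr"].lower(), min_history=3):
        return None
    attachment = msg.get("attachment", "")
    ext = attachment.rsplit(".", 1)[-1].lower() if "." in attachment else ""
    severity = "high" if ext in RISKY_ATTACHMENTS else "medium"
    tail = f" with attachment {attachment}" if attachment else ""
    return f"{severity}: '{msg['name']}' now mails from {msg['addr']}{tail}"


def check_server_hour(access, server, hour):
    if access.is_new(server, hour, min_history=1000):
        return f"medium: {server} accessed at {hour:02d}:00, outside every hour seen before"
    return None


def check_logon_host(logons, user, host):
    if logons.is_new(user, host.lower(), min_history=20):
        return f"medium: {user} logged on from unfamiliar workstation {host}"
    return None


def build_constructed_baselines():
    """Learning period, all constructed: 5 mails, 1000 server hits in 09..14, 30 logons."""
    contacts, access, logons = Baseline(), Baseline(), Baseline()
    for _ in range(5):
        contacts.learn("Jane Doe", "jane.doe@partner.example")
    for i in range(1000):
        access.learn("fileserver01", 9 + i % 6)          # hours 09..14 only
    for _ in range(30):
        logons.learn("jsmith", "ws-sales-07")
    return contacts, access, logons


def run_demo():
    """Feed normal and anomalous events through the checks; return the alerts raised."""
    contacts, access, logons = build_constructed_baselines()
    candidates = [
        check_mail(contacts, {"name": "Jane Doe", "addr": "jane.doe@partner.example"}),
        check_mail(contacts, {"name": "Jane Doe", "addr": "janedoe1977@webmail.example",
                              "attachment": "photos.pdf"}),
        check_server_hour(access, "fileserver01", 11),
        check_server_hour(access, "fileserver01", 19),
        check_logon_host(logons, "jsmith", "ws-sales-07"),
        check_logon_host(logons, "jsmith", "ws-proc-02"),
    ]
    return [alert for alert in candidates if alert]


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

Only the three anomalous events produce alerts; the normal mail, the 11:00 access and the usual workstation stay quiet. The `min_history` guard matters: a server or user with almost no history would otherwise fire on every event, which is exactly the noise that gets such alarms switched off.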