RE: [fw-wiz] Ok, so now we have a firewall, we're safe, right?
From: Ben Nagy (ben_at_iagu.net)
To: "'Paul D. Robertson'" <email@example.com>, <firstname.lastname@example.org>
Date: Mon, 30 May 2005 22:20:14 +0200
> -----Original Message-----
> From: email@example.com
> [mailto:firstname.lastname@example.org] On Behalf
> Of Paul D. Robertson
> Sent: Monday, May 30, 2005 6:18 PM
> To: email@example.com
> Subject: [fw-wiz] Ok, so now we have a firewall, we're safe, right?
> AV isn't going to be effective against most custom Trojan
> Horses. We're going to see more of this in the future.
I wrote the below in an awful hurry, but it amplifies Paul's point. The
threats we're looking at today aren't really anything like they were when we
all got into this business. Sure, the _vectors_ are the same, and the
patented MJR/Fred/Paul methodology will still help you out against the huge
bulk of them. The point is that there is less and less margin for error.
Anyway, small, self-indulgent rant follows.
I didn't focus on defense techniques at all. Feel free to draw your own
conclusions about your own favourite protection strategies; Marcus, feel
free to plug your wirecutter posters. (hey can I get one of those shipped to
Switzerland, btw? ;)
---

Threats Facing Organisations Right Now
A Short Essay by ben

As more and more crime gets into hacking, we're seeing a whole lot of activity which was extremely rare 5-10 years ago. Most of the significant attacks these days are a result of organised crime; it's much less about pranksters, "true" hackers and those on a quest for knowledge.

Identity Theft

The biggest targets are consumer databases. High profile cases include ChoicePoint, Bank of America. Here's a para from a Fortune article:
http://www.fortune.com/fortune/technology/articles/0,15114,1056163,00.html

"In February data aggregator ChoicePoint acknowledged that identity thieves had stolen vital information on 145,000 people. Less than two weeks later Bank of America admitted it had lost backup tapes that held the account information of 1.2 million credit card holders. In March shoe retailer DSW said its stores' credit card data had been breached; the U.S. Secret Service estimated that at least 100,000 valuable numbers had been accessed. More than a month later DSW released the real number: 1.4 million. Reed Elsevier's LexisNexis, a ChoicePoint rival, followed suit, revealing first that unauthorized users had compromised 32,000 identities, then upping the number to 310,000."

These attacks are targeted - it's like traditional hacking, except for lots of cash instead of for fun. The guys running them are criminal gangs - they're not a bunch of mischievous green haired pranksters. Here's quite a good article about Shadowcrew, which was a recent high profile takedown. We're talking seasoned hackers in their early twenties with guns, wads of cash and a profoundly criminal bent. Unfortunately it's just one such gang out of dozens.
http://www.businessweek.com/magazine/content/05_22/b3935001_mz001.htm?chan=tc

Phishing is a low grade form of identity theft, but the people I spoke to in banking and from the UK NHTCU (hi-tech crime unit) still agree that the only reason gangs are not making more money out of it is because they don't have enough people to make the manual account transfers. It's a HUGE money spinner. Phishing basically relies on stupid users giving away their logins to sites like electronic banking, but also things like ebay, paypal and other sites that let you shove cash around. Identity theft is very high profile, and the media has a field day with it.

Extortion

A common tactic out of Russia and Eastern Europe is to "own" thousands of computers - this is called a botnet - with the ideal number being 5000 to 10000 according to Kaspersky. With this few, you have a good chance of never getting your malware reported to an AV company, so you're "under the radar" and no AV will pick you up. Then, you run an old-fashioned extortion racket. By threatening users with a DDoS (Distributed Denial of Service) you can effectively shut down the website of pretty much any mid to large sized organisation, for days if you want to, costing them a lot of money. Most pay. Long but cool article on this:
http://www.csoonline.com/read/050105/extortion.html

Spam

And, while your botnet is idle, you can rent it or sell it to spammers. Saves you from having that investment sitting idle. Probably the bulk of spam is sent this way now, because it's virtually impossible to trace it back to the original sender. There are so many ways for a black hat hacker to make money out of spam it would take another twenty pages - it goes beyond just sending it. There is also money to be made from advertisers, using pay-for-click techniques. Great writeup here:
http://www.lurhq.com/ppc-hijack.html

Hacking for Hire

There is much less written about this, but genuine, targeted attacks still happen. A good example is the theft and advance release of the Halflife 2 source code from Valve.
http://money.cnn.com/2003/10/07/commentary/game_over/column_gaming/
Another great one is the Cisco source code theft.
http://www.theregister.co.uk/2005/05/10/cisco_hack_investigation/
The damage to reputation and future income from these attacks is significant, but probably not crippling. The attackers in these cases were amateurs, and probably didn't make any money out of it - but it's a fairly common rumour that there are professionals doing the same thing who _do_ make money. The reason we don't read about it in the press is either because the theft is never detected, or if it is the company won't admit to it. [this was written before the Israeli targeted trojan article referenced, but that's another great example]

Worms

We haven't seen a major worm for a long time, so maybe they're not front-of-mind anymore. However, as soon as MS announce a suitable vulnerability (a stack based buffer overflow in a core networking service) there is a good chance we'll see another one. Worms actually annoy real hackers. They make a lot of noise, and they get companies to patch perfectly viable remote vulnerabilities much more quickly than they otherwise would. Most worms to date have been released by amateurs (you can tell when you reverse engineer them). However, one worm stands out, which was called Witty. Great writeup here:
http://www.caida.org/analysis/security/witty/
What Witty demonstrates is that malicious hackers are writing worms which include a whole lot of techniques that are at the forefront of academic research. Many of the techniques in Witty had been first suggested in a research paper published only a year or two earlier. It was slick, well written - basically it was coded by a security expert.

The theoretical damage from a _really_ nasty worm is difficult to calculate, but I was reading today about a completely feasible idea, where the worm could 'lock' any ATA hard-drive using firmware commands - not even a reformat would get it working again. Slammer hit half a million hosts inside 10 minutes. The trouble is that everyone will leave their head planted firmly in the sand until it happens. But, fundamentally, worms are only really interesting to vandals. They are too noisy to remain undetected, so people clean up after them. This is not what you want.

So, I think the biggest threats right now are probably those coming from skilled criminals, and not from worms anymore. This is a reversal from how things were in 2001-2003 (worms were very rare before then). That said, a destructive worm really, honestly does have the potential to put you out of business - _permanently_ if your disaster recovery plans are not top-notch.

---

Anyway, nothing above is really original. To me it all seems obvious, but whenever I talk about this stuff to the 'general public' they are all shocked, so maybe some subscribers will find it interesting.

Cheers,
ben

_______________________________________________
firewall-wizards mailing list
firstname.lastname@example.org
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards