9th Colloquium for Information Systems Security Education
United States Military Academy, West Point, New York, 7-10 June 2004
www.ncisse.org

5th Annual IEEE Information Assurance Workshop, “The West Point Workshop”
United States Military Academy, West Point, New York, 10-11 June 2004
www.itoc.usma.edu/workshop

Submission deadline for IAW and CISSE papers is 31 March 2004
Information Security in 2004 and Beyond: Emerging Threats to Our Way of Life
The 17th Annual Federal Information Systems Security Educators’ Association (FISSEA)
Colonel Daniel Ragsdale, Ph.D.
daniel.ragsdale@usma.edu
Three Alternative Titles
• “Whose &*%$* computer is it anyway?”
• “The Unholy Alliances and a Call to Arms”
• “Viral Devastation”

FISSEA
• Returning Home
• Executive Board Service
• Presentation Highlights
  • One Joke
  • No Silly Glasses
  • No Imitations
  • Experiments
  • Raise hands
Why we should all lie awake at night?
• Dyslectic, agnostic, insomniac?
• The environment has radically changed
• We are losing ground!!
• Publicly known vulnerabilities and attacks
  • The proverbial “tip of the iceberg”
• Users and managers are not getting it!
Virus Advisory
• McAfee Raises Risk Assessment to Medium on New W32/Netsky.j@MM Worm
• McAfee receives over 70 Samples an Hour of W32/Netsky.j
Yahoo News, Monday March 8, 6:16 pm ET

Bagle.J Pokes a Hole in Internet Service
• Virus is an e-mail attachment intended to generate spam.
• Use anti-virus software if you have opened what appears to be a security warning
Montreal Gazette, March 9th

Another day, another Netsky
• Sophos is reporting two more versions, named Netsky-J and Netsky-K.
• Both worms use the familiar technique of carrying their own SMTP engine
• On the 10th March Netsky-K will play random sounds between 10 a.m. and 11 a.m.
PC Pro, March 9th

Worm Poses As Microsoft Patch
• Plays off fears of worms by masquerading as a patch from Microsoft
• Sober.d arrives with a subject that reads "Microsoft Alert: Please Read!"
• The worm also comes in a German version: "Microsoft Alarm: Bitte Lesen!"
Internet Week, 8 March

Sinister New Crop of Viruses Dogs PCs
• Latest barrage of computer bugs likely tied to organized crime
• The Internet was often compared to the Old West
• Now seen as a more sinister domain of gang warfare and organized crime
• A recent plague of viruses, including 20 variations of the viruses Mydoom, NetSky and Bagle
Orlando Sentinel, March 9, 2004
The New Players
• What motivates them?
  • Fame
  • Fortune
• What mindset do they all share?
  • It is OK for them to use your systems and access your data without your explicit prior approval

The Unholy Alliances
• Spam Entrepreneurs
• Adware / Spyware Providers
• File Sharers
• Phishers
• Porn Purveyors
• Hackers
Sliding scale of legitimacy!

Virus and Worm Trends
• More common
• More sophisticated
• Faster spreading
• Significant code re-use
• Often more lucrative
• Increasing number of infection vectors
• Better social engineering
Quiz for “Trained Professionals”
• Who has ever:
  • Downloaded software at work?
  • Opened a malicious attachment?
  • Bought through a spammer?
  • Had a “funny acting” system?
  • Installed a HW firewall at home?
  • Been personally affected by identity theft?

Implications
• For Individuals
  • Identity Theft ($)
  • Credit Cards ($)
  • Privacy Threats
• For Businesses
  • Proprietary Information ($)
  • Resource Theft ($)
  • Productivity Losses ($)
• United States
  • National Security
MyDoom
• Fast spreading virus
• DDoS
• Backdoor!!
• SMTP Engine

Netsky
• Swamped many SMTP gateways in about 10 minutes
• SMTP Engine
• Intentionally timed to spread just after AV updates
• Zip files are a real problem

W32/Bagle.j@MM
• Was missed by many filtering packages
• Competing with the Netsky writers
• SMTP Engine
• Also opens a backdoor
Adware / Spyware
• Saddam Escapes!
• EULA
  • The Software provides you the opportunity to access content for no charge. In return for the right to access this Content, you acknowledge and agree that the Software contains additional software products provided to PSD Tools .... In addition, the Software will interoperate with your current instant messaging client so as to permit the automatic sending of advertising messages originating from your Computer to your contact or “buddy” list regarding Content offered by PSD Tools or its suppliers.
What now?
• Office / Agency / Home
• Restrictive Policies
  • No attachments
  • No software downloads
• User / Manager Education
• Spyware Zappers, Browser Plug-in Checkers and Startup Checkers
• Hardware Firewall / Routers
• More Secure Wireless Configurations
• Automatic Updates and Patches
Other Issues
• Don’t overly rely on the “Live Update” feature of AV software.
• Despite efforts to educate
  • Many still opened the infected email and the zip file because the email came from high-level trusted sources.
• Some sites make it a practice of returning infected emails to the sender, including the infected attachment
  • This can cause other sites to become infected.
Education, Education, Education
• The threat is greater than it has ever been
• Technology alone will not solve the problem
• Restrictive policies and user discipline are essential
• Battlelines…

Spam: It's Not Just for In-Boxes Anymore
• System Tray and Startup
• Start -> Run… -> msconfig
Stephen Manes, from the February 2004 issue of PC World magazine
Best Practices Against Spam
1. USER AWARENESS - User awareness of spam and how to avoid it; user awareness that you cannot stop, only manage, what you receive (i.e. via website and awareness programs); and not having harvestable addresses on public websites (i.e. use images).
2. CENTRALISED FILTERING - A level of centralized filtering using heuristics or Bayesian techniques, where tagged spam is sent to a junk folder with an auto expiry (especially while the filtering process is being developed and refined), or is sent to the user and tagged as spam, or a combination of both based on variable scoring.
3. CLIENT FILTERING - An additional level (to gateway filtering) of user-defined filtering that includes opt in/opt out, variable-level client filtering, with the option of the user receiving tagged spam to a junk folder or simply choosing to delete it from the server prior to receiving tagged spam. (Note all of this is additional to gateway filtering.)
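The "variable scoring" in item 2 is easiest to see in code. The following is an added example, not part of the presentation and not taken from any product: a centralized filter assigns each message a score from a handful of heuristic rules, and the score alone decides whether the message is delivered untouched, delivered with a spam tag in the subject, or diverted to a junk folder whose entries auto-expire. The rule names, weights, thresholds, retention period and sample messages are all constructed for illustration.

```python
"""Gateway spam scoring with variable-score routing and junk-folder expiry.

Added example, not from the original presentation or any product. It sketches
item 2 above: a central filter scores each message with simple heuristics and
the score decides whether the message is delivered untouched, delivered with a
spam tag in the subject, or diverted to a junk folder whose entries expire.
Rule names, weights, thresholds and sample messages are all constructed.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# Constructed heuristic rules: (name, weight, predicate(subject, body)).
# Real gateways (SpamAssassin, for example) ship hundreds of such rules.
RULES = [
    ("subject_all_caps", 1.5, lambda s, b: len(s) > 8 and s == s.upper()),
    ("lure_words", 2.0, lambda s, b: re.search(
        r"\b(free|winner|lottery)\b|\$\d+", s + " " + b, re.I) is not None),
    ("excess_exclaim", 1.0, lambda s, b: (s + b).count("!") >= 3),
    ("raw_ip_url", 2.5, lambda s, b: re.search(
        r"https?://\d{1,3}(?:\.\d{1,3}){3}", b) is not None),
    ("click_here_lure", 1.0, lambda s, b: "click here" in b.lower()),
]

TAG_THRESHOLD = 3.0                  # at or above: deliver, but tag the subject
JUNK_THRESHOLD = 5.0                 # at or above: divert to the junk folder
JUNK_RETENTION = timedelta(days=14)  # auto-expiry for diverted mail


@dataclass
class Verdict:
    score: float
    hits: List[str]
    action: str                      # "deliver", "tag" or "junk"
    subject: str                     # subject as it will be delivered
    expires: Optional[datetime] = None


def score_message(subject: str, body: str):
    """Evaluate every rule; return (total score, names of rules that fired)."""
    hits = [name for name, _, pred in RULES if pred(subject, body)]
    score = sum(weight for name, weight, _ in RULES if name in hits)
    return score, hits


def route(subject: str, body: str, now: Optional[datetime] = None) -> Verdict:
    """Apply the variable-score policy: deliver, tag, or divert with an expiry."""
    now = now or datetime.now()
    score, hits = score_message(subject, body)
    if score >= JUNK_THRESHOLD:
        return Verdict(score, hits, "junk", subject, now + JUNK_RETENTION)
    if score >= TAG_THRESHOLD:
        return Verdict(score, hits, "tag", f"[SPAM {score:.1f}] {subject}")
    return Verdict(score, hits, "deliver", subject)


class JunkFolder:
    """Diverted messages with their expiry; expire() is the auto-purge."""

    def __init__(self):
        self.items = []              # (expires, verdict)

    def add(self, verdict: Verdict):
        self.items.append((verdict.expires, verdict))

    def expire(self, now: datetime) -> int:
        """Drop everything whose retention has run out; return how many."""
        before = len(self.items)
        self.items = [(exp, v) for exp, v in self.items if exp > now]
        return before - len(self.items)


# Constructed sample messages: one legitimate, one borderline, one obvious.
SAMPLES = [
    ("Meeting notes", "Attached are the notes from Tuesday."),
    ("Newsletter", "Click here to update preferences! Free shipping!!"),
    ("YOU ARE A WINNER!!!", "Claim $1000 now: http://192.0.2.10/claim click here"),
]


def run_demo():
    """Route the samples at a fixed time and exercise the junk-folder purge."""
    now = datetime(2004, 3, 9, 12, 0)
    verdicts = [route(s, b, now) for s, b in SAMPLES]
    folder = JunkFolder()
    for v in verdicts:
        if v.action == "junk":
            folder.add(v)
    return {
        "actions": [v.action for v in verdicts],
        "scores": [v.score for v in verdicts],
        "tagged_subject": verdicts[1].subject,
        "purged_day_13": folder.expire(now + timedelta(days=13)),
        "purged_day_15": folder.expire(now + timedelta(days=15)),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The two thresholds are the knobs item 2 describes: while the rules are still being tuned, TAG_THRESHOLD can sit low and JUNK_THRESHOLD high so that false positives reach the user tagged rather than disappearing, and the retention period bounds how long a wrongly diverted message can still be recovered.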
Spaf: Future Impact of Viruses on Internet

I'd like to point out that the majority of the problems we have had have two things in common. In fact, I would say that these are two necessary conditions for every mail-based worm we have seen in the past couple of years, and at least one of the two is necessary for all the others:

• They include an executable for Windows
• They are based on an executable encoded using MIME in email

Those of us on machines running Solaris, HP/UX, MacOS, BSD, Linux, etc. have simply had to deal with all the extra email fallout, but the malware has not established itself on our machines.

There are fundamental architectural problems in Windows that make these kinds of things work so well (from the attackers' point of view). I don't believe they are being addressed as part of the MS security push, either. So, one way to protect yourself from these attacks is to consider a switch to another OS, at least for machines that handle email.

That's not to say that other operating systems aren't susceptible to viruses -- they are. However, those other systems don't allow general user accounts such unfettered access to structures and resources that make worms so easy to establish, insert deeply into the system, and propagate so quickly.

As to the second point, if we simply start blocking any executable content attachments, we will do a lot to stop these kinds of things (not to mention recover disk space and bandwidth, cut down on trojans, and reduce the number of pranks users play on each other). I block .(com|cmd|exe|pif|scr|bat) files on general principle. I also bounce .doc files, and I am now bouncing .zip archives. This has never caused me any real difficulty in collaboration with others. If anything, it has cut down on the junk people simply mail because it is easy. Sending around 50K files for a 3 line memo is a waste of resources.

ANY executable type routinely sent via email is going to result in a danger.

Our community has established that we can't train our users to avoid clicking on attachments. It is also clear that the anti-virus programs, as a rule, don't catch all the new malware. So, let's be proactive and simply shut down the vector -- stop allowing users to send executables in email.

I've expressed this before on this list and been mildly flamed for suggesting that people stop exchanging dangerous file types. However, I'm sure that most (if not all) of those who were so quick to criticize my advice have also had to clean up multiple instances of malware since. To me, it's like walking into a 1970s restaurant and suggesting that people stop smoking because it is harmful to everyone there. After being booed out, I've been enjoying the fresh air and watching all the smokers cough and succumb to repeated lung diseases. The addicts are so far gone they can't envision what it is like to be free of the addiction, so they argue with anyone who suggests they can.

I average over 200 email messages a day (NOT counting spam). In 25 years online, I have never had a computer virus or worm on my personal machines, with the exception of the Morris Worm in 1988. I do not have any anti-virus software scanning my email, either. It's not rocket science: I use a Mac, and I don't open or accept executable attachments unless I have prearranged for them and know what they are. I use a mailer that doesn't auto-open attachments. I don't use Word. So long as people want to put patches on fundamentally unsound software and procedures, problems will continue. If we want to really make a change, it requires actually *changing* things rather than putting new patches in place.
More Worm Stuff

On Mon, 09 Feb 2004 15:44:10 EST, Michael Sofka <sofkam@rpi.edu> said:

> But, there are Linux trojans and worms (do google searches of slapper
> and bliss, for example). It's been 17 months since any made headlines
> (an eternity in Internet years), but they do exist. In addition, some
> windows viruses can infect applications run under WINE.

I was around for slapper, and Bliss and Lion, and for *MORRIS*, for that matter. So nobody needs to tell me "they do exist". However, security is about trade-offs: what's your best payback for effort, and are you spending more on security than you're likely to lose?

Which is more likely to produce *effective* results:

1) Buying an A/V package for a single-user Solaris workstation that scans for PC viruses (when the box isn't even a mail or file server).
2) Buying an A/V package for that Solaris box that scans for Solaris viruses and worms.
3) Shelling out for a copy of the SANS Step-by-step for Solaris and a copy of Tripwire (or a copy of the Center for Internet Security benchmark for Solaris and the freeware Tripwire, and a long afternoon, if your budget is tight). Won't stop many viruses, but will help with all the OTHER attacks that Solaris boxes *are* prone to...

Now, what can you conclude about the all-too-common site that blindly mandates (1) or (2), but *doesn't* require (3) just to connect to the network?

And as the original poster has *already* clarified, their site *does* realize the truly poor price/performance of Unix/Linux A/V and is willing to grant exemptions.
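Option (3) in the post above rests on file integrity checking, so here is what that buys in practice. This is an added example, not code from the presentation or from the poster, and not Tripwire's own format or configuration: it records a baseline of content hashes and permission bits for a file tree, then reports additions, removals and modifications, including a permission-only change that a virus scanner would never flag. The directory layout, file contents and tampering are constructed in a temporary directory so the example runs anywhere.

```python
"""Tripwire-style file integrity baseline.

Added example: not code from the presentation or the quoted post, and not
Tripwire's own format. Records a baseline of content hashes plus the
metadata a rootkit tends to disturb, then diffs a later snapshot against it.
The file tree and the tampering are constructed in a temporary directory.
"""
import hashlib
import json
import os
import stat
import tempfile


def fingerprint(path):
    """Content hash plus size, permission bits and owner of one file."""
    st = os.lstat(path)
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return {"sha256": digest.hexdigest(), "size": st.st_size,
            "mode": stat.S_IMODE(st.st_mode), "uid": st.st_uid}


def baseline(root):
    """Fingerprint every regular file under root, keyed by relative path."""
    db = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.isfile(full) and not os.path.islink(full):
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                db[rel] = fingerprint(full)
    return db


def compare(old, new):
    """Diff two baselines; lists are sorted so reports are stable."""
    old_keys, new_keys = set(old), set(new)
    return {
        "added": sorted(new_keys - old_keys),
        "removed": sorted(old_keys - new_keys),
        "modified": sorted(p for p in old_keys & new_keys if old[p] != new[p]),
    }


def write(root, rel, data):
    """Create (or overwrite) a file below root, making parent directories."""
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(data)
    return full


def run_demo():
    """Build a constructed tree, snapshot it, tamper with it, return the report."""
    with tempfile.TemporaryDirectory() as root:
        write(root, "bin/login", b"#!/bin/sh\nexec /usr/lib/real-login\n")
        write(root, "bin/ls", b"ls-binary-bytes")
        write(root, "etc/hosts", b"127.0.0.1 localhost\n")
        write(root, "etc/motd", b"welcome\n")
        # A real deployment keeps this JSON on read-only media; the round-trip
        # here just shows the baseline survives serialization unchanged.
        snapshot = json.loads(json.dumps(baseline(root)))

        # Constructed tampering of the kind the post's rootkit examples do:
        write(root, "bin/login", b"#!/bin/sh\nexec /usr/lib/trojaned-login\n")  # replaced binary
        os.chmod(os.path.join(root, "bin/ls"), 0o4755)   # permission-only change (setuid)
        os.remove(os.path.join(root, "etc/motd"))         # deleted file
        write(root, "usr/lib/.hidden", b"")               # new hidden file

        return compare(snapshot, baseline(root))


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The mode-only change on bin/ls is the case worth noticing: content-hash checks alone miss it, which is why the fingerprint carries permission bits and owner alongside the digest.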
> With the fun we are all having with viruses, we are wondering how many
> institutions are just dropping executable attachments altogether.
> It's something that I know a lot of virus/mail gateway software can
> do, but are a lot of schools doing that?

For a short period of time, our central mail servers were configured to delete executable attachments from email messages. As a result of complaints from faculty, IT management instructed us to find another way to deal with the potential risks of executable attachments in email.

Our central mail servers run Sendmail Switch 3.1.3 + MIMEDefang + McAfee uvscan + SpamAssassin on Solaris 8. Attachments which uvscan identifies as malicious are discarded. Executable attachments which are not identified as malicious are renamed by appending '_unknown' to the file name. For example, 'trojan.exe' becomes 'trojan.exe_unknown'. We rename based on the filename extension, and there are approximately 70 extensions on the list. During the 48-hour period ending at midnight last night, the servers renamed 253 attachments, including 135 .zip, 21 .dll, 17 .pif, 16 .scr, 16 .exe, and 15 .adp.

When an attachment is renamed, a MIME part is inserted at the top of the message advising the recipient that the attachment has been renamed and warning the recipient of the potential risks of executing files which arrive by email. The recipient can save the attachment as a separate file, rename it, and launch it; however, it will not be launched automatically by the user's email client. It is a compromise. We may deliver malicious content, but we make the user work to execute it.

It's pretty rare that people actually legitimately try to send a .exe file, but when they do, they get a bounce back and can then deal with it by zipping the .exe first - not a big deal, and it lets us reject most new viruses before the signatures are even out. In the case of this latest virus, because it came through zipped, it got through our virus scanner for about 45 minutes. In that 45 minutes, many dozens of machines on campus got infected by users who had forgotten the golden "don't open attachments" rule.
Social Engineering
• Biggest single problem area
• Then
  • Phones and Personal Contact
• Now
  • Email and Web Browsing