Steve Goodbarn

Ellen Messmer of Network World reports on IBM's semi-annual security threat report, which indicates the increasing use of banking and other Trojans. These attacks are more effective and cost-efficient than phishing emails. The full IBM report requires registration to view. Here are some key points:

Phishing attacks may be down because criminals “are likely getting better results with Trojans,” says Dan Holden, X-Force product manager at IBM’s ISS division. “It’s a return on investment issue for them.”

The big picture is that the Web is a “dangerous place,” Holden notes. Criminals are exploiting software vulnerabilities to compromise sites with malicious code or simply taking advantage of the openness of public social-networking forums to place malicious code to go after victims.

The number of malicious Web links used to trick users into downloading malware or visiting dangerous sites has increased, up 508% in the first half of 2009 in comparison to the number discovered in the first half of 2008, says the report.  

With no effective and universal way for users, customers, and businesses to authenticate the sites they visit or to authenticate the emails they receive, we continue to be vulnerable to these increasingly sophisiticated attacks.

Also note the pervasive problem of software vulnerabilities. Every piece of software should be immune to malware. Today it is not. We have a long way to go here although there is malware immune software today:

When it comes to software vulnerabilities and patching them, there’s been an 8% decrease over the first half of 2008, with 3,240 reported vulnerabilities disclosed in the first half of the year by vendors and open-source communities managing a code base.

DNSSEC is the only way to authenticate on the Internet. It's adoption is dragging along slowly while the world spends a fortune on ineffective cyber security. 

The recent wave of denial of service (DDoS) attacks and the arrest of individuals responsible for stealing credit card data on 130 million people is getting some attention in the mainstream press.

Forbes.com has a story "Avoiding the Identity Theft Underworld" that shows how easily you can be compromised by malware. But in terms of how you can protect yourself it leaves as many questions as answers. Consumers should not have to check URLs and avoid opening links or attachments. If the DNS is directing you to an improper site these steps won't help you in any case.

The only way to begin to address on-line identity theft is a system that authenticates who is whom so that you know where emails come from, you know that a web site is legitimate (or not legitimate), and no one can insert themselves between you and a web site to spy on you (a man in the middle attack).

 DNSSEC is the only way to authenticate the Internet and email simply, universally and inexpensively. It makes the Internet work the way we think it should work without imposing exhaustive diligence on users. From a user perspective it requires nothing. It just works.

Mobile devices are becoming our computer, they are a key component to a busy lifestyle and make a lot of things easy for us. It's pretty inconvenient (insert stronger language if you wish) if you have to jump through a security verification process each time you get a message with an attachment, or a link, or if you have to verify the URL of a site you visit .  But with DNSSEC this will not be necessary.

Consumers should demand DNSSEC from their broadband service providers and from anyone offering services over the web.

The front page of today's Wall Street Journal headlines the arrest of three individuals who allegedly stole 130 million credit and debit card numbers, causing hundreds of millions of dollars in losses. No details were provided about how they were able to penetrate networks at Fortune 500 companies in order to steal data and install "back doors" to enable further data thefts in the future. And this isn't the last we will see of this type of fraud. The article warns of increasing financial security threats:

Wire fraud, conducted in cyberspace because wire transfers now use networks that connect to the Internet, has exploded in recent years. The Treasury Department recently reported that of the more than 55,000 incidents of wire fraud since 1998, more than half of them occurred in the past two years.

"The financial sector may be more secure than most, but it's hemorrhaging," said Tom Kellermann, a former cybersecurity official with the World Bank who is now a vice president with Core Security Technologies, a cybersecurity company. "For too long a time they have not paid enough respect to the sophistication and organization of the underground economy."

A companion article "What Consumers Should Know About the Breach" suggests "spending five to 10 minutes per day looking on-line at bank and credit card accounts". What fun! Who has time for such activity on a daily basis? And if your PC has been compromised with a keylogger then you could be giving the bad guys access to your accounts.

Several banks offer notification via email and otherwise about account activity. That is worth checking into.

Why is the situation getting worse?

• The first reason is that the hardware and the operating systems powering the Internet can never be made secure due to their architectures. They are based upon designs that predate the Internet. It's a vulnerability - exploit - patch cycle that never ends. This is a fundamental problem although architectures exist today that are much stronger.
• The second reason is that there is money to be made and a lot of low hanging fruit to exploit for the hackers.
• The third and obvious reason is that anyone in the world can be a hacker and can reach you through the Internet. So the list of possible attackers is huge.
• Lastly, there is no authentication of who is who on the Internet or for email. This makes introducing malware through email or malicious web sites possible. DNSSEC will take care of this shortcoming but most of the market still believes it is complicated and expensive. That will change over the next year as infrastructure providers implement DNSSEC.

Until we address Internet infrastructure shortcomings we will be stuck checking our accounts frequently.

Twitter has been in the news almost daily for the past month due to security issues. It began with the hack of company data on Google's cloud computing platform, disclosures about exploits using the Koobface worm, and then last week's denial of service attacks, which carried in to yesterday.

Network World reports that Twitter users are again being targeted by the Koobface worm. Koobface spreads on social networking sites and is getting more sophisticated. 

Twitter co-founder Biz Stone will appear in a taped segment on Tavis Smiley tonight so perhaps we can learn a little more about the attacks: 

There is continuing speculation as to who caused the attacks (including confusion between DNS and DDoS) and how they were carried out. Even if the attack did not involve DNS, the use of DNSSEC to authenticate would make it more difficult to build the bot armies of contaminated PCs needed to stage these attacks.

It will be interesting to see if the publicity hurts or helps Twitter with market penetration.

UPDATE: Here is a link to the full interview with Biz Stone on Tavis Smiley.

I'd like to add "software updates" or security patches to the list of life's certainties. Designed to prevent malware and other exploits from doing all sorts of nasty things, downloading updates is a way of life if you surf the web.

Recently I downloaded patches from Adobe, Apple, Apple Safari, Mozilla Firefox, and Microsoft. There were also recent patches to CISCO's IOS, which runs routers, and to BIND 9, the dominant DNS software. And don't forget recent fixes for the iPhone, which now has applications that allow you to deposit checks.

And fake software updates are being used to attack systems by altering DNS settings and installing malware. See Mac Users: Avoid the MacCinema Installer. The DNS is the soft underbelly of Internet security. If the DNS is compromised it does not matter how well your firewall or anti-virus software works.

The recent denial of service attacks on Twitter highlight how vulnerable the Internet can be. These attacks are more amusing than dangerous but serve as a warning.

We are slipping farther and farther behind in this never ending cycle. As noted by Network World, Patches put a heavy load on IT and on users. They require continuous diligence. And when you take into account that patches are always in the works and only address known vulnerabilities, it can never be said that a system is secure. The situation makes a mockery of HIPPA, PCI compliance and other laws and regulations that stipulate Internet security. Who are they kidding?

We are not going to throw out the current infrastructure overnight. But improvements underway to the DNS, including DNSSEC, will finally provide authentication - a necessary first step. This will take a few years to deploy. In the meantime, be diligent with software updates.

I've reported before about the limitations of SSL (Secure Sockets Layer - the little padlock that lights up when you buy something on-line and are typing in your credit card number). SSL is used extensively to secure Internet connections for on-line transactions. People assume they are safe during an SSL session.

Dan Kaminsky again gave a presentation on flaws in SSL at the recent Black hat and Defcon conferences. He has spoken about these issues many times over the past year. William Jackson comments on Dan's presentation and that of another security researcher in today's GCN: Digital certificate standard yields to hackers.

In greatly simplified layman's terms SSL uses cryptographic keys, or certificates, to secure your connection. GCN:

Digital certificates use public/private key pairs to sign and validate the IDs as a way to authenticate the identity of a person, machine or application online. Authentication is a necessary element of security.

Think of it as a "Shave and a Haircut" password at the mathematical level. Until DNSSEC is implemented we have no overall authentication of who is who on the Internet. But today we have a hodge-podge of outdated certificates, outdated algorithms used to generate keys, different implementations of standards, and unverified certificate issuers. As a result it is possible to fool this process and either put a "man in the middle" spying on the transaction and seeing all of the data, or to redirect you to the wrong site. In either case you are screwed.

The obvious and least costly solution, suggested by Kaminsky, is to use DNSSEC as an authenticated repository for SSL certificates. Without it on-line transactions lack essential security and present solutions are expensive and incomplete.

Last week there were several articles about businesses and schools that lost money through malware-enabled ACH transfers out of their bank accounts: Network World: "Cyber attackers empty business accounts in minutes"; Brian Krebs of the Washington Post:  "The Growing Threat to Business Banking Online".

And we continue to hear about credit card data being stolen from servers: Security Watch: Network Solutions User Credit Cards Compromised".

The fraud typically starts with a targeted phishing e-mail, aimed at whomever is in charge of the company's checkbook. By tricking the victim into running software, opening a harmful attachment or visiting a malicious Web site, the criminals are able to install keylogging software and steal bank account passwords.

As most of the readers of this blog know, Twitter experienced a denial of service attack today, along with several other social networking sites. The site was down for about 2 hours and is at this time still experiencing problems.

Twitter has had several security issues recently, including compromised company data and the Koobface worm. It will be interesting to see what exactly is happening with this attack as more information becomes available.

A short disruption of a social networking site is an annoyance, but the cost incurred to protect from these attacks is an unnecessary tax on all of us. There must be a renewed focus on lowering the cost of Internet security. DNSSEC is the first step and is fundamental to starting this process.

XML, or Extensible Markup Language is a specification for tagging or formatting data and documents that facilitates analysis and sharing of data.

XML is used in many ways. For example, the SEC this month requires electronic filing of reports in XBRL format. XBRL uses XML tagging. The purpose is to allow more of an "apples to apples" comparison of financial data between filers. It makes analysis faster and theoretically more accurate. XML is used in all sorts of applications. It's everywhere on the web.

For most of us, that is more than we care to know about XML and XBRL. It's not a light topic. 

But of course with any tagging of data there are security concerns and today Ellen Messmer of Network World reports "XML flaw threatens apps built with Sun, Apache, Python libraries". The vulnerabilities create the possibility for denial of service attacks or insertion of malicious code.

The press release from Finnish security vendor Codenomicon, indicates the libraries have been patched, but users of these libraries will have to update their software:

"XML implementations are ubiquitous - they are found in systems and services where one would not expect to find them", says Erka Koivunen, Head of CERT-FI. "For us it is crucial that end users and organizations who use the affected libraries upgrade to the new versions. This announcement is just the beginning of a long remediation process that ends only when the patches have been deployed to production systems", Koivunen continues.

XML has come a long way from the days when it provided support for just a few applications and file formats. Today, XML is used in .NET, SOAP, VoIP, Web Services, industrial automation (SCADA) and even banking infrastructure. The new advancements in XML fuzzing have led to the discovery of vulnerabilities and defects in important applications that are deployed in business-critical environments.

This is not the last security problem we will have with XML. Stay tuned.