Steve Goodbarn

Krebs on Security is one of the best sites tracking Internet crime and malware. Today's post Fake LinkedIn Invite Leads to ZeuS Trojan should be read by everyone who uses social networking sites.

The spam campaign began Monday morning, according to security experts at networking giant Cisco Systems, and for a while the fake LinkedIn invitations accounted for as much as 24 percent of all spam. Recipients who click links in the message are taken to a Web page that reads, “Please Waiting, 4 seconds,” and then sent on to Google.com.

On the way to Google, however, the victim’s browser is silently passed through a site equipped with what appears to be the SEO Exploit Pack, a commercial crimeware kit that tries to exploit more than a dozen browser vulnerabilities in an attempt to install ZeuS.

Go to the Krebsonsecurity site for more information.

Don't respond to Linkedin invitations from anyone you don't know. Better yet, log in to linked in directly if you get any invitiations.

Spam will never be stopped until email is authenticated. With DNSSEC deployment underway it is only a matter of time, but we have a long way to go today.

The Guardian reports today that a UK law firm was hit by a denial of service attack that exposed a database to hackers. 

See: Law firm could face £500,000 fine over data breach Personal details of thousands of Britons accused of illicit file sharing leaked from ACS:Law website (my bold):

The details were exposed in files on the website belonging to ACS:Law, a firm of solicitors which has attracted the ire of a number of online forums due to its aggressive approach to people accused by its clients of filesharing. The site was the target of a "denial of service" attack over the weekend which made it collapse – and the files, which would normally be hidden from unauthorised access, became visible when the site was brought back online.

If the Information Commissioner determines that the data exposure was through ACS:Law's fault in operating its website, rather than directly as the result of hacking, then it could levy a fine against the company.

Alex Hanff, of the pressure group Privacy International, said the data breach was "one of the worst ever in the UK" and that the group has launched legal proceedings against the firm.

Denial of service attacks and malware are in the news these days, including the recent Facebook outage (apparently caused by an internal error), viruses spreading through Twitter, and several attacks on media industry sites (4chan takes down RIAA, MPAA sites, 4chan invades Tea Party website).

It really makes you want to start banking online.

The Wall Street Journal today reports on malware that is being delivered through online advertisements. See: Malware Served Through Ads Is Expanding, Group Says:

Over the past three months, the number of graphical ads that included such software increased 250%, according to research by the Online Trust Alliance, a group that includes businesses, non-profits and government agencies. These ads were served by more than 100 unique ad networks and exchanges, the organization says.

About half a percent of all ads online are infected, said Craig Spiezle, executive director of the Online Trust Alliance and a former director of security and privacy product management at Microsoft. That translates into more than a million ads per day, according to security firm Dasient, and “millions of users at risk,” Mr. Spiezle said.

You don't have to click on some of these advertisements in order to be infected (my bold):

Spiezle said that Web users can protect themselves by running anti-malware and virus protections software and making sure their software is updated with the latest patches. He cautioned that some malvertising can affect a machine even if the user doesn’t click on the ad and that this is the “most alarming issue” when it comes to affecting a users’ trust of websites.

Until we have better authentication of who is whom on the Internet (DNSSEC) we will continue to be victimized by malware. Even for those not infected the cost of fighting fraud is a tax on all of us.

This article from Internet Identity caught my eye: Majority of U.S. Federal Domain Names Still Fail to Meet Federal Internet Security Mandate for DNSSEC Adoption.

I've blogged on this topic before. Despite a memo from the Office of Management and Budget that required DNSSEC deployment in externally facing DNS zones by the end of 2009, and a further requirement under FISMA to deploy both internally and externally by September 2010, less than 40% of Federal .gov sites have implemented DNSSEC.

Lax enforcement of security requirements within Federal agencies echos the general lack of security on the Internet generally. Improved security benefits everyone but it takes a notable breach to bring security into focus.

Since both the root servers and the .gov domain have implemented DNSSEC and there is software available to fully automate DNSSEC, adoption today is a no-brainer.

The entry below from Bill Worley is cross posted from Paths2Trust. It describes attributes in hardware and software that are essential for security.  Yet these attributes are incomplete in the hardware, operating systems, and application software that runs the Internet. With just one weak link in the chain you are not secure.

And there are a lot of weak links in IT infrastructure today. As a result there is an endless stream of vulnerabilities-exploits-patches. Here are some examples this week:

Adobe Warns of Attacks on New Flash Flaw

Siemens: Stuxnet worm hit industrial systems

Mozilla halts Firefox security updates

Microsoft Releases Security Patches for 11 Vulnerabilities

And last week:

Attackers Exploiting New Acrobat/Reader Flaw

Are "Here You Have" and "David Leadbetter" viruses going after specific targets? New e-mail borne viruses hitting media companies, utilities

Apple, Mozilla Fix DLL Loading Issue in Browsers

Symantec 'Hack Is Wack' Website Fixed

You get the picture. This cycle is endless and we are getting less and less secure each day as hacking becomes more institutionalized and industrialized. Without secure trust throughout hardware and software we are kidding ourselves that our systems are secure.

From Bill Worley at Paths2Trust. This is a bit technical but follow-on posts will provide specific examples that are easier to understand:

When considering software chains of trust, it is helpful to begin with a running system, executing software that has been supported by a chain of trust. The following basic requirements for the software and hardware, particularly for the hardware protections needed by the software, become clear.

    1.    The integrity of every software component in the executing system must be ensured at the time the software begins to execute.

    2.    Hardware protections must ensure that loaded executable code cannot be modified while the system is running.

    3.    Hardware protections must ensure that critical program flow and control data are inaccessible by any attack (or other unrelated) software, and that only permissible flows of control can occur.

    4.    Data associated with each software component must be protected from read and write accesses by non-associated software.   

The first requirement implies that loadable software must reside on system storage in a form that permits strong authentication of its integrity each time it is loaded for execution. This is achievable by protecting executable software cryptographically and validating its integrity each time it is loaded for execution.  It also is achievable by loading, and refreshing when necessary, executable software from previously validated read-only system storage.  These approaches, of course, assume that the loader itself also was validated when it first was made executable, by employing means such as a TPM chip.

The second requirement implies that hardware memory access protections can be set to prevent any attacker (or other) software from modifying executable code.  Ideally these protections also can prevent executing code from being read by any other software.

The third requirement is for the ability of hardware to safeguard function arguments, return values, function return addresses. etc. - both from unrelated software seeking to learn the values of one or more of these critical control data, and from attackers seeking to modify such data in order to hijack executing software.

The fourth requirement is to ensure the integrity of computational data.  Hardware data access protections at all needed levels of granularity are crucial. Two hardware privilege levels and multiple virtual address spaces simply are not sufficient.

In summary, strong hardware protections are required to support the end product of a complete software chain of trust. Such hardware protections are essential, but nearly all extant hardware architectures lack one or more needed capabilities.  Examples of such capabilities include fine-grain memory protections, execute-only code, inaccessible program control state, fully granular access protections, enforced flow control limitations, and virtually mapped bus access by I/O and other adapter boards.

Today's widely deployed systems consistently have valued ever-increasing functionality and complexity over trustworthiness. As such, they remain unable to support full software chains of trust.

Dr. Joseph Markowitz's first law of information assurance states that: "every new function brings with it new vulnerabilities."  Software driving for ever increasing layers of functionality, while continuing to rely upon insufficient hardware protection architectures, simply cannot support full software chains of trust.  Resulting systems, particularly at the incomprehensible levels of complexity we see today, will continue to be well springs of new vulnerabilities, unending patch cycles, costs for deployment of external protective bodyguard systems, and insufficiently responsive manual procedures for attack identification, isolation, and remediation.

Bill

General Keith Alexander, Director of the NSA, stated in a recent speech that the United States "has a duty to secure the Internet".

See: NSA Director Says U.S. Has a Duty to Secure the Internet.

In a speech at the Gov 2.0 Summit here, Alexander said that it is incumbent upon the U.S. government to play a major role in making both the public Internet and private, classified networks more secure and resilient to attack. He expressed confidence that the country's information security apparatus was up to the task, but acknowledged the difficulty of securing the Internet, a network that many security experts see as hopelessly broken and flawed by design.

"We made the Internet and it seems to me that we ought to be the first folks to get out there and protect it," Alexander said. "The challenge before us is large and daunting. But we have an obligation to meet it head-on."

Many security and privacy experts have been critical of the efforts of both the Bush and Obama administrations' cybersecurity efforts, especially in the way that the federal government approaches data sharing with private-sector organizations. The government also has come under fire for attempting to tell companies how to improve their security while suffering a slew of embarrassing intrusions on its own public and classified networks. The most well-known of these attacks is the compromise of a classified Department of Defense network through an infected USB drive in 2008.

I'm hoping this speech leads to concrete action. Presently almost he entire US Government is out of compliance with FISMA requirements to deploy DNSSEC.

And the insecure nature of the Internet has real consequences. Here is a recent story about a Denver area family whose mortgage refinancing proceeds were stolen by the Russian mafia which was somehow able to redirect a bank wire.

Did Russian Mafia Steal Family's Refinancing Money?

The scariest part of the video is that a title insurance company is no longer sending wires due to the risk. Our financial system depends on the ability to wire money securely.