269 posts categorized "Rob Rachwald"
September 26, 2012
 ENISA Advises EU on Antivirus Efficacy
Pin It

The European Agency Network Information Security Agency (ENISA) warned today that antivirus programs only work to prevent 30% of attacks and instructed companies to be more diligent about protecting themselves.  “Antivirus only works in 30% of cases to prevent cyber attacks, so it is necessary for security and technology go far beyond what has been done so far in the EU,” explained ENISA’s executive director. (Ironically, this hasn’t been covered by the English media yet.  The article above was sent to me by a Spanish colleague.)

By contrast, in the US, rather than warning about the shortcomings of antivirus, the FBI warned of a "new" virus attack.  Specifically, on 17 September, they cited a "new trend in which cyber criminal actors are using spam and phishing e-mails, keystroke loggers, and Remote Access Trojans (RAT) to compromise financial institution networks and obtain employee login credentials."  Of course, a different version of the same old attack is not really new.

Is ENISA’s directive part of a growing trend away from antivirus?  It seems so.  This snippet from a hacker forum highlights the fundamental problem with antivirus and the ease of evasion:

When Flame was made public, Mikko Hyponnen’s famous mea culpa was quoted repeatedly across the internet:  “Flame was a failure for the antivirus industry. We really should have been able to do better. But we didn’t. We were out of our league, in our own game.”

In just the last two weeks, two articles have appeared questioning the efficacy of antivirus.  First, MIT’s Technology Review wrote, “The Antivirus Era Is Over.” 


In his blog, Neil MacDonald asks, “Is Antivirus Obsolete?”

Both articles argue you need it but by itself antivirus is not enough. Fair enough: You want to have an antivirus because it provides signatures to protect you against the high volume of the known malware attacks.  But what about the hardcore hackers who write new stuff daily?  You need to take them into account when securing your stuff.  Hardcore hackers are not reusing exploits, they are finding them and writing their own payloads.  Consequently, they are ahead of the antivirus industry until the hack is found and gets patched. 

Some recommend expanding endpoint protection.  Not enough.  With an industry built on evasion, modern data protection policies should be all about spotting aberrant behavior and whitelisting.  A good policy for an organization will be to monitor for unknowns and unwanted behavior, but audit all activity for a period of time.  Reviewing audits based on business events.  Banks, for example, look for audit trail of users while those users are on vacation, so they know there shouldn’t be activity. In this way, you can ensure complete control of your data access.



September 21, 2012
 Where do Web App Attacks Originate?
Pin It
Incapsula examined 200M web sessions across 3,000 to identify the origin of web attacks.  It's a very cool graphic and overview.


September 20, 2012
 Why Google Acquired VirusTotal
Pin It

Imperva's Tal Be'ery has an interesting and positive perspective on Google's acquisition of VirusTotal which was published in SecurityWeek.  Here's the thesis:

In buying VirusTotal, Google provided itself with an access to a community based reputation feed. They will probably leverage this valuable data in order to provide Chrome’s and other Google services’ users with better malware protection.

The acquisition of VirusTotal by Google signals that community based reputation feeds is a key element in a modern protection suite.


 A Comprehensive Guide to DDoS
Pin It
Today, we released our latest Hacker Intelligence Initiative report, A Comprehensive Guide to DDoS.  This month, we took a comprehensive look at DDoS--including the latest trends, technologies and techniques.

Anyone concerned about DDoS--which is just about everyone--should download our report.  It is available here (no reg required).


September 12, 2012
 What the IPS Didn’t See
Pin It

After seeing the Dark Reading article, What the IPS Saw, the question came up was, 'What Didn't the IPS See?' 


Why?  The billions upon billions of data points they collected contained one glaring gap:  the Web application attack vector (SQL Injection and Cross Site Scripting to name a few).  Since many security teams falsely believe that IPS can block or mitigate application attacks and IPS vendors increasingly claim application security features, understanding the gap is important.  

Fact:  Hackers love web applications and databases
In 2011, according to Verizon’s Data Breach Report (page 39), 83% of all data breached was from databases and 80% involved web application breaches.  In the case of hacktivism, our report, the Anatomy of an Anonymous attack, highlighted the paramount importance application attacks play in a hacker’s arsenal:


Analyzing hacker forum data (over a period of a year) helps us understand what interests “private” hackers.  Again, web attacks are the vector of choice:


It is easily recognizable that the largest vector of attack was in fact SQL Injection.

Bear in mind that the zero-day and shell code percentages also include XSS attempts to inject malicious code, which means even if the payload is shell code; the injection vector is a Web XSS.

Brute-Force will also be included in the Web Application Attack vector, as it will be mainly the attempt to break web logins by running dictionary attacks at them, via—surprise!—the Web.


Why don’t I see this information in IPS reports?
The answer is quite simple. The reason you can’t see this information in IPS reports, is because IPS can’t see it.

IPS technology is designed to follow patterns and to either match signatures against traffic, or understand structure of a flow.  For example, in an exploit that is known, the system will have an updated (or so you hope) dictionary of signatures that will match and the session will be dropped. And in other cases, IPS might work on thresholds for amounts of traffic, or what is “known to be good practice” threshold.

Tautology vs. Signatures
Let’s single out SQL Injection to make an important distinction. A SQL Injection utilizes a True statement, meaning a statement that the SQL Interpreter will analyze and will say “yes, this is valid, I will now analyze this”. Unfortunately for the world of IPS, there is no limit to True statements in the world.  For example:

  • a<>b
  • 1=1
  • 1=((2-1)*2/2)
  • date(today) != char(57)
  • JimmyPage > Life
  • The list goes on...

The point here is very simple … you can’t write a signature for unlimited amount of terms, and you can’t predict behavior of an application by analyzing traffic as a pattern, since every application is written differently, and every developer has his/her own quirks.

You don’t use an IPS for Web application security, like you don’t install an antivirus to protect yourself against spam.



September 11, 2012
 Lessons from the BlueToad/FBI/Apple Mess
Pin It

Last week, we blogged quite a bit on the Apple UDID-FBI news. 

We were right that in fact the IDs were not a hoax, as some had purported.  However, the real lesson from the breach isn't the trustworthiness of hacktivists or the FBI.  Rather, this episode highlights the intersection and interdependence of privacy and security.  I don't find myself agreeing with the ACLU often, but in this case, their principal technologist Chris Soghoian, had it exactly right:

What this highlights is that this identifier that exists on your phone is not as private as you might think,” he says. “There are probably hundreds or thousands of companies that have databases of UDIDs.”

Whether the FBI or other government agencies track UDIDs the same way ad networks and app makers do is still up for speculation. But thanks to a model where hundreds of firms can pass around users’ data without restrictions, it would have been a surprise if the government was left out of the party.



September 10, 2012
 Imperva's Take on the Sunday NY Times OpEd
Pin It

Sunday's New York Times op-ed warns us about the growing use of offensive vs defensive cyber security capabilities.  

This article actually got it wrong. For years, emphasis has been put on developing attack capabilities rather than defensive ones.  Its just that recent headlines with Flame and Stuxnet would have us believe otherwise.

The reality?  In the US, much like in Israel (and probably other countries), there is a large disproportion between the amount of resources invested in developing offensive capabilities (a lot of resources) versus developing defensive measures (which has only recently increased). This is inversely proportional to common sense and potential impact. While offensive capabilities are very important in terms of gathering intelligence, they are relatively ineffective in terms of a large scale strike on underdeveloped countries like Syria, Libya and even Iran, not to mention terrorist organizations.


September 06, 2012
 Assad's Password? 1234
Pin It

First paragraph puts it perfectly:

In a development reminiscent of a scene from the movie Spaceballs, hackers who broke into Syrian President Bashar Assad’s email account earlier this year told Arabic newspaper Al-Hayat that the dictator’s password was 1234.


September 04, 2012
 What the Breached Apple/FBI Data Tells Us
Pin It

So far the best coverage of this breach in terms of how it occurred is here.  We hope to answer a few more questions that seem to be swirling on the Web.

Is this breach real?

Probably. We think so for two reasons:

  • The FBI agent that was supposedly breached is real.  He’s a known recruiter in the FBI focused on getting white hat hack hackers to work for the feds.  Here’s his Facebook video:
  • The data base that was breached seems authentic—though only Apple can confirm.  However, the structure and format of the data indicates that this is a real breach.  It would be hard to fake such data.


What is new about this hack?

There are two things interesting about this attack:

  1. Shows a new angle on hacktivism—This breach resembles a new innovation by hacktivists.  Specifically, they targeted an individual in the same way government-sponsored hackers (a.k.a., APT hackers) would attack.  Sure, Anonymous/Lulzsec targeted HB Gary in the past but we haven’t seen this type of attack reappear until now.  Is this part of a broader trend of hacktivists expanding their attack methods?  Could be.  For example, the recent Saudi Aramco breach used malware, a type of attack not normally associated with hacktivists.
  2. This attack was not pre-announced—Normally, hacktivist attacks are pre-announced, often an Operation [FILL IN THE BLANK].  Doesn’t seem to be the case here.


What can hackers or FBI use this data for?

If the hackers have what they claim, they may be able to cross reference the breached data to monitor a user’s online activity—possibly even a user’s location.  To be clear, the released database is sanitized so you cannot perform this type of surveillance today.  But with the full information that hackers claim to have, someone can perform this type of surveillance.  This implies that the FBI can track Apple users.


What scams can we expect?

How many people will get infected “finding out” if their apple device was one of the 12 million?  Here’s one blog that already points you do a site where you can “check” if your creds were stolen:

How do we know if such sites are real or scams to find out your real credentials?  Sites like this sometimes appear after high profile breaches and consumers shouldn't visit them.



August 27, 2012
 Analyzing the Team GhostShell Attacks
Pin It

Why did they do it?  They claim it was payback for law enforcement arresting hackers. 

How did they do it?  Mostly via SQL injection.  Looking at the data dumps reveals the use of the tool SQLmap, one of two main SQL injection tools typically deployed by hackers.   Here’s a picture from one of the data dumps showing SQLmap:


For more on these tools, click here.

How much data was taken?  Hard to count and verify.  Some of the breached databases contained more than 30,000 records.

What type of data was taken?

  • Admin login info.
  • Username/passwords.  And the passwords show the usual ‘123456’ problem.  However, one law firm implemented an interesting password system where the root password, ‘law321’ was pre-pended with your initials.  So if your name is Mickey Mouse, your password is ‘mmlaw321’.   Worse, the law firm didn’t require users to change the password.  Jeenyus!
  • Files/documents.  A very large portion of these files come from content management systems (CMS) which likely indicates that the hackers exploited the same CMS with a vulnerability in it that allowed a hacker to target it.  However, a lot of the stolen content did NOT include any sensitive information.

Who was targeted?

  • Banks—Credit history and current standing is a very noticeable part of the data stolen.
  • Consulting firms
  • Government agencies
  • Manufacturing firms.




Find Us Online
RSS Feed - Subscribe Twitter Facebook iTunes LinkedIn YouTube
Monthly Archives
Email Subscription
Sign up here to receive our blog: