SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2007-08-20

Skype Back Online / Patch Tuesday to Blame? - UPDATED x4

Published: 2007-08-20
Last Updated: 2007-08-20 22:11:11 UTC
by John Bambenek (Version: 1)

Skype is apparently fully functional again and has released an explanation of the problem that attributes the failure to Patch Tuesday.  Specifically, the peer-to-peer network failed because of the large number of simultaneous reboots and the consequent flood of relogins to Skype on boot.  There are some questions about this explanation, namely why it took over 24 hours for the system to fail after a 3am reboot (the default) on Wednesday (the failure was Thursday), and, if Patch Tuesday is to blame, why it didn't happen last month.

The more interesting note for me, as a non-Skype user, is that this shows several consumer behaviors and their ill effects.  Microsoft's Automatic Updates install at 3am local time on the machine.  Very few people change this, even at the enterprise level.  For most places it makes sense: most people are in bed at 3am and nothing is going on.  A few 24x7 shops might want to rotate the times a bit to prevent disruption of work.  But mostly, users (particularly consumer-grade users) aren't going to touch the defaults on their machines.  If only we had operating systems and software packages that shipped hardened by default, many problems would be averted.
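Rotating the times is the one mitigation named above that an operator can actually apply, so here is an added example (not from the diary) of how to do it without keeping a spreadsheet: each host's reboot slot is derived from a stable digest of its hostname, so the whole fleet spreads evenly over a maintenance window and the same machine always lands in the same slot.  The 03:00 start, the four-hour window, and the constructed host names are assumptions; pushing the result into the machines' update policy is left to whatever management tooling is in use.

```python
import hashlib

# Added example: spread scheduled reboots across a window instead of letting
# every machine fire at the 3am default.  The offset is derived from SHA-256 of
# the hostname so it is stable across runs and machines (Python's built-in
# hash() is salted per process and would move hosts around on every run).

def stagger_offset_minutes(hostname: str, window_minutes: int = 240) -> int:
    """Deterministic offset in [0, window_minutes) for this host."""
    digest = hashlib.sha256(hostname.lower().encode("utf-8")).digest()
    return int.from_bytes(digest[:8], "big") % window_minutes


def scheduled_time(hostname: str, window_start: str = "03:00",
                   window_minutes: int = 240) -> str:
    """'HH:MM' (local time) at which this host should reboot; wraps past midnight."""
    h, m = map(int, window_start.split(":"))
    total = (h * 60 + m + stagger_offset_minutes(hostname, window_minutes)) % (24 * 60)
    return f"{total // 60:02d}:{total % 60:02d}"


def busiest_minute_fraction(hostnames, window_minutes: int = 240) -> float:
    """Largest share of the fleet that lands on any single minute (1.0 = everyone at once)."""
    counts = {}
    for name in hostnames:
        off = stagger_offset_minutes(name, window_minutes)
        counts[off] = counts.get(off, 0) + 1
    return max(counts.values()) / len(hostnames)


if __name__ == "__main__":
    # Constructed sample fleet of 2000 workstations (assumed names).
    fleet = [f"ws-{i:04d}.example.internal" for i in range(2000)]
    print("ws-0001 reboots at", scheduled_time("ws-0001.example.internal"))
    print("worst minute, staggered:", busiest_minute_fraction(fleet))
    print("worst minute, default 03:00 for all:", busiest_minute_fraction(fleet, 1))
```

With a one-minute "window" (the default, where everyone reboots at 03:00) the busiest minute carries the entire fleet; with a four-hour window the worst minute carries a few hosts in a thousand, which is the difference between a relogin storm and background noise for whatever service those machines reconnect to on boot.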

The second interesting note is that, if Skype's explanation is true, the vast majority of Skype users have machines that don't require a login on boot.  Those machines simply and happily log in as the default user (and I bet almost all have full admin rights) and then log on to Skype (and their other start-on-boot applications).

Neither of these behaviors is particularly surprising.  Consumer-grade users will not have the time, inclination and/or capability to harden their machines, and you simply can't make them do it either.  Systems need to ship hardened by default but be usable too.  So, dear reader, how would you fix it?

UPDATE (11:06 CDT 8/20/07)

According to ISC reader Raul, the VOIPSA list has another theory: that the crash was in fact a malicious DDoS.  There is proof-of-concept code that sends malformed URIs to Skype servers, cripples them, and walks the entire server list.  The ultimate result, assuming enough malicious users run it, is a DoS against the remaining Skype servers.  I'll contact Skype to get their opinion on the PoC...

UPDATE (11:12 CDT 8/20/07)

And for some humor... (courtesy of ISC Reader roseman)

UPDATE (13:10 CDT 8/20/07)

After reviewing many reader comments, various mailing lists and other sources, I'm inclined to agree that Skype's line blaming Patch Tuesday is a line of bull.  The PoC that is out may or may not work (there is no safe way to test it because the code is proprietary), but there seems to be more going on than they are telling, and many people (including myself) are less than convinced by the story line.  The Patch Tuesday theory doesn't add up.  Why did it take "so long" to have the failure?  Why not last month?  What about this proof-of-concept?  Skype just isn't answering the questions that matter.

Consumers can tolerate proprietary code (see Microsoft)... but consumers don't tolerate being snow-jobbed by their vendors.

UPDATE (17:00 8/20/07)

Robert McMillan over at CSO got a spokesman at Skype to answer some more questions.  Color me unimpressed.  Microsoft has also posted their comments... "it's not our fault".

--
John Bambenek / bambenek {at} gmail {dot} com


Job Search Sites Compromised, Spear Phishing Hilarity Ensues

Published: 2007-08-20
Last Updated: 2007-08-20 21:08:48 UTC
by John Bambenek (Version: 1)

It appears that many, many accounts on monster.com were stolen and are now being used to send credible spear-phishing job ads to users.  What makes this attack interesting is that the phishing organization behind it is very organized.  In short, monster.com-registered recruiters have had their accounts compromised so phishers can use them to send credible job ads to prospective victims.  Normal phishing attacks (spam the world) can net up to 10% of recipients.  According to some studies (which I can't find at the moment), that number increases to 80% when the e-mail is credible, such as coming from social networking sites (i.e. friends) or from job ad sites as in this attack.  To be fair, those are the numbers of people who have ever clicked on a phishing e-mail, but those are still big windows of compromise.

One of the trojans used in this case is the Prg Trojan, and the organization putting it out has staged variants and releases a new one as soon as the last one is detected.  The result is that AV doesn't do much for you, because the second a variant is detected (and hopefully cleaned) a new, undetected version comes out.  Rinse, repeat.

Brian Krebs at SecurityFix has a good article and analysis of the whole thing.

One could try to stop clicking on links even from job ad sites, but that makes the service nearly unusable.  Recruiters would have to send prospective employees job descriptions in plain text with the URL in text.  Yes, text-only e-mail readers are still better than HTML, for obvious reasons.  AV can't keep up.  I'm trying to get more details about the fake ads and the malware, so I may have specific defenses shortly.

There are tactics to raise the bar here; perhaps monster and others can just force a system-wide password reset to lock out the attackers.  However, the core problem is simple, and it's this: the PC is not a trustworthy device for sensitive information... period.  As long as people keep treating PCs as "safe", phishers, fraudsters and herders will keep exploiting the vast majority of insecure desktops, installing backdoors and stealing information.  As long as credit card companies and banks rely on weak authentication (username and password), that information will keep getting stolen.  Social Security numbers don't require ANY authentication for use, and we're approaching a point where most to all of those numbers are essentially compromised and public.

--
John Bambenek / bambenek {at} gmail {dot} com
University of Illinois at Urbana-Champaign

 


Principle of Most Privilege and the Snort/ClamAV Purchase

Published: 2007-08-20
Last Updated: 2007-08-20 21:00:49 UTC
by John Bambenek (Version: 1)

The purchase of ClamAV by Sourcefire, the company behind Snort, will likely be a boost for both Snort and ClamAV.  In the next few weeks I was planning on rolling out a network-based virus scanner here in the hope of catching recalcitrant users' machines that aren't keeping up with antivirus updates.  The purchase will hopefully lead to some better integration.  That said, it also exposes the signature-based security methodology as one that is ultimately destined for failure.  IDS/IPS and signature-based AV aren't dead, but they are paraplegic.  And for the record, Snort isn't the worst out there; I use it because it's one of the best as far as IDS goes.

There have been a few studies showing the performance issues of IDS/IPS which limit their applicability to real-time security.  The problem stems from a stance pervasive in information security that I call the "principle of most privilege": unless something is known to be hostile, it is presumed safe.  The trouble is that the set of packets, executables or e-mails that are safe is finite and small, while the set of hostile packets, executables or e-mails is effectively unbounded, and the only thing limiting the growth of our signature base is how fast exploits get discovered.

In order for IDS/IPS systems to keep up with an ever-increasing network, the signature base needs to remain small.  To be fair, this also applies to virus scanning on the desktop.  The big difference is that most PCs tend not to be fully utilized, so a 10-20% performance hit only really bugs the power users (you know the type… they are the ones who turn off their anti-virus because it slows them down and then complain to you when their credit report shows up on the Internet… they, of course, blame you).  A network, however, can't take such a performance hit.  In an era of online social networking, which is basically technology's version of a flash mob, network performance hits become less than acceptable.

The solution is to either slow down the IDS/IPS or slow down the network, and neither is a good solution.  Adding virus scanning to a NIDS might sound like a good idea, but do you think it could keep up with a 10G network?  Me neither.  If they were into it, they could produce some good network statistics, and that would be really useful.

As long as the security industry continues to operate under "most privilege", there is no way IDS/IPS solutions will keep up, not if they want to maintain real-time alerting.  They'll still have uses for forensics and after-the-fact incident handling, but they'll drop off as a front-line defense because the technology is unsustainable under the current paradigm.  For that matter, the time is coming for anti-virus companies too, but because the performance hit is less of an issue on the desktop, they'll have more time.

It's far past time to move to a system where packets (for an IDS/IPS) and binaries are disallowed until explicitly allowed.  That would be proactive security.
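To make the "most privilege" versus default-deny argument concrete, and to tie it back to the staged Prg Trojan variants in the job-site diary above, here is an added example (my own code, not anything from the diary, Snort or ClamAV) that replays the rinse-and-repeat cycle.  Binaries are stood in for by constructed byte strings identified by SHA-256; "signature" here means a hash of a known-bad build, and the blocklist is assumed to learn each variant's hash only after that variant has already been released, which is the lag the diary describes.

```python
import hashlib

# Added example: a signature blocklist ("presumed safe unless known hostile")
# beside a default-deny allowlist, replayed over several rounds of attacker
# repacking.  All payloads below are constructed stand-ins, not real malware.

def sha256_hex(blob: bytes) -> str:
    return hashlib.sha256(blob).hexdigest()


def blocklist_verdict(blob: bytes, known_bad: set) -> str:
    """'Most privilege': allow anything that does not match a known-bad hash."""
    return "block" if sha256_hex(blob) in known_bad else "allow"


def allowlist_verdict(blob: bytes, approved: set) -> str:
    """Default deny: block anything that was not approved in advance."""
    return "allow" if sha256_hex(blob) in approved else "block"


# Assumed set of sanctioned binaries; in practice this is the software inventory.
APPROVED_TOOLS = {
    "editor.exe": b"MZ\x90\x00editor-build-42",
    "mailer.exe": b"MZ\x90\x00mailer-build-7",
}


def make_variant(round_no: int) -> bytes:
    """Constructed stand-in for a repacked trojan build: same code, fresh bytes."""
    return b"MZ\x90\x00prg-dropper-stage-1|build=" + str(round_no).encode()


def simulate(rounds: int):
    """Replay the cycle: each round the attacker ships a new variant, and the
    blocklist only learns its hash AFTER that round (detection lags release).

    Returns (history, blocklist_size, allowlist_size) where history holds
    (round, blocklist_verdict, allowlist_verdict) for the variant of each round.
    """
    known_bad = set()
    approved = {sha256_hex(b) for b in APPROVED_TOOLS.values()}
    history = []
    for r in range(1, rounds + 1):
        variant = make_variant(r)
        history.append((r, blocklist_verdict(variant, known_bad),
                        allowlist_verdict(variant, approved)))
        known_bad.add(sha256_hex(variant))   # signature arrives after the damage is done
    return history, len(known_bad), len(approved)


def approved_tools_pass(known_bad: set) -> bool:
    """Sanity check: sanctioned binaries are allowed under both policies."""
    approved = {sha256_hex(b) for b in APPROVED_TOOLS.values()}
    return all(blocklist_verdict(b, known_bad) == "allow"
               and allowlist_verdict(b, approved) == "allow"
               for b in APPROVED_TOOLS.values())


if __name__ == "__main__":
    history, n_bad, n_ok = simulate(5)
    for r, bl, al in history:
        print(f"round {r}: blocklist={bl:5s} allowlist={al}")
    print(f"signatures accumulated: {n_bad}, allowlist entries: {n_ok}")
```

Every round the blocklist allows the current variant and only catches it once it is already old news, and its state grows by one entry per variant with no upper bound, which is the performance problem the diary raises; the allowlist blocks every variant from round one and its state stays the size of the software inventory.  Hash signatures are the most brittle kind, but the same lag applies to any signature that has to be written after the sample is seen.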

We have a new poll question up "Will IDS/IPS devices remain relevant?".  Let us know your thoughts.

--
John Bambenek / bambenek {at} gmail {dot} com
University of Illinois at Urbana-Champaign
