Conference clippings--Infosecurity Europe 2005.


Malicious Spyware

Matt Piecy, F-Secure

Spyware--AKA advertising-supported software or adware--has been until recently a fairly benign snooper on your surfing habits. The data it gathers is then used to target you with tailored advertising, either in pop-up windows or emails. The problem is that these software spies are starting to get nasty. Spyware is being written and propagated with the express purpose of recording personal data such as passwords and credit card numbers, hijacking your browser and bookmarking porn or other undesirable sites, or grabbing your web dialler. What's more, unlike viruses and worms, most people with spyware on their computers have asked for it, albeit unwittingly. Many websites may ask you to register or sign up to them to receive content, and by doing so you may agree that spyware can operate on your PC. And it isn't a small-scale problem. Research in the US in Spring 2004 showed that 1 in 3 PCs scanned had spyware hidden on its hard drive. A total of 650,000 PCs were scanned, finding more than 18 million spyware tools. Nor is spyware confined to home users. The average amount of spyware on business machines is similar to home users'--largely because most companies don't have centralised, managed anti-spyware protection in place. Certain spyware--such as that used by P2P networks like Kazaa--is also bandwidth hungry, as it communicates a lot of data between machines, which can be a problem on corporate networks. It's becoming such a sizeable problem in the US that the Government voted unanimously in Spring 2004 to approve the first-ever anti-spyware bill. The Securely Protect Yourself Against Cyber Trespass Act (Spy Act), approved by the US House of Representatives, will levy fines of up to $3 million on those who illegally collect personal information, change a browser's default home page or bookmarks, log keystrokes, or steal identities.

Spy Evolution

So how has spyware been allowed to get this far without being restrained? The key problem is that we have accepted spyware in a variety of forms for too long. A cookie--the website marketer's long-time friend--is a form of spyware. Microsoft uses various forms of friendly spyware to help most of us in our everyday work, by tracking what documents and applications we've used recently and giving us quick, one-click access to them. But in the same way that Internet worms evolved to take advantage of email, malware authors are now taking spyware away from its neutral roots into Internet crime--whether by hijacking browsers and diallers, keystroke logging or laying the groundwork for mass spamming. These authors are also using tricks from the virus world by finding and exploiting browser vulnerabilities to their advantage.

This means that spyware can be installed even on a fully-patched Windows machine running the latest anti-virus software. A partial solution is to combine AV with a personal firewall--but even this isn't a complete fix. Spyware can get installed through ActiveX, which is enabled in MS Internet Explorer. Alternatively, it can exploit vulnerabilities that are not yet patched in Internet Explorer--so-called zero-day vulnerabilities, because the loophole is exploited before the patch is available and widely deployed. Disabling ActiveX is an option--but it makes surfing difficult because many websites actively rely on ActiveX. It's frustrating to have to click 'Yes' every single time the web browser asks you about running ActiveX scripts and controls.

AntiSpyware

So spyware has become both a security and a management issue for companies as it becomes destructive. But how do companies manage the problem? There's currently a dearth of corporate anti-spyware tools which integrate with other security applications, such as anti-virus and desktop firewalling. However, this is soon to change. Anti-virus vendors are starting to introduce spyware and adware pop-up blocking and removal to their core anti-virus and Internet Security solutions. These will be updated in exactly the same way as conventional virus signatures, and will give policy-based centralised management of this emerging issue--helping to nullify the threat from self-updating malicious spyware programs while giving IT staff the option to allow non-aggressive spyware.

By putting spyware on the security map, companies can ensure that the more malicious spyware elements do NOT come in from the cold. In conclusion: Dealing with aggressive spyware:

--use freeware tools to audit your PCs and identify what spyware is resident

--use the same tools to try and remove unwanted spyware: a combination of two tools often works where a single tool fails

--look at latest-generation AV software which includes anti-spyware functionality, giving corporate, policy-driven spyware management of this emerging problem.

Is Your Network Public?

Peter Wood, First Base Technologies.

If I were to wander into your offices, plug in my laptop and within minutes take control of your network infrastructure, would you be surprised? There's a backdoor into many large networks which few organisations seem to recognise or understand--Simple Network Management Protocol (SNMP). SNMP is the Internet standard protocol developed to manage nodes (servers, workstations, routers, switches and hubs etc.) on an IP network. It enables network administrators to manage network performance, find and solve network problems, and plan for network growth. It's also one of the easiest ways for someone to control your network, steal information and eavesdrop on traffic!

By default, SNMP is enabled on routers, switches and even servers. If you're using network management software like HP OpenView or IBM Tivoli then you're using SNMP. Even if you're not using any network management tools, you still have SNMP somewhere on your network. There are two passwords (called 'community strings') that you need to know in order to take advantage of SNMP--the read string, which has a default value of 'public', and the read/write string, which is set to 'private'. Most people never change these defaults. Armed with this knowledge you can view, alter or remotely control any SNMP-enabled device.

When I plug into your network a DHCP server will issue me an IP address. At the same time I am also given a 'default gateway' address--the address of the router that my laptop needs to know about in order to view the rest of your network. Just type 'ipconfig -all' at a command prompt to see what I mean. If I feed the default gateway address into a network discovery tool like SolarWinds Network Sonar (www.solarwinds.net) and if your router is set up with defaults, I will soon have details of every device on your network. I can also download the router config from each of your routers and read the administrative passwords, giving me the keys to your network infrastructure.

If you have Windows servers running SNMP (and chances are you do) then I can list the name of every user and group on that server. This gives me an excellent starting point for password guessing and dictionary attacks. I can also map out your Windows domain, discover your server names and even see what hardware you're using. Of course it's not just the casual visitor who may take advantage of this vulnerability, but a disgruntled member of staff, an industrial spy disguised as a contractor or just a nosy IT graduate. Most organisations remain highly vulnerable to insider attacks, yet feel secure because they've spent a lot of money on firewalls. It's time to wake up and recognise that organised crime and casual thieves will both take the easiest, least risky route, and that's from inside the organisation.

So what can you do? First and foremost, if you're not using SNMP, turn it off. If you are using it, a good start must be to change those default community strings. But before you rush off to start this project, a few words of caution. Firstly, discover which software in your organisation is using SNMP and whether it can use non-default community strings (there are still some horrible applications with hard-coded strings and passwords in many organisations). Secondly, once you're satisfied that nothing will break if you change those strings, select something complex that will resist a dictionary attack. A long string of mixed case, numbers and punctuation is best. Thirdly, as you'll need to write those complex strings down, make sure you secure that information properly!
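As an added example (not part of the talk, nor any vendor's tooling), the following Python audits a router configuration for the community-string problems just described: the default 'public'/'private' strings, strings too short or too simple to resist a dictionary attack, and read/write communities with no access list. It assumes Cisco IOS-style `snmp-server community <string> [RO|RW] [acl]` lines and runs over a constructed sample config.

```python
import re
import string

# Default community strings the talk warns about; extend with vendor defaults you know of.
DEFAULT_COMMUNITIES = {"public", "private"}

# Assumed Cisco IOS-style syntax: "snmp-server community <string> [view <name>] [RO|RW] [acl]"
COMMUNITY_RE = re.compile(
    r"^\s*snmp-server\s+community\s+(\S+)(?:\s+view\s+\S+)?\s*(RO|RW)?(?:\s+(\S+))?\s*$",
    re.IGNORECASE,
)


def string_weaknesses(community, min_length=16):
    """Return the reasons a community string is weak (empty list = acceptable)."""
    reasons = []
    if community.lower() in DEFAULT_COMMUNITIES:
        reasons.append("default community string")
    if len(community) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    # Mixed case, digits and punctuation, as the talk recommends: require three of four classes.
    kinds = (str.islower, str.isupper, str.isdigit, lambda c: c in string.punctuation)
    if sum(any(k(c) for c in community) for k in kinds) < 3:
        reasons.append("fewer than three character classes (upper/lower/digit/punctuation)")
    return reasons


def audit_config(config_text):
    """Parse snmp-server community lines and return one finding per line."""
    findings = []
    for line in config_text.splitlines():
        m = COMMUNITY_RE.match(line)
        if not m:
            continue
        community, mode, acl = m.group(1), (m.group(2) or "RO").upper(), m.group(3)
        reasons = string_weaknesses(community)
        if mode == "RW" and acl is None:
            reasons.append("read/write access with no access list")
        findings.append({"community": community, "mode": mode, "acl": acl, "reasons": reasons})
    return findings


# Constructed sample config (not taken from any real device).
SAMPLE_CONFIG = """\
snmp-server community public RO
snmp-server community private RW
snmp-server community Xk7#qLp2$Vr9mW!z RO 10
snmp-server community Xk7#qLp2$Vr9mW!z RW
"""
```

Calling `audit_config(SAMPLE_CONFIG)` flags the first two lines as defaults and the last line for unrestricted read/write; only the third line passes.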

Now, before you go to set up that meeting with your network admins, there are a number of other backdoors that may reveal your SNMP strings to an attacker even after you've changed them all. So build a strategy to seek out those backdoors and secure them, and then develop an incident response procedure to use when your shiny new community strings are compromised. One of the most common methods of exposing SNMP community strings is via server management consoles like Compaq Insight Manager (CIM), which may have been poorly configured. A web browser interface to CIM can often be found on TCP port 2301. Older versions have a default Administrator password of 'administrator', permitting an unauthorised user to gain control of the server remotely, read the SNMP strings and even power down the server.

A short and inexpensive network discovery exercise can provide you with valuable information on your network weaknesses and a remediation plan for your networks team. Understanding how these and other default infrastructure configurations can provide unrestricted access to your network is a major weapon in the battle against hackers and insiders.
COPYRIGHT 2005 A.P. Publications Ltd.
Copyright 2005, Gale Group. All rights reserved. Gale Group is a Thomson Corporation Company.

Article Details
Title Annotation:DATABASE & NETWORK JOURNAL INTELLIGENCE
Publication:Database and Network Journal
Geographic Code:4EUUK
Date:Apr 1, 2005
Words:1541