A graduate seminar: current topics in computer security
 

Archive for the ‘Uncategorized’ Category


Facebook helps FBI to shut down Butterfly botnet that stole $850 million

December 13th, 2012 by Yiting

The U.S. Department of Justice recently arrested 10 suspects from 8 countries who were involved in a global botnet ring. This international cyber crime operation infected over 12 million PCs worldwide, caused more than $850 million in losses, and harvested financial information from over 800,000 victims. The attack started from a Butterfly botnet, which spread itself using variants of Yahos. Yahos is a virus that spreads by sending links via social networks or instant messages and launches an attack when users click on the malicious link. Yahos targeted Facebook users from 2010 to October 2012, and security systems were able to detect affected accounts and provide tools to remove these threats. Facebook’s security team provided assistance to law enforcement throughout the investigation by helping to identify the root cause, the perpetrators, and those affected by the malware.

Yahos affected Facebook users for two years and caused great economic loss to them. Why didn’t Facebook find out about the issue and take action earlier? This may be largely due to the lack of connection between users and Facebook. When a user is attacked, he probably won’t link it to Facebook. Thus Facebook has no knowledge of the attack until a large number of systems get infected and people increasingly report the issue. Then Facebook needs to figure out the root cause, detect the intrusion, and remove the threats, all of which takes time.

International cyber crimes are disastrous. Due to the open nature of the Internet, these global botnet operations may affect numerous users in different countries. Does the government have the responsibility of protecting its citizens from these attacks? One may argue that government should stay away from supervision and leave users complete freedom. But this can be an effective way to protect the users. If firewalls can be built to filter out sensitive key words, they can be used to filter attacks similarly.

Review on BGP Prefix Hijacking Attacks

December 13th, 2012 by Yiting

Border Gateway Protocol (BGP) is the de facto inter-domain routing protocol in the Internet. A major limitation of BGP is its failure to adequately address security [1]. Recent security analyses clearly indicate that the Internet routing infrastructure is highly vulnerable, and numerous proposals have been made to address BGP vulnerabilities of all kinds. In this review, we summarize the state-of-the-art solutions to prefix hijacking attacks.

In general, an IP prefix should only be originated by a single Autonomous System (AS) [2]. A Multiple Origin AS (MOAS) conflict occurs when a prefix is originated by more than one AS simultaneously. This can occur legitimately, for instance when a multi-homed AS transitions between preferred routes. However, MOAS conflicts can also directly indicate prefix hijacking. A recent study of MOAS conflicts shows that potential causes included prefixes associated with exchange point addresses that link ASes, multi-homing without BGP or with private AS numbers, and faulty configurations [3].

[4] proposes to enhance BGP using community attributes [5] to distinguish between valid and invalid MOAS conflicts in response to these operational oddities. The set of ASes authorized to announce a given prefix is appended to the community attribute, which can be used to determine if a MOAS conflict is valid. Because the community attribute is optional and transitive, routers can drop this information without causing an error. Because they are not authenticated, the announcements can be forged or altered by malicious routers. However, the authors suggest that forged routes can be detected by flagging prefixes received with multiple, conflicting AS lists.

Intrusion detection mechanisms are used in [6] to identify forged origin announcements, and several metrics for identifying bogus announcements are also proposed. In this work, the detection criteria arise from the evaluation of common configurations and AS behavior, rather than being derived from the BGP specification. Specifically, any departure from normal ownership behavior, such as a new AS beginning to announce the address or a new MOAS occurring, is considered malicious and is flagged. This scheme produces few incorrect alerts. But the prefix ownership lists are pre-computed, so the network model must be rebuilt whenever the network topology changes.

The Prefix Hijacking Alert System (PHAS) [7] makes further extensions to MOAS detection based on prefix ownership. It relies on the assumption that a prefix owner is the only entity that can differentiate between real routing changes and prefix hijacking attacks. It examines routing updates from the Route Views [8] and RIPE [9] repositories. If there are changes to the originator of a route, the owner of the prefix is notified through email. The system is incrementally deployable, because a prefix owner only needs to register with the PHAS server. However, the server becomes a single point of failure. If it is compromised, numerous false alarms will be sent out to prefix owners. Moreover, the system relies on the validity of entities registering their prefixes, and there is no protection against an adversary making a false registration. To solve this problem, Route Origin Authorizations (ROAs) provide secure registries for resolving MOAS conflicts [10].
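An added example, not part of the original review or of the PHAS code: a minimal Python sketch of the origin-set monitoring described above, with the authorized-origin list idea from [4] used to separate valid MOAS conflicts from suspicious ones. The update feed, registrations, contact addresses and function names are constructed for illustration, and the lookup of a covering registered prefix for more-specific announcements goes slightly beyond what the text describes.

```python
import ipaddress
from collections import defaultdict

# Constructed collector feed: (unix_time, prefix, AS path). The origin AS is the
# last element of the path. Prefixes are documentation ranges; AS numbers are
# taken from the documentation and private-use ranges.
UPDATES = [
    (1000, "192.0.2.0/24", [64500, 64501, 64510]),
    (1060, "192.0.2.0/24", [64502, 64510]),      # new path, same origin
    (1120, "198.51.100.0/24", [64500, 64520]),
    (1180, "192.0.2.0/24", [64503, 64666]),      # second origin: MOAS conflict
    (1240, "198.51.100.0/24", [64500, 64521]),   # second origin, but registered
    (1300, "192.0.2.0/25", [64503, 64666]),      # more-specific of a registered prefix
]

# Hypothetical owner registrations (prefix -> contact and authorized origins).
REGISTERED = {
    "192.0.2.0/24": {"contact": "noc@example.net", "authorized": {64510}},
    "198.51.100.0/24": {"contact": "noc@example.org", "authorized": {64520, 64521}},
}


def covering_registration(prefix, registered):
    """Return (registered_prefix, record) for the most specific registration
    that covers `prefix`, or None if nobody registered that address space."""
    net = ipaddress.ip_network(prefix)
    best = None
    for reg_prefix, record in registered.items():
        reg_net = ipaddress.ip_network(reg_prefix)
        if net.version != reg_net.version or not net.subnet_of(reg_net):
            continue
        if best is None or reg_net.prefixlen > best[0].prefixlen:
            best = (reg_net, reg_prefix, record)
    return None if best is None else (best[1], best[2])


def monitor(updates, registered):
    """Replay updates in time order and report every change to a prefix's
    origin set, marking whether the new origin is on the owner's list."""
    origin_sets = defaultdict(set)
    events = []
    for ts, prefix, as_path in sorted(updates, key=lambda u: u[0]):
        origin = as_path[-1]
        known = origin_sets[prefix]
        if origin in known:
            continue                      # path change only, origin set unchanged
        known.add(origin)
        match = covering_registration(prefix, registered)
        if match is None:
            continue                      # no owner asked to be notified
        reg_prefix, record = match
        events.append({
            "time": ts,
            "prefix": prefix,
            "registered_prefix": reg_prefix,
            "new_origin": origin,
            "origin_set": sorted(known),
            "moas": len(known) > 1,
            "authorized": origin in record["authorized"],
            "notify": record["contact"],
        })
    return events


if __name__ == "__main__":
    for event in monitor(UPDATES, REGISTERED):
        level = "info " if event["authorized"] else "ALERT"
        print(f'{level} t={event["time"]} {event["prefix"]} '
              f'origin AS{event["new_origin"]} origins={event["origin_set"]} '
              f'moas={event["moas"]} -> {event["notify"]}')
```

The authorized list here is only as trustworthy as the registration itself, which is the weakness the paragraph above attributes to PHAS.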

Pretty Good BGP (PGBGP) [11] is another alerting system. It shows that misconfigurations and prefix hijacking attacks could be mitigated if routers exercise a certain amount of judgment with the routes in their routing tables. PGBGP maintains state from historical routing data to determine which routes to prefixes are normal. Any incoming routes violating these origins are flagged as suspicious for the time period shown in the data from [12]. The results of this work show that this solution may often protect ASes against hijacking attacks. An administrator deploying this solution must be cognizant of their business relationships and ensure that events causing path changes don’t affect convergence. In addition, sufficiently equipped adversaries can engineer the set of routes the system is forced to accept, in a routing equivalent of the link-cutting attack by Bellovin and Gansner [13].

[14] provides a mechanism for detecting prefix hijacking attacks in real time. The solution is based on fingerprinting techniques for networks and hosts. A number of criteria are used to characterize a particular network prefix, such as the operating system of machines within a given prefix, the identifier field within IP packets, and TCP and ICMP timestamps. It takes advertised conflicting origin ASes as potential evidence of a prefix hijacking attack and compares the collected fingerprints against probes sent to all origins. Differences between fingerprints provide evidence that updates have been received from different originating machines, and that a newly-advertised prefix with sufficiently different characteristics is not the original network advertising a new path, but rather an adversary attempting to hijack the prefix. This approach relies on a real-time BGP UPDATE monitor, whose availability is critical. If updates are delayed, the ability to collect measurements will be compromised. Subsequent work investigates how to optimally place route monitors within the Internet to maximize prefix hijacking detection coverage [15].

The Whisper protocol [16] is designed to validate the initial source of path information. Instead of providing explicit route authentication, it seeks to alert network administrators of potential routing inconsistencies. In its weakest form, a hash chain is used in a similar fashion to the cumulative authentication mechanism described in [17]. A random value is initially assigned to each prefix by the originator, which is repeatedly hashed at each hop as it is propagated from AS to AS. Receiving routers validate received paths by comparing the received hash values. If the hash values are the same, then they must have come from the same source. Stronger protocols make the initial value more difficult to guess, using heavyweight modular exponentiation. One variant uses a construction similar to RSA [18], where a random initial value is exponentiated by the AS numbers of the ASes a route traverses. Another variant, using a series of hash constructions, is complicated by the fact that only the route originator can verify the route because of the non-invertibility of secure hash functions.
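An added example (not from the original review or from the Whisper authors): the weak hash-chain form described above, sketched in Python. SHA-256, the route tuples and the function names are assumptions; because two routes to the same prefix can differ in length, the check advances the value from the shorter path by the hop difference before comparing.

```python
import hashlib
import hmac
import os


def h(value: bytes) -> bytes:
    """One hop of the chain (SHA-256 is an assumption of this sketch)."""
    return hashlib.sha256(value).digest()


def h_iter(value: bytes, times: int) -> bytes:
    """Apply the hop hash `times` times."""
    for _ in range(times):
        value = h(value)
    return value


def advertise(secret: bytes, as_path):
    """Simulate propagation along as_path (origin AS last): the origin sends
    h(secret) with the prefix and every further AS hashes the value once, so a
    path of n ASes carries h^n(secret). Returns (as_path, value)."""
    return (list(as_path), h_iter(secret, len(as_path)))


def consistent(route_a, route_b) -> bool:
    """True if both values can have come from the same originator secret."""
    (path_a, val_a), (path_b, val_b) = route_a, route_b
    if len(path_a) < len(path_b):
        (path_a, val_a), (path_b, val_b) = (path_b, val_b), (path_a, val_a)
    # Hash the shorter path's value forward until both have the same hop count.
    aligned = h_iter(val_b, len(path_a) - len(path_b))
    return hmac.compare_digest(aligned, val_a)


def audit(routes):
    """Return index pairs of routes (for one prefix) that disagree."""
    return [(i, j)
            for i in range(len(routes))
            for j in range(i + 1, len(routes))
            if not consistent(routes[i], routes[j])]


def demo():
    """Constructed scenario: two genuine paths from AS64510 and one bogus
    route whose AS path still ends in the legitimate origin."""
    secret = os.urandom(32)               # chosen by the originator, never sent
    via_a = advertise(secret, [64500, 64501, 64510])
    via_b = advertise(secret, [64502, 64504, 64505, 64506, 64510])
    # The sender of this route never saw the origin's secret, so its value is
    # derived from a different seed even though the origin AS looks correct.
    bogus = ([64503, 64666, 64510], h_iter(os.urandom(32), 3))
    return {
        "genuine_pair": consistent(via_a, via_b),
        "bogus_vs_a": consistent(via_a, bogus),
        "inconsistent_pairs": audit([via_a, via_b, bogus]),
    }


if __name__ == "__main__":
    print(demo())
```

An origin-only check would accept the bogus route in `demo()` because its path ends in AS64510; the hash comparison raises an alert instead, without identifying which of the disagreeing routes is the forged one.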

 

References

[1] K. Butler, T. Farley, P. McDaniel, and J. Rexford, A survey of BGP Security Issues and Solutions, in Proc. IEEE, Jan. 2010.

[2] J. Hawkinson and T. Bates, Guidelines for Creation, Selection, and Registration of an Autonomous System (AS), RFC 1930, 1996.

[3] X. Zhao, D. Pei, L. Wang, D. Massey, A. Mankin, S. F. Wu, and L. Zhang, An analysis of BGP multiple origin AS (MOAS) conflicts, in Proc. ACM SIGCOMM Internet Measurement Workshop, 2001, San Francisco, CA, Nov. 2001.

[4] X. Zhao, D. Pei, L. Wang, D. Massey, A. Mankin, S. Wu, and L. Zhang, Detection of invalid routing announcement in the Internet, in IEEE DSN 2002, Washington, DC, Jun. 2002.

[5] R. Chandra, P. Traina, and T. Li, BGP Community Attribute, RFC 1997, Aug. 1996.

[6] C. Kruegel, D. Mutz, W. Robertson, and F. Valeur, Topology-based detection of anomalous BGP messages, in Proc. 6th Symp. Recent Advances in Intrusion Detection (RAID), Sep. 2003, pp. 17–35.

[7] M. Lad, D. Massey, D. Pei, Y. Wu, B. Zhang, and L. Zhang, PHAS: A prefix hijack alert system, in Proc. 15th USENIX Security Symp., Vancouver, BC, Canada, Aug. 2006.

[8] http://www.routeviews.org/

[9] http://www.ripe.net/

[10] G. Huston and G. Michaelson, Validation of Route Origination in BGP Using the Resource Certificate PKI and ROAs, Internet Draft, Aug. 2009.

[11] J. Karlin, S. Forrest, and J. Rexford, Autonomous security for autonomous systems, Computer Networks, Oct. 2008.

[12] R. Mahajan, D. Wetherall, and T. Anderson, Understanding BGP misconfiguration, in Proc. ACM SIGCOMM 2002, Pittsburgh, PA, Aug. 2002.

[13] S. Bellovin and E. Gansner. (2003, May). Using Link Cuts to Attack Internet Routing. [Online]. Available: http://www.cs.columbia.edu/smb/papers/reroute.pd

[14] X. Hu and Z. M. Mao, Accurate real-time identification of IP prefix hijacking, in Proc. IEEE Symp. Security and Privacy, Oakland, CA, May 2007.

[15] Y. Zhang, Z. Zhang, Z. M. Mao, Y. C. Hu, and B. M. Maggs, On the impact of route monitor selection, in Proc. ACM Internet Measurement Conf. (IMC), San Diego, CA, Oct. 2007.

[16] L. Subramanian, V. Roth, I. Stoica, S. Shenker, and R. Katz, Listen and Whisper: Security mechanisms for BGP, in Proc. Symp. Networked Systems Design and Implementation (NSDI), San Francisco, CA, Mar. 2004.

[17] Y. Hu, A. Perrig, and D. Johnson, Efficient security mechanisms for routing protocols, in Proc. ISOC Network and Distributed Systems Security Symp. (NDSS), San Diego, CA, Feb. 2003.

[18] R. Rivest, A. Shamir, and L. Adleman, A method for obtaining digital signatures and public-key cryptosystems, Commun. ACM, vol. 21, no. 2, pp. 120–126, Feb. 1978.

Security Analysis: Bring Your Own Device?

December 11th, 2012 by yc15

I had two very different internships for the past two summers, one at an investment bank's technology division and one at a technical company in Silicon Valley. Despite other differences, one thing I remember was the attitude towards Bring Your Own Device (BYOD). In the bank, most people have their desktops at work, BlackBerries for checking emails and personal phones for daily use. Most people don’t even have laptops and working from home was not a very common option. On the other hand, in the tech company, every developer has a laptop preinstalled with VPN, an RSA token, a desktop at work and their personal phone with their work email account connected. People work from home regularly once a week. The two cases are extreme but the trend of BYOD is undeniable given the prevalence of the iPhone, iPad and other smartphones/tablets. People like the freedom to have their own devices and the flexibility to use various apps to increase productivity. But for the IT department, BYOD is a tempting but still risky policy to adopt.

Risks:
1. Data Loss:
One of the biggest concerns of BYOD is data loss protection (DLP). Before the smartphone era, people didn’t really carry confidential data around in their devices because what they could do with a BlackBerry was quite limited. But now smartphones, and especially tablets, can do complicated tasks, which increases both the power and the danger of the device. If an employee now dropped his device in a cab and someone else picked it up, it would be harder to protect the confidential data from being stolen if the employee doesn’t have the required firmware installed. Another problem is that the security of portable devices is relatively weak. For the iPhone, many things are related to the unlock password. Once the attacker found out the password, either through social engineering or simply brute force, as most people only use 4 digits for their password, he could unlock the phone and potentially peek into confidential information or documents. Applications like Dropbox, Google Drive or Evernote are convenient and user-friendly but probably too friendly at some point. The separation of work and personal data will be harder, thus further lowering the security.

2. Malware Protection
Tons of apps in either the iOS App Store or the Android Google Play store are malicious. Those apps might exploit vulnerabilities in the system or interact with other apps in an uncontrolled way. Sandboxing of the company's internal apps is important. There was a paper I read in this class about how malicious apps use ads to do evil things on behalf of other apps. Though it’s unlikely an internal app will have ads, the possibility of different apps sharing some sort of resource can still be a headache for the IT department.

3. Deployment Issue
Even if some security methods are implemented, how do we make sure they are deployed on every device and functioning well? The device options these days are not limited to just one but at least 3 or 4 popular ones. And an operating system like Android has serious fragmentation of OS versions. The cost is huge but not even that effective. Cloud seems to be a very popular way to do things these days and it solves some problems such as scaling and compatibility, but security is still a big concern.

From a survey by HDI, the percentage of BYOD adoption is increasing and employees are definitely happier using their own devices, but when asked about the future of BYOD, only 1/3 of the companies who currently don’t have a BYOD program are considering adding one in the next 12 months. I think BYOD will be the future eventually because it can potentially be a win-win situation for both companies and employees.

Reference:

https://news.citrixonline.com/wp-content/uploads/2012/04/BYOD-Hot-or-Not.pdf

http://blog.fortinet.com/byoa-brings-new-and-old-challenges-for-it/

http://www.pcpro.co.uk/features/377659/the-truth-about-byod/2

Where should I get my cash?

December 10th, 2012 by yc15

I remember when I traveled abroad to Taiwan, credit cards weren’t as prevalent as they are here in the States, especially outside of metropolitan areas like Taipei; thus I always needed to get cash from some sketchy ATM machines in some sketchy convenience stores. I know it is not safe but I don’t always have an option. Therefore when I see articles like this, I just worry more.

From the article, the common ATM skimmer attack is replaced with a more aggressive attack that directly draws money from the ATM. The ATM being attacked had a security camera connected via USB and the attacker somehow removed that and replaced it with a folding keyboard. He was then able to take control of the machine since the ATM is believed to use some sort of Microsoft Windows system. After rebooting the system, the attacker could then draw money from the ATM directly. Sounds like a movie scene to me but the scary part is that it sounds so easy to do! It is crazy that by plugging in some USB device, the whole ATM can be taken control of. Fortunately the police caught him on the spot.

Later in the article, the author talked about other skimmer devices in ATMs in hospitals, where people assume the cash machines are safe. Apparently it is not the hospital that holds responsibility but the machine vendor. Those skimmer devices could stay there for weeks before they are discovered. Here is an article about the details of how a skimmer device works. It really didn’t seem too complicated.

In the end the article suggested that people withdraw money at bank branches, which is what I mostly do if I have to get some quick cash. Even then I am very wary of those machines outside of the bank. It is still possible to have skimmer devices installed there. I feel more comfortable if the machines are in a closed lobby with many security cameras. Where can people really comfortably get cash? That is a tough question.

Interesting ways of phishing

December 10th, 2012 by yc15

I came across this article and found it quite interesting. As the holiday season is coming, people are planning their trips and booking hotels. I won’t be surprised when a phishing email like this gets many people tricked. I have to say nowadays the phishers make more effort in luring people since people are more aware of the traditional attacks. The email is quite convincing, using popular hotel names like Four Seasons Hotel and having the sender use a seemingly legitimate website like booking.com as well as a standard confirmation format with a confirmation number and receipts as an attachment. The tricky part of this email is that even people who didn’t reserve any hotel or didn’t happen to plan a trip would click on the attachment to make sure that their credit card wasn’t charged. The psychological trick is pretty impressive in my opinion. The article warned people to beware of any email with attachments out of the blue. But even then I can still see a lot of people getting caught by this type of email.

I used to always think phishing is dumb and it won’t ever work but then I realized social engineering is actually more useful than I thought. I remember seeing my Facebook friends post things that were weird but interesting enough that they made me want to click. There was one time, one of my good friends posted something about weight loss. I was totally gonna click but I gave it a second thought and texted her before I did that. She was confused about what I was talking about and shocked about the spam “she” sent out. Sometimes we get curious because the links are too ridiculous. Also there are some vicious Facebook apps that lure people into using them and post random stuff on behalf of the users. A popular one is the one that tells you your top 10 stalkers. Since Facebook doesn’t disclose that information, people are always curious and easily lured to apps like that.

Believe it or not, phishing works and works pretty well. Even at Rice we got emails to check our accounts and 1 hour later IT sent out an email warning us about phishing. Being aware is the best thing we can do but it is not enough. It will always be a battle.

Are you proud of being a hacker?

December 10th, 2012 by yc15

I came across this article and, as a CS major myself who has taken 2 computer security classes already, it is quite an interesting question to ask: should I be proud to be a hacker? Well for now, I can’t label myself as a hacker because I never hacked anything real and I probably shouldn’t. But in my opinion, and I am sure some of my fellow classmates would agree with me, hacker is not an easy-to-get label and it is a recognition for a computer person. There are hackers doing bad things, taking advantage of technology vulnerabilities, but “hacker” has more meanings now.

According to the article, “The word is not the evil word it used to be because companies now employ people who legitimately call themselves ‘white hat hackers,’ ” said Doug Jacobson, the head of Iowa State University’s highly regarded information assurance program. “People make a living doing this legitimately. The word has lost that tone of evil.” From the news, a lot of the top hackers are hired by top companies like Google, Microsoft, Apple and the list goes on. Here is a news item about “twitter hiring one of the best iphone hackers to protect the tweets.” Hackers are smart people. The best way to protect something is first to understand where the weak points are. There, Twitter wanted someone who understands the system’s vulnerabilities in iOS when they started the deeper integration with iPhone.

Many companies also have high rewards for hackers who find serious vulnerabilities. From this link, Google rewarded $60,000 to a security researcher who cracked its Chrome web browser during a hacking contest. And from another link, Facebook would expand rewards for hackers. In the article Ryan McGeehan, who manages Facebook’s security-incident response unit, is quoted as saying: “If there’s a million-dollar bug, we will pay it out.”

I think my point is that nowadays, “hacker” shouldn’t be related to evil and crime, not just in the techy nerdy circle but also for the general public, who should see the value that good hackers, also known as white hats, provide. As technology has more impact on our everyday life, and companies like Facebook and Google become more like everyday brands, the public has more exposure to the underground, mysterious hacker news. People also look at things more from the defensive side than the offensive side. Like the end of the article, hopefully one day, my mom won’t think being a hacker means I am a criminal.

Facebook chat malware

December 7th, 2012 by Apoorv Agarwal

Some 2-3 weeks back when I was using Facebook, I suddenly got a pop-up message from an unknown person which had a link to some random video. At that time I didn’t pay any attention to it and continued doing my work, but today when I was reading this blog I came to know that it was actually a malware attack.

The working of this malware can be understood from this flowchart: a random chat window opens in the logged-in Facebook session with some video link, and as usual the user tends to click that link in order to watch it, but what really happens is that malware gets downloaded (a drive-by download attack) and infects the machine. After this a series of events happens: it makes a hole in the firewall policy of the system by using the netsh command or by modifying the registry. At this time it even disables Windows updates and antimalware scanners, leaving the system at the mercy of the attacker. After this it drops its path in the startup entries so that it starts automatically the next time the system reboots. The malware changes the home page of all the native browsers like Explorer, Firefox and Chrome. The following image shows the command the malware received from the attacker:
Through this command file the attacker tries to check all the chat windows of the victim and spread the same type of attack, duplicating it over other chat windows as well; for example, in the case of Skype the attacker uses PostMessageA to post the comment.

The spread of the worm could be stopped very easily by just killing all its running instances and cleaning up the registry. But the thing to keep in mind while doing social networking is to avoid clicking links from any unsolicited person, as it may be an attack on the privacy of your data; these types of attack can only be stopped by knowledge of these attacks.

36 million euros was stolen by Eurograbber malware

December 7th, 2012 by on1

 

While it seems that banks’ two-factor authentication mechanisms work quite securely, a new Trojan called Zeus circumvented banking authentication and looted an estimated €36 million, or $47 million, from about 30.000 European bank accounts this summer. They targeted 30 banks which are located in Italy, Germany, Holland and Spain. In order to carry out their information hijacking, they used a well-known technique to trick users, namely drive-by download.

Like similar malware, it entices people to click on a link in a malicious email or directs them to a compromised server and infects their computers with Zeus. This malware remains on the victim's computer until the user starts an online banking session and sets a cell phone number in the profile. Instantaneously the malware sends the information to the command and control server, which subsequently sends an SMS message to the user providing a link for upgrading banking software security. Clicking on the link, which seems logical to the user, leads to downloading the ZITMO Trojan (Zeus in the mobile). In this situation even the Transaction Authentication Number (TAN), which provides extra security, does not work efficiently.

Although Check Point and Versafe recently worked with European law enforcement and Internet Service Providers to shut down the C&C servers, there could be a chance for the Zeus campaign to apply a more complex attack architecture to hide their C&C servers, like what we saw in a paper earlier in this semester.

One issue is interesting about this Trojan. While two-factor authentication is not as widespread as in Europe, there is no reason why this kind of attack cannot be used against American banks (for instance by choosing Wells Fargo as a victim).

Since users, due to their lack of knowledge or unintentional mistakes, are often prone to unsafe actions, we, as security guys, should control other parts of the information hijacking chain to protect users. (Look at this nice figure.) Based upon what has been mentioned in a paper earlier this semester, we can conclude that the weakest part of this chain is the bank, and it needs to be protected by law enforcement.

 

References:

http://www.net-security.org/malware_news.php?id=2344

http://securitywatch.pcmag.com/none/299291-fake-android-security-app-is-mobile-zeus-malware-in-disguise

http://securitywatch.pcmag.com/none/305682-zeus-campaign-stole-47-million-from-european-banks

http://en.wikipedia.org/wiki/Zeus_%28Trojan_horse%29

 

W32.Narilam

December 4th, 2012 by on1

 

While reading about hot viruses I found that Symantec recently came across a new sophisticated threat which targets “corporate databases”. They detect this malware as W32.Narilam. This malware sabotages database entities of accounting software and replaces them with random data. Like other malware, Narilam copies itself to the infected machine, then adds registry keys, and finally infects removable drives and spreads through networks. But what is unique about this malware is that it can update Microsoft SQL databases if they are accessible via the OLE DB protocol. (OLE DB provides interfaces that expose data from a variety of sources and also provides the amount of DBMS functionality needed.)

The strange thing that I found about this virus is that it only looks for specific database names used in the small business accounting software of an Iranian company. Then it replaces specific objects and tables rather than just uploading data to command-and-control servers.

Although it turns out that this virus is not a cyber-weapon on the scale of Stuxnet (http://vimeo.com/25118844), it is really the targeted nature of the malware that needs to be understood and addressed. Not too long ago, small and midsize businesses could rightfully consider themselves immune to targeted attacks and malware, as the size of the business didn’t create enough of a reward to be worth the risk to the attacker. With cloud computing and powerful analytics allowing midsize businesses to harness unimaginable amounts of data, their data stores and lax security make them the perfect target for attackers.

 

Hopefully, the damage that a worm like Narilam can do will be enough to convince IT managers of the need for powerful, consistent security measures. While locking down systems is rarely possible or profitable, ensuring that employees understand the importance of proper security precautions can greatly diminish malware’s ability to infect a system and spread out from there.

 

Between employee education and proper anti-malware software, the threat of destruction from malware is significantly diminished, but only if the right people remain vigilant.

References:

http://securitywatch.pcmag.com/none/305296-database-modifying-malware-narilam-a-corporate-sabotage-tool

http://www.symantec.com/connect/blogs/w32narilam-business-database-sabotage

http://midsizeinsider.com/en-us/article/is-narilam-malware-something-to-worry-ab

http://msdn.microsoft.com/en-us/library/windows/desktop/ms722784%28v=vs.85%29.aspx

 

 

Use “HTTPS Everywhere” to protect your privacy

December 4th, 2012 by wh3

I recently came across a cool plugin called “HTTPS Everywhere”, created by EFF and the Tor Project. It automatically switches thousands of sites from insecure “http” to secure “https”. It will protect you against many forms of surveillance and account hijacking, and some forms of censorship.

What is HTTPS and why should we use it instead of HTTP? There is a nice metaphor about using HTTP to log in to an internet service: it’s the same as writing your username and password on a postcard and mailing it for the world to see.

While HTTPS protects users against session hijacking attacks and man-in-the-middle attacks, not every website is using it, mainly because 1) people are ignorant and 2) HTTPS is slower and requires more performance on the server.

After the famous “Firesheep” Firefox plugin, awareness of the importance of HTTPS has risen enough to gain most websites’ attention. For instance, major sites like Google, Twitter, Facebook etc. have all moved their sites entirely to HTTPS.

The migration isn’t that easy though. Facebook spent the last two years making infrastructure improvements so that its transition of all its users to HTTPS, which started last month, will “slow down connections only slightly.”

Still, a lot of sites are either using HTTP or just using HTTPS for the login page and HTTP for the rest of their pages. So if you don’t want your online activity to be at the fingertips of the whole world, given that free sniffer software is everywhere, use “HTTPS Everywhere” on your Chrome/Firefox to switch from HTTP to HTTPS.

Relevant Links:
http://arstechnica.com/business/2011/03/https-is-more-secure-so-why-isnt-the-web-using-it/
http://codebutler.com/firesheep/
http://en.wikipedia.org/wiki/HTTP_Secure
http://techcrunch.com/2012/11/18/facebook-https/
http://gmailblog.blogspot.com/2010/01/default-https-access-for-gmail.html