<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Cyberphunkz Tech Blog &#187; network hacking</title>
	<atom:link href="http://techblog.cyberphunkz.com/tag/network-hacking/feed/" rel="self" type="application/rss+xml" />
	<link>http://techblog.cyberphunkz.com</link>
	<description>Tech information that you never knew... Now at your fingertips</description>
	<lastBuildDate>Wed, 22 Jun 2011 18:18:07 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=</generator>
		<item>
		<title>RISK : Behind-the-times IT managers leave systems dangerously exposed</title>
		<link>http://techblog.cyberphunkz.com/2009/09/21/risk-behind-the-times-it-managers-leave-systems-dangerously-exposed/</link>
		<comments>http://techblog.cyberphunkz.com/2009/09/21/risk-behind-the-times-it-managers-leave-systems-dangerously-exposed/#comments</comments>
		<pubDate>Mon, 21 Sep 2009 15:05:31 +0000</pubDate>
		<dc:creator>Freak</dc:creator>
				<category><![CDATA[Geek]]></category>
		<category><![CDATA[hacking]]></category>
		<category><![CDATA[Irresponsible Activities]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[network hacking]]></category>
		<category><![CDATA[phishing]]></category>
		<category><![CDATA[spear phishing]]></category>
		<category><![CDATA[sql injection]]></category>

		<guid isPermaLink="false">http://techblog.cyberphunkz.com/?p=383</guid>
		<description><![CDATA[http://www.computerweekly.com/Articles/2009/09/18/237757/behind-the-times-it-managers-leave-systems-dangerously.htm IT departments are fighting the security battles of five or 10 years ago, unaware that their IT systems are dangerously exposed to computer hackers. That was the message from a study published this week by the US security education and research body the Sans Institute and security suppliers Tippingpoint and Qualys. The study is &#8230; </p><p><a class="more-link block-button" href="http://techblog.cyberphunkz.com/2009/09/21/risk-behind-the-times-it-managers-leave-systems-dangerously-exposed/">Continue reading &#187;</a>]]></description>
			<content:encoded><![CDATA[<p><span style="font-size: 11pt;"><a href="http://www.computerweekly.com/Articles/2009/09/18/237757/behind-the-times-it-managers-leave-systems-dangerously.htm" target="_blank">http://www.computerweekly.com/Articles/2009/09/18/237757/behind-the-times-it-managers-leave-systems-dangerously.htm</a></span></p>
<p><span style="font-size: 11pt;"> </span></p>
<p><span style="font-size: 11pt;">IT departments are fighting the security battles of five or 10 years ago, unaware that their IT systems are dangerously exposed to computer hackers.</span></p>
<p><span style="font-size: 11pt;"> </span></p>
<p><span style="font-size: 11pt;">That was the message from a study published this week by the US security education and research body the Sans Institute and security suppliers Tippingpoint and Qualys.</span></p>
<p><span style="font-size: 11pt;"> </span></p>
<p><span style="font-size: 11pt;">The study is the first to analyse systemically how cybercriminals are breaking into corporate IT systems. It draws on attack patterns recorded by intrusion detection systems in 6,000 organisations and software vulnerabilities detected in a further 9,000 firms.</span></p>
<p><span style="font-size: 11pt;"> </span></p>
<p><span style="font-size: 11pt;">Its findings will lead to a widespread reassessment of how companies spend their IT security budget, says Alan Paller, director of research at the Sans Institute.</span></p>
<p><strong><span style="font-size: 11pt;">Fundamental error</span></strong></p>
<p><span style="font-size: 11pt;"> </span></p>
<p><span style="font-size: 11pt;">The study shows that chief security officers are spending most of their budgets ensuring that the operating systems of their PCs and servers are patched. But many hackers are directing their attacks against vulnerabilities in web applications and common desktop software, bypassing the operating system entirely.</span></p>
<p><span style="font-size: 11pt;"> </span></p>
<p><span style="font-size: 11pt;">Vulnerabilities in commonly used desktop software programs, including Adobe PDF, QuickTime, Adobe Flash and Microsoft Office, and in web applications accounted for 60% of hacking attacks recorded over the past five months.</span></p>
<p><span style="font-size: 11pt;"> </span></p>
<p><span style="font-size: 11pt;">&#8220;IT departments are still celebrating their success at patching operating systems. They think they are doing great, but they are using the wrong metrics,&#8221; says Rob Lee, faculty leader in forensics at the Sans Institute.</span></p>
<p><span style="font-size: 11pt;"> </span></p>
<p><span style="font-size: 11pt;">The greatest risk to corporate IT systems comes from hackers exploiting vulnerabilities in popular websites to plant and spread malicious code on a huge scale.</span></p>
<p><span style="font-size: 11pt;"> </span></p>
<p><span style="font-size: 11pt;">Employees feel safe visiting trusted sites from their work places, but they are easily fooled into opening documents, music and video files that contain malicious code.</span></p>
<p><span style="font-size: 11pt;"> </span></p>
<p><span style="font-size: 11pt;">Once downloaded, the code exploits vulnerabilities in unpatched applications on their desktops, allowing hackers to plant backdoors that can provide them access to corporate networks.</span></p>
<p><span style="font-size: 11pt;"> </span></p>
<p><strong><span style="font-size: 11pt;">Spear phishing</span></strong></p>
<p><span style="font-size: 11pt;"> </span></p>
<p><span style="font-size: 11pt;">Hackers are using another technique known as spear phishing &#8211; targeted e-mails containing malware &#8211; to exploit the same application vulnerabilities.</span></p>
<p><span style="font-size: 11pt;"> </span></p>
<p><span style="font-size: 11pt;">Over the past year, the Sans team has responded to 40 major security incidents in businesses and government departments. Two-thirds have been spear phishing attacks.</span></p>
<p><span style="font-size: 11pt;"> </span></p>
<p><span style="font-size: 11pt;">&#8220;We have recently seen financial attackers using spear phishing campaigns against chief financial officers to get them to click on a link. They install a key logger. Once an individual logs into the bank account, the hackers get in and start moving funds,&#8221; says Lee.</span></p>
<p><span style="font-size: 11pt;"> </span></p>
<p><span style="font-size: 11pt;">There are some straightforward measures that businesses can take to protect themselves, says the Sans Institute.</span></p>
<p><span style="font-size: 11pt;"> </span></p>
<p><span style="font-size: 11pt;">Small businesses can deploy a separate hardened PC for staff to use for financial transactions online. And for all companies, deploying a web application firewall will help to protect web applications from malicious attacks.</span></p>
<p><span style="font-size: 11pt;"> </span></p>
<p><span style="font-size: 11pt;">&#8220;For the client side, get code patched and get it patched more quickly. The idea that you can patch operating systems in a week is great news. But that is focusing on the attacks of a couple of years ago,&#8221; says Ed Skoudis, security consultant at the Internet Storm Centre, which monitors hacking activity.</span></p>
<p><span style="font-size: 11pt;"> </span></p>
<p><span style="font-size: 11pt;">The other point, he says, is that companies should redouble their efforts to make sure users do not log into their machines with administrator privileges. &#8220;That way, if there is some sort of exploit, and the bad guys get a toe hold, it is only with limited privileges,&#8221; he says.</span></p>
<p><span style="font-size: 11pt;"> </span></p>
<p><strong><em><span style="font-size: 11pt;">SQL injection attacks</span></em></strong></p>
<p><em><span style="font-size: 11pt;"> </span></em></p>
<p><em><span style="font-size: 11pt;">SQL injection is the most common technique used by hackers to compromise web applications. The technique can be blocked by careful coding, but the Sans Institute warns that some programmers are creating applications that use SQL injection, leaving their networks open to attack from hackers.</span></em></p>
<p><em><span style="font-size: 11pt;"> </span></em></p>
<p><em><span style="font-size: 11pt;">&#8220;People writing these applications do not realise that they have put SQL injection in code as a feature. We find a lot of these applications in company networks. Things that people have put together quickly,&#8221; says Rohit Dhamankar director of security research at Tippingpoint.</span></em></p>
]]></content:encoded>
			<wfw:commentRss>http://techblog.cyberphunkz.com/2009/09/21/risk-behind-the-times-it-managers-leave-systems-dangerously-exposed/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Interceptor &#8211; Wireless Wired Network Tap (Fon+)</title>
		<link>http://techblog.cyberphunkz.com/2009/04/27/interceptor-wireless-wired-network-tap-fon/</link>
		<comments>http://techblog.cyberphunkz.com/2009/04/27/interceptor-wireless-wired-network-tap-fon/#comments</comments>
		<pubDate>Mon, 27 Apr 2009 09:29:18 +0000</pubDate>
		<dc:creator>Freak</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[fon+]]></category>
		<category><![CDATA[IDS]]></category>
		<category><![CDATA[network hacking]]></category>
		<category><![CDATA[network monitoring]]></category>
		<category><![CDATA[pen testing]]></category>

		<guid isPermaLink="false">http://techblog.cyberphunkz.com/?p=120</guid>
		<description><![CDATA[The Interceptor is a wireless wired network tap. Basically, a network tap is a way to listen in to network traffic as it flows past. Most tools are designed to pass a copy of the traffic onto a specified wired interface which is then plugged into a machine to allow a user to monitor the &#8230; </p><p><a class="more-link block-button" href="http://techblog.cyberphunkz.com/2009/04/27/interceptor-wireless-wired-network-tap-fon/">Continue reading &#187;</a>]]></description>
			<content:encoded><![CDATA[<p>The Interceptor is a wireless wired network tap. Basically, a network tap is a way to listen in to network traffic as it flows past. Most tools are designed to pass a copy of the traffic onto a specified wired interface, which is then plugged into a machine to allow a user to monitor the traffic. The problem with this is that you have to be able to route the data from that wired port to your monitoring machine, either through a direct cable or through an existing network. The direct cable method means your monitor has to be near the location you want to tap; the network routing method means you have to somehow encapsulate the data to get it across the network without it being affected en route.</p>
<p>The Interceptor does away with the wired monitor port and instead spits out the traffic over wireless, meaning the listener can be anywhere they can make a wireless connection to the device. As the data is encrypted (actually, double encrypted, see how it works), the person placing the tap doesn’t have to worry about unauthorized users seeing the traffic.</p>
<p><strong>Requirements</strong></p>
<p>This project has been built and tested on a Fon+ but should in theory work on any device which will run OpenWrt and has at least a pair of wired interfaces and a wireless one.</p>
<p>This isn’t intended to be a permanent, in-situ device. It is designed for short-term troubleshooting or information gathering on low-usage networks; as such, it will work well between a printer and a switch but not between a switch and a router. Here are some possible situations for use:</p>
<ul>
<li>Penetration testing &#8211; If you can gain physical access to a target’s office, drop the device between the office printer and switch, then sit in the carpark and collect a copy of all documents printed. Or, get an appointment to see a boss and when he leaves the room to get you a drink, drop it on his computer. The relatively low cost of the Fon+ means the device can almost be considered disposable, and if branded with the right stickers most users wouldn’t think about an extra small box on the network.</li>
<li>Troubleshooting &#8211; For sys-admins who want to monitor an area of network from the comfort of their desks, just put it in place and fire up your wireless.</li>
<li>IDS &#8211; If you want to see what traffic is being generated from a PC without interfering with the PC simply add the Interceptor and sit back and watch. As the traffic is cloned to a virtual interface on your monitoring machine you can use any existing tools to scan the data.</li>
</ul>
<p>You can download Interceptor here:<br />
<a href="http://www.digininja.org/files/interceptor_1.0.tar.bz2">interceptor_1.0.tar.bz2</a></p>
<p>Or read more <a href="http://www.digininja.org/interceptor/">here</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://techblog.cyberphunkz.com/2009/04/27/interceptor-wireless-wired-network-tap-fon/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

