Opinion: Warez More Dangerous Than P0rn

A couple of vendors have been talking about how prevalent malware is in online porn these days, but during our testing of HoneyPoint Wasp, we found pirated software (or “warez”) to be among the most concerning. Pornography is still a dangerous segment for infection, but it seems that grabbing so called “cracks” and “keygens”, along with pirated programs from the web and peer to peer networks is even more dangerous.

In our testing, it took us around 1/8 of the time to find infected warez that it took to find infected pornographic sites. In fact, our estimates are that less than 10% of the pornography files we tested (excluding “codecs”, obvious Trojan Horses) were infected, while nearly 90% of the cracking and keygen tools were, in fact, malware. In many cases, the warez would appear to work, but contained a background dropper that would install one or more pieces of adware, spyware or other malicious software. Even worse, in a clear majority of our testing cases, several of these malicious programs were missed by the consumer-grade anti-virus applications we had installed on the test bed. We used the white listing capability of HoneyPoint Wasp as the control and indeed identified a large number of malicious programs that traditional AV missed.

The key point of this topic though, is that pirated software remains a significant threat to businesses without proper license controls. Particularly, small and mid-size businesses where piracy often runs rampant, present a very wide target for attackers. Good policies against pirated software, user awareness and the use of license enforcement/asset inventory tools are useful controls in ramping up protection against this attack vector.

How has your organization fared against pirated software? What controls do you have in place to reduce both the legal liability and the malware threat that warez represents?

How to Safeguard Your Data From Hackers, Phishing Scams, and Nasty Intruders

In my last article, we discussed shedding the fears we have of the technologies we interact with by learning more about them. Building on that philosophy, we’ll venture down a rabbit hole now that we’re online and looking to browse, shop, bank, and interact safely. As society becomes increasingly reliant on the conveniences of the Internet, it will be important to know basic safety and how to identify possibly dangerous activity.

Somehow people have come to feel less and less worried about email being an attack vector in the modern arena. Unfortunately, this complacency has done an injustice as email attacks are still a dominant method by which attackers compromise their targets. Our penetration testing team uses email attacks on almost every engagement, and we see through our work with HoneyPoint as well as other intelligence that this continues to be a staple of the modern attacker’s arsenal. But what does that mean to you?

Hopefully, the average user has gotten into the habit of filtering spam, only opening email from known senders, and only opening attachments when they are known and/or expected. But are we seeing the possible danger in an email from support@mycompany.com or human.resources@mycompany.com when we have only ever received email from techsupport@mycompany.com or humanresources@mycompany.com? Attackers spend a lot of time doing their homework and finding trust relationships to exploit in obscure ways such as these. If in doubt about the source of an email, send a separate email to the sender to verify it.

Browsing the Internet is fun, entertaining, and often necessary. Web browsers are also a ripe playground for nefarious activity which means the more risky places you visit, the bigger the chance that you’ll face some sort of danger. First, like all software, we need to be using a fully patched deployment of the latest stable version of the browser. Here is one of many statistical breakdowns of browser security for review, which should make a user consider which web browser they want to use. Internet Explorer controls a majority of the market simply due to being packaged with Windows as a rule, but the other options are stable, smooth, and less of a target making a successful attack less likely.

In addition to being compromised simply by using a weak browser, we must also be aware of where we browse and look for oddities when we surf. Looking at the URLs in the browser’s address bar, hovering over links to see where they direct and then ensuring that’s where you end up, realizing the pop-up browser window (telling you the machine is infected with a crazy number of infections and must be dealt with NOW) is a browser window, not a legitimate warning from your Anti Virus solution (you ARE running AV, right?). After all, modern browsers still struggle with BROWSING properly, we can’t expect them to properly provide AV coverage too!

While browsing safely is much deeper than we have space to cover in this post, one last activity we’ll discuss is online banking. Banks do a good job protecting us while providing online service for the most part. Individual users must still run a tight ship to keep the attack surfaces as small as possible. First off, change your banking passwords regularly. I know this sounds like a pain in the backside, but it’s worth it. I promise my next post will discuss more about how to manage this with ease. Secondly review your account often, looking for discrepancies (If you want details on the plethora of fraud I’ve encountered doing this, contact me on twitter). And finally, log off. Most banking web applications are designed to properly terminate your session upon logging off which prevents any issues with stale sessions that might be hijacked by an attacker.

Embrace the conveniences that technology provides, but do so with a sharp mind and open eyes. Following these few basic tips will help build the skills that become second nature to a wise and seasoned traveler on the Information Super Highway!

Jumphosts Are a Great Place For HoneyPoint Wasp

As the idea of network segmentation, or enclaving, becomes more and more popular, many organizations are also implementing so called “jumphosts” for their critical systems. Typically, a jumphost is a terminal server or Citrix host that users and admins connect to, then ride a terminal server or Citrix connection into the segmented critical hosts. This connection is usually filtered by a firewall, screening router or other access control method which segments the critical hosts from other parts of the infrastructure. Given the critical role these jumphosts play in the operations, it is essential that they be highly protected and monitored.

This is where HoneyPoint Wasp comes in. One of the strongest use cases for Wasp in the field has been to help protect these critical jumphosts from compromise and give the security team deeper visibility into their operation. Wasp lends itself well to this task, especially given the static nature of the systems, by extending normal anti-virus to include deeper, more accurate behavior-based anomaly detection. For example, Wasp maintains a white-list of known applications on the jumphost. If a user or attacker starts a new process that Wasp has never seen before, an alert is generated for the security team to investigate.

This white-listing approach is not reliant on signatures or heuristics to determine if a process is malware or the like, it just learns what is known on the jumphost and when something new is observed, it alerts. In addition, with Wasp in place, the jumphosts are continually monitored for other common signs of infection and intrusion, like newly opened listening IP ports, changes to critical files in the file system, new accounts being created locally or changes to the population of the local administrators group, etc. This new vision into changes on the jumphost can give the security team a heads up when an attack against the critical core is in process. Further, it does so without false positives or noise to degrade their performance over time.

Pricing for HoneyPoint Wasp is comparable to anti-virus pricing. Wasp is designed to work in conjunction with normal anti-virus and is available for Windows systems. Other components of the HoneyPoint product suite are also being used heavily in enclaved environments to bring detection to areas of the network defined as being of the highest priority. Deployments of these tools are in place in government systems, financial organizations, telecomm, manufacturing and critical infrastructure, including SCADA networks. For more information about what HoneyPoint Wasp can bring to your IT environment, give us a call or drop us a line.

Welcome to the Post-Zeus/Stuxnet World!

The new year is always an interesting time in infosec. There are plenty of predictions and people passing on their visions of what the new year will hold. Instead of jumping on that bandwagon, I want to turn your attention not forward into the crystal ball, but backwards into the past.

While we were all focused on the economy last year, the entire information security threatscape suddenly changed, under the watchful eyes of our security teams. To me, the overall effectiveness, capability and tenacity of both Zeus and Stuxnet is an Oppenheimer moment in information security. For the first time, we see truly effective bot-net infections for hire that have REAL insight and awareness into specific business processes that move money. Attackers leveraging Zeus on a wide scale and in precise ways were able to grab funds, perpetrate new forms of fraud and steal from us in ways that many of us were unprepared for. It raised the bar on malicious software for criminals and that bar is now about to be raised further and further as criminals extend the concepts and techniques used to go beyond the present levels. On the other hand, Stuxnet represents a truly weaponized piece of code with a modular, expansive and highly extensible nature. It also showed an EXTREME amount of intelligence about the target processes, in this case specific SCADA systems, and perpetrated very very specific forms of attack. In the future those concepts may be extended outward to include attacks that cause loss of life or critical services, even as some of the core concepts of the Stuxnet code are applied to crimeware designed for fraud and theft.

All told, this quick look back at the past should lead us to identify that we must find new ways to increase our resistance to these forms of attack. Here are our challenges:

1) Clearly, simple anti-virus, even when combined with basic egress filtering at the network edges, has proven to be minimally protective. We have to identify the means for creating additional layers of protection against crimeware, and that begins with the absolutely HUGE task of creating mechanisms to defend our user workstations.

2) We have to do our best to prevent the infection of these systems, but MORE IMPORTANTLY, we have to develop and implement strong processes for identifying infected hosts and getting them out of our environment. Not only will this help us directly protect against the threats of crimeware and fraud, but it will also pay off in the longer term if we are able to reduce the overall load of bot-net infected systems which are in play against all of us for fraud, spam processing and DDoS attacks.

Just like in life, keeping your own house safe helps all of us to be safer. This is the very reason we build the HoneyPoint products and Wasp specifically. We want to help you find a better way to keep your systems safe at that level and thus far, Wasp is working well for customers around the world. (More on that in the coming months.)

I hope the new year brings you much success, joy and opportunity. I also hope this look backward helps drive awareness of what might lay ahead in the coming months and years. As always, thanks for reading and drop us a line if you want to discuss the issues. You can also find us on Twitter at @microsolved or myself, personally @lbhuston. Happy new year!