
Archive for the ‘General’ Category

Securely Deleting Data

Monday, March 8th, 2010

Securely deleting data is a requirement of most regulatory frameworks. But many organizations struggle with just how to do this in a way that is both secure and compliant. Some ways to do this include using software to overwrite the data, using a degaussing tool to magnetically damage the drives, and physically destroying them.

Make sure you keep in mind that whatever method you use, the goal is risk mitigation rather than risk elimination. You’re trying to mitigate the most risk for the least money. So while DBAN and smash therapy aren’t perfect, they do the job pretty well for what you need them to do. If you’re the DOD or NSA then of course you need to do something else. But if you’re the DOD or NSA you already knew that.

Another part of the HIPAA and SOX requirements is auditable documentation. NIST has a guide (linked below) which gives you a generic form for the types of data you need to track, including method of sanitization, serial number, who performed the test, etc. It is also beneficial to document your methodology since the auditors will want to see that along with your wiping logs.

DBAN is one of the most useful tools out there; it does several forms of wiping to remove data from all types of drives, including SCSI and older hardware. If the drives are all ATA and manufactured within the last five years (erring on the side of caution), the SecureErase command is more thorough and faster. This command is implemented in a number of utilities, probably the best known one being put out by UCSD and called Secure Erase (linked below). Obviously physical destruction is an option too; it can be fun and cathartic to take a sledgehammer to the drives, and old platters can make a great mobile for the crib geek’s ceiling.

Wiping portable media is a different issue entirely. Backup tapes, thumb drives and portable hard drive storage are three such examples of portable media. Each has its own challenges. I’ve addressed the hard drive issue above, but probably the best way to wipe the other two is physical destruction. It’s an easy process for small USB drives but can be difficult to do safely with backup tapes. I’d suggest contacting your paper records disposal company and asking them if they can provide this service for you. You may find that their rates are low for this sort of thing.

NIST Special Publication 800-88 – Guidelines for Media Sanitization
http://csrc.nist.gov/publications/nistpubs/800-88/NISTSP800-88_rev1.pdf

DBAN
http://www.dban.org/

Secure Erase
http://cmrr.ucsd.edu/people/Hughes/SecureErase.shtml

National Industrial Security Program Operating Manual DoD 5220.22-M 2006 (Deprecated)
https://www.dss.mil/GW/ShowBinary/DSS/isp/odaa/documents/nispom2006-5220.pdf

Data Erasure
http://en.wikipedia.org/wiki/Data_erasure

Data Remanence
http://en.wikipedia.org/wiki/Data_remanence

Marcus Ranum’s method of physical destruction
http://www.ranum.com/security/computer_security/editorials/diskcrypt/index.html


Spam and the Changing Business Model of Cyber Crime

Wednesday, February 10th, 2010

In the past couple of months, the Freakonomics blog asked why there has been such a downturn in the familiar Viagra and Nigerian prince spam. The author attributed this to the cost of spamming no longer being worth the rates of return. Most commentators pointed to better spam filtering software.

While anti-spam filtering does seem to have improved, there may be more behind the observed downturn. Temporary declines have been noted whenever some of the bad guys’ ISPs get taken down, but the general trend is toward continued spamming. Interestingly, though, anecdotal evidence (my spam filter) doesn’t suggest that the spammers are spending much time coming up with new tricks to avoid detection.

So back to the Freakonomics theory: a change in business models. From what we’ve been seeing, cyber criminals seem to be spending more time focusing on different types of attacks on your inbox. In the last year or so, we in the Information Security business have seen a dramatic rise in phishing attacks, particularly more targeted phishing attacks.

Phishing attacks in which a criminal targets smaller regional areas have been quite popular. Criminals will try to find an area where there are only a few financial institutions and then send emails, text messages and leave voice mails for victims they believe are in that area. These messages will either be of the traditional kind, asking for sensitive information over the Internet, or they will instruct the recipient to call a 1-800 number to divulge information. The criminals then charge money on credit cards and withdraw from ATMs.

In addition, criminals are targeting businesses more frequently. Legitimate-looking emails impersonating organizations like the IRS, UPS and the Better Business Bureau are common in these attacks. The goals here are less about sensitive information and more about installing malicious software to infiltrate a company. Usually the goal is to get access to a corporate bank account and transfer money electronically.

So it seems that the Freakonomics guys were right, it does come down to simple economics and opportunity costs. Spam is cheaper and easier per email, but phishing brings in far more money. Enough money, in fact, that organized crime groups can set up processing centers to do all the work while the cyber kingpins drive around in their Maseratis in Marseilles. That beats Nigeria any day.


Poor UI Breaks Portions of the Internet

Thursday, February 26th, 2009

On February 16th, 2009 there was a Border Gateway Protocol (BGP) anomaly which caused connectivity issues for some portions of the Internet. Arbor Networks and Renesys both provided good write-ups of the event. The basic problem was that SuproNET, a local Czech ISP, announced a BGP route with an extremely long Autonomous System (AS) path. The AS path is a BGP attribute that acts like a trail of bread crumbs showing how a route announcement got from its originator to you. As the route announcement passes through various networks, each adds its AS number to the AS path, so that when that AS propagates the route, packets can find their way back home. We generally want packets to take the shortest path, so the length of the AS path is a fairly important metric used for route selection. As the Internet is highly interconnected, most AS paths are short – usually under a dozen hops.

When network engineers optimize routing, as they are wont to do, they often want a certain link to be preferred over others. A common way to do this is known as AS prepending. This simply means adding your own AS number multiple times to paths you want used less frequently. Other networks will see a longer path and be less likely to use that route.

Unfortunately, sometimes things go wrong. What happened a few days ago was that a route was announced with the originating AS prepended over a hundred times. Some routers were not able to handle this unusual condition and were unable to process routing updates or even crashed. There was even a new bug discovered in Cisco IOS because of this problem. The end result was that some networks were not able to route to some subset (potentially all) of the other networks comprising the Internet.

On February 20th someone from SuproNET posted to the North American Network Operators’ Group (NANOG) mailing list, explaining what had happened. While attempting to modify the number of prepends on a route, an engineer entered their AS number, thinking that it would be treated as a string and added to the current AS path. Instead, it was treated as an integer controlling how many times the originating AS number was prepended. This is because MikroTik routers have a syntax very similar to that of the same command on a Cisco router, but differ in how that single argument is treated. The router truncated the number (ignoring the high bits and keeping only the low 8: 20912 mod 256 = 176) to trim it down to an only slightly unreasonable size (176 instead of 20912) and then propagated the Internet-breaking route.

BGPmon has a page up showing recent routes with long AS paths. The three longest AS paths are a result of the MikroTik bug. As with many other similar problems, there are multiple failures here. An incorrect configuration was entered, due to a poor user interface. Then there were several routers that did not sanitize inputs correctly, resulting in crashes and other problems when they received unusual inputs. Thankfully, the network operators of the world are a wily and resilient bunch, capable of quickly organizing and resolving problems of this sort. Without their quick reaction, this (and many other problems you’ve probably never heard of) would cause a lot more downtime for the Internet at large.
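The input-sanitization failure described above is easiest to see in code. The following is an added example, not code from the post and not the implementation of any router vendor: a bounded parser for a textual AS path that counts hops, measures the longest run of back-to-back prepends, and refuses the path once it passes a hop limit. The names, the limit (AS_PATH_MAX_HOPS) and the sample paths are all constructed for illustration; the sample AS numbers come from the private and documentation ranges rather than from any real network.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical policy limit on AS path length; not a real router default. */
#define AS_PATH_MAX_HOPS 64

typedef struct {
    size_t hops;        /* number of AS numbers seen before stopping */
    size_t longest_run; /* longest run of one AS repeated back to back */
    int accepted;       /* 0 if malformed or longer than AS_PATH_MAX_HOPS */
} as_path_report_t;

/* Parse a textual AS path such as "64496 64497 64497 64497 64498".
 * Work is bounded: parsing stops as soon as the hop limit is exceeded,
 * so an absurdly long path cannot overrun a fixed buffer or burn
 * unbounded CPU before the update is rejected. */
as_path_report_t check_as_path(const char *text) {
    as_path_report_t r = {0, 0, 1};
    unsigned long prev = 0;
    size_t run = 0;
    const char *p = text;

    while (*p) {
        while (*p == ' ') p++;
        if (!*p) break;
        if (!isdigit((unsigned char)*p)) { r.accepted = 0; return r; }

        char *end;
        unsigned long asn = strtoul(p, &end, 10);
        /* Reject values outside the 32-bit AS number space and any trailing junk. */
        if (asn > 0xFFFFFFFFUL || (*end && *end != ' ')) { r.accepted = 0; return r; }
        p = end;

        if (++r.hops > AS_PATH_MAX_HOPS) { r.accepted = 0; return r; }
        run = (r.hops > 1 && asn == prev) ? run + 1 : 1; /* track prepend runs */
        if (run > r.longest_run) r.longest_run = run;
        prev = asn;
    }
    if (r.hops == 0) r.accepted = 0; /* an empty path is not a valid update */
    return r;
}

/* Build "asn asn asn ..." with the given number of copies and check it,
 * mirroring an announcement whose originator was prepended far too often. */
as_path_report_t check_prepended_path(unsigned long asn, size_t count) {
    as_path_report_t r = {0, 0, 0};
    size_t cap = count * 12 + 1;   /* up to 10 digits plus a space per hop */
    char *buf = malloc(cap);
    if (!buf) return r;
    buf[0] = '\0';
    size_t len = 0;
    for (size_t i = 0; i < count; i++)
        len += (size_t)snprintf(buf + len, cap - len, i ? " %lu" : "%lu", asn);
    r = check_as_path(buf);
    free(buf);
    return r;
}

int main(void) {
    /* Constructed sample: three prepends of 64497 in an otherwise short path. */
    as_path_report_t ok = check_as_path("64496 64497 64497 64497 64498");
    printf("normal path: hops=%zu longest_run=%zu accepted=%d\n",
           ok.hops, ok.longest_run, ok.accepted);
    /* Constructed sample: a private AS number prepended 176 times. */
    as_path_report_t bad = check_prepended_path(64512UL, 176);
    printf("over-prepended path: hops=%zu accepted=%d\n", bad.hops, bad.accepted);
    return 0;
}
```

The point of the design is that the hop limit is enforced while parsing, not after the whole attribute has been read into memory; a router that only looks at the length once the update has been fully decoded has already done the work the oversized input was able to force on it.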


Chinese Hackers Talk Hacking

Sunday, January 4th, 2009

[Photo: Chinese hackers, Beijing, China, 4/2008]

Zhong guo hei ke tan hei ke, or ‘Chinese Hackers Talk Hacker,’ was an information security conference held earlier this year in Beijing, China. Sponsored by Yesky, a popular Chinese electronics e-retailer, the event drew around 80 attendees, most of whom were hackers that had previously communicated entirely over the internet. Some of the more well-known attendees included Frankie Zie (now CTO of a network security company in China, former black-hat and well-known in Shenzhen), r00t (has hacked numerous U.S. websites), and netcc (claims to possess the ability to hack a thousand websites per month).

These figures show some attack trends gathered by the SecureWorks CTU (Counter Threat Unit). Shown here is the number of cyber-attacks per foreign country. These stats are from September 2008, but it is clear that China’s numbers dwarf those of other foreign countries, and still, attacks from China continue to increase.

[Figures: number of cyber-attacks per foreign country, SecureWorks CTU, September 2008]

In interviews given at the conference and online, we get some insight into the Chinese hacking subculture and how it is growing at such a rapid pace. Translated below are some interesting responses that seemed to reflect the attitude of the populace:

Q: Under what circumstances will you perform a hack?

A: If it is a matter that affects us internationally, then we will gather members to perform the attack. Most of the time, we attack through the web site.

Q: What’s the difference between Chinese and U.S. hackers?

A: Over the past few years, Chinese hackers could not compare with hackers overseas. However, our hacking level is increasing rapidly. For example, we recently discovered a Microsoft vulnerability.

Xiao Rong, well known among the guests, provides software tools for use by other members of the hacking community. He begins his work nightly at 9pm and spends all night scanning overseas websites for latent vulnerabilities. His guiding principle is ‘Don’t be hostile towards society.’ Overall, the attitude seems to be white-hat in nature, despite some guests’ history. It seems that if one’s intentions are judged to be ‘good,’ performing the hack seems to be acceptable (never mind the legalities).

Here’s more from the conference:

Q: What is a hacker?

A: Hackers are a very disagreeable topic. In my opinion, hackers are interested in any kind of computer system; they proactively look for vulnerabilities in systems and at the same time look for solutions. Another kind of hacker, the ‘cracker,’ just intentionally breaks into others’ systems and causes interruption to their systems. Now, the media categorizes both hackers and crackers alike. I must clarify that this is wrong.

Q: Who is your idol?

A: Kevin Mitnick. In my opinion, the real hacker will not name himself as such, only by others.

Q: What does the existence of hackers mean for the Internet?

A: The internet would not exist without hacker culture. In the 70’s, hackers proposed a simple machine to serve people, and thus created the PC. Apple was also created by 70’s hackers. Later, hackers proposed the sharing of information and thus created the Internet.

Another guest known as ‘Shot Gun’ commented: “…more than 80 percent of Chinese websites are vulnerable. In February of this year, the most secure network, Yahoo, was hacked – this made people realize the importance of network security. However, many companies don’t have the resources to secure their own network.” Later, while speaking about what ‘real hacking’ involves:

…the true hacker will lock themselves in a room, eating only instant noodles, with cigarette butts everywhere. The men do not shave for months, just to solve a technical difficulty.

…hackers are irreplaceable. Hackers are warriors, we should be grateful for their dedication and give them a “real name.”

As the Chinese ‘hackers’ and ‘crackers’ (it’s not immediately apparent that white-hats in other nations are playing by the same rules either) continue to mount attacks, the SecureWorks CTU continues to investigate and protect against these threats.

Information Source: http://blog.54master.com/index.php/710520/viewspace-31153


IE Users Beware

Monday, December 22nd, 2008

On December 9, 2008, a “weaponized” zero-day exploit for a previously undisclosed vulnerability in Microsoft Internet Explorer 7 was discovered in the wild being used by Chinese hackers to install malware on victims’ computers. The exploit was based on a proof-of-concept that was posted on a Chinese forum early in November of 2008 and, coincidentally, was launched on the same day as Microsoft’s last batch of security patches for the year. The vulnerability is caused by memory corruption that results from an invalid pointer reference when Internet Explorer handles Dynamic HTML (DHTML) data bindings. The exploit itself is written in JavaScript and is intended to execute only in Internet Explorer 7 browsers on Windows XP, Windows Server 2003, Windows Vista, and Windows 2008; however, the underlying vulnerability resides in all versions of Internet Explorer. As of this date, no exploit targeting those other versions has been discovered.

To exploit this vulnerability, a malicious website would cause IE to create an array of data binding objects, release one of the objects and re-reference it later on. The result is that Internet Explorer neglects to check the new array length after the object is released, and a loop will continue to reference the released object, resulting in a use-after-free condition. If the deleted object’s memory space is reallocated and filled with user-supplied data, Internet Explorer could crash in a way that is exploitable and effectively allow remote code execution with the privileges of the logged-in user. While most attacks that exploit this vulnerability are being used to propagate malware, one must realize that this vulnerability can be leveraged to execute arbitrary code.
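The bug pattern in the paragraph above (a loop that caches the array length, while processing one element releases another) is worth seeing next to its fix. The C model below is an added example written for this page; it is not Internet Explorer’s code and none of the names are real browser identifiers. To keep it safe to run, nothing is actually freed: a released flag stands in for freed memory, so a stale access can be counted instead of dereferencing a dangling pointer. The walk routine reproduces the flaw when the live length is read only once, and the fix when it is re-checked on every iteration.

```c
#include <stddef.h>
#include <stdio.h>

#define MAX_BINDINGS 8

/* Hypothetical stand-in for a DHTML data binding object. */
typedef struct {
    int id;
    int released;   /* 1 once release_binding() has run; stands in for "freed" */
} binding_t;

/* Hypothetical stand-in for the array of bindings the browser walks. */
typedef struct {
    binding_t *slots[MAX_BINDINGS];
    size_t length;  /* live element count; slots past it are stale */
} binding_array_t;

static binding_t pool[MAX_BINDINGS];

static void init_bindings(binding_array_t *arr, size_t n) {
    arr->length = n;
    for (size_t i = 0; i < MAX_BINDINGS; i++) {
        pool[i].id = (int)i;
        pool[i].released = 0;
        arr->slots[i] = (i < n) ? &pool[i] : NULL;
    }
}

/* Release slot i: mark the object dead, move the last live object into its
 * place and shrink the length. The old last slot deliberately keeps the dead
 * pointer, just as freed memory keeps its old contents until it is reused. */
static void release_binding(binding_array_t *arr, size_t i) {
    binding_t *dead = arr->slots[i];
    dead->released = 1;
    arr->slots[i] = arr->slots[arr->length - 1];
    arr->slots[arr->length - 1] = dead;
    arr->length--;
}

/* Processing a binding can run script. Here, processing id 0 releases the
 * binding in slot 1, mimicking a handler that tears down a binding while the
 * enclosing loop is still running. */
static void process_binding(binding_array_t *arr, binding_t *b) {
    if (b->id == 0 && arr->length > 1)
        release_binding(arr, 1);
}

/* Walk the array and return how many times a released object was touched.
 * recheck_length == 0 reproduces the flaw: the count is read once before the
 * loop. recheck_length == 1 is the fix: the live length is consulted on every
 * iteration, so the loop stops as soon as the array has shrunk. */
static size_t walk_bindings(binding_array_t *arr, int recheck_length) {
    size_t stale = 0;
    size_t n = arr->length;            /* cached once: the vulnerable pattern */
    for (size_t i = 0; i < n; i++) {
        if (recheck_length && i >= arr->length)
            break;                     /* the array shrank underneath us */
        binding_t *b = arr->slots[i];
        if (b->released)
            stale++;                   /* a real browser would touch freed memory here */
        else
            process_binding(arr, b);
    }
    return stale;
}

/* Constructed scenario: four bindings, one released mid-walk. Returns the
 * number of accesses to a released object for the chosen loop variant. */
size_t stale_touches(int recheck_length) {
    binding_array_t arr;
    init_bindings(&arr, 4);
    return walk_bindings(&arr, recheck_length);
}

int main(void) {
    printf("cached length:     %zu stale access(es)\n", stale_touches(0));
    printf("re-checked length: %zu stale access(es)\n", stale_touches(1));
    return 0;
}
```

In the cached-length walk the loop reaches the fourth slot, which now holds the released object, which is exactly the dangling reference an attacker would aim to have reallocated with controlled data. Re-reading the live length on each iteration is the narrow fix; the broader lesson for any code that runs callbacks while iterating a container is to assume the container may have changed by the time the callback returns.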

There are inherent vulnerabilities that exist in all browsers, but Internet Explorer is the most widely used web browser around the world, making it a prime target for hackers. The time between the release of proof-of-concept code and the release of full-fledged exploits is getting shorter and shorter. Although Microsoft has been quick to release workarounds to mitigate vectors for exploitation, the seriousness of this flaw has prompted Microsoft to release an out-of-cycle security update, MS08-078.

In order to maintain a good security posture, minimize your risk by being aware of the vulnerabilities that may pose a threat, and be prepared to show due care when a threat comes knocking at your door. Considering that security and functionality can often be a tradeoff, there isn’t a single product or configuration that caters to everyone; the solution is to figure which tradeoffs are appropriate for you or your company. As such, until issues like this can be addressed with a security patch, users should apply the workarounds, and/or consider using an alternate browser in the meantime.


FTC takes on Antivirus XP

Friday, December 12th, 2008

Early last week the FTC took aim at Antivirus XP and the people behind it. This kind of scareware is a well known scam. My colleague Joe Stewart had previously investigated a similar scam, run by the Russian Bakasoftware group. From the court filings, the group the FTC is pursuing is run by American and Canadian citizens. The FTC sought and was granted a temporary restraining order (TRO) that requires the entities and people behind Antivirus XP to stop claiming they are performing AV scanning, concealing their identities (including to cease use of any domains registered using false information), and to not spend, hide or transfer any of their ill-gotten gains.

The TRO also extends to the defendants’ web hosting providers and banks. They are respectively ordered to take down and preserve web properties and to freeze assets owned by the defendants.

These scareware products have been marketed under a wide variety of names; those listed in the FTC’s complaint include WinFixer, WinAntivirus, DriveCleaner, WinAntispyware, ErrorProtector, ErrorSafe, SystemDoctor, AdvancedCleaner, Antivirus XP, and XP Antivirus 2008. These are remarkably similar to the names used by the Bakasoftware group that Joe reported on: Easy Spyware Cleaner, SpyRid, InfeStop, WinIFixer, Advanced XP Defender, Advanced XP Fixer, Malware Protector 2008, Antivirus XP 2008. We do not believe these groups are related, but rather that this is another example of successful tactics being copied by other malicious actors.

These scareware products have defrauded millions of dollars from consumers and left them vulnerable to other malware. It’s great to see the FTC take action against them. The order also requires the defendants to supply the FTC with business records, including affiliate data.

Hopefully the FTC will also be able to go after the affiliates. As we previously disclosed, affiliates can earn big money from this kind of scam. A hacker known as NeoN broke into the Bakasoftware affiliate website and found that some affiliates were earning in excess of a hundred thousand dollars a week installing antivirus scareware.

The hearing for this issue is scheduled for this (Friday, December 12, 2008) afternoon. The defendants are ordered to appear, but personally I don’t have terribly much confidence they will be there. Even if not, I’d like to see the FTC follow the paper trail and seize assets. The complaint, restraining order, and press release can be found at the FTC’s website. Good job FTC, and good luck chasing the money trail.


First Atrivo, Now McColo

Tuesday, November 18th, 2008

Security researchers have had a number of victories to celebrate recently. First Atrivo and now McColo have been disconnected from the Internet. This was done not by law enforcement or other governmental action, but rather by the concerted efforts of the Internet community. The Internet is made up of privately owned networks that are voluntarily connected. The companies that were connected to Atrivo and McColo have severed those connections, removing the companies from the Internet.

Removing those two companies from the Internet has also removed large amounts of botnet and spam infrastructure. Several sources have reported seeing spam drop as much as 60-70% following McColo’s loss of connectivity. There was a similar, but smaller, drop when Atrivo was taken offline. Of course, one of the reasons that the McColo disconnect reduced spam more than Atrivo’s is that some of the spammers simply moved from Atrivo to McColo.

Back in October, my colleague Joe Stewart documented the Warezov botnet moving to McColo and also predicted (quite correctly as it turned out) that disconnecting McColo would reduce spam by one-half world wide. A number of other botnets, including Rustock, Srizbi, Pushdo and Ozdok had infrastructure hosted at McColo.

It’s clear that this infrastructure remains in place. Over the weekend McColo was able to temporarily find a new upstream provider. Thankfully, they were quickly shut down again. However, this did allow botnet C&C platforms in McColo to connect to their bots, updating software and rerouting the bots to new C&C servers located elsewhere. This has been seen to be happening with Srizbi, where researchers were able to register domains used as a fallback C&C mechanism.

Other botnets will also be relocating their C&C servers. While most, if not all, will just pop up in another datacenter, the growing trend of upstream providers disconnecting nefarious hosting companies is encouraging. So far these companies have been US based. We’re now seeing early evidence that bot-herders are moving their C&C servers overseas. The next question is: will the Internet community be able to put pressure on those companies and their upstream providers to prevent the bot-herders from finding a new safe haven?


Beginning of the end for EstDomains

Monday, November 3rd, 2008

If you’re a hacker wanting to register a domain for nefarious purposes, EstDomains is your go-to guy. They registered tens of thousands of malicious domains during their existence, providing an integral piece of the malware lifecycle. The Russian Business Network (RBN) used them extensively for their “bullet proof” hosting (web hosting designed to make takedowns extremely difficult if not impossible). Back in February of this year Vladimir Tsastsin, EstDomains’ founder, was sentenced to three years in prison for forgery, money laundering and credit card fraud. This conviction put EstDomains in breach of section 5.3 of ICANN’s Registrar Accreditation Agreement. This section states:

Any officer or director of [a] Registrar is convicted of a felony or of a misdemeanor related to financial activities, or is adjudged by a court to have committed fraud or breach of fiduciary duty, or is the subject of judicial determination that ICANN deems as the substantive equivalent of any of these; provided such officer or director is not removed in such circumstances.

On October 28th, ICANN notified EstDomains that on November 12th, 2008, it would no longer be an accredited registrar. ICANN has posted this notice here: http://www.icann.org/correspondence/burnette-to-tsastsin-28oct08-en.pdf

EstDomains is currently attempting to distance itself from Tsastsin in an attempt to stay in business. They responded to ICANN claiming Tsastsin was removed from his position in January, one month before his conviction on the 29th: http://www.icann.org/correspondence/poltev-to-burnette-29oct08-en.pdf

Due to this response, on October 29th ICANN stayed the termination process:
http://www.icann.org/en/announcements/announcement-2-29oct08-en.htm

Hopefully ICANN will make the right decision and shut down these criminals for good.


ClickJacking Attacks

Friday, October 10th, 2008

ClickJacking has recently been getting lots of media attention. Security researchers Robert Hansen (“RSnake”) and Jeremiah Grossman planned to give a talk outlining this vulnerability at OWASP AppSec, but the talk was cancelled. At this point, some details have come to light. The specifics of the attack may vary. Some variants require JavaScript, Flash, cross-domain access, IFRAMEs, overlays, or a combination of these.

The attack starts with a malicious web page that may have some unintended consequences for the visitor. Objects embedded in the page may capture mouse clicks and direct them to a hidden target. Hijacked clicks from users may be used in many ways, including deleting mail, advertisement click fraud, or other, more sinister actions. A demo page demonstrating one possible variation (reading images from a webcam without the user’s knowledge) can be seen at the following URL:

http://guya.net/security/clickjacking/game.html

Unfortunately, there is no quick and easy fix. Firefox users using the NoScript plugin will thwart the majority of these attacks (make sure you are using version 1.8.1.9 or later!). We will continue to monitor this vulnerability and provide an update when more information is available.


Speaking at ToorCon This Weekend

Tuesday, September 23rd, 2008

I have the honor of presenting at ToorCon X this coming weekend at the San Diego Convention Center. I will be delivering a new talk entitled “Loaded Dice: SSH Key Exchange & the OpenSSL PRNG Vuln” at 2pm PDT on Saturday, September 27. If you’re in the vicinity of southern California this weekend, I encourage you to make the trip down to ToorCon. Based on my experience as an attendee last year, it is a great smaller con with a strong reputation for very deep technical talks.

I’ll also be in the Crash Course in Penetration Testing Workshop and the Deep Knowledge Seminars, so maybe I’ll catch some of y’all there too, before the actual conference kicks off Friday evening.
