The sword of insecurity

Business has evolved to embrace the delivery channels of the internet, and we now see a globalised footprint of operations generating vast profits out of online etrade, adding much to the gross national product (GNP) of many countries across all continents. With this in mind John Walker, Secure-Bastion, examines the evolution of ecrime and its effect on business, and postulates on trends to come.

We also see wide utilisation of offshore service providers, to support remote systems and applications, to develop code, or to provide other distance-based services, all of which depend on the durability of the supporting infrastructure to carry such trade-based communication and to underpin the contracted service.

Businesses are also keen to leverage the lower running costs offered by the internet, and many more corporates and SMEs are now deploying lower-cost IP communications, be they pure VoIP, the more popular technology of choice within the SME community, Skype, or other lower-cost telecommunications such as Vonage.

Uptake of advances in technology is not confined to the workplace; it reaches into the home as well. Here too we see a dependency on the internet to carry everyday transactions: completing tax returns, home banking, buying products and groceries (saving that trip down to the shops in the family car), or monitoring home security when on holiday.

Entertainment may also be dripping from the IP tap, with on-line gambling and IP television, and of course, as with the corporate user, we also see the internet used to carry voice communications. Overall, the profile implies high usage of, and high expectations from, the invisible connectivity we refer to as the net.

There are actually two issues which have an adverse impact on those who rely on the internet and on-line trade, and they are:

  1. As with any business venture that attracts finance, organised crime (ecrime) has increased its focus and interest on this area, targeting both home and business users.
  2. Whatever the user type, they do not always deploy adequate levels of security, and so by inference are left exposed.

ecrime

Consider the current threats, starting with phishing, a practice that aims to fool the user into using a spoofed site to conduct some form of transaction, thereby exposing sensitive information to non-authorised persons (criminals).

There is also a series of other attacks which ecrime gangs may leverage to circumvent end-user security. These range from compromising the end-of-line device (say the PC) and then installing some form of Trojan code onto the machine to gather information, to recruiting the machine into what is termed a botnet, which may then be used to participate in a distributed denial of service (DDoS) attack against a specific target, a criminal speciality normally aimed at business environments.

Recent tactical advances supporting ecrime have made attacks more effective at delivering the criminal's end intent, and they are getting ever more sophisticated, one example being a configuration referred to as Rock phish.

At the time of writing, the most recent identified Rock phishing attack was mounted against an on-line credit agency in October 2007 with some success, causing internet-serving hardware to crash and burn, and creating a business-related outage resulting in loss of revenue.

In simple terms, a Rock phish requires ownership of multiple domain names, which are normally nonsensical, e.g. dio666.org. These are then built into spam email which creates the look and feel of a genuine communication. Underlying the Rock phish attack is the use of wildcard DNS, employed so that the domain resolves to a varying set of IP addresses, which are in turn mapped onto a dynamic pool of compromised machines.

Clearly space in this article will not allow expansion in depth, but what this means in terms of threat vectors is that Rock phishing sites are much more durable and harder to take down, with an average time to live (trading up-time) of more than 160 hours.

There are also other advances in the world of ecrime which support the potential for higher success rates, and higher criminal profitability, another example being fast-flux domains.

Again in simple terms, these are deployments utilising multiple domains linked to multiple IP addresses, which rotate to new IPs on a regular basis, and do so again and again, potentially consuming thousands of IP addresses. When this approach is employed it becomes almost impossible to quickly take down such deployments, which are most likely compromised systems anyway.
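The two characteristics described above, wildcard hostnames under a throwaway domain (Rock phish) and a resolution set that keeps rotating across unrelated networks (fast flux), can both be surfaced from a resolver's own logs. The following is an added detection example, not code from the article or from Secure-Bastion; it assumes a constructed log format of "timestamp hostname ttl ip" and uses illustrative thresholds, and it aggregates wildcard hostnames onto their parent domain before scoring.

```python
import ipaddress
from collections import defaultdict

# Constructed resolver log (not from the article): "timestamp hostname ttl ip".
# dio666.org is the throwaway-style domain the article names; the rest are TEST-NET ranges.
SAMPLE_LOG = """\
1200000000 www.example-bank.com 3600 198.51.100.10
1200000600 www.example-bank.com 3600 198.51.100.10
1200001200 www.example-bank.com 3600 198.51.100.11
1200000000 xk3f.dio666.org 300 192.0.2.15
1200000300 q9zz.dio666.org 300 198.51.100.77
1200000600 aa11.dio666.org 120 203.0.113.201
1200000900 xk3f.dio666.org 180 192.0.2.99
1200001200 b7b7.dio666.org 60 203.0.113.8
1200001500 q9zz.dio666.org 60 198.51.100.3
"""

def base_domain(hostname: str) -> str:
    """Collapse wildcard-DNS hostnames (xk3f.dio666.org, q9zz.dio666.org) onto
    the registered domain. Keeping the last two labels is a simplification
    (assumption); a real deployment would consult the public suffix list."""
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def parse_log(text: str):
    """Return (timestamp, base_domain, ttl, ip_address) tuples, skipping malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, host, ttl, ip = parts
        records.append((int(ts), base_domain(host), int(ttl), ipaddress.ip_address(ip)))
    return records

def flux_profile(records):
    """Per base domain: (distinct IPs, distinct /16 networks, lowest TTL seen)."""
    ips, nets, min_ttl = defaultdict(set), defaultdict(set), {}
    for _, dom, ttl, ip in records:
        ips[dom].add(ip)
        nets[dom].add(ipaddress.ip_network(f"{ip}/16", strict=False))  # crude ASN proxy
        min_ttl[dom] = min(ttl, min_ttl.get(dom, ttl))
    return {d: (len(ips[d]), len(nets[d]), min_ttl[d]) for d in ips}

def suspected_fast_flux(records, min_ips=5, min_nets=3, max_ttl=300):
    """Flag domains with many IPs spread over several networks and short TTLs.
    Thresholds are illustrative (assumption), not figures from the article."""
    return sorted(d for d, (n_ip, n_net, ttl) in flux_profile(records).items()
                  if n_ip >= min_ips and n_net >= min_nets and ttl <= max_ttl)

if __name__ == "__main__":
    print(suspected_fast_flux(parse_log(SAMPLE_LOG)))
```

A legitimate site served from one hosting block with long TTLs stays below every threshold, while the rotating pool behind dio666.org trips all three.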

Another low point in the world of insecurity is that many large businesses do not report security issues and events, e.g. DoS and phishing, to the high-tech crime units. There is still a very strong opinion in the corporate world that the only way to protect reputation is to reveal no information outside the company, but this actually does an injustice both to the company under attack and to the wider community.

By sharing such information and intelligence with the law enforcement community, we empower them to analyse it, enabling operations like the Serious Organised Crime Agency (SOCA) and their associates to have a real-time snapshot of what is actually happening.

In addition, such agencies will also have sight of the footprint, breadth and depth of an attack, enabling them to pinpoint the perpetrator, through cooperation with other serious crime agencies where necessary, track down the masters, and put them where they belong - behind bars. Organisations that do reveal security incidents to law enforcement can be assured that the information will be treated confidentially (covered by the SOCA Act 2005) and will most certainly not be publicised onward.

However, there would seem to be good news on the horizon, as there has been a significant decline in the number of viruses and worms arriving at the PC; but again this is just another sign of the times. When viruses first appeared in their early active states, whilst they were a real issue for most employed in the world of computing, in many cases such infestations were all about the notoriety of their creators - Cascade, Brain and Coffee-Shop are such examples.

However, infamy does not pay the rent. Enter organised crime. What we now see is a trend to utilise the skills of anarchistic individuals to craft code and payloads to circumvent security, whatever criminal intent the code is crafted to carry - it matters not. So don't be fooled: keep your perimeter and desktop protection up to date and alert, because the threats have never been higher.

On the other side of the sword of insecurity there are the security vulnerabilities, patches and fixes released on a regular basis by the majority of vendors. Here, on one side of the challenge, we see a continuous state of chasing security to keep security profiles up to date.

On the other side, however, there is a commitment to ensuring that insecurities will always be present. A good example, or should I say bad example, is Patch Tuesday, when Microsoft release their updates to secure identified vulnerabilities and bugs - a good thing for all.

Just to illustrate how important this is, consider the updating of a brand new Vista Ultimate laptop (as of October 07), which required 29 updates for the O/S and the installed Office applications, all of which had to be applied.

Sadly, those on the other side of the blade, whose concern is compromising security, commonly follow up with a "Black Wednesday" release of new security issues and exposures, and so the cat-and-mouse chase goes on, and there isn't much anyone can do about it.

In fact it is much the same for any other security application. It is not until the exploits are known, the virus signatures and strings identified, or the vector and profile of the threat understood, that the defensive fixes and responses can be deployed. This explains why there is so much concern about zero-day threats. Take it from me, they are here; I have seen them in action with new releases of virus attacks - just 15 minutes before the antivirus update was installed.

One would expect, in today's high-tech business world, to find adequate and realistic profiles and practices of defence being deployed, covering all areas of potential exposure and vulnerability, but this is not always the case. I do of course accept that there is no such thing as 100 per cent security, and I also accept that business can't operate under Fort Knox security, but consider some of the security issues that have been publicised.

In many cases they came down to what may only be considered, at best, a shortfall in the stance of operational security, and at worst just slack - and I would suggest this may be the case in more organisations than one would care to admit. Lost laptops, unencrypted data, stolen credit card information and non-secure personal records all spring to mind, and as there are no obligations in the UK for much of this to be reported, just how much of your personal data has been exposed? You simply don't know what you don't know.

The conclusion is that ecrime is now a very successful industry generating millions, if not billions, on an annual basis, and it may be that until the world of industry and commerce starts to take this seriously, we will see more issues of significance come home to roost.

All this is linked with the current high dependence on internet connectivity, both at home and in the workplace, a developing trend which may indicate a dangerous over-dependence on connectivity.

March 2008