Monday, June 8, 2009
Goodbye, WatchGuard Blogs; Hello, WatchGuard Wire!
As you've probably noticed, we haven't posted any updates to this blog in many months. Regular readers are probably wondering where the heck we've been. The short answer is that, due to many changes at WatchGuard, we will be retiring these WatchGuard Blogs and returning to the WatchGuard Wire.
Scott Pinzon and I originally started this blog as an experimental offshoot of the WatchGuard Wire. At the time, we'd been posting blog-like security stories on the Wire for years. However, our voice on the Wire was very business professional; it didn't leave much room for our personalities or personal interests to come out. We started the WatchGuard Blogs with the desire to change that. The Blog was where we could share our personal opinions about the security stories we reported. We also hoped the blog would provide our readers a place to share their opinions. We dreamed of starting our own small security community.
In the beginning, this all worked out well. When we started, we had another analyst, Mark Waldstein, take over the normal news posts on the WatchGuard Wire, which left both Scott and me plenty of time to post on the Blog. So what happened? Well, we lost some people.
Unfortunately, both Scott and Mark have left WatchGuard to pursue other opportunities. While this is great news for them, I'm sad to have seen them go. I enjoyed working with both of them. Scott in particular has been my "partner in crime" for years here at WatchGuard. We pioneered many new projects together, including our well-known Malware Analysis video series.
These personnel changes, as well as a slight change in my own job title, have left our various security content feeds very understaffed. Essentially, it leaves only me to write LiveSecurity Alerts, WatchGuard Wire posts, WatchGuard Blog posts, and to record the Radio Free Security podcast. One man can't do it all. In order to provide regular content, one of these feeds had to go. That's why we're officially discontinuing the WatchGuard Blogs.
Don't fret though, there is a silver lining. You can still get the same type of blog-like security stories I posted here at the WatchGuard Wire. In fact, I plan on adopting the more relaxed voice we used here on the Wire. So if you'd still like to follow my security stories, I encourage you to subscribe to the WatchGuard Wire feed.
Also, if you're crunched for time and just want to know where to find the latest security stories, I recommend you follow me on Twitter. I tweet as SecAdept. With so many tasks to do, I only post to the WatchGuard Wire around twice a week. However, I tend to tweet daily about the latest security news. So if you're really interested in the latest breaking security news, you can find it on Twitter.
I apologize that it has taken me so long to officially explain our absence on the blog. It simply took a while to adjust to these internal changes, and to formulate a new content plan. I hope you continue to follow our security posts at the WatchGuard Wire and on Twitter. Nonetheless, thank you for reading the WatchGuard Blogs. It was a pleasure to provide it for you, and I enjoyed meeting some of you in the comment section. Adieu.
Friday, February 20, 2009
Want to score a cool quarter mil? Track down Conficker's maker
What's a sure sign that Conficker (also called Downadup) has actually infected lots of innocent users? The answer is, when Microsoft offers a $250,000 bounty on the worm author's head.
According to their press release, if you can supply any information that leads to the arrest and conviction of those responsible for the Conficker worm, Microsoft wants to give you a quarter million dollar reward. That's a nice chunk of change! I suspect many a researcher is scurrying to his or her underground contacts, trying to dig up some information on the gang behind this infection.
Meanwhile, the deplorable malcontents behind Conficker have not rested on their laurels. According to the latest reports, researchers have already discovered a new variant of Conficker called Conficker B++. The original Conficker generated seemingly random malicious domains using an algorithm that changed daily, in order to find locations where it could download new malware. A group of malware fighters calling themselves the Conficker Cabal cracked this algorithm and locked those future domains, thus preventing Conficker from downloading future malicious payloads. However, Conficker B++ was designed to combat that problem. In short, Conficker B++ is programmed with alternate means of downloading new binaries. So even if the Conficker Cabal blocks the malicious domains generated by the original algorithm, Conficker B++ can still find its malicious payload using other techniques.
Despite this nasty evolution, all the previous defenses still work against the latest variants of Conficker:
- Use a firewall
- Make sure your Windows systems have up-to-date patches
- Use antivirus programs that automatically download new signatures
- Be wary of using others' USB devices
Friday, January 23, 2009
Conficker's virulence continues to confound me
I still don't really understand why the Downadup/Conficker worm has spread so successfully, but it definitely has.
The latest reports say the virulent worm has infected over 10 million PCs. Some of the big name victims include New Zealand's Ministry of Health, the UK Ministry of Defence, and some Sheffield hospitals. Furthermore, according to Panda Security, the Downadup/Conficker worm has infected at least 1 in every 16 computers -- and perhaps as many as 1 in 3 (although I'm not sure how Panda came up with those figures).
Nonetheless, Symantec and McAfee still rate this worm as low risk, and I kind of agree with them. You really should have little problem blocking this worm by following the most basic security practices. Almost any firewall on the market will block the ports this worm needs to spread by default. That only leaves its ability to spread via USB key. Frankly, I don't think this worm's USB capabilities can account for its impressive infection rate. However, if you are worried about USB malware, you can disable Windows' autorun features to help protect yourself from it.
I believe there's more to the story. While I can understand how the worm exploiting weak Windows passwords and the Server Service vulnerability would help it spread quickly inside your network, I don't see how those techniques would get through a typical network's defenses. I still think attackers might have seeded this worm using drive-by download, or spamming techniques.
Regardless of how this worm has spread, it has infected a lot of computers. When I think back a few years to how the Storm botnet started, it too began as a seemingly basic email worm. I didn't think many people would fall for Storm's early social engineering techniques either. However, a few did. And as Storm slowly infected these first victims, it continued to evolve its infection techniques. In the end, Storm compromised many computers and created a huge botnet for its authors. It looks to me like Downadup/Conficker is following in Storm's path. If you haven't hardened your network from this worm, do so now.
OS X pirates usher trojan onto their computers
If you've recently downloaded iWork 09 illegally using BitTorrent, your Mac probably has a trojan.
According to Intego (a company focused on Mac security), a new Mac trojan is circulating within the illegal copies of iWork 09 floating around on BitTorrent trackers. The trojan, OSX.Trojan.iServices.A, hides within an extra install package included with the iWork image, called iWorkServices.pkg. If you install this illicit version of iWork, the secret package quietly infects your Mac with the trojan, which has full root privileges. Once installed, the trojan connects back to its author, providing him a backdoor onto your computer. This allows the attacker to continue installing more malware onto your system, and could even potentially allow him to add your computer to a botnet.
In the PC world, it's standard practice for attackers to hide malware within pirated software. However, OS X users probably aren't used to this sort of technique. You better start getting used to it! In my opinion, this is just one more sign that Macs aren't as bulletproof against security threats as some Apple users would like to think (and I say this as a proud MacBook Pro owner). Malware authors have noticed Apple's growing popularity, and they will continue to try and exploit it. It's time for Apple users to face reality, and become security aware.
So what should you do in this case? Simple! Don't download and install these kinds of illegal, pirated Apple applications. Stay with the legal stuff and this threat won't affect you. If you do succumb to the dark side, beware what you might get.
Wednesday, January 21, 2009
Huge data breach could affect tens of millions of credit card users
During President Obama's inauguration yesterday, Heartland Payment Systems -- a major debit and credit card transaction company -- admitted that they were the victims of a huge data breach that could affect tens of millions of debit and credit card customers.
According to a Washington Post Security Fix article, Heartland found malware buried somewhere within their payment processing system. Currently, they don't know how long this malware has resided on their system. They only began looking for it last week, after receiving fraudulent activity reports late last year from MasterCard and Visa on cards used at merchants that rely on their systems.
Through this planted malware, intruders had access to all the digital magnetic stripe information stored on any debit or credit card that Heartland processed during the time of the breach. Heartland's president and CFO, Robert Baldwin, claims they process around 100 million transactions a month, 40% of which come from small to mid-sized restaurants. That's a whole lot of credit card data!
However, Heartland claims that the data bandits didn't make off with any personally identifiable customer information, such as Social Security numbers, unencrypted PIN numbers, or addresses. This makes it slightly more difficult for criminals to leverage their stolen credit card info. However, they do have enough data to create fake debit and credit cards, and use them at locations that don't verify your identity. In my experience, few retail locations actually verify this info (for instance, I can't count the number of times my wife used my cards undetected).
This is a truly flabbergasting security breach, coming from an organization that should have implemented the strictest, PCI-compliant standards of security. Some have already claimed that this breach could rival the one TJX suffered in 2007, which cost that company over a quarter of a billion in losses.
So what should you do in light of this gargantuan breach? If you process credit cards, do everything in your power to implement Defense in Depth and strive to maintain a PCI-compliant network. WatchGuard has unified threat management (UTM) appliances and some useful whitepapers that can help you with this task.
If you're a card carrier, your card company should contact you if you need to take any action. For now, I'd recommend you always monitor your monthly statements, and take advantage of any fraudulent activity services your card company offers.
If you'd like to learn more about this incident, check out Heartland's public release, or the links supplied below:
Tuesday, January 20, 2009
Malware preys on Obama-mania
Today is an exciting and historical day in the United States (and the World). In just a few hours we inaugurate an African American man, Barack Obama, as our 44th president. The nation feels a surge of hope, believing that the new administration will begin to correct some of the woes currently afflicting our country. Leave it to a few despicable malware authors to corrupt that hope, and twist it toward their ill-conceived purposes.
According to a ComputerWorld article, attackers have set up fake Obama/Biden campaign web sites, hoping to lure victims to a malicious drive-by download site. A blogger at MX Logix first noticed this attack. It arrives as spam email with Obama related subject lines. The subjects suggest that Obama has decided to decline the presidency. Some subject examples include:
- Barack Obama abandoned sinking ship
- Who will be our president now?
- Obama doesn't wany anymore to be a president (The misspelling is the attackers', not mine)
It still never fails to amaze me how low these attackers will stoop to infect new victims. While I encourage you to celebrate Obama's historical inauguration, be careful where you go while doing so. That seemingly innocuous Obama web site could add you as a drone in another botnet army.
Thursday, January 15, 2009
Is the Downadup/Conficker worm creating the next big botnet?
Last week, F-Secure made quite a few blog posts [ 1 / 2 / 3 / 4 ] describing a new worm that seems to be spreading like wildfire. Called Downadup by some and Conficker by others, the worm appears to spread, primarily, by exploiting the semi-recent Windows Server Service vulnerability (LiveSecurity Subscription required), which Microsoft patched last October. Previous worms have taken advantage of this popular vulnerability, but haven't achieved the success that F-Secure claims Downadup has.
According to F-Secure's last count, Downadup has infected almost nine million individual victims within four days, claiming that the virulent worm infected 1.1 million new casualties in only one day.
Once Downadup infects you, the worm does a number of things. First, it adds itself to certain Windows registry keys to ensure it can restart the next time you reboot. Next, it tries to connect to one of many potential malicious web domains in order to download more malware. The worm generates malicious domain names using a complex algorithm that changes daily and relies on the timestamp found at various public web sites. So far, no one has officially described the malware that Downadup installs. However, I wouldn't be surprised to find it installs a bot client in hopes of creating the next big botnet.
Downadup also starts a malicious web server on your computer. It then scans your local network for other computers vulnerable to the Server Service vulnerability, or for computers with weak Windows credentials, exploiting these weaknesses to infect new victims via its malicious web server. Finally, the worm appears to copy itself and an autorun file to USB devices it detects, hoping to spread when users plug these devices into other computers.
Despite F-Secure's analysis of Downadup's success, I'm not yet convinced that the worm is really as virulent as it seems. By default, even the most basic firewall blocks the ports necessary for Downadup to spread (TCP ports 139 and 445). I can't imagine the worm getting very much traction scanning the Internet for these ports. That said... if the worm snuck into your network through other means, and you haven't applied Microsoft's October patches, it would spread within your network very quickly.
This brings us to Downadup's other means of infection - weak Windows credentials and USB devices. Exploiting weak Windows credentials, like exploiting the Server Service vulnerability, requires access to those same Windows networking ports. I've already established that most firewalls block these ports by default. Finally, I simply can't imagine a worm infecting almost nine million users by piggy-backing on USB devices. Do people really share USB devices often enough for a worm to spread that successfully through them? I don't think so.
I'm not the only one that thinks F-Secure may have overstated their warnings about Downadup. Both McAfee and Symantec, two of the largest antivirus (AV) companies in the industry, rate this new worm as a low to very low risk. My guess is that F-Secure either flubbed their infection calculations or Downadup uses other unreported means of propagation (such as drive-by downloads or malicious emails).
Whether or not Downadup has really spread as widely as F-Secure suggests is beside the point - it's still an infection you don't want to contract. Most AV companies already have signatures that detect and block this worm. Make sure your AV software is up-to-date, use a firewall, and make sure it doesn't allow access to the Windows networking ports (TCP ports 139 and 445). If you already have a UTM appliance from WatchGuard, you're already fairly safe from an external Downadup attack.
Tuesday, January 6, 2009
PlayStation hammers a nail into the lid of MD5's coffin
Since 2004, security researchers have known that the MD5 hash algorithm suffered from certain cryptographic weaknesses. However, during a recent talk given at the 25th Chaos Communication Congress (25C3), a team of researchers showed the world just how dangerous these weaknesses have become.
Before I dive into the researchers' new attack, let me offer a refresher on some cryptography concepts required for understanding this attack. Let's start with cryptographic hash functions. A cryptographic hash function is a mathematical algorithm that returns a unique, fixed-length value (a hash) for any data fed into the algorithm. A specific hash value should only uniquely match one specific data set. In other words, if you feed different data into the algorithm, each different data set should always produce a unique hash value. Furthermore, if you make even the slightest change to a data set and send it through the algorithm again, its hash should change.
In cryptology, the properties of a hash prove useful in helping you ensure the integrity of data (an important part of the CIA triad). For instance, suppose you want to make sure a file you send your friend doesn't get altered in transit. You would run it through a hashing algorithm before sending it, and notify your friend of the result. When the friend receives the data, she can run the data through the same algorithm you used. If the file's hash result matches on both the sending and receiving ends, you know the file arrived without any changes. On the other hand, if the hashes differ, you know the file changed during transit. Many of the secure connections you make over the Internet -- from VPN tunnels to logging onto e-commerce sites -- use cryptographic hash algorithms somewhere behind the scenes to help ensure the integrity of the connection.
The MD5 hash algorithm is just one of many hash algorithms that cryptographers have created. Why so many? Well, not every hash algorithm is created equal; some are weaker than others; some are more suited for specific purposes or even specific computer processors. Remember, the value of a hash algorithm depends on its ability to create unique hash values for data sets. If two different data sets fed through the same algorithm generate the same hash, in crypto-land, this situation is called a hash collision. That hash algorithm can no longer guarantee the integrity of a data set. I like to say the algorithm has gone from "cryptographic" to "craptogryphic."
Frankly, there is no perfect hashing algorithm. They all suffer from potential collisions. However, the best designed and most secure hash algorithms make it computationally infeasible for attackers to find collisions -- that is, until some crazy smart mathematician comes along and discovers a short-cut.
All that background leads us up to what happened with the MD5 hash algorithm in 2004. Xiaoyun Wang (a crazy smart mathematician) published an attack that made it much more feasible for attackers to find collisions in MD5 hashes. This paper began the end of the MD5 hash algorithm. However, these types of cryptographic algorithms tend to take a long time to die. A mathematician's theoretical attack on an algorithm doesn't always translate into practical attacks. But that's where this new attack enters the picture.
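As an added illustration of the collision idea above (this is not code from the post): the two inputs below are the publicly known 2004 MD5 colliding blocks from Wang's work. The script shows that they differ in six bytes yet hash to one MD5 digest, that the sender/receiver integrity check described earlier therefore accepts the swapped input under MD5 but not under SHA-256, and that appending the same trailing data to both inputs keeps the MD5 collision.

```python
import hashlib
import hmac

# Two different 128-byte inputs that share one MD5 digest. These are the
# published Wang et al. (2004) colliding blocks, reproduced from the public
# record; they are not data from this post.
COLLISION_A = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab58712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e488832571415a085125e8f7cdc99fd91dbdf280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e2b487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080a80d1ec69821bcb6a8839396f9652b6ff72a70"
)
COLLISION_B = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab50712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e4888325f1415a085125e8f7cdc99fd91dbd7280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e23487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080280d1ec69821bcb6a8839396f965ab6ff72a70"
)


def digest(data: bytes, algo: str) -> str:
    """Hex digest of `data` under the named hashlib algorithm."""
    return hashlib.new(algo, data).hexdigest()


def integrity_check(received: bytes, expected_hex: str, algo: str) -> bool:
    """The sender/receiver check from the post: the receiver rehashes what
    arrived and compares it with the digest the sender announced."""
    return hmac.compare_digest(digest(received, algo), expected_hex)


def differing_bytes(a: bytes, b: bytes) -> list:
    """Offsets at which two equal-length byte strings differ."""
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]


def collision_survives_suffix(a: bytes, b: bytes, suffix: bytes, algo: str) -> bool:
    """MD5 processes its input block by block, so once two whole-block inputs
    collide, the internal state is identical and any identical suffix appended
    to both keeps them colliding. This is what lets one collision be turned
    into two different files with the same hash."""
    return digest(a + suffix, algo) == digest(b + suffix, algo)


def demo() -> dict:
    """Run the checks and return the findings."""
    md5_a = digest(COLLISION_A, "md5")
    sha256_a = digest(COLLISION_A, "sha256")
    return {
        "inputs_differ_at": differing_bytes(COLLISION_A, COLLISION_B),
        "md5_collides": md5_a == digest(COLLISION_B, "md5"),
        "sha256_collides": sha256_a == digest(COLLISION_B, "sha256"),
        # The receiver got B while the sender announced the digest of A.
        "md5_check_fooled": integrity_check(COLLISION_B, md5_a, "md5"),
        "sha256_check_fooled": integrity_check(COLLISION_B, sha256_a, "sha256"),
        "md5_collision_survives_suffix": collision_survives_suffix(
            COLLISION_A, COLLISION_B, b"-- identical trailing data --", "md5"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```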
At the 25th Chaos Communication Congress (25C3), a group of researchers leveraged MD5 collision vulnerabilities in a practical attack. They exploited the collision flaws to create a fake certificate. When you visit secure web sites, your web browser relies on digital certificates to ensure the legitimacy of the web site. Those certificates are typically created and issued by trusted third parties, each known individually as a Certificate Authority (CA). In order to prove a certificate's validity, the issuing CA signs the certificates it issues with its digital signature. And therein lies the rub: the digital signatures CAs use to sign certificates are created using hashing algorithms, and some CAs still use weak MD5 signatures.
The group of researchers found a CA that still issued MD5-signed certificates. They bought a few such certs from the CA. Then they looked for collisions in the CA's digital signature. The 2004 MD5 collision attack I mentioned earlier speeds along this MD5 cracking process; however, that attack is still computationally expensive. So the researchers set up a super-computing cluster made up of 200 networked PlayStation 3s (PS3). With their PS3 cluster, the researchers were able to find a collision for the CA's MD5 signature within a day, thus creating a rogue CA signature.
What does all this mean to you? Simply put, you can't trust the legitimacy of any website you visit if it only uses an MD5-signed certificate. If an attacker can leverage the MD5 collision flaws to create rogue CA certificates, the attacker can use these fake certificates to seemingly legitimize any domain or web site. This provides the attacker an invaluable tool for phishing attacks. He can trick your web browser into thinking it really has a legitimate, digitally signed, secure connection to any web site the attacker wants to spoof.
So how can you fix this? If you're a normal user, the problem isn't one you can fix. The CAs that still issue MD5-signed certificates need to switch to a stronger hashing algorithm (for example, SHA). Most of the CAs vulnerable to this attack have already started doing so. In the meantime, pay close attention to the URLs you visit. The URL should really match the site you think you're visiting.
For administrators, this attack should prompt you to start phasing MD5 out of your network. Potentially, the MD5 algorithm could be used in many ways within your network. You might have VPN tunnels that rely on MD5. Some Host-based Intrusion Detection Systems (HIDS) use MD5 signatures to test the authenticity of files. You may even have configured your SSH server to accept MD5 signatures for login. Admittedly, the MD5 collision vulnerability doesn't affect all these systems with equal severity. Nonetheless, I highly recommend you at least begin to phase out MD5. This research has proven MD5 attacks feasible. The researchers' PS3 cluster has solidly hammered home a nail into the lid of MD5's craptogryphic coffin.
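To act on the "phase out MD5" advice, an administrator first needs to know which certificates in use are MD5-signed. The following is an added example (not code from the researchers or from WatchGuard) that reads the signatureAlgorithm field of a DER-encoded X.509 certificate with a minimal DER walker and flags the MD5 and MD2 RSA signature OIDs; fake_cert is a constructed, certificate-shaped test blob and not a real certificate.

```python
# Signature-algorithm OIDs as they appear in an X.509 AlgorithmIdentifier.
OID_NAMES = {
    "1.2.840.113549.1.1.2": "md2WithRSAEncryption",
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
}
# MD-family RSA signatures are the ones the 25C3 rogue-CA result undermines.
WEAK_SIGNATURES = {"md2WithRSAEncryption", "md5WithRSAEncryption"}


def read_tlv(buf: bytes, pos: int):
    """Read one DER tag-length-value; return (tag, value, offset after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(body: bytes) -> str:
    """Dotted form of an OBJECT IDENTIFIER body (first arc 0, 1 or 2)."""
    parts, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear: last base-128 digit of this arc
            parts.append(value)
            value = 0
    return ".".join(str(p) for p in parts)


def signature_algorithm(cert_der: bytes) -> str:
    """Name (or dotted OID) of the algorithm the CA signed this cert with.
    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }"""
    tag, cert_body, _ = read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _tbs, pos = read_tlv(cert_body, 0)      # skip tbsCertificate
    _, alg_id, _ = read_tlv(cert_body, pos)    # AlgorithmIdentifier SEQUENCE
    oid_tag, oid_body, _ = read_tlv(alg_id, 0)
    if oid_tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    dotted = decode_oid(oid_body)
    return OID_NAMES.get(dotted, dotted)


def is_weakly_signed(cert_der: bytes) -> bool:
    return signature_algorithm(cert_der) in WEAK_SIGNATURES


# Constructed test input: a certificate-shaped DER blob, not a real certificate.
def _der(tag: int, body: bytes) -> bytes:
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _encode_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        digits = [arc & 0x7F]
        arc >>= 7
        while arc:
            digits.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(digits))
    return bytes(out)


def fake_cert(sig_oid: str) -> bytes:
    """Certificate skeleton with a placeholder body and the given signature OID."""
    tbs = _der(0x30, _der(0x02, b"\x01"))                  # stand-in tbsCertificate
    alg = _der(0x30, _der(0x06, _encode_oid(sig_oid)) + _der(0x05, b""))
    sig = _der(0x03, b"\x00" + b"\xaa" * 128)               # BIT STRING, dummy bytes
    return _der(0x30, tbs + alg + sig)
```

For a real PEM certificate, convert it first with ssl.PEM_cert_to_DER_cert(pem_text) from the standard library and pass the result to signature_algorithm.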
Predict the future; win Superman's TRS-80!
The latest episode of Radio Free Security, entitled "Security Predictions for 2009," just went live, available on our feeds page and Apple iTunes. In this episode, we announce a contest, and I wanted to show you the Grand Prize. It's a rare comic book from 1982 wherein Superman and Wonder Woman desperately need the help of "the Computer Masters of Metropolis" -- who turn out to be two kids with Radio Shack TRS-80 computers. This is geek "absurdity by obscurity" at its finest.
You could be the next proud owner of this venerable IT curiosity, and as contests go, your odds of winning are better than usual. We are awarding this suitable-for-framing conversation piece to whomever sends us, by January 23, the best prediction of what will happen in network security during 2009. You have a choice of trying to send us the funniest prediction or the truest prediction (although the judges are biased toward incenting the truest prediction). Judging criteria are pretty straightforward:
- Explain the reason for your prediction. The more convincing your rationale, the higher you'll score.
- Your prediction cannot be one of the six predictions for 2009 that Corey and I make in our just-released episode. (Which means it might help your cause if you listen to our episode.)
Decisions by the judges are otherwise arbitrary, and final. Sorry, but WatchGuard employees and resellers and their immediate families are ineligible for claiming the prize (however, if you want to play just for kicks and grins, we'd love to see your predictions).
Why are your odds of winning good? Well, approximately 11 bajillion people participate in, say, McDonald's annual Monopoly contest. In comparison, we'll be surprised if we get as many as two dozen entries.
No purchase is required to enter. Just send your well-reasoned (or insanely ridiculous) 2009 security prediction to radiofreesecurity at watchguard dot com by January 23. The winner will be announced in the February episode of Radio Free Security.
Any kid who can rescue Superman using only 4 kilobytes of memory and a cassette tape as a data drive is one l33t h4x0r. Make your stab at learning his secrets today!
Friday, December 19, 2008
US gov sets out to secure cyberspace. First obstacle: US gov
In the first week of December, the Center for Strategic and International Studies (CSIS) released a seemingly important report, entitled "Securing Cyberspace for the 44th Presidency." The report was the conclusion of a year of work from a blue-ribbon panel, co-chaired by two Congressmen, an Air Force lieutenant, and a guy who has worked in security at Pricewaterhouserestofalphabet, Microsoft, and Trustworthy Computing.

Corey Nachreiner, CISSP and Senior Network Security Analyst, is a computer security geek! He has ten years professional experience in the security industry, but first started exploring hacking when BBSs were still popular. When not uncovering the next big network threat, Corey tinkers with high tech gadgets, plays video games, and enjoys family life.
Scott Pinzon, CISSP and Information Security Analyst, has nearly 20 years of experience explaining high-tech products for clients both large (Weyerhaeuser IT) and small (Seattle's first cash machine network). He is the host of the network security podcast,