Archive for the ‘News’ Category

Returning to life

Sunday, February 20th, 2011

There’s been a long hiatus in blogging on this site. We’ve not stopped working, just blogging. We’ll aim to have content on here a little more regularly from now on but with a slight change of emphasis. Up till now we’ve only posted notes on things we were doing ourselves. Now we’ll broaden it out a little to include general commentary on the InfoSec world and current news.

Hopefully this will both make this site a more general resource and allow us to blog more frequently. Tools aren’t updated that often (and some that are, we can’t blog about), but the joy of InfoSec is that there is always something new happening.

Phishers branch out in their targeting

Tuesday, July 8th, 2008

Phishers have been branching out recently, moving on to new targets away from the traditional bank account scam. As users become more aware, and more banks roll out two factor authentication and other mitigations, scammers are having to move on to softer targets.

In the past few months we’ve seen two new targets, with different motivations. Both illustrate how attacks shift as established targets become hardened.

First, many UK Universities have been hit with targeted phishing scams, usually claiming to come from “IT Support”. Any compromised accounts are then used to send out more spam. It’s a nice example of accounts being useful not so much for the information in them, but for the access they provide to other resources: bandwidth and credible email addresses.

Second, as mentioned by Dancho Danchev in May in ZDNet and in June on his blog, job sites are coming under attack. Dancho posted about the selling of tools that scrape information from CVs posted to online sites. Now we are seeing more direct attacks, with phishing emails aimed at getting login details of users of Monster.com and other job sites. Clearly gaining access to the information held on a job site is very useful to a scammer: it makes all sorts of nastiness easier.

It’s an arms race out there. Banks are now very quick at taking down phishing sites (see the recent blog post from Ross Anderson’s group at Cambridge, with links to takedown statistics), but other types of scams currently last much longer. If you’re one of the bad guys, it makes sense to go for the low-hanging fruit. Why bother to steal someone’s online banking details when you can get more money for less work by stealing their identity? And why go to lots of work to get their details when they have helpfully posted them on the web for you, all ready to use?

Arthur

Global Browser Vulnerability Survey

Friday, July 4th, 2008

A lot of current computer security threat research activity today occurs in the client space, with honeyclients such as Capture-HPC and PhoneyC regularly being used to study attacks against web browsers. Often these attacks occur through malicious obfuscated javascript and exploitation of vulnerable plugins or media extensions to allow fully automated ‘drive by download’ infections. The Honeynet Project have published a number of Know Your Enemy whitepapers in this area over the past year, and continue to actively research in this area. We have also previously blogged about some of the ideas the UK Honeynet Project have been experimenting with in this area.

One of the biggest challenges with client based threats is assessing the real world scale of the potential problem. For traditional server based threats, it was fairly simple to survey the entire IPv4 space and determine what versions of a particular application or operating system were in active use at a particular time. However, for client threats, you need a client application to come to you and interact with a service before any assessment of potential client vulnerabilities can be performed. This is a significant challenge for both attackers and researchers (hence the continued use of indiscriminate spamming and malicious advert serving at the same time as more targeted attacks are also being developed).

As the world’s most popular search engine, Google records user-agent client version data from the billions of web searches made by an estimated 75% of Internet users, and is therefore one of the organisations most likely to be able to assess the current state of web browser security (Microsoft’s MSRT also has excellent data, but only for the ~450 million users regularly running Windows Automatic Updates). However, for obvious privacy reasons, this data has not been made available to the public.

An interesting survey was released yesterday by Google Switzerland, IBM ISS and the Computer Engineering and Networks Laboratory of the University of Zurich, which provides the first systematic study of the browser data from around 1.4 billion Google users during the first half of 2008. They analysed Google’s client version data and correlated this with vulnerability data from sources such as Secunia’s PSI, in an attempt to assess how many vulnerable browsers were in circulation at a particular time.

The results are very interesting, with Internet Explorer taking 78% (1.1 billion) of the browser share and Firefox 16% (227 million). Drilling down into the IE share shows that roughly half of IE users have now moved to IE7, whilst most Firefox users run the latest release. More worryingly, less than 50% of IE users had the most secure version of their browser (rising to 83% for Firefox). For the month of June 2008, the authors suggest that over 45% of web surfers (roughly 637 million people) accessed Google with a browser that contained unpatched security vulnerabilities. There is also some interesting analysis of exposure to plug-in as well as built-in vulnerabilities, plus some good recommendations for potential improvements to web browser security. In particular, the concept of web sites checking a browser’s user-agent string and displaying a highly visible “expiry date” warning on every page (in an attempt to enforce a maximum shelf life) is worth further investigation.
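To make the “expiry date” idea concrete, here is an added example (not code from the paper or from this site) of the server-side check a web site could run: it pulls the browser family and version out of the User-Agent header, compares it against a policy table, and builds the banner text. The policy values (IE 7.0 and Firefox 3.0 as the current lines, 1 July 2008 as the expiry date) and the sample user-agent strings are constructed for illustration, not figures from the survey.

```python
import re
from datetime import date

# Constructed policy (illustrative values, not figures from the survey): for each browser family,
# the lowest version line treated as current and the date from which older lines count as expired.
POLICY = {
    "MSIE":    ((7, 0), date(2008, 7, 1)),
    "Firefox": ((3, 0), date(2008, 7, 1)),
}

# Version token for each family. Firefox is tried first because IE-compatible user agents
# from other products can also carry an "MSIE" token.
UA_PATTERNS = [
    ("Firefox", re.compile(r"Firefox/(\d+(?:\.\d+)*)")),
    ("MSIE", re.compile(r"MSIE (\d+(?:\.\d+)*)")),
]


def parse_user_agent(ua):
    """Return (family, version tuple) for a tracked browser, or None for anything else."""
    for family, pattern in UA_PATTERNS:
        m = pattern.search(ua)
        if m:
            return family, tuple(int(part) for part in m.group(1).split("."))
    return None


def browser_expiry(ua, today=None):
    """Shelf-life check: is this user agent behind the policy line, and is it past its expiry date?

    `today` may be a datetime.date, an ISO date string, or None (use the real date)."""
    if today is None:
        today = date.today()
    elif isinstance(today, str):
        today = date.fromisoformat(today)
    parsed = parse_user_agent(ua)
    if parsed is None:
        return {"family": None, "version": None, "outdated": False, "expired": False, "banner": ""}
    family, version = parsed
    minimum, expiry = POLICY[family]
    # Compare only as many components as the policy names, padding short versions with zeros
    # so that "MSIE 7" is treated as 7.0 rather than as older than 7.0.
    padded = (version + (0,) * len(minimum))[:len(minimum)]
    outdated = padded < minimum
    expired = outdated and today >= expiry
    label = f"{family} {'.'.join(map(str, version))}"
    if expired:
        banner = f"Your browser ({label}) expired on {expiry.isoformat()}. Please update it before continuing."
    elif outdated:
        banner = f"Your browser ({label}) expires on {expiry.isoformat()}. Please update it soon."
    else:
        banner = ""
    return {"family": family, "version": version, "outdated": outdated, "expired": expired, "banner": banner}


if __name__ == "__main__":
    # Constructed sample user agents, checked as of 4 July 2008 (the date of this post).
    samples = [
        "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)",
        "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.14) Gecko/20080404 Firefox/2.0.0.14",
        "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.9) Gecko/2008052906 Firefox/3.0",
        "curl/7.18.0",
    ]
    for ua in samples:
        result = browser_expiry(ua, "2008-07-04")
        print(result["banner"] or f"current or untracked: {ua}")
```

The check deliberately stops at the major.minor line named in the policy; deciding whether a specific patch release is fully up to date needs a vulnerability feed such as the Secunia data the paper correlates with, which is why the banner is framed as a shelf life rather than a patch-level verdict.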

The very welcome paper is definitely worth a read, but is unlikely to cause too much immediate worry to the cyber criminals who are actively targeting web users through the thousands of mass compromised web servers, phishing emails and instant message spam we encounter each day.

It had to happen

Monday, June 30th, 2008

Today we received our first bit of spam from EC2. The message itself was pretty standard:

From: "Microsoft" 
Date: 29 June 2008 11:47:43 BST
To: XXX
Subject: Important Update Notification

Hello XXX,

You are receiving this notification because the version of Windows you are running is effected by a critical security issue.

For the protection of yourself and others using the Windows operating system, it is reccomended that all consumers update their operating system at their earliest convenience.

To do so, you may visit Microsoft Update by clicking here, and simply pressing "Open" or "Run" to begin the automatic update process.

Thank you for your cooperation in resolving this matter.

Kind Regards,
Microsoft Customer Support 

The link points to a phishing site:

http://XXX/go.nhn?url=http%3A%2F%2Fupdate%2Emicrosoft%2Ecom%2E00000000000000000000000000000000000000000000000000000000000000%2Enet

So far, so standard. The interesting bit is in the headers of the message:

Received: (qmail 29794 invoked from network); 29 Jun 2008 09:53:08 -0000
Received: from ec2-75-101-198-26.compute-1.amazonaws.com (HELO ec2-75-101-198-26.compute-1.amazonaws.com) (75.101.198.26)
  by server-14.tower-117.messagelabs.com with SMTP; 29 Jun 2008 09:53:08 -0000
From: "Microsoft" 

How long before all email from EC2 is blacklisted? It was only a matter of time before services like this started to be used for sending spam, but this is the first time I’ve seen it in the wild.
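The two things this post checks by eye, where the message actually came from and where the link actually goes, can be automated. The following is an added example, not code from this site: it unfolds the Received headers quoted above, takes the bottom-most hop as the originating relay, flags a connecting host under a cloud provider’s reverse-DNS zone (amazonaws.com is the only suffix listed; extend as needed), and percent-decodes the redirector’s url= parameter so that the padded hostname’s real registrable domain is visible. The header sample is constructed from the post, with the stripped sender address and the redirector host replaced by placeholders; the “last two labels” view of the hostname is a deliberate simplification that does not handle multi-label public suffixes such as co.uk.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample modelled on the headers and link quoted in the post above.
# The sender address and the redirector host are placeholders, as in the post.
RAW_HEADERS = """\
Received: (qmail 29794 invoked from network); 29 Jun 2008 09:53:08 -0000
Received: from ec2-75-101-198-26.compute-1.amazonaws.com (HELO ec2-75-101-198-26.compute-1.amazonaws.com) (75.101.198.26)
  by server-14.tower-117.messagelabs.com with SMTP; 29 Jun 2008 09:53:08 -0000
From: "Microsoft" <placeholder@example.invalid>
Subject: Important Update Notification
"""

PHISH_LINK = ("http://XXX/go.nhn?url=http%3A%2F%2Fupdate%2Emicrosoft%2Ecom%2E"
              "00000000000000000000000000000000000000000000000000000000000000%2Enet")

# 'Received: from <host> ... (<ipv4>)' on one unfolded header line.
RECEIVED_FROM = re.compile(r"^Received:\s+from\s+(\S+).*?\((\d{1,3}(?:\.\d{1,3}){3})\)", re.I)


def unfold_headers(raw):
    """Join RFC 5322 folded continuation lines (leading whitespace) back onto their header."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines


def received_hops(raw):
    """(host, ip) for each 'Received: from' header, top to bottom (newest hop first)."""
    hops = []
    for line in unfold_headers(raw):
        m = RECEIVED_FROM.match(line)
        if m:
            hops.append((m.group(1).lower(), m.group(2)))
    return hops


def originating_hop(raw):
    """The bottom-most Received header was added by the first relay to accept the message."""
    hops = received_hops(raw)
    return hops[-1] if hops else None


def is_cloud_origin(host, suffixes=("amazonaws.com",)):
    """True when the connecting host sits under a cloud provider's generic reverse-DNS zone."""
    return any(host == s or host.endswith("." + s) for s in suffixes)


def redirect_target(link):
    """Decode the 'url=' parameter of a redirector link (parse_qs percent-decodes the value)."""
    values = parse_qs(urlsplit(link).query).get("url")
    return values[0] if values else None


def registrable_suffix(url):
    """Last two labels of the hostname: the part a registrar actually issued (simplified view)."""
    host = urlsplit(url).hostname or ""
    return ".".join(host.split(".")[-2:])


def triage(raw_headers, link):
    """Summarise both checks: where the message came from and where its link really goes."""
    hop = originating_hop(raw_headers)
    target = redirect_target(link)
    return {
        "origin_host": hop[0] if hop else None,
        "origin_ip": hop[1] if hop else None,
        "cloud_origin": bool(hop and is_cloud_origin(hop[0])),
        "target": target,
        "target_domain": registrable_suffix(target) if target else None,
    }


if __name__ == "__main__":
    for key, value in triage(RAW_HEADERS, PHISH_LINK).items():
        print(f"{key}: {value}")
```

Run stand-alone, the script reports the EC2 host and its address as the origin and shows that the decoded link’s registrable domain is a run of zeros under .net, not microsoft.com; the long string of zeros exists precisely so that the real domain scrolls off the end of a mail client’s status bar.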

WOMBAT 2008 papers accepted

Friday, April 4th, 2008

We were happy to be informed that both papers submitted by The Honeynet Project to the upcoming WOMBAT honeynet workshop in Amsterdam this month have been accepted. Max Kilger and Tom Holt from the UNCC Honeynet Project Chapter will be presenting a paper on Techcrafters and Makecrafters: A Comparison of Two Populations of Hackers and I will be presenting Honeynet Project: Data Collection and Data Analysis (with Jamie also attending). We’ll post the paper here once it has completed the review and the IEEE pre-publication process.

Global Distributed Honeynet (GDH) Phase Two starting

Wednesday, April 2nd, 2008

After doing a lot of work leading phase one of The Honeynet Project’s Global Distributed Honeynet (GDH) last year, I’m pleased to announce that internal development has begun on GDH Phase Two today. Initially this will result in new public Honeywall releases (version 1.4 this month integrates a second generation of our Hflow data fusion tool, followed by version 1.5, which will hopefully support attacker source IP to keystroke mapping in all Sebek related tools at last!). Hopefully the three month kick start phase will be extended throughout 2008 and we’ll be releasing lots of interesting research data once an expanded global sensor network is operational. GDH Phase Two will also include client honeypots (based on Capture-HPC) and should see some long overdue improvements to our Honeysnap reporting tool.

UKHP attend ISOI4

Tuesday, March 4th, 2008

I was one of the attendees at the fourth ISOI workshop last week, which this time was held in sunny San Jose. Once again, the event had an interesting range of presentations and discussions, mostly focused around what system defenders could do now to make a difference to the continuing tide of cybercrime observed every day. There was also plenty of opportunity to catch up with people in the security community, and put faces to names, so thanks to Gadi and co for the continued invites. I also got a bit of time to hang out with various Honeynet Project people and some of the guys from Shadowserver, and hopefully we’ll see some interesting spin offs in the coming months. Being from the UK, the obligatory Silicon Valley geek tourism was also fun.

WOMBAT Workshop 2008

Wednesday, February 20th, 2008

The Honeynet Project have been invited to submit a paper to the upcoming invite-only Worldwide Observatory of Malicious Behaviors and Attack Threats (WOMBAT, http://wombat-project.eu) honeynet workshop at Vrije University in Amsterdam on the 21st and 22nd of April. David and Jamie from the UKHP will be organising the Honeynet Project’s submissions, and we hope to have at least one presentation accepted for publication in the journal of the IEEE.

For more details see http://wombat-project.eu/2008/04/wombat-closed-workshop-april-2.html