Security patches cripple Windows XP computers

Windows customers were up in arms over a Microsoft security patch that left their PCs locked down with the notorious Blue Screen of Death. This was yet another glaring example of the problems organizations experience when rolling out patches quickly.

In a follow-up article to Microsoft’s patching problems, evidence suggested that a rootkit infection was behind problems Windows users experienced after installing several security updates. According to the computer expert who discovered the infection:

“This particular rootkit can be very difficult to detect. Atapi.sys is an important driver for all Windows systems and it loads very early during the boot process, so infecting this file can make it very hard to detect or remove the rootkit before it loads.”

Zeus Trojan found on 74,000 PCs in global botnet

It was reported that over 74,000 computers at nearly 2,500 organizations around the world were compromised over the past year and a half in a botnet infestation designed to steal login credentials to bank sites, social networks and email systems. While Operation Aurora had its own success with popular networks internationally, the number of corporate and government systems infected paled in comparison to the Zeus Trojan.

The Wall Street Journal reported that Merck, Cardinal Health, Paramount Pictures and Juniper Networks were among the targets in the attack.

To make matters worse, a competing crimeware toolkit called SpyEye is waging a turf war against the mighty Zeus bot. For $500, aspiring rival cybercriminals can use the tool to uninstall Zeus from an infected system and keep SpyEye running on the system to steal credit cards and email accounts. Talk about cyber gang warfare.

Malicious PDF files comprised 80% of all exploits in 2009

In the often-seen case where hackers gravitate to the most popular Internet applications, it was reported that rogue PDFs accounted for 80% of all exploits by the end of 2009. And much like other leading technology companies, Adobe continues to patch several critical vulnerabilities in Adobe Reader and Adobe Acrobat for Windows, Mac and Linux.

Google teams up with NSA to fight cybercrime

As a result of Operation Aurora, The Washington Post reported that Google has teamed up with the National Security Agency (NSA) to help the Internet research firm defend itself and its users from future attacks. The Director of National Intelligence call the Google attacks a “wake-up call,” and that cyberspace cannot be protected without a “collaborative effort that incorporates both the U.S. private sector and our international partners.”

Unfortunately, what we are continuing to see in early 2010 is that patching and other traditional antivirus software are failing to adequately defend our systems. In fact, if anything they appear to be causing more problems. Organizations are better off focusing on ways to effectively stop Web-malware and malicious code from executing in the first place. This is where a solution such as application whitelisting can defend even flawed networks from running malware within their operation systems. If it’s not an authorized application, it does not run in the system. It’s that simple.

As always, I thank you for stopping by to read this blog. I hope it continues to bring to light some of the important issues we all face as security professionals. Come back soon.

The US government relies on commercial industry to safeguard the Internet, telecommunications, power, water, and other critical infrastructure that underpin our national economy. Elements of this infrastructure also directly support our ability to project military power worldwide.

Industry works closely with the government to advance the ‘state of the possible’ in cyber defense. As a former CIO and military systems analyst, I have witnessed several generational cycles of defensive technology developments in the cyber arena. In the mid-90s, for example, system administrators configured firewalls (from standard computer systems) by hand, and reviewed log files (either manually or through then-clever application of scripts) to detect, characterize, assess, and potentially contain cyber intrusions. Today, automated intrusion prevention systems are available as commercial-off-the-shelf (COTS) products, integrated with firewalls and incident management solutions to allow very rapid detection and blocking of cyber attacks. This is just one example of how industry has worked closely with the government to deliver significant advances in cyber defense technologies.

Unfortunately, our cyber adversaries today have proven relentless and highly flexible in their endless pursuit of effective attacks (for an entertaining perspective on the topic, please read Toney Jenning’s “Caddyshack & The Defense of Cyberspace: No More “Wack-a-Mole”” post on GlobalSCAPE’s blog site). Those of us in the information security industry understand that the next major terrorist strike very well may come from the cyber domain or, at a minimum, include cyber attacks as part of a broader operation. From a traditional national security perspective, it is a near certainty that future adversaries will continue to develop their cyber attack capabilities. Such asymmetric warfare capabilities are increasingly attractive, given the overwhelming superiority of US forces in conventional, force-on-force combat.

As a result, GlobalSCAPE, our partners and many others in the industry are working tirelessly to deliver next-generation cyber defense capabilities and stay one step ahead of our adversaries. Our continued development in this area is a national imperative. We are excited by the prospects for transformational solutions like application whitelisting to allow more assured defense of the cyber frontier. We’ll be addressing a variety of cyber defense topics in future posts. Stay tuned!

As I mentioned in last week’s entry, “Latest Microsoft patch illustrates the dilemma and dangers of fire drill patching,” relying on antivirus defenses to protect endpoints ties organizations to fire drill software patching. Reactive software application patching will never provide the level of protection today’s companies need to adequately protect their networks against harmful malware. As Mr. Westervelt goes on to write:

Rootkits are fairly common. They are installed by attackers who first gain access to the machine by exploiting a vulnerability. Once inside, the rootkit is deployed giving the attacker the ability to mask intrusion and gain root or privileged access to the computer. It can also be a package of spyware programs that monitor traffic and record keystrokes. Antivirus vendors typically have trouble detecting rootkits.

What these recent stories point out is that malware infections on these devices only highlights the fact that existing desktop security isn’t working properly. Why else are these companies regularly patching? The desktop security paradigm of antivirus and patching simply isn’t working.

Unfortunately, what we’re seeing is that patching itself is also causing problems with their systems. Organizations are better off focusing on ways to effectively stop Web-malware and malicious code from deploying in the first place than aimlessly reacting to cyber criminals exploiting the known and unknown vulnerabilities within their network. Playing catch up with more patches is not only a losing proposition for IT security professionals, it seems to be compounding the problem.

Operation Aurora – Google responds to attacks

Operation Aurora received a significant amount of press in January due to the high profile nature of Google’s response to the attacks. Not only did Google indicate that the attacks had originated from China, but that they were targeting theft of e-mail credentials of Chinese dissidents. Google responded publicly on their blog and indicated the potential that they may move out of China all together:

“These attacks and the surveillance they have uncovered — combined with the attempts over the past year to further limit free speech on the web — have led us to conclude that we should review the feasibility of our business operations in China. We have decided we are no longer willing to continue censoring our results on Google.cn, and so over the next few weeks we will be discussing with the Chinese government the basis on which we could operate an unfiltered search engine within the law, if at all. We recognize that this may well mean having to shut down Google.cn, and potentially our offices in China.”

Operation Aurora – More than just Google affected

Operation Aurora impacted more than just Google. The Washington Post reported that the “Google China cyberattack part of vast espionage campaign,” They went on to report:

“Computer attacks on Google that the search giant said originated in China were part of a concerted political and corporate espionage effort that exploited security flaws in e-mail attachments to sneak into the networks of major financial, defense and technology companies and research institutions in the United States, security experts said.

At least 34 companies — including Yahoo, Symantec, Adobe, Northrop Grumman and Dow Chemical — were attacked, according to congressional and industry sources.”

This is one of the most blatant instances of coordinated targeted attacks taking advantage of a zero day attack against main stream businesses.

Operation Aurora – Application whitelisting would have stopped it

The foundation of the attacks was the installation of a Trojan horse that allowed for remote control of the infected system. Because it was a targeted attack taking advantage of a zero day vulnerability (one that had not yet been disclosed) it bypassed traditional endpoint security solutions, but for any system protected by application whitelisting it would have prevented the malware from executing.

Data breach costs continue to rise in 2009

I came across this interesting report of a study from Ponemon on data breaches. In their survey of 45 companies, they experienced average data losses of $6.75 million in 2009. Interestingly enough, they attribute a mere 24% of the data breach losses to malware. Since this data was self reported, I question whether this really gives an accurate picture of how much data is being lost to cyber attacks. One thing we do know is that the largest data breach in history, of Heartland Payment Systems, was a result of cyber attack and it’s not a stretch to assume that many more are attributed to similar attacks.

Protection of our critical infrastructure remains a hot topic

Two articles highlighted the continued need for security against attacks on our critical infrastructure.

• Vanson Borne conducted a research report titled “In the Crossfire: Critical Infrastructure in the Age of Cyberwar.” This report was based on interviews of 600 IT and security executives at critical infrastructure enterprises and points to their growing concern of cyber attack and readiness.
• The U.S. Department of Energy announced that they would set up a national energy cyber security organization to help focus on protecting our national power grids.

So 2010 has picked up where 2009 left off and the need for strong protective endpoint security remains top of mind for almost all world businesses. Awareness continues to grow of the power of application whitelisting and we expect 2010 to be a break through year for this technology.

These attacks also illustrate the growing need for, and strength of, application whitelisting solutions. As Aurora first gained access by attacking an endpoint within Google’s network to trick a user into installing malware, even leading antivirus software designed to detect such viruses and malicious code couldn’t stop it from running within the network.

There couldn’t be a better illustration of the reactive nature of patching and antivirus. In order to defend our IT resources we must move to an endpoint security tool that both protects against attacks we have never seen and makes up for security deficiencies in software that can lead to vulnerabilities. In this, the outcry has been against Internet Explorer, but these types of attacks aren’t unique to one application or vendor as long as our endpoint security remains reliant on after the fact detection of weaknesses, patching, and signatures. We posted a blog on this topic last week titled: “The French and German governments agree… And they are both wrong” that has generated a lot of discussion between security professionals.

This is where application whitelisting fills the gaps of other endpoint security tools. With traditional AV technologies constantly playing catch-up with new and more complex forms of Web-based malware, whitelisting shuts the door on any unauthorized application from launching in the first place. Along with its industry-wide and political ramifications, Operation Aurora is yet another example of why application whitelisting is becoming a critical component of any endpoint security strategy.