There Is No Place Like 127.0.0.1

August 21st, 2009 1 comment

Are you getting tired of advertising saturating the Internet?  Tired of the flashy, Vegas-esque, slot-machine-inspired web portals of today?  Pop-ups, loud and obnoxious Flash movies everywhere, and over-animated nonsense.  There is more to this annoying evolution than meets the eye; read on.

While this isn’t a cutting-edge technique for protecting machines from malware, it is a very under-utilized one, so I figure it qualifies as blog-worthy.

Sites like Yahoo, MSN, Facebook, CNN, local newspapers, etc. all integrate third-party advertising sources into their content.  So the majority of those flashy little ads come from servers outside of the site owners’ control.  Now imagine the exposure of an ad from a huge player like doubleclick.net: one of its ads could appear on all of the sites previously mentioned simultaneously.

Big shocker: the bad guys figured this out pretty quickly, so what did they do?  They attack the ad servers at their source rather than attacking one site at a time, thereby reaching a much larger audience with less effort.  Once they gain control, the goal is to replace benign content with their malicious content.  Then unsuspecting visitors go to their trusted sites with their vulnerable applications (Flash Player, Internet Explorer, Firefox, Safari, QuickTime, etc.) while the evil guys sit back and take control of one machine after another (millions).

So what is the answer to this annoying threat? 127.0.0.1!

When you type a website into your browser, the default action of your machine is to check the local hosts file.  It’s nothing more than a flat text file containing hostnames and IP addresses.  The machine checks this file first, and if the hostname appears in the local file it never does a DNS (Domain Name System) lookup.  If it doesn’t find the name in the local hosts file, it queries DNS to resolve the website.  So why not use this functionality to our advantage?  What if we could download a hosts file that contains a list of the most popular advertising sources and points them all at a blackhole?  Good news: we can!

http://www.mvps.org/winhelp2002/hosts.htm

If you replace the hosts file on your machine(s) with the one mvps.org provides, every time your machine attempts to get an image/movie/file from any source listed in the file, it will attempt to get it from 127.0.0.1 (your local host) instead of going out to the Internet to actually retrieve the file.  The file from MVPS also contains some known malware sites, so it not only helps with ads but helps with security as well.  Woohooo! No more slot machine in my browser!
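To make the lookup order concrete, here is an added example (not code from the post or from mvps.org) that parses a hosts file in the MVPS layout and emulates the "hosts file first, DNS only on a miss" behaviour described above. The hosts entries are constructed for the example (the `.test` domain is reserved), and treating `0.0.0.0` as a blackhole alongside `127.0.0.1` is an assumption about how such lists are commonly written.

```python
import socket
from typing import Callable, Dict
from urllib.parse import urlparse

# Constructed sample in the MVPS layout ("<ip> <hostname>", "#" comments);
# the hostnames are made up (.test is reserved), not taken from the real list.
SAMPLE_HOSTS = """\
# constructed sample, not the mvps.org file
127.0.0.1       localhost
127.0.0.1       ads.example-adnetwork.test      # banner server
127.0.0.1       tracker.example-adnetwork.test
0.0.0.0         malware.example-badsite.test    # some lists use 0.0.0.0
"""

# Addresses that mean "go nowhere" when used as a hosts-file target (assumption).
BLACKHOLES = {"127.0.0.1", "0.0.0.0"}


def parse_hosts(text: str) -> Dict[str, str]:
    """Build hostname -> IP from hosts-file text. Full-line and inline comments
    are dropped, one line may list several names for one IP, and the first
    entry seen for a name is kept (assumption about resolver order)."""
    table: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            table.setdefault(name.lower().rstrip("."), ip)
    return table


def resolve(hostname: str, table: Dict[str, str],
            dns_lookup: Callable[[str], str] = socket.gethostbyname) -> str:
    """Emulate the order the post describes: hosts file first, DNS only on a miss."""
    hit = table.get(hostname.lower().rstrip("."))
    return hit if hit is not None else dns_lookup(hostname)


def is_blackholed(hostname: str, table: Dict[str, str]) -> bool:
    """True if the hosts file would send this name to a blackhole address."""
    name = hostname.lower().rstrip(".")
    return name != "localhost" and table.get(name) in BLACKHOLES


def audit_urls(urls, table: Dict[str, str]) -> Dict[str, bool]:
    """For each URL, report whether the hosts file would stop the fetch."""
    return {u: is_blackholed(urlparse(u).hostname or "", table) for u in urls}
```

Pointing names at 127.0.0.1 means the browser still tries to connect to your own machine's port 80, so if something listens there the request can hang or even succeed; that is why many later block lists use 0.0.0.0, which fails immediately.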

A question for businesses to ask themselves: why would you want your employees receiving ads at work?  Why put your organization at more risk from “drive-by” attacks?  Unless you specifically work in the Internet advertising or marketing space, I would think the answer is clear.

This isn’t a complete solution, but it is another layer of improvement.  Below are some advantages and disadvantages that come to mind with this technique.

Advantages

  • Free
  • Easy to implement
  • Low overhead (memory/CPU)

Disadvantages

  • User Experience: ads will be replaced with connection reset windows (only a cosmetic problem)
  • Slows down page loading (temporary while DNS cache is replaced with 127.0.0.1)
  • Manageability (can be pushed out via Active Directory)
  • Doesn’t catch everything (but it’s better than nothing)

Illustration of expected user experience

Categories: Defensive

Retaining Security Professionals

June 30th, 2009 1 comment

Nearly every organization with ~50 employees or more has an accountant and a lawyer on staff, and those that don’t certainly retain their services.  Yet even with all of the breaches in the mainstream media, cybersecurity professionals are still having to explain why we’re needed before we get to the important stuff: how to improve an organization’s defenses or correct its weaknesses.

This is a particular problem, in my opinion, with small/medium businesses, especially community banks.  They pay accountants and lawyers to keep their books in order and to keep them out of court, yet they don’t hire any security experts to protect their most important assets: their customers and their money.  If and when electronic breaches occur, they lose customers and money.  We see them hiring a lot of independent “computer people” and organizations that target them because they know they have regulatory requirements.  It is rare that either the independent consultants or the organizations that purely target community banks have the knowledge and expertise to properly secure banks against the constant barrage of attacks they face.

Granted, I’m a bit biased, but I would encourage more small organizations to ask about the credentials and experience of the individuals they are paying for cybersecurity services.  After all, would you hire an accountant without a degree or without the proper training?  Would you hire a lawyer straight out of law school to represent you in an important case?

Protecting your electronic assets is as important as ever.  All of us continue to become more dependent on computers and the Internet, so hire people who understand how to protect your business.  Ben Franklin’s saying, “An ounce of prevention is worth a pound of cure,” definitely applies to cybersecurity.

Categories: Opinions

Signature-Based Defenses Weak at Best

June 23rd, 2009 2 comments

I’ve been to a bunch of cybersecurity conferences in the past month or two. They were mixed in their target audiences and attendees: everything from the Department of Defense, the FBI, generic IT, ethical hackers, etc. I keep hearing the same discussions and the same theories about this signature, that string, the other defense. I keep trying to explain to these groups of professionals and people within the industry that signatures just do not protect us against targeted attacks.

As an illustration, I recently did a presentation that utilized the Adobe printf vuln that was announced clear back in like November 2008. I simply uploaded the PDF to virustotal.com in front of the crowd, and they were amazed at how many current virus engines did not detect it as malware. Needless to say, I had the room’s attention from there on out.

Everyone, including the product vendors, seems to be so focused on coming up with reactive signatures that they’re missing the key point. By the time signatures are created for the masses and implemented, it is FAR too late. For those organizations that are specifically targeted, the damage is already done. The vulnerabilities have been announced, exploits have been developed, and critical data has been compromised by the time the signature serves its intended purpose. The good thing is that signatures are way ahead of the patches from vendors, but that’s a whole other blog post.

The immediate question I get from people is: so what do you suggest we do differently? My typical answer is defense in depth. Put multiple layers of defense between your organization and those that target you. For most people out there, that means you have to do more than put up perimeter protection. Yes, it means you have to do more than implement a firewall. Even with the best walls of defense, you should still have something that monitors file integrity on your systems (i.e., something that tells you when your system has been compromised). The probability that your systems will be compromised at some point is high, so wouldn’t you like to know when that occurs as close to immediately as possible? I would.
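The file-integrity layer mentioned above, as an added example that is not code from the post or from any product it names: hash every file under a directory to build a baseline, re-hash later, and report what was added, removed or modified. The demo scenario is constructed in a temporary directory and simulates the kind of tampering (a redirected hosts file, a dropped file) that such monitoring is meant to surface; the file names and addresses in it are made up.

```python
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large files do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def baseline(root: Path) -> Dict[str, str]:
    """Hash every regular file under root, keyed by path relative to root."""
    return {str(p.relative_to(root)): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare(old: Dict[str, str], new: Dict[str, str]) -> Dict[str, List[str]]:
    """Diff two baselines into the three lists an analyst wants to see."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(k for k in old.keys() & new.keys() if old[k] != new[k]),
    }


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: baseline a fake config directory, then simulate
    tampering and report what changed (the detection the post asks for)."""
    with tempfile.TemporaryDirectory() as d:
        etc = Path(d) / "etc"
        etc.mkdir()
        (etc / "hosts").write_text("127.0.0.1 localhost\n")
        (etc / "resolv.conf").write_text("nameserver 192.0.2.53\n")
        before = baseline(etc)
        # simulated compromise: hosts redirected, a file dropped, a config removed
        (etc / "hosts").write_text("127.0.0.1 localhost\n203.0.113.7 bank.example.test\n")
        (etc / "dropper.bin").write_bytes(b"\x00" * 16)
        (etc / "resolv.conf").unlink()
        return compare(before, baseline(etc))
```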

Vendors are starting to catch on to this whole idea of behavioral heuristics as it applies to security technology. They are trying to create rating algorithms, deem sources and destinations green or red, blah blah blah. While I think we as a community are definitely on the path to becoming more proactive rather than reactive, I’m not sure how fast we can create technology that can predict something as unpredictable as human behavior on the Internet.

As an example, Sourcefire was in our office yesterday showing us their RNA product. It’s definitely cool to create baselines and alert on changes to those “normal” activities. I also like the idea of only alerting me on things that systems are truly vulnerable to and/or changing the severity of alerts based on the real potential. As I said, I think we are moving in the right direction here; just don’t depend on signature-based defenses only. If you do, it won’t be long before you’ll be calling my company to do forensic investigations instead of penetration testing :)

Categories: Attack Trends

SMS Text Message Attacks on the Rise

June 23rd, 2009 3 comments

It’s always fun being a security guy and receiving attacks. I find myself respecting some of the spam I get from time to time for its sheer psychological and technological brilliance. However, on May 26th, 2009, the attack I received wasn’t as funny. I’m sitting in my office working, trying to make a living, and I receive the following text message, which is obviously disruptive at best:

From: jason@server-system.net
VISA alert: #740875 ACCOUNT FROZEN, call us at 1-866-527-0498

Unfortunately, I have some of my cards send me balance alerts and such, so my first instinct was, “Oh great, which stupid credit card company do I have to sit on hold with now in order to fix something they screwed up?” The more I looked at it, I was like, that number doesn’t look familiar at all. Then I looked at the from address with more scrutiny, and then the lightbulb went off: oh, this is bogus, you idiot! So even the guy with alphabet soup after his name was *almost* fooled by this little act.

Based on my years of wireless telecom experience, I’m sure all the wireless providers are frantically trying to stop these attacks. I’m sure the technology behind the scheme is very similar to email-based social engineering attacks: a botnet, randomized text and subject, same story, new medium. I called the number to gain insight, but it was already dead. My guess is that they use VoIP somehow to further their anonymity. I look forward to getting another message so that I can call it more quickly to gain further insight. If someone else receives one of these, please share the phone number immediately so that I can call it!

This type of attack will only gain in popularity. Consumers will get increasingly annoyed with unsolicited text messages. With the lack of awareness, I’m sure the attack is considerably more successful than a traditional email-based attack. A majority of people no longer trust their inbox, but their cell phones are another story. Make sure your friends and family are aware that anonymous sources can send text messages just like they do via email.

Categories: Opinions

TDAmeritrade Class Action Lawsuit

June 23rd, 2009 No comments

I know this is old news, but I got a big chuckle when I got a post card in the mail today from TDAmeritrade:

To All Account Holders Or Prospective Account Holders Who Provided PHYSICAL OR EMAIL ADDRESSES TO TD AMERITRADE

This was my notice of the class action lawsuit in lieu of their little data breach.

In all of the explanation in fine print (designed so that fewer people actually read it I’m sure) they ensure me via one bold line:

The consultant conducted four analyses since August 2007 and found no evidence of identity theft resulting from the data breach.

Another good line is “The Company denies any liability in the matter.”  Big shocker.

So disregard the whole point that you were breached.  Or let’s not.

A 2.5-billion-a-year financial institution, holding 225 BILLION DOLLARS of customers’ money.  Despite all that wealth and magnitude, you couldn’t protect my data.  Never mind that my inbox was flooded with targeted phishing attacks sent to (this is the best part) a completely unique address I only supplied to TDAmeritrade.  I’ll be the first “Account Holder” to stand up and say I’d like to raise the BS flag on the “alleged” language in my postcard and change it to confirmed.

I guess they should have listened to the customer from Nebraska who took the time out of his busy day to bring this matter to their attention a year ago.  I tried to tell them, I repeatedly tried to explain, I sent emails, I tried to do my fair share to alert them.  What did I get in return?  I got the scripted response, “We’re aware of the problem and are working to correct it.  We understand your concern and apologize for any inconvenience.”  Oh, and based on the fine print on my postcard I may get a free year of an Internet security product.  Thanks, but no thanks.  I think I will start to post blogs about every organization that I believe to be compromised, well, at least the ones that give me the scripted response, that is.

Sadly, my team at Infogressive could have prevented this incident for far less cost and with so much less reputational loss.  I think a big “I told you so” is in order here.  I know Ameritrade has some smart people who work there; I personally know some of them.  I hope that they are listening to them more intently these days.  Psssst, hey, you may want to implement best practices as a 2.5-billion-dollar-a-year bank, just a thought, just my $.02.