What you don't know can hurt you.
If you've been following security lately, you probably know all about the big vulnerabilities. You've built defenses for denial-of-service attacks, and you've stopped the Storm worm. You've got your Microsoft Windows patches scheduled for the month, and you know about all the malware that hides in spam.
At the end of the day, though, the biggest threats might be the ones that don't get talked about, that don't end up in CERT advisories or trade publications. You can't track every vulnerability -- their sheer volume almost guarantees there will be a few that operate below your radar.
With this in mind, the folks here at Dark Reading have developed a list of some of the most dangerous and least-discussed IT security vulnerabilities we've seen in recent weeks. Some of these are emerging threats; others have been operating at a low level for years. Some of them you may know about; others might be new to you.
We didn't rank them, nor are we saying that these are the only unheralded vulnerabilities out there. So if you know of other little-discussed, but potentially pointy security flaws, tell us about them via our message board. You'll be helping out those who don't know as much as you do.
And now here's our list of little-known, yet possibly dangerous, security flaws:
- Page 2: Cross-Site Request Forgery (CSRF)
- Page 3: Network Access Control Flaws
- Page 4: PHP Remote File Inclusion
- Page 5: Rogue Anti-Spyware
- Page 6: Stealth Malware by Design
- Page 7: Targeted Attacks
- Page 8: Rustock Trojan Horses
- Page 9: SOX-Breaking Accounting Flaws
Next Page: Cross-Site Request Forgery
By now you know all about cross-site scripting (XSS) and how frustratingly pervasive it can be on your Website. (See Beware of the Quiet Ones, Hackers Feel Fallout From XSS Postings, and Microsoft, Hacker Attack XSS.) But there's a potentially more dangerous -- and just as common -- bug that's lying in wait on your Website as well: Cross-Site Request Forgery (CSRF). (See Killer Combo: XSS + CSRF.)
CSRF has flown under most security pros' radar for nearly a decade, but nearly every Website is vulnerable to it. It allows an attacker to use a legitimate URL that initiates typical Web functions such as conducting a transaction, changing an email address, or transferring funds. "The attacker takes that URL and loads it to a Web page they control," says Jeremiah Grossman, CTO and founder of WhiteHat Security. (See CSRF Vulnerability: A 'Sleeping Giant'.)
When a user visits the attacker-controlled Web page via a legitimate link, his browser is forced to make malicious requests -- and the user is none the wiser. The catch: Neither the original Website nor the user's computer is necessarily compromised. And there's no surefire way to detect CSRF bugs today.
As XSS mitigation increases, security experts worry that attackers will start using CSRF to attack Web applications. So far, luckily, CSRF hasn't done much damage (that we know of, anyway). It accounted for less than 0.1 percent of bugs reported in last year's Common Vulnerabilities and Exposures (CVE) report. (See Bug Disclosures Decline.) But Mitre, which oversees the CVE, says that figure is misleading, because researchers haven't yet focused on searching for CSRF flaws.
"There is a real disconnect here between what Web app security researchers are finding on the professional auditing side, versus what's being publicly recorded in the CVE," says Steven Christey, principal information security engineer for Mitre. "Researchers who publicly disclose [vulnerabilities] just aren't looking for [CSRF bugs]."
The most famous CSRF attack was the Samy worm that crippled MySpace last year. The attacker used a toxic combination of XSS and CSRF exploits to wreak havoc on the social networking site.
How can you protect your site? Fix your XSS bugs. Make sure users log off one site before they visit another, and regularly clear their cookies. The more you can do on the front end, the better, because cleaning it up requires recoding your Web apps, security experts say.
Next Page: Big NAC Attacks
Across the security industry, network access control (NAC) has become nearly synonymous with endpoint security. (See Vendors Get Their NAC Together.) Most every enterprise loves the idea of a technology that prevents users from bringing insecure machines onto the network, and most companies that haven't already deployed NAC are planning on it. (See NAC: More Is More.)
Quietly, though, hackers and security researchers have been finding holes in the widely-hailed technology. A closer look at these holes might be enough to make you think twice about implementing NAC in your enterprise. (See NAC Vendors in the Hot Seat.)
It all started last July, when Ofir Arkin, CTO of Insightix, made a presentation about NAC at the Black Hat conference that exposed some potential problems with the technology. (See Researchers Break Down NAC Defenses.)
The vulnerabilities lie primarily in the way current NAC products are designed, Arkin explained. For example, most NAC technology assumes that users will be granted access to the network via Dynamic Host Control Protocol (DHCP), which keeps IP addresses in a pool and hands them out as each user is authenticated. Through DHCP, NAC systems can restrict user access and recognize unauthorized attempts to gain entry to sensitive information.
However, an insider with access to the corporate network often has the option to configure his PC with a static IP address, Arkin observed. With a valid IP address, the insider could effectively bypass all of the NAC controls and remain undetected by NAC defenses.
"All you really need is a user name and password, and you can do whatever you like," Arkin said.
Then, when Black Hat reconvened in Europe in March, researchers in Germany demonstrated a tool that allows an unauthorized PC to disguise itself as a legitimate client in a Cisco Network Admission Control (NAC) environment, effectively circumventing the networking giant's end-point security strategy. (See Cisco's NAC Gets Hacked.)
The tool springs from a couple of "design flaws" discovered in Cisco's NAC, according to Michael Thumann, CSO at ERNW, who developed the tool with Dror-John Roecher, a senior security consultant. The flaws were found in the communication between the client and Cisco's Admission Control Server (ACS), and therefore would apply to any Cisco NAC environment, regardless of what hardware models or software versions were installed.
The first flaw is a lack of authentication between the client and the ACS server, Thumann explains. "The client has an IP address, but there's currently no way to authenticate the device."
The second flaw -- and this would apply to any NAC environment that relies on the client to provide its own policy compliance information -- is that there is no way to verify that the client is telling the truth about its configuration. "This means that a client can essentially be set up to lie to the policy server about its antivirus capabilities and so forth," Thumann says.
Next Page: PHP Remote File Inclusion
Another Web-based flaw you probably don't know about is PHP Remote File Inclusion (sometimes called PHP RFI, or PHP-include).
Flaws in PHP, a popular Web programming language, let an attacker take over a machine, and some researchers say this exploit is becoming popular among botnet herders.
PHP RFI attacks are on the rise. According to the 2006 Common Vulnerabilities and Exposures (CVE) report, the exploit is now the third most exploited vulnerability, rising from number four in a matter of a few months. PHP RFI vulnerabilities in 2006 increased 1,000 percent from the previous year, and they now account for 13.1 percent of all reported flaws. This puts PHP RFI just behind the better-known SQL injection (13.6 percent).
What makes PHP RFI so unnerving is it's easy to exploit -- and attackers love low-hanging fruit. Botnet herders especially like the flaw as a means to snare new command and control nodes to manage their constantly changing armies of zombies. (See Firewall Wish List.)
"RFI is extremely powerful and easy to use, so it's no surprise it's attractive to attackers," says Steven Christey, principal information security engineer at Mitre. And many Web hosting firms leave the "registered globals" feature enabled, he notes, which leaves their customers at risk. (See Beware of the Quiet Ones.)
How can you protect yourself against a PHP RFI attack? Disable the registered globals feature in PHP -- something not all organizations do.
Next Page: Rogue Anti-Spyware
When malware starts masquerading as security software, you know you're in trouble. And quietly, that very scenario is cropping up more and more frequently, observers say.
There's been a surge in rogue anti-spyware applications, according to researchers at Trend Micro. The volume of these threats has jumped 500 percent -- from 2 to 10 percent of all infections Trend Micro has detected via its free HouseCall scanning service. The researchers say 10 percent of all new computers get infected by these rogue programs within the first 24 hours.
The latest attacks -- mainly aimed at less technically savvy home users -- use fraudulent security software as a lure, says George Moore, threat researcher for Trend Micro. It's a combination of social engineering and crafty pop-ups posing as Windows alerts. "Pushing fraudulent security applications is becoming increasingly popular," he says.
Attackers can make anywhere from $30 to $80 a victim by selling them phony security tools, Moore says. (See Pop-Ups Fake Security Alerts.) "It looks, feels, and acts like legitimate software."
So far, it's mostly a money-making scheme, rather than a spam or bot-herding exercise. But the bad guys end up with your credit card information, so it's actually more dangerous. "They use several ways to get onto the machine -- through silent installs on emails, Google ads, IM, hacked MySpace pages, and fake video codecs that install the rogue application," Moore explains. (See Video Sites Buoyed by Spyware-Driven Fraud.)
The attackers are using hacked Web servers -- including some college sites -- to distribute their code, and they employ "bleeding-edge" Windows exploits as well, Moore adds. "I've seen some Websites where [rogue code] was elaborately written so it looks like a program on your local machine is saying your machine is infected." All it takes is for the user to click on a button to "clean" up the machine, and it becomes infected.
Moore says there are multiple gangs behind the rogue anti-spyware. One recent case came to a head with a class action lawsuit against WinFixer, which allegedly created dozens of these applications. The best defense is to be sure you have a legitimate security app running on your machine -- most of these tools can detect these so-called freeloader or parasite programs.
Next Page: Stealth Malware by Design
It's been called "stealth by design" (SBD) -- malware that's even sneakier than your average rootkit. Unlike a traditional rootkit, which tries to mask its processes, SBD malware doesn't leave many tracks you can trace.
Joanna Rutkowska, one of the world's leading researchers on stealth malware, coined the phrase "stealth by design." Rutkowska, founder of Invisible Things Lab, developed a proof-of-concept backdoor program that had its own TCP/IP stack, as well as its own private "shell," so it didn't have to create any processes it would need to hide. (See Invisible Things Comes to Light, Rutkowska Launches Own Startup, and Black Hat Woman.)
Some antivirus vendors, including Symantec, later detected some rootkits in the wild -- specifically one called Rustock (see least-known vulnerability #7) that demonstrated behavior similar to the SBD model, she says, but doesn't quite make the grade.
But SBD malware isn't necessarily a rootkit. SBD cannot only control the system like a rootkit does, but also "spy" on it, Rutkowska says. "In both cases, stealth is the key feature."
So why won't your AV software catch it? "Most of currently used rootkit/stealth malware detection -- used by both antivirus vendors as well as forensic investigators -- is based on searching for hidden objects, [such as] hidden processes, hidden files, etc.," Rutkowska explains. "SBD malware cannot be detected this way, by definition."
Luckily, this extra-stealthy malware is probably too sophisticated for the everyday attacker to create. But preventing it will be no easy task: "We just need to prevent untrusted code from getting into kernel," Rutkowska says. "Unfortunately, this is not a simple process, and I don't believe that we will have an effective kernel prevention mechanisms for general purpose operating systems like Windows anytime within the next few years."
Next Page: Targeted Attacks
Until recently, you could pick up most of the information you needed about a specific attack vector by studying its behavior in other systems or in other organizations. But what do you do when there's only one attack -- and it's aimed directly at you?
That's the question that many enterprises -- particularly high-profile organizations -- are facing with increasing frequency. Instead of a massive attack on hundreds of users, security pros are now trying to defend against one message, sent to a single user, containing a backdoor Trojan -- or worse.
Such narrowly-targeted attacks are becoming more popular than ever, according to a new report issued in April by MessageLabs. The messaging security company says it identified 716 emails in 249 targeted attacks in March. The attacks targeted 263 different domains, belonging to 216 different customers. (See Targeted Attacks on the Rise.)
Most of the email attacks came in the form of malware hidden in a Microsoft Office document. Some 45 percent of the attachments were PowerPoint; 35 percent were Microsoft Word files. Only 15 percent were .exe files, according to MessageLabs.
Nearly 180 of the 249 attacks were sent to a single individual in the company via a single message, MessageLabs said. Fewer than 20 of the attacks identified as "targeted" were sent to more than 10 people in a company.
The number of targeted attacks has grown since 2006, but that may simply reflect the fact that vendors are becoming more adept at identifying them, MessageLabs said. "Previously, they may have been lost in the general noise of one to two million pieces of malware per day."
There doesn't appear to be any pattern to the types of companies that are targeted for attack, MessageLabs found. Military organizations were among the most targeted, followed by electronics, aviation, and retail. "Target organizations are those with data worth stealing," the report says.
Many of the targeted attacks come from a single gang in Taiwan, MessageLabs says. "One gang has been using the same two attack files since November 2006," the report says. "In the month of March, they used these files 151 times, which makes them one of the highest-profile gangs, accounting for just over 20 percent of all targeted emails."
Next Page: The Rustock Trojan
Things have been kind of quiet with Rustock lately -- maybe too quiet. But over the past year, Rustock has been the backdoor rootkit behind a wave of pump-and-dump stock spam that was the scourge of the investment world.
Rustock, which can morph itself every time it infects a file, was especially effective because it had staying power on the infected machine. Most rootkit detectors couldn't see it. (See Rustock a Model for Future Threats.)
Some of the spamming botnets that deployed Rustock used advanced techniques like encrypted HTTP connections, rather than the traditional botnet path, the very conspicuous Internet Relay Chat (IRC) method. That makes it tough to detect at the network level, too.
Joe Stewart, a security researcher with SecureWorks, says he's seen a noticeable drop-off in Rustock-based attacks since April: "We have no clue why," he says. "Maybe the business model didn't work on stock spam. Or maybe it's because of a law enforcement effort," such as the Securities Exchange Commission's (SEC) crackdown in March on pump-and-dump spamming.
But the Rustock creator is a rootkit author, Stewart notes, so it may just be that he's keeping a low profile with stealthier malware. "He may have gotten even better at hiding," says Stewart, who earlier this year injected himself into a Rustock botnet in order to study it.
Stewart says there may be a Rustock variant that antivirus programs can't recognize as yet.
Next Page: SOX-Busting Accounting Flaws
For the past two years -- and in some cases, even longer -- public companies have been putting dollar after dollar into tools and technologies that were supposed to bring their companies into line with the reviled Sarbanes-Oxley security guidelines.
Now, many of them are beginning to realize that SOX is not necessarily a technology problem.
According to observers and auditors in the SOX space, the reason most companies fail their audits these days is because of sloppy accounting practices, not system or security flaws. The vulnerability is in the finance department, not IT.
"What we've seen recently is that nearly half of the compliance deficiencies that companies encounter are on the accounting side, while less than 5 percent are IT systems related," said John Pescatore, vice president and distinguished analyst at Gartner, at the Gartner Security Summit earlier this month. (See Security's Sea Change.)
That auditing experience may help break the wave of companies spending heavily on security technology in order to speed compliance, Pescatore predicted.
Security, which had been Gartner clients' top priority in 2005 and number two in 2006, dropped to number six this year, Pescatore reported. And after breaking into the top 10 business priorities for the first time last year (it was number seven), security has once again fallen out of clients' top 10 lists.
So if the "vulnerabilities" in SOX audits are in accounting, not in IT, does that mean compliance will become a less effective lever for getting approval on security budgets in the coming year?
Not necessarily, experts say. In the retail industry, a different sort of compliance -- the Payment Card Industry's Data Security Standard (PCI DSS) -- is becoming the new SOX, and may help keep security spending up, at least in industries where credit-card handling is important, they say. (See Retailers Still Lag in PCI Compliance and Data Security Vendors Establish PCI Security Vendor Alliance.)
The Staff, Dark Reading