Previous month:
October 2012
Next month:
December 2012

November 2012

Logging: A Vanishing Art Form


In March 2011, the Anti-Phishing Working Group (APWG)’s Internet Policy Committee published the responses to a survey of organizations whose Websites had been compromised and subsequently used to host phishing pages.

Images by zagazou76
I’ve been looking at the reported incidents since March
2011 to see if any trends emerge. While many aspects of defending Websites against attack and compromise still desperately need improvement, logging stands out as one
of the most clearly under-utilized.

One reason to log events on servers, hosts, and switching equipment is to record what is happening on your network so that you can identify unusual or suspicious activities. Yet when asked after an attack, “How was the attack discovered or reported?” only six percent of respondents indicated that they or their colleagues discovered it from Web server logs -- and that percentage appears to have dropped in the most recent sample.

A second reason to log events is to have information available during an incident to help identify and mitigate the attack. Thirty-four percent of respondents indicated that they reviewed system and Web server files as part of their incident response; again, that percentage appears to have dropped in the most recent sample.

It should come as no surprise that compromises are more commonly reported to web site owners than discovered by them. Even conceding that organizations increasingly outsource Web-hosting (and this is also reflected in the survey responses), log collection and analysis appear to be vanishing as arts and practices. Can it really be true that we’re not paying attention to logging in the era of advance persistent threats and state-sponsored cyber-espionage? Apparently so, and the reality is sobering, ironic, comical, and downright depressing.

In baseball parlance, I’m about to serve you a meatball: Educate your partners in the value, art, and practices of log collection. Here are a few recommendations to pass along:

Enable logging on all systems. There is enormous value in having multiple perspectives of the same events or traffic. Data on, for example, which system or executable is generating traffic, whether the same traffic is emanating from multiple systems, common traffic destinations, and commonly resolved domain names is essential when investigating a Website hack, data exfiltration attack, hosts running unapproved (unlicensed) software, or even performance bottlenecks.

Log as much as your pocketbook will spare. What and how much to log may seem like an art form, but many resources are available for you to recommend. Brian Honan’s presentation on log management offers simple, solid advice and examples. As you identify what you will log, keep in mind that you can learn as much from allowed events as denied.

Synchronize time across your network. Correlating events you log from switches and hosts is best accomplished when all systems are operating on the same UTC time. 

Collect logs at a central, secure repository. Centralized logging facilitates troubleshooting and incident response. You can also use log data to assess network performance; performance is often an easier "sell" in an organization than security. Secure, centralized logging can be implemented relatively inexpensively using syslog-ng. Dedicate a server to only collect logs. Physically secure the server, harden it, run it on a separate LAN segment, and restrict access to the server. Depending on your security needs, you can even choose to operate the log server in stealth mode.

Convincing your partners to embrace centralized logging is step one. The next and harder step is to convince and assist them in actually making use of what they’ve logged. Begin by pointing them to the dismal statistics I presented here. Emphasize that frequent log analysis is also beneficial in correcting network problems that affect availability (online presence) or performance. We’ll talk about what to recommend if your partners buy in to this proposition in a future article.

Originally posted at The Champion Community 16 August 2012

Dorkbot: Malware That Uses Your Contacts to Spam, Infect Your PC, Steal Your Personal Data

The smart folks at Microsoft's Malware Protection Center have written a nice analysis of the Dorkbot infection vectors. Dorkbot is a worm that injects code into Windows explorer, spreads other malware and ransomware, and attempts to steal usernames and passwords for social networking and messaging sites (Facebook, AOL, Yahoo!, Twitter, Gmail...), merchant sites (eBay, PayPal, Moneybookers, AlertPay...) and domain registrar/hosting portals (e.g., GoDaddy, Monicker, Namecheap...). Social networking and messaging site accounts can be used to spam, merchant accounts can be used for theft or fraud, and  registrar (hosting) accounts can be used to deface or upload malicious links to hosted web sites (via FTP), to deny service, or to alter DNS settings.

In some respects, Dorkbot is a new form of blended threat: rather than relying on traditional networking distribution methods to infect hosts (e.g., exploiting file sharing vulnerabilities, drive-by downloads, removable media), it uses messaging services and social networks as distribution platforms.  

Like many malware, the Dorkbot malware socially engineers or convinces users to click on malicious URLs. What makes Dorkbot particularly nasty is that:

  • the URLs are not found on web pages or in email but in instant messages
  • the URLs often use URL shorteners (and some of these are not safe)
  • the URLs may appear in social networking messages that come from one of your Contacts
MMPC has a nice graphic that explains what a Dorknet contact spam looks like in a messaging application. The consequence of clicking on the URL is the same as if you clicked on malicious link in a malicious spam email or at a criminal's web site you unintentionally or unwisely visited.

Dorkbot presents an oportunity to point out that your contacts may not always be as trustworthy as you imagine. You simply cannot be certain whether a message you receive is coming from your contact or a malware that's infected someone who has added you as a contact.

Here are some simple tricks or rules to follow:

  • Keep your computer "patch current".
  • Detect and remove this threat. Visit Microsoft or an AV vendor you use and trust to find Dorkbot removal tools (remember, only visit vendors you trust).
  • Before you click on a URL in an unsolicited message you receive from a contact (especially one that literally comes "out of the blue"), consider asking the contact a question. Dorkbot probably can't hold a conversation with you.
  • Be wary of shortened URLs, especially URLs generated by shortener services that do not perform security checks on the URLs they shorten.
Techspot has another, related article describing how Dorkbot spreads via Skype to install ransomware