Security in a Shared Space

The Problem

When your network is located in a facility where you are the only business, physical security is easy. You can be reasonably sure that the only way someone can compromise your network is by defeating your perimeter defenses. Frequent scans, effective antivirus and properly configured firewalls and IDS software should be sufficient to secure such a network.
When your network is in a shared location, such as an office building, it is more difficult to ensure that your wired network is fully secure. This is because in many shared spaces network cabling runs through the offices of other companies. In addition, network resources such as servers and routers may be located in shared server rooms.

The Attack

There are two different types of attacks that are unique to a shared space. The first is unauthorized access to a server located in a shared server room. This probably presents the greatest risk because the attacker is able to access all of the resources on the server and may be able to install backdoors or other malware on the server.
The second type of attack is tapping, where a network cable passing through another business's space is cut, and a router is installed on the line. This would allow additional computers to be connected to the network.

Detection

The only way to detect unauthorized access to a network device in a shared location is log analysis. For example, a script should be created that transfers the authentication log (which records login attempts) to another location. This exported log file should then be reviewed frequently for suspicious activity. The server should also be checked to ensure that only required users have the ability to log on, and unauthenticated or guest accounts are disabled.
Detection of tapping is more difficult. Periodic scans should be performed to look for unexpected devices. These scans should include thorough port scans that will scan the IP in question even if a ping is unsuccessful.

Prevention

The only way to prevent unauthorized access to a resource in a shared area is to lock the resource any time it is left unattended. The passwords should also be checked to ensure they are complex to protect against brute force attacks.
Tapping is impossible to prevent. However, the damage potential could be minimized or eliminated. First, routers and firewalls on the network should be, if possible, set to only allow traffic from devices with certain known mac addresses. This will prevent most attackers from accessing any resources on the network. Second, no resource on the network should be accessible to unauthenticated users, and all passwords on the network should be complex. Although an attacker would be able to use the network connection until a scan detects their access, they will not be able to gain access to the network's resources. Finally, regular scans should be run on outgoing traffic through the router. This will reveal the presence of any unauthorized devices.

Antivirus 2009 Case Study

Overview

Antivirus 2009 is a type of scareware that generates fake antivirus warnings, to trick users into installing malicious software on their computer. This malware is particularly aggressive, in that it demonstrates many of the latest self-protective measures in taking control of the victim computer. Once installed, the application will attempt to force the user to purchase Antivirus 2009, which is a fake antivirus application. Once purchased, the application will then install additional malware on the victim computer.

Infection Source

Most of the observed infections result from visiting a web site that has been compromised. On visiting the compromised site, the user's browser will display two popups, one of which covers the entire screen and emulates an anti-virus scan, and a second, smaller, script generated box that appears to be an antivurs scan report showing an infection. The warning is fake; at this point the user has not been infected.
If the user clicks on either of the popups, the program will install the virus. Internet Explorer, Mozilla Firefox, Opera and Chrome all seem to follow identical infection methods. It is unknown that the installer is able to exploit browser vulnerabilities to force an installation.

Results of Infection

Once the malware has been installed on the victim computer, the malware begins installing supporting software, and attaching itself to several processes. The first step in the infection seems to be the installation of a DNS server and a web server on the computer, which bind to 127.0.0.1. The DNS server will resolve domain names of common antivirus manufacturers to the web server at 127.0.0.1.
The next step appears to be the neutralization of antivirus software installed on the computer. In some cases, this is accomplished by redirecting the update mechanism of the anti-virus application to the fake web server on the computer to deliver empty or corrupt antivirus updates. In other cases, the existing definitions may be infected or corrupted, which results in the antivirus application appearing to work correctly, although it is no longer able to test for certain types of infections.
Finally, the malware attempts to disrupt the user's ability to access the internet. Traffic to security and antivirus web sites is redirected to the malware's internal web server. Opening a browser also triggers warning popups on a set delay. As the malware is able to bind to more processes, eventually the infected computer becomes unusable.
It is important to note an interesting self-defense capability of the malware, which is an executable killer. The malware monitors all processes looking for attempts to install antivirus applications. If such a process is detected, the malware is able to kill the process before installation begins.

Prevention

The best case scenario is prevention. Testing indicates that Kapersky Antivirus, AVG and other packages that include a "Web Shield" type of component are able to prevent infection regardless of browser (I have tested this with Explorer, Firefox, Opera and Chrome) and fully mitigate the attack, with an appropriate warning.

Removal

Removal of the Antivirus 2009 malware is extremely difficult. Most malware will simply prevent the download of new antivirus software (which this malware is quite adept at). This can be circumvented by downloading the antivirus application on a clean computer and burning the software and the latest update file to a CD. However, in many cases this malware will detect the attempt to install the software. It is sometimes possible to prevent this by renaming the installer.
If antivirus is installed on the compromised computer, it will almost immediately come under attack by the malware. It is important to make sure the antivirus software has a self-defense feature to prevent the compromise of the definitions file. In some cases, antivirus software may need to be run dozens of times before the infection is fully cleared. Other times, a full reformat of the hard drive is the only option.
The following sites have detailed information on possible removal options:

• Windows XP/Vista Blog
  
• CNET
• 2-spyware
• Bleeping Computer

Update (1/28/2009): Microsoft's recent Malware Removal update targeted this specific malware. More information about the update and the results of its use can be found here.

What To Do if you have been Hacked or Infected

Although I am writing this primarily for home computer users, many of the same principles apply for business networks. However, in a business environment, your IT department should handle cleaning the infection and checking the network for additional problems.

The Symptoms

How do you know if your computer has been compromised? It may be obvious - your computer might be displaying the incorrect pages when you browse the web, or it may be more subtle - your computer may be running slowly. I have had some friends tell me recently that their web-based accounts were hacked, but had not been accessed from any computer other than their own (possible keylogger).

Cleansing

The first step is to remove any and all hostile software that may be on your computer. This includes viruses if you have been infected, and backdoors if you have been hacked. If your computer is compromised, assume that your antivirus software was compromised as well. Uninstall it. From a clean (unaffected) computer, download the latest version of Avast Antivirus, AVG, or whatever antivirus software you have a license for, and burn the software onto a CD. From the CD, install the software on the affected computer. Update the software, run a full scan, reboot, scan again, until you are clear.

Securing

Once your computer is clean, you will need to secure the computer so this does not happen again. Download and install a high end firewall application (if you are looking for something free, Zone Alarm is one of the best free firewalls). Also, find and install a quality anti-spyware application.

Mitigation

Now that your computer is cleaned up and secured, it is time to mitigate the damage that could have been caused by the compromise. The first step is to secure your network. If you have any computers on the same network as the compromised computer, uninstall and reinstall the antivirus software, and rescan those systems to make sure any viruses were not transferred between systems. Also, any external backup media you use MUST be scanned before it is reused.
Finally, change all of your passwords on the compromised system, as well as all passwords that you used while using that computer. This includes all web-based e-mail systems such as GMail, social networks like Facebook and MySpace, your bank if you use online banking, etc. If your PIN number for any of your credit cards was on the computer, change the pin number. If any of your credit card numbers were stored on the computer, notify the banks that issued the cards.

Onion Security

Onion Security is a methodology for securing a network in layers, like an onion. This type of security approach helps keep the network insulated against attacks.

The problem

You have a medium to large network, consisting of internal workstations and externally accessible servers. There are multiple vectors of attack available to a determined attacker.
Most networks rely on security measures such as perimeter firewalls to protect the entire network. In an environment where new vulnerabilities are being discovered daily, such an approach is ineffective. If you rely on a firewall, for example, and a network user visits a compromised web site, and is infected by a virus, the attacker now has a way around the perimeter defenses. Once the perimeter is breached, what protects the remaining resources on the network?

The Solution

Onion security is implemented by securing every resource on the network. This includes strong perimeter security measures as well as strong internal protection. Of course, every workstation and server should have effective and up to date anti-virus software, but in addition each workstation should have it’s own software based firewall. Most of the workstations on your network do not need to be able to communicate directly with one another. The firewalls should limit communication between workstations, and only allow communication with servers. This should help limit the spread of viruses and intrusions to the network.
Access to server resources such as shared files should also be limited. Financial information should only be accessible to users in the Finance department, for example, and marketing files should only be accessible to marketing personnel. In this way, a compromise can be further controlled. If a marketing computer is compromised, for example, the attacker cannot access anything from the finance department. This provides yet another layer of protection.

Internet Security Review - 2008

2008 was an interesting year in the security field. Many things changed, from the way computers were being infected, to the goals of attacks.

• New goals – Traditionally, malware had any of several goals. Hackers may try to commit identity theft, or to use a compromised computer as part of a botnet to send spam, or to steal usernames and passwords to online bank accounts. In 2008, however, it is estimated that between 50 and 75 percent of attacks were aimed at stealing online gaming accounts, mostly for World of Warcraft. Blizzard Entertainment (maker of WoW) has responded with numerous security advisories and enhancements, including the release of a hardware authenticator that can be used to lock down accounts. Blizzard has reported that 2008 saw the highest subscription rate as World of Warcraft became one of the most played games in history, and 2008 also saw the highest rate of account compromise.
• New types of malware – In addition to the more familiar malware, such as adware, spyware, keyloggers and Trojans, two new classes of threats became common during 2008; extortionware and scareware. Extortionware is a class of virus that encrypts all files of a specific type on the infected system with a high level of encryption, and then gives the victim instructions where to pay to get the decryption key. Scareware infects the system with a fake antivirus system that warns the user of multiple infections, in an effort to coerce the user into purchasing the antivirus product, which is a fake application that installs keyloggers and other malware.
• New methods of infection – Missing in 2008 were stories about widespread, net traversing e-mail viruses. Instead, most of the infections in 2008 resulted from hacked web sites. Even as search engines tried to combat the problem by warning users of potentially malicious links in their own results, the search engines themselves were used as a tool to spread infections, as forwarders on well known and trusted sites were abused to put malicious links at the top of the search engine results.
• New ways to hide hacks – Hackers that attacked web sites employed new methods in 2008 to hide their attacks from site owners, abusing .htaccess rules on attacked sites to cause attack code to only be displayed to users following links from the major search engines. This method leaves the attack code virtually invisible to the search engine spiders that attempt to warn users about malware, and to the owners of the web site, who would rarely use a search engine to visit their own site, and would thus never be exposed to the attack code.

As the threats have intensified, new defensive measures began to gain popularity to combat the wide range of emerging threats.

• Hardware authentication – To combat the high rate of account compromise, Blizzard became the first company to implement on a large scale a hardware authentication mechanism. Although similar technology has been proposed on smaller scales by banks for their customers, or implemented on a small scale by companies to secure internal information, 2008 saw the first major push by a large corporation to introduce and implement this technology.
• Web site prescreening – Many of the larger anti-virus providers began incorporating technology to scan web pages before they were loaded by the visitor. For some systems, this meant that the antivirus company would check the page before it was requested by the user. For others, it means that the page would be loaded into a “secure” area of the computer’s memory to be scanned before being rendered by the browser. This helped alleviate some of the threat of hacked web sites. However, the technology still has not become prevalent.

As the threats have intensified, a robust, multi-tiered approach to security remains essential. Anti-virus software is no longer enough to protect a network. Numerous components working together are required to ensure the security of any system or network.

• An external hardware firewall or router – The external firewall/router is the first line of defense for any network, hiding the network from drive-by attacks by blocking unsolicited incoming network traffic.
• Internal software firewalls – All systems on the network should be protected by robust software firewalls that can monitor traffic between connected systems looking for suspicious traffic. Free software firewalls include Zone Alarm and Comodo Pro. The firewall included with Windows is not sufficient for this.
• Strong Anti-virus – a strong antivirus application is required on every computer on the network. This software must be kept up to date, checking for updates at least once a day. One of the top rated Anti-virus applications currently is Kapersky. There are some highly rated free AV applications such as Avast!, however these applications generally do not have all the features of a commercial product.
• Anti-Spyware – A commercial or freeware anti-spyware application should be run regularly to look for malware that might have been missed by the antivirus software. This can happen with new viruses, as malware may take days or weeks to be identified and added to the scan lists of different antivirus products.
• Regular updates – As patches are released for security software, browsers, operating systems, and software, it is essential that they be applied immediately. Almost any vulnerable application can be used to attack your system, so patches must be applied as soon as they become available.

It is no longer enough to simply rely on your wits, avoiding potentially dangerous places on the web to stay safe. Any trusted web site can be compromised and become a threat to the safety of your computer and network. Only by keeping up to date with your patches and employing proper security measures can you protect yourself.
Its not paranoia. They are out to get you.

Welcome

Welcome to my new blog. In this blog, I hope to address many of the network and Internet security issues affecting administrators and end users. My goal is to post new topics weekly, and I will respond to comments and suggestions regularly. If you have any suggestions for topics you would like to see addressed on this blog, please add a comment here.

Thanks for visiting. I hope you find the information on this blog useful.