DNSSEC Fortifies Web

Friday, July 30, 2010

Two years after a major flaw was exposed in the Internet’s Domain Name System (DNS), a major upgrade to the infrastructure protocol that fixes that weakness is now up and running in all of the Internet root servers. DNSSEC, which has been in the works for nearly two decades, was fully deployed in the root this month, the final level of deployment needed to finally get the deployment of the security protocol officially off the ground. DNSSEC is considered the key to preventing attacks exploiting the now-infamous cache-poisoning vulnerability revealed at Black Hat USA in 2008. Rod Beckstrom, president and CEO of ICANN, the governing body for Internet domains, today heralded the addition of DNSSEC at the root as the biggest development in the Internet since the introduction of the Web: “By any measure, this is a historic development,” he said in a press conference here announcing that the root had been signed with DNSSEC.  Nine top-level Internet domains have also now been signed with DNSSEC, including .uk, .org, and others. “We expect another dozen or so to take this step over the coming weeks,” Beckstrom said.  He says others should be DNSSEC-signed in the next 12 months.

DNSSEC certifies that a domain is what it claims to be: “When you receive an email from your bank, you’re actually going to know it came from your bank,” said Dan Kaminsky, the researcher who exposed the DNS flaw.  Kaminsky, who is chief scientist at Recursive Ventures, originally dismissed DNSSEC as a solution due to the major undertaking and cost it would entail to deploy it, but he later endorsed it as the best way to secure DNS. Kaminsky said DNSSEC allows domains, or companies, to assert that they are who they say they are, and aren’t bad guys posing or spoofing.  “We’ve never had the ability to do that efficiently before,” he says. DNSSEC will work hand-in-hand with other authentication technologies, such as the DKIM (DomainKeys Identified Mail) protocol, said Russ Housley, chair of the IETF.  “[This] way we’re going to reduce vulnerabilities not just for the domain system, but for other apps” such as email, he said. The next step in addition to building plugins for DNSSEC is to hack at it to find any weaknesses or flaws in the technology, Kaminsky said.  “Now it’s the time to find any problems with it,” he said.  “My hope is that we will find all of these things early.”

Kaminsky’s company has been writing DNSSEC tools as well as working with other researchers to run penetration tests on DNSSEC, and will release a report on the results on September 1.  Meanwhile, among the tools Kaminsky and his team have been working on is a tool called Phreebird, which is an online DNSSEC signing application. During a live demonstration in his Black Hat presentation here today, Kaminsky used Phreebird to deploy DNSSEC, noting that it took just two minutes to execute.  The goal is to make DNSSEC deployment simple and fast, he says.  “The fix two years ago for DNS was a Band Aid,” he said.  “Someday, DNSSEC has to be as easy to deploy as that patch was.” Now that the root is signed with DNSSEC, he said, it’s time to build tools for it, and to try to break it.

Reference : http://www.darkreading.com/securityservices/security/management/showArticle.jhtml?articleID=226300226

Cloud Security Alliance

Wednesday, March 3, 2010

Novell and the Cloud Security Alliance have announced a vendor-neutral “Trusted Cloud Initiative” for developing standards and certification of cloud security, compliance, identity management and other best practices…..The Cloud Security Alliance is a group of consultants, vendors, and cloud users that formed a non-profit group at the end of 2008 to address the lack of standards for cloud computing…..There are no defined levels of security in cloud computing, and it’s difficult to get a discussion going when one party can’t be sure of the terms that the other is using.  The Trusted Cloud Initiative is aimed in part at creating a shared set of standards that can be verified by neutral third parties.

“By building a consensus security reference guide and certification roadmap, we are creating common ground for both enterprises and cloud providers, and expect to accelerate cloud adoption,” said Alan Boehme, senior VP IT strategy and enterprise architecture at ING Americas, a branch of the Dutch insurance conglomerate, in Monday’s announcement…..“Our customers need a visible seal of trust.  We strongly believe education, clarity, and industry-approved security guidelines will propel the adoption of cloud computing,” said Dipto Chakravarty, VP of engineering, Identity and Security unit at Novell…..Members of the Cloud Security Alliance include Microsoft, Dell, Rackspace, Qualys, HP, Intel, Cisco, McAfee, Salesforce.com, Symantec, the DMTF (formerly Distributed Management Task Force) standards body, and the Information Systems Audit and Control Association (ISACA)…..Nils Puhlmann, chief security officer at Zynga Game Network, a producer of online social games, including FarmVille, said the alliance will pay attention to other standards efforts and adopt them, whenever it can.  “We are committed to aligning the Trusted Cloud Initiative with other standards efforts,” he said in the announcement. But the alliance will be responsible for “assembling the reference model and certification criteria from existing standards, and we will complete it in 2010,” he said.

Reference : http://intelligent-enterprise.informationweek.com/showArticle.jhtml?articleID=223101299

Botnet Factories

Thursday, February 25, 2010

In 2005, a Russian hacker group known as UpLevel developed Zeus, a point-and-click program for creating and controlling a network of compromised computer systems, also known as a botnet.  Five years of development later, the latest version of this software, which can be downloaded for free and requires very little technical skill to operate, is one of the most popular botnet platforms for spammers, fraudsters, and people who deal in stolen personal information.  Last week, the security firm NetWitness, based in Herndon, VA, released a report highlighting the kind of havoc the software can wreak.  It documents a Zeus botnet that controlled nearly 75,000 computers in more than 2,400 organizations, including the drug producer Merck, the network equipment maker Juniper Networks, and the Hollywood studio Paramount Pictures.  Over four weeks, the software was used to steal more than 68,000 log-in credentials, including thousands of Facebook log-ins and Yahoo e-mail log-ins.  “They had compromised systems inside both companies and government agencies,” says Alex Cox, a principal analyst at NetWitness.  A survey conducted by another security firm–Atlanta-based Damballa–found Zeus-controlled programs to be the second most common inside corporate networks in 2009.  Damballa tracked more than 200 Zeus-based botnets in enterprise networks.  The largest single botnet controlled using the Zeus platform consisted of 600,000 compromised computers.  The Zeus software is less important for its conquests than for its high regard among cybercriminals.  “Zeus is incredibly popular with people that want to tinker and start their own small business, if you will,” says Gunter Ollmann, vice president of research for Damballa.

A group of four or five developers started working on Zeus in 2005.  The following year they released the first version of the program, a basic Trojan designed to hide on an infected system and steal information.  In 2007, the group came out with a more modular version, which allowed other underground developers to create plug-ins to add to its functionality.  The latest Zeus platform allows users to build custom malicious software to infect target systems, manage a far-flung network of compromised machines, and use the resulting botnet for illegal gain.  The construction kit contains a program for building the bot software and Web scripts for creating and hosting a central command-and-control server.  Independent developers have created compatible “exploit packs” capable of infecting victims’ systems using vulnerabilities in the operating system or browser.  Other developers focus on creating plug-in software to help would-be cybercriminals make money from a Zeus botnet.  Some add-ons focus on phishing attacks–delivering the images and Web pages needed to create fraudulent banking sites, for example.  Other add-ons give bot operators the tools to create spam campaigns.  “There is a whole cottage industry around creating add-ons for Zeus,” says Don Jackson, a security researcher with the Counter Threat Unit at SecureWorks, a company based in Atlanta…..Even the basic Zeus kits include obfuscation techniques to help escape detection by antivirus software and other security measures.  In one experiment, consultant Alex Heid of Internet Security Services found that only about half of antivirus software detected a known Zeus payload.  After employing some simple techniques for masking the code, the detection rate dropped even further, to 10 percent.  “The cybercrime technologies are advancing faster than the security technologies,” Heid says.  Once Zeus has compromised a system, it gives the user no sign that it’s there, according to Jackson. 
“What does Zeus look like when it infects your computer?  Well, stare at your computer now, and that’s what it looks like,” Jackson says.  “It’s designed to do its job and do it successfully and do it silently.”  While both Damballa and NetWitness sell technologies and services for detecting compromises on corporate networks, they do not provide software for end users.  “Most enterprises that we work with have a large number of users, so they basically give up on defending their computers,” Ollmann says.  “You make the best attempt with antivirus and firewalls, but they accept that some percentage of their systems are going to be infected, so they focus on detecting and rebuilding the (compromised) systems rather than defending against all threats.”  Cox adds that focusing on the communications between infected systems and a command-and-control server is usually the best way to catch infections.  “Understanding what normalcy looks like on your network so you can pinpoint abnormality is what is really important in the current threat environment,” he says.  “Don’t trust only your existing security controls, and get eyes on your network.”
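The detection approach Cox describes above, baselining outbound connections and flagging the ones that do not look normal, as an added example that is not part of the original article or of any vendor's product. It assumes a constructed proxy log of "timestamp source destination" records, placeholder hostnames, and illustrative thresholds; it flags hosts that contact a rarely used destination at clockwork-regular intervals, the beaconing pattern that bot-to-controller traffic tends to show.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample of outbound proxy log lines (not from any real network),
# one "<ISO timestamp> <source host> <destination host>" record per line.
SAMPLE_LOG = """\
2010-02-25T09:00:00 ws-17 beacon-dest.example
2010-02-25T09:00:02 ws-04 mail.example.com
2010-02-25T09:00:45 ws-04 mail.example.com
2010-02-25T09:01:00 ws-17 beacon-dest.example
2010-02-25T09:01:00 ws-09 mail.example.com
2010-02-25T09:02:00 ws-17 beacon-dest.example
2010-02-25T09:02:30 ws-04 mail.example.com
2010-02-25T09:03:00 ws-17 beacon-dest.example
2010-02-25T09:03:05 ws-09 mail.example.com
2010-02-25T09:03:10 ws-04 mail.example.com
2010-02-25T09:04:00 ws-17 beacon-dest.example
2010-02-25T09:05:00 ws-17 beacon-dest.example
2010-02-25T09:05:50 ws-04 mail.example.com
"""

MIN_HITS = 5        # fewer connections than this is too little to judge regularity
MAX_JITTER = 0.15   # stdev/mean of the gaps between connections; ~0 means clockwork
MAX_SOURCES = 2     # a destination only one or two hosts ever talk to is "not normal"

def parse_log(text):
    """Return {(src, dst): [timestamps]} and {dst: set of src} from the log text."""
    hits = defaultdict(list)
    sources = defaultdict(set)
    for line in text.splitlines():
        ts, src, dst = line.split()
        hits[(src, dst)].append(datetime.fromisoformat(ts))
        sources[dst].add(src)
    return hits, sources

def find_beacons(text):
    """Flag (src, dst, mean_gap_seconds): regular connections to a rarely used host."""
    hits, sources = parse_log(text)
    flagged = []
    for (src, dst), times in hits.items():
        if len(times) < MIN_HITS or len(sources[dst]) > MAX_SOURCES:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= MAX_JITTER:
            flagged.append((src, dst, avg))
    return flagged
```

On the constructed log only ws-17 is flagged: its six connections to beacon-dest.example are exactly 60 seconds apart, while ws-04's mail traffic is irregular and therefore passes as normal.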

Reference : http://www.technologyreview.com/computing/24641/

Security Software Market In Asia Pacific

Tuesday, January 26, 2010

As most economic figures point to a smooth recovery, the outlook for the IT security industry in 2010 is expected to be optimistic.  According to the figures recently released in the IDC Asia/Pacific Semiannual Security Software Tracker, most security markets in the Asia/Pacific excluding Japan (APEJ) region are expected to post strong double-digit growth in 2010 compared to 2009.  According to the study, the largest growth will be in the Security and Vulnerability Management (SVM) market which is forecast to grow some 19% to US$115.44 million in 2010.  The Secure Content and Threat Management (SCTM) market can expect an 18.4% growth with revenue forecast to reach US$1134.82 million in 2010 compared to 2009.  The Identity and Access Management (IAM) market is estimated to grow by 15.2% to reach US$326.38 million.

“The rise in the security market is fuelled by the increasingly sophisticated threats and management overheads facing each IT organization.  The security landscape has been seeing new threats growing explosively in number and complexity – attacks that exploit the vulnerabilities of applications, insider sabotages, identity fraud and unauthorized access to corporate systems and networks.  Regulatory compliance requirement is also a significant driver for security solutions.  Companies are required to align with international regulations, standards and best practices when collaborating with business partners around the world.  Many of these companies have turned to SVM products to establish a security management framework for various compliance requirements such as policy compliance, log archiving and auditing,” said Judy Wu, Research Manager for IDC Asia/Pacific Security Research.  At the same time, previous purchases and deployments of security products over the years have increased management and integration complexity.  The excess workload due to the sheer number of systems and applications that an IT organization needs to manage has forced companies to adopt advanced security tools to automate their operational requirements as much as possible.  The SVM segment is a key growth area across Asia/Pacific as companies turn to SVM’s capabilities – such as patch management, policy enforcement and security incident analysis and management – to reduce complexity and increase management efficiency…..

Reference : http://www.idc.com/getdoc.jsp?pid=23571113&containerId=prHK22160710
Related : https://mmadan.wordpress.com/2006/06/01/security-software-market-in-asia-pacific/

The Open Web Application Security Project (OWASP) today released a new top 10 list at its conference in Washington, D.C., that focuses on Web application security risks rather than, as its previous lists did, on the most common weaknesses found in Websites…..Injection attacks top the 2010 OWASP Top 10 list of Web application security threats, including SQL, OS, and LDAP injection, followed by cross-site scripting (XSS), broken authentication and session management, insecure direct object references, cross-site request forgery (CSRF), security misconfiguration, failure to restrict URL access, unvalidated redirects and forwards, insecure cryptographic storage, and insufficient transport layer protection.  The list is considered a “release candidate” that will be published in its final form in 2010.  New to the list are security misconfiguration and unvalidated redirects and forwards…..Web redirects typically steer users to other pages and sites, and when the data for the destination pages isn’t properly validated, users can be redirected to phishing or malware sites by attackers.
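The unvalidated-redirect weakness just described, shown as the weak pattern beside a hardened one, as an added example that is not from the OWASP list or the original article. It assumes a hypothetical site whose redirect handler reads a "next" parameter, with constructed placeholder hostnames for the allowlist; the hardened version accepts only site-relative paths or absolute URLs whose host is on that allowlist and falls back to the landing page for anything else.

```python
from typing import Optional
from urllib.parse import urlparse

# Constructed for this example: hostnames this site is willing to redirect to.
ALLOWED_HOSTS = {"www.example.com", "accounts.example.com"}
DEFAULT_LANDING = "/"


def vulnerable_redirect_target(next_param: str) -> str:
    """Weak pattern: the 'next' value from the request is trusted as-is, so a
    crafted link can send a user from this site straight to a phishing page."""
    return next_param


def safe_redirect_target(next_param: Optional[str]) -> str:
    """Hardened pattern: honour only destinations the site itself vouches for."""
    if not next_param:
        return DEFAULT_LANDING
    # Scheme-relative URLs ('//other.example') and backslashes, which some
    # browsers rewrite into a different host, are rejected outright.
    if next_param.startswith("//") or "\\" in next_param:
        return DEFAULT_LANDING
    parsed = urlparse(next_param)
    if parsed.scheme == "" and parsed.netloc == "":
        # A site-relative path such as '/account/settings' stays on this site.
        return next_param if next_param.startswith("/") else DEFAULT_LANDING
    # Absolute URLs must be http(s) and their host (not any user-info prefix
    # such as 'www.example.com@other.example') must be on the allowlist.
    if parsed.scheme in ("http", "https") and parsed.hostname in ALLOWED_HOSTS:
        return next_param
    return DEFAULT_LANDING
```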

Malicious file execution and information leakage/improper error-handling are no longer on the top 10 list.  OWASP says that while malicious file execution is still a big problem in many environments and was especially high in 2007 with PHP vulnerabilities, now that PHP ships with default security, it’s less of a problem.  While information leakage/improper error-handling are rampant vulnerabilities, the impact of them isn’t usually as critical.  The OWASP report also includes how to assess the possibility that your Web application would be at risk of these types of Web attacks, as well as mitigation tips…..The top 10 comes on the heels of WhiteHat Security’s report yesterday of the most common vulnerabilities discovered in its clients’ Websites.  In that list, XSS was No. 1 and SQL injection No. 5.  But Jeremiah Grossman, founder and CTO of WhiteHat, says SQL injection flaw finds were likely underreported.  SQL injection flaws can be difficult to detect in scans because developers who disable verbose error messages as a way to protect against SQL injection attacks can also inadvertently make it difficult to find SQL injection flaws, according to Grossman.

Reference : http://www.darkreading.com/security/vulnerabilities/showArticle.jhtml?articleID=221700095

Web App Security Testing Whitepaper

Wednesday, October 21, 2009

This article looks at some of the more popular vulnerabilities, such as cross-site scripting and SQL injections, and introduces tools you can use to help safeguard not only your sites, but the data and networks that power them.  It focuses on teaching you how to find potential exploits in your code and fix the vulnerabilities.

Reference : http://www.ibm.com/developerworks/web/library/wa-appsecurity/index.html?ca=drs