Page 1

Duty, Honor, Country

9th Colloquium for Information Systems Security Education

United States Military Academy, West Point, New York, 7-10 June 2004

www.ncisse.org

5th Annual IEEE Information Assurance Workshop

“The West Point Workshop”

United States Military Academy, West Point, New York

10-11 June 2004

www.itoc.usma.edu/workshop

Submission deadline for IAW and CISSE papers is 31 March 2004

Page 2

Colonel Daniel Ragsdale, Ph.D.

[email protected]

Information Security in 2004 and Beyond: Emerging Threats to Our Way of Life

The 17th Annual Federal Information Systems Security Educators’ Association (FISSEA)

Page 3

Three Alternative Titles

“Whose &*%$* computer is it anyway?”

“The Unholy Alliances and a Call to Arms”

“Viral Devastation”

Page 4

FISSEA

Returning Home

Executive Board Service

Presentation Highlights

One Joke

No Silly Glasses

No Imitations

Experiments

Raise hands

Page 5

Why we should all lie awake at night?

Dyslectic, agnostic, insomniac?

The environment has radically changed

We are losing ground!!

Publicly known vulnerabilities and attacks: the proverbial “tip of the iceberg”

Users and managers are not getting it!

Page 6

Virus Advisory

McAfee Raises Risk Assessment to Medium on New W32/Netsky.j@MM Worm

McAfee receives over 70 Samples an Hour of W32/Netsky.j

Yahoo News - Monday March 8, 6:16 pm ET

Page 7

Bagle.J Pokes a Hole in Internet Service

Virus is an e-mail attachment intended to generate spam.

Use anti-virus software if you have opened what appears to be a security warning 

Montreal Gazette March 9th

Page 8

Another day another Netsky

Sophos is reporting two more versions named Netsky-J and Netsky-K.

Both worms use the familiar technique of using their own SMTP engine

On the 10th March Netsky-K will play random sounds between 10 a.m. and 11 a.m.

PC Pro March 9th

Page 9

Worm Poses As Microsoft Patch

Plays off fears of worms by masquerading as a patch from Microsoft

Sober.d arrives with a subject that reads "Microsoft Alert: Please Read!"

The worm also comes in a German "Microsoft Alarm: Bitte Lesen!"

Internet Week 8 March

Page 10

Sinister New crop of viruses dogs PCs

Latest barrage of computer bugs likely tied to organized crime

The Internet, often compared to the Old West, is now seen as a more sinister domain of gang warfare and organized crime. A recent plague of viruses, including 20 variations of the viruses Mydoom, NetSky and Bagle

Orlando Sentinel, March 9, 2004

Page 11

The New Players

What motivates them?

Fame

Fortune

What mindset do they all share?

It is OK for them to use your systems and access your data without your explicit prior approval

Page 12

The Unholy Alliances

Spam Entrepreneurs

Adware / Spyware Providers

File Sharers

Phishers

Porn Purveyors

Hackers

Sliding scale of legitimacy!

Page 13

Virus and Worm Trends

More common

More sophisticated

Faster spreading

Significant code re-use

Often more lucrative

Increasing number of infection vectors

Better social engineering

Page 14

Quiz for “Trained Professionals”

Who has ever:

Downloaded software at work?

Opened a malicious attachment?

Bought through a spammer?

Had a “funny acting” system?

Installed a HW firewall at home?

Been personally affected by identity theft?

Page 15

Implications

For Individuals: Identity Theft ($), Credit Cards ($), Privacy Threats

For Businesses: Proprietary Information ($), Resource Theft ($), Productivity Losses ($)

United States National Security

Page 16

MyDoom

Fast spreading virus

DDOS

Backdoor!!

SMTP Engine

Page 17

Netsky

Swamped many SMTP gateways in about 10 minutes

SMTP Engine

Intentionally timed to spread just after AV updates

Zip files are a real problem

Page 18

W32/Bagle.j@MM

Was missed by many filtering packages

Competing with the Netsky writers

SMTP Engine

Also opens a backdoor

Page 19

Adware / Spyware

Saddam Escapes!

EULA:

The Software provides you the opportunity to access content for no charge. In return for the right to access this Content, you acknowledge and agree that the Software contains additional software products provided to PSD Tools .... In addition, the Software will interoperate with your current instant messaging client so as to permit the automatic sending of advertising messages originating from your Computer to your contact or “buddy” list regarding Content offered by PSD Tools or its suppliers.

Page 20

What now?

Office / Agency / Home Restrictive Policies

No attachments

No software downloads

User / Manager Education

Spyware Zappers and Browser Plug-in Checkers and Startup Checkers

Hardware Firewall / Routers

More Secure Wireless Configurations

Automatic Updates and Patches

Page 21

Other Issues

Don’t overly rely on the “Live Update” feature of AV software.

Despite efforts to educate, many still opened the infected email and the zip file because the email came from high-level, trusted sources.

Some sites make it a practice of returning infected emails to the sender, including the infected attachment; this can cause other sites to become infected.

Page 22

Education, Education, Education

The threat is greater than it has ever been

Technology alone will not solve the problem

Restrictive policies and user discipline are essential

Battlelines…

Page 23

Backups

Page 24

Spam: It's Not Just for In-Boxes Anymore

System Tray and Startup

Start -> Run… -> msconfig

Stephen Manes, from the February 2004 issue of PC World magazine

Page 25

Best Practices Against Spam

1. USER AWARENESS - User awareness of spam and how to avoid it; awareness that you cannot stop spam, only manage what you receive (i.e. via website and awareness programs); and not having harvestable addresses on public websites (i.e. use images).

2. CENTRALISED FILTERING - A level of centralized filtering using heuristics or Bayesian classification, where tagged spam is sent to a junk folder with an auto expiry (especially while the filtering process is being developed and refined), or is sent to the user tagged as spam, or a combination of both based on variable scoring.

3. CLIENT FILTERING - An additional level (beyond gateway filtering) of user-defined filtering that includes opt-in/opt-out, variable-level client filtering with the option of the user receiving tagged spam in a junk folder or simply choosing to delete it from the server before receiving it. (Note: all of this is additional to gateway filtering.)

Page 26

Spaf: Future Impact of Viruses on Internet

I'd like to point out that the majority of the problems we have had have two things in common. In fact, I would say that these are two necessary conditions for every mail-based worm we have seen in the past couple of years, and at least one of the two is necessary for all the others:

They include an executable for Windows

They are based on an executable encoded using MIME in email

Those of us on machines running Solaris, HP/UX, MacOS, BSD, Linux, etc have simply had to deal with all the extra email fallout, but the Malware has not established itself on our machines.

There are fundamental architectural problems in Windows that make these kinds of things work so well (from the attackers' point of view). I don't believe they are being addressed as part of the MS security push, either. So, one way to protect yourself from these attacks is to consider a switch to another OS, at least for machines that handle email.

That's not to say that other operating systems aren't susceptible to viruses -- they are. However, those other systems don't allow general user accounts such unfettered access to structures and resources that make worms so easy to establish, insert deeply into the system, and propagate so quickly.

As to the second point, if we simply start blocking any executable content attachments, we will do a lot to stop these kinds of things (not to mention recover disk space and bandwidth, cut down on trojans, and reduce the number of pranks users play on each other). I block .(com|cmd|exe|pif|scr|bat) files on general principle. I also bounce .doc files, and I am now bouncing .zip archives. This has never caused me any real difficulty in collaboration with others. If anything, it has cut down on the junk people simply mail because it is easy. Sending around 50K files for a 3 line memo is a waste of resources.

ANY executable type routinely sent via email is going to result in a danger. Our community has established that we can't train our users to avoid clicking on attachments. It is also clear that the anti-virus programs, as a rule, don't catch all the new malware. So, let's be proactive and simply shut down the vector -- stop allowing users to send executables in email.

I've expressed this before on this list and been mildly flamed for suggesting that people stop exchanging dangerous file types. However, I'm sure that most (if not all) of those who were so quick to criticize my advice have also had to clean up multiple instances of malware since. To me, it's like walking in a 1970s restaurant and suggesting that people stop smoking because it is harmful to everyone there. After being booed out, I've been enjoying the fresh air and watching all the smokers cough and succumb to repeated lung diseases. The addicts are so far gone they can't envision what it is like to be free of the addiction so they argue with anyone who suggests they can.

I average over 200 email messages a day (NOT counting spam). In 25 years online, I have never had a computer virus or worm on my personal machines, with the exception of the Morris Worm in 1988. I do not have any anti-virus software scanning my email, either. It's not rocket science: I use a Mac, and I don't open or accept executable attachments unless I have prearranged for them and know what they are. I use a mailer that doesn't auto-open attachments. I don't use Word. So long as people want to put patches on fundamentally unsound software and procedures, problems will continue. If we want to really make a change, it requires actually *changing* things rather than putting new patches in place.

Page 27

More Worm Stuff

On Mon, 09 Feb 2004 15:44:10 EST, Michael Sofka <[email protected]> said:
> But, there are Linux trojans and worms (do google searches of slapper
> and bliss, for example). It's been 17 months since any made headlines
> (an eternity in Internet years), but they do exist. In addition, some
> windows viruses can infect applications run under WINE.

I was around for slapper. and Bliss and Lion. and for *MORRIS*, for that matter.

So nobody needs to tell me "they do exist". However, security is about trade offs - what's your best payback for effort, and are you spending more on security than you're likely to lose?

Which is more likely to produce *effective* results:

1) Buying an A/V package for a single-user Solaris workstation that scans for PC viruses (when the box isn't even a mail or file server).

2) Buying an A/V package for that Solaris box that scans for Solaris viruses and worms.

3) Shelling out for a copy of the SANS Step-by-step for Solaris and a copy of Tripwire (or a copy of the Center for Internet Security benchmark for Solaris and the freeware Tripwire, and a long afternoon, if your budget is tight). Won't stop many viruses, but will help with all the OTHER attacks that Solaris boxes *are* prone to...

Now, what can you conclude about the all-too-common site that blindly mandates (1) or (2), but *doesn't* require (3) just to connect to the network?

And as the original poster has *already* clarified, their site *does* realize the truly poor price/performance of Unix/Linux A/V and is willing to grant exemptions.

Page 28

> With the fun we are all having with viruses, we are wondering how many
> institutions are just dropping executable attachments all together.
> It's something that I know a lot of virus/mail gateway software can
> do, but are a lot of schools doing that?

For a short period of time, our central mail servers were configured to delete executable attachments from email messages. As a result of complaints from faculty, IT management instructed us to find another way to deal with the potential risks of executable attachments in email.

Our central mail servers run Sendmail Switch 3.1.3 + MIMEDefang + McAfee uvscan + SpamAssassin on Solaris 8. Attachments which uvscan identifies as malicious are discarded. Executable attachments which are not identified as malicious are renamed by appending '_unknown' to the file name. For example, 'trojan.exe' becomes 'trojan.exe_unknown'. We rename based on the filename extension, and there are approximately 70 extensions on the list. During the 48 hour period ending at midnight last night, the servers renamed 253 attachments, including 135 .zip, 21 .dll, 17 .pif, 16 .scr, 16 .exe, and 15 .adp.

When an attachment is renamed, a MIME part is inserted at the top of the message advising the recipient that the attachment has been renamed and warning the recipient of the potential risks of executing files which arrive by email. The recipient can save the attachment as a separate file, rename it, and launch it, however, it will not be launched automatically by the user's email client. It is a compromise. We may deliver malicious content, but we make the user work to execute it.

It's pretty rare that people actually legitimately try to send a .exe file, but when they do, they get a bounce back and can then deal with it by zipping the .exe first - not a big deal, and it lets us reject most new viruses before the signatures are even out. In the case of this latest virus, because it came through zipped, it got through our virus scanner for about 45 minutes. In that 45 minutes, many dozens of machines on campus got infected by users who had forgotten the golden "don't open attachments" rule.
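The renaming scheme the gateway post above describes, and the extension blocking Spaf argues for on page 26, as an added Python example that is not the poster's MIMEDefang filter: attachments whose extension is on a block list get '_unknown' appended and a warning part is inserted at the top of the message. The extension list is a short constructed subset of the ~70-entry list, and the sample message is constructed.

```python
"""Added example (not the poster's MIMEDefang filter): rename executable
attachments by extension, as the gateway above does, and prepend a warning
part. The extension list is a short constructed subset, not the ~70-entry one."""
import email
import os
from email import encoders
from email.mime.base import MIMEBase
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

# Constructed subset of file types a mail client may launch on a click.
BLOCKED_EXTENSIONS = {".exe", ".com", ".cmd", ".bat", ".pif", ".scr", ".dll", ".adp", ".zip"}
WARNING = ("NOTICE: the mail gateway renamed the attachment(s) listed below because "
           "their file type can run code. Do not execute files that arrive by email "
           "unless you expected them and know what they are.\n")


def is_blocked(filename):
    """True when the attachment's extension (case-insensitive) is on the list."""
    return bool(filename) and os.path.splitext(filename)[1].lower() in BLOCKED_EXTENSIONS


def rename_executable_attachments(raw):
    """Return (rewritten message bytes, new names). 'trojan.exe' becomes
    'trojan.exe_unknown', which no client auto-launches; the recipient must
    save and rename it deliberately. Renamed names no longer match the list,
    so running the filter twice changes nothing."""
    msg = email.message_from_bytes(raw)
    renamed = []
    for part in msg.walk():
        name = part.get_filename()
        if not is_blocked(name):
            continue
        new_name = name + "_unknown"
        del part["Content-Disposition"]
        part.add_header("Content-Disposition", "attachment", filename=new_name)
        if part.get_param("name") is not None:   # Content-Type name= param too
            part.set_param("name", new_name)
        renamed.append(new_name)
    if renamed and msg.is_multipart():
        note = MIMEText(WARNING + "Renamed: " + ", ".join(renamed) + "\n")
        msg.get_payload().insert(0, note)        # the warning becomes part 0
    return msg.as_bytes(), renamed


def attachment_names(raw):
    """Filenames of all parts, in order (used to check the result)."""
    return [p.get_filename() for p in email.message_from_bytes(raw).walk() if p.get_filename()]


def first_part_text(raw):
    """Body text of the first MIME part (used to check the warning)."""
    return email.message_from_bytes(raw).get_payload()[0].get_payload()


def build_sample_message():
    """Constructed input: a memo carrying a .txt and a .exe attachment."""
    msg = MIMEMultipart("mixed")
    msg["From"], msg["To"], msg["Subject"] = "a@example.com", "b@example.com", "memo"
    msg.attach(MIMEText("See attached.\n"))
    for fname, data in (("notes.txt", b"plain notes"), ("trojan.exe", b"MZ\x90\x00")):
        part = MIMEBase("application", "octet-stream", name=fname)
        part.set_payload(data)
        encoders.encode_base64(part)
        part.add_header("Content-Disposition", "attachment", filename=fname)
        msg.attach(part)
    return msg.as_bytes()
```

Renaming by extension only is the compromise the post describes: content inside a .zip is not inspected, which is why the poster's list renames .zip as well.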

Page 29

Social Engineering

Biggest single problem area

Then: Phones and Personal Contact

Now: Email and Web Browsing

Page 30

“Phishing”

Page 31

Silent Port “Knocking”