About Us  |  Search  | FAQ  | Contact Us
New age of hacking
Home
Banking
STP
Risk Management
BCM
CLS
Human Resources
e-commerce
Features
Smarts Cards
Interviews
Optimise CRM
Data Warehousing
Disaster Recovery
Swift Messaging
Securities
M-commerce
Africa
Finance
BPM & Workflow
Capital Markets
Global Custody
Outsourcing
 

 

 

 

The new age of hacking

Why conventional IT security must change or die

www.cryptic.co.uk

Conventional security methods have from the outset been focused on protecting corporations from external attack. The perception that the threat was only from the outside has alarmed companies into introducing expensive technologies to reduce both their visibility and vulnerability to the outside world. Over time, more and more technology has evolved to guard against obscure techniques, resulting in a range of incompatible and sometimes conflicting tools almost exclusively aimed at preventing external hacking attempts.

The complexity and diversity of today's operating systems, networks and applications has created thousands of vulnerabilities, some discovered, most not. Astonishingly only a few technically competent people in the world have the ability to use these techniques, in the limited defence of which organisations are spending almost their entire security budget.

Without question, large organisations do have to protect themselves from these attacks. Smaller companies, however, are being forced to buy into this expensive technology in order to protect themselves from a minority, who are probably not even aware they exist.

More importantly, as most of these vulnerabilities have not been discovered, no one can be sure that they are actually secure, as there is a never-ending battle between the hardened hacker and security companies trying to outwit each other.

The most common technology being developed to protect corporations is that of sniffing the network i.e. examining every packet of information ( in some cases not even that ) around the network, then trying to analyse it as quickly as possible for known threats. The increase in the performance of hardware and networks, and the use of cryptography, place severe limitations on security technologies, which are having to make difficult decisions on what they need to process and what they have to ignore.

It is self evident, therefore, that this method for detecting threats using network analyses is now out of date, by virtue of being not only inaccurate, but also vulnerable to false positives and open to attack and abuse.

A recently developed hacking technique is to send network information using ACK segments only. This technique allows the transmission of information directly, undetected, through even the most popular firewalls. But that is only the tip of the iceberg. At Infosec 2001 at Olympia in May, we warned the industry about the growing use of S.T.A.T tools ( Security Targeted Attack Tools).

Developers of network based intrusion systems developed tools to test their detection capabilities by automating and emulating external hacking signatures. These methods have now become public domain, enabling hackers to send waves of false attacks aimed at flooding and disabling security products, thus rendering them ineffective.

 

The first of these to surface was the so-called Stick threat, initially a Linux program which attacks the intrusion detection system (IDS) by sending hundreds of fake threat signatures across the network in order to flood the security tool.

Then, on Friday 11th May 2001, our research team discovered a new type of trojan that was designed to attack the very security products that were being used to detect it. Not only did it bring to a halt firewalls, but also virus checkers and even EXE blockers. These tools can also prevent people installing security software in the first place. These new hacking techniques are being largely ignored by the industry either through the lack or research or, more likely, lack of a solution.

These new trojans (Super Trojans) cannot only remove security products, but they also have the ability to change themselves to avoid detection. The latest process used to target victims is not by sending an email or wrapping the threat to another file but by embedding active code into web sites.

The simple process of browsing a web site is enough to infect the visitors with these new dangerous Super Trojans. Just imagine if the Microsoft homepage, Yahoo or Amazon were to be targeted - millions of users could be compromised or even attacked without their knowledge. We have even seen an example of this code, which will wipe clean any machine that browses a vulnerable site.

In recent weeks we have seen a proliferation of a new type of threat, which utilises a technique known as SMTP tunnelling. This enables the threat to communicate to the hacker using the standard email protocol so it goes unseen through several layers of security products.

Over the last few years we have been monitoring in detail the increasing amount of new categories of threats available from the Internet, This is where the risk to corporate security is the greatest. This is due to the ease of acquisition and use of these tools, enabling anyone with basic computer literacy to circumvent / exploit conventional security methods.

Our in-depth research shows that there are currently over 265 separate categories of threat to the corporate security infrastructure or corporate reputation. Surprisingly, existing security technologies cover only a few of these categories.

One of the biggest concerns for all organisations should be the theft of their data by external and more importantly internal users. Tools which hide confidential information in other seemingly harmless files, and which can then be sent out via email, are a major concern. This technique is called digital steganography and it is a cause for alarm that so few companies, even security companies, are unaware of it.

We have recently discovered a refinement on this technique known as SPAM steganography where a user can pass a confidential document through a piece of software which then generates a SPAM email, which can be emailed outside the organisation. Tools which examine email content will see these emails as a junk email. The presence of easy-to-use tools on a network should be of high concern as confidential information, such as blueprints and IPR's, can be leaked outside the company and go unchallenged.

 

A popular technique used by most conventional security products is the use of hashing to detect threats (hashing is the technique of building a mathematical formula, which represents the threat exactly and which is then used to detect the threat on a network). There is a single, fundamental flaw in this approach. It is too accurate.

A .00001% change in a threat's code will enable it to go undetected. We have seen an increase in self-modifying trojans that exploit this technique to their advantage. This technique is used to bypass one of the most common forms of threat detection used by many security vendors today.

We have studied companies' concerns about security technology in a diverse range of market sectors and have identified the main failures in current solutions.

Issue - Time delays in updating threat databases

n Current security is reactive not proactive. Companies are currently having to wait hours and sometimes days to obtain an update to protect them, during this window threats are spreading like wildfire through their systems.

n Updates should be on demand and customers should have the ability to add known threats to the detection engine of any security products on the fly.

n The process of updating products should be automated so that no user intervention is required.

Issue -Security companies only focusing on 'news relevant' threats

n Too much time is being spent on the inclusion of 'news relevant' threats (threats that have been reported recently in the news). A more thorough approach should be the constant, proactive discovery and addition of all categories of threats.

n Data should come from diverse multiple sources not just the vendor security company. In fact a collaborative approach where by a world wide central repository of threats is contributed to by all active customers. These threats should then be verified and updated to all connected customers.

 

Issue - Tools which only detect the known threats from a known threat list

n This has been a problem for security vendors for a while now. Most vendors rely totally on a limited internal database of known threats, which means that new unseen threats go completely undetected. This is reactive security.

n What is required is proactive security; detecting the generic capabilities of threats using multiple methodologies in order to detect the unknown, which are threats by virtue of their behaviour not their known fingerprint.

n The need to detect unseen or changed executables on the network is paramount. A range of suspicious capabilities such as the ability to talk IP, and the presence of a hidden FTP server or keyboard logger should be examined.

Security vendors and corporate users alike must understand that these types of hidden threats can only be discovered by a generic process . Organisations can no longer afford to be reliant purely on the detection of a few known threats.

Issue - Resource usage or degradation in network or system performance
A large number of systems we have analysed have implemented a real-time or memory resident technique, which is used constantly and is a noticeable resource issue. Some of these tools even impacted to such a degree that users were switching them off and rendering them ineffective. To be useful, products should be able to -:

n Scan complete IT systems before the user has even logged in

n Increase system performance and not cause an overhead

n Discover and report on downloaded tools which cause heavy system usage

n Detect denial of service tools, or music / video or mass downloading tools which cause major network traffic

Issue - Only security companies have the ability to add to the product
One of the most frustrating problems users experience is their inability to be proactive, when they encounter or are attacked by a new threat..

n Users should have the ability to drag and drop any threat into their security product and have it instantly added to its internal threat database.

n The ability to add programs for auditing or for adding out of date or vulnerable programs.

n The ability to see if a user has restored a backup, which has downgraded the security patches.

 

Heavy training required or the increasing cost of trained staff through higher costs to employer

n Security tools should be installable and configurable easily without expensive external consultancy

n The users should not have to be security experts

n Users should have the ability for information about security breaches to be reported automatically to management.

Dedicated hardware / service and support to run the products

n All too many products today require dedicated, supported hardware platforms to run. These have to be maintained, and monitored which adds extra cost and time to implementing solutions.

Stability of the software when they bind to low level resources

n One of the most annoying features of cutting edge products is that most of them, in some way interfere with or bind to the operating system itself, often causing the infamous 'blue screen of death'. Security should be invisible to the end user, in terms of both network and resource usage.

Use of simple cryptography to hide threats
One of the most common and easiest ways to avoid detection is the use of encrypted files. All security or AV products we are aware of at this time ignore the contents of encrypted files.

n The presence of any encryption tools should be monitored

n Users in companies should not be able to download and use unauthorised encryption or compression techniques as these could be used against the company's best interests.

Use of simple wrapping tools or hex editors to avoid detection
We have seen an increase in the use of binders and wrappers, which are used to hide or change the appearance of harmful executables and to avoid their detection.

n In order to demonstrate how surprisingly easy it is to avoid detection, we recently changed single bytes in a file with the result that the threat evaded even the most popular virus checkers.

n Generic detection is required to find the presence of wrappers, binders and other tools of concealment.

n The use of active content web based threats is set to become the de facto standard of global threat distribution. Conventional security focuses too much on the detection of these individual threats rather than blocking the highlevel distribution technique used by these threats.

Limited capacity in fingerprinting databases
We have all seen the degradation in products as their fingerprinting engines increase in size. Vendors are now being forced to be selective in what they index, and some are even removing older threats. Old threats are just as dangerous as current ones, so removing them is increasing risk.

n We estimate that any security product, in order to be future proof, will need to be able to deal with tens of millions of fingerprints in the longer term rather than the tens of thousands they currently address.

n This has to be done without impacting system performance and hindering productivity.

n The Internet is a big place and will continue to proliferate. Fingerprinting techniques will increasingly only be useful to identify an exact threat, whilst generic methods will become mandatory to effect a comprehensive solution.

Summary
The security industry and business users alike need urgently to increase their awareness of the changes to security issues brought about by the proliferation of freely available threats from the rapidly expanding Internet.

With the inbuilt capability, which modern attack tools have to change their appearance at will, or to pass straight through traditional security measures, a new methodology is required, which will identify problems on a generic basis and, in effect, recognise the unknown or never-before-seen.

Going one stage further, this new methodology will need to be user empowered, so that businesses can become proactive in the fight against the biggest crime wave yet encountered in the history of mankind.

Finally, with a new armory, easily configurable to their discrete requirements, corporations will for the first time be able to protect their most valuable assets, their secrets and copyrights, by simply instructing their security tool to protect them.

Pie in the sky or Utopia? The plain fact is that the mischievous few are utilising technology advances at a far faster rate than the guardians of our security. Things can change and they will have to change; and change fast.

Dave Duke
Director of Shape Research
(A division of Cryptic Software Limited)

 

 

Banking

Secure Banking
Internet Banking
Clicks not Bricks
Better Infrastructure
Banking Software
Automated Dealing
Synergys going dotty
Focus on Technology
Issues
Web Based Banking
Trading room costs
Offshore fund managers
New age of hacking
Electronic trading
Money laundering
The Perfect Storm
Supplier Financing
Speculative Bubbles
Index Funds
Convenience banking
Two-tier banking
Gaining Clickshare
Cutting out paper
Tracking trends
Integrating
E-commerce
Banking on Security
Real Time
security under scrutiny
Personal touch Banking
ISMA
Sell side value
GSTPA for FX
Informatics
Anti Money Laundering
21st Century Banking

 
 
 

 

Home  |  About Us  |  Search  | FAQ  | Contact Us