<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Roger Halbheer on Security &#187; Incidents</title>
	<atom:link href="http://www.halbheer.ch/security/category/microsoft/incidents/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.halbheer.ch/security</link>
	<description>Information Security Discussion by Microsoft&#039;s Worldwide Chief Security Advisor.</description>
	<lastBuildDate>Thu, 12 Jan 2012 19:53:16 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>EMET&#8211;Protection Against Zero-Days</title>
		<link>http://www.halbheer.ch/security/2011/10/23/emetprotection-against-zero-days/</link>
		<comments>http://www.halbheer.ch/security/2011/10/23/emetprotection-against-zero-days/#comments</comments>
		<pubDate>Sun, 23 Oct 2011 22:27:33 +0000</pubDate>
		<dc:creator>Roger Halbheer</dc:creator>
				<category><![CDATA[Featured]]></category>
		<category><![CDATA[Incidents]]></category>
		<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[Products]]></category>

		<guid isPermaLink="false">http://www.halbheer.ch/security/2011/10/23/emetprotection-against-zero-days/</guid>
		<description><![CDATA[<p>The Enhanced Mitigation Experience Toolkit is definitely not new but I recently realized that not too many people know about it – and they should. EMET helps you to raise your shields against zero-days and any exploit in the wild. I do not say that it is a silver bullet but it is definitely going <span style="color:#777"> . . . &#8594; Read More: <a href="http://www.halbheer.ch/security/2011/10/23/emetprotection-against-zero-days/">EMET&#8211;Protection Against Zero-Days</a></span>]]></description>
			<content:encoded><![CDATA[<p>The Enhanced Mitigation Experience Toolkit  is definitely not new but I recently realized that not too many people know about it – and they should. EMET helps you to raise your shields against zero-days and any exploit in the wild. I do not say that it is a silver bullet but it is definitely going into this direction – a little bit.</p>
<p>You can find all the necessary information on EMET here:</p>
<ul>
<li>That’s the article on our support website: <a href="http://support.microsoft.com/kb/2458544" target="_blank">The Enhanced Mitigation Experience Toolkit</a></li>
<li>Here a TechNet blog post: <a href="http://blogs.technet.com/b/srd/archive/2011/05/18/new-version-of-emet-is-now-available.aspx" target="_blank">New version of EMET is now available</a></li>
<li>To <a href="http://www.microsoft.com/download/en/details.aspx?id=1677" target="_blank">download EMET v 2.1</a></li>
<li>And a <a href="http://technet.microsoft.com/en-us/security/Video/ff859539" target="_blank">BlueHat session</a></li>
</ul>
<p>Before you start, please make sure that you have the BitLocker recovery key ready (you are running BitLocker, aren’t you?) or that you suspend BitLocker for the time of the configuration, as EMET might change your Data Execution Prevention settings, which changes your bootloader, which invalidates the BitLocker measurement, which then has to be proven again with the recovery key.</p>
<p>I always love to strengthen my policies and see when something breaks and how. I started to use it and it actually provides you a fairly straight-forward interface with what is running and in which state:</p>
<p><a href="http://www.halbheer.ch/security/wp-content/uploads/2011/10/image.png"><img style="background-image: none; padding-left: 0px; padding-right: 0px; display: inline; padding-top: 0px; border-width: 0px;" title="image" src="http://www.halbheer.ch/security/wp-content/uploads/2011/10/image_thumb.png" alt="image" width="599" height="693" border="0" /></a></p>
<p>You can then configure your applications and define on which level you want them to be protected. It might then happen that this pops up:</p>
<p><a href="http://www.halbheer.ch/security/wp-content/uploads/2011/10/image1.png"><img style="background-image: none; padding-left: 0px; padding-right: 0px; display: inline; padding-top: 0px; border-width: 0px;" title="image" src="http://www.halbheer.ch/security/wp-content/uploads/2011/10/image_thumb1.png" alt="image" width="473" height="188" border="0" /></a></p>
<p>I won’t tell you which application it was, but I was a little bit scared…</p>
<p>Anyway, if you did not use it yet, I think you should!</p>
<p>Roger</p>
]]></content:encoded>
			<wfw:commentRss>http://www.halbheer.ch/security/2011/10/23/emetprotection-against-zero-days/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Microsoft Malware Protection Center on Facebook and Twitter</title>
		<link>http://www.halbheer.ch/security/2011/07/28/microsoft-malware-protection-center-on-facebook-and-twitter/</link>
		<comments>http://www.halbheer.ch/security/2011/07/28/microsoft-malware-protection-center-on-facebook-and-twitter/#comments</comments>
		<pubDate>Thu, 28 Jul 2011 12:14:09 +0000</pubDate>
		<dc:creator>Roger Halbheer</dc:creator>
				<category><![CDATA[Incidents]]></category>
		<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[Products]]></category>
		<category><![CDATA[Strategy]]></category>
		<category><![CDATA[Incident Response]]></category>
		<category><![CDATA[Incident Sharing]]></category>
		<category><![CDATA[Malware]]></category>

		<guid isPermaLink="false">http://www.halbheer.ch/security/2011/07/28/microsoft-malware-protection-center-on-facebook-and-twitter/</guid>
		<description><![CDATA[<p>I know, I have been fairly slow in blogging currently but I was fairly busy with a few cool projects (which I will disclose later) and – time flies if you are having fun</p> <p>Just a quick one:</p> <p>The MMPC on Facebook and Twitter</p> <p>The Microsoft Malware Protection Center (MMPC) officially launched its Facebook page <span style="color:#777"> . . . &#8594; Read More: <a href="http://www.halbheer.ch/security/2011/07/28/microsoft-malware-protection-center-on-facebook-and-twitter/">Microsoft Malware Protection Center on Facebook and Twitter</a></span>]]></description>
<content:encoded><![CDATA[<p>I know, I have been fairly slow in blogging currently, but I was fairly busy with a few cool projects (which I will disclose later) and – time flies if you are having fun.</p>
<p>Just a quick one:</p>
<blockquote><p><a href="http://go.microsoft.com/?linkid=9779064">The MMPC on Facebook and Twitter</a></p>
<p>The Microsoft Malware Protection Center (MMPC) officially launched its Facebook page and Twitter account. From this Welcome page, you can read the latest blog posts, see the latest Twitter feeds, and find out what threats most affect your desktop.</p></blockquote>
<p>Roger</p>
]]></content:encoded>
			<wfw:commentRss>http://www.halbheer.ch/security/2011/07/28/microsoft-malware-protection-center-on-facebook-and-twitter/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>A Security Comparison: Microsoft Office vs. Oracle Openoffice</title>
		<link>http://www.halbheer.ch/security/2011/04/19/a-security-comparison-microsoft-office-vs-oracle-openoffice/</link>
		<comments>http://www.halbheer.ch/security/2011/04/19/a-security-comparison-microsoft-office-vs-oracle-openoffice/#comments</comments>
		<pubDate>Tue, 19 Apr 2011 09:40:25 +0000</pubDate>
		<dc:creator>Roger Halbheer</dc:creator>
				<category><![CDATA[Incidents]]></category>
		<category><![CDATA[Industry]]></category>
		<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[Processes]]></category>
		<category><![CDATA[Products]]></category>
		<category><![CDATA[Trends]]></category>
		<category><![CDATA[Office]]></category>
		<category><![CDATA[Vulnerabilities]]></category>

		<guid isPermaLink="false">http://www.halbheer.ch/security/2011/04/19/a-security-comparison-microsoft-office-vs-oracle-openoffice/</guid>
<description><![CDATA[<p>Actually, there is not much to say about this. It is a blog post by Carnegie Mellon called A Security Comparison: Microsoft Office vs. Oracle Openoffice and just does what it says. However, I do not particularly like the security comparison of products built solely on vulnerabilities as this shows only one side of the equation <span style="color:#777"> . . . &#8594; Read More: <a href="http://www.halbheer.ch/security/2011/04/19/a-security-comparison-microsoft-office-vs-oracle-openoffice/">A Security Comparison: Microsoft Office vs. Oracle Openoffice</a></span>]]></description>
<content:encoded><![CDATA[<p>Actually, there is not much to say about this. It is a blog post by Carnegie Mellon called <a href="http://www.cert.org/blogs/certcc/2011/04/office_shootout_microsoft_offi.html" target="_blank">A Security Comparison: Microsoft Office vs. Oracle Openoffice</a> and just does what it says. However, I do not particularly like the security comparison of products built solely on vulnerabilities, as this shows only one side of the equation – an important one, but only one.</p>
<p>For all the ones still claiming that Open Source software creates fewer vulnerabilities, here you find some stats on Office:</p>
<p><img style="display: block; float: none; margin-left: auto; margin-right: auto;" src="https://www.cert.org/blogs/certcc/officefuzz-expmajor.png" alt="" /></p>
<p>Interesting, hmm….</p>
<p>Roger</p>
]]></content:encoded>
			<wfw:commentRss>http://www.halbheer.ch/security/2011/04/19/a-security-comparison-microsoft-office-vs-oracle-openoffice/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Microsoft Security Update Guide, Second Edition</title>
		<link>http://www.halbheer.ch/security/2011/03/28/microsoft-security-update-guide-second-edition/</link>
		<comments>http://www.halbheer.ch/security/2011/03/28/microsoft-security-update-guide-second-edition/#comments</comments>
		<pubDate>Mon, 28 Mar 2011 15:32:40 +0000</pubDate>
		<dc:creator>Roger Halbheer</dc:creator>
				<category><![CDATA[Incidents]]></category>
		<category><![CDATA[Industry]]></category>
		<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[Process]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Patch Management]]></category>
		<category><![CDATA[Processes]]></category>
		<category><![CDATA[Security Updates]]></category>

		<guid isPermaLink="false">http://www.halbheer.ch/security/2011/03/28/microsoft-security-update-guide-second-edition/</guid>
		<description><![CDATA[<p>A while ago we released the Microsoft Security Update Guide to explain how we release security updates and how you should/could work with our updates. It encompasses these themes:</p> Get to know the security update release process Learn how to evaluate risk See how to mitigate security risks Understand how quickly you need to apply <span style="color:#777"> . . . &#8594; Read More: <a href="http://www.halbheer.ch/security/2011/03/28/microsoft-security-update-guide-second-edition/">Microsoft Security Update Guide, Second Edition</a></span>]]></description>
			<content:encoded><![CDATA[<p>A while ago we released the Microsoft Security Update Guide to explain how we release security updates and how you should/could work with our updates. It encompasses these themes:</p>
<ul>
<li>Get to know the security update release process</li>
<li>Learn how to evaluate risk</li>
<li>See how to mitigate security risks</li>
<li>Understand how quickly you need to apply updates</li>
<li>Assess your update</li>
<li>Get ongoing security</li>
</ul>
<p>If you are somehow linked to the security update process in your organization, you should download it and look at it here: <a href="http://www.microsoft.com/security/msrc/whatwedo/securityguide.aspx" target="_blank">Microsoft Security Update Guide, Second Edition</a></p>
<p>Roger</p>
]]></content:encoded>
			<wfw:commentRss>http://www.halbheer.ch/security/2011/03/28/microsoft-security-update-guide-second-edition/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Infrastructure Planning and Design Guide for Malware Response</title>
		<link>http://www.halbheer.ch/security/2011/02/20/infrastructure-planning-and-design-guide-for-malware-response/</link>
		<comments>http://www.halbheer.ch/security/2011/02/20/infrastructure-planning-and-design-guide-for-malware-response/#comments</comments>
		<pubDate>Sun, 20 Feb 2011 16:25:52 +0000</pubDate>
		<dc:creator>Roger Halbheer</dc:creator>
				<category><![CDATA[Crime]]></category>
		<category><![CDATA[Cybercrime]]></category>
		<category><![CDATA[Incidents]]></category>
		<category><![CDATA[Industry]]></category>
		<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[Incident Response]]></category>
		<category><![CDATA[Malware]]></category>
		<category><![CDATA[Processes]]></category>

		<guid isPermaLink="false">http://www.halbheer.ch/security/2011/02/20/infrastructure-planning-and-design-guide-for-malware-response/</guid>
<description><![CDATA[<p>A new version of this guide went live – something I think you should look at. There is a methodology and a process in detail:</p> <p></p> <p>So, if you want to learn more: http://technet.microsoft.com/en-us/library/cc162838.aspx</p> <p>Roger</p> ]]></description>
<content:encoded><![CDATA[<p>A new version of this guide went live – something I think you should look at. There is a methodology and a process in detail:</p>
<p><img style="margin: " src="http://i.technet.microsoft.com/Cc162838.image1(en-us,TechNet.10).jpg" /></p>
<p>So, if you want to learn more: <a title="http://technet.microsoft.com/en-us/library/cc162838.aspx" href="http://technet.microsoft.com/en-us/library/cc162838.aspx">http://technet.microsoft.com/en-us/library/cc162838.aspx</a></p>
<p>Roger</p>
]]></content:encoded>
			<wfw:commentRss>http://www.halbheer.ch/security/2011/02/20/infrastructure-planning-and-design-guide-for-malware-response/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Fighting a Botnet</title>
		<link>http://www.halbheer.ch/security/2011/02/17/fighting-a-botnet/</link>
		<comments>http://www.halbheer.ch/security/2011/02/17/fighting-a-botnet/#comments</comments>
		<pubDate>Thu, 17 Feb 2011 19:42:49 +0000</pubDate>
		<dc:creator>Roger Halbheer</dc:creator>
				<category><![CDATA[Incidents]]></category>
		<category><![CDATA[Industry]]></category>
		<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[Incident Response]]></category>
		<category><![CDATA[Malware]]></category>

		<guid isPermaLink="false">http://www.halbheer.ch/security/2011/02/17/fighting-a-botnet/</guid>
		<description><![CDATA[<p>Microsoft Malware Protection Center published a document on Battling the Zbot Threat, a special edition of the Security Intelligence Report. It is a very good document, worth looking at.</p> <p>This is the intro (to make you curious for more):</p> <p>This document provides an overview of the Win32/Zbot family of password-stealing trojans. The document examines the <span style="color:#777"> . . . &#8594; Read More: <a href="http://www.halbheer.ch/security/2011/02/17/fighting-a-botnet/">Fighting a Botnet</a></span>]]></description>
			<content:encoded><![CDATA[<p>Microsoft Malware Protection Center published a document on <a href="http://www.microsoft.com/downloads/en/details.aspx?FamilyID=da73febd-5a20-47d6-8a0b-789423e21a94" target="_blank">Battling the Zbot Threat</a>, a special edition of the <a href="http://www.microsoft.com/security/sir/default.aspx" target="_blank">Security Intelligence Report</a>. It is a very good document, worth looking at.</p>
<p>This is the intro (to make you curious for more):</p>
<blockquote><p>This document provides an overview of the Win32/Zbot family of password-stealing trojans. The document examines the background of Win32/Zbot, its functionality, how it works, and provides telemetry data and analysis from calendar year 2010 about how this threat is detected and removed by Microsoft antimalware products and services.</p>
</blockquote>
<p>Roger</p>
]]></content:encoded>
			<wfw:commentRss>http://www.halbheer.ch/security/2011/02/17/fighting-a-botnet/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Security Intelligence Report v9 is online</title>
		<link>http://www.halbheer.ch/security/2010/10/13/security-intelligence-report-v9-is-online/</link>
		<comments>http://www.halbheer.ch/security/2010/10/13/security-intelligence-report-v9-is-online/#comments</comments>
		<pubDate>Wed, 13 Oct 2010 15:46:05 +0000</pubDate>
		<dc:creator>Roger Halbheer</dc:creator>
				<category><![CDATA[Incidents]]></category>
		<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[Products]]></category>
		<category><![CDATA[Incident Sharing]]></category>
		<category><![CDATA[Industry]]></category>
		<category><![CDATA[Security Intelligence Report]]></category>
		<category><![CDATA[Vulnerabilities]]></category>

		<guid isPermaLink="false">http://www.halbheer.info/security/2010/10/13/security-intelligence-report-v9-is-online</guid>
		<description><![CDATA[<p>Usually I blog intensively on the release of the Security Intelligence Report. However, this time I am out of office and have just little time to give you insight. We spent a lot of work to make it more comprehensive and give you a more stable view over quite some time. So there is a <span style="color:#777"> . . . &#8594; Read More: <a href="http://www.halbheer.ch/security/2010/10/13/security-intelligence-report-v9-is-online/">Security Intelligence Report v9 is online</a></span>]]></description>
<content:encoded><![CDATA[<p>Usually I blog intensively on the release of the Security Intelligence Report. However, this time I am out of office and have just a little time to give you insight. We spent a lot of work to make it more comprehensive and give you a more stable view over quite some time. So there is a great opportunity to see trends regarding different figures like the Malware Infection Rates.</p>
<p>Additionally we re-designed the website. This is the most comprehensive report in the industry, so you should look into it: <a href="http://www.microsoft.com/security/sir/default.aspx" target="_blank">Security Intelligence Report</a></p>
<p>Roger</p>
]]></content:encoded>
			<wfw:commentRss>http://www.halbheer.ch/security/2010/10/13/security-intelligence-report-v9-is-online/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Stuxnet talks &#8211; do we listen?</title>
		<link>http://www.halbheer.ch/security/2010/10/12/stuxnet-talks-do-we-listen/</link>
		<comments>http://www.halbheer.ch/security/2010/10/12/stuxnet-talks-do-we-listen/#comments</comments>
		<pubDate>Tue, 12 Oct 2010 14:45:48 +0000</pubDate>
		<dc:creator>Roger Halbheer</dc:creator>
				<category><![CDATA[Crime]]></category>
		<category><![CDATA[Critical Infrastructure Protection]]></category>
		<category><![CDATA[Cybercrime]]></category>
		<category><![CDATA[Government]]></category>
		<category><![CDATA[Incidents]]></category>
		<category><![CDATA[Industry]]></category>
		<category><![CDATA[Law Enforcement]]></category>
		<category><![CDATA[Technology]]></category>
		<category><![CDATA[Terrorism]]></category>
		<category><![CDATA[Critical Infrastructure]]></category>
		<category><![CDATA[Incident Response]]></category>
		<category><![CDATA[Policies]]></category>
		<category><![CDATA[Policy Makers]]></category>

		<guid isPermaLink="false">http://www.halbheer.info/security/2010/10/12/stuxnet-talks-do-we-listen</guid>
		<description><![CDATA[<p>Stuxnet is a severe threat – that’s something we know for sure. But if we look at it – what do we really know? What can we learn? <p>Let’s start from the beginning. As soon as Stuxnet hit the news, it was interesting to see, what was happening. There was a ton of speculation out <span style="color:#777"> . . . &#8594; Read More: <a href="http://www.halbheer.ch/security/2010/10/12/stuxnet-talks-do-we-listen/">Stuxnet talks &#8211; do we listen?</a></span>]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Win32%2fStuxnet">Stuxnet</a> is a severe threat – that’s something we know for sure. But if we look at it – what do we really know? What can we learn?
<p>Let’s start from the beginning. As soon as Stuxnet hit the news, it was interesting to see what was happening. There was a ton of speculation out there about the source and the target of the worm, especially since it hit mass media. It is obvious that this is a story which is interesting for a broad audience – however, we security professionals need different sources.
<p>If you look at this interview at CNN, they are giving background information but in the meantime are pushing for the story.
<p align="center"><object width="416" height="374" classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000" id="ep"><param name="allowfullscreen" value="true" /><param name="allowscriptaccess" value="always" /><param name="wmode" value="transparent" /><param name="movie" value="http://i.cdn.turner.com/cnn/.element/apps/cvp/3.0/swf/cnn_416x234_embed.swf?context=embed_edition&amp;videoId=tech/2010/09/24/mann.egan.stuxnet.worm.cnn" /><param name="bgcolor" value="#000000" /><embed src="http://i.cdn.turner.com/cnn/.element/apps/cvp/3.0/swf/cnn_416x234_embed.swf?context=embed_edition&amp;videoId=tech/2010/09/24/mann.egan.stuxnet.worm.cnn" type="application/x-shockwave-flash" bgcolor="#000000" allowfullscreen="true" allowscriptaccess="always" width="416" wmode="transparent" height="374"></embed></object></p>
<p>Unfortunately, even professionals seem to build their defense on what is heard somewhere because someone said… This is not the right source of information.
<p>So, a lot of speculation on different channels, social media as well as mass media. What do we learn from that?
<p><b>Rely on trusted sources only if you want to run your incident response.</b>
<p>I think, this is not the first time I am promoting this approach <img style="border-bottom-style: none; border-right-style: none; border-top-style: none; border-left-style: none" class="wlEmoticon wlEmoticon-smile" alt="Smile" src="http://www.halbheer.ch/security/wp-content/uploads/2010/10/wlEmoticon-smile1.png">
<p>If you want real information on Stuxnet, there you go:
<ul>
<li><a href="http://www.microsoft.com/security/portal/Threat/Encyclopedia/Search.aspx?query=stuxnet">MMPC Encyclopedia</a> </li>
<li><a href="http://blogs.technet.com/search/searchresults.aspx?q=stuxnet&amp;sections=6258&amp;sort=date+desc&amp;PageIndex=1">Microsoft Malware Protection Center blog posts since July this year to give you insight into the problem</a> </li>
</ul>
<p>This is one side of the problem. What about the critical infrastructure? It seems to be common knowledge that Stuxnet is leveraging a vulnerability in the Siemens PLC code to manipulate parameters in control systems. This leads us to an interesting question, which is how to protect embedded systems.
<p>So far, I am convinced that within the industry we know fairly well how to protect classical IT systems like servers and PCs. If we extend this to embedded systems, the problem becomes much bigger. I once worked on this problem for medical devices. I was talking to the hospitals and they were telling me that they are not allowed by regulation to touch any technology on a medical device (even though they are connected to their internal network to exchange patient data). If you talk to the regulator, they are telling you that they are satisfied with a risk management process by the vendor (nobody really checks the <u>risks</u> in the process as the regulation does not address this) and if you talk to the vendor they do not want to take the cost of maintaining the software on these devices – a classical example of passing the hot potato from one player to the other. This is a latent risk, which might be above the acceptable risk threshold for a society.
<p>What can we do to approach this? On a tactical level, this means reducing the risk by shielding such systems. Do not attach them directly to the network but indirectly behind a reverse proxy. On a strategic level, we have to look at it from a maintenance perspective like any other IT-system. E.g. FDA realizes that <u>not</u> patching a system might create higher risks than patching systems. This by itself is a remarkable statement. This does not – by no means – allow you to just deploy without testing but probably without re-validating.
<p>When it comes to SCADA systems, one of my readers, Shoaib Yousuf, wrote a really good article published in Computerworld and CIO in Australia called <a href="http://www.computerworld.com.au/article/363005/smart_grid_security_critical_success_factors/">Smart grid security: Critical success factors</a> showing the different approaches to secure such systems.
<p>What do we learn from that?
<p><b>Realize that systems with embedded IT have to be maintained and protected like any other IT device, taking into consideration the special safety needs.</b>
<p>And then finally, who are the players behind Stuxnet? A lot of people in the press and the blogosphere talk about an “act of war”. This is hard to tell based on public sources as there is too much speculation and misinformation. Fact is, that nations are ramping up their cyber capabilities and/or are partnering with high-skilled groups in that area. But does this already mean that we have seen a nation state attacking another one with Stuxnet?
<p>Do not base your judgment on sources where speed is more important than accuracy (something I often see on Twitter).
<p>Scott Charney recently decomposed the threats in his paper called <a href="http://download.microsoft.com/download/F/1/3/F139E667-8922-48C0-8F6A-B3632FF86CFA/rethinking-cyber-threat.xps">Rethinking Cyber Threats and Strategies</a> (or – if you really want &#8211; the <a href="http://download.microsoft.com/download/F/1/3/F139E667-8922-48C0-8F6A-B3632FF86CFA/rethinking-cyber-threat.pdf">pdf</a>-version). He separates four categories of attacks:
<ol>
<li>Conventional Cybercrime </li>
<li>Military Espionage </li>
<li>Economic Espionage </li>
<li>Cyber warfare </li>
</ol>
<p>What did we see with Stuxnet? We do not know, and just jumping on the bandwagon of the mass media because it is “cool” would be a little bit too easy. Fact is that the industry came together to fight this beast – which is the right thing to do – and I hope that the governments come together to find the criminals behind the worm and take appropriate actions.
<p>What do we learn from that?
<p><b>Do not draw conclusions on who is behind an attack just because of the media (being them social media or mass media).</b>
<p>Finally, this just leads me to my final plea, as fairly often, when I blog on such things: Without good collaboration within the industry, between the industry and the governments and between governments, it will be very, very hard to fight such attacks.
<p>And the “really finally”: as security professionals, we have to make sure that at least we keep an eye on the facts and do not help to spread fuzz.
<p>Roger</p>
]]></content:encoded>
			<wfw:commentRss>http://www.halbheer.ch/security/2010/10/12/stuxnet-talks-do-we-listen/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>How to Detect a Hacker Attack</title>
		<link>http://www.halbheer.ch/security/2010/09/30/how-to-detect-a-hacker-attack/</link>
		<comments>http://www.halbheer.ch/security/2010/09/30/how-to-detect-a-hacker-attack/#comments</comments>
		<pubDate>Thu, 30 Sep 2010 12:33:03 +0000</pubDate>
		<dc:creator>Roger Halbheer</dc:creator>
				<category><![CDATA[Crime]]></category>
		<category><![CDATA[Critical Infrastructure Protection]]></category>
		<category><![CDATA[Cybercrime]]></category>
		<category><![CDATA[Government]]></category>
		<category><![CDATA[Incidents]]></category>
		<category><![CDATA[Industry]]></category>
		<category><![CDATA[Law Enforcement]]></category>
		<category><![CDATA[Terrorism]]></category>
		<category><![CDATA[Hacking]]></category>
		<category><![CDATA[Incident Response]]></category>
		<category><![CDATA[Incident Sharing]]></category>
		<category><![CDATA[Processes]]></category>
		<category><![CDATA[Risk Assessment]]></category>
		<category><![CDATA[Risk Management]]></category>
		<category><![CDATA[Social Engineering]]></category>
		<category><![CDATA[Vulnerabilities]]></category>

		<guid isPermaLink="false">http://www.halbheer.info/security/2010/09/30/how-to-detect-a-hacker-attack</guid>
		<description><![CDATA[I read an article called that way but then had to realize that it did not really address, what I expected. Why? Well, because it does not cover the key challenge in my opinion but... <span style="color:#777"> . . . &#8594; Read More: <a href="http://www.halbheer.ch/security/2010/09/30/how-to-detect-a-hacker-attack/">How to Detect a Hacker Attack</a></span>]]></description>
<content:encoded><![CDATA[<p>This title immediately caught my attention and probably yours as well: <a href="http://www.helium.com/items/1966182-how-to-detect-a-hacker-attack" target="_blank">How to detect a hacker attack</a> – something I definitely want to know. And then I realized that the article a) is written by a techie and b) does not really cover the attacks I am worried about most. But I will address this toward the end and would appreciate your ideas as well.</p>
<p>If you look at the article, it gives 4 tips:</p>
<blockquote><ol>
<li>Suspiciously high outgoing traffic for dial-up and ADSL </li>
<li>Look out for strange looking files in the root directories of your drives and/or too much disk activity.</li>
<li>If your personal firewall is reporting blocking large packets of data from the same IP address</li>
<li>A lot of hackers still rely on trojans and backdoors. So, if your anti-virus software starts finding a lot of those, try increasing protection, use an Internet security suite instead of a basic anti-virus</li>
</ol>
</blockquote>
<p>That’s just an excerpt. If I look at my mom and dad – they never look at 1 (I do not do it either), 2 (I would only see it if I cleaned up my machine), 3 (it might be in the event log, but who is looking at the event log?). 4 is definitely a good thing, as we have said for ages (actually since Blaster) that there are three things you should do to protect your PC:</p>
<ol>
<li>Switch on your firewall</li>
<li>Keep your software updated</li>
<li>Install an anti-malware solution and keep it updated (see <a href="http://www.microsoft.com/security_essentials/" target="_blank">Microsoft Security Essentials</a>)</li>
</ol>
<p>If we take it to a company level, the 4 tips above might look slightly different: 1 is network monitoring (if you see the anomalies), 2 is rarely done, 3 is rarely done and 4 again I hope is done.</p>
<p>But what really worries me are not the attacks we are finding with the 4 tips above. Those are not the ones which keep me up at night, as they are noisy.</p>
<p>What about the stealthy, targeted attacks – the real attacks? They do not create a lot of traffic (as the data is slipped out slowly), they hide the files “behind” other files, they use the universal firewall tunneling protocol (called HTTP) to transfer data, and the malware they are using is written for this single purpose: to attack just you!</p>
<p>How do we defend against those attacks? How do we even find them? They will sneak in through social engineering and I have to admit, that I am not clear what we can do against them – really. A few things come to my mind:</p>
<ol>
<li><strong>Risk Management</strong> – start with understanding your risk exposure not only from a technical side but who could be interested for what in your environment. How likely are you to be targeted by e.g. industrial espionage?</li>
<li><strong>Patch Management</strong> – this is for sure. However, the targeted attacks often do not leverage technical vulnerabilities but the user. Still, staying on the latest versions of all your software is key to defend. This does not only mean security updates but “real” versions as well. If you are still on Windows XP, your risk exposure is significantly higher than on Windows 7.</li>
<li><strong>Information Protection</strong> – classical encryption does not help here, as the malware might impersonate you and then simply copy/paste the data or transfer the data in plain text. I think that <a href="http://technet.microsoft.com/en-us/library/cc771627.aspx" target="_blank">Rights Management Services</a> could at least lower the risk of data loss.</li>
</ol>
<p>What else? What do you do? I would be really interested in hearing your ideas and approaches.</p>
<p>Roger</p>
]]></content:encoded>
			<wfw:commentRss>http://www.halbheer.ch/security/2010/09/30/how-to-detect-a-hacker-attack/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>Interpol&#8217;s Chief&#8217;s Facebook Identity Stolen</title>
		<link>http://www.halbheer.ch/security/2010/09/20/interpols-chiefs-facebook-identity-stolen/</link>
		<comments>http://www.halbheer.ch/security/2010/09/20/interpols-chiefs-facebook-identity-stolen/#comments</comments>
		<pubDate>Mon, 20 Sep 2010 12:52:37 +0000</pubDate>
		<dc:creator>Roger Halbheer</dc:creator>
				<category><![CDATA[Crime]]></category>
		<category><![CDATA[Cybercrime]]></category>
		<category><![CDATA[Incidents]]></category>
		<category><![CDATA[Industry]]></category>
		<category><![CDATA[Identity]]></category>

		<guid isPermaLink="false">http://www.halbheer.info/security/2010/09/20/interpols-chiefs-facebook-identity-stolen</guid>
		<description><![CDATA[<p>This is one of the risks, not a lot of people look into: It is fairly easy for me to setup a Facebook account in another person’s name. This is what happened to Ronald K. Noble, head of Interpol: Interpol Chief Ronald K. Noble Has Facebook Identity Stolen.</p> <p>Roger</p> ]]></description>
<content:encoded><![CDATA[<p>This is one of the risks not a lot of people look into: it is fairly easy for me to set up a Facebook account in another person’s name. This is what happened to Ronald K. Noble, head of Interpol: <a href="http://www.darknet.org.uk/2010/09/interpol-chief-ronald-k-noble-has-facebook-identity-stolen/">Interpol Chief Ronald K. Noble Has Facebook Identity Stolen</a>.</p>
<p>Roger</p>
]]></content:encoded>
			<wfw:commentRss>http://www.halbheer.ch/security/2010/09/20/interpols-chiefs-facebook-identity-stolen/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

