Paul Henry — technical knowledge gap promoting weak enterprise security

Paul Henry, vice president of strategic accounts at Secure Computing, is one of the world's foremost global information security experts, with more than 20 years' experience managing security initiatives for Global 2000 enterprises and government organizations. Here he speaks to Brian McKenna, for Infosecurity, about recent and near-future changes to the threat landscape, and how the security community needs to better shape up.

More and more of what used to be thought of, or indeed is still thought of, as security, is being operationalized. And so, security teams in big companies, especially, need to become more strategic and change their focus to intellectual property control or getting a better handle on the insider threat problem, and so on. Are you seeing that among your associates and customers as a trend? Analysts in firms like Gartner often say this kind of thing.

I’m seeing evidence of a problem that goes against what they’re saying. I’m seeing a lack of technical expertise as still being one of the biggest problems that we have in network security today. This lack of technical expertise is the bane of the majority of our issues.

If IDC and Gartner et al. got their way, we would have MBAs running the network security department, not security experts!

But, security is a business issue, right? It’s a people and process issue as much as it is about technology?

It’s a people and technology issue. The problem here is that you can train 10,000 employees not to click on an e-mail attachment. Out of 10,000 people however, if only one person does it, they’ve detonated your entire network.

You have to have sensible safeguards. I agree that people are your first line of defence, but you absolutely have to have technical safeguards.

With respect to the requirements to watch intellectual property, to keep a better guard on personal data, things like credit card numbers and all of that, I fully agree. Especially today in the United States where we have been totally inundated with the loss of personal information and disclosure of personal information on the internet. Things need to be improved along those lines.

But your essential point would be not to forget that infosec is a technical discipline?


Exactly, yes. To me, training the employee not to send out intellectual property in an e-mail, that’s a wonderful thing. But you will have employees who are going to do it anyway. Therefore, you need the technical safeguards in place that will scan the e-mail attachments for watermarks or keywords that would be associated with personal or intellectual property.

For example, a sales company's intellectual property is their customer list – you’ve got an employee who is about to leave the company, so he e-mails the customer list to his prospective employer. No amount of training will prevent him from doing that; you need something that is able to recognize the names on that customer list and is able to stop it going out.

So much of what is said around security is that it’s very much a business thing now, that security professionals within big companies need to get out of the technical detail and see the bigger picture, align security with the needs of the business and risk management policies, and so on.

Business must support security, and security has to meet the business case, or management is never going to buy in, I agree with that.

My problem is that I can very easily see that if I go down this path where security is regarded as a business process, we’re going to have weak security. Security will become policies and procedures without technical safeguards.

For example, take the AOL incident last month. They released a bunch of search data, and their policy and procedure was to sanitize the search data by removing the user name from the search query. That’s all well and good from a policy and procedure perspective, but what ends up happening is the search queries themselves contained people’s credit card numbers, driver’s licence numbers, names, addresses, etc. — it makes it very easy to identify who is doing the searching. That’s a great case of “yeah we had a procedure in place to sanitize the data”, but it didn’t go far enough. They needed a technical safeguard that would have caught things like credit card numbers, driver’s license numbers, etc.

What are you seeing that’s recent and developing among the hacking community?

We’re still seeing a continued use and expansion of the technique of ‘fuzzing’ technologies. Fuzzing is the use of artificial intelligence to test software applications. In its simplest form, what it does is throw random data at software inputs, in the hope of causing that software to do something unexpected. If they see that there is something unexpected, they essentially have found a bug. They further explore that bug to see if it can be converted to an exploit.

It is quite incredible how quickly this whole process works. It has a widespread use today in the hacking community – there are a dozen different fuzzing tools that you can download from the public internet for free. Anyone can become a fuzzer. It does demand some knowledge, some command line knowledge, and some awareness of programming in order to track the bug down and convert it to an exploit. But it is easier than having to have a degree in computer science or ten years' experience in software applications!

When did this technology really come to your attention as something that was widespread?

About a year ago, we kept seeing more of this discussed in the chat rooms. Back in July, one organization, in order to show the power of fuzzing tools, made a claim on the internet that it would find a new bug in browsers every single day for the month of July and post them on the internet. And they accomplished that. They did in fact find 31 new bugs, and they posted them on the internet. I’m speaking about the Metasploit project, the author of which is HD Moore.

Was that over a range of browsers?

Actually, the vast majority were, of course, in IE. They did find a couple in the others.

But another trend we’re seeing is that the guys that are using this stuff are no longer working on current versions of Windows. Just a couple of weeks ago, a new vulnerability was released on the Net on Microsoft Word for Office 2000. Right now, you have so many people concentrating on current applications that, to stand out in the crowd, some guys are taking this stuff and using it on older applications.

Presumably that exploitation of older Windows systems will have more effect on consumers than on business?

Yes and no. A lot of businesses have never moved from Office 2000 to Office 2003, because of the cost of licensing. And they tend to think it has been a year or two since the bug has been out there, so they must be safe, but you really can’t drop your guard.

Another thing we are seeing, especially in a lot of the news groups that we track, is the tremendous increase in the number of reports of ‘cross-site’ scripting bugs. There has been a huge increase there.

Now, I don’t have too much of a concern here, as in the vast majority of cases the impact of a cross-site scripting issue is fairly benign. You might be able to make something appear on a website through the use of a cross-site link that shouldn’t be there, that type of thing, but most people with half a brain are able to realize when it is not a normal link.

How would you explain the huge increase in this that you’re tracking in news groups? What is the driver?

I think it’s frustration. On pretty much every website you go to today, you find the ability to execute some kind of cross-site scripting. They are in fact bugs, it is improper coding that permits them to have them, but I haven’t seen a great value from a hacking perspective in cross-site scripting.

So it’s a case of ‘we’ll do it because we can’?

It is, but it’s also a case of the people who own these sites not doing a very good job of eliminating the flaws.

Does Secure Computing have a big research capability in terms of monitoring the underground? How many guys have you got doing this work?

We’re in 68 different countries today; all of our support people do reporting. I would say the number is probably around 200.

So comparable to something like ISS’s X-Force?

X-force and Symantec are probably bigger. Our research is more finely tuned, and we’re looking specifically for application layer issues.

What about botnets? It was said at the beginning of the year, that 2006 would be the year of the botnet.

It most certainly seems to be. They are growing. What we’re finding, through research and US government and law enforcement, is that there has definitely been a trend in organized crime, assuming some level of control of botnets. There is definitely a surge in use of botnets for things such as contract spam, as it allows the spammer to remain completely anonymous. Spammers have had an incredible go for the last year, because legally people are coming after them. A guy in Australia last week was arrested for having sent 2.1 billion spam e-mails over the year from Australia. But by using a botnet, you remain anonymous. Essentially you’ve got 10,000 PCs that don’t belong to you but are sending your spam. The botnets are rented on a daily basis.

How much are they rented for these days?

It depends; rates range from as little as 300 dollars for an hour, up to 3,000 dollars an hour. Consider that: you’re controlling literally 10,000 PCs for pocket change.

The other area where botnets have seen a great deal of usage is in click-through advertising. That was the main thrust of a Business Week article I was interviewed for recently. They were doing research on click-through and it turned to botnets very quickly. When using a botnet for click-through advertising revenue generation, the clicks appeared to be perfectly good/normal traffic. As long as you’re not clicking a number of times from the same PC in a very short period of time, it will be difficult for anyone to pick it up.

Talk me through the significance of this.

People are getting outrageously high numbers of clicks on the ads they would place on the internet. There is an interesting money chain here. The person that creates the ad gets a little bit of money, every time the ad is clicked. The person who hosts the ad on their web page also gets paid when that ad gets clicked. So, you have bigger players like Google and Yahoo, and then the smaller websites that also host these ads.

The problem comes into play when anyone in the food chain wants to increase their revenue, as they can simply use the botnet to produce fraudulent clicks. It makes more money for them. The other side of the coin is if I wanted to have a negative effect on my competitor, I could hire a botnet to create fake leads and cost them extra money in their advertising, by hiring a botnet to click on their ads.

Is that more of a theoretical possibility?

No, it has happened. I haven’t done it! But I have seen others that have. Not only are you costing your competitor money, but you’re giving them addresses that are virtually worthless. They will be trying to follow up on leads that have no value.

Botnets are essentially being fuelled by application layer vulnerabilities; that is what is providing the mechanism to insert the malware onto these PCs. This ties back to fuzzing of course, which is creating the vulnerabilities in the first place.

That sounds to me like a set of technologies that could exponentially increase the number of vulnerabilities?

Absolutely. Look at this historically. Just a few years ago they were reporting only 100 vulnerabilities a month. There has been a five-fold increase in just a few years. It’s so scary.

Is this largely ascribable to fuzzing technology?

It’s a combination of application layer vulnerability and fuzzing, which is an accelerator for application layer vulnerabilities.

I can see how fuzzing is a force multiplier, as is the drive to do it in the first place.

In a survey I saw in the UK, 87% of the people surveyed agreed that security was a very important issue regarding software applications. Yet when asked if they had a programme in place to enhance software security, less than 20% indicated that they did.

We created the economic problem ourselves when agreeing to the ridiculous license terms from software vendors. Today when you buy a piece of software, you accept it along with all the bugs and problems, so you have no recourse. We created a monster there; there’s very little incentive for them to improve it.

Going back to the botnet phenomenon, is the size of the botnet of less importance than one might think?

It depends on what you’re doing. If you’re trying to do denial of service attacks, you only want computers that have very big pipes. As things have evolved, you are able to identify the botnets with the big pipes quickly because of the weighted traffic, so people have moved now towards a larger number of computers sending less traffic to make them harder to detect. It can remain a little more stealthy. A lot of research has gone into DDoS attacks over the last year or two; people are really waking up to it and are now starting to protect themselves.

So in terms of how things are going to shape up in the next 6 months or so, the trends that you are talking to me about seem quite old now, will there just be more of them?

Yes, nothing earth-shattering, just more of the same.

What about the people behind them? Is it still an ex-Soviet bloc picture, or is western organized crime emerging as a cyber-crime player?

It does seem that a great deal of it is still coming from the old East European bloc countries. However, I did see a surprising change recently. Brazil for many years had been the leader in website defacement, but this has changed to Turkey. That occurred three or four months ago.

Part of what we’re going to see in the shift, now that organized crime is in it, is that people are going to tend to follow the money.

And what would you expect to see developing?

The community that is involved will be a little bit more cautious about letting it get out of their hands and moving to other people. Now that there is money involved, people are going to hold their associations a little closer to their chest.

You don’t think the whole cyber crime thing is a bit hyped? Yes, it’s organized but there are not really big sums of money that are being generated, surely?

You could refer to it as unorganized crime, because you do have fewer people and it is less organized than what we traditionally call organized crime. But the fact that organized crime has now stepped in and is doing the same old scams from outside of the internet – the old protection scams, ‘either you pay me or I’m going to put you out of business’ – that’s the primary tie into organized crime.

We see organized crime directly involved in the sale of personal information on the internet, we see them involved in identity theft overall, especially in credit card number trafficking. There is still a great deal of that out there.

Blackberries and PDAs are much more common now than they used to be two to four years ago. I know this is something you’ve paid a lot of attention to.

Someone has found a Blackberry-related vulnerability and created the exploit code that allows you to use a Blackberry communications channel – literally to serve through that channel into the enterprise network. It’s called 'BB proxy'. It’s more of an issue of architecture than a Blackberry issue. The problem, simply put, is that whenever someone installs a device that uses encryption, they tend to mistakenly believe that the encryption somehow makes them secure. When, in fact, encryption only provides for the confidentiality of data whilst it is in transit. So, again, someone would install a Blackberry, or another device which uses encryption, and they would not secure the endpoints. By not securing the endpoints, you’re opening the door for someone to use your encrypted tunnel to enter your network.

For example, if you’re using your laptop as a remote user with a VPN connection, that connection is encrypted. The problem is if the hacker gets a Trojan on your laptop, he can then use that to go through your VPN connection into your corporate network, unchallenged.

Now, you can’t detect the hacker in your network because he’s using an encrypted tunnel. A second example is the Blackberry, with the Trojan BB Proxy: if they’re able to get that on your Blackberry, they can use the connection for your Blackberry to surf up the encrypted channel to the enterprise server. Where’s the enterprise server? Behind the firewall! He’s got a back door right into your internal network. Encryption is not security, it’s only confidentiality – you need to secure the endpoints.

Is there anything else that you think should be top of mind for enterprise IT security professionals which you want to put across?

When you look at our foe today, our foe is using global resources. In other words, you’ve got an organized criminal in an Eastern bloc country, who’s using botnets that are controlled by someone in Brazil. The guy in Brazil is using an exploit that was found by someone who happens to be in Australia. It’s a global co-operation. To date, we have been trying to solve the problem on our individual gateways to the internet. Perhaps it’s time that as a security community, we start thinking more on a global basis. And we start sharing data on a global basis in order to fight the threats.

Are you seeing evidence of that beginning to happen?

We’re doing a great deal of research in it, and it’s very promising. As an example, if we’re able to locate a botnet in Korea, why should we not share evidence of that botnet and prevent connections to networks from that botnet globally? We need to change our perspective and start acting as a global community to attack the menace that seems to have gone global itself.

Are there associations and alliances that are helping to move that forward?

I think there are organizations that are; that was the primary reason we purchased Ciphertrust, because of the work and research they’ve done in that area.

We live in a crazy world today. For example, a huge company in France is blocking 95% of e-mail that comes into their organization because of spam. That is an incredible number!

That has gone up from, what, 70% a year ago?

Yes, it’s appalling. E-mail has become almost useless.