
  • 8/8/2019 Secure View #4 Small Web

    1/36

    4th quarter 2010

WEAK LINKS: Changes in the methods and targets of the cybercriminals' attacks

DESPERATE JAILBREAKERS: Is it actually safe to jailbreak an iPhone?

THE ENEMY AT THE GATE: Rogue AVs are rapidly becoming one of the biggest threats to users

ARTIFICIAL INTELLIGENCE IN THE REALMS OF IT SECURITY: Autonomous systems that treat infections

EXPERTS' COMMENT

BUSINESSES UNDER ATTACK: How to protect your company from cybercriminals



CONTENTS

NEWS
Breakthroughs and trends in the IT security industry 4-9

REPORT
Black Hat USA 2010: News and trends from Black Hat USA 2010 10-11

TOP STORY
Businesses under attack: Everything you should know about corporate threats 12-17

ANALYTICS
Desperate Jailbreakers: Recent smartphone security issues 18-21
The enemy at the gate: Rogue antivirus programs on the rise 22-25

TECHNOLOGY
Artificial Intelligence in the realms of IT security: Cyber Helper, an autonomous system that treats infections 26-29
Under control: Analyzing application activities 30-31

FORECASTS
Weak links: Changes in the methods and targets of the cybercriminals' attacks 32-33

INTERVIEW
Keeping pace with viruses: Current malware sample processing techniques, with Nikita Shvetsov 34

A WORD FROM THE EDITOR

Dear Readers,

I am sure that the majority of you reading this work for a company of one sort or another. Ten to one your company has its own Internet site, communicates with its clients and partners over email, and possibly even uses Instant Messaging too. Often, many of you will take some work home with you, burning the midnight oil on yet another important document. Just the thought of working without a computer and the Internet, or not being able to complete an urgent job at home when you need to, would seem utterly strange to a lot of people these days.

So where is this all leading, you may ask? Well, working in an office, you can't have failed to notice that there is a security solution installed on your computer. A similar solution should be installed on your company's servers, where their office is located. If that is not the case, then it is very unfortunate indeed, but let's put that dismal scenario aside for now and move on.

The antivirus, or the more complex security package, installed by your company's systems administrators is designed to protect your computer from attack by criminals, but are you sure that your company has a complex security policy in place? If the system administrator does not regularly install updates for the operating systems and any third-party software installed on the users' computers, there can be no guarantee that a determined cybercriminal won't find an unpatched vulnerability in the system and use it to their advantage.

Are you sure that your smartphone, which you rely on for daily business communications, or the notebook that you or your boss are working on at home or in the office, are protected from such a banal thing as loss? After all, if the notebook that you lost or had stolen at the airport ended up in the hands of specialist crooks, all of your confidential information would be right there in front of them. At least, that would be the case if your device didn't happen to have a suitable encryption solution installed and a complex login and password security program.

However, let's not get ahead of ourselves for the moment. Just read this issue's Top Story and consider carefully whether you have closed all of the loopholes through which a cybercriminal might attack your company, and while we are talking about threats, do you and your colleagues know enough about rogue antivirus programs and how they can penetrate your computer?

See you next issue!

Alexander Ivanyuk
Editor-in-Chief

SECUREVIEW Magazine
4th Quarter 2010

Editor-in-Chief: Alexander Ivanyuk
Editor: Darya Skilyazhneva
Design: Svetlana Shatalova, Roman Mironov
Production Assistants: Rano Kravchenko
Editorial matters: [email protected]
http://www.secureviewmag.com

© 1997 - 2010 Kaspersky Lab ZAO. All Rights Reserved. Industry-leading Antivirus Software

The opinion of the Editor may not necessarily agree with that of the author.

SECUREVIEW Magazine can be freely distributed in the form of the original, unmodified PDF document. Distribution of any modified versions of SECUREVIEW Magazine content is strictly prohibited without explicit permission from the editor. Reprinting is prohibited unless with the consent of the editorial staff.


    NEWS

www.secureviewmag.com 4 | SECUREVIEW 4th quarter 2010

VULNERABILITIES

Deanonymizing anonymizers

Research by INRIA (the French National Institute for Research in Computer Science and Control) has shown that there are serious weaknesses in the way BitTorrent clients use the peer-to-peer protocol. They allow BitTorrent users to be spied on: an attacker may be able to deanonymize a user even behind an anonymizing network such as Tor.

Tor is built from chains of proxies (circuits) and multilayered traffic encryption. The researchers propose three methods of attack to deanonymize BitTorrent users on Tor.

The first method consists of inspecting the payload of some of the BitTorrent control messages and searching for the public IP address of the user: in particular, the announce messages that a client sends to the tracker in order to collect a list of peers distributing the content, and the extended handshake. Messages sent by some clients immediately after the application handshake occasionally contain the public IP address of the user. Tor only encrypts traffic up to the exit node, so an exit node run by the attacker sees these payloads in the clear.

The second method consists of rewriting the list of peers returned by the tracker so that it includes the IP address of a peer controlled by the attacker. Since the user then connects directly to that peer, the attacker can deanonymize the user simply by inspecting the IP header of the connection. This hijacking attack is accurate, but it only works when the user relies on Tor solely to connect to the tracker while peer connections leave the machine directly.

The third and final method exploits the DHT (Distributed Hash Table) to search for the public IP address of a user. Tor does not support UDP, whereas BitTorrent's DHT uses UDP for transport, so when a BitTorrent client fails to contact the DHT through its Tor interface it falls back to its public interface, thereby publishing its public IP address in the DHT. Because the content identifier and the port number of the client transit through the exit node, and port numbers are uniformly distributed across clients, the (content identifier, port) pair is close to a unique fingerprint and an attacker can use it to look the BitTorrent user up in the DHT. This DHT attack is very accurate and works even when the peer uses Tor to connect to other peers.

Using the hijacking and DHT attacks, the researchers deanonymized and profiled close to 9,000 public IP addresses of BitTorrent users on Tor. In particular, they exploited the multiplexing of streams from different applications into the same Tor circuit to profile the web browsing habits of those BitTorrent users.
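As an added example (not part of the original article and not the INRIA researchers' code), the following Python script performs the check behind the first method from the vantage point of someone who can read the plaintext BitTorrent traffic, such as the operator of a Tor exit node: it decodes the tracker announce URL and the bencoded extended-handshake dictionary and reports any self-reported address that is not a private or loopback address. The field names `ip`, `ipv4` and `ipv6` (announce parameters) and `ipv4`, `ipv6` and `yourip` (extended handshake) are the ones defined by the BitTorrent tracker protocol and BEP 10; the sample announce URL and handshake bytes are constructed here and use documentation address ranges, which the filter below deliberately treats as public so the demonstration works offline.

```python
import ipaddress
from urllib.parse import urlsplit, parse_qs

# Address ranges that cannot be a user's public address. Anything else a client
# writes into the protocol is a leak candidate. (Documentation ranges such as
# 203.0.113.0/24 are intentionally not listed so the constructed sample is flagged.)
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
)]


def is_public(ip) -> bool:
    # `ip in net` is False when the address families differ, so mixing v4/v6 is safe.
    return not any(ip in net for net in NON_ROUTABLE)


def bdecode(data: bytes, pos: int = 0):
    """Minimal bencode decoder (BEP 3); returns (value, offset after the value)."""
    c = data[pos:pos + 1]
    if c == b"i":                          # integer: i<digits>e
        end = data.index(b"e", pos)
        return int(data[pos + 1:end]), end + 1
    if c == b"l":                          # list: l<item>...e
        items, pos = [], pos + 1
        while data[pos:pos + 1] != b"e":
            item, pos = bdecode(data, pos)
            items.append(item)
        return items, pos + 1
    if c == b"d":                          # dict: d<key><value>...e
        result, pos = {}, pos + 1
        while data[pos:pos + 1] != b"e":
            key, pos = bdecode(data, pos)
            value, pos = bdecode(data, pos)
            result[key] = value
        return result, pos + 1
    if c.isdigit():                        # byte string: <length>:<bytes>
        colon = data.index(b":", pos)
        length, start = int(data[pos:colon]), colon + 1
        return data[start:start + length], start + length
    raise ValueError(f"malformed bencode at offset {pos}")


def leaked_public_ips(announce_url: str, ext_handshake: bytes):
    """Return (where, address) for every public address the client volunteered."""
    findings = []
    query = parse_qs(urlsplit(announce_url).query)
    for param in ("ip", "ipv4", "ipv6"):   # optional tracker-announce parameters
        for value in query.get(param, []):
            try:
                ip = ipaddress.ip_address(value)
            except ValueError:
                continue
            if is_public(ip):
                findings.append((f"announce:{param}", str(ip)))
    payload, _ = bdecode(ext_handshake)
    # BEP 10: ipv4/ipv6 are the sender's own addresses; yourip is what the sender
    # believes the receiver's address to be. All are in compact (4 or 16 byte) form.
    for key in (b"ipv4", b"ipv6", b"yourip"):
        raw = payload.get(key)
        if not isinstance(raw, bytes) or len(raw) not in (4, 16):
            continue
        ip = ipaddress.IPv4Address(raw) if len(raw) == 4 else ipaddress.IPv6Address(raw)
        if is_public(ip):
            findings.append((f"handshake:{key.decode()}", str(ip)))
    return findings


# Constructed sample traffic: documentation addresses, made-up info hash and peer id.
SAMPLE_ANNOUNCE = (
    "http://tracker.example/announce?info_hash=%00%11%22%33%44%55%66%77"
    "%88%99%AA%BB%CC%DD%EE%FF%00%11%22%33&peer_id=-XX0001-abcdefghijkl"
    "&port=6881&uploaded=0&downloaded=0&left=0&ip=203.0.113.7"
)
SAMPLE_EXT_HANDSHAKE = (
    b"d1:md11:ut_metadatai1ee1:pi6881e1:v10:Client 1.0"
    b"4:ipv44:" + bytes([203, 0, 113, 7])
    + b"6:yourip4:" + bytes([198, 51, 100, 9]) + b"e"
)

if __name__ == "__main__":
    for where, addr in leaked_public_ips(SAMPLE_ANNOUNCE, SAMPLE_EXT_HANDSHAKE):
        print(f"{where:18} {addr}")
```

The announce URL is a plain HTTP GET, so nothing beyond URL parsing is needed for it; the extended handshake is the first bencoded dictionary after the peer-wire handshake, which is why a small decoder is enough. Any address returned by `leaked_public_ips` would be seen by an exit node even though the circuit itself hides the user's true source address.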

ENCRYPTION

Random numbers certified by Bell's theorem

Researchers have devised a new kind of random number generator for encrypted communications and other uses that is cryptographically secure, inherently private and certified random by the laws of physics.

Although the events around us can seem arbitrary, none of them is genuinely random in the sense that they could not be predicted given sufficient knowledge. Indeed, true randomness is almost impossible to come by. That situation is a source of persistent concern to cryptographers, who need to encrypt valuable data and messages using a long string of random numbers that form a key to encode and decode the message. For practical purposes, encoders typically employ mathematical algorithms called pseudo-random number generators to approximate the ideal. However, they can never be completely certain that the system is invulnerable to adversaries or that a seemingly random sequence is not, in fact, predictable in some manner.

Now, though, Stefano Pironio and Serge Massar from the Université Libre de Bruxelles (ULB), in partnership with European and American quantum information scientists, have demonstrated a method for producing a certifiably random string of numbers based on the principles of quantum physics. Their solution relies on a discovery made by physicist John Bell in 1964: two objects can be in an exotic condition called entanglement, in which their states become so utterly interdependent that if a measurement is performed to determine a property of one, the corresponding property of the other is instantly determined as well, even if the two objects are separated by large distances. Bell showed mathematically that if the objects were not entangled, their correlations would have to be smaller than a certain value, expressed as an inequality. If they were entangled, however, the correlations could be higher, violating the inequality.

"The important point is that the violation of a Bell inequality is possible only if we are measuring genuine quantum systems," says Pironio. "Therefore if we verify a Bell inequality violation between isolated systems, we can be sure that our device has produced true randomness independently of any experimental imperfection or technical detail. But to build something concrete out of this initial intuition, we had to quantify how much randomness is actually produced and whether it is secure in a cryptographic setting."
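The inequality the article refers to, written out as an added illustration (this is the standard CHSH form of Bell's inequality, not text from the original news item): two separated measuring stations each choose between two settings, $a, a'$ on one side and $b, b'$ on the other, and record outcomes $\pm 1$; $E(x,y)$ denotes the average of the product of the two outcomes when the settings are $x$ and $y$.

```latex
S \;=\; E(a,b) \;-\; E(a,b') \;+\; E(a',b) \;+\; E(a',b')

\text{outcomes fixed in advance by local variables (no entanglement):}\qquad |S| \le 2

\text{entangled pair, optimal settings (quantum maximum, Tsirelson bound):}\qquad |S| \le 2\sqrt{2} \approx 2.83
```

A device whose outputs could have been computed in advance from any hidden record is a local model and cannot push $S$ above 2, so an observed $S > 2$ certifies that the outputs were not predetermined; that is what "certified by the laws of physics" means in practice. Nothing is certified at $S = 2$, and the amount of randomness that can be credited per measurement grows with the size of the violation up to the quantum maximum. The certification only holds if the two stations are genuinely isolated from each other during the measurements, which is why Pironio stresses isolated systems.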

Source (Deanonymizing anonymizers): http://arxiv.org/PS_cache/arxiv/pdf/1004/1004.1267v1.pdf

Source (Random numbers certified by Bell's theorem): http://www.physorg.com/pdf190468321.pdf


CRYPTOGRAPHY

Laser key

Dr. Jacob Scheuer from Tel Aviv University has developed a unique optical system for secret cryptographic key distribution. The researcher claims that his system is potentially uncrackable.

Transmitting binary lock-and-key information in the form of light pulses, his device ensures that a shared key code can be unlocked by the sender and receiver and absolutely nobody else. Dr. Scheuer has found a way to secure the transmitted ones and zeros using light and lasers. The trick, says Dr. Scheuer, is for those at either end of the fiber optic link to send different laser signals which they themselves can distinguish between, but which look identical to an eavesdropper.

"Rather than developing the lock or the key, we've developed a system which acts as a type of key bearer," the researcher explains.

ANTIVIRUS TESTING

THE EXPERT'S COMMENT: The Rise of the Rogue AV Testers

Recently, I was sitting around with a number of colleagues from Kaspersky Lab, discussing everybody's favorite subject: the state of AV testing these days. During the chat, somebody brought up the name of a new, obscure testing organization in the Far East. Nobody else had ever heard of them, and so my colleague Aleks Gostev jokingly called them "a rogue Andreas Marx".

It then occurred to us that some of these new testing labs that have recently appeared mimic the tactics of rogue AV products. What exactly do I mean? Well, as we know, the rogue AV business model is based on selling a false sense of security; we professionals know it is fake, but the victims don't. People buy a rogue AV program hoping that it will solve their security problems, but at best the products do nothing and at worst they install additional malware.

Rogue AV testers are somewhat similar in behavior. In their case, the business model is no longer based on a false sense of security but instead on a false sense of insecurity. So, how do they operate? Well, it seems to start with a number of tests which look legitimate and mimic real-world conditions. Then the tests slowly become more complicated and security products do worse and worse. Sometimes the product that did best in the previous test suddenly becomes the worst in the group. In other cases, all products fail miserably. Finally, the main idea emerges: that all security products are bad and utterly useless. Hence, the false sense of insecurity is promoted through the tests: you are insecure, your money was misspent, beware! Going further, the rogue AV testers use various techniques such as not disclosing product names in published test results and attempting to sell these results for serious amounts of money.

Here are some of the characteristics we identified as being specific to rogue AV testers, which can help you to spot them:

1. They are not affiliated with any serious testing organization, such as AMTSO. Sometimes the rogue AV testers could also show fake affiliations, or even falsely display (say) the AMTSO logo on their website, in order to remove suspicion and doubt.

2. They publish free public reports, but charge money for the full reports. In general, the public reports should look as bad as possible for all the tested products, to maximize the profits from selling the full reports.

3. The public reports are full of charts that look complicated and intelligent, but sometimes reveal amusing mistakes.

4. They claim all AV (or security) products are useless. This is the foundation stone of any business based on the false sense of insecurity.

5. They charge for samples and methodologies, usually very large sums of money, to make sure the flawed methodology and samples cannot be reviewed externally. Reputable testers will make samples and methodologies freely available to the developers of the products that they test, and instead charge for the rights to publish the results in magazines or for permission to use the results in marketing materials. Charging money for samples is a clear indication that something wrong is going on.

There are other characteristics, but I think everybody has got the point by now.

Just like the explosion in rogue AV products, which has made them one of the most profitable crimeware categories, I suspect rogue AV testers will follow, and in the process they will also become an extremely profitable category. Of course, the worst thing is that they will provide a strong negative value to the entire IT security industry.

So, if you are trying to compare security solutions, I recommend sticking to established testing organizations such as Virus Bulletin, AV-TEST.ORG and AV-COMPARATIVES, or reputable magazines with a good history behind them. If in doubt, ask for AMTSO affiliations and, finally, do not forget about the list of hints that can help you to spot rogue AV testing behavior.

Do not become a victim of the rogue AV testers!

Costin Raiu is the Director of Kaspersky Lab's Global Research & Analysis Team.

Source (Laser key): http://www.sciencedaily.com/releases/2010/03/100323121834.htm


SOCIAL NETWORKS

Fundamental privacy limits of recommendations

A group of researchers has demonstrated the fundamental limits of privacy in social networks with personalized recommendations: the recommendations cannot be made without disclosing something about the sensitive links between users.

Facebook recommends new contacts based on the pattern of connections between existing users, whilst Amazon recommends books and other products based on purchase histories and Netflix recommends movies based on historical ratings. To be sure, these sites produce helpful results for users that in turn can dramatically increase sales for the merchant, but they can also compromise privacy. For example, a social network recommendation might reveal that one person has been in email contact with another, or that an individual has bought a certain product or watched a specific film. It may even be a breach of privacy to discover that your friend doesn't trust your judgment in books.

The researchers say that privacy breaches are inevitable when networks are exploited in this way. In fact, they have worked out a fundamental limit to the level of privacy that is possible when social networks are mined for recommendations.

Their approach is to consider a general graph consisting of nodes and the links between them. This may be a network in which the nodes are books, say, and a link between two nodes represents the purchase of one book by the owner of another. The team considers all of these links to be private information. They then consider an attacker who wants to work out the existence of a link in the graph from a particular recommendation. So, given the knowledge that people who bought book X also bought book Y, is it possible to determine a purchase decision made by a specific individual?

To answer this, the researchers define the privacy differential as the ratio of the likelihoods that the website makes a given recommendation with the private purchase decision in question present in the graph and with it absent; this is the same ratio that differential privacy bounds. The question they then ask is to what extent recommendations can be made while keeping this privacy differential small.

It turns out that there is a trade-off between the accuracy of the recommendation and the privacy of the network: a recommender accurate enough to be useful must let individual links influence its output, and that influence is exactly what the attacker measures. So a loss of privacy is inevitable for a good recommendation engine.

Source: http://www.technologyreview.com/blog/arxiv/25146/

Photo caption: Amazon recommends books and other products based on purchase histories
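To make the ratio concrete, here is an added worked example (my own code, not the researchers'): a toy purchase graph, a "customers who bought X also bought" recommender that always returns the most co-purchased title, and a randomized variant that picks a title with probability proportional to exp(ε·count/2), the exponential mechanism from differential privacy. The function `privacy_differential` computes the worst-case ratio, over every recommendation the site could make, of the probability of that recommendation with one user's purchase present versus removed. The purchase data and the catalog are constructed; the book names, user names and `epsilon` values are assumptions for the demonstration.

```python
import math
from typing import Callable, Dict, Set

# Constructed toy data: which titles each customer bought. The catalog is fixed so
# that removing one purchase never removes a title from the candidate set.
CATALOG = {"W", "X", "Y", "Z"}
PURCHASES: Dict[str, Set[str]] = {
    "alice": {"X", "Y"}, "bob": {"X", "Y"}, "erin": {"X", "Y"},
    "carol": {"X", "Z"}, "dave": {"X", "Z"}, "frank": {"X", "Z"},
}
Recommender = Callable[[Dict[str, Set[str]], str], Dict[str, float]]


def cooccurrence(purchases: Dict[str, Set[str]], query: str) -> Dict[str, int]:
    """For every other catalog title, how many buyers of `query` also bought it."""
    counts = {title: 0 for title in CATALOG - {query}}
    for items in purchases.values():
        if query in items:
            for title in items & set(counts):
                counts[title] += 1
    return counts


def deterministic_recommender(purchases, query):
    """Plain 'customers who bought X also bought': the top co-purchased title,
    returned as a probability distribution (a point mass)."""
    counts = cooccurrence(purchases, query)
    best = max(sorted(counts), key=counts.get)   # stable tie-break by name
    return {best: 1.0}


def exponential_recommender(epsilon: float) -> Recommender:
    """Randomized recommender: P(title) proportional to exp(epsilon * count / 2).
    Removing one purchase changes a single count by at most 1, so every
    recommendation probability moves by a factor of at most exp(epsilon)."""
    def recommend(purchases, query):
        counts = cooccurrence(purchases, query)
        weights = {t: math.exp(epsilon * c / 2) for t, c in counts.items()}
        total = sum(weights.values())
        return {t: w / total for t, w in weights.items()}
    return recommend


def without_purchase(purchases, user, title):
    """Copy of the graph with one private link (user bought title) removed."""
    copy = {u: set(items) for u, items in purchases.items()}
    copy[user].discard(title)
    return copy


def privacy_differential(recommender: Recommender, purchases, user, title, query):
    """Worst-case ratio, over all recommendations the site could make for `query`,
    between the probability of that recommendation with (user, title) in the graph
    and without it. math.inf means some recommendation can occur in only one of the
    two worlds, i.e. seeing it reveals the purchase with certainty."""
    present = recommender(purchases, query)
    absent = recommender(without_purchase(purchases, user, title), query)
    worst = 1.0
    for candidate in CATALOG - {query}:
        p, q = present.get(candidate, 0.0), absent.get(candidate, 0.0)
        if p == q:
            continue
        if p == 0.0 or q == 0.0:
            return math.inf
        worst = max(worst, p / q, q / p)
    return worst


if __name__ == "__main__":
    for name, rec in (("deterministic", deterministic_recommender),
                      ("exponential eps=1", exponential_recommender(1.0)),
                      ("exponential eps=4", exponential_recommender(4.0))):
        print(f"{name:18} P(Y|X)={rec(PURCHASES, 'X').get('Y', 0.0):.3f}  "
              f"differential for erin's Y={privacy_differential(rec, PURCHASES, 'erin', 'Y', 'X'):.3f}")
```

In the constructed graph Y and Z tie as co-purchases of X, so removing Erin's purchase of Y flips the deterministic recommender from Y to Z: the recommendation alone reveals her purchase, and the differential is infinite. The randomized recommender keeps the differential below exp(ε), but only by sometimes recommending the wrong title; raising ε buys accuracy and leaks more, which is the trade-off the article describes.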

ONLINE SERVICES THREATS

Hijacking Google services

An international research team has demonstrated the possibility of hijacking Google services and reconstructing users' search histories.

Firstly, with the exception of a few services that can only be accessed over HTTPS (e.g. Gmail), the researchers found that many Google services were still vulnerable to simple session hijacking: the cookie that identifies a logged-in session is also sent over plain HTTP, so anyone who can observe the traffic can copy it and impersonate the user.

Next they presented the Historiographer, a novel attack that reconstructs the web search histories of Google users, i.e. Google's Web History, even though that service is supposedly protected from session hijacking by a stricter access control policy. The Historiographer implements a reconstruction technique that rebuilds the search history from inferences drawn from the personalized suggestions the Google search engine returns: Google users receive personalized suggestions for their search queries based on previously searched keywords, and those suggestions are available to whoever holds the hijacked session. The researchers showed that almost one third of monitored users were signed in to their Google accounts, and of those, half had their Web History enabled, thus leaving themselves vulnerable to this type of attack.

The attacks demonstrated are general and highlight concerns about the privacy of mixed architectures using both secure and insecure connections. The research data was sent to Google, and the company decided to temporarily suspend search suggestions based on Search History, in addition to offering Google Web History pages over HTTPS only.

Source: http://arxiv.org/PS_cache/arxiv/pdf/1003/1003.3242v3.pdf
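The defect behind the mixed-architecture concern is a cookie that authenticates the user yet is not marked Secure, so the browser also attaches it to plain http:// requests. As an added example, not from the original article or the researchers' tool, here is a Python audit of Set-Cookie headers that flags session-looking cookies missing the Secure and HttpOnly attributes, plus a helper showing which cookies a browser would attach to a request over a given scheme. The headers are constructed; the cookie names are made up to resemble a multi-cookie login scheme, and the list of name fragments used to recognize session cookies is a heuristic assumption.

```python
from typing import Dict, List

# Name fragments that usually mark an authentication/session cookie (heuristic).
SESSION_NAME_HINTS = ("sid", "sess", "auth", "token", "login")

# Constructed sample response headers; names and values are made up.
SAMPLE_SET_COOKIE_HEADERS = [
    "SID=s1a2b3c4; Domain=.example.com; Path=/; Expires=Sun, 17-Jan-2038 19:14:07 GMT",
    "LSID=l9z8y7x6; Domain=example.com; Path=/accounts; Secure",
    "HSID=h5k4j3h2; Domain=.example.com; Path=/; Secure; HttpOnly",
    "PREF=ID=p1q2w3:LD=en; Domain=.example.com; Path=/",
]


def parse_set_cookie(header: str) -> dict:
    """Split one Set-Cookie header into name, value and lower-cased attributes.
    Flag attributes (Secure, HttpOnly) map to True; valued ones keep their value.
    Only the first '=' of the cookie pair is significant, so 'PREF=ID=x' keeps 'ID=x'."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, object] = {}
    for part in parts[1:]:
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return {"name": name.strip(), "value": value, "attrs": attrs}


def looks_like_session(name: str) -> bool:
    lowered = name.lower()
    return any(hint in lowered for hint in SESSION_NAME_HINTS)


def audit_set_cookie_headers(headers: List[str]) -> Dict[str, List[str]]:
    """Map each session-looking cookie to the protections it lacks.
    Missing Secure: the cookie rides along on http:// requests and can be sniffed
    and replayed (session hijacking). Missing HttpOnly: script in the page can read it."""
    findings: Dict[str, List[str]] = {}
    for header in headers:
        cookie = parse_set_cookie(header)
        if not looks_like_session(cookie["name"]):
            continue
        missing = []
        if "secure" not in cookie["attrs"]:
            missing.append("Secure")
        if "httponly" not in cookie["attrs"]:
            missing.append("HttpOnly")
        if missing:
            findings[cookie["name"]] = missing
    return findings


def cookies_sent_over(headers: List[str], scheme: str) -> List[str]:
    """Names of cookies a browser would attach to a request using `scheme`
    (Domain/Path matching ignored): Secure cookies travel over https only."""
    sent = []
    for header in headers:
        cookie = parse_set_cookie(header)
        if scheme == "https" or "secure" not in cookie["attrs"]:
            sent.append(cookie["name"])
    return sent


if __name__ == "__main__":
    for name, missing in audit_set_cookie_headers(SAMPLE_SET_COOKIE_HEADERS).items():
        print(f"{name}: missing {', '.join(missing)}")
    print("sent over http:", cookies_sent_over(SAMPLE_SET_COOKIE_HEADERS, "http"))
```

In the constructed set, `SID` is the classic problem: it authenticates the user but is sent on every http:// request, so an observer on the path can replay it against any service that still accepts plain HTTP. `LSID` is safe on the wire but readable by page script; `HSID` has both protections and never appears in the http:// list.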


Visualizing the malicious web

Researcher Stephan Chenette has released a Firefox plug-in called FireShark designed to build visual diagrams of the connections between criminal sites and of the schemes used to distribute malicious code. The plug-in allows the capturing of web traffic from a browser, the logging of events and the downloading of content to disk for post-processing analysis. The software has the potential to become a very powerful forensics and antimalware tool. The plug-in can be downloaded free of charge from the author's site.

ENCRYPTION

Record in quantum key bit rate

Toshiba Research Europe's Cambridge lab has announced an important breakthrough in quantum encryption. The researchers have succeeded in demonstrating, for the first time, the continuous operation of quantum key distribution with a secure bit rate exceeding 1 megabit per second over 50 km of fiber. Averaged over a 24 hour period, this is 100 to 1000 times higher than anything reported previously for a 50 km link. It was achieved using two innovations: a novel light detector for high bit rates and a feedback system which maintains a high bit rate at all times and requires no manual set-up or adjustment.

Significantly, the breakthrough will enable the everyday use of one-time pad encryption, a method that is, in theory, perfectly secret. Although ultra-secure, the application of one-time pad encryption has been restricted in the past because it requires the transmission of very long secret keys, the same length as the data itself, and each key may be used only once. For this reason it has only been used for short messages in situations requiring very high security, for example by the military and security services. The achieved bit rate will extend the application of this ultra-secure communication method to everyday use.

Source: http://www.toshiba-europe.com/research/crl/qig/Press2010-04-19-qcbreakthrough.html
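The constraint the article describes, key material equal in length to the data and consumed exactly once, is easy to get wrong in code. As an added example (not Toshiba's code), here is a Python one-time pad whose key pool can only be drawn from once, together with a function that shows what an eavesdropper learns when a pad is reused: the XOR of two ciphertexts made with the same key bytes equals the XOR of the two plaintexts, so one known plaintext reveals the other. The key bytes here are a fixed constructed sequence so the run is reproducible; a real pad must be uniformly random, for example fresh QKD output, and the `pad_bytes_per_day` helper is my own arithmetic on the article's headline rate.

```python
class KeyExhausted(Exception):
    """Raised when a message needs more key bytes than remain in the pad."""


class OneTimePadPool:
    """Pad key material that is consumed strictly once, front to back.
    Both ends hold an identical copy and draw bytes in the same order."""

    def __init__(self, key_material: bytes):
        self._key = bytearray(key_material)
        self._offset = 0

    @property
    def remaining(self) -> int:
        return len(self._key) - self._offset

    def take(self, n: int) -> bytes:
        if n > self.remaining:
            raise KeyExhausted(f"need {n} key bytes, only {self.remaining} left")
        start, end = self._offset, self._offset + n
        chunk = bytes(self._key[start:end])
        self._key[start:end] = b"\x00" * n   # wipe: consumed bytes can never be reused
        self._offset = end
        return chunk


def xor_bytes(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("one-time pad: key and data must be the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def otp_apply(pool: OneTimePadPool, data: bytes) -> bytes:
    """Encrypt or decrypt (XOR is its own inverse) with the next len(data) pad bytes."""
    return xor_bytes(data, pool.take(len(data)))


def two_time_pad_leak(ciphertext_a: bytes, ciphertext_b: bytes) -> bytes:
    """What an eavesdropper computes when the same key bytes were reused:
    c_a XOR c_b == p_a XOR p_b, because the key cancels out."""
    return xor_bytes(ciphertext_a, ciphertext_b)


def pad_bytes_per_day(secure_bits_per_second: float) -> float:
    """Plaintext bytes a link can protect per day at a given secure key rate."""
    return secure_bits_per_second * 86400 / 8


# Constructed, deterministic key material for a reproducible demonstration only.
DEMO_KEY = bytes((i * 37 + 11) % 256 for i in range(64))

if __name__ == "__main__":
    sender, receiver = OneTimePadPool(DEMO_KEY), OneTimePadPool(DEMO_KEY)
    ct = otp_apply(sender, b"attack at dawn")
    print("ciphertext:", ct.hex(), "decrypted:", otp_apply(receiver, ct))
    print("pad bytes left on each side:", sender.remaining, receiver.remaining)
    print("bytes protectable per day at 1 Mbit/s:", pad_bytes_per_day(1_000_000))
```

Each side advances through the same pad in lock step, which is why the receiver's pool decrypts what the sender's pool encrypted. The reuse function shows the failure mode the one-use rule exists to prevent: with two ciphertexts under the same bytes, an attacker who knows either plaintext recovers the other with a single XOR.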

QUANTUM COMPUTATIONS

Uncounterfeitable currency

A new scheme for making quantum money could lead to cash that cannot be counterfeited.

Just like ordinary cash, quantum cash would be exchanged in lieu of goods. It would be sent and received over the Internet without the need to involve third parties such as banks and credit card companies. That would make transactions anonymous and difficult to trace, unlike today's online transactions, which always leave an electronic paper trail. That is one big advantage over today's money. Another is that quantum states cannot be copied (the no-cloning theorem), so quantum cash cannot be forged.

But quantum cash must have another property: anybody needs to be able to check that the money is authentic. That turns out to be hard because measuring a quantum state tends to destroy it. It's like testing regular dollar bills by seeing whether they burn.

But there is a way around this based on the ideas behind public-key cryptography. The idea is to find a mathematical process that is easy to do in one direction but hard in the opposite direction. Multiplication is the famous example: it's easy to multiply two large primes together to get a third number, but hard to start with that number and work out which two factors created it. The question for quantum money designers is whether a similarly asymmetric process can provide similar security assurances for quantum cash.

A research group led by Edward Farhi has developed a quantum cash scheme based on a new kind of asymmetry. The scientists took their inspiration from knot theory, a branch of topology that deals with knots and links. The purported security of the proposed quantum money scheme rests on the assumption that, given two different-looking but equivalent knots, it is difficult to explicitly find a transformation that turns one into the other.

Source: http://www.technologyreview.com/blog/arxiv/25135/

Source (Visualizing the malicious web): http://www.fireshark.org/

Photo caption: For example, FireShark makes it easy to see compromised legitimate sites redirecting users to malicious domains


WIRELESS SECURITY

Securing RFID

Egyptian researchers have proposed a mutual authentication protocol that prevents passive attacks on low-cost RFID tags.

RFID systems are vulnerable to a broad range of malicious attacks, ranging from passive eavesdropping to active interference. Unlike wired networks, where computing systems typically have both centralized and host-based defenses such as firewalls, RFID networks can be attacked at decentralized parts of the system infrastructure, since RFID readers and tags operate in an inherently unstable and potentially noisy environment.

RFID tags may pose a considerable security and privacy risk to the organizations and individuals using them. Since a typical tag provides its ID to any reader and the returned ID is always the same, an attacker can easily defeat the system by reading a tag's data and duplicating it in bogus tags. Unprotected tags may be vulnerable to eavesdropping, location tracking, spoofing or denial-of-service attacks.

Low-cost RFID tags such as Electronic Product Code (EPC) tags are poised to become the most pervasive devices in history. There are already billions of RFID tags on the market, used for applications such as supply-chain management, inventory monitoring, access control and payment systems. When designing a really lightweight authentication protocol for low-cost RFID tags, a number of challenges arise from the extremely limited computational, storage and communication abilities of such devices.

The researchers have proposed modifications to the Gossamer mutual authentication protocol used by such tags. The proposed protocol prevents passive attacks; active attacks were discounted when designing a protocol to meet the tags' constraints. Their analysis shows that the modifications raise the security level of Gossamer and deny an eavesdropper anything useful from the public messages exchanged between reader and tag, while leaving the computational, storage and communication cost of Gossamer unchanged.

Source: http://airccse.org/journal/nsa/0410ijnsa3.pdf

    ENCRYPTION

What web programming language is the most secure?

Security-conscious organizations evaluate a large number of development technologies for building websites. The question often asked is: what is the most secure programming language or development framework available? WhiteHat Security has issued a report which addresses this question. The report's top-10 key findings are:

1. Empirically, programming languages and frameworks do not have similar security postures when deployed in the field. They are shown to have moderately different vulnerabilities, with different frequencies of occurrence, which are fixed in different amounts of time.

2. The size of a web application's attack surface alone does not necessarily correlate with the volume and type of issues identified. For example, Microsoft's .NET and Apache Struts, with near-average attack surfaces, turned in the two lowest historical vulnerability averages.

3. Perl had the highest average number of vulnerabilities found historically by a wide margin, at 44.8 per website, and also the largest number currently open, at 11.8.

4. Struts edged out Microsoft's .NET for the lowest average number of currently open vulnerabilities per website, at 5.5 versus 6.2.

5. ColdFusion had the second highest average number of vulnerabilities per website historically, at 34.4, but has the lowest likelihood of having a single serious unresolved vulnerability if currently managed under WhiteHat Sentinel (54%). Closely following was Microsoft ASP Classic, which at 57% beat its successor Microsoft .NET by a single point.

6. Perl, ColdFusion, JSP and PHP websites were the most likely to have at least one serious vulnerability, at roughly 80% of the time. The other languages and frameworks were within ten percentage points.

7. Among websites containing URLs with Microsoft .NET extensions, 36% of their vulnerabilities had Microsoft ASP Classic extensions. Conversely, 11% of the vulnerabilities on ASP websites had Microsoft .NET extensions.

8. 37% of ColdFusion websites had SQL injection vulnerabilities, the highest of all measured, while Struts and JSP had the lowest at 14% and 15%.

9. At an average of 44 days, SQL injection vulnerabilities were fixed the fastest on Microsoft ASP Classic websites, just ahead of Perl at 45 days.

10. 79% of urgent-severity SQL injection vulnerabilities were fixed on Struts websites, the most of the field. This is followed by Microsoft .NET at 71%, Perl at 71% and the remainder between 58% and 70%.

The report is based on data from 1,659 websites.

Source: http://www.whitehatsec.com/home/resource/stats.html

    http://www.secureviewmag.com/http://www.secureviewmag.com/http://www.secureviewmag.com/http://www.secureviewmag.com/http://www.secureviewmag.com/http://www.secureviewmag.com/http://www.secureviewmag.com/http://www.secureviewmag.com/http://www.secureviewmag.com/http://www.secureviewmag.com/http://www.secureviewmag.com/http://www.secureviewmag.com/
  • 8/8/2019 Secure View #4 Small Web

    9/36

    NEWS

    www.secureiewmag.com 4th quarter 2010 SECUREVIEW|9

SECURITY THREATS

Protecting hypervisors

One of the major threats to virtualization and cloud computing is malicious software that enables computer viruses or other malware that have compromised one customer's system to spread to the underlying hypervisor and, ultimately, to the systems of other customers. In short, a key concern is that one cloud computing customer could download a virus, such as one that steals user data, and then spread that virus to the systems of all the other customers.

"If this sort of attack is feasible, it undermines consumer confidence in cloud computing since consumers couldn't trust that their information would remain confidential," said Xuxian Jiang, Assistant Professor of Computer Science at North Carolina State University.

For instance, in Blue Pill attacks, as demonstrated by Polish security researcher Joanna Rutkowska, a rootkit bypasses the digital signature protection for kernel mode drivers and intercepts the operating system calls.

But Jiang and his Ph.D. student Zhi Wang have now developed a piece of software called HyperSafe that leverages existing hardware features to secure hypervisors against such attacks. "We can guarantee the integrity of the underlying hypervisor by protecting it from being compromised by any malware downloaded by an individual user," Jiang says. "By doing so, we can ensure the hypervisor's isolation."

For malware to affect a hypervisor, it typically needs to run its own code in the hypervisor. HyperSafe utilizes two components to prevent that from happening. "First, the HyperSafe program has a technique called non-bypassable memory lockdown, which explicitly and reliably bars the introduction of new code by anyone other than the hypervisor administrator," Jiang says. "This also prevents attempts to modify existing hypervisor code by external users."

Secondly, HyperSafe uses a technique called restricted pointer indexing. "This technique initially characterizes the hypervisor's normal behavior and then prevents any deviation from that profile," Jiang says. "Only the hypervisor administrators themselves can introduce changes to the hypervisor code."

Source: http://www.scientificcomputing.com/news-HPC-New-Security-for-Virtualization-Cloud-Computing-050310.aspx
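The two HyperSafe mechanisms just quoted can be pictured with a small Python simulation. This is an added example, not HyperSafe's code (which operates on real hypervisor page tables and machine code): the names HyperSafeModel, characterise, dispatch, guest_write_code and admin_update are invented here, a read-only mapping stands in for write-protected code pages, and a learned table of handler names stands in for the indexed target table.

```python
from types import MappingProxyType
from typing import Callable, Dict, List


class LockdownViolation(Exception):
    """A write to hypervisor code that did not come from the administrator."""


class ControlFlowViolation(Exception):
    """An indirect transfer to a target outside the characterised profile."""


Handler = Callable[[int], int]


class HyperSafeModel:
    """Toy model (hypothetical name) of the two HyperSafe mechanisms."""

    def __init__(self, code: Dict[str, Handler], admin_token: str):
        # Non-bypassable memory lockdown, modelled: the code mapping is wrapped
        # read-only, so nothing reached through the guest-visible reference
        # can add or replace a handler.  Real HyperSafe write-protects the
        # hypervisor's code and page tables in hardware; this is a stand-in.
        self._code = MappingProxyType(dict(code))
        self._admin_token = admin_token
        # Restricted pointer indexing, modelled: indirect calls go through an
        # index into this table, which is filled during characterisation.
        self._profile: List[str] = []
        self._enforcing = False

    def admin_update(self, token: str, new_code: Dict[str, Handler]) -> None:
        """The one sanctioned path for changing hypervisor code."""
        if token != self._admin_token:
            raise LockdownViolation("code change rejected: not the administrator")
        self._code = MappingProxyType(dict(new_code))
        self._profile = []          # new code invalidates the old profile
        self._enforcing = False

    def guest_write_code(self, name: str, fn: Handler) -> None:
        """What escaped malware would attempt: write into hypervisor code."""
        try:
            self._code[name] = fn   # type: ignore[index]  (mappingproxy is read-only)
        except TypeError as exc:
            raise LockdownViolation("write to locked hypervisor code blocked") from exc

    def characterise(self, observed_targets: List[str]) -> None:
        """Record the handlers seen during normal operation; then enforce."""
        for name in observed_targets:
            if name not in self._code:
                raise KeyError(f"unknown handler {name!r} during characterisation")
            if name not in self._profile:
                self._profile.append(name)
        self._enforcing = True

    def dispatch(self, index: int, arg: int) -> int:
        """Guests name a target only by table index; anything else is refused."""
        if not self._enforcing:
            raise RuntimeError("characterisation must complete before dispatch")
        if type(index) is not int or not 0 <= index < len(self._profile):
            raise ControlFlowViolation(f"indirect target {index!r} outside profile")
        return self._code[self._profile[index]](arg)


def demo() -> Dict[str, object]:
    """Constructed scenario: two legitimate handlers, one never-used debug path."""
    hv = HyperSafeModel(
        {"vmexit_io": lambda x: x + 1,
         "vmexit_cpuid": lambda x: x * 2,
         "debug_dump": lambda x: -x},
        admin_token="constructed-admin-token",
    )
    hv.characterise(["vmexit_io", "vmexit_cpuid"])   # debug_dump is never observed
    out: Dict[str, object] = {"io": hv.dispatch(0, 41), "cpuid": hv.dispatch(1, 21)}
    try:                                 # index past the profile: a hijacked pointer
        hv.dispatch(2, 0)
        out["stray_index_blocked"] = False
    except ControlFlowViolation:
        out["stray_index_blocked"] = True
    try:                                 # guest tries to overwrite a handler
        hv.guest_write_code("vmexit_io", lambda x: 0)
        out["code_write_blocked"] = False
    except LockdownViolation:
        out["code_write_blocked"] = True
    return out
```

Two properties carry over to the real design: after lockdown, the only path that changes code is the administrator's, and an indirect transfer can only name a target that the profile already contains, so a hijacked pointer has nowhere to go.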

CYBER SECURITY TECHNOLOGY

Investigating global cyber espionage

An international team of researchers has published a report about global cyber espionage systems titled "Shadows in the Cloud". The report contains the results of their investigations into a complex cyber espionage ecosystem that, as the authors say, "systematically compromised government, business, academic and other computer network systems in India, the offices of the Dalai Lama, the United Nations and several other countries". The report also contains an analysis of data stolen from politically sensitive targets and recovered during the course of the investigation.

The report analyzes the malware ecosystem employed by the Shadows attackers, which leveraged multiple redundant cloud computing systems, social networking platforms and free web hosting services.

The following is a summary of the report's main findings:

• The cyber espionage network is complex
• The theft of classified and sensitive documents is rife
• There is evidence of collateral compromise
• The command-and-control infrastructure leverages cloud-based social media services
• There are links to the Chinese hacking community

Concentrations of non-unique IP addresses of compromised hosts (from the report "Shadows in the Cloud")

Source: http://Shadows-in-the-Cloud.net

Better remote entrusting

Researchers are proposing a paradigm-shifting solution to trusted computing that offers better security and authentication. The European RE-TRUST project (http://re-trust.dit.unitn.it/) promotes a technology that ensures remote, real-time entrusting on an untrusted machine via the network. Remote entrusting provides continuous entrustment for the execution of a software component by a remote machine, even though the software component is running within an untrusted environment.

The proposed technology provides both software-only and hardware-assisted remote entrusting. Whereas hardware-assisted entrusting requires a special chip either on the computer's motherboard or inserted into a USB drive, RE-TRUST uses logical components on an untrusted machine to enable a remote entrusting component to authenticate via the network the untrusted machine's operation during runtime. This means it ensures that the software is running properly and that the code integrity is maintained, thus almost completely guaranteeing security.

Entrusting by remote software authentication during execution

Source: http://www.sciencedaily.com/releases/2010/04/100413131939.htm
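The exchange described under "Better remote entrusting", a remote component authenticating the untrusted machine's software while it runs, as an added example in Python (not the RE-TRUST project's code). Verifier, UntrustedHost, attest and entrust_round are names chosen here; the component's code is a constructed byte string; the nonce-keyed HMAC and the response deadline are design choices of this example.

```python
import hashlib
import hmac
import os
import time
from typing import Dict


def attest(code: bytes, nonce: bytes) -> bytes:
    """Answer to a challenge: HMAC of the executing code, keyed by the nonce,
    so an answer cannot be precomputed or reused for another round."""
    return hmac.new(nonce, code, hashlib.sha256).digest()


class Verifier:
    """Remote side (hypothetical name) holding the reference copy of the component."""

    def __init__(self, reference_code: bytes, max_age_s: float = 2.0):
        self.reference = reference_code
        self.max_age_s = max_age_s            # deadline that makes entrusting continuous
        self._pending: Dict[bytes, float] = {}

    def challenge(self) -> bytes:
        nonce = os.urandom(16)
        self._pending[nonce] = time.monotonic()
        return nonce

    def verify(self, nonce: bytes, answer: bytes) -> bool:
        issued = self._pending.pop(nonce, None)
        if issued is None:                    # unknown, or already consumed (replay)
            return False
        if time.monotonic() - issued > self.max_age_s:
            return False                      # too slow: continuity of trust is broken
        return hmac.compare_digest(attest(self.reference, nonce), answer)


class UntrustedHost:
    """Entrusting component (hypothetical name) on the untrusted machine."""

    def __init__(self, running_code: bytes):
        self.running_code = running_code

    def respond(self, nonce: bytes) -> bytes:
        return attest(self.running_code, nonce)


def entrust_round(verifier: Verifier, host: UntrustedHost) -> bool:
    """One verifier -> host -> verifier exchange."""
    nonce = verifier.challenge()          # verifier -> host: fresh nonce
    answer = host.respond(nonce)          # host -> verifier: HMAC(nonce, code)
    return verifier.verify(nonce, answer)


def demo() -> Dict[str, bool]:
    # Constructed component: a genuine copy and one with a check removed.
    reference = b"component v1.0: transfer(amount) { check_limits(); commit(); }"
    tampered = reference.replace(b"check_limits(); ", b"")
    verifier = Verifier(reference)
    genuine, modified = UntrustedHost(reference), UntrustedHost(tampered)
    results = {
        "genuine": entrust_round(verifier, genuine),
        "tampered": entrust_round(verifier, modified),
    }
    # Replay: a correct answer captured from one round is offered again.
    nonce = verifier.challenge()
    answer = genuine.respond(nonce)
    results["first_use"] = verifier.verify(nonce, answer)
    results["replay"] = verifier.verify(nonce, answer)
    return results
```

The nonce defeats replay and precomputation, and the deadline is what makes the entrustment continuous rather than a one-off check. The limit of a software-only verifier is also visible: the host computes the answer over whatever bytes it chooses to hash, so a host that keeps a pristine copy beside a modified one can still answer correctly; that is the gap a hardware root of trust is designed to close.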

REPORT | Black Hat USA 2010

Article by Stefan Tanase

Stefan is a Senior Security Researcher for Kaspersky Lab. He specializes in web application security, web-based threats and malware 2.0. Stefan is involved in several innovative research projects, ranging from malware databases or honeypots, to web crawlers which continuously scan the Internet to identify and neutralize the latest threats. As a member of the Global Research and Analysis Team, Stefan publishes analyses of hot information security topics on threatpost.com and securelist.com, the Kaspersky Lab information and education portals on viruses, hackers and spam. Stefan is also frequently invited to speak at major international security conferences such as Virus Bulletin, RSA and AVAR.

Black Hat is the place where IT and computer security happens. Now in its 13th year, researchers' latest findings are published during presentations spread over 11 conference tracks and two days. The two opening keynotes this year were delivered by Jane Holl Lute, the current Deputy Secretary of Homeland Security, and Michael Vincent Hayden, former Director of both the National Security Agency and the Central Intelligence Agency. This doesn't come as a surprise, especially after Jeff Moss, the founder of the Black Hat and DEF CON conferences, was sworn in to the Homeland Security Advisory Council of the Barack Obama administration.

This year's event featured more than 200 speakers discussing their latest research around essential security topics ranging from infrastructure, reverse-engineering, malware, fingerprinting and exploitation, to the latest topics in IT technology: cloud/virtualization and cyber war and peace.

Las Vegas: The Security Researchers' Oasis

Each year, the entire security industry waits for the Black Hat Briefings in the sweltering Las Vegas desert. This year was no different, with more than 6,000 people interested in security gathered from all over the world at Caesars Palace, Las Vegas, Nevada, the place where the conference is traditionally held. From private companies and government agencies through to security researchers, system administrators and law enforcement officers, everybody was there. "Security researchers from all over the world come to Black Hat to identify security threats and work collectively to create solutions. The Black Hat community is one of the greatest assets we have for defending the safety and security of the Internet," said Jeff Moss, founder of Black Hat.

Caesars Palace, the place to be for Black Hat

JACKPOTTING ATMS

One of the most highly anticipated talks at Black Hat USA 2010 was delivered by Barnaby Jack, Director of Research at IOActive Labs. Barnaby discussed two types of attacks against automated teller machines (ATMs) running Windows CE: the first one was a physical attack using a master key which can be purchased on the Internet and a USB stick to overwrite the machine's firmware with a custom-built rootkit; the second one was a remote attack exploiting a vulnerability in the ATM's remote administration authentication mechanism which allowed the attacker to remotely rewrite the firmware.

The talk itself was eye-opening and disappointing at the same time. It was amazing to see the depth that Barnaby had achieved when reverse-engineering the ATMs and building a custom software tool called Dillinger to overwrite the machine's operating system, take complete control of the ATM and send commands which remotely instructed the ATM to start dispensing cash. Incidentally, Dillinger is named after the famous bank robber. The disappointing part from an avid researcher's point of view was that he only focused on Windows CE-based ATMs, an old operating system which is not widely used in other regions of the world. For instance, the two attacks that Barnaby demonstrated, the physical and the remote attack, would not be possible in most European countries, but it's a whole different story in the United States.

All in all, seeing such progress being made in ATM security research definitely makes you think twice about using ATMs, especially when traveling. In fact, with the amount of skimming going on anyway, why not avoid using ATMs altogether?

THE CLIENT-SIDE BOOGALOO

Nicholas Percoco and Jibran Ilyas, members of Trustwave's SpiderLabs team, presented Malware Freak Show 2010, a talk that extended their initial Malware Freak Show presentation delivered at DEFCON 17 in 2009. This year's talk explored four of the most interesting new pieces of malware that were obtained during more than 200 investigations they conducted in 2009. An interesting fact which emerged as a result of combining intelligence from cases they were both involved in was that attackers spend an average of 156 days exploring a victim network before getting caught. This is an alarmingly high number which confirms how low the general level of security awareness and education is among businesses.

The presentation included the anatomy of a successful malware attack, a profile on each sample and victim and a live demonstration of each piece of malware discussed: a memory rootkit, a Windows credentials stealer, a network sniffer rootkit and a targeted attack malware program that uploads documents to an FTP server.

TRACKING CYBER SPIES AND DIGITAL CRIMINALS

Greg Hoglund, who literally wrote the book on Windows rootkits, presented some techniques to track down the origins of malware samples. Malware attribution, which is defined by Greg as "finding the humans behind the malware", aims to know more about the people who create malicious files. This type of information can be very useful during forensic investigations.

His basic premise is that software is not easy to write and programmers adhere to the "if it ain't broke, don't fix it" principle. Once a programmer has written a piece of code which works, they are not going to rewrite it, but instead will most likely reuse it at every opportunity. Each cybercriminal or cybercrime group normally reuses the code that they create. To prove this, Greg performed a case study on a Chinese RAT (Remote Administration Tool) called gh0st RAT. He showed the audience how he discovered that malware samples from 2010 are still using code from 2005, making it possible to link five-year-old samples together. These techniques are very developer-specific.

In his conclusion, Greg called on the security community to understand that generally it is better to focus on identifying the authors behind the malware than the malware itself.
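The code-reuse premise above can be made concrete with a small linking routine. The following is an added example in Python, not Greg Hoglund's tooling: three constructed byte strings stand in for disassembled samples, one routine (REUSED) is planted in two of them, and the functions ngrams, jaccard, link_samples and longest_shared_run are names chosen here. Shared byte n-grams are scored with a Jaccard index, and the longest common run is pulled out as the fragment an analyst would inspect and attribute.

```python
from typing import Dict, List, Set, Tuple

# Constructed "samples": a routine written once (2005) and carried forward
# into a 2010 sample, plus an unrelated sample sharing only generic boilerplate.
REUSED = b"push ebp;mov ebp,esp;xor eax,0x5a5a5a5a;call beacon_c2;cmp eax,0x1337;jne retry;ret;"
SAMPLES: Dict[str, bytes] = {
    "sample_2005": REUSED + b"call hook_keyboard;call upload_ftp;",
    "sample_2010": b"call check_sandbox;" + REUSED + b"call inject_browser;",
    "unrelated": b"mov eax,1;int 0x80;loop: dec ecx;jnz loop;ret;call random_sleep;",
}


def ngrams(data: bytes, n: int = 8) -> Set[bytes]:
    """All length-n byte substrings of a sample: its set of code fragments."""
    return {data[i:i + n] for i in range(len(data) - n + 1)}


def jaccard(a: Set[bytes], b: Set[bytes]) -> float:
    """Share of fragments the two samples have in common (0.0 .. 1.0)."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0


def link_samples(samples: Dict[str, bytes], threshold: float = 0.15,
                 n: int = 8) -> List[Tuple[str, str, float]]:
    """Every pair of samples whose shared-fragment score reaches the threshold."""
    grams = {name: ngrams(body, n) for name, body in samples.items()}
    names = sorted(samples)
    links: List[Tuple[str, str, float]] = []
    for i, x in enumerate(names):
        for y in names[i + 1:]:
            score = jaccard(grams[x], grams[y])
            if score >= threshold:
                links.append((x, y, round(score, 3)))
    return links


def longest_shared_run(a: bytes, b: bytes) -> bytes:
    """Longest common byte run: the reused routine an analyst would look at.
    Plain dynamic programming; fine for the sample sizes used here."""
    best_len, best_end = 0, 0
    prev = [0] * (len(b) + 1)
    for i in range(1, len(a) + 1):
        cur = [0] * (len(b) + 1)
        for j in range(1, len(b) + 1):
            if a[i - 1] == b[j - 1]:
                cur[j] = prev[j - 1] + 1
                if cur[j] > best_len:
                    best_len, best_end = cur[j], i
        prev = cur
    return a[best_end - best_len:best_end]


if __name__ == "__main__":
    for x, y, score in link_samples(SAMPLES):
        print(f"{x} <-> {y}: shared-code score {score}")
        print("  shared routine:", longest_shared_run(SAMPLES[x], SAMPLES[y]))
```

Real attribution adds the developer-specific signals the talk refers to (compiler artefacts, string tables, coding habits); byte n-grams are the crudest of these, but they are enough to show why a reused 2005 routine still ties a 2010 sample to its author, and why samples sharing only generic boilerplate stay below the threshold.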

ATTACKING PHONE PRIVACY

Cryptography researcher Karsten Nohl presented vulnerabilities, tricks and ideas which he used to successfully crack A5/1, the encryption system used to protect GSM calls. One of the biggest breakthroughs that helped him with his research was the fact that some GSM packets, the keep-alive ones, are predictable in the stream of different packets. The fix for this vulnerability was released two years ago, but none of the GSM networks have implemented the patch yet, even though the patch is rather simple.

It is much easier to intercept the part of the call that is coming from the tower to the mobile phone, rather than the one going from the mobile phone to the tower. This is due to the fact that mobile phones dynamically adjust the output power of their signal to save battery power and can be on the move in areas surrounded by buildings, while the towers are transmitting high power signals, are stationary and are located in high areas.

So, the majority of GSM networks nowadays are quite unsafe. They are either using very insecure encryption or, in countries like China and India, none at all. A mitigation technique to this threat would be to switch your phone to UMTS-only mode, although not every phone supports this and 3G coverage is not available in remote areas.

UNTIL NEXT YEAR

There were many other interesting presentations, as you can see from the Black Hat online archive: http://www.blackhat.com/html/bh-us-10/bh-us-10-archives.html. As usually happens when thousands of security researchers gather in the same place, there were several incidents that made this year's Black Hat very memorable; for example, the live stream got hacked by a security researcher at Mozilla who responsibly disclosed the vulnerabilities found to the third party company which was providing the streaming service. This and other things make attending Black Hat a thrill and a challenge at the same time.

Barnaby Jack shows how jackpotting works on vulnerable ATMs

TOP STORY | Corporate threats

Businesses under attack

Article by Joerg Geiger, Chief Technology Expert at Kaspersky Lab

Joerg Geiger has 11 years' experience in IT journalism. Having completed his Diploma in Computer Science, Joerg worked as a Senior Editor for a number of different printed and online magazines. For the last 3 years, Joerg has been a freelance contributor to German newspapers, websites and various IT companies and specializes in operating systems, IT security and mobile IT.

Modern companies cannot survive without information and computer technologies. IT has become an inseparable part of any commercial venture, state-run enterprise or worldwide business system. However, IT has also developed into a potent source of problems and threats which companies must face. With the help of malware, hackers are able to steal confidential information from computers, which in turn can lead to damaged commercial reputations, the collapse of business deals and the infringement of intellectual property rights. Under the control of hackers, corporate computer networks can spread spam and malware, not only locally, but to the computers of trusted clients and partners as well. Software and hardware failures lead to unwanted downtime, the interruption of important business processes and the loss of working time by personnel. This is only a small part of the modern corporate threatscape which we will look at in more detail within this article.

Today's computers store and process all types of official information; they generate business activity reports, they perform economic analyses and undertake planning, and they are used for technical modeling and design. Companies advertise their products via the Internet and communicate with society in general using computers. Goods are readily bought and sold through the medium of electronic trading and Internet shops. In the course of everyday business activity, computers and smartphones have become an indispensable communications tool for workers, clients and company managers alike. The burgeoning capabilities of today's IT equipment mean that companies can now benefit from a whole new world of commercial possibilities. Such companies rely heavily on stable IT infrastructure to maintain their business processes and competitive advantage.

As mentioned previously, the presence of financial or confidential information attracts the shadier elements of society who wish to nefariously grab a slice of the pie for themselves, and in addition, it should be remembered that companies can and do suffer enormous losses due to the availability of confidential information to insiders. Serious security incidents can incur punishment by the state; in most countries, violation of security standards is a prosecutable offence carrying criminal responsibility and, where applicable, the withdrawal of state-issued and other licenses.

The incentive to hack corporate networks grows as commercial information becomes more and more valuable and as business processes are automated. The tendency is for business IT to not only develop automated management and recording systems, but technological processes as well: IT is already a major player not only in accountancy, warehousing and HR, but in manufacturing and production as well. Today it is completely unacceptable to leave corporate IT systems under-protected, or worse still, unprotected. A company's IT infrastructure must include reliable and comprehensive protection against computer threats.

The Internet has long since been used for the majority of corporate financial transactions

GOALS AND TASKS

It is interesting to note that malware specifically designed to target corporate information systems does not exist. The tools of the hacker's trade remain the same regardless of whether the target is a private individual or a company; the only real difference is the scale of damage, so companies have to pay particular attention to their own protective measures. The cybercriminals are far more interested in attacking companies than private individuals, as the potential rewards from such attacks are considerably higher. It is very rare indeed for a hacker or virus writer to work for nothing. Usually when they feel the need to put their professional abilities to the test they try to ensure that their efforts are duly remunerated.

Hackers that attack companies generally do so for the following reasons:

• To steal confidential information, including financial, with a view to profiting from its usage or resale, for example, databases belonging to financial organizations

• To disable a company's IT infrastructure with a view to extorting money from that company for returning its IT infrastructure to operational condition. Additionally, a hacker may want to do damage to a company's reputation or interrupt their business processes by the use of DDoS attacks

• To use the IT resources of one company for the purpose of attacking other companies

Those who order hacking attacks are usually dishonest competitors, financial fraudsters or people involved in industrial espionage. For example, it may be that on the day that a company is due to launch a new product, hackers acting on behalf of a competitor take down that company's website, thereby depriving the company of a lot of potential customers who would have otherwise visited it. Another common example is a competitor acquiring detailed information concerning an important business deal from a rival company's computer system and the deal subsequently being undermined. Then there is always the scenario in which financial information is stolen by an insider in order to initiate an illegal transaction. In the most dangerous cases, vital social infrastructure can be put out of operation if the company responsible for maintaining it becomes the subject of a hacker's attack.

METHODS OF ATTACK

How do cybercriminals gain access to corporate information? What vectors of attack do they choose? First of all, the particular attributes of corporate networks play right into the hands of the cybercriminals; such networks are typically large-scale, distributed across geographical sub-divisions, hierarchic in composition with heterogeneity of the component parts, carrying high levels of traffic and supporting a significant number of users.

Networks belonging to large enterprises with geographically diverse subdivisions have equipment located in different towns and sometimes even different countries, as well as hundreds of kilometers of communications cables. All this makes it very difficult to prevent unauthorized network access or the interception of confidential information transmitted over the network. An attacker can surreptitiously connect to some part of the network and secretly monitor the channel traffic without alerting anyone to their presence, or masquerade as an authorized user and send requests for information and messages in the name of a legitimate user. Hacking can occur on both private and publicly accessible sections of a network, usually the Internet. In such a case, the cybercriminal does not need to be physically near the hacked channel; using hackers' tools and methods available on the Internet it is possible to hack a network remotely.

Cybercriminals do not have to attack a whole organization to get their hands on financial or confidential information. It is much simpler to carry out an attack by targeting an individual victim in an administration or HR department where the level of computer literacy is usually fairly low.

A hacker does not usually need direct access to the target computer within an organization: these days attacks are carried out remotely via the Internet

Probably the most popular method for infecting computers is via the use of programs called Trojans, which infiltrate a target machine through malware links in spam, instant messaging, drive-by downloads and the exploitation of vulnerabilities in different software applications.

Of all of the abovementioned methods of infection, it is the vulnerabilities in software that are one of the biggest problems within the corporate environment. Large corporate networks are made up of a huge number of component parts: workstations, servers, laptops, smartphones, all of which may operate under the control of a different operating system. The situation gets even more complex when the functional diversity of the component parts of a large corporate network is factored in also; the hardware will service different subdivisions, perform different tasks and differ from unit to unit, not to mention that it is often produced by different manufacturers.

It is almost impossible to keep track of all the programs installed on all of the systems and devices mentioned. IT administrators need to constantly update programs and install patches for the entire system's resources, but it is a complex task, made more difficult by the fact that an administrator may have to wait a significant amount of time for a much-needed patch while the manufacturer creates and distributes it. As a result, a corporate network can remain susceptible to attack by cybercriminals who can exploit a vulnerability, for example, by exploiting an old version of Adobe Reader to install malware, with ensuing dire consequences for the computers on the corporate network. In such a case, even technical specialists may suspect nothing if they do not keep themselves up to date regarding the latest detected vulnerabilities in application-dependent software.

Another loophole used by the criminals is the multiplicity of staff and the resulting multiplicity of computer network users and access points. The larger the number of end-users and nodes, the more chance there is of an accidental oversight in security procedures or an intentional violation of security policy. It is more difficult for the administrators to determine users' loyalties, especially as users could typically be both staff members and, for instance, clients. Therefore it is more difficult to control them; today, simple methods of recording user information are no longer suitable, and more complex methods like authentication, authorization and auditing are required. Modern corporate IT systems need to be able to do much more than just allow or disallow a user access to something; they need to have the flexibility to provide degrees of access, taking into consideration factors such as time, group membership, editing rights etc.
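Graded access of the kind described above (rights that depend on time, group membership and the operation requested, with every decision audited), as an added example in Python; this is not from the article, and the users, groups, the resource payroll_db, the grants and the audit line format are constructed for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from datetime import datetime, time
from typing import Dict, FrozenSet, List, Tuple

SALT = b"constructed-demo-salt"   # constructed; a real system uses one random salt per user


def pw_hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 50_000)


@dataclass(frozen=True)
class Grant:
    """What a group may do with a resource, and during which hours."""
    rights: FrozenSet[str]
    start: time
    end: time

    def in_window(self, now: datetime) -> bool:
        t = now.time()
        if self.start <= self.end:
            return self.start <= t <= self.end
        return t >= self.start or t <= self.end      # window crossing midnight


@dataclass
class AccessControl:
    credentials: Dict[str, bytes]              # user -> password hash
    groups: Dict[str, FrozenSet[str]]          # user -> group memberships
    policy: Dict[str, Dict[str, Grant]]        # resource -> group -> grant
    audit: List[str] = field(default_factory=list)

    def authenticate(self, user: str, password: str) -> bool:
        stored = self.credentials.get(user)
        return stored is not None and hmac.compare_digest(stored, pw_hash(password))

    def request(self, user: str, password: str, resource: str, right: str,
                now: datetime) -> Tuple[bool, str]:
        """Authenticate, then authorize against each group grant; log the decision."""
        if not self.authenticate(user, password):
            return self._decide(False, user, resource, right, now, "authentication failed")
        grants = self.policy.get(resource, {})
        reason = "no group grant for resource"
        for group in sorted(self.groups.get(user, frozenset())):
            grant = grants.get(group)
            if grant is None:
                continue
            if right not in grant.rights:
                reason = f"right {right!r} not granted"
                continue
            if not grant.in_window(now):
                reason = "outside permitted time window"
                continue
            return self._decide(True, user, resource, right, now, f"granted via group {group}")
        return self._decide(False, user, resource, right, now, reason)

    def _decide(self, ok: bool, user: str, resource: str, right: str,
                now: datetime, reason: str) -> Tuple[bool, str]:
        verdict = "ALLOW" if ok else "DENY"
        self.audit.append(f"{now.isoformat()} {verdict} user={user} "
                          f"resource={resource} right={right} reason={reason}")
        return ok, reason


def build_demo() -> AccessControl:
    """Constructed users, groups and policy for a payroll database."""
    return AccessControl(
        credentials={"alice": pw_hash("hr-pass-1"),
                     "bob": pw_hash("fin-pass-2"),
                     "mallory": pw_hash("ctr-pass-3")},
        groups={"alice": frozenset({"hr"}),
                "bob": frozenset({"finance"}),
                "mallory": frozenset({"contractors"})},
        policy={"payroll_db": {
            "hr": Grant(frozenset({"read", "edit"}), time(9, 0), time(18, 0)),
            "finance": Grant(frozenset({"read"}), time(0, 0), time(23, 59)),
        }},
    )
```

Three separate questions are answered in order: who is this (authentication), what may they do here and now (authorization), and what was decided (auditing). The audit list is the piece that lets an administrator notice, after the fact, the oversights and policy violations the paragraph warns about.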

Nowadays a corporate user has a wider range of services available to them; very often they have Internet access, which is awash with malware, a mobile connection which has become unsafe, and remote access from home which makes it difficult for the employer to check whether passwords to access the corporate servers are stored in a secure manner. Unfortunately, companies rarely do have all-encompassing security policies in place, thus the cybercriminals continue to actively abuse the situation and commit targeted attacks.

EDUCATION

One of the keys to successfully minimizing corporate attacks is to educate staff on a constant basis, and not just technical staff, but administrative staff too. It is more often than not the latter group who are responsible for the large number of successful attacks carried out using social engineering techniques. Obviously, when a user has no real knowledge of the basic rules of computer security there can be no guarantee that hackers won't be able to enter the corporate network, regardless of whether or not a highly qualified administrator has implemented the most stringent security settings.

Teach your staff not to react to emails and IM messages of a dubious nature, which may well contain malicious hyperlinks in the body of the message. Explain to them that a letter or SMS message from a friend can be compromised and that it is always better to think twice and check before clicking on any messages received. Remind your staff again and again that "there is no such thing as a free lunch"; banks and social networks will never ask you about your login or password simply because they have problems with their infrastructure or their database of users is being updated. It is imperative to teach your staff to think twice and remain cautious.

The structure of a typical corporate network is usually much more complex than the one displayed in the picture

COMPLEXITY

So, what can be done within the framework of corporate security to prevent the criminals from gaining the upper hand? The most important thing is to understand that protection of the corporate network needs to be complex and multilayered. Before the design and installation of a secure network can take place it is necessary to consider all of the possible threats to the integrity and confidentiality of the information that it will contain, as well as to think about how the network could be penetrated, for example, via external media and software vulnerabilities. The measures taken to counter any threats must be complex and should include organizational and technical methods.

Organizational means of protection should include a set of company procedures and a structured approach to working with documentation and information. A company's management has to clearly understand what information is considered confidential, which staff can have access to such information and how to arrange a system so that a breach of those access rules cannot occur.

Technical means of protection can include all kinds of equipment for nullifying electromagnetic radiation and avoiding electronic eavesdropping, access control mechanisms, encryption systems, antivirus programs, firewalls, etc. One should remember that within the realms of complex technical procedures, it is very important to restrict the use of external media such as flash drives and portable hard disks; it is also recommended that the possibility of recording data to CD-ROMs is removed or otherwise controlled. This is achievable through technical means, for example, by closing ports at the BIOS level, to which an ordinary user would not have access. Additionally, most corporate antivirus solutions have inbuilt functionality that provides control over USB and other peripheral ports. Those staff members whose work regularly entails the use of portable storage media must be provided with, and made to use, an automatic encryption system that will protect any information stored on it in the event of the theft or loss of the media.

"If the use of portable storage media is not strictly managed, then the protection of confidential information can be forgotten."

Figure: Modules allowing the centralized management of corporate network protection are present in every major business IT security solution.

Other similarly important measures, which are quite often overlooked by companies, include the protection of wireless access points and data transmission channels. If you have protected the whole infrastructure, but left your WiFi networks without WEP encryption and not implemented a monthly password changing policy, then you have protected nothing. Generally speaking, the use of WiFi inside a company should be as limited as possible. It is necessary to regulate the distance that the signal can travel by adjusting the radiated power of the transmitter, provide users with temporary passwords, define which WiFi networks guests can connect to and limit access to internal resources, etc.

CENTRALITY

Protection of a corporate network is a round-the-clock, year-round process and should embrace the entire information lifecycle, from its arrival at the company through to its destruction, loss of value or downgraded level of confidentiality. Reliable protection means real-time control over all the important events and occurrences that may influence security. It is very important to implement the centralized management of a security system. This approach allows the speedy acquisition of a complete picture of network events from a single access point and provides a centralized approach to the resolution of tasks; it is a method for checking and effectively resisting generic threats. At the same time, the application of different security policies across the various subdivisions, as well as an individualized approach to the resolution of tasks, should not be excluded. The centralized management of network security via a single interface has the advantage that system administrators do not have to spend a lot of time familiarizing themselves with several different security solutions.

Modern corporate antivirus solutions offer companies precisely this level of control. As a rule, such solutions will contain some sort of centralized management system that allows adjustment of the many different security-related software modules: the antivirus system settings, the setting up of individual and group application parameters, access to different resources, database updates, and the continuous monitoring of the network status with a dynamic response in the event of critical situations.

SUFFICIENCY

Any security system has to be sufficiently robust. This means that it should provide the maximum level of protection, availability and resiliency. To do this, a security system must have a reserve of hardware and software to cope in situations where a component of one or the other type fails. Additionally, the system has to employ effective technologies that can cope with existing threats and are able to combat new attacks thanks to embedded extra capabilities such as heuristics and enhanced signature detection processes. Heuristic analyzers, as well as script emulators and file execution emulators, are used when a program sample is not present in antivirus databases; they allow program execution to be emulated inside an isolated, virtual environment. This is absolutely safe and allows all of the program's actions to be analyzed in advance, so that its potential to cause harm can be estimated with a high probability prior to real-world execution. In this way, new threats are detected before they become known to virus analysts, and their signatures can then be included in antivirus databases accordingly. Taking care to ensure that a system is sufficiently robust prolongs its usefulness as a means of defense.

REASONABLE BALANCE

It is always the case that a reasonable balance needs to be struck between the capabilities of a security system and its level of resource intensity. The more options and functions a solution has, the more computer, human and other resources are consumed. This is unacceptable for a corporate network, as it will generally have high enough working loads already: it must simultaneously serve a large number of users, search vast databases, transmit big volumes of traffic and do all of the above precisely and quickly. Manufacturers of antivirus products pay a great deal of attention to the balance between productivity and protection of systems. For this reason there are parameters that can be set to run system scans only at times when nobody is working on a computer, i.e., when a computer is locked or its screensaver is on. This allows, for example, a deep heuristic analysis to take place during an antivirus scan without interference to the work of the staff. Additionally, modern antivirus products include technologies that can significantly increase the operating speed of an antivirus application through always-on protection and on-demand scanning. Speed is also gained by excluding the multiple checking of files that have been scanned already, provided that this does not pose a threat of infection. By complementing each other, such technologies can greatly reduce the time and resource intensity required for the antivirus scanning of different objects, files and operating systems.
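The last of those techniques, skipping files that have already been scanned, is only safe under the condition the paragraph states: a cached verdict has to be thrown away as soon as the file changes or the detection database is updated, otherwise a file judged clean at its last scan can carry a newly detectable infection past the scanner. The following Python is an added example written for this page, not code from the magazine or from any vendor's product; the `ScanCache` class, the byte-pattern `make_engine` stand-in for a real scan engine, and the sample files and `MARKER-*` "signatures" used in `demo()` are all constructed for illustration.

```python
import hashlib
import os
import tempfile
from dataclasses import dataclass, field


@dataclass
class ScanCache:
    """Scan-result cache: a file is rescanned only when it, or the detection
    database, has changed since its last verdict.

    A verdict is reused only if the file's size, mtime and SHA-256 are
    unchanged AND the verdict was produced with the current database
    version.  Hashing costs one read of the file, which is still far cheaper
    than a heuristic or emulation scan, and it stops a file whose mtime has
    been rewound from slipping past on a stale 'clean' verdict.
    """
    db_version: str
    _entries: dict = field(default_factory=dict)
    stats: dict = field(default_factory=lambda: {"hits": 0, "misses": 0})

    @staticmethod
    def _fingerprint(path):
        st = os.stat(path)
        h = hashlib.sha256()
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(1 << 16), b""):
                h.update(chunk)
        return (st.st_size, st.st_mtime_ns, h.hexdigest())

    def scan(self, path, engine):
        fp = self._fingerprint(path)
        entry = self._entries.get(path)
        if entry and entry["fp"] == fp and entry["db"] == self.db_version:
            self.stats["hits"] += 1
            return entry["verdict"]
        self.stats["misses"] += 1
        verdict = engine(path)  # the expensive step the cache exists to avoid
        self._entries[path] = {"fp": fp, "db": self.db_version, "verdict": verdict}
        return verdict

    def update_database(self, new_version):
        """A new database invalidates every cached verdict: a file judged
        clean yesterday may match a signature added today."""
        self.db_version = new_version


def make_engine(signatures):
    """Constructed stand-in for a scan engine: plain byte-pattern matching."""
    def engine(path):
        with open(path, "rb") as f:
            data = f.read()
        return "detected" if any(sig in data for sig in signatures) else "clean"
    return engine


def demo():
    """Walk the cache through the hit, file-change and database-change cases.
    The sample files and 'signatures' below are constructed for this example."""
    with tempfile.TemporaryDirectory() as tmp:
        report = os.path.join(tmp, "report.txt")
        tool = os.path.join(tmp, "tool.bin")
        with open(report, "wb") as f:
            f.write(b"quarterly figures, nothing unusual")
        with open(tool, "wb") as f:
            f.write(b"binary blob with MARKER-B inside")

        cache = ScanCache(db_version="db-1")
        engine_v1 = make_engine({b"MARKER-B"})

        first = (cache.scan(report, engine_v1), cache.scan(tool, engine_v1))
        repeat = cache.scan(report, engine_v1)          # unchanged -> cache hit

        with open(report, "ab") as f:                   # file changed on disk
            f.write(b" ... MARKER-C")
        after_change = cache.scan(report, engine_v1)    # rescanned, still clean

        cache.update_database("db-2")                   # new signature shipped
        engine_v2 = make_engine({b"MARKER-B", b"MARKER-C"})
        after_update = cache.scan(report, engine_v2)    # rescanned, now detected

        return {
            "first": first,
            "repeat": repeat,
            "after_change": after_change,
            "after_update": after_update,
            "hits": cache.stats["hits"],
            "misses": cache.stats["misses"],
        }


if __name__ == "__main__":
    print(demo())
```

Running the block prints the report returned by `demo()`: the second scan of the unchanged file is the only cache hit, while appending to the file and updating the database each force a rescan, and the rescan after the update catches the newly added pattern. Keying the cache on a content hash rather than on size and modification time alone is the design choice that keeps the shortcut from becoming the "threat of infection" the paragraph warns about.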

Figure: It is necessary to encrypt not only the data that the phone contains, but also the data stored on any accompanying memory card, in the event that important information is stored on that too.


FLEXIBILITY

A security system should also be flexible and scalable; in other words, it should be adaptable to a wide range of tasks, working conditions and quantitative characteristics of a corporate network. Today's computer networks can expand, contract and change their configuration very quickly. Threats are also changing with alarming rapidity, and a security system should be ready for this. To meet this requirement, high-quality security solutions need the means to update practically all of their program components; for example, malware protection solutions should update not only their antivirus signature databases, but also their malware behavior pattern recognition capabilities and their own operating algorithms.

INTERACTIVITY

Another important requirement is interactivity. The security system has to be able to interact with an experienced user, system administrator and network administrator. It has to provide a user with sufficient information upon which to base operational decisions and be able to warn a user about potential errors. It is preferable that the system's settings and security modules are understandable to a layman who has no specific knowledge in the field of information security. This allows corporations to quickly train their own specialists and means that medium and small businesses can have a protected system without the need to employ security administrators or even IT specialists. In order to do this, antivirus solution developers pay increased attention to their product interfaces, trying to make them as simple and straightforward as possible. Special significance is given to the provision of notifications when the security of the system is under threat. The system must inform an administrator of what actions should be performed in order to restore normal defensive levels. The interface must also allow the administrator to quickly jump between tasks such as virus scanning, antivirus database updating, etc.

COMPATIBILITY AND HETEROGENEITY

Compatibility is a definitive requirement of a security system: it must be able to fully operate in a complex, heterogeneous corporate network without any negative impact on the other components. Any corporate antivirus system has to be able to function with a range of different devices. Modern computer systems can consist not only of workstation computers, file servers and mail servers, but notebooks and smartphones too. Smartphones are commonly synchronized with computers, and if a user opens a malware link on their telephone, there is a real chance of transferring that virus to the corporate network during the process of synchronizing mail or calendar items with the networked computer.

Whilst on the subject of smartphones, it is worth comparing them to portable information storage devices: all messages and mail correspondence, as well as the contents of flash memory and memory cards which are used for the additional storage of information, should be compulsorily encrypted. Only then is it possible to guarantee the integrity of the stored information in the event of the loss of a device. When choosing a protective solution for mobile devices, close attention should be paid to ensuring that it has the capability to block a lost smartphone, even if the SIM card is changed by a thief. Otherwise the criminal will be able to drop off the radar of those seeking to retrieve the device and, having removed the SIM card from the phone, will be able to do anything they wish with the phone and the valuable information it contains.

Also, it is worth remembering that when a company uses machines with different operating systems, all of them should be protected, as if only one of the systems is secure, it means none of them are safe. If an administrator thinks that there are not many viruses for Mac OS X out there, so the risk to the company is negligible and therefore it is not critical to protect Macintoshes, they would be absolutely wrong. It is through just such an open gate to the world of Windows computers that the most harmful malware threats may come, for example, by way of a malware link which becomes active once inside a Microsoft environment. Another route is the Trojan program which automatically copies itself to a flash memory card on a computer running under Mac OS X and is later inserted into a different workstation running under Windows.

RESUME

New threats and vulnerabilities in the world of computer security are growing as never before, and there are no indications that the situation is going to improve any time soon. Nevertheless, if you as a company administrator or security specialist provide proper protection on all fronts, then there is a good chance that your company's business will prosper. Educate your staff about computer safety on a regular basis. Distributed security policies and access rights should be compulsory and provide protection solutions for all nodes on the network, from the gateways to the endpoints, and don't omit the bosses' smartphones or notebooks. Remember: economize just once on network protection and it is possible that the whole of the company's business could be lost as a result.

EXPERT COMMENTS

Kaspersky Lab's products for corporate users are complex solutions for heterogenic, distributed networks, and that is very important at the present time. Our solutions for Windows, Linux, Mac, Novell NetWare and mobile operating systems are simple to install and use. Kaspersky Lab's solutions provide protection for all types of network nodes, from mobile devices to servers. They can control all incoming and outgoing data flows, from email and Internet traffic to internal network interactions, and they also provide powerful management tools too. All of Kaspersky Lab's solutions include the Kaspersky Administration Kit management console, which allows the centralized organization and control of network protection for the whole company, integrating all the different levels of protection into one system. The solutions provide scalability, notification of the status of the network's antivirus protection, control over the use of external devices, special security policies for mobile users, support for network access control technologies and customized reporting, allowing administrators to manage the system in an effective way via a straightforward interface.

Nikolay Grebennikov, Chief Technology Officer at Kaspersky Lab

ANALYTICS | Smartphone Security

Desperate Jailbreakers

It was late July, and Apple was still reeling from an uncharacteristic backlash by the media and its typically adoring customer base over a design flaw in the antenna of its much-vaunted new iPhone 4.0 that effectively wiped out wireless reception for many users. Then, at the beginning of August, hackers published a remotely exploitable security vulnerability in the device that left tens of millions of iPhone users exposed to malicious drive-by downloads.

Article by Brian Krebs

The exploit, embedded in the website jailbreakme.com, was intended to provide a simple way for iPhone and iPad users to "jailbreak" their phones, a process that allows the installation of third-party applications that are not expressly approved by Apple. Yet security experts were instantly drawn to the much darker potential for this exploit to be abused to install malicious programs on all of these devices, and not just those belonging to jailbreakers.

The hackers who discovered the flaw soon released a patch to block future attacks against jailbreakers, and Apple issued an official fix to protect regular iPhone users a few days later. Still, the incident has thrown a spotlight on the simmering, high-stakes tension between security and usability in the mobile computing market.

While technically speaking all jailbreaks exploit security vulnerabilities or configuration weaknesses in the underlying operating system, nearly all previous jailbreak exploits required users to connect their iPhones to their computer with a USB cable. If you were lucky, the jailbreak would work; otherwise, you might be the proud owner of a very expensive paperweight. All of that changed on 1 August, with the debut of a powerful and highly reliable new iPhone exploit embedded in jailbreakme.com, which allowed iPhone users, even those on the most recent 4.0 iOS, to jailbreak merely by visiting the site with the iPhone's Safari web browser and dragging the slider bar across the device's touchscreen.

Instantly, the process of jailbreaking became more akin to casual web surfing and less like patching and praying. At the same time, tens of millions of people were exposed to a powerful, remote exploit that criminals could use to install malware just by convincing an iPhone or iPad user to browse a hacked or malicious website.

Brian Krebs is editor of krebsonsecurity.com, a daily blog dedicated to in-depth Internet security news and investigation. Until recently, Krebs was a reporter for The Washington Post, where he covered Internet security, cybercrime and privacy issues for the newspaper and the website. Krebs got his start in journalism at The Post in 1995, and has been writing about computer security, privacy and cybercrime for more than a decade.

Figure: Now to unblock an iPhone, iPod touch or iPad, it's enough just to visit a special website.


"My grandma doesn't know what jailbreaking is and never had to worry about what jailbreakers were up to because if she wanted to jailbreak her phone she had to plug it into a computer, download some special tools, and then it might work," said Charlie Miller, a renowned iPhone hacker and researcher with the Baltimore, Md.-based firm Independent Security Evaluators. "But now, here was something that could radically change your phone just by visiting a webpage. All of a sudden this meant instead of doing something fun and friendly like jailbreaking the phone, it could do something evil, where grandma goes to some site and the same vulnerability is used to download code to the phone."

PATCH WARS

Four days after jailbreakme.com went live, Apple announced it would soon be releasing a patch it had developed to protect users. Almost immediately, jailbreaking advocates lit up Twitter.com and other social media sites, warning people not to download the Apple patch because it would un-jailbreak those devices, or possibly worse.

That advice struck some security experts as a scary sign of things to come. Mikko Hypponen, Chief Research Officer for Finnish computer security firm F-Secure Corp., was among those who publicly chastised the team for telling people not to apply the patch.

"Imagine if this would have happened with Microsoft Windows, where someone creates a zero-day exploit, doesn't report it to Microsoft, then publishes the exploit, and when Microsoft responds with a patch there are thousands of people telling the world not to patch it," Hypponen said. "If they want to give that kind of advice to people who have jailbroken their phones, that's great. But now they've made everyone vulnerable because these exploits are out there affecting everyone, and even people who haven't jailbroken their phones are getting the advice not to upgrade, when in fact they should."

Within days of releasing its exploit, the crew responsible for creating the web-based jailbreak, a group called the iPhone Dev Team, along with a developer known by the screen name "Comex", released "PDF Warner," a tool that jailbreakers could install to receive a warning if a website tried to use the jailbreak flaw to install malicious software.

The Dev Team even released its own unofficial patch for those who had jailbroken their phones, which went further in protecting jailbroken users than did the official patch from Apple, which does nothing to fix the flaw in iPhone devices older than iPhone 2.x versions. Will Strafach, an independent software developer from Connecticut who helped test the exploit used on jailbreakme.com, acknowledged that the unofficial patch took a bit longer than expected, and that it is still not installed by default after people use jailbreakme.com. Still, he noted that neither this exploit nor a similar, remotely exploitable jailbreakme.com exploit released back in November 2007 resulted in any malicious attacks.

"Not much detail will be released about how the exploits work until after Apple has issued their patch, so there has never to date been a malicious payload I have seen for the two jailbreakme.com exploits," Strafach said.

Strafach is technically correct. Then again, the only real threats to emerge against the iPhone have worked only against jailbroken devices, by exploiting default settings left behind during the jailbreaking process. In November 2009, the relatively harmless "Ikee worm" spread rapidly amon