Phishing Attacks: Still Going And Targeting Us!

This is hardly a new thing – it is about a particular kind of spam trying to persuade you to give up login credentials. This has been labelled “Phishing”, which some of you may be bored of reading about again. Unfortunately it is still the case that people fall victim to phishing attacks despite the warnings that have been sent out over time. If you search the Sophos Naked Security blog for “phishing” you will get an enormous number of results – at least 15 pages (I lost patience at that point).

Phishing basically works by sending large numbers of emails (thus it is spam) with a message intended to alarm people into either replying with details they should not reveal, or into clicking a link to a web-based form to gather the same kind of details. Usually banking details, or login credentials.

In short, don’t reveal your details via email or to a web form sent to you via an email. Passwords are your personal information and should never be revealed to others :-

  • Banks do not ask you for your password or other details via email.
  • The University will never ask you for your password.
  • Law-abiding organisations will never ask for it either.
The exception to this is that sometimes organisations may try to trick you into revealing your password to find out whether you follow the security policies. It is a standard part of penetration testing to try this (and they often succeed). The University does not currently carry out this sort of social-engineering penetration testing.

There is usually an attempt to craft the email to look as though it is some kind of official communication, varying from the extremely sophisticated, with very few signs that it is not an official email, to really rather poor attempts. Common mistakes that are found in the less sophisticated phishing attacks include :-

  1. Sending from an email address with an official sounding name (“The IT Support Department”) which is not used within the organisation – here at the University our “IT Support Department” is called “Information Services”.
  2. Sending from a non-organisation email address.
  3. Addressing the email in excessively formal … almost archaic phrases. And indeed any use of non-colloquial English.
  4. Lastly, referring to services using generic terms rather than specific local terms – “Webmail” rather than “GroupWise”.
An example of a phishing email follows :-
From: Helpdesk<info@ttu.edu>
To: Recipients <info@ttu.edu>
Subject: Storage Limit Exceeded
Date: Tue, 17 Apr 2012 23:47:09 -0400
Reply-To: info@mail.com
Sender: fanzhiy@Cardiff.ac.uk
Dear members,
You have exceeded the storage limit on your mailbox. You 
will not be able to send or receive new mail until you upgrade
your email quota. Kindly update your account by clicking here, 
https://docs.google.com/spreadsheet/viewform?formkey=dEwLUxMejBNalg0dkNMY0FxcDVlRGc6M
Regards,
Technical Team.
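The four “common mistakes” above can be turned into mechanical checks. The following is an added example (not code from the original post) that parses the phishing email quoted above with the Python standard library and flags a From address outside the organisation, Reply-To and Sender headers that do not match From, links to third-party hosts, generic wording, and the absence of local service names. ORG_DOMAINS, the GENERIC_PHRASES list and the legitimate comparison message are assumptions made for the example; the local service names are the ones the post itself mentions.

```python
"""Heuristic triage of a suspicious email, standard library only.

Added example, not part of the original post. Values marked "assumed"
are illustrative and would be tuned for a real organisation.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Domains the organisation actually sends mail from (assumed for the example).
ORG_DOMAINS = {"port.ac.uk"}
# Names the organisation really uses for its services (as named in the post).
LOCAL_SERVICE_NAMES = {"information services", "is service desk", "groupwise"}
# Phrases typical of mass-produced phishing text (assumed list).
GENERIC_PHRASES = ("kindly", "dear members", "dear user", "technical team",
                   "storage limit", "webmail")

# The phishing email quoted in the post, with the blank line that separates
# headers from body restored so the parser can read it.
SAMPLE_EMAIL = """\
From: Helpdesk<info@ttu.edu>
To: Recipients <info@ttu.edu>
Subject: Storage Limit Exceeded
Date: Tue, 17 Apr 2012 23:47:09 -0400
Reply-To: info@mail.com
Sender: fanzhiy@Cardiff.ac.uk

Dear members,
You have exceeded the storage limit on your mailbox. You
will not be able to send or receive new mail until you upgrade
your email quota. Kindly update your account by clicking here,
https://docs.google.com/spreadsheet/viewform?formkey=dEwLUxMejBNalg0dkNMY0FxcDVlRGc6M
Regards,
Technical Team.
"""

# A constructed legitimate message, for comparison.
LEGIT_EMAIL = """\
From: IS Service Desk <servicedesk@port.ac.uk>
To: All Staff <all-staff@port.ac.uk>
Subject: GroupWise maintenance on Saturday

Information Services will be restarting the GroupWise servers on Saturday
morning. No action is needed; mail will be delayed for about ten minutes.
"""


def _domain(header_value):
    """Lower-cased domain of the first address in a header, or '' if none."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def _in_org(host):
    """True if host is one of the organisation's domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in ORG_DOMAINS)


def _body_text(msg):
    """Plain-text body, joining text/plain parts of a multipart message."""
    if msg.is_multipart():
        return "\n".join(p.get_payload(decode=True).decode("utf-8", "replace")
                         for p in msg.walk() if p.get_content_type() == "text/plain")
    return msg.get_payload()


def triage(raw):
    """Return a list of (tag, detail) findings for a raw RFC 5322 message."""
    msg = message_from_string(raw)
    findings = []
    from_dom = _domain(msg.get("From"))
    if not _in_org(from_dom):
        findings.append(("external-from", f"From is at {from_dom!r}, not an organisation domain"))
    # Reply-To or Sender pointing somewhere else than From is a classic tell.
    for hdr, tag in (("Reply-To", "reply-to-mismatch"), ("Sender", "sender-mismatch")):
        if msg.get(hdr) and _domain(msg.get(hdr)) != from_dom:
            findings.append((tag, f"{hdr} is at {_domain(msg.get(hdr))!r} but From is at {from_dom!r}"))
    body = _body_text(msg)
    for url in re.findall(r"https?://[^\s<>\"']+", body):
        host = (urlparse(url).hostname or "").lower()
        if not _in_org(host):
            findings.append(("third-party-link", f"link points to {host!r}"))
    text = body.lower()
    hits = [p for p in GENERIC_PHRASES if p in text]
    if hits:
        findings.append(("generic-wording", "generic phrases: " + ", ".join(hits)))
    if not any(name in text for name in LOCAL_SERVICE_NAMES):
        findings.append(("no-local-terms", "no locally used service name is mentioned"))
    return findings


def is_suspicious(raw, threshold=2):
    """Treat a message as suspicious when at least `threshold` distinct checks fire."""
    return len({tag for tag, _ in triage(raw)}) >= threshold


if __name__ == "__main__":
    for tag, detail in triage(SAMPLE_EMAIL):
        print(f"{tag:18} {detail}")
    print("legit message findings:", triage(LEGIT_EMAIL))
```

None of these checks is conclusive on its own (a genuine message can carry an external Reply-To), which is why the verdict counts distinct findings rather than any single one; the post’s advice to ignore the instructions and phone the Service Desk still applies to anything that scores.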

But performing detailed text analysis on every email you receive just to see if it is a phishing attack is both a little tedious and completely unnecessary. There is a very simple technique to use :-

  1. Ignore the instructions in the email.
  2. If you have the slightest doubt over whether the instructions are for real, contact the relevant organisation over the phone (or at the very least with a newly composed email). In the case of the University, contact the IS Service Desk on x7777.

And For Something A Little Lighter …

But still with a serious point :-

And the serious point is that tackling only the technical side of security may actually make things worse!


DNSChanger – the clock is ticking …

The DNSChanger malware, which has been effectively neutralised by the takeover of the Estonian servers hosting the rogue DNS servers, will have a sting in the tail for those still infected when those servers are switched off on 9 July 2012 – no access to your favourite web sites or to any service that requires a DNS lookup – in practice nothing will work.

Forbes have published a story from the FBI regarding this – note that DNSChanger affects Macs too. Some direct advice from the DNSChanger Working Group (DCWG) is here.

To check whether you are infected, use the DNSChanger Check tool that is linked to from the DCWG – if you are infected then you have until 9 July to disinfect your computer.


OSX: Flashback Infections

As we have had our first reports of Apple machines infected with malware, it is probably time to go into more detail on the Flashback infection. This is spread via a Java vulnerability that Apple neglected to fix as soon as it was fixed on other platforms, and they are apparently regretting this neglect. The executive summary of what to do about this is :-

  1. Make sure you are running OSX 10.6 (Snow Leopard), or OSX 10.7 (Lion), and apply any updates as soon as possible. Some updates released in the last few days will protect you against this malware.
  2. If you are running OSX older than 10.6, then your options are somewhat limited. The chief advice is to upgrade – you should not be connecting an unsupported operating system to any network and especially not the University network. If that is not currently an option, the advice from Apple is to disable Java (which may of course stop some things from working). Note that disabling Java will not necessarily stop the Flashback malware from working; detailed descriptions are a little thin on the ground but suggest that the Java vulnerability is used to download additional components that are not necessarily Java-based.
  3. Install an antivirus product such as Sophos or a suitably recommended alternative – and bear in mind that some malware is spread by purporting to be an antivirus product.

What Is Significant About This ?

After all, most of the advice above is what is routinely advised and malware has been a fact of life for decades. Well, Apple users can traditionally (and quite rightly) point out that malware is typically a problem for Windows users. Because of this, Apple users have been somewhat less than proactive in making sure they are protected against malware.

However it has always been a possibility that a mass malware infection could be a problem for Apple users, and now we have actually seen such an infection in the real world. And now Apple users need to protect themselves just as Windows users have. Whilst there have been previous malware outbreaks causing problems for Apple users, these have all relied on tricking users into installing malware – specifically fake antivirus products. This outbreak is different, because it does not require the user to actively do something they would be wiser not to – it just happens when the user visits a nasty website.

How Big Is This ?

The information (and here) indicates that there are in the region of 800,000 infected OSX machines out there in the world. After an initial surge to 600,000, and then a fall to about 150,000, the number of infections is rising again. It is quite possible that this could be a persistent malware issue that survives for a considerable length of time.

What Does It Do ?

There appear to be several different variations of the Flashback malware: some require the user to enter their password to install part of the content, and some will install the malware whether or not the user types their password at the relevant prompt.

After the malware has successfully invaded the computer it “phones home” to report that it is ready for use, and to download instructions. Some of these command and control servers have been taken over, but there is no guarantee that they all have been.

And as to what exactly the malware author is using all these OSX machines for, well nobody seems to know.

For Further Information

There is a great deal of information about Flashback out there, but some of the highlights include :-


OSX Malware: It’s Not Just Windows Anymore!

Whilst it has always been theoretically possible for Apple’s computers to be infected with viruses, the combination of greater security built into OSX and the larger population base of Windows-based computers has meant that the Apple user has been relatively safe in the past. However this has now changed.

Whilst we may wish to take the advice of an anti-virus vendor with a pinch of salt, it seems that widespread infection of OSX machines is a reality. With upwards of 600,000 OSX machines in one bot army, the problem is still nowhere near as large as Windows users suffer from.

But as advised by Sophos, OSX users need to :-

  1. Apply OSX updates as soon as possible after they are released.
  2. Upgrade unsupported versions of OSX as a matter of priority. If you are running OSX version 10.6 or lower, you should be getting an upgrade now! And if you are still running an Apple with a PowerPC chip inside, it is time for a new machine.
  3. Consider installing an AV product – of course officially you are not allowed to connect a machine to the University network (including wireless and in halls) without AV protection.



Social Engineering Via Fake Emails

One common method used in targeted attacks on organisations is the fake email – an email that appears to come from someone important in the organisation telling someone else to do something unwise, such as requesting that an important password be changed, or advising someone to check out some sort of attachment.

Often there is some good reason given why normal security policies should be bypassed – “I can’t bring in my photo ID card to get my password changed; I’m at a conference in Thailand” – which, whilst it sounds reasonable, can be simply a means of bypassing normal procedures. Those procedures are not intended to be inconvenient to the user (although they often are), but are intended to protect the organisation.

What surprises many people when they first learn of it is that faking emails is remarkably easy. That “From” header that appears when you read an email is literally no more than a comment – it could easily be supplied by an attacker, as there is no form of checking on it.

Now how common these attacks are, and how likely the University is to be targeted by them is unknown. But there are some counter-measures, although the best counter-measures are social rather than technical.

Technically it is possible to use a cryptographically strong digital signature on emails to ensure that an email arriving was sent by whom it purports to be sent by. Unfortunately, the most common method of doing this is rather technical and difficult to use – I get confused using it although I have been signing my emails for a long time now.

But the most obvious protection is common-sense: Does this request that came in via email make sense? Is the sender likely to ask me to do this ? Is it suggesting I bypass normal procedures and policies ?

If in doubt, contact the sender via phone (and look up the number elsewhere) to check.


DNS Outage on the 31st March ?

According to various reports, a bunch of malicious protesters (Anonymous) have announced plans to attack the global root DNS servers on the 31st March 2012. Another part of the same group has distanced itself from the attack.

Is this really going to happen ? And if it does, what effect will it have ?

Well the only answer to the first question is to wait until the 1st April to find out. After all it is perfectly possible that this is merely a publicity stunt.

And the quick answer to the second question is that nobody really knows. But the likelihood is that any impact will be minimal, and not be noticeable to anyone using the Internet. In the worst case scenario, it is likely that some random top-level domains (com, uk, etc.) will “disappear” for possibly a short duration, although it is impossible to predict which such domains will disappear.

The worst case scenario is quite unlikely – this is not the first time that the root nameservers have been attacked in this way.

It should be noted that it will have no effect within the port.ac.uk domain – every name within that domain remains resolvable to our network without the root nameservers.

The Detail

Despite the claims by Anonymous, the DNS infrastructure is very well protected – most of the root nameservers are in fact clusters of a number of real servers hiding behind a single network address. But if a distributed denial of service attack is big enough and goes on for long enough, it could have a negative effect on the root nameservers. In fact this is not the first denial of service attack against the root name servers – one occurred as far back as 2002, and during that attack no user services were significantly impacted (a report on the incident is still available and Wikipedia also has an article).

The root nameservers provide answers that tell other nameservers where master nameservers for the top-level domains are – .com, .org, .uk, etc. If all of the root nameservers are inoperative for long enough, all of the names on the Internet will effectively disappear, but this doesn’t happen immediately.

What happens when you visit google.com (or any other place) is that your machine asks a nameserver to look up that name. This in turn looks up com (and caches the result), and then looks up google.com on the nameserver that is returned by the com lookup.

The caching is controlled by the DNS TTL parameter on the answers that come back from nameservers. For such important domains that value is usually set to about a day, or longer; which means that if the denial of service attack occurred at just the right time, and all nameservers were synchronised so that their cache timeouts on each record started at exactly the same moment, then the caching would eliminate any issues even if the root nameservers were disabled by the attack.

In practice the “random” nature of caching means that a number of cache entries will expire during the hypothetical outage, so if the root nameservers are so severely disrupted that no answers can be obtained, disruption will occur for random ISPs and for random top-level domains.

This worst case scenario is dependent on some quite unlikely things occurring, so although it is a possibility, it is a very unlikely one. And this all assumes that the root nameserver administrators are all at a month-long conference with no Internet access – they’ll be “doing stuff” about this.
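The caching argument above can be made concrete with a small model. The following is an added example, not part of the original post: a caching resolver keeps the delegation for each top-level domain until its TTL expires, refreshing it from the root only when needed, and a zone the resolver is itself authoritative for (port.ac.uk here) never touches the root at all. Times are in hours, the 48-hour TTL, the two ISP resolvers with different refresh times and the four-hour root outage are all assumed values, and the resolver names and query list are constructed for the scenario.

```python
"""Model of TTL caching during a root nameserver outage.

Added example, not code from the original post. Times are whole hours;
TTLs, refresh times and the outage window are assumed for illustration.
"""
from dataclasses import dataclass, field


@dataclass
class CachingResolver:
    name: str
    ttl: int                                      # TTL on TLD delegations, hours (assumed)
    cache: dict = field(default_factory=dict)     # tld -> hour at which the entry expires
    authoritative: set = field(default_factory=set)  # zones served locally, no root needed

    def lookup(self, fqdn, now, root_up):
        """True if the name can be resolved at hour `now`, False for SERVFAIL."""
        # Names inside a locally served zone never depend on the root servers.
        if any(fqdn == z or fqdn.endswith("." + z) for z in self.authoritative):
            return True
        tld = fqdn.rsplit(".", 1)[-1]
        if self.cache.get(tld, -1) > now:
            return True                          # delegation still cached
        if not root_up:
            return False                         # expired and root unreachable
        self.cache[tld] = now + self.ttl         # refresh from the root
        return True


def simulate(resolvers, outage, queries):
    """Return [(hour, resolver, fqdn)] for every lookup that fails."""
    start, end = outage
    failures = []
    for hour, fqdn in queries:
        root_up = not (start <= hour < end)
        for r in resolvers:
            if not r.lookup(fqdn, hour, root_up):
                failures.append((hour, r.name, fqdn))
    return failures


def build_scenario():
    """Two ISP resolvers that last refreshed 'com' at different times, a
    campus resolver authoritative for port.ac.uk, and a 4-hour root outage."""
    isp_a = CachingResolver("isp-a", ttl=48, cache={"com": 48})   # refreshed com at hour 0
    isp_b = CachingResolver("isp-b", ttl=48, cache={"com": 78})   # refreshed com at hour 30
    campus = CachingResolver("campus", ttl=48, authoritative={"port.ac.uk"})
    outage = (46, 50)
    queries = [(h, n) for h in (44, 47, 49, 52) for n in ("google.com", "example.uk")]
    queries.append((49, "www.port.ac.uk"))       # local name during the outage
    return [isp_a, isp_b, campus], outage, queries


if __name__ == "__main__":
    resolvers, outage, queries = build_scenario()
    for failure in simulate(resolvers, outage, queries):
        print("failed lookup:", failure)
```

Only isp-a fails, and only for .com, at hour 49: its cached com delegation expired during the outage while isp-b’s still had a day to run, and every .uk lookup succeeded because that delegation was fetched at hour 44, before the outage, and remained cached. Which resolver and which domain are affected depends entirely on where the refresh times happen to fall, which is the “random ISPs and random top-level domains” effect described above.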



Financial Malware – Stealing Your Bank Details!!

BBC’s Click programme recently undertook an investigation into financial malware – viruses that concentrate on grabbing your bank details and adding in transactions to steal money. Viruses such as “Zeus”.

These infections lurk on your computer to intercept attempts to access your bank, and will insert elements into a web page to grab additional details that can be used at a later date to access your bank account. And many of the most popular anti-virus products are unable to spot these infections!

The key advice from the banks was :-

  1. If a transaction takes a lot longer than usual, it may be that the details are going via the fraudster’s servers.
  2. If you are asked for more information than usual – perhaps the entire password where you are normally asked for certain specified letters from within it – then the malware may be inserting questions into what appears to be the bank’s web page.
  3. If you do suspect something and need to contact your bank, use the phone and not email.

Normally UK banks will refund money lost to fraudsters in this way, but that will not compensate you for the shock that someone has been riffling through your bank account. Ideally you will want to avoid using an infected PC to begin with, which is easier said than done when the mainstream security products can fail to protect you!


The Virtue of Operating System Upgrades and Patches

Operating system updates or more specifically operating system patches – some operating system vendors call their patches updates to help add to the confusion – are exceptionally irritating when you investigate what they are. To bring in a foolish analogy (as everything needs), operating system patches are roughly the same as a car manufacturer issuing a recall notice – varying from “please bring in your car sometime in the next month to get the cupholders replaced”, to “please don’t drive your car until we’ve picked it up and returned it after fixing the brake software”.

It is rather extraordinary that in many cases you have to pay to obtain access to the operating system patches, and in fact that people actually pay real cash for operating systems that require this number of patches. After all a car manufacturer that issued 9 different recall notices in a single day and repeated this time after time would quite quickly go out of business. As an example of how bad things can be, some patch details from a recently patched system :-

Age (days)   Number of patches
    17              9
    16              1
    15              1

I could go on with further details, but it is rather too depressing – on the day after the vendor released 9 patches they released another patch, and yet another the day after.

So What Are The Patches ?

Patches vary from fixing problematic conditions found when using certain bizarre combinations of hardware and software (such as running an older release of an operating system on newer hardware), to plugging security holes that have been discovered. One thing that they all have in common is that they are fixes to the operating system.

They essentially repair parts of the operating system so that it functions according to how the operating system is specified. Or to put it another way, they do not add in any functionality changes. In this they differ from application patches which often require extensive testing to ensure that the application still functions as expected; whilst everyone hopes that the operating system vendor performs extensive patch testing, the need for site-based patch testing is a great deal less than for application patches.

Why?

As the saying goes, “If it ain’t broke, don’t fix it”.

Well firstly the idea that an operating system isn’t broken just because it is still running is essentially wrong – the fixes they have included in the patches are perhaps for conditions that do not occur every day, but they are still fixes which means that the operating system is broken.

As a special case of “broken”, some of those patches are to apply security patches to an operating system to fix security holes that could be potentially used by an attacker (who could be on the “inside”) to break into a system. In this case, not patching could be considered to be somewhat negligent and the old method of exclaiming “Oops!” won’t keep the Information Commissioner too happy.

Lastly, the longer you leave a system without patching it, the harder it becomes to patch – apart from anything else the list of patches keeps getting longer!

Or to put it another way, it is easy to see that there is a risk in patching a critical server; it is just as true that there is a risk in not patching a server. Because the risk of not patching a server increases over time, there is no case where the risk of patching will always override the risk of not patching.


OSX Security Patches

According to Sophos’s Naked Security blog, Apple have today issued a rather large set of updates for OSX. The updates include fixes for a number of very serious security vulnerabilities, so we would recommend that anyone running OSX apply this update as soon as possible.

For the record, I have patched my laptop (running Lion) without any apparent issues, although as is always the case your experiences may be different.
