Posts tagged definition

Who Was The First To Use The Term Exfiltration?

Information security professionals seem to use the word exfiltration with increasing frequency. However, it remains a relatively geeky way of referring to the process whereby data leaves a compromised network. That’s why I was surprised to see VeriSign use this term to describe its 2010 data breach in a 2011 SEC filing when saying, “Information stored on the compromised corporate systems was exfiltrated.”

First Use of Data Exfiltration with the SEC

VeriSign isn’t the first company to introduce the term exfiltration into SEC documentation in the information security context. As far as I can tell, the first mention can be attributed to SRA International. SRA’s May 11, 2009, 10-Q statement mentions several malware infections identified by the company’s IT and security staff. It continues:

“While we have not determined that specific information was exfiltrated, our forensic analysts suggest that the virus was designed for this purpose and, based on indirect evidence found, there is the possibility that data was compromised.”

These were probably the incidents that prompted SRA to file a notice with the Maryland Attorney General and notify its employees and customers of the breach in January 2009.

Origins of the Term Exfiltration

Oxford English Dictionary defines exfiltrate as:

Withdrawing “(troops, spies, etc.) from a dangerous position.”

It also refers to exfiltration as the “action or process of filtering out” and points to a geological book published in 1866 by P. H. Lawrence. In it, the author states:

“The opal is a product of exfiltration from the rock in or near which it occurs.”

The first mention of the term in the context of information security that I could find dates to the unclassified NSA paper published in 2002 and titled Microsoft Office 2000 Executable Content Security Risks and Countermeasures. It explains:

“Customizations with VBA or ActiveX provide a powerful programming capability within Office applications. An attacker can write a wide range of attacks from altering system settings and exfiltrating information to dangerous denial of service attacks such as deleting all files on a hard drive.”

Do you know of earlier uses of the term exfiltration, especially when used to discuss data breaches? I’m curious.

Lenny Zeltser

How Security Companies Assign Names to Malware Specimens

There have been several attempts to standardize the conventions used to name malware samples. Yet, picking malware names in a consistent manner is harder than one might assume. Security companies tend to assign names to malware according to variations of the CARO naming scheme. CME was another effort for assigning identifiers to malicious programs; this project focused on high-profile malware and is no longer active.

The CARO Naming Scheme

The security community benefits when security companies agree on a name when referring to a particular malware specimen, For instance, a single name can act as a tag to the relevant information resources as tools, so that individuals can quickly locate them when responding to malware infections. While agreeing on a single name for a particular sample is hard to accomplish in most cases, companies can agree on the general approach to assigning names to malware specimens.

A naming scheme that came the closest to being adopted by antivirus firms is CARO. According to Dr. Vesselin Bontchev,

“The fundamental principle behind the CARO Malware Naming Scheme is that malware should be grouped into families, according to its code similarity. The other fundamental principle is that malware names should be unique - that is, every different malware variant, no matter how minor, should have a different name from that of any other malware.”

The resulting format follows the pattern “[<type>://][<platform>/]<family>[.<group>][.<length>].<variant>[<modifiers>][!<comment>]”, where the tags in square brackets are optional.

Though CARO wasn’t universally adopted directly, security companies base their naming conventions on CARO for the most part. For instance, Microsoft Malware Protection Center names malware like this:

(The diagram above was created by Microsoft.)

The Common Malware Enumeration (CME) Initiative

Even when companies use a CARO-based naming scheme, the firms might differ in how they name identical malware specimens, for instance by using different approaches to selecting the Family Name component. To aid companies in referring to a popular malware specimen by a common name, MITRE launched the Common Malware Enumeration (CME) initiative.

According to the FAQ, the goals of CME were to:

“Reduce the public’s confusion in referencing threats during malware incidents.

Enhance communication between anti-virus vendors.

Improve communication and information sharing between anti-virus vendors and the rest of the information security community.”

The CME effort is no longer active. According to the CME website, CME identifiers were meant to be assigned to “high-profile threats.” However,

“The changed nature of the malware threat since late 2006—away from pandemic, widespread threats to more localized, targeted threats—greatly reduced the need for common malware identifiers to mitigate user confusion in the general public.”

It’s unfortunate that CME is no longer being maintained, but I understand the realities that make efforts such as CME impractical. Yet, there is still plenty of popular malware that affects a lot of people, and we could benefit from assigning common names to malicious programs that catch the public’s eye. Instead, security companies tend to assign various eye-catching names to popular specimens, as I’ve discussed in a follow-up post.

Lenny Zeltser

Explaining Computer Security Terms to Ordinary People

When you spend much of your time working with information technology, it’s easy to forget that the terms we use on daily basis might not be meaningful to non-IT people. It’s often wise to stay clear of technical jargon when communicating with non-techies; however, it’s not possible to avoid all computer terminology. This is especially applicable when having security awareness discussions with non-security personnel.

With this in mind, I collaborated with Lance Spitzner and Ed Skoudis from SANS Institute to succinctly define the most commonly-used computer security terms in a way that could be understood by “ordinary” people. The list includes such terms as firewall, exploit, patch, etc. If you’d like to recommend other terms or have suggestions for tweaking the definitions, please let me know.

Along these lines—because I love the idea of defining terms—I cannot resist presenting some of the more specialized definitions that I formulated in the past on this blog:

  • Clickjacking is the practice of deceptively directing a website visitor’s clicks to an undesired element of another site.
  • Social networking is communicating while being mindful of relationships among people. This term is used in the context of the Internet to refer to online interactions using social networking websites such as Facebook, Twitter, LinkedIn, Google+, etc.
  • A honeypot is a decoy IT infrastructure component that is designed and deployed to be attacked. It can take the form of a system, a network or an application, and may be implemented as a real or emulated resource.
  • An exploit kit is a tool that automates the exploitation of vulnerabilities in the victim’s workstation or mobile device, usually targeting browsers and programs that a website can invoke through the browser. 

Lenny Zeltser

[Flash 10 is required to watch video]

Clickjacking—the practice of deceptively directing a website visitor’s clicks to an undesired element of another site—is surprisingly effective. It’s been often used to propagate links to malicious websites on Facebook. More recently, similar techniques have been shown effective in de-anonymizing website visitors and even tricking them into granting attackers access to OAuth-secured data. Let’s see what such attacks entail.

Classic Clickjacking to Propagate Links on Facebook

In a classic clickjacking scenario, an attacker establishes a malicious website that invisibly embeds the Facebook “Like” or “Share” button in a transparent iframe. The iframe floats over a page element that the victim is likely to click on; alternatively, the invisible iframe follows the mouse cursor. When the victim clicks within the malicious site, the click is directed to the invisible “Like” or “Share” button. This approach isn’t limited to Facebook interactions, of course, as the attacker can embed elements from other sites in the iframe.

Consider a message below, which is typical of what you might see on Facebook if one of your connections was trapped by a clickjacking site:

Wondering why your friend might share a link with you, you click on it, only to find yourself on a site that seems to embed a YouTube video. However, you probably won’t see the Facebook “Like” buttons that I revealed when taking the screenshot below:

The “Like” buttons are floating over the two locations where the person is likely to click to play the video: in the middle of the supposed video player and in the bottom left corner. The actual victim wouldn’t see these buttons, because they would be invisible in a transparent iframe. By attempting to play this video, the person will actually press the “Like” button, increasing this site’s visibility on Facebook.

Newer Variations of Clickjacking Techniques

In a paper Clickjacking Attacks Unresolved, Lin-Shung Huang and Collin Jackson document more insidious variations of clickjacking attacks. For instance, they provide a proof-of-concept demonstration how an attacker can determine the identity of the visitor to the malicious website by asking Facebook for this information.

I captured this Facebook User De-anonymization demo in the video embedded in this blog post. The video shows the Facebook “Like” button following the victim’s mouse cursor; in a real attack, the button would be invisible. When the person inadvertently clicks the “Like” button, he becomes a fan of the attacker’s Facebook page. Then, according to the paper:

“The attacker’s web page is notified when the victim clicks on the Like button via FB.Event.subscribe(‘edge.create’, …), triggering the attacker’s server to pull the fan list from his Facebook page and identify the newly added fan. The attacker’s server queries the user’s public profile via Facebook Graph API, and then removes the user from the fan list.”

This allows the attacker to obtain to identifying information about the person, such as name, gender, local and Facebook ID. The paper’s authors demonstrate that a similar attack works using the Twitter “Follow” button:

Clickjacking and Timing Attacks

Huang and Jackson also describe a click-timing attack called double-clickjacking, which can be used to trick the victim into authorizing the attacker’s authorization request to third-party OAuth providers. This approach works even when websites implemented some of the common iframe-focused clickjacking defenses, such as X-Frame-Options. According to the paper,

“Although the attacker can no longer embed the approval page in an IFRAME, it is possible to load the [OAuth] approval page in a pop-under window. A pop-under window is a basically a popup window that is hidden behind the main browser window right after it was opened. Since modern browsers block popup windows unless triggered by user-initiated clicks, we require multiple clicks in this specific attack to bypass popup blockers.”

To see the proof-of-concept code of double-clickjacking in action, follow the link in the Clickjacking Attacks Unresolved paper.

What to Do About Clickjacking?

Clickjacking incidents affect many people, and are unlikely to subside. To date, most of these attacks have been used for distributing malicious links on Facebook. However, the same approaches can be used for more insidious scenarios, as Huang and Jackson have demonstrated. Their paper outlines some of the approaches that the developers of websites and browsers can use to mitigate clickjacking risks; however, these techniques are far from being comprehensive. Worst of all, it’s hard to come up with practical advice to end-users to avoid getting hit by this attack vector. Advising people not to click on web page elements isn’t really an option.

Lenny Zeltser

Announcing the Certified APT Nerd (CAPTN) Credential

I am pleased to announce the new Certified Advanced Persistent Threat Nerd (CAPTN) credential. This certification program is designed for information security professionals looking to demonstrate their proficiency in APT topics.

Only individuals who meet the following prerequisites qualify for the prestigious CAPTN designation. The person must:

  1. Feel a moderate level of discomfort when hearing the term APT used in marketing literature
  2. Have a strong opinion regarding APT being a who or a what
  3. Have read both 2010 and 2011 Mandiant M-Trend reports the day they were released
  4. Know Richard Bejtlich’s APT characterization by heart
  5. Have written a poem, literary essay or fictional short story on the topic of APT

In addition to meeting the criteria above, the candidate must also pass the rigorous 5-question CAPTN exam.

Do you have what it takes to be a CAPTN? Good luck!

Lenny Zeltser

What is an Information Security Expert?

I think of an expert as an individual who has attained superior performance in a particular domain. According to Dr. K. Anders Ericsson’s research on the topic, expertise is accomplished by instruction and extended practice, even though experts’ performance might look “so effortless and natural that we are tempted to attribute it to special talents.”

How can one become an information security expert? What does it mean to be one? Three types of expertise come to mind…

An Expert in an Area of Information Security

A classic way of thinking about an expert involves focusing on the specific area in which the person possesses the expertise. Even though the field of information security is a niche in the larger context of information technology or jobs in general, infosec has numerous areas of specialization, including:

  • Application security
  • Network defense
  • Intrusion detection
  • Incident response
  • Security program management
  • Virtualization security
  • Malicious software

Therefore, one way to consider whether someone is an information security expert is to consider the extent to which the person has attained superior performance in one or more of the infosec domains.

An Information Security Expert with Business Savvy

Individuals who do not exhibit superior performance in one of the information security domains—sometimes called generalists—wouldn’t fall under the previous definition of an expert. However, another category of an information security expert is a person who has extensive understanding of business practices relevant to security.

Since information security exists in support of organizational goals, rather than an end in itself, infosec professionals can stand out in their ability to understand the business processes that influence their decisions and actions. This is why some information security professionals have perused an MBA education or are focusing on learning the business of the organization where they work.

“Business” isn’t a subset of information security, but rather a context within which security is conducted, which is why I didn’t list it among the infosec domains in the previous category. Also, note that business savvy is different from the skill of managing people.

An Expert in Combining Information Security Components

Another type of an infosec expert is a person who is able to piece together components from various security domains into a cohesive entity, be it a solution to a particular problem or an overall security program. This type of an expert is sometimes called an architect, as he is able to design a greater whole from the individual building blocks.

Security architecture could be listed as one of infosec domains. Yet, I see it as an overarching skill that typically stems from the experience of succeeding and failing at integrating security controls with each other. In the best case, such expertise is paired with the business savvy I mentioned in the previous scenario.

One perspective on expertise, described by Dr. Ericsson, is that experts “acquire a larger number of more complex patterns and use these new patterns to store knowledge about which actions should be taken in similar situations.” This, in my mind, is the key characteristic of an expert security architect.

It’s easy to mistake an expert security architect for a generalist, because such a person might no longer have in-depth expertise in any one of infosec domains.

Becoming an Information Security Expert

A common path of progressing in an infosec career involves mastering one security domain, then possibly another. The person might then find the need to obtain business expertise and also develop architecture skills. Those who achieve superior performance at one or more of these area are considered experts. Yet, like with all generalizations, this is one of many possible paths.

Becoming an expert is usually a matter of spending sufficient time on attaining the expertise. However, time alone isn’t enough. Dr. Ericsson points out that:

“Most individuals who start as active professionals or as beginners in a domain change their behavior and increase their performance for a limited time until they reach an acceptable level. Beyond this point, however, further improvements appear to be unpredictable and the number of years of work and leisure experience in a domain is a poor predictor of attained performance.”

Then what’s the magic ingredient? In addition to time spent practicing in the relevant field, a critical element is the extent to which the practice was deliberate, focusing on improving specific aspects of the person’s performance. This is where the individual’s education, training and apprenticeship experiences probably come into play.

Update 1: I outlined my thoughts on the role that notoriety plays in promoting one’s infosec expertise in a follow-up post.

Update 2: For more thoughts on information security careers, read Michael Kassner’s interview with Andre’ DiMino and I.

Lenny Zeltser

Pros and Cons of Virtual Patching to Address Vulnerabilities

Virtual patching is the process of addressing a security vulnerability by blocking an attack vector that could exploit it. Let’s take a look at the manner in which virtual patching is implemented and explore the pros and cons of such practices.

Virtual Patching Capabilities of Security Products

I first heard the term virtual patching around 2003, when ISS integrated its vulnerability-scanning tool with its intrusion detection/prevention products to block exploits that targeted identified vulnerabilities. The usage of the term persisted; it now appears in the context of network and host-level IPS as well as database and web application security products:

The concept of virtual patching seems to be particularly popular among web application firewalls (WAFs) and is emphasized by most WAF vendors even if they don’t use this term. For a good overview of how WAFs can be used to implement virtual patching, see Michael Shinn’s article Virtual Patching for Web Applications with ModSecurity.

The Usefulness of Virtual Patching

The desire to implement virtual patching stems from the challenges organizations encounter when trying to keep up with the deployment of security updates to custom and off-the-shelf applications. Vulnerability management is a bear that few enterprises have tamed due to the numerous technological and business reasons that I won’t get into here.

Applying a virtual patch through the use of an IPS or a WAF buys the organization time to develop, test and install the fix to the underlying vulnerability. That is very valuable and is, in my mind, the reason why we’ll continue to see the increase in the adaption of virtual patching practices.

The Dangers of Virtual Patching

The biggest limitation of virtual patching is that it addresses some, but not all, ways in which the vulnerability might be exploited. For instance, a custom rule implemented on a WAF to block access to a particular vulnerable web page might not address an issue on another web page that makes use of the same vulnerable code.

The danger of virtual patching is that with the virtual patch in place, the organizations has few incentives to move forward with fixing the underlying vulnerability despite the limitation outlined above. Virtual patching encourages complacency and is risky for the enterprise in the long term.

A virtual patch is a temporary band-aid. It might be well-suited to address a particular threat vector; however, it rarely offers the long-term benefit of actually fixing the problem that exposes the affected system or application.

I’d love to learn hear from the individuals whose companies formally incorporated virtual patching into their vulnerability management programs. What works? What doesn’t?

Update: For my information about Web Application Firewalls, see my post discussing why WAFs are on their way to becoming ubiquitous.

Lenny Zeltser

Cross-Side Scripting Demystified

What is cross-side scripting? It’s time to define this often-misused term to help the community understand the practice and risks associated with cross-side scripting:

Cross-side scripting (XSS) is the practice of writing across the side of an object.

It really is that deceptively simple. The side can belong to any object, such as paper, computer monitor, Rubik’s Cube, truck and house. Purists insist that XSS writing be placed diagonally across the object’s side. However, modern XSS practices often incorporate writing that is horizontal with respect to the object’s X-axis.

Some of the risks of cross-side scripting include:

  • Defacement of the object’s surface without the owner’s consent. In this respect, XSS is sometimes compared to graffiti.
  • Wear and tear of the writing instrument, particularly when XSS takes place without regard for the instrument’s durability specifications
  • Gradual strain injury of the person engaged in frequent XSS practices. (Similar to repetitive strain injury.)

The most effective way of resisting cross-side scripting attacks involves avoiding the use of objects that have sides—for instance, employing a spherical structure in the building’s architecture instead of a parallelepiped. Another risk mitigation strategy involves coating the object’s sides with writing-resistant materials, such as those that follow the ASTM D6578 - 08 standard.

Cross-side scripting is sometimes confused with of cross-eyed scripting and cross-site scripting. The description of these terms is outside the scope of this note.

If you found this cross-side scripting definition useful, you might also like my 10-Step Guide to Hacking Logs.

Lenny Zeltser

Honeypots as Part of a Modern IT Infrastructure

A honeypot is a decoy IT infrastructure component that is designed and deployed to be attacked. While the development of commercial honeypots seems to have lost steam, there is a plethora of innovative and freely available honeypot tools. Let’s take a look at the pros and cons of using honeypots as part of a modern IT infrastructure.

The Value of Honeypots

As I discussed in the Stopping Malware on its Tracks article, they can strengthen the defensive posture of a mature enterprise in several ways:

  • Slow down an intruder’s progress by having him waste time breaking into a system that offers no value to the attacker. For instance, the free LaBrea tool stalls port scans and worm propagation activities by creatively responding to an attacker’s network connections.
  • Decrease the rate of false positives, which often plague network IDS. Since a honeypot, by definition, should not participate in production activities, almost any connection to it is an indication of malice. Free tools Honeyd and InetSim can emulate servers, devices, and even networks to increase the span of such monitoring without requiring multiple physical systems.
  • Capture malware samples for analysis. Since malware is a part of most modern intrusions, capturing it before it finds its way to a production system assists in incident response. Free tools that can assist in this task include Nepenthes and Dionaea.
  • Understand the intruder’s intentions by observing his interactions with the compromised environment. This can be accomplished by deploying a series of honeypots to fool the intruder, whether a human or a program, about the authenticity of the targeted system. The bootable Honeywall disk, distributed for free by the Honeynet Project, can help enable this.

Note that in most cases, these examples refer to honeypots that are deployed on the internal network, rather than being directly accessible from the Internet.

For more honeypot tools, see my earlier post Specialized Honeypots for SSH, Web and Malware Attacks.

The Challenges of Using Honeypots

Perhaps the biggest challenge of using honeypots is the risk that they might get compromised. In that case, they might be used to attack the organization that deployed them or to attack other organizations. This is, in part, why many organizations aren’t using honeypots. However, a low-interaction honeypot that sits on an controlled network segment and is monitored by the security staff might present a sufficiently low risk, allowing the organization to begin experimenting with honeypots.

For an overview of honeypot technologies and deployment options, take a look at Anand Sastry’s article Honeypots for network security: How to track attackers’ activity. Anand advised that a high-interaction honeypot be deployed on a “separate network for the host OS for management purposes.” In contrast, low-interaction honeypots are less likely to “be fully compromised by an attacker, thus making them easier to protect.”

I recently attended an incident response talk by Richard Bejtlich, where he mentioned the usefulness of honeypots for intrusion detection. He recommended that only organizations that have mature security practices deploy honeypots. The implication is that there are other elements of the overall security incident cycle that should be considered beforehand.

Update: I discussed this note on the Exotic Liability podcast, Episode 70. For a counter-point to my thoughts, take a look at Michael L. Dickey’s blog posting on practicality of honeypot deployments.

Lenny Zeltser

Why On-line Social Identity and Reputation is a Big Deal

We’re at a cusp of an era where the reputation of one’s on-line social identity is becoming as critical as one’s “real world” reputation. Control over social identity data is the prize for which privacy advocates, individual consumers and business are fighting.

Who Are You?

In a formal setting of the “real world,” we typically think of our identity as our name or perhaps a personal identifier such as the driver’s license number. In the on-line world, though, our identity is defined by our social network and how we interact with its participants.

We are whom we know and what we do with them. That’s our social identity on-line.

Credit Reputation vs. Social Reputation

Trade practices in the “real world” began with the barter system, but ran into limitations where Pearson A wanted an item from Person B, but Person B didn’t want anything of Person A’s. Cash took care of that stumbling blog, and allowed trade to flourish. The next challenge to commerce was cash flow: individuals or companies might not have enough cash to make a purchase today, but would have the cash tomorrow. The system of borrowing (e.g., trading on credit) took care of that limitation. The challenge with borrowing, from the lender’s perspective, is whom to trust? Credit rating bureaus appeared to keep track of persons’ and organizations’ credit worthiness.

The credit worthiness of a customer in the “real world,” often represented by individuals’ FICO scores, represents the person’s financial reputation.

In contrast, an on-line consumer’s reputation and “business-worthiness” is often measured in terms of the person’s social identity. Knowing the consumer’s social identity—his contact details, his on-line friends, his interests—allows companies to engage the person and “convert” him into a paying and hopefully loyal customer.

Individuals look up the social reputation of others all the time as well. You and I do it when we Google a person we just met to see what they wrote about himself and others. We may also look up the person’s profile on a social networking site, such as LinkedIn and Facebook to see if we share any friends and interests. The expectation is that it is hard, though of course not impossible, to create a fake reputation on social network that’s rich with social activities.

Social Identity Reputation Score

How do you know whether an email address of a person is accurate? Look it up in one of many social networks to see if the address is associated with an active profile. How do you know whether the profile is fake? Look at the number of the person’s social connections, the frequency with which the person interacted with others, the time during which the person has been active on-line and the richness of the person’s social networking activity. The more meaningful activities you observe, the more trustworthy is the person’s social identity.

The trustworthiness of the person’s on-line social identity can be measured. We can come up with a formula that accounts for the elements of the person’s social activities, such as those I listed above, and converts them into something we might call a social identity reputation score. Let’s even give it an acronym to make it official: Social Identity Reputation Score (SIRS).

SIRS is the FICO score of the on-line world, and it will be as crucial to the economy in the future as the FICO score is today.

My friend Slava Frid brought up the similarity between the concept of SIRS and Google’s PageRank during our conversation. Just like Google computes a coefficient of importance to elements of an HTML page, so too can we compute a number to measure the relative value (related to trust or importance) of a social identity.

Importance of the Email Address

The workflow for determining the person’s SIRS, which I outlined above, starts with the person’s email address, because the email address can be used to discover the person’s social networking activity.

Companies that aggregate social data, such as Rapleaf, will be becoming increasingly important. They will be increasingly valuable from a business perspective and increasingly scary from a privacy perspective. When describing how individuals are profiled on the web, Om Malik explained:

Think of Rapleaf as the provider of the FICO score about an email address. That email address comes with Facebook ID, Flickr ID, Twitter account information and other social details. For a marketer, or even someone trying to hit you up for business, this is pretty relevant data, for it allows them to target a customer and connect them socially. In another scenario, you can buy an email list of a million addresses for $1000, check them against Rapleaf and end up with about 10,000 emails worth targeting. That’s a pretty good deal.

Rapleaf seems perfectly positioned to calculate people’s SIRS. Maybe the company already does it today.

Privacy and the Social Identity

People often feel comfortable some sharing details about themselves, such as the car they drive, their income and age range, and so on, as long as they maintain anonymity. The notion of anonymity is starting to change in the on-line world: your name and “physical world” details might be less important than your social identity.

People’s privacy considerations on line are starting to change beyond protecting the person’s “physical world” identity. Individuals recognize that they need to give up some information about themselves to establish a social identity. However, we want to control which aspects of our identity are available to which entities.

This granularity of social identity data sharing is the crux of privacy debates, and the reason we are concerned about issues such as Facebook data sharing and data aggregators such as Rapleaf.

As on-line social networks increase in importance for regular, “real world” interactions, so will the criticality of social identities. The battle is only still at its onset.

I wrote several posts on social networking and associated security risks. If you’re interested in this topic, be sure to take a look.

Update: If you found this note useful, take at the posting by Bindu Reddy, titled Why We Need PageRank for the Social Web, in which Bindu proposed the idea of engagement score as a way of measuring the “level of social engagement that a person can generate with a post on their [social media] stream.”

Lenny Zeltser