Computer Fraud & Security
ISSN 1361-3723 April 2011 www.computerfraudandsecurity.com

Featured this issue:

In plain view: open source intelligence
Researchers can gather a surprising amount of information on targets by harvesting data that is already publicly available. From newspaper archives to court records, and even simple Google searches, there's a vast array of data freely available that can be cross-referenced and filtered to provide insightful intelligence. The challenge is to find and manage the data, although a number of automation tools are now available. Danny Bradbury explores the not-so-shady world of open source intelligence.
Full story on page 5…

The slow road to professionalisation
The question of whether the information security industry should be 'professionalised' is a contentious one. While some practitioners do not see the value, others are convinced that change is necessary to protect both themselves and their customers. Many would like to see practitioners operating in a similar way to other professions such as doctors and lawyers, where formal recognised qualifications, membership of an industry association and adherence to an enforceable code of ethics is mandated. Cath Everett looks at some of the current initiatives that are taking place in this area and what the future might hold.
Full story on page 9…

Malvertising – exploiting web advertising
Advertisers use Web 2.0 functionality to provide flexibility and portability in sharing third-party content across different networks, websites and blogs. They use widgets, frames and Javascript banners in order to load and execute content from ad servers into user websites. But attackers can take advantage of flaws in features such as widgets and iframes to redirect browsers to malicious websites that deliver malware. To appreciate the severity and prevalence of this class of attack, the Open Web Application Security Project (OWASP.org) recently placed invalidated redirects and forwards in its '2010 top 10' list. Aditya Sood and Richard Enbody of Michigan State University discuss the exploitation model of malvertisements and the way different modes of attacks are used to infect users.
Full story on page 11…

Microsoft takes down Rustock
Once again, Microsoft has used legal channels to fight spam-spewing botnets. Working with federal law enforcement agencies in the US, the firm was able to take the Rustock botnet offline. Building on its experiences in shutting down the Waledac botnet, Microsoft's Digital Crimes Unit (DCU) filed a lawsuit in US District Court against 'John Does' it said were "controlling a
Continued on page 3….

Contents

NEWS
Microsoft takes down Rustock 1
Comodo certificates forged 3

FEATURES
In plain view: open source intelligence 5
The slow road to professionalisation 9
Malvertising – exploiting web advertising 11
The UK fraud landscape for financial services 16
Fraud in the financial services industry is a topic that constantly makes headlines, says Duncan Ash of SAS UK, but is the situation really as dire as the media would have us believe?
Aggregation: the hidden risk 18
Wendy Goucher of Idrach looks at the dangers companies face when they accidentally or deliberately aggregate their staff members' access to sensitive information.

REGULARS
Editorial 2
News in brief 4
Calendar 20


Editorial Office: Elsevier Ltd, The Boulevard, Langford Lane, Kidlington, Oxford, OX5 1GB, United Kingdom. Web: www.computerfraudandsecurity.com
Publisher: Greg Valero
Editor: Steve Mansfield-Devine

Editorial

Data breaches are now so common that it takes something special to catch people's attention. The Epsilon Interactive saga has that special ingredient. It's not just the potential size of the breach, it's the fact that so many well-known brand names have been embarrassed.

Epsilon – owned by Alliance Data Systems – provides a mass emailing service for around 2,500 companies. It sends out around 40 billion messages a year and styles itself as the world's largest 'permission-based' (ie, opt-in) email marketing operation. It's thought to have around 250 million email addresses and associated details in its databases.

Hackers – described as "highly sophisticated cyber thieves" by Epsilon – managed to breach the firm's defences and steal the names and email addresses for people on the mailing lists of around 50 of Epsilon's clients. It's believed that millions of details may have been purloined, making it the biggest data breach ever. This quickly led to warnings that those affected should expect a large increase in the amount of spam they receive.

But the danger goes way beyond that. It's true that spammers love getting email addresses they know to be live. But add names to those addresses, and details of companies with whom those people have done business – and from whom they are expecting to receive emails (and may even have whitelisted) – then you have a situation ripe for spear-phishing and other targeted scams.

Some of the affected firms are banks – such as Barclays, Citigroup, JP Morgan Chase and US Bank – so the potential for serious financial harm is there. But even with companies that aren't financial institutions, the hackers may be able to exploit the trust of their customers by using bogus sites to push fake AV or obtain anything from login credentials to credit card information.

Some reports – notably in Australian newspaper ITNews – suggest that Epsilon and Silverpop (another email marketing firm that suffered a data breach recently) were themselves both victims of a social engineering attack, using spear-phishing. Last November, Return Path, a firm that offers services such as tracking email delivery and which is used by both Epsilon and Silverpop, issued a warning about phishing attempts against email service providers, direct mail firms and gaming sites. People responsible for email operations were targeted at more than 100 companies. The spear-phishing emails originated from a number of sources, including online greetings card sites and botnets.

Security specialists constantly fantasise that high-profile exploits like this will help raise consciousness and lead to a safer future in which people are more aware of the risks. Well, dream on. But while we're waiting for that miracle to happen, there are lessons available for those who want to make the effort.

I suspect the company that will learn the most is Epsilon itself. We all know that breaches wreck reputations. Only time will tell how Epsilon will stand with its very large, very public clients, many of whom – including M&S and Mothercare – have had to send explanations and apologies to their customers. Some customers have received such messages from more than one company.

Those companies will have had their own reputations tarnished. For a while, Twitter was alight with customers demanding to know why Epsilon had their details – after all, they thought they were signing up to receive information from, say, M&S.

And that's a big lesson for everyone. Although you may go to great lengths to secure your systems, remain compliant and generally adhere to the very best practices for security, if you share information with a supplier or business partner, any weakness on their part can have grave consequences for you.

Steve Mansfield-Devine


…Continued from page 1

computer botnet and thereby injuring Microsoft and its customers". The suit was supported by security firm FireEye, the University of Washington and drug company Pfizer, manufacturer of Viagra – as Rustock is perhaps best known for its pharmaceutical spam.

Then, working alongside the US Marshals Service, the DCU raided the seven Internet hosting firms it believed were home to command and control (C&C) servers for Rustock. They removed equipment – mainly hard disks but also some computers. The botnet immediately went offline, suggesting that Microsoft hit the right seven companies. The disk drives are now being examined for evidence that might lead to the botnet's operators.

It's unusual for C&C servers to be hosted in the US, or even in the West. Most operations use 'bulletproof' hosts in countries such as the Ukraine. However, by using US-based hosting firms – mostly smaller companies that had no idea what was going on – as well as deploying TLS encryption and disguising the communications between bots and C&C servers as forum messages, Rustock managed to evade the attention of spam-fighting services such as Spamhaus. However, FireEye's analysis of the traffic and Microsoft's use of sinkhole C&C servers allowed the firms to identify both the command nodes and infected machines.

The action by Microsoft has set a legal precedent that may prove useful in future fights against spammers. Some of the confiscated hardware did not belong to the hosting companies, so Microsoft had to build a legal case for its removal. It did this by showing that the spam sent by Rustock had a financial impact on Microsoft's Hotmail system and also that the C&C servers were in violation of the US CAN-SPAM Act. In the end, the court agreed to the seizure of third-party equipment.

There is still no indication of who was behind the botnet, nor how much they were making from it, although FireEye said that they were spending $10,000 a month on the hosting services.

The compromised computers that form the botnet are still infected, but are now effectively under the control of Microsoft's sinkhole C&C servers. As is common with many botnet trojans, the Rustock malware is programmed to change the domain names it contacts over time, but Microsoft has registered these future domains. However, the system vulnerabilities that allowed the zombie machines to become infected in the first place presumably still exist. As the operators of Rustock are still at large, it's possible they will simply build another botnet from scratch.

While Rustock is one of the biggest and most notorious of spamming botnets, the takedown appeared to have little effect on overall spam levels. Although there were some reports that they'd dropped by as much as a third immediately after the takedown, MessageLabs said that it was seeing 'normal' levels of spam. And TrendLabs pointed to the dent made in spam levels after the McColo takedown – and how they soon recovered.

Kaspersky has just released its spam report for February 2011, which showed India as the leading source – the US was in eighth place (this is before the Rustock action). The report noted that spam traffic from the US fell rapidly after the Pushdo/ closed, but climbed again just as rapidly. "Spammers are gradually regaining their position following the closure of major botnets in the second half of last year, and we foresee a return to spam levels of 81-82% by April-May 2011," said Maria Namestnikova, senior spam analyst at Kaspersky Lab.

Comodo certificates forged

Penetration by hackers into a reseller of Comodo digital certificates – part of the company's Registration Authority (RA) scheme – has resulted in the forging of SSL certificates for sites such as Skype, Yahoo, Windows Live, Google mail and Mozilla. These certificates could have been used for mounting Man in the Middle (MitM) or phishing attacks if Comodo hadn't responded quickly to prevent it.

An Iranian hacker later claimed responsibility for attacks on two resellers – GlobalTrust.it and InstantSSL.it, both based in Italy. He said he was able to obtain the encryption keys used to provide root authority to SSL certificates. It's not known which (if either) of these firms was the one whose keys were used to create the rogue certificates, as Comodo has refused to name the company.

It's also not known if the hacker acted alone, as he later claimed: initially, Comodo said that it suspected the attacks were state-sponsored and confirmed that they came from Iran. The hacker said he breached security by exploiting insecure password-handling as part of the Italian sites' Certificate Signing Request (CSR) processes.

The nine fake certificates were revoked within hours by Comodo, but the exploit wasn't publicly disclosed until action was also taken by browser vendors. Two days later, Google blacklisted a handful of certificates during a browser update and then Mozilla and Microsoft followed suit on subsequent days.

Later it emerged that two other resellers were compromised (which may or may not be the Italian firms named by the hacker), although no forged certificates were issued. Comodo said the companies' RA privileges had been withdrawn. Comodo has also started overseeing the validation processes used by its resellers and is introducing two-factor authentication for them. It has been criticised for allowing resellers to issue certificates directly from the root, and Comodo said it is reviewing this procedure.


In brief

UK employees share company data
More than a third (37%) of UK employees have shared privileged company data with friends and family. And more than a fifth (21%) who use laptop or desktop PCs have transferred such data to their own computers – even though more than half (58%) of these machines were shared with, or could be accessed by, other people. These are the findings of a survey by LogRhythm, which asked OnePoll to question 1,000 UK workers. The research also showed that, perhaps inspired by Wikileaks, more than a quarter of employees (26%) would be prepared to become whistleblowers and leak sensitive material if they thought it was in the … to go to the police if they found the company was up to no good. Workers between the ages of 18 and 24 were among the most willing to share information – a reflection of the impact of social networking. As the social network generation forms an ever-greater proportion of the workforce, the potential for data leaks will become larger, LogRhythm said. Perhaps in a moment of self-awareness, 82% of employees said they thought the insider threat was greater than that posed by hackers.

Dropbox security weakness
Security expert Derek Newton believes that the highly popular Dropbox service contains a major security flaw. To avoid repeated logging in, the service creates an authentication token on the user's machine. The host_id token is stored in %APPDATA%\Dropbox\config.db on Windows machines. (It's uncertain if the same vulnerability exists on other platforms, but it's likely.) If this token is stolen – for example, by malware – and transferred to another machine, that machine will be able to log in to the user's Dropbox without raising any alerts. This is because the token is not tied to the machine on which it was created and so Dropbox does not see it as a 'new' machine connecting to that account. More details are available at: .

US offsite border searches legal
A US Court of Appeals has ruled that it is legal for government border agents to take laptops and other digital devices offsite for inspection without requiring a warrant. The searching of such devices has long been controversial. Privacy rights organisations have said that it potentially exposes sensitive corporate or personal data, especially as the Department of Homeland Security has a policy of copying or downloading data if necessary. And there have been claims that removing devices to another facility for forensic inspection, without cause for suspicion, is a violation of the Fourth Amendment. However, a Ninth Circuit court has ruled that such searches are within the law when performed at US border locations.

No new laws for Nigeria
Six new laws laid before the Nigerian Parliament in March, which would have helped to clamp down on spamming, ID theft and the buying of goods online with stolen credit card details, have failed to make it on to the statute books. Politicians concerned with the country's poor reputation, which is holding back its ability to develop e-commerce, have been attempting to introduce new legislation for the past six years, but have been consistently thwarted. All these activities remain perfectly legal in Nigeria. The only online activity that is outlawed – famously by article 419 of the Nigerian Criminal Code – is advance fee fraud.

SpyEye arrests
Three men have been arrested in the UK on suspicion of financial theft that involved the use of the SpyEye trojan. Two of them – Pavel Cyganoc, a Lithuanian, and Aldis Krummins, a Latvian, both resident in the UK – have been charged with conspiracy to cause unauthorised modifications to computers, conspiracy to defraud and concealing proceeds from crime. The third, unnamed, man was bailed pending further investigation. The Metropolitan Police Service's Police Central e-Crime Unit, which made the arrests, has been working on the case since January. It's not yet known if the men were simply money mules or were behind the use of the SpyEye toolkit to create banking trojans. These are the first arrests connected with SpyEye since rumours started that it had been merged with ….

Secunia joins ISF
Vulnerability intelligence and patch management firm Secunia has become the latest member of the Information Security Forum (ISF), which now has around 300 member organisations. The move gives Secunia access to ISF's knowledge hub, research reports, risk methodologies and benchmarking tools, as well as enabling the firm to more easily collaborate with industry peers.

New RFID privacy rules for Europe
A new privacy 'framework' for Radio Frequency Identification (RFID) technology has just been introduced by the European Commission. The aim is to protect the privacy of individuals: for example, it offers guidelines on how data embedded into clothing is to be used. Although the framework is voluntary, companies selling or using RFID-based solutions are likely to conform because of widespread concerns about the technology and their need to be seen to be doing something about potential privacy problems. The framework document is available here: .

TJX hacker claims he was working for US Government
Gonzalez, who received a 20-year prison sentence for stealing more than 130 million credit and debit card numbers, now says that his actions were authorised by the US Secret Service. The hacker, working with others, gained access to organisations including TJX, Office Max, Heartland Payment Systems and …. … Service for around five years, helping to put other carders in jail, although it's alleged he continued his own criminal activities at the same time. Now Gonzalez claims that the Secret Service knew and approved of what he was doing, and that his lawyer failed to make him aware that this could be the basis of a 'public authority' defence. He has now filed a habeas corpus petition in order to get the case re-examined.

Data loss will kill businesses
Failure to implement Data Loss Prevention (DLP) technology is putting businesses at risk, says research firm Ovum in a new report. While it expects DLP sales to increase from $458m in 2009 to $832m by 2015, this is a tiny fraction of the overall market, which … loss, reputational damage and punishment by regulators is going to put firms out of business, Ovum claims. Its findings are echoed in a report by Informatica in which 74% of financial firms admit to being uncertain about their organisations' abilities to protect customer information during system or product development. Some 39% said they had experienced data loss. And of those that had suffered a data breach, 87% said it had disrupted business operations.

Malware by email – again
Some cyber-criminals have turned back to email as a way of spreading malware, according to a report by CommTouch. It says that over a two-week period, it saw a huge increase in the volume of email with malware attachments – at one point, these messages accounted for 30% of all email monitored by the firm. Although an old method, it has, says CommTouch, a new twist: the headers suggest that the messages are simply being relayed by the bots that send them, but the original source shown in the headers is a nonsensical, IPv6-like address.

Feature: In plain view: open source intelligence

Danny Bradbury, freelance journalist

Researchers can gather a surprising amount of information on targets – people or companies – by harvesting data that is already publicly available. And sometimes they even surprise themselves.

For example, Steve Wilson, an IT security consultant and digital forensic analyst at Electric Cat, didn't expect the results of a demonstration he was giving to be as good as they were. He was explaining to a special interest group how to extract useful information on individuals from publicly available data. He pulled down a selection of images of a woman from the popular photo sharing site, Flickr.

"She was a model and photographer, but then I found out she used to be a lapdancer," he said, recalling that she went by names other than the one on her Flickr account. "From that single photo, I drilled down, and ended up with names and phone numbers of her aliases from the things she'd posted in forums."

The audience at his demo were shocked, but shouldn't have been. Using publicly available information to build a comprehensive profile of a target has become an increasingly important part of information warfare. As early as the late 1940s, certain parts of the intelligence community were systematically mining the public record to find unique perspectives on their targets.

The military has long realised the importance of Open Source Intelligence (OSINT). The 2006 National Defence Authorization Act in the US defines it as "produced from publicly available information that is collected, exploited, and disseminated in a timely manner to an appropriate audience for the purpose of addressing a specific intelligence requirement."

Who wants yesterday's papers?

In past times, that could have been as simple a process as reading regional newspapers and listening to speeches given in public forums. These days, such sources are still highly relevant, but there is far more of that information to sift through. And the availability of other kinds of information, such as metadata in documents and social networking data, has made open source intelligence even more useful, while also making it harder to manage.

Suddenly, sourcing publicly available information has become like drinking from a firehose. But it is also a key tool for everyone from law enforcement through to merger and acquisitions teams, headhunters, and anti-fraud departments in private organisations.

Stephen Leece, director at the UK's Open Source Intelligence Centre, describes some underlying methodologies that can help to guide open source intelligence. "You can easily source a 25-year archive of news and business provided by someone like Thompson or Reuters," he points out, "that answers the 'is there anything in the newspaper?' question."

The type of outlet publishing information can also be indicative. Many specialised stories about industries will appear in the trade press before they make it to the newspapers (if they do at all).

There are other sources now open to open source intelligence researchers. Leece points to the relationship between entities, codified in social networks. And

Figure 1: In Maltego, running a transform on an email address can show you where it crops up online, and how.


structured information can provide some critical pointers for open source intelligence researchers.

"It's the key identifiers that people spend a lot of time on; something that you can use for an entity," Leece says. "So in the UK, you'll ask whether a person is a registered voter, and whether they have a telephone. You could put three or four elements together to find a classic profile, and you can then put these things together and create an information path."

From database to search engine

Much public domain information has historically been located in databases, but things have expanded into more open formats. Search engines, of course, have become a useful tool, and 'Google hacking', as advocated by experts such as Johnny Long, creator of the Google Hacking Database, has become a popular hobby.

That said, Peter Wood, CEO of penetration testing and information security company First Base Technologies, says that he has had his more complex Google search queries blocked by the engine. "At one point I got quite worried about manual Google hacking becoming an automated process and being used by black hats to drill down into open ports," he recalls.

Another potential problem is the skill involved in throttling the volume of information returned by the search engines. Leece recalls retrieving 1,000 hits per day by subscribing to RSS feeds on a selection of search terms in Google. "You have to be very neat and clever," he says. But not too clever. A beautifully-crafted search string designed to whittle away the chaff in search results may only return one or two stories a day, which might be too reductive for researchers. "Lockheed Martin is now training governments and specialists in how to use these different tools," he says.

In any case, Leece points out that much of the information available on non-obvious subjects isn't available via search engines: 80-90% of the information you need isn't in Google or Bing, he says. Rather, it lies in the deeper web. This deeper web may be hidden behind paywalls, or closed to search engine spiders. There are swathes of useful information embedded in documents such as County Court judgements, Leece says, and it is areas such as these where the real open source intelligence begins. "It is a very legitimate way to start mapping. It is very niche, and perhaps only your forensic, technical accounting teams will ever go there."

Focusing on forensics

If many researchers find going to the Registry Trust website, searching for a County Court judgement and paying a fee to be beyond them, then the skills required to target still more technical data sources will be even more rarified. Forensics tools can reveal much about the source of a document, the method of its production and distribution, and even the location of its subject.

It is often not even necessary to extract such data using specialist tools. Instead,

Figure 2: The edge-weighted view in Maltego helps researchers evaluate the significance of specific entities.

Figure 3: Creating a network diagram with Maltego.

sites such as Flickr do it for you. In 2009, journalist Matthew Honan cyber-stalked a woman as an experiment.1 He saw her taking pictures with an iPhone 3G in a San Francisco park. Searching on Flickr that night, he found the picture that she had taken, and was quickly able to work out where she lived and what her apartment looked like, simply by examining her photo stream.

Wilson loves geolocation information, explaining that it makes a target even more multidimensional. Furnishing oneself with an individual’s address, combined with their employer, gives you their likely routes to work. It also gives you the likely location of their children’s school, along with a handful of locations where a spouse might shop for groceries. It all contributes to the broader profile on a target. Each new piece of information creates new places to look, and should be cross-referenced against existing information in the target profile. Technical evidence from digital forensics complements information gleaned from other sources such as search engines or specialist databases perfectly. In many cases, one can inform the other.

Automating open source intelligence

“A kiddy porn domain is a good example,” says Roelof Temmingh, co-creator of Maltego, a product that merges open source intelligence and forensics. “Someone had to register it with the name and email address. The name is in the personal space, but that’s a point where the two touch each other.”

Maltego allows users to run transforms, which are functions that map one entity onto another. An entity is something that the user might want to investigate. Examples include domains, websites, email addresses, individuals, name servers, locations and telephone numbers. New entity types can be created, drawing data from any source including closed information sources such as private databases. Any of these can be mapped to other entities using transforms, and users of the product can also write their own transforms. In Temmingh’s example, the email given by the person registering the offending domain may show up in a WHOIS listing. Maltego might find evidence of the address used in online forums, which could lead to further leads. These leads – which might include IP addresses, phone numbers or other entities – could eventually lead to the identification of the malicious party.

Temmingh says that Maltego doesn’t do much more than someone could do with technical skills and a browser. Its beauty lies in its ability to scale, and visualise. “Let’s say you have 200 email addresses and want to see if they’re linked. You could do this by hand, but it will take you a little time,” he says.

Wilson likes to mix manual and automated techniques, largely by hacking his own scripts. “There is a lot of developing code segments, and rapid prototyping,” says the former Unix programmer, who says that his scripting skills are evolving over time. “The last script I wrote for Flickr involved 150 lines of Perl, and a friend did the same thing with three lines of Python,” he recalls. However, where possible he also uses tools such as Maltego, or other tools, such as CLITrack, which extracts EXIF data from photographs and enables their location to be plotted in Google Earth.

Figure 4: Maltego can be used to track higher-level concepts for open source intelligence purposes.

Figure 5: Maltego also has unicode support to help mine the increasing percentage of data that isn’t in Latin character sets.
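The transform mechanism Temmingh describes, as an added illustration that is not Maltego’s own code or API: an entity is a (kind, value) pair, a transform is a function from one entity to a list of related entities, and a breadth-first run from a set of seed entities produces an edge-weighted link graph of the kind the edge-weighted view in Figure 2 summarises. `linked_groups` answers the “200 email addresses, are they linked?” question by connecting seeds through shared domains, IP addresses or forum handles. The WHOIS, DNS and forum tables are constructed sample data, and every name and address in them is hypothetical.

```python
"""Entity-to-entity transforms over constructed lookups, producing an edge-weighted link graph."""
from collections import defaultdict, deque

# Constructed stand-ins for WHOIS, passive DNS and forum-search lookups
# (sample data only; no real registrants, domains or handles).
WHOIS_EMAIL = {"shop-one.test": "a.hunter@mail.test",
               "shop-two.test": "a.hunter@mail.test",
               "other.test": "b.lee@mail.test"}
DNS_A = {"shop-one.test": ["192.0.2.10"], "shop-two.test": ["192.0.2.10"],
         "other.test": ["198.51.100.7"], "third.test": ["192.0.2.10"]}
FORUM_HANDLES = {"a.hunter@mail.test": ["ahunter"], "c.ng@mail.test": ["ahunter"]}


# Each transform takes an entity value and returns the related (kind, value) entities.
def whois_email(domain):
    return [("email", WHOIS_EMAIL[domain])] if domain in WHOIS_EMAIL else []


def reverse_whois(email):
    return [("domain", d) for d, e in WHOIS_EMAIL.items() if e == email]


def resolve(domain):
    return [("ip", ip) for ip in DNS_A.get(domain, [])]


def reverse_dns(ip):
    return [("domain", d) for d, ips in DNS_A.items() if ip in ips]


def forum_handle(email):
    return [("handle", h) for h in FORUM_HANDLES.get(email, [])]


def handle_owner(handle):
    return [("email", e) for e, hs in FORUM_HANDLES.items() if handle in hs]


TRANSFORMS = {"domain": [whois_email, resolve], "email": [reverse_whois, forum_handle],
              "ip": [reverse_dns], "handle": [handle_owner]}


def expand(seeds, depth=2):
    """Run every applicable transform breadth-first from the seeds, up to `depth` hops.
    Returns {frozenset({a, b}): weight}; weight counts how often a pair was linked."""
    edges = defaultdict(int)
    seen, queue = set(seeds), deque((s, 0) for s in seeds)
    while queue:
        entity, hops = queue.popleft()
        if hops >= depth:
            continue
        for transform in TRANSFORMS.get(entity[0], []):
            for related in transform(entity[1]):
                if related == entity:
                    continue
                edges[frozenset((entity, related))] += 1
                if related not in seen:
                    seen.add(related)
                    queue.append((related, hops + 1))
    return dict(edges)


def degrees(edges):
    """Weighted degree per entity: the numbers behind an edge-weighted view."""
    deg = defaultdict(int)
    for edge, weight in edges.items():
        for entity in edge:
            deg[entity] += weight
    return dict(deg)


def most_connected(edges):
    """The pivot entity with the most (weighted) links."""
    return max(degrees(edges).items(), key=lambda kv: (kv[1], kv[0]))[0]


def linked_groups(seeds, depth=2):
    """Partition the seeds into groups that are connected through any chain of transforms."""
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for edge in expand(seeds, depth):
        a, b = tuple(edge)
        parent[find(a)] = find(b)
    groups = defaultdict(set)
    for seed in seeds:
        groups[find(seed)].add(seed)
    return sorted(sorted(g) for g in groups.values())


if __name__ == "__main__":
    seeds = [("email", "a.hunter@mail.test"), ("email", "b.lee@mail.test"), ("email", "c.ng@mail.test")]
    graph = expand(seeds)
    print("linked groups:", linked_groups(seeds))
    print("pivot:", most_connected(graph), "degree", degrees(graph)[most_connected(graph)])
```

With the sample tables, the first and third addresses end up in one group because they share a forum handle, while the second stands alone; the pivot with the highest weighted degree is the registrant email that appears in two WHOIS records.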
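The EXIF geolocation that Wilson plots with CLITrack is also something a defender can check for before a photo is published. The following is an added example, not code from the article, from CLITrack or from ExifTool: a minimal TIFF/EXIF reader that walks IFD0 to the GPS sub-IFD and converts the degree/minute/second rationals to signed decimal coordinates, returning None when no GPS block is present. The sample blob is built in memory with constructed coordinates; all function names are the example’s own.

```python
"""Check whether a photo's EXIF block carries GPS coordinates (standard library only)."""
import struct

GPS_IFD_POINTER = 0x8825          # IFD0 tag that points at the GPS sub-IFD
TAG_LAT_REF, TAG_LAT, TAG_LON_REF, TAG_LON = 0x0001, 0x0002, 0x0003, 0x0004
TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 7: 1, 9: 4, 10: 8}   # bytes per TIFF field type


def _read_ifd(tiff, offset, endian):
    """Return {tag: raw value bytes} for the image file directory at `offset`."""
    (count,) = struct.unpack_from(endian + "H", tiff, offset)
    entries, pos = {}, offset + 2
    for _ in range(count):
        tag, typ, num = struct.unpack_from(endian + "HHI", tiff, pos)
        size = TYPE_SIZES.get(typ, 1) * num
        if size <= 4:                                   # short values are stored inline
            entries[tag] = tiff[pos + 8:pos + 8 + size]
        else:                                           # longer values live at an offset
            (off,) = struct.unpack_from(endian + "I", tiff, pos + 8)
            entries[tag] = tiff[off:off + size]
        pos += 12
    return entries


def _dms_to_decimal(raw, ref, endian):
    """Three EXIF RATIONALs (deg, min, sec) plus an N/S/E/W reference -> signed float."""
    vals = struct.unpack(endian + "II" * (len(raw) // 8), raw)
    deg, mins, secs = [n / d if d else 0.0 for n, d in zip(vals[0::2], vals[1::2])]
    value = deg + mins / 60 + secs / 3600
    return -value if ref in ("S", "W") else value


def exif_gps(blob):
    """Return (latitude, longitude) in decimal degrees, or None if no GPS data is embedded."""
    if blob.startswith(b"Exif\x00\x00"):               # APP1 payload prefix used inside JPEGs
        blob = blob[6:]
    endian = {b"II": "<", b"MM": ">"}.get(blob[:2])
    if endian is None:
        return None
    (ifd0_off,) = struct.unpack_from(endian + "I", blob, 4)
    ifd0 = _read_ifd(blob, ifd0_off, endian)
    if GPS_IFD_POINTER not in ifd0:
        return None
    (gps_off,) = struct.unpack(endian + "I", ifd0[GPS_IFD_POINTER])
    gps = _read_ifd(blob, gps_off, endian)
    if TAG_LAT not in gps or TAG_LON not in gps:
        return None
    lat_ref = gps.get(TAG_LAT_REF, b"N").rstrip(b"\x00").decode("ascii", "replace")
    lon_ref = gps.get(TAG_LON_REF, b"E").rstrip(b"\x00").decode("ascii", "replace")
    return (_dms_to_decimal(gps[TAG_LAT], lat_ref, endian),
            _dms_to_decimal(gps[TAG_LON], lon_ref, endian))


def build_sample_exif(lat_dms, lat_ref, lon_dms, lon_ref):
    """Build a minimal little-endian EXIF blob holding only a GPS sub-IFD (constructed test data)."""
    e = "<"

    def rationals(dms):
        return b"".join(struct.pack(e + "II", n, d) for n, d in dms)

    def ascii_entry(tag, text):                        # 2-byte ASCII value stored inline
        return struct.pack(e + "HHI", tag, 2, 2) + text.encode().ljust(4, b"\x00")

    # Layout: header (8) | IFD0 (18) | GPS IFD (54) | latitude rationals (24) | longitude rationals (24)
    ifd0_off, gps_off = 8, 26
    lat_off, lon_off = gps_off + 54, gps_off + 54 + 24
    header = b"II" + struct.pack(e + "HI", 42, ifd0_off)
    ifd0 = (struct.pack(e + "H", 1)
            + struct.pack(e + "HHII", GPS_IFD_POINTER, 4, 1, gps_off)
            + struct.pack(e + "I", 0))
    gps = (struct.pack(e + "H", 4)
           + ascii_entry(TAG_LAT_REF, lat_ref)
           + struct.pack(e + "HHII", TAG_LAT, 5, 3, lat_off)
           + ascii_entry(TAG_LON_REF, lon_ref)
           + struct.pack(e + "HHII", TAG_LON, 5, 3, lon_off)
           + struct.pack(e + "I", 0))
    return b"Exif\x00\x00" + header + ifd0 + gps + rationals(lat_dms) + rationals(lon_dms)


def sample_without_gps():
    """A valid TIFF header with an empty IFD0: what a scrubbed photo looks like (constructed)."""
    return b"II" + struct.pack("<HI", 42, 8) + struct.pack("<H", 0) + struct.pack("<I", 0)


if __name__ == "__main__":
    # Constructed coordinates (roughly central San Francisco), not taken from any real photo.
    photo = build_sample_exif(((37, 1), (47, 1), (300, 10)), "N", ((122, 1), (25, 1), (120, 10)), "W")
    print("GPS in sample photo:", exif_gps(photo))                  # approx (37.79, -122.42)
    print("GPS in scrubbed photo:", exif_gps(sample_without_gps()))  # None
```

A real JPEG carries this blob inside its APP1 segment; locating that segment is the only extra step needed to run the check on files, and a non-None result is the signal that the photo should be scrubbed before it goes on a public photo stream.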


Total awareness

At a governmental level, the idea of automating this information harvesting and storing it in databases for further use has grown to monstrous proportions. John Poindexter, former national security advisor to Ronald Reagan, proposed the idea of a massive intelligence database containing both open and closed-source information after the terrorist attacks on the World Trade Centre. DARPA (the Defense Advanced Research Projects Agency) funded the project, which was called Total Information Awareness, in 2002. The project, headed by the newly-created Information Awareness Office, was designed to mine large amounts of transactional information from the US public, and included elements such as Evidence Extraction and Link Discovery. Funding for the comprehensive programme was later choked off by Congress, although reports suggest that elements of the project continued to survive in the intelligence community.

It isn’t just law enforcement and intelligence organisations that might want to combine forensic, personal and organisational data to build a comprehensive profile. One company considering the purchase of another, for example, could learn a great deal by examining the people that work there, and where its infrastructure is located. If eight IP addresses suddenly spring up geolocated in Nigeria, the chances are that the firm may have established a branch office there. Why? “You can learn from whether a firm has a centralised or decentralised IT department,” Temmingh says. “You can see that they’re consolidating, or that everyone […]

Going social

Open source intelligence naturally extends […] made cursory attempts to protect user privacy. Facebook enabled users to find out a lot more about other people who were simply in the same group as them, but the company restricted this information over time. However, there are relatively easy ways in. “We could, with a client’s permission, do the kind of thing that was done at Blackhat a few years ago, where you create a fake profile and then befriend someone,” says Wood.2 “Befriending someone gives you everything you need.”

“High net-worth individuals and companies with employees in sensitive positions should be aware that open source intelligence can be used for nefarious purposes”

Social networks open up a whole new world of information, because at least as much value is contained in the relationships between entities as in the entities themselves. If you wanted to find out everything about writers covering women’s issues in middle eastern countries, along with other contacts who were interested in the same subjects, then a search of relevant periodicals, combined with some judicious social network analysis, would get you a long way toward your goal.

The danger, of course, is that malicious actors can use the same techniques. High net-worth individuals and companies with employees in sensitive positions should be aware that open source intelligence can be used for nefarious purposes. Even if individuals (or their families) don’t attract the attention of kidnappers, they might well invite a spear-phishing attack, in which a malicious party gathers enough open source information about them to mount a convincing attack. Open source […] way into companies, too.3

Protection

[…] advises Wood. “It isn’t even appropriate to try, except for those individuals that already have a very low profile.” Instead, it’s simply a question of understanding the risks. “We have seen people using the same passwords in different environments, and that’s a learning point,” he says. Using your spouse’s middle name or the place where you bought your dog suddenly becomes far less attractive when you understand the risks. It was what enabled college student David Kernell to hack his way into Sarah Palin’s personal webmail account during the 2008 presidential election.

Ultimately, there is little new under the sun, but approaches vary as new technologies come along. Keeping a watchful eye on unclassified information in the public domain has always been a tactic for those tasked with investigating specific targets. However, the opportunities for harvesting, automating and codifying that information to produce new insights has exploded along with the Internet. Open source intelligence is entering a new era.

About the author

Danny Bradbury is a freelance technology writer who has written regularly for titles including The Guardian, Financial Times, National Post, and Backbone magazine in addition to editing several security and software development titles. He specialises in security and technology writing, but is also a documentary film maker and is currently working on a non-fiction book project.

References

1. Honan, Matthew. ‘I Am Here: One Man’s Experiment With the Location-Aware Lifestyle’. Wired, 2009.
2. Hamiel, Nathan; Moyer, Shawn. ‘Satan is on My Friends List: Attacking Social Networks’. Defcon 16. Las Vegas, 2009.
3. Mitnick, Kevin; Simon, William. ‘The Art of Deception: Controlling the Human Element of Security’. Wiley, 2002.


OSINT websites

Forensics, discovery, footprinting
About This Site – domain tools
Central Ops – domain tools
Google Hacking Database – selection of tips and queries for advanced Google hacking
Metadata Extraction Tool – extracts metadata
Shodan – search engine for servers: www.shodanhq.com
UK web archive – historical archive of websites
Wayback Machine – historical archive of websites

Geographic
Follow Your World – notification when Google satellite imagery updates
UpMyStreet – UK-specific location intelligence

Image analysis
CLITrack – EXIF analysis
ExifTool – EXIF analysis
Tineye – reverse image search

People/company search
123people: www.123people.com
Bloomberg Company Insight
International White and Yellow Pages: www.wayp.com
NetTrace – directory of many people/company […]
PeekYou
Scholar Universe – search for academics
Zabasearch

Extra intelligence
Crazedlist – Craigslist search tool
Feed My Inbox – subscribe to updates from […]

Social network search/analysis
Samepoint: samepoint.com
Searchtastic: searchtastic.com
Snapbird – Twitter search
Backtweets – similar to above
Follower Wonk – Twitter bio search tool
Spy – social media search
Topsy – social media search
Twilert – alerts when specific terms are mentioned
Yoname – metasearch
Zesty Facebook Scanner – returns available information from Facebook ID
Memolane – social network timelines: memolane.com

The slow road to professionalisation

Cath Everett, freelance journalist

The idea of ‘professionalising’ the information security industry has long been a controversial one. Many practitioners, particularly those that have been around for a long time, are simply not convinced that such a move is either necessary or has any value.

Although they may maintain membership of one or more of the many extant industry bodies, it is mainly for status reasons rather than out of any desire to be formally recognised as participating in a ‘paid occupation that involves prolonged training and a formal qualification’ (Oxford English Dictionary definition of the term ‘profession’).

Maintaining membership of industry associations is thus often seen as a chore and the idea of having to gain suitable qualifications to enter practice or undertake Continuing Professional Development (CPD) activity to remain in it is not particularly welcomed outside of highly regulated industries such as financial services (though here, too, the advent of professional standards was resisted by many older financial advisors when they were introduced in the 1990s).


The situation is also not helped by the fact that the numerous CPD schemes available have to date not been standardised. Moreover, any credits gained by participating in one are not necessarily interchangeable with another and can often differ quite radically in value.

“There is currently no accepted definition of what an information security professional actually is or does”

Another issue is that there is currently no accepted definition of what an information security professional actually is or does. This means that there is no formal profile, no mandatory requirement to be a member of an institute or have minimum qualifications and no unified, enforceable, globally recognised code of practice, as is the norm with established professions such as doctors or lawyers.

Mixed quality

The problem for potential employers and customers in this scenario arises from the mixed quality of the practitioners on the market and the fact that there is no standard, formal means of assessing their knowledge and/or experience. For example, David Porter, director of Resilient Thinking, says he tends to look at an individual’s track record, recent job testimonials and word-of-mouth feedback. “It’s about having an audit trail of proof, so pick up the phone and speak to their previous boss,” he advises.

On the other hand, Mike Gillespie, a director at information security consultancy Advent-IM, looks for “a basic set of underlying skills and knowledge in specific key areas rather than qualifications per se” and takes a more “show-me rather than tell-me” approach to recruitment.

But in an organisation where information security is not the core business, such judgements are likely to be much more difficult to make. And the fact that inexperienced pretenders can set themselves up in business with no sanction after undertaking a course of only a few days’ duration generates the risk of creating cowboys that have the potential to bring the industry into disrepute.

Although there appear to be no current moves towards either consolidating the number of industry bodies or rationalising the numerous CPD programmes on the market, work has been going on to at least come up with a set of core principles to govern responsible practitioner behaviour. While falling far short of an enforceable code of practice, the principles, which were jointly developed by the Information Security Forum (ISF), the Information Systems Audit and Control Association (ISACA) and the Information Systems Security Certification Consortium (ISC)2, are intended to provide guidelines for good practice.

Independent principles

Jason Creasey, the ISF’s global alliances leader, explains the rationale: “There’s a massive proliferation of standards, codes of practices and ethics, but they’re written by individual organisations and owned by them. So we thought there was a requirement for an independent and non-proprietary set of principles to promote responsible security behaviour.”

“We have more important things to sort out at the moment, which is about developing the professional rather than professionalising the industry”

The organisation chose its partners based on the fact that they were “leading international [rather than local] bodies” and the next phase will see ISACA and (ISC)2 marketing the principles among their membership as well as trying to secure the endorsement of other industry bodies – particularly in the US where awareness is especially low. Discussions are also ongoing as to whether the guidelines should likewise be embedded into their qualifications.

At this point, however, there are no plans to develop the principles into a more formal, enforceable code of practice, although Creasey does not entirely rule out the idea.

“We have more important things to sort out at the moment, which is about developing the professional rather than professionalising the industry,” he says. “It’s about moving forward one step at a time and we believe it’s more powerful to try and get practitioners to adopt a de facto standard.”

One of the issues is that using the principles as the basis of a code would require the creation of an agreed set of information security terminology (which is currently being worked on by ISO, the International Organisation for Standardisation) as well as involving considerable work looking at the pros and cons of professionalisation.

As a result, Creasey adds: “While we might consider doing that in future, it’s not in our agreed work programme, but it is on our radar.”

Code of practice

Advent IM’s Gillespie says that, personally, he would welcome such a step, although he acknowledges that, “the quantity of industry bodies and lack of a mandatory route into the profession, including the disparity of qualifications, makes this highly unlikely”.

Such an enforceable code would not only ensure that practitioners remain independent of the business, in the same way that financial or audit professionals are, but would also help in protecting both them and their customers, he believes.

“As we all know, it can sometimes be a fine line between providing services to the customer and satisfactorily addressing statutory requirements,” Gillespie says. “Also, how many consultants either hide behind policy because they lack the risk management skills or say what the customer wants to hear either because they want the work or because they get intimidated?”

But Gillespie is not entirely convinced about how much difference the principles,

which he describes as “a bit basic”, will make in and of themselves. While he says that the “unification of views” from disparate industry bodies can only be a good thing, he points out that their value to the industry is likely to remain limited “until and unless businesses [rather than individual practitioners] are made fully aware of their existence and accept and embrace them”.

“It’s a good starting point if only for debate such as this,” he says, “but it will be interesting to see the status of the principles in a year’s time.”

Ethics project

Meanwhile, another potential step on the road to professionalisation is the creation of an initiative entitled the Information Security Ethics Project, which is sponsored by and housed within the UK’s Institute of Information Security Professionals (IISP).

The idea behind the project came from the Institute’s general counsel, Robert Carolina, who is also a senior visiting fellow at Royal Holloway University’s information security group, where he teaches in its information security MSc programme.

In early 2009, Carolina wrote an article for Computer Weekly about the legality – or otherwise – of the actions of the BBC’s Click TV programme team when it created its own botnet for educational purposes by commandeering more than 21,000 computers around the world.

Carolina canvassed the opinions of a number of information security practitioners as to whether they considered the move right or wrong. The responses, which ranged from “it’s absolutely appalling and law enforcement should throw the book at them” to “they deserve to get an award” – which, incidentally, they later did – prompted him to explore what ethical guidance was currently available, most of which he found unhelpful.

As a result, as of early February this year, Carolina kicked off the first in a series of ethics workshops, made up of no more than 25 IISP members. “This is an area where people are crying out for guidance, especially in the private sector,” he says. “We want practitioners to have better information so that they feel less exposed and better informed to make hard decisions.”

Things are changing

The half-day discussion centred on a series of hypothetical case studies that were used to debate the right and wrong ways to respond in each scenario and, most importantly, why. The aim was to look for points of commonality and difference in individuals’ beliefs and approaches and to use those areas where opinion diverged as the basis for further discussion.

The next step will be to host an ongoing series of workshops over the next 12 months or so and to circulate reports based on the outcomes to members of the working group, although other individuals will be invited to join as appropriate.

“If this gains traction and popular support, we might be able to start abstracting out basic principles to describe what ethical practices are and maybe write them down as a rule set,” Carolina says. “But if we do that, it will only be published with highlighted case studies as you have to have examples and context. In my professional opinion, without that, it’s not much value.”

While such initiatives are, unfortunately, still rather fragmented in nature, what they would appear to suggest is that the information security industry is slowly starting to move down the path of becoming more professionalised.

As Gillespie concludes: “Things are changing. There are lots of pockets of work being done and, while they’re not consistent or global, you can see a day when the industry will get there – although it’s a long road yet.”

About the author

Cath Everett is a freelance journalist who has been writing about business and technology issues since 1992. Her special areas of focus include information security, HR/management and skills issues, marketing and high-end software.

Malvertising – exploiting web advertising

Aditya K Sood, Richard J Enbody, Michigan State University

Online advertisements provide a convenient platform for spreading malware. Since ads provide a significant portion of revenue on the web, significant effort is put into attracting users to them. Malicious agents take advantage of this attraction and then redirect users to malicious sites that serve malware.

Search engines’ intimate tie-in with advertising also assists malicious agents: significant effort goes into attracting users to particular sites from which users can be redirected. Of particular use to malicious agents is that redirection is built into online advertising so the malicious user only needs to co-opt a redirection that is taking place. As a bonus, the user expects a redirection to take place, so


the redirection to a malicious site is less of a red flag.

Another feature of online advertising that can be co-opted by malicious agents is the dynamic delivery of ads. A standard approach is to provide HTML code snippets that are used in conjunction with normal websites in order to embed advertisements. For example, Doubleclick.net provides millions of ads that are served to different domains as dynamic content – that is, the content of advertisements can change dynamically based on user or content characteristics. Service Level Agreements (SLA) exist between ad distributor and website to define appropriate content, but they are neither designed for nor appropriate for applying effective security. In particular, it is hard to determine the integrity of content that is shared among different domains across the web.

The result is that online marketing has opened up new avenues for profit generation while at the same time providing a convenient platform for malware delivery. Malvertising growth is being assisted by the following:

• Malicious agents can register nearly any domain and can use it as a storage base for malware in order to conduct drive-by-download attacks by redirecting users to their malicious domains.1 Generally, these types of domains do not comply with any types of security or privacy standards.
• Malicious agents can use different modes of malvertising infections in order to redirect traffic from malvertisements that are distributed across the World Wide Web. When a user clicks on a malvertisement, the traffic is redirected towards a malicious domain rather than the legitimate one.
• Generally, no verification check can be imposed on advertisements to detect whether the redirect occurs appropriately or not. This lack of verification results from the nature of the web-advertising model that makes it difficult for a publisher to scrutinise web traffic related to ad delivery.
• Attackers can also tamper with sponsored links to distribute malicious executables directly into the system as a part of drive-by-download infection. Internet Explorer has been a popular target because of both its popularity and its ability to run custom exploits through ActiveX controls [8].

The irony is that advertisers pay the publishers for the advertisements while the attackers exploit those same ads to spread malware.

Malvertising modes

Most of the web malware is triggered through web injections to exploit the vulnerabilities in web software and domains. Different modes of infections are used for injecting malicious advertisements in vulnerable domains. To appreciate the severity and prevalence of this class of attack, the Open Web Application Security Project (OWASP) recently placed invalidated redirects and forwards in its 2010 ‘top 10’ list.2

Malvertising with malicious widgets and redirection

The advent of Web 2.0 popularised widgets for use in advertising and traffic redirection.3 However, flaws in the design of some web widgets pose high risks to domains using those widgets for advertising.4 As mentioned above, the redirection can be co-opted by malicious users to redirect traffic to malicious sites.

Figure 1: Registering a widget on a vulnerable advertising domain.


For example, we detected a widget vulnerability in a popular news publisher website. The normal procedure is for a user to register, which allows the publisher to render news from various popular channels and embed them into the user’s websites and blogs. However, because of flaws in the publisher’s system, it’s possible to redirect traffic.

In order to install the widget, the publishing domain requires certain steps to be performed by a user to facilitate the ability of the widget to include third-party content. Specifically:

• The widget can only be installed after registration. The user selects the widget code based on the target platform – such as blogger, MySpace etc – in which the widget is to be installed.
• Once the registration is complete, the publisher requires the user to log in to his or her website or blog so that widget installation can be completed. After installation, the publisher starts sending news and advertisements to the registered user website.
• After the widget is embedded in the user’s site, the user is able to receive random content from various content providers through a vulnerable advertising domain that acts as an intermediate service provider.

For advertising purposes, the vulnerable publishing domain uses redirection links in order to advertise on the publisher’s website. However, web traffic can be easily redirected from where the widget is installed to any domain. This shows that inclusion of the widget in any random domain can result in traffic redirection from a vulnerable publisher’s website through advertising links. The attacker can exploit this scenario by performing three steps:

Step 1: The attacker registers as a legitimate user (in order to get a widget with the same domain), as shown in Figure 2.

Step 2: The attacker can activate the vulnerable publishing domain as follows, where ‘outbrain.com’ is a vulnerable advertising domain and ‘xsstestingblog’ is a blog that serves malware:

http://outbrain.com/most-viewed.action?sourceUrl=http://www.xsstestingblog.blogspot.com

Step 3: Users who go to the widget thinking that they are entering the publisher’s site find themselves redirected to the attacker’s site. A successful attack can be seen as a request-response mechanism in Figure 3.

This attack is the outcome of a design bug in the widget implementation. Attackers can exploit this scenario by generating malicious advertisements (using the publisher’s name) that are embedded with redirected URLs which exploit the design bug in the vulnerable publishing domain in order to execute redirection towards the malicious domain. This shows how a vulnerable advertising widget can be subverted by an attacker.

Figure 2: Installed widget.

HTTP specification includes the iframe to embed one web page into another. Iframes can be used to load dynamic content for advertising. This functionality of iframes can be exploited to trigger infections. Iframes are used extensively in order to bypass Same Origin Policy (SOP) and launch a Cross Domain Attack (CDA).5,6 Attackers can easily embed hidden iframes that serve malvertisements in order to spread malware while interacting with legitimate users. Usually, iframes are exploited using the following procedures for running malicious code:

1. Scripts in iframes are allowed to execute in the context of the browser process (the more powerful the context, the greater the vulnerability that can be exploited).
2. There is no specific security restriction on ActiveX object usage.
3. Browser redirection can be done easily through iframes.
4. Access to local objects is not restricted completely.

The hidden iframes used for malvertising are constructed as follows: […]

Remote malvertising

[…]ers to hide the objects that are used for spreading malware. The concept
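Two checks a publisher could put in front of the widget and ad pipeline described above, written here as an added example rather than code from the paper: `redirect_target_allowed` accepts a `sourceUrl`-style redirect parameter only when it points at an allow-listed publisher host over http(s), so an off-site target like the blog in Step 2 is refused along with scheme-relative `//host` values and `user@host` tricks; `hidden_iframes` flags iframes in ad markup that are display:none, positioned off-screen or sized 0/1 pixels, which is the hidden-iframe pattern the iframe section describes. The allow-listed hosts and the ad snippets are hypothetical, constructed sample data.

```python
"""Defensive checks for ad/widget delivery: redirect allow-listing and hidden-iframe detection."""
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# Hypothetical publisher hosts that a widget redirect is allowed to point at (constructed).
ALLOWED_HOSTS = {"publisher.example", "www.publisher.example"}


def redirect_target_allowed(url, param="sourceUrl", allowed=ALLOWED_HOSTS):
    """True only if every value of the redirect parameter is an http(s) URL whose host is
    on the allow-list. A missing parameter, another scheme, a scheme-relative //host value,
    a userinfo@host trick or an unknown host all cause rejection."""
    targets = parse_qs(urlparse(url).query).get(param)
    if not targets:
        return False
    for target in targets:
        parts = urlparse(target)
        if parts.scheme not in ("http", "https"):
            return False
        if (parts.hostname or "").lower() not in allowed:   # hostname strips user:pass@
            return False
    return True


def _is_tiny(value):
    """A width or height of 0 or 1 (optionally 'px') is the classic hidden-iframe size."""
    return (value or "").strip().lower().replace("px", "") in ("0", "1")


class _IframeScanner(HTMLParser):
    """Collect the src of every iframe that a user would not be able to see."""

    def __init__(self):
        super().__init__()
        self.hidden = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = dict(attrs)
        style = (a.get("style") or "").replace(" ", "").lower()
        invisible = ("display:none" in style or "visibility:hidden" in style
                     or "left:-" in style or "top:-" in style
                     or _is_tiny(a.get("width")) or _is_tiny(a.get("height")))
        if invisible:
            self.hidden.append(a.get("src") or "")


def hidden_iframes(markup):
    """Return the src attribute of each hidden iframe found in an ad snippet."""
    scanner = _IframeScanner()
    scanner.feed(markup)
    return scanner.hidden


# Constructed ad snippets (sample data, not captured from any real campaign).
AD_SNIPPETS = {
    "legit": '<div class="ad"><a href="http://www.publisher.example/story">Read more</a></div>',
    "visible": '<iframe src="http://ads.partner.example/frame" width="300" height="250"></iframe>',
    "hidden": '<div><iframe src="http://malware-host.invalid/x" width="1" height="1" '
              'style="display:none"></iframe></div>',
}

if __name__ == "__main__":
    ok = "http://publisher.example/most-viewed.action?sourceUrl=http://www.publisher.example/blog"
    bad = "http://publisher.example/most-viewed.action?sourceUrl=http://www.xsstestingblog.blogspot.com"
    print(redirect_target_allowed(ok), redirect_target_allowed(bad))   # True False
    for name, snippet in AD_SNIPPETS.items():
        print(name, hidden_iframes(snippet))
```

The redirect check is deliberately an allow-list rather than a block-list: the paper’s point is that nothing in the ad model verifies where a redirect goes, so the publisher has to pin the destination set itself. The iframe scan is a coarse screen on snippets before they are served, not a substitute for reviewing what third-party ad code does at runtime.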