Wednesday, Aug 20, 2008

Of Hackers and Malware

While attending the recent Black Hat security conference held in Las Vegas, I was struck by a recurring theme. First of all, this year's Black Hat conference was more malware-centric than conferences of years past. Second of all, a hacker well-versed in penetration testing doesn't necessarily have much of a background in malware developments (and vice versa). It's this latter point that kept bubbling to the top in my own perceptions of the various talks.

As an example, one particularly well received session was "Methods for Understanding Targeted Attacks with Office Documents" presented by Bruce Dang of the Microsoft Secure Windows Initiative (SWI) group. While folks I discussed it with seemed to think the talk was particularly informative and insightful, I found it lacking in focus and overall a bit of a PR pitch. The reason? Bruce began by minimizing the sophistication of the social engineering used in targeted attacks, making it sound no more difficult to discern than a standard phishing attack. He also qualified the vulnerabilities as "zero-days acknowledged in the public". Neither of these comments would hit home with a casual observer, but for someone involved in the anti-malware industry for over a dozen years, the comments seemed disingenuous at best.

True targeted attacks often include timely mentions of confidential or closely guarded information - the type of information that only an insider (or a very determined attacker) might know. The email delivering the attack often appears to come from someone in-house, and from someone the recipient might ordinarily expect to receive that specific type of information from. And unlike phishing, the composition is highly personalized, with accurate names, titles, and contact details. In short, the email appears to be as legitimate as any other bona fide internal correspondence. True targeted attacks also often use vulnerabilities that are not yet "acknowledged in the public" and thus would fall outside the scope of Dang's talk. In other words, the presentation was less about targeted attacks and more about mundane exploits of vulnerabilities in Office products. The session was wrapped up with a pitch to buy Office 2007 and install MOICE, an Office 2007 Open XML format converter that has the side benefit of breaking the functionality of much of the older Office malware.

A more surprising example was a talk given by Robert Hansen (aka Rsnake), the founder of ha.ckers.org, sla.ckers.org, and SecTheory, and Tom Stracener, a researcher for Cenzic (Web app security). The issue dealt with Google hosting gadgets on their own servers (gmodules), which the presenters allege leads to a higher level of trust from users and hence a correspondingly higher level of risk. The presenters felt that Google's main purpose was user tracking (for advertising) and thus they weren't strongly focused on the security of the user-provided apps. My take: I agree that hosting the apps on Google-owned servers can cause users to assume a higher level of trust. But the location of the gadgets also provides a one-stop shop if there is a problem. In other words, if a particular gadget were found to be malicious, there's a single point of resolution. If it weren't so centrally maintained, remediation would be far less timely and much less complete.

The most telling example of the disconnect was a comment by Rsnake that these gadgets will take off as a target when malware turns to profit as a motive. In reality, malware has been profit-motivated for more than a few years now, by a very criminal element that is leveraging far more effective targets than trying to smuggle a malicious Google gadget onto the gmodules server. Consider the millions of Web pages compromised in the ongoing SQL injection attacks, which impact millions of users and have no central point of resolution. Concerns about Google gadgets pale in comparison.

Overall, the conference was excellent. But the net sum was a feeling of unease. The criminals seem to be one step ahead of security researchers.
