<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>SecurityNowBlog&#187; SecurityNowBlog-Network Security</title>
	<atom:link href="http://www.blueridgenetworks.com/securitynowblog/feed" rel="self" type="application/rss+xml" />
	<link>http://www.blueridgenetworks.com/securitynowblog</link>
	<description>Secure Communications</description>
	<lastBuildDate>Wed, 20 Jan 2010 23:51:55 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.8.4</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>Zero Day Malware Attack Targeting Internet Explorer Users</title>
		<link>http://www.blueridgenetworks.com/securitynowblog/internet-explorer-zero-day-attack-january-2010-another-exploit</link>
		<comments>http://www.blueridgenetworks.com/securitynowblog/internet-explorer-zero-day-attack-january-2010-another-exploit#comments</comments>
		<pubDate>Mon, 18 Jan 2010 03:36:11 +0000</pubDate>
		<dc:creator>Eirik Iverson, Product Management</dc:creator>
				<category><![CDATA[Endpoint Security]]></category>

		<guid isPermaLink="false">http://www.blueridgenetworks.com/securitynowblog/?p=277</guid>
		<description><![CDATA[Less than 2 weeks into the new year, there&#8217;s another malware attack that can infest your computer with malware without your knowing it.  This is the first of the year.  More coming!
More exploits attacking more vulnerabilities in Internet Explorer, as well as Firefox, Chrome, Safari, and Opera are coming in 2010.  Predicting more malware attacks [...]]]></description>
			<content:encoded><![CDATA[<p>Less than 2 weeks into the new year, there&#8217;s another malware attack that can infest your computer with malware without your knowing it.  This is the first of the year.  More coming!<span id="more-277"></span></p>
<p>More exploits attacking more vulnerabilities in Internet Explorer, as well as Firefox, Chrome, Safari, and Opera are coming in 2010.  Predicting more malware attacks is equivalent to telling Seattle residents to expect rain in 2010.  If you&#8217;re curious as to why this is so, check out this explanation:</p>
<p style="padding-left: 30px;"><a title="Zero Day Exploits are Inherent in Web Browser Construction" href="http://www.blueridgenetworks.com/securitynowblog/web-browser-plug-ins-activex-npapi-vulnerabilities-zero-day-exploit-attacks-indefinitely" target="_blank">Never Ending Vulnerabilities for Web Browsers</a></p>
<p>Microsoft reports they&#8217;ve only seen exploits in the wild that successfully attack Internet Explorer 6 users.  However, various security intelligence organizations, as well as the alert Microsoft posted, indicate that pretty much every version of Internet Explorer is affected.</p>
<p>McAfee reported that the recently publicized attacks on Google by Chinese hackers to gain information on Chinese dissidents exploited this vulnerability.  It seems unlikely that Google would be using IE6 because organizations that do tend to be stuck with a web application they&#8217;d developed in-house that only works on IE6.  So, this goes beyond IE6 to the newer versions.</p>
<p>Reports indicate 30 more enterprise organizations have been targeted with this exploit.  The number of organizations targeted by these attacks will grow as more malware developers create attack code and sell it to the thousands of malware distributors.  Remember, as any industry matures, specialization breaks out.  So, the malware creators tend to make their money selling their binaries to malware distributors in the form of web kits, which are automated software tools that enable non-technical people to launch and manage malware attacks and Botnets.</p>
<p><strong>What Puts You Most at Risk from These Zero Day Exploit Attacks?</strong></p>
<p>Just use Internet Explorer to visit websites!  It&#8217;s not just the sordid websites; any website that you normally use.</p>
<p>This is because cyber criminals have been using their malware to find and infect the computers used by the webmasters that maintain websites.  Webmasters, like most other people, foolishly believe that their anti-virus software would let them know if they were infected, or that their computer would suddenly slow down and behave oddly.  Organizations should require webmasters to re-image their computers twice a year or more, unless they&#8217;re willing to get security software protection that stops zero-day malware attacks.</p>
<p>To those visiting this blog for the first time, and are unfamiliar with the term zero-day, if your computer protection requires &#8216;virus definition files&#8217; or signature updates, consider yourself unprotected!  There are loads of blog posts here on the subject.</p>
<p><strong>Some Attack Details on CVE-2010-0249 (or Microsoft Knowledge Base Article 979352)</strong></p>
<p>From Microsoft, &#8220;The vulnerability exists as an invalid pointer reference within Internet Explorer. It is possible under certain conditions for the invalid pointer to be accessed after an object is deleted. In a specially-crafted attack, in attempting to access a freed object, Internet Explorer can be caused to allow remote code execution.&#8221;  In short, when an Internet Explorer user visits a compromised website they become a victim of a drive-by download attack that drops an executable somewhere in user-space.  This temporary executable launches and assesses your computer: what operating system, user&#8217;s login privileges, installed security software, etc.  It then downloads and installs the permanent malware ideal for your computer.  As most cyber criminals do not create their own malware any more but instead buy it from professionals, if you get hit with a zero-day drive-by download attack like this, you won&#8217;t notice a thing before, during, or after.  In other words, your computer won&#8217;t slow down.  That happens when your computer has multiple infections.</p>
<p>Microsoft has already updated their alert page on this exploit and will likely do so again.  As of January 15, there were no practical precautions one could take to avoid one of these attacks.</p>
<p><strong>What Can You Do to Protect Yourself and others from these Zero Day Attacks?</strong></p>
<p>Install some zero-day protection software!</p>
<p>Blue Ridge offers software for consumers and organizations that would stop these and other zero-day drive-by download attacks, and more.  Consumers should get <a title="zero day protection from drive by download attacks" href="http://www.blueridgenetworks.com/products/appguard.php" target="_self">AppGuard</a>, which can be tried for free for 30 days.  Organizations should investigate <a title="Enterprise Protection from Zero Day Drive By Download Attacks on Internet Explorer and More" href="http://www.blueridgenetworks.com/products/appguard-enterprise.php" target="_self">AppGuard Enterprise</a>.  These recently won &#8220;Best Anti-Malware Product&#8221; from GSN&#8217;s Homeland Security Awards.  Those that need to lock down and audit the computers in their organization might look at <a title="Protect, Control, and Audit Enterprise Computers" href="http://www.blueridgenetworks.com/products/edgeguard.php" target="_self">EdgeGuard</a>, which includes the protections of AppGuard as well as the controls and audit capabilities an enterprise needs to plug data leaks and curb insider theft risks.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.blueridgenetworks.com/securitynowblog/internet-explorer-zero-day-attack-january-2010-another-exploit/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>November Patch Tuesday, Same Dance, Different Music</title>
		<link>http://www.blueridgenetworks.com/securitynowblog/november-patch-tuesday-zero-day-computer-protection</link>
		<comments>http://www.blueridgenetworks.com/securitynowblog/november-patch-tuesday-zero-day-computer-protection#comments</comments>
		<pubDate>Wed, 11 Nov 2009 22:05:09 +0000</pubDate>
		<dc:creator>Eirik Iverson, Product Management</dc:creator>
				<category><![CDATA[Endpoint Security]]></category>

		<guid isPermaLink="false">http://www.blueridgenetworks.com/securitynowblog/?p=273</guid>
		<description><![CDATA[Microsoft and Adobe have released important security patches that correct vulnerabilities (i.e., programming mistakes) that could be exploited to do serious harm to an individual or organization.  There are no known exploits of the Adobe vulnerability but the Microsoft ones are sure to be exploited. 
Microsoft on its November 2009 Security Patches
MS09-063 / CVE-2009-2512
Web Services [...]]]></description>
			<content:encoded><![CDATA[<p>Microsoft and Adobe have released important security patches that correct vulnerabilities (i.e., programming mistakes) that could be exploited to do serious harm to an individual or organization.  There are no known exploits of the Adobe vulnerability but the Microsoft ones are sure to be exploited.<span id="more-273"></span></p>
<p><strong>Microsoft on its November 2009 Security Patches</strong></p>
<p><strong>MS09-063 / CVE-2009-2512</strong></p>
<p>Web Services on Devices API Memory Corruption</p>
<p><strong>Microsoft Exploitability Index Assessment:</strong> Inconsistent exploit code likely</p>
<p><strong>Affected Computers:</strong> Windows Vista</p>
<p><strong>Vulnerability:</strong> The vulnerability could allow remote code execution if an affected Windows system receives a specially crafted packet.  Only attacks on the local subnet would be able to exploit this vulnerability.</p>
<p><strong>Blue Ridge on Protection:</strong> Though an unlikely attack vector, AppGuard or EdgeGuard would block such attacks that launch from user-space while drive-by download attack protection is enabled.  This Microsoft patch should be implemented as soon as practical.</p>
<p><strong>MS09-064/ CVE-2009-2523</strong></p>
<p>License Logging Server Heap Overflow</p>
<p><strong>Microsoft Exploitability Index Assessment:</strong> Inconsistent exploit code likely</p>
<p><strong>Affected Computers:</strong> Windows 2000, Service Pack 4</p>
<p><strong>Vulnerability</strong>: The vulnerability could allow remote code execution if an attacker sent a specially crafted network message to a computer running the License Logging Server.  An attacker who successfully exploited this vulnerability could take complete control of the system.</p>
<p><strong>Blue Ridge on Protection:</strong> Neither AppGuard nor EdgeGuard officially support Windows 2000.</p>
<p><strong>MS09-065</strong></p>
<p>CVE-2009-1127, Win32k Null Pointer Dereferencing Vulnerability</p>
<p>CVE-2009-2513, Win32k Insufficient Data Validation Vulnerability</p>
<p>CVE-2009-2514, Win32k EOT Parsing Vulnerability</p>
<p><strong>Microsoft Exploitability Index Assessment: </strong> Inconsistent exploit code likely: CVE-2009-1127; Consistent exploit code likely: CVE-2009-2513, CVE-2009-2514</p>
<p><strong>Affected Computers:</strong> Windows XP SP2, Windows Vista, and others, Windows 7 is unaffected</p>
<p><strong>Vulnerability:</strong></p>
<p>CVE-2009-1127.  An elevation of privilege vulnerability exists because the Windows kernel does not properly validate an argument passed to a Windows kernel system call.  An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode.  An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.</p>
<p>CVE-2009-2513. A remote code execution vulnerability exists in the Windows kernel-mode drivers due to the improper parsing of font code when building a table of directory entries.  An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode.  An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.</p>
<p>CVE-2009-2514.  A remote code execution vulnerability exists in the Windows kernel-mode drivers due to the improper parsing of font code when building a table of directory entries.  An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode.  An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.</p>
<p><strong>Blue Ridge on Protection:</strong></p>
<p>CVE-2009-1127.  AppGuard or EdgeGuard would block such attacks that launch from user-space while drive-by download attack protection is enabled.  Should such an attack elevate a guarded application to run with kernel mode privileges, AppGuard or EdgeGuard protection would not be degraded.  This Microsoft patch should be implemented as soon as practical.</p>
<p>CVE-2009-2513. AppGuard or EdgeGuard would block such attacks that launch from user-space while drive-by download attack protection is enabled.  This Microsoft patch should be implemented as soon as practical.</p>
<p>CVE-2009-2514.  AppGuard or EdgeGuard would block such attacks.  This Microsoft patch should be implemented as soon as practical.</p>
<p><strong>MS09-066/ CVE-2009-1928</strong></p>
<p>LSASS Recursive Stack Overflow Vulnerability</p>
<p><strong>Microsoft Exploitability Index Assessment:</strong> Functioning exploit code unlikely</p>
<p><strong>Affected Computers:</strong> Windows XP SP 2/3, but Windows Vista/7 are unaffected</p>
<p><strong>Vulnerability: </strong>This is just a denial of service vulnerability and of little practical value to cyber criminals.</p>
<p><strong>Blue Ridge on Protection: </strong>Irrelevant.  Low priority patch.</p>
<p><strong>MS09-067</strong></p>
<p>CVE-2009-3127, Excel Cache Memory Corruption Vulnerability</p>
<p>CVE-2009-3128, Excel SxView Memory Corruption Vulnerability</p>
<p>CVE-2009-3129, Excel Featheader Record Memory Corruption Vulnerability</p>
<p>CVE-2009-3130, Excel Document Parsing Heap Overflow Vulnerability</p>
<p>CVE-2009-3131, Excel Formula Parsing Memory Corruption Vulnerability</p>
<p>CVE-2009-3132, Excel Index Parsing Vulnerability</p>
<p>CVE-2009-3133, Excel Document Parsing Memory Corruption Vulnerability</p>
<p>CVE-2009-3134, Excel Field Sanitization Vulnerability</p>
<p><strong>Microsoft Exploitability Index Assessment:</strong><br />
Inconsistent exploit code likely: CVE-2009-3127, CVE-2009-3128, CVE-2009-3132, CVE-2009-3133, CVE-2009-3134<br />
Consistent exploit code likely: CVE-2009-3129, CVE-2009-3130, CVE-2009-3131</p>
<p><strong>Affected Computers:</strong> Microsoft Office XP SP 3, Office 2003 SP 3, Office 2007 SP 1/2</p>
<p><strong>Vulnerability:</strong></p>
<p>CVE-2009-3127.  A remote code execution vulnerability exists in the way that Microsoft Office Excel handles specially crafted Excel files. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.</p>
<p>CVE-2009-3128. A remote code execution vulnerability exists in the way Microsoft Office Excel handles specially crafted Excel files that include a malformed record object. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.</p>
<p>CVE-2009-3129.  A remote code execution vulnerability exists in the way that Microsoft Office Excel handles specially crafted Excel files that include a malformed record object. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.</p>
<p>CVE-2009-3130.  A remote code execution vulnerability exists in the way Microsoft Office Excel handles specially crafted Excel files with malformed BIFF records. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.</p>
<p>CVE-2009-3131. A remote code execution vulnerability exists in the way that Microsoft Office Excel parses documents containing a specially crafted formula embedded inside a cell. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights in the context of the currently logged on user.</p>
<p>CVE-2009-3132.  A remote code execution vulnerability exists in Microsoft Office Excel as a result of pointer corruption when loading Excel formulas. The vulnerability could allow remote code execution if a user opens a specially crafted Excel file that includes a malformed formula. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.</p>
<p>CVE-2009-3133. A remote code execution vulnerability exists in Microsoft Office Excel as a result of memory corruption when loading Excel records. The vulnerability could allow remote code execution if a user opens a specially crafted Excel file that includes a malformed object. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.</p>
<p>CVE-2009-3134.  A remote code execution vulnerability exists in Microsoft Office Excel that could allow remote code execution if a user opens a specially crafted Excel file that includes a malformed record object. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.</p>
<p><strong>Blue Ridge on Protection:</strong> AppGuard or EdgeGuard would protect computers from attacks attempting to exploit any of these vulnerabilities: CVE-2009-3127, CVE-2009-3128, CVE-2009-3129, CVE-2009-3130, CVE-2009-3131, CVE-2009-3132, CVE-2009-3133, and CVE-2009-3134.</p>
<p>Simply put: any such attack would either seek to spawn a malicious executable in user-space, which would fail to launch because of drive-by download attack protection, or the attack would attempt to place a malicious executable elsewhere, which would be blocked because AppGuard and EdgeGuard do not allow &#8216;guarded&#8217; applications to write elsewhere.</p>
<p><strong>MS09-068 / CVE-2009-3135</strong></p>
<p>Microsoft Office Word File Information Memory Corruption Vulnerability</p>
<p><strong>Microsoft Exploitability Index Assessment: </strong> Consistent exploit code likely</p>
<p><strong>Affected Computers:</strong> Microsoft Office 2007 SP 1/2, Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats Service Pack 1 and Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats Service Pack 2, Microsoft Works 8.5, Microsoft Works 9</p>
<p><strong>Vulnerability:</strong> The vulnerability could allow remote code execution if a user opens a specially crafted Word file. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.</p>
<p><strong>Blue Ridge on Protection:</strong> AppGuard or EdgeGuard would block these attacks without additional configuration.</p>
<p><strong>Adobe on its November 2009 Security Patches</strong></p>
<p><strong>CVE-2009-3489, APSB09-17</strong></p>
<p>Potential Photoshop Elements Privilege Escalation Vulnerability</p>
<p><strong>Affected Computers: </strong> Photoshop Elements 8.0, Photoshop Elements 7.0</p>
<p><strong>Vulnerability:</strong> A moderate vulnerability has been identified in Adobe Photoshop Elements versions 8.0 and 7.0. The vulnerability could allow a user with valid login credentials and/or physical access, who successfully exploits the vulnerability, to execute arbitrary commands with elevated privileges. Adobe is not aware of any exploits in the wild for the issue.</p>
<p><strong>Blue Ridge on Protection:</strong> AppGuard or EdgeGuard would block an attack that attempted to exploit this vulnerability without any additional configurations.  Users should make certain that Photoshop Elements has been added to the &#8216;Guard List&#8217;.  This patch should be implemented when doing so is convenient.</p>
<p><strong>Related Articles:</strong></p>
<p><a title="Patching Client Applications is Important, There are Other Risk Mitigations that can make Life Easier" href="http://www.blueridgenetworks.com/securitynowblog/sans-report-2009-malware-top-priority-target-software-vulnerability-but-not-patch-top-priority" target="_blank">SANS: Client-Side Software Vulnerabilities Are Highest Priority But Most Neglected Risk</a></p>
<p><a title="Why are Security Patches Important, What Else Can you Do" href="http://www.blueridgenetworks.com/securitynowblog/endpoint_security/unpatched-pc-software-targets-malware-attacks" target="_blank">Why Should UnPatched PC Software Concern You?</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.blueridgenetworks.com/securitynowblog/november-patch-tuesday-zero-day-computer-protection/feed</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Attention Facebook Users: Beware of Password Reset Emails</title>
		<link>http://www.blueridgenetworks.com/securitynowblog/facebook-users-spear-phishing-attack-fake-email-attachment-botnet-zero-day</link>
		<comments>http://www.blueridgenetworks.com/securitynowblog/facebook-users-spear-phishing-attack-fake-email-attachment-botnet-zero-day#comments</comments>
		<pubDate>Wed, 28 Oct 2009 20:25:00 +0000</pubDate>
		<dc:creator>Eirik Iverson, Product Management</dc:creator>
				<category><![CDATA[Endpoint Security]]></category>

		<guid isPermaLink="false">http://www.blueridgenetworks.com/securitynowblog/?p=269</guid>
		<description><![CDATA[Facebook users are receiving emails that pretend to be from Facebook informing them that their password has been changed.  They are asked to open the email attachment to see their new password.  Opening the attached zip file results in their computers becoming silently malware infested and part of a Botnet.  Traditional anti-virus/spyware protection will NOT stop [...]]]></description>
			<content:encoded><![CDATA[<p>Facebook users are receiving emails that pretend to be from Facebook informing them that their password has been changed.  They are asked to open the email attachment to see their new password.  Opening the attached zip file results in their computers becoming silently malware infested and part of a Botnet.  Traditional anti-virus/spyware protection will NOT stop these attacks, but new types of security software would.</p>
<p style="padding-left: 30px;"><em>&#8220;Because of the measures taken to provide safety to our clients, your password has been changed.  You can find your new password in attached document&#8221;</em></p>
<p>Security vendor Websense reports they have observed over 350,000 of these email messages (spear phishing attacks).  It&#8217;s only a matter of time until the millions of other Facebook users receive one.</p>
<p>As of 27 October 2009, only 14 out of 41 anti-virus/spyware products detected this attack (per Virus Total, reported by MX Lab).</p>
<p>When Facebook users open the email attachment, short-lived malware connects to two servers and downloads additional files (Pushdo, also known as Cutwail).  Once Pushdo is installed and running, it sends out more of these email spear phishing attacks to other Facebook users.  This Trojan is also known as a new Bredolab variant.</p>
<p>This is a clever piece of malware.  It tries to elude security researchers and personal firewalls that restrict outbound PC communications by injecting its own code into legitimate processes, svchost.exe and explorer.exe.  If it detects virtualization or honeypot characteristics within a host, it goes dormant to thwart the AV vendor consortium from quickly generating detection signatures.</p>
<p>The Trojan creates several files (%AppData%\wiaservg.log, %windir%\temp\wpv861256600826.exe, and %Programs%\Startup\isqsys32.exe).  It also launches two processes: a svchost.exe and something called isqsys32.exe.</p>
<p>What does this malware do once successfully installed?  Whatever it wants!  It may steal money from your online bank account or just silently operate as part of a Botnet.  The Botnet operators can remotely tell it to do what they want at a later time.</p>
<p><strong>Consumer and Enterprise Computers Are at Risk</strong></p>
<p>With Facebook users routinely accessing it from their work computers, they are placing their employer at risk.</p>
<p><strong>Effective Protection from these Facebook Zero Day Trojan Attacks</strong></p>
<p>Consumers with AppGuard, and organizations with either AppGuard Enterprise or EdgeGuard deployed, are protected from these attacks.  They should already have &#8220;drive-by download protection&#8221; enabled as well as have their email software guarded.</p>
<p><strong>Related Articles</strong></p>
<p><a title="Small Botnets Meticulously Sift Through an Organization's Information for Nuggets" href="http://www.blueridgenetworks.com/securitynowblog/best-botnet-defense-zero-day-computer-protection-to-avoid-enterprise-data-leaks" target="_blank">Botnets Inside the Gates, Every PC Must Defend Itself</a></p>
<p><a title="When Employees Use Home Computers for Work, Assume Any Information that PC Sees is Leaked" href="http://www.blueridgenetworks.com/securitynowblog/endpoint_security/data_leak_prevention_must_handle_home_computer_use" target="_blank">Employee Owned Computers are Data Leak Risks to Employers</a></p>
<p><a title="Online Banking Trojans Steal $100K per Victim, Less than Half Recovered" href="http://www.blueridgenetworks.com/securitynowblog/endpoint_security/antivirus-failure-costs-businesses-fraudulent-bank-transfers-fdic-regulation-e" target="_blank">Business Protection from AntiVirus-Failure Caused Fraudulent Bank Transfer Losses</a></p>
<p><a title="Email Attachments Can Do Great Harm to Consumers and an Enterprise" href="http://www.blueridgenetworks.com/securitynowblog/endpoint_security/spear-phishing-attacks-can-bankrupt-small-business" target="_blank">Today&#8217;s Spear Phishing Attacks Can Wipe Out Small Businesses in One Click</a></p>
<p><a title="Typical Anti-Virus/Spyware Products Fail to Stop NEW Malware, But Stop OLD Malware Well" href="http://www.blueridgenetworks.com/securitynowblog/endpoint_security/secunia_report_signature-based_antivirus_misses_most_unknown_malware" target="_blank">Secunia Casts More Doubt on Signature-based-Only Anti-Malware Defense</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.blueridgenetworks.com/securitynowblog/facebook-users-spear-phishing-attack-fake-email-attachment-botnet-zero-day/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Over 640,000 Websites Infecting Visiting Computers</title>
		<link>http://www.blueridgenetworks.com/securitynowblog/infected-websites-infecting-visiting-pc-zero-day-attack</link>
		<comments>http://www.blueridgenetworks.com/securitynowblog/infected-websites-infecting-visiting-pc-zero-day-attack#comments</comments>
		<pubDate>Wed, 28 Oct 2009 19:11:36 +0000</pubDate>
		<dc:creator>Eirik Iverson, Product Management</dc:creator>
				<category><![CDATA[Endpoint Security]]></category>

		<guid isPermaLink="false">http://www.blueridgenetworks.com/securitynowblog/?p=266</guid>
		<description><![CDATA[It&#8217;s not just sordid websites; any legitimate website may be infecting visiting computers.  Over 640,000 websites consisting of over six million web pages have been quietly hacked to dish out attack code to visitors.  And, these are ONLY the detected ones.  The actual number is undoubtedly much higher.
These figures come from an [...]]]></description>
			<content:encoded><![CDATA[<p>It&#8217;s not just sordid websites; any legitimate website may be infecting visiting computers.  Over 640,000 websites consisting of over six million web pages have been quietly hacked to dish out attack code to visitors.  And, these are ONLY the detected ones.  The actual number is undoubtedly much higher.<span id="more-266"></span></p>
<p>These figures come from an information security vendor named Dasient.  They offer free and paid services for assessing website health.   Their free service, which requires registration with a valid email address, sends out a periodic email stating your website either is or is NOT on any of the malware infected website blacklists.  They also offer paid services whereby they scan your website(s) periodically for malware and alert you if ever malware is detected.</p>
<p><strong>Websites Infected via Webmaster’s Computer</strong></p>
<p>Though many websites still get infected the old-fashioned way, by exploiting a vulnerability in the web server or other software, cyber criminals have found that compromising a webmaster’s laptop or desktop is far easier.</p>
<p>It begins with a typical malware attack infesting an arbitrary computer.  Once running, it scans the host for webmaster characteristics: FTP programs, web authoring tools, HTML files, etc.  Some research points to the malware altering HTML files located on the webmaster’s computer just prior to or while they are uploaded to the server.  The beauty of this approach, from the attacker's side, is that it leaves no anomalous log entries on the server, whereas the other common method, stealing the webmaster’s login credentials, does leave such breadcrumbs (e.g., a server log entry showing a login from an unfamiliar IP address).</p>
<p>There are at least three common methods employed for stealing webmaster credentials to infect legitimate websites.  First, the malware looks for the presence of typical webmaster software and then looks for its password store, which tends to be located in roughly the same place, unencrypted.  Second, the malware downloads and installs a keylogger.  Third, the malware monitors all FTP traffic and parses out any credentials, which are frequently unencrypted.  There’s a bonus to this approach: the malware can listen for FTP traffic originating from other nearby machines.  So, the webmaster must be mindful of where his/her computer is located when accessing the servers.</p>
<p><strong>Any Website May be Infected; Any Visitor May Get Infected</strong></p>
<p>Web browsers are amongst the most security-flawed client software application classes in existence.  They offer very poor compartmentalization, i.e., keeping activities in one tab or window separate from those in another tab or window.  And, matters will only get worse as cyber criminals exploit the undiscovered country of <a title="Never Ending Vulnerabilities in Web Browsers" href="http://www.blueridgenetworks.com/securitynowblog/web-browser-plug-ins-activex-npapi-vulnerabilities-zero-day-exploit-attacks-indefinitely" target="_blank">vulnerabilities amongst the browser itself, its library components, plug-ins, and add-ons</a>. If that were not enough, many browsers will automatically load another application when a specific document type is encountered.  So, Microsoft Excel would load when an .xls document is encountered, for example.  Thus, it's not just a matter of ensuring that web browsers are vulnerability free.  These other applications must be as well.</p>
<p><strong>Use Two or More Different Web Browsers</strong></p>
<p>By using Internet Explorer or Firefox for sensitive activities such as online banking, and using the other for general purpose browsing, one effectively compartmentalizes these activities such that cyber criminals cannot merely subvert internal web browser security but instead must infect the entire computer.  <a title="Reduce Data Leakage by Using Two or More Separate Web Browsers" href="http://www.securitynowblog.com/endpoint_security/dual-web-browsers-can-avoid-information-disclosures" target="_blank">More here</a></p>
<p><strong>Your Anti-Virus/Spyware Will NOT Protect You</strong></p>
<p>Though old malware still circulates around the web, cyber criminals are increasingly discarding their newly created attack code after only 48 hours to ensure that the signature-based or patterns-based technologies of your anti-virus/spyware cannot detect them.  The more short-lived the attack code, the less likely anti-virus/spyware vendors’ honeypots will ever encounter the attack code for which to develop a detection signature.  Cyveillance recently found in its lab tests of leading anti-virus/spyware products against NEW malware an average detection rate of 29%.</p>
<p><strong>You Need Computer Protection Designed to Stop NEW or Zero-day Malware Attacks!</strong></p>
<p>Blue Ridge offers <a title="Stops NEW/Zero-Day Malware Attacks" href="http://www.blueridgenetworks.com/products/appguard.php" target="_blank">AppGuard </a>for consumers and small businesses, which protects them from whatever they encounter.  AppGuard co-exists with any anti-virus/spyware product already installed.  Your existing anti-virus/spyware excels at stopping OLD malware (more than one month old).  AppGuard excels at stopping NEW malware.  You could rely only on AppGuard.  But, layered protection is always good.  And, good anti-virus/spyware software is available for free:  Microsoft Security Essentials for consumers; Comodo AV for enterprises (remember to disable the HIPS).</p>
<p>For the enterprise, Blue Ridge offers <a title="Simplest, Most Effective Enterprise Computer Protection from New/Zero-Day Attacks" href="http://www.blueridgenetworks.com/products/appguard-enterprise.php" target="_blank">AppGuard Enterprise</a>, a centrally managed computer protection software solution.  Organizations looking for extensive audit and control over their computers can either buy <a title="Protect, Control, and Audit All Enterprise Computers Everywhere" href="http://www.blueridgenetworks.com/products/edgeguard.php" target="_blank">EdgeGuard</a>, or conduct a field upgrade from AppGuard Enterprise to EdgeGuard later, via a policy update.  Small enterprises can outsource computer protection, control, and audit to <a title="Managed Security Service to Protect, Control, and Audit Your Organizations Computers" href="http://www.blueridgenetworks.com/products/managed-edgeguard.php" target="_blank">Managed EdgeGuard</a>.</p>
<p>The protection in these solutions is called AppGuard Technology.  Check out this <a title="Simple Effective Computer Protection from Zero Day Virus, Worm, Trojan, and other Malware Attacks" href="http://www.blueridgenetworks.com/docs/AppGuard-Technology-Computer-Protection-White-Paper.pdf" target="_blank">white paper</a> if you wish to understand how it works.  AppGuard Technology not only snuffs out drive-by download attacks but also prevents attacked applications such as Adobe Reader from being coerced by attackers to directly harm a PC.  Users can also install MBRguard to stop nasties such as KillDisk as well as sophisticated MBR-based rootkit attacks.</p>
<p><strong>Related Articles</strong></p>
<p><a title="Any PDF You Open may Infect Your Computer" href="http://www.blueridgenetworks.com/securitynowblog/alert-malicous-pdf-exploit-zero-day-adobe-acrobat-october-2009" target="_blank">ALERT: Malicious PDFs Exploiting Adobe Acrobat, You May Be Next</a></p>
<p><a title="BotNets Easily Infesting Enterprise, Quietly and Meticulously Sifting through its Resources" href="http://www.blueridgenetworks.com/securitynowblog/best-botnet-defense-zero-day-computer-protection-to-avoid-enterprise-data-leaks" target="_blank">Botnets Inside the Gates, Every PC Must Defend Itself</a></p>
<p><a title="3rd Party Software Tends to be Unpatched for a Long Time, Leaving Computers Vulnerable to Attack" href="http://www.blueridgenetworks.com/securitynowblog/sans-report-2009-malware-top-priority-target-software-vulnerability-but-not-patch-top-priority" target="_blank">SANS: Client-Side Software Vulnerabilities Are Highest Priority But Most Neglected Risk</a></p>
<p><a title="Any Website You Visit May Try to Infect Your Computer" href="http://www.blueridgenetworks.com/securitynowblog/endpoint_security/beladen-websites-attack-pc-malware" target="_blank">(Beladen) Websites Unknowingly Attacking PCs</a></p>
<p><a title="Decades-Old Anti-Virus/Spyware Products Fail to Stop Today's Zero Day Attacks" href="http://www.blueridgenetworks.com/securitynowblog/endpoint_security/signature-based-antivirus-and-hips-technologies-poor-endpoint-protection" target="_blank">Signature Based AntiVirus Technologies vs Malware Detection with a Coin Toss</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.blueridgenetworks.com/securitynowblog/infected-websites-infecting-visiting-pc-zero-day-attack/feed</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Cloud Computing Security: Shifts Risks to Endpoint Data Leakage</title>
		<link>http://www.blueridgenetworks.com/securitynowblog/cloud-computing-endpoint-security-data-leakage-risk</link>
		<comments>http://www.blueridgenetworks.com/securitynowblog/cloud-computing-endpoint-security-data-leakage-risk#comments</comments>
		<pubDate>Wed, 21 Oct 2009 17:47:06 +0000</pubDate>
		<dc:creator>Eirik Iverson, Product Management</dc:creator>
				<category><![CDATA[Endpoint Security]]></category>

		<guid isPermaLink="false">http://www.blueridgenetworks.com/securitynowblog/?p=262</guid>
		<description><![CDATA[Organizations that fail to account for endpoint security in their shift to cloud computing will increase their data leak risks. When web browsers and malware infected computers accessing cloud computing services leak confidential information with little to no indication of data loss, the economic benefits of cloud computing and the security benefits of using common [...]]]></description>
			<content:encoded><![CDATA[<p>Organizations that fail to account for endpoint security in their shift to cloud computing will increase their data leak risks. When web browsers and malware-infected computers accessing cloud computing services leak confidential information with little to no indication of data loss, the economic benefits of cloud computing and the security benefits of using common applications (Kerckhoffs’ Principle) unwind.<span id="more-262"></span></p>
<p><strong>Cloud Computing Economics Can Save Organizations Real Money (Quick Background)</strong></p>
<p>Historically, an enterprise acquires and deploys robust hardware to host private and publicly facing server applications. This includes component and system redundancy to attain those additional nines for availability. It also includes the infrastructure software and IT personnel to manage these beasts, which consume a considerable amount of costly electricity and Internet/network bandwidth.</p>
<p>Imagine if an enterprise partnered with another to share all of the above. This might reduce their costs by half. Add another partner, and reduce them more. That’s cloud computing. It's analogous to the progression in the 1990s from private line to frame relay and ATM to MPLS, Metro Ethernet, DSL, cable and other local Internet access media. Add in web services and other technologies, and an enterprise would realize workflow, analytic, and transaction economic gains.</p>
<p><strong>Shared Cloud Computing Software Promises Better Application Security</strong></p>
<p>We can assume that cloud-based software will be more secure than custom applications or even self-hosted shrink-wrapped applications, because more users mean more risk, which means more stress and penetration testing and more aggressive patching of discovered vulnerabilities. This reminds me of Kerckhoffs’ Principle, which characterizes the value of peer review of cryptographic algorithms. This does NOT mean that new algorithms or new applications will not have problems early on. It means that over time they will either converge toward having no vulnerabilities or will be discontinued in favor of something better.</p>
<p><strong>Cloud Computing Poses Horrifying Enterprise Data Leakage Scenarios</strong></p>
<p>A cloud computing service provider tends to employ robust physical security at its data center as well as various network-based cyber security services to limit access. All this exists to prevent unauthorized access and disclosure of what can be extremely confidential information. Now enter the end-user with valid, perhaps robust authentication, whose privileges may be tightly regulated via fine-grained authorization policies and audit records.</p>
<p>Here’s the rub! A typical cloud computing end-user accessing a cloud computing service:</p>
<ul>
<li>Uses any web browser (i.e., <span style="color: #800000;">unpatched and actively exploited vulnerabilities</span>)</li>
<li>With who knows what plug-ins and extensions (i.e., <span style="color: #800000;">unpatched and actively exploited vulnerabilities</span>)</li>
<li>With one or more other browser tabs/windows opened simultaneously running dynamic applet code (i.e., <span style="color: #800000;">man-in-the-browser attack</span>)</li>
<li>All of this running on any computer in who knows what state of a malware compromise (i.e., <span style="color: #800000;">signature-based malware detection yields less than 50-50 shot at identifying today’s malware</span>)</li>
<li>Traversing either a very safe or an extremely dangerous local network for Internet access (i.e., <span style="color: #800000;">man-in-the-middle attack</span>)</li>
<li>From any location in the world (i.e., <span style="color: #800000;">identity theft</span>)</li>
</ul>
<p>Whatever a cloud computing application authorizes an end-user to access can also be accessed via any of these data leak risks!</p>
<p><strong>How Reliable is Endpoint Data Leak Detection?</strong></p>
<p>Most IT personnel tend to be network-centric in their mitigations of security risks. So, malware has evolved accordingly by encrypting its communications to the mother ship, obfuscating/hiding its communications within seemingly legitimate traffic, using ever changing Botnets to mediate communications, and in the case of laptops, limiting communications to when off-enterprise. Ironically, many IT personnel don’t trust personal firewall logs for malware communication detection because malware could compromise the logs.</p>
<p>And, if cloud computing only audits data access by user ID and IP addresses, how does one really know what data has traversed and/or resides on what computer of an unknown state? So really, how reliable can data leak detection be?</p>
<p><strong>Endpoint Security Considerations Minimizing Cloud Computing Data Leaks </strong></p>
<p>Examine your employee workforce from the standpoint of their roles. To do his/her job, does an employee require a stateless computing environment where no data is stored locally? Or, does an employee require a general purpose computing environment where confidential data storage may or may not be necessary?</p>
<p>For the stateless computing environment roles, consider network computers, Live CDs, and other stateless technologies. While this greatly minimizes data leakage without absolutely eliminating it, it certainly simplifies information accountability: where is the data?</p>
<p>For roles requiring a general purpose computing environment, make computer protection from zero day malware your top priority. We recommend <a title="Zero Day Malware Prevention Plugs Potential Cloud Computing Data Leakage" href="http://www.blueridgenetworks.com/products/appguard-enterprise.php" target="_blank">AppGuard Enterprise</a> and <a title="Zero Day Computer Protection and Endpoint Policy Enforcement Prevent Data Leakage from Cloud Computing End-Users" href="http://www.blueridgenetworks.com/products/edgeguard.php" target="_blank">EdgeGuard</a>, which are centrally managed security software products. Next, implement endpoint security policy enforcement to harden the computers and minimize the potential for insider mistakes. For policy enforcement, which also includes assessing and correcting issues with other 3rd party security software (e.g., antivirus, disk encryption, etc.), we recommend <a title="Zero Day Computer Protection and Endpoint Policy Enforcement Prevent Data Leakage from Cloud Computing End-Users" href="http://www.blueridgenetworks.com/products/edgeguard.php" target="_blank">EdgeGuard</a>, which offers both protection and policy enforcement. EdgeGuard also takes most of the pain out of allowing employees to operate computers with local admin rights.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.blueridgenetworks.com/securitynowblog/cloud-computing-endpoint-security-data-leakage-risk/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Botnets Inside the Gates, Every PC Must Defend Itself</title>
		<link>http://www.blueridgenetworks.com/securitynowblog/best-botnet-defense-zero-day-computer-protection-to-avoid-enterprise-data-leaks</link>
		<comments>http://www.blueridgenetworks.com/securitynowblog/best-botnet-defense-zero-day-computer-protection-to-avoid-enterprise-data-leaks#comments</comments>
		<pubDate>Fri, 09 Oct 2009 15:30:48 +0000</pubDate>
		<dc:creator>Eirik Iverson, Product Management</dc:creator>
				<category><![CDATA[Endpoint Security]]></category>

		<guid isPermaLink="false">http://www.blueridgenetworks.com/securitynowblog/?p=246</guid>
		<description><![CDATA[Look around at all of the different computers in an organization.  Any one of them may be part of a Botnet, systematically stealing information and discreetly infecting others as needed, and only when needed.   A different class of Botnet targets the enterprise, some call it the mini-Botnet.  Compared to the well known monster BotNets, the mini-Botnet is quiet, [...]]]></description>
			<content:encoded><![CDATA[<p>Look around at all of the different computers in an organization.  Any one of them may be part of a Botnet, systematically stealing information and discreetly infecting others as needed, and only when needed.   A different class of Botnet targets the enterprise; some call it the mini-Botnet.  Compared to the well known monster BotNets, the mini-Botnet is quiet, meticulous, and better hidden.  They&#8217;re designed to harvest insider information and intellectual property for months and years.  And research suggests Botnet-infected PCs remain so for years.<span id="more-246"></span></p>
<p><strong>Enterprise: Worry about Mini-Botnets more than the Big Botnets</strong></p>
<p>Trend Micro is expected to report that the global median for the duration a computer is Botnet infected is over 300 days.  Further, they will also report that approximately one fourth of all detected Botnet zombies are enterprise computers.  The enterprise share may actually be higher, because the numbers are harder to estimate when multiple enterprise computers share a single public IP address.</p>
<p>Damballa, a network security firm that offers network appliances that detect Botnet communications within an enterprise, recently published figures that both challenge and complement the Trend Micro findings.  They estimate that 7% to 9% of detected Botnet communications stem from enterprise-owned IP space, or less than half what Trend Micro estimates.  I suspect that the Trend Micro research is based upon a significantly larger set of data points, some 100 million detected Botnet IP addresses.</p>
<p>Damballa reports that less than 5% of their detected enterprise Botnet computers were part of the loud, monster Botnets such as Koobface and ZDbot, meaning most infected enterprise computers are part of mini-Botnets.</p>
<p>Despite lacking the comparative scale of the big Botnets, the mini-Botnets are impressive, lacking nothing in terms of malware attack code variants or command and control sophistication.</p>
<p><strong>Multi-Stage Malware Infestations Maximize Penetration and Value for Cyber Criminals</strong></p>
<p>Mini-Botnets employ black market malware kits that enable them to launch intelligent, multi-stage attacks on computers.  These kits automate production of never-before-seen malware attack code (i.e., zero day attack/exploit), which means no signature exists for typical anti-virus/spyware software to detect them.  Targeted email attacks, or spear phishing attacks, either include virus/worm/Trojan tainted attachments or a hyperlink to a compromised web server, hundreds of thousands of which are legitimate sites.</p>
<p>When a PC gets hit, temporary malware launches and assesses the computer, determines the best options for infestation, downloads the necessary code, and loads it into the PC.  This staged process is even used to conduct privilege escalation attacks such that computers running with limited user accounts (i.e., no local admin rights) can still be infested with rootkit-based malware.  Third generation rootkits are effectively invisible to commonly available detection techniques.</p>
<p><strong>Mini-Botnets Quietly, Systematically Harvest Information</strong></p>
<p>Once one or a few computers in an enterprise are part of a Botnet, the operators quietly explore network shares, application/database servers, network topology, available communication protocols, and other client computers, and they collect credentials so they can dig deep into information resources as needed.  They infect other computers when they seek to access additional information.</p>
<p>On the other hand, they may infect end-user documents and/or multimedia that are likely to be sent to another enterprise.  For the other enterprise, they may create a separate Botnet, meaning a separate command and control system.  This way, if one mini-Botnet is discovered, the other may continue unabated.</p>
<p>If all this seems unsettling, and it should, consider the steps following the harvesting of information.  Someone has to read through it to determine what is valuable and who would buy it.  These are significant challenges.  Consider the distinction between insider information and intellectual property from the Botnet operator perspective, for example.  Intellectual property materials not only require analysis but they also require a buyer, whereas insider information can yield considerable gains (e.g., stock market trades) without finding a trustworthy buyer.  The collection of enterprise information creates demand for a new black market industry of analysts and brokers.  This suggests that the enterprise might prioritize its anti-data leak efforts toward the most readily identifiably valuable and exploitable information.</p>
<p><strong>Data Leak Prevention Could Inadvertently Help Cyber Criminals</strong></p>
<p>As the bad guys work out how they are going to find gold nuggets in the gravel, data leak practitioners should be careful not to mistakenly make matters easier for the bad guys.  Note, part of data leak prevention implementation involves classifying and tagging information/documents so that security policies can be enforced based on content.  The tags could be exploited by the bad guys to more easily find the gold.  Maybe these tags should be encrypted, and maybe even polymorphic/variable.</p>
<p><strong>Laptops Make Great Mules for Data Leaks</strong></p>
<p>Large organizations have already begun to deploy network-based data leak prevention systems.  Some are merely intrusion detection, looking for suspicious outbound communications.  Some actually inspect communications content.  Neither detects anything leaking from laptops off the enterprise.  Blue Ridge offers centrally managed endpoint security policy enforcement agents that are location aware/based.  Why can&#8217;t Botnet malware?</p>
<p><strong>Cost Effective, Zero Day Malware Prevention is Paramount</strong></p>
<p>Implementing data leak prevention systems is very burdensome.  Detecting Botnet communications is already hard and getting worse as they get more sophisticated.  So, ultimately, the enterprise must focus on preventing virus, worm, Trojan, and other zero-day malware infestations on their client computers.  But, signature-based anti-virus/spyware security software found on typical enterprise computers misses 71% of Botnet attack code, because it's altered every 10 minutes to elude detection.  The big and familiar vendors offer massive endpoint security suite software with features that detect/block Botnet attack code.  However, these features are so difficult to configure and maintain that they are usually disabled or severely under-utilized.  In other words, their effective protection is far less than what the vendors report via their independent lab tests.</p>
<p><strong>Blue Ridge Recommendation</strong></p>
<p>Deploy one of our AppGuard Technology solutions designed to provide zero-day protection from Botnet attack code.  AppGuard is available as a free 30 day trial, no registration required.  Administrators can get a very good sense for how little effort is required to configure and maintain <a title="Protect Consumer and SMB Computers from Botnet Virus, Worm, Trojan, and other Zero Day Malware" href="http://www.blueridgenetworks.com/products/appguard.php" target="_blank">AppGuard</a>, <a title="Prevent Botnet Data Leaks, Focus on Zero Day Virus, Worm, Trojan, and other Zero Day Malware Protection" href="http://www.blueridgenetworks.com/products/appguard-enterprise.php" target="_blank">AppGuard Enterprise</a>, or <a title="Protect Enterprise Computers from Zero Day Botnet Attacks AND Control/Audit Enterprise Computers Located Anywhere" href="http://www.blueridgenetworks.com/products/edgeguard.php" target="_blank">EdgeGuard</a>.  Check out their respective product pages to determine which is best for you.  For more information on how they protect computers better than your existing anti-virus/spyware security software, check out our <a title="Protect Computers from BotNet Attacks via Virus, Worm, Trojan, and other Zero Day Malware" href="http://www.blueridgenetworks.com/docs/AppGuard-Technology-Computer-Protection-White-Paper.pdf" target="_blank">zero day computer protection white paper</a>.</p>
<p><strong>A Different, Better Approach to Zero Day Attack Computer Protection</strong></p>
<p>These security software solutions take a different approach to computer protection than that of anti-virus/spyware products that rely on virus signatures.  They place under guard the applications that process incoming and potentially malicious content, instead of trying to pick the good from the bad out of a nearly infinite variety.  However, we steered away from protection that depends on knowing good behavior from bad behavior by those guarded applications, toward a deterministic approach.</p>
<p>We focus on preventing the guarded applications from doing harm by blocking write operations to critical PC resources.  Secondly, in all those endpoint places where users have write access, we prevent unknown/unauthorized executables from launching at all.  We call this user-space, and one can consider USB as such.  Guarded apps can launch from user-space (typically 2 to 4 applications from user-space are listed); this amounts to user-space whitelisting, which is considerably less effort to implement than total whitelisting.  With the at-risk applications and unknown user-space executable launches precluded from writing into the ‘Program Files’ and ‘Windows’ directories, total whitelisting is far, far less of a value-add, and that’s where the bulk of the total whitelisting implementation pain lies.</p>
<p><strong>Related Articles</strong></p>
<p><a title="SANS Recommended Controls Help Prevent Botnet Security Breaches" href="http://www.blueridgenetworks.com/securitynowblog/sans-report-2009-malware-top-priority-target-software-vulnerability-but-not-patch-top-priority" target="_blank">SANS: Client-Side Software Vulnerabilities Are Highest Priority But Most Neglected Risk</a></p>
<p><a title="Botnets Feed Off the Never Ending Vulnerabilities of Web Browsers, Recently Found More Numerous than Feared" href="http://www.blueridgenetworks.com/securitynowblog/web-browser-plug-ins-activex-npapi-vulnerabilities-zero-day-exploit-attacks-indefinitely" target="_blank">Never Ending Vulnerabilities for Web Browsers</a></p>
<p><a title="Relatively Unprotected Employee-owned Computers Provide Easy Entry into Enterprise" href="http://www.blueridgenetworks.com/securitynowblog/endpoint_security/data_leak_prevention_must_handle_home_computer_use" target="_blank">Employee Owned Computers are Data Leak Risks to Employers</a></p>
<p><a title="BotNet Controlled Online Bank Fraud Cost Businesses $100,000's Per Incident" href="http://www.blueridgenetworks.com/securitynowblog/endpoint_security/antivirus-failure-costs-businesses-fraudulent-bank-transfers-fdic-regulation-e" target="_blank">Business Protection from AntiVirus-Failure Caused Fraudulent Bank Transfer Losses</a></p>
<p><a title="Fully Patched Computers Are Harder for Botnets to Penetrate" href="http://www.blueridgenetworks.com/securitynowblog/endpoint_security/unpatched-pc-software-targets-malware-attacks" target="_blank">Why Should UnPatched PC Software Concern You?</a></p>
<p><a title="Botnets Also Use Tainted Emails Seemingly from Known People to Penetrate the Enterprise" href="http://www.blueridgenetworks.com/securitynowblog/endpoint_security/spear-phishing-attacks-can-bankrupt-small-business" target="_blank">Today&#8217;s Spear Phishing Attacks Can Wipe Out Small Businesses in One Click</a></p>
<p><a title="Zero Day Protection with Signature-Based AntiVirus is Full of Holes" href="http://www.blueridgenetworks.com/securitynowblog/endpoint_security/signature-based-antivirus-and-hips-technologies-poor-endpoint-protection" target="_blank">Signature Based AntiVirus Technologies vs Malware Detection with a Coin Toss</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.blueridgenetworks.com/securitynowblog/best-botnet-defense-zero-day-computer-protection-to-avoid-enterprise-data-leaks/feed</wfw:commentRss>
		<slash:comments>5</slash:comments>
		</item>
		<item>
		<title>ALERT: Malicious PDFs Exploiting Adobe Acrobat, You May Be Next</title>
		<link>http://www.blueridgenetworks.com/securitynowblog/alert-malicous-pdf-exploit-zero-day-adobe-acrobat-october-2009</link>
		<comments>http://www.blueridgenetworks.com/securitynowblog/alert-malicous-pdf-exploit-zero-day-adobe-acrobat-october-2009#comments</comments>
		<pubDate>Thu, 08 Oct 2009 21:57:41 +0000</pubDate>
		<dc:creator>Eirik Iverson, Product Management</dc:creator>
				<category><![CDATA[Endpoint Security]]></category>

		<guid isPermaLink="false">http://www.blueridgenetworks.com/securitynowblog/?p=250</guid>
		<description><![CDATA[Zero-day exploit attack alerts on versions of Adobe Acrobat seem to occur so often that people viewing this article might wonder: is this for October 2009, July 2009, or one of the many others from the last two years?  Yes, this is yet another one, announced 8 October 2009.  BotNet operators are certainly updating [...]]]></description>
			<content:encoded><![CDATA[<p>Zero-day exploit attack alerts on versions of Adobe Acrobat seem to occur so often that people viewing this article might wonder: is this for October 2009, July 2009, or one of the many others from the last two years?  Yes, this is yet another one, announced 8 October 2009.  BotNet operators are certainly updating their attack code on already infected computers so they can infect any resident PDF documents that might be sent to others.  They are also placing spiked PDF documents on legitimate websites that have already been compromised.  In short, if the only thing standing between you and a nasty PDF is your anti-virus/spyware software, game over!<span id="more-250"></span></p>
<p><strong>Disabling JavaScript Does Not Prevent These Adobe Acrobat Zero-Day Exploit Attacks</strong></p>
<p>Unlike the Adobe Acrobat exploit attacks that surged in summer 2009, this month&#8217;s exploits cannot be thwarted by disabling JavaScript.  And unlike some other Acrobat exploit attacks, these new ones affect every version of Acrobat that ever existed (listed below).  Even converting PDF documents to some other format and back to PDF does not guarantee safety.</p>
<p>Adobe is expected to release a patch on 13 October 2009.  Given the visibility they can expect, there&#8217;s a good chance this patch won&#8217;t cause any unforeseen problems.  Still, if Adobe is rushing, as I expect they are, I&#8217;d wait and see how others fare with this emergency patch.</p>
<p><strong>Acrobat Reader Alternatives</strong></p>
<p>There are alternatives to Acrobat Reader.  I don&#8217;t know if any of them are affected.  If you choose that route, make certain that Acrobat Reader does NOT launch when somebody double-clicks on a PDF in Windows Explorer, or when a web browser or something else opens a PDF.  The easiest precaution is to uninstall Adobe Acrobat.</p>
<p><strong>Your AntiVirus/Spyware Will NOT Protect Your Computer(s)</strong></p>
<p>I&#8217;ve written many posts on this subject.  To recap, with the automated tools in the hands of cyber criminals today, it takes them seconds to create a tainted PDF that your anti-virus/spyware software would not recognize as malware.  The anti-virus/spyware vendors, on the other hand, must discover each of these PDFs, generate a signature, and distribute it to all customer computers.  But wait, the cyber criminals will continue to employ the malware best practice of discontinuing use of each PDF after 48 hours or less.  This dramatically reduces the odds of a vendor stumbling upon a particular PDF in time to generate and distribute a signature.</p>
<p>So, if you receive a PDF from someone you know, and if you open it without non-signature-based protection, then you are implicitly trusting that the person who apparently sent it really did so, and that his/her computer is NOT already infested without that person&#8217;s knowledge.</p>
<p>A person who ignores my advice and opens a PDF from a friend, or from a legitimate website, probably will NOT notice anything.  Some executable from who knows where will be downloaded onto their computer and launched without asking or indicating anything.  This is called a drive-by download attack.  This executable will almost certainly be temporary from the perspective of the cyber criminals responsible for it.  It exists to assess the computer it landed upon, determine the most advantageous thing to do to and with that computer, and then do so.  If the user is logged in with a limited user account (LUA), or without local admin rights, that temporary executable may download and launch another applet that conducts a privilege escalation attack so as to be able to install software deep into the core of the operating system, making it practically invisible to detection tools.  Again, the vast majority of people who read these PDF documents will not notice a thing wrong.  They may, however, discover weeks or months later something horrible in the real world that is ultimately traced back to their computer.</p>
<p><strong>What Can You Do, PDFs Must Be Read, But Safely</strong></p>
<p>Consumers should get software like <a title="Protects Consumer and SMB Computers from Dangerous Adobe Acrobat PDF Exploit Attacks" href="http://www.blueridgenetworks.com/products/appguard.php" target="_blank">AppGuard</a>, which places Adobe Acrobat under guard and snuffs out drive-by download attacks sprung loose by this Acrobat exploit.  Organizations should consider something like <a title="Protects Enterprise Computers from Malicious PDF Documents that Exploit Adobe Acrobat or Other Vulnerabilities" href="http://www.blueridgenetworks.com/products/appguard-enterprise.php" target="_blank">AppGuard Enterprise</a> or <a title="Protects Computers from Exploit Attacks As Well As Conducts Continuous Audits and Enforcement of Security Best Practice Policies" href="http://www.blueridgenetworks.com/products/edgeguard.php" target="_blank">EdgeGuard</a>.</p>
<p><strong>A Different, Better Approach to Zero Day Attack Computer Protection</strong></p>
<p>These security software solutions take a different approach to computer protection than anti-virus/spyware products that rely on virus signatures.  Instead of trying to pick the bad out of a nearly infinite variety of content, they place under guard the applications that process incoming, potentially malicious content.  However, we steered away from protection that depends on telling good behavior from bad behavior in those guarded applications, and chose a deterministic approach instead.</p>
<p>First, we prevent the guarded applications from doing harm by blocking their write operations to critical PC resources.  Second, in all those endpoint locations where users have write access, we prevent unknown/unauthorized executables from launching at all.  We call this user-space, and USB media can be treated as such.  Guarded apps can launch from user-space (typically 2 to 4 applications are listed as allowed to launch from user-space); this amounts to user-space whitelisting, which is considerably less effort to implement than total whitelisting.  With the at-risk applications blocked from writing into &#8216;Program Files&#8217; and &#8216;Windows&#8217; directories, and unknown user-space executables blocked from launching at all, total whitelisting adds far, far less value, and that&#8217;s where the bulk of the total whitelisting implementation pain lies.</p>
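<p>As an added illustration (example code written for this page, not AppGuard&#8217;s or Blue Ridge Networks&#8217; own code), the two rules above can be modelled as a small policy evaluator and run over a constructed drive-by download chain of the kind described in these posts: the guarded reader drops a temporary executable into the user&#8217;s profile, tries to launch it, and tries to write into the Windows directory.  The directory layout, image names, event format and sample events are all assumptions made for the example.</p>

```python
from __future__ import annotations

from dataclasses import dataclass
from pathlib import PureWindowsPath

# Constructed directory layout for this example (assumption, not from the post).
PROTECTED_DIRS = ("C:\\Program Files", "C:\\Windows")
USER_SPACE_DIRS = ("C:\\Users", "E:\\")  # E:\ stands in for removable (USB) media


def _under(path: str, roots: tuple[str, ...]) -> bool:
    """True if path lies inside any root; Windows paths compare case-insensitively."""
    p = PureWindowsPath(path)
    return any(p.is_relative_to(PureWindowsPath(root)) for root in roots)


@dataclass(frozen=True)
class Policy:
    guarded_apps: frozenset[str]      # image names placed under guard (lower-case)
    user_space_allow: frozenset[str]  # the few images allowed to launch from user-space


@dataclass(frozen=True)
class Event:
    actor: str   # full path of the process performing the action
    action: str  # "write" or "launch"
    target: str  # file being written, or image being launched


def decide(policy: Policy, ev: Event) -> tuple[bool, str]:
    """Return (allowed, reason) for one event under the two deterministic rules."""
    actor_name = PureWindowsPath(ev.actor).name.lower()
    target_name = PureWindowsPath(ev.target).name.lower()
    if ev.action == "write":
        # Rule 1: a guarded app may not write into critical system directories.
        if actor_name in policy.guarded_apps and _under(ev.target, PROTECTED_DIRS):
            return False, "guarded app writing into a protected directory"
        return True, "write outside protected directories, or by an unguarded process"
    if ev.action == "launch":
        # Rule 2: only allow-listed images may launch from user-space.
        if _under(ev.target, USER_SPACE_DIRS) and target_name not in policy.user_space_allow:
            return False, "unknown executable launched from user-space"
        return True, "launch from a system location, or of an allow-listed user-space image"
    raise ValueError(f"unknown action: {ev.action!r}")


def evaluate(policy: Policy, events: list[Event]) -> list[tuple[Event, bool, str]]:
    """Apply the policy to each event in order and collect the verdicts."""
    return [(ev, *decide(policy, ev)) for ev in events]


# Constructed policy: the reader and browsers are guarded; the reader itself plus
# one tool form the short user-space launch allow-list ("typically 2 to 4").
POLICY = Policy(
    guarded_apps=frozenset({"acrord32.exe", "iexplore.exe", "firefox.exe"}),
    user_space_allow=frozenset({"acrord32.exe", "putty.exe"}),
)

READER = "C:\\Program Files\\Adobe\\Reader\\AcroRd32.exe"
DROPPED = "C:\\Users\\alice\\AppData\\Local\\Temp\\dropped.exe"

# Constructed sample chain: the first three events are the drive-by download
# steps described in the post; the rest show everyday launches still working.
SAMPLE_EVENTS = [
    Event(READER, "write", DROPPED),   # allowed: writing into user-space is fine
    Event(READER, "launch", DROPPED),  # denied by rule 2: the chain stops here
    Event(READER, "write", "C:\\Windows\\System32\\drivers\\dropped.sys"),  # denied by rule 1
    Event("C:\\Windows\\explorer.exe", "launch",
          "C:\\Program Files\\Microsoft Office\\WINWORD.EXE"),  # allowed: no total whitelist needed
    Event("C:\\Windows\\explorer.exe", "launch", "E:\\putty.exe"),    # allowed: on the allow-list
    Event("C:\\Windows\\explorer.exe", "launch", "E:\\unknown.exe"),  # denied by rule 2
]

if __name__ == "__main__":
    for ev, allowed, why in evaluate(POLICY, SAMPLE_EVENTS):
        print("ALLOW" if allowed else "DENY ", ev.action.ljust(6), ev.target, "--", why)
```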
<p><strong>Related Articles</strong></p>
<p><a title="Client Software Security Patches Are Implemented Slowly, Steps Can be Taken to Compensate" href="http://www.blueridgenetworks.com/securitynowblog/sans-report-2009-malware-top-priority-target-software-vulnerability-but-not-patch-top-priority" target="_blank">SANS: Client-Side Software Vulnerabilities Are Highest Priority But Most Neglected Risk</a></p>
<p><a title="Placing Adobe Acrobat Under Guard Is a Must" href="http://www.blueridgenetworks.com/securitynowblog/web-browser-plug-ins-activex-npapi-vulnerabilities-zero-day-exploit-attacks-indefinitely" target="_blank">Never Ending Vulnerabilities for Web Browsers</a> (the new class of attacks discussed there applies to Adobe products too)</p>
<p><a title="Can We Trust the Adobe Auto-Update Mechanisms?" href="http://www.blueridgenetworks.com/securitynowblog/endpoint_security/disable-software-auto-update-man-in-the-middle-attack-vulnerability" target="_blank">Disable Non-Microsoft/Apple Software Auto Update Features</a></p>
<p><a title="Its Deja Vu All Over Again!!!" href="http://www.blueridgenetworks.com/securitynowblog/endpoint_security/adobe-flash-attack-exploit-advanced-zero-day-computer-protection-required" target="_blank">Widespread Attacks Underway, Disable Adobe Flash or Install Protection Software</a> (Summer 2009)</p>
<p><a title="Businesses Have 30 Days to Discover and Report Fraudulent Online Bank Transactions" href="http://www.blueridgenetworks.com/securitynowblog/endpoint_security/antivirus-failure-costs-businesses-fraudulent-bank-transfers-fdic-regulation-e" target="_blank">Business Protection from AntiVirus-Failure Caused Fraudulent Bank Transfer Losses</a></p>
<p><a title="Local Admin Rights Not Required for Drive-by Download Attacks to Incur Major Harm" href="http://www.blueridgenetworks.com/securitynowblog/endpoint_security/mozilla-firefox-zero-day-exploit-attack-july-2009-protect-antivirus" target="_blank">Is a PC Using a Limited User Account (LUA) Safe from Drive-by Download Attacks?</a></p>
<p><a title="UnPatched Software is Like An Open Door to Cyber Criminals" href="http://www.blueridgenetworks.com/securitynowblog/endpoint_security/unpatched-pc-software-targets-malware-attacks" target="_blank">Why Should UnPatched PC Software Concern You?</a></p>
<p><a title="Even Trusted, Familiar Websites Serve Malicious PDF Documents" href="http://www.blueridgenetworks.com/securitynowblog/network_security/retail-mpls-data-networks-at-risk" target="_blank">Websites Unknowingly Attacking PCs</a></p>
<p><a title="PDFs Received or Seemingly Received from Friends on Social Networks May be Dangerous" href="http://www.blueridgenetworks.com/securitynowblog/endpoint_security/worms-virus-trojan-rob-facebook-myspace-social-network-users" target="_blank">Cybercriminals Robbing Social Network Users</a></p>
<p><a title="Opening a PDF from Email Can Literally Wipe-out a Small Business" href="http://www.blueridgenetworks.com/securitynowblog/endpoint_security/spear-phishing-attacks-can-bankrupt-small-business" target="_blank">Today&#8217;s Spear Phishing Attacks Can Wipe Out Small Businesses in One Click</a></p>
<p><strong>Affected Versions of Adobe Acrobat</strong></p>
<p>Adobe Acrobat Standard 9.1.3; Adobe Acrobat Standard 9.1.2; Adobe Acrobat Standard 8.1.6; Adobe Acrobat Standard 8.1.4; Adobe Acrobat Standard 8.1.3; Adobe Acrobat Standard 8.1.2; Adobe Acrobat Standard 8.1.1; Adobe Acrobat Standard 7.1.3; Adobe Acrobat Standard 7.1.1; Adobe Acrobat Standard 7.0.8; Adobe Acrobat Standard 7.0.7; Adobe Acrobat Standard 7.0.6; Adobe Acrobat Standard 7.0.5; Adobe Acrobat Standard 7.0.4; Adobe Acrobat Standard 7.0.3; Adobe Acrobat Standard 7.0.2; Adobe Acrobat Standard 7.0.1; Adobe Acrobat Standard 7.0; Adobe Acrobat Standard 9.1; Adobe Acrobat Standard 9; Adobe Acrobat Standard 8.1; Adobe Acrobat Standard 8.0; Adobe Acrobat Standard 7.1; Adobe Acrobat Reader 9.1.3; Adobe Acrobat Reader 9.1.2; Adobe Acrobat Reader 8.1.5; Adobe Acrobat Reader 8.1.4; Adobe Acrobat Reader 8.1.3; Adobe Acrobat Reader 8.1.2; Adobe Acrobat Reader 8.1.1; Adobe Acrobat Reader 7.1.2; Adobe Acrobat Reader 7.1.1; Adobe Acrobat Reader 7.0.9; Adobe Acrobat Reader 7.0.8; Adobe Acrobat Reader 7.0.7; Adobe Acrobat Reader 7.0.6; Adobe Acrobat Reader 7.0.5; Adobe Acrobat Reader 7.0.4; Adobe Acrobat Reader 7.0.3; Adobe Acrobat Reader 7.0.2; Adobe Acrobat Reader 7.0.1; Adobe Acrobat Reader 7.0; Adobe Acrobat Reader 8.1; Adobe Acrobat Reader 8.0; Adobe Acrobat Reader 7.1; Adobe Acrobat Professional 9.1.3; Adobe Acrobat Professional 9.1.2; Adobe Acrobat Professional 8.1.6; Adobe Acrobat Professional 8.1.4; Adobe Acrobat Professional 8.1.3; Adobe Acrobat Professional 8.1.2; Adobe Acrobat Professional 8.1.1; Adobe Acrobat Professional 7.1.3; Adobe Acrobat Professional 7.1.1; Adobe Acrobat Professional 7.0.9; Adobe Acrobat Professional 7.0.8; Adobe Acrobat Professional 7.0.7; Adobe Acrobat Professional 7.0.6; Adobe Acrobat Professional 7.0.5; Adobe Acrobat Professional 7.0.4; Adobe Acrobat Professional 7.0.3; Adobe Acrobat Professional 7.0.2; Adobe Acrobat Professional 7.0.1; Adobe Acrobat Professional 7.0; Adobe Acrobat Professional 9.1; Adobe Acrobat Professional 9; Adobe Acrobat Professional 8.1; Adobe Acrobat Professional 8.0; Adobe Acrobat Professional 7.1; Adobe Acrobat 9.1.1; Adobe Acrobat 7.0.3; Adobe Acrobat 7.0.2; Adobe Acrobat 7.0.1; Adobe Acrobat 7.0</p>
]]></content:encoded>
			<wfw:commentRss>http://www.blueridgenetworks.com/securitynowblog/alert-malicous-pdf-exploit-zero-day-adobe-acrobat-october-2009/feed</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>SANS: Client-Side Software Vulnerabilities Are Highest Priority But Most Neglected Risk</title>
		<link>http://www.blueridgenetworks.com/securitynowblog/sans-report-2009-malware-top-priority-target-software-vulnerability-but-not-patch-top-priority</link>
		<comments>http://www.blueridgenetworks.com/securitynowblog/sans-report-2009-malware-top-priority-target-software-vulnerability-but-not-patch-top-priority#comments</comments>
		<pubDate>Tue, 22 Sep 2009 20:52:24 +0000</pubDate>
		<dc:creator>Eirik Iverson, Product Management</dc:creator>
				<category><![CDATA[Endpoint Security]]></category>

		<guid isPermaLink="false">http://www.blueridgenetworks.com/securitynowblog/?p=240</guid>
		<description><![CDATA[Flaws in commonly used programs such as Adobe PDF Reader, Quicktime, Adobe Flash, Microsoft Office, web browsers, and others are far and away the primary means for cyber criminals to take what they want from consumer and enterprise computers, as well as to secretly shanghai them into Botnets.   Despite this, consumers and enterprises [...]]]></description>
			<content:encoded><![CDATA[<p>Flaws in commonly used programs such as Adobe PDF Reader, Quicktime, Adobe Flash, Microsoft Office, web browsers, and others are far and away the primary means for cyber criminals to take what they want from consumer and enterprise computers, as well as to secretly shanghai them into Botnets.   Despite this, consumers and enterprises alike are not only failing to implement long-available vendor patches, but for computer protection, they continue to rely solely on a failing anti-virus/spyware technology.<span id="more-240"></span></p>
<p>Most victims have absolutely NO IDEA that their computer has been compromised.  Television commercials from ISPs and some vendors leave many believing that malware infections are indicated by a severely slowed down computer.  This occurs when cyber criminals are sloppy.</p>
<p>Most attacks occur as <strong>drive-by download attacks</strong> when web surfing.  These are characterized by a temporary malicious application silently downloading into the user-space of the victim&#8217;s computer, which:</p>
<ul>
<li>Assesses the PC</li>
<li>Downloads the ideal permanent attack codes</li>
<li>Launches different attack codes until successful installation</li>
<li>Deletes itself</li>
</ul>
<p>The typical end-user notices nothing.  The next most popular attack vector is by way of email attachments.  Most of these are <strong>spear phishing attacks</strong> whereby victims receive an attachment from someone appearing to be familiar.  Cyber criminals try to take advantage of the trust we bestow on our friends, family, and colleagues.  And, many of these spear phishing emails really do originate from the familiar person&#8217;s computer.  Of course, that person has no idea their computer is infected.  So, any time you open an attachment or visit a web page recommended by a friend, you&#8217;re implicitly assuming that their computer has not been hacked.  In other words, &#8216;trust no one&#8217;.  Pretty lame, I know.</p>
<p>So, the good people of SANS and their partners echoed previous assertions that roughly <strong>90% of these malware attacks target programming mistakes in the software applications</strong> of a PC, leaving 10% targeting operating system vulnerabilities.</p>
<p>So, with this massive cyber criminal preference for targeting software applications, one might expect consumers and enterprises to more aggressively implement security patches on software applications.  Wrong!  On average, the measured time to patch is at least twice as long for software applications as it is for operating systems.   This will improve, particularly as Adobe, which has been shamed into action, implements more agile auto-update mechanisms in its client-side software.  Other vendors are doing so as well.</p>
<p>As we recently wrote, <a title="When in Doubt, Disable Auto Update on Client-side Software Applications" href="http://www.blueridgenetworks.com/securitynowblog/endpoint_security/disable-software-auto-update-man-in-the-middle-attack-vulnerability" target="_blank">most vendors with auto-update mechanisms are vulnerable to man-in-the-middle attacks</a>.  Yes, the auto-update feature that is meant to reduce risk from attack by implementing patches more rapidly does in fact help facilitate a successful malware attack.</p>
<p>Auto-update features are useless when there are no vendor patches available to rebuff existing attacks in the wild.  The Zero Day Initiative website maintains a list of categorized vulnerabilities that have not yet been publicly disclosed.  These were discovered and reported by &#8216;good guys&#8217; so that the respective vendors could fix the programming mistakes.  The list names the vendors but not the specific products.  A severity of low, medium, or high is provided, as well as the vulnerability report date.</p>
<p>The latter may cause any rational person some distress.   <strong>Undisclosed vulnerabilities are months old, many are over a year old</strong>.   A race is afoot, between the respective vendors seeking a vulnerability patch and cyber criminals seeking a vulnerability exploit.  Yet more disturbing, what vulnerabilities have the bad guys discovered and already begun exploiting that are not yet reported to the respective vendors?</p>
<p>Whether the software vulnerabilities are known or unknown, cyber criminals are systematically minimizing their risk of malware detection by</p>
<ul>
<li>Changing their attack code every 48 hours</li>
<li>Implementing obfuscation techniques (e.g., Lucky Sploit&#8217;s PKI encryption of its communications)</li>
<li>Self-destructing when a honey pot (i.e., a computer intentionally placed at risk of infestation by security researchers and security intelligence vendors so they can discover new malware) is detected</li>
<li>Limiting the distribution of their attack code (e.g., targeted attacks, cap the number of infections per malware sample, etc.) to minimize detection</li>
</ul>
<p>Bottom line: most computers are not protected and their end-users may never know they&#8217;re victims.</p>
<p><strong>Blue Ridge Solutions</strong></p>
<p>AppGuard Technology prevents harm from malware attacks on unpatched software applications, allowing them to run as their developers intended.</p>
<p><a title="Computer Protection Software from the most Sophisticated Malware, made for Ordinary People" href="http://www.blueridgenetworks.com/products/appguard.php" target="_blank">AppGuard</a></p>
<ul>
<li>Places software applications under &#8216;guard&#8217;; prevents drive-by download attacks from launching</li>
<li>For consumers and small businesses</li>
</ul>
<p><a title="Centrally Managed Enterprise Endpoint Protection from Zero Day Attack/Exploit Malware" href="http://www.blueridgenetworks.com/products/appguard-enterprise.php" target="_blank">AppGuard Enterprise</a></p>
<ul>
<li>Centrally managed AppGuard</li>
<li>For medium to large organizations</li>
</ul>
<p><a title="Medium to Large Enterprise Endpoint Security: Computer Protection, Control, and Audit" href="http://www.blueridgenetworks.com/products/edgeguard.php" target="_blank">EdgeGuard</a></p>
<ul>
<li>Centrally managed AppGuard</li>
<li>Endpoint audit and control: security configuration management, application control, 3rd party security software remediation, network access control (NAC) / network access protection (NAP)</li>
<li>Comprehensive operational awareness over computers located anywhere</li>
<li>For medium to large organizations</li>
</ul>
<p><a title="Small Business Computer Security:  Protection, Control, and Audit" href="http://www.blueridgenetworks.com/products/managed-edgeguard.php" target="_blank">Managed EdgeGuard</a></p>
<ul>
<li>Managed security service based on EdgeGuard</li>
</ul>
]]></content:encoded>
			<wfw:commentRss>http://www.blueridgenetworks.com/securitynowblog/sans-report-2009-malware-top-priority-target-software-vulnerability-but-not-patch-top-priority/feed</wfw:commentRss>
		<slash:comments>4</slash:comments>
		</item>
		<item>
		<title>Two Web Browsers can be More Secure than One</title>
		<link>http://www.blueridgenetworks.com/securitynowblog/dual-web-browsers-can-avoid-information-disclosures</link>
		<comments>http://www.blueridgenetworks.com/securitynowblog/dual-web-browsers-can-avoid-information-disclosures#comments</comments>
		<pubDate>Tue, 22 Sep 2009 18:00:23 +0000</pubDate>
		<dc:creator>Eirik Iverson, Product Management</dc:creator>
				<category><![CDATA[Endpoint Security]]></category>

		<guid isPermaLink="false">http://www.securitynowblog.com/?p=19</guid>
		<description><![CDATA[The current generation of web browsers has serious structural flaws that pose disturbing security risks.  Sensitive information can be disclosed, credentials/passwords stolen, fraudulent bank transfers conducted, and far more.   Enterprises and consumers can profoundly mitigate these risks without needing a security software product.  However, risks related to these do in fact require [...]]]></description>
			<content:encoded><![CDATA[<p>The current generation of web browsers has serious structural flaws that pose disturbing security risks.  Sensitive information can be disclosed, credentials/passwords stolen, fraudulent bank transfers conducted, and far more.   Enterprises and consumers can profoundly mitigate these risks without needing a security software product.  However, risks related to these do in fact require immediate action.<span id="more-19"></span></p>
<p><strong>Security Within the Web Browser is Unacceptably Porous</strong></p>
<p>If a web browser is connected to a malicious web server while connected to other web servers, that malicious web server can steal data from or inject data into those other exchanges, whether they are in the same or a different tab or window. Consider that a typical web page viewed in a web browser is often connected to a dozen or more web servers. Website owners cannot possibly guarantee that none of the other web servers are malicious. With the advent of tabbed browsing, a wonderful convenience I utilize every day, an end-user accessing your enterprise resource planning (ERP) system or some other critical asset will likely be connected to other public web servers as well.</p>
<p>Until web browsers implement internal session authorization controls, I use two web browsers. I use one for general purpose browsing and the other for sensitive matters. I also try to refrain from accessing two or more ‘sensitive’ web servers simultaneously with that web browser.</p>
<p>In this post, I won’t get into web browser settings that reduce risk. However, I would say that one can configure the ‘sensitive’ browser to visit only known, trusted sites. This doesn’t prevent end-users from using the other web browser for ‘sensitive’ matters, however. One might configure critical corporate web servers to refuse all web browsers but one kind. Sophisticated end-users can readily spoof this. Fortunately, they are the ones that can better appreciate the rationale for such a restriction.</p>
<p>Enterprise SSL VPN administrators ought to question their vendor as to what mechanisms are available for locking their SSL VPN gateway to only one type of web browser, and perhaps even to employer-owned computers, if possible.</p>
<p>I hope the next generation of web browsers, such as Google Chrome and Microsoft Internet Explorer 8, which spawn separate processes per browser tab, make a big difference.  They must also deal with the colossal challenge due to <a title="Previously Unexplored Vulnerabilities that Threaten Countless More Vulnerability Exploit Attacks (Zero-day)" href="http://www.blueridgenetworks.com/securitynowblog/web-browser-plug-ins-activex-npapi-vulnerabilities-zero-day-exploit-attacks-indefinitely" target="_blank">interoperability vulnerabilities among the web browser, its library objects, and its plug-ins</a>.   Meanwhile, two web browsers can be more secure than one.</p>
<p><strong>Overall PC Security Risks from Web Browser Vulnerabilities (Zero-Day Exploit Attacks)</strong></p>
<p>This approach mitigates risks from weak internal browser security. It does nothing to prevent malware from exploiting flaws in the web browser eco-system (browser, library objects, and plug-ins).  Cyber criminals conduct drive-by download attacks that &#8216;drop&#8217; a temporary malicious application into user-space (any folder or hard drive where a user without local admin rights can write) to assess the PC, download the ideal permanent malicious software, and install it, without an end-user noticing anything.  Alternatively, if a drive-by download attack fails, they can coerce the web browser itself to implant the malicious software.  Either way, they can then steal, delete, or ransom anything of value on the targeted computer itself or interacting with it.</p>
<p><strong>Anti-Virus/Spyware and Host Intrusion Prevention System (HIPS) Software Yield Weak Computer Protection</strong></p>
<p>Whether dealing with internal web browser security or overall PC security due to web browsers, the vast majority of consumer and enterprise computers are NOT protected from today&#8217;s virus, worm, Trojan, and other zero-day attacks.  It&#8217;s only a matter of time, and when it comes, only a small percentage of computer users will notice a change.</p>
<p>Most anti-virus/spyware computer security software relies on a signature-based technology developed over a decade ago.  Recent lab tests by Cyveillance observed a detection rate of 29% in June 2009, down from 45% in July 2008.  The reason for this is simple.  Counting the time required to discover a new malware sample, vendors need about a month to distribute to their anti-virus/spyware agents a new signature that detects the NEW malware.  As of mid 2009, roughly half of cyber criminals are using automated tools to alter their attack code every 48 hours to ensure no signature exists to detect their attack.  As more use these tools, the effectiveness of anti-virus/spyware will drop even further.</p>
<p>HIPS products have long promised to stop the NEW malware.  However, they are so complex that they are either completely disabled or severely underutilized.  Anti-virus/spyware vendors striving to improve protection with the addition of heuristics, generic signatures, and other higher level forms of detection borrowed from HIPS products are guessing whether an inbound file or communication is good or bad.  Consequently, usability concerns pertaining to false-positives and uncertainties (i.e., user-prompts) require these newer features to be throttled down.  The cyber criminals continue to elude them with ever greater ease.</p>
<p><strong>Recommended Solution from Blue Ridge</strong></p>
<p>Internal web browser security issues are best dealt with by using separate web browsers, and by the vendors themselves re-engineering the web browser from the inside out.  However, the web browsers themselves represent a clear and present danger to the computers and their users.</p>
<p>Blue Ridge offers three products and an enterprise managed security service that place web browsers and other at-risk applications &#8216;under guard&#8217;, preventing them from harming their host PC and user directly or indirectly (i.e., drive-by download attack).   <a title="Quietly Stops Zero Day Attacks on Web Browsers" href="http://www.blueridgenetworks.com/products/appguard.php" target="_blank">AppGuard </a>counters these as well as USB malware risks for consumers and small businesses.  <a title="Centrally Managed Enterprise Computer Protection from Zero Day Attacks on Never Ending Vulnerabilities in Web Browsers and Plug-ins" href="http://www.blueridgenetworks.com/products/appguard-enterprise.php" target="_blank">AppGuard Enterprise</a> does likewise for larger organizations with need of robust, centralized management of computer protection.  <a title="Centrally Managed Enterprise Computer Protection Control and Audit from Today and Tomorrow's PC Security Risks" href="http://www.blueridgenetworks.com/products/edgeguard.php" target="_blank">EdgeGuard </a>and <a title="Managed Security Service for Small to Medium Businesses (SMB) to Protect, Control, and Audit Computers" href="http://www.blueridgenetworks.com/products/managed-edgeguard.php" target="_blank">Managed EdgeGuard</a> not only protect computers but also audit and control them.  In short, audit provides administrators operational awareness over all computers located anywhere so they can identify and quantify their risks.  The control enables them to implement security best practices including application control, security configuration management, 3rd party security software remediation, network access control (NAC) / network access protection (NAP), as well as customizable and remote posture assessment and configuration modifications.</p>
<p><strong>Related Articles</strong></p>
<p><a title="Relatively New Classes of Vulnerabilities Discovered in Web Browsers Promise Considerably More Zero-Day Attacks for Years to Come that Anti-Virus/Spyware Software Cannot Stop" href="http://www.blueridgenetworks.com/securitynowblog/web-browser-plug-ins-activex-npapi-vulnerabilities-zero-day-exploit-attacks-indefinitely" target="_blank"> Never Ending Vulnerabilities for Web Browsers</a></p>
<p><a title="Numerous Small Businesses, Schools, and Others Losing $100k's per Incident" href="http://www.blueridgenetworks.com/securitynowblog/endpoint_security/antivirus-failure-costs-businesses-fraudulent-bank-transfers-fdic-regulation-e" target="_blank">Businesses Not Protected from Malware-Caused Fraudulent Bank Transfers</a></p>
<p><a title="Drive-by Download Attacks Employ Different but Effective Zero-day Attacks on Computers Running with Limited User Accounts (LUA)" href="http://www.blueridgenetworks.com/securitynowblog/endpoint_security/limited-user-account-does-not-protect-from-drive-by-download-attack" target="_blank">Is a PC using a Limited User Account (LUA) Safe from Drive-by Download Attacks?</a></p>
<p><a title="SSL VPN Inherits Web Browser Vulnerabilities" href="http://www.blueridgenetworks.com/securitynowblog/network_security/web-browser-vulnerabilities-are-ssl-vpn-risks" target="_blank">Enterprises at Risk from SSL VPN Security Vulnerabilities</a></p>
<p><a title="Data Leak Risks and their Remedies" href="http://www.blueridgenetworks.com/securitynowblog/security_applications/10_enterprise_data_leak_causes_remedies " target="_blank">Curbing 10 Costly Behavior Data Leak Problems</a></p>
<p><a title="Employee Owned Computers Leak Employer Data/Information" href="http://www.blueridgenetworks.com/securitynowblog/endpoint_security/data_leak_prevention_must_handle_home_computer_use" target="_blank">Employee Owned Computers are Data Leak Risks to Employers</a></p>
<p><strong>Revised: 22 September 2009</strong></p>
]]></content:encoded>
			<wfw:commentRss>http://www.blueridgenetworks.com/securitynowblog/dual-web-browsers-can-avoid-information-disclosures/feed</wfw:commentRss>
		<slash:comments>6</slash:comments>
		</item>
		<item>
		<title>SSL VPN Remote Access is Convenient but Not Secure</title>
		<link>http://www.blueridgenetworks.com/securitynowblog/ssl-vpn-remote-access-telework-more-data-leak-risks-than-ipsec</link>
		<comments>http://www.blueridgenetworks.com/securitynowblog/ssl-vpn-remote-access-telework-more-data-leak-risks-than-ipsec#comments</comments>
		<pubDate>Fri, 18 Sep 2009 15:38:08 +0000</pubDate>
		<dc:creator>Eirik Iverson, Product Management</dc:creator>
				<category><![CDATA[Security Applications]]></category>

		<guid isPermaLink="false">http://www.blueridgenetworks.com/securitynowblog/?p=221</guid>
		<description><![CDATA[SSL VPN security is equivalent to holding private meetings in a crowded restaurant whereby other diners are required to voluntarily ignore the conversation and those in it are blind-folded and required to recognize the voices of their colleagues to prevent outside influences.  Web browser security flaws, lack of browser and computer policy enforcement, computer [...]]]></description>
			<content:encoded><![CDATA[<p>SSL VPN security is equivalent to holding private meetings in a crowded restaurant whereby other diners are required to voluntarily ignore the conversation and those in it are blind-folded and required to recognize the voices of their colleagues to prevent outside influences.  Web browser security flaws, lack of browser and computer policy enforcement, computer malware, and dependence on end-users recognizing man-in-the-middle attacks make SSL VPN a poor choice for organizations with anything worth stealing or manipulating.<span id="more-221"></span></p>
<p><strong>Porous Compartmentalization within Web Browsers Undermines SSL VPN</strong></p>
<p>Researchers at DefCon 2009 recently published a comprehensive study on the unexplored opportunities for malware makers in attacking the interoperability of applications and their plug-ins, particularly web browsers.  I recently posted an article on this blog articulating the nature and significance of these risks, which indicate that <a title="InterOperability Among a Web Browser, its Plug-Ins, and its Library Components Represent Fresh Meat to Cyber Criminals, Promising Years of Risk to All Web Browser Users" href="http://www.blueridgenetworks.com/securitynowblog/web-browser-plug-ins-activex-npapi-vulnerabilities-zero-day-exploit-attacks-indefinitely" target="_blank">web browser vulnerabilities are at least one or two orders of magnitude more numerous than previously thought</a>.  In short, the data interactions of any single web browser tab or window ought to be private and unadulterated by any other software object within the web browser.  It isn’t so and will not be for a long time.  Note that malware within a web browser is itself one such software object, and it manipulates the others.</p>
<p>Many information security practitioners recommend the <a title="Keep Your Bank and Credit Card Web Transaction Away from Man-in-the-Browser Attacks by Using Separate Web Browsers" href="http://www.blueridgenetworks.com/securitynowblog/endpoint_security/dual-web-browsers-can-avoid-information-disclosures" target="_blank">use of two or more separate web browser applications to better compartmentalize web activities</a> from others until the promise of web browsers spawning separate processes per tab/window is convincingly demonstrated over time.  This slight digression raises another point about endpoint policy enforcement and authentication (two sub-sections below).</p>
<p><strong>SSL VPN More Vulnerable to Malware Infested Computer Risks</strong></p>
<p>But malware on a computer with IPSec or any other form of VPN is just as susceptible, right?  Yes and no!  Yes, malware intended to steal information can do so on either.  However, with SSL VPN, the malware need only adapt to eavesdropping on web communications, whereas with IPSec VPN the malware must do so for all relevant applications.  Similarly, altering communications or conducting additional activities is easier too.  Further, an SSL VPN session can literally be hijacked, such that remotely controlled malware can continue to covertly use it without an end-user’s knowledge.</p>
<p><strong>SSL VPN End-user Convenience versus Enterprise Security</strong></p>
<p>More important than the above comparative susceptibility, however, end-users can use ANY computer to launch an SSL VPN session.  Detecting malware after infestation, particularly on machines that run with local admin rights, is nearly pointless with the increased use of 3rd generation rootkit-based malware.   Cyveillance recently found that signature-based tools failed to detect over 71% of the malware samples, each less than a month old, that they gathered in the wild for testing.  I recently wrote another article concerning the <a title="Are Employee-owned Computers Handling Sensitive Information Free of Data Leak Malware; Do You Feel Lucky...Well Do Ya?" href="http://www.blueridgenetworks.com/securitynowblog/endpoint_security/data_leak_prevention_must_handle_home_computer_use" target="_blank">data leak risks to organizations allowing employees to work from employee owned computers</a>.</p>
<p>Man-in-the-browser malware is among the toughest to detect and deter.  Sophisticated attacks from compromised or malicious websites, for example, employ public key cryptography to effectively obfuscate their malware attack code as it enters or leaves a computer (e.g., &#8220;Lucky Sploit&#8221; Malware ToolKit). If the attack code limits its operations to within the web browser, the chances of its detection are far, far less than if it tries to ‘venture out of the browser’.   So SSL VPN communications are easier for malware to compromise than IPSec.</p>
<p>SSL VPN vendors offer browser plug-ins to assess the status of security software on a computer.  This says nothing about the state of the computer an hour, day, or a year earlier.  With today’s stealthy malware, endpoint health assessment must ultimately be a continuous, cradle to grave, practice.  Employees understandably would have reservations about their employers continuously monitoring an employee-owned computer.</p>
<p><strong>SSL VPN Must Require a Dedicated Web Browser that is Site-Locked </strong></p>
<p>Cross site scripting attacks, for which no near term, practical defense yet exists, utterly confuse web browsers and their end-users such that they do not know with whom they are communicating.  An organization that must use SSL VPN can enforce policies that site-lock a web browser to one or more SSL VPN gateway IP addresses.  Malicious and mischievous end-users can circumvent policy enforcement tools not specifically designed to prevent this, however.  Browser applets cannot do so continuously.</p>
<p>SSL VPN vendors could theoretically employ web browser applets that rigorously interrogate a web browser seeking an SSL VPN session to determine whether or not it truly is the designated web browser.  Frankly, I don’t know if the vendors actually offer such a capability yet, or whether this proves effective.   And keep in mind the article referenced above concerning browser/plug-in/library object interoperability, as well as object integrity shortcomings (not all web browsers validate digital signatures of software objects): SSL VPN plug-ins and other software objects both present, and are subject to, other problems.</p>
<p>Regardless, SSL VPN gateways do not effectively authenticate computers (not to be confused with end-user authentication).  So, if one ignores the risks from the host computer, dedicated, site-locked web browsers can reduce risks.</p>
<p><strong>SSL VPN Depends on End-users Properly Responding to Man-in-the-Middle Attacks</strong></p>
<p>Indirectly, the preceding sections imply man-in-the-browser attacks, whereby malicious software objects operate unnoticed within the browser to eavesdrop on, manipulate, and even hijack a session.  Man-in-the-middle attacks, however, generally exploit end-user ignorance.  Most end-users click on a web browser’s continue button when a prompt saying the ‘certificate for this server is invalid’ tries to alert them to the attack.  Like opening email attachments, organizations can tell end-users not to do so, but they do.  And, they will click that ‘continue’ button too.  Endpoint policy enforcement tools can ensure end-user discretion is eliminated.  But then, we return to the challenge of the SSL VPN gateway authenticating the browser, the computer, and the end-user too.</p>
<p style="padding-left: 60px;"><span style="color: #808080;">Side-story: Years ago, I showed a marketing colleague something on my computer display.  It was a prompt from my web browser, alerting me to some web server’s invalid certificate.  She agreed to make a quality screenshot of it.  Almost immediately, she questioned why her display was so different from mine.  She had clicked ‘continue’ on the prompt and said she always does so.  The poor thing then endured one of my lectures.</span></p>
<p>Remember, end-user authentication is essential and most forms in use are vulnerable to man-in-the-middle attacks.  One-time pass code systems authenticate the end-user but not the SSL VPN gateway.  Out-of-band authentication (e.g., cell phone text message) is a worthy mechanism if it at least implicitly authenticates the SSL VPN gateway too.  Client VPN software completely eliminates dependence on end-users making the correct security choice.</p>
<p><strong>SSL VPN Fine Grained Filtering Compared to IPSec and Local Ethernet Switches</strong></p>
<p>SSL VPN gateways perform proxy operations insofar as remote access user computers do not communicate directly with anything on the other side of the SSL VPN gateway.  This proxy server functionality benefits organizations because it can filter out risky content such as HTML ‘put’ arguments that would try to write something to a server.  Such filtering reduces the exposure of important servers to the endpoint population.  Most SSL VPN gateways include such capabilities.  As to what percentage of deployments actually make significant use of it, I cannot say.</p>
<p>One might ask, however, how many organizations employ a proxy server between local end-users and their important servers?  After all, Ethernet switches do not do so.  Any endpoint, remote or local, is a potential malware infested threat to all enterprise servers.  How commonly do they internally deploy an SSL VPN gateway for this purpose?  Are SSL VPN gateways sufficiently compatible with ALL of the enterprise applications employed?  Doubtful!</p>
<p>Enterprise content filtering is becoming more and more comprehensive.  These systems perform both proxy and non-proxy filtering of traffic.  Does it make sense to effectively manage two sets of proxy servers: one for local endpoints and SSL VPN gateways for remote computers?  Deploying a single system for both local and remote computers is considerably more practical.  From this perspective, there are operational savings from using a layer 2 client VPN solution for remote access to protect important servers from the risks of client endpoint exposure.</p>
<p><strong>SSL VPN Offers Lower Operations Costs</strong></p>
<p>Presumably, SSL VPN does not require installation of persistent client software, sparing organizations the installation and software testing requirements.  However, SSL VPN vendor value-add capabilities, which help make their data sheets and marketing materials look impressive, often do install persistent client software.  When features require local admin rights for first-use, then persistent client software is in play, which can fail, be exploited, and must be patched/updated from time to time.  I wrote of this in a white paper called the “<a title="Agent Based NAC Yields Continuous, Full-Time Endpoint Security Policy Enforcement On and Off Enterprise, Agent-less is Neither Clientless nor Effective" href="https://secureitalliance.org/blogs/files/228/2519/WP-Case%20for%20Agent%20Based%20NAC.pdf" target="_blank">Case for Agent-based NAC Solutions</a>”.  This tends to undermine the argument that SSL VPN doesn’t require client side testing and life-cycle support but client VPN software does.</p>
<p>Client VPN, however, always requires software installation.  I can appreciate the dilemma of small and medium businesses lacking a centralized software distribution and configuration management system.  However, those that do have them, such as federal organizations that must comply with <strong>Federal Desktop Core Configuration (FDCC)</strong> requirements and large commercial organizations, can push out software installations quite easily.</p>
<p>So, it comes down to known operations costs versus unknown security losses.  SSL VPN represents a massive data leak risk.  Yet, with the inability to detect malware infestations, man-in-the-browser attacks, and man-in-the-middle attacks, how would an organization plausibly know what data they are leaking daily, particularly if unknown computers are used for SSL VPN connections?   No easy answer, so turn this perspective around to a basic security question: do you know where your data and documents are, and where they’ve been?  Many security practitioners argue if this answer is grossly unknown, then one cannot assert having good security.  SSL VPN exacerbates this challenge.</p>
<p><strong>Do SSL VPN Security Weaknesses Matter to Organizations?</strong></p>
<p>The primary purpose for SSL VPN deployment is to provide low operations cost remote access to organization employees so they can access and input data so their employers benefit from increased productivity. Ideally, organizations also consider security a primary factor in SSL VPN deployment, seeking private communications without tampering by outside parties and reduced exposure of the application servers to malice. Given that most of my concerns regarding SSL VPN security have been expressed for years and SSL VPN continues to be so widely employed, is SSL VPN security really a priority among IT decision-makers, or are those professionals really unaware of them?</p>
<p><strong>If One Must Use SSL VPN, Invest in Computer Protection</strong></p>
<p>Blue Ridge offers several computer protection products, <a title="Consumer and Small Business Computer Protection from Zero Day Virus, Worms, Trojans, USB, and other Malware Attacks" href="http://www.blueridgenetworks.com/products/appguard.php" target="_blank">AppGuard</a>, <a title="Centrally Managed Lightweight Enterprise Computer Protection from Zero Day Virus, Worms, Trojans, and other Zero Day Malware" href="http://www.blueridgenetworks.com/products/appguard-enterprise.php" target="_blank">AppGuard Enterprise</a>, and <a title="Enterprise Computer Protection, Control, and Audit/Operational Awareness including Microsoft NAP, Application Control, Security Software Auto Remediation, and Security Configuration Management" href="http://www.blueridgenetworks.com/products/edgeguard.php" target="_blank">EdgeGuard</a>, and a managed security service called <a title="Managed Endpoint Security Service to Protect, Control, and Audit Enterprise Computers" href="http://www.blueridgenetworks.com/products/managed-edgeguard.php" target="_blank">Managed EdgeGuard</a>.  They protect computers from malware attack code of all ages, whereas the anti-virus/spyware products found on nearly all enterprise computers are only effective at stopping malware that is over a month old and used extensively by cyber criminals in the wild.  Equally important, from both the end-user&#8217;s and the enterprise administrator&#8217;s perspective, they are considerably more ‘usable’ than alternatives from other vendors.</p>
<p>Secondly, encourage your end-users to use one web browser for SSL VPN, and FOR NOTHING ELSE.  Consult your SSL VPN provider for its most robust mechanisms for rejecting other web browsers.  The <a href="http://www.blueridgenetworks.com/securitynowblog/endpoint_security/dual-web-browsers-can-avoid-information-disclosures" target="_blank">dual browser strategy reduces the risks from man-in-the-browser threats</a>.</p>
<p><strong>For More SSL VPN Risk Mitigation, Invest in Computer Protection AND Control</strong></p>
<p>The above recommendation depends upon the voluntary compliance of end-users to NOT use the SSL VPN dedicated web browser for OTHER purposes.  Organizations can eliminate this dependence with EdgeGuard and Managed EdgeGuard, which can lock down web browsers in the manner implied above, even when end-users operate their computers with local admin rights.</p>
<p>The EdgeGuard solutions can also provide IT personnel considerable operational awareness into the state of their endpoint population to identify and quantify their risks.  Further, EdgeGuard can then enforce the security configuration policies that follow from these audits to dramatically reduce endpoint exposure to attack and data leaks.  They can also assess and remediate numerous common problems in 3rd party security software products.  Studies typically reveal that one out of every four enterprise computers is at greater risk because a security software product is out-of-date, disabled, or otherwise underutilized.  EdgeGuard identifies and corrects these issues to maximize the value of these investments and minimize endpoint risks.  EdgeGuard can also snuff out unwanted software applications (e.g., peer-to-peer, rogue instant messengers, etc.), assess/implement Microsoft security patches, and conduct custom script-based assessments and configuration changes uniquely required for an endpoint population.</p>
<p>EdgeGuard is designed NOT to replace typical endpoint management tools but supplement them so organizations do not have to buy into the expensive and sticky all-in-one promises of the big vendors.  Consequently, IT personnel do not have to abandon their proficiency with their familiar tools and learn how to use something else.</p>
<p>As much employee work is conducted on employee-owned computers, employers are justifiably concerned about the security of these computers.  Some employees are opposed to their employer managing EdgeGuard agents on their home computers but are more open to a trustworthy third party, such as Managed EdgeGuard.</p>
<p><strong>For Organizations with Much to Lose, Little to Spend, and a Need for Truly Secure Remote Access for Telecommuters/Teleworkers</strong></p>
<p>Supplementing the above endpoint security solutions, Blue Ridge offers the <a title="Secure Remote Access VPN for Telework and Day-Extenders" href="http://www.blueridgenetworks.com/products/borderguard-6000.php" target="_blank">BorderGuard VPN</a> product and a <a title="24 x 7 Remote Access VPN Managed Security Service with End-user Help Desk" href="http://www.blueridgenetworks.com/products/managed-vpn-service.php" target="_blank">Managed VPN managed security service</a> to deliver highly secure and end-user friendly remote access.   These solutions have been deployed world-wide for over a decade.</p>
<p>They employ IPSec VPN technology that uses a proprietary key exchange process, which is largely responsible for the lack of any reported vulnerabilities or security breaches for over a decade.   If one goes to the National Vulnerability Database and searches on the keyword ISAKMP, an acronym associated with all other IPSec offerings, no other vendor can boast such a record.</p>
<p>The key exchange process, called security enhanced Internet key exchange (SE-IKE), envelops the entire key exchange process within mandatory mutual public key authentication, which literally double encrypts each key exchange message with two different RSA keys.  Consequently, SE-IKE is immune to protocol attacks, man-in-the-middle attacks, and others, whereas all other IPSec and SSL VPN offerings are not.  Note that most IPSec deployments of other vendor offerings utilize shared secret keys, which expose their VPN to virtually undetectable man-in-the-middle attacks if just one of their unpatched VPN appliances/routers is compromised.  Unlike SSL VPN, Blue Ridge VPN solutions eliminate dependence on end-users making correct security decisions.</p>
<p>These BorderGuard solutions can use either the PKI credentials facilitated by their central management system or 3rd party PKI credentials such as <a title="Army Approved Products List Remote Access VPN for DoD CaC PKI X.509 and Active Directory Authentication" href="http://www.blueridgenetworks.com/solutions/government/dodpki-cac-remote-access.php" target="_blank">DoD CAC</a> and <a title="Federal Telework HSPD-12 Compliant Remote Access VPN for PIV X.509 Card Authentication and Temporary Certificates for Transient Workers" href="http://www.blueridgenetworks.com/solutions/government/hspd-12-remote-access.php" target="_blank">HSPD-12</a>.</p>
<p>BorderGuard remote access differs considerably from SSL VPN and other IPSec offerings in other prominent ways too.  Each remote access connection or tunnel is truly a layer 2 connection, whereas SSL VPN and other IPSec offerings are not.  Any application/communication protocol that can traverse Ethernet does so problem-free through a BorderGuard tunnel, which is like a secure Ethernet extension cord.  And lastly, BorderGuard tunnels add considerably less bandwidth, latency, and jitter overhead.  Case in point: BorderGuard tunnels secure satellite VOIP communications among Iraqi ministry and other government facilities.  Other well-known products added too much overhead, leaving only BorderGuard solutions operational.</p>
<p><strong>Related Articles:</strong></p>
<p><a title="XSS, ActiveX, Man-in-the-Middle, and Man-in-the-Browser Vulnerabilities Toss SSL VPN Security Claims Aside" href="http://www.blueridgenetworks.com/securitynowblog/network_security/web-browser-vulnerabilities-are-ssl-vpn-risks" target="_blank">Flaws in Web Browser Security Undermine SSL VPN Security</a></p>
<p><a title="Does One Ever Know Extent of Malware Caused Data Leaks?" href="http://www.blueridgenetworks.com/securitynowblog/endpoint_security/pc-malware-costly-security-breach-disclosures" target="_blank">PC Malware Driven Security Breach Disclosures—A Case of Worms</a></p>
<p><a title="NAP Can Reduce Enterprise Data Leaks from Employee Owned Computers if Full-Time NAP Agents on Them" href="http://www.blueridgenetworks.com/securitynowblog/network_security/data-leak-prevention-and-network-access-protection-nap" target="_blank">Data Leak Prevention and Network Access Protection (NAP)</a></p>
<p><a title="Any Website a PC Web Browser Visits May Trigger a Malware Attack" href="http://www.blueridgenetworks.com/securitynowblog/endpoint_security/beladen-websites-attack-pc-malware" target="_blank">Websites Unknowingly Attacking PCs</a></p>
<p><a title="LUA Should Be Mandatory But NOT The End of Computer Protection" href="http://www.blueridgenetworks.com/securitynowblog/endpoint_security/limited-user-account-does-not-protect-from-drive-by-download-attack" target="_blank">Is a PC Using a Limited User Account (LUA) Safe from Drive-by Download Attacks?</a></p>
<p><a title="Businesses Have 30 Days to Challenge Fraudulent Online Bank Transfers" href="http://www.blueridgenetworks.com/securitynowblog/endpoint_security/antivirus-failure-costs-businesses-fraudulent-bank-transfers-fdic-regulation-e" target="_blank">Business Protection from AntiVirus-Failure Caused Fraudulent Bank Transfer Losses</a></p>
<p><a title="Employee-Owned Computers Used for Work--Do You Feel Lucky, Well Do Ya?" href="http://www.blueridgenetworks.com/securitynowblog/endpoint_security/data_leak_prevention_must_handle_home_computer_use" target="_blank">Employee Owned Computers are Data Leak Risks to Employers</a></p>
<p><a title="Fresh Meat Aplenty for Cyber Criminals to be Found in Web Browsers for Years to Come" href="http://www.blueridgenetworks.com/securitynowblog/web-browser-plug-ins-activex-npapi-vulnerabilities-zero-day-exploit-attacks-indefinitely" target="_blank">Never Ending Vulnerabilities for Web Browsers</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.blueridgenetworks.com/securitynowblog/ssl-vpn-remote-access-telework-more-data-leak-risks-than-ipsec/feed</wfw:commentRss>
		<slash:comments>7</slash:comments>
		</item>
	</channel>
</rss>
