The State Of Vulnerability and Security Part II


I didn’t think I’d be writing a second part to my first story, but not long ago an interesting yet controversial article came up on my feed, written by John Prisco, CEO of Triumfant. To be more specific about why the article is controversial and surely needs a review, I’ll cover a lot of technical aspects of cyber-security that the article didn’t really talk about.

First of all, I won’t be saying that the article is biased or reads more like an ad than a real article. It states: “Major security technology vendors are running a billion dollar con by selling software that they know won’t work. This scam makes them arguably more corrupt than the hackers themselves.” What John is clearly saying is that “AVs don’t work.” Let me give you a short explanation of what an AV really is: an anti-virus is basically a doorkeeper that uses methods like heuristics and behavioral analysis to detect suspicious and malicious software, known as malware. Let’s talk about malware first:

Malware is divided into many subcategories. There is banking malware like Zeus, SpyEye, Carberp, Tinba, Citadel and Kronos. What makes these dangerous is that they are sold as crime kits that anybody can install and use to siphon bank accounts and credentials on the fly. Most of them are detected by AV companies whether they are encrypted or not (we’ll talk about encryption later), because once the first sample is found, defining a signature is easy: they all share the same malicious behavior in order to work. These target individuals more than institutions.

Then there is the superstar banking malware like Kuluoz, Gauss, Shylock, Gataka and Dyreza. These are operated by teams of cyber crooks who develop their own kits and use them privately; they target not only individuals but also institutions and banks, and they involve a higher level of complexity than ordinary banking malware.

Both categories share one special method used to grab the necessary credentials and steal money, called WebInjects. A more advanced version of these is ATS (automatic transfer system), which transfers all funds available in an account to a drop account controlled by a money mule, the “fish”, I mean the guy who goes and cashes out the money for the real crooks.

Other malware that AV products target and can remove easily includes lockers (mainly ransomware), loaders (simple malware used to manage a botnet), RATs (remote administration tools), POS malware, and DDoS tools and stressers. The last of these use the power of many computers at once to attack a server or website and take it off the grid, like what happened to the PSN back at Christmas, or what happens every day when you try to open a website and it’s simply down (the same kind of attack is used by the Anonymous group).

All of these are easy to detect for AV vendors or anyone with some info-sec expertise. Why? Because they not only share the same behavior, they also tend to follow a suspicious execution flow that legitimate software wouldn’t: for example, using Native APIs on Windows when they could use the user-mode (Ring 3) APIs, or using rootkits to hide, which is obviously very suspicious. Why would Firefox, for example, hide its files, its registry keys or its process from Task Manager?

One of the many ways AVs detect malware is heuristic analysis, which is effective but can still fall victim to false positives. Heuristics use rules that define suspicious actions typically made by malware, for example:

  • a program that copies itself into another program (the basic virus trick)
  • a program that tries to write directly to the disk
  • a program that tries to remain resident in memory after it has finished executing
  • a program that decrypts itself when run (a method often used by malware to evade signature scanners)
  • a program that binds to a TCP/IP port and listens for instructions over a network connection (this is pretty much what a bot, also called a drone or zombie, does)
  • a program that attempts to manipulate (copy, delete, modify, rename, replace and so forth) files required by the operating system
  • a program that is similar to programs already known to be malicious

Heuristics in AV software are more complex than that; they detect hooks, API calls and many other things, but I’m trying to be technical and not too technical at the same time.

AVs don’t rely on that alone; they also use memory scanning, signature scanning and network analysis (for example, a request sent without headers is considered suspicious).

Even crypting the binary is now becoming useless for cyber crooks, since all crypters use the same method: crypt → decrypt. The file may not be detected when your PC is scanned on disk, but once it’s executed and decrypted in memory, it’s gone with the wind.
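To make the heuristic idea concrete, here is an added toy example of my own (not code from the original article or from any AV product): a rule-based scorer that turns the heuristic bullets above, plus the no-headers network check, into weighted rules over a constructed behavior trace. The trace format, the action names and the weights are assumptions of this example; it also shows how a legitimate disk tool can trip the same rules, which is the false-positive problem I mentioned.

```python
# Toy heuristic scorer: an added example, not code from any AV product.
# A trace is a list of (action, target) pairs such as a sandbox might emit;
# action names, targets and weights are assumptions made for this example.
RULES = {  # one weighted rule per heuristic bullet, plus the network rule
    "self_copy_into_program": 40,  # copies itself into another program (virus)
    "raw_disk_write": 30,          # writes directly to the disk
    "stay_resident": 20,           # stays in memory after finishing
    "self_decrypt": 30,            # decrypts itself at run time (crypter)
    "listen_tcp": 25,              # binds a port and waits for instructions
    "modify_os_file": 35,          # copies/deletes/renames OS-required files
    "hide_process": 40,            # rootkit-style hiding from Task Manager
    "http_no_headers": 15,         # network request sent without headers
}
ALERT_THRESHOLD = 60  # total weight at which the scanner raises an alert

def score_trace(trace: list[tuple[str, str]]) -> tuple[int, list[str]]:
    """Return (total score, human-readable reasons) for one behavior trace."""
    score, reasons = 0, []
    for action, target in trace:
        weight = RULES.get(action, 0)
        if weight:
            score += weight
            reasons.append(f"{action} on {target} (+{weight})")
    return score, reasons

def verdict(trace: list[tuple[str, str]]) -> str:
    """'suspicious' once the trace crosses the threshold, otherwise 'clean'."""
    return "suspicious" if score_trace(trace)[0] >= ALERT_THRESHOLD else "clean"

# Constructed traces (not real samples).
BROWSER_TRACE = [  # a browser writing its cache and fetching a page
    ("file_write", "AppData/Local/Firefox/cache"),
    ("http_request", "https://example.com/"),
]
BOT_TRACE = [  # a crypted bot: decrypts itself, hides, waits for commands
    ("self_decrypt", "own image"),
    ("hide_process", "Task Manager"),
    ("listen_tcp", "0.0.0.0:8080"),
    ("http_no_headers", "203.0.113.7"),
]
DISK_TOOL_TRACE = [  # a legitimate defragmenter: false-positive risk
    ("raw_disk_write", "PhysicalDrive0"),
    ("modify_os_file", "C:/Windows/System32/pagefile.sys"),
    ("stay_resident", "background service"),
]
if __name__ == "__main__":
    for name, trace in (("browser", BROWSER_TRACE), ("bot", BOT_TRACE),
                        ("disk tool", DISK_TOOL_TRACE)):
        print(f"{name}: {verdict(trace)} {score_trace(trace)[1]}")
```

The disk tool scores above the threshold on raw disk writes, OS file changes and staying resident alone, which is exactly why real products pair heuristics with signatures, allowlists and memory scanning rather than relying on one rule set.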

The Lambda Scenario

“Now let’s just say that Bob works as an accountant for KPFC, deals with software like Excel and MS Word every day, and uses Internet Explorer as his web browser: a “lambda person”. Now there’s Vladimir who lives in Russia, or Felix who lives in Brazil, or Y who lives in Z, who recently wanted to make some money the fast way. He does some recon on the internet and finds that Bob works at KPFC. He sends an email to Bob using a simple mailer; in the email there’s an attachment or just a link, and the email appears to come from Bob’s boss, John. Bob opens the email, either downloads and opens the .doc attachment or opens the link, and then KABOOM: poor Bob is now a victim and an entry in Y’s database of victims.”

This is of course the lambda scenario where Bob has no AV. Bob has now given someone access, and we’re talking clients’ accounts, passwords, emails… Now if Bob puts a USB stick in his work computer and then in his home computer, his home PC is now another entry, and Bob will have his accounts cleaned out, his credit cards used and his identity sold on an underground market. Basically, Bob is now a product being dealt in a market.

If Bob had an AV, the .doc file would have been detected before it set foot in his Downloads folder, and that’s it.

Somehow we now understand why AVs are important and why you probably need one on your computer. It’s not about whether you’re a target or not: cyber-attacks are ongoing 24/7 everywhere, and they can come as an email or a simple link.

Why don’t AVs stop everything? You hear on the news that company X has suffered a data breach or that Y’s clients had their funds stolen, but let’s face the truth: the media has no technical expertise to define what really happened. In fact, many people don’t update their systems, which makes them a sweet target for anybody out there. AVs can’t do the whole job; proper technical documentation needs to be done as well.

By The Numbers

These numbers were taken from KrebsOnSecurity (the journalist who broke the Target breach and found the man behind it):

40 million — The number of credit and debit cards thieves stole from Target between Nov. 27 and Dec. 15, 2013.

70 million — The number of records stolen that included the name, address, email address and phone number of Target shoppers.

46 — The percentage drop in profits at Target in the fourth quarter of 2013, compared with the year before.

200 million — Estimated dollar cost to credit unions and community banks for reissuing 21.8 million cards — about half of the total stolen in the Target breach.

100 million — The number of dollars Target says it will spend upgrading their payment terminals to support Chip-and-PIN enabled cards.

0 — The number of customer cards that Chip-and-PIN-enabled terminals would have been able to stop the bad guys from stealing had Target put the technology in place prior to the breach (without end-to-end encryption of card data, the card numbers and expiration dates can still be stolen and used in online transactions).

0 — The number of people in Chief Information Security Officer (CISO) or Chief Security Officer (CSO) jobs at Target (according to the AP).

18.00–35.70 — The median price range (in dollars) per card stolen from Target and resold on the black market (range covers median card price on Feb. 19, 2014 vs. Dec. 19, 2013, respectively).

1 million — 3 million — The estimated number of cards stolen from Target that were successfully sold on the black market and used for fraud before issuing banks got around to canceling the rest (based on interviews with three different banks, which found that between 3–7 percent of all cards they were told by Visa/MasterCard were compromised actually ended up experiencing fraud).

53.7 million — The income that hackers likely generated from the sale of 2 million cards stolen from Target and sold at the mid-range price of $26.85 (the median price between $18.00 and $35.70).

55 million — The number of dollars outgoing CEO Gregg Steinhafel stands to reap in executive compensation and other benefits on his departure as Target’s chief executive.

Let’s go back now to our famous article. John Prisco talks there about major cyber attacks, but major breaches like Target or Home Depot, for example, or more recently Ashley Madison, are more the mistake of some non-tech-savvy employee, as the Sally Beauty breach proves. Sally Beauty uses a product from Tripwire Security; it flagged that the intruders had planted a new file on point-of-sale systems within Sally Beauty’s vast network of cash registers and raised the alarm. You will ask me how they got there in the first place: well, they used a district manager who, according to an IT person at Sally Beauty, had his credentials written on his laptop in plain sight. So now we have proof that security products are indeed necessary. Of course the attack wasn’t complex; it was just POS malware running on some Windows XP cash register machines and siphoning all the credit cards that went through.


Now let’s go a little deeper down the rabbit hole and talk about APT attacks, the real deal that has intrigued cyber-security experts from all over the globe.

APT attacks run against many things. There’s Stuxnet against the Natanz nuclear facility in Iran (they basically hacked the unit used to control the centrifuge speed); Duqu, again in Iran, used to snoop on the P5+1 talks about Iran’s nuclear program; Duke and its variants; Flame; and more recently The Mask and the Equation Group. We can also mention Regin. Of course detecting these attacks is no easy task, but still many AV companies try hard to fight them. But why?

Attacks like these are often complex, both in their development and in how they work. For example, the 2015 Duqu attack installed a driver on one of the least-used computers on the local network, the one least likely to restart, so that when the other computers are restarted, the driver sends a request that downloads and installs the file again. Most of these APT attacks are discovered after the infection, sometimes after the damage is done. Why? Because they are capable of bypassing most of the mitigation, protection and security methods put in place to protect the target. The Natanz security system was off the grid; a USB key installed the malware, which used 4 0-days and 2 stolen certificates to beat all the security. Sally Beauty was using a Tripwire security product that monitors every transaction and every action, and it didn’t keep them secure either. While we focus on many things, we forget that there are 0-days that aren’t detected by the manufacturer or the software company in the first place. So what kind of protection do we really need? According to John Prisco we need to predict those attacks using Big Data (the tech buzzword of 2015): by having large chunks of data analysed, we can predict those attacks. But from a certain point of view, many of the institutions attacked were using some of the most advanced security products, if not a Triumfant product :), so why isn’t it working?

The Human Exploit

Well, we forget that the best vulnerability is the human mind. Social engineering helped Kevin Mitnick do some crazy things, right? Plus we as people are more likely to be exploited than a machine. Think about it: imagine an innocent-looking, cute person hands you a USB key and, while playing with her hair, asks you to see what’s wrong with it. You plug it in, and there you go: you’ve given access to your network to someone, somewhere. The greatest hack of all time is trust. Each day we like people’s statuses, we check their pictures, we click on the links they share, we open the attachments in the emails they send… Good technical education needs to be taught to everyone. I’m confident that a cyber-security class will be in high school in the future, like a self-defense class; we need people to tutor the young, eager minds of millennials on how to be secure and how to secure themselves.

So, should you drop your anti-virus? NO, you shouldn’t. While it offers a very thick layer of security, you as an individual need proper documentation and need to know how to use the internet. While you may be attracted to that sexy girl on the banner, don’t forget that the sexy girl can make you bankrupt.

P.S.: Mr Prisco, I have searched everywhere for a proper bio of you and didn’t find anything related to cyber-security or even CS. You did run a help-desk at a telecom company and created many companies, but what you really need to do is talk to real experts, people who deal with cyber-security every day, and learn a little more about the subject before claiming some billion dollar con.

Conclusion: I didn’t talk about everything I wanted to say in the first place because I don’t want you to be bored, so I’ve reserved a third part; maybe I’ll make it a series. Till then, see you next time, fellow internet user.



Credits go to the InfoSec community, and everyone. Cheers.