PCQuest (pcquest.com)
THE DARK SIDE OF IT

Believe it or not, security threats have contributed considerably to the evolution of IT. Here we look at some of the events of the past that redefined network security, and at others that could hurt us in the future.

Swapnil Arora

Thursday, January 03, 2008

Day and night, good and evil, angel and devil: there are two sides to everything. Even IT has a positive and a negative side, and ironically the first traces of this negative side appeared long before computers, and for a totally different set of reasons. Many consider that the theory behind the first virus came from mathematician John von Neumann's work on cellular automata and self-replicating machines. Von Neumann devised this theory before computers existed, on pen and paper. Later, other mathematicians presented their own views on automated self-replication, and finally Frederick Stahl reproduced the idea in machine code on an IBM machine. The rest, as they say, is history. While these scientists developed such theories for the good of mankind, others used them with malicious intent, forming the dark side of IT. Presented here is that dark side, which has prevailed for many decades and continues to grow alongside the positive side of IT. We follow it up with where this dark side is heading in the future.

Today there are many facets to the dark side of IT. Life has gone far beyond viruses and worms into many other forms of attack, some of them far more damaging. Presented here are some of the most dreaded attacks of the past, followed by what's brewing for the future.

Buffer Overflow attacks
Buffer overflows have been understood since 1972, and the first widely known exploitation of one was by the Morris worm in 1988, which overflowed a fixed-size stack buffer in the BSD fingerd daemon through an unchecked gets() call. According to the U.S. General Accounting Office (now the Government Accountability Office), the damage done by the Morris worm was anywhere from $10M to $100M. Its creator, Robert Tappan Morris, then a student at Cornell University, said he created the worm to gauge the size of the Internet.

Whatever the case, it paved the way for many other worms that exploited buffer overflow vulnerabilities in programs. Two names worth remembering for the damage they caused are Code Red (2001, an overflow in Microsoft IIS) and SQL Slammer (2003, an overflow in SQL Server's resolution service, delivered in a single 376-byte UDP packet). The defensive lesson has not changed since 1988: bound every copy into a fixed-size buffer, reject input that does not fit, and build with the stack protection and non-executable stack that modern compilers and kernels provide.
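As an added illustration (this is example code, not code from the article or from any of the worms named above), here is the pattern behind these attacks in C: an unbounded copy of the same shape as the gets() call in fingerd, next to a bounded copy that refuses input that does not fit. The 16-byte buffer length, the helper names and the sample inputs are all assumptions chosen for the example.

```c
#include <stdio.h>
#include <string.h>

#define BUF_LEN 16   /* assumed buffer size for the example */

/* Vulnerable: the same shape as the gets() call in fingerd that the Morris
 * worm abused. strcpy() copies until it sees a NUL, so input longer than
 * BUF_LEN-1 bytes runs past buf into whatever sits above it on the stack
 * (saved registers, the return address). Never call with untrusted input. */
void vulnerable_copy(const char *input)
{
    char buf[BUF_LEN];
    strcpy(buf, input);            /* no bound: this is the bug */
    printf("vulnerable_copy: %s\n", buf);
}

/* Pre-check: does input (plus its terminating NUL) exceed a buf_len buffer? */
int would_overflow(const char *input, size_t buf_len)
{
    return strlen(input) + 1 > buf_len;
}

/* Hardened: copy only if the whole string fits, always NUL-terminate, and
 * tell the caller when it did not fit instead of corrupting memory.
 * Rejecting is preferred to silent truncation, which can turn one bug into
 * another (a cut-off path or command). Returns 0 on success, -1 on reject. */
int safe_copy(char *dst, size_t dst_len, const char *input)
{
    if (dst_len == 0) return -1;
    if (would_overflow(input, dst_len)) {
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, input, strlen(input) + 1);
    return 0;
}

int main(void)
{
    char dst[BUF_LEN];
    char attack[64];                       /* constructed oversized input */
    const char *ok = "alice";              /* constructed benign input */
    int rc;

    memset(attack, 'A', sizeof attack - 1);
    attack[sizeof attack - 1] = '\0';

    printf("\"%s\" fits in %d bytes: %s\n", ok, BUF_LEN,
           would_overflow(ok, BUF_LEN) ? "no" : "yes");
    printf("63 x 'A' fits in %d bytes: %s\n", BUF_LEN,
           would_overflow(attack, BUF_LEN) ? "no" : "yes");

    rc = safe_copy(dst, sizeof dst, ok);
    printf("safe_copy(ok) = %d, dst=\"%s\"\n", rc, dst);
    rc = safe_copy(dst, sizeof dst, attack);
    printf("safe_copy(attack) = %d, dst=\"%s\"\n", rc, dst);

    vulnerable_copy(ok);                   /* harmless only because ok is short */
    return 0;
}
```

Passing `attack` to vulnerable_copy() instead of `ok` is exactly what fingerd did with whatever arrived on the socket; on a 1988 VAX the overwritten return address sent execution into the attacker's bytes. safe_copy() is the shape to reach for today, together with compiler stack protectors, which catch the cases a reviewer misses.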

Bruteforce attacks
A brute-force attack originally meant breaking a cryptographic scheme by systematically trying every possible key until the right one is found; it is exhaustive rather than random, and its cost grows exponentially with key length. Dictionary attacks are the pragmatic cousin: instead of the whole key space they try a list of likely candidates (words, previously leaked passwords, and common manglings of them). Besides cryptanalysis, both were soon turned against passwords, which is why a slow, salted password hash and rate limiting on login attempts matter.

A Brief History of Viruses & Worms

Early 1970s Creeper, an experimental self-replicating program, appears on the ARPANET
1974 Rabbit virus detected
1982 Elk Cloner virus detected on Apple II systems. This was the first large-scale computer virus outbreak
1986 Brain, the first PC boot sector virus, detected
1988 Morris worm exploits a buffer overflow in fingerd, among other flaws
1995 First macro virus appears, known as Concept
1999 Melissa worm appears in March and spreads through MS Word documents. Reportedly causes damages worth USD 4 million
2000 VBS/Loveletter worm appears in May. It reportedly caused damages worth at least 10 billion dollars
2001 Code Red and Sircam worms emerge in July 2001. Nimda worm appears in September 2001. The first version of the Klez worm appears in October
2003 SQL Slammer worm appears in January 2003. Blaster and Sobig worms spread rapidly in August
2004 MyDoom worm appears in January. It was regarded as the fastest spreading mass-mailer worm till then. Sasser worm detected at the end of April 2004
2006 First virus detected for Mac OS X, known as OSX/Leap-A
2007 Storm worm detected in January. It created the Storm botnet, whose size was variously estimated at between one million and ten million computers

Botnets
These are networks of software bots running on remotely controlled, compromised ("zombie") systems. Botnets can perform various attacks ranging from DoS and spamming to spyware distribution and click fraud. Most botnets of this era use IRC to communicate with their owners, although newer ones are moving to HTTP and peer-to-peer channels that are harder to shut down; Storm, the most recent large botnet, introduced in January 2007 and infecting at least 1,000,000 machines, used a peer-to-peer protocol for its command and control. Botnets have also spurred the use of honeypots and honeynets: deliberately exposed decoy systems that are left to be compromised so that the attackers' tools, including bot binaries and their command-and-control traffic, can be observed in safety.

Denial of Service
It's hard to say when the first DoS attack took place. Flooding attacks such as ping floods and UDP floods against IRC users are said to go back to 1988, but distributed denial of service (DDoS) first made news in August 1999, when a Trinoo network flooded a University of Minnesota system. Then in February 2000 came the much-publicised week of DDoS attacks, when Yahoo, CNN, eBay and many others felt the heat. After that we saw worms such as Blaster, which carried a DDoS payload aimed at windowsupdate.com; and seven years later, in February 2007, a DDoS attack on the DNS backbone was back in the news. In such an attack the DNS root servers are targeted, because they serve the root zone, the starting point for resolving any domain name that a resolver has not already cached. So degrading enough root servers for long enough would make many websites unreachable at once, as compared to a DDoS attack that brings down a single website; in 2007, anycast replication of the root servers and resolver caching kept the damage small.

Man in the Middle (MITM) attacks
One of the oldest kinds of attack, and still very popular. In a MITM attack the attacker positions himself between two parties, relays their traffic, reads it and sometimes modifies it. The passive form is packet sniffing, which, interestingly, began as a network troubleshooting tool; the active form on a LAN typically relies on tricks such as ARP spoofing to divert traffic through the attacker's machine. To counter MITM attacks various encryption solutions were launched to secure communication, but encryption alone is not enough: a key exchange that does not authenticate the other endpoint can itself be intercepted, which is why protocols such as TLS and SSH tie the exchanged keys to certificates or known host keys.

Reverse Engineering
Reverse engineering was originally a way to find out how software behaves under particular conditions and to improve its performance by understanding the program's logic. But it soon also became a way of breaking software protection and using programs without paying for them, making it one of the main contributors to the piracy industry. To stop this, vendors turned to packers, obfuscation and encrypted executables that are decrypted only at run time, but these made little lasting impact: whatever the CPU must eventually decrypt, a debugger can eventually read, and piracy remains one of the major problems for vendors.

Social Engineering
This technique was in use before computers came into existence, but in computing terms it is a collection of methods for tricking people into performing certain actions or divulging critical information. Such socio-technical attacks treat the human as the weakest link in the security chain. Pretexting, inventing a plausible scenario to justify a request, is the most widely used social engineering technique and is mostly performed over the phone. Other social engineering techniques include dumpster diving and shoulder surfing.

Phishing
A phishing-style technique was first described in 1987, and almost nine years later the first recorded phishing attack was seen in January 1996 on Usenet newsgroups, targeting AOL accounts. But it was not until 2004-2005 that it caused the greatest damage, estimated at $929 million.

Open Source malware
Not to be confused with malware for open source systems, this is malware created the open source way, i.e. with its source code made publicly available. Many will remember Agobot and SDBot, which were released under the GPL and developed in modules. Published source blurs the trail back to the original authors, since many developers contribute to the code. It also became the first choice of script kiddies, who could add new features to existing malware without having to write anything from scratch.

Zero Day attacks
A zero-day flaw is one for which no vendor patch exists, either because the vendor does not yet know of it or has not shipped a fix. Whenever the underground hacker community learns of such a flaw in an application, an exploit usually follows. The time between the exploit's appearance and the public availability of a patch is called the zero-day window, and any attack during this window is a Zero Day Attack or ZDA. Since signature-based defences have nothing to match yet, the practical protections are a reduced attack surface, least privilege for exposed services and detection of anomalous behaviour rather than known code.

With so many different types of attack already in existence, it's not difficult to predict the future. Expect many more varieties, and even more malicious forms of attack.

In fact, the days of unintentional or 'just-for-fun-and-curiosity' attacks are numbered. In the future, expect most of the attacks to happen with a malicious intent.

Most of you might remember the news of Paris Hilton's stolen phone and the posting of its address book online. That is not an amusing thought, because with the exponential growth in cellphones and laptops, the number of thefts of these devices is also growing.

If a petty thief steals a phone or laptop and sells it for a paltry amount, the owner can be considered lucky. But what if the thief threatens to give away important information from it to others (maybe the competition)? Just the thought of such a thing happening is enough to give anyone nightmares.

There's no IT involved in stealing equipment, but such thefts do affect the IT community, and we must be careful about them: full-disk encryption and remote wipe turn a stolen laptop or phone from a data breach into a hardware loss.

Increase in mobile malware
The fact that smart phones are getting cheaper and people keep critical data on them is reason enough for crackers to target these devices. According to one report, there were already at least 370 known samples of malware for smart phones, and anti-virus vendors are shipping products for mobile phones, so we may see a serious piece of mobile malware soon.

There are various ways in which smart phones can be infected, and one of the most common is the Internet, just as for PCs.

Smart phones can also catch infections when they are synchronized with an infected computer. A compromised smart phone can in turn infect other smart phones over wireless personal area networks.

An example of such an attack is the Cabir proof-of-concept worm of 2004, which used Bluetooth to spread between Symbian smart phones. A concept for mobile botnets was also presented some time ago at a Black Hat conference but has yet to turn into reality.

In another demonstration, a security researcher exploited a buffer overflow on a phone through a specially crafted MMS message. In future we are likely to see more attacks of this kind.

VoIP attacks
Almost everybody is aware of sniffing attacks on VoIP traffic. While many steps have been taken to reduce such man-in-the-middle attacks on VoIP, other threats are emerging. One VoIP threat doing the rounds is VoIP spam, also known as vamming or SPIT (Spam over Internet Telephony).

Vendors are gearing up to deal with VoIP spam. NEC has announced anti-spam VoIP software called VoIP Seal, scheduled for release in 2008.

Another similar threat is VoIP phishing (vishing). These attacks can be more convincing and harder to detect than email phishing. So far they originate in emails that contain a phone number to call instead of the conventional link. The number usually belongs to a PBX with an auto-attendant, so that it appears to belong to a legitimate company, tricking users into entering private information such as account numbers and PINs on the keypad.

Another VoIP phishing variant is a call from a bot whose caller ID has been spoofed to appear to come from a known source. Here again the bot pretends to be authentic and asks the user to provide confidential information. Caller ID should be treated as a hint, not as authentication: a call back to a number taken from the bank's card or website, never from the message, is the only reliable check.

Virtual world threats
Over the past few years, MMOGs (massively multiplayer online games) have gained considerable popularity. One of the first threats to persistent virtual worlds (PVWs) came in the form of CopyBot, which replicated objects and avatars in Second Life without permission.

Another threat to such PVWs is software that claims to improve the performance of the virtual world or to perform automated tasks, while stealthily running malicious code that steals information from players. Other possibilities include spamming and phishing attacks on virtual world users inside the PVW itself.

Virtualization threats
The advantages of virtualization are many, and as more companies deploy it, attackers are going to look for ways to exploit it.

One of the most talked-about security threats in virtualization is the danger to the hypervisor itself. Because the hypervisor sits beneath every guest, an attacker who compromises it, or who escapes from one virtual machine into it, gains access to all the virtual machines on that host. There is also talk of hypervisor-level rootkits and malware.

The best-known example is Blue Pill, presented by Joanna Rutkowska in 2006. Rather than attacking an existing hypervisor, it uses the processor's hardware virtualization extensions (AMD SVM in the original demonstration) to slide a thin, malicious hypervisor underneath a running operating system without a reboot, turning the OS into an unwitting guest and leaving the rootkit in control of everything the guest does. You can find more details about this attack on the researchers' website at http://www.invisiblethings.org/.
