Malware Detection and Containment

December 11, 2007

Top 10 Vulnerability Trends for 2008

Our own Nevis Labs organization has published its prognosis for the top vulnerability trends for 2008. Get the document here. This is typical of security research teams that track threats daily, both looking for new vulnerabilities and analyzing emerging threats around the clock, as our Nevis Labs team does. Some of the areas in which they expect to see increasing vulnerabilities are anti-virus software, instant messaging applications, VoIP, and VM software.

November 26, 2007

Apple exploits instead of Apple pie on Thanksgiving

I was asked recently by some prospective customers how our 24/7 global support coverage works, the implication being that they expect us to log calls and then wait 5 or 6 hours before Engineering starts working on them.

Since a zero-day Apple QuickTime vulnerability was published on Thanksgiving Day, with exploit code to go with it, I thought it would make a good example of the benefit a truly global engineering team can bring.

Apple QuickTime RTSP Response Header Remote Stack Based Buffer Overflow Vulnerability

Apple QuickTime RTSP Response Header Content-Length Remote Buffer Overflow Vulnerability

Apple has not released any patch or update so far, but the exploit code is publicly available, which puts users at risk.

This vulnerability, if successfully exploited, gives the attacker full control of the victim's computer. The attack can be as easy as convincing the user to browse to a website: the page only has to point QuickTime at an RTSP server the attacker controls, since it is the server's response headers that trigger the overflow. Nevis Labs has tested the exploit and it works fairly consistently; according to the reports, it also works on Windows Vista. I'm happy to report that our customers are well protected: because our Nevis Labs offices are global and work 24/7, we developed a threat protection signature covering this threat while everyone else in the US was enjoying their Apple pie.

//Dom
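As an added example (not the Nevis Labs signature and not code from the post above), the following Python sketch shows the shape of a threat protection signature for this class of bug: it parses an RTSP response and flags any header whose value is far longer than a legitimate server would ever send, which is what an overflow trigger looks like on the wire regardless of the shellcode it carries. The 256-byte threshold, the sample responses and the header names are assumptions constructed for the example; the only specifics taken from the page are the advisory titles.

```python
"""Flag RTSP responses carrying suspiciously long header values.

Added example, not Nevis Labs' signature: the size limit, the sample
responses and the header names are assumptions made for illustration.
"""
import re

# Assumption: legitimate RTSP servers send short header values; anything this
# long is far more likely to be an overflow trigger than a real header.
MAX_HEADER_VALUE = 256

STATUS_LINE = re.compile(rb"^RTSP/\d\.\d \d{3} .*$")


def parse_rtsp_headers(response: bytes):
    """Split a response into (status_line, [(name, value), ...]).

    Does not assume the message is well-formed: an exploit server has no
    reason to send one, so a missing blank line or a header without a colon
    is still reported rather than causing the parser to give up.
    """
    head, _sep, _body = response.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    status = lines[0] if lines else b""
    headers = []
    for raw in lines[1:]:
        if not raw:
            continue
        name, colon, value = raw.partition(b":")
        if not colon:
            headers.append((b"<malformed>", raw))
            continue
        headers.append((name.strip().lower(), value.strip()))
    return status, headers


def inspect_rtsp_response(response: bytes, limit: int = MAX_HEADER_VALUE):
    """Return [(header_name, value_length), ...] for every header over `limit`.

    An empty list means the response passed; anything else is what a
    signature would alert or block on.
    """
    status, headers = parse_rtsp_headers(response)
    if not STATUS_LINE.match(status):
        return []  # not an RTSP response; outside this signature's scope
    return [
        (name.decode("ascii", "replace"), len(value))
        for name, value in headers
        if len(value) > limit
    ]


# Constructed sample traffic: a normal DESCRIBE response, and a hostile one
# whose Content-Type value is a long run of filler (the shape of the overflow
# trigger; a real exploit would also carry shellcode in that run).
BENIGN = (
    b"RTSP/1.0 200 OK\r\n"
    b"CSeq: 2\r\n"
    b"Content-Type: application/sdp\r\n"
    b"Content-Length: 45\r\n"
    b"\r\n"
    b"v=0\r\no=- 0 0 IN IP4 192.0.2.10\r\ns=sample\r\n"
)

HOSTILE = (
    b"RTSP/1.0 200 OK\r\n"
    b"CSeq: 2\r\n"
    + b"Content-Type: " + b"A" * 1000 + b"\r\n"
    + b"Content-Length: 0\r\n\r\n"
)

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN), ("hostile", HOSTILE)):
        print(label, inspect_rtsp_response(sample))
```

A production signature would additionally be tied to connection state (only responses to requests the client actually sent) and would name the specific header the advisory identifies, but the length check on the value is what makes the trigger stand out even when the exploit's payload bytes change.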

November 09, 2007

Can we detect sleeper cell bots?

Think of a botnet as a terrorist sleeper cell. A terrorist sleeper cell is a group of terrorists who blend into society without attracting the attention of organizations such as the FBI. When they get the command to strike, they blow up planes, disrupt power plants, detonate dirty bombs, and so on. Similarly, a botnet sleeper cell sneaks silently onto computers and stays inactive and undetected until the botnet owner issues orders to attack. Those orders can be anything, including sending spam, performing a DDoS attack, or recruiting more bots.

Terrorist sleeper cells can lead directly to loss of life as well as great physical and psychological damage, while botnet sleeper cells could cripple network infrastructure and inflict economic losses, or worse. Earlier this summer, Estonia was pounded by a DDoS that displayed a tremendous amount of coordination and the destructive power of sleeper cell bots. Today, the Storm worm is becoming more powerful by the day and can easily overpower the world's top supercomputers. Terrorism prevails when both types of sleeper cells work together. With rumors of Al Qaeda announcing cyber warfare starting this Sunday, and with the availability of Electronic Jihad 2.0, we have yet to see the impact, but we might soon.

Detection of both types of sleeper cells can be done by behavior profiling. In both cases the steps are the same: understand normal behavior, look for suspicious triggers, narrow down the watch-list, and observe each suspect more closely until it is proven guilty or innocent. There are, however, important differences that make detecting terrorist sleeper cells a harder problem than detecting sleeper cell bots.

Total surveillance is the first key component of sleeper cell detection. It is possible to have every host in an enterprise under total surveillance (Nevis does it); it is hard, however, to watch every person in a nation 24/7 (even though it is attempted). The FBI has a watch-list, and as of today there are about half a million people on it. Watching half a million computers is much easier than watching half a million people. (Perhaps the half a million people are best watched primarily by watching their computers.)

Characterization of behavior is the second key component of sleeper cell detection. The more characteristics you look for, the better the detection mechanism gets. Instead of going after every Muslim-sounding name (such as mine, but that is another and ongoing story), adding more information such as background, religion, bank and phone records, degree, age, sex, and so on makes the profile stronger and hence produces fewer false alarms. But the list of possible characteristics to include is nearly endless. On the other hand, while a few of us use computers in diverse ways, the vast majority do so in ways that are far easier to characterize than a person, even a mundane blog-writing cubicle worker.

Correlation across suspected bots is more fruitful than correlation across suspected terrorists. Bots in the same botnet share command-and-control infrastructure, so detecting a single bot in the botnet sleeper cell can often lead to the capture of the entire botnet. Capturing a single terrorist, however, does not necessarily lead to the capture of the entire terrorist network (even with waterboarding).

The impact of false alarms differs between the two cases. False positives in terrorist sleeper cell detection can do damage ranging from a cop showing up at your doorstep to a person ending up in Guantanamo. False positives in sleeper cell bot detection range from a guest user being cut off from a network for a few minutes, to extra work for a sys-admin, to taking down a large chunk of the network and damaging the enterprise financially. Arguably, false negatives in the case of terrorists are worse than in the case of bots; even a single terrorist can cause substantial loss of life.

While the fundamental theory behind detecting sleeper cells remains the same, the FBI’s job is much more difficult than mine. So, I’ll keep my job as well as cube life which the FBI secretly classifies as: D8DBQFHM6/RERAJ9O7woT0QB7xmpMACbBxfq4pLMkwyUxbOMFglno1gA4ÇGÊPœ/td^ÖÐÚÒÅ%iõÜ/'NO7*‰o{¶ˆ0öp%‑ÎUPuŠ4'ÅÞ©(8¹

//Khushboo Shah, Ph.D.
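The four profiling steps (learn normal behavior, look for a trigger, narrow the watch-list, observe more closely) and the correlation point from the post above can be tried on flow records. The Python below is an added example, not Nevis's product logic and not the author's code: it learns each host's normal outbound destinations from a baseline window, triggers on a host that starts contacting a destination it never used before on a regular cadence (the periodic check-in even a dormant bot must make to receive orders), and then correlates, pulling every other host that touched the same destination onto the watch-list even if it only checked in once. The host names, addresses, flow records, 3-contact minimum and 20% jitter tolerance are all constructed assumptions for the example.

```python
"""Behaviour profiling for dormant bots: baseline, trigger, watch-list, correlate.

Added example, not Nevis's product logic.  Host names, addresses, flow
records and thresholds are constructed assumptions.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records: (epoch_seconds, source_host, dest_ip, dest_port).
# Baseline day: four workstations browsing two web servers and using the
# internal mail relay.
BASELINE_FLOWS = [
    (0, "ws-01", "198.51.100.5", 443),
    (60, "ws-02", "198.51.100.5", 443),
    (120, "ws-03", "198.51.100.6", 80),
    (180, "ws-04", "198.51.100.5", 443),
    (240, "ws-01", "10.0.0.25", 25),
    (300, "ws-02", "10.0.0.25", 25),
    (360, "ws-03", "10.0.0.25", 25),
    (420, "ws-04", "10.0.0.25", 25),
]

# Observation day: ws-01 beacons to a new destination every 600 s; ws-02 is a
# dormant peer that checks in with the same destination once; ws-03 visits a
# new site once; ws-04 hits a new site three times at irregular intervals.
OBSERVED_FLOWS = [
    (86400, "ws-01", "198.51.100.5", 443),
    (86450, "ws-01", "203.0.113.9", 6667),
    (86500, "ws-04", "203.0.113.88", 443),
    (86600, "ws-02", "198.51.100.5", 443),
    (86800, "ws-04", "203.0.113.88", 443),
    (87000, "ws-03", "203.0.113.77", 443),
    (87050, "ws-01", "203.0.113.9", 6667),
    (87300, "ws-02", "203.0.113.9", 6667),
    (87650, "ws-01", "203.0.113.9", 6667),
    (87900, "ws-04", "203.0.113.88", 443),
    (88250, "ws-01", "203.0.113.9", 6667),
]


def learn_baseline(flows):
    """Step 1, normal behaviour: each host's usual set of (dest_ip, port)."""
    normal = defaultdict(set)
    for _t, src, dst, port in flows:
        normal[src].add((dst, port))
    return normal


def find_beacons(flows, normal, min_hits=3, max_jitter=0.2):
    """Step 2, suspicious trigger: a host contacting a destination absent from
    its baseline at least `min_hits` times on a regular cadence.

    Cadence is judged by the coefficient of variation of the gaps between
    contacts (population std dev / mean); `max_jitter` is an assumed tolerance.
    """
    hits = defaultdict(list)  # (host, dest) -> timestamps of contacts
    for t, src, dst, port in flows:
        dest = (dst, port)
        if dest not in normal.get(src, set()):
            hits[(src, dest)].append(t)
    triggered = defaultdict(list)
    for (src, dest), times in hits.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        if mean(gaps) > 0 and pstdev(gaps) / mean(gaps) <= max_jitter:
            triggered[src].append(dest)
    return dict(triggered)


def correlate(flows, suspect_dests):
    """Correlation: every host that touched a suspect destination, even once.

    This is what turns one noisy bot into the whole sleeper cell: its quiet
    peers share the same command-and-control destination.
    """
    peers = defaultdict(set)
    for _t, src, dst, port in flows:
        if (dst, port) in suspect_dests:
            peers[(dst, port)].add(src)
    return {dest: sorted(hosts) for dest, hosts in peers.items()}


def build_watch_list(baseline_flows, observed_flows):
    """Steps 3 and 4: narrow to triggered hosts, then widen to their peers for
    closer observation.  Returns (triggered_hosts, peers_by_destination)."""
    normal = learn_baseline(baseline_flows)
    triggered = find_beacons(observed_flows, normal)
    suspect_dests = {dest for dests in triggered.values() for dest in dests}
    return triggered, correlate(observed_flows, suspect_dests)


if __name__ == "__main__":
    triggered, peers = build_watch_list(BASELINE_FLOWS, OBSERVED_FLOWS)
    print("triggered:", triggered)
    print("watch-list by destination:", peers)
```

Note what the correlation step buys: ws-02 never trips the cadence trigger on its own, because a dormant bot checks in rarely, yet it lands on the watch-list the moment its noisier peer ws-01 does. ws-03 and ws-04 contact new destinations too, but one visit, or three at irregular intervals, is ordinary browsing and stays off the list; that is the false-positive trade-off the post describes.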


Powered by TypePad