So You Think You Are Secure? You Might Not Be
Jim Libersky, VP Sales & Marketing
The Barrier Group/Barrier1
Everyone has a firewall, anti-virus, anti-spam, encryption, VPN, and other individual network security solutions in place. In fact, business spends $5+ billion a year protecting computer networks. So, with all of that money spent, why are hackers still getting in?
The business of protecting our digital assets, or even our general communication, from some unintended individual or group continues to evolve. At one time hackers' motives were simple: they just wanted to see if they could do it. Then, as the money available for such activities grew, so did the sophistication and the methods. Cyber criminals have continued to find vulnerabilities in all seven of the OSI layers. At first, an attack focused on a single vulnerability. Now they exploit those vulnerabilities in combinations beyond what one could imagine just a couple of years ago. So, one has to inspect all seven OSI layers in real time in order to stay secure.
Today's world of communication has become the world of IP (Internet Protocol). IP has long been part of the data communication world. However, now you are witnessing VOIP (voice over IP) and IP/TV or video, and even iPhones embracing IP. Each of these three core platforms, voice, video, and data, has vulnerabilities and value to cyber criminals. So, cyber attacks will not stop but will continue to evolve in complexity.
The roots of these vulnerabilities are IP itself, the OSI layers and mutation. IP is based on the seven layers of the OSI model. Each layer has its function and role in providing communication. The underlying assumption in IP is that as communication or data flows from one layer to another, the layer above or below receives the stream and everything is fine. There are few or no checks for changes or alterations between what was requested and what is delivered. In fact, the vast majority of processors have no such checking functions built in, or only limited ones.
Cyber attacks have grown from the simplest form to what is now known as "blended threats". All attacks look for vulnerabilities. That means they look for vulnerabilities in functions that reside in key layers of the OSI model. For example, MAC addresses have a vulnerability known as "MAC address spoofing"; the MAC address is a layer 2 function. Route spoofing is a vulnerability at layer 3. Mishandling or changing port numbers is a layer 4 function. You can continue up the ladder to layer 7, the application layer. There you will find flaws and vulnerabilities that relate to the application and to how the application communicates over HTTP or HTML. Again, each has its own set of specific vulnerabilities and behaviors. These attacks include SQL injection, interruption of the application's logic flow, and inserting malicious code into a hidden field on a company web site. Today, these individual OSI layer attacks are used together in a process that exploits computer networks and applications. Thus the term "blended threats". To be secure against today's attacks one has to have the ability to inspect all seven layers simultaneously and in near real time.
As I discussed earlier, many of today's attacks result from the ability of the attacker to change or alter the request and then deliver an altered data stream. Attackers have figured out that a disruption or change in key areas of code will bring different outcomes than what is expected. For example, inserting "%20", a ">?" request, or "!" at certain points in the code will have different results. Remember, IP assumes that if the data stream passes from one layer to another it is OK. Thus, hackers get in and are in control.
Mutation: attackers craft attack plans based on known vulnerabilities and then add process. The cyber criminals know full well that they will soon be discovered and a fix or block will be implemented. The vast majority of security solution vendors only deal with known attack styles. So, cyber criminals change some part of the process, key strokes, source, etc. into something that none of the sensors have seen before. Thus the cyber criminals continue to exploit with a different mutation or variant of the original.
A good example of this is the latest virus, known as the Conficker worm. Here is how the Conficker virus worked.
• The Conficker program exploits the Microsoft vulnerability MS08-067 (Server Service patch)
• It spreads over LANs, USB memory sticks, and PCs.
• It copies itself into the ADMIN$\system32 folder
• There are 297 subroutines, and it propagates as a DLL
• PCs are turned into drones on a botnet programmed to seek updates through a list of domains
• 7,750 domains are on the list. Half are active (3,861-3,889 domains)
• The domains resolve to only 42 unique IPs
• 28 domains are the most active, and most of them are up for sale by the registrar
• It then obtains a second list of names from the user accounts and tries a series of weak passwords against them
• A crafted RPC request checks the Windows version and then disables various features. These include Windows automatic updates, Windows Security Center, Windows Defender and Windows Error Reporting.
• Then it sends a UPnP message to open random local high-order ports (a back door)
• It creates a variant of an HTTP server and opens a random port between 1024 and 10,000
• It goes out to a site to learn its external-facing IP address
• It searches in blocks of 250 domain names
• Operating systems can handle only 256 requests at one time
• Then it goes to sleep but checks those 250-name blocks every 30 seconds
• Using the same UTC clock, every infected machine converges on the registered domains at the exact same time and asks whether an executable is available.
• It next sends a URL request on port 80, and a Windows binary is returned and validated with a locally stored public key. If not connected, it retries the HTTP request every 60 seconds
Now we add the mutations. There have been at least five mutations since 2008. Barrier1 has stopped the Conficker virus and other similar versions known as 2009 Malware, Downup, Downadup and Kido.
Another example is null byte poisoning. What is null byte poisoning? Null byte poisoning has two key components.
• First, once the command lines or strings are known to the attacker, the attacker can alter the command line.
• Second, by replacing key areas of the string with null bytes, the program's behavior is changed. The null byte forces the string to end at the point of insertion and allows cyber criminals to take over. Now, add the ability to change the scripts and the attacker can redirect the intended outcome. These attacks get through the vast majority of network security appliances.
Examples of where null byte poisoning is used are connect and SQL statements with dynamic execution, e.g. Oracle "execute immediately", and it can be used to remove a mandatory file extension.
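The "remove a mandatory file extension" case is easiest to see in code. The following is an added example, not Barrier1's code: a validator that checks the extension of the whole string accepts a name with an embedded NUL, while the C-string consumer that eventually opens the file (libc, a legacy CGI, an older runtime) stops reading at the NUL and sees a different name. The function names, the allow-list and the sample file names are constructed for this illustration; `c_string_view` models the NUL-terminated consumer rather than calling one.

```python
import os

# Constructed allow-list for a hypothetical image-upload handler.
ALLOWED_EXTENSIONS = {".jpg", ".png"}


def c_string_view(name: str) -> str:
    """Model a consumer that treats the name as a NUL-terminated C string:
    everything after the first NUL byte is invisible to it."""
    nul = name.find("\x00")
    return name if nul == -1 else name[:nul]


def naive_is_allowed(name: str) -> bool:
    """Vulnerable check: only inspects the suffix of the full string, so
    'evil.php\\x00.jpg' passes even though a C consumer would open 'evil.php'."""
    return os.path.splitext(name)[1].lower() in ALLOWED_EXTENSIONS


def hardened_is_allowed(name: str) -> bool:
    """Hardened check: reject NUL and other control characters and any path
    separators before looking at the extension, then allow-list the extension."""
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in name):
        return False  # NUL, newline and friends never belong in a file name
    if "/" in name or "\\" in name or name in ("", ".", ".."):
        return False  # no traversal, no empty or dot-only names
    root, ext = os.path.splitext(name)
    return bool(root) and not root.startswith(".") and ext.lower() in ALLOWED_EXTENSIONS


def evaluate(name: str) -> dict:
    """Return what each check decides and which name a C-string consumer would open."""
    return {
        "naive_accepts": naive_is_allowed(name),
        "hardened_accepts": hardened_is_allowed(name),
        "c_consumer_opens": c_string_view(name),
    }


if __name__ == "__main__":
    for sample in ("photo.jpg", "evil.php\x00.jpg", "../photo.jpg"):
        print(repr(sample), evaluate(sample))
```

The two checks differ only in rejecting control characters and separators before the extension test, which is exactly the gap a 5-tuple firewall cannot see because the NUL travels inside the application payload. Modern runtimes close part of the hole themselves (Python 3's `open()` raises `ValueError` on an embedded null byte), but the validation belongs in the application regardless, since the name may be handed to a different consumer later.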
So why don’t traditional security appliances and individual point solutions work?
• Firewalls alone do not work because all firewalls, including stateful firewalls, look at only five things (source, destination, port, protocol and state) and therefore will not detect this attack. IDS/IDP alone look only for patterns that are known or have previously been spotted. If this is a new configuration or series that is not known, IDS pattern recognition will not stop it.
An anti-virus alone only looks for known patterns in email and sometimes elsewhere. Meanwhile, web application firewalls alone look at certain fields in the data stream: they inspect the outgoing HTTP, HTML and OSI layer 7 request and compare it to the return.
You can see why so many people were compromised. Each aspect of this blended threat played on the vulnerabilities found in all seven OSI layers. So, it is the unknown data strings or behaviors that continue to allow attacks to occur.
Speed is a large consideration. Real-time inspection will become the norm. Internet users demand speed, and speed allows for new and integrated applications. Users expect that accessing information via the internet should be as fast as searching the hard drive on their own computer. Even with deep and inclusive inspection taking place, users demand instantaneous and flawless application execution. Now, add VOIP and IP/video. VOIP and IP/video will not tolerate latency. In the IP world, voice and video are just another set of rules to align the 1's and 0's. Real-time applications like voice and video will have to be secured as well.
Voice brings a special challenge: it is a real-time transmission. If packets are lost or there is a delay, voice quality suffers and users will lose confidence and not accept such a service. Traditional firewalls are not only too slow but look at only 5 elements. That is no match for a cleverly designed "blended threat". Many of the same "blended threats" are the same types or styles of attacks as in the data world: VOIP phishing scams, Distributed Denial of Service attacks (DDoS), Denial of Service attacks (DoS), man-in-the-middle attacks, eavesdropping, identity management, viruses, SPIT (Spam over Internet Telephony), unwanted access (call records, stored messages, etc.), deregistering users, point-and-click wire tapping, cross over (a data virus crossing over to voice on unsegmented networks), application flood attacks, etc. All of these attacks are just as costly.
Again, all seven OSI layers will be utilized by cyber criminals to launch attacks, and networks will have to be inspected.
IP/video or IP/TV has several vulnerable areas to consider. First, like voice, it is a real-time transmission. A delay of any kind will cause a lack of quality and will be unacceptable. Second, cyber vandals can enter via set-top boxes, the large VOD servers that stream video, and the servers that are part of your IP security cameras. As soon as one begins to talk about application servers you enter into layer 7 of the OSI model. Next, an attack against the IP security cameras that surround an electric power facility or water system could be devastating to the facility as well as to the population.
Like VOIP, many of the same styles of attack are appearing. Operators will have to go beyond stateful firewalls and inspect all seven layers of the OSI model.
Cyber criminals will continue to uncover weaknesses and the processes to exploit both computer code and human interaction. In order to stay secure, our systems will have to inspect all seven layers of the OSI model in near real time for data, voice and video.
For more information please visit www.thebarriergroup.com
Hear the Barrier Group speaker at Remote 2009 Conference & Expo.
Visit www.RemoteExpo.com for more information.
Copyright 2009 WebCom Communications Corp.