
Archive for January, 2008


Jan18
by Paul Ferguson (Advanced Threats Researcher)

Historically, “sensitive” networks have traditionally enjoyed a sense of security due to their total, and complete separation from publicly accessible networks.

In fact, most of us old-school “security wonks” have always joked about the fact that the “…only real security is a pair of wire cutters…” to humorously illustrate the fact that nothing is really secure that is exposed to uncertainty, or untrusted access.

This has always been true in my personal background, having worked in U.S. Military COMSEC disciplines over many years. And given the fact that I have also worked in the Internet security arena for almost 20 years, I figure this gives me some unique insight into some of these issues.

The same security postures which can be applied to COMSEC can, and should, be true of SCADA (Supervisory Control And Data Acquisition) systems.

When you think “SCADA”, think power, water, etc. The systems that allow civilization to function.

First and foremost, these systems should never — never — be connected in any way, shape, or form to the public Internet. Not even as VPNs, or overlay networks. This is simply wrong-headed.

Unfortunately, some business decisions over the course of the past 15 years have allowed the “public” and “private” networks to become dangerously close in proximity, due to “cost savings” and “operational efficiency” business decisions — by companies that control the very systems which deliver these life-sustaining services to the world’s population.

It’s one thing to steal passwords, perpetrate fraud, and other financial theft-based cyber crimes — but it is ominously more dangerous to shut down the electricity to a complete region of a power grid.

If there is anyone out there who thinks that this is only the storyline of blockbuster movies, think again.

There are certainly forces “out there” who wish to wreak havoc, cause damage, and claim victory.

And they are using the exact same methods to infiltrate SCADA infrastructure that they are using to steal unwitting victim’s checking account information.

“Fergie”, a.k.a. Paul Ferguson
Internet Security Intelligence
Advanced Threats Research


Jan18
by Roderick Ordoñez (Technical Communications)

Mac users beware: a rogue system cleaner calling itself “MacSweeper” has recently surfaced. Although it doesn’t really do anything malicious, once installed, it can be really difficult to remove.

MacSweeper claims to scan the system and report any privacy violations. It does find plenty of these “privacy violations,” but to remove these violations, one has to purchase the full version of the software.

If you’re a Windows user, a scenario such as this may sound all too familiar.

There is a legitimate Mac Sweeper (yes, two words). The screenshot below from Softpedia shows a window from the real one:

Real Mac Sweeper

The fake MacSweeper (one word here), on the other hand, has an interface like the one below:

Fake MacSweeper

Clicking the Purchase button takes the user to this page:

Purchase page

What’s even more suspicious is that a visit to the product’s Web site initiates an online scan and releases vulnerability reports in folders that exist only in Macs — even if you’re browsing using a Windows machine.

The Web site also gives an abstract of the company’s profile, which would actually be believable if it weren’t obviously copied and pasted straight out of Symantec’s site — and, more recently, out of Kaspersky’s site as well.

Trend Micro detects this rogue app as OSX_MACSWEEP.A.

The rising popularity of Macs may be luring malware authors to test the profits to be made on this platform. The tide is turning, and what many security experts have predicted is coming true: the days of the malware-free Mac are numbered.


Jan17
by Paul Ferguson (Advanced Threats Researcher)

Being an old-school network engineering flunky, with a heavy dose of network security discipline, it somehow never ceases to amaze me that people just don’t seem to learn from their mistakes — or other people’s mistakes, as the case may be.

Almost five (5) years ago, the SQL Slammer worm should have made people realize that having these types of critical infrastructure resources accessible from the Internet is just a really, really bad idea.

But apparently people just don’t seem to learn from the past.

Very recently, we have seen thousands of webpages compromised via (suspected) SQL injection attacks, which in turn led to web threats that put hundreds of thousands of potential Internet users at risk of being compromised.

The end-game here is that these unwitting users could be victimized via identity theft, credit card credential theft, or worse.

Today, we learn about a tool floating around in the “underground” called sqlmap:

sqlmap is an automatic SQL injection tool entirely developed in Python. It is capable of performing an extensive database management system back-end fingerprint, retrieving remote DBMS databases, usernames, tables, columns, enumerating the entire DBMS, reading system files and much more, taking advantage of web application programming security flaws that lead to SQL injection vulnerabilities.

This is very bad news for a lot of websites who continue to allow their back-end SQL systems to be exposed to The Internet.

This is just a bad, bad practice and should be discouraged at every opportunity.

Ryan Naraine wrote back in mid-November 2007 on ZDNet’s “Zero Day” Blog that:

A survey by renowned database hacker David Litchfield has found a whopping 492,000 Microsoft SQL and Oracle database servers directly accessible to the Internet without firewall protection.

Litchfield, co-founder of Next Generation Security Software, ran port scans against 1,160,000 random IP addresses — TCP port 1433 (SQL Server) and 1521 (Oracle) — and found about 368,000 Microsoft SQL Servers directly accessible on the Internet and around 124,000 unprotected Oracle database servers.

You do the math — it all adds up to some really bad numbers in my book.

If organizations do not do more to protect their back-end systems, they will be compromised, and their brand name and business may suffer as a result.

Did I mention this is bad?

Clarification added (11:35 PST, 18 Jan. 2008): It appears that this SQL injection tool accomplishes its work by finding and exploiting SQL injection flaws on public-facing webpages which might contain, for instance, CGI forms — so that the SQL database server itself does not have to be directly, publicly accessible.

While this, of course, doesn’t negate the fact that SQL database servers still should not be publicly accessible, this puts additional focus on the need to ensure that public-facing webpages are properly & securely implemented.

“Fergie”, a.k.a. Paul Ferguson
Internet Security Intelligence
Advanced Threats Research


Jan17
by Robert McArdle (Threats Analyst)

Valentine’s Day (February 14th) is a day originally named after the two Christian martyrs who died over 1700 years ago. Nowadays, of course, it is a day of love, happiness, and men frantically trying at the last minute to find a florist that still has roses in stock. Since the 19th century’s introduction of greeting cards, Valentine’s Day has become more commercialised, and — for many companies — a huge source of revenue. Not known for being slow on the uptake, the malware industry has for years taken advantage of this holiday to huge effect. With less than a month to go (and with the obvious culprits already jumping the gun), here is a short look back down memory lane at the Valentine’s Day malware of the 21st century:

  • 2007: WORM_NUWAR.AAI
    Storm was again the culprit here, with an email containing a large set of subjects. This was before Storm really started to use links to sites with vulnerabilities, so attachments such as Greeting card.exe were the attack vector. An interesting trick used by the malware was to randomly generate the email address in the From field from a long list of girls’ names… everything from “Aldora” to “Zilya”. Maybe the authors thought that men would be the only ones foolish enough to open the attachment. Judging by the growth of the Storm botnet around that time, it appears they were right.
  • 2006: WORM_BAGLE.EW
    Spread via email with subjects such as “Will You Be My Valentine?” and “Love you with all my heart!”, this threat also included one of three romantic poems and a background full of images of the classic Valentine’s Day heart to entice the user to open the attached love_me.exe.
  • 2005: WORM_KIPIS.E
    Another mass-mailer with all the normal trimmings. Although it had normal attachments with names like Valentine.exe, other names such as porno_03.exe were kind of missing the point of the holiday.
  • 2003: TROJ_CUPIDCARD.A
    This was actually a piece of adware instead of a mass-mailing worm. In addition to the usual behaviour, it would launch a clean file called “VALSDAY.EXE” that showed the following ecard:
  • 2002: VBS_NUMGAME.A
    Want to play a game? No, it’s not another awful SAW movie, but a good ol’ fashioned threat from the days before we even thought of the word “cybercrime”. Posing as a number-guessing game (hence the clever name) from your Valentine, this nasty little thing resets your system date… oh, and also deletes the contents of your hard drive.
  • 2001: VBS_VALENTIN.A
    Another “old-style threat” with a payload that is triggered on February 14th. All files on an affected machine are overwritten by a Spanish love note written by the malware author, who is supposedly professing his love for “Davinia, the most beautiful girl in the world”. The author assures users not to worry, as their files have not been infected by a virus, but merely “sacrified for the love I feel for Davinia”. Not very comforting, to be honest.

So remember, folks: although the Storm crew have already got the show on the road, they won’t be the only ones. So if you receive a romantic email over the next couple of weeks from an address you don’t recognise (or from one that you do, for that matter), for your sake I really do hope it’s from the Brad Pitt/Angelina Jolie look-alike who just started last week at the desk opposite yours.

However, it might be a good idea to just play safe and delete that email. After all, if they really did want to be your Valentine, they would be down in the florists frantically trying to buy those last roses.


Jan17
by Jasper Pimentel (Advanced Threats Researcher)

On January 15, Microsoft released Security Advisory (947563), which reports a newly discovered vulnerability in Microsoft Excel. This vulnerability allows a remote attacker to execute code on the affected system once the victim opens a specially crafted Excel file with malformed headers.

This vulnerability affects the following software:

  • Microsoft Office Excel 2003 Service Pack 2
  • Microsoft Office Excel Viewer 2003
  • Microsoft Office Excel 2002
  • Microsoft Office Excel 2000
  • Microsoft Excel 2004 for Mac

According to Microsoft, “At this time, we are aware only of targeted attacks that attempt to use this vulnerability.” Note that this vulnerability is still under investigation. Although the risk at this time seems to be limited, it is highly probable that malware authors are already trying to exploit this vulnerability, especially since Office documents can be effective infection vectors for malicious attacks. Users should be extra vigilant about Office files that they receive from untrusted sources or that arrive unexpectedly from trusted sources.

More information about this vulnerability can be found on this site:



© Copyright 2008 Trend Micro Inc. All rights reserved. Legal Notice