
Skype as the Attack Vector

June 04, 2006
It's often hard to actually measure the risk exposure to a threat, given how overhyped the insecurities of certain market segments and products get over time. Gartner and the rest of the popular marketing research agencies seem to be obsessed with Skype as the major threat to enterprises, while Skype isn't really the bad news; compliance is, with respect to the retention or monitoring of VoIP, P2P, IM and email communications. From the article :

"The most recent bug in Skype is another clue to enterprises that they should steer clear of the VoIP service, research firm Gartner recently warned. Two weeks ago, Skype patched a critical vulnerability that could let an attacker send a file to another user without his or her consent, and potentially obtain access to the recipient's computer and data. This vulnerability follows three in 2005 (two high-risk, one low-risk) and highlights the risk of not establishing and implementing an enterprise policy for Skype," wrote Gartner research director Lawrence Orans in an online research note. "Because the Skype client is a free download, most businesses have no idea how many Skype clients are installed on their systems or how much Skype traffic passes over their networks."

There's a slight chance an enterprise isn't already blocking Skype, using both commercial and public methods wherever applicable. Moreover, it would be much more feasible to consider the fact that, if the enterprise -- assuming a U.S. one -- isn't blocking the use of Skype, it must somehow monitor/retain its use in order to comply with standard regulations. Skype poses the following problems :

- inability of the enterprise to retain IM and VoIP sessions in accordance with regulations
- wasted bandwidth, costing lost productivity and direct cash outflows, and slowing down critical network functions
- covert channel possibilities

Several months ago, Skype was also discussed as a command'n'control application for botnets, while steganography based communications and plain-simple encrypted/stripped IRCd sessions remain rather popular. Malware authors are actively looking for ways to avoid IRC given the popularity it has gained and the experience botnet hunters have these days.

Skype is the last problem to worry about. By the same logic, the recent vulnerabilities in major market-leading AVs would have a higher risk exposure factor, as there's a greater chance of malware occurring than of a Skype vulnerability. It's vulnerabilities in software in principle that you have to learn how to deal with, along with the third-party applications that somehow make it onto your company's network.

More resources :
Skype Security Evaluation
Silver Needle in the Skype
Skype Security and Privacy Concerns
Impact of Skype on Telecom Service Providers

"IM me" a strike order

April 12, 2006
In my previous post "What's the potential of the IM security market? Symantec thinks big" I commented on various IM market security trends, namely Symantec's acquisition of IMLogic. It's also worth mentioning how a market-leading security vendor was able to quickly capitalize on the growing IM market and turn the acquisition into a valuable solution in the giant's portfolio. What's also worth mentioning is the military interest in instant communications on today's battlefield, powered by network-centric warfare. Today I came across an interesting recent development, namely that :



"The US Army, Navy, and Air Force have deployed protected interoperable instant messaging (IM) systems among the three branches. Army Knowledge Online, Navy Knowledge Online, and the Air Force’s Knowledge Management Portal built the IM systems for 3.5 million users from Bantu's Inter-domain Messaging (IDM) gateway, a policy-driven with role-based access controls. The system will carry messages over sensitive and secret networks, and can populate a user's contact list with appropriate officials in the chain of command. Intelligence agencies will hook into the system to work with the military, and the Department of Homeland Security is also interested in the IM system."



Flexible military communications have always been of great importance, and flexibility here stands for securely communicating over insecure channels -- IP based communications. While you might not have heard of Bantu before, to me their real-time network for interagency communication sounds more like a security through obscurity approach -- temporary gain and possible long-term disaster.

Could the instant communication finally solve the Intelligence Community's information sharing troubles?


In a relatively recent report I came across, "a survey was hosted on the Secret Internet Protocol Router Network (SIPRNET) so that personnel could respond to the survey from the convenience and privacy of their own workstations" in order to measure the communication requirements of various staff members. Some of the findings worth mentioning :



- MS Chat was used by at least 50% of all command groups
  - 100% of Afloat Staffs, 86% of Carriers, 78% of Cruisers & Destroyers, 50% of Support
- XIRCON was used by 28% - 50% of command groups
  - 50% of Support, 41% of Carriers, 32% of Cruisers & Destroyers, 28% of Afloat Staffs
- Lotus Sametime was used by 0 – 44% of command groups
  - 44% of Afloat Staffs, 16% of Cruisers & Destroyers, 10% of Carriers, 0% of Support
- mIRC was used by 13 – 33% of command groups
  - 33% of Support, 23% of Carriers, 22% of Cruisers & Destroyers, 13% of Afloat Staffs



Lotus Sametime and mIRC seem to be the only survivors; still, the implications of using the above with respect to the powerful execution of various network-centric warfare events would definitely raise not just my eyebrows. Two years ago, led by IMLogic, a consortium on IM threats was established: the IM Threat Center, an indispensable early warning system for anything related to IM malware.



Would age-old IM threats re-introduce themselves on military networks like never before? Whatever the outcome, information overload wouldn't necessarily be solved through instant communications alone, but in combination with powerful visualization concepts as well.



The post recently appeared at LinuxSecurity.com: "IM me" a strike order




The end of passwords - for sure, but when?

February 16, 2006
My first blog post "How to create better passwords - why bother?!" back in December, 2005, tried to briefly summarize my thoughts and comments I've been making on the most commonly accepted way of identifying yourself - passwords.

Bill Gates commented on the issue, and note where: at the RSA Conference, perhaps the company that's most actively building awareness of the potential of, and need for, two-factor authentication, or anything else but static passwords, for various access control purposes. Moreover, it was again Bill Gates who wanted to integrate the Belgian eID card with MSN Messenger (Anonymity or Privacy on the Internet?). Microsoft are always reinventing the wheel, be it with antivirus or their Passport service, and while they have financial obligations to their stakeholders, I feel it's the wrong approach on the majority of occasions.

What I wonder is, are they forgetting the fact that over 95% of the PCs out there run Microsoft Windows, and not Vista, and how many would continue to do so, polluting the Internet at the bottom line? My point is that MS's constant rush towards "the next big thing" doesn't actually provide them with the resources to tackle some of the current problems, at least in a timely manner. What do you think? What could Microsoft do to actually influence the acceptance of two-factor authentication, and moreover, how feasible is the concept at the bottom line?

Technorati tags :
security, microsoft, authentication, passwords

Skype to control botnets?!

January 26, 2006
I just read an article from CNET on how "Skype could provide botnet controls", with which I totally disagree. Skype and VoIP communications can actually provide botnet herders with the opportunity to communicate, rather than acting as a platform for malicious attacks.

And old-fashioned DDoS attacks the way we know them work damn well as a concept. Years ago, quite some :), worming of Linux boxes was on the rise, and the Honeynet Project was conducting outstanding research to build awareness of this fact. These days, the penetration of broadband and the thousands of users with ISP-like bandwidth make the need to look for bandwidth irrelevant. Instead of breaching into core routers and looking for bandwidth, that DDoS attack power is gathered through the collective breaching of thousands of hundreds of unprotected, unaware or naive end users.

Botnet communications evolve each time a new disruptive technology pops up. On the other hand, botnet herders are having trouble finding out the exact number of their botnet due to lack of server capacity, and as I once mentioned in my Malware - future trends research, encryption seems to be the logical move.

And the trade-off would eventually be the communication delays, given the size of the botnet and the encryption approaches of course. Bots that lack the weakness of idleness on public IRC servers are already "talking" and trying to act as legit as possible. My point is that the bigger a botnet gets, the harder it is to maintain, that's logical, and it's good news for everyone, until someone standardizes a possible communication protocol.

Scary thoughts, but a simple botnet/malware communication protocol could, for instance, cause a lot of trouble for everyone. Is centralization of botnets a good thing for the industry with respect to tracking them, and how would things evolve? Skype is totally out of the question from my point of view, or is it not?

Some nice insights on botnet communications can be found at :
The Zombie Roundup: Understanding, Detecting, and Disrupting Botnets


What's the potential of the IM security market? Symantec thinks big

January 04, 2006
Yesterday, Symantec, one of the world's leading security, and of course, storage providers, acquired IMlogic, a leading provider of Instant Messaging security solutions. How sound is this move anyway? Doesn't Symantec already have the necessary experience in this field?

IMlogic has never been a build-to-flip company. Dating back to 2002, it has managed to secure important customers, Fortune 1000 companies as a matter of fact, and acts as a preferred choice for many of them. And given that enterprise IM is exploding, and so is home use, the real-time nature of this type of communication has always been acting as a hit-list in my mind. Client based vulnerabilities, social engineering attacks, auto-responding malware, and many other issues are among the current trends. How huge is the potential of IM security, or is it me just trying to think big in here, compared to Symantec's simple product line extension ambition?

Besides acting as another propagation vector for future malware releases, IM usage worldwide is already outpacing the most common form of Internet communication -- email. A Radicati Group research report entitled "Instant Messaging and Presence Market Trends, 2003-2007" indicates the same. The group predicts that :

- 1,439 million IM accounts in existence by 2007
- a very significant increase in corporate implementation of IM, from 60 million accounts today to 349 million in 2007.
- that's a degree of monopoly, as always!

Lucky you, Symantec!

At the risk of being a pessimist, I have, though, witnessed how unique organizations and teams eventually got swallowed by the corporate world. And it's their know-how that I truly miss these days. You can, though, still go through Symantec's constantly updated list of acquired companies, and it's evident they are fully committed to remaining a market and knowledge leader. I also recommend you read a great article at eWeek entitled IM Threats : The Dark Side of Innovation to find out more about the current trends. What's your attitude about them?!
