No trust without independent control

it is not new software or code but an older version, but as the code of the zeus botnet is freely available online, you can imagine that it is just another try-out by some guys. With 100.000 infections, they should be quite happy but they forgot to register the domainnames for the command and controlservers that they had hardencoded  in the virus, so a securityfirm did it and intercepted all the traffic from all those infected posts worldwide awaiting instructions. Shadowserver is now coordinating the distribution of the lilsts of IP addresses to the people responsable for security worldwide.

You can check already for yourself if some of your posts were infected by blocking traffic to the following domains. If you have traffic to those domains, those posts are infected - and you should start thinking about another layer of defense (proxy, webfiltering, botnetblockers for more important networks,....) and closing down more ports and destinations for your internettraffic.

Zeus will intercept all your credentials and private information and send them to the botnet controllers who will sell them or use them.

The domains are

• eitaepiephohthieleibesha.com
• llakjshbeyrv3421jbs88xc.com
• nmbnxcbjbh3hbhbdhjb3l4kjbn.com
• nzytgero34xbhsbc8484kk.com

It seems that it used malvertising (those infected or fake advertising banners in websites) coming from

damagecontrol.in.

and this leads to infections with rogue securitysoftware from

domainpricingdetails.com

which redirects to the exploit attack pages at

www.premiumsoftware.ru

where you are attacked with a PDF file called asshole.pdf (I am not making this up)

Antivirus detection is not good at all but who said that an antivirus would protect you perfectly, it is only a basic start. Just as with a car it depends on what you do, not what you have (although that may limit the risks a bit).

One of the reasons that Cyberwar is being used is out of desperation. Activists and decisionmakers are sometimes desperate about the nearly total incomprehension and realisation or attention for the risks that come with a digitalized economy and society (and army). You can see that desperation when those associations, big digital corporations and activists are jumping on whatever subject that is for some time in the media and that could be used to get more funding and attention. Once it is about online pedophiles and the dangers for our kids, than it is about cyberespionage if some case is effectively publicized and another time it is about the dangers of being too dependent on the internet for social relationships.

Cyberwar is just one of these subjects but like the other subjects that were mentioned cyberwar is not a good basis for an ideology about cybersecurity. An ideology needs more and war as an ideology is very dangerous, even if you think that in the short run you may get more funds for some time. It is dangerous because you are supporting an ideology that is in fact militaristic. Not to say that any military action is bad and not to say that I am against an effective military infrastructure that can be used to defend our democracy and protect against its external enemies and also - to be totally clear - if a democracy decides to send its armies to a faraway country it should do so openly and strongly. We should never send our soldiers somewhere to be slaughtered because  their operational freedom is too limited for the war theater they are finding themselves in - and conditions can change over time. So this means that the army should have all the powers it needs to defend its networks and cyberinfrastructure just the same way it defends its bases and infrastructure in their country.

But this does not mean that the army should take over the securisation of the national internet beyond the defense of the critical infrastructure and without the necessary democratic oversight. This does not mean that by starting a turf war with the intelligence services for those cybersecurity funds the result will be that neither can do a good job because both are getting too little for all the tasks they think they should be doing while affecting too much to those jobs they shouldn't be doing. Intelligence is something different from national military defense and is as important. Because both jobs are so important they should be clearly limited and defined and they should have the appropriate institutions, funding and oversight and should cooperate without trying to outsmart each other. If all the funding for cybersecurity that the US is now preparing to invest would be invested wisely and without overlapping projects or infrastructure the US would have no problem defending its national critical infrastructure and its international military digital networks. The series in the Washington Post show otherwise. The problem with big countries is that they can spend so much money in defense and intelligence that it sometimes doesn't seem to matter. In Belgium we will have to define clearly the different roles and responsabilities so we can spend the limited resources more wisely.

Having said all that - to make clear that I am not against the army or intelligence services and the role they are playing in our democratic societies if they follow the democratic rules and accept the democratic debate. And that I don't want to limit their responsabilities and resources for the cyberdefense of the infrastructure they are to be held responsable for. And as a last thing - I also think that some military form of organisation, structuring and command of the cyberdefense of a country can make it easier to respond fast and effectively against attacks and follow up faster against vulnerabilities (even if the army in its history hasn't always been a good example of taken adequately risks and vulnerabilities into account). But this doesn't mean that the army has to take over the cyberdefense of a country as a whole.

Cyberwar is not the right ideology for cybersecurity because war is an extreme situation in which real destruction and chaos is around us and the army is in fact the only institution capable of keeping up the appearance of organisation and decisionmaking. It means that in wartime the whole society becomes militarized and democratic oversight is just very limited.

Cybersecurity should in fact be the defense of our democracy, free speech and freedom of organisation and creativity. We should be using internet like we use electricity, gas or water. Somewhere there will be organisations controlled and funded by society who will do everything to keep it as clean and safe as possible. They will not control how much we use and for what reason.

to be continued

they have been informed

Sandboxing is a technique or architecture in which a file or operation can only do things in its proper environment and can't place things on the computer itself (ex temporary files) or make changes to it (registry, dns, ....). It is the next level of security and will complement the firewall because it will close all the backdoors and tricks that internetbased infections use to bypass the firewall and infect your machine.

PDF was before a fileformat that was easy to trust because it did nothing while the Office files were full of scripts (and infections) and had access to the rest of the system (they infected). When the PDF files became smart (with scripts and functions and integration with other files) without incorporating enough security checks if took only a year for the PDF fileformat to become the main distributor of viruses. The last year it also became clear that it was impossible to win that tit-for-tat war. Every time Adobe found a solution for a securityproblem or bug there were new techniques that made it even harder to discover or neutralise the threats. This was even becoming more dangerous to the format (and the business) itself as it also became the format by preference for targeted attacks against governmental agencies and businesses. As PDF was before the format by excellence to distribute information independently of the version of the Office package or other wordprocessor a business or governmental agency was using, there were enough incidents to make security officials look desperately for solutions.

The only solution was blocking all PDF files on the outside of  the network and cleaning them of all codes and functionality and resending them as stupid read-and-print only files. Such a product does not exist yet, but I wouldn't be surprised if it would be incorporated as a function or launched as a box soon. Especially in environments were Data Leakage Prevention is essential.

THe securityteam of Adobe seems to be working along the same way of thinking and has announced that the new Adobe Reader will open PDF files in a strictly controlled Sandbox. It has worked with other sandbox developers (for example from Microsoft who uses it for its new Office Files) to integrate this in the reader itself. You can expect that it will take a while before all the different possibilities of bypass have been closed (as the EID has learned us) but in the end this will be an essential functionality that will re-establish the trust we had in PDF files. It will also stop stupidly simple attacks while such files in very limited and strict environments will be handled anyway with much more strict controls.

The next update of Adobe will be an essential one you will have to implement as fast as possible.

This WILL NOT WORK FOR WINDOWS2000. You should throw out these machines. They are defunct, dead and dangerous (because they put the rest of the network and its data and your business in danger).

"With Adobe Reader Protected Mode enabled (it will be by default), all operations required by Adobe Reader to display the PDF file to the user are run in a very restricted manner inside a confined environment, the “sandbox.” Should Adobe Reader need to perform an action that is not permitted in the sandboxed environment, such as writing to the user’s temporary folder or launching an attachment inside a PDF file using an external application (e.g. Microsoft Word), those requests are funneled through a “broker process,” which has a strict set of policies for what is allowed and disallowed to prevent access to dangerous functionality.

The initial release of Adobe Reader Protected Mode will be the first phase in the implementation of the sandboxing technology. This first release will sandbox all “write” calls on Windows 7, Windows Vista, Windows XP, Windows Server 2008, and Windows Server 2003. This will mitigate the risk of exploits seeking to install malware on the user’s computer or otherwise change the computer’s file system or registry. In future releases of Adobe Reader, we plan to extend the sandbox to include read-only activities to protect against attackers seeking to read sensitive information on the user’s computer. http://blogs.adobe.com/asset/2010/07/%20introducing-adobe-reader-protected-mode.html"