Threat Level: green Handler on Duty: Brad Duncan

SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2006-07-12 InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Botnet traffic using TOR

Published: 2006-07-12
Last Updated: 2006-07-13 04:51:39 UTC
by Jason Lam (Version: 2)
0 comment(s)
A reader (AnthraX101) recently wrote to us about seeing botnet traffic leaving TOR network towards Internet. We are not sure at this point whether the botnets itself uses TOR or just a specific machine configured to route everything through TOR. Either way, if malware start using TOR to report back centrally, it might make detecting them more difficult. From an incident handler perspective, it makes pinpointing the victims more difficult.

For the Enterprise security folks, it might be time for you to consider blocking the use of TOR.

Update:

After working with REN-ISAC on this, we have determined this specific instance is not a TOR enabled botnet, the traffic likely was configured to flow thru TOR on the host.


Keywords:
0 comment(s)

Recent Two factor authentication attacks

Published: 2006-07-12
Last Updated: 2006-07-12 23:04:15 UTC
by Jason Lam (Version: 1)
0 comment(s)
There has been recent report of two factor authentication protected websites getting attacked by the man-in-the-middle type of setup where the victim enter information (include the token code) into a look-alike website, this look-alike website immediate uses those credential to login to the actual financial site. Obviously, upon success login by the user, the attacker can immediately execute the fraudalent transaction.

While this might sound shocking to the financial industry since we haven't seen too many of these attacks, the theory of the attack and the risk have certainly been well understood within the security community. (I have written an article on this back in April)

Overall, two factor authentication will reduce the risk of attacks by raising the effort of the attacker to compromise the accounts, but it might not have the level of security enhancement that some people believed. In the man-in-the-middle attack, the flaw happens due to the lack of verification of the bank's website by the victim, the victim are simply tricked into yielding credentials to a web site without authentication. This is really outside of the protection zone of the extra authentication factor.

To futher extend this, two factor authentication also does NOT protect the end host security, a malware (such as keylogger, BHO) could be installed on the client's machine and effectively gather the credential and login on behalf of the victim instead of letting the victim login.

This is a classic problem of "you are only as secure as the weakest link". Two factor authentication is good for secure authentication but does not take care of mutual authentication or endpoint security. From the financial organization perspective, maybe further investment into mutual authentication and ensuring client's computer being free of malware would be necessary to protect the client's online transactions.


Keywords:
0 comment(s)

Debian development server compromised

Published: 2006-07-12
Last Updated: 2006-07-12 23:04:09 UTC
by Jason Lam (Version: 1)
0 comment(s)
Looks like the debian developement server (hosting the cvs amongst other services) has been compromised. The Debian folks are still investigating the incidents at this point. No words on whether the any source code were altered yet.

From stories like these, we can't stress the point of having a HIDS system. From experience, some server could be compromised over 6 months before someone even notice about it. Having some type of HIDS such as AIDE or Tripwire can hopefully reduce the detection time.
Keywords:
0 comment(s)
Diary Archives