Wednesday, September 28, 2005

Rootkits Make NSM More Relevant Than Ever



Federico Biancuzzi conducted an excellent interview with Greg Hoglund and Jamie Butler, authors of Rootkits: Subverting the Windows Kernel. I reviewed this book during publication for Addison-Wesley, but I don't plan to read it for personal education until I get deep into the programming part of my reading list. This is the sort of book that looks K-RAD on your bookshelf, telling those passing your cube that you've got m@d 31337 sk1llz. Doing something useful with the contents takes some real mastery of Windows programming, especially device driver development and a thorough knowledge of the material in Microsoft® Windows® Internals, Fourth Edition.

The interview reminded me that network security monitoring is needed now more than ever. It is easy for host-centric security types to concentrate on defending the desktop. In reality the battle for the desktop PC has been lost. When intruders can completely control all aspects of a running system, there is almost nowhere else for defenders to go. The only places left are in CPU microcode or outside the CPU itself, monitoring it via a hardware JTAG port as described in a recent Dr. Dobb's Journal article.

If the desktop cannot be trusted, then detection and prevention must be performed elsewhere, on a trusted platform outside the reach of the intruder and, more importantly, of the user. That leaves only the network infrastructure. While the network will not yield as rich a collection of evidence about host exploitation as the host itself, the data collected by network platforms bears a higher degree of trust: a rootkit can hide what the compromised host reports about itself, but it cannot alter what a passive sensor has already recorded.

I foresee a few roads ahead for corporate PC users, some of which may be taken simultaneously. We may see this at .mil or .gov earlier. One day arbitrary Web browsing and email communication with non-business-related parties will be forbidden. Alternatively (or simultaneously) PCs will be replaced by true non-Windows thin clients like Sun Ray 170s. Organizations adopting these practices will realize that they must do something to reduce the overall threat level (first option) and/or vulnerability level (second option).

6 comments:

Anonymous said...

Richard,
The Sun Rays were crap, at least the ones 2-3 years ago. SMU Legacy at Plano ACEC has a classroom full of them and the instructors loathed them due to unreliability. It might be easier for corporations to make use of Live CDs. The technology is mature. WinPE shows that even Windows can run from a RAMDISK, but it's so crippled it's sad. Another alternative is to redirect users' folders to a server and reimage the workstation automatically every so often, or if some condition is met. Some Brazilians did this with Linux and Windows on the same platform. The computer ran Windows, but if there was a problem, it could be rebooted into Linux and a new Windows image installed.

Richard Bejtlich said...

John,

Ok, so you think cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 Sun Rays from 2-3 years ago were bad. I am talking about Sun Ray 170s that were just released earlier this year and deployed at my last job. They are good, as far as I was able to judge cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365m.

Years ago at BATC Bamm and I used even older Sun Ray technology without problems.

Anonymous said...

In reality the battle for the desktop PC has been lost.

As sad as it sounds, Richard, you may very well be right. It may be b/c while the good guys have stood around twiddling their thumbs and patting themselves (and each other) on the back, others have subverted the systems.

When I was doing research for my book, I located a KB article from the MS PSS Security team, stating that most of the compromised systems they dealt with were compromised as a result of weak or non-existent Admin/root passwords. At that point, is the vendor really to blame, or did the Administrator give away the keys to the kingdom at installation?

H. Carvey
"Windows Forensics and Incident Recovery"
http://www.windows-ir.com
http://windowsir.blogspot.com

Anonymous said...

Couple points. First of all, I think the current trend is towards mobility, and that means laptops in the enterprise. Eventually this will continue on down the "smaller and faster" continuum until PDAs and cell phones take over the office. Only after this mobility swing can we get back to grounded workers...and by then I'll agree: thin is in.

Secondly, I agree that most Windows compromises are due to lack of administrative control and bad practices. However, I sympathize with anyone in an enterprise that does not give proper or full risk to security breaches. Unless you are regulated or your reputation will be damaged very badly, most companies go the easy and dangerous route of letting users run as admin, having little software installation protection, and overall poor desktop security. The perimeter is a strong point in most networks now, the internal network is still getting attention, but the desktops...oooh those soft luscious desktops....

Combine both points 1 and 2, and you have a formula that explains why I don't sleep some nights. :) (We have many laptops and getting more every week...and we just can't get people to accept more security.)
-LonerVamp

Anonymous said...

Laptops are a huge liability and should only be given out to certain people in a company.

Anonymous said...

I concur with Richard, with this caveat. My experience is that signature based systems (host and network) fail too often with both false positives and negatives. I've been focusing on statistical network anomaly detection for a while now. IDS systems like Bro or Snort/Spade, armed with detailed asset risk information, can be used to more quickly detect unauthorized behavior.

So...the terminal is eternally compromisable. Okay. The custom trojan/rootkit that can't be detected by signature mechanisms will still show up in your network session data. Hmmm...why is this box that never talks out to the internet all of a sudden transferring gigabytes at a time to a foreign IP address? Hmm...why has point-to-point DNS (or ICMP) traffic between these two hosts skyrocketed? Etc.

Also from personal experience though, advanced detection doesn't always equate to intelligent incident response.

YMMV,

Random Analyst
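The two session-data questions Random Analyst asks above (a quiet box suddenly pushing gigabytes to a foreign address; host-to-host DNS or ICMP volume skyrocketing) are exactly the checks the post's argument calls for, since they run on data a rootkit on the desktop cannot rewrite. Below is an added example of those checks, not code from the original post or from any commenter. The address space, the hosts, the flow records and the thresholds are all constructed; a real deployment would feed the same logic session records (Argus, NetFlow) collected by a sensor the monitored hosts cannot log into.

```python
"""Session-data anomaly checks over constructed flow records.

Added example; not code from the original post or its commenters.
All addresses, flows and thresholds below are constructed assumptions.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumption: the monitored internal address space.
INTERNAL_NETS = [ip_network("10.0.0.0/8")]


def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def is_covert_channel(proto, dport):
    """Host-to-host DNS and ICMP, the two protocols the commenter singled out."""
    return proto == "icmp" or (proto == "udp" and dport == 53)


# Constructed flow records: (day, src, dst, proto, dport, bytes_from_src).
# Days 1-3 form the baseline; day 4 is the day under review.
FLOWS = [
    # 10.0.1.20 is a file server that only ever talks internally.
    (1, "10.0.1.20", "10.0.1.50", "tcp", 445, 200_000),
    (2, "10.0.1.20", "10.0.1.50", "tcp", 445, 180_000),
    (3, "10.0.1.20", "10.0.1.51", "tcp", 445, 220_000),
    # 10.0.2.30 is a workstation with modest daily web traffic.
    (1, "10.0.2.30", "203.0.113.10", "tcp", 443, 2_000_000),
    (2, "10.0.2.30", "203.0.113.10", "tcp", 443, 1_500_000),
    (3, "10.0.2.30", "203.0.113.11", "tcp", 443, 2_500_000),
    # A few hundred bytes of DNS a day between two workstations.
    (1, "10.0.2.30", "10.0.2.31", "udp", 53, 300),
    (2, "10.0.2.30", "10.0.2.31", "udp", 53, 350),
    (3, "10.0.2.30", "10.0.2.31", "udp", 53, 320),
    # Day 4: the file server pushes gigabytes to a never-seen foreign address,
    # the workstation looks normal, and DNS between the two workstations explodes.
    (4, "10.0.1.20", "10.0.1.50", "tcp", 445, 210_000),
    (4, "10.0.1.20", "198.51.100.7", "tcp", 443, 3_000_000_000),
    (4, "10.0.2.30", "203.0.113.10", "tcp", 443, 1_800_000),
    (4, "10.0.2.30", "10.0.2.31", "udp", 53, 48_000_000),
]


def build_baseline(flows, last_baseline_day):
    """Summarise the period believed clean: per host, the external destinations
    seen and the peak bytes sent externally in one day; per internal pair, the
    peak daily bytes over DNS/ICMP."""
    egress_daily = defaultdict(lambda: defaultdict(int))
    egress_dsts = defaultdict(set)
    covert_daily = defaultdict(lambda: defaultdict(int))
    for day, src, dst, proto, dport, nbytes in flows:
        if day > last_baseline_day:
            continue
        if not is_internal(dst):
            egress_daily[src][day] += nbytes
            egress_dsts[src].add(dst)
        elif is_covert_channel(proto, dport):
            covert_daily[(src, dst)][day] += nbytes
    return {
        "egress_peak": {src: max(d.values()) for src, d in egress_daily.items()},
        "egress_dsts": {src: set(s) for src, s in egress_dsts.items()},
        "covert_peak": {pair: max(d.values()) for pair, d in covert_daily.items()},
    }


def review_day(flows, baseline, day, new_host_bytes=100_000_000,
               spike_factor=10, covert_floor=1_000_000):
    """Alerts for `day`:
      new-egress   : a host with no external history sends >= new_host_bytes
      egress-spike : a host exceeds spike_factor x its baseline daily peak
      covert-spike : DNS/ICMP between two internal hosts exceeds
                     max(spike_factor x baseline peak, covert_floor)
    Egress alerts list the external destinations absent from the baseline."""
    egress_today = defaultdict(int)
    new_dsts = defaultdict(set)
    covert_today = defaultdict(int)
    for d, src, dst, proto, dport, nbytes in flows:
        if d != day:
            continue
        if not is_internal(dst):
            egress_today[src] += nbytes
            if dst not in baseline["egress_dsts"].get(src, set()):
                new_dsts[src].add(dst)
        elif is_covert_channel(proto, dport):
            covert_today[(src, dst)] += nbytes

    alerts = []
    for src, nbytes in egress_today.items():
        peak = baseline["egress_peak"].get(src, 0)
        if peak == 0 and nbytes >= new_host_bytes:
            alerts.append(("new-egress", src, sorted(new_dsts[src]), nbytes))
        elif peak and nbytes >= spike_factor * peak:
            alerts.append(("egress-spike", src, sorted(new_dsts[src]), nbytes))
    for (src, dst), nbytes in covert_today.items():
        peak = baseline["covert_peak"].get((src, dst), 0)
        if nbytes >= max(spike_factor * peak, covert_floor):
            alerts.append(("covert-spike", src, dst, nbytes))
    return alerts


if __name__ == "__main__":
    base = build_baseline(FLOWS, last_baseline_day=3)
    for alert in review_day(FLOWS, base, day=4):
        print(alert)
```

On the constructed data this raises exactly two alerts: a new-egress alert for the file server's 3 GB to 198.51.100.7 and a covert-spike alert for the DNS volume between the two workstations, while the workstation's ordinary web traffic stays quiet. Two caveats a practitioner would add: the baseline is only as good as the assumption that days 1-3 were clean, and a patient intruder can pace transfers to stay under the thresholds, which is why the underlying session records should be kept for retrospective analysis rather than discarded once the daily check has run.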