Whitepapers

This site, www.technicalinfo.net, was originally created back in 2001 to act as the home of whitepapers and articles written by Gunter Ollmann. Right from the beginning, Gunter strove to dissect the techno-babble of Internet security and to carefully explain what it was actually all about in as simple a manner as possible - while still keeping the content educational.

In this section of the site you will find copies of all the major whitepapers produced by Gunter. Given the different security roles and companies he has worked for since 2000, the papers tend to reflect the emphasis of his work at that period in history - so the topics tend to be a little varied.
Botnet Communication Topologies
Understanding the intricacies of botnet Command-and-Control

A clear distinction between a bot agent and a common piece of malware lies within a bot's ability to communicate with a Command-and-Control (CnC) infrastructure. CnC allows a bot agent to receive new instructions and malicious capabilities, as dictated by a remote criminal entity. The compromised host can then be used as an unwilling participant in Internet crime as soon as it is linked into a botnet via that same CnC.

The criminals actively controlling botnets must ensure that their CnC infrastructure is sufficiently robust to manage tens of thousands of globally scattered bot agents, as well as resist attempts to hijack or shut down the botnet. Botnet operators have consequently developed a range of technologies and tactics to protect their CnC investment. This paper reviews the tactics commonly employed by botnet operators to maintain control of their botnets and the impact of these tactics on standard network-blocking protection stratagems.
The Botnet vs. Malware Relationship
The one-to-one botnet myth

A common misperception of cyber-crime botnets is that a one-to-one relationship exists between a malware bot agent and an individual botnet. Even if this had been a true statement back when botnets first began to appear, it is not true today. The key is the development of commercial build-it-yourself malware kits. These professional-grade tools lower the entry-level requirements for creating a malware bot agent, constructing a Command-and-Control (CnC) structure, and controlling the resultant botnet.

As a result, sophisticated botnets are well within the grasp of any technically savvy user who knows how to use an Internet search engine and build a Web site. Enterprise organizations must change their focus from identifying malware by name to identifying the criminals behind individual botnets in order to keep up with this evolving threat.
Anti-Fraud Image Solutions
The Use of Distribution Tracing Within Web Content to Identify Counterfeiting Sources

Many of today's more successful Internet-based fraud tactics require the counterfeiting of popular transactional Web sites such as financial portals, stock-trading platforms and online retail sites. For the fraud to be successful, the cyber-criminal must typically clone most, if not all, of the targeted site's content and host the counterfeit site on a Web server under their control. With some minor modifications to the underlying HTML code and changes to the application logic, the cyber-criminal will seek to steal the personal authentication or authorization credentials of unlucky victims who fall for the counterfeit site. Armed with these credentials, the cyber-criminal will subsequently attempt to defraud the accounts of their victim.

This whitepaper provides an overview of the techniques available to organizations that wish to undertake such identification activities - evaluating the pros and cons of the various mechanisms and providing advice on how to employ this class of investigative technology.
Continuing Business with Malware Infected Customers
Best Practices and the Security Ergonomics of Web Application Design for Compromised Customer Hosts

Today's media is full of statistics and stories detailing how the Internet has become an increasingly dangerous place for all concerned. Figures of tens of millions and hundreds of millions of bot-infected computers are regularly discussed, along with approximations that between one-quarter and one-third of all home computer systems are already infected with some form of malware. With a conservative estimate of 1.4 billion computers browsing the Internet on a daily basis (mid-2008 figures), that could equate to upwards of 420 million computers that can't be trusted - and the numbers could be higher as criminals increasingly target Web browser technologies with malicious Web content, infecting hundreds of millions more along the way.

Despite these kinds of warnings and their backing statistics, online businesses have yet to fully grasp the significance of the threat. Most of the advice about dealing with the problem has focused on attempting to correct the client-side infection and yet, despite the education campaigns and ubiquity of desktop anti-virus solutions, the number of infected computers has continued to rise. The problem facing online businesses going forward is this: if upwards of one-third of their customers are likely to be using computers infected with malware to conduct business transactions with them, how should they continue to do business with an infected customer base?

This paper discusses many of the best practices businesses can adopt for their Web application design and back-office support processes in order to minimize this growing threat, along with helping to reduce several of the risks posed by continuing to do business with customers likely to be operating infected computers.
SEO Code Injection
Search Engine Optimization Poisoning

Search Engine Optimization (SEO) is a critical component in an organization's ability to be discovered by prospective customers and clients as they conduct online searches for information and products. It is a technique commonly employed by the largest and most sophisticated Internet businesses, and a key component of their online business strategy.

Unfortunately the nature of the SEO algorithms, and the subsequent modification of dynamic site content that they promote, means that they can often be manipulated by an attacker. Vulnerable Web applications can be used to propagate infectious code capable of compromising the organization's prospective customers and clients. This brief paper explains the technique referred to as SEO Code Injection or Poisoning, and the steps that may be taken to detect and mitigate the vulnerability.
Understanding the Web browser threat
Examination of vulnerable online Web browser populations and the "insecurity iceberg"

In recent years the Web browser has increasingly become targeted as an infection vector for vulnerable hosts. Classic service-centric vulnerability exploitation required attackers to scan for and remotely connect to vulnerable hosts (typically servers) in order to exploit them. Unlike these, Web browser vulnerabilities are commonly exploited when the user of the vulnerable host visits a malicious Web site.

Attacks against Web browsers depend upon malicious content being rendered by the appropriate built-in interpreter (e.g., HTML, JavaScript, CSS, etc.) or vulnerable plug-in technology (e.g., Flash, QuickTime, Java, etc.). Vulnerabilities lying within these rendering technologies are then exposed to any exploit techniques or malicious code developed by the attacker. Vulnerability trend reports have indicated that remotely exploitable vulnerabilities have been increasing since the year 2000 and reached 89.4% of vulnerabilities reported in 2007. A growing percentage of these remotely exploitable vulnerabilities are associated with Web browsers.

Profit-motivated cyber-criminals have rapidly adopted Web browser exploitation as a key vector for malware installation. Due to the methodology of exploiting Web browser vulnerabilities and the unpredictable browsing patterns of typical users, for widespread infection of vulnerable hosts the criminals must seed a mix of popular and high-traffic websites, or incentivize users through email spam, with URLs directing potential victims to Web servers hosting their malicious content. The former method is commonly known as drive-by download, where "drive-by" refers to the fact that Web browsers must initially navigate to a malicious page and "download" refers to the covertly downloaded and executed malware - typically Trojans.
Old Threats Never Die
Why Protection for Old Vulnerabilities can never be Retired

With year-on-year increases in vulnerabilities, malware and new threat vectors, businesses must deal with an expanding barrage of attacks. As threats mount, businesses place greater pressure on alerting and protection technologies designed to identify and block threats before they cause damage. Under pressure, protection performance and defense robustness can visibly weaken. In the physical world, when pressures mount, civil engineers consider their options. Unfortunately, many organizations have mistakenly opened spillways in their IT security defenses, allowing entire classes of attack to penetrate the network. The misguided decision to allow certain malicious traffic stems from underestimating the duration of a particular threat, or investing in protection technologies unable to cope with mounting pressure - technologies now rendered obsolete in the face of advanced threats.

Businesses must understand basic aspects of the lifecycle of Internet threats in order to apply the proper security strategy. In particular, organizations need to be aware that old threats never actually retire from the digital landscape. Rather, they tend to become background noise on the Internet - ready to burst into life with each new software update, host recovery, device deployment or embedded system release.
X-morphic Exploitation
One-of-a-kind Exploit Delivery Systems and Services

Traditionally, Web browser attacks have relied on fairly simple exploit code, typically written as scripts within HTML documents. Consequently, Web browser exploits are easy to block. Using standard regular-expression and heuristic-based signature engines, exploit patterns are easily identified, and the attack can be thwarted over the network or at the host.

Unlike self-replicating malware, which must carry with it the means of altering itself, Web exploit developers can host their morphing algorithms and code on the Web server itself and do not need to make that code visible to the victim. Consequently, unlike morphing malware, morphed Web browser exploits do not contain superfluous morphing code, which makes these attacks considerably more difficult to detect.

Welcome to the world of personalized, one-of-a-kind Web browser exploits and the dawn of x-morphic exploitation.
The Vishing Guide
A close look at voice phishing

Many of today's widespread threats rely heavily on social engineering (techniques used to manipulate people into performing actions or divulging confidential information) to leverage and exploit technology weaknesses. For example, "phishing" is perhaps the most commonly exploited threat currently plaguing the Internet and its users. At one point, phishing referred exclusively to the use of e-mail to deliver messages whose purpose was to persuade recipients to visit a fake Web site designed to steal authentication details.

Phishing has increasingly developed into a broader category of threats that rely on social engineering to cause a message recipient to perform auxiliary activities that enable the phisher to conduct the second phase of the attack. Phishers rely on numerous Internet messaging systems to propagate their attacks. As such, many similar-sounding threats have been named based on the messaging system being used, each with its own nuances and target audiences.
The Pharming Guide
Exploiting well-known flaws in DNS services and the way in which host names are resolved to IP addresses, Phishers have upped the ante in the cyber war for control of a customer's online identity for financial gain.

A grouping of attack vectors now referred to as "Pharming" affects the fundamental way in which a customer's computer locates and connects to an organisation's online offering. Enabling the Pharmer to reach wider audiences with less probability of detection than their Phishing counterparts, pharming attacks are capable of defeating many of the latest defensive strategies used by customer and online retailer alike.

This paper, extending the original material of "The Phishing Guide", examines in depth the workings of the name services upon which Internet-based customers depend, and how they can be exploited by Pharmers to conduct identity theft and financial fraud on a massive scale.

Part (1) - How DNS works and what is "Pharming"
Part (2) - The attacks and the protection
The Phishing Guide
Understanding and Preventing Phishing Attacks

Phishing is the new 21st century crime. The global media runs stories on an almost daily basis covering the latest organisation to have their customers targeted and how many victims succumbed to the attack. While the Phishers develop evermore sophisticated attack vectors, businesses flounder to protect their customers' personal data and look to external experts for improving email security. Customers too have become wary of "official" email, and organisations struggle to instil confidence in their communications.

While various governments and industry groups battle their way in preventing Spam, organisations can in the meantime take a proactive approach in combating the phishing threat. By understanding the tools and techniques used by professional criminals, and analysing flaws in their own perimeter security or applications, organisations can prevent many of the most popular and successful phishing attack vectors.

This paper covers the technologies and security flaws Phishers exploit to conduct their attacks, and provides detailed vendor-neutral advice on what organisations can do to prevent future attacks. Security professionals and customers can use this comprehensive analysis to arm themselves against the next phishing scam to reach their in-tray. [Part 1] & [Part 2]
Stopping Automated Attack Tools
An analysis of web-based application techniques capable of defending against current and future automated attack tools

For an increasing number of organisations, their web-based applications and content delivery platforms represent some of their most prized and publicly visible business assets. Whether they are used to provide interactive customer services, vital client-server operations, or just to act as informational references, these assets are vulnerable to an increasing number of automated attack vectors - largely due to limitations within the core protocols and insecure application development techniques.

As these web-based applications become larger and more sophisticated, the probability of security flaws or vulnerabilities being incorporated into new developments has increased substantially. In fact, most security-conscious organisations now realise that their web-based applications are the largest single source of exploitable vulnerabilities.
Anti Brute Force Resource Metering
Helping to Restrict Web-based Application Brute Force Guessing Attacks through Resource Metering

For most web-based applications that require customers to uniquely identify themselves prior to granting access to key functional aspects of the online system, a solid and reliable authentication process is the primary security barrier. When these applications are providing online services to a large and/or diverse customer base, the authentication process must be able to withstand an increasing number of malicious attack vectors. Poorly designed or implemented authentication processes are easily exposed and as a consequence are likely to result in subsequent exploitation, resulting in an increase in adverse public scrutiny and a concomitant decrease in customer confidence.
Security Best Practice - Host Naming and URL Conventions
Security Considerations for Web-based Applications

From an attacker's perspective, the method by which an organisation names their Internet-visible hosts or references web-application URLs can often be abused to make for a more successful attack. Due to a lack of insight or understanding of current attack vectors, many organisations are failing to follow best security practices in their host naming and linking conventions - thereby unwittingly aiding their attackers.

In the last 5 years, organisations have seen a phenomenal year-on-year increase in the number and sophistication of the vectors used by malicious attackers to target their customers or clients. Ranging from social engineering through to URL obfuscation and domain hijacking, attackers are abusing poorly thought out and implemented host naming and URL referencing conventions. For example, attacks such as Phishing often make use of confusing host names to dupe customers by directing them to web applications designed to impersonate a legitimate site - once the customer hits the fake site, their authentication credentials are recorded for later use in financial fraud or identity theft.

By following a few simple best practices, organisations can easily strengthen the security of their environments against many of these attacks and make it much more difficult for an attacker to confuse customers or clients.
Second-order Code Injection
Advanced Code Injection Techniques and Testing Procedures

Many forms of code injection (for instance cross-site scripting and SQL injection) rely upon the instantaneous execution of the embedded code to carry out the attack (e.g. stealing a user's current session information or executing a modified SQL query). In some cases it may be possible for an attacker to inject their malicious code into a data storage area that may be executed at a later date or time. Depending upon the nature of the application and the way the malicious data is stored or rendered, the attacker may be able to conduct a second-order code injection attack. A second-order code injection attack can be classified as the process in which malicious code is injected into an application and not immediately executed, but instead is stored by the application (e.g. temporarily cached, logged, stored in a database) and then later retrieved, rendered and executed by the victim.
Mail Non-delivery Notice Attacks

Analysis of e-mail non-delivery receipt handling by live Internet-bound e-mail servers has revealed a common implementation fault that could form the basis of a new range of DoS attacks. Our research in the field of email delivery revealed that mail servers may respond to mail delivery failure with as many non-delivery reports as there are undeliverable Cc: and Bcc: addresses contained in the original e-mail. Non-delivery notification e-mails generated by these systems often include a full copy of the original e-mail sent in addition to any original file attachments. This behaviour allows malicious users to leverage these mail server implementations as force multipliers and flood any target e-mail system or account.
Instant Messenger Security
Securing against the "threat" of instant messengers

Digital communications within business are currently undergoing a change similar to those of the early 1990s as organisations moved en masse to relying upon email services as the primary communications medium. Just a decade later, organisations are now facing the necessity of implementing and managing real-time digital communication between both their staff and their customers. Business now demands the ability to communicate through brief messages to people who are online at the same time. Instant Messenger (IM) services fill the niche between a phone call and an email. While email is ideal for non-synchronised communications, IM offers the ability to identify people who are online at the same time and exchange information in near real-time.
Passive Information Gathering
The Analysis of Leaked Network Security Information

Most organisations are familiar with Penetration Testing (often abbreviated to "pentesting") and other ethical hacking techniques as a means to understanding the current security status of their information system assets. Consequently, much of the focus of research, discussion, and practice has traditionally been placed upon active probing and exploitation of security vulnerabilities. Since this type of active probing involves interacting with the target, it is often easily identifiable with the analysis of firewall and intrusion detection/prevention device (IDS or IPS) log files.

Very little information has been publicly discussed about arguably one of the least understood, and most significant, stages of penetration testing - the process of Passive Information Gathering. This technical paper reviews the processes and techniques related to the discovery of leaked information. It also includes details on both the significance of the leaked information, and steps organisations should take to halt or limit their exposure to this threat.
Application Assessment Questioning
What should a consultant be looking for when conducting an application assessment?

Custom Application Assessment
Application security assessment is a unique area of assessment and penetration testing. Unlike infrastructure-based assessments, the methodology utilised by a security professional for identifying security vulnerabilities and significant issues is highly dependent upon the type of application being assessed. Although several high-level methodologies do exist (and some guides can indeed be quite comprehensive), they are often not generic or versatile enough to cope with the wide variety of custom applications commonly encountered. Many methodologies used by professional security assessment organisations are in fact highly guarded.
Web Based Session Management
Best practices in managing HTTP-based client sessions

The stateless nature of HTTP requires organisations and solution developers to find other methods of uniquely tracking a visitor through a web-based application. Various methods of managing a visitor's session have been proposed and used, but the most popular method is through the use of unique session IDs. Unfortunately, in too many cases organisations have incorrectly applied session ID management techniques that have left their "secure" application open to abuse and possible hijacking. This document reviews the common assumptions and flaws organisations have made and proposes methods to make their session management more secure and robust.
HTML Code Injection and Cross-site Scripting
Understanding the cause and effect of CSS (XSS) Vulnerabilities

As web-based applications have become more sophisticated, the types of vulnerabilities attackers are capable of exploiting have rapidly increased. A particular class of attacks commonly referred to as "code insertion" and often "Cross-Site Scripting" has become increasingly popular. Unfortunately, the number of applications vulnerable to these attacks is staggering, and the variety of ways attackers are finding to successfully exploit them is on the increase. Analysis of many sites has indicated that not only are the majority of sites vulnerable, but they are vulnerable to many different methods and much of their content is affected.
Securing WLAN Technologies
Secure Configuration Advice on Wireless Network Setup

In recent years, there have been a number of substantial developments in the acceptance and functionality of wireless networks. Contemporary organisations are finding their workforce increasingly more mobile, often equipped with notebook computers and spending more of their productive time working away from the standard office-desk or personal-computer environment. Wireless networks support mobile workers by providing the required freedom in their network access. Workers can thus access networked resources from any point within range of a wireless access point. For IT managers, the combination of lowering wireless hardware costs and the ease of implementation into diverse office environments means that wireless deployment is actively promoted, for it provides the combination of wired network throughput with mobile access and configuration flexibility.
Custom HTML Authentication
Best Practices on Securing Custom HTML Authentication Procedures

Interactive web-based applications now form an important part of the e-business world. There is great pressure on organisations to make available many of their services through the Internet to their end clients, business partners, and own employees. Many of these new online services require end users to positively identify themselves to the application and actively work to ensure the information and level of access is appropriate for the authenticated user. While many methods are available to an organisation seeking to implement an authentication method for their Internet service, the majority have chosen to do so through HTML form submission over HTTP. Although they tend to understand the threats to their hosting environment from attackers, and actively test and patch the hosts against publicly disclosed vulnerabilities, very often the security fails at the implementation of their custom authentication procedure. Organisations must now ensure that adequate secure procedures are implemented within the custom application, particularly the authentication process and the associated management of session state.
Assessing Your Security
Advice on Assessing your IT Security Posture

Most people will agree that Information Technology (IT) is changing or altering business processes and work environments at a dizzying pace. Unfortunately for those responsible for maintaining the security posture of these processes and environments, security changes faster. Organisations often fail to realise that even if the technologies, operating systems and environments were to remain static, the mechanisms required to secure those systems against the latest threats would continue to adapt and force change. It doesn't take too much effort to find news articles of the latest computer virus to circulate the world, the number of new vulnerabilities discovered last month, or the critical fixes for your operating systems that need applying today. However, it does take a substantial amount of time for an organisation to develop the security mechanisms to help protect against both last month's and next month's threat.
Application Security Assessments
Advice on Assessing your Custom Application

For many organisations, their internal security professionals are adept at finding and responding to information about the latest vulnerabilities and threats to the software employed within business critical systems under their supervision. There are a great many security resources available, online and printed, ready to help explain and address potential vulnerabilities with the most common commercial software products. However, there exist two problems for those responsible for the security and integrity of your systems. Firstly, the "hit or miss" disclosure of vulnerabilities in commercial software, and secondly, how do you identify or address potential vulnerabilities in the custom (in-house developed) application that connects and runs atop the commercial software?
URL Embedded Attacks
Attacks Using the common web browser

A popular misconception is that web hacking and defacement is difficult, often requiring detailed technical knowledge and specialist tools. Unfortunately, one of the best tools in a hacker's arsenal is the common web browser. Using Microsoft's Internet Explorer or Netscape's Communicator, it is possible to identify and exploit many common vulnerabilities in both the remote web server's hosting software and the site content, through simple URL editing. Over the last few years, the number of vulnerabilities and security flaws directly exploitable through this type of attack has increased phenomenally, primarily due to application developers failing to adequately check and decode the received client data.