Application Research Center

The Application Research Center is where you will find the most accurate and up-to-date information on the rapidly evolving application and threat landscape. Our Application and Threat Research Teams are dedicated to keeping you up-to-date on the applications and threats that are traversing your network. Find out about threat advisories and summaries of vulnerability exploits in the wild. Browse the latest news on applications and threats or search the Applipedia to learn more about a specific application.

New Conficker Variants
Tuesday, 24 March 2009
Conficker is back in the news as there are reports of new variants popping up. I'm sure that you've all heard the news and hype about how many endpoints Conficker has infected, and even more speculation on what the bot herder will do with the massive botnet. Here's some background info on Conficker and what we can do to stop it:

Conficker (aka Downadup) is a computer worm that targets the Microsoft Windows operating system. It exploits a known buffer overflow vulnerability (MS08-067) in the Windows Server service used by Windows 2000, Windows XP, Windows Vista, Windows Server 2003, Windows Server 2008, and the Windows 7 Beta, sending a specially crafted RPC request to execute code on the target computer.

When executed on a computer, Conficker disables a number of system services such as Windows Automatic Update, Windows Security Center, Windows Defender and Windows Error Reporting. It then receives further instructions by connecting to a server; those instructions may tell it to propagate, gather personal information, or download and install additional malware onto the victim's computer. The worm also attaches itself to certain Windows processes such as svchost.exe, explorer.exe and services.exe.
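One host-side check that follows from the behaviour described above: if several of the protective services the worm disables are stopped at the same time on one machine, that machine deserves a closer look. The script below is an added example, not code from the original post or from Palo Alto Networks; it parses output in the format of `sc query state= all` (a constructed sample is embedded) and flags hosts where the watched services are not running. The service short names are an assumption for XP/Vista-era Windows.

```python
import re
import subprocess
import sys

# Services the post says Conficker disables.  The short names are an
# assumption for XP/Vista-era Windows (wuauserv = Automatic Updates,
# wscsvc = Security Center, WinDefend = Windows Defender, ERSvc/WerSvc =
# Error Reporting); adjust them to the Windows build being checked.
WATCHED_SERVICES = {
    "wuauserv": "Windows Automatic Update",
    "wscsvc": "Windows Security Center",
    "WinDefend": "Windows Defender",
    "ERSvc": "Windows Error Reporting",
    "WerSvc": "Windows Error Reporting",
}

SERVICE_RE = re.compile(r"^\s*SERVICE_NAME:\s*(\S+)")
STATE_RE = re.compile(r"^\s*STATE\s*:\s*\d+\s+(\w+)")


def parse_sc_query(text):
    """Map service short name -> state word from `sc query state= all` style output."""
    states = {}
    current = None
    for line in text.splitlines():
        m = SERVICE_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = STATE_RE.match(line)
        if m and current is not None:
            states[current] = m.group(1)
            current = None
    return states


def disabled_watched_services(states):
    """Watched services that exist on the host but are not RUNNING."""
    hits = []
    for name, desc in WATCHED_SERVICES.items():
        state = states.get(name)
        if state is not None and state != "RUNNING":
            hits.append((name, desc, state))
    return sorted(hits)


def looks_like_conficker_host(text, threshold=3):
    """Heuristic: several protective services stopped at once on one host."""
    return len(disabled_watched_services(parse_sc_query(text))) >= threshold


# Constructed sample output (not captured from a real host).
SAMPLE_SC_QUERY = """\
SERVICE_NAME: wuauserv
DISPLAY_NAME: Automatic Updates
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 1  STOPPED

SERVICE_NAME: wscsvc
DISPLAY_NAME: Security Center
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 1  STOPPED

SERVICE_NAME: WinDefend
DISPLAY_NAME: Windows Defender
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 4  RUNNING

SERVICE_NAME: ERSvc
DISPLAY_NAME: Error Reporting Service
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 1  STOPPED

SERVICE_NAME: Spooler
DISPLAY_NAME: Print Spooler
        TYPE               : 110  WIN32_OWN_PROCESS (interactive)
        STATE              : 4  RUNNING
"""

if __name__ == "__main__":
    # On a real Windows host, read the live service table; elsewhere use the sample.
    if sys.platform == "win32":
        text = subprocess.run(["sc", "query", "state=", "all"],
                              capture_output=True, text=True).stdout
    else:
        text = SAMPLE_SC_QUERY
    for name, desc, state in disabled_watched_services(parse_sc_query(text)):
        print(f"{name:10} {desc:28} {state}")
    print("suspicious:", looks_like_conficker_host(text))
```

A stopped service on its own is weak evidence (an administrator may have disabled Automatic Update deliberately), which is why the heuristic counts how many of the watched services are down rather than alerting on any one of them.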

Palo Alto Networks devices can stop the worm via:

    - Antivirus download signatures
    - Vulnerability protection for MS08-067
    - Phone home signature for infected hosts
Here are some other interesting articles about Conficker:

Tags : threats conficker 
March Madness for IT
Wednesday, 18 March 2009
The official 2009 NCAA basketball tournament bracket is out, and office, friends, and family pools are forming all over the nation. End users everywhere are scoping out what apps and sites they can use to watch live streaming tourney games at work. The NCAA is again streaming every single tourney game live, and this year even has a High Quality ("HQ") option that consumes even MORE bandwidth. They also have a March Madness on Demand (MMOD) iPhone app that streams games live directly to the iPhone.

Both the normal and HQ streaming options make use of Silverlight and ASF streaming, which is a new technique for the 2009 tourney.

Most enterprises are familiar with this time of year and the tourney's impact on their networks. Many organizations will again implement URL filtering policies limiting or banning http://mmod.ncaa.com – which will block traffic to the March Madness on Demand streaming site. The problem that organizations face this year is that users are more savvy than ever, and options to circumvent simple URL filtering policies are legion.

Assuming a simple URL filtering policy to block the http://mmod.ncaa.com URL, users can still watch NCAA tournament games at work using a number of applications that easily bypass enterprise controls:

  • Public proxies (e.g., Hopster, Kproxy)
  • Private proxies (e.g., CGIproxy set up on a broadband connection at home)
  • Tunneling or circumvention applications (e.g., UltraSurf, TOR)
  • Slingbox (connected to the television at home)

If enterprises really do want to get control of this potentially damaging use of bandwidth, in addition to a simple URL filtering block, they should also look at getting control over Silverlight, proxies (both public and private), circumvention applications, and Slingbox traffic. The problem is that enterprises can't do this with traditional security infrastructure.

Palo Alto Networks, with its innovative App-ID technology, can see and control all of the above-mentioned applications and techniques for getting around URL filtering – including proxies, circumvention applications, Slingbox, and Silverlight – by user and or group. Palo Alto Networks next-generation firewalls also provide URL filtering, integrated into the same application- and user-based policies.
Tags : apps streaming 
Marine One Blueprints found on P2P network
Tuesday, 03 March 2009
What's next -- the missile launch codes? While the record industry has targeted universities and student populations in its battle against piracy, P2P use has enjoyed continued success in the business world. The most recent example is the discovery of the blueprints for Marine One, President Obama's helicopter, "in the wild".

This MSNBC article talks about how the Marine One helicopter blueprints, along with the maintenance schedule, were discovered on a P2P network at an Iranian IP address. Apparently the files were exposed by a defense contractor using P2P on their work PC. The blueprint discovery will no doubt garner some very visible press, but it is no less serious than the discovery of many thousands of medical records on P2P networks.

In the case of the health care records discovery, one treasure trove of data included data on 20,000 patients, including names, Social Security numbers, insurance carriers and codes for diagnoses. The codes identified by name four patients infected with AIDS, the mental illnesses that 201 others were diagnosed as having and cancer findings for 326 patients. Data also included links to four major hospitals and 355 insurance carriers that provided health coverage to 4,029 employers and 266 doctors.

The unapproved use of P2P in enterprise and services organizations is common. Palo Alto Networks' own analysis of the traffic flowing across sixty different customers' networks shows that 92% of them have at least one instance of P2P filesharing. In some cases, there were as many as 12 different variants of P2P filesharing found. In all cases, when asked if P2P was allowed, the answer was no.

One of the big reasons that P2P continues to enjoy high usage is that it is capable of evading detection by today's security infrastructure. P2P can bypass security using a number of evasion techniques such as hopping ports, tunneling over HTTP and using encryption. The issue is not whether the IT department wants to block P2P; it is the fact that their tools are incapable of doing so.

Can Palo Alto Networks help these organizations regain control over the use of P2P? Without a doubt the answer is yes, along with all their other application traffic. Here’s how.
  • Say no to P2P: Palo Alto Networks is the only firewall on the market that is capable of identifying and blocking 42 different P2P networks which translates to well over 100 P2P clients. By identifying the P2P network, as opposed to the clients, broader coverage is achieved in the effort to control P2P usage. If User-ID is enabled, the offending users can be notified that they are in violation of policy and appropriate actions taken.

  • Isolate servers that contain sensitive data: Use network segmentation to isolate servers that contain data, applying policies to control both who (users) and what (applications and content) has access to those servers. No firewall can deliver the level of policy-based application visibility and control that we can deliver.

  • Watch for sensitive data: Leveraging our in-depth traffic analysis, we can detect file types and data patterns, including credit card numbers (CC#) and SSNs, traversing the network. If detected, an alert can be sent to an administrator or the traffic can be blocked altogether. So in the medical records case, we could look for SSNs or patient ID numbers. In the case of Marine One, we could look for custom data patterns such as "Confidential" or "Marine One" and alert on or block the traffic.
These are just a few of the things we can do to help businesses regain control over all the applications traversing their networks – including P2P. This is not the first exposure of this type (P2P exposing confidential files) and because of the evasive nature of P2P and its popularity, it certainly won’t be the last. It's time to fix the firewall.
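Two of the points above, identifying P2P by what the traffic is rather than which port it uses, and scanning traffic for sensitive data patterns such as SSNs, card numbers and custom keywords, can be illustrated in a few dozen lines. The block below is an added example and is not Palo Alto Networks' code or a description of how App-ID works: it stands in for a full application identification engine with one real signature (the BitTorrent peer-wire handshake, which begins with the byte 0x13 and the literal "BitTorrent protocol") plus minimal HTTP and TLS heuristics, and runs both a port-based and a payload-based classifier over constructed flow records so the difference is visible. Card candidates are confirmed with the Luhn checksum to keep random digit runs from being flagged.

```python
import re

# --- Application identification: port-based vs payload-based -------------
# The BitTorrent handshake prefix is the real one; the HTTP and TLS checks
# are deliberately minimal stand-ins for a full identification engine.
BT_HANDSHAKE = b"\x13BitTorrent protocol"
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"CONNECT ")


def classify_by_port(dst_port):
    """The traditional firewall view: the destination port names the application."""
    return {80: "web-browsing", 443: "ssl"}.get(dst_port, "unknown")


def classify_by_payload(payload):
    """Port-independent view: the first bytes of the flow name the application."""
    if payload.startswith(BT_HANDSHAKE):
        return "bittorrent"
    if payload.startswith(HTTP_METHODS):
        return "web-browsing"
    if len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03:
        return "ssl"
    return "unknown"


# --- Sensitive data patterns ---------------------------------------------
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
CC_RE = re.compile(r"\b\d(?:[ -]?\d){12,15}\b")          # 13-16 digits, optional separators
CUSTOM_KEYWORDS = ("Confidential", "Marine One")        # custom patterns, as in the post


def plausible_ssn(area, group, serial):
    """Reject structurally impossible SSNs (area 000/666/9xx, group 00, serial 0000)."""
    return (area not in ("000", "666") and area < "900"
            and group != "00" and serial != "0000")


def luhn_ok(digits):
    """Luhn checksum: separates real card numbers from random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_sensitive(text):
    """Return (kind, value) findings for a decoded payload."""
    findings = []
    for m in SSN_RE.finditer(text):
        if plausible_ssn(*m.groups()):
            findings.append(("ssn", m.group(0)))
    for m in CC_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            findings.append(("credit-card", digits))
    for kw in CUSTOM_KEYWORDS:
        if kw in text:
            findings.append(("keyword", kw))
    return findings


def inspect_flows(flows):
    """Classify each flow both ways and scan its payload for sensitive data."""
    report = []
    for src, dst, dst_port, payload in flows:
        report.append({
            "src": src, "dst": dst, "dst_port": dst_port,
            "by_port": classify_by_port(dst_port),
            "by_payload": classify_by_payload(payload),
            "findings": find_sensitive(payload.decode("latin-1")),
        })
    return report


# Constructed sample flows: (src, dst, dst_port, first bytes of payload).
SAMPLE_FLOWS = [
    # ordinary web request; the 16-digit run fails Luhn, so it is not a card number
    ("10.0.0.5", "203.0.113.9", 80,
     b"GET /orders?ref=4111111111111112 HTTP/1.1\r\nHost: shop.example\r\n\r\n"),
    # BitTorrent handshake hopped onto port 80 to look like web traffic
    ("10.0.0.7", "198.51.100.4", 80, BT_HANDSHAKE + b"\x00" * 8 + b"I" * 40),
    # HTTP upload on a non-standard port carrying patient and card data
    ("10.0.0.9", "192.0.2.20", 8080,
     b"POST /upload HTTP/1.1\r\nHost: files.example\r\n\r\n"
     b"Confidential: patient 123-45-6789 billed to card 4111 1111 1111 1111\r\n"),
    # TLS client hello on 443
    ("10.0.0.5", "203.0.113.9", 443, b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1"),
]

if __name__ == "__main__":
    for row in inspect_flows(SAMPLE_FLOWS):
        flag = "  <-- port view wrong" if row["by_port"] != row["by_payload"] else ""
        print(f"{row['src']} -> {row['dst']}:{row['dst_port']} port={row['by_port']} "
              f"payload={row['by_payload']} findings={row['findings']}{flag}")
```

Running it shows the second flow labelled "web-browsing" by port but "bittorrent" by payload, and the third flow, which a port-only policy would call "unknown", carrying an SSN, a Luhn-valid card number and the "Confidential" keyword; the first flow's look-alike digit run is correctly ignored.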
Tags : breach p2p 
We're Gonna Need A Bigger Boat…
Monday, 02 March 2009
Remember the movie Jaws, where Sheriff Brody (Roy Scheider) sees the shark and says "We're gonna need a bigger boat"? Enterprise IT managers might say the same thing when they see Move Networks or Hulu on their network – if in fact they could see them. Problem is, many of these applications use port 80, and possibly HTTP video, which means that they will flow right through every firewall on the market. And they will wave hello and goodbye as they scream past the URL filtering.

These are just a few of the applications that are streaming high definition video nowadays, and other services like YouTube are not far behind. We all know what that means: the threat community will quickly figure out how to deliver the clearest, sharpest, highest quality malware to your network, complete with penetrating Dolby 6.1 surround sound. Are you ready for it?

Click here to view the TechCrunch article.
Tags : apps  