


David Braue
Editor at Large

AusCERT 2013: Users, cats more likely hack culprits than cyber-espionage: Trustwave

May 22, 2013
Data and Information Security | Malware | Security

Organisations convinced they have been the victims of state-sponsored cyberattacks may want to take a deep breath and look at their employees first, one security expert has advised during his address at the AusCERT 2013 security conference.

Although many organisations were succumbing to genuine penetrations by malicious outside hackers, Marc Bown, Asia-Pacific managing consultant for Trustwave's SpiderLabs division, said many smart hackers had stopped trying to weave their way through perimeter defences and simply targeted the soft spot of any organisation: its users.

‘We spend a lot of time and effort in security the front door,’ Bown explained, ‘and in theory it should be pretty difficult for the bad guy to walk in that front door. But users are easy targets; they click on anything that might be a funny video of a cat dancing. And, as it happens, they already have access to the thing [hackers] are targeting anyway.’

Watering-hole attacks have been remarkably successful at infecting large numbers of users, who are targeted because of the legitimate online sites they frequent. And, whether looking for credit-card details or working to build a DDoS botnet, hackers long ago realised that most users' appalling security-updating practices made the humble Web browser the easiest target available.

‘Patch management is a real challenge,’ Bown said. ‘Every week you need to apply another patch to keep the browser up to date; if you have a home environment, each with different plug-ins, it’s a massive challenge to manage.’

‘Hackers know this,’ he continued. ‘They might be looking at a server with 10 vulnerabilities they can try to break in through – or they can try to trick 1000 users that already have access to the data on the internal network. All it takes is one user to click the link, miss the patch, and allow the vulnerabilities.’

It was in the aftermath of such successful hacks that many companies ventured into denial, Bown argued, noting that claims of attacks from foreign interests had become fashionable but that the real reason companies are breached is often simple carelessness.

‘I question whether everything they say is state sponsored, is actually state sponsored,’ he said. ‘It obviously exists – but I always ask customers which is the better story if they go in the paper as having been compromised: that they are so good at security but got compromised by state-sponsored attacks – or that they have pretty crummy security and someone clicked a link of a kitty dancing.’

Trustwave has worked to save users from themselves with what it calls a Malware Entrapment Engine, which uses dynamic code-analysis techniques to analyse embedded code in real time, Trustwave security solutions architect Rahul Samant said. Web pages carrying malicious payloads are picked out based on analysis of the activity leading up to the payload's introduction, not just on the payload itself.

This approach is designed to keep up with self-modifying malware that has proven remarkably adept at evading many anti-malware platforms. By disassembling the code of Web sites that carry malicious content; analysing the individual Flash, HTML, JavaScript and other components; excising the malware; and rebuilding the Web page before it's delivered to users, the company is aiming to protect users from themselves – and from even the most tempting of cat videos.

‘Because we are working at the same level as the browser, we’re able to remove the bad stuff from Web pages and render it again,’ Samant explained. ‘Normally, protection techniques are looking for the eventual payload – but we are focusing on what leads up to the dropping of the payload, and what actually happens to trick the browser into dropping that payload. It’s focused on preventing the attacks from reaching the browser in the first place.’
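To make the decompose-excise-rebuild idea concrete, here is an added example of a gateway-side page rewriter. It is not Trustwave's engine or any code from the article; it is a small stand-alone Python script built on the standard-library HTML parser. It splits a page into its components, judges each inline script by behavioural hints (calls such as eval or unescape and long runs of escaped bytes, rather than a fixed payload signature), drops the scripts that match, and reassembles the page for delivery. The heuristics, the `BEHAVIOUR_HINTS` table and the sample page are all constructed for illustration.

```python
"""Gateway-side HTML rewriter: decompose a page, judge each inline script
by behavioural hints, excise the suspicious ones, rebuild the page.

Hypothetical example; the heuristics below are illustrative, not a
product's detection logic.
"""
import re
from html.parser import HTMLParser

# Behavioural hints in script text (what leads up to a payload, not the
# payload itself). Table is constructed for this example.
BEHAVIOUR_HINTS = {
    "eval": re.compile(r"\beval\s*\("),
    "unescape": re.compile(r"\bunescape\s*\("),
    "fromCharCode": re.compile(r"String\.fromCharCode\s*\("),
    "document.write": re.compile(r"document\.write\s*\("),
    # 16 or more consecutive \xNN or %NN escapes: typical of packed code
    "escaped-byte run": re.compile(r"(?:\\x[0-9a-fA-F]{2}|%[0-9a-fA-F]{2}){16,}"),
}


def suspicious_reasons(script: str) -> list:
    """Return the names of every hint that fires on this script body."""
    return [name for name, pat in BEHAVIOUR_HINTS.items() if pat.search(script)]


class PageRewriter(HTMLParser):
    """Re-emit the page verbatim, except that flagged inline scripts are
    replaced by an HTML comment. Only inline <script> bodies are inspected;
    external scripts and event-handler attributes are passed through
    unchanged (a simplification of this example)."""

    def __init__(self):
        # convert_charrefs=False so entities like &amp; are re-emitted as written
        super().__init__(convert_charrefs=False)
        self.out = []          # rebuilt page fragments
        self.removed = []      # (script body, reasons) for audit logging
        self._in_script = False
        self._script_buf = []
        self._script_tag = ""

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
            self._script_buf = []
            self._script_tag = self.get_starttag_text()
            return
        self.out.append(self.get_starttag_text())

    def handle_startendtag(self, tag, attrs):
        self.out.append(self.get_starttag_text())

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            body = "".join(self._script_buf)
            reasons = suspicious_reasons(body)
            if reasons:
                self.removed.append((body, reasons))
                self.out.append("<!-- script removed by gateway: %s -->" % ", ".join(reasons))
            else:
                self.out.append(self._script_tag + body + "</script>")
            self._in_script = False
            return
        self.out.append("</%s>" % tag)

    def handle_data(self, data):
        (self._script_buf if self._in_script else self.out).append(data)

    def handle_entityref(self, name):
        self.out.append("&%s;" % name)

    def handle_charref(self, name):
        self.out.append("&#%s;" % name)

    def handle_comment(self, data):
        self.out.append("<!--%s-->" % data)

    def handle_decl(self, decl):
        self.out.append("<!%s>" % decl)


def rewrite_page(html: str):
    """Return (rebuilt page, list of removed scripts with reasons)."""
    parser = PageRewriter()
    parser.feed(html)
    parser.close()
    return "".join(parser.out), parser.removed


# Constructed sample page: one benign script, one packed script that
# decodes an escaped blob and evaluates it (no real exploit, just the shape).
SAMPLE_PAGE = r"""<!DOCTYPE html>
<html><head><title>Cat videos</title>
<script>var counter = 0; function bump() { counter += 1; }</script>
</head><body>
<p>Funny cat &amp; friends</p>
<script>var p = "\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50"; eval(p);</script>
<img src="cat.gif" alt="cat"/>
</body></html>"""

if __name__ == "__main__":
    clean, removed = rewrite_page(SAMPLE_PAGE)
    print(clean)
    for body, reasons in removed:
        print("removed script (%s): %s" % (", ".join(reasons), body[:60]))
```

The design choice worth noting is that the rewriter never tries to recognise the final payload; it keys on the preparatory behaviour (decoding and evaluating a blob) and rebuilds the page with that component gone, which is the same layering the article describes. The audit list returned alongside the page is what a gateway would log so that analysts can tune the hints against false positives on legitimately minified code.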
