Thursday, May 31, 2012

How to protect against Flame Malware

Till now no security vendor has been able to come up with an antidote for the dreaded "Flame" virus. Iran has claimed to have devised a fix for it, but has not publicly released it. And considering the complexity of this malware, it will take a long time before the virus and its effects are thoroughly checked and a fix is publicly released.


However, we can take precautionary measures to keep ourselves safe. The basis of a secure environment is a layered approach to security: secure the Perimeter, the Core and the Endpoints.

Your perimeter is usually secured by a firewall, and we need to make sure that its policies are robust enough to check any brute force attacks from the Net; if it is a UTM, make sure to deploy its security features like IPS, GAV, Anti Spam, Application security control, DLP, etc.

What you really need to worry about is securing your application environment and the server farm, because once the Flame virus infects an entity it will eventually wipe out all your data and make the storage inaccessible and irretrievable. For this, the best bet is to have a Web Application Firewall reside just outside your server farm; it might not detect the Flame virus itself, but it will be able to catch the behaviour, as it would be intrusive in nature and pretty similar to any bot mechanism.

We also need to keep in mind that the reason why this virus is complex is its usage of a wide array of stealth mechanisms and the diversity in the scope of its attack. Also, this virus typically resides on your endpoints and does the maximum damage from your internal resources by spying, collecting data and sending it to rogue elements on the internet. Hence, firstly, it would be best to deploy a DLP solution so that unauthorized access to your file system or database can be prevented. Secondly, deploy a host AV/anti-spyware solution to at least mitigate any rogue connections and transfers to the internet and LAN. Thirdly, educate your users on desisting from accessing any dubious websites on the net, and create awareness on healthy usage of their resources. Make sure that any suspected automated actions performed on their PC/laptop or server are notified immediately; these can be monitored under the event manager or by digging deeper with applications like Wireshark.
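The post's last point, watching the endpoints for rogue transfers out to the internet, is the kind of thing a simple pass over proxy or firewall logs can surface. The Python below is an added example, not part of the original post: it parses a few constructed outbound-traffic log lines, sums the bytes each endpoint sends to destinations outside a known-good list, and flags totals above a threshold. The log format, host names, addresses and the allowlist are all assumptions made up for the illustration.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not real data); one record per outbound flow.
# The "src=... dst=... bytes_out=..." layout is an assumed format for this example.
SAMPLE_LOG = """\
2012-05-30T09:00:01 src=pc-finance-01 dst=mail.corp.example bytes_out=15240
2012-05-30T09:00:07 src=pc-hr-03 dst=updates.vendor.example bytes_out=204800
2012-05-30T09:01:13 src=pc-finance-01 dst=203.0.113.45 bytes_out=5242880
2012-05-30T09:02:44 src=pc-finance-01 dst=203.0.113.45 bytes_out=7340032
2012-05-30T09:03:02 src=pc-hr-03 dst=mail.corp.example bytes_out=8192
2012-05-30T09:04:10 src=srv-db-01 dst=198.51.100.9 bytes_out=1048576
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) bytes_out=(?P<bytes>\d+)$"
)

# Destinations the business knowingly talks to (assumed allowlist for the example).
KNOWN_DESTINATIONS = {"mail.corp.example", "updates.vendor.example"}


def parse_log(text):
    """Turn raw log text into (timestamp, src, dst, bytes) tuples; skip malformed lines."""
    events = []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            events.append((match["ts"], match["src"], match["dst"], int(match["bytes"])))
    return events


def flag_exfiltration(events, threshold_bytes=1_000_000):
    """Sum outbound bytes per (src, dst) to unknown destinations; return those over the threshold."""
    totals = defaultdict(int)
    for _, src, dst, nbytes in events:
        if dst not in KNOWN_DESTINATIONS:
            totals[(src, dst)] += nbytes
    return sorted(
        (src, dst, total)
        for (src, dst), total in totals.items()
        if total >= threshold_bytes
    )


if __name__ == "__main__":
    for src, dst, total in flag_exfiltration(parse_log(SAMPLE_LOG)):
        print("REVIEW: %s sent %d bytes to unknown destination %s" % (src, total, dst))
```

On the sample above this reports the finance PC pushing about 12 MB to an unknown address and the database server sending 1 MB to another. Volume to an unknown host is only a prompt for a human to look, not proof of infection, so in practice the threshold and the allowlist are tuned against what normal traffic looks like on your own network.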

Wednesday, May 30, 2012

"Flame" virus strikes!!

The biggest cyber espionage operation yet was detected hitting the Middle East and Iran yesterday. Kaspersky has termed it one of the most sophisticated data-stealing cyber weapons lurking today, and an even more destructive threat than the feared "Stuxnet" and "Duqu" viruses. The Flame virus is far more advanced in complexity; in terms of size it is over 20 megabytes, and it will ideally take over a year for a complete analysis of this malware program.

It is also quite unique in the way it steals information, and many different types of information can be stolen with this spyware tool. It can record audio if a microphone is attached to the infected system (it activates the microphone automatically), and it can take screen captures and transmit visual data. It can steal information from input boxes even when the contents are hidden behind asterisks, such as password fields. It can also scan for locally visible Bluetooth devices if a Bluetooth adapter is attached to the local system. Flame is the third major cyber weapon discovered in the past two years, and Kaspersky's conclusion that it was crafted at the behest of a national government has fuelled speculation that the virus could be part of an Israeli-backed campaign of electronic sabotage aimed at arch-rival Iran.

Although their code is different, Kaspersky states there is some evidence to suggest that the people behind Flame also helped craft Stuxnet, a notorious virus that disrupted the controls of some nuclear centrifuges in Iran in 2010. Flame has so far attacked hundreds of computers and wiped their hard drives, making the systems unbootable. Kaspersky chanced upon the Flame virus while investigating dubious malware attacks in the Middle East region at the behest of the UN. Kaspersky has also confirmed that this virus may have been stealing data and wreaking havoc for almost a year now.

OWASP...who? and the top 10

The Open Web Application Security Project (OWASP) is a worldwide not-for-profit charitable organization focused on improving the security of software. Their mission is to make software security visible, so that individuals and organizations worldwide can make informed decisions about true software security risks.

What are application security risks?

Attackers can potentially use many different paths through your application to do harm to your business or organization. Each of these paths represents a risk that may, or may not, be serious enough to warrant attention.
Sometimes, these paths are trivial to find and exploit and sometimes they are extremely difficult. Similarly, the harm that is caused may range from nothing, all the way through putting you out of business. To determine the risk to your organization, you can evaluate the likelihood associated with each threat agent, attack vector, and security weakness and combine it with an estimate of the technical and business impact to your organization. Together, these factors determine the overall risk.

OWASP Top 10 Application Security Risks

OWASP provides a risk-focused list of the Top 10 Most Critical Web Application Security Risks. The OWASP Top 10 has always been about risk: the primary aim of the OWASP Top 10 is to educate developers, designers, architects, managers, and organizations about the consequences of the most important web application security weaknesses. The Top 10 provides basic techniques to protect against these high-risk problem areas and also provides guidance on where to go from here.

What do they mean?


A1 - Injection: Injection flaws, such as SQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker's hostile data can trick the interpreter into executing unintended commands or accessing unauthorized data.
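To make the "untrusted data sent to an interpreter" point concrete, here is an added Python example (not OWASP's code or the blog's) that builds an in-memory SQLite table with constructed rows and looks a user up two ways: by pasting the name into the SQL string, and by passing it as a bound parameter. The table, names and the hostile input value are assumptions made up for the demonstration.

```python
import sqlite3


def make_db():
    """Create a throwaway in-memory database with constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, name):
    # The caller's string becomes part of the SQL text, so the database engine
    # cannot tell where the query ends and the data begins.
    query = "SELECT name, role FROM users WHERE name = '%s'" % name
    return conn.execute(query).fetchall()


def lookup_safe(conn, name):
    # Parameterised query: the value travels separately from the SQL text and is
    # only ever treated as data, whatever characters it contains.
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


def demo():
    """Run both lookups against the same hostile input and return the results."""
    conn = make_db()
    hostile = "x' OR '1'='1"   # constructed input that changes the query's meaning
    return {
        "vulnerable": lookup_vulnerable(conn, hostile),
        "safe": lookup_safe(conn, hostile),
        "safe_normal": lookup_safe(conn, "bob"),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(label, rows)
```

The string-built version answers the hostile input with every row in the table; the parameterised version returns nothing for it and still finds "bob" normally. The same rule (keep data out of the command text; use the interpreter's own binding mechanism) is what protects against the OS and LDAP variants too.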

A2 - Cross-Site Scripting (XSS): XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation and escaping. XSS allows attackers to execute scripts in the victim's browser, which can hijack user sessions, deface web sites, or redirect the user to malicious sites.
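The "proper escaping" half of that definition is easy to see in code. This is an added Python example, not from the blog or OWASP, rendering a user comment into HTML with and without escaping, plus an attribute-context case; the page fragments and the sample input are constructed for the illustration, and the functions are hypothetical names.

```python
import html


def render_comment_vulnerable(user_text):
    # Untrusted text dropped straight into the page: any markup in it becomes part
    # of the document, and any script in it runs in every viewer's browser.
    return '<div class="comment">%s</div>' % user_text


def render_comment_safe(user_text):
    # Escape for the HTML text-node context: < > & " ' are turned into entities,
    # so the browser displays the characters instead of interpreting them.
    return '<div class="comment">%s</div>' % html.escape(user_text, quote=True)


def render_search_box_safe(query):
    # Attribute context: quote=True is what stops a " in the input from closing
    # the value attribute and starting a new one.
    return '<input type="text" name="q" value="%s">' % html.escape(query, quote=True)


def raw_tags_survived(rendered, user_text):
    """True if a '<' from the user's input reached the output unescaped."""
    return "<" in user_text and ("<" + user_text[1:].split("<")[0]) in rendered


if __name__ == "__main__":
    sample = "<script>alert('xss')</script>"   # constructed test input
    print(render_comment_vulnerable(sample))
    print(render_comment_safe(sample))
    print(render_search_box_safe('" onmouseover="alert(1)'))
```

Escaping has to match the context the data lands in: `html.escape` covers text nodes and quoted attributes, but data placed inside a URL, a JavaScript block or a CSS rule needs that context's own encoding, which is why template engines that escape by default are the usual recommendation.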

A3 - Broken Authentication and Session Management: Application functions related to authentication and session management are often not implemented correctly, allowing attackers to compromise passwords, keys, session tokens, or exploit other implementation flaws to assume other users' identities.

A4 - Insecure Direct Object References: A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or database key. Without an access control check or other protection, attackers can manipulate these references to access unauthorized data.

A5 - Cross-Site Request Forgery (CSRF): A CSRF attack forces a logged-on victim's browser to send a forged HTTP request, including the victim's session cookie and any other automatically included authentication information, to a vulnerable web application. This allows the attacker to force the victim's browser to generate requests the vulnerable application thinks are legitimate requests from the victim.
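Because the browser attaches the session cookie to every request automatically, the cookie alone cannot prove that the user meant to submit a form. The standard defence is a secret token that only the application's own pages can include. The following is an added Python example (not from the blog or OWASP) of a session-bound CSRF token: the request shape, session id, form fields and the transfer handler are all constructed for the illustration.

```python
import hashlib
import hmac
import secrets

# Per-application signing key, generated at start-up (constructed for the example).
APP_KEY = secrets.token_bytes(32)


def issue_csrf_token(session_id):
    """Derive a token bound to this session; embed it in every state-changing form."""
    return hmac.new(APP_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def verify_csrf_token(session_id, token):
    """Constant-time comparison against the token this session should carry."""
    if not token:
        return False
    return hmac.compare_digest(issue_csrf_token(session_id), token)


def handle_transfer(request):
    """Assumed request shape: {'cookies': {...}, 'form': {...}}. Returns the outcome."""
    session_id = request["cookies"].get("session")
    if session_id is None:
        return "unauthenticated"
    # The cookie arrived automatically, so it says nothing about who built the
    # request. A page from another origin cannot read our token, so a request
    # that lacks the right token did not come from our own form.
    if not verify_csrf_token(session_id, request["form"].get("csrf_token", "")):
        return "rejected: missing or invalid CSRF token"
    return "transferred %s to %s" % (request["form"]["amount"], request["form"]["to"])


def demo():
    """A genuine form submission and a forged one carrying the same cookie."""
    session = "sess-7f3a"   # constructed session identifier
    legit = {
        "cookies": {"session": session},
        "form": {"to": "savings", "amount": "100",
                 "csrf_token": issue_csrf_token(session)},
    }
    forged = {
        "cookies": {"session": session},   # browser sent the cookie anyway
        "form": {"to": "elsewhere", "amount": "100"},   # but no token
    }
    return handle_transfer(legit), handle_transfer(forged)


if __name__ == "__main__":
    print(demo())
```

Binding the token to the session (rather than using one global value) means a token captured from one session is useless in another, and deriving it with an HMAC avoids having to store a token per session on the server.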

A6 - Security Misconfiguration: Good security requires having a secure configuration defined and deployed for the application, frameworks, application server, web server, database server, and platform. All these settings should be defined, implemented, and maintained, as many are not shipped with secure defaults. This includes keeping all software up to date, including all code libraries used by the application.

A7 - Insecure Cryptographic Storage: Many web applications do not properly protect sensitive data, such as credit cards, SSNs, and authentication credentials, with appropriate encryption or hashing. Attackers may steal or modify such weakly protected data to conduct identity theft, credit card fraud, or other crimes.
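For the authentication-credentials case, "appropriate hashing" means a salted, deliberately slow password hash rather than a bare fast digest. This added Python example (not the blog's or OWASP's code) contrasts an unsalted MD5 of the password with a PBKDF2-SHA256 hash stored alongside its salt and iteration count; the storage format string is an assumption chosen for the illustration.

```python
import hashlib
import hmac
import os


def hash_weak(password):
    # Unsalted fast digest: two users with the same password get the same value,
    # and precomputed tables or brute force recover it quickly.
    return hashlib.md5(password.encode()).hexdigest()


def hash_password(password, iterations=100_000):
    """Return a self-describing record: algorithm$iterations$salt$derived_key."""
    salt = os.urandom(16)                      # fresh random salt per password
    derived = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), derived.hex())


def verify_password(password, stored):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        algo, iterations, salt_hex, key_hex = stored.split("$")
        if algo != "pbkdf2_sha256":
            return False
        derived = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
        )
    except ValueError:
        return False                           # malformed record, never a match
    return hmac.compare_digest(derived.hex(), key_hex)


if __name__ == "__main__":
    print("weak, two users, same password:", hash_weak("hunter2") == hash_weak("hunter2"))
    record = hash_password("hunter2")
    print(record)
    print("verify correct:", verify_password("hunter2", record))
    print("verify wrong:  ", verify_password("hunter3", record))
```

Because the iteration count is stored with each record, it can be raised for new passwords as hardware gets faster while old records still verify; the salt ensures that identical passwords produce different records, so a leaked table cannot be attacked all at once with one precomputed lookup.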

A8 - Failure to Restrict URL Access: Many web applications check URL access rights before rendering protected links and buttons. However, applications need to perform similar access control checks each time these pages are accessed, or attackers will be able to forge URLs to access these hidden pages anyway.
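A4 and A8 are two faces of the same missing check: a record id or a page URL that the server trusts just because the client supplied it. This added Python example (not from the blog or OWASP) shows an object lookup with and without an ownership check, and a per-request route authorization table that denies anything not explicitly listed. The invoice data, user names, routes and roles are constructed for the illustration.

```python
from dataclasses import dataclass


class Forbidden(Exception):
    """Raised when the caller may not access the requested object or route."""


@dataclass(frozen=True)
class Invoice:
    id: int
    owner: str
    amount: int


# Constructed sample records for the example.
INVOICES = {
    101: Invoice(101, "alice", 250),
    102: Invoice(102, "bob", 900),
}


def get_invoice_vulnerable(invoice_id, current_user):
    # A4: the client-supplied key is used directly and current_user is never
    # consulted, so changing the id in the URL reads another user's invoice.
    return INVOICES[invoice_id]


def get_invoice_safe(invoice_id, current_user):
    # A4 fix: resolve the reference, then check ownership before returning it.
    invoice = INVOICES.get(invoice_id)
    if invoice is None or invoice.owner != current_user:
        raise Forbidden(invoice_id)     # same outcome for "missing" and "not yours"
    return invoice


def can_read_invoice(invoice_id, current_user):
    """Boolean wrapper around get_invoice_safe for callers that just want yes/no."""
    try:
        get_invoice_safe(invoice_id, current_user)
        return True
    except Forbidden:
        return False


# A8: which roles may reach each route. This is consulted on every request,
# not only when deciding whether to draw a link to the page.
ROUTE_ROLES = {
    "/home": {"user", "auditor", "admin"},
    "/reports": {"auditor", "admin"},
    "/admin/users": {"admin"},
}


def authorize_route(path, role):
    """Deny by default: an unlisted path is refused even for an admin."""
    allowed = ROUTE_ROLES.get(path)
    return allowed is not None and role in allowed


if __name__ == "__main__":
    print("vulnerable lookup leaks:", get_invoice_vulnerable(102, "alice").owner)
    print("safe lookup for owner:", can_read_invoice(101, "alice"))
    print("safe lookup for other user:", can_read_invoice(102, "alice"))
    print("user reaching /admin/users:", authorize_route("/admin/users", "user"))
```

Returning one uniform refusal for "does not exist" and "belongs to someone else" stops the endpoint from doubling as an oracle for which ids are valid, and a deny-by-default route table means a page that was never registered is not reachable merely because nobody thought to protect it.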

A9 - Insufficient Transport Layer Protection: Applications frequently fail to authenticate, encrypt, and protect the confidentiality and integrity of sensitive network traffic. When they do, they sometimes support weak algorithms, use expired or invalid certificates, or do not use them correctly.

A10 - Unvalidated Redirects and Forwards: Web applications frequently redirect and forward users to other pages and websites, and use untrusted data to determine the destination pages. Without proper validation, attackers can redirect victims to phishing or malware sites, or use forwards to access unauthorized pages.
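The usual shape of this flaw is a "next" or "return" parameter that the application passes straight into a Location header after login. This added Python example (not the blog's or OWASP's code) validates such a parameter against an allowlist of the application's own hosts and falls back to a default for anything else; the host names and the inputs exercised are constructed for the illustration, and it deliberately rejects the odd forms (scheme-relative `//host`, backslashes, `https:/host`) that browsers interpret differently from a naive check.

```python
from urllib.parse import urlparse

# Hosts this application is willing to send the user to (assumed allowlist).
ALLOWED_HOSTS = {"example.com", "www.example.com"}


def safe_redirect_target(next_url, default="/"):
    """Return next_url if it stays on our own site, otherwise the default page."""
    if not next_url:
        return default
    next_url = next_url.strip()
    # Scheme-relative URLs (//host/...) and backslashes, which some browsers treat
    # as slashes, are easy ways to smuggle a foreign host past a prefix check.
    if next_url.startswith("//") or "\\" in next_url:
        return default
    parsed = urlparse(next_url)
    if parsed.scheme:
        # Absolute URL: only http(s), and only to a host on the allowlist.
        # urlparse gives hostname=None for forms like "https:/evil", which is
        # why the empty-string fallback is compared against the allowlist too.
        host = (parsed.hostname or "").lower()
        if parsed.scheme.lower() not in ("http", "https") or host not in ALLOWED_HOSTS:
            return default
        return next_url
    # No scheme: accept only a site-relative path starting with a single slash.
    if parsed.netloc or not parsed.path.startswith("/"):
        return default
    return next_url


if __name__ == "__main__":
    for candidate in ["/account", "https://www.example.com/help",
                      "//evil.example/phish", "https://evil.example/",
                      "javascript:alert(1)", "https://example.com@evil.example/"]:
        print("%-40s -> %s" % (candidate, safe_redirect_target(candidate)))
```

The allowlist approach is preferred over trying to enumerate bad patterns: anything the function cannot positively identify as one of its own pages goes to the default, so new parsing tricks fail closed rather than open.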