Predictable Response - SANS Internet Storm Center

Predictable Response
Incident handling and management calls for developing well understood and predictable responses to emergencies or damaging events as they occur. Frequent rehearsal of the response steps makes recovery from an incident faster and usually more successful. But predictive behavior can also be used against us, if an adversary knows (or can predict) what you will do when faced with a series of unfolding events. Some examples from the recent past include Y2K, the various terrorist attacks this decade, and natural disasters like Hurricane Katrina, the Indonesian tsunami, and the recent earthquakes in China. With Y2K, do you remember the wild panic of trying to find Cobol programmers at the last minute who could fix the two-digit date fields? Predictably, a lot of that programming got contracted to outside organizations - a well-trained adversary could have established multiple software companies that could have been used to insert malicious backdoors and booby traps into mainframes, control networks, and other critical computer systems. In the days following Hurricane Katrina's landfall, we predictably saw over a thousand websites get established that offered a mechanism for getting donations to the affected families. All they needed was your credit card number. Yeah, right. Most readers of the SANS Internet Storm Center's diaries know that we've followed nearly all of these events and sometimes we even predicted a few of them ourselves. So now it's time to go out on a limb again. Everybody is aware of the rapid rise in oil futures (the cost per barrel for crude oil), and if you drive a car you feel the result every time you fill up. This morning I saw that the local station near my house had crossed the $4 per gallon threshold overnight. I know that in Europe and Asia, $4 per gallon (that's about 0.67 Euros/Liter) is VERY cheap but it's about twice what we were paying for it this time last year. If gas prices continue to climb at the current rate, they could well double by the end of the year. So, here's the predictable behavior. With gas prices that high, many people will prefer to work from home rather than driving or taking public transportation, thus putting a heavy load on ISPs and the Internet in general due to telecommuting. So, if you were a Bad Guy, how would you take advantage of this predictable behavior? Some ideas some to mind, such as establishing web portals for work collaboration or marketing a new anti-virus solution for protecting home computers used for doing office work. Either of those capabilities would of course include a "value added feature" designed to syphon off sensitive information for criminal or espionage purposes. I'm sure there are many more evil ideas, so if you have any send them this way and we'll add them to the bottom of this diary. UPDATE 1 - Here are a few ideas submitted by readers. Feel free to use the "comment" capability or to send us your ideas via our contact page. Either is fine. Boris offered these thoughts: If I was a bad guy and I wanted to take advantage of then increasing number of people working from home, I would increase the amount of key-logging and screen capture software that I was sending out. Not only would this allow me to gain even deeper access into the compromised local machine through passwords but it would also allow me a unrestricted form of entry into the company's servers and data centres since I would have appropriate passwords and no brute force hacking required. Screen capture software would also allow me to gain access to all kinds of sensitive documents and network plans, all useful for deeper attacks against the main servers of the company. A reader wanting to remain anonymous said: There is already no shortage of people who will nav to a URL that they saw on TV in order to rid their computer of performance robbing mal-crap, without a single thought as to who's "free" scripted ActiveX is being driven down upon them as auto-magical quicksilver. Just who vouches for the ongoing security and iron clad compartmentalization of GoToMyPC and its ilk? I could care less that Citrix is the backend and/or even a financial stake holder. Citrix, in and of itself, is not hack proof. Yet there are plenty of companies whose employees are already using G2MPC, whether or not the company actually knows about it and has officially sanctioned such whiz-bangy remote access "convenience." How many telecommute/work-from-home computers are going to be restricted only for official business use and quarantined from any/all personal use shenanigans??? Major corporations, who are already actively working on pandemic flu business continuity contingencies, may already have a vouched for infrastructure in place, that can sanely deal with any gas price related up tick in telecommuting/work-from-home. How far these measures happen to trickle down to critical suppliers and business partners, who knows??? Iain wrote to say: Here in the UK, GoToMyPC has recently been advertised on TV as a solution to accessing your office PC when at a remote meeting/presentation. Your suggested scenario of more home-working could also be driving this (unusual for the UK) advertising. As a Sysadmin at a SMB, I use variations of VNC (specifically TightVNC) extensively within out network for support purposes. When working from home, I have to use a VPN to get past the firewall before using VNC to access specific machines. A free version of VNC that can connect 2 machines behind different firewalls (in a similar way to Windows Remote Support) would be useful to me. It would probably be usefule to someone planning to work from home as well. Since VNC is open-source, it would be relatively easy for a malicious company to produce such a version containing monitoring components, then advertise it as a free alternative to GoToMyPC. VPNs are another target. My company network hides behind an Exoserver (proprietary FreeBSD firewall device) and a Smoothwall (Linux firewall device). Both of these devices provide VPN solutions allowing me to connect to the company network from home. Smaller business may have nothing more complex than a firewall/router connected to ADSL with no VPN capability. A relatively cheap router could be flashed with new software to provide simple VPN capability, with a side order of backdoor and information siphoning, then marketed as a simple connection solution. This scenario is DEFINITELY possible. I have signed up to a project from Samknows.com to independently monitor UK ADSL ISPs. They provide a Linksys WRT54 variant with custom software that constantly monitors and tests my home ADSL connection. It sits between my ISPs router and the rest of my home network, so it has access to everything that happens on my ADSL connection. I had to decide whether I trusted these people - in the end, participating in this trial is a way to give something back to the community - just like writing this response. Marcus H. Sachs Director, SANS Internet Storm Center	Marcus 301 Posts ISC Handler May 26th 2008
Thread locked Subscribe	May 26th 2008 1 decade ago
Okay, off topic, but in Norway it's $10 per gallon these days. On topic: it provides a rather large attack vector for targeted attacks. Not only of exposed services, but also the fact that home computers aren't as protected nor as controlled as those located at your office. Also, access to systems after midnight will greatly increase the chance of chaos due to a drunk worker logging in (or a just plain tired worker prone to make mistakes).	tyldis 5 Posts
Quote	May 26th 2008 1 decade ago
It's worth noting that split-tunnel VPNs (wherein only corporate address space is routed through the VPN tunnel, and the rest traverses the Internet as usual) pose a subtle but very significant threat. Many teleworkers may be tempted to work and play, so to speak, from the same PC. If compromised, this PC would likely provide a more favorable entry point (via VPN) to the corporate network than would a direct public connection. While it's certainly possible to position teleworker connectivity in parallel with other "outside" connections in a DMZ, probably the most effective solution is to designate a work-only machine, configured to send all traffic through the VPN only.	Anonymous
Quote	May 26th 2008 1 decade ago
For what it's worth, GoToMyPC usage can be blocked by contacting Citrix: https://www.gotomypc.com/pro/help2.tmpl#ys8 The last time I read this, there was a nice form you could fill out with your IP, but perhaps someone realized the potential damage that could be done. Still, at least this particular service can be blocked, as it's really an impolite thing to completely bypass network security. I'm rather skeptical about 'free' services like logmein, especially given that users rarely think about the implications.	Anonymous
Quote	May 28th 2008 1 decade ago

Incident handling and management calls for developing well understood and predictable responses to emergencies or damaging events as they occur. Frequent rehearsal of the response steps makes recovery from an incident faster and usually more successful. But predictive behavior can also be used against us, if an adversary knows (or can predict) what you will do when faced with a series of unfolding events.

Some examples from the recent past include Y2K, the various terrorist attacks this decade, and natural disasters like Hurricane Katrina, the Indonesian tsunami, and the recent earthquakes in China. With Y2K, do you remember the wild panic of trying to find Cobol programmers at the last minute who could fix the two-digit date fields? Predictably, a lot of that programming got contracted to outside organizations - a well-trained adversary could have established multiple software companies that could have been used to insert malicious backdoors and booby traps into mainframes, control networks, and other critical computer systems. In the days following Hurricane Katrina's landfall, we predictably saw over a thousand websites get established that offered a mechanism for getting donations to the affected families. All they needed was your credit card number. Yeah, right.

Most readers of the SANS Internet Storm Center's diaries know that we've followed nearly all of these events and sometimes we even predicted a few of them ourselves. So now it's time to go out on a limb again. Everybody is aware of the rapid rise in oil futures (the cost per barrel for crude oil), and if you drive a car you feel the result every time you fill up. This morning I saw that the local station near my house had crossed the $4 per gallon threshold overnight. I know that in Europe and Asia, $4 per gallon (that's about 0.67 Euros/Liter) is VERY cheap but it's about twice what we were paying for it this time last year. If gas prices continue to climb at the current rate, they could well double by the end of the year. So, here's the predictable behavior. With gas prices that high, many people will prefer to work from home rather than driving or taking public transportation, thus putting a heavy load on ISPs and the Internet in general due to telecommuting. So, if you were a Bad Guy, how would you take advantage of this predictable behavior?

Some ideas some to mind, such as establishing web portals for work collaboration or marketing a new anti-virus solution for protecting home computers used for doing office work. Either of those capabilities would of course include a "value added feature" designed to syphon off sensitive information for criminal or espionage purposes. I'm sure there are many more evil ideas, so if you have any send them this way and we'll add them to the bottom of this diary.

UPDATE 1 - Here are a few ideas submitted by readers. Feel free to use the "comment" capability or to send us your ideas via our contact page. Either is fine.

Boris offered these thoughts:

If I was a bad guy and I wanted to take advantage of then increasing number of people working from home, I would increase the amount of key-logging and screen capture software that I was sending out.

Not only would this allow me to gain even deeper access into the compromised local machine through passwords but it would also allow me a unrestricted form of entry into the company's servers and data centres since I would have appropriate passwords and no brute force hacking required.

Screen capture software would also allow me to gain access to all kinds of sensitive documents and network plans, all useful for deeper attacks against the main servers of the company.

A reader wanting to remain anonymous said:

There is already no shortage of people who will nav to a URL that they saw on *TV* in order to rid their computer of performance robbing mal-crap, without a single thought as to who's "free" scripted ActiveX is being driven down upon them as auto-magical quicksilver.

Just who vouches for the ongoing security and iron clad compartmentalization of GoToMyPC and its ilk? I could care less that Citrix is the backend and/or even a financial stake holder. Citrix, in and of itself, is not hack proof. Yet there are plenty of companies whose employees are already using G2MPC, whether or not the company actually knows about it and has officially sanctioned such whiz-bangy remote access "convenience."

How many telecommute/work-from-home computers are going to be restricted only for official business use and quarantined from any/all personal use shenanigans???

Major corporations, who are already actively working on pandemic flu business continuity contingencies, may already have a vouched for infrastructure in place, that can sanely deal with any gas price related up tick in telecommuting/work-from-home. How far these measures happen to trickle down to critical suppliers and business partners, who knows???

Iain wrote to say:

Here in the UK, GoToMyPC has recently been advertised on TV as a solution to accessing your office PC when at a remote meeting/presentation. Your suggested scenario of more home-working could also be driving this (unusual for the UK) advertising.

As a Sysadmin at a SMB, I use variations of VNC (specifically TightVNC) extensively within out network for support purposes. When working from home, I have to use a VPN to get past the firewall before using VNC to access specific machines. A free version of VNC that can connect 2 machines behind different firewalls (in a similar way to Windows Remote Support) would be useful to me. It would probably be usefule to someone planning to work from home as well. Since VNC is open-source, it would be relatively easy for a malicious company to produce such a version containing monitoring components, then advertise it as a free alternative to GoToMyPC.

VPNs are another target. My company network hides behind an Exoserver (proprietary FreeBSD firewall device) and a Smoothwall (Linux firewall device). Both of these devices provide VPN solutions allowing me to connect to the company network from home. Smaller business may have nothing more complex than a firewall/router connected to ADSL with no VPN capability. A relatively cheap router could be flashed with new software to provide simple VPN capability, with a side order of backdoor and information siphoning, then marketed as a simple connection solution.

This scenario is DEFINITELY possible. I have signed up to a project from Samknows.com to independently monitor UK ADSL ISPs. They provide a Linksys WRT54 variant with custom software that constantly monitors and tests my home ADSL connection. It sits between my ISPs router and the rest of my home network, so it has access to everything that happens on my ADSL connection. I had to decide whether I trusted these people - in the end, participating in this trial is a way to give something back to the community - just like writing this response.

Marcus H. Sachs
Director, SANS Internet Storm Center

Marcus

301 Posts
ISC Handler

May 26th 2008

Okay, off topic, but in Norway it's $10 per gallon these days.

On topic: it provides a rather large attack vector for targeted attacks. Not only of exposed services, but also the fact that home computers aren't as protected nor as controlled as those located at your office.

Also, access to systems after midnight will greatly increase the chance of chaos due to a drunk worker logging in (or a just plain tired worker prone to make mistakes).

tyldis

5 Posts

It's worth noting that split-tunnel VPNs (wherein only corporate address space is routed through the VPN tunnel, and the rest traverses the Internet as usual) pose a subtle but very significant threat. Many teleworkers may be tempted to work and play, so to speak, from the same PC. If compromised, this PC would likely provide a more favorable entry point (via VPN) to the corporate network than would a direct public connection.

While it's certainly possible to position teleworker connectivity in parallel with other "outside" connections in a DMZ, probably the most effective solution is to designate a work-only machine, configured to send all traffic through the VPN only.

Anonymous

For what it's worth, GoToMyPC usage can be blocked by contacting Citrix:
https://www.gotomypc.com/pro/help2.tmpl#ys8

The last time I read this, there was a nice form you could fill out with your IP, but perhaps someone realized the potential damage that could be done. Still, at least this particular service can be blocked, as it's really an impolite thing to completely bypass network security. I'm rather skeptical about 'free' services like logmein, especially given that users rarely think about the implications.

Anonymous