Crimeware defense strategies: how to protect your network (and yourself)
Acclaimed security scientists say criminally motivated attacks are on the rise, but can be thwarted.
By Julie Bort, Network World, 05/29/2008
Internationally acclaimed security scientists Markus Jakobsson and Zulfikar Ramzan were recently guests for a live Network World chat. The two are co-authors of the new book "Crimeware: Understanding New Attacks and Defenses." They discussed defenses against financially motivated attacks, otherwise known as crimeware, and offered suggestions on how to protect your network (and yourself) against drive-by pharming, phishing, identity theft, wireless network vulnerabilities and more.
Moderator-Julie: So, how did you guys meet and why did you decide to write this book?
Markus_Jakobsson: We have known each other for quite a while. We both have a background in theoretical cryptography, and used to hang out at crypto conferences all over the world. When we both got interested in online fraud and how to stop it, it was natural for us to work on this together.
MarkJ: Although every network is assailable, are there cryptographic tools and methods that can be employed by end users to defend against cybercrime attacks? This question assumes that firewalls, anti-virus, anti-spam and anti-spyware measures are all in place and current with patches. It also assumes that social engineering efforts have failed to provide an opening for the cybercriminal. What cryptographic tools and methods would you suggest?
Zulfikar_Ramzan: There are a variety of cryptographic tools that can certainly help -- e.g., proper encryption, authentication, key management, etc. However, one challenge with crimeware and modern attacks is that they blend many different aspects -- so there is no one-size-fits-all solution. Instead it helps to take a holistic approach that looks at all aspects of the problem.
MarkJ: As threats become more advanced, why should the infrastructure in a country not add a posture of ensuring trusted computing via the service provider or Internet gateway by a form of legislation? If the hidden attack source IP is known, should the government not help via diplomatic channels in capturing the culprits? Do you know any country that is moving in this direction? If not, why?
Markus_Jakobsson: This is a difficult thing to do. What makes an IP address bad? That it is in Nigeria? But what if my computer is corrupted? Blocking based on IP address might just change the problem. But of course, security software of different kinds use IP addresses.
vidaliaga: My biggest concern when deploying or using a program to help me determine or prevent attack is that many times these programs themselves open up your network to hackers. Which is the bigger evil, and how do we overcome that as IT managers?
Zulfikar_Ramzan: I think the main thing is to start with the low-hanging fruit. There are some tried-and-tested technologies and approaches, and even beginning there can help keep attackers at bay (or at least interested in going after other targets). I find that many times people don't deploy even basic countermeasures, and generally speaking attackers like going after the lowest-hanging fruit.
yolynda: Can you suggest some of the tried and tested technologies you mentioned? Are you referring to anti-virus, anti-spyware?
Zulfikar_Ramzan: From a technology standpoint, having comprehensive client-side Internet security software goes a long way (e.g., including anti-virus/anti-spyware, intrusion protection, and the like). If you have a wireless network, making sure it's protected with an appropriate security protocol (e.g., WPA2) is helpful. Oftentimes people don't do these basic things, and this is how most attackers get through.
gar: What is your opinion on the state of wireless security (as compared to non-wireless)? I choose to use a wired router at home to avoid dealing with wireless hackers.
Markus_Jakobsson: That is a good idea, but not a panacea. See Zulfikar's and my work with my PhD student Sid Stamm - "drive-by pharming." If you go to a bad Web site, that site can make your computer move your router (wireless or not) into the DMZ; then it is accessible from the outside.
MarkJ: What's the scariest attack that you've come across? (scariest in terms of, "Wow, even I would fall for that")
Zulfikar_Ramzan: Drive-by pharming is up there just because it can be mounted without requiring the user to explicitly install software. Fortunately, my router password was changed, so I wouldn't have fallen for it specifically, but I know quite a few very security-savvy individuals who would have. The other area that scares me is Web browser vulnerabilities, since a well-designed exploit can infect your machine without requiring explicit user permission. And we are seeing more and more well-trafficked Web sites that become compromised and used as a launch pad for such attacks.
ckstopford: Can you describe a typical drive-by pharming attack - how it works?
Zulfikar_Ramzan: It works as follows. First, a user is exposed to malicious HTML code (either because he looked at a Web site or at an e-mail he received that contained it). The HTML code will attempt to surreptitiously connect to the user's home broadband router (wireless or wired), and will attempt to change its DNS settings. For this to work, the router has to be susceptible to a cross-site request forgery vulnerability - and many routers are, especially in cases where the user fails to change the default administrative password for the router. Once the DNS settings are changed, the attacker effectively "owns" the victim's Internet connection, because the attacker can send the user to sites of the attacker's choice no matter what domain the victim thinks he is receiving data from or transacting with.
Comments (1)
VPN spam
By Anonymous on June 4, 2008, 8:27 pm
A student's emails to an advisor should not be considered as spam. The interference is Yahoo. We were told to get Yahoo accounts to handle correspondence within...