Microsoft exec warns of rootkits
user name
2006-04-11 05:18:32
http://www.networkworld.com/news/2006/041006-infosec.html

By Ellen Messmer
Network World
04/10/06

ORLANDO - If your system gets infiltrated by a rootkit, you might as well just "waste the system entirely," a Microsoft official told fellow security professionals last week at the annual InfoSec Conference here.

Microsoft's Mike Danseglio, program manager in the company's security solutions group, was among a host of security experts from big-name companies who swapped advice about protecting networks with 1,700 showgoers.

According to Danseglio, the hacker rootkit is "probably the nastiest piece of malware you'll get," because it is designed to hide unwanted files - or any sign a computer has been compromised - stealthily.

Microsoft dedicates four staffers to analyze rootkit samples found in customer computers or on the Internet. In his presentation, Danseglio offered a list of the most-wanted rootkits (see graphic), adding that 90% of what Microsoft finds relates to Hacker Defender, a rootkit from the Czech Republic-based programmer who calls himself Holy Father. The programmer charges several hundred dollars to make Gold versions of his basic rootkit.

Writing rootkits isn't a crime, but using them to hide code in a computer that's been hacked by other means is, Danseglio said. Holy Father last month indicated he's retiring from his Web site business, leading some to speculate that he's been hired for some purpose somewhere.

According to Danseglio, rootkits have been embedded in many networks, with college campuses especially hard-hit. The University of Washington has become notorious for its students using rootkits to hide pornography and music on the university's servers, he said.

Danseglio offered a list of tools, including a few from Microsoft, that can detect rootkits. But he said there are no simple ways to address the menace. "There are no rootkit-resistant operating systems," Danseglio said.


Lessons shared

Kerry Anderson, a Fidelity Investment Brokerage vice president in the information security group, spoke on the topic of setting up a computer forensics program to tackle crime, including child pornography, terrorism and financial fraud.

A company's first priority should be establishing a policy and internal training for auditing and investigating suspected computer crime, coordinating among the legal, human resources and IT departments, she said.

She advised extending that policy to include working with outsourcing providers, vendors and business partners to ascertain their computer-investigation procedures and get the right to audit and monitor their computers if necessary. "Our contracts today are requiring the right to do risk assessment and visitation audits," she pointed out.

The insider threat is a top concern at State Street, which manages more than $10 trillion in assets. State Street Senior Technology Officer Doug Sweetman said securities laws require the firm to conduct background checks on employees and prospective employees.

But these days, that might go beyond a criminal-history check and include scouring the Web to find blogs an applicant has written or evidence of a gambling habit or visiting hacker sites - all of which might raise a red flag. "I don't feel any restrictions going after your blog or pulling all these data together," he said.

One headache at State Street is the freeware that employees download and the company wants to remove as a potential security risk. Google Desktop 3.0 search software is among the programs State Street watches out for: "It allows for file-sharing and takes the file up to the Google complex," Sweetman said.

"You've got to think about where that file is when Google indexes content," he said.

-=- 

Sidebar

Microsoft's most-wanted list

Rootkits that hide in Windows:
* Hacker Defender
* FU
* HE4Hook
* Vanquish
* AFX
* NT Rootkit

Tools that can detect rootkits:
* PatchFinder2 and Klister/Flister, proof-of-concept tools from Polish researcher Joanna Rutkowska
* RootkitRevealer from Sysinternals
* Blacklight from F-Secure
* Microsoft File Checksum Integrity Environment
* Bootable Antivirus & Recovery Tools from Alwil Software
* Knoppix Security Tools Distribution (open source)
 


_________________________________
LayerOne 2006 : Pasadena Hilton : Pasadena, CA
Information Security and Technology Conference
http://layerone.info