NSW seeks to build unhackable netbook network

Posted: under I.T. News, Networking, Windows 7.

The NSW Department of Education is using asset-tracking software, RFID tags, and BIOS-embedded filtering smarts to roll out 240,000 netbook computers into what CIO Stephen Wilson calls “the most hostile environment you can roll computers into” - the local high school.

 

The rollout of Lenovo netbooks, funded under the Federal Government’s Digital Education Revolution initiative, is a massive logistical and IT security challenge, and the solution Wilson and his team have put together to address these issues could well be applicable to any corporate IT department.

 

Over four years, some 240,000 Lenovo netbooks will be offered to students in year nine. The netbooks can be kept until year 12, or permanently should the student finish his or her studies at the school. Netbooks are also being offered to teachers.

 

To take receipt of the netbooks, students and parents are asked to sign forms in which they acknowledge their responsibility to take care of the machines and use them appropriately.

 

They are armed with an enterprise version of the new Windows 7 operating system, Microsoft Office, the Adobe CS4 creative suite, Apple iTunes, and content geared to students. Although the netbooks are loaded with many hundreds of dollars of software, 2GB RAM and a six-hour battery, the cost to the NSW Department of Education is less than $500 a unit.

 

Underneath the covers of the netbooks - and within the network that controls them - lies a great deal more smarts to ensure that the total cost of ownership of each machine does not blow out.

 

Wilson said that while private schools and other states have taken a “carte blanche” approach to handing out laptops as part of the Digital Education Revolution, the DET rollout is “among the more systematic, automated and paperless” projects ever embarked upon.

 

Security smarts

At the physical layer, each netbook is password-protected and embedded with tracking software at the BIOS level of the machine.

 

That is administered through an enterprise services bus, which also connects the Remedy suite for asset management, Active Directory for authentication and Aruba’s Airwave for wireless network management.

 

If a netbook were to be stolen or sold, the department can remotely disable it over the network. Even if the hard drive of the machine were swapped out or the operating system wiped, it would be useless to unauthorised users.

 

Already, it has noted the loss or damage of just six netbooks out of the 20,000 rolled out since August - and has tracked a teacher using their device on a field trip in New Zealand.

 

While there is a serial number and barcode on each computer, the department said that thieves or students might be able to remove them. To combat this, it is using passive RFID chips on every machine that will enable them to be identified “even if they were dropped in a bathtub”.

 

Because the tags are passive, an RFID reader needs to be in close proximity to the device to read it. (Active RFID tags transmit a signal back to base.)

 

The department used the AppLocker functionality within Windows 7 to dictate which applications are installed.

 

Web access on the netbooks is filtered according to a corporate security policy (using McAfee’s SmartFilter technology) plus an additional SOCKS-based proxy client, which provides web filtering at the network layer.

 

The devices also use Microsoft’s Forefront Antivirus technology.

 

Upgrades

With such a huge fleet of computers in the hands of students, Wilson said it would be “unrealistic” for the department to offer technical support for software applications.

 

The netbooks were built so that the department can remotely upgrade and patch the devices over a wireless network.

 

It used Microsoft’s System Centre Configuration Manager tool to distribute software down to devices.

 

The update service switches off once a student finishes year 12.

 

Wilson said there was no way such a large fleet of machines could be managed at such low cost without the smarts embedded within Microsoft’s new operating system.

 

“There was no way we could do any of this on XP,” he said. “Windows 7 nailed it for us.”

Comments (0) Sep 28 2009

IPv6 Adoption Will Grow With Smart Grid Adoption, Hopes Cisco

Posted: under I.T. News, Networking.

Few doubt that the smart grid — the plan to upgrade the nation’s electrical networks, backed by supporters including politicians, environmental groups and tech industry leaders — is anything less than an ambitious undertaking.

 

But it’s also an opportunity to improve the nation’s IPv6 adoption, according to Cisco (NASDAQ: CSCO). That’s because the networking giant sees a successful smart grid requiring end-to-end security and Internet Protocol as its common transport.

 

Cisco today unveiled plans to expand its own smart grid push, with new efforts to help standardize technologies and build a vendor ecosystem for solution delivery. In combination with the enablement technologies, Cisco is now also gearing up smart grid security services and solutions in an effort to help secure the electrical system.

 

There’s a lot at stake in the market for smart grid solutions. Cisco has estimated the market to be worth as much as $20 billion a year. Security is also now top of mind as the Department of Homeland Security (DHS) is now investigating a report into potential threats to the West Coast power grid.

 

“As utilities are looking to build out smart grid, it’s more effective to agree on a common protocol across the board as opposed to trying to intermix different ones,” said Marie Hattar, Cisco’s vice president of network systems and security solutions marketing. “In many ways, this is like the early days of the Internet where we ultimately settled on IP. We see IP as the scalable protocol for smart grid and we’re working with a variety of vendors to advocate this and make this the key protocol of choice.”

 

And there are likely to be subsidiary benefits to the smart grid, like furthering the cause of IPv6, since tens of millions of users and new devices around the world will require connectivity.

 

Today, most Internet users have an IPv4 address through which they are connected to the Internet. IPv4 has a 32-bit address size, allowing for only 4.3 billion addresses, and is currently nearing address-space exhaustion. The American Registry for Internet Numbers (ARIN), the organization that assigns IP address space in North and South America, has publicly stated that it expects to run out of IPv4 addresses inside of the next two years.

 

IPv6, the successor technology to IPv4, has a 128-bit address space, enabling it to handle far more addresses — though, to date, adoption has been slow.

 

As Cisco sees it, the smart grid could well prove to be a solid use case and a driver for IPv6 adoption.

 

For example, with utilities adopting IP-enabled metering for thousands of homes connected to the network, there could be an issue with addressing over IPv4. On IPv6, thanks to its plentiful address availability, there are no addressing issues.
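To make the addressing argument concrete, here is an added example (not from the article or from Cisco) that uses Python’s standard `ipaddress` module to lay out a hypothetical metering network: one /64 per substation carved from a utility’s /48, with each meter given a host address, beside the same plan attempted inside a single IPv4 /24 carved into /27s. The prefixes are documentation ranges (2001:db8::/32 and 203.0.113.0/24) and the substation/meter counts are made up; the point is that the IPv6 plan never runs out of subnets for realistic counts, while the IPv4 plan fails as soon as either the subnet count or the meters per subnet exceeds the block.

```python
import ipaddress

# Constructed, hypothetical allocations (documentation prefixes, not real ones).
UTILITY_V6_PREFIX = ipaddress.IPv6Network("2001:db8:100::/48")
UTILITY_V4_PREFIX = ipaddress.IPv4Network("203.0.113.0/24")


def plan_ipv6(prefix, n_substations, meters_per_substation):
    """Carve `prefix` into one /64 per substation and give every meter a host address.

    Returns {(substation_index, meter_index): IPv6Address}.
    Raises ValueError if the prefix cannot hold that many /64 subnets.
    """
    subnets = iter(prefix.subnets(new_prefix=64))
    plan = {}
    for s in range(n_substations):
        try:
            subnet = next(subnets)
        except StopIteration:
            raise ValueError(
                f"{prefix} holds only {2 ** (64 - prefix.prefixlen)} /64 subnets")
        # Host part is meter index + 1 so that ::0 (subnet-router anycast) is skipped.
        for m in range(meters_per_substation):
            plan[(s, m)] = subnet[m + 1]
    return plan


def plan_ipv4(prefix, n_substations, meters_per_substation, per_substation_prefix=27):
    """Same plan over IPv4: one /27 (30 usable hosts) per substation.

    Raises ValueError when the block runs out of subnets or a subnet runs out of hosts.
    """
    subnets = iter(prefix.subnets(new_prefix=per_substation_prefix))
    plan = {}
    for s in range(n_substations):
        try:
            subnet = next(subnets)
        except StopIteration:
            raise ValueError(f"{prefix} exhausted after {s} substations")
        hosts = list(subnet.hosts())  # excludes network and broadcast addresses
        if meters_per_substation > len(hosts):
            raise ValueError(
                f"{subnet} has only {len(hosts)} usable addresses, need {meters_per_substation}")
        for m in range(meters_per_substation):
            plan[(s, m)] = hosts[m]
    return plan


def fits(plan_fn, prefix, n_substations, meters_per_substation):
    """True if the plan can be built without exhausting the prefix."""
    try:
        plan_fn(prefix, n_substations, meters_per_substation)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    v6 = plan_ipv6(UTILITY_V6_PREFIX, n_substations=1000, meters_per_substation=200)
    print(f"IPv6: {len(v6)} meters addressed, first {v6[(0, 0)]}, last {v6[(999, 199)]}")
    print("IPv4 /24, 8 substations x 30 meters fits:", fits(plan_ipv4, UTILITY_V4_PREFIX, 8, 30))
    print("IPv4 /24, 9 substations x 30 meters fits:", fits(plan_ipv4, UTILITY_V4_PREFIX, 9, 30))
    print("IPv4 /24, 1 substation x 31 meters fits:", fits(plan_ipv4, UTILITY_V4_PREFIX, 1, 31))
```

The IPv4 plan is deliberately generous (a whole public /24 for one utility), and it still breaks at nine substations or 31 meters in a subnet; the /48 carries 65,536 substations with 2^64 host addresses each, which is the “no addressing issues” point the article makes.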

 

“IPv6 is an interesting discussion and one that occupies a lot of bandwidth at Cisco,” Hattar said. “Some people say that for smaller deployments, we could get away with IPv4, but the smart grid has a number of parts.”

 

“The point is that if you’re looking to build this [smart grid] out, why not build it out on the scalable protocol from the get-go?”

 

Security

 

Building a scalable IP-based addressing system into the smart grid isn’t Cisco’s only focus at the moment.

 

Security of the smart grid is another topic that has been top of mind lately. At the Black Hat security conference in July, a security researcher detailed security vulnerabilities in smart grid meters.

 

“If you think about hacking into a smart meter, it’s like hacking into your TV’s remote control — you still get your TV,” Hattar said. “The meters are a reporting mechanism but it’s not going to affect the electrical system.”

 

Still, Hattar added that smart meter vendors are concerned about security and Cisco will work with them.

 

“A key part is to build out an end-to-end framework that is secure,” Hattar said. “A lot has to do with isolation and not exposing the grid to points of entry that are hackable.”

Comments (0) Sep 18 2009

802.11n Should Be Finalized By September

Posted: under Networking.

By Sept. 11, it’s probable that the 802.11n standard will finally be approved. 

 

On Friday, Bob Heile, the chairman of the IEEE 802.15 working group on Personal Area Networks, sent an email confirming that the IEEE 802.11n draft standard had been sent on to the Standards Review Committee, or RevCom, which formally recommends standards for approval.

 

“On other fronts, 802.11 was granted unconditional approval to forward 11n to RevCom,” Heile wrote. ” After a bit of a rocky period on getting acceptable coexistence language included in the draft, I was pleased to support this approval. Congratulations to Bruce for his patience and perseverance in getting this done. This was an extremely complex project.”

 

RevCom is scheduled to meet in Piscataway, New Jersey, from Sept 9 through Sept. 11. The committee meets on a quarterly basis.

 

For the 802.11n standard, the standards process has been agonizingly slow, dating back almost five years to 2004, when 802.11g held sway. The standard struggled throughout 2005 and 2006, when members supposedly settled on the TGnSync standard, then formed the Enhanced Wireless Consortium in 2006 to speed the process along. A draft version of 802.11n was approved in January 2006, prompting the first wave of routers based on the so-called draft-n standard shortly thereafter.

 

The wireless industry plowed into a major roadblock in May of that year, however, when the draft 802.11n standard failed to pass. In May 2007, the Wi-Fi Alliance agreed to certify the draft-n products to kickstart the market.

 

The September meeting might also cement the future of so-called 60-GHz or millimeter-wave technology being developed by SiBEAM and its rivals, also known as 802.15.3c.

 

“We had one item on the closing Executive Committee meeting agenda,” Heile wrote. “We sought and were granted conditional approval to forward 802.15.3c latest draft to RevCom for its consideration at its Sept. 2009 meeting. A third and, we hope final, recirculation is in process.”

 

The 802.11 committee, meanwhile, has reportedly exhausted the single-letter alphabet, so the so-called 802.11 very-high-throughput technology now under development is known as 802.11ac.

Comments (0) Jul 21 2009

Conficker Hype And Debate Build As April Fool’s Day Nears

Posted: under Networking.

Security experts have sounded the alarm - and many others are just as loudly trying to quell the furor - over fears the Conficker computer worm could trigger Internet havoc on April 1.

 

Some security researchers have warned that Conficker could unleash the equivalent of a “digital Pearl Harbor,” while others have suggested it could be the world’s biggest April Fool’s joke. No one knows for sure what will happen on Wednesday when as many as 10 million computers infected by Conficker start “phoning home” for new instructions from the worm’s creators.

 

Multiple versions of the worm, which first appeared late last year, have spread in a variety of ways and take advantage of several weaknesses in Microsoft Corp.’s (MSFT) Windows operating system. The software giant fixed those weaknesses in October, but many people didn’t download the patch or they run bootleg copies of Windows that don’t get the updates.

 

Once Conficker infiltrates a machine, it tries to crack administrators’ passwords, hijack security software, disable commercial antivirus software, and open the PC to further infections. Internet security experts were so struck by the authors’ skills that they formed the “Conficker Cabal” to fight back against the worm.

 

Their challenge is apt to get a whole lot bigger on Wednesday when Conficker is set to generate 50,000 new Internet domain names, any of which could be used to take control of the millions of infected PCs. The vast number of potential control centers will make it extremely difficult to preemptively cut off communication between the infected computers and Conficker’s authors.
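The defensive counterpart to a worm that churns through thousands of candidate rendezvous domains is to watch the resolver: an infected host produces a burst of lookups for names that no human typed, most of which come back NXDOMAIN because the authors only register a handful. The following is an added example (not from the article and not Conficker’s own algorithm) that scores the registrable label of each queried name on simple lexical features and counts, per client, NXDOMAIN answers for suspicious-looking names. The log lines are constructed, the “timestamp client qname rcode” format is assumed, and the thresholds are starting points to be tuned against real traffic.

```python
import math
from collections import Counter, defaultdict

# Constructed resolver log (not real traffic): "<timestamp> <client_ip> <qname> <rcode>"
SAMPLE_DNS_LOG = """\
2009-04-01T00:00:01 10.0.0.5 www.example.com NOERROR
2009-04-01T00:00:02 10.0.0.5 mail.example.net NOERROR
2009-04-01T00:00:03 10.0.0.9 qzvkpxmwrl.org NXDOMAIN
2009-04-01T00:00:03 10.0.0.9 bhtvxlqwne.info NXDOMAIN
2009-04-01T00:00:04 10.0.0.9 rkjxwnqzp.net NXDOMAIN
2009-04-01T00:00:04 10.0.0.9 mtpvzkqwhx.com NXDOMAIN
2009-04-01T00:00:05 10.0.0.9 xqplwmvzr.biz NXDOMAIN
2009-04-01T00:00:06 10.0.0.5 images.example.org NXDOMAIN
"""

VOWELS = set("aeiou")


def shannon_entropy(s):
    """Bits of entropy per character of the string (0 for an empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def longest_consonant_run(label):
    """Length of the longest run of consecutive consonant letters."""
    best = run = 0
    for ch in label:
        if ch.isalpha() and ch not in VOWELS:
            run += 1
            best = max(best, run)
        else:
            run = 0
    return best


def domain_features(label):
    """Lexical features that separate dictionary-like labels from random ones."""
    letters = [c for c in label if c.isalpha()]
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters) if letters else 0.0
    return {
        "entropy": round(shannon_entropy(label), 3),
        "vowel_ratio": round(vowel_ratio, 3),
        "consonant_run": longest_consonant_run(label),
    }


def is_suspicious_label(label, max_consonant_run=4, min_len=8, min_vowel_ratio=0.2):
    """Heuristic: long consonant runs or long, nearly vowel-free labels look generated."""
    f = domain_features(label.lower())
    return f["consonant_run"] > max_consonant_run or (
        len(label) >= min_len and f["vowel_ratio"] < min_vowel_ratio)


def registrable_label(qname):
    """Naive second-level label ('example' for www.example.com); ignores multi-part TLDs."""
    parts = qname.rstrip(".").lower().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def parse_dns_log(text):
    """Yield (client, qname, rcode) from the assumed four-field log format."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip blank or malformed lines
        _ts, client, qname, rcode = fields
        yield client, qname, rcode


def flag_hosts(text, min_hits=3):
    """Clients with at least `min_hits` NXDOMAIN answers for suspicious-looking names."""
    hits = defaultdict(int)
    for client, qname, rcode in parse_dns_log(text):
        if rcode == "NXDOMAIN" and is_suspicious_label(registrable_label(qname)):
            hits[client] += 1
    return {client: n for client, n in hits.items() if n >= min_hits}


if __name__ == "__main__":
    for client, n in flag_hosts(SAMPLE_DNS_LOG).items():
        print(f"{client}: {n} NXDOMAIN answers for generated-looking names")
```

A single NXDOMAIN for a typo (the `images.example.org` line) does not trip the rule; it is the combination of NXDOMAIN and lexical randomness, repeated per client, that does. The label extraction is deliberately naive (it treats `co.uk` as a registrable label), so a real deployment would use a public-suffix list, and the thresholds should be calibrated against the organisation’s own legitimate query mix before alerting on them.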

 

Some researchers - and many media outlets, including CBS’ “60 Minutes” - have speculated that the worm’s authors could then trigger the program to send spam, spread more infections, or start an all-out attack on Web sites run by major Internet companies such as Google Inc. (GOOG), Yahoo Inc. (YHOO) or Amazon.com Inc. (AMZN)

 

But others who have been following the worm say the date will probably come and go without event. Luis Corron, a director at Panda Security, played down the threat Friday in a blog post entitled “Don’t get taken in by the Conficker Panic.”

 

Corron noted that criminals and hackers typically unleash Internet worms to surreptitiously build huge networks of “zombie” computers that can then be harnessed to send spam, or increasingly to steal vast amounts of personal and financial data available online. That would augur against a crippling Internet attack.

 

Rick Howard, intelligence director at Verisign Inc.’s (VRSN) iDefense Labs, said researchers scouring the Internet have discovered copies of the updated worm lying in wait to be activated on April 1. He said that while those copies point to a more sophisticated version of the worm, they don’t contain a payload that would launch an attack on Wednesday.

 

“It’s unclear what it’s for right now,” he said of Conficker. “It could be used for lots of things, but there’s not going to be a catastrophe on April 1.”

Comments (0) Mar 31 2009

The lifecycle of a trojan horse

Posted: under Anti-Virus, Networking.

Summarizing the lifecycle of a trojan horse as “configuration, infection, action, deletion” would be too brief; you would miss a lot of important and valuable information that helps you understand how they are constructed, what their internal structure looks like and how they are brought to life. I want to give you the whole, big picture of the trojan horse lifecycle, from the configuration stage through to its deletion and all the steps in between.

 

Configure and bind

What a trojan horse needs first are its configuration settings: the information that tells it what to do once it is executed on the target system. At this point we have to know that the trojan horse is divided into two different parts: the client and the server. The server is the part that is installed on the victim’s system; the client is the controlling component on the attacker’s side.

 

The names server and client are a little confusing in this context, because normally a client is the one that connects to a server and sends commands to it. That is how the setup worked some years ago: the attackers on the client machines connected to the servers on the infected victim machines. Nowadays it works exactly the opposite way: the infected victim systems establish a reverse connection to the controlling master system. The reason lies in history. Once the Internet access providers and the hardware vendors began selling only NAT routers with integrated firewall functionality, and computers were equipped with desktop firewalls, it became impossible for an attacker to connect to the servers on the victim systems. A new technique was needed, so the malware developers decided to let the infected systems establish a reverse connection to their controlling system. But instead of swapping the names client and server so that they make sense again (in networking terminology a client normally connects to the server), they kept them as they were and changed the description of how the connection is established: in reverse, as a reverse connection.
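Because the infected machine now initiates the connection, the behaviour a defender can look for on the network is the opposite of a classic inbound compromise: a regular, machine-timed outbound “check-in” from an internal host to one external address and port. Here is an added example (not from the article) that takes constructed flow records of the form (epoch seconds, source, destination, destination port), groups them per source/destination/port triple, and flags triples whose inter-connection gaps are too regular to be a person browsing. The records, the thresholds and the field layout are assumptions; real flow exports (NetFlow, firewall logs) would be mapped into the same tuple.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records (not captured traffic): (epoch_seconds, src_ip, dst_ip, dst_port).
# 10.0.0.9 checks in with one external host every ~60 s; 10.0.0.5 browses irregularly.
SAMPLE_FLOWS = [
    (1000, "10.0.0.9", "198.51.100.7", 443),
    (1060, "10.0.0.9", "198.51.100.7", 443),
    (1121, "10.0.0.9", "198.51.100.7", 443),
    (1180, "10.0.0.9", "198.51.100.7", 443),
    (1241, "10.0.0.9", "198.51.100.7", 443),
    (1300, "10.0.0.9", "198.51.100.7", 443),
    (1003, "10.0.0.5", "192.0.2.10", 80),
    (1004, "10.0.0.5", "192.0.2.10", 80),
    (1150, "10.0.0.5", "192.0.2.10", 80),
    (1151, "10.0.0.5", "192.0.2.22", 443),
    (1700, "10.0.0.5", "192.0.2.10", 80),
    (1701, "10.0.0.5", "192.0.2.10", 80),
]


def connection_gaps(timestamps):
    """Seconds between consecutive connections, in time order."""
    ordered = sorted(timestamps)
    return [later - earlier for earlier, later in zip(ordered, ordered[1:])]


def find_beacons(flows, min_connections=5, max_cv=0.2):
    """Return {(src, dst, port): stats} for outbound series that look like beacons.

    A series qualifies when it has at least `min_connections` connections and the
    coefficient of variation (std dev / mean) of its gaps is at most `max_cv`,
    i.e. the timing is far more regular than human-driven traffic.
    """
    by_triple = defaultdict(list)
    for ts, src, dst, dport in flows:
        by_triple[(src, dst, dport)].append(ts)

    beacons = {}
    for triple, times in by_triple.items():
        if len(times) < min_connections:
            continue
        gaps = connection_gaps(times)
        avg = mean(gaps)
        if avg == 0:
            continue  # simultaneous connections; not a timed beacon
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            beacons[triple] = {"count": len(times), "interval": avg, "cv": round(cv, 3)}
    return beacons


if __name__ == "__main__":
    for (src, dst, port), stats in find_beacons(SAMPLE_FLOWS).items():
        print(f"{src} -> {dst}:{port} every ~{stats['interval']}s "
              f"({stats['count']} connections, cv={stats['cv']})")
```

The 10.0.0.5 series to 192.0.2.10 has the same number of connections but gaps of 1, 146, 550 and 1 seconds, so it is not reported. Implants commonly add random jitter to the interval precisely to defeat this kind of check, which is why `max_cv` is a tunable and why the count and the destination’s reputation should be weighed alongside regularity rather than relying on timing alone.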

 

1. Normally, integrated into the client, you find a tool with which an attacker builds and configures a new trojan package. The settings include the client’s hostname to which the server has to connect back, the server’s ID so it can be recognised after it is installed on the system, whether to install it on the target system at all or only execute it and let it disappear after the reboot, and how to start it automatically after a reboot (via the registry, as a service etc.), amongst other things. So first the configuration GUI on the client takes a raw, unconfigured damage routine and customizes it according to the attacker’s settings.

 

2. The second component configured by the configuration GUI is the dropper. The dropper is the part of a trojanized package that installs the damage routine on the target system. It saves it in a safe place on the target’s file system, starts it and also makes sure it gets started automatically after a system reboot.

 

3. The last step the configuration GUI performs is to join/bind the previously configured damage routine, the dropper and the last piece I didn’t mention so far: the entertainer file, which the victim expects to see when double-clicking the trojanized file.

 

Propagate and drop the malware

Once the trojan horse is configured and all the components are merged and glued together into one package, the next step is to propagate it. It depends on the creativity of the attacker how to release the package into the wild and how to convince the mass of victims to execute it. Some common ways are:

  • Sending it via email and pretending to be a familiar person
  • Sending a victim an email with a link to a homepage containing malicious content that installs the trojan automatically
  • Spreading it in file sharing networks to install it on random victims’ computers

These are only a few examples to show which ways exist at all; I will go into the details later in another article/chapter dedicated especially to this subject.

 

Executing the dropper

1. After the package reaches the victim’s machine and is executed, the dropper component becomes active first. The dropper extracts the damage routine and the entertainer to the victim’s hard drive.

 

2. After extracting them, it has to decide what happens with the damage routine, i.e. where exactly to put it. Does it have to be copied to a specific directory, and do we have to execute it? For example, we don’t have to execute a simple hosts file (with our new bogus host name entries) that contains only text data. A password recovery routine, on the other hand, we do have to execute.

 

3. The dropper has to decide whether it is necessary to start the damage routine automatically after a reboot. If the dropper was configured to do so, there are several ways to do it, for example using the Windows ini files, the system registry etc. I won’t go deeper into this subject here because it would be too much information and has to be covered in a separate chapter/article.

 

4. If everything is installed and configured according to the attacker’s wishes, the last thing the dropper has to do before deleting itself is to start the entertainer file. This is necessary so everything behaves as expected and the victim doesn’t become suspicious.
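The dropper’s third step, registering the damage routine to start after a reboot, is also the step that leaves the most durable trace, and the registry Run keys it typically uses are trivial to export and audit. The following is an added example (not from the article) of such an audit: it parses the text that the Windows `reg export` command writes for a Run key and flags entries whose executable lives in a user-writable scratch directory or borrows a system binary’s name outside the Windows directory. The export text and every entry in it are constructed and hypothetical; the only assumption about the real tool is the `Windows Registry Editor Version 5.00` file format with `[key]` headers and `"name"="data"` lines.

```python
import re

# Constructed example of the `reg export` text format; the entries are hypothetical.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"VendorSync"="\"C:\\Users\\alice\\AppData\\Local\\VendorSync\\sync.exe\" /background"
"svchost"="C:\\Users\\alice\\AppData\\Local\\Temp\\svchost.exe"
"Updater"="C:\\Users\\alice\\Downloads\\update.exe -silent"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ExampleAgent"="C:\\Program Files\\ExampleVendor\\agent.exe"
"""

# Directories an unprivileged user (and therefore a dropper running as that user) can write to.
RISKY_DIRS = ("\\temp\\", "\\downloads\\", "\\public\\")
# Names that only belong under the Windows directory; a copy elsewhere is impersonation.
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "explorer.exe"}

_VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"=("(?:[^"\\]|\\.)*")$')


def _unescape(s):
    """Undo reg-export escaping: \\ -> \ and \" -> "."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text):
    """Return [(key, value_name, string_data)] for the string values in an export."""
    entries = []
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and line.startswith('"'):
            m = _VALUE_LINE.match(line)
            if not m:
                continue  # hex:, dword: and other non-string data are ignored here
            entries.append((key, _unescape(m.group(1)), _unescape(m.group(2)[1:-1])))
    return entries


def executable_path(command):
    """Extract the program path from a Run-key command line (quoted or bare)."""
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = re.match(r"(.+?\.exe)(\s|$)", command, re.IGNORECASE)
    return m.group(1) if m else command.split()[0]


def audit_run_keys(text):
    """Flag Run-key entries that match the dropper persistence pattern described above."""
    findings = []
    for key, name, command in parse_reg_export(text):
        if "\\currentversion\\run" not in key.lower():
            continue
        path = executable_path(command)
        low = path.lower()
        reasons = []
        if any(d in low for d in RISKY_DIRS):
            reasons.append("executable lives in a user-writable scratch directory")
        if low.rsplit("\\", 1)[-1] in SYSTEM_NAMES and "\\windows\\" not in low:
            reasons.append("system binary name outside the Windows directory")
        if reasons:
            findings.append({"key": key, "name": name, "path": path, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_run_keys(SAMPLE_REG_EXPORT):
        print(f"{f['key']}\\{f['name']} -> {f['path']}: " + "; ".join(f["reasons"]))
```

Run against an export of `HKCU\...\CurrentVersion\Run` and `HKLM\...\CurrentVersion\Run`, this reports the two hypothetical entries planted under Temp and Downloads and stays quiet about the vendor agent in Program Files and the sync client under AppData. The Run keys are only one of the locations the article alludes to (ini files, services and scheduled tasks are others), so the same audit should be extended to each location the environment allows.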

 

Executing the damage routine

After the dropper has finished the installation, it is up to the damage routine to do its job: silently, in the background, without attracting the victim’s attention, collecting sensitive information such as account information, documents, emails and the browser history file, modifying system settings, etc. But here, too, I won’t go into the details of what the damage routine does exactly and how it does it. I will cover this subject later in another chapter/article.

 

Removing the malware

At the end of any lifecycle there is normally the death of the object. There are two ways the life of a trojan horse can end:

 

1. The trojan horse has finished its work and removes all the files it generated over the time it was running on the target system, cleans the system log file entries and makes sure no traces are left after removal. At the very end it deletes itself from the system. The trojan horse commits suicide.

 

2. The trojan horse was not able to avoid detection on a target system, and a copy of the damage routine was sent to an AV (anti-virus) company to analyze its behaviour and subsequently create a fingerprint. The fingerprint pattern is sent to the AV company’s customers and the trojan horse will finally be detected, stopped and removed from the system. The trojan horse gets murdered.

Comments (0) Mar 19 2009