Get Informed


Spybots, Man-in-the-Middle Attacks and Unified Threat Management

An interview with security expert Brian Chee on the latest network threats and what to do about them.

March 14th, 2007
By the Network Security Staff

What's hot in the firewall area right now? What are people talking about?

It depends on the market. If you're talking branch office/SMB/small- or medium-sized business, it's unified threat management, UTM. Those products are hot hot hot. In a corporate environment, anti-virus, anti-spam and anti-spybot are usually separate boxes managed by different teams. But in an SMB environment, companies just don't want to proliferate lots of boxes. So firewall vendors have collapsed all that down into what they're now calling a separate type of firewall called a UTM. The appliance is firewall, anti-spyware and gateway anti-virus, all combined.

And on the enterprise level?

Spybots! There are two classes of spybots. One type rides on a virus or worm, gets installed on machines and then goes and hijacks things. It might be a zombie-net, which slaves a whole lot of your machines, which then go and start attacking people. It can send hundreds of thousands of emails quickly.

The other type, just starting to emerge, is the "man-in-the-middle" attack, where the spyware installs a proxy — E*Trade, for example. Then it looks at all the Web requests and, say someone says, "I want to go and buy a share of AMD," it might change it to a share of Intel. I've seen demos where it can even get through those E*Trade dongles that change the password every 60 seconds. That's got a lot of people worried. Man-in-the-middle attacks are one of the greatest dangers to token-authentication.

Is there any defense?

There are a whole bunch of people developing things that will detect these kinds of hijacks before they hit. Then there's a bunch of anti-spyware detectors that will do something similar after the fact. Corporations like Trend Micro and Symantec are pouring big money into this, developing a new generation of anti-spyware appliances.

Given the ingenuity of Internet malefactors, how can firewall vendors keep up?

Well, they're participating in things like Def Con, the Computer Underground Hackers Convention, so they're seeing new threats as they appear. Also, corporations are hiring "black hats" and turning them into "white hats," so they've got developers working with them that used to develop spyware. Unfortunately, security appliances are always going to be a step or two behind, but it's a matter of trying to create algorithms or profiles of what these attacks will look like to handle zero-day attacks. Millions of dollars are being poured into trying to keep a step ahead of virus, worm and spyware authors.

Are the vendors being successful?

Yes, they are. I'm actually having a hard time collecting viruses, because they're not getting through my anti-virus stuff any more. I've got a sacrificial machine out on the net that's only there to collect viruses. Every company that does this kind of work has "honeypots" out there to collect viruses. A company called New Security has a box called the MU4000 that takes the CERT (Community Emergency Response Team) advisories and the Def Con stuff and creates an attack so you can study it, watch it as it mutates until it doesn't even look like the original attack any more. You can use that to attack the machines in the DMZ on the firewall, and see how well the firewalls can handle these mutated attacks.

Is it possible for a company to be totally confident that its network is safe?

That's like asking, "Can you guarantee you won't catch the flu?" There's a lot of things you can do, but "absolutely sure" is a pretty strong statement. I think you can be confident within reasonable parameters.

What kinds of technology would a company deploy for maximum protection?

You've got to have a device that monitors your net. In fact, you've got to monitor different segments differently. You might have a server farm segment, engineering, admin, sales and so forth. Sales, for instance, with people taking laptops out into the world and bringing them back and hooking them up to the network, is going to be much higher risk than the admin area where the machines stay static and protected. So you spend your money based on where your highest risks are.

One thing I see companies doing that I think is a very cool move is spending money on dedicated personnel just to handle internal security.

Spending money on people, not hardware?

Exactly. There are tools out there that will tell you all kinds of great things. Log files, for instance, will tell you a lot of things — but sorting through a million-line log is not a trivial task. There are tools, security event managers, that help you by correlating incidents. For instance, a person setting up a VPN tunnel from Germany is a legal act. That same person using his security card to enter the physical facility is also a legal act. However, if your security event manager notices that the same person is opening up a VPN tunnel from Germany at the same time he's using his security card to enter the physical facility, that is a risk.

The key is not just looking for events, but correlating events. There needs to be more attention given to designing correlation engines. We call this "risk assessment," and it's very important.

Security is 90 percent policy. If an event is detected, escalation should be automatic. Event management, event action, is moving closer to the edge—and the sooner you act on an event, the more effectively you limit the outbreak.

Brian J.S. Chee, CNE/CNI, is a researcher at the University of Hawaii School of Ocean and Earth Sciences and Technology ( and is a senior contributing editor to InfoWorld magazine. Chee founded the Advanced Network Computing Laboratory (ANCL) in 1986 as a venue for giving university students experience with emerging networking technology in balance with their "ivory tower" education. ANCL's program is designed to provide an immediate return on investment to those that hire ANCL Interns, while preserving the critical thinking and theoretical knowledge imparted by a university environment.

Related Articles:

The Fight Against Phishing: 44 Ways to Protect Yourself

Network Based Intrusion Detection

Heighten Security: Install a Firewall

Network Access Control: Securing the Perimeter

Article Tools:       


All fields are required. Your E-mail will not be published.