Welcome to the Proxy Update, your source of news and information on Proxies and their role in network security.

Sunday, March 29, 2009

April 1st, April Fools

With April 1 coming soon, there's plenty to worry about if you're a security administrator. First off, there are plenty of articles already floating around the internet worrying about what the Conficker worm will do on April 1st. The experts still aren't quite certain what, if anything, Conficker might do when it activates its payload. With that uncertainty, and the usual glut of viruses and practical jokes that occur on April Fools' Day, the typical security administrator should have no lack of things to worry about.

As a part-time administrator myself (I do still manage all my home systems, and the systems of family members, even if I don't currently manage a corporate network), it still amazes me when one of my end-users asks me why a web page is being blocked. I'm amazed because the software I have installed on their system (the free K9 software from Blue Coat) says specifically why they are being blocked (spyware or malware source, or illegal/questionable content), yet the typical end-user wants to go to that site anyway (since it came up in a search for what they were looking for). With April 1st around the corner, I'll have to redouble my resolve to keep blocking bad websites. The corporate admin should never lose their resolve to keep their security in place.

Friday, March 27, 2009

Melissa virus turning 10 ... (age of the stripper unknown)

We mark a notorious anniversary this week: it's the 10th anniversary of the Melissa virus, one of the best-known email viruses. Some of the comments on the Network World article on the anniversary express disbelief that it's been 10 years already since the outbreak of Melissa. It does seem like it was only yesterday that IT admins were cleaning up the mess left by Melissa. This anniversary is a good reminder for all admins to stay vigilant and review the security measures currently in place for any traffic that goes to or comes from the internet.

Thursday, March 26, 2009

China becoming the world's malware factory

It's not a surprise to anyone already working in the security industry, but a lot of malware and viruses come from or are hosted in China. A new article in Network World this week highlighted this fact.

With China's economy cooling down, some of the country's IT professionals are turning to cybercrime, according to a Beijing-based security expert.

Speaking at the CanSecWest security conference last week, Wei Zhao, CEO of Knownsec, a Beijing security company, said that while many Chinese workers may be feeling hard times, business is still booming in the country's cybercrime industry. "As the stock market dropped like a stone, a lot of IT professionals lost lots of money on the stock market," he said. "So sometimes they sell 0days," he said, referring to previously unknown software bugs.


This increase in cybercrime should be a concern to any IT administrator. The job of security is difficult enough without the addition of more hackers intent on bringing malware to our end-users. And hackers are finding more ways to target end-users. Just look at this quote below from Network World.

Hackers have had a lot of success launching widespread 0 day attacks against programs like RealPlayer and Adobe Flash, but they have also hit local Chinese programs, including Xunlei, QQ and UUSee.


Need I say any more?

Wednesday, March 25, 2009

Today's Cloud: Garbage; Tomorrow's?: Insanely Great

Paul Murphy chose to highlight the topic of cloud computing in his blog this week. He has a very negative view of it, since the recent Gmail failures show that any cloud service, even one run by a well-known and resourceful company, can fail. It goes back to the fundamental point that if you don't have control over the service, you're subject to random outages that can cost your organization significant dollars. The Gmail incident was sobering in that the outage lasted for a rather extended time period, making it all the more costly for anyone depending on it. It's a good reminder of why we use appliances, and why IT departments tend to manage their own servers and services like proxies and web gateways.

There is one spectacular piece that Paul Murphy links to in his blog, and that's an 8-minute video of a talk on some new technology being worked on at MIT. It's only peripherally related to this blog, but it is phenomenal and well worth the time spent viewing it.

Tuesday, March 24, 2009

Hacked page hauls estimated at $10,000 a day

A new study from Finjan estimates that embedded URLs on compromised web pages are netting a huge haul of cash for hackers.

The attackers had compromised a series of pages which were then embedded with lists of popular search terms collected from services such as Google Trends or current news items. The same pages were then injected with obfuscated code that redirected to the attack page, which used fake alert boxes to convince the user to download and purchase the bogus security software for $50 (£34).


We've talked about compromised web pages on this blog before, and it's important to remember that even well-known and trusted sites can be compromised. That's why it's important to make sure your end-users browse the web through a secure web gateway or proxy that blocks embedded URLs (so they can get to the content they need without the entire page being blocked) and scans for malware and viruses. Equally important is real-time rating of URLs, since risky sites are added to the web daily.

Monday, March 23, 2009

The Gartner Phenomenon

It's not unusual for larger enterprises to use Gartner's opinions on IT products to help influence their purchasing decision. In the proxy world, Gartner publishes a Magic Quadrant for Secure Web Gateway, which covers web security devices, of which most are proxies.

For those unfamiliar with the Magic Quadrant, the idea is that each product/company is placed into one of four quadrants: "leaders", "challengers", "visionaries", and "niche players". In general, most companies try to get into the "leaders" quadrant, and as far to the right and as far up as possible.

Typically if a company is in the "leaders" quadrant, that means they not only have significant market share, but they are also driving product direction and have a completeness of vision. If a company is in the "challengers" quadrant, they have market share, but typically it appears they don't have as much vision in driving new features in the product category. In the "visionaries" quadrant, the company tends not to have the market share, but has the vision and understanding of the product category. "Niche players" is the category for companies that don't have an overall market share or vision, and may play only in one small part of the market.

Companies change positions in the Magic Quadrant from year to year, so it's always interesting to see if they've gained market share and if they've somehow improved their vision. While the Magic Quadrant can help you make a decision on a product, it always pays to also make your own evaluation when choosing a product or solution.

Friday, March 20, 2009

Microsoft Security Update Fails

PandaLabs, Panda's IT security laboratory, has issued an advisory to users regarding Microsoft's recently released MS09-008 update, which is designed to fix vulnerabilities in the Windows DNS server and WINS server. According to the press statement, an unpatched flaw remains in the DNS server, specifically in WPAD (Web Proxy Autodiscovery Protocol) registration.

"If an attacker manages to redirect targeted users to a malicious proxy, they could obtain private information, redirect them to malicious pages in order to infect them with malware, or monitor their Internet movements," said Luis Corrons, technical director at PandaLabs.

This vulnerability could be used to launch "man-in-the-middle" attacks on Windows DNS servers. Clients download WPAD entries from the DNS server, and those entries are what the attack can affect. An attacker who could exploit this vulnerability may successfully redirect users' traffic through a malicious proxy.

In the meantime, the laboratory advises users of these systems to be extra cautious, to keep an eye out for new Microsoft updates addressing this vulnerability, and to apply such a patch as soon as possible.
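To make the exposure concrete from the administrator's side, here is an added example (not from the advisory or from Microsoft) that models which DNS names a Windows client tries when it looks for a WPAD host, and audits a zone for wpad/isatap registrations the server would still answer. It assumes the WPAD draft's DNS devolution order, the Windows DNS global query block list semantics (the server refuses queries for listed names regardless of zone contents), and a constructed zone for a hypothetical corp.example.com.

```python
WPAD_NAMES = {"wpad", "isatap"}  # the names the Windows DNS global query block list covers


def wpad_candidates(client_fqdn):
    """Names a client queries, in order, when discovering a proxy via DNS.
    The host label is dropped, 'wpad.' is prepended, then one leading label
    is removed at a time; the walk stops before the bare top-level domain."""
    labels = client_fqdn.lower().rstrip(".").split(".")[1:]
    candidates = []
    while len(labels) >= 2:
        candidates.append("wpad." + ".".join(labels))
        labels = labels[1:]
    return candidates


def audit_zone(zone, records, blocklist=(), approved=()):
    """Return wpad/isatap records the server would still answer: present in the
    zone, not suppressed by the global query block list, and not pointing at an
    approved (intended) proxy host. Records are (name, type, value) tuples."""
    blocked = {b.lower() for b in blocklist}
    allowed = {a.lower() for a in approved}
    findings = []
    for name, rtype, value in records:
        host = name.lower()
        if host in WPAD_NAMES and host not in blocked and value.lower() not in allowed:
            findings.append((f"{host}.{zone}", rtype, value))
    return findings


# Constructed zone data (hypothetical): one intended WPAD host plus an ISATAP
# record that nobody meant to register.
SAMPLE_RECORDS = [
    ("wpad", "A", "10.0.0.23"),
    ("isatap", "A", "10.0.0.99"),
    ("fileserver", "A", "10.0.0.5"),
]

if __name__ == "__main__":
    for n in wpad_candidates("pc42.sales.corp.example.com"):
        print("client would query:", n)
    print("answerable, no block list:", audit_zone("corp.example.com", SAMPLE_RECORDS))
    print("answerable, names blocked:",
          audit_zone("corp.example.com", SAMPLE_RECORDS, blocklist=["wpad", "isatap"]))
    print("answerable, intended proxy approved:",
          audit_zone("corp.example.com", SAMPLE_RECORDS, approved=["10.0.0.23"]))
```

The candidate list shows why a single stray registration at a higher-level zone can capture every client below it, which is what the block list is meant to prevent.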

Thursday, March 19, 2009

The Crossover from Email to Web

It wasn't that long ago that we thought of email when someone said the word virus or malware. Corporate IT budgets included line items for an email gateway, and anti-virus software became so commonplace that today I doubt there are any organizations without some form of protection on their incoming email. While we continue to hear about virus and malware outbreaks, for the most part they have moved from email to hybrid viruses, ones that use a combination of email, vulnerabilities, and/or web pages to deliver their payload.

Because email is so well protected today, much of today's malware is distributed on web pages, where there's less protection. Even if you are protected by a corporate web proxy, it's unlikely you have the same protection when browsing the web from home, and that leaves the web an inviting target for those intent on doing harm. It's also likely that you aren't protected by a corporate web proxy at all, or that your corporate web proxy doesn't do any anti-virus or anti-malware scanning. The reason, of course, is that most IT departments deployed the web proxy to enforce corporate HR policy, not to protect the organization from malware and threats.

With the recent shift of attacks from email to hybrid and web, there's a real need for organizations to re-evaluate their web security and start scanning for viruses and malware on the web pages their users access from the corporate network. It's a tough decision to implement such a policy, as there's less tolerance for slowdowns created by an added layer of scanning in web browsing than in email. With email you can get away with a slightly longer delay when scanning for viruses. Web pages are so interactive that your users demand real-time response when requesting information.

As an IT administrator, you need to make sure you're protecting your organization from web-based threats, but at the same time you need to make sure your solution doesn't add unnecessary latency, or you'll find yourself fielding more helpdesk calls. In previous articles we've talked about ICAP as a protocol for offloading anti-malware and anti-virus scanning to separate scanning servers, keeping the latency added by scanning to a minimum.
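As an added illustration of what that offload looks like on the wire (example code written for this post, not from any proxy vendor), the block below assembles an ICAP RESPMOD request per RFC 3507, handing the origin server's response to a scanner, and then turns the scanner's reply into what the proxy sends the client. The ICAP host, service name and the constructed sample exchange are assumptions; the 200 reply is assumed to carry res-hdr followed by res-body only.

```python
CRLF = b"\r\n"


def header_block(lines):
    """Join header lines into a CRLF block ending with the empty line."""
    return CRLF.join(lines) + CRLF + CRLF


def chunked(body):
    """Encode a body as one HTTP chunk plus the terminating zero-length chunk."""
    return b"%x" % len(body) + CRLF + body + CRLF + b"0" + CRLF + CRLF


def dechunk(data):
    """Decode a chunked body; chunk extensions and trailers are ignored."""
    out = b""
    while True:
        size_line, _, data = data.partition(CRLF)
        size = int(size_line.split(b";")[0], 16)
        if size == 0:
            return out
        out += data[:size]
        data = data[size + len(CRLF):]


def build_respmod(icap_host, service, req_hdr, res_hdr, res_body):
    """Wrap the client's request headers and the origin's response in a RESPMOD.
    Encapsulated offsets are byte positions inside the encapsulated section."""
    req_block, res_block = header_block(req_hdr), header_block(res_hdr)
    offsets = b"req-hdr=0, res-hdr=%d, res-body=%d" % (
        len(req_block), len(req_block) + len(res_block))
    icap_hdr = header_block([
        b"RESPMOD icap://" + icap_host + b"/" + service + b" ICAP/1.0",
        b"Host: " + icap_host,
        b"Allow: 204",  # the proxy accepts "204 No Content" for a clean object
        b"Encapsulated: " + offsets,
    ])
    return icap_hdr + req_block + res_block + chunked(res_body)


def apply_verdict(icap_reply, original_hdr_block, original_body):
    """Scanner reply -> (status, header block, body) the proxy sends the client.
    204 forwards the original object untouched; 200 substitutes the scanner's."""
    head, _, encapsulated = icap_reply.partition(CRLF + CRLF)
    status = int(head.split(b" ")[1])
    if status == 204:
        return status, original_hdr_block, original_body
    if status == 200:
        res_hdr, _, body = encapsulated.partition(CRLF + CRLF)
        return status, res_hdr + CRLF + CRLF, dechunk(body)
    raise ValueError("unexpected ICAP status %d" % status)


# Constructed sample exchange (not captured traffic): an origin reply, a scanner
# reply substituting a block page, and a scanner reply passing the object.
REQ_HDR = [b"GET /index.html HTTP/1.1", b"Host: www.example.com"]
RES_HDR = [b"HTTP/1.1 200 OK", b"Content-Type: text/html"]
RES_BODY = b"<html>ok</html>"
BLOCK_HDR = header_block([b"HTTP/1.1 403 Forbidden", b"Content-Type: text/plain"])
BLOCK_REPLY = (header_block([b"ICAP/1.0 200 OK",
                             b"Encapsulated: res-hdr=0, res-body=%d" % len(BLOCK_HDR)])
               + BLOCK_HDR + chunked(b"blocked by malware scanner"))
CLEAN_REPLY = header_block([b"ICAP/1.0 204 No Content"])
```

The 204 path is the latency win the post is after: for a clean object the scanner sends a few header bytes back and the proxy streams the original, rather than receiving a full copy.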

Thursday, March 12, 2009

Online March Madness May Boost Morale at Work but Can Also Pose Risk

As hoops fans and businesses prepare for the March Madness season, Websense, Inc. (NASDAQ: WBSN), a leader in secure Web gateway technology, today reported double-digit increases in the number of sports and gambling Web sites from a year ago, as well as a trend among attackers to use major events like March Madness to spread information-stealing malware through the Web and email.


The quote above from the linked article should be enough to give any IT administrator pause and re-evaluate their web security to make sure it's up to date and blocking malware.

While blocking malware is important, there's one other side-effect of March Madness that IT administrators need to fear as well. Whenever there's a major sporting event or any other widely broadcast event, there's a very real possibility that employees watching the event over the internet link at work will overwhelm the organization's link, making it impossible for other employees to get any work done.

In this instance a malware-blocking web proxy isn't sufficient; you also need one with a sophisticated cache engine capable of caching video from the web, so that each video is requested only once across the WAN link and then served from the proxy to anyone in the organization requesting it. The other option, of course, is just to block access completely, which may have the unintended side-effect of pushing users to tactics like anonymous proxies to bypass the corporate proxy.

Wednesday, March 11, 2009

Detect and destroy web proxy servers

A new article on why anonymous proxies are bad was just published on the Search Security website. It also covers defense mechanisms against anonymous proxies.

The obvious reason anonymous proxies are bad is, of course, that they allow end-users in an organization to bypass whatever web security is in place, and give the end-user an opportunity to bring malware into the organization.

The article specifically points out something many of your users may forget about the web security you've put in place for them:

The products also protect an enterprise from content on legitimate sites that are unknowingly hosting malware via third-party ads by trying to block malware that may be dispersed via the ads.


The article goes on to say that an important part of blocking access to anonymous proxies is having visibility into your network. If you don't understand what's leaving your network, you'll never know when your network has been compromised. Visibility isn't just capturing packets, but understanding the data at the application level as well. Somehow this sounded strangely like Blue Coat's recent Application Delivery Network vision, which we discussed recently on this blog as well. Other vendors seem to be joining this bandwagon, and I'm sure we'll see more on this topic in the year to come.

Monday, March 9, 2009

12 Hot Web Security Products for the Mid-Market

CRN published a slideshow of 12 Hot Web Security Products. It's a slide show of 12 of the top web security vendors, and there are no surprises in the list. The gamut of products, while described as "mid-market", really crosses from SOHO (small office/home office) all the way up to large enterprise.

What's interesting about this list is that 10 of the products are offered as appliances, 2 as software-only, and one as Software as a Service (SaaS) [it adds up to 13 because one vendor is available as either an appliance or software]. This list just goes to show that there's still a strong bias towards appliances, especially ones that target a dedicated function. There's no revelation here, as appliances have been a particularly effective way to deploy security, allowing best-of-breed security applications to be put into the network with ease of use, high performance, and scalability.

Thursday, March 5, 2009

E-mail and the Proxy

As someone with a long background in e-mail security (I was the postmaster and systems administrator for a very large semiconductor company), it always surprises me when someone asks for e-mail security features in a secure web gateway. It's not that these two devices aren't similar; they are very similar in the types of protection they offer. It's that I can't imagine why an IT administrator would want to have their e-mail traffic impact their web traffic, and vice versa.

If you were a small organization, and you couldn't afford two separate devices you might be able to convince me that your argument for having an integrated device is sound, but in general even for small organizations I find it hard to rationalize the all-in-one device.

Organizations rely so heavily on both e-mail and the web for information and daily operations, that any interruption in one should not affect the other. If you use one system to secure e-mail, you shouldn't use the same to secure web. If for some reason there's a virus or malware outbreak (or a denial of service attack) that's using up the resources of your e-mail security device, you don't want that outbreak to slow down your web access and the same goes for a web attack.

The smart security move is to keep your e-mail security on separate devices from your web security.

Tuesday, March 3, 2009

Legitimate websites to feel Conficker worm's impact, Sophos reports

Sophos reported that Southwest Airlines is amongst the legitimate websites likely to be disrupted this month. Sophos has issued a warning to computer users and website administrators to be vigilant this month, as the Conficker worm is predicted to hit several legitimate sites, including Texan airline Southwest Airlines, potentially disrupting their service and leading to websites being effectively DDoSed in the process.

Experts at SophosLabs discovered that the Conficker worm - also known as 'Downadup' - will try to contact wnsux.com on Friday March 13 for further instructions. This URL, owned by Southwest Airlines, redirects visitors to the airline's primary southwest.com address, meaning that the company's operations may be compromised as the attack takes place.

"Every day each computer infected by Conficker visits different websites, trying to see if orders have been left by its hacker overlords. The worm generates a long list of different website names which it uses to check in its hunt for instructions - meaning that the authorities can't shut down a single site to stop the worm from activating its payload," explained Graham Cluley, senior technology consultant at Sophos. "The hackers' plan is to use a domain name that they know Conficker will query on a certain day, enabling them to plant instructions for the botnet - which might send spam or launch other malicious attacks."

"However, some of these domain names that Conficker-infected computers are scheduled to visit are already owned by legitimate organisations - like Southwest Airlines - meaning that on a given day these sites will be bombarded by traffic as an army of computers try to visit their site for commands," continued Cluley. "They won't receive any instructions, but havoc could be caused by the worm reaching out to the site. In Southwest Airlines's case, on Friday 13 March, this could mean that customers may not be able to check in online or even access the site."

Sophos has contacted the owners of the legitimate domains on Conficker's list for March, including Southwest Airlines, and has offered advice on how to reduce the impact of the unwanted traffic. In the meantime, Microsoft continues to offer a US $250,000 reward for information that leads to the capture and conviction of the authors of the Conficker worm that continues to wreak havoc.

This recent news from Sophos just reminds us that if you are an IT administrator worried about your end-users going to external sites that might get compromised, make sure your proxy is up to date with the latest URL filtering, malware scanning and a/v software to help prevent malware from getting onto systems in your organization.
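Beyond keeping the proxy's filters current, the behaviour Cluley describes (each infected machine checking a long list of generated names every day) leaves a footprint in resolver logs that an administrator can look for. The following is an added example, not from Sophos or the blog, that scores clients by distinct failed lookups per day and flags lookups of names reported to be on the worm's list; the log format and all entries except wnsux.com are constructed, and a real list of names would come from the vendor.

```python
import csv
import io
from collections import defaultdict

# Constructed resolver log (date, client, queried name, rcode); not real data.
SAMPLE_LOG = """\
2009-03-13,10.1.1.20,www.example.com,NOERROR
2009-03-13,10.1.1.20,wnsux.com,NOERROR
2009-03-13,10.1.1.20,qpzvhx.info,NXDOMAIN
2009-03-13,10.1.1.20,mtkwqar.biz,NXDOMAIN
2009-03-13,10.1.1.20,ylbcdnt.net,NXDOMAIN
2009-03-13,10.1.1.20,hrwpsoe.org,NXDOMAIN
2009-03-13,10.1.1.20,vkqjtmb.com,NXDOMAIN
2009-03-13,10.1.1.30,www.example.com,NOERROR
2009-03-13,10.1.1.30,wwww.example.com,NXDOMAIN
"""

# The one name the Sophos report names; a real list would come from the vendor.
LISTED_DOMAINS = {"wnsux.com"}


def parse_log(text):
    """Split the CSV log into (date, client, name, rcode) tuples."""
    return [tuple(row) for row in csv.reader(io.StringIO(text)) if row]


def suspicious_clients(rows, nx_threshold=5):
    """Per (date, client): flag many distinct NXDOMAIN names in one day, the
    signature of polling a generated domain list, and any lookup of a name
    known to be on that list. A single typo (one NXDOMAIN) is not flagged."""
    nx = defaultdict(set)
    hits = defaultdict(set)
    for date, client, name, rcode in rows:
        name = name.lower().rstrip(".")
        if rcode == "NXDOMAIN":
            nx[(date, client)].add(name)
        if name in LISTED_DOMAINS:
            hits[(date, client)].add(name)
    findings = {}
    for key in sorted(set(nx) | set(hits)):
        reasons = []
        if len(nx[key]) >= nx_threshold:
            reasons.append("%d distinct NXDOMAIN names" % len(nx[key]))
        if hits[key]:
            reasons.append("queried listed name: " + ", ".join(sorted(hits[key])))
        if reasons:
            findings[key] = reasons
    return findings


if __name__ == "__main__":
    for (date, client), reasons in suspicious_clients(parse_log(SAMPLE_LOG)).items():
        print(date, client, "; ".join(reasons))
```

The threshold is deliberately a parameter: tune it against a few days of your own logs before alerting on it, since developers and misconfigured search suffixes also generate failed lookups.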