Cybercrime Spreads on Facebook

In an article that should be no surprise to anyone in the security industry, Reuters reported this week that Cybercrime is spreading rapidly on social networking sites, specifically, Facebook. With the spread of malware from Facebook, it's unlikely any IT administrator hasn't had to clean up after one Facebook virus or another.

Reuters reports:

Cybercrime, which costs U.S. companies and individuals billions of dollars a year, is spreading fast on Facebook because such scams target and exploit those naive to the dark side of social networking, security experts say.

While News Corp's (NWSA.O) MySpace was the most-popular hangout for cyber criminals two years ago, experts say hackers are now entrenched on Facebook, whose membership has soared from 120 million in December to more than 200 million today.

I've personally seen plenty of my friends on Facebook get infected and offer me videos that were infected. As Reuters explains:

Scammers break into accounts posing as friends of users, sending spam that directs them to websites that steal personal information and spread viruses. Hackers tend to take control of infected PCs for identity theft, spamming and other mischief.

Facebook is of course trying to stem the malware themselves, but as they report:

"Security is an arms race, and we're always updating these systems and building new ones to respond to new and evolving threats," Axten said.

When criminal activity is detected on one account, the site quickly looks for similar patterns in others and either deletes bad emails or resets passwords to compromised accounts, he said. Facebook is hiring a fraud investigator and a fraud analyst, according to the careers section of its website.

But ultimately Facebook says its members are responsible for their own security.

"We do our best to keep Facebook safe, but we cannot guarantee it," Facebook says in a warning in a section of the site on the terms and conditions of use, which members may not bother to read. (www.facebook.com/terms.php)

There are plenty of examples of malware spreading on Facebook, including these common examples:

Amy Benoit, a human resources manager in Oceanside, California, said she may stop using Facebook altogether after she became entangled in a popular scam: A fraudster sent instant messages to a friend saying that Benoit had been attacked in London and needed $600 to get home.

Yale University last week warned its business school students to be careful when using Facebook after several of them turned in infected laptops.

One of the most insidious threats is Koobface, a virus that takes over PCs when users click on links in spam messages. The virus turned up on MySpace about a year ago, but its unknown authors now focus on spreading it through Facebook, which is struggling to wipe it out.

The increase in cybercrime in Social Networking should keep any administrator on their toes, and reminds us of the importance of virus scanning not only in e-mail but for web browsing as well.

WAN Optimization Grows Up

We've talked in the past on this blog about WAN Optimization, and recently Enterprise Storage Forum ran article called "WAN Optimization Grows Up", so I thought it'd be interesting to cover the article and see how it's changed and what's new about WAN Optimization.

Paul Rubens, the author starts the article by talking about how the market for WAN Optimization has evolved and is now mature, with most vendors offering about equal acceleration capabilities, so the need to differentiate products with something other than acceleration capabilities is becoming important.

Rubens describes some of the evolution of WAN Optimization Controllers (WOCs) below:

Two areas where WOCs are becoming increasingly common are at the very high end, connecting multiple data centers together for backup and redundancy purposes, and at the very low end, connecting mobile users and teleworkers to corporate servers to improve the performance of the applications they run.

As a result, the form that WOCS are taking is beginning to change. Data center to data center WOCs responsible for high-bandwidth links are increasingly powerful hardware appliances, while branch office WOCs may be hardware appliances, or virtual appliances running on general purpose computers. Eventually it's possible that WOC functionality will be moved to the branch office router.

In addition in the remote office Rubens talks about the trend towards running software based WOCs directly on the end-user's workstation or laptop.

At the bottom end there is a trend toward software WOCs running on end-user machines, often with a more limited functionality than dedicated hardware WOCS. "There is definitely a need for soft WOCs," said Rolfe. "If an organization has centralized its file servers, then even an 8-meg DSL line will be slow at bringing data across, and a high bandwidth line doesn't really help reduce latency in protocols like CIFS anyway. The availability of soft WOCs is becoming an increasingly important part of the selection process for many companies looking to implement a system."

Rubens talks about what customers are looking for in the WOCs as well:

Another important selection criterion is the specific accelerations that are available for particular applications. Most WOCs provide CIFS and HTTP acceleration, and acceleration for applications such as SQL and Oracle, and to a lesser extent SSL encryption is also commonplace. "Vendors are moving up the stack," said Rolfe. "People are interested in VDI, and we often get inquiries about a particular app like AutoCAD."

Finally Rubens looks at the trends in the WOC players themselves:

One trend that is emerging is a resurgence of interest in QoS and traffic management, reporting and control. Interest in this was high a decade or more ago, but that subsided as many organizations became more interested in data compression and caching.

...

As part of this trend, Blue Coat Systems (NASDAQ: BCSI), a market-leading acceleration company, bought Packeteer, a leading traffic management vendor, in mid-2008, while Riverbed Technology (NASDAQ: RVBD), another market leader in the acceleration space, bought Mazu Networks, another leading name in the network and application monitoring and control market, in January of this year. Just about all the other major acceleration vendors now offer traffic management functionality of some sort too.

It's obvious WAN Optimization is evolving. Features and functionality will continue to increase, and it's more than just a proxy with some WAN acceleration built in that we talked about in our first articles on WAN Optimization.

Recent Events Trigger New Malware Sites

As Sophos reported this week, the death of Michael Jackson and Farah Fawcett triggered new fake reporting websites on those stories complete with malware.

Sophos ran a test and here's what they came up with:

Looking at the Google Trends data we can see that nearly a dozen of the top 100 searched terms today have involved the words “Farrah Fawcett”. What this translates to in the eyes of scammers is a better opportunity to have you click one of their sites which redirects you to their own FakeAV site in an attempt to get your money.

Doing a quick Google search for the words “Farrah Fawcett Dead” turns up the following link on the first page of results.

Visiting the link with a FireFox addon such as NoScript allows us to prevent the immediate redirection to the FakeAV site, and instead we’re greeted with a page that looks like this.

Anyone who tries making sense of the text will quickly realize that it’s a list of random dictionary words strung together to make it seem like it’s a real site. Of course, they never actually intend for you to see the page since there’s some script code that redirects you to the common FakeAV page seen all over the web. If you weren’t running an addon such as NoScript, you’d see the following page.

All this is a good reminder that whenever a hot news topic pops up, there are people out there trying to take advantage of the situation. Stick to known news sites you are familiar with and be sure to keep your proxy, URL database, and anti-virus software up to date.

The Good and Evil of Proxy Servers

David Strom, former editor-in-chief at Network World wrote an article on the Good and Evil of Proxy servers this week and I thought it would be a good chance to highlight what most of us already know about proxies, that they have their uses in helping the security and bandwidth utilization of a network, and they can be used for malicious intent as well.

First, Strom reminds us how enterprises use proxies:

... Enterprises that want to cut down on their bandwidth usage, improve performance and security, and have control over what their users see use [proxies] all the time. Each browser first checks and sees if the Web page that is being requested is on the proxy's cache, or memory, and if so, it saves a few milliseconds or more by grabbing the page directly, without having to traverse the Internet at all.

So proxies are often combined with caching servers to deliver the best combination of features and management. As far as the browsing user is concerned, all this happens without any notification, other than the pages seem to load quicker on their PCs. About the only configuration option is the IP address of the server, which is placed inside the browser options or network settings. And proxies are available for more than just Web protocols, although that is their most popular use case.

Strom then goes on to talk about when proxies can be used for malicious purposes.

Proxies are supposed to be for internal users of an enterprise, but if a hacker can find out the IP address of an internal proxy, they can gain access to lots of network resources.

This was a common MO for the hacker Adrian Lamo, among others, and you still find corporations that haven't locked their proxies down with the appropriate security. It is also possible for proxies to operate on a user's PC without their knowledge, which is a common way botnets are created.

The third type of proxy, Strom discusses is one of the most common uses of proxies, the anonymizing proxy which hides your tracks when you browse the internet. These can be of course used for either good or evil.

Finally Strom talks about some proxies that made the news this week:

Now to the news. Microsoft filed suit in federal court yesterday against three people it claims were defrauding Internet advertisers by having automated programs mimic users clickstreams. They found the fraudulent activities by tracing the actions to two proxy servers. And once they blocked the particular IP addresses of the proxies, the fraudsters would simply alter them in a continual game of cat and mouse. The fraud involved is significant, and ClickForensics estimates that 14% of the total ad clickstream is faked.

When the Iranian government wanted to block Internet access, several private individuals from around the globe took it upon themselves to set up the open source proxy Squid (squid-cache.org) and other tools on their own networks to get around these blocks. They then publicized (via Twitter) the IP address of their Squid PCs so that anyone could connect to the open Internet, rather than be blocked. Of course, as the government learns of these addresses, they add them to their block list, so another cat and mouse game ensues.

All this is a good overview of our proxy world, and a good reminder to keep our corporate proxies up to date, to ensure hackers don't gain access to our internal resources.

Survey highlights SAP performance problems

Proxies are well known for being web gateways in many organizations, but as we've discussed here on this blog, there's a shift of proxies moving towards Application Delivery. In that vein, I'm highlighting a survey done by Network World today on SAP performance in the enterprise. SAP is a critical application in many of the largest companies.

In Network World's survey 90% of firms queried, reported they had monthly SAP performance issues. Dimensional Research surveyed 695 professionals at SAP’s Sapphire 09 user conference in Orlando, Fla.

From the Network World article:

While 10% of respondents said they never have performance issues, the rest aren’t so fortunate. One-third said they have one or two incidents with SAP performance per month, and 35% reported three to five incidents per month. Another 14% said they experience between five and 15 incidents per month, and for 8% of respondents, performance incidents occur almost daily.

Such incidents take a toll on operations, respondents say. Among the ways that performance problems impact that business are: deterioration in customer satisfaction (cited by 46% of respondents), loss of productivity within corporate IT (38%), loss of non-IT employee productivity (33%), lost revenue (22%), and penalties for missing SLAs (12%).

Getting to the bottom of a bottleneck isn’t easy. Asked how long it takes the IT team to identify the cause of a typical SAP performance issue, the majority of survey respondents reported it can take hours (cited by 46% of respondents), days (22%) or weeks (8%). Those able to identify a problem in just minutes (22%) or seconds (2%) were the enviable exceptions.

All this points to some of the requirements around Application Delivery Networks (ADN). In addition to the traditional idea of proxying an application, there's also a need for visibility (to help determine the cause of the performance problem), as well as a need for optimization across the corporate WAN links to reduce not only bandwidth consumption, but round-trip times for applications across the WAN. The results of this survey, point to the buzzwords ADN is using. Maybe ADN is worth a second look.

Bing modified to enable porn filtering

Cnet reported last week that Microsoft has added porn filtering to their new search engine Bing. This comes after coverage about how its Bing search engine makes it all too easy for kids to find and view porn. The changes will make it easier for parents to block or monitor what their kids are viewing on the site.

As part of this change, Microsoft announced "explicit images and video content will now be coming from a separate single domain, explicit.bing.net. This is invisible to the end customer, but allows for filtering of that content by domain, which makes it much easier for customers at all levels to block this content regardless of what the SafeSearch settings might be."

This change allows parents to use parental control tools to block that domain and therefore block the images and videos. This also makes it easier for corporate proxy administrators to block explicit images in their proxy. But if you were using a proxy that already had a safe search feature, you probably didn't need this fix from Microsoft. A good reminder, why the state of the art proxies are an admin's friend, especially when new sites like Bing come around.

IPv6 Proxy

Blue Coat Systems, the technology leader in Application Delivery Networking, today announced that it will demonstrate a secure migration path for applications and services from IPv4 to IPv6 during Interop Tokyo, 10-12 June, 2009. The technology demonstration will be part of ShowNet, Interop Tokyo’s network that will showcase the interoperability of emerging technologies and service architectures, such as virtualization, cloud computing and IPv6.

In the early design stages of the Internet, IPv4 (Internet Protocol Version 4) was created to enable devices to communicate with one another and supported roughly 4 billion IP addresses. However, the exponential growth in the number of communications devices using IP addresses is exhausting the available supply, which is expected to last through the next 12 to 24 months. At that time, only IPv6 addresses or existing IPv4 addresses will be available for use by new communications devices, and as a result, organizations will need to be able to transparently resolve IPv6 address requests, a problem that has been magnified by the growing adoption of Web-based services.

“While some organizations, particularly service providers and governments, have been preparing their networks for the transition to IPv6, the same attention hasn’t yet been paid to applications, creating potential security and services continuity challenges for businesses,” said Qing Li, Blue Coat Systems senior technologist and co-author of a two-volume reference series on IPv6. “The lack of true IPv6 application-oriented solutions, coupled with an economic climate of constrained IT budgets, will force organizations to investigate migration strategies in contrast to full-scale upgrades.”

With an intelligent IPv6 proxy appliance acting as an intermediary, the retrieval of applications, services and data in either an IPv4 or IPv6 environment is transparent to the users. This migration strategy ensures business process continuity without the complications associated with address translations, rewriting applications or upgrading the underlying network infrastructure. Additionally, secure proxy appliances are already an integral part of networks, so this migration path represents the least intrusive transition, enabling organizations to maximize return on existing and new network infrastructure investments and to scale networks in line with changing business requirements.

“To successfully navigate the transition to IPv6, organizations need a strategy that enables the secure migration of business applications and services without the need to rewrite them for an IPv6 environment,” continued Qing. “By utilizing an intelligent IPv6 proxy appliance to bridge IPv4 and IPv6 networks at the application layer, organizations can maintain their existing network and application configuration while enforcing compliance with corporate IT policies.”

More Mac OS X malware discovered

For those of us in the security business, we tend to ignore those under our care that use Macs. Macs are less likely to be targeted, and they don't generate anywhere near the number of problems the Windows machines do in terms of viruses and malware.

But if there's one thing you can be sure of in the security world, it's that nothing is absolutely safe. Sophos just reported on some Mac OS X malware in their blog.

Last night, SophosLabs was sent a message containing what claimed to be the “SRC CoDE of new Macintosh Worm” and so our Canadian labs released OSX/Tored-Fam, a generic way for us to detect future variants of the Tored family of malware.

One of the files was called ReadIt.txt and contained the following text:

RESPECT about what are you talking about me (cybercriminal..)
Dont say what you ignore !!!!!!!!

Then, this morning, Graham pointed me in the direction of the ParetoLogic blog which detailed a new piece of malware (which Sophos detects as OSX/Jahlav-C) hiding out on what presents itself as a hardcore porn website.

Two pieces of Mac OS X malware released in one week. A good reminder for all of us that Macs need to be behind a proxy and protected as well.

McAfee announces new whitepaper on browser attacks

Last week, security company McAfee announced the availability of a new whitepaper on browser attacks. McAfee discusses the evolution of the browser from a simple tool to the fully functional software platform it is today. With corporate users, now using browsers to perform a significant amount of their daily work on the web, it's more important now than ever to secure the safety of the browser against more frequent, and more dangerous attacks.

These security observations should be no surprise to any proxy administrator, who's been battling the threats on browsers and their end-users browsing the web for some time now. But the paper is good reminder and a good overview of the new threats that do exist in the web world, and should help justify the dollars we're spending on our proxy implementation, regardless of the vendor we're using.

Other areas the paper covers include:

• The shift in spam to mainly malicious web link usage

• “Web 2.0” sites—whether weblogs, social networking or portal sites—are increasingly spammed with links to malicious sites

• Legitimate sites are compromised and misused to either host malicious code or link to a malicious website

• Use of malicious video banners placed in advertisement networks

• Use of popular search terms to advertise and drive (search query) traffic to a malicious website. In a recent case in Germany, attackers used Google AdWords to attract users who searched for “flash player” to the attacker’s fake Adobe-look-alike site

How scared should you be about security statistics?

Every day we hear about a new piece of malware, some new threat making its way through the Internet. As a security administrator, it certainly makes one wonder if their environment is secure enough. Network World tackled the question about how scared administrators should be about security statistics, given the abundance of information we see every day regarding security threats.

The article starts by trying to scare us with some pretty impressive statistics:

Did you know the number of crimeware-spreading Web sites infecting PCs with password-stealing crimeware reached an all-time high of 31,173 in December, according to the APWG (formerly Anti-Phishing Working Group) coalition?

Or that data breach costs rose to $6.6 million per breach last year, up from $6.3 million in 2007, according to the Ponemon Institute. Or that 3% to 5% of enterprise desktops and servers, mainly Windows, are apt to be infected with botnet code, according to security firm Damballa, based on an analysis of its customers' network traffic?

The answer? It depends. Each environment is different, and the administrator needs to be comfortable with their level of security they already have implemented in their environment. If you know you're running without a proxy for security for example, you probably have good reason to be scared. But if you've already implemented a best of breed solution, you probably sleep pretty good at night.

The article also notes, that how security statistics are viewed differs widely by country as well:

"It's fascinating to see how different the results are by country and demographics," says Tim Kelleher, vice president and general manager of managed security services at Unisys. "The world isn't homogenous. In France, no one is very worried about this stuff at all. But in Brazil and some of the Asian countries, people are feeling very insecure online. The U.S. is sort of in the middle."In general, Kelleher thinks statistical trends are more significant than the numbers bandied about at the moment.

Empty PDF delivers nothing but pain

Sophos reported on their blog this week on the new exploits in PDF files that seem to be the latest fad among hackers.

From their blog:

... the Adobe PDF format allows for simple documents to be constructed with as little as a text editor and some off-the-shelf tools. When packaged up with stock heap-spraying javascript to trigger a known vulnerability in a particular flavor of PDF Reader a ready-made malware delivery mechanism results.
...
Opening the document renders an innocent blank page however the embedded JavaScript (if enabled) begins to execute, first decoding itself and then spraying the heap with shellcode in order to gain control of execution, or alternatively, visiting a site which determines the best exploit to server to continue the infection.

You'll notice in Sophos' description one key to this malware is visiting an external site. We've talked about this in the past, but this post is a good reminder about keeping URL databases on the proxy up to date, as well as having real time rating systems for new unclassified websites.

Sophos also offers one other recommendation for helping prevent this type of malware from infecting your site:

Disabling JavaScript handling in your favourite PDF reader is also an excellent way to avoid this particular malware deployment.

And of course anti-virus/malware at the proxy and the desktop doesn't hurt either.

Websense announces 20,000 websites compromised

Websense sent out a news announcement on May 29, 2009, stating that over 20,000 legitimate websites were compromised with an injection of malicious javascript pointing to an exploit site.

While this announcement sounds threatening, it should have been little concern to most proxy administrators if they were running an up to date proxy that knows how to block malicious websites that are embedded in webpages. This feature is available on high end proxies (like the Blue Coat ProxySG) and allows the end-user to view the content of legitimate websites while at the same time blocking the embedded malicious website.

If you're not sure if your proxy supports blocking of embedded websites, check with your vendor soon, especially if you're at risk of hitting one of these 20,000 websites.