Welcome to the Proxy Update, your source of news and information on Proxies and their role in network security.

Friday, July 31, 2009

Short Hiatus

Apologies for the short hiatus from updates, but even bloggers have to take vacation. Now that I'm back from Southern California and Disneyland, I'll continue pointing out interesting articles and discussing Proxies. Meanwhile if anyone has any interesting topic ideas they'd like to see articles on, please leave me a message in the comment area, and I'll be happy to see what I can do.

Thursday, July 23, 2009

Swine Flu - Malware Fever

SophosLabs has been talking about the flood of spam that claims to point people to Swine Flu (H1N1) information but instead takes them to fake Viagra websites, fake Tamiflu websites and other sources of malware. There's even one message that opens an infected Word document that provides information on the spread of the virus while at the same time infecting your computer.

This is a good reminder for proxy administrators to make sure you've got up-to-date URL lists, and malware and virus scanning set up on your proxy, to keep your users away from these malware sources. Sophos also has a good reminder for us: visit the CDC if you need the real information on Swine Flu.

Wednesday, July 22, 2009

Running Blind

We've talked in previous blog posts about the importance of visibility into the traffic that's running across our proxy environments. This is especially important given the many different applications that can run over port 80, the port that most organizations allow traffic through regardless of the application.

Network World reminded us this week that too many of us run blind with our applications, and discussed a panel at Interop this past May on Application Performance Management. The panel's point was that it is impossible to manage application performance without visibility into the traffic that traverses the WAN.

Blue Coat Systems, one of the proxy vendors we've talked about on this blog also has seen the need for visibility, and that was one of their driving factors in acquiring Packeteer last year. Since buying Packeteer, Blue Coat has been pitching the Application Delivery Network and the importance of visibility in application delivery.

Network World is seeking out reader opinion on this subject and whether they (the readers) have been able to find tools to provide visibility into their WAN traffic. It'll be interesting to see the results of their request.

Wednesday, July 15, 2009

Social Networking Users Have Risky Behavior

Following my post yesterday about Social Networking in the Workplace I thought it made sense to follow it up with how most users of Social Networking engage in some pretty risky behavior. Webroot recently released some statistics around how risky users tend to be when interacting on social networking sites.

From their press release:

Surveying over 1,100 members of Facebook, LinkedIn, MySpace, Twitter and other popular social networks, Webroot uncovered numerous behaviors that put social networkers’ identities and wallets at risk. Among the highlights:

  • Two-thirds of respondents don’t restrict any details of their personal profile from being visible through a public search engine like Google;

  • Over half aren’t sure who can see their profile;

  • About one third include at least three pieces of personally identifiable information;

  • Over one third use the same password across multiple sites; and

  • One quarter accept “friend requests” from strangers

With statistics like these, if your organization allows access to social networking sites from the office, you'll want to make sure your end-users are protected with up-to-date URL filtering and malware scanning on your corporate proxy.

Tuesday, July 14, 2009

Social networking in the workplace

Network World revisits the issue of social networking in the workplace this week. Social networks such as Facebook, LinkedIn, and Twitter are rapidly becoming the latest form of social communication, but there's still the lingering question of whether they fit into the business world.

Network World sees many similarities between the discussion around social networking in the enterprise and the controversy around instant messaging (IM) in the workplace a few years ago. IM started as a social medium and eventually gained acceptance as part of the unified communications strategy of many enterprises.

Network World explains:

And today's social networks are a simple extension/enhancement of IM and other essential communications tools.

One way that Twitter is most useful, for example, is in staying in touch with a large workgroup and communicating with that group to an extent that would otherwise be impossible. For instance, in an April 22 interview at "Marketplace", Cisco CTO Padmasree Warrior noted that "[Twitter] does things indirectly to support some of the top leadership, some of the innovative ideas that Cisco is considering. I propose questions, I ask people for their input. And I get a lot of ideas back from people."

And the more personal side of networking with services like Facebook allow a distributed workforce to stay connected. In many ways, the "conversations" on Facebook can be considered the "virtual water-cooler" of the 21st century. We are moving increasingly to telecommuters for reasons from business continuity to green initiatives to employee satisfaction. Social networks allow the workforce to stay connected as a community.

And there's the outreach to colleagues and customers who are not a part of day-to-day personal interaction. The relationships that can be maintained to a certain extent in an era of fewer and fewer personal interactions can keep you "Linked In."

This increasing acceptance of social networking means IT administrators need better monitoring of web usage for malware and viruses, especially given the amount of malware that targets social networking sites. Proxies will gain a more important place in the network as social networking use rises.

Wednesday, July 8, 2009

McAfee Update Brings Headache for Enterprises with Old Software

Eweek reported this week that McAfee customers around the world running older, unsupported versions of its security software fell victim to false positives on July 3 that disrupted operations for some. McAfee officials claimed users running the most current version of McAfee VirusScan Enterprise were not impacted.

From the Eweek article:

On July 3, McAfee users running old versions of the VirusScan engine found themselves facing false positives after downloading a DAT file that labeled legitimate programs as malware. According to McAfee support forums, the glitch led to authorized programs being quarantined, and in some cases brought about the infamous "blue screen of death."

A McAfee spokesperson said the incorrect identification was resolved in the daily release, and stressed that customers running the most current software were not affected. Before it was resolved however, the issue affected users all over the world, judging by comments left in McAfee support forums. One poster relayed that his or her business was forced to temporarily disable anti-virus protection to stop the alerts and determine what was going on.

"We found that the Compaq system drivers had been quarantined, which meant that if the servers were to crash the missing drivers would almost certainly have prevented the servers from coming back up and our user service would be at a standstill," the user wrote in the forum. "With this potentially happening at all sites it would have been chaos. The vast majority of our users were unaware of the problems—some applications didn't work and the service was slow but most users could work."

According to McAfee, customers running Version 5200 or newer were not impacted by the problem. The most current versions are VirusScan Enterprise 8.7 and scanning engine 5301.

"Customers reporting this issue have been confirmed to be running VirusScan Enterprise 7.1 or 8.0i specifically with the 5100 scanning engine, which has not been supported for 18 months," the McAfee spokesperson said.

A good reminder to make sure we're up to date on our anti-virus and anti-malware software and subscriptions.

Tuesday, July 7, 2009

The one essential truth of computer security

Infoworld recently ran an article titled "The one essential truth of computer security". The truth they were talking about?

Unless you solve the all-important problem of locking down end-user PCs, all of your other security defenses will fail you

While that was their one essential truth, they also shared some other "inconvenient truths":

* Most of today's security risk in the average computing environment comes from "drive-by downloads" -- that is, trusted insiders get infected by Trojan software that they were tricked into installing.
* If you allow your end-users to install any software they want, then your risk of security exploitation is high.
* Even if you are fully patched and the software you run contains zero bugs (this is never true), it barely decreases the risk from drive-by downloads.
* Most malware and malicious hackers are criminally motivated and seek monetary gain.
* End-user education is highly overrated and will fail.
* Your firewall, your anti-malware software, and your IDS will fail.

The key to a successful defense? Locking down end-user PCs so they can't install additional software. While that sounds like a great defense, unfortunately it's not feasible in most environments. End-users always find they need an additional application, and the number of requests to install software would exceed the capacity of most helpdesks if end-users couldn't install the software themselves. It may work for some environments, and if it works for yours, then more power to you.

That leaves the rest of us looking at defenses such as proxies to prevent drive-by malware. The good news is that most proxies can block embedded URLs, which are the source of most drive-by malware. Unfortunately, this doesn't take care of end-users purposely installing malware thinking it's anti-malware software, a friend's video or some other innocuous program.

Monday, July 6, 2009

New Attacks Against Internet Explorer

McAfee's Trusted Source blog reported this week on new attacks against Internet Explorer over the July 4th weekend. An exploit targeting a 0-day vulnerability in the Microsoft DirectShow ActiveX object was discovered on many Chinese websites.

At the time the article was written, over a hundred hijacked sites were found to be injected with malicious links that were still actively hosting the trojan. The infected sites included school websites and a local community club's website that had been hijacked.

Information from McAfee on the attack:

When browsing these sites (hijacked site #1), the victim is hyperlinked to another hijacked site #2, which seems to act as a proxy. In this case, if someone were to audit the source code of hijacked site #1, he or she would see that the links are connected to sites that look legitimate. Hijacked site #2 is, subsequently, hyperlinked to a malicious site hosting a web exploit toolkit.

During research, one of the things we found interesting was that the web exploit toolkit explicitly checks that the origin of the hyperlinked references does not come from the “.gov.cn” and “.edu.cn” domains, which are used by Chinese government and education sites. If the references are not coming from any of these domains, it starts sending a cocktail of exploits, including:

* Exploit-MSDirectShow.b (0-day)
* Exploit-XMLhttp.d
* Exploit-RealPlay.a
* JS/Exploit-BBar
* Exploit-MS06-014

Each of these exploits targets a different application that could be vulnerable (Internet Explorer 6 and 7, DirectShow ActiveX, RealPlayer, Baidu Toolbar) and that can be accessed via the Internet Explorer browser.

From past investigation, this toolkit had been widely used on many Chinese hijacked sites this year. The attackers may be trying to avoid or delay attention from the Chinese government.

When successful, the attackers install a downloader trojan which could download other malware.

This 0-day vulnerability has been verified to affect at least the Windows XP system with Internet Explorer (IE) 6.x and 7.x. However, on IE7, which is the default on Windows Vista systems, risky ActiveX objects are blocked by default, which may mitigate this 0-day attack. Users should ensure that their systems are always kept up-to-date against the older exploits.

The 0-day exploit will be detected as Exploit-MSDirectShow.b by McAfee VirusScan in today’s 5668 DATs. The downloader trojan installed by this exploit can be proactively detected as Generic.dx since the 5567 DATs (Mar 28th, 2009).

This article reminds us of two important security features we need to make sure our proxies are running. The first and obvious one is anti-malware and anti-virus scanning of browsed web pages. The second is the blocking of embedded and linked URLs. The second feature alone should have been enough to prevent this attack from affecting an organization using a proxy for web security.
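Blocking embedded and linked URLs, the second proxy feature named above and the drive-by defense discussed in the July 7 post, as an added example that is not code from this blog or from any proxy vendor: a small Python filter that pulls out the references a page would fetch automatically (scripts, iframes, objects, stylesheets), checks each against a blocklist of the kind a URL category list provides, and flags hidden third-party iframes of the sort injected into hijacked site #1. The domains, the sample page and the hidden-iframe thresholds are constructed placeholders.

```python
"""Embedded-URL filter of the kind a web proxy applies to fetched HTML. Added
example, not this blog's or any vendor's code; domains and sample page are constructed."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed blocklist standing in for a proxy's URL category list.
BLOCKED_DOMAINS = {"exploit-kit.example", "hijacked-relay.example"}
# Tag attributes the browser fetches without a click: the "embedded" links.
EMBED_ATTRS = {"script": "src", "iframe": "src", "object": "data", "embed": "src", "link": "href"}

class EmbeddedRefs(HTMLParser):
    """Collect the URLs a browser would fetch automatically while rendering."""
    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.refs = []  # (tag, absolute_url, attrs)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        key = EMBED_ATTRS.get(tag)
        if key and a.get(key):
            self.refs.append((tag, urljoin(self.base_url, a[key]), a))

def hidden_iframe(tag, attrs):
    """Heuristic: a 0x0 or invisible iframe is rarely legitimate content."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    tiny = attrs.get("width") in ("0", "1") or attrs.get("height") in ("0", "1")
    return tag == "iframe" and (tiny or "display:none" in style or "visibility:hidden" in style)

def check_page(page_url, html):
    """('block', reasons) if an embedded ref is blocklisted or a hidden off-site iframe; else ('allow', [])."""
    parser = EmbeddedRefs(page_url)
    parser.feed(html)
    site = urlsplit(page_url).hostname
    reasons = []
    for tag, url, attrs in parser.refs:
        host = urlsplit(url).hostname or ""
        if host in BLOCKED_DOMAINS or any(host.endswith("." + d) for d in BLOCKED_DOMAINS):
            reasons.append(f"{tag} references blocklisted host {host}")
        elif host != site and hidden_iframe(tag, attrs):
            reasons.append(f"hidden iframe to third-party host {host}")
    return ("block" if reasons else "allow"), reasons

# Constructed sample: a harmless-looking page carrying an injected hidden iframe.
SAMPLE_HTML = """<html><head><link rel="stylesheet" href="/site.css"></head>
<body><h1>Community Club</h1><script src="/js/menu.js"></script>
<iframe src="http://hijacked-relay.example/ad.php" width="0" height="0"></iframe>
</body></html>"""
```

Calling check_page("http://club.example/index.html", SAMPLE_HTML) returns a block verdict with the single reason that the iframe references the blocklisted host; the same page with only its own stylesheet and script is allowed.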