Welcome to the Proxy Update, your source of news and information on Proxies and their role in network security.

Monday, November 23, 2009

ICSA Labs Study Finds Majority of Security Products Do Not Perform as Intended

ICSA Labs released the Product Assurance Report white paper (PDF) earlier this week and sparked a wave of blog posts and comments about the quality of security products. There were some rather eye-opening results included in the paper. The report findings indicated that some vendors and enterprise users consider logging a nuisance and merely a "box to check." According to the report, logging is a particular challenge for firewalls: almost every network firewall (97 percent) and most Web application firewalls (80 percent) tested experienced at least one logging problem.

Dozens of vendors have certified network and Web Application firewall products. In order to attain ICSA Labs Certified status, web application firewall products must pass a rigorous set of functional, performance and platform security requirements. Candidate web application firewall products must completely satisfy the entire set of baseline requirements. Only products that passed all the tests are certified.

The comprehensive list of specifications is created by a consortium of vendors and ICSA Labs. Here's what ICSA advised enterprise companies before purchasing and using security products:

* Demand quality.
* Be suspicious of performance claims and numbers. Vet them. Question them. Be an educated, cautious buyer.
* Choose more established products over new.
* Choose simplicity over complexity.
* Use certified products!
* Prefer vendors that certify their products, and that participate in industry and ICSA Labs consortia and other standards bodies.

The report makes the case that products which have passed certification testing are of higher quality, and it shows why certification matters to the enterprise. It's a good reason to make sure your proxy is ICSA Labs certified.

Thursday, November 19, 2009

Crime breaks barriers

We've talked about the fact that the motivation behind hackers has changed in recent years. Hackers do it for the money nowadays. Crime on the internet pays.

From a news article on the topic:

A recent study by TrendMicro reveals that Google Trends, a public web facility of Google which shows how often a particular search term is searched for relative to the total search volume, has been used by cyber criminals to find the most popular search terms. They then use these terms to point to links to their malicious sites, allowing them to victimize more people. Clearly, cyber crooks seem to be keeping up with the most recent technological advancements, using newly released applications to profit as much as possible.

Apart from poisoning the top search results, cyber criminals have been found to use GeoIP tracking as a social engineering tactic. This helps the bad guys to identify the geographical location of an internet-connected computer, mobile device, or website visitor. Geolocation data can include information such as country, region, city, postal/zip code, latitude, longitude and time zone.

Using geolocation data, cyber criminals can customize spammed emails and URLs to fool users into thinking that these are from non-malicious sources. This increases the possibility of malicious emails spreading, even while users unsuspectingly click on these links.

Says Abhinav Karnwal, product marketing manager, Trend Micro: "Malicious websites are making around $10,000 every day. It all starts with a pop-up showing a problem in your computer. The user would go to the internet and look for an anti-virus (AV) software. These malicious sites feign the look and feel of an authentic anti-virus company. The site would run a scan on your computer and show multiple errors, which don't actually exist in reality. It would ask the user to pay a certain amount and download the AV file. After payment, the fake AV programme would indicate that your computer is free from errors, which never existed anyway."


While neither these scams nor the money behind them is news, they are a good reminder of why we put proxies in place to secure our organizations' access to the internet. The article also offers some useful reminders:

The team says, “Although ‘classic’ techniques are relatively well-known, cyber criminals are becoming cleverer. Users need to be educated to stop clicking on links in emails from unknown senders. If it is sent from a friend or colleague, it should be double-checked with the sender. Users should always be suspicious of any site with an unknown domain that contains the name of a well-known site in the latter part of the web address.”

The biggest threat now facing users may no longer be phishing—or accessing passwords. At least three quarters of malicious content is contained in legitimate sites. ... Almost 70 per cent of the top 100 most popular websites either hosted malicious content or contained a ‘masked redirect’ to lure unsuspecting victims from legitimate sites to malicious sites.

“In essence, the only way to be secure against the threat landscape is to ensure that a powerful security solution is in place which can provide real-time protection,” the UK team said. It is still a cops and robbers game. And there are too many robbers out there.


We've talked here before about real-time protection on the proxy. Since user education only goes so far, a proxy that can rate a URL in real time, combined with malware scanning of the content it fetches, is more important than ever.
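As an added example (my own code, not from the Proxy Update blog or from Trend Micro), here is the team's last rule above turned into a check a proxy or mail filter could run: flag a URL whose registrable domain is unfamiliar but whose host labels or path carry a well-known site's name. The watched-brand table, the sample URLs and the two-label approximation of a registrable domain are assumptions.

```python
"""Lookalike-URL check: flag addresses whose registrable domain is not a
known site but whose host labels or path contain a well-known site's name.
Added example for this post; it is not code from the Proxy Update blog or
from Trend Micro.  The watched-brand table, the sample URLs and the
two-label approximation of a registrable domain are assumptions."""
from urllib.parse import urlsplit

# Assumption: a deployment would load a maintained list of brands and the
# domains each of them legitimately uses.
KNOWN_SITES = {
    "paypal": {"paypal.com"},
    "nacha": {"nacha.org"},
    "facebook": {"facebook.com"},
    "google": {"google.com"},
}


def registrable_domain(host):
    """Approximate the registrable domain of a hostname.

    Assumption: the last two labels are used.  Real code should consult the
    Public Suffix List so that shop.example.co.uk resolves to example.co.uk
    rather than co.uk.  Bare IPv4 literals are returned unchanged.
    """
    host = host.lower().rstrip(".")
    if host.replace(".", "").isdigit():
        return host
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def check_url(url):
    """Return (verdict, reason) for one URL; verdict is "ok" or "suspicious".

    A URL is suspicious when a watched brand name appears in the hostname or
    path while the registrable domain is not one that brand actually owns,
    e.g. www.paypal.com.account-verify.example or 198.51.100.7/nacha.org/.
    """
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    reg = registrable_domain(host)
    owner = next((b for b, legit in KNOWN_SITES.items() if reg in legit), None)
    if owner is not None:
        return "ok", "registrable domain %s belongs to %s" % (reg, owner)
    # Search the host labels and the path only; the query string is ignored
    # so that searching for a brand name on a genuine site is not flagged.
    haystack = host + parts.path.lower()
    for brand in KNOWN_SITES:
        if brand in haystack:
            return "suspicious", ("'%s' appears in the address but the "
                                  "registrable domain is %s" % (brand, reg))
    return "ok", "no watched site name present"


def scan(urls):
    """Run check_url over a list and return only the suspicious entries."""
    results = []
    for u in urls:
        verdict, reason = check_url(u)
        if verdict == "suspicious":
            results.append((u, verdict, reason))
    return results


# Constructed sample addresses in the shapes the article warns about.
SAMPLE_URLS = [
    "http://www.paypal.com.account-verify.example/login",
    "http://198.51.100.7/nacha.org/rejected_payment.pdf",
    "https://www.paypal.com/signin",
    "https://www.google.com/search?q=paypal",
    "http://example.org/news",
]

if __name__ == "__main__":
    for url, verdict, reason in scan(SAMPLE_URLS):
        print(verdict, url, "-", reason)
```

A real deployment would replace the two-label approximation with the Public Suffix List and load the brand table from a maintained source; the query string is deliberately left out of the search so that a user searching a genuine site for a brand name is not flagged.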

Wednesday, November 18, 2009

Top 10 issues overloading IT managers

It only gets an honorable mention but Web management was talked about on this recent list of top 10 issues that are overloading IT managers. Web management refers to watching what employees are doing on the internet. It is one of those tasks that IT managers are increasingly being called on to do, but a job that most dislike doing.

IT managers are increasingly overloaded these days, and the common view is that they have more than enough on their plate without playing censor to an entire company. Yes, if someone spends all their time looking at porn on the internet, that's an issue for the company, but the prevailing view is that it's a management problem, not an IT one.

The only time the IT department should get involved is after a complaint, either from someone on the floor who's spotted what's going on or from a manager who's concerned about lost productivity.

As the article says:

The tasks of monitoring and managing web access have only become more difficult as interest in new web services has grown. Now, sites such as Twitter and Facebook aren't purely for consumers, and many companies also make use of them for promotion and customer relations.

This means that simply blocking everyone from these services is no longer possible, as they have become work tools.

At the same time, more and more new sites are popping up, more blogging platforms, social networks and casual gaming portals are emerging every day, making it far more difficult to keep up with what can and can't be blocked.

Then, on top of it all, there are the ever-growing ranks of malware infections and phishing scams connected to web applications and tools, making the risk of security breaches through the browser stronger than ever.

As such, the task of web management at the corporate level is becoming more complex and crucial at a most inopportune time.


There's definitely a need for tools like proxies to help in this new/old IT task.

Tuesday, November 17, 2009

Are companies blocking more social networking sites?

There are a lot more articles and discussion about social networking lately, and its prevalence and use in the workplace. A couple of years ago it would have been easy to say that social networking sites such as Facebook, MySpace and Twitter had no place in the workplace, and the decision to block access to them from the corporate network was an easy one for IT administrators.

The Guardian said last week that the separation between work and after-work life is rapidly disappearing. One belief that follows is that the visibility of people's private lives on new media such as Twitter and Facebook will make employers more tolerant of social networking, or make employees better behaved on these sites.

“The business use case in Twitter is turning out to be very important,” Twitter co-founder Biz Stone said last week as the company announced the possibility of cross-posting tweets to the professional network LinkedIn.

But you should still be concerned about crossing the line between business and personal use of social networking. For example, you'll probably want to think twice about tweeting that you hate your new job but are grateful for the fat pay check.

While some companies still allow social networking use in the workplace, a recent analysis of more than a billion Web requests processed by ScanSafe each month showed a 20 per cent increase in the number of customers blocking social networking sites in the last six months.

Currently, 76 per cent of companies are choosing to block social networking and it is now a more popular category to block than online shopping (52 per cent), weapons (75 per cent), alcohol (64 per cent), sports (51 per cent) and Web mail (58 per cent).

Blocking social networking, or at least tracking who uses it, remains an option for any IT administrator. Either way, it's a topic that will stay in the news for some time to come.

Monday, November 16, 2009

Spam targets financial transfers

In the latest news linking malicious web pages with spam, a new spam campaign targets a financial transfer system that handles trillions of dollars in transactions a year. Not surprisingly, it is yet another case of fake emails.

The spam messages pretend to come from the National Automated Clearing House Association (NACHA), a U.S. nonprofit association that oversees the Automated Clearing House (ACH) system. ACH is widely used by financial institutions for exchanging details of direct deposits, checks and cash transfers.

It appears that in the last few months, numerous businesses have lost money through ACH fraud. It happens when the hackers obtain the authentication credentials required to transfer money. Although NACHA has no direct involvement in the processing of the payments, spammers have launched a campaign with messages purporting to be from the organization saying that an ACH payment has been rejected.

The spam messages have a link to a fake website that looks like NACHA's. The site asks the victim to download a PDF file, but it is actually an executable. If launched, the file will install Zbot, also known as Zeus, an advanced piece of banking malware that can harvest the authentication details required to initiate an ACH transaction.

NACHA has put an advisory on its website, warning: "NACHA does not send communications to individuals or organizations about individual ACH transactions that they originate or receive."

With this kind of sophisticated trickery, the question becomes: how do you stop it? For starters, publicize the scheme and keep ACH users trained to treat unsolicited ACH notices as suspect even when they look real; NACHA's own advisory gives the rule, since it never sends such messages. And, of course, make sure your proxy is up to date with the latest anti-malware engine, URL database and real-time rating system.
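The "PDF" that is really an executable is exactly the kind of thing a proxy's content inspection should catch before the file reaches the browser. As an added example (not code from this blog, from NACHA or from any vendor), the following sniffs the leading bytes of a download and compares them with what the file name claims, covering both the renamed executable and the .pdf.exe double-extension trick. The sample bytes are constructed, and the extension lists and verdict names are assumptions.

```python
"""Check whether a download that claims to be a document is really a
Windows executable, as in the fake NACHA 'PDF'.  Added example, not code
from the Proxy Update blog or from NACHA; the sample bytes are constructed
and the extension lists and verdict names are assumptions.  A proxy would
run this kind of check on the response body (for example via its ICAP
malware-scanning hook) before handing the file to the browser."""
import struct

# Assumption: which extensions count as "document" and "executable".
DOCUMENT_EXTENSIONS = {"pdf", "doc", "xls", "txt", "htm", "html"}
EXECUTABLE_EXTENSIONS = {"exe", "scr", "com", "pif", "bat", "cmd"}


def sniff(data):
    """Identify content by its leading bytes, ignoring the file name.

    Returns "pdf", "pe" (Windows PE executable), "mz" (DOS stub with no PE
    signature) or "unknown".
    """
    if data[:5] == b"%PDF-":
        return "pdf"
    if data[:2] == b"MZ":
        if len(data) >= 0x40:
            # Offset 0x3C of the DOS header holds the offset of "PE\0\0".
            pe_off = struct.unpack_from("<I", data, 0x3C)[0]
            if data[pe_off:pe_off + 4] == b"PE\0\0":
                return "pe"
        return "mz"
    return "unknown"


def extensions(filename):
    """All extensions of a name, lower-cased: 'a.pdf.exe' -> ['pdf', 'exe']."""
    parts = filename.lower().rsplit("/", 1)[-1].split(".")
    return parts[1:] if len(parts) > 1 else []


def assess_download(filename, data):
    """Return (verdict, reason); verdict is "allow", "block" or "review"."""
    exts = extensions(filename)
    last = exts[-1] if exts else ""
    kind = sniff(data)
    if kind in ("pe", "mz"):
        if len(exts) > 1 and exts[-2] in DOCUMENT_EXTENSIONS \
                and last in EXECUTABLE_EXTENSIONS:
            return "block", "double extension .%s.%s hides an executable" % (exts[-2], last)
        if last in DOCUMENT_EXTENSIONS:
            return "block", "named .%s but content is a Windows executable" % last
        return "review", "executable download (.%s); apply the normal executable policy" % (last or "none")
    if last == "pdf" and kind != "pdf":
        return "review", "named .pdf but content does not start with %PDF-"
    return "allow", "no executable signature found (sniffed as %s)" % kind


def _fake_pe():
    """Minimal DOS/PE header for the example (constructed, not a real program)."""
    hdr = bytearray(0x44)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)   # PE signature lives at 0x40
    hdr[0x40:0x44] = b"PE\0\0"
    return bytes(hdr)


# Constructed samples standing in for the real and the fake download.
PDF_SAMPLE = b"%PDF-1.4\n% constructed sample, not a real document\n"
PE_SAMPLE = _fake_pe()

if __name__ == "__main__":
    for name, body in [("ACH_Rejected_Payment.pdf", PDF_SAMPLE),
                       ("ACH_Rejected_Payment.pdf", PE_SAMPLE),
                       ("ACH_Rejected_Payment.pdf.exe", PE_SAMPLE)]:
        print(name, sniff(body), assess_download(name, body))
```

The check looks only at the first bytes, so it is cheap enough to run inline on every download; the executable policy itself (for example, blocking .exe from uncategorized sites) is a separate decision and is left to the proxy's normal rules.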

Friday, November 13, 2009

M86 E-Mail Security Program Blocks Messages with Malicious URLs

Security vendor M86 has enhanced its e-mail gateway security program. MailMarshal SMTP version 6.7 includes a blended threat module that blocks e-mails containing malicious URL links and uses a cloud-based malware behavior analysis service for rapid identification of new malicious links. The analysis service is actually an "interaction," as the company calls it, with the behavioral malware detection technology from Avinti, acquired by M86 earlier this year.

The new release also includes an IP Reputation Service, which blocks incoming spam based on the reputation of the sending IP address to dramatically decrease the bandwidth previously consumed by spam, and SpamBotCensor, which identifies and blocks bot-based spam.

"Blended threats are the most prominent malicious e-mail security threat to organizations today," said William Kilmer, chief marketing officer and former CEO of Avinti. "In fact, according to recent research from M86 Security Labs, blended e-mail threats have spiked to exceed 30 percent of all spam, about one in every three messages."

It's one more sign that the threat vector is moving from email to the web. Email security remains important, but email is increasingly just the lure; the virus or malware payload is fetched from a web link, which makes the proxy one of the most important tools in any organization's security arsenal.

Wednesday, November 11, 2009

War beneath the web

A new article in the Guardian talks about the state of website hacking. Hacking websites used to be a way to show off. Now, it's a lucrative crime – committed on an industrial scale.

The full article is on the Guardian's site. Here are some highlights:
Experts agree that the change is due to one critical factor: money. Hackers generally don't now aim to make a mess; they do it to get cash.

"The difference is that in about 2003 people realised they could use these weaknesses to make money," explains Richard Clayton, a security researcher at Cambridge University. "There are three ways they do it: drive-by downloads, which enlarge a botnet [which can be hired to send spam, assist in the theft of personal details, or attack websites to extort their owners]; hosting a phishing site, so they can collect login details; and putting spam links on the site to raise the spam's search engine ranking." The hacking of Free Our Data and the other sites had the latter purpose.

...

Clayton and his team have done extensive research into phishing sites hosted on cracked web servers. "We found the same sites would get hacked. Our insight was that people were using Google to find websites to break into, by doing specific searches for particular versions of software that they knew had particular vulnerabilities – Wordpress 1.3.1 or Drupal or whatever. So they'd do a Google search, find those sites and then hack all 50 sites using the same method."

...

"It's a big problem and getting worse," says Dave Jevans, chief executive of IronKey and chair of the Anti-Phishing Working Group. "When I have tracked website attacks, I've found it convenient to look at the Zone-H statistics. Zone-H.org reports on website breach defacements, as reported by bragging hackers. The exact same attack methodologies are used to make a website host malware or a phishing site.

"Today they reported 1,110 defacements so far. For the month of October 2009 they reported 47,560. So that's about half a million defaced websites per year. Now keep in mind that this is reporting by hackers themselves. Imagine the number of sites that are attacked and breached that are not reported to Zone-H."



Sounds scary, but it shouldn't be news to a savvy IT administrator. All of these points reiterate the need for a proxy acting as a web security gateway in your network.
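Clayton's point above about searching for "Wordpress 1.3.1 or Drupal" works because many sites announce their software and version in the page itself. As an added example (my own code, not from the Guardian article or from the Cambridge research), this checks a page for the two most common disclosures: a generator meta tag and asset URLs carrying a ?ver= query string, which WordPress appends by default. The sample page is constructed, and the two patterns are assumptions about what a site might emit.

```python
"""Find the version disclosures that search-based targeting relies on: a
<meta name="generator"> tag and script/stylesheet URLs with a ?ver= query
string.  Added example for this post, not code from the Guardian article or
from Clayton's research; the sample page is constructed and the two patterns
are assumptions about what a site might emit."""
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qs


class VersionDisclosureParser(HTMLParser):
    """Collect (where, value) pairs that reveal the site software or version."""

    def __init__(self):
        super().__init__()
        self.findings = []

    # HTMLParser lower-cases tag and attribute names for us; self-closing
    # tags such as <meta ... /> also arrive here via handle_startendtag.
    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "meta" and a.get("name", "").lower() == "generator":
            self.findings.append(("meta generator", a.get("content", "")))
        elif tag in ("script", "link"):
            url = a.get("src") or a.get("href") or ""
            ver = parse_qs(urlsplit(url).query).get("ver")
            if ver:
                self.findings.append(("asset ?ver=", ver[0]))


def find_version_disclosures(html):
    """Return every disclosure found in the HTML, in document order."""
    parser = VersionDisclosureParser()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample page in the shape of a default WordPress install.
SAMPLE_PAGE = """<html><head>
<meta name="generator" content="WordPress 1.3.1" />
<link rel="stylesheet" href="/wp-content/themes/t/style.css?ver=1.3.1" />
<script src="/wp-includes/js/jquery.js?ver=1.3.2"></script>
</head><body><p>constructed sample page</p></body></html>"""

if __name__ == "__main__":
    for where, value in find_version_disclosures(SAMPLE_PAGE):
        print("%-15s %s" % (where, value))
```

Run it against your own site's front page: if it prints anything, an attacker's search for that exact version string will find you too, and removing the generator tag and version query strings costs nothing (the real fix, of course, is keeping the software patched).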

Tuesday, November 10, 2009

Rogue Anti-Spyware Targets Sesame Street's Big Bird

Most of you have seen by now that Google's search engine page features Sesame Street characters to honor the 40th anniversary of Sesame Street. Google follows the news and trends of the world and honors significant events in its logo.

Unfortunately, the idea of malware distributors abusing Google Trends is not new. The bad guys have once again demonstrated that they, too, can take advantage of Google Trends. This time their target is Sesame Street's birthday.

With the fortieth anniversary, the bad guys have begun their attack: searching Google for keywords such as Big Bird's birthday or Big Bird returns results that include compromised sites pushing rogue anti-spyware.

More, with a video clip, at:
http://www.avertlabs.com/research/blog/index.php/2009/11/09/rogue-anti-spyware-targets-sesame-streets-big-bird/

Monday, November 9, 2009

Targeted attacks possible in the cloud, researchers warn

Network World reported last week that cloud providers' use of virtualization, with virtual machines from multiple customers sharing the same physical server, is opening up fresh data leak risks.

The article is based on a report by four researchers at MIT and the University of California at San Diego showing how vulnerabilities in cloud infrastructures could allow attackers to locate and eavesdrop on targeted virtual machines (VMs) anywhere in the cloud.

From the article:

The attack described in the report was conducted against Amazon's Elastic Compute Cloud (EC2) service. But the vulnerabilities that enable it are generic and would likely affect other cloud providers, said Eran Tromer, a post-doctoral researcher at MIT's Computer Science and Artificial Intelligence Laboratory and one of the authors of the report. The report is scheduled to be presented at the Association for Computing Machinery (ACM) Conference on Computer and Communications Security next month.

The research raises questions about a fundamental assumption about cloud computing which says that data hosted in a cloud is relatively safe from targeted attacks because it's hard to know where in the cloud the data is located. The research also comes at a time when concerns are high about security and privacy issues related to cloud computing.



This may be one more reason to reconsider that move to the cloud, or at least to ask a provider how it keeps an attacker's VM from being placed on the same physical server as yours, until better isolation can be devised for the cloud.

Thursday, November 5, 2009

Blue Coat Acquires S7

Blue Coat said on Thursday that it would acquire S7 Software, a services company based in Bangalore, paying US$5.25 million in cash for the 65-person company.

S7 specializes in migrating applications from one platform to another. Blue Coat sells network security and performance monitoring appliances, but it is buying S7 because of the company's software development expertise.

Blue Coat also announced that it is restructuring its business and will shift an undisclosed number of engineering jobs from its Sunnyvale, California, and Austin, Texas, offices to S7's offices in Bangalore and other locations. Net of new hires and the S7 staff, the company's total headcount reduction as part of the restructuring will be around 10 percent.

Wednesday, November 4, 2009

Welcome to Application Delivery 2.0

Network World last week published an article declaring that many IT organizations are entering a new era of application delivery, one it calls Application Delivery 2.0, whose challenges will be notably more complex than those of the current era.

First the background:
While ensuring acceptable application delivery has always been important, it historically was not a top of mind issue for most IT organizations. That changed a few years ago when IT organizations began to focus on ensuring acceptable application delivery. They did this by deploying a first generation of solutions that were intended to mitigate the impact of chatty protocols such as CIFS (Common Internet File System), to offload computationally intensive processing (for example TCP termination and multiplexing) off of servers, and to provide visibility into the performance of applications. Unfortunately, the IT organization of a few years ago typically approached application delivery from a tactical, stove-piped approach.

Hence, we are hesitant to use the phrase Application Delivery 2.0 as it sounds so much like just one more marketing cliché. However, we see distinct evidence, both from vendors and from IT organizations that we are indeed entering a second generation of application delivery.

Part of the characterization of Application Delivery 2.0 is that IT organizations are beginning to face a new set of challenges. That does not mean that the traditional challenges of supporting chatty protocols or maximizing the performance of servers have gone away. As is so often the case in our industry, IT organizations have to support traditional or legacy technologies and challenges at the same time that they have to respond to new technologies and challenges.

One of the new challenges facing IT organizations stems from the changing role of the mobile worker. A few years ago, there were relatively few mobile workers and the communications needs of the mobile workers of that era were satisfied with simple cell phones. That is no longer the case. Now it is common to have 25% or more of employees be mobile at any point in time. These employees have smartphones or other wireless devices that they routinely use to access business-critical applications. This introduces all of the performance and security issues associated with wireless networking into the mix of application delivery challenges.


While Network World seems to think we're entering a new era of application delivery, these issues seem to be the same ones we've been facing for some time now. Mobile workers don't sound like a new phenomenon to me, but maybe I'm missing something.

Tuesday, November 3, 2009

M86 Buys Finjan Security

M86 (formerly Marshal8e6 - the merger of Marshal and 8e6 Technologies) announced today the acquisition of Finjan Security, a web and email security vendor. This latest deal confirms that the security industry consolidation continues.

Finjan brings to the table a secure Web gateway product and software-as-a-service solutions, M86 said in a statement. Under the merger, which is effective immediately, Finjan will maintain a development center and operations in Netanya, Israel.

The U.S.-based Finjan SW will remain an independent company to retain its malware detection intellectual property, according to a statement.

M86 was created a year ago with the merger of Marshal and 8e6. In March 2009, the combined company acquired behavioral malware detection company Avinti.

Last week, Cisco Systems said it was buying Web-based security software company ScanSafe. And earlier in October, Barracuda Networks, which makes security appliances, announced its purchase of Purewire, a Web security-as-a-service provider.

Meanwhile, vulnerability management provider Rapid7 recently acquired Metasploit, an open-source penetration testing framework and exploit database.