Welcome to the Proxy Update, your source of news and information on Proxies and their role in network security.

Friday, December 9, 2011

Fake Video Codecs Still Going Strong

Two years ago, Blue Coat reported in its yearly security report that the top two sources of malware infection were the fake video codec and fake A/V ruses. In the fake video codec ruse, a link to a video is posted or emailed out (usually by a known friend whose account has been hacked), and when a user clicks on it, they get an error saying they don't have the correct codec to play back the video and are redirected to a download of the "right" codec, which turns out to be malware. The fake A/V scam is similar: the user gets an error saying they have a virus and is prompted to download anti-malware software that is in fact malware. Neither of these sources of malware is new, and neither was new in 2009 when Blue Coat reported that they were consistently the top two sources of infection.

The trend continues this year, and Zscaler is reporting that fake video codec based malware is still going strong.

It just goes to show that users aren't as sophisticated as you think, and that they do need to be protected with a secure web gateway or web proxy that has up-to-date anti-malware protection.

Wednesday, November 16, 2011

No Surprise: Android Malware is Increasing

It should be no surprise to anyone in the security industry that Android-based malware is up 472% since July 2011 according to Juniper. If you've been following the news this year, you would already have known malware on Android has been increasing faster than on any other platform. Malware targeting smartphones is up 250% from 2009 to 2010.

It's a good reminder of why you need security both on your network and for mobile devices. While your secure web gateway provides security when you're on the corporate network, mobile devices like those running Android typically roam to other networks as the end-user takes the device home and on trips.

That's when cloud based security becomes important. Cloud and mobility make sense together, since the mobile client will be tied to a cloud security solution regardless of the network the end-user is using. As we see more mobility, you'll undoubtedly see more secure web vendors touting cloud as the solution.

Thursday, November 10, 2011

7 Charged With Using Malware to Rack Up $14 Million

The recent news that the Department of Justice has indicted seven people for allegedly hijacking millions of computers, manipulating traffic on popular websites, and generating more than $14 million in fraudulent advertising revenue, shows that malware does indeed enable cyber-criminals to make plenty of money, which is a good indicator that there will continue to be waves of cyber-criminals and malware in the foreseeable future.

From the PC World article on the recent news:

The defendants -- six Estonians and one Russian -- allegedly hijacked more than 4 million computers using malware that rerouted Internet traffic to websites where they would get a cut of the ad revenue. Infected computers with users looking for popular websites such as Netflix, Amazon, and iTunes were rerouted to webpages that featured the defendants’ ads.

This case is supposedly the "first of its kind," according to US Attorney Preet Bharara, because the suspects set up their own "rogue servers" in order to perform the rerouting. Using their rogue servers, the defendants were allegedly able to substitute legitimate Internet ads with their own ads, thereby generating millions in advertising revenue.

According to BusinessWeek, the indictment cited a case in which an American Express ad on the Wall Street Journal's home page was replaced -- instantly, once users clicked on it -- with an ad for "Fashion Girl LA."

About 500,000 of the infected computers were located in the United States, Bharara said in a news conference in New York. The alleged scheme, which ran from 2007 to 2011, was first discovered at NASA, where 130 computers were infected.


It's an interesting case, because it uses malware to redirect the end-users' browsers and basically force them to click on ads that help the hackers make money. It could just as easily have redirected users to more malware sites.

This particular news item highlights the need to have visibility into where end-users are going on a corporate network, and to figure out what computers have been hacked and are sitting on your corporate network.

Monday, October 10, 2011

Websense on Facebook can be bypassed

Blackhat Academy is already reporting that the new Websense web filtering that will be available on Facebook can be bypassed. Earlier this month, Websense and Facebook announced that links users click on inside Facebook would be scanned by Websense, with the URLs examined for malware, and a pop-up would appear if a link seemed to be malicious.

Blackhat Academy showed this week that they could circumvent this technology by recognizing that the request for the URL was coming from Facebook, and serving Facebook a different page from the one actually delivered to users. Here's an example of how this works from PC World:

Blackhat Academy members provided a live demonstration, which involved posting the URL to a JPEG file on a wall.

Facebook crawled the URL and added a thumbnail image to the wall post; however, clicking on its corresponding link actually redirected users to YouTube. This happened because the destination page was able to identify Facebook's original request and served a JPEG file.

"While most major sites that allow link submission are vulnerable to this method, sites including Websense, Google+ and Facebook make the requests easily identifiable," the Blackhat Academy hackers said.

"These sites send an initial request to the link in order to store a mirror thumbnail of the image, or a snapshot of the website being linked to. In doing so, many use a custom user agent, or have IP addresses that resolve to a consistent domain name," they explained.


Looks like Facebook is going to have to do a little work to hide the fact that these requests for categorization are coming from Facebook, if they want to get the true value of URL filtering.
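As an added example (not code from this post, nor from Blackhat Academy, Websense or Facebook), here is the check a link scanner can run against the trick described above: fetch the URL twice, once with its own recognisable User-Agent and once looking like a browser, and refuse to trust a rating when the two answers disagree. The scanner and browser UA strings and the three site functions are constructed stand-ins so the check runs offline.

```python
"""Flag a link that serves a link scanner something different from what a browser gets."""
import hashlib
from typing import Callable, Dict, Tuple

# A fetched response: (HTTP status, headers with lower-case names, body).
Response = Tuple[int, Dict[str, str], bytes]
# fetch(url, request_headers) -> Response; a real scanner backs this with an HTTP client.
Fetcher = Callable[[str, Dict[str, str]], Response]

SCANNER_UA = "ExampleLinkScanner/1.0"   # constructed: the easily identifiable crawler identity
BROWSER_UA = "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0 Safari/535.1"


def fingerprint(resp: Response) -> Tuple[int, str, str, str]:
    """Reduce a response to the parts that decide what a user ends up seeing."""
    status, headers, body = resp
    content_type = headers.get("content-type", "").split(";")[0].strip().lower()
    redirect_to = headers.get("location", "") if 300 <= status < 400 else ""
    return status, content_type, redirect_to, hashlib.sha256(body).hexdigest()


def check_cloaking(url: str, fetch: Fetcher) -> Dict[str, object]:
    """Fetch as the scanner and as a browser; if they disagree, the scanner's view is worthless."""
    as_scanner = fingerprint(fetch(url, {"user-agent": SCANNER_UA}))
    as_browser = fingerprint(fetch(url, {"user-agent": BROWSER_UA}))
    labels = ("status", "content-type", "redirect target", "body hash")
    reasons = [f"{label}: scanner saw {a!r}, browser saw {b!r}"
               for label, a, b in zip(labels, as_scanner, as_browser) if a != b]
    # A different status, media type or redirect target is a hard signal. A body hash that
    # differs on its own can be an honest dynamic page (timestamps, per-visitor tokens),
    # so that case is only marked "suspect" for a second look.
    if any(not r.startswith("body hash") for r in reasons):
        verdict = "cloaked"
    elif reasons:
        verdict = "suspect"
    else:
        verdict = "consistent"
    return {"url": url, "verdict": verdict, "reasons": reasons}


# --- constructed stand-ins for web sites, so the check runs offline ---------------------

def cloaking_site(url: str, headers: Dict[str, str]) -> Response:
    """Mimics the demo above: a JPEG for the scanner, a redirect to a video site for everyone else."""
    if headers.get("user-agent", "").startswith("ExampleLinkScanner"):
        return 200, {"content-type": "image/jpeg"}, b"\xff\xd8\xff\xe0" + b"\x00" * 16
    return 302, {"location": "http://video.example/watch?v=abc"}, b""


def honest_site(url: str, headers: Dict[str, str]) -> Response:
    return 200, {"content-type": "text/html"}, b"<html><body>same page for everyone</body></html>"


_visits = [0]


def dynamic_site(url: str, headers: Dict[str, str]) -> Response:
    """Same page type for all visitors, but a per-visit counter in the body (an honest dynamic page)."""
    _visits[0] += 1
    return 200, {"content-type": "text/html"}, f"<html><body>visit {_visits[0]}</body></html>".encode()


if __name__ == "__main__":
    for site in (cloaking_site, honest_site, dynamic_site):
        print(check_cloaking("http://lure.example/pic.jpg", site))
```

A scanner that also fetches from an address range that does not resolve back to its own domain closes the second identification route the hackers mention.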

Saturday, October 8, 2011

QR Codes Lead to Malware

There's a new report about QR codes leading to malware. As the author mentions, it shouldn't be a surprise, and it was certainly expected to happen. It highlights the need for smartphone and tablet devices, the ones most likely to scan a QR code, to be protected the same way laptops and workstations are, behind something like a secure web gateway or web proxy.

While other reports have indicated there's little need for protection of iPhone devices, this new malware would indicate otherwise. Android is already known as the most at risk smartphone platform for malware.

So, if you haven't started looking at solutions for mobility around securing web browsing, maybe now is the time to start.

Friday, October 7, 2011

Panda Cloud Antivirus Outperforms McAfee, Microsoft and Trend Micro on Malware Protection in its First AV-Test.org Product Review

In Panda Cloud Antivirus' first participation in av-test.org's evaluation of antivirus vendors, Panda outperformed McAfee, Microsoft and Trend Micro among others.

The AV-Test.org evaluation, conducted between July and August 2011, compared Version 1.5.1 of Panda Cloud Antivirus to 24 other home user security products. The full report is available at http://www.av-test.org/no_cache/en/tests/test-reports/test-reports/?tx_avtestreports_pi1[report_no]=113111.

It's an interesting positive note for a cloud-based AV, and lends credence to other cloud-based architectures as well. So maybe the next step is cloud, or a mix of on-premise and cloud, otherwise known as hybrid.

Wednesday, October 5, 2011

Blue Coat Gets Slammed on Twitter

If you follow any of the proxy vendors on Twitter, you can get some interesting results. This past week, Blue Coat in particular (using #bluecoat) has been called out for being a co-conspirator in events in Syria. This happened because Telecomix, a hacking group, released 54GB of logs from what appears to be a Blue Coat device handling Syrian traffic, showing that Syria had been using its Blue Coat device to block websites and, in particular, to track internet usage.

While it's true Blue Coat devices allow blocking of websites (and most enterprises and ISPs use that for blocking malware and for corporate compliance), the Blue Coat device is just a tool. It's still the user of the Blue Coat device, in this case apparently the Syrian government, that chose to implement it and use it in the fashion that's being claimed. While I fully support freedom and democracy, I think it's a little short-sighted to blame what's essentially a tool for the actions of others.

Especially since the company making the tool doesn't generally have control over how the tool is used after the device has been sold. Note that Blue Coat has claimed it has a policy against selling directly to Syria, but has no control if a device is sold indirectly (through a reseller). It's like blaming the manufacturer of a kitchen knife for a crime committed with the knife.

This of course isn't the first controversy a secure web gateway has seen in the news. Other vendors, like M86 and Blue Coat, have seen controversy when their devices have been used in schools to block sites with LGBT (Lesbian, Gay, Bisexual, and Transgender) content. In those cases as well, it was the schools in question that implemented the policy, not the device provider, yet the protest and anger were directed at the hardware vendors, which seems to be misplaced and misguided blame.

Facebook Partners with Websense

Looks like Websense scored a coup this week with the announcement that Facebook is going to use its ThreatSeeker and ACE (Advanced Classification Engine) technologies as part of Facebook's standard offering. Using Websense, anytime a user clicks on a link, it will be processed through Websense technology to determine if the link is malware or phishing, and a warning will be displayed if it's deemed malicious. There's also an opt-out, so if a user decides to bypass the warning, they still can.

It's good news for Facebook users, since any additional protection in today's malware-heavy world is a net positive. But what's interesting about this announcement, and perhaps something corporate users of Websense should take note of, is the inclusion of the ACE technology. By default, Websense's standard offering doesn't use ACE; it's an option that needs to be enabled.

We've talked about technology like ACE in other posts here on the Proxy Update, and definitely think any type of dynamic rating system for web sites is an absolute must for secure web gateways. So if you don't have it in your proxy or web gateway, you should investigate and consider turning it on, or moving to a technology that has this feature.

Tuesday, October 4, 2011

Future of Malware

This week Network World takes a look at the future of malware in a slideshow format. For those of us that battle it on a daily basis, it's always good to take a step back and look at the bigger picture, and try to see where the evolution points are, and maybe, just maybe get a step ahead.

Each slide covers a different aspect of malware, presented with a viewpoint from different vendors. We've heard the term APT already, Advanced Persistent Threat, and it seems these attacks are getting more advanced if not more persistent. Slide 4 from the presentation talks about an attack where the wives of executives were targeted for a socially engineered malware attack. The idea being they would be less tech savvy and have a less secure PC at home, and offer up a way to target the executives.

While mobile continues to be a concern, there was also an interesting slide that seemed to indicate that while mobile platforms like iPhone and Android may be interesting targets, it's more likely hackers are going to go for platform-agnostic malware that targets what smartphone platforms and regular PC platforms have in common, like HTML and JavaScript.

Without any doubt, malware is in our future, and we need to keep vigilant with up to date security software, web proxies and secure web gateways.

Tuesday, September 27, 2011

Say Hello To Hybrid, Cloud Is So Yesterday

When we thought cloud was just beginning to take hold as the new buzz word, it seems the industry has already started moving away from cloud and moving towards a new buzz word, "Hybrid". The idea behind "hybrid" is to combine both on premise equipment along with a cloud offering into an integrated solution that solves the secure web gateway needs of both the on-site workers as well as the remote office and traveling workers.

The on premise appliance or gateway solution would continue to protect on-site workers, while the cloud offering (aka SaaS offering) would protect smaller remote offices that can't justify the expense of an appliance, along with protecting traveling and remote workers.

The big benefit to hybrid would be integrated reporting and management, that is the ability to get a unified report for all users in a single reporting infrastructure, and the ability to manage policy for both appliance and cloud from a single interface. This seems to be the direction many proxy vendors are starting to head towards so don't be surprised when you see the term hybrid in the latest advertising from secure web gateway vendors.

Wednesday, September 21, 2011

Websense Selects Image-Analyzer

Websense announced last week that it has selected Image-Analyzer, a company with a product that can scan images and determine their appropriateness for a corporation or organization, essentially another layer of protection for those companies that block pornography.

Right now, it's just an announcement of a partnership, but the eventual goal for Websense is to include the technology in their Triton solution. There's no date for when this will be accomplished yet, so stay tuned.

Image analysis technology isn't new, it's been around for a while, and this company in particular has been in existence since 2005. The reason technology like this hasn't gotten more traction in the past has been the latency involved in scanning images, as well as what has traditionally been extremely high false positive rates. It remains to be seen how Websense handles these issues when they integrate image analysis into their product.

Friday, September 16, 2011

Heidi Klum, More Dangerous Than You Think

McAfee recently came out with a list of the most dangerous celebrities, that is, the most dangerous to search for on the Internet. Apparently searching for Heidi Klum gives you a 1 in 10 chance of landing on a malicious website. The top five most dangerous celebrities are:

1. Heidi Klum

2. Cameron Diaz

3. Piers Morgan

4. Jessica Biel

5. Katherine Heigl


All of which is a good reminder of why web security is so important, and of making sure the secure web gateway or web proxy has protection against malware and phishing.

Monday, September 12, 2011

Your car, the next target for malware?

Last week McAfee released a new report talking about cars, and specifically car electronics, as the likely next target for hackers who spread malware. While it still seems far-fetched today, as cars become more sophisticated they are beginning to have complete computer systems, and while much of that is hidden from the driver, it will become more and more visible and interactive with the driver. Even my car today has voice recognition, and interfaces with my cell phone to get me directions, news, weather, stock quotes, etc., all given back to me through Bluetooth, transferred directly through the radio's speaker system. So a targeted attack, like an APT, is certainly a possibility in the near future on car electronics.

The question though is what's in it for the hacker? As most know, hackers today are driven by money, and creating malware is generally tied to making money in some manner. But where's the money in hacking a car? You could certainly hack a car and cause an accident, but until money or identity can be remotely retrieved from a person's vehicle, attacks on individual cars probably remain unlikely, other than as a curiosity.

Friday, September 9, 2011

Typo Squatting

While a lot of the mainstream press is calling this the latest attack vector, it's actually not new. Phishing attacks have long used the typo-squatting method, basically relying on close but misspelled domain names to capture personal information. The latest attack is being reported as new only because of the way the attack is implemented. Rather than imitating the domain's login page to capture login information from an unsuspecting user, the latest attack uses a pop-up survey to collect personally identifying information, perhaps with the reasoning that an end-user will be less security conscious with a survey than they would be with a fake login page.

As always, the best protection for threats like these is a good secure web gateway or web proxy, with the latest in malware and phishing protection. And because users aren't always on the organization's network, a good mobile or cloud solution should be available from your secure web gateway vendor as well.
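An added example, not from this post or the reports it cites, of the defensive side of typo squatting: a check a gateway or mail filter can run to flag a hostname as a likely misspelling or look-alike of a protected brand. The brand list and the homoglyph table are constructed, and the registrable-label logic assumes a one-label public suffix (.com, .net); a real deployment would use the public suffix list.

```python
"""Flag hostnames that are misspellings or look-alikes of protected brand names."""
from typing import Optional, Tuple

PROTECTED = {"amazon", "netflix", "facebook", "paypal"}   # constructed brand list

# Substitutions used to make one string look like another; applied before comparing.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def normalise(label: str) -> str:
    label = label.lower()
    for fake, real in HOMOGLYPHS:
        label = label.replace(fake, real)
    return label


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insertions, deletions, substitutions, adjacent swaps."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)   # transposition, e.g. netfilx / netflix
    return d[len(a)][len(b)]


def check_domain(host: str, protected=PROTECTED, max_distance: int = 1) -> Optional[Tuple[str, str, str]]:
    """Return (kind, brand, offending label), or None if the host looks unrelated to every brand."""
    labels = host.lower().strip(".").split(".")
    if len(labels) < 2:
        return None
    registrable = labels[-2]            # assumes a one-label public suffix such as .com or .net
    if registrable in protected:
        return None                     # the brand's own domain, or a subdomain of it
    norm = normalise(registrable)
    for brand in sorted(protected):
        if norm == brand:
            return ("homoglyph", brand, registrable)
        if osa_distance(norm, brand) <= max_distance:   # very short brands need a smaller max_distance
            return ("typo", brand, registrable)
    # Brand used as one token of a longer name, or as a subdomain of an unrelated domain.
    for label in labels[:-1]:
        for token in normalise(label).split("-"):
            if token in protected:
                return ("brand-in-name", token, label)
    return None


if __name__ == "__main__":
    for h in ("paypa1.com", "netfilx.com", "amazon-account-verify.net",
              "paypal.evil.example", "www.paypal.com", "example.org"):
        print(h, "->", check_domain(h))
```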

Thursday, September 8, 2011

Reverse Proxies Make A Comeback

It seems the latest news in the proxy world is all about Web Application Firewalls (WAF). It just goes to show you that everything old is new again. WAFs are of course nothing more than souped-up reverse proxies, which were all the rage when the dot-com boom came about. Reverse proxies were used to prevent overload on web servers, distributing the web load to proxy servers that not only cached content but also protected the web servers to some degree.

In today's world the WAF is a bit more sophisticated, in that there's more malware and more cybercrime in the world. The good news is that most reverse proxy vendors out there have improved their offerings to include protection against schemes like SQL injection and cross-site scripting (XSS), regardless of whether they use the fancy new WAF terminology to label themselves as such. Also, today's WAF or reverse proxy supports SSL proxying, which is important because more and more web servers today rely on SSL as a base protocol rather than the exception.

So if you're trying to protect your webservers, remember to check out WAFs as well as reverse proxies, since reverse proxies probably do more than you remember them doing in the past.

Tuesday, August 30, 2011

Big Drop In Fake AV

Both McAfee and Blue Coat had reported that the Fake AV scam was one of the largest purveyors of malware last year. In case you're not familiar with it, it's basically a pop-up, JavaScript or some other injected code that notifies the end-user that their computer is infected with a virus and offers to clean it, for a fee, with antivirus software; instead of downloading A/V software, it downloads malware to the workstation.

Apparently by June of this year, the Fake AV sites had practically disappeared from the web. The reason for the quick drop? From ZDnet:

The event that caused the sudden plunge? A high-profile bust by Russian authorities. On June 23, a network of web sites that were distributing fake antivirus software for Windows PCs and Macs suddenly went offline when the head of the company that processed payments for the group was busted.


While the decrease is good news for end-users in general, it's expected to be only a minor hiccup in cybercrime activity, with the scam likely to ramp back up again soon, so it's no time to drop your guard in terms of protecting your end-users and network.

Monday, August 29, 2011

Google Search Results Cleaner in 2011 than 2010

There's a new report showing that Google search results are a lot better this year than last with regard to results containing malware (SEP - Search Engine Poisoning) sites. That sounds like really good news on the face of it, as it means your web proxy or secure web gateway won't have to work as hard to protect you from these malicious search engine results. It used to be that up to 90% of results contained malware, and now it's as few as 3 malicious links in the first 10 pages of search results.

But there's bad news buried in this news as well. It turns out searches for software purchases online still contain about 90% malicious results. So there's no reason to back down from protecting your users, and if anything, if you've got users out there searching for software purchases, you probably should increase the security and protection you're offering your users in your web proxy/secure web gateway.

Wednesday, August 24, 2011

Are you ready for HTTPS Everywhere?

The EFF, in collaboration with the Tor Project, launched the official 1.0 version of HTTPS Everywhere tool on Aug. 4, just past a year after the first beta version was released in June 2010. According to EFF's blog post, the extension will help secure Internet browsing by encrypting connections to more than 1,000 Web sites.

If you're an administrator of a Secure Web Gateway or web proxy, that statement alone should have you worried, or at the very least give you a momentary pause. The reason? While most organizations have deployed secure web gateways for HTTP traffic, very few have actually gone the additional step of turning on SSL proxying for their external web traffic. The reasons are varied, but they include the overhead that encryption and decryption would have on the web proxy, the fact that most sites, until recently, generally provided data and content unencrypted, and the privacy issues and concerns around inspecting SSL traffic.

But SSL is gaining traction, and most email providers and even Facebook offer options for keeping SSL turned on. This increases the likelihood that malware and other undesirable content can be brought into the organization's network, since SSL traffic is likely bypassing the proxy.

What's the right solution? If you haven't already turned on your SSL proxy, investigate what it would mean for your network and your proxy if you do. Make sure your proxy can handle the additional load of SSL decryption and encryption. The easiest way to do this is to check whether your proxy has an SSL hardware card, or the option to add one. Doing decryption and encryption in software will add load to what's probably an overloaded proxy to begin with, and in all likelihood will add latency to your web traffic; that's why hardware-based SSL is the best bet.

Next, set up policy so that you aren't violating your employees' privacy rights. That may include turning off the SSL proxy for users in certain countries, and turning it off for certain categories (like banking). Run this past your HR and legal departments to be sure you're doing the right thing.

Once you've got those figured out, it's time to go live with the SSL proxy, and you'll be sure you're inspecting encrypted traffic for malware and undesirable content.

Wednesday, August 17, 2011

Huge spike in malicious emails

After what seemed to be a continuing decrease in the amount of spam email and malicious spam email, M86 is now reporting a huge spike in the amount of malicious spam email since the beginning of August. The belief is that with the arrest of cyber-criminals and the take down of major botnets, the cyber-criminals are back in force trying to re-establish their bot networks.

This increase in malicious spam is a good reminder to IT administrators to keep vigilant with their security, whether it's email or web based security, as many emails rely on tricking users into filling out linked web pages or downloading malicious software from linked pages. Security should especially be a concern for your web proxy if you're only using URL database filtering today. In addition to that layer of security, every web proxy should also do real-time scanning of downloaded content using an anti-malware or anti-virus engine.

Monday, August 15, 2011

Thinking DLP? Think Proxy.

If you've got plans to implement DLP (Data Leakage Protection) in your organization's network, either for regulatory or corporate compliance around confidential data protection, you're probably also looking at your secure web gateway (aka web proxy).

Why is that? Because most traffic that's likely to leave your organization today is going out over the web. Most DLP vendors prefer to not be directly inline in the network as a single point of failure, nor are their boxes or software designed to be inline as a network traffic device.

That's where the web proxy or secure web gateway comes in. The web gateway can decide when to send traffic to a DLP device over a standard protocol like ICAP, and wait for a response from the DLP server before giving a response back to the end-user. Any major DLP vendor today will point you to a web proxy as the integration point for network-based DLP.

The key here is to make sure your secure web gateway is capable of ICAP for integration, and generally capable of supporting at least two ICAP servers (one for uploads and one for download scanning). The upload ICAP server is the one used for DLP, and the download one is used for malicious threat scanning (anti-malware).
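The ICAP exchange described above, as an added example written for this post (not any vendor's code): the gateway wraps the user's upload in an ICAP REQMOD request to the upload-side DLP server, then acts on the reply per RFC 3507. A 204 means send it through unchanged; a 200 carrying an HTTP response means the DLP server wants a block page shown to the user instead. The hostnames, the sample upload and the two sample replies are constructed, and no product-specific ICAP headers are assumed.

```python
"""ICAP REQMOD between a web gateway and a DLP server (RFC 3507): wrap the upload, read the verdict."""
from typing import Dict, Tuple

CRLF = b"\r\n"


def build_reqmod(icap_uri: str, icap_host: str, http_head: bytes, body: bytes) -> bytes:
    """Encapsulate an HTTP request head (must end with an empty line) and its body in REQMOD."""
    if not http_head.endswith(CRLF * 2):
        raise ValueError("http_head must end with CRLF CRLF")
    if body:
        # Encapsulated offsets are byte positions inside the encapsulated section; bodies are chunked.
        encapsulated = f"req-hdr=0, req-body={len(http_head)}"
        chunked = f"{len(body):x}".encode() + CRLF + body + CRLF + b"0" + CRLF + CRLF
    else:
        encapsulated = f"req-hdr=0, null-body={len(http_head)}"
        chunked = b""
    head = "\r\n".join([
        f"REQMOD {icap_uri} ICAP/1.0",
        f"Host: {icap_host}",
        "Allow: 204",                   # we understand "204 No Content" = send the original through
        f"Encapsulated: {encapsulated}",
        "", "",
    ]).encode()
    return head + http_head + chunked


def dechunk(data: bytes) -> bytes:
    """Decode an HTTP chunked body (the encoding ICAP mandates for encapsulated bodies)."""
    out, pos = b"", 0
    while True:
        eol = data.index(CRLF, pos)
        size = int(data[pos:eol].split(b";")[0], 16)    # ignore chunk extensions
        pos = eol + 2
        if size == 0:
            return out
        out += data[pos:pos + size]
        pos += size + 2                                  # chunk data plus its trailing CRLF


def parse_icap_response(raw: bytes) -> Dict[str, object]:
    head, _, payload = raw.partition(CRLF * 2)
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    encapsulated = {}
    for part in headers.get("encapsulated", "").split(","):
        if "=" in part:
            name, value = part.strip().split("=")
            encapsulated[name] = int(value)
    return {"status": status, "headers": headers, "encapsulated": encapsulated, "payload": payload}


def _section(payload: bytes, enc: Dict[str, int], hdr_key: str, body_key: str) -> Tuple[bytes, bytes]:
    end = enc.get(body_key, enc.get("null-body", len(payload)))
    head = payload[enc[hdr_key]:end]
    body = dechunk(payload[enc[body_key]:]) if body_key in enc else b""
    return head, body


def gateway_action(resp: Dict[str, object]) -> Tuple[str, bytes, bytes]:
    """What the proxy does next: (action, http_head, http_body)."""
    status, enc, payload = resp["status"], resp["encapsulated"], resp["payload"]
    if status == 204:
        return ("forward-original", b"", b"")           # DLP found nothing; send the upload as-is
    if status == 200 and "res-hdr" in enc:
        # DLP replaced the request with an HTTP response (a block page): hand it to the user.
        head, body = _section(payload, enc, "res-hdr", "res-body")
        return ("return-to-client", head, body)
    if status == 200 and "req-hdr" in enc:
        head, body = _section(payload, enc, "req-hdr", "req-body")
        return ("forward-modified", head, body)         # DLP rewrote the request; send that instead
    return ("error", b"", b"")                          # gateway policy decides fail-open vs fail-closed


# --- constructed samples -----------------------------------------------------------------
UPLOAD_BODY = b"Customer list with SSN 123-45-6789\n"   # the kind of content DLP is there to catch
HTTP_HEAD = (b"POST /upload HTTP/1.1\r\nHost: files.example.com\r\nContent-Type: text/plain\r\n"
             + f"Content-Length: {len(UPLOAD_BODY)}\r\n\r\n".encode())

SAMPLE_ALLOW = b'ICAP/1.0 204 No Content\r\nISTag: "dlp-policy-v1"\r\n\r\n'

BLOCK_BODY = b"Upload blocked by policy\n"
BLOCK_HEAD = (b"HTTP/1.1 403 Forbidden\r\nContent-Type: text/plain\r\n"
              + f"Content-Length: {len(BLOCK_BODY)}\r\n\r\n".encode())
SAMPLE_BLOCK = (b'ICAP/1.0 200 OK\r\nISTag: "dlp-policy-v1"\r\n'
                + f"Encapsulated: res-hdr=0, res-body={len(BLOCK_HEAD)}\r\n\r\n".encode()
                + BLOCK_HEAD + f"{len(BLOCK_BODY):x}\r\n".encode() + BLOCK_BODY + b"\r\n0\r\n\r\n")

if __name__ == "__main__":
    print(build_reqmod("icap://dlp.example.internal/reqmod", "dlp.example.internal",
                       HTTP_HEAD, UPLOAD_BODY).decode())
    for sample in (SAMPLE_ALLOW, SAMPLE_BLOCK):
        print(gateway_action(parse_icap_response(sample))[0])
```

The download-side (anti-malware) server uses the same framing with RESPMOD and res-hdr/res-body instead.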

Thursday, August 11, 2011

Web Application Controls

I wrote an article a few months ago talking about the new feature called "Web 2.0 controls". This feature has been firming up of late, and seems to be coalescing around the term "Web Application Controls". Each vendor does have a slightly different take on it, some focusing more on social networking, others being more broad-based and covering a number of applications. Even those without real controls are claiming "web application control" capability.

That being said, it's important to find out what a vendor means when they say "web application control". For some it just means blocking a web site based on its category. That alone probably isn't sufficient in today's malware-laden web world. Really, the secure web gateway or web proxy needs to be able to control actions on web sites (applications). For example, does the web proxy allow the user to view the website, but prevent them from posting information to it, or restrict them from uploading a photo, a video or other documents? Is there any granular control over the types of information or document types that can or cannot be uploaded? Can a user be prevented from using a chat function within a page, or an email function within a page?

Those are the important controls, and the ones needed to customize a policy to adhere to an organization's compliance rules. It may be easy to say, create a read-only Facebook policy, but it won't apply across the board. Marketing folks may need the ability to post to the company's Facebook page, but maybe you don't let them chat on Facebook. The CEO may be the only one allowed to do anything on Facebook, etc.

The key takeaway here? Make sure you know what your web proxy can do and make sure it fits your needs around "web application control".

Tuesday, August 9, 2011

Sophos AV Critically Flawed?

The big news out of Black Hat last week in Las Vegas was a session that described Sophos AV as being critically flawed.

A Google security engineer, Tavis Ormandy, released his findings in a paper following his presentation at Black Hat. Ormandy said his analysis found that Sophos software uses weak or outdated cryptography in the way it builds and matches virus signatures, relies on obfuscation for security too often, and fails to comprehend certain exploitation techniques, among other problems.

From Ormandy:

“My intent for this project was to provide the missing technical specifications for Sophos Antivirus in order to help those evaluating antivirus do so thoroughly,” Ormandy said. “They’ll be able to make informed decisions about whether this product makes sense in the context in which they want to deploy it.”


Sophos has promised fixes in an upcoming release. When asked if these problems exist in other AV vendors' products, the suggestion was that it's likely, as most of these programs are not fundamentally different.

It's a troubling concern and hopefully one that's addressed by all AV vendors now that there's some light on the issue.

Monday, August 8, 2011

Malware affects 6 Million Websites

eWeek is reporting a new malware outbreak that affects 6 million web pages. Should we be scared? As an IT admin, should there be concern that this is more pages than my web proxy or secure web gateway can rate?

The simple answer is no, and there's a good reason for it as well. While there might be 6 million web pages that have been compromised with an iframe injection containing JavaScript, this JavaScript actually leads to only 8 different Ukraine-based websites that actually contain the malware. So if you've got a web proxy or secure web gateway that can block embedded URLs (this is key, so you can still get to the content on those 6 million web pages), and can rate those 8 pages as malware, you can be pretty confident that you're protected. In fact, most malware attacks on the web are pretty similar to this one. While there may be 8 bad sites, there are many more (in this case 6 million) websites that lead you to those 8 bad sites. So while you can't possibly block all 6 million web sites, you can block the 8 bad ones, and prevent users from loading bad embedded URLs on a page.

Just make sure your web proxy or secure web gateway can do this too, and you won't have to worry about the hype, just the reality.
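An added example, not code from this post or from any gateway product, of the "block embedded URLs" behaviour the post relies on: rewrite the page in transit so that iframes and scripts whose src points at a host rated as malware are dropped, while the page's own content (including its legitimate embeds) is delivered untouched. The blocklist and the sample page are constructed.

```python
"""Strip <iframe>/<script> elements whose src points at a blocked host, keeping the rest of the page."""
from html.parser import HTMLParser
from typing import Iterable, List, Tuple
from urllib.parse import urlsplit

# Constructed blocklist standing in for the gateway's malware ratings of the few payload hosts.
BLOCKED_HOSTS = {"malware-host-1.example", "malware-host-2.example"}
EMBED_TAGS = {"iframe", "script"}


def is_blocked(src: str, blocked: Iterable[str]) -> bool:
    host = (urlsplit(src.strip()).hostname or "").lower()   # relative src -> "" (the page's own host)
    return any(host == b or host.endswith("." + b) for b in blocked)


class EmbedFilter(HTMLParser):
    """Re-emit the page verbatim, dropping blocked embeds together with their inner content."""

    def __init__(self, blocked: Iterable[str]):
        super().__init__(convert_charrefs=False)       # keep entities as written so they re-emit intact
        self.blocked = {b.lower() for b in blocked}
        self.out: List[str] = []
        self.stripped: List[str] = []                  # removed URLs, for the proxy's log
        self._skipping = None                          # tag name whose content is being discarded

    def _should_strip(self, tag, attrs) -> bool:
        if tag not in EMBED_TAGS:
            return False
        src = dict(attrs).get("src") or ""
        if src and is_blocked(src, self.blocked):
            self.stripped.append(src)
            return True
        return False

    def handle_starttag(self, tag, attrs):
        if self._skipping:
            return
        if self._should_strip(tag, attrs):
            self._skipping = tag
        else:
            self.out.append(self.get_starttag_text())

    def handle_startendtag(self, tag, attrs):          # <script src="..." /> style
        if not self._skipping and not self._should_strip(tag, attrs):
            self.out.append(self.get_starttag_text())

    def handle_endtag(self, tag):
        if self._skipping:
            if tag == self._skipping:
                self._skipping = None
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skipping:
            self.out.append(data)

    def handle_entityref(self, name):
        if not self._skipping:
            self.out.append(f"&{name};")

    def handle_charref(self, name):
        if not self._skipping:
            self.out.append(f"&#{name};")

    def handle_comment(self, data):
        if not self._skipping:
            self.out.append(f"<!--{data}-->")

    def handle_decl(self, decl):
        self.out.append(f"<!{decl}>")


def filter_embeds(html: str, blocked: Iterable[str] = BLOCKED_HOSTS) -> Tuple[str, List[str]]:
    p = EmbedFilter(blocked)
    p.feed(html)
    p.close()
    return "".join(p.out), p.stripped


# Constructed sample: a legitimate page carrying one injected iframe and one injected script.
SAMPLE_PAGE = (
    "<!DOCTYPE html><html><body><p>Real article &amp; text</p>"
    '<iframe src="http://video.example/embed/1"></iframe>'
    '<iframe src="http://malware-host-1.example/in.php" width="1" height="1"></iframe>'
    '<script src="//cdn.malware-host-2.example/x.js"></script>'
    "<script>var ok = 1;</script></body></html>"
)

if __name__ == "__main__":
    clean, removed = filter_embeds(SAMPLE_PAGE)
    print(clean)
    print("stripped:", removed)
```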

Friday, August 5, 2011

Cybercrime costs up 56% in 2011

According to a study by Ponemon sponsored by ArcSight, the cost of battling cybercrime went up by 56% in 2011 for the organizations they interviewed. For the 50 organizations they looked at, the cost averaged 8.4 million dollars.

This new study is a good reminder why security, especially web security should be at the top of your list for IT dollars, if it isn't already. The web remains the primary vehicle for cybercrime, and protecting your end-users regardless of whether they are behind the company firewall or remote and on a hotel wifi should be one of the largest IT concerns today.

When selecting your web security solution, make sure the vendor can answer the tough questions about how they protect you from malware and how they protect your remote users as well as your local ones.

Monday, August 1, 2011

Video Usage

It's old news, but Cisco has estimated that 90% of all internet traffic will be consumer video by 2013. That of course instantly translates to businesses as well, whether or not the IT administrator realizes it. In fact, what most network assessment companies find is that most IT admins really have little idea of the types of traffic running on their network. For example, do you know what percentage of your traffic is peer-to-peer, video, or social networking?

PacketShaper users do know, but that's because it's a product that's commonly used in network assessments. But if you're not a PacketShaper owner, what can you do? One thing you can do is make sure your web proxy or secure web gateway is reporting on video usage and social networking usage. Make sure you know who the top video watcher is on your network, and what percentage of your web traffic goes to video sites.

For social networking, you want to know the same things, but you probably also want controls to either create a "read-only" social networking policy, or at least examine the content that's going to social networking sites. These are features your web proxy or secure web gateway should be able to provide you today.

Thursday, July 28, 2011

Microsoft Planning to Phase out Forefront TMG

Buried in the latest version of the Gartner Magic Quadrant for Secure Web Gateway, issued this past May, was information about Microsoft's Forefront TMG product.

Essentially, Microsoft has discontinued full updates to the Forefront TMG product and has placed it into sustaining mode. For that reason Gartner chose not to evaluate Microsoft Forefront TMG and did not put it in the Magic Quadrant.

This is good news for the other vendors in this market space, but bad news for customers who use Microsoft's product for their secure web gateway. With the constantly evolving threat landscape it's important for the secure web gateway product to evolve and keep up with the latest in technology. If you're at all security conscious, and you use Microsoft, it may be time to start investigating other options.

Wednesday, July 27, 2011

Shapeshifter Trojan

CRN is reporting on a new virus spread through Facebook that disables the user's anti-virus program and then pretends to be the anti-virus program. It recognizes anti-malware programs from 16 different vendors, including McAfee, Symantec and BitDefender.

This new virus is spread using old tricks, specifically the "fake codec" method. Hijacked Facebook accounts post a video, and users are encouraged to click and watch it. When they try to watch the video, they're told they don't have the right "video codec" to watch it, and that they can install it by clicking a link. Instead of installing the codec (in this case a fake Adobe Flash Player), they get the new virus. Once installed, the user helps spread the malware by posting more links to it on their own Facebook account.

In this particular case, the fake video actually has the facebook user's name embedded in the title to make it seem even more real to any unsuspecting victims.

This latest socially engineered attack is a good reminder as to why organizations need to have a secure web gateway or web proxy in place to protect users from malware, and to have policies around social networking sites, even the possibility of having a "read-only" Facebook policy.

Multi-language support

Many proxy vendors that support URL filtering also have the ability to rate webpages that aren't in the URL category database in real-time. They do this using automated programs that scan the web pages and categorize them based on the content of the website. Part of this is being able to recognize the words, tags, and tokens used on the website. That means the real-time categorization engine has to understand different languages if your users visit sites world-wide. Foreign language support is probably not as wide-spread among proxy vendors as you'd expect, so you should ask your vendor what languages they support in their real-time engine.

Some even support languages that aren't necessarily commonplace. For example, Blue Coat reports support for Klingon, as well as a made-up language they call "Pornovian", basically the common terms found on porn sites, which lets them more easily rate a site as a pornography site.

Some vendors also report language support in both real-time engines as well as background rating engines (those engines used when the page doesn't have any obvious markers that would allow it to be rated in real-time). In most cases, the background rating engine will have more language support than the real-time engine.

So if your organization is truly multi-national or global, make sure your proxy vendor is as well.

Tuesday, July 26, 2011

Black Hat Show

With the summer lull continuing, there's a show coming to Vegas for those security conscious IT admins. From July 30 to August 4, the Black Hat Technical Security Conference will be in Las Vegas. If you're looking for something to do, or just need a break, this is the show to be at if you're involved in security.

Tuesday, July 5, 2011

License Limits

As most IT buyers know, software purchases usually come with license limits. It's no different with secure web gateways and web proxies. Typically the anti-malware and URL filtering licenses are licensed by the number of users in the organization. Most of these platforms determine the number of users by counting IP addresses or unique user logins. After the license limit has been reached, each vendor's products may behave a little differently.

Some vendors will send out nag notices letting you know you've reached your license limit, others will reduce their functionality (perhaps still blocking malware, but no longer blocking content by policy), and still others just stop blocking altogether for those users over the license limit.

Depending on what type of organization you work for, any of those could be acceptable, but for certain organizations (like schools), stopping blocking altogether might not be an acceptable risk, especially when there might be complaining parents. So make sure your software does what you want it to do if you reach a license limit. (Also make sure it isn't a way for users to get around your corporate policy - I heard rumors that some students at a school generated a program to use up DHCP IP addresses to reach the license limit on their filtering software, so the "overage" IP addresses could browse freely.)

Thursday, June 30, 2011

Enterprises Accept Malware As Cost of Doing Business

A new study from Osterman Research and M86 found that 49% of businesses acknowledged security breaches in their network, and accepted them as a cost of doing business. 78% experienced a breach in the last 12 months. It's surprising given each of these breaches has an associated cost. Over half estimated the cost of a breach to be up to $50,000.

With costs like that it makes sense to look at the security infrastructure and make sure you're protecting end-users from malware, phishing, and targeted attacks where possible. The secure web gateway or web proxy is just one component in this protection, but definitely one you should have in place if you're looking to protect end-users from malware in today's web driven world.

Thursday, June 16, 2011

Web 2.0 Controls

The latest in web security seems to be what some vendors call Web 2.0 controls, and others call social networking control. Before the new controls, most security companies just offered the basic block and allow of specific categories like "Social Networking", and some even offered the slightly more advanced blocking of sites that match two categories, for example blocking sites classified as both "Social Networking" and "Games", in order to prevent employees from playing "Farmville" and "Mafia Wars" while still being able to use Facebook.

But the new controls are even more advanced, allowing you to prevent uploads to social networking sites, posting to social networking sites, etc. The benefit here is a sort of read-only capability for social networking sites. Employees can view, but they can't share any information to a social networking site. It's a big change from just block and allow.

Both Blue Coat and Ironport have these types of controls in their latest software. These capabilities give IT admins the ability to allow social networking without having to worry about data leakage, additional wasted time on games on social networking sites, and users spending the day updating their Facebook pages.
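As an added example, not code from Blue Coat, Ironport or any other vendor, here is a toy policy evaluator for the "read-only" social networking control described above (and the two-category match for games on social networking sites). The host-to-category table, the request fields and the sample traffic are all constructed assumptions standing in for a real gateway's URL filtering database and logs.

```python
"""Toy policy engine for a "read-only" social networking control.

Added example, not any vendor's code. Assumptions (constructed here):
the gateway has already resolved each request's host to URL categories,
modelled by the CATEGORIES table below, and exposes the HTTP method,
Content-Type and Content-Length of each request to the policy layer.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List

# Constructed stand-in for a URL-filtering database; hosts are examples only.
CATEGORIES: Dict[str, FrozenSet[str]] = {
    "www.socialnet.example": frozenset({"Social Networking"}),
    "games.socialnet.example": frozenset({"Social Networking", "Games"}),
    "news.example": frozenset({"News"}),
}

# Methods that only read; everything else is treated as a post or upload.
READ_METHODS = frozenset({"GET", "HEAD", "OPTIONS"})


@dataclass(frozen=True)
class Request:
    user: str
    method: str
    host: str
    content_type: str = ""
    content_length: int = 0


@dataclass(frozen=True)
class Decision:
    allow: bool
    reason: str


def categories_for(host: str) -> FrozenSet[str]:
    """Look up the host's categories; unknown hosts are 'Uncategorized'."""
    return CATEGORIES.get(host.lower(), frozenset({"Uncategorized"}))


def evaluate(req: Request) -> Decision:
    """Apply the two social networking rules from the post.

    1. A site matching both "Social Networking" and "Games" is blocked
       outright (the Farmville / Mafia Wars case).
    2. Other social networking sites are read-only: reads are allowed;
       posts, uploads and any request carrying a body are blocked.
    """
    cats = categories_for(req.host)
    if {"Social Networking", "Games"} <= cats:
        return Decision(False, "blocked: Social Networking + Games")
    if "Social Networking" in cats:
        if req.method.upper() not in READ_METHODS:
            return Decision(False, f"blocked: {req.method.upper()} is not read-only")
        if req.content_length > 0 or req.content_type.lower().startswith("multipart/"):
            return Decision(False, "blocked: body or upload on a read request")
        return Decision(True, "allowed: read-only social networking")
    return Decision(True, "allowed: no social networking rule applies")


def blocked_requests_by_user(requests: List[Request]) -> Dict[str, int]:
    """Count blocked requests per user, the kind of figure the post says
    your gateway's reporting should be able to give you."""
    counts: Dict[str, int] = {}
    for req in requests:
        if not evaluate(req).allow:
            counts[req.user] = counts.get(req.user, 0) + 1
    return counts


# Constructed sample traffic, modelled on what a gateway access log holds.
SAMPLE_TRAFFIC = [
    Request("alice", "GET", "www.socialnet.example"),
    Request("alice", "POST", "www.socialnet.example", "multipart/form-data", 48213),
    Request("bob", "GET", "games.socialnet.example"),
    Request("bob", "POST", "news.example", "application/json", 120),
]

if __name__ == "__main__":
    for req in SAMPLE_TRAFFIC:
        d = evaluate(req)
        print(f"{req.user:6} {req.method:5} {req.host:26} -> {d.reason}")
    print(blocked_requests_by_user(SAMPLE_TRAFFIC))
```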

Wednesday, June 15, 2011

Gartner Risk and Security Conference

Next week, from June 19-22, 2011, the Gartner Risk and Security conference is at the Gaylord National Harbor Hotel in Washington, D.C. It's a great conference if your organization is looking to hear the latest on risk and security, and to visit some of the leading vendors recommended by Gartner, including of course secure web proxy vendors.

Thursday, June 9, 2011

Users Ignore Malware Warnings

As an IT admin you're all too familiar with the type of user who gets a warning that they're visiting a malicious site, about to open a malicious executable, or read spam email, but they do it anyway, overriding the security of their system. Some of them even have to enter a password to override their security settings, and yet they do it anyway, and sure enough they infect themselves with a virus or malware.

The folks over at Blue Coat wrote a recent article on their Security blog about a new phishing attack that basically had no information at all in the email with the exception of a single link (no subject, no from, and no text other than the link), and sure enough some users of their home security product, K9, went ahead and overrode the settings to visit the link and were infected.

Examples like these are good reminders why we don't depend on our end-users to maintain their own security, or make sure their security is up to date. It's why a secure web gateway or web proxy maintained by an IT department is so important, and also why you don't give your users the admin password.

Monday, June 6, 2011

Security Considerations for IPv6

PC World ran an article last week on the security concerns around transitioning to IPv6. It's a relevant topic with World IPv6 day coming this week, and with the runout of IPv4 address space.

Number one on their list of concerns was security when translating between IPv4 and IPv6, and the concern that a transaction that starts out securely in one technology might open itself up to being attacked when translated to the other.

That's when it's important to consider technology that actually proxies IPv4 traffic to IPv6 rather than bridging the traffic. A proxy of course terminates the traffic and creates a completely new secure transaction to the destination. In addition, the proxy is a security device and should already have security implemented, unlike a device such as a switch that's acting as a translation device.

No matter how you integrate IPv6, you'll want to make sure you remember security as part of the deployment scenario.

Wednesday, June 1, 2011

Malware Up, Spam Down

McAfee's latest quarterly security report is showing a large increase in the amount of malware, along with a decrease in the amount of spam. The first quarter included six million unique samples of recorded malware, the most ever reported in a Q1 report by McAfee.

Spam is reported to be at its lowest levels in years, but cybercriminals have made up for the lack of spam with the increase not only in malware, but in platforms that are targeted, including Macs and Android operating systems.

The report is a good reminder that email security isn't the only application level security needed in an organization. Web security is as important if not more important in today's web based world.

Tuesday, May 31, 2011

New Gartner Secure Web Gateway Magic Quadrant

The new Gartner Secure Web Gateway Magic Quadrant is out for 2011. As most of you know, the Magic Quadrant is used by many large and medium enterprises as a guideline for deciding which IT products to purchase. The Secure Web Gateway report outlines those products which are typically Web Proxies (forward proxies), also known as secure web gateways.

For companies competing to be in the Magic Quadrant, the desirable corner to be in, is the upper right hand corner, also known as the "leaders" quadrant. This year, the usual suspects are in the "leaders" quadrant. Blue Coat, Cisco, McAfee and Websense are all in the "leaders" quadrant as expected, but this year, there's one additional name that's there, and it's a bit of a surprise. Zscaler was added to the leaders quadrant, and it's the only vendor on the list that isn't an on premises or appliance vendor. Instead Zscaler offers a solution that's a SaaS (Security as a Service), also known as a cloud solution. The other vendors on the list, while they offer on-premises solutions, have also started branching to the cloud as well, and offer their own SaaS based solutions as alternatives to the on-premises equipment.

For anyone considering a cloud solution, there are well-known limitations to cloud computing (control over the environment/maintenance windows, bandwidth constraints to the data centers, latency, and other issues). So it'll be interesting to see if these cloud based solutions start to take hold, and if they become the dominant solutions in recommendations like Gartner's.

Thursday, May 26, 2011

Malware for smartphones up 46%

ZDNet just reported on a study that showed malware targeting smartphones is up 46% this year over previous years. According to the report, run by McAfee, Symbian remains the most targeted mobile platform, but vulnerabilities are also targeted in Android and Apple iOS.

This new report is a bit of a concern given the other news this week on organizations having more of an issue with smartphone loss than with smartphone malware. With malware up, the prudent IT administrator would make sure they deal with both smartphone loss (using policy and other tools) and malware (using secure web proxies and gateways).

Apple to Issue MacOS Update to Combat Malware

Apple says it will issue a software update in coming days for Macs to combat a recent surge of malware attacks. I reported on these attacks a few weeks ago.

When using a Web browser, the phishing scheme redirects users to fake websites and claims their computer has a virus. Apple's response to the latest malware attacks shows that the threat to MacOS devices is serious, and that Macs may not be as secure as many previously believed.

It's still a good reminder that any web browsing should be done through a secure web gateway or web proxy, since many operating systems (especially ones like MacOS, smartphone OS, and tablet OS) may not yet have good anti-malware options.

Wednesday, May 25, 2011

Smartphone loss outweighs malware risk

A new study by McAfee finds that the risk of losing a smartphone (and the associated confidential and proprietary data on the phone) is greater than the risk of losing data through malware. The study found that 4 in 10 organizations had already lost data due to smartphone theft or loss.

This study may help explain why there's less concern with malware picked up from browsing the web, and why many organizations have yet to implement web security for mobile devices like smartphones. With greater risk coming from the physical loss of the device, many IT departments are already struggling with ways to keep the physical device safe and secure, and securing the web browsing on a smartphone has fallen to second place in the realm of security issues.

Part of the problem is many organizations do not have policies around smartphones, like they do around PCs and laptops, and that may be the first step to addressing this problem, and one that can help move them towards looking at securing the web access as well.

Tuesday, May 24, 2011

1 in 14 downloads is malicious

According to Microsoft, 1 in 14 downloads is malicious. That number isn't too big of a surprise for anyone already dealing with web security. With the prevalence of fake A/V and fake codec malware on the web, it's not surprising users are getting prompted to download malware more and more often.

In today's world, hackers find it easier to trick end-users into downloading malware, rather than finding holes in browsers or hacking into websites. While the evolution of browsers has led to many newer browsers being able to detect and warn end-users about threats like these, they don't always catch these threats, and of course it's unlikely end-users are running the latest browsers with the latest safeguards.

That's why it's still important to have an extra layer of security in place like a web proxy or secure web gateway. News articles on the prevalence of malicious downloads are just a good reminder that we need this extra layer of security, and that we need to make sure it is doing in-depth analysis and scanning of downloads to make sure they are malware-free.

Thursday, May 19, 2011

Canada, new hub for cybercrime?

A new report from Websense shows that due to the increased scrutiny of IP addresses and hostnames from China and Eastern Europe, cybercriminals are increasingly relocating to Canada. Apparently there's been a 319% increase in phishing sites in Canada in the last 12 months and a 53% increase in bot networks. Canada also jumped from number 13 to number 6 from 2010 to 2011 in rank of countries that host cybercrime.

This latest report just continues to show the importance of applying security across the board on all web requests regardless of where the request is headed and regardless of the reputation of the site being visited.

All sites should be rated, and any objects coming from those sites should be scanned for malware. Anti-malware and anti-virus software on the gateway is mandatory in today's malware-infested web.

Tuesday, May 17, 2011

Webpulse in a PacketShaper

I'm a little late getting to this, but Blue Coat announced a few months ago the inclusion of their Webpulse technology in the PacketShaper (the traffic shaping device that Blue Coat acquired when they acquired Packeteer a few years ago).

If you're not familiar with Webpulse, it's the cloud service behind Blue Coat Web Filter (BCWF), the URL filtering database that's an option on Blue Coat's ProxySG platform. Basically, when you visit a URL that's not in the local URL database, the ProxySG checks Webpulse to see if there's a rating for that URL already cached in the cloud, and if so brings that rating down to the local ProxySG and caches it locally. If it's not been rated in the past (because no one else in their 75 million user community has visited the page yet), then Webpulse uses an automated rating system that goes out, scans the page and tries to rate it in real-time, and then adds the real-time rating to the cloud cache, so that any other ProxySG (or other device that uses Webpulse) will get the rating if it asks for the same URL.

PacketShaper, on the other hand, is a device that offers visibility, classifies network traffic, and allows you to put constraints (essentially QoS) on each of the different "buckets" of classified network traffic. For example, if you want to allow P2P on your network, but you only want it to take up 1% of the available network bandwidth, you can set up a rule to enforce that.

Before adding Webpulse to PacketShaper, it basically considered Web traffic to be one large category. By adding Webpulse, PacketShaper now recognizes the different categories being browsed and can automatically use Webpulse to add unknown URLs to a specific category within Web traffic. The big benefit here is being able to control specific types of web traffic (say, traffic going to porn sites) by using either bandwidth controls or even blocking that traffic. (Although it allows you to block traffic, it's not as secure as a security device like ProxySG, because the default for PacketShaper is to allow traffic that it doesn't know until it's able to classify it, so some "bad" traffic may go out of or come into your network before the block takes effect based on your rules.)

Webpulse adds great additional visibility to PacketShaper, but it doesn't replace the web proxy, unless you're willing to let some "bad" traffic in before it's blocked, which I don't think any IT admin would allow. But PacketShaper does serve an interesting purpose as a network monitoring device and reporting tool, especially if you don't have a secure web gateway yet. By putting in a PacketShaper, you can see if it's worthwhile to get a secure web gateway, and at the same time you can restrict certain types of traffic from going through your network (or at least slow it down enough to discourage users from even trying it).

Monday, May 16, 2011

More Reports on Mac Malware

As Apple continues to gain market share (around 15% of the desktop market in the latest numbers), it's no surprise that there's more malware targeting Mac OS. While many Mac users feel inoculated from the widespread attacks of malware because of the OS they run, they should feel less safe now, with the introduction of the MacDefender virus and the Weyland-Yutani bot, both of which specifically target Mac users.

It's an inevitable outcome of the popularity of Apple, and probably only a small foreshadowing of the attacks to come on iOS, the operating system of the popular iPhone, iPod and iPad.

With fewer choices for security on Apple devices, it makes sense to have an organization-wide web proxy or secure web gateway to block any threats coming from the web, specifically for those users on the organization's network. Unfortunately, when those users are off the organization's network, they're generally on their own when it comes to web defense (unless you've installed a client-based web protection application, like those offered by Blue Coat, Websense and others).

Web security for Macs is inevitable, and one aspect of your organization's security you'll probably want to investigate sooner rather than later.

Wednesday, May 4, 2011

Bin Laden's Death Leads to More Malware

In what shouldn't be any surprise to IT Admins, Osama Bin Laden's death this week led to an immediate surge in malware, with many scams posted using the lure of stories, videos and photos of his death. Almost all the major security firms reported a tremendous uptick in malicious websites with fake info this week based on the news story.

What is new is that ZDNet reported this week that, unlike most malware, this week's attacks included ones specifically targeted at Macs rather than PCs. These attacks apparently are targeted specifically at MacOS X.

This is especially dangerous for IT admins, since many Mac users think they're immune to malware, and generally don't have anti-malware programs running on their local desktops. That's why it's especially important to have a web proxy or secure web gateway protecting your Mac users, if you have them in your organization.

Tuesday, May 3, 2011

71% Increase in New Zombies

Commtouch is reporting an increase in the number of zombies (compromised computers) on the Internet. Their numbers indicate a 71% increase since the start of a new malware outbreak based on fake advertising pretending to be from shippers like DHL, UPS, USPS, and Fedex.

It appears that this new attack has been relatively successful, convincing large numbers of users to click on malware and infect themselves. It's sad that despite common sense, and warnings from administrators, end-users continue to click on malicious links and email attachments.

It's a good reminder of why you need to have protection in place like a web proxy, in addition to scanning all your incoming email for spam and malware. A web proxy helps protect users who click on malicious links from downloading malware to their PCs. If you don't have a secure web gateway or a proxy, here's another reminder why you need one.

Thursday, April 28, 2011

Destroying Hard Drives

Network World recently published an interesting article about a practice at Google. It turns out they keep rigorous track of all their hard drives, and when they are no longer needed they shred and destroy them to prevent any chance of data leakage.

At first glance this practice sounds like almost overkill, but in this day and age of continual security breaches, this practice may actually turn out to be the safe and prudent one to follow, and certainly only the tip of the iceberg in terms of security practices you can follow to prevent data leakage at your organization.

We've talked previously here on this blog about DLP (data leakage protection) solutions that tie into your existing web proxies using the ICAP protocol. This article on hard drive destruction to prevent data leakage is a good reminder to look into DLP solutions for your proxy if you haven't done so already.

Wednesday, April 27, 2011

Why Intel Bought McAfee

A year after the acquisition of McAfee by Intel, there's still discussion about just why Intel would be interested in a security company like McAfee. The latest article to tackle this is on readwriteweb.com, and basically explains that Intel didn't buy McAfee to put security into silicon, as many speculated when the acquisition was first announced.

Instead it's because security for silicon is going to come more and more from software and putting that software lower in the stack, and that's the primary driver for Intel's acquisition according to the article.

That sort of leaves one wondering how much effort Intel's going to put into maintaining the security products that work much higher in the chain, like their Secure Web Gateway, which is an application level security device. We'll just have to wait and see.

Tuesday, April 26, 2011

Language Recognition

Last week Blue Coat announced that it added Norwegian to its list of languages it recognizes when analyzing websites for malware and categorization in its Webpulse system. It brings Blue Coat to 18 languages recognized by Webpulse, and 50 languages categorized in their database.

Language recognition doesn't seem to be something very many security firms tout as a feature, so I'm wondering how important it is that your security company recognize Norwegian, or even Chinese, Spanish or German. My guess is that while the individual language may not be important to you, the ability to classify sites written in different languages is.

As a side note, Blue Coat's also the company that some time ago claimed they recognized Klingon as a language in their threat detection and web site classification modules.

Tuesday, April 19, 2011

With each new holiday comes new malware - Easter

With Easter approaching it should be no surprise that malware with an Easter theme is going around the web. McAfee has reported a wave of emails this morning which pretend to be Easter cards containing an animated greeting.

The download is instead a Trojan which contains key-logging software and backdoor access to return data and allow additional malware to be deployed.

So keep vigilant, and browse the web safely.

Thursday, April 14, 2011

More sites get hacked

In case you missed the news, another big name (not in security) got hacked this week. This time it was WordPress, the guys that host and provide the software for many popular blog sites.

This, on the heels of the recent news of the Epsilon breach, has a lot of IT admins on edge, wondering if their own web servers are safe.

It's a good reminder to look into reverse proxies and web application firewalls, the devices that are designed to keep the corporate web server safe. It was the fact that Barracuda took down their web application firewall that led to their security breach. Getting a reverse proxy or web application firewall in and of itself probably isn't enough to call yourself secure; you also need to make sure the software on your webserver is up-to-date, and review any code you're running on your webserver.

Firewall software open to TCP handshake hack

A new report from NSS shows that out of 6 common firewalls, 5 were vulnerable to a "TCP Split Handshake Attack", an attack that allows a hacker to trick the firewall into thinking an IP connection is a trusted one from behind the firewall. Check Point was the only vendor that was not vulnerable. The other vendors tested, Cisco, Juniper, Palo Alto Networks, Fortinet and SonicWall, were found to be vulnerable.

NSS Labs independently tested the Check Point Power-1 11065, the Cisco ASA 5585-40, the Fortinet Fortigate 3950, the Juniper SRX 5800, the Palo Alto Networks PA-4020 and the SonicWall NSA E8500.

Many of these firewalls also offer web security, an offering similar to what secure web gateways and proxies offer, generally with a lower level of anti-malware protection. This report is a good reminder of why it's a better practice to keep different security products on different platforms, rather than go for a UTM (unified threat management) device that tries to do everything in one box. You don't want a vulnerability in one box to affect all your security. Typically email and web security should be kept on separate devices, not only to keep any vulnerabilities separate, but also because each can easily generate a load that would overwhelm a single device and compromise the other security functions running on it.

Wednesday, April 13, 2011

Latest AV Comparatives report is out

If you're wondering which AV vendor to use on your web gateway, you might want to take a look at the latest AV Comparatives report.

It covers a long list of AV Vendors including: Avast, AVG, Avira, BitDefender, eScan, Eset, F-Secure, G Data, K7, Kaspersky, McAfee, Microsoft, Panda, PC Tools, Qihoo, Sophos, Symantec Norton, Trend Micro, Trustport and Webroot.

In terms of missed samples (lower is better), G Data topped the list followed by Trustport, Avast, Panda, and F-Secure. At the bottom of the list was K7, followed by Webroot, AVG, PC Tools and Sophos. This ranged from a 99.8% detection rate down to 84.4% for K7.

The other side of the testing looked at false positives. McAfee scored at the top with zero false positives, followed by Microsoft, and a 3-way tie for third with BitDefender, eScan and F-Secure. At the bottom of the list was Trend Micro with 290 false positives, followed by Qihoo, Webroot, Eset, and Avast. Avast came in with 19 false positives.

In addition to detection rates and false positives, AV Comparatives also looked at speed of scanning. The highest throughput was Avast, followed by Panda, K7, Webroot and McAfee. The slowest vendor was Microsoft, followed by PC Tools, Qihoo, eScan and Eset.

Given these three parameters, 7 products were awarded the highest honors. These vendors included Trustport, F-Secure, Bitdefender, Avira, eScan, Kaspersky and McAfee.

Check out the report yourself at http://www.av-comparatives.org/images/stories/test/ondret/avc_od_feb2011.pdf

Tuesday, April 12, 2011

Another security vendor gets hacked - this time Barracuda

After the news of the McAfee website getting attacked, comes news that Barracuda's website got hacked, and leaked sensitive company information including partner info, and employee credentials.

It appears the breach came from an SQL injection attack. It's especially troubling because Barracuda sells something called a Web Application Firewall (WAF), basically a souped up reverse proxy designed to protect websites from attacks like this one. In a recent followup the CMO of Barracuda acknowledged their WAF was offline during the attack, during a maintenance window.

The latest attack just continues to prove you can't be too paranoid about security in this day and age.

Friday, April 8, 2011

Captcha Protected Malware

The Blue Coat Security Group has written about a new way of distributing malware on the web. A few new official looking corporate type websites that are offering jobs after completion of an online examination have popped up here in the U.S. and in the U.K.

The unfortunate part about these websites is that they look even more official, since they require the end user to pass through a "captcha" before getting to the exam. A "captcha", in case you aren't familiar with the term, is a graphic of squiggly letters and numbers that supposedly cannot be read by a machine, so that only a human could recognize them; you have to enter them correctly to proceed.

While these malware sites require passing through a "captcha", it turns out that you can enter anything in the field, and you get past the "captcha" and automatically start downloading malware, instead of actually getting to an online examination.

The key to protecting yourself here is, of course, what we always say: make sure you're browsing the web behind a secure web gateway or proxy that's running up to date web filtering and anti-malware software. For those end-users who need to be protected and aren't on a corporate network, there's also Blue Coat's free K9 software, available at www.getk9.com

Thursday, April 7, 2011

Email Malware Gets Big Uptick


Commtouch is reporting this week that there's a huge spike in the amount of email with attached malware.

From their blog:

Virus distributors have steadily decreased their usage of email as a means of malware distribution. The more popular methods nowadays include the use of drive-by downloads as well as “voluntary” downloads of “shockwave updaters” and “movie codec files”.

But the last day or so has seen very high levels of emails with attached malware. At one point these accounted for over 30% of all email received. The sudden increase can be seen in the graph.


It's surprising since the amount of malware had actually been going down from email and going up in web delivery. It makes me wonder if the increase in web security is driving malware writers back to email as a delivery mechanism. Maybe they think security companies have gone lax in email as they've stepped up web security. The key takeaway? Keep your security up to date, no matter what it's protecting.

Wednesday, April 6, 2011

Cisco calls out Websense on Lizamoon attack

If you've been following the malware news this past week, you've probably noticed an article or two on Websense's report regarding a new malware attack based on SQL injection, which they dubbed 'Lizamoon'. As the news progressed, so did their numbers on how many sites were affected. By their own count they claimed as many as 1.5 million websites were compromised, and other news outlets even claimed 4 million sites were compromised.

But yesterday Websense updated their website, and claimed the numbers may have been inflated a little bit, and in reality there were probably only 500,000 sites infected.

Cisco, specifically their ScanSafe division, took offense at even that number and reported that likely not even 1,000 sites were infected.

From a threatpost article on the issue:

Landesman said Cisco had identified only 1,154 unique compromised Websites between September, 2010 and March 2011 that were associated with the mass SQL injection attacks. Even within those domains, the individual or group behind the SQL injection attacks is throttling the distribution of attack code, meaning just a fraction of all potentially malicious encounters actually deliver malicious code. Landesman said the "live encounter rate" is around 0.15%, according to Cisco data.

Cisco has had only a handful of detections, she said. Other firms, also, said they were seeing only low numbers of compromises related to Lizamoon. Kaspersky Lab reports just four detections from domains associated with the Lizamoon SQL injection attacks. Websense did not respond immediately to a request for comment.

Cisco said it is providing a signature for the Lizamoon SQL injection attack because of "intense media attention," but considers the danger of infection from the attack to be extremely low.


So while we see alarming news, it's always a good thing to check the facts before you start to worry.

Monday, April 4, 2011

Data Theft Expected to Lead to Targeted Phishing

You'd pretty much have to not be part of the digital age to have missed this weekend's news that Epsilon, an email marketing firm, was compromised, and that mailing lists from well-known companies like Tivo, JP Morgan Chase, Capital One, Best Buy and others were stolen. While only names and email addresses were in the stolen data, there are already predictions that this stolen information will lead to targeted phishing attacks looking for more personal information that could be used for more harmful activities like identity theft.

So, no surprise: be wary of emails from the organizations you know were compromised in this attack, and don't send out any personal information, especially not over email, and not on websites you haven't verified. Verify a site by checking that its URL isn't obfuscated (e.g. bestbuy.xyz.com instead of bestbuy.com) and by checking the SSL certificate you get from the site (over HTTPS, which you should be using before you give out any sensitive information) to make sure it really belongs to the site you intended to visit and was verified by a CA (certificate authority).

If all that's too much to remember, then also make sure you're using a secure web gateway or proxy, that identifies and blocks phishing sites, especially one that can do this real time as new sites come online.
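The two checks in the previous post (is the hostname really the brand's domain, and does the certificate belong to that host) written out as code. This is an added example and not part of the original post; the brand domain, the sample links and the certificate data are constructed. In practice a TLS library does the certificate half for you (Python's ssl.create_default_context() verifies both the CA chain and the hostname); host_matches_cert shows what the hostname part of that verification checks, on a peer-certificate dict of the shape getpeercert() returns.

```python
# Added example, not from the original post: the two checks described above, written
# as functions a gateway or a careful user could apply to a link from an e-mail.
# Brand domain and certificate data are constructed for illustration.
from urllib.parse import urlsplit


def url_belongs_to(url: str, expected_domain: str) -> bool:
    """True only if the link's host is expected_domain or a subdomain of it.
    urlsplit() yields the real host, so 'bestbuy.com@xyz.com' and
    'bestbuy.xyz.com' both fail, as they should."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    expected_domain = expected_domain.lower()
    return host == expected_domain or host.endswith("." + expected_domain)


def _name_matches(pattern: str, host: str) -> bool:
    """Certificate name match: a '*' may only stand for the whole leftmost label
    and for exactly one label, so '*.bestbuy.com' does not cover 'bestbuy.com'."""
    pattern, host = pattern.lower(), host.lower()
    if "*" not in pattern:
        return pattern == host
    p, h = pattern.split("."), host.split(".")
    if p[0] != "*" or len(p) < 3 or len(p) != len(h):
        return False
    return p[1:] == h[1:]


def host_matches_cert(host: str, cert: dict) -> bool:
    """Check a peer-certificate dict (the shape ssl.SSLSocket.getpeercert() returns)
    against the host we meant to reach. Only subjectAltName DNS entries count;
    the subject CN is consulted only when the certificate has no SAN at all."""
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return any(_name_matches(p, host) for p in sans)
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return any(_name_matches(p, host) for p in cns)


def verify_link(url: str, expected_domain: str, cert: dict) -> dict:
    """Run both checks and report each result, the way a block page or log line would."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    return {
        "host": host,
        "https": parts.scheme == "https",
        "domain_ok": url_belongs_to(url, expected_domain),
        "cert_ok": host_matches_cert(host, cert),
    }


# Constructed certificate, as getpeercert() would present it for the genuine site.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.bestbuy.com"),),),
    "subjectAltName": (("DNS", "www.bestbuy.com"), ("DNS", "*.bestbuy.com")),
}

if __name__ == "__main__":
    for link in ("https://www.bestbuy.com/account", "http://bestbuy.xyz.com/account",
                 "https://bestbuy.com@xyz.com/account"):
        print(link, verify_link(link, "bestbuy.com", SAMPLE_CERT))
```

The userinfo trick (bestbuy.com@xyz.com) is the reason the check goes through urlsplit() rather than looking for the brand name anywhere in the link: the brand string is present, but the host the browser connects to is xyz.com.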

Wednesday, March 30, 2011

Employee leaks are most significant data threat

McAfee has a new survey out that found the most significant threat to businesses is data that is leaked accidentally or intentionally by employees. In addition to that the survey also found that companies were reluctant to report data breaches because of the impact to their reputation, and 1 in 10 said they would not report a breach unless legally required to (like in California).

The threat from data leakage is one that's been around for a while, but is probably even more prevalent now that the web is such a ubiquitous tool in most organizations. Many employees don't think twice about using the web as part of their day to day operations.

The question is how an organization protects itself from this threat while still providing access to the web. The answer, of course, is the web proxy. It serves the important purpose of protecting web surfers from malware coming in from the web, but it can also be used to monitor outbound data to the web, to help prevent accidental or intentional data leakage. Many DLP vendors integrate with the proxy through ICAP, so there's no reason you can't have an easy-to-deploy DLP solution in your network today.
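What "integrate through ICAP" looks like on the wire, as an added example that is not code from Blue Coat, McAfee or any DLP vendor: the proxy wraps the user's outbound HTTP request in an ICAP REQMOD message (RFC 3507), the DLP service inspects the body, and it answers either 204 (send it on unchanged) or a complete HTTP 403 for the proxy to return to the user. The service address, the sample POST and the card-number check are all constructed for illustration; a real DLP engine would run far richer policies than a Luhn check.

```python
# Added example, not Blue Coat's, McAfee's or any DLP vendor's code: the ICAP
# REQMOD exchange (RFC 3507) by which a proxy hands an outbound request to a DLP
# service, with a toy card-number check on the DLP side. The service URL, the
# sample request and the body are all constructed.
from __future__ import annotations
import re

ICAP_SERVICE = "icap://dlp.example.internal/reqmod"   # assumed service address


# ---- proxy side: wrap the client's outbound HTTP request in an ICAP REQMOD ----
def build_reqmod(http_headers: bytes, body: bytes) -> bytes:
    """Encapsulate the request as the proxy sends it: the ICAP 'Encapsulated' header
    gives the byte offset of each part, and a body travels HTTP-chunked."""
    host = ICAP_SERVICE.split("/")[2]
    if body:
        enc = b"req-hdr=0, req-body=%d" % len(http_headers)
        tail = b"%x\r\n%s\r\n0\r\n\r\n" % (len(body), body)
    else:
        enc = b"req-hdr=0, null-body=%d" % len(http_headers)
        tail = b""
    icap = (b"REQMOD " + ICAP_SERVICE.encode() + b" ICAP/1.0\r\n"
            b"Host: " + host.encode() + b"\r\n"
            b"Encapsulated: " + enc + b"\r\n\r\n")
    return icap + http_headers + tail


# ---- DLP side: parse the ICAP message and inspect the outbound body ----
def parse_reqmod(msg: bytes) -> tuple[bytes, bytes]:
    """Split a REQMOD message into (HTTP request headers, de-chunked body)."""
    icap_hdr, rest = msg.split(b"\r\n\r\n", 1)
    enc = {}
    for line in icap_hdr.split(b"\r\n"):
        if line.lower().startswith(b"encapsulated:"):
            for item in line.split(b":", 1)[1].split(b","):
                name, _, value = item.strip().partition(b"=")
                enc[name] = int(value)
    hdr_len = enc.get(b"req-body", enc.get(b"null-body", 0))
    http_headers, chunked = rest[:hdr_len], rest[hdr_len:]
    body = b""
    while chunked:
        size_line, chunked = chunked.split(b"\r\n", 1)
        size = int(size_line.split(b";")[0], 16)
        if size == 0:
            break
        body += chunked[:size]
        chunked = chunked[size + 2:]          # skip the CRLF after the chunk data
    return http_headers, body


CARD_RE = re.compile(rb"\b(?:\d[ -]?){13,16}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, which filters out most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(body: bytes) -> list[str]:
    """Candidate PANs in an outbound body: 13-16 digits with optional separators."""
    hits = []
    for m in CARD_RE.finditer(body):
        digits = re.sub(rb"[ -]", b"", m.group()).decode()
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            hits.append(digits)
    return hits


def reqmod_response(msg: bytes) -> bytes:
    """DLP verdict: 204 means 'send the request unchanged'; on a hit the service
    returns a complete HTTP 403 that the proxy delivers to the user instead."""
    _headers, body = parse_reqmod(msg)
    hits = find_card_numbers(body)
    if not hits:
        return b"ICAP/1.0 204 No Content\r\n\r\n"
    page = b"Blocked by DLP policy: %d card number(s) in outbound request\n" % len(hits)
    http = (b"HTTP/1.1 403 Forbidden\r\nContent-Type: text/plain\r\n"
            b"Content-Length: %d\r\n\r\n" % len(page))
    icap = b"ICAP/1.0 200 OK\r\nEncapsulated: res-hdr=0, res-body=%d\r\n\r\n" % len(http)
    return icap + http + b"%x\r\n%s\r\n0\r\n\r\n" % (len(page), page)


# Constructed outbound request: a user pasting a card number into a web form.
SAMPLE_HEADERS = (b"POST /submit HTTP/1.1\r\nHost: forms.example\r\n"
                  b"Content-Type: application/x-www-form-urlencoded\r\n\r\n")
SAMPLE_BODY = b"note=expense report&card=4111 1111 1111 1111"

if __name__ == "__main__":
    print(reqmod_response(build_reqmod(SAMPLE_HEADERS, SAMPLE_BODY)).decode())
```

The 204 path is what makes the integration cheap for the proxy: nothing is rewritten or buffered for the common case, and only a policy hit costs a full response exchange.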

Tuesday, March 29, 2011

McAfee's Website Full of Security Holes

TechEYE.net is reporting that McAfee's corporate website is riddled with vulnerabilities. It must be a bit of an embarrassment for McAfee and new owner Intel that the YGN Ethical Hacker Group reported the McAfee website is full of security mistakes that could lead to cross-site scripting and other attacks. These holes were reported to McAfee last month.

From the TechEYE.net article:

In addition to cross-site scripting, YGN discovered numerous information disclosure holes with the site including seeing an internal hostname and finding 18 source code disclosures.
The bit of the site that could be used for XC scripting attack hosted some of McAfee's files for downloading software.
If only there were some software which could scan a site to detect such errors.
McAfee peddles a McAfee Secure service to enterprises to make sure their customer-facing websites are secure. McAfee Secure scans a website daily for "thousands of hacker vulnerabilities" and if a site gets McAfee's "high standard of security," then users of McAfee anti-malware products see a "McAfee Secure" label in their browsers.
The security product claims to test for personal information access, links to dangerous sites, phishing, and other embedded malicious dangers that a website might unknowingly be hosting.


Apparently problems with security on McAfee's website aren't new.

Actually McAfee's website is regularly found to be lacking in security. In 2008 it was found to be suffering from cross-site scripting (XSS) errors by security outfit XSSed.
In 2009, a white-hat hacker going by Methodman published proof-of-concept attacks against websites kc.mcafee.com and mcafeerebates.com and in April 2010, the McAfee.com community forums were defaced via an XC scripting attack.


One certainly hopes McAfee puts more security in their product than they do in their website.

Monday, March 28, 2011

Why Isn't Endpoint Security Enough?

Just this week someone posed the question on Yahoo Answers of whether endpoint security was really enough, and why a web security proxy was even needed. It's surprising to me how many people still think that end-point security is enough in this day and age. With web attacks being the primary vehicle for malware and spyware today, you'd think more IT administrators would want to be proactive about their defenses against threats from the web.

While end-point security is one layer of security for web threats, it shouldn't be the only layer of defense. Why not? Well, the answer is rather simple: would you trust your end-users to do the right thing? What I mean by that is, do you trust your end-users to make sure their end-point security is up to date, has the latest patches, and downloads the latest definitions regularly? On top of that, are you sure your end-users haven't found a way to disable their end-point security because they found it annoyingly slow, because it blocked sites they wanted to visit, or for some other seemingly benign reason?

If you think your end-users are well-behaved, then I'm sure you're in the minority. For the rest of us, the web security proxy adds another layer of defense for the paranoid IT administrator. It also provides some additional security layers that aren't typically found in end-point security software. Some proxy vendors offer real-time category ratings, cloud-based sharing of the latest threat information, and the ability to scan all downloads for malware and spyware.

Many even let you pick the vendor whose anti-virus and anti-malware software you're going to run on the proxy, enabling the IT administrator to select a different vendor than the one used on the end-point security client. This makes sure you've really got an added layer of defense, so that when one vendor misses malware you've at least got the chance the other vendor will catch it.

All these are good reasons to have a secure web proxy, even when you've got end-point security.

Friday, March 25, 2011

Microsoft pays Nortel $7.5 million for IPv4 addresses

In a Network World article today it was announced that Microsoft offered to pay Nortel $7.5 million for 666,624 legacy IPv4 addresses. The sale is pending approval by U.S. Bankruptcy Court for the District of Delaware as part of Nortel's Chapter 11 bankruptcy.

It may just be the start of things to come, as we've run out of IPv4 address space, as previously mentioned in this blog. If you haven't started your migration to IPv6, it's definitely time to start the investigation.

This sale is reportedly the first publicly disclosed large-scale sale of IPv4 addresses since ICANN announced they had run out of address blocks. If the court approves the sale on April 26, these 666K-plus addresses will sell for $11.25 per address. Network World estimates that's more than the going rate to register a .com domain name, which these days can be had for as little as $7.50.

Additional information from Network World:

Nortel filed for Chapter 11 on January 14, 2009. In November, it realized its block of legacy IPv4 addresses might be worth something to its debtors and it hired Addrex, a stealthy broker of IPv4 addresses, to find a buyer. Addrex began shopping around and, in early December, asked eighty potential purchasers if they were interested. Of these, 14 expressed interest and seven actually submitted bids for all or some of the addresses, according to the court documents. Obviously, Microsoft walked with the prize for being the highest bidder.

Interestingly, those in the IP-address-assigning business seem to be busy launching brokering sites so that deals like this one can grow commonplace. The so-called "aftermarket" for IPv4 addresses is expected to heat up in about six months, as large network providers feel the pressure of their dwindling IPv4 address supply, John Curran, president and CEO of the American Registry for Internet Numbers told Government Computer News.


Just a reminder for those of you that don't know where to begin with your IPv6 migration, that there are more tools announced every day to help. Blue Coat, the proxy vendor announced early on their proxy would do IPv4 to IPv6 proxying, and would be a useful migration tool. Brocade announced this week that their switches would do something similar.

So there are tools out there, and no reason not to get started with IPv6.

Thursday, March 24, 2011

Update to the site template

If you've been a regular follower of this blog, you'll notice a couple of new updates I've added on the information bar. I've gone ahead and added the google analytics statistics as well as the gadget called "Sociable". The google analytics shows you how popular this blog has been, and the "Sociable" gadget lets you add a favorite post or article directly to your facebook account, tweet the link, or send it to some other favorite social networking site. Hope you enjoy these changes.

Friday, March 18, 2011

Websense puts itself up for sale

News came out on Wednesday that San Diego-based Websense is considering putting itself up for sale. Websense is working with Qatalyst Partners to evaluate whether it should sell.

The Wall Street Journal estimates the company could be worth about $1 billion in a sale. If Websense does manage to sell itself, it will become the latest web security vendor to get acquired. Ironport and Secure Computing, were two other high profile web security companies that were acquired. If Websense joins their ranks, it will leave Blue Coat as the only major player that hasn't been acquired into a much larger company.

Monday, March 14, 2011

What's preventing you from putting in a proxy?

With new headlines almost daily about the rise in web threats, there's really no excuse for not having some protection against malware that comes across from web sites. A proxy or secure web gateway would go a long way in reducing the vulnerability of your organization's web surfers to malicious intent.

So if your organization doesn't have a proxy or secure web gateway, the question then is why? Is it a cost / budget issue? Do you think the technology is too difficult to implement without a specialist on staff? Are you afraid of the user experience with web browsing after you implement a proxy?

If it's cost, then think about the cost of one serious malware breach spreading across the workstations in your organization. There should be some budget available to prevent that, given that the overall likelihood of a significant malware event from a web source only continues to increase.

If it's complexity, then you should consider looking at new easier to use products like Blue Coat's ProxyOne platform. Compare it with other appliances on the market and see which one is the easiest to implement. There are definitely more vendors going after the ease of use market than ever before.

Finally, what's the user experience after you put in a proxy? By all accounts you should have better performance, especially if you put in a caching proxy. A caching proxy stores content fetched from the world wide web so that an end user can get it locally if it's been asked for before, improving the overall web browsing experience. Caching proxies are also used by many service providers to improve their users' experience with web browsing.
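The decision a caching proxy makes on every request, whether the stored copy is still fresh enough to serve without going back to the origin, as an added example that is not code from any proxy vendor. It follows the HTTP caching rules (RFC 7234): an explicit s-maxage or max-age wins, then Expires minus Date, then a heuristic of ten percent of the document's age from Last-Modified, and a shared cache never stores private or no-store responses. The header values are constructed.

```python
# Added example, not from the original post or any proxy vendor: the freshness
# calculation a shared caching proxy performs before answering from its store.
# Header values used in the tests are constructed.
from email.utils import parsedate_to_datetime


def _norm(headers: dict) -> dict:
    """Header names are case-insensitive; work with lowercase keys throughout."""
    return {k.lower(): v for k, v in headers.items()}


def _directives(headers: dict) -> dict:
    """Parse Cache-Control into {directive: value-or-None}, directives lowercased."""
    out = {}
    for part in headers.get("cache-control", "").split(","):
        part = part.strip()
        if part:
            name, _, value = part.partition("=")
            out[name.lower()] = value.strip().strip('"') or None
    return out


def freshness_lifetime(headers: dict) -> int:
    """Seconds a shared cache may serve the response without asking the origin again."""
    h = _norm(headers)
    cc = _directives(h)
    for name in ("s-maxage", "max-age"):        # s-maxage wins for a shared proxy cache
        if cc.get(name) is not None:
            return int(cc[name])
    if "expires" in h and "date" in h:
        try:
            delta = parsedate_to_datetime(h["expires"]) - parsedate_to_datetime(h["date"])
            return int(delta.total_seconds())
        except (TypeError, ValueError):
            return 0                            # unparseable Expires means already stale
    if "last-modified" in h and "date" in h:    # heuristic: 10% of the document's age
        since_change = parsedate_to_datetime(h["date"]) - parsedate_to_datetime(h["last-modified"])
        return int(since_change.total_seconds() * 0.1)
    return 0


def storable(headers: dict, status: int = 200) -> bool:
    """A shared cache must not keep no-store or private responses, nor most non-200s."""
    cc = _directives(_norm(headers))
    if "no-store" in cc or "private" in cc:
        return False
    return status in (200, 203, 204, 301, 404, 410)


def should_serve_from_cache(headers: dict, age_seconds: float, status: int = 200) -> bool:
    """The hit/miss decision: a stored copy is served while its age is below the
    freshness lifetime; a no-cache response is kept but always revalidated first."""
    cc = _directives(_norm(headers))
    if not storable(headers, status) or "no-cache" in cc:
        return False
    return age_seconds < freshness_lifetime(headers)


if __name__ == "__main__":
    sample = {"Date": "Mon, 14 Mar 2011 10:00:00 GMT", "Cache-Control": "max-age=600"}
    for age in (0, 599, 600):
        print(age, should_serve_from_cache(sample, age))
```

The private and no-store rules are the part worth remembering on a gateway: a user's personalised page must never become another user's cache hit, so a shared proxy treats those responses as misses regardless of how fresh they look.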

So what are you waiting for? Go put in the requisition for a secure web gateway or web proxy today.

Wednesday, March 9, 2011

Number of Malware Infected Sites Double

A new Dasient report says that the number of Web sites infected with malware has doubled in the past year. That means there's around 1.2 million Web sites out there infected with malware.

According to Crunchgear, that means it takes about three months of Web surfing for the average person to have a 95 percent chance of running into malware.

All the more reason to keep your secure web gateway/proxy system up to date, with a working anti-malware program running at all times. It probably doesn't hurt to have end-user protection on the organization's workstations and laptops as well.

Monday, March 7, 2011

Intel completes acquisition of McAfee

In case you missed the news, Intel Corporation announced that the acquisition of McAfee, Inc. is complete as of February 28, 2011.

McAfee will continue developing and selling security products and services under its own brand. Intel and McAfee plan to bring the first fruits of their strategic partnership to market later this year, with the intent of tackling security and the pervasive nature of computing threats in an entirely new way.

As a wholly-owned subsidiary of Intel, McAfee reports into Intel's Software and Services Group. The group is managed by Renée James, Intel senior vice president, and general manager. McAfee's president, Dave DeWalt, will report to James.

For those of you who have been following the company once known as Secure Computing (which produced the proxy device also known as the McAfee Secure Web Gateway), that means one more layer of ownership.

Thursday, February 24, 2011

How to Get IPv6 Now?

With all the hype around running out of IPv4 address space you'd think it'd be easy to find resources to help you move to IPv6.

I've already talked in previous posts about how the Blue Coat ProxySG serves as an IPv4 to IPv6 proxy, but I haven't found much other information about getting to IPv6 until I came across this post on Cisco's Blog by Phil Remaker.

Remaker includes a lot of good links to resources for those who don't know where to begin with IPv6.

Wednesday, February 23, 2011

Hardware Comes Quietly Into the Night

I'm not sure why, but hardware vendors seem loath to talk about new hardware offerings. In part I think it's because they're afraid that if their competitors find out, they'll use the opportunity to push their own hardware, thinking the customer will be forced into some forklift upgrade. While some competitors may see it that way, I'd tend to think most would be smart enough to realize that new hardware doesn't always signal the end of the old hardware. Typically older hardware still has some life in it, and vendors tend to allow their customers to renew support on older hardware for some period of time (otherwise, they'd have some pretty unhappy customers).

But even so, every major proxy vendor introduced new hardware in the last year without much fanfare. Blue Coat last year announced new low end platforms, the ProxySG 300 and ProxySG 600, a desktop and a 1U rack mount unit. The two new platforms now offer booting from a solid state device, for better reliability along with built in hardware SSL acceleration.

Cisco updated its high-end S-series hardware, introducing an S370 and an S670 platform. Both appear to be just hardware revisions of the S360 and S660 that they replace. McAfee finally took the opportunity to get off of their Dell-based hardware and replace it with Intel-based chassis hardware, given their recent acquisition announcement by Intel. The low-end WW500 and WW1100 finally get replaced by the WG4000 and WG4500, lining up with the WG nomenclature already used by their higher-end siblings.

Even Websense introduced a new V5000 and a new V10000, dubbing them the V5000 G2 and V10000 G2. No major differences in the specs were discernible, so it's either a cost reduction or simply an update to currently available hardware.

So here's to new hardware across the board. Too bad we didn't get a bigger news splash from the vendors themselves.

Friday, February 11, 2011

Has Network Security Stood Still For 15 Years?

A recent article on The Inquirer discusses Nir Zuk's assertion that the corporate world is still protecting its networks with core security technology that dates back to 1995.

Nir Zuk is generally credited with creating stateful inspection technology, the first commercially viable firewall, and the world's first intrusion protection system (IPS).

Zuk's argument was that all web applications are dangerous, even big enterprise ones like WebEx and Microsoft Sharepoint and that today's security vendors can only secure web and email traffic rather than crucial applications like Facebook, Skype, LinkedIn and Twitter.

But contrary to his argument if you visit any of the big web security vendors, all of them are talking about web application control. As applications move to the web, we're seeing the traditional web security vendors moving to control web applications, and this trend is likely to continue. While Zuk is correct that the traditional network security vendors aren't protecting the users when they use web applications, at least the traditional web security vendors appear to offer that protection today.

Blue Coat has been touting "application visibility and control" since their Packeteer acquisition a few years ago, and specifically mentions the ability to block Facebook games without blocking Facebook, something Zuk mentions can't be done with a network security vendor. Cisco, likewise just recently announced the same tag line of "application visibility and control" by adding in additional knobs to their AsyncOS 7.0 for social media including Facebook.

So even if your network security is from 1995, just make sure your web security comes from one of the leading web security vendors.

Thursday, February 10, 2011

Blue Coat's Cloud Announcement

Blue Coat made an announcement this week that they were introducing a new cloud service, and would be demonstrating it at RSA next week. Their new service offering provides another alternative for web security. While many enterprises will probably decide to stick with their web proxies, it's likely many smaller companies will choose cloud offerings for web security, due to the lower maintenance requirements and the less technical expertise needed within their own organizations to deploy a cloud offering.

The big advantage to Blue Coat's offering is they bring a big name to this type of cloud service. Blue Coat's already well known for the secure web gateway appliances offering threat protection for web users, and that same protection is now available as a cloud offering.

Other choices in this area are Zscaler and ScanSafe (acquired by Cisco). It will be interesting to see how Blue Coat's offering compares, and whether companies will move to the cloud or stick with their appliances and proxies.

Thursday, February 3, 2011

One more on Reputation

As I continued my daily scanning of articles relevant to proxies, I found yet another article on why reputation doesn't work because of IP address space. A company moving datacenters found its reputation went down and it was considered a spammer, because it had to pick up a new IP address space in the new datacenter, and of course that IP address space had previously been used by spammers.

Note: It took Ironport 7 days to rectify the situation in their reputation database. A sure sign that reputation isn't a good way to go when trying to determine threat levels, at least when it takes that long to fix a problem.

Spammers Grab IP Space Assigned to Egyptian President's Wife

Incredibly just hours after I published the post on why reputation is becoming less relevant due to the runout of IPv4 address space, I read this article on eWeek talking about the hijack of IPv4 address space.

Here's the excerpt:

Spammers have control of thousands of IP addresses assigned to the wife of Egyptian President Hosni Mubarak and the science center that bears her name. According to the Spamhaus Project, spammers hijacked IP addresses assigned to Suzanne Mubarak and the Suzanne Mubarak Science Exploration Center. The move is typical of spammers trying to get their hands on Internet address space that has not been blacklisted, security pros told eWEEK. “Spammers hijack IP address space to be able to use IPs that are not…listed as having been used for spam, so that their spam has a greater chance of being delivered,” said Mike Geide, senior security researcher for Zscaler. “IP address hijacking by spammers does occur regularly. It also occurs on occasion from accidents/misconfigurations."


It's another indication that reputation as I mentioned is going to be less relevant. Hackers were able to take over IP address space with a good reputation in order to accomplish their bad deed of sending spam.

Is Reputation Even Less Relevant Today?

With the news that the IPv4 addresses have run out, another nail is put in the coffin of using reputation ratings for fighting malware and threats. Why? It's simple. In addition to the fact that hackers are attacking and inserting threats in sites that have good reputations, there's the fact that the lack of IPv4 address space is going to drive people to reuse old IPv4 address space where ever it's available.

If you're one of the unlucky ones to get an old IPv4 address that previously hosted malware, it's likely you're also inheriting the reputation rating of the previous web site. The more this happens, the more quickly you'll see the use of reputation ratings start to decrease. While we may still find some use for reputation ratings, I believe you'll find they have less of an impact in determining the threat rating of a site. Threats really need to be analyzed in real time, as new threats can come up at any time and at any web site.

Wednesday, February 2, 2011

No More IPv4 Addresses

Network World reported this week that we've officially run out of IPv4 addresses. I reported back in January that we'd run out of IPv4 addresses in a matter of weeks, and that prediction has come true.

So there's no time like the present if you haven't already investigated IPv6, and what you'll need to do to transition your network to support IPv6. As a reminder there are IPv6 proxies available to help this migration, basically a seamless way to pass traffic between IPv6 and IPv4 networks.

Friday, January 28, 2011

In the News

This week also brought a lot of interesting headlines. Some of the more interesting ones included:

* Facebook is the most blocked and 2nd most whitelisted application. Which goes to show you organizations can't decide how to treat social networking yet. As an FYI, Youtube was the most whitelisted.

* The EU cleared Intel's purchase of McAfee. The only caveat was that Intel had to promise to keep the software compatible with other vendors, and not embed it in their chips and make it proprietary to their hardware.

* At this same time this week, Symantec took a jab at McAfee, with Enrique Salem, Symantec's CEO claiming a lot of enterprise wins over McAfee, claiming that McAfee is "distracted".

Thursday, January 27, 2011

The Myth of Browser Based "Do Not Track"

It turns out a lot of browsers have been including privacy options lately as part of their feature offerings. But a new article written by Robert McGarvey claims these browser based methods don't really protect the end-user's privacy.

The explanation from his article:

The problem -- and it is huge -- is that we suddenly are in a lather about Websites tracking our movement on the Internet, with the result that we get barraged with targeted advertisements. Look at a travel site about Barbados, and for the next week likely you will be served ads offering deals and discounts in Barbados.

Now, by late January, the major browser developers have announced tools to help users prevent being tracked. The Internet Explorer tool is built into IE 9. Google’s tool for Chrome is here. Mozilla discusses its Firefox initiative here.


The problem with these new privacy tools is that they require the participation of the advertiser to work. If the advertiser respects your settings, you're all good, but if they choose not to respect them, you're still being tracked. How many of us trust the advertisers to actually honor settings in a web browser?

Accordingly McGarvey does offer one solution:

The only way not to be tracked may be the use of proxy sites. “Proxies truly work,” says Hayes. Surf through a third-party detour and, suddenly, all the Internet ad surfers are baffled by your identity.

Downside: Most proxies produce a very slow Internet experience, which is why they haven’t caught on.

But note that until we start surfing with proxies we almost certainly will be tracked; that just is reality. “People have very little right to their own privacy online,” says Hayes. “It’s scary.”


What McGarvey means when he says to use proxy sites is, of course, anonymous proxy sites, as we've discussed on this site in the past. Anonymous proxies have their upsides and their downsides. One of the big downsides is the ability for end-users to bypass the security settings on an organization's web proxy, letting them surf to sites the organization considers banned. Which makes me think there's a market for web proxy vendors to include an anonymous proxy in their secure web gateway.

Wednesday, January 26, 2011

The End is Nigh

We've known for a while that it's been coming. It's been predicted for a while, but ICANN and Google now report that we're only weeks away from running out of IP address space in the IPv4 realm. Most companies and organizations have been dragging their heels in moving to IPv6, and the actual run-out of IPv4 addresses is only going to exacerbate the problem. Many may try to get around the problem by sharing addresses using more NAT devices, but even that can only go so far.

The biggest problem is going to be that many organizations can't move that quickly to IPv6 because many of their applications may still only run on IPv4 platforms. There is a solution, and we've talked about it in the past here on The Proxy Update. There is such thing as an IPv6 to IPv4 proxy, which manages to do seamless translation between the two technologies, allowing you to slowly migrate over to IPv6 as you upgrade each of your platforms to the new technology.

Blue Coat Systems was the leader in the space introducing their IPv6 proxy first. McAfee has since also reported that they have included an IPv6 to IPv4 bridge in the latest version of their software for their web gateway.

So there's really no excuse anymore. It's time to update your network, and you've got tools available to get you there.
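The core of the IPv6-to-IPv4 proxying described in this post and in the "No More IPv4 Addresses" post above, as an added example that is not Blue Coat's or McAfee's implementation: a relay that accepts connections from IPv6 clients and opens an ordinary IPv4 connection to a legacy server, copying bytes in both directions. The client only ever talks IPv6, the server only ever sees IPv4, and neither needs to change. The addresses and ports are constructed and the "legacy server" is an in-process echo service; round_trip() wires all three together on loopback and falls back to IPv4 on both sides if the host has no IPv6 loopback.

```python
# Added example, not Blue Coat's or McAfee's implementation: a minimal TCP relay
# that accepts IPv6 clients and opens a plain IPv4 connection to a legacy server,
# which is the core of the IPv6-to-IPv4 proxying described above. Addresses and
# ports are constructed, and the "legacy server" is an in-process echo service.
import socket
import threading


def _pump(src: socket.socket, dst: socket.socket) -> None:
    """Copy bytes one way until src closes, then half-close dst so the peer sees EOF."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def _bridge(client: socket.socket, target, target_family: int) -> None:
    """One session: dial the target in its own address family, then pump both ways.
    The client never learns the target is IPv4-only, which is the migration trick."""
    upstream = socket.socket(target_family, socket.SOCK_STREAM)
    try:
        upstream.connect(target)
    except OSError:
        client.close()
        return
    back = threading.Thread(target=_pump, args=(upstream, client), daemon=True)
    back.start()
    _pump(client, upstream)
    back.join()
    client.close()
    upstream.close()


def start_server(family, addr, handler) -> socket.socket:
    """Bind, listen, and hand each accepted connection to handler on its own thread.
    Returns the listening socket so the caller can read the bound port and close it."""
    srv = socket.socket(family, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(addr)
    srv.listen(16)

    def accept_loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:                  # listening socket closed: shut down
                return
            threading.Thread(target=handler, args=(conn,), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv


def start_relay(listen_family, listen_addr, target_family, target) -> socket.socket:
    """The proxy: listen in one family (IPv6 for clients), connect in another (IPv4)."""
    return start_server(listen_family, listen_addr,
                        lambda conn: _bridge(conn, target, target_family))


def start_echo_server() -> socket.socket:
    """Constructed IPv4-only legacy service that echoes whatever it receives."""
    return start_server(socket.AF_INET, ("127.0.0.1", 0), lambda conn: _pump(conn, conn))


def ipv6_loopback_available() -> bool:
    try:
        with socket.socket(socket.AF_INET6, socket.SOCK_STREAM) as s:
            s.bind(("::1", 0))
        return True
    except OSError:
        return False


def round_trip(payload: bytes, use_ipv6=None) -> bytes:
    """Send payload from a client through the relay to the IPv4 echo server and
    return what comes back. use_ipv6=None picks IPv6 when the host supports it."""
    if use_ipv6 is None:
        use_ipv6 = ipv6_loopback_available()
    echo = start_echo_server()
    fam = socket.AF_INET6 if use_ipv6 else socket.AF_INET
    bind_addr = ("::1", 0) if use_ipv6 else ("127.0.0.1", 0)
    relay = start_relay(fam, bind_addr, socket.AF_INET, echo.getsockname())
    host, port = relay.getsockname()[:2]
    received = b""
    with socket.socket(fam, socket.SOCK_STREAM) as c:
        c.connect((host, port))
        c.sendall(payload)
        c.shutdown(socket.SHUT_WR)          # tell the relay we are done sending
        while True:
            chunk = c.recv(4096)
            if not chunk:
                break
            received += chunk
    relay.close()
    echo.close()
    return received


if __name__ == "__main__":
    print(round_trip(b"hello from an IPv6 client"))
```

A production proxy adds what this relay leaves out: per-session policy, logging of the original IPv6 client address (the IPv4 server only sees the proxy's address), and protocol awareness so that HTTP headers and the like can be inspected rather than blindly copied.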

Tuesday, January 25, 2011

How much do you use the web?

In an average day, how many web requests do you think you make? 100? 200? 1000? One thousand web requests in a single day may sound like a lot. That is until you remember that a visit to a single web page, can actually result in literally hundreds of web requests. It's a good reminder and one that Zscaler provided in this recent blog article. As the author, Mike Geide mentions, a single visit to cnn.com results in 127 separate web requests.

Today, web pages are much more complicated, and most are a "mash-up" of multiple sites. No web security company wants to block you from getting the important data you might want to see from cnn.com, but with 127 separate web transactions, the likelihood that one of them may lead you to malware or spyware is fairly significant. It's the reason why you want to make sure your web security solution, whether it's a secure web gateway or web proxy, can block embedded URLs and not just URLs at the top level. That way only the offending embedded web request gets blocked, and not your entire session to a site like cnn.com.

So how many web requests do you make a day? According to Geide, the average per user per day is around 3343 web requests per day.

Thursday, January 20, 2011

Questions from a Newbie

I recently got this question with regard specifically to Blue Coat's products, and thought there might be others out there who were confused by this as well, so I'm republishing it here. The answer is the same for other similar web gateway products.

Hi Timothy,

I'm hoping you can clarify the features of ProxyAV and WebFilter for me. As far as I can tell, they both do inline malware detection as well as antivirus scanning.

It appears that ProxyAV is an additional hardware appliance you can use in conjunction with ProxySG, whereas WebFilter is just software that runs on ProxySG.

Is this correct? Are there differences between their functionality, or are they just two implementations of the same end result?


ProxyAV is a separate appliance and talks with ProxySG over a protocol called ICAP. It runs actual AV engines, and you can choose to purchase an AV license to run either Kaspersky, Sophos, McAfee, or Panda software on the ProxyAV device. It will scan any files you attempt to download from the web via the ProxySG for viruses and malware.

BCWF (Blue Coat Web Filter), on the other hand, is a URL categorization database backed by a cloud service known as Webpulse. It puts URLs in categories. For example, google.com is in the category “Search Engines/Portals”. Some URLs are in multiple categories; for example, www.facebook.com/farmville is in both “Social Networking” and “Games”.
There is a “Malware” category in BCWF, but BCWF doesn't actually scan anything for viruses. It knows that a particular URL has been seen serving malware and keeps that URL in the category. The consequence is that if a URL sits in an allowed category, e.g. google.com in “Search Engines/Portals”, and google.com somehow gets infected, the ProxySG won't block the download even with the entire "Malware" category blocked, because that URL isn't in the "Malware" category. Only a ProxyAV doing file scanning on the download would catch it. For new URLs and new malware, the categorization often isn't in the local BCWF database yet, so the ProxySG relies on up-to-date categorizations from the Webpulse cloud, which can also categorize in real time.

Because virus scanning is typically much more CPU intensive, you would rather not send traffic to it if you don't have to. Having BCWF filtering with Webpulse come first gives you a quick URL database lookup, and if the URL is in the malware, phishing, or spyware categories you can block a significant share of threats without spending any ProxyAV engine resources on them. The AV engine then only sees the content that categorization couldn't already decide.
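To make that ordering concrete, here is an added example (my own illustration, not Blue Coat's code and not part of the original post) of a two-stage gateway decision: a URL categorization lookup first, with longest-prefix matching so that www.facebook.com/farmville can carry categories its parent site does not, and a content scan only for what the lookup did not already deny. It runs over a constructed page load of the kind described in the cnn.com post above, so each embedded request is judged on its own and the top-level page survives when one embedded ad is blocked. The category table, the .invalid hostname, the "Uncategorized" fallback, and the scanner (which only recognizes the EICAR test string and stands in for the ICAP round trip to a ProxyAV) are all assumptions made for the example.

```python
"""Two-stage web-gateway policy: URL categorization first, AV scan second."""
from urllib.parse import urlsplit

# Constructed categorization database standing in for BCWF/Webpulse (assumption:
# a real database is vastly larger and unknowns are looked up in the cloud).
# Keys are a host, or a host plus a path prefix; values are the categories.
CATEGORY_DB = {
    "www.cnn.com": {"News/Media"},
    "cdn.cnn.com": {"News/Media", "Content Delivery Networks"},
    "google.com": {"Search Engines/Portals"},
    "www.facebook.com": {"Social Networking"},
    "www.facebook.com/farmville": {"Social Networking", "Games"},
    "ads.bad-example.invalid": {"Malware"},  # constructed malicious host
}

# Categories denied outright, before any AV engine is consulted (assumption).
BLOCK_CATEGORIES = {"Malware", "Phishing", "Spyware"}

# The industry-standard EICAR test string; the stub scanner below treats it as
# its only "signature". A real ProxyAV is a separate appliance reached over
# ICAP, so stub_av_scan stands in for that round trip (assumption).
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def categorize(url):
    """Longest-prefix lookup: 'host/path' entries beat bare 'host' entries.

    Unknown URLs land in an 'Uncategorized' bucket; a real gateway would ask
    the cloud service for a real-time categorization at this point.
    """
    parts = urlsplit(url)
    host = parts.hostname or ""
    segments = [s for s in parts.path.split("/") if s]
    # Try the most specific key first, then progressively shorter prefixes.
    for n in range(len(segments), -1, -1):
        key = host if n == 0 else host + "/" + "/".join(segments[:n])
        if key in CATEGORY_DB:
            return set(CATEGORY_DB[key])
    return {"Uncategorized"}


def stub_av_scan(body):
    """Return True if the body is 'infected' (contains the EICAR string)."""
    return EICAR in body


def evaluate(request, av_scan=stub_av_scan):
    """Decide one request. Returns (verdict, reason, categories).

    Order matters: the cheap URL lookup runs first and short-circuits the
    expensive content scan whenever a category already denies the URL.
    """
    cats = categorize(request["url"])
    denied = cats & BLOCK_CATEGORIES
    if denied:
        return ("block", "category:" + ",".join(sorted(denied)), cats)
    body = request.get("body", b"")
    if body and av_scan(body):
        return ("block", "av", cats)
    return ("allow", None, cats)


def process_page_load(requests, av_scan=stub_av_scan):
    """Evaluate every request a single page visit triggers, independently.

    Each embedded request gets its own verdict, so a bad ad or download is
    blocked without tearing down the top-level page. Also counts how many
    bodies actually reached the scanner, to show what categorization saved.
    """
    scans = 0

    def counting_scan(body):
        nonlocal scans
        scans += 1
        return av_scan(body)

    results = []
    for req in requests:
        verdict, reason, _ = evaluate(req, counting_scan)
        results.append({"url": req["url"], "verdict": verdict, "reason": reason})
    return results, scans


# Constructed page load: a top-level news page and a few of the requests it
# embeds. The .invalid hostname is made up for the example.
PAGE_LOAD = [
    {"url": "http://www.cnn.com/", "body": b"<html>...</html>"},
    {"url": "http://cdn.cnn.com/css/site.css", "body": b"body{}"},
    {"url": "http://www.facebook.com/farmville/like", "body": b"ok"},
    {"url": "http://ads.bad-example.invalid/serve.js", "body": b"eval(...)"},
    {"url": "http://cdn.cnn.com/downloads/reader.exe", "body": b"MZ" + EICAR},
]

if __name__ == "__main__":
    decisions, scan_count = process_page_load(PAGE_LOAD)
    for d in decisions:
        print(f'{d["verdict"]:5} {d["reason"] or "-":18} {d["url"]}')
    print(f"{scan_count} of {len(PAGE_LOAD)} responses reached the AV engine")
```

Run as-is, the top-level cnn.com page and its CSS are allowed, the ad from the "Malware" host is blocked by category without ever touching the scanner, and the executable from an allowed-category CDN is blocked only because the scanner looked at its body; that last case is exactly the google.com scenario above, which categorization alone cannot catch.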

Wednesday, January 19, 2011

Does Anti-Malware Ruin the Web Experience?

Surprisingly, many admins who install secure web gateways or web proxies choose not to run an anti-malware or anti-virus engine on external web traffic. While these same administrators wouldn't dream of letting email into the company without a virus scan, they don't hesitate to allow web traffic in without a similar scan. I've talked elsewhere about why you absolutely need anti-malware at the web gateway.

One reason I've heard for this reluctance to implement anti-virus at the web gateway is the end-user experience when scanning is on. For most end-users, the web is a vehicle for instant gratification, and a delay of more than a second is generally considered unacceptable. Malware scanning inevitably introduces a delay, even if it's only on the order of hundreds of milliseconds, since an object generally has to be received and scanned in full before it can be released.

What's even more surprising is that when an admin does agree to implement malware scanning, it's quite common for them to ask for it to run on the same system as the web gateway (rather than on a separate processor linked via ICAP). Running the malware scanning on the gateway doesn't remove the scanning delay, and unless you're a fairly small site it also slows down the web gateway itself, adding another delay, which may be why admins see scanning as a problem. Having a separate CPU process the malware scanning keeps the web gateway performing optimally and allows the best response time for delivering web pages to the end-user.

There are also some newer tools to make scanning of large files more bearable for web users. Gone are the days of requiring "patience" pages (pages displayed to the web browser asking for patience while an object is being scanned). Today, advanced web gateways allow for "trickle" based scanning, either trickle first or trickle last. Trickle lets part of a download start while the scan is in progress, so the web browser can show the end-user that activity is occurring rather than the "hung" status that was common before trickle was available. Trickle last lets almost all of the file get downloaded but holds back the last part until the scan completes, and aborts the download if the scan finds the object is malicious, leaving the client with a truncated file. Note that this means most of a malicious file's bytes do reach the client; trickle is a usability trade-off around the scan, not an extra layer of protection.

So if you're reluctant to implement anti-virus and anti-malware scanning, look at offloading malware scanning to a separate CPU, and implement trickle to provide feedback while longer scans are occurring; you may find that anti-malware scanning is more acceptable in real-time web environments than you previously thought.
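As an added example (my own illustration, not ProxySG or ProxyAV code), here is what the offload over ICAP and the trickle-last behaviour described above look like in code: building an RFC 3507 RESPMOD request that hands an HTTP response to a separate scanner, with the Encapsulated offsets computed rather than hard-coded, reading the scanner's status line (204 means the object comes back unmodified and is treated here as clean; any other status is treated as a block, which is a simplification of how real scanners answer), and releasing all but the tail of the object to the client until the verdict arrives. The service name, the hold-back and chunk sizes, the sample HTTP headers, and the canned scanner replies are all constructed for the example.

```python
"""Handing a download to a separate scanner over ICAP, then trickling it."""

CRLF = b"\r\n"


def chunked(body):
    """HTTP/1.1 chunked encoding (one chunk), which ICAP requires for bodies."""
    if not body:
        return b"0\r\n\r\n"
    return b"%x\r\n%s\r\n0\r\n\r\n" % (len(body), body)


def build_respmod(service, req_hdr, res_hdr, body):
    """Build an ICAP RESPMOD request (RFC 3507, section 4.9).

    req_hdr / res_hdr are the raw HTTP request and response header blocks,
    each already terminated by a blank line (CRLF CRLF). The Encapsulated
    header carries the byte offset of each section within the ICAP body,
    which is where hand-rolled clients most often go wrong.
    """
    if not (req_hdr.endswith(CRLF * 2) and res_hdr.endswith(CRLF * 2)):
        raise ValueError("header blocks must end with a blank line")
    res_hdr_off = len(req_hdr)
    res_body_off = res_hdr_off + len(res_hdr)
    host = service.split(b"/", 1)[0]
    icap_hdr = CRLF.join([
        b"RESPMOD icap://" + service + b" ICAP/1.0",
        b"Host: " + host,
        b"Allow: 204",  # we can handle "204 No Content" meaning "unmodified"
        b"Encapsulated: req-hdr=0, res-hdr=%d, res-body=%d"
        % (res_hdr_off, res_body_off),
        b"", b"",  # blank line ends the ICAP header block
    ])
    return icap_hdr + req_hdr + res_hdr + chunked(body)


def parse_icap_status(reply):
    """Return the numeric status code from the scanner's ICAP reply."""
    parts = reply.split(CRLF, 1)[0].split()
    if len(parts) < 2 or parts[0] != b"ICAP/1.0":
        raise ValueError("not an ICAP/1.0 status line: %r" % reply[:40])
    return int(parts[1])


def trickle_last(body, is_clean, hold_back=4096, chunk=1024):
    """Yield the object to the client while the scan is still running.

    Everything except the final `hold_back` bytes is released immediately, so
    the browser shows progress instead of hanging. The tail is released only
    once is_clean() says so; otherwise the transfer is cut off short, which
    leaves the client with a truncated file. (Exact hold-back sizes are a
    product setting; these defaults are assumed for the example.)
    """
    head, tail = body[:-hold_back], body[-hold_back:]
    for i in range(0, len(head), chunk):
        yield head[i:i + chunk]
    if not is_clean():
        raise RuntimeError("download aborted: scanner flagged the object")
    yield tail


def deliver(body, scanner_reply, hold_back=4096, chunk=1024):
    """Return (bytes the client received, completed?) for one scanner reply."""
    def is_clean():
        return parse_icap_status(scanner_reply) == 204

    received = bytearray()
    try:
        for piece in trickle_last(body, is_clean, hold_back, chunk):
            received += piece
        return bytes(received), True
    except RuntimeError:
        return bytes(received), False


# Constructed sample exchange: the HTTP headers of a download and two canned
# ICAP replies, one clean (204) and one where the scanner substituted a
# block page (200). Hostnames use .invalid so they never resolve.
REQ_HDR = b"GET /downloads/reader.exe HTTP/1.1\r\nHost: cdn.example.invalid\r\n\r\n"
RES_HDR = (b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n"
           b"Content-Length: 10000\r\n\r\n")
CLEAN_REPLY = b'ICAP/1.0 204 No Content\r\nISTag: "example"\r\n\r\n'
BLOCK_REPLY = b"ICAP/1.0 200 OK\r\nEncapsulated: res-hdr=0, res-body=64\r\n\r\n"

if __name__ == "__main__":
    payload = b"A" * 10000
    print(build_respmod(b"av.example.invalid/avscan", REQ_HDR, RES_HDR, payload[:5])
          .decode())
    for reply in (CLEAN_REPLY, BLOCK_REPLY):
        data, ok = deliver(payload, reply)
        print(f"{len(data)} bytes delivered, completed={ok}")
```

With the clean reply the client ends up with all 10000 bytes; with the block reply it receives 5904 bytes and the connection is dropped before the held-back tail, which is the trickle-last behaviour the post describes. The Encapsulated offsets are derived from the header lengths, so changing the sample headers keeps the message valid.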