Welcome to the Proxy Update, your source of news and information on Proxies and their role in network security.

Friday, January 28, 2011

In the News

This week brought a lot of interesting headlines. Some of the more notable ones included:

* Facebook is the most blocked and second most whitelisted application, which goes to show that organizations can't decide how to treat social networking yet. As an FYI, YouTube was the most whitelisted.

* The EU cleared Intel's purchase of McAfee. The only caveat was that Intel had to promise to keep the software compatible with other vendors, and not embed it in their chips and make it proprietary to their hardware.

* At the same time this week, Symantec took a jab at McAfee: Enrique Salem, Symantec's CEO, claimed a lot of enterprise wins over McAfee and called McAfee "distracted".

Thursday, January 27, 2011

The Myth of Browser Based "Do Not Track"

It turns out a lot of browsers have lately been including privacy options as part of their feature offerings. But a new article written by Robert McGarvey claims these browser-based methods don't really protect the end-user's privacy.

The explanation from his article:

The problem -- and it is huge -- is that we suddenly are in a lather about Websites tracking our movement on the Internet, with the result that we get barraged with targeted advertisements. Look at a travel site about Barbados, and for the next week likely you will be served ads offering deals and discounts in Barbados.

Now, by late January, the major browser developers have announced tools to help users prevent being tracked. The Internet Explorer tool is built into IE 9. Google’s tool for Chrome is here. Mozilla discusses its Firefox initiative here.


The problem with these new privacy tools is that they require the participation of the advertiser to work. If the advertiser respects your settings, you're all good, but if they choose not to respect them, you're still being tracked. How many of us trust the advertisers to actually honor settings in a web browser?

Accordingly, McGarvey does offer one solution:

The only way not to be tracked may be the use of proxy sites. “Proxies truly work,” says Hayes. Surf through a third-party detour and, suddenly, all the Internet ad surfers are baffled by your identity.

Downside: Most proxies produce a very slow Internet experience, which is why they haven’t caught on.

But note that until we start surfing with proxies we almost certainly will be tracked; that just is reality. “People have very little right to their own privacy online,” says Hayes. “It’s scary.”


What McGarvey means when he says to use proxy sites is, of course, anonymous proxy sites, as we've discussed on this site in the past. Anonymous proxies have their upsides and their downsides as well. One of the big downsides is that they allow end-users to bypass the security settings on an organization's web proxy and surf to sites the organization considers banned. That makes me think there's a market for web proxies to include an anonymous proxy in their secure web gateway.

Wednesday, January 26, 2011

The End is Nigh

We've known for a while that it's been coming. It's been predicted for a while, but ICANN and Google now report that the IPv4 address space is only weeks away from running out. Most companies and organizations have been dragging their heels on moving to IPv6, and the actual run-out of IPv4 addresses is only going to exacerbate the problem. Many may try to get around the problem by sharing addresses using more NAT devices, but even that can only go so far.

The biggest problem is going to be that many organizations can't move that quickly to IPv6 because many of their applications may still only run on IPv4 platforms. There is a solution, and we've talked about it in the past here on The Proxy Update. There is such a thing as an IPv6 to IPv4 proxy, which does seamless translation between the two technologies, allowing you to migrate to IPv6 gradually as you upgrade each of your platforms to the new technology.

Blue Coat Systems was the leader in the space introducing their IPv6 proxy first. McAfee has since also reported that they have included an IPv6 to IPv4 bridge in the latest version of their software for their web gateway.

So there's really no excuse anymore. It's time to update your network, and you've got tools available to get you there.

Tuesday, January 25, 2011

How much do you use the web?

In an average day, how many web requests do you think you make? 100? 200? 1000? One thousand web requests in a single day may sound like a lot. That is, until you remember that a visit to a single web page can actually result in literally hundreds of web requests. It's a good reminder, and one that Zscaler provided in a recent blog article. As the author, Mike Geide, mentions, a single visit to cnn.com results in 127 separate web requests.

Today, web pages are much more complicated, and most are a "mash-up" of multiple sites. No web security company wants to block you from getting the important data you might want to see from cnn.com, but with 127 separate web transactions, the likelihood that one of them may lead you to malware or spyware is fairly significant. That's why you want to make sure your web security solution, whether it's a secure web gateway or a web proxy, can block embedded URLs and not just top-level URLs. That way only the offending embedded web request gets blocked, and not your entire session to a site like cnn.com.

So how many web requests do you make a day? According to Geide, the average per user is around 3343 web requests per day.

Thursday, January 20, 2011

Questions from a Newbie

I recently got this question, specifically with regard to Blue Coat's products, and thought there might be others out there who were confused by this as well, so I'm republishing it here. The answer is the same for other similar web gateway products.

Hi Timothy,

I'm hoping you can clarify the features of ProxyAV and WebFilter for me. As far as I can tell, they both do inline malware detection as well as antivirus scanning.

It appears that ProxyAV is an additional hardware appliance you can use in conjunction with ProxySG, whereas WebFilter is just software that runs on ProxySG.

Is this correct? Are there differences between their functionality, or are they just two implementations of the same end result?


ProxyAV is a separate appliance and talks with ProxySG over a protocol called ICAP. It runs actual AV engines, and you can choose to purchase an AV license to run either Kaspersky, Sophos, McAfee, or Panda software on the ProxyAV device. It will scan any files you attempt to download from the web via the ProxySG for viruses and malware.

BCWF (Blue Coat Web Filter), on the other hand, is a URL categorization database backed by a cloud service known as WebPulse. It puts URLs in categories. For example, google.com is in the category "Search Engines/Portals". Some URLs are in multiple categories; for example, www.facebook.com/farmville is in both "Social Networking" and "Games".
There is a "Malware" category in BCWF, but it doesn't actually scan for viruses. It knows that a particular URL contains a virus and keeps the URL in that category. Because of this, if something is in an allowed category, e.g. google.com in "Search Engines/Portals", and google.com somehow gets infected with a virus, the ProxySG wouldn't block the download even if you had the entire "Malware" category blocked, unless you also had ProxyAV turned on to do file scanning and it detected the virus. For new URLs and new malware, the categorization often isn't in the local BCWF database yet, and the ProxySG can rely on up-to-date categorizations from the WebPulse cloud, which can also do real-time categorization.

Because virus scanning is also typically more CPU intensive, you would really rather not send traffic to it if you don't have to. By having BCWF filtering with WebPulse come first, you get a quick URL database lookup, and if the URL is in the malware, phishing or spyware categories, you can block a significant number of threats without using the resources of the ProxyAV engine.
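To make the two-stage ordering concrete, here is an added example (my own illustration, not Blue Coat code): a category lookup runs first and a file scan is invoked only for what the categories let through. The category database, the malware marker and the scanner are all constructed stand-ins.

```python
# Added example: category lookup first, file scanning only for traffic the
# categories allow. Database, marker and scanner are constructed stand-ins.
from dataclasses import dataclass

# Constructed stand-in for the local category database; a URL can carry
# several categories, as www.facebook.com/farmville does in the answer.
CATEGORY_DB = {
    "google.com": {"Search Engines/Portals"},
    "www.facebook.com/farmville": {"Social Networking", "Games"},
    "bad.example/dropper.exe": {"Malware"},
}
BLOCKED_CATEGORIES = {"Malware", "Phishing", "Spyware"}

# Constructed marker standing in for a real AV signature match.
MALWARE_MARKER = b"CONSTRUCTED-MALWARE-SAMPLE"


def categorize(url: str) -> set:
    """Longest-prefix match against the local database; empty = unknown."""
    best, cats = "", set()
    for prefix, c in CATEGORY_DB.items():
        if url.startswith(prefix) and len(prefix) > len(best):
            best, cats = prefix, c
    return set(cats)


def av_scan(body: bytes) -> bool:
    """Stand-in for the ICAP round trip to the scanner; True = infected."""
    return MALWARE_MARKER in body


@dataclass
class Verdict:
    action: str            # "allow" or "block"
    reason: str            # which stage decided
    scanned: bool = False  # whether the (expensive) AV stage was used


def decide(url: str, body: bytes, av_enabled: bool = True) -> Verdict:
    """Category lookup first; AV only for downloads the categories allow."""
    hit = categorize(url) & BLOCKED_CATEGORIES
    if hit:
        # cheap database hit: the scanner never sees this object
        return Verdict("block", "category:" + ",".join(sorted(hit)))
    if av_enabled and av_scan(body):
        # allowed category, but the file itself is infected
        return Verdict("block", "av", scanned=True)
    return Verdict("allow", "category", scanned=av_enabled)
```

With av_enabled=False the infected download from an allowed category sails through, which is exactly the gap the answer describes.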

Wednesday, January 19, 2011

Does Anti-Malware Ruin the Web Experience?

Surprisingly, many admins who install secure web gateways or web proxies choose not to run an anti-malware or anti-virus engine on external web traffic. While these same administrators wouldn't dream of letting email into the company without a virus scan, they don't hesitate to allow web traffic in without a similar scan. I've talked elsewhere about why you absolutely need anti-malware at the web gateway.

One reason I've heard for this reluctance to implement anti-virus at the web gateway is the end-user experience when scanning is on. For most end-users, the web is considered a vehicle for instant gratification. A delay of more than a second is generally considered unacceptable. Malware scanning inevitably introduces a delay, even if it's only on the order of hundreds of milliseconds.

What's even more surprising is that when an admin does agree to implement malware scanning, it's quite common for them to request that it run on the same system as the web gateway (rather than on a separate processor linked via ICAP). By implementing the malware scanning on the gateway, there's still the delay for the scanning, and now, unless you're a fairly small site, you've also slowed down your web gateway, adding another delay, which may be why admins see it as a problem. Having a separate CPU to process malware scanning makes sure the web gateway performs optimally and allows the best response time for delivering web pages to the end-user.

There are also some new tools to make large file scanning more bearable for web pages. Gone are the days of requiring "patience" pages (pages displayed to a web browser asking for patience while an object is being scanned). Today, advanced web gateways allow for "trickle" based scanning (either trickle first or trickle last). What trickle does is allow part of a download to start while the scan is in progress. This allows the web browser to provide feedback to the end-user that activity is occurring, rather than the "hung" status that seemed to happen before trickle was available. Trickle lets almost all of the file get downloaded, but holds back the last part until the scan completes, and aborts the download if the scan discovers the download is malicious.
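The hold-back behaviour described above, as an added example of my own (not any gateway vendor's code): bytes are forwarded as they arrive except for a held-back tail, the scan runs over the complete object, and the tail is released only if the scan is clean. The scanner and the sample data are constructed.

```python
# Added example: trickle scanning with a held-back tail. The scanner is a
# constructed stand-in for the real ICAP scan; sample data is constructed.
from typing import Callable, Iterator, List, Tuple

MALWARE_MARKER = b"CONSTRUCTED-MALWARE-SAMPLE"  # stands in for an AV signature


def constructed_scanner(data: bytes) -> bool:
    """Stand-in for the scan of the complete object; True = malicious."""
    return MALWARE_MARKER in data


def trickle(chunks: Iterator[bytes], scanner: Callable[[bytes], bool],
            holdback: int = 4096) -> Iterator[bytes]:
    """Yield the object to the client while keeping the last `holdback`
    bytes until the whole object has been scanned.

    Raises ValueError if the scan flags the object; the caller then closes
    the client connection, so the held-back tail is never delivered."""
    buffered = bytearray()   # everything received from the origin so far
    sent = 0                 # bytes already released to the client
    for chunk in chunks:
        buffered += chunk
        # release whatever can go out while still holding back the tail
        releasable = len(buffered) - holdback
        if releasable > sent:
            yield bytes(buffered[sent:releasable])
            sent = releasable
    # the object is complete: scan all of it, then release the tail or abort
    if scanner(bytes(buffered)):
        raise ValueError("scan flagged object; %d of %d bytes were trickled"
                         % (sent, len(buffered)))
    if sent < len(buffered):
        yield bytes(buffered[sent:])


def deliver(chunks: List[bytes], scanner=constructed_scanner,
            holdback: int = 4096) -> Tuple[bytes, str]:
    """Drive trickle() the way a proxy would; returns (delivered, verdict)."""
    delivered = bytearray()
    try:
        for part in trickle(iter(chunks), scanner, holdback):
            delivered += part
    except ValueError:
        return bytes(delivered), "blocked"
    return bytes(delivered), "clean"
```

Note the trade-off the technique implies: everything before the held-back tail has already reached the client when a malicious verdict arrives, so the tail must be large enough that a truncated file is useless to an attacker's payload.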

So if you're finding you're reluctant to implement anti-virus and anti-malware scanning, look at offloading malware scanning to a separate CPU, and implement trickle to provide feedback while longer scans are occurring; you may find that anti-malware scanning is more acceptable in real-time web environments than you previously thought.

Friday, January 14, 2011

Spam is back

At the beginning of the month, I ran an article talking about the reduction in the level of spam over the holidays this year. The news outlets are now reporting that the spam level is back to the pre-holiday levels.

The drop in spam volume was attributed to a botnet known as Rustock going offline. Apparently it came back online on Sunday, January 12, 2011.
From the NY Times report:

The volume of spam sent by Rustock on Monday — estimated to total 19 billion messages, or approximately 28 percent of all spam — suggests that the botnet will persevere as the largest source of global spam. A smaller compatriot botnet Xarvester, which also took a vacation from spam, also resumed business on Monday, said Matt Sergeant, senior anti-spam technologist at MessageLabs, a unit of Symantec. The Lethic botnet remained dark, he said. Rustock is sending about 100,000 to 200,000 spam e-mails per second.


So, while it looked promising for a while that maybe spam was on the decline, it appears to have been a false hope, and we're back to full mailboxes.

Thursday, January 13, 2011

High Profile Websites Hacked and Serving Up Dangerous Links

Zscaler reported that they discovered some high profile sites including Harvard, MIT, and Stanford University's websites were redirecting visitors to fake shopping sites containing malware. From the threatpost article describing the attack:

A subdomain of Harvard University's Website that belongs to the Chandra X-Ray Observatory was among the domains identified by zScaler as having been compromised. Also, various pages hosted on the domain of MIT belonging to academics, as well as a page belonging to the High-Low Tech group that "integrates high and low technological materials, processes and cultures." At Stanford University, Web sites operated by the Associated Students of Stanford University were compromised, including a Web portal for information about mental and sexual health. There was no clear pattern discernable among the sites compromised, though at least one of the subdomains was hosting the Wordpress blogging software.

zScaler also discovered commercial and governmental sites that were redirecting users to the bogus online stores. Among them, a subdomain of the Fandango.com movie information site was found to be redirecting users, as was part of the Web site used to promote the Webby Awards, which honor excellence in online media.


Zscaler's finding is just another data point showing that a website's reputation has nothing to do with whether it can get hacked and redirect you to something malicious, or even host something malicious itself. Controls that let you bypass scanning for websites with a good reputation are dangerous. The only safe way to surf the web is to scan everything, and to do it efficiently. That means using URL filtering to block the majority of known bad links, and using AV and malware scanning for whatever remains. In addition, the savvy IT administrator needs to make sure their secure web gateway or proxy blocks embedded links like the ones used in this attack, rather than blocking the parts of the site that still contain useful information. In this case Harvard, MIT and Stanford's sites didn't themselves host the malicious content; the embedded links and redirections on their sites did. The proxy or secure web gateway protecting your environment should be smart enough to recognize that and block only the embedded links and redirections.
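Both the January 25 post on cnn.com's 127 requests and the paragraph above argue for per-request enforcement. This added example (my own illustration, not any vendor's code) shows that policy: each request is judged on its own URL, on the page that embedded it (Referer) and on any redirect target it returns, so a bad embedded link or redirect is blocked while the top-level page that carried it still loads. Hostnames and categories are constructed.

```python
# Added example: per-request policy that blocks the offending embedded
# request or redirect hop, not the page that carried it. Data constructed.
from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Constructed category data keyed by hostname.
HOST_CATEGORIES = {
    "www.example-university.edu": {"Education"},
    "static.example-university.edu": {"Education"},
    "fake-shop.example": {"Malware", "Shopping"},
    "ads.example-cdn.net": {"Advertisements"},
}
BLOCKED = {"Malware", "Phishing", "Spyware"}


@dataclass
class Request:
    url: str
    referer: Optional[str] = None      # page that embedded this request
    redirect_to: Optional[str] = None  # Location header on a 3xx response


def host_categories(url: str) -> set:
    return set(HOST_CATEGORIES.get(urlsplit(url).hostname or "", ()))


def is_embedded(req: Request) -> bool:
    """Heuristic: fetched on behalf of a page hosted elsewhere."""
    if not req.referer:
        return False
    return urlsplit(req.referer).hostname != urlsplit(req.url).hostname


def policy(req: Request) -> str:
    """Return 'allow', 'block', 'block-embedded' or 'block-redirect'."""
    if host_categories(req.url) & BLOCKED:
        # the request itself is bad; label whether it was a sub-request
        return "block-embedded" if is_embedded(req) else "block"
    if req.redirect_to and host_categories(req.redirect_to) & BLOCKED:
        # stop the redirect hop, not the page that issued it
        return "block-redirect"
    return "allow"


def page_load(requests: List[Request]) -> Dict[str, str]:
    """Apply the policy to every request making up one page load."""
    return {r.url: policy(r) for r in requests}
```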

Tuesday, January 11, 2011

Tablets and Smartphones will drive next wave of web filtering

It's inevitable. With Apple's success with both the iPhone and iPad, and the resulting copycat tablets and smartphones, there's no doubt that tablets and smartphones are finding their way into the corporate office. While that's no problem when you're on wifi and connected through the corporate network, with protection from the corporate proxy or secure web gateway, it is an issue for those devices that move off the corporate network onto public and other private wifi networks, and for those that have cellular data plans and are surfing over their provider's networks.

There have already been news reports popping up about anti-virus and anti-malware products for operating systems like Android, used on smartphones and tablets, and I'm expecting that as we move forward into 2011 you'll see a lot more companies jumping on the bandwagon and providing support and protection for tablets and smartphones.

For now, make sure your corporate wifi network routes through your corporate proxy / secure web gateway, so that these devices are at least protected while they're on the corporate network.

Friday, January 7, 2011

Don't confuse the messenger with the message

It's been a rather unusual week for me, hearing complaints about censorship and miscategorized websites from various venues. For starters, there's this blog post at iptegrity.com complaining that Vodafone was censoring the internet access that a British writer's Blackberry had, and she did not want to be subjected to the whims of an "American" company called Blue Coat that was blocking her internet.

Unfortunately, what the writer fails to realize is that while Vodafone uses products like Blue Coat's for internet filtering, it's not Blue Coat that decides what to block or filter. It's strictly Vodafone's decision. It's akin to deciding that it's your TV's fault that the program you're watching contains something you don't like. It would be the same regardless of which vendor's product they used to do the internet filtering.

Next, someone on the other side of the world complained about the rating of taobao.com. For those of you who aren't familiar with that site, it's the Chinese equivalent of eBay. The person complaining had just read an article in PC Magazine on how some scammers were selling illegal iTunes account information on taobao.com. They wanted to know why the site wasn't classified as illegal, and was instead classified as auctions and shopping. It'd be the same as if someone went on eBay and sold illegally obtained merchandise. Because some sellers happen to be illicit, does that mean all of eBay should be classified as illegal? Once again, the person is confusing the message with the messenger.

Unfortunately in this day and age, it's too easy to confuse the companies that provide tools with people who might be using them the wrong way. A company like Vodafone using a tool like Blue Coat's has every right to do so, but in the interest of customer retention and satisfaction might want to consider being up front about their practice and explaining their intentions. Just don't shoot the messenger.

Tuesday, January 4, 2011

Sudden Spam Drop Leaves Experts Baffled

Cisco, Commtouch and other security companies are reporting a drop in the amount of spam email worldwide. Most expected a spam increase around the holidays, which did not happen. Commtouch reported a 30% decrease in spam from the September 2010 high. Some experts believe that spammers may be shifting their attention from e-mail to attacks in the social networking realm. That alone should concern those running a secure web gateway and proxy for web services.

There's no doubt that social networking is a prime target for malware, and if the experts' assumption is true, there's more need than ever for IT administrators to make sure they are running the latest URL filtering and malware scanning software on their secure web gateways.