Welcome to the Proxy Update, your source of news and information on Proxies and their role in network security.

Thursday, April 28, 2011

Destroying Hard Drives

Network World recently published an interesting article about a practice at Google. It turns out they keep rigorous track of all their hard drives, and when they are no longer needed they shred and destroy them to prevent any chance of data leakage.

At first glance this practice sounds almost like overkill, but in this day and age of continual security breaches it may actually turn out to be the safe and prudent one to follow, and it is certainly only the tip of the iceberg in terms of security practices you can adopt to prevent data leakage at your organization.

We've talked previously here on this blog about DLP (data leakage protection) solutions that tie into your existing web proxies using the ICAP protocol. This article on hard drive destruction to prevent data leakage is a good reminder to look into DLP solutions for your proxy if you haven't done so already.

Wednesday, April 27, 2011

Why Intel Bought McAfee

A year after the acquisition of McAfee by Intel, there's still discussion about just why Intel would be interested in a security company like McAfee. The latest article to tackle this is on readwriteweb.com, and it basically explains that Intel didn't buy McAfee to put security into silicon, as many speculated when the acquisition was first announced.

Instead, according to the article, the primary driver for the acquisition is that security for silicon is going to come more and more from software, and from putting that software lower in the stack.

That sort of leaves one wondering how much effort Intel's going to put into maintaining the security products that work much higher in the chain, like their Secure Web Gateway, which is an application level security device. We'll just have to wait and see.

Tuesday, April 26, 2011

Language Recognition

Last week Blue Coat announced that it added Norwegian to the list of languages it recognizes when analyzing websites for malware and categorization in its Webpulse system. This brings Blue Coat to 18 languages recognized by Webpulse, and 50 languages categorized in its database.

Language recognition doesn't seem to be something very many security firms tout as a feature, so I'm wondering how important it is that your security company recognize Norwegian, or even Chinese, Spanish or German. My guess is that while the individual language may not be important to you, the ability to classify sites written in different languages is.

As a side note, Blue Coat's also the company that some time ago claimed they recognized Klingon as a language in their threat detection and web site classification modules.

Tuesday, April 19, 2011

With each new holiday comes new malware - Easter

With Easter approaching it should be no surprise that malware with an Easter theme is going around the web. McAfee has reported a wave of emails this morning which pretend to be Easter cards containing an animated greeting.

The download is instead a Trojan which contains key-logging software and backdoor access to return data and allow additional malware to be deployed.

So keep vigilant, and browse the web safely.

Thursday, April 14, 2011

More sites get hacked

In case you missed the news, another big name (not in security) got hacked this week. This time it was Wordpress, the guys that host and provide the software for many popular blog sites.

This, on the heels of the recent news of the Epsilon breach, has a lot of IT admins on edge, wondering if their own web servers are safe.

It's a good reminder to look into reverse proxies and web application firewalls, the devices that are designed to keep the corporate web server safe. It was the fact that Barracuda took down their web application firewall that led to their security breach. Getting a reverse proxy or web application firewall in and of itself probably isn't enough to call yourself secure; you also need to make sure the software on your web server is up to date, and review any code you're running on it.

Firewall software open to TCP handshake hack

A new report from NSS shows that out of 6 common firewalls, 5 were vulnerable to a "TCP Split Handshake Attack", an attack that allows a hacker to trick the firewall into thinking an IP connection is a trusted one originating from behind the firewall. Check Point was the only vendor that was not vulnerable. The other vendors tested, Cisco, Juniper, Palo Alto Networks, Fortinet and SonicWall, were all found to be vulnerable.

NSS Labs independently tested the Check Point Power-1 11065, the Cisco ASA 5585-40, the Fortinet Fortigate 3950, the Juniper SRX 5800, the Palo Alto Networks PA-4020 and the SonicWall NSA E8500.

Many of these firewalls also offer web security, an offering similar to what secure web gateways and proxies provide, generally with a lower level of anti-malware protection. This report is a good reminder of why it's better practice to keep different security products on different platforms, rather than go for a UTM (unified threat management) device that tries to do everything in one box: you don't want a vulnerability in one box to affect all your security. Typically email and web security should be kept on separate devices, not only to keep any vulnerabilities separate, but also because each can easily carry a load that would overwhelm a single device and compromise the other security functions running on it.

Wednesday, April 13, 2011

Latest AV Comparatives report is out

If you're wondering which AV vendor to use on your web gateway, you might want to take a look at the latest AV Comparatives report.

It covers a long list of AV Vendors including: Avast, AVG, Avira, BitDefender, eScan, Eset, F-Secure, G Data, K7, Kaspersky, McAfee, Microsoft, Panda, PC Tools, Qihoo, Sophos, Symantec Norton, Trend Micro, Trustport and Webroot.

In terms of missed samples (lower is better), G Data topped the list followed by Trustport, Avast, Panda, and F-Secure. At the bottom of the list was K7, followed by Webroot, AVG, PC Tools and Sophos. This ranged from a 99.8% detection rate down to 84.4% for K7.

The other side of the testing looked at false positives. McAfee scored at the top with zero false positives, followed by Microsoft, and a 3-way tie for third between BitDefender, eScan and F-Secure. At the bottom of the list was Trend Micro with 290 false positives, followed by Qihoo, Webroot, Eset, and Avast. Avast came in with 19 false positives.

In addition to detection rates and false positives, AV Comparatives also looked at speed of scanning. The highest throughput was Avast, followed by Panda, K7, Webroot and McAfee. The slowest vendor was Microsoft, followed by PC Tools, Qihoo, eScan and Eset.

Given these three parameters, 7 products were awarded the highest honors. These vendors included Trustport, F-Secure, Bitdefender, Avira, eScan, Kaspersky and McAfee.

Check out the report yourself at http://www.av-comparatives.org/images/stories/test/ondret/avc_od_feb2011.pdf

Tuesday, April 12, 2011

Another security vendor gets hacked - this time Barracuda

After the news of the McAfee website getting attacked comes news that Barracuda's website got hacked and leaked sensitive company information, including partner info and employee credentials.

It appears the breach came from an SQL injection attack. It's especially troubling because Barracuda sells something called a Web Application Firewall (WAF), basically a souped-up reverse proxy designed to protect websites from attacks like this one. In a recent follow-up the CMO of Barracuda acknowledged their WAF was offline during the attack, during a maintenance window.
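To make the point about SQL injection concrete, here is an added example (not code from the original post, and not Barracuda's or anyone else's real application) showing the kind of login query that is open to injection next to the parameterized form that isn't, plus a crude WAF-style pattern check of the sort a reverse proxy might apply in front of the application. The table, rows and the `login_*` function names are constructed for the example. The passwords are stored in plaintext only to keep the example short; a real system stores salted hashes.

```python
import re
import sqlite3

# Constructed in-memory table standing in for a partner/employee login table.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "correct-horse"), ("bob", "battery-staple")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # String formatting splices user input into the SQL text, so a quote in
    # the input ends the string literal and the rest is parsed as SQL.
    sql = (
        f"SELECT 1 FROM users WHERE username = '{username}' "
        f"AND password = '{password}'"
    )
    return conn.execute(sql).fetchone() is not None


def login_parameterized(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Placeholders hand the values to the driver separately from the statement.
    # They are never parsed as SQL, so quotes and keywords in the input are
    # just data that has to match a stored row.
    sql = "SELECT 1 FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


# A very small WAF-style signature: a quote followed by a boolean operator.
# Useful as defense in depth in a reverse proxy, but easy to evade, which is
# why the parameterized query above is the real fix and this is only a layer.
_SUSPICIOUS = re.compile(r"'\s*(or|and)\s*'", re.IGNORECASE)


def waf_flags(value: str) -> bool:
    return _SUSPICIOUS.search(value) is not None


if __name__ == "__main__":
    db = make_db()
    probe = "' OR '1'='1"
    print("vulnerable, wrong password: ", login_vulnerable(db, "alice", probe))
    print("parameterized, wrong password:", login_parameterized(db, "alice", probe))
    print("WAF would flag it:", waf_flags(probe))
```

The point of the comparison is that the same input which turns the vulnerable query into an always-true condition is simply a non-matching password to the parameterized one. The WAF pattern catches the textbook form, but only the query construction removes the bug.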

The latest attack just continues to prove you can't be too paranoid about security in this day and age.

Friday, April 8, 2011

Captcha Protected Malware

The Blue Coat Security Group has written about a new way of distributing malware on the web. A few new official-looking, corporate-style websites offering jobs upon completion of an online examination have popped up here in the U.S. and in the U.K.

The unfortunate part about these websites is that they look even more official because they require the end user to pass through a "captcha" before getting to the exam. A "captcha", in case you aren't familiar with the term, is a graphic of squiggly letters and numbers that supposedly cannot be read by a machine, so that only a human can recognize them; you have to enter them correctly to proceed.

While these malware sites require passing through a "captcha", it turns out you can enter anything in the field: you get past the "captcha" and automatically start downloading malware, instead of actually reaching an online examination.

The key to protecting yourself here is, of course, what we always say: make sure you're browsing the web behind a secure web gateway or proxy that's running up-to-date web filtering and anti-malware software. For end users who need protection and aren't on a corporate network, there's also Blue Coat's free software, K9, available at www.getk9.com

Thursday, April 7, 2011

Email Malware Gets Big Uptick


Commtouch is reporting this week that there's a huge spike in the amount of email with attached malware.

From their blog:

Virus distributors have steadily decreased their usage of email as a means of malware distribution. The more popular methods nowadays include the use of drive-by downloads as well as “voluntary” downloads of “shockwave updaters” and “movie codec files”.

But the last day or so has seen very high levels of emails with attached malware. At one point these accounted for over 30% of all email received. The sudden increase can be seen in the graph.


It's surprising, since the amount of malware delivered by email had actually been going down while web delivery was going up. It makes me wonder if the increase in web security is driving malware writers back to email as a delivery mechanism. Maybe they think security companies have gone lax on email as they've stepped up web security. The key takeaway? Keep your security up to date, no matter what it's protecting.

Wednesday, April 6, 2011

Cisco calls out Websense on Lizamoon attack

If you've been following the malware news this past week, you've probably noticed an article or two on Websense's report regarding a new malware attack based on an SQL injection, which they dubbed 'Lizamoon'. As the news progressed, so did their numbers on how many sites were affected. By their own count they claimed as many as 1.5 million websites were compromised, and other news outlets even claimed 4 million sites were compromised.

But yesterday Websense updated their website, and claimed the numbers may have been inflated a little bit, and in reality there were probably only 500,000 sites infected.

Cisco, specifically their ScanSafe division, took offense at even that number and reported that likely not even 1,000 sites were infected.

From a threatpost article on the issue:

Landesman said Cisco had identified only 1,154 unique compromised Websites between September, 2010 and March 2011 that were associated with the mass SQL injection attacks. Even within those domains, the individual or group behind the SQL injection attacks is throttling the distribution of attack code, meaning just a fraction of all potentially malicious encounters actually deliver malicious code. Landesman said the "live encounter rate" is around 0.15%, according to Cisco data.

Cisco has had only a handful of detections, she said. Other firms, also, said they were seeing only low numbers of compromises related to Lizamoon. Kaspersky Lab reports just four detections from domains associated with the Lizamoon SQL injection attacks. Websense did not respond immediately to a request for comment.

Cisco said it is providing a signature for the Lizamoon SQL injection attack because of "intense media attention," but considers the danger of infection from the attack to be extremely low.


So while we see alarming news, it's always a good idea to check the facts before you start to worry.

Monday, April 4, 2011

Data Theft Expected to Lead to Targeted Phishing

You'd pretty much have to be outside the digital age not to have been affected by this weekend's news that Epsilon, an email marketing firm, was compromised, and that mailing lists from well-known companies like Tivo, JP Morgan Chase, Capital One, Best Buy and others were stolen. While only names and email addresses were in the stolen data, there are already predictions that this stolen information will lead to targeted phishing attacks looking for more personal information that could be used for more harmful activities like identity theft.

So, no surprise: be wary of emails from the organizations you know were compromised in this attack, and don't send out any personal information, especially not over email, and not on websites you haven't verified. Verifying a site means checking that the URL isn't an obfuscated one (e.g. bestbuy.xyz.com instead of bestbuy.com), and checking the SSL certificate the site presents (when connecting over HTTPS, which you should be before you give out any sensitive information) to make sure it really belongs to the site you're going to and is verified by a CA (certificate authority).
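The two checks above (is the registered domain really bestbuy.com rather than xyz.com, and does the certificate actually name the host you're talking to) can be written down as code. The following is an added example, not part of the original post and not any vendor's product: a URL check that extracts the registered domain and flags the classic lookalike and userinfo (`brand.com@evil`) tricks, a hostname-versus-certificate match in the same dict shape that Python's `ssl.SSLSocket.getpeercert()` returns, and a helper that fetches a live certificate through a verifying TLS context. The `TRUSTED_DOMAINS` table, the sample certificate and all function names are constructed for the example; the registered-domain logic takes the last two labels and so ignores multi-label public suffixes such as co.uk, which a real check would handle with a public-suffix list.

```python
import socket
import ssl
from urllib.parse import urlsplit

# Constructed brand-to-domain table (assumption for this example).
TRUSTED_DOMAINS = {"bestbuy": "bestbuy.com", "chase": "chase.com"}


def registered_domain(host: str) -> str:
    """'bestbuy.xyz.com' -> 'xyz.com'. Simplified: last two labels only."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def check_url(url: str, expected_domain: str) -> dict:
    """Flag the obfuscation tricks a phishing link commonly relies on."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    findings = []
    if parts.scheme != "https":
        findings.append("not https")
    if "@" in parts.netloc:
        # https://bestbuy.com@evil.example/ shows 'bestbuy.com' first but
        # connects to evil.example; the text before '@' is userinfo.
        findings.append("userinfo in URL")
    reg = registered_domain(host)
    if reg != expected_domain.lower():
        findings.append(f"registered domain is {reg!r}, expected {expected_domain!r}")
    return {"host": host, "registered_domain": reg,
            "ok": not findings, "findings": findings}


def _name_matches(pattern: str, hostname: str) -> bool:
    """Exact match, or a single leftmost wildcard label (*.example.com)."""
    pattern, hostname = pattern.lower(), hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    suffix = pattern[2:]
    if "." not in suffix:          # refuse '*.com'-style wildcards
        return False
    labels = hostname.split(".")
    # The wildcard covers exactly one label: www.bestbuy.com matches
    # *.bestbuy.com, but bestbuy.com and a.b.bestbuy.com do not.
    return len(labels) >= 3 and ".".join(labels[1:]) == suffix


def hostname_matches_cert(hostname: str, cert: dict) -> bool:
    """Match against the certificate's DNS subjectAltName entries only, which
    is what browsers do; the subject CN is deliberately ignored."""
    sans = [v for (kind, v) in cert.get("subjectAltName", ()) if kind == "DNS"]
    return any(_name_matches(p, hostname) for p in sans)


def fetch_peer_cert(hostname: str, port: int = 443) -> dict:
    """Live check (needs network, so not used in the offline demo). The default
    context verifies the CA chain and the hostname; a mismatch or an untrusted
    issuer raises ssl.SSLCertVerificationError before any data is sent."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


# Constructed certificate in getpeercert() shape; not a real certificate.
CONSTRUCTED_CERT = {
    "subject": ((("commonName", "bestbuy.com"),),),
    "issuer": ((("organizationName", "Example CA (constructed)"),),),
    "subjectAltName": (("DNS", "bestbuy.com"), ("DNS", "*.bestbuy.com")),
}


if __name__ == "__main__":
    for link in ("https://www.bestbuy.com/account",
                 "http://bestbuy.xyz.com/login",
                 "https://bestbuy.com@evil.example/login"):
        print(link, "->", check_url(link, TRUSTED_DOMAINS["bestbuy"]))
    for host in ("www.bestbuy.com", "bestbuy.xyz.com"):
        print(host, "matches cert:", hostname_matches_cert(host, CONSTRUCTED_CERT))
```

Used together, `check_url` answers the "is this really the brand's domain" question from the post, and `hostname_matches_cert` answers the "is the certificate for the site I'm on" question; `fetch_peer_cert` shows that a verifying context does both the chain and the hostname check for you, so the right failure mode is a refused connection rather than a warning the user can click through.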

If all that's too much to remember, then also make sure you're using a secure web gateway or proxy that identifies and blocks phishing sites, especially one that can do this in real time as new sites come online.