Welcome to the Proxy Update, your source of news and information on Proxies and their role in network security.

Tuesday, August 30, 2011

Big Drop In Fake AV

Both McAfee and Blue Coat reported that the Fake AV scam was one of the largest purveyors of malware last year. In case you're not familiar with it, it's basically a pop-up, JavaScript or some other injected code that notifies end-users that their computer is infected with a virus and offers to clean it if they pay for antivirus software; instead of downloading A/V software, it downloads malware to the workstation.

Apparently, by June of this year the Fake AV sites had practically disappeared from the web. The reason for the quick drop? From ZDNet:

The event that caused the sudden plunge? A high-profile bust by Russian authorities. On June 23, a network of web sites that were distributing fake antivirus software for Windows PCs and Macs suddenly went offline when the head of the company that processed payments for the group was busted.


While the decrease is good news for end-users in general, it's expected to be only a minor hiccup in cybercrime activity, with Fake AV likely to ramp back up again soon, so it's no time to drop your guard in protecting your end-users and network.

Monday, August 29, 2011

Google Search Results Cleaner in 2011 than 2010

There's a new report showing that Google search results are a lot better this year than last with regard to results containing malware (SEP, Search Engine Poisoning) sites. That sounds like really good news on the face of it, as it means your web proxy or secure web gateway won't have to work as hard to protect you from malicious search engine results. It used to be that up to 90% of results contained malware; now it's as few as 3 malicious links in the first 10 pages of search results.

But there's bad news buried in this news as well. It turns out that searches for software purchases online still return about 90% malicious results. So there's no reason to back down from protecting your users, and if you've got users out there searching for software purchases, you probably should increase the security and protection you're offering them in your web proxy/secure web gateway.

Wednesday, August 24, 2011

Are you ready for HTTPS Everywhere?

The EFF, in collaboration with the Tor Project, launched the official 1.0 version of the HTTPS Everywhere tool on Aug. 4, just over a year after the first beta version was released in June 2010. According to EFF's blog post, the extension will help secure Internet browsing by encrypting connections to more than 1,000 Web sites.

If you're an administrator of a Secure Web Gateway or web proxy, that statement alone should have you worried, or at the very least give you a momentary pause. The reason? While most organizations have deployed secure web gateways for HTTP traffic, very few have actually gone the additional step of turning on SSL inspection for their external web traffic. The reasons are varied, but they include the overhead that encryption and decryption would put on the web proxy, the fact that until recently most sites generally provided data and content unencrypted, and the privacy issues and concerns around inspecting SSL traffic.

But SSL is gaining traction, and most email providers and even Facebook offer options for keeping SSL turned on. This increases the likelihood that malware and other undesirable content can be brought into the organization's network, since SSL traffic is likely bypassing inspection on the proxy.

What's the right solution? If you haven't already turned on your SSL proxy, investigate what it would mean for your network and your proxy if you did. Make sure your proxy can handle the additional load of SSL decryption and encryption. The easiest way to do this is to check whether your proxy has an SSL hardware card, or the option to add one. Doing decryption and encryption in software will add load to what's probably an overloaded proxy to begin with, and in all likelihood add latency to your web traffic; that's why hardware-based SSL is the best bet.

Next, set up policy so that you aren't violating your employees' privacy rights. That may include turning off the SSL proxy for users in certain countries, and turning it off for certain categories (like banking). Run this past HR and legal to be sure you're doing the right thing.

Once you've got those figured out, it's time to go live with the SSL proxy, and you can be sure you're inspecting encrypted traffic for malware and undesirable content.
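As an added example (not code from this post or from any gateway vendor), here is the kind of first-match interception policy the steps above describe, written in Python: the decision is taken on the CONNECT hostname before anything is decrypted, and replaying a CONNECT log through it gives a rough idea of how much decryption load to expect. The category database, the country exemptions and the sample log lines are assumed values.

```python
"""Added example, not code from the Proxy Update post or from any vendor: a
first-match SSL-interception policy evaluated on the CONNECT hostname alone,
so the decision is taken before anything is decrypted. The category database,
country list and log lines below are constructed for illustration."""
from collections import Counter

# Constructed URL-category database keyed by domain suffix (assumed lookup).
CATEGORY_DB = {
    "bank.example": "Financial Services",
    "health.example": "Health",
    "mail.example": "Web Mail",
    "social.example": "Social Networking",
}
NO_DECRYPT_CATEGORIES = {"Financial Services", "Health"}  # agreed with HR/legal
NO_DECRYPT_COUNTRIES = {"DE", "FR"}                       # per-country exemptions

def categorize(host):
    """Longest-suffix match, so 'www.bank.example' resolves to 'bank.example'."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        category = CATEGORY_DB.get(".".join(labels[i:]))
        if category:
            return category
    return "Uncategorized"

def decide(host, user_country):
    """Return ('bypass'|'intercept', reason); intercept is the default so
    malware inside encrypted downloads still reaches the scanner."""
    if user_country in NO_DECRYPT_COUNTRIES:
        return "bypass", f"user located in {user_country}"
    category = categorize(host)
    if category in NO_DECRYPT_CATEGORIES:
        return "bypass", f"category {category}"
    return "intercept", f"category {category}"

def load_report(connect_log):
    """Replay CONNECT lines ('host:port user country') and count what the
    proxy would really have to decrypt: a sizing check before go-live."""
    counts = Counter()
    for line in connect_log.strip().splitlines():
        hostport, _user, country = line.split()
        action, _reason = decide(hostport.rsplit(":", 1)[0], country)
        counts[action] += 1
    return counts

# Constructed sample of CONNECT requests as a proxy access log would show them.
SAMPLE_LOG = """\
www.bank.example:443 alice US
mail.example:443 alice US
social.example:443 bob DE
cdn.unknown.example:443 carol US
"""
```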

Wednesday, August 17, 2011

Huge spike in malicious emails

After what seemed to be a continuing decrease in the amount of spam and malicious spam email, M86 is now reporting a huge spike in the amount of malicious spam since the beginning of August. The belief is that after the arrest of cyber-criminals and the takedown of major botnets, the cyber-criminals are back in force trying to re-establish their bot networks.

This increase in malicious spam is a good reminder to IT administrators to stay vigilant with their security, whether it's email or web-based security, as many of these emails rely on tricking users into filling out linked web pages or downloading malicious software from linked pages. Security should especially be of concern for your web proxy if you're only using URL database filtering today. In addition to that layer of security, every web proxy should also do real-time scanning of downloaded content using an anti-malware or anti-virus engine.

Monday, August 15, 2011

Thinking DLP? Think Proxy.

If you've got plans to implement DLP (Data Leakage Protection) in your organization's network, either for regulatory or corporate compliance around confidential data protection, you're probably also looking at your secure web gateway (aka web proxy).

Why is that? Because most traffic that's likely to leave your organization today is going out over the web. Most DLP vendors prefer not to sit directly inline in the network as a single point of failure, nor are their boxes or software designed to operate inline as a network traffic device.

That's where the web proxy or secure web gateway comes in. The web gateway can decide when to send traffic to a DLP device over a standard protocol like ICAP, and wait for a response from the DLP server before giving a response back to the end-user. Any major DLP vendor today will point you to a web proxy as the integration point for network-based DLP.

The key here is to make sure your secure web gateway is capable of ICAP integration, and generally supports at least two ICAP servers (one for upload scanning and one for download scanning). The upload ICAP server is the one used for DLP, and the download one is used for malicious threat scanning (anti-malware).
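As an added illustration of the ICAP hand-off described here, and of the real-time download scanning recommended in the malicious-email post above (example code, not from this blog or from any DLP or gateway vendor): building the REQMOD message that carries an upload to the DLP server and the RESPMOD message that carries a download to the anti-malware engine, and reading the verdict that comes back. The server hostnames and the sample messages are assumed.

```python
"""Added example, not code from the post or any vendor's gateway: the ICAP
(RFC 3507) messages a secure web gateway sends to hand an upload to a DLP
server (REQMOD) or a download to a malware scanner (RESPMOD), and how it
reads the verdict. Hostnames and sample messages are constructed."""

CRLF = b"\r\n"

def chunked(body):
    """HTTP chunked encoding, which ICAP requires for encapsulated bodies."""
    data = b"%x" % len(body) + CRLF + body + CRLF if body else b""
    return data + b"0" + CRLF + CRLF

def build_icap_request(mode, server, http_req_hdr, http_res_hdr=b"", body=b""):
    """mode is 'REQMOD' (upload -> DLP) or 'RESPMOD' (download -> AV).
    The Encapsulated header carries the byte offset of every section, so the
    offsets are derived from the real header lengths rather than hard-coded."""
    if mode == "REQMOD":
        sections = [("req-hdr", http_req_hdr), ("req-body", b"")]
    elif mode == "RESPMOD":
        sections = [("req-hdr", http_req_hdr), ("res-hdr", http_res_hdr), ("res-body", b"")]
    else:
        raise ValueError(f"unsupported ICAP method {mode!r}")
    offsets, pos = [], 0
    for name, data in sections:
        offsets.append(f"{name}={pos}")
        pos += len(data)
    icap_hdr = (f"{mode} icap://{server}/{mode.lower()} ICAP/1.0\r\n"
                f"Host: {server}\r\n"
                f"Encapsulated: {', '.join(offsets)}\r\n\r\n").encode()
    return icap_hdr + b"".join(data for _, data in sections) + chunked(body)

def parse_icap_verdict(raw):
    """Map an ICAP response to what the gateway must do next: 204 -> deliver
    the original unchanged; 200 with an encapsulated res-hdr -> the server
    replaced the transaction (DLP block page or AV denial); anything else ->
    error, for the gateway's fail-open/fail-closed setting to handle."""
    head, _, rest = raw.partition(CRLF + CRLF)
    lines = head.decode("ascii", "replace").split("\r\n")
    status = int(lines[0].split()[1])
    headers = dict(line.split(": ", 1) for line in lines[1:] if ": " in line)
    if status == 204:
        return {"action": "allow", "status": 204}
    if status == 200 and "res-hdr" in headers.get("Encapsulated", ""):
        http_status = rest.split(b" ", 2)[1].decode()  # e.g. '403'
        return {"action": "replace", "status": 200, "http_status": http_status}
    return {"action": "error", "status": status}
```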

Thursday, August 11, 2011

Web Application Controls

I wrote an article a few months ago about the new feature called "Web 2.0 controls". This feature has been firming up of late, and seems to be coalescing around the term "Web Application Controls". Each vendor has a slightly different take on it, some focusing more on social networking, others being more broad-based and covering a number of applications. Even those without real controls are claiming "web application control" capability.

That being said, it's important to find out what a vendor means when they say "web application control". For some it just means blocking a web site based on its category. That alone probably isn't sufficient in today's malware-laden web. Really, the secure web gateway or web proxy needs to be able to control actions within web sites (applications). For example, does the web proxy allow the user to view the site but prevent them from posting an update, or restrict them from uploading a photo, a video or other documents? Is there any granular control over the types of information or document types that can or cannot be uploaded? Can a user be prevented from using a chat function within a page, or an email function within a page?

Those are the important controls, and the ones needed to customize a policy to adhere to an organization's compliance rules. It may be easy to say "create a read-only Facebook policy", but it won't apply across the board. Marketing folks may need the ability to post to the company's Facebook page, but maybe you don't let them chat on Facebook. The CEO may be the only one allowed to do anything on Facebook, etc.

The key takeaway here? Make sure you know what your web proxy can do and make sure it fits your needs around "web application control".
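As an added example of what "control actions, not just sites" looks like in practice (example code, not from this blog or from any gateway vendor), here is a small Python classifier that turns a request into an application action (view, post, upload or chat) and checks it against per-group permissions like the read-only/Marketing/CEO split above. The signatures, hostnames and group names are assumed; a real gateway ships its own vendor-maintained signatures.

```python
"""Added example, not from the post or any vendor: turning 'web application
control' into per-action decisions (view/post/upload/chat) instead of
whole-site blocking. The application signatures, hostnames and groups are
constructed for illustration."""
import re
from typing import NamedTuple

class Request(NamedTuple):
    method: str
    host: str
    path: str
    content_type: str = ""

# Constructed signatures: (host suffix, path pattern, method) -> action.
# Real gateways ship these as vendor-maintained, regularly updated rules.
SIGNATURES = [
    ("facebook.example", re.compile(r"^/ajax/messaging/"), "POST", "chat"),
    ("facebook.example", re.compile(r"^/ajax/updatestatus"), "POST", "post"),
    ("facebook.example", re.compile(r"^/ajax/upload"), "POST", "upload"),
]
UPLOAD_TYPES = ("multipart/form-data", "application/octet-stream")

def classify(req):
    """Return (application, action). GETs are 'view'; writes without a
    matching signature fall back on the content type to tell upload from post."""
    if not req.host.endswith("facebook.example"):
        return "other", "view" if req.method == "GET" else "post"
    for suffix, pattern, method, action in SIGNATURES:
        if req.host.endswith(suffix) and req.method == method and pattern.search(req.path):
            return "Facebook", action
    if req.method in ("POST", "PUT"):
        return "Facebook", "upload" if req.content_type.startswith(UPLOAD_TYPES) else "post"
    return "Facebook", "view"

# Per-group allowed actions: read-only for everyone, posting for Marketing,
# and the full set for the executive group, as the post sketches it.
POLICY = {
    "everyone": {"view"},
    "marketing": {"view", "post"},
    "executives": {"view", "post", "upload", "chat"},
}

def authorize(groups, req):
    """Union the user's group permissions and check the classified action."""
    app, action = classify(req)
    allowed = set().union(*(POLICY.get(g, set()) for g in groups))
    return action in allowed, f"{app}:{action}"
```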

Tuesday, August 9, 2011

Sophos AV Critically Flawed?

The big news out of Black Hat last week in Las Vegas was a session that described Sophos AV as being critically flawed.

A Google security engineer, Tavis Ormandy, released his findings in a paper following his presentation at Black Hat. Ormandy said his analysis found that Sophos software uses weak or outdated cryptography in the way it builds and matches virus signatures, relies on obfuscation for security too often, and fails to comprehend certain exploitation techniques, among other problems.

From Ormandy:

“My intent for this project was to provide the missing technical specifications for Sophos Antivirus in order to help those evaluating antivirus do so thoroughly,” Ormandy said. “They’ll be able to make informed decisions about whether this product makes sense in the context in which they want to deploy it.”


Sophos has promised fixes in an upcoming release. When asked whether these problems exist in other AV vendors' products, the suggestion was that it's likely, as most of these programs are not that fundamentally different.

It's a troubling concern, and hopefully one that's addressed by all AV vendors now that there's some light on the issue.

Monday, August 8, 2011

Malware affects 6 Million Websites

eWeek is reporting a new malware outbreak that affects 6 million web pages. Should we be scared? As an IT admin, should I be concerned that this is more pages than my web proxy or secure web gateway can rate?

The simple answer is no, and there's a good reason for it as well. While there might be 6 million web pages that have been compromised with an iframe injection containing JavaScript, this JavaScript actually leads to only 8 different Ukraine-based websites that actually host the malware. So if you've got a web proxy or secure web gateway that can block embedded URLs (this is key, so you can still get to the content on those 6 million web pages) and can rate those 8 sites as malware, you can be pretty confident that you're protected. In fact, most malware attacks on the web are pretty similar to this one. While there may be 8 bad sites, there are many more (in this case 6 million) websites that lead you to those 8 bad sites. So while you can't possibly block all 6 million web sites, you can block the 8 bad ones and prevent users from loading bad embedded URLs on a page.

Just make sure your web proxy or secure web gateway can do this too, and you won't have to worry about the hype, just the reality.
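To make the "block the embedded URL, not the page" idea concrete, here is an added Python example (not code from this blog or from any gateway vendor) of a response-body filter that lets a compromised page through while neutralising iframe and script references whose host is rated as malware. The malware host list and the sample page are constructed.

```python
"""Added example (not from the post): a response-body filter that lets a
compromised page load while neutralising injected iframe/script references
to known-malicious hosts, the 'block embedded URLs' behaviour the post asks
of a gateway. The HTML sample and the host list are constructed."""
import re
from urllib.parse import urlparse

# Constructed list of hosts the gateway's URL database rates as malware.
MALWARE_HOSTS = {"redirector1.example.ua", "redirector2.example.ua"}

# Match src= on iframe and script tags; tolerant of quoting and case.
EMBED_RE = re.compile(
    r"<(iframe|script)\b[^>]*?\bsrc\s*=\s*([\"']?)([^\"'\s>]+)\2[^>]*>",
    re.IGNORECASE)

def is_blocked(url):
    """Absolute and protocol-relative URLs carry a host; relative ones do not."""
    host = (urlparse(url).hostname or "").lower()
    return host in MALWARE_HOSTS

def filter_embedded(html):
    """Return (clean_html, blocked_urls). A blocked reference becomes an HTML
    comment, so the rest of the page still renders for the user."""
    blocked = []
    def repl(match):
        url = match.group(3)
        if not is_blocked(url):
            return match.group(0)
        blocked.append(url)
        return f"<!-- {match.group(1)} to {urlparse(url).hostname} blocked by proxy -->"
    return EMBED_RE.sub(repl, html), blocked

# Constructed page: legitimate content plus two injected references.
SAMPLE_PAGE = (
    "<html><body><h1>Compromised but useful page</h1>"
    "<iframe src=\"http://redirector1.example.ua/in.cgi?3\" width=0 height=0></iframe>"
    "<script src='//cdn.good.example/app.js'></script>"
    "<script SRC=//redirector2.example.ua/x.js></script>"
    "</body></html>"
)
```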

Friday, August 5, 2011

Cybercrime costs up 56% in 2011

According to a study by Ponemon sponsored by ArcSight, the cost of battling cybercrime went up by 56% in 2011 for the organizations they interviewed. For the 50 organizations they looked at, the cost averaged 8.4 million dollars.

This new study is a good reminder why security, and especially web security, should be at the top of your list for IT dollars, if it isn't already. The web remains the primary vehicle for cybercrime, and protecting your end-users, regardless of whether they are behind the company firewall or remote on a hotel Wi-Fi, should be one of the largest IT concerns today.

When selecting your web security solution, make sure the vendor can answer the tough questions about how they protect you from malware and how they protect your remote users as well as your local ones.

Monday, August 1, 2011

Video Usage

It's old news, but Cisco has estimated that 90% of all internet traffic will be consumer-based video by 2013. That of course instantly translates to businesses as well, whether or not the IT administrator realizes it. In fact, what most network assessment companies find is that most IT admins really have little idea of the types of traffic that are running on their network. For example, do you know what percentage of your traffic is peer-to-peer, video usage, or social networking?

PacketShaper users do know, but that's because it's one product that's commonly used in network assessments. But if you're not a PacketShaper owner, what can you do? One thing you can do is make sure your web proxy or secure web gateway is reporting on video usage and social networking usage. Make sure you know who the top video watcher is on your network, and what percentage of your web traffic goes to video sites.

For social networking, you want to know the same things, but you probably also want controls to either create a "read-only" social networking policy or at least examine the content that's going to social networking sites. These are features your web proxy or secure web gateway should be able to provide you today.