Welcome to the Proxy Update, your source of news and information on Proxies and their role in network security.

Monday, October 10, 2011

Websense on Facebook can be bypassed

Blackhat Academy is already reporting that the new Websense web filtering that will be available on Facebook can be bypassed. Earlier this month, Websense and Facebook announced that links clicked inside of Facebook would be scanned by Websense, with the URLs examined for malware and a pop-up shown if a link appeared to be malicious.

Blackhat Academy showed this week that they could circumvent this technology by recognizing that the request for the URL was coming from Facebook, and displaying a different webpage to Facebook than the actual page delivered to users. Here's an example of how this works from PC World:

Blackhat Academy members provided a live demonstration, which involved posting the URL to a JPEG file on a wall.

Facebook crawled the URL and added a thumbnail image to the wall post; however, clicking on its corresponding link actually redirected users to YouTube. This happened because the destination page was able to identify Facebook's original request and served a JPEG file.

"While most major sites that allow link submission are vulnerable to this method, sites including Websense, Google+ and Facebook make the requests easily identifiable," the Blackhat Academy hackers said.

"These sites send an initial request to the link in order to store a mirror thumbnail of the image, or a snapshot of the website being linked to. In doing so, many use a custom user agent, or have IP addresses that resolve to a consistent domain name," they explained.


Looks like Facebook is going to have to do a little work to hide the fact that these requests for categorization are coming from Facebook, if they want the true value of URL filtering.
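The defensive lesson of the post is that a scanner only learns what the user will see if it also fetches the link the way an ordinary browser would, and then compares the two. As an added illustration (not code from the original post, from PC World or from Blackhat Academy), the check below reduces two captured fetches of the same link to what a user actually experiences and reports every attribute that differs between the vantage points. The hostnames, the redirect target and the capture data are constructed placeholders.

```python
import hashlib
from dataclasses import dataclass

@dataclass
class Hop:
    """One HTTP response observed while following a link from one vantage point."""
    url: str
    status: int
    content_type: str = ""
    body: bytes = b""

def summarize(chain):
    """Reduce a redirect chain (list of Hop, in order) to the attributes a user
    actually experiences: where they end up, what kind of content, and its hash."""
    final = chain[-1]
    return {
        "final_host": final.url.split("/")[2].lower(),
        "content_type": final.content_type.split(";")[0].strip().lower(),
        "body_sha256": hashlib.sha256(final.body).hexdigest(),
        "redirects": sum(1 for h in chain if 300 <= h.status < 400),
    }

def cloaking_indicators(captures):
    """captures: {vantage_name: [Hop, ...]}. Return the attributes that differ
    between vantage points; an empty dict means every vantage saw the same thing."""
    summaries = {name: summarize(chain) for name, chain in captures.items()}
    diffs = {}
    for key in next(iter(summaries.values())):
        values = {name: s[key] for name, s in summaries.items()}
        if len(set(values.values())) > 1:
            diffs[key] = values
    return diffs

# Constructed sample: the scanner's identifiable request is handed a JPEG, while an
# ordinary browser is bounced to a video site (the scenario the post describes).
JPEG_MAGIC = b"\xff\xd8\xff\xe0" + b"\x00" * 28
CLOAKED = {
    "scanner": [Hop("http://link.example/pic.jpg", 200, "image/jpeg", JPEG_MAGIC)],
    "browser": [
        Hop("http://link.example/pic.jpg", 302),
        Hop("http://video.example/watch?v=placeholder", 200, "text/html; charset=utf-8", b"<html>..."),
    ],
}
# Constructed control: both vantages receive the identical image.
HONEST = {
    "scanner": [Hop("http://link.example/pic.jpg", 200, "image/jpeg", JPEG_MAGIC)],
    "browser": [Hop("http://link.example/pic.jpg", 200, "image/jpeg", JPEG_MAGIC)],
}

if __name__ == "__main__":
    print("cloaked:", sorted(cloaking_indicators(CLOAKED)))  # ['body_sha256', 'content_type', 'final_host', 'redirects']
    print("honest: ", cloaking_indicators(HONEST))           # {}
```

Any non-empty result is a reason to rate the link on the browser vantage (or to block it outright), not on what the scanner's own request was served.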

Saturday, October 8, 2011

QR Codes Lead to Malware

There's a new report about QR codes leading to malware. As the author mentions, it shouldn't be a surprise, and it was certainly expected to happen. It brings new light to the need for smartphone and tablet devices, those most likely to scan a QR code, to be protected the same way laptops and workstations are, behind something like a secure web gateway or web proxy.

While other reports have indicated there's little need for protection of iPhone devices, this new malware would indicate otherwise. Android is already known as the smartphone platform most at risk for malware.

So, if you haven't started looking at solutions for securing web browsing on mobile devices, maybe now is the time to start.

Friday, October 7, 2011

Panda Cloud Antivirus Outperforms McAfee, Microsoft and Trend Micro on Malware Protection in its First AV-Test.org Product Review

In Panda Cloud Antivirus' first participation in av-test.org's evaluation of antivirus vendors, Panda outperformed McAfee, Microsoft and Trend Micro among others.

The AV-Test.org evaluation, conducted between July and August 2011, compared Version 1.5.1 of Panda Cloud Antivirus to 24 other home user security products. The full report is available at http://www.av-test.org/no_cache/en/tests/test-reports/test-reports/?tx_avtestreports_pi1[report_no]=113111.

It's an interesting positive note for a cloud-based AV, and lends credence to other cloud-based architectures as well. So maybe the next step is cloud, or a mix of on-premise and cloud, otherwise known as hybrid.

Wednesday, October 5, 2011

Blue Coat Gets Slammed on Twitter

If you follow any of the proxy vendors on Twitter, you can get some interesting results. This past week, Blue Coat in particular (under the #bluecoat hashtag) has been called out as a co-conspirator in events in Syria. This happened because Telecomix, a hacking group, released 54GB of logs from what appears to be a Blue Coat device handling Syrian traffic, showing that Syria had been using the Blue Coat device to block websites and, in particular, to track internet usage.

While it's true Blue Coat devices allow blocking of websites (and in particular, most enterprises and ISPs use it for blocking malware and for corporate compliance), the Blue Coat device is just a tool. It's still the user of the Blue Coat device, in this case apparently the Syrian government, that chose to implement it and use it in the fashion that's being claimed. While I fully support freedom and democracy, I think it's a little short-sighted to blame what's essentially a tool for the actions of others.

Especially since the company making the tool doesn't generally have control over how the tool is used after the device has been sold. Note that even Blue Coat has claimed it has a policy against selling directly to Syria, but has no control over whether it's sold indirectly (through a reseller). It's like blaming the manufacturer of a kitchen knife for a crime committed with the knife.

This of course isn't the first controversy a secure web gateway has seen in the news. Other vendors, like M86 and Blue Coat, have seen controversy when their devices have been used in schools to block sites with LGBT (Lesbian, Gay, Bisexual, and Transgender) content. In those cases as well, it was the schools in question that implemented the policy, not the device provider, yet the protest and anger were directed at the hardware vendors, which seems to be misplaced and misguided blame.

Facebook Partners with Websense

Looks like Websense scored a coup this week with the announcement that Facebook is going to use their ThreatSeeker and ACE (Advanced Classification Engine) technologies as part of Facebook's standard offering. Using Websense, any time a user clicks on a link, it will get processed through Websense technology to determine if the link is malware or phishing, and a warning will be displayed if it's deemed malicious. There's also an opt-out, so if a user decides to bypass the warning, they still can.

It's good news for Facebook users, since any additional protection in today's malware-heavy world is a net positive. But what's interesting about this announcement, and perhaps something corporate users of Websense should take note of, is the inclusion of the ACE technology. By default, Websense's standard offering doesn't use ACE; it's an option that needs to be enabled.

We've talked about technology like ACE in other posts here on the Proxy Update, and definitely think any type of dynamic rating system for web sites is an absolute must for secure web gateways. So if you don't have it in your proxy or web gateway, you should investigate and consider turning it on, or moving to a technology that has this feature.

Tuesday, October 4, 2011

Future of Malware

This week Network World takes a look at the future of malware in a slideshow format. For those of us who battle it on a daily basis, it's always good to take a step back, look at the bigger picture, try to see where the evolution points are, and maybe, just maybe, get a step ahead.

Each slide covers a different aspect of malware, presented from the viewpoint of a different vendor. We've heard the term APT already, Advanced Persistent Threat, and it seems these attacks are getting more advanced if not more persistent. Slide 4 from the presentation talks about an attack where the wives of executives were targeted for a socially engineered malware attack, the idea being that they would be less tech savvy and have a less secure PC at home, offering a way to target the executives.

While mobile continues to be a concern, there was also an interesting slide that seemed to indicate that while mobile platforms like iPhone and Android may be interesting targets, it's more likely hackers are going to go for platform-agnostic malware that targets what these smartphone platforms and regular PC platforms have in common, like HTML and JavaScript.

Without any doubt, malware is in our future, and we need to stay vigilant with up-to-date security software, web proxies and secure web gateways.