Welcome to the Proxy Update, your source of news and information on Proxies and their role in network security.

Showing posts with label Security.

Friday, January 29, 2010

SEO Spreads Risk

This topic has been discussed quite a bit lately by almost all the major security vendors, but we haven't really talked about it here on this forum, so it's a good time to remind everyone of one of the newest forms of attack in the web space: poisoning Google's search results. Attackers use Google's own Search Engine Optimization (SEO) techniques to get infected web pages highly ranked in search results, especially for current topics that are high interest (recently the Haiti earthquake, the iPad announcement, Toyota's recall, and President Barack Obama's State of the Union address have all been targets).

What's really devastating about these poisoned search results is that the end-user isn't likely to realize they are getting infected, since the search result may eventually refer to a well-known site like CNN. But the referring link itself will contain some piece of malware, infecting the end-user's machine.

All the more reason for IT admins to make sure there's a proxy in place acting as a Secure Web Gateway with the right anti-malware software, and, for users traveling with laptops, a local software client protecting their web browsing as well.

Tuesday, January 26, 2010

Security Before the Proxy

Here at The Proxy Update, we all know the importance of having a proxy acting as a Secure Web Gateway to protect end-users who are browsing the web. But there's a whole layer of security before we even discuss the proxy, and that has to do with User Authentication.

Last month, Imperva examined 32 million passwords stolen from RockYou and found some disturbing trends in password practices among end-users.

According to the analysis, approximately one out of five Web users chose a simple, easily guessed password like "123456", "abc123", "iloveyou" or even "password" to protect their data.

“I guess it’s just a genetic flaw in humans,” said Amichai Shulman, the chief technology officer at Imperva, which makes software for blocking hackers. “We’ve been following the same patterns since the 1990s.”

So a reminder to IT admins: make sure your users know the importance of picking secure passwords, and understand what makes a password secure.
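As an added example (not code from The Proxy Update or from Imperva), here is a small password-policy check in Python that rejects the kinds of passwords the analysis above found: it is seeded with the four examples quoted in the post, strips the cosmetic digit and symbol substitutions users apply to dictionary words, and estimates brute-force strength. The length and entropy thresholds and the substitution table are assumptions for illustration, not figures from the analysis, and a real deployment would load a full list of commonly chosen passwords.

```python
import math
import re

# Seed list: the four examples the post quotes from the Imperva analysis.
# Assumption: a real deployment loads the full list of commonly chosen passwords.
COMMON_PASSWORDS = {"123456", "abc123", "iloveyou", "password"}

# Substitutions users make to dress up a dictionary word
# (assumption: a representative subset of the usual replacements).
LEET = str.maketrans({"@": "a", "0": "o", "1": "i", "!": "i", "3": "e",
                      "$": "s", "5": "s", "4": "a", "7": "t"})

MIN_LENGTH = 12          # policy thresholds are assumptions, not from the post
MIN_ENTROPY_BITS = 40


def normalize(password: str) -> str:
    """Undo the cosmetic changes that turn 'password' into 'P@ssw0rd1'."""
    base = password.lower()
    base = re.sub(r"[\d!?.]+$", "", base)   # drop a trailing run of digits/punctuation
    return base.translate(LEET)              # then map the look-alike characters back


def estimated_entropy_bits(password: str) -> float:
    """Crude brute-force estimate: length * log2(size of the character pool used)."""
    pool = 0
    if re.search(r"[a-z]", password):
        pool += 26
    if re.search(r"[A-Z]", password):
        pool += 26
    if re.search(r"\d", password):
        pool += 10
    if re.search(r"[^a-zA-Z0-9]", password):
        pool += 33
    return len(password) * math.log2(pool) if pool else 0.0


def check_password(password: str) -> list:
    """Return the reasons a password fails the policy; an empty list means it passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("on the common-password list")
    elif normalize(password) in COMMON_PASSWORDS:
        problems.append("common password with cosmetic substitutions")
    if estimated_entropy_bits(password) < MIN_ENTROPY_BITS:
        problems.append(f"estimated entropy below {MIN_ENTROPY_BITS} bits")
    return problems


if __name__ == "__main__":
    # Constructed candidates: the post's examples plus a dressed-up variant and a long passphrase.
    for candidate in ["123456", "P@ssw0rd1", "iloveyou", "correct horse battery staple"]:
        verdict = check_password(candidate)
        print(f"{candidate!r}: {'OK' if not verdict else '; '.join(verdict)}")
```

The entropy figure is deliberately crude (it assumes a uniformly random choice from the character pool, which users never make), which is why the common-password check comes first: a long, leet-spelled dictionary word scores well on entropy and still falls immediately.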

Tuesday, January 12, 2010

2010: Is it all hype?

When the year 2000 arrived, there was all this worry that computers would crash and our infrastructure would have problems from the date rollover. Nothing significant happened. But we surprised ourselves when 2010 came around: there actually were news reports of computers having problems with the date change.

Some of the reported problems included:

Symantec's "Endpoint Protection" business anti-virus solution started the new year by labelling signatures dated 01/01/2010 or newer as "out of date" even though the signatures are current. Symantec is reportedly working to fix the flaw. Until an update has become available, the vendor will date any further new signatures December 31, 2009 and only increase the revision number. Affected products include Symantec Endpoint Protection v11.x and Symantec Endpoint Protection Small Business Edition v12.x.

The Internet Storm Center reports that Cisco's Content Switching Module (CSM) has problems with its load balancing feature. The default cookie expiration in the load balancer is reportedly set to 01/01/2010 and has, therefore, expired. As a result, connections to programs such as web applications are reportedly being continuously "rebalanced".


I guess it's never too late to check to make sure your code is date compliant.
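One way to make that check concrete, as an added example not taken from the post or from the vendors named above: a Python harness that runs a date-comparison routine over year-rollover boundaries and reports the pairs it misorders, alongside a freshness check and a cookie-expiry check built on it. The lexical MM/DD/YYYY comparison it catches is a hypothetical illustration of how a signature-freshness or expiry check can fail at a rollover; the post does not say what actually caused the Symantec or Cisco problems.

```python
from datetime import datetime, timedelta

DATE_FMT = "%m/%d/%Y"   # the MM/DD/YYYY form used in the reports quoted above

# Year boundaries (and a leap day) that date-handling code tends to get wrong.
ROLLOVER_PAIRS = [
    ("12/31/1999", "01/01/2000"),
    ("12/31/2009", "01/01/2010"),
    ("12/31/2019", "01/01/2020"),
    ("02/28/2012", "02/29/2012"),
]


def parse_date(text: str) -> datetime:
    return datetime.strptime(text, DATE_FMT)


def is_older_string_compare(a: str, b: str) -> bool:
    """Hypothetical buggy check: compares MM/DD/YYYY text lexically, so the month
    field decides and '01/01/2010' sorts before '12/31/2009'. Illustrative only."""
    return a < b


def is_older(a: str, b: str) -> bool:
    """Correct check: parse both dates and compare them as dates."""
    return parse_date(a) < parse_date(b)


def find_rollover_bugs(is_older_fn) -> list:
    """Run a date-comparison function over the boundary pairs; return the pairs it misorders."""
    return [(older, newer) for older, newer in ROLLOVER_PAIRS
            if not is_older_fn(older, newer) or is_older_fn(newer, older)]


def signature_out_of_date(signature_date: str, newest_seen: str, is_older_fn=is_older) -> bool:
    """A signature set is stale only if it is older than the newest set we know about."""
    return is_older_fn(signature_date, newest_seen)


def cookie_expired(expires: str, now: datetime) -> bool:
    """A fixed absolute expiry (like the default 01/01/2010 in the load-balancer report)
    is wrong the moment the calendar passes it."""
    return parse_date(expires) <= now


def relative_expiry(now: datetime, days: int) -> str:
    """Prefer an expiry computed from the current time over a hard-coded date."""
    return (now + timedelta(days=days)).strftime(DATE_FMT)


if __name__ == "__main__":
    print("string compare misorders:", find_rollover_bugs(is_older_string_compare))
    print("datetime compare misorders:", find_rollover_bugs(is_older))
    print("01/01/2010 signatures stale? buggy:",
          signature_out_of_date("01/01/2010", "12/31/2009", is_older_string_compare),
          "correct:", signature_out_of_date("01/01/2010", "12/31/2009"))
    jan4 = parse_date("01/04/2010")   # constructed "today"
    print("fixed 01/01/2010 cookie expired on Jan 4 2010?", cookie_expired("01/01/2010", jan4))
    print("relative expiry instead:", relative_expiry(jan4, 7))
```

The harness is the reusable part: drop any comparison routine your code relies on into find_rollover_bugs, add the boundaries that matter to you (fiscal year, two-digit years, 2038 for 32-bit epoch seconds), and run it as a unit test before the calendar does it for you.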

Thursday, December 10, 2009

A Separate AV/Malware Box?

For those admins who are looking to refresh their proxy architecture and evaluating the various vendors of Secure Web Gateways, you may be wondering whether there's a benefit to having the AV (anti-virus) and malware scanning on a separate box. The 600 lb gorilla in the marketplace for web gateway appliances, Blue Coat Systems, uses a two-box architecture, while most of its competitors use a single-box design running the AV and malware scanning on the same box as the gateway.

What's the advantage of the second box? In reality the big gain is scale and throughput: by offloading scanning to a second box, you can handle much higher throughput and many more connections. Even if neither of these is a concern for you, consider what happens when an AV or malware engine goes into a CPU usage storm, and whether you want that to affect the other users of the web gateway. There are files designed to cause AV engines to go into infinite processing loops, and if your AV or malware engine hasn't been tuned to detect these, an AV CPU spike will cause web downtime for your end-users if you aren't using a separate box for AV and malware scanning.

If web access isn't mission critical to your organization, and you aren't concerned with scale and throughput, a single box solution may be the answer. But before you go that route, make sure you price out the two box solution, and make the right decision based on all the factors and features available to you.

Friday, December 4, 2009

The Latest in Trojan Attacks

From http://www.webhostingfan.com/2009/12/the-latest-in-trojan-attacks/


Just when it seems as though malware and Trojan attacks could not get much worse, along comes yet another to toss a monkey wrench into the works. The latest Trojan horse program to be released on the Web is the URLzone Trojan that attacks banks.

Is that your bank?

The URLzone Trojan horse program was discovered by Finjan Software at the end of September, 2009 and has been reported as being extremely advanced. The program rewrites bank pages in such a way that unsuspecting victims have no idea that their bank accounts are being emptied. With an integrated command-and-control interface, nefarious types can set specific amounts they would like to remove from their victims' accounts.

Slippery little bugger

Not only has this bit of malicious coding gathered the interest of Finjan, but RSA Security has been tracking and researching URLzone. Thus far the Trojan horse program has proven to be a bit of a slippery one to catch. The malware uses several techniques to peg machines being used by law enforcement and investigators in attempts to catch URLzone. The one good thing to come of this is that the creators of the program know they are now being watched and are reacting.

Just how slippery is this Trojan? Once it has detected it is being monitored, it continues to force a money transfer. Instead of using one of its own people, it grabs a legitimate and innocent victim who has been part of legal money transfers in the past and makes it appear as though that person is generating the transaction. The end result is a bunch of very confused investigators.

To date, over 400 unsuspecting accounts have been used as mules, over 6,400 computers have been infected with URLzone, and the total amount cleared on a daily basis has been in excess of $17,500.

How does it work?

How does URLzone work its way onto unsuspecting computers? Once the malware executes, a copy is made of itself to c:\uninstall02.exe. An ID is created and this is sent along with a version ID of URLzone to the command-and-control interface. This effectively sends a confirmation that the machine in question is now infected with the Trojan. The command-and-control interface then logs the information, downloads a new executable, and copies itself to the SYSTEM32 directory with a random and hidden name. The program does not change any existing system files and needs to add itself to the startup registry each time the machine in question is rebooted.

At this point, URLzone hooks itself to the svchost.exe process and quietly checks with the command-and-control interface for new updates and commands while simultaneously watching for web browsers to open. Once a web browser is opened, the Trojan horse program goes to work and the unsuspecting computer user is completely unaware anything is happening.

Final Thoughts

All in all, the URLzone Trojan horse program is one nasty piece of work. The best defense any computer user can take is ensuring that their operating system is up to date with the latest security updates and their anti-virus protection software has been recently updated with all the latest information.

Once again, you should also make sure you're protecting your end-users from browsing malware sites, and your proxy is scanning for malware, with the latest anti-malware updates.

Thursday, September 24, 2009

How SSL-encrypted Web connections are intercepted

I've written plenty of articles in the past about SSL and proxies. SSL is an important piece you shouldn't forget when securing web access for your organization. SearchSecurity.com published an article this week on how SSL-encrypted web connections can be intercepted, from legitimate uses (proxying and filtering) to illicit interception. It's a good, long article explaining the different technologies involved. Follow the link in the title above for the full article.

Thursday, September 17, 2009

Choosing the Right Anti-Malware/Anti-Virus for Your Proxy

I've talked a lot about having a scanning engine on your enterprise proxy implementation. You need this to make sure you're scanning any web pages your end-users visit for malware or viruses.

This of course raises the question: which anti-malware or anti-virus software should you be using with your proxy? It's a tough question if the proxy is new to your network, or if you haven't run an anti-malware package with your proxy before.

Almost every organization out there is already running anti-virus and anti-malware for email and desktops. Deciding which package to run for web depends on what you're trying to accomplish. If you need an extra layer of protection and the desktop package already scans web pages, you probably want to run a different vendor on the proxy so that you get an added layer of defense.

The other thing you should look into is how much CPU each vendor uses, and how easy it is to write policy to determine what gets scanned, so that not everything is scanned (e.g. radio streams and video streams should probably not be scanned). In addition, cost, reputation, and actual catch rates will be factors in your decision. There's one site out there, avtest.org, that rates the catch rates of the various anti-virus and anti-malware vendors and may be a good starting point for research. Of course not all vendors will agree with the results from this site, and it's also important to research false positive rates. The right answer for anti-malware and anti-virus packages will be different for each organization, so be sure to do your research when you select the package to work with your proxy.
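As an added example (not any vendor's policy syntax and not from the post), here is a Python rule evaluator that makes the scan/bypass decision described above for each HTTP response the proxy fetches: risky file types are always scanned even when mislabelled, radio and video streams are bypassed because they never end, and oversized objects are skipped. The content-type lists, extension list and size ceiling are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Thresholds and lists below are assumptions for illustration, not vendor defaults.
MAX_SCAN_BYTES = 50 * 1024 * 1024
STREAM_TYPES = ("audio/", "video/", "application/ogg", "application/vnd.apple.mpegurl")
RISKY_EXTENSIONS = (".exe", ".dll", ".msi", ".scr", ".zip", ".rar", ".pdf", ".doc", ".xls", ".jar")
RISKY_TYPES = ("application/x-msdownload", "application/x-msdos-program",
               "application/zip", "application/pdf", "application/java-archive")


@dataclass(frozen=True)
class Response:
    url: str
    content_type: str                 # raw Content-Type header value
    content_length: Optional[int]     # None when the length is unknown (chunked or a live stream)


def scan_decision(resp: Response) -> Tuple[str, str]:
    """Decide whether the gateway hands a response to the scanning engine.
    Rules are ordered; the first match wins. Returns (action, reason)."""
    ctype = resp.content_type.split(";")[0].strip().lower()   # drop charset and other parameters
    path = urlsplit(resp.url).path.lower()

    # 1. Files that commonly carry malware are scanned no matter how the server labels them.
    if path.endswith(RISKY_EXTENSIONS) or ctype in RISKY_TYPES:
        return "scan", "risky file type"

    # 2. Radio and video streams never end, so a scanner would buffer forever.
    if ctype.startswith(STREAM_TYPES):
        return "bypass", "streaming content"

    # 3. Very large objects would hold a scanning thread (and the user) for too long.
    if resp.content_length is not None and resp.content_length > MAX_SCAN_BYTES:
        return "bypass", "exceeds size ceiling"

    # 4. Everything else (pages, scripts, images, unknown-length bodies) is scanned.
    return "scan", "default"


if __name__ == "__main__":
    # Constructed sample responses, not captured traffic.
    samples = [
        Response("http://radio.example.test/live", "audio/mpeg", None),
        Response("http://files.example.test/setup.exe", "audio/mpeg", None),
        Response("http://www.example.test/index.html", "text/html; charset=utf-8", 12345),
        Response("http://mirror.example.test/image.iso", "application/octet-stream", 700 * 1024 * 1024),
        Response("http://cdn.example.test/app.js", "application/javascript", None),
    ]
    for resp in samples:
        action, reason = scan_decision(resp)
        print(f"{action:6} {reason:22} {resp.url}")
```

The ordering is the point: a bypass rule written purely on Content-Type would let an executable served as audio/mpeg through unscanned, so the risky-type rule has to come first, and the size bypass is a deliberate trade-off that your policy should log rather than silently take.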

Friday, September 4, 2009

Man-in-the-Middle HTTPS Attack Weak Point in Major Browsers

Softpedia reported this week on a research project carried out at Microsoft, where developers broke numerous secure HTTPS connections using a man-in-the-middle attack with the aid of a specially configured proxy. Based on the results of this research, security experts from SecurityFocus revealed several vulnerabilities found in all major modern browsers.

From the article:

The SecurityFocus advisory initially targeted Mozilla (which subsequently released a security update), but it was recently updated to reflect all major browsers like: Opera, Internet Explorer, Safari and Chrome.

Using Pretty-Bad-Proxy (PBP), three developers from Microsoft and a teaching assistant from Purdue's Computer Science department revealed several loopholes in browser behavior regarding HTTPS connections. They were able to inject HTML and scripting language inside a secure page, which led to a breach inside the HTTPS connection without ever breaking the cryptographic scheme.

This way, they were able to steal secure data from the connection, fake a secure server, fake a secure page and impersonate an authenticated user in a server-client conversation. Regarding this issue, the developers said in their statement that “These vulnerabilities reflect the neglects in the design of modern browsers. […] Thus further (and more rigorous) evaluations of the HTTPS deployments in browsers appear to be necessary.”

According to the researchers, all major web browser companies were informed about this issue and have planned to patch their browsers. Until now, only Firefox was updated in June. Meanwhile, the rest of the browsers continue to be vulnerable against man-in-the-middle type of attacks in HTTPS connections.

In principle, the major flaw that cripples all browsers is that they are executing all error messages inside the secure environment of the page being called, so all requests and data can be sniffed and modified by PBP. If cookies are enabled and involved in the authentication process, credentials and account info can be intercepted and stolen.

Thursday, June 11, 2009

More Mac OS X malware discovered

Those of us in the security business tend to ignore the users under our care who use Macs. Macs are less likely to be targeted, and they don't generate anywhere near the number of problems that Windows machines do in terms of viruses and malware.

But if there's one thing you can be sure of in the security world, it's that nothing is absolutely safe. Sophos just reported on some Mac OS X malware on their blog.

Last night, SophosLabs was sent a message containing what claimed to be the “SRC CoDE of new Macintosh Worm” and so our Canadian labs released OSX/Tored-Fam, a generic way for us to detect future variants of the Tored family of malware.

One of the files was called ReadIt.txt and contained the following text:

RESPECT about what are you talking about me (cybercriminal..)
Dont say what you ignore !!!!!!!!


Then, this morning, Graham pointed me in the direction of the ParetoLogic blog which detailed a new piece of malware (which Sophos detects as OSX/Jahlav-C) hiding out on what presents itself as a hardcore porn website.


Two pieces of Mac OS X malware released in one week. A good reminder for all of us that Macs need to be behind a proxy and protected as well.

Monday, May 11, 2009

How can you handle risks that come with social networking?

Last week I wrote about one of a collection of seven pieces on Burning Security Questions published by Network World. I'm going to look at a second piece today, on the risks that come with social networking. Facebook, MySpace and Twitter are hard for your end-users to resist, but they can bring security dangers to your organization's network.

From the article:

[I]t comes with huge risks that range from identity theft to malware infections to the potential for letting reckless remarks damage corporate and personal reputations.

...

Jamie Gesswein, MIS network engineer at Children's Hospital of the King's Daughters in Norfolk, Va. ... still favors blocking general access to social-networking sites unless that access is really needed.

"Be careful of what you post," Gesswein says. "I know users who post anything on everything on these sites. It is at times almost a contest to see who can outdo whom."

He thinks social-networking enthusiasts may be missing the point that this posted information stays around for many years and could come back to haunt them if a job recruiter tries to find out about their digital past.

...

Gaby Dowling, IT manager for international law firm Proskauer Rose, says there's a sound business argument for using social networking sites such as LinkedIn, but she worries about the potential for malware being spread by exploiting trust.

"The Koobface worm spread on Facebook was tricking you because you were receiving that from a trusted party," she points out.

"Social networking sites carry high risks of infecting systems with malware," says SystemExperts analyst Jonathan Gossels, who adds, "At a policy level, employees should not be visiting social-networking sites from production systems."
...

"A typical Facebook or MySpace user session ranges from a few minutes to tens of minutes so you could write an application that farms personally identifiable information," Schwartz said.


This is of course a good reminder not only to keep your end-users informed of the risks of social networking, but to make sure your secure web gateway proxy is up to date and running anti-malware protection to block attacks like Koobface. The latest proxy technology should protect you from the malware threats found on social networking sites, but unfortunately it won't protect your end-users from making bad decisions.

Thursday, April 23, 2009

Boost your corporate security posture even if you don’t have any budget

It's no surprise to anyone right now that it's a tough economy out there, and that translates to tough times for many IT budgets. With shrinking budgets, how does an IT administrator keep their network and applications secure? Network World tackled that topic this week with an article on boosting your corporate security even if you don't have the budget dollars to support it. How do they recommend you do this? Use the products you already have in your network. Most companies probably aren't using the products they own to their fullest potential; there are likely a lot of features you haven't tried on your existing network devices that may actually solve some of the problems you had originally planned on tackling.

Network World discussed some hidden security features in Cisco devices, but all devices probably have something of value you didn't know was already there, and web proxies are no exception. Blue Coat proxies, for example, are chock full of features besides web proxy capability. Were you planning a CDN project? An IM control project? A DLP project? The Blue Coat proxy already in your network might get you all the way there, or at least part of the way, towards solving another one of your security issues.

Thursday, April 2, 2009

Short-lived Web malware: Fading fad or future trend?

Security software vendor AVG Technologies announced that Web-based malware attacks are now so prevalent that attackers craft them to be "secretive, short-lived and fast-moving." This trend became more obvious this week with the Conficker virus, which tried to access domains that did not even exist, causing domain registrars to scramble to block registrations of 50,000+ domains. A short-lived, more sophisticated web delivery mechanism reduces the likelihood of the attack being caught by antivirus signatures or heuristic checks.

From Tech Target's article on the same topic:

One of the best ways to counter newly created sites containing malware is to use some sort of proxy or Web filter that denies new sites not yet scanned and classified under a certain category (i.e. business, investing, news, social networking, etc.). While this strategy will help prevent new websites from compromising systems, it doesn't do anything for compromised legitimate sites allowed by default. For those sites, the best option is to ensure the enterprise security products in place are configured to combat the entire Web threat landscape, namely via real-time analysis of sites prior to serving them to users.


We couldn't have said it better ourselves. Make sure you use a proxy and a web filter, make sure your anti-virus is up to date, and use some type of real-time rating system or block unknown categories!

Wednesday, April 1, 2009

15 Foolish High Tech Stories

Network World chose to honor April Fools' Day with a story on 15 "foolish" stories that have occurred over the last year. Some interesting tidbits include the rise in fake security programs from 2,500 to close to 10,000 this year, and the rise in online scams taking advantage of the government's stimulus program.

Both of these are good reminders to keep an eye on corporate security and an eye on what your end-users are downloading from the internet into the corporate network. The secure web gateway remains the best defense against malicious intent.

Sunday, March 29, 2009

April 1st, April Fools

With April 1 coming soon, there's plenty to worry about if you're a security administrator. First off, there are plenty of articles already floating around the internet worrying about what the Conficker worm will do on April 1st. The experts still aren't quite certain what, if anything, Conficker might do when it activates its payload. With that uncertainty, and the usual glut of viruses and practical jokes that occur on April Fools' Day, the typical security administrator should have no lack of things to worry about.

As a part-time administrator myself (I do still manage all my home systems, and the systems of family members, even if I don't currently manage a corporate network), it still amazes me when one of my end-users asks me why a web page is being blocked. I'm amazed because the software I have installed on their system (the free K9 software from Blue Coat), says specifically why (spyware or malware source, or illegal/questionable) they are being blocked, yet the typical end-user wants to go to that site anyway (since it came up in a search of what they were looking for). With April 1st coming around the corner, I'll have to redouble my resolve to keep blocking bad websites. The corporate admin should never lose their resolve to keep their security in place.

Friday, March 27, 2009

Melissa virus turning 10 ... (age of the stripper unknown)

We celebrate a notorious anniversary this week: it's the 10th anniversary of the Melissa virus, one of the more well-known email viruses. Some of the comments on the Network World article on the anniversary include disbelief that it's been 10 years already since the outbreak of Melissa. It does seem like only yesterday that IT admins were cleaning up the mess left by Melissa. This anniversary is a good reminder for all admins to stay vigilant and review the current security measures in place for any traffic that goes to or comes from the internet.

Thursday, March 26, 2009

China becoming the world's malware factory

It's not a surprise to anyone already working in the security industry, but a lot of malware and viruses come from or are hosted in China. A new article in Network World this week highlighted this fact.

With China's economy cooling down, some of the country's IT professionals are turning to cybercrime, according to a Beijing-based security expert.

Speaking at the CanSecWest security conference last week, Wei Zhao, CEO of Knownsec, a Beijing security company, said that while many Chinese workers may be feeling hard times, business is still booming in the country's cybercrime industry. "As the stock market dropped like a stone, a lot of IT professionals lost lots of money on the stock market," he said. "So sometimes they sell 0days," he said, referring to previously unknown software bugs.


This increase in cybercrime should be a concern to any IT administrator. The job of security is difficult enough without the addition of more hackers intent on bringing malware to our end-users. And hackers are finding more ways to target end-users. Just look at this quote below from Network World.

Hackers have had a lot of success launching widespread 0 day attacks against programs like RealPlayer and Adobe Flash, but they have also hit local Chinese programs, including Xunlei, QQ and UUSee.


Need I say any more?

Tuesday, March 24, 2009

Hacked page hauls estimated at $10,000 a day

A new study out from Finjan estimates that embedded URLs on compromised web pages are netting a huge haul of cash for hackers.

The attackers had compromised a series of pages which were then embedded with lists of popular search terms collected from services such as Google Trends or current news items. The same pages were then injected with obfuscated code that redirected to the attack page, which used fake alert boxes to convince the user to download and purchase the bogus security software for $50 (£34).


We've talked about compromised web pages on this blog before, and it's important to remember that even well-known and trusted sites can be compromised. That's why it's important to make sure your end-users are browsing the web safely through a secure web gateway or proxy that has embedded-URL blocking (so they can get to the content they need without the entire page having to be blocked) and that scans for malware and viruses. Equally important is real-time rating of URLs, since risky sites are added to the web daily.

Friday, March 20, 2009

Microsoft Security Update Fails

PandaLabs' IT security laboratory has issued an advisory to users regarding Microsoft's recently released MS09-008 update, which is designed to fix vulnerabilities in the Windows DNS server and WINS server. According to the press statement, an unpatched flaw has been detected in the DNS server, specifically in WPAD (Web Proxy Auto-Discovery Protocol) registration.

"If an attacker manages to redirect targeted users to a malicious proxy, they could obtain private information, redirect them to malicious pages in order to infect them with malware, or monitor their Internet movements," said Luis Corrons, technical director at PandaLabs.

This vulnerability could be used to launch man-in-the-middle attacks on Windows DNS servers. Clients have to download WPAD entries from the DNS server, and these entries could be affected by the attack. An attacker who could exploit this vulnerability may successfully redirect users' traffic through a malicious proxy.

However, the laboratory further advises users of these systems to be extra cautious, to keep an eye out for new Microsoft updates that patch this vulnerability, and to apply them as soon as possible.

Thursday, March 19, 2009

The Crossover from Email to Web

It wasn't that long ago that we thought of email when someone said the word virus or malware. Corporate IT budgets included line items for an email gateway, and anti-virus software became so commonplace that today I doubt there are any organizations without some form of protection on their incoming email. While we continue to hear about virus and malware outbreaks, for the most part they have moved from email to hybrid viruses, ones that use a combination of email, vulnerabilities, and/or web pages to deliver their payload.

Because email is so well protected today, much of today's malware is distributed on web pages, where there's less protection. Even if you are protected by a corporate web proxy, it's unlikely you have the same protection when browsing the web from home, and that leaves the web an inviting target for those intent on doing harm. It's also likely that you aren't protected by a corporate web proxy at all, or that your corporate web proxy doesn't do any anti-virus or anti-malware scanning. The reason, of course, is that most IT departments implemented the web proxy to enforce corporate HR policy, not to protect the organization from malware and threats.

With the recent shift of attacks from email to hybrid and web, there's a real need for organizations to re-evaluate their web security and start scanning the web pages their users access from the corporate network for viruses and malware. It's a tough decision to implement such a policy, as there's less tolerance for slowdowns created by an added layer of scanning in web browsing than in email. With email you can get away with a slightly longer delay when scanning for viruses; web pages are so interactive that your users demand real-time response when requesting information.

As an IT administrator, you need to make sure you're protecting your organization from web-based threats, but at the same time you need to make sure your solution doesn't add any unnecessary latency, or you'll find yourself subject to more helpdesk calls. In previous articles we've talked about ICAP as a protocol to offload anti-malware and anti-virus scanning to separate processor boxes, keeping the latency created by scanning to a minimum.
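As an added example that serves both the two-box discussion in the December 10 post and the ICAP mention above (it is not the page's code and not any vendor's implementation), here is a Python sketch of the RESPMOD exchange defined in RFC 3507 that a gateway uses to hand a fetched object to a separate scanning box: it builds the ICAP request with correct Encapsulated offsets, then interprets the scanner's reply (204 means serve the original untouched; 200 carries a replacement such as a block page). The hostnames, service name, ISTag value and sample traffic are constructed for the example.

```python
CRLF = b"\r\n"


def chunked(body: bytes) -> bytes:
    """HTTP/1.1 chunked transfer-coding (one chunk plus terminator); ICAP requires it for every encapsulated body."""
    if not body:
        return b"0" + CRLF + CRLF
    return b"%x" % len(body) + CRLF + body + CRLF + b"0" + CRLF + CRLF


def dechunk(data: bytes) -> bytes:
    """Reverse of chunked(): concatenate chunk payloads until the zero-length chunk."""
    out, pos = b"", 0
    while True:
        end = data.index(CRLF, pos)
        size = int(data[pos:end].split(b";")[0], 16)   # ignore chunk extensions
        pos = end + 2
        if size == 0:
            return out
        out += data[pos:pos + size]
        pos += size + 2


def build_respmod(icap_host: str, service: str, req_hdr: bytes, res_hdr: bytes, body: bytes) -> bytes:
    """Wrap an HTTP response (and the request that produced it) in an ICAP RESPMOD request.
    req_hdr and res_hdr must each be complete header blocks ending in a blank line."""
    assert req_hdr.endswith(CRLF + CRLF) and res_hdr.endswith(CRLF + CRLF)
    # Encapsulated lists the byte offset of each section, measured from the start of the encapsulated part.
    encapsulated = b"req-hdr=0, res-hdr=%d, res-body=%d" % (len(req_hdr), len(req_hdr) + len(res_hdr))
    head = (b"RESPMOD icap://%s/%s ICAP/1.0" % (icap_host.encode(), service.encode()) + CRLF
            + b"Host: " + icap_host.encode() + CRLF
            + b"Allow: 204" + CRLF          # we accept "204 No Modifications" and will serve the original
            + b"Encapsulated: " + encapsulated + CRLF + CRLF)
    return head + req_hdr + res_hdr + chunked(body)


def parse_icap_reply(reply: bytes):
    """Split an ICAP reply into (status code, headers dict, encapsulated part)."""
    head, _, encapsulated_part = reply.partition(CRLF + CRLF)
    lines = head.split(CRLF)
    code = int(lines[0].split(b" ")[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode()
    return code, headers, encapsulated_part


def scan_verdict(reply: bytes) -> tuple:
    """Translate the scanner's ICAP reply into what the gateway should do.
    Returns (verdict, replacement_body); the body only matters for 'modified'."""
    code, headers, part = parse_icap_reply(reply)
    if code == 204:
        return "clean", b""            # serve the original response untouched
    if code == 200:
        offsets = dict(item.strip().split("=") for item in headers["encapsulated"].split(","))
        if "res-body" not in offsets:
            return "modified", b""     # headers replaced, no body returned (null-body)
        return "modified", dechunk(part[int(offsets["res-body"]):])
    return "error", b""                # 4xx/5xx from the scanner: apply the site's fail-open/fail-closed policy


# Constructed sample traffic (not captured from any real gateway).
SAMPLE_REQ_HDR = b"GET /downloads/setup.exe HTTP/1.1" + CRLF + b"Host: files.example.test" + CRLF + CRLF
SAMPLE_RES_HDR = b"HTTP/1.1 200 OK" + CRLF + b"Content-Type: application/octet-stream" + CRLF + CRLF
SAMPLE_BODY = b"MZ\x90\x00 (constructed placeholder, not a real executable)"

# A scanner reply saying "nothing found" ...
SAMPLE_CLEAN_REPLY = (b"ICAP/1.0 204 No Content" + CRLF + b'ISTag: "constructed-sig-1"' + CRLF
                      + b"Encapsulated: null-body=0" + CRLF + CRLF)
# ... and one that replaces the download with a block page.
BLOCK_RES_HDR = b"HTTP/1.1 403 Forbidden" + CRLF + b"Content-Type: text/plain" + CRLF + CRLF
BLOCK_BODY = b"This download was blocked by the scanning engine (constructed sample)."
SAMPLE_BLOCK_REPLY = (b"ICAP/1.0 200 OK" + CRLF + b'ISTag: "constructed-sig-1"' + CRLF
                      + b"Encapsulated: res-hdr=0, res-body=%d" % len(BLOCK_RES_HDR) + CRLF + CRLF
                      + BLOCK_RES_HDR + chunked(BLOCK_BODY))


if __name__ == "__main__":
    request = build_respmod("scanner.example.test", "respmod", SAMPLE_REQ_HDR, SAMPLE_RES_HDR, SAMPLE_BODY)
    print(request.decode("latin-1"))
    print(scan_verdict(SAMPLE_CLEAN_REPLY))
    print(scan_verdict(SAMPLE_BLOCK_REPLY))
```

In a real gateway the request goes out over a socket opened with a timeout. A scanner that never answers, which is exactly what the CPU-storm scenario in the December 10 post produces, then surfaces as a timeout rather than a verdict on the gateway side while the gateway itself keeps serving everyone else; whether the gateway serves or blocks that one object is the site's fail-open/fail-closed policy decision, not something the protocol decides for you.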

Thursday, March 12, 2009

Online March Madness May Boost Morale at Work but Can Also Pose Risk

As hoops fans and businesses prepare for the March Madness season, Websense, Inc. (NASDAQ: WBSN), a leader in secure Web gateway technology, today reported double-digit increases in the number of sports and gambling Web sites from a year ago, as well as a trend among attackers to use major events like March Madness to spread information-stealing malware through the Web and email.


The quote above from the linked article should be enough to give any IT administrator pause and prompt them to re-evaluate their web security, to make sure it's up to date and blocking malware.

While blocking malware is important, there's one other side-effect of March Madness that IT administrators need to fear as well. Whenever there's a major sporting event, or any other widely broadcast event, there's a very real possibility that event watchers using the internet link at work will overwhelm the organization's internet link, making it impossible for other employees to get any work done.

In this instance a malware-blocking web proxy isn't sufficient; you also need one that has a sophisticated cache engine capable of caching video from the web, so that it's only requested once across the WAN link and distributed from the proxy to anyone in the organization requesting that video. The other option, of course, is just to block access completely, which may have the unintended side-effect of pushing users to tactics like using anonymous proxies to bypass the corporate proxy.