Welcome to the Proxy Update, your source of news and information on Proxies and their role in network security.

Friday, April 8, 2011

Captcha Protected Malware

The Blue Coat Security Group has written about a new way of distributing malware on the web. A few new official-looking, corporate-style websites have popped up here in the U.S. and in the U.K., offering jobs on completion of an online examination.

The unfortunate part about these websites is that they look even more official, since they require the end user to pass through a "captcha" before getting to the exam. A "captcha", in case you aren't familiar with the term, is a graphic of squiggly letters and numbers that supposedly cannot be read by a machine, so that only a human can recognize them; you have to enter them correctly to proceed.

While these malware sites require passing through a "captcha", it turns out that you can enter anything in the field: you get past the "captcha" and the malware download starts automatically, instead of any online examination.

The key to protecting yourself here is, of course, what we always say: make sure you're browsing the web behind a secure web gateway or proxy that's running up-to-date web filtering and anti-malware software. For end users who need protection and aren't on a corporate network, there's also Blue Coat's free software, K9, available at www.getk9.com.

Thursday, April 7, 2011

Email Malware Gets Big Uptick


Commtouch is reporting this week that there's a huge spike in the amount of email with attached malware.

From their blog:

Virus distributors have steadily decreased their usage of email as a means of malware distribution. The more popular methods nowadays include the use of drive-by downloads as well as “voluntary” downloads of “shockwave updaters” and “movie codec files”.

But the last day or so has seen very high levels of emails with attached malware. At one point these accounted for over 30% of all email received. The sudden increase can be seen in the graph.


It's surprising, since the amount of malware delivered by email had actually been going down while web delivery had been going up. It makes me wonder if the increase in web security is driving malware writers back to email as a delivery mechanism. Maybe they think security companies have gone lax on email as they've stepped up web security. The key takeaway? Keep your security up to date, no matter what it's protecting.

Wednesday, April 6, 2011

Cisco calls out Websense on Lizamoon attack

If you've been following the malware news this past week, you've probably noticed an article or two on Websense's report regarding a new malware attack based on an SQL injection, which they dubbed 'Lizamoon'. As the news progressed, so did their numbers on how many sites were affected. By their own count they claimed as many as 1.5 million websites were compromised, and other news outlets even claimed 4 million sites were compromised.

But yesterday Websense updated their website and claimed the numbers may have been inflated a little bit, and that in reality probably only 500,000 sites were infected.

Cisco, specifically its ScanSafe division, took offense at even that number and reported that likely not even 1,000 sites were infected.

From a threatpost article on the issue:

Landesman said Cisco had identified only 1,154 unique compromised Websites between September, 2010 and March 2011 that were associated with the mass SQL injection attacks. Even within those domains, the individual or group behind the SQL injection attacks is throttling the distribution of attack code, meaning just a fraction of all potentially malicious encounters actually deliver malicious code. Landesman said the "live encounter rate" is around 0.15%, according to Cisco data.

Cisco has had only a handful of detections, she said. Other firms, also, said they were seeing only low numbers of compromises related to Lizamoon. Kaspersky Lab reports just four detections from domains associated with the Lizamoon SQL injection attacks. Websense did not respond immediately to a request for comment.

Cisco said it is providing a signature for the Lizamoon SQL injection attack because of "intense media attention," but considers the danger of infection from the attack to be extremely low.


So while we see alarming news, it's always a good thing to check the facts before you start to worry.

Monday, April 4, 2011

Data Theft Expected to Lead to Targeted Phishing

You'd pretty much have to not be part of the digital age to have missed this weekend's news that Epsilon, an email marketing firm, was compromised, and that mailing lists from well-known companies like Tivo, JP Morgan Chase, Capital One, Best Buy and others were stolen. While only names and email addresses were in the stolen data, there are already predictions that this stolen information will lead to targeted phishing attacks looking for more personal information that could be used for more harmful activities like identity theft.

So, no surprise: be wary of emails from the organizations you know were compromised in this attack, and don't send out any personal information, especially not over email and not on websites you haven't verified. Verifying a site means checking that it's not an obfuscated URL (e.g. bestbuy.xyz.com instead of bestbuy.com), and checking the SSL certificate you get from the site (when connecting over HTTPS, which you should be doing before you give out any sensitive information) to make sure it's really issued for the site you're visiting and verified by a CA (certificate authority).
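As an added example, not code from this blog or from Blue Coat, here is a small Python check for the two things that paragraph asks you to verify by eye: that the host in a link really belongs to the expected domain (catching the bestbuy.xyz.com lookalike, and the userinfo decoy bestbuy.com@evil.example, where evil.example is a constructed placeholder), and that the TLS connection actually verifies the certificate against a CA and matches the hostname. It compares whole DNS labels rather than doing a substring match; the sample links are constructed.

```python
import ssl
from typing import Optional
from urllib.parse import urlsplit


def hostname_of(url: str) -> Optional[str]:
    """Return the lowercase hostname of a URL, or None if it cannot be parsed.

    urlsplit() already strips userinfo, so for "https://bestbuy.com@evil.example/"
    the hostname is "evil.example": the brand name before '@' is only a decoy.
    """
    try:
        host = urlsplit(url).hostname
    except ValueError:
        return None
    return host.lower().rstrip(".") if host else None


def belongs_to_domain(host: str, expected_domain: str) -> bool:
    """True only if host equals expected_domain or is a real subdomain of it.

    Whole DNS labels are compared, so "bestbuy.xyz.com", "bestbuy.com.evil.example"
    and "notbestbuy.com" all fail while "www.bestbuy.com" passes. A naive
    substring test ('bestbuy.com' in host) would accept the first two.
    """
    host_labels = host.lower().rstrip(".").split(".")
    expected_labels = expected_domain.lower().rstrip(".").split(".")
    if len(host_labels) < len(expected_labels):
        return False
    return host_labels[-len(expected_labels):] == expected_labels


def check_link(url: str, expected_domain: str) -> str:
    """Classify a link from an email before anything sensitive is typed into it."""
    host = hostname_of(url)
    if host is None:
        return "reject: unparseable URL"
    if not belongs_to_domain(host, expected_domain):
        return f"reject: {host} is not under {expected_domain}"
    if urlsplit(url).scheme.lower() != "https":
        return f"warn: {host} is genuine but the link is not HTTPS"
    return "ok"


def verifying_tls_context() -> ssl.SSLContext:
    """A context that checks the certificate chain against the system CA store and
    that the certificate's name matches the host being connected to; this is what
    "verified by a CA" means in code. Both checks are already the defaults of
    create_default_context(); they are set explicitly here so the intent is visible.
    Pass the result to http.client.HTTPSConnection(host, context=ctx)."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


# Constructed sample links, of the kind a targeted phishing mail might carry.
SAMPLE_LINKS = [
    "https://www.bestbuy.com/account",         # genuine subdomain
    "https://bestbuy.xyz.com/login",           # the lookalike from the post
    "https://bestbuy.com@evil.example/login",  # userinfo decoy (constructed host)
    "http://bestbuy.com/login",                # right host, but no TLS
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(f"{link:45} {check_link(link, 'bestbuy.com')}")
```

The label comparison is the part people get wrong: a check like `"bestbuy.com" in host` passes both bestbuy.com.evil.example and notbestbuy.com, while the suffix-of-labels test rejects both. The same host check applies to the certificate's subject name, which is exactly what `check_hostname` does for you once the context above is used.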

If all that's too much to remember, then also make sure you're using a secure web gateway or proxy that identifies and blocks phishing sites, especially one that can do this in real time as new sites come online.

Wednesday, March 30, 2011

Employee leaks are most significant data threat

McAfee has a new survey out that found the most significant threat to businesses is data leaked accidentally or intentionally by employees. The survey also found that companies were reluctant to report data breaches because of the impact on their reputation, and 1 in 10 said they would not report a breach unless legally required to (as in California).

The threat from data leakage is one that's been around for a while, but it is probably even more prevalent now that the web is such a ubiquitous tool in most organizations. Many employees don't think twice about using the web as part of their day-to-day operations.

The question is how an organization protects itself from this threat while still providing access to the web. The answer, of course, is the web proxy. It serves the important purpose of protecting web surfers from malware coming in from the web, but it can also monitor outbound data to the web, to help prevent accidental or intentional data leakage. Many DLP vendors integrate with the proxy through ICAP, so there's no reason you can't have an easy-to-deploy DLP solution in your network today.
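As an added example, not code from this blog, from Blue Coat or from any DLP vendor, here is a Python sketch of both halves of that integration: the ICAP REQMOD framing (RFC 3507) a proxy uses to hand an outbound HTTP request to a DLP server, and a minimal DLP check on the DLP side that blocks the request when the body carries a Luhn-valid payment-card number and lets everything else through with a 204. The hostnames dlp.example and pastesite.example, the sample POST and the card number 4111 1111 1111 1111 are constructed test data.

```python
import re

# --- Content inspection: what the DLP engine does with an outbound request body ---

def luhn_ok(digits: str) -> bool:
    """Luhn checksum; separates real payment-card numbers from arbitrary digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")   # 13-19 digits, optional space/dash groups

def find_card_numbers(text: str) -> list:
    """Return the card-like numbers in text that also pass the Luhn check."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits

def dlp_verdict(http_body: bytes) -> str:
    """'block' if the outbound body carries a payment-card number, else 'allow'."""
    return "block" if find_card_numbers(http_body.decode("utf-8", "replace")) else "allow"

# --- ICAP framing: how the proxy hands the request to the DLP server (RFC 3507 REQMOD) ---

def build_icap_reqmod(http_headers: bytes, http_body: bytes, icap_host: str = "dlp.example") -> bytes:
    """Wrap an outbound HTTP request in an ICAP REQMOD message.

    The Encapsulated header gives the byte offset of each section: the HTTP
    request headers start at 0 and the chunked body at len(http_headers);
    null-body is used when the request has no body.
    """
    if http_body:
        encapsulated = f"req-hdr=0, req-body={len(http_headers)}"
        payload = http_headers + b"%x\r\n%s\r\n0\r\n\r\n" % (len(http_body), http_body)
    else:
        encapsulated = f"req-hdr=0, null-body={len(http_headers)}"
        payload = http_headers
    icap_head = (f"REQMOD icap://{icap_host}/reqmod ICAP/1.0\r\n"
                 f"Host: {icap_host}\r\n"
                 "Allow: 204\r\n"               # proxy accepts "204 No Content" = unmodified
                 f"Encapsulated: {encapsulated}\r\n\r\n").encode()
    return icap_head + payload

def parse_icap_reqmod(message: bytes) -> tuple:
    """DLP-server side: recover (http_headers, http_body) from the Encapsulated offsets."""
    icap_head, _, rest = message.partition(b"\r\n\r\n")
    enc = dict(part.strip().split("=")
               for line in icap_head.decode().split("\r\n")
               if line.lower().startswith("encapsulated:")
               for part in line.split(":", 1)[1].split(","))
    hdr_len = int(enc.get("req-body", enc.get("null-body")))
    http_headers, chunked, body = rest[:hdr_len], rest[hdr_len:], b""
    while chunked:                              # decode the chunked body
        size_line, _, chunked = chunked.partition(b"\r\n")
        size = int(size_line, 16)
        if size == 0:
            break
        body += chunked[:size]
        chunked = chunked[size + 2:]            # skip the chunk's trailing CRLF
    return http_headers, body

def icap_response(verdict: str) -> bytes:
    """DLP server's answer: 204 passes the request through unmodified; a block
    returns an HTTP 403 inside the ICAP response, which the proxy shows the user."""
    if verdict == "allow":
        return b"ICAP/1.0 204 No Content\r\n\r\n"
    body = b"Blocked by DLP policy.\r\n"
    http_res = (b"HTTP/1.1 403 Forbidden\r\nContent-Type: text/plain\r\n"
                b"Content-Length: %d\r\n\r\n" % len(body))
    return (b"ICAP/1.0 200 OK\r\nEncapsulated: res-hdr=0, res-body=%d\r\n\r\n" % len(http_res)
            + http_res + b"%x\r\n%s\r\n0\r\n\r\n" % (len(body), body))

def inspect(http_headers: bytes, http_body: bytes) -> str:
    """End to end: the proxy frames the request, the DLP server parses it and decides."""
    _, body = parse_icap_reqmod(build_icap_reqmod(http_headers, http_body))
    return dlp_verdict(body)

# Constructed sample: an employee pasting a customer record into an external web form.
SAMPLE_BODY = b"customer=J. Doe&card=4111 1111 1111 1111&order=1234567890123456"
SAMPLE_HEADERS = (b"POST /upload HTTP/1.1\r\nHost: pastesite.example\r\n"
                  b"Content-Type: text/plain\r\nContent-Length: %d\r\n\r\n" % len(SAMPLE_BODY))

if __name__ == "__main__":
    verdict = inspect(SAMPLE_HEADERS, SAMPLE_BODY)
    print(verdict)                              # "block": the card number is Luhn-valid, the order number is not
    print(icap_response(verdict).decode())
```

The point of the Luhn step is false-positive control: the 16-digit order number in the sample fails the checksum and is ignored, so the policy fires on the card number alone. A real DLP engine adds many more detectors and file-type handling, but the proxy-side contract stays the same: the proxy only needs to speak ICAP, which is why swapping DLP vendors behind a proxy is cheap.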

Tuesday, March 29, 2011

McAfee's Website Full of Security Holes

TechEYE.net is reporting that McAfee's corporate website is riddled with vulnerabilities. It must be a bit of an embarrassment for McAfee and new owner Intel that the YGN Ethical Hacker Group reported the McAfee website is full of security mistakes that could lead to cross-site scripting and other attacks. These holes were reported to McAfee last month.

From the TechEYE.net article:

In addition to cross-site scripting, YGN discovered numerous information disclosure holes with the site including seeing an internal hostname and finding 18 source code disclosures.
The bit of the site that could be used for XC scripting attack hosted some of McAfee's files for downloading software.
If only there were some software which could scan a site to detect such errors.
McAfee peddles a McAfee Secure service to enterprises to make sure their customer-facing websites are secure. McAfee Secure scans a website daily for "thousands of hacker vulnerabilities" and if a site gets McAfee's "high standard of security," then users of McAfee anti-malware products see a "McAfee Secure" label in their browsers.
The security product claims to test for personal information access, links to dangerous sites, phishing, and other embedded malicious dangers that a website might unknowingly be hosting.


Apparently problems with security on McAfee's website aren't new.

Actually McAfee's website is regularly found to be lacking in security. In 2008 it was found to be suffering from cross-site scripting (XSS) errors by security outfit XSSed.
In 2009, a white-hat hacker going by Methodman published proof-of-concept attacks against websites kc.mcafee.com and mcafeerebates.com, and in April 2010, the McAfee.com community forums were defaced via an XC scripting attack.


One certainly hopes McAfee puts more security into its products than it does into its website.

Monday, March 28, 2011

Why Isn't Endpoint Security Enough?

Just this week someone posed the question on Yahoo Answers of whether endpoint security was really enough, and why a web security proxy was even needed. It's surprising to me how many people still think that end-point security is enough in this day and age. With web attacks being the primary vehicle for malware and spyware today, you'd think more IT administrators would want to be proactive about their defenses against threats from the web.

While end-point security is one layer of security against web threats, it shouldn't be the only layer of defense. Why not? Well, the answer is rather simple: would you trust your end-user to do the right thing? What I mean by that is, do you trust your end-users to keep their end-point security up to date, with the latest patches, and to download the latest definitions regularly? On top of that, are you sure your end-users haven't found a way to disable their end-point security because they found it annoyingly slow, because it blocked sites they wanted to visit, or for some other seemingly benign reason?

If you think your end-users are well-behaved, then I'm sure you're in the minority. For the rest of us, the web security proxy adds another layer of defense for the paranoid IT administrator. It also provides some additional security layers that aren't typically found in end-point security software. Some proxy vendors offer real-time category ratings, cloud-based sharing of information on the latest threats, and the ability to scan all downloads for malware and spyware.

Many even let you pick the vendor whose anti-virus and anti-malware software you're going to run on the proxy, enabling the IT administrator to select a different vendor than the one used on the end-point security client. This makes sure you've really got an added layer of defense, so that when one vendor misses malware, you've at least got a chance that the other vendor will catch it.

All these are good reasons to have a secure web proxy, even when you've got end-point security.