Welcome to the Proxy Update, your source of news and information on Proxies and their role in network security.

Thursday, July 22, 2010

Fake femme fatale shows social network risks

From: Fake femme fatale shows social network risks

By Jaikumar Vijayan, Computerworld
July 22, 2010 06:22 AM ET

Hundreds of people in the information security, military and intelligence fields recently found themselves with egg on their faces after sharing personal information with a fictitious Navy cyberthreat analyst named "Robin Sage," whose profile on prominent social networking sites was created by a security researcher to illustrate the risks of social networking.

In a conversation with Computerworld, Thomas Ryan, co-founder of Provide Security, said he used a few photos to portray the fictional Sage on Facebook, LinkedIn and Twitter as an attractive, somewhat flirty cybergeek, with degrees from MIT and a prestigious prep school in New Hampshire. Then he established connections with some 300 men and women from the U.S. military, intelligence agencies, information security companies and government contractors.

The goal, said Ryan, was to determine how effective social networking sites can be in conducting covert intelligence-gathering activities.

Despite some patently obvious red flags -- such as noting that the 25-year-old Sage had worked professionally for 10 years -- the scheme worked. The connections to Sage, who was depicted as a real-life Abby Scuito, a fictional character in CBS's NCIS television series, were established in less than a month. Many friends freely shared personal information and photos, invited the fictional threat analyst to conferences and asked her to review documents. Some "friends" at major companies, including Google and Lockheed Martin, even expressed interest in hiring her, he noted.

A security researcher created a fake online profile for a fictional cyberthreat analyst named "Robin Sage."

Had Sage really been a foreign agent, she would have had access to a lot of very useful information, said Ryan, who is scheduled to present his findings next week at the BlackHat security conference in Las Vegas. Excerpts from his interview with Computerworld follow:

What prompted you to conduct the experiment? One of the biggest drivers was all the talk about cyberwarfare and cyberespionage -- and what's real and what's not real. I wanted to see how much intel you could gather from a person just by lurking on a social networking site. I [also] wanted to see who was most susceptible to clicking. I wanted to see how fast this thing would propagate. One of the things I found was that MIT and St. Paul's [prep school] were very cliquey. If they don't remember seeing you, they are not going to click. You had less of a chance of penetrating those groups than the actual intel and security communities.

How many connections and friends did Robin Sage make? On Facebook, 226; on LinkedIn, 206; and on Twitter, 204. The connections on Facebook were security and military, LinkedIn was mainly security and intel, and Twitter was mostly hackers.

Did Sage mostly seek out these friends, or were they more likely to make the first move? It was a combination of both. I did approach a few people, [mostly] from the security industry. They had the most connections. They are the speakers, the ones that are always sociable.

What type of information can one get through such connections? Pretty much everything. I had access to e-mail and bank accounts. I saw patterns in the kind of friends they had. The LinkedIn profiles would show patterns of new business relationships.

Why do you think Sage was so successful at making new connections? Because she was an attractive girl. It definitely had to do with looks.

Were most of the connections male? It wasn't all men. The male versus female split was 82% to 18%. The highest number of women were from the intelligence community. The only women who were there from the security community were people promoting conferences and stuff like that.

Do you think a fictional male character would have been as successful in attracting "friends"? It depends on who the male was and how he was portrayed.

What did Facebook do when they discovered what was going on? Facebook shut down the Robin page and my personal page. They said, due to security reasons, I am not allowed to use Facebook again. LinkedIn just deleted the Robin account but [a cached version] is still there on Google.

What's the takeaway from the experiment? The big takeaway is not to friend anybody unless you really know who they are. The same tactic was used to infiltrate a secret Israeli base. The people on the base were the only ones on a private Facebook page. Somebody was able to gain access to it and gather intel on the base.

Anything else? I was never able to friend anyone from the CIA or the FBI. I tried. It just didn't work. Toward the end of the experiment, there was this massive influx of Arabs from overseas that were trying to get on the Robin page where all the military stuff was. I didn't really care for it. That was a bit scary.

Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan, or subscribe to Jaikumar's RSS feed. His e-mail address is jvijayan@computerworld.com.

Monday, July 19, 2010

Latest News from ScanSafe Puts It In Direct Competition With Ironport

Strangely enough, a new security report from ScanSafe talks about compromised legitimate sites that are now hosting redirectors for phishing scams (purportedly trying to look like Bank of America), so the scams can bypass reputation filters: the URL a victim clicks sits on a site with a good reputation, and the redirect carries them on to the phishing page.

Both ScanSafe and Ironport are of course owned by Cisco, so it's interesting to see ScanSafe put down a technology that Ironport talks up as one of their strengths.

The fact that reputable sites can get compromised has always been a reason to avoid reputation filters for web security. Reputation may work well for email security, but it just doesn't translate to web security in the same way.
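To show why the redirector trick defeats a reputation-only filter, here is a small added example of my own (not code from ScanSafe, Ironport or the report). It compares a filter that judges only the host of the requested URL against one that follows the redirect chain and judges every hop. All hosts, reputation scores and redirect hops are constructed sample data; the redirect map stands in for the HTTP 30x responses a real proxy would see.

```python
"""Reputation-only vs. redirect-chain-aware web filtering (added example).

Everything below is constructed sample data for the demonstration:
the hosts, the reputation scores and the redirect hops are invented.
"""
from typing import List, Tuple
from urllib.parse import urlparse

# Constructed reputation table: 0..100, higher is more trusted.
REPUTATION = {
    "news.example-paper.com": 92,   # long-standing, well-linked site (constructed)
    "cdn.example-paper.com": 88,    # its static-content host (constructed)
    "login.example-bank.com": 95,   # the bank's real login host (constructed)
}
UNKNOWN_REPUTATION = 20             # default for hosts never seen before
ALLOW_THRESHOLD = 60
MAX_HOPS = 10

# Constructed redirect map standing in for HTTP 301/302 responses: a
# compromised page on the reputable site bounces the visitor onward.
REDIRECTS = {
    "http://news.example-paper.com/archive/story.php":
        "http://cdn.example-paper.com/r?x=1",
    "http://cdn.example-paper.com/r?x=1":
        "http://examplebank-secure-login.info/verify",
}


def host_of(url: str) -> str:
    return urlparse(url).hostname or ""


def reputation_only_verdict(url: str) -> str:
    """The decision a reputation filter makes from the clicked URL alone."""
    score = REPUTATION.get(host_of(url), UNKNOWN_REPUTATION)
    return "allow" if score >= ALLOW_THRESHOLD else "block"


def follow_chain(url: str) -> List[str]:
    """Resolve the simulated redirect chain, stopping on loops or too many hops."""
    chain = [url]
    seen = {url}
    while url in REDIRECTS and len(chain) <= MAX_HOPS:
        url = REDIRECTS[url]
        if url in seen:
            break  # redirect loop: judge the hops collected so far
        seen.add(url)
        chain.append(url)
    return chain


def looks_like_brand_spoof(host: str,
                           brand_tokens=("examplebank", "example-bank")) -> bool:
    """Heuristic: a brand name embedded in a host that is not the brand's own."""
    h = host.lower()
    return any(token in h for token in brand_tokens) and h not in REPUTATION


def chain_aware_verdict(url: str) -> Tuple[str, List[str]]:
    """Judge every hop; a bad landing host blocks the whole request."""
    chain = follow_chain(url)
    for hop in chain:
        host = host_of(hop)
        score = REPUTATION.get(host, UNKNOWN_REPUTATION)
        if score < ALLOW_THRESHOLD or looks_like_brand_spoof(host):
            return "block", chain
    return "allow", chain


if __name__ == "__main__":
    clicked = "http://news.example-paper.com/archive/story.php"
    print("reputation only :", reputation_only_verdict(clicked))
    verdict, hops = chain_aware_verdict(clicked)
    print("chain aware     :", verdict)
    for hop in hops:
        print("   ->", hop)
```

The reputation-only filter allows the click because the first host scores 92; the chain-aware filter blocks it because the third hop lands on an unknown host that also embeds the bank's brand name. The point is the one the post makes: a good reputation score for the first hop says nothing about where the visitor ends up, so a web filter has to look at the destination (or the content) rather than trusting the domain.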

Friday, July 16, 2010

Cybercriminals Increase Effectiveness with Multi-stage Attacks

From: http://finance.yahoo.com/news/Cybercriminals-Increase-bw-3831469612.html?x=0&.v=1

Commtouch® (Nasdaq:CTCH) today released its Internet Threats Trend Report for Q2 2010 and video highlights from the report.

Cybercriminals have been increasing the effectiveness of their individual outreach by creating multi-stage, also known as blended, attacks, which combine messaging and Web elements. They use email or search engine results to lure victims to sites hosting spam advertising, malware, or phishing. The Q2 report analyzes the many methods fraudsters, malware distributors and spammers use to inspire their victims to action, such as leveraging trusted brands like Apple and Google; holidays, such as Mother’s Day; or current events, for example, the Football World Cup.

During Q2, Gmail and Yahoo kept the top spots as far as spoofed domains for email distribution, but they have been joined in the top six by Twitter. The Twitter domain was faked in a widespread mailing designed to lure users to a “password reset” Web page that contained malware.

Commtouch’s quarterly trend report is based on the analysis of more than two billion email messages daily, as well as the GlobalView™ URL database, within the company’s cloud-based GlobalView Network.

Other highlights from the Q2 Trend Report include:

* Spam levels averaged 82% of all email traffic throughout the quarter, bottoming out at 71% at the start of May and peaking at nearly 92% near the end of June. These numbers are slightly lower than those detected in Q1 and equate to an average of 179 billion spam messages per day.
* Pharmacy spam retained the top spot with 64 percent of all spam.
* An average of 307,000 zombies were activated daily to inflict malicious activity, representing a slight increase over the prior quarter.
* India has surpassed Brazil for the title of the country with the most zombies (13 percent of the world’s total).
* TDSS.17 was the most widely distributed email-borne virus, but the Mal/Bredo malware had the most variants - over 1800 (more than double the variants of Q1).
* Pornography remains the Web site category most infected with malware.
* In the Web 2.0 sphere of user-generated content, streaming media/downloads is the most popular topic for blog creators.

"Cybercriminals have been forced to change their techniques to evade improved detection technology," said Asaf Greiner, Commtouch vice president, products. "Complex multi-stage attacks with improved social engineering are proving to be the preferred technique."

Commtouch Recurrent Pattern Detection™ and GlobalView technologies identify and block messaging and Web security threats, including increasingly malicious malware and phishing outbreaks. More details, including samples and statistics, are available in the Commtouch Q2 2010 Internet Threats Trend Report, available at http://www.commtouch.com/download/1753, with video highlights available at http://www.commtouch.com/trend-report-video-q2.

NOTE: Reported global spam levels are based on Internet email traffic as measured from unfiltered data streams, not including internal corporate traffic. Therefore global spam levels will differ from the quantities reaching end user inboxes, due to several possible layers of filtering.

Thursday, July 15, 2010

Finjan sues McAfee, Symantec over patent claims

From: http://www.computerworld.com/s/article/9179184/Finjan_sues_McAfee_Symantec_over_patent_claims

Finjan has sued five rival security companies, including Symantec and McAfee, claiming it holds crucial patents used by popular antivirus products and security services.

The lawsuit was filed Monday in the U.S. District Court for the District of Delaware. Also named are Webroot Software, Websense and Sophos.

Finjan alleges that flagship products from these companies violate two patents that Finjan has held for about a decade. Formerly a technology vendor itself, Finjan sold most of its assets last November to another security company, M86, but held onto its patent portfolio, which it is now trying to turn into a moneymaker. Finjan owns about a dozen patents, all related to computer security.

In 2008, Finjan won a jury verdict against Secure Computing (now owned by McAfee), awarding it damages for patent infringement by Secure Computing's Webwasher and CyberGuard TSP software. Jurors awarded Finjan US$9.2 million in damages, but a federal judge later increased that award to $13.8 million.

Monday's lawsuit involves one of the patents covered in the Secure Computing case that relates to network-based virus protection. It also names a second patent, a "system and method for protecting a client during runtime from hostile downloadables," that covers Finjan's desktop antivirus claims.

The company asked the court to award unspecified financial damages and an injunction preventing the companies from selling their products, which include McAfee's Web Gateway and VirusScan software, and Symantec's Brightmail Gateway and Norton Antivirus.

Symantec and McAfee declined to comment on the suit. Webroot, Websense and Sophos (which was acquired by Apax Partners in May) could not immediately be reached for comment.