Top 10 Ways Computer Security Will Improve in 2010 (Not!)


Things will change: Wishful thinking in 2010?

A satirical approach to security in 2010

1. More budget allocated for IT security spending

Even though many countries are starting to pull out of the recession, don’t think it will be a bumper year for IT security budgets. You may notice an increase in overall IT spending but come the first bump, IT security projects will be the first to get the chop.

2. Management grasps the concept of an ever-evolving security landscape

The media has been awash with security stories this year but that doesn’t mean that management will be aware of the changing security landscape. Unless they’ve been hit themselves (and hard) many in management will still think that solutions other than anti-virus and anti-spam are a waste of money. The ‘it won’t happen to me’ syndrome will strike again.

3. Employees boost productivity, forsake non-work related browsing

If only. There are too many online distractions for employees these days. Social networking sites, news, entertainment, adult material are just too much of an attraction to ignore. How else are employees supposed to pass the time at the office? If you’re looking to boost productivity, you better have the means to control what your employees are doing online!

4. Security policies are understood and adhered to without enforcement

And they will be asking for monthly updates (sic). Security policies are there to be ignored (like most laws) and employees will only huff and puff when you mention them. How dare you tell them what type of password to use or that they cannot buy stuff from eBay? Putting your trust and faith in a compliant and accepting workforce next year will only create more problems – especially when security is at stake.

5. Employees will not lose their laptops, USB sticks or hard drives

If the statistics are anything to go by, you had better make sure all your external and portable devices have decent encryption on them and you know exactly what data is being copied. Apart from those with malicious intentions, most employees are just negligent with items that are not theirs… and it is so easy to forget a laptop in the car while they pop into the convenience store. Why they would need to take a USB stick with them to the pub for a pint (and leave it there) is beyond reason… but it happens. So you are forewarned.

6. All suspicious links, emails or web activity are reported immediately

No way. Employees will continue to use IT with little regard for security. They will still click on links in emails or on websites without stopping to think how their actions could compromise security. And if something bad happens, you’ll get the standard response ‘I have no clue how that happened’. The only immediacy you’ll see is a request for help when their Internet connection is down or their email is not working. As if they’ll tell you that they have downloaded a couple of games from a warez site or something funny happened when they connected a USB stick someone gave them.

7. Employees will not fall for social engineering or phishing attacks

Hope lives eternal… but you’re in for a long wait. Too much trust and an element of scaremongering are the main factors why people fall for social engineering tricks. Unfortunately, employees tend to act and then think after they did something. If it’s any consolation even C-level individuals are known to slip up more than once. Hopefully, it won’t happen in your own backyard.

8. Huge decrease in software patches released

Now wouldn’t that make a lot of people happy? Yes, but it won’t be the case in 2010. Products and platforms are more stable nowadays but don’t bet your last dime on a year of fewer exploits and even less frequent Patch ***days (choose relevant day/s of the week).

9. Spam will fall to manageable levels

Spammers will not become an extinct breed in 2010. With spam holding its ground at around 90% of all email, it will take a miracle to drop that percentage down to anything remotely acceptable. The spamming community and their army of botnets will continue sending out spam and more spam. Be prepared for some new nasties in the New Year.

10. Your dreams will come true

Not. If you really are confident that these dreams will materialize, your optimism abounds. While all may sound doom and gloom there will always be a flickering light at the end of the tunnel. It’s just going to take a bit longer to get there and a lot more hard work.

Contributed by David Kelleher of GFI

The Year in Malware–A 2009 Review


Cyber thieves are constantly adapting their techniques to get inside of users’ computers, and to ultimately get hold of private or secure information. This year has been no different. To help computer users make sense of what the past year has brought in terms of online security, Andrew Browne, team leader at Malware Labs at the online security company Lavasoft, answers questions on the state of malware in 2009, and what it means for users’ online security.

In general, what type of year has 2009 been in terms of online threats that users are faced with?

The number of malware samples added to Ad-Aware’s threat database in Q1/Q2 of 2009 has increased by 600 percent compared to Q1/Q2 of 2008. The bad guys have been busy.

What was the biggest challenge that the bad guys presented this past year?

The sheer volume of malware being produced has been the biggest challenge for us – many samples are repackaged versions of the same thing so we have worked hard on making efficient detection routines for ‘same but different’ malware.

Malware writers, rather than simply releasing one version of their creation into the wild, will make changes to the malware so that while the functionality of it remains the same, it looks like a different file. They then release thousands of essentially the same file into the Internet. Our new detection system in Ad-Aware, Genotype, allows us to look at core attributes of this series of malware – we then create detection routines that allow us to detect all of the files that share the same core attributes.

LN: What about what home users are seeing as they browse the Web – has Malware Labs identified any trends in 2009?

Unsuspecting users eager for more information on breaking news and current events have been more likely than ever to encounter a booby trapped website via search engine results poisoned by blackhat SEO (search engine optimization) techniques, spam e-mail or social networking sites.

In order to increase numbers of potential victims, malware distribution has, on occasion, crept onto well known legitimate sites in the form of advertising banners that contain malicious code. Criminals have audaciously impersonated advertising representatives from large companies in order to plant malicious adverts on these high profile sites. The sheer number of visitors to sites like The New York Times, which was affected by a malicious advert this year, means that it is certainly profitable for criminals to go to such unusual lengths.

LN: There’s a lot that computer users need to be aware of when it comes to their online security. What do you see as the most significant security challenge to home users this past year – and what can be done about it?

Recognizing vulnerable, unpatched applications on their PC. Ongoing efforts to raise consciousness about the importance of applying operating system patches are making ground. Conficker gained much media attention this year with many of the reports relating an unusually high level of information, highlighting the vulnerability in the Microsoft Windows Server Service (MS08-067) and advising users to apply the patch available for it from Windows Update.

Users have begun to appreciate the need for operating system patching but are probably less aware of the need to apply security updates to applications on the operating system. There is still some work to be done on the part of software publishers. Patches fixing application vulnerabilities are typically slow to appear and when they do appear, it is not always clear to the user that a patch or update is available and that action should be taken.

The latest versions of the Firefox browser will warn users if their version of the Adobe Flash Player plug-in is out-of-date and recommend updating it. Mozilla, publishers of Firefox, plan to work with other vendors to provide similar checks for their plug-ins. This is a big step forward in alerting users that it’s not only the operating system that should be kept up to date with the latest patches.

To home users, I would recommend checking out Secunia’s free Personal Software Inspector application which can help identify which applications on their machine are out of date and have patches or updates available for them.

Contributed by Erin Earley, editor of Lavasoft News, the anti-malware pioneer’s educational industry newsletter, has written extensively about computer security issues and the risks that affect computer

Taking Steps to Protect the Network on Cyber Monday


Cyber Monday is coming soon – many SMBs aren’t protected from the threats posed by employees shopping online from work.

Online holiday season retail sales grew 12 percent (Forrester Research Inc.) last year and much of this was done by employees using company computers in the workplace. Last year, 55.8 percent of workers with Internet access said they planned to shop online on Cyber Monday (National Retail Federation). This year does not look like it will be any different with over 40 percent of online shoppers stating they shop online because of the ability to shop at any hour of the day (Shop.org). Further, some say they shop online because of the new websites and tools that are springing up to help consumers locate the bargains they want (MarketingVox).

According to a study published by ISACA, a nonprofit association of IT professionals, the most prolific shoppers are those in the 18-24 age bracket, as 40 percent of those in this bracket said they will spend up to five hours doing online shopping from their desks. Ironically, this group is also typically the least concerned about the security of their work PCs.

“The fact that so many plan to do holiday shopping from their work computers, combined with their lack of concern for how secure their computers are, points to an urgent need for employers to pay closer attention to what employees are doing online during office hours and to educate employees to be careful what sites they are visiting and what files they are downloading”, says David Kelleher at GFI Software.

According to a recent GFI survey of small-medium businesses (SMBs), only 9 percent said they are concerned about internal threats and only 36 percent monitor employee browsing activity. There are two points that merit discussion. First, companies are still ignoring the fact that employees are the weakest link in security and that their actions can cause serious problems. Second, if so much time is spent shopping online during office hours, then that business has a productivity problem.

Businesses should be more concerned during the holiday season because an increase in online activity and browsing of non-work related websites is both a security risk and a business problem.

The following are some tips that can help businesses to improve both security and productivity.

  • Monitor users’ activity 24 x 7 – If your business is concerned that people are spending too much time online and downloading non-work related material, then you need to exert some form of control. Monitoring user activity will cut down on abuse while implementing web security measures will prevent malicious code from entering your network through irresponsible browsing. With proper measures in place, there is no harm in allowing employees to shop online during the lunch break, so long as you know what’s happening.
  • Acceptable usage policies – In small organizations, security policies are either non-existent or never enforced. Every organization should provide new employees with an acceptable usage policy that defines how they use corporate computers, what is acceptable in terms of Internet use and what is not tolerated nor accepted. Moreover, this document should be signed by the employee the day he or she joins. This will greatly reduce the risk of an employee who is dismissed for breach of the policy fighting back by saying that he or she was never told what they could or could not do.
  • Education – Explain to employees why they have to be careful when browsing the Internet. The usual ‘because I say so’ approach does not work with them. It only spurs them to bypass whatever the IT manager is telling them not to do. Employees are intelligent and will understand basic concepts of security especially when they can associate actions with the result it will have on their ability to do their job. Gaining an employee’s understanding is essential if an organization wants their cooperation. Even more so during this holiday season.
  • Everybody is a potential security threat – SMBs need to approach security without allowing emotions and friendship to interfere. Every employee, including the CEO, is a security risk. Employees need to understand that controls are there for good reason and not because the company doesn’t trust them. The IT manager is employed to ensure the network is as secure as possible; and if that means stepping on people’s toes, so be it.
  • Invest in technology – Security should not be considered an expense but a cost of doing business in an online age. It is also recommended that you invest in a security awareness program. Technology and awareness need to be managed together and not separately.

White Paper: Panda Cloud Protection

Small and medium businesses (SMB’s) face the same computer and network security threats as their enterprise counterparts; however, they don’t have the same resources available. Implementing effective security takes a combination of tools and skills. Both cost money and both must be maintained and upgraded over time.

Panda Security created the Cloud Protection solution to provide cost-effective enterprise-class security for SMB’s. Cloud Protection is a Software-as-a-Service (SaaS) solution hosted in the cloud, providing managed security while still allowing customers to administer and maintain control as well.

This white paper will explore the value of SaaS for delivering network and computer security for SMB’s. It will also provide a look under the hood at how Panda Cloud Protection works and whether or not it is a viable security solution.

*disclaimer – I was engaged by Panda Security to review the Panda Cloud Protection service and produce this white paper. I was compensated for my services, but compensation was in no way tied to a favorable opinion of the service. The white paper reflects my actual experiences with, and honest assessment of, the Panda Cloud Protection service.

You can download a PDF of the white paper here: Panda Cloud Protection

Facebook and Twitter Phishing Attacks

Social networking presents a paradox when it comes to security. The very premise of ‘social’ networking is to share news and information with friends, family, and like-minded individuals, but sharing too much information or being too trusting of those within your social sphere of influence can result in getting your system compromised or your identity stolen.

Facebook and Twitter have both been targeted recently by different attacks. The Facebook attack is more of an old-school style phishing attack. It is designed to look like it came from Facebook and it actually succeeds better than most phishing scam emails I have received.

The attacker is probably capitalizing on the recent modifications to the Facebook homepage to catch users off guard and convince them that changing login information is just another change being made. Both the ‘Update’ button and the link that says ‘Click here’ lead to some malicious destination and not to Facebook.


The Twitter phishing attack is a little more insidious because it attempts to leverage the social aspect of social networking to breach your trust. The Twitter phishing URL arrives via DM, or Direct Message. Unlike normal Twitter tweets that are public domain and can be searched and viewed by all, DM’s are private and can only be sent to you from a user that you follow. The very fact that you are following the person on Twitter implies at least some level of trust between you and that party.

The actual DM is relatively short, saying something to the effect of “ur on here http://twitter-videos…” with the URL being shortened or obfuscated in some way to hide the true URL. If you click on the URL you arrive at a page that looks identical to a Twitter login page. If you enter your credentials on this page you are giving them to the attacker who can then use your account to DM others who follow you and continue the web of phishing.

If you follow me on Twitter you may have received such a DM from me. I fell victim to this attack. Before you slap my wrists for the security oversight, I figured out the course of events and it serves as an additional warning for you.

See- I don’t really use Twitter. I use the service, and I use my Twitter account, but I don’t use the site. Ever. I use Tweetdeck. So, when I got the DM–from someone I trust–I clicked on the URL. When I saw the Twitter login page I didn’t think twice about entering my credentials because I knew I wasn’t logged in to Twitter. Had I been logged in to the Twitter site when I received the DM it would have seemed odd that it was asking me to log in *again*, but because of the way I interact with Twitter it didn’t concern me in the least.

Bottom line: I know it’s social networking and you’re using it to share with others and be social. Just remember that attackers are actively looking for ways to exploit the implicit trust you place in your social networking connections so always be skeptical and use some common sense.

Become a Fan, Win a 1Tb ioSafe Drive

ioSafe started a fan page on Facebook to provide a forum for users to share and discuss experiences with the ioSafe drives, and for ioSafe to be able to share news and updates related to the devices. To provide incentive for users to join the community on the Facebook page, ioSafe is running a contest to give away a 1Tb ioSafe drive.

The original target was 5,000 fans. ioSafe has discovered that driving membership to the Facebook page is easier said than done even if you’re giving away a 1Tb drive. So, the goal has been modified to 1,000 followers. Once the ioSafe Facebook page reaches 1,000 followers, ioSafe will select one lucky fan to win a 1Tb ioSafe drive- a drive that the ioSafe Facebook page says is “Like an aircraft black box for your data.”

There are currently about 500 followers. Go to the ioSafe fan page on Facebook and join to become a fan for a chance to win a 1 Tb ioSafe drive.

ioSafe posted the following rules for the contest on the Facebook page:

RULES:

  1. The judge’s decision is final. No bellyaching or petulant whining is permitted!
  2. The contest is open to real humans only. Dogs, cats, fish and discarnate entities on the astral plane are excluded.
  3. Should you not tell us your address within 14 days of us sending the notification that you’ve won, we’ll give the ioSafe to somebody else. If you think this is unfair, see clause #1.

Record-Setting Patch Tuesday from Microsoft and Adobe


Microsoft released 13 Security Bulletins today fixing 34 different flaws- a new record. Eight of the Security Bulletins (and subsequently 21 of the actual flaws) are rated as Critical by Microsoft. A couple of them have already been targeted as ‘zero-day exploits’ in the wild.

Check out the links in the October 2009 Microsoft Security Bulletins Summary to view the individual Microsoft Security Bulletins and to download any patches that might be required for your system. Microsoft will discuss the issues addressed in the Security Bulletins and field questions from users during a webcast which can also be viewed after the fact. You can also visit Windows Update to automatically determine what patches or updates your system needs.

Not to be outdone, Adobe also unleashed a barrage of security updates today. Adobe addressed 29 flaws in Adobe Acrobat and Acrobat Reader. Make sure you get your Adobe Reader patched so your system won’t be vulnerable to the inevitable attacks coming soon to a PC near you.

Check Point Giving Away Software in Patch Tuesday Promotion


This Tuesday is Patch Tuesday- the regularly scheduled day when Microsoft releases Security Bulletins for the month. According to the Advance Notification from Microsoft, this month is a doozy too! There are 13 total Security Bulletins planned for Tuesday: 8 Critical and 5 Important.

That is not the only computer security event coming up this Tuesday though. In ‘honor’ of Patch Tuesday, Check Point is offering ZoneAlarm Pro 2010 for free. The offer runs for 24 hours, beginning at 6am (the time zone isn’t specified- I am going to guess they mean Eastern time?) on Tuesday, October 13. During that timeframe you can visit www.zonealarm.com/only24hours to download a fully-licensed copy of ZoneAlarm Pro 2010 for free.

ZoneAlarm Pro 2010 is a firewall product that combines the popular ZoneAlarm firewall with an OSFirewall that monitors the operating system for changes and suspicious behavior. Check Point designed ZoneAlarm Pro 2010 to complement existing security controls and software to provide even better protection against malware and unauthorized access.

According to Check Point, ZoneAlarm Pro 2010 features include:

  • Advanced Download Protection technology that automatically checks and analyzes the programs a user wishes to download to determine if they are safe or malicious. 
  • Anti-phishing, both signature and heuristic based, to block more fraudulent sites. 
  • Free Identity Protection Services with daily credit report monitoring and Victim Recovery Services that help consumers recover quickly from identity theft.

I have been provided with a free copy of the software for review, but I have not yet installed it. When I do, I will post my review including my experiences with and thoughts about the software. If you download and install it, feel free to comment here and let us know what you think.

ZoneAlarm has an established reputation for providing superior personal firewall protection so it certainly seems worth at least downloading it to try it out. You’ve got nothing to lose– you can’t beat the price.

Cyber Crime and Cyber Justice


“Identity Theft Soars in 2009”

“Cyber Crime at Record Highs”

“Online Scammers Work Overtime in the Downturn”

These are the types of headlines that we see time and time again in the security news, reminders of the extent to which sophisticated online scammers are taking a toll on the safety and security of computer users around the world.

But there is another side of the spectrum that many users may not be completely aware of: law enforcement agencies around the world are working diligently to track the online scams and schemes plaguing the Internet, in order to find those responsible and bring them to justice.

Unfortunately, the Internet has made it easier for criminals to scam victims, as they work across borders, separated from those they are stealing from by countries or even continents. While investigators of cyber crimes do have additional challenges in tracking down criminals and bringing about positive change, progress is being made, both by regular law enforcement and by organizations – like the Computer Crime & Intellectual Property Section of the U.S. Department of Justice and the Department of Defense’s Cyber Crime Center – that work with other government agencies, the private sector, academic institutions and foreign governments to prevent, investigate and prosecute cyber crimes.

One of the most well-known law enforcement agencies in a full-fledged battle to track cyber criminals and bring them to justice is the U.S. Federal Bureau of Investigation (FBI). According to its website, the FBI’s cyber mission is “first and foremost, to stop those behind the most serious computer intrusions and the spread of malicious code.”

The FBI has several cyber operations, including a Cyber Division at FBI headquarters, specially trained cyber squads at 56 field offices across the United States, Cyber Action Teams that travel the world to assist in computer intrusion cases, 93 Computer Crimes Task Forces around the country, and growing partnerships with other federal agencies.

The FBI also established the Internet Crime Complaint Center (IC3), a joint effort with the National White Collar Crime Center, to serve as a clearinghouse to triage cyber complaints – then sending leads to federal or international law enforcement for further investigation. In any given month, the IC3 has an intake of roughly 20,000 complaints that are waded through to uncover patterns and go after the scammers.

“Bots. Worms. Viruses. Spyware. Hacking….Every day, criminals are invading countless homes and offices…not by breaking down windows and doors, but by breaking into laptops, personal computers, and wireless devices via hacks and bits of malicious code. The collective impact is staggering. Billions of dollars are lost every year repairing systems hit by such attacks. Some take down vital systems, disrupting and sometimes disabling the work of hospitals, banks, and 9-1-1 services…” according to the FBI’s website.

While investigators are experiencing an onslaught of cyber crime, justice does get served, and some of the “bad guys” of online crime are held responsible for their actions. One such accomplishment cited by the FBI was the guilty plea of John Schiefer, a California man who was prosecuted in 2008, in the first case of its kind in the nation, on federal charges related to his use of botnets. And, there have been other similar successes, shown in the compilation of news in the FBI’s Cyber Crime Headline Archives.

A major break came in late 2008, when the FBI, together with its global partners, wrapped up a two-year undercover cybercrime investigation of “Dark Market,” a message forum for online criminals where stolen information, as well as tools to facilitate online fraud, were bought and sold. The operation resulted in nearly 60 arrests worldwide, the prevention of $70 million in potential losses, and the FBI said, the confirmation that “while there might be honor among thieves, in the end, they are still just thieves.”

“It showed that we can get you no matter where you live. We were able to make internal relationships and work cases jointly with law enforcement in other countries. In the future there will be other joint cases in Europe and around the world. You don’t necessarily have to be in the U.S. for us to bring you to justice,” said FBI Special Agent J. Keith Mularski, whose undercover work was central to the sting operation, in an interview with CNET News.[1]

While there are undoubtedly positive steps being taken, cyber crime continues to be pervasive, as well as lucrative for online criminals. Working across borders to track the web of crime rings and finding global solutions to combat scams remains challenging for those trying to bring the perpetrators to justice.

“The bottom line is to make sure there are consequences for criminal cyber actions and similar consequences everywhere,” said Christopher Painter, Deputy Assistant Director of the FBI’s Cyber Division, at the International Conference on Cyber Security. The event was sponsored by the FBI in January 2009 to find global solutions to emerging threats, and brought in cyber experts and law enforcement officials from over 35 countries.[2]

“The bad guys need to know there is no free ride,” Painter said.

Contributed by Erin Earley at Lavasoft


[1] http://news.cnet.com/8301-1009_3-10234872-83.html

[2] http://www.fbi.gov/page2/jan09/fordham_011409.html

Beware What is Hiding Behind that Shortened URL

If you have ever tried to copy and paste a URL from a web site to share with a friend in an email you may have noticed that some of those suckers are LONG! They’re filled with coded gibberish that only makes sense or matters to the web server delivering the content to you. The explosion of Twitter– which limits messages to a maximum of 140 characters, URL included– has made the length of URL’s an even more relevant issue.

Fear not! Services like Bit.ly and TinyURL have sprung up to solve the problem. These services take whatever URL you throw at them and convert it to a much shorter alias URL. For example, I entered ‘http://www.tonybradley.com’ into Bit.ly and got the shortened URL ‘http://bit.ly/A5RCi’.

That works great for fitting the URL into Twitter, but it poses an issue from a security perspective. One of the simplest deterrents to malicious websites and phishing attacks is to simply look at the URL you are clicking on and apply an ounce of common sense. You can’t do that when the URL you are clicking on is a shortened alias of gibberish that has nothing to do with the actual destination web site.

For instance, if you receive an email allegedly from Customer Service at Bank of America and you actually have an account at Bank of America you might actually be tempted for a second to click on the link. But, when you see that the link in the email goes to ‘http://www.bankofamerica.com.sadisticattacker.is/Iplantotakeyourmoney’ you realize that the request is not legitimate.

But, when I take that exact same URL and enter it into Bit.ly I get ‘http://bit.ly/3nR6gq’. With a shortened URL like this one there is no way to tell just by looking at it whether it is legitimate or malicious.

Twitter users who use Tweetdeck have a security control to help out. Tweetdeck has a setting to ‘show preview information for short URL’s’. When you click on a short URL a pop-up window appears which displays the short URL, the real URL it leads to, and the title of the destination web page so you can make an informed decision about whether or not to follow through and visit the site.

That is great for Twitter users….at least those who use Tweetdeck. The rest of you are on your own though. Make sure you keep your system patched and updated and that you are running some type of antimalware protection on your PC just in case you click on the wrong URL. Think twice about the source of shortened URL’s and always remember Step #1 of the 5 Steps to Protect Yourself From Phishing Scams: BE SKEPTICAL!
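
For readers without a preview feature, here is an added example (not code from the original post) of the same check in Python: read where a short URL redirects before visiting it, then test whether the real host belongs to the site it claims to be. The same host test applies to the look-alike Twitter login page described in the phishing post above. The redirect table reuses the two Bit.ly aliases quoted in this post; the function names and the login.example host used in the test are assumptions made for illustration.

```python
"""Added example: expand a short URL one hop at a time and vet the real host."""
import http.client
from urllib.parse import urljoin, urlsplit

REDIRECT_CODES = (301, 302, 303, 307, 308)


def host_belongs_to(url, expected_domain):
    """True only if the URL's host is expected_domain or a subdomain of it.

    The comparison is anchored at the right-hand end of the host name, so a
    brand name used as a left-hand label or as userinfo does not match.
    """
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    expected = expected_domain.lower().rstrip(".")
    return host == expected or host.endswith("." + expected)


def head_location(url, timeout=5):
    """Send a single HEAD request; return the Location header or None.

    Only response headers are read; no page body is downloaded or rendered.
    """
    parts = urlsplit(url)
    if parts.scheme == "https":
        conn = http.client.HTTPSConnection(parts.hostname, parts.port, timeout=timeout)
    else:
        conn = http.client.HTTPConnection(parts.hostname, parts.port, timeout=timeout)
    try:
        target = parts.path or "/"
        if parts.query:
            target += "?" + parts.query
        conn.request("HEAD", target)
        response = conn.getresponse()
        if response.status in REDIRECT_CODES:
            return response.getheader("Location")
        return None
    finally:
        conn.close()


def expand(url, fetch=head_location, max_hops=5):
    """Return the redirect chain [short_url, ..., final_url].

    `fetch` maps a URL to its redirect target (or None); it is injectable so
    the logic can be exercised offline. Loops and long chains are refused.
    """
    chain = [url]
    for _ in range(max_hops + 1):
        location = fetch(chain[-1])
        if not location:
            return chain
        next_url = urljoin(chain[-1], location)  # Location may be relative
        if next_url in chain:
            raise ValueError("redirect loop at " + next_url)
        chain.append(next_url)
    raise ValueError("more than %d redirects" % max_hops)


def assess(short_url, expected_domain, fetch=head_location):
    """Expand short_url and report whether it ends on expected_domain."""
    chain = expand(short_url, fetch)
    return {
        "final_url": chain[-1],
        "hops": len(chain) - 1,
        "trusted": host_belongs_to(chain[-1], expected_domain),
    }


# Offline stand-in for the network: the two alias/destination pairs quoted in
# the post. Using dict.get as `fetch` returns None for any other URL.
SAMPLE_REDIRECTS = {
    "http://bit.ly/A5RCi": "http://www.tonybradley.com",
    "http://bit.ly/3nR6gq":
        "http://www.bankofamerica.com.sadisticattacker.is/Iplantotakeyourmoney",
}

if __name__ == "__main__":
    for alias, claimed in (("http://bit.ly/A5RCi", "tonybradley.com"),
                           ("http://bit.ly/3nR6gq", "bankofamerica.com")):
        print(alias, assess(alias, claimed, fetch=SAMPLE_REDIRECTS.get))
```

Called without the `fetch` argument, `assess` performs real HEAD requests, which contact the shortener and the destination host but download no page content.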