Internet Worm Protection

UN and ITU team up to fight Cybercrime

Melisa LaBancz-Bleasdale — Tue, 24 May 2011 06:38:57 +0000

On May 19, 2011 the ITU , the United Nations agency for information and communications technologies, cemented new global partnerships designed to make cyberspace a safer, more secure place to be for consumers, businesses, and – most crucially – children and youth.

A Memorandum of Understanding (MoU), signed between ITU and the United Nations Office on Drugs and Crime (UNODC) at this year’s WSIS Forum event in Geneva will see the two organizations collaborate in assisting ITU and UN Member States mitigate the risks posed by cybercrime.

The MoU will enable the two bodies to work together to make available the necessary expertise and resources to establish legal measures and legislative frameworks at national level, for the benefit of all interested countries. It is the first time that two organizations within the UN system have formally agreed to cooperate at the global level on cybersecurity.

“This new alliance with UNODC is a major milestone in implementing a coordinated global approach to an increasingly serious global problem. Together, our two agencies will generate powerful synergies that will help all interested countries fight the scourge of cyberthreats and cybercrime and create a safer online environment for all,” said ITU Secretary-General Dr Hamadoun Touré.

In line with its long tradition of public-private partnership, ITU has also signed an MoU with Symantec, provider of security, storage and systems management solutions. ITU will use Symantec’s security intelligence, in the form of its quarterly Internet Security Threat Reports, to increase understanding of and readiness for cybersecurity risks.

By distributing this report – which captures data from across Symantec’s Global Intelligence Network – to interested Member States, ITU aims to help better prepare governments in developing and developed nations alike to respond to the ever-growing risk from malware, cyber attackers and information thieves. This will facilitate awareness raising and knowledge transfer, complementing the work of ITU and strengthening its effectiveness as a global forum for governments and private sector to build confidence and security in the use of ICTs.

Commenting on the partnership, Enrique Salem, President and Chief Executive Officer of Symantec, said: “Over the past year and a half, the researchers that make up Symantec’s Global Intelligence Network have noted a dramatic increase in the number of cyberattacks, as well as the growing sophistication and impact of threats. The partnership between ITU and Symantec will facilitate an increased understanding of cybersecurity risks and how they can be reduced, increasing confidence in new and emerging technologies and facilitating the evolution of the digital world.”

Further reinforcing ITU’s efforts in this area, ITU’s work and relations with IMPACT continue to gain momentum, with over 130 ITU Member States now part of the ITU-IMPACT coalition.

ITU-IMPACT is the first cooperative global venture to make available cybersecurity expertise and resources to enable interested Member States to detect, analyze and respond effectively to cyberthreats. Of particular benefit to developing countries and smaller states without the capacity and resources to develop their own sophisticated cyber response centres, the coalition also benefits technically advanced nations by providing them with a global snapshot of potential and real online threats.

ITU-IMPACT members enjoy:

· Access to the IMPACT Global Response Centre (GRC), the foremost cyberthreat resource centre in the world for global threat information, at no cost.

· Access to the Electronically Secure Collaboration Application Platform for Experts (ESCAPE), allowing experts across different countries to share their knowledge and best practices with regard to cybersecurity, as well as facilitate the mitigation of cyberattacks, at no cost.

· On-site assessments and elaboration of implementation strategies for the establishment of the Computer Incidents Response Teams (CIRTs). To date 24 countries have been assessed, and work is in progress to move to the implementation phase.

· Specialized cybersecurity capacity building programmes to arm Member States and international agencies with relevant knowledge to face and prevent cyberthreats. To date, more than 200 cybersecurity professionals and 50 law enforcement officers have received specialist training. In addition, 155 training scholarships to 29 partner countries globally have been provided.

ITU-IMPACT also offers Managed Security Services to the UN family of agencies.

DOJ Takes Action to Disable Coreflood—Massive International Botnet

Melisa LaBancz-Bleasdale — Thu, 14 Apr 2011 00:17:51 +0000

More Than 2 Million Computers Infected with Keylogging Software as Part of Massive Fraud Scheme

WASHINGTON - On April 13, 2011, the Department of Justice (DOJ) and FBI announced the filing of a civil complaint, the execution of criminal seizure warrants, and the issuance of a temporary restraining order as part of the most complete and comprehensive enforcement action ever taken by U.S authorities to disable an international botnet.

The botnet is a network of hundreds of thousands of computers infected with a malicious software program known as Coreflood, which installs itself by exploiting a vulnerability in computers running Windows operating systems. Coreflood allows infected computers to be controlled remotely for the purpose of stealing private personal and financial information from unsuspecting computer users, including users on corporate computer networks, and using that information to steal funds.

“Botnets and the cyber criminals who deploy them jeopardize the economic security of the United States and the dependability of the nation’s information infrastructure,” said Shawn Henry, Executive Assistant Director of the FBI’s Criminal, Cyber, Response and Services Branch. “These actions to mitigate the threat posed by the Coreflood botnet are the first of their kind in the United States and reflect our commitment to being creative and proactive in making the Internet more secure.”

The U.S. Attorney’s Office for the District of Connecticut has filed a civil complaint against 13 “John Doe” defendants, alleging that the defendants engaged in wire fraud, bank fraud and illegal interception of electronic communications. In addition, search warrants were obtained for computer servers throughout the country, and a seizure warrant was obtained in U.S. District Court for the District of Connecticut for 29 domain names. Finally, the government obtained a temporary restraining order (TRO), authorizing the government to respond to signals sent from infected computers in the U.S. in order to stop the Coreflood software from running, thereby preventing further harm to hundreds of thousands of unsuspecting users of infected computers.

“The seizure of the Coreflood servers and Internet domain names is expected to prevent criminals from using Coreflood or computers infected by Coreflood for their nefarious purposes,” said U.S. Attorney David B. Fein for the District of Connecticut. “I want to commend our industry partners for their collaboration with law enforcement to achieve this great result.”

“The actions announced today are part of a comprehensive effort by the department to disable an international botnet, while at the same time giving consumers the ability to take necessary steps to protect themselves from this harmful malware,” said Assistant Attorney General Lanny A. Breuer of the Criminal Division. “Law enforcement will continue to use innovative and responsible actions in our fight against cyber criminals and at the same time, we urge consumers to ensure they are continually taking prudent measures to guard against harm, including routinely updating anti-virus security protection.”

According to court filings, Coreflood is a particularly harmful type of malicious software that records keystrokes and private communications on a computer. Once a computer is infected with Coreflood, it can be controlled remotely from another computer, known as a command and control (C & C) server. A computer infected by Coreflood and subject to remote control is referred to as a “bot,” short for “robot.” According to information contained in court filings, the group of all computers infected with Coreflood is known as the Coreflood botnet, which is believed to have been operating for nearly a decade and to have infected more than two million computers worldwide.

Coreflood steals usernames, passwords and other private personal and financial information allegedly used by the defendants for a variety of criminal purposes, including stealing funds from the compromised accounts. In one example described in court filings, through the illegal monitoring of Internet communications between the user and the user’s bank, Coreflood was used to take over an online banking session and caused the fraudulent transfer of funds to a foreign account.

In the enforcement actions announced today, five C & C servers that remotely controlled hundreds of thousands of infected computers were seized, as were 29 domain names used by the Coreflood botnet to communicate with the C & C servers. As authorized by the TRO, the government replaced the illegal C & C servers with substitute servers to prevent Coreflood from causing further injury to the owners and users of infected computers and other third parties.

What Is Coreflood?

The Coreflood malware on a victim’s computer is programmed to request directions and commands from C & C servers on a routine basis. New versions of the malware are introduced using the C & C servers on a regular basis, in an effort to stay ahead of security software and other virus updates. If the C & C servers do not respond, the existing Coreflood malware continues to run on the victim’s computer, collecting personal and financial information. The TRO authorizes the government to respond to these requests from infected computers in the U.S. with a command that temporarily stops the malware from running on the infected computer. During that time, the defendants will not be able to introduce different versions of the Coreflood malware onto the infected computers. By limiting the defendants ability to control the botnet, computer security providers will be given time to update their virus signatures and malicious software removal tools so that all victims can have a reliable tool available to them that removes the latest version of the malware from an infected computer.

The DOJ and FBI, working with Internet service providers around the country, is committed to identifying and notifying as many innocent victims as possible who have been infected with Coreflood, in order to avoid or minimize future fraud losses and identity theft resulting from Coreflood. Identified owners of infected computers will also be told how to “opt out” from the TRO, if for some reason they want to keep Coreflood running on their computers. At no time will law enforcement authorities access any information that may be stored on an infected computer.

What You Can Do

While this enforcement action completely disabled the existing Coreflood botnet by seizing control from the criminals who ran it, this does not mean that Coreflood malware or similar forms of malware have been removed from the Internet entirely. Nor does it mean that criminals will not attempt to build another botnet using a different version of the Coreflood malware or other malware. The best defense against such malware, and botnets in general, is for users to ensure their computers are protected by regularly-updated anti-virus security software.

The DOJ strongly encourages computer users to ensure they are using security software on their computers and that users regularly update their security and routinely scan their computers for viruses. To learn more about what you can do to protect your computer, including how to download and receive updates on security vulnerabilities, the public may go to the: Computer Emergency Readiness Team (CERT) and the Federal Trade Commission (FTC).

The law enforcement actions announced today are the result of an ongoing criminal investigation by the FBI’s New Haven Division, in coordination with the U.S. Marshals Service. Additional assistance was provided by Microsoft, the Internet Systems Consortium and other private industry partners. The matter is being prosecuted by the U.S. Attorney’s Office for the District of Connecticut, led by Assistant U.S. Attorney Edward Chang, and attorneys from the Computer Crime and Intellectual Property Section in the Justice Department’s Criminal Division.

The "State of Application Security Survey" - 88 Percent Spend More on Coffee Than Security

Melisa LaBancz-Bleasdale — Sun, 10 Apr 2011 21:46:17 +0000

Back in February, Barracuda Networks Inc., Cenzic Inc. and the Ponemon Institute released the“State of Application Security Survey,” which found that 73 percent of organizations had been hacked at least once in the last 24 months through insecure web applications. The news that web apps are insecure isn’t really shocking, but the percentage of organizations that fell prey to attacks is certainly eyebrow raising. I chose to address this report now, because it appears that companies just haven’t gotten around to determining the best way to handle the influx of insecure web apps exposing their organizations to increasingly sophisticated and damaging attacks.

In one of those, “It’s so awful it’s funny” findings, the survey notes that even though website attacks are the biggest concern for companies, 88 percent of them spend more on coffee than securing their web apps. Don’t get me wrong, I love me some coffee, but I also love me some secure banking and private medical files. I think it would be illuminating for an IT manager to use this data point in a meeting, “Last June we spent 50K on our Colombian roast and 2K our web security products. We’ve been hacked 187 times but our coffee is really, really good.”

The results of the survey reveal respondents’ perceptions and experiences protecting web applications. It underscores the lack of adequate protection currently in use and overall insufficient resources and knowledge around Web application security in general.

Strangely, (or not?), the report found that 69 percent of organizations rely on network layer firewalls to protect their websites, leaving web applications wide open for attack. Haven’t we all learned that firewalls are like long underwear? They offer some protection but won’t cut it on Mt. Everest. I was mystified to find that organizations still feel this is an adequate defense mechanism.

What wasn’t surprising to me was the finding that 72 percent of organizations test less than 10 percent of their web applications for security holes, some knowing they have been hacked in the past. I don’t actually know of any organization that runs the recommended regular security checks. This frustrates the analysts and security experts but time, resources, and competing priorities usually get in the way of such things as routine maintenance and ensuring the safety of the corporate network. I do think it should be required for all financial institutions, government agencies, medical organizations and any other company that deals with sensitive amounts of customer data—which is pretty much everyone right?

According to 74 percent of respondents, web application security is either more critical or equally critical to other security issues faced by their organizations. Despite this, the study shows there are many misconceptions around the methods used to secure Web applications, primarily web application firewalls and vulnerability assessment.

“While it is encouraging to see that web application security is on the minds of most organizations, there still seems to be a real disconnect between the desire and implementation of security countermeasures required for Web application security,” said Dr. Paul Judge, chief research officer and VP for Barracuda Networks. “The fact that 69 percent of respondents are relying upon network firewalls to secure web applications is like relying upon a cardboard shield for protection in a sword fight—eventually your shield will prove that it’s insufficient and an attack will reach you that can fly past a network firewall.” I agree. It’s probably never a good idea to use a cardboard shield whilst wearing your long underwear to a sword fight.

Mandeep Khera, CMO for Cenzic says it’s a huge red flag that a quarter of respondents could not provide a range for how many web applications they have. He expressed shock that 20 percent of organizations do not test at all and 40 percent test only 5 percent of their web applications, but as I mentioned above, it’s just never really been part of the day-to-day risk mitigation plan (and it should be). It is shocking though that most of these companies have been hacked multiple times through insecure web applications. “If you know that burglars come through a broken door repeatedly wouldn’t you want to fix that door?” asks Khera.

Other key findings in the study include:

Data protection (62 percent) and compliance (51 percent) were the top reasons for securing web apps. Job protection was also a significant reason cited by 15 percent of respondents.

Despite 51 percent listing compliance as a key driver for web application security, 43 percent are not familiar with or have no knowledge of OWASP, a key component to compliance standards like PCI.

With 41 percent reporting they have over 100 web applications or more, the majority (66 percent) test less than 25 percent of these applications for vulnerabilities.

More than half (53 percent) expect their web hosting provider to secure their web applications.

Of those respondents who own a web application firewall, nearly 2 times agreed that a reverse proxy is a better and more secure technology than a transparent bridge technology.

“While IT practitioners recognize the criticality of secure web applications, their organizations do not provide adequate resources and expertise to manage the risk,” said Dr. Larry Ponemon, chairman and founder, Ponemon Institute. “Over half of the respondents we polled believe they do not have resources to detect and remediate insecure web applications, and 64 percent said they believe that their organization have inadequate governance and usage policies.”

The results of the survey from the Ponemon Institute are based on responses from 637 practitioners in a variety of industries with an average of 11 years of experience in their profession.

Social Media May be Dangerous to Your Reputation

Melisa LaBancz-Bleasdale — Sat, 02 Apr 2011 01:15:44 +0000

Every good thing is tempered by some amount of risk, not to mention a Psalm or two. Social media is no different. For all the good that it perpetrates—connectedness, real-time sharing, creative collaboration, etc.—it comes with its share of unique, annoying, and downright serious problems.

Several months ago I posed a question to my LinkedIn group, Public Relations and Communications Professionals, asking whether or not they felt that every company needs a Facebook page. Overwhelmingly, the 20,000 odd members said no. “There’s a delicate balance in delivering value to the customer and deriving value from the customer,” says Art Hall, manager of customer relations at Altanta-based firm Alvarez & Marsal, “The key in the social arena is whatever content you give has to be of value,” Hall said.

It used to be that a company’s reputation was more important than how many followers they had. You may have 4,000 followers but what are you doing with them? What value are you bringing to the table? In the case of Messaging News, it’s my hope that we foster conversation and debate among our readers as well as expose people to ideas they may not have considered.

Too many organizations have actually done damage to their reputations by annoying customers with their Facebook pages. For me, even thinking about certain companies having a Facebook page annoys me. Diluting your brand by jumping on a bus that isn’t even going in your direction is an awful decision. If you are dead set on launching a page or participating in social media, run a focus group, conduct an extensive survey on the street corner or poll your current and potential customer base to find out why you should or should not have a social media program and how/why they’d use it.

Referring to Stephanie Jordan’s recent piece on privacy, I also think twice before I hand out my info on social media sites—and make no mistake, “friending” an organization is indeed handing out all of your online info to anonymous sources. On top of that, I’m not sure I need anyone to know if I’ve “friended” a feminine hygiene vendor.

The dangers of using social media are well documented but I think we’ve all developed the “invisible sign” syndrome: if you read a sign every day it soon becomes invisible. Most people reading Messaging News are not unfamiliar to technology and thus, know that whatever you put out there is for others to take. However, we don’t often think about it, we just know it.

Michael Shaffer of the Bradenton Herald writes, “When you post your personal information on a social media website, or anywhere on the Internet that is not security encrypted, it is accessible by everyone. Your name, address, e-mail and other personal information can all be accessed and is there to be used against you. Spammers often use social media sites to gather e-mail addresses for their campaigns. More dangerous still are identity stealers who use information gathered on social media sites to identify targets.”

We saw this happen in tandem with the Indonesian Tsunami relief efforts. Bogus pages were popping up, legitimate sites were hacked and kidnapped and Facebook “friending” of fraudulent pages became an issue. With the Japanese earthquake efforts people are a little more cautious, but not everyone is savvy and the criminals know that well-meaning people are their best customers.

Shaffer explains that criminals use social media to steal your identity by asking you to provide information, which is then used to impersonate you online. It’s an up-leveled form of social engineering. You receive an “event invite” asking you to join a good cause and because it requires no effort, you accept the invite. You are then re-routed via URL re-direct to a fraudulent page and a drive-by download of malicious code occurs. “It is human nature to want to help and unfortunately, these thieves are masters at playing to human nature,” Shaffer says.

Legitimate businesses are often the unwitting targets of identity thieves and risk losing their visitors and revenue without even knowing they were targets. eHow has a brief no-nonsense tutorial on what to do about website hijacking. They recommend that all webmasters monitor their sites for the telltale signs of hijacking.

In addition to the risk of infecting yourself or your online visitors with malware and viruses, you may be exposing yourself to career-impacting and reputation-damaging situations as well. Twitter is a prime example of a social media platform that can be used against you. If you are an executive of a well-known organization and you happen to be tweeting on your personal account about an exhausting meeting with a “blow-hard client”, that information may make its way to your peers, or worse, that client. The beauty, and terror of the Internet is that once it’s there, it stays there (usually). You may post some contentious comments on a user group—like LinkedIn—only to find during a job interview that the interviewer is a member of that same group and had opposed your views.

When I consider the “dangers” of social media, it’s not usually in the context of viruses, worms, etc. For me, it’s as much about the risk of being inundated with pointless sites and pages as it is about being turned into a botnet. Computer issues, although difficult and time-consuming to remedy, are easier to fix than a bad customer experience or perception of your organization.

ESET Mail Security for MS Exchange Designed for Enhanced Spam Detection

Melisa LaBancz-Bleasdale — Fri, 01 Apr 2011 00:47:06 +0000

ESET has released their business-ready ESET Mail Security for Microsoft Exchange Server 4.3. The update offers an advanced anti-spam engine with precision score dials, and spam and grey listing logs.

Out of the top twenty corporate endpoint security vendors worldwide, ESET is the fastest growing company in this category according to IDC. ESET Mail Security for Microsoft Exchange Server is built on the NOD32 Antivirus 4 ThreatSense® engine and provides customers with proactive technology for detecting viruses and other malware. In addition to stripping malware from messages, the integrated anti-spam and grey listing features keep unwanted spam from reaching end users.

“We are always focused on continuous improvement and with that mindset we enhanced the anti-spam capabilities and provided tools and logs for easy management,” said Pavel Luka, Chief Technology Officer, ESET. “Messaging security is the first line of defense against malware outbreaks, spam interruptions, and phishing attacks, and ESET Mail Security for Microsoft Exchange Server provides fast and accurate messaging security with minimal overhead for businesses of all sizes.”

ESET Mail Security for Microsoft Exchange Server was designed to offer proactive protection against emerging threats without having to wait hours or days for signature updates. Additionally, the company says the solution has a light system footprint that has minimal impact on mail server performance and is easy to deploy.

New features of ESET Mail Security for Microsoft Exchange Server 4.3 include:

New Anti-spam engine
Anti-spam score dials—Define anti-spam threshold scores at three levels with greater precision for more control.
Advanced setup tree—Redesigned advanced setup tree for more intuitive navigation.
Automatic exclusions—Automatically detects and excludes critical server files for smooth operation.
License merging—Automatically merges two or more licenses with the same customer name for easier license management.
Spam log—Displays sender, recipient, spam score, classification reason and action taken for actionable information.
Grey listing log—Displays grey listed sender, recipient, action taken and shows status until connection denial period ends for actionable information.

For Messaging, RSA Conference Focuses on Email, Web and Mobile Security

Stephanie Jordan — Thu, 17 Feb 2011 08:25:12 +0000

The RSA Conference held in San Francisco’s Moscone Convention Center this week offers a glimpse into the hopes of a post-recession IT boom. Very debatable that the recession is actually over, but to me this year was characterized by more foot traffic than in recent years, the return of bigger booths and promotional stunts including knights in shinny armor, blue girls, and pirates.

When it came to messaging, common discussion points included malicious activity on social media sites like Facebook and Twitter, the increase in interest and adoption of email encryption, the rise of hacktivisim, the decrease in spam levels (and the various theories as to why), and the cloud among other topics.

While the show runs an entire week, the first half of this week has seen a variety of news announcements for the messaging space. Here are a few highlights as of press time:

Barracuda Networks Inc. re-announced its Barracuda Web Security Flex, which unifies SaaS, appliance and remote filtering deployment options under a single management and reporting portal.

Cisco announced its new SecureX Architecture, which enables context-aware security enforcement, and that the first to offer the context-aware firewalling and policy enforcement is the Cisco Adaptive Security Appliance (ASA).

GlobalSCAPE announced its new hosted MFT (managed file transfer) solution in its GlobalSCAPE’s cloud MFT suite. GlobalSCAPE Hosted Enhanced File Transfer Server is a service that expands the company’s cloud-based Managed Solutions, launched in July 2010.

M86 unveiled M86 MailMarshal 7.0, a complete overhaul and re-architecture of its software-based email policy management solution that boasts support for Microsoft Exchange 2010.

Messageware offered a demo of its new software solution, OWA (Outlook Web Access) Guard for Exchange Server 2010, an endpoint security software enhancement that is designed to protect both businesses and their employees from unauthorized access to corporate information. (The product is in beta and expected to be released next quarter.)

Solera Networks demonstrated its recently announced Solera OS 5.0, a major update to its network forensics platform, which offers real-time and historical views of everything on the network, think surveillance camera.

SRA International, Inc. announced the launch of its SRA One Vault Messenger, an encryption solution for SMS text messaging for BlackBerry smartphones, the latest addition to the SRA One Vault suite of products released in 2010.

ValidEdge unveiled its new Network Malware Security, a combined hardware and software solution, that monitors critical networks for any suspect code intrusion, performs instant analysis and issues alerts for IT personnel.

Voltage Security, Inc. announced v4 of Voltage SecureMail, an email encryption solution. The new version offers enhanced end-user experience and business features for global enterprises.

Websense offered a demo of its new Mobile DLP capability that uses Websense DLP technology to prevent the loss of confidential data on iPads, iPhones, Android, and other mobile devices.

ZixCorp announced a new product, ZixMobility, for the email encryption market that aims to enhance ease of use for encrypted email on a number of major smartphone platforms including Android, BlackBerry and iPhone.

Zscaler, Inc. unveiled Zscaler Mobile, which works in tandem with Zscaler’s existing Web and email cloud security services, to enforce the same policy for users wherever they go, across all devices.

There is always so much to see and learn at RSA. I always leave wishing I had more time for more meetings, more introductions and more lectures. This year proved to be no different!

Survey Reveals Internet Porn Still a Major E-threat Source

Melisa LaBancz-Bleasdale — Thu, 27 Jan 2011 01:31:44 +0000

BitDefender, an Internet security solutions provider, found in a recent study that Internet pornography remains a main source of e-threats. The study, which exposes data security risks and implications when accessing adult content web sites, confirmed that 63 percent of users searching for adult content compromised their computers’ security on multiple occasions. This information didn’t necessarily surprise me, as porn is an excellent vehicle for cloaking viruses and malware as it’s such a huge business. What I did find most interesting was that the study consisted of a survey concerning the psychological background of adult on-line content use, and a net-research aiming to identify the ensuing malware and privacy related issues.

More than 72 percent of the 2,017 respondents interviewed in the study admitted that they had searched for and accessed adult content sites (78 percent men and 22 percent women). The study found that of the most accessed pornographic materials, 91 percent were videos that can be downloaded from different sources including torrents, web sites and hubs. Again, this isn’t really earth-shattering news, but when you look at numbers, It’s a clear indication that if you’re a cybercriminal, this is where you should be focusing your “efforts”. Real-time adult content sites, such as video-chats and adult dating, ranked second in respondents’ preferences with 72 percent.

The study also found that 69 percent of the interviewed participants usually access adult content web sites from home, while 25 percent access them from their work places and only 6 percent from other locations (Internet cafés and other super inappropriate places). I was actually relieved to know that the bulk of the time people at work are actually, well, working.

On the psychology side of things, the study determined that the main motivations (54 percent) for accessing adult sites were the need to relax and curiosity (38 percent). I’d say that probably 36 percent of that 38 percent of respondents weren’t being totally truthful and belong with the initial 54 percent, but that’s my uneducated opinion.

“The BitDefender survey confirms that users should think twice when accessing these pornographic sites since this is an area that cyber criminals continue to exploit,” states Sabina Datcu, E-Threats Analysis and Communication Specialist and author of the survey. “Over 60 percent of respondents admitted that they have had malware-related issues more than one time as a direct consequence of accessing adult content. In the end, the findings of this study should make users consider whether accessing these sites is worth compromising their systems, data and work.”

More details on this survey can be found on MalwareCity.

2011 CEAS Conference Call for Papers

Ben Gross — Mon, 24 Jan 2011 22:31:27 +0000

CEAS 2011–the Collaboration, Electronic messaging, Anti-Abuse and Spam Conference will be held in Perth in Australia September 1-2, 2011. This will be the 8th annual gathering for the event formerly known as the Conference on Email and Anti-Spam. Curtin University’s Anti Spam Research Lab in the Digital Ecosystems & Business Intelligence Institute will host the conference.

There are nine conference tracks:

Email Spam
Web Spam & Spam 2.0
Spam & Security in Social Networks
Cyber Crime
Spam Economics
Network Security
Information Technology Security
Security Technologies
Security Management

The CEAS call for papers is available as Word and PDF document, although not as HTML. The relevant dates for potential authors are:

Abstract deadline: April 5, 2011
Submission deadline: April 15, 2011
Author notifications: June 15, 2011
Final accepted papers due: Aug 15, 2011

Proceedings including the full text of papers from previous CEAS conferences are available from the ceas.cc site, which has not been updated to include material for the 2011 conference.

Spam Bouncing Back, Facebook’s New Threat

Stephanie Jordan — Thu, 13 Jan 2011 02:07:04 +0000

In the fourth quarter of 2010 spam levels dropped to an all time low. The thrill has been short lived, however, as Commtouch reports spam has increased 45 percent this week.

In its quarterly Internet Threats Trend Report, which covers spam, phishing, malware and Web threats, Commtouch says December’s daily average for spam was around 30 percent less than in September. The average amount of spam for the fourth quarter (Q4) of 2010 was 83 percent of all email sent worldwide, down from 88 percent in the third quarter (Q3).

According to the report, in Q4 approximately 288,000 zombies were activated daily, a significant decrease as compared to 339,000 during Q3. “An inactive botnet is like an idle factory, a money-losing proposition for spammers,” warns Asaf Greiner, Commtouch vice president of products. “We have seen situations where after a lull in spam or malware distribution a new tactic was introduced. Threat experts are wise to continue following changes in network behavior in order to proactively block new threats.”

Commtouch found spam levels averaged 142 billion spam/phishing messages per day during Q4 compared to the 198 billion spam/phishing messages per day during Q3. Commtouch stated that spam activity increased by 45 percent just prior to the report’s publication on January 12.

Also this week, AppRiver, LLC released its year-end Threat and Spamscape report, which offers a summary and analysis of spam and malware trends traced over the course of 2010.

According to Fred Touchette, AppRiver report author and senior security analyst, phishing techniques showed increasing sophistication in 2010. Touchette predicts that phishing campaigns will continue to be a trend in 2011. Specifically, he believes the following phishing characteristics will be seen this year:

Pretending to be a Banking Institution— Touchette says posing as a trusted bank is a tried and true persona for cyber criminals. Unsuspecting online bankers will continue to be victims, as they respond to simple emails that appear to be from their bank asking them to login.

Activating Botnets—Despite the take down of the Pushdo and Bredolab botnets, Touchette notes that the presence of botnets does not appear to be going away any time soon. Underground forums that sell kits, mostly ZeuS-based kits, will enable botnets to continue to spew out spam for the foreseeable future.

Targeting Mobile Devices—The steadily increasing use of mobile devices will increase the likelihood of these devices becoming prime targets for malicious attacks, predicts Touchette, offering evidence of the attack we saw in late August, where cyber criminals showed just how easy it is to create a believable Facebook spam campaign targeting smartphone users.

Capitalizing on Facebook and Twitter—Touchette sees social networking sites as prime locations for cyber criminals to prey on the naïve and unsuspecting. He says the large cross-section of users makes the potential for a successful attack significant.

Speaking of Facebook, it was recently reported that a new social networking worm in the vein of Koobface is currently doing the rounds. Chester Wisniewski, a senior security advisor at Sophos Canada, commented that the reported threat is different from the usual Facebook malady because “unlike the majority of Facebook scams we report, this one actively infects your computer with malware instead of simply tricking you into taking surveys and passing on messages to other users.”

It appears that an individual received a link in his Facebook chat from a friend, which pointed to an app.facebook.com/CENSORED link. Writes Wisniewski, “Typically when you go to a Facebook app page it prompts you to add the application and grant it permission to post on your behalf or read your profile data. The scary part about this one is that it immediately prompts you to download a “FacebookPhotos#####.exe” file with no prompting or clicking required.”

Wisniewski goes on to say that a dialog box says that the photo has been moved to another location and encourages the user to click VIEW PHOTO in order to see it. Wisniewski warns, “If your computer has not already downloaded the malware, the “View Photo” button will download the virus for you.”

Facebook quickly removed the application, but as Wisniewski concludes, there are no doubt more like this one out there.

As we review 2010 and look forward to 2011, from a messaging security standpoint, it appears we are in for more of the same when it comes to spam, phishing and malware. Social networking sites with Facebook and Twitter perhaps in the lead, and mobile devices too will continue to be not only popular among users, but also popular with the bad guys.

Eye on Messaging is written by Stephanie Jordan, editor in chief of Messaging News. If you have story ideas or news to share, email her: sjordan [at] messagingnews [dot] com

Security Training vs. Technology

Michael Osterman — Tue, 14 Dec 2010 19:51:18 +0000

Clearswift recently reported the results of a security-focused survey it conducted. The good news is that 74% of the office workers it surveyed are “confident” in their understanding of Internet-focused security policies in their company. The bad news is that one-third of respondents have not received any IT security training since they were hired by their employer, and most without training in the recent past have been with their employer for more than five years.

What this means is that many employees joined a company before they used Twitter or Facebook, before the Web became the primary vector for malware, and before the Zeus botnet became a widespread problem—and they have never had IT security training on these issues. This then begs the question—why are so many employees confident in their understanding of their employer’s security policies? They probably should not be.

This finding suggests a couple of things:

First, employers need to train their employees on security policies. This means creating detailed and thorough policies about the use of email, Twitter, Facebook, LinkedIn, instant messaging, Web surfing, personal Webmail accounts, use of corporate assets at home and everything else that employees might use, download or otherwise introduce into the corporate network. Policies should focus on acceptable use, the types of content that can and cannot be shared, the appropriate venues for sending content, etc. The policies and the training that support them should be updated regularly.
Second, realizing that employees are not perfect and that even with the best training they will still make mistakes, robust technologies should be implemented as a backstop against these mistakes. This includes Web gateways offered by companies like Clearswift and many others, anti-malware technologies, data loss prevention technologies, anti-virus at the desktop, compliance tools on smartphones and a host of other capabilities.

It’s important to note that training and technology are both critical elements in any company’s security infrastructure. You can implement all the training you want, but it won’t guard against employee mistakes. You can implement all the technology you want, but it won’t provide a perfect defense against bad stuff coming in or the sensitive stuff going out. Our own research finds that both training and technology are effective components of a security system, although IT decision makers believe that the latter is the more effective. However, as the Clearswift study suggests, both training and technology are indispensible elements in defending an organization to the greatest extent possible.

We're All Sheriffs in the Land of the Walking Dead: The Botnet Fight

Stephanie Jordan — Mon, 22 Nov 2010 18:36:26 +0000

“Wake up!” Or so one might want to shout at those enterprise network operators and IT managers who consistently act as if their operations were islands unto themselves. These are the mavericks that ignore industry best practices and go their own way, believing their networks immune to zombies or bot infections, and who disregard the lessons learned by their peers.

The sad reality is that we all suffer once zombies or bots find their way onto these susceptible networks or Web sites. The bot-delivered malware that ends up surreptitiously installed on users’ computers is a finely tuned parasite, capable of stealing valuable informational assets such as personal identity records or credit card numbers. The bot then turns the computer into an efficient spam machine, sending abusive email just under the network operator’s radar and often launching highly-targeted phishing expeditions—all without the computer owner’s permission or knowledge. Enterprises and their banking operations are being precisely targeted by malware such as Zeus and SpyEye, which is designed and, is very successful, in compromising banking credentials, thereby gaining access to corporate bank accounts and stealing millions of dollars.

Spam from bot-infected computers clogs the Internet and is often loaded with malicious code aimed at other unsuspecting users. According to metrics aggregated by the Messaging Anti-Abuse Working Group (MAAWG), almost 90 percent of all email traffic on the Internet is abusive. Together with social engineering and compromised Web sites, spam is one of the most important ways to get end-user machines compromised with malware.

Beyond the personal and business setbacks it spawns, abusive messaging also has become a huge budgetary drain. Ferris Research, Inc. estimated that spam cost the U.S. $42 billion in 2009. This is just slightly less than the $40 billion that globalissues.org calculates it would cost to provide universal access to basic social services in all developing countries. Ferris puts the worldwide outlay for spam last year at more than three times this amount, around $130 billion globally.

Given the scope of the problem, no one entity alone can stop bots or the resulting spam they generate. Creating a safe online environment is the responsibility of all of us who have an interest in the free exchange of information. This includes network operators and email providers, industry vendors, corporate networks, small business users, and yes, even end-users. We all have a role to play in protecting the Internet.

Taking a Stand

The first priority for end-users is to learn good computing habits and to understand the dangers inherent in spam. Half of the email users in North America and Western Europe opened or accessed spam last year, according to the 2010 MAAWG Email Security Awareness and Usage Survey. Tens of millions clicked on links or opened attachments that could leave their computers vulnerable to a bot. As long as users continue to interact with spam, and as long as spam remains a profitable commerce model, the cybercriminals will be open for business.

In some respects, battling spam and cybercrime is a never-ending arms race. As soon as the industry identifies a bot or a cleverly devised phishing scheme, the cybercriminals quickly morph the code or change their mode of operation, making the malware more difficult to detect. We have to remember that in the time of open source and Internet standards, the tools available to the good guys are just as easily used by the bad guys too.

Yet, there are definite remedies in sight. From the industry’s perspective, one of the best weapons in this battle is the development of generally accepted procedures and tactics. Industry best practices tackle the thorny issues that require a broad, consensus approach to problem solving. They incorporate the industry’s collective wisdom on avoiding common mistakes and how to provide a better online experience for users. Best practices are guidelines freely offered by the industry to be voluntarily applied within a relevant organization’s strategic and technical framework.

The question any enterprise or business should be asking is not if it should implement anti-abuse best practices. Given the enormous cost and risk associated with spam and bots, the question is why would an organization not make adopting best practices a priority? Many of these practices cost next to nothing to implement, in many cases just requiring simple configuration changes or minor modifications to working practices.

Best Practices Illuminate Industry’s Shared Knowledge

Industry associations like MAAWG bring together representatives from all perspectives to work out solutions to common problems. As a result, the best practices developed through MAAWG tend to be more balanced rather than advancing a specific company’s or business sector’s interests. For example, many of the bulk senders in MAAWG worked closely with our network operator members to understand all sides of the issues when developing the MAAWG best practices for email marketers. Likewise, ISPs talked with abuse desk professionals in developing the best practices for notifying users when they have a bot on their computer and in addressing other issues related to remediation of infected machines, which often are placed in walled gardens.

Best practices also help to clarify the processes and technological strategies proven to be most effective in combating abuse. They often spell out common steps abuse and IT managers can take to better serve end users. MAAWG recently issued the first best practices aimed at providers of Web messaging systems. Among the recommendations were several well-known tactics that might otherwise be undervalued by Web messaging developers, such as auditing user account metrics and requiring registration before users can post or send messages.

The outcome of the effort within organizations like MAAWG to develop best practices is that smaller enterprises or regional operators have access to the broader and more varied experience of larger companies. These larger operations, with access to more resources and higher R&D budgets to invest in anti-abuse strategies, willingly share their knowledge and expertise to help advance the industry.

The only way to take down zombies, bots and spam is through this type of socially responsible action. By working together to protect the Internet and users’ online experience, we all profit. To that end, we have all been deputized in the Internet posse.

—

About Michael O’Reirdan

Michael O’Reirdan is serving his third term as chairman of the Messaging Anti-Abuse Working Group (MAAWG), the industry’s largest global trade association that works against messaging spam, viruses, denial-of-service attacks and other online exploitation. Professionally, O’Reirdan is a Distinguished Engineer at a major ISP in North America with over 18 years of experience in the ISP field and with public facing messaging platforms. He has served on executive advisory boards for several major computer vendors and academic institutions and is active in other industry organizations.

Quarterly Threat Report Found Malware Peak in August

Stephanie Jordan — Mon, 22 Nov 2010 08:56:30 +0000

Last week, Cisco offered its latest Global Threat Report for the period of July to September. The report reveals that enterprise users experienced an average of 133 Web malware encounters per month, peaking at over 140 during the month of August. Approximately 10 percent of Web malware was encountered via search engine traffic and/or services. During 3Q10, 7 percent of all Web malware encounters resulted from Google referrers, followed by Yahoo! at 2 percent.

According to the report, if you are in the Pharmaceutical & Chemical vertical, you were most at risk for Web malware encounters in 3Q10, experiencing a heightened risk rating of 372 percent. Other higher risk verticals in 3Q10 included Energy & Oil (209 percent), and Agriculture & Mining (169 percent). The vertical least at risk during the quarter was Aviation & Automotive.

“We can also report that spam volumes were highest in August 2010 compared to the remainder of the quarter,” says Mary Landesman, market intelligence manager at Cisco. “The Rustock botnet was the most frequently encountered event handled by Cisco Remote Operations Services (ROS) peaking in late August. This botnet is believed to be one of the largest purveyors of spam and has been most predominantly affiliated with sending pharmaceutical and counterfeit watch spam, often in the form of a breaking news alert, a tactic first popularized by the Storm botnet.”

The report also shows that during the course of the largest LinkedIn spoofing in mid-September, the malicious LinkedIn email comprised a significant 31.26 percent of all spam for that period.

For more on the Global Threat Report, visit Cisco’s website.

G-20 Summit Subject Lines Used for Targeted Attacks

Stephanie Jordan — Thu, 11 Nov 2010 04:15:30 +0000

The G-20 summit between leaders of the world’s biggest economies being held this week in Seoul has been the focal point for messaging exploits, says Symantec Hosted Services. Since October, attacks being monitored by the company have increased to at least three per day.

According to the Symantec/MessageLabs Intelligence’s Mathew Nisbet, these attacks “claim to have some kind of invitation, or report attached. The attachment is usually a compressed archive that contains a document with an exploit that will be activated as soon as the recipient attempts to open it.”

Some sample subject lines:

“G20 services”

“Seoul Summit Development Issue Report”

“Key info for G20 Seoul Summit”

“[G20] Draft Communique of the FMM&CBG meeting in Gyeongju”

In Nisbet’s blog, he offers some examples of what the emails look like noting that senders are usually “a made up a persona, complete with email address and job title at a well-known global news organization, to give a more human and therefore more believable edge to the mail. At first glance it may seem quite genuine, but a little investigation is all that is needed to know something is not right.”

Events such as the G-20 Summit are often used to great success, because during such times people are more likely to receive unsolicited mail with attachments, or be following the topic with deep interest increasing the likelihood of opening the document.

Blocking Malware as Far Back as Possible

Michael Osterman — Mon, 04 Oct 2010 21:13:09 +0000

Roughly 80% of the new domains on the Internet are not registered by real companies, but often by hackers, malware authors, speculators and others. Many of these domains—but certainly not all—are registered simply for the purpose of spreading malware or otherwise doing harm. Further, the Software Engineering Institute at Carnegie Mellon found that a disproportionate number of newer and non-commercial top-level domains (TLDs) are used for malicious purposes. For example, while .org domains account for 11.0% of the domains currently in use, they account for 16.7% of malicious TLDs; similarly, .info and .biz account for fairly small proportions of the total TLDs in use, but they represent 19.9% and 6.7% of the malicious TLDs, respectively. The .cn domain accounts for 1.7% of TLDs, but 3.0% of malicious TLDs. You can read more on the study here.

So, what can you do about it?

In late July at the Black Hat conference in Las Vegas, Paul Vixie, president of Internet Systems Consortium (ISC), announced a technology called Response Policy Zones (DNS RPZ). The concept behind DNS RPZ is fairly simple: those using the technology can both share and consume information about domain reputations for the purpose of helping the community know which domains should and should not be resolved. The technology, which is based on the same principle as realtime blacklists for email, basically identifies the reputation of domains based on various criteria, and then allows users of DNS RPZ to decide which domains to resolve.

ISC’s role in DNS RPZ will not be to publish reputation data on domains. Instead, they are developing only the technology that will allow participants to share reputation data with one another and then make decisions appropriate to their enterprise, customer base or whatever other requirements they might have.

What’s the upside of this approach? Clearly, it represents a way to prevent malicious content, such as keystroke loggers and other malware, from being served up to users through blended threats (links to malicious Web sites in email), through drive-by attacks or by users visiting Web sites they shouldn’t be visiting. The downside is the potential for false positives, blocking access to valid Web sites that have mistakenly been identified as malicious or at least questionable. However, early testing has demonstrated a very low false positive rate.

Will DNS RPZ be the silver bullet that ends the plague of malicious content being distributed on the Web? Of course not. However, it represents a promising step forward at blocking content from reaching users before it must be processed and its consequences dealt with.

Stolen Emails Serve as Templates for Email Messages and Brand Spoofs

Stephanie Jordan — Wed, 22 Sep 2010 21:53:15 +0000

This week marks the return of plug-and-play (PNP) malware, according to St. Bernard’s Red Condor security team. Cyber-criminals are actively spoofing major brands, including Amazon, eBay, Facebook and WordPress, and are also using “misdirected” personal email as templates.

“Like the global ‘Here you have…’ spam campaign from earlier this month, this new round of PNP spam is virulent and relies on social engineering to get users to click on a link or open an attachment, but that is where the similarities end,” explains Mary Mizrahi, product manager at St. Bernard. “The PNP spam is much more sophisticated and more dangerous than the ‘Here You Have…’ campaign, which did not cause any harm to computers. From a single click on a link in the PNP email message, multiple exploits can silently infect a computer system in a matter of seconds.”

Mizahi goes on to note that the downloaded malware cocktail appears to include root-kits that can be used to plant keyloggers, sniff banking credentials and perform other nefarious activities.

The company believes that the creators behind the malware vary their methods to bypass filters and entice users to click on a link or attachment, and have also switched from using their own obfuscation techniques for JavaScript that is sent through email to using commercially available tools like AntsSoft HTML Protector, which is designed to prevent certain actions on Web pages such as right-clicking.

According to St. Bernard’s report, this is how it works: If a recipient opens the HTML attachment in the spam emails, the embedded JavaScript causes the browser to navigate to the compromised host, which then performs a silent drive-by-download (iFrame technique) of more obfuscated JavaScript. The additional script attempts several exploits and shuttles the browser to another fake anti-virus site, similar to the sites reported in August 2010. The JavaScript obfuscation technique for the downloader component of this campaign has been completely revamped, and is attempting to exploit CVE-2010-0886, vulnerability in the Java Development Toolkit, as well as pulling down several other virulent components, including “installer_m.exe,” “flash.swf” and “libtiff.pdf.” A Virus Total scan of the multiple malicious components contained in the downloader found that none of the virus engines had detected installer_m.exe, 12 had identified the flash.swf as a Trojan virus, and five had detected libtiff.pdf.

For more on the PNP malware, visit St. Bernard’s Red Condor Security Alerts blog.