<?xml version="1.0" encoding="utf-8"?>
<feed xmlns="http://www.w3.org/2005/Atom">
    <title>Andre Yee&apos;s Security Insider</title>
    <link rel="alternate" type="text/html" href="http://www.ebizq.net/blogs/security_insider/" />
    <link rel="self" type="application/atom+xml" href="http://www.ebizq.net/blogs/security_insider/atom.xml" />
   <id>tag:www.ebizq.net,2007:/blogs/security_insider//13</id>
    <link rel="service.post" type="application/atom+xml" href="http://www.ebizq.net/mt/mt-atom.cgi/weblog/blog_id=13" title="Andre Yee's Security Insider" />
    <updated>2007-02-23T01:30:04Z</updated>
    <subtitle>An open dialogue about security and compliance for the enterprise.</subtitle>
    <generator uri="http://www.sixapart.com/movabletype/">Movable Type 3.2</generator>
 
<entry>
    <title>Spam - The Four Letter Word Everyone Hates</title>
    <link rel="alternate" type="text/html" href="http://www.ebizq.net/blogs/security_insider/2007/02/spam_the_four_letter_word_ever.php" />
    <link rel="service.edit" type="application/atom+xml" href="http://www.ebizq.net/mt/mt-atom.cgi/weblog/blog_id=13/entry_id=1596" title="Spam - The Four Letter Word Everyone Hates" />
    <id>tag:www.ebizq.net,2007:/blogs/security_insider//13.1596</id>
    
    <published>2007-02-23T01:17:19Z</published>
    <updated>2007-02-23T01:30:04Z</updated>
    
    <summary>Here&apos;s an interesting development in the war against spamming. Apparently, it is now becoming libelous to label someone a spammer. In his article, Don&apos;t Call It Spam, Forbes&apos; Andy Greenberg reports on how labeling an email mass marketer a spammer...</summary>
    <author>
        <name>Andre Yee</name>
        <uri>http://www.ebizq.net/blogs/security_insider/</uri>
    </author>
            <category term="Odds and Ends" />
    
    <content type="html" xml:lang="en" xml:base="http://www.ebizq.net/blogs/security_insider/">
        <![CDATA[<p>Here's an interesting development in the war against spamming.  Apparently, it is now becoming libelous to label someone a spammer.  In his article, <a href="http://www.forbes.com/2007/02/21/spam-lawsuit-marketing-tech-cx_ag_0222spam.html?partner=alerts">Don't Call It Spam</a>, Forbes' Andy Greenberg reports on how labeling an email mass marketer a spammer can land you in court.  Here's a snippet of what he writes about this -</p>

<p><em>"When the Spamhaus Project, an organization devoted to cataloguing the Internet's most prolific spammers, placed marketer e360insight on a spammer "blacklist" in November 2003, the result was a $25 million lawsuit. e360insight founder David Linhardt says his Wheeling, Ill.-based marketing [firm] should never have been on Spamhaus' Registry of Known Spamming Operations...since his company landed on Spamhaus' list, it has been blocked from 4 million e-mail accounts, and has lost more than $3 million in revenue."</em></p>

<p>Linhardt sued last year and won a judgement for $11.7M, but Spamhaus, located in the UK, has refused to pay. This kind of case may be unusual, but I don't think we've heard the last of them...I'm quite sure disputes like this will continue to arise.</p>

<p>Part of the problem stems from a lack of a legal definition for spam.  What is spam?  If it's simply unwanted, unsolicited emails, there are many legitimate companies that fall into that category when all they are doing is simply marketing.    </p>

<p>The notion of an opt-in list helps but isn't really an effective or fair solution.  I hate spam as much as the next guy, but I also have the perspective of running a small business and using email marketing campaigns as a means to promote a company webcast or new program.  We mailed only to a mailing list that had opted in, but we were at times still accused of spamming by service providers.  All it takes is one complaint from a recipient on an opt-in list of thousands.  Sometimes, the guy who opted in on behalf of the company had since departed...other times, the person who opted in forgot that he did so.  We always got it cleared up with the ISPs, but it was a hassle.</p>

<p>This is an interesting development because overall, I think from an end user's perspective, most ISPs appear to have gotten a decent handle on spam, unlike 2-3 years ago.  To do so, besides the use of antispamming technology, they needed to adopt a strict stance against anything that looked or smelled like spam.  But in the process, have legitimate companies been hurt?  Or is this just the price you pay for the good of the entire Internet ecosystem?</p>]]>
        
    </content>
</entry>
<entry>
    <title>An Ounce of Prevention Against Insider Attacks</title>
    <link rel="alternate" type="text/html" href="http://www.ebizq.net/blogs/security_insider/2007/02/an_ounce_of_prevention_against_1.php" />
    <link rel="service.edit" type="application/atom+xml" href="http://www.ebizq.net/mt/mt-atom.cgi/weblog/blog_id=13/entry_id=1539" title="An Ounce of Prevention Against Insider Attacks" />
    <id>tag:www.ebizq.net,2007:/blogs/security_insider//13.1539</id>
    
    <published>2007-02-14T03:31:59Z</published>
    <updated>2007-02-14T03:45:02Z</updated>
    
    <summary>My last post on insider attacks mentioned the importance of knowing who you&apos;re hiring for that oh-so-important IT admin position. Here&apos;s a Dec 2006 Information Week article - The Case for Background Checks - essentially making the same point. Roger...</summary>
    <author>
        <name>Andre Yee</name>
        <uri>http://www.ebizq.net/blogs/security_insider/</uri>
    </author>
            <category term="Insider Attacks" />
    
    <content type="html" xml:lang="en" xml:base="http://www.ebizq.net/blogs/security_insider/">
        <![CDATA[<p>My <a href="http://www.ebizq.net/blogs/security_insider/2007/02/insider_attacks_whos_behind_th_1.php">last post on insider attacks</a> mentioned the importance of <em>knowing</em> who you're hiring for that oh-so-important IT admin position.  Here's a Dec 2006 Information Week article - <a href="http://www.informationweek.com/story/showArticle.jhtml?articleID=196602839">The Case for Background Checks</a> - essentially making the same point.  </p>

<p>Roger Duronio was hired by UBS PaineWebber in 1999 without a background check, which would have uncovered a police record.   Instead, Duronio ended up committing computer sabotage by releasing a logic bomb which crashed a couple thousand corporate servers and temporarily interrupted trading for thousands of brokers.  The financial loss wasn't detailed in the article, but needless to say, the loss of trading business was far more than the cost of fixing the technical problem.  </p>

<p>The lessons here are simple.  When it comes to security, an ounce of prevention is worth a pound of cure.  Background checks and character references matter.  To the point I made in the last post, hire for technical expertise, but if you think integrity or character isn't important....think again.   I bet UBS wishes they had. </p>]]>
        
    </content>
</entry>
<entry>
    <title>Insider Attacks - Who&apos;s Behind the Curtain?</title>
    <link rel="alternate" type="text/html" href="http://www.ebizq.net/blogs/security_insider/2007/02/insider_attacks_whos_behind_th_1.php" />
    <link rel="service.edit" type="application/atom+xml" href="http://www.ebizq.net/mt/mt-atom.cgi/weblog/blog_id=13/entry_id=1496" title="Insider Attacks - Who's Behind the Curtain?" />
    <id>tag:www.ebizq.net,2007:/blogs/security_insider//13.1496</id>
    
    <published>2007-02-09T01:39:21Z</published>
    <updated>2007-02-13T22:48:45Z</updated>
    
    <summary>Insider attacks are typically more insidious than highly publicized worms. Who&apos;s behind these insider attacks? The simple answer is insiders, of course...disgruntled workers, untrusted contractors, etc... A closer look might be a little more revealing according to this ComputerWorld article....</summary>
    <author>
        <name>Andre Yee</name>
        <uri>http://www.ebizq.net/blogs/security_insider/</uri>
    </author>
            <category term="Insider Attacks" />
    
    <content type="html" xml:lang="en" xml:base="http://www.ebizq.net/blogs/security_insider/">
        <![CDATA[<p>Insider attacks are typically more insidious than highly publicized worms.  Who's behind these insider attacks?  The simple answer is <em>insiders</em>, of course...disgruntled workers, untrusted contractors, etc...   </p>

<p>A closer look might be a little more revealing, according to this <a href="http://computerworld.com/action/article.do?command=viewArticleBasic&articleId=9010701&intsrc=hm_list">ComputerWorld article</a>.  Based on a Carnegie Mellon study, it highlights a couple of interesting statistics.  86% of all attackers are IT workers, with a majority of those holding sys admin privileges.  More than half of the attacks were committed by ex-employees regaining entry via old user names and passwords.  Does the phrase "fox guarding the hen house" come to mind?  You can read the <a href="http://www.cert.org/archive/pdf/merit.pdf">full Carnegie Mellon study here</a>.  It offers practices that will help detect and protect against these attacks, based on system dynamics.</p>

<p>In addition to the recommendations of the study, I'd suggest that these statistics can teach us a few things -</p>

<p>First, security policies regarding termination of employees should be defined, documented and practiced.  Documentation is important, especially for a small IT group.  In the event your sys admin is the one terminated, you need to be able to hand it off to someone else to execute the policy.</p>

<p>Second, when it comes to security policies, checks and balances are good.  We too often focus on technology and forget the security audit process.</p>

<p>Third, it matters who you hire, not simply what they can do.  Hire for technical brilliance, for sure, but ignore character at your own risk.  Especially when you're hiring for a position that has sys admin privileges and access to proprietary and private info, you cannot put too high a premium on integrity.</p>

<p>Finally, monitor for insider attacks.  It's vitally important because insider attacks pose a greater risk with regard to corporate data and intellectual assets.  I'm going to stay on this topic over the next couple of weeks because I think it's largely overlooked so stay tuned.</p>]]>
        
    </content>
</entry>
<entry>
    <title>Attack on SuperBowl Site</title>
    <link rel="alternate" type="text/html" href="http://www.ebizq.net/blogs/security_insider/2007/02/attack_on_superbowl_site.php" />
    <link rel="service.edit" type="application/atom+xml" href="http://www.ebizq.net/mt/mt-atom.cgi/weblog/blog_id=13/entry_id=1453" title="Attack on SuperBowl Site" />
    <id>tag:www.ebizq.net,2007:/blogs/security_insider//13.1453</id>
    
    <published>2007-02-02T22:00:47Z</published>
    <updated>2007-02-02T22:15:03Z</updated>
    
    <summary>Just in time for SuperBowl Sunday, Websense reports that the website of Dolphin Stadium, the site of the SuperBowl, has been infected with trojan malware. Visitors to the site will inadvertently initiate the execution of a malicious Javascript....</summary>
    <author>
        <name>Andre Yee</name>
        <uri>http://www.ebizq.net/blogs/security_insider/</uri>
    </author>
            <category term="Alerts/Warnings" />
    
    <content type="html" xml:lang="en" xml:base="http://www.ebizq.net/blogs/security_insider/">
        <![CDATA[<p>Just in time for SuperBowl Sunday, <a href="http://www.websense.com/securitylabs/alerts/alert.php?AlertID=733">Websense reports</a> that the website of Dolphin Stadium, the site of the SuperBowl, has been infected with trojan malware.  Visitors to the site will inadvertently initiate the execution of a malicious Javascript.  The script will download a keylogger onto compromised Windows machines.</p>

<p>Obviously, attackers are taking advantage of the high degree of traffic generated by Superbowl interest.  Until further notice, it's probably advisable to avoid the site.<br />
</p>]]>
        
    </content>
</entry>
<entry>
    <title>IM Security - Does Anyone Care?</title>
    <link rel="alternate" type="text/html" href="http://www.ebizq.net/blogs/security_insider/2007/02/im_security_does_anyone_care.php" />
    <link rel="service.edit" type="application/atom+xml" href="http://www.ebizq.net/mt/mt-atom.cgi/weblog/blog_id=13/entry_id=1399" title="IM Security - Does Anyone Care?" />
    <id>tag:www.ebizq.net,2007:/blogs/security_insider//13.1399</id>
    
    <published>2007-02-01T23:12:00Z</published>
    <updated>2007-02-01T23:15:02Z</updated>
    
    <summary>For the past 5 years, instant messaging has gone from the home to the enterprise. A number of companies focused on tackling corporate IM security emerged, only to find the going much rougher than expected. The market simply isn&apos;t...</summary>
    <author>
        <name>Andre Yee</name>
        <uri>http://www.ebizq.net/blogs/security_insider/</uri>
    </author>
            <category term="Network Security" />
    
    <content type="html" xml:lang="en" xml:base="http://www.ebizq.net/blogs/security_insider/">
        <![CDATA[<p>For the past 5 years, instant messaging has gone from the home to the enterprise.  A number of companies focused on tackling corporate IM security emerged, only to find the going much rougher than expected.  <a href="http://www.businessweek.com/technology/content/jan2006/tc20060105_737869.htm">The market simply isn't materializing as expected.</a>  IM security, while attracting <a href="http://www.eweek.com/article2/0,1895,1957054,00.asp">attention in the press</a>, didn't really register in the minds of security managers as a threat of highest priority.  </p>

<p>Meanwhile, many of the IM security companies have sold out, closed up or limped along.  It turns out that security for IM is melding into existing security solutions as a feature rather than a separate product.  This doesn't mean there aren't threats associated with IM or that IM security should be ignored.  </p>

<p>I've put together the Top 10 IM security best practices for your edification -</p>

<p>#10 - Treat IM Communication as Untrusted.  IM is great for informal communication, but when used in a corporate environment, it must be viewed as an "untrusted" communication medium.  This means no communication of sensitive corporate information.</p>

<p>#9 - Separate passwords for IM.  If you're going to take #10 seriously, then ensure that you don't use the same passwords for trusted communication channels as you do for unofficial, untrusted channels like IM.</p>

<p>#8 - Host your own IM server.  It's not always feasible for every company, but if IM is to be used extensively as a corporate communication medium, hosting your own IM server and securing it is essential.</p>

<p>#7 - Keep current with patches.  Like any software, IM security starts with keeping patches current on both client and server side software.</p>

<p>#6 - Define and adopt user policies.  Educate users on what's appropriate to communicate on IM and what's not.  Also cover the security policies associated with the use of IM - see #5.</p>

<p>#5 - Reject all attachments from untrusted sources.  This is not your father's IM.  Today, IM can transmit files, stream video, audio and other content.  </p>

<p>#4 - Do not click on links from untrusted sources.  We're accustomed to this policy for email but sometimes let our guard down in other mediums.</p>

<p>#3 - Use encrypted IM for sensitive info.  If you're using IM for anything sensitive, use an encrypted IM channel.</p>

<p>#2 - Link IM to corporate directory.  It's a layer of security and makes it easier to switch IM systems, if you ever want to do so.</p>

<p>#1 - Mitigate risks through security tools.  Having a corporate IM system is one thing; securing it is another.  Make sure you have tools to filter out SPIM (IM spam), along with firewalling and intrusion prevention tools with IM-specific security packages to protect against IM-specific attacks. </p>]]>
        
    </content>
</entry>
<entry>
    <title>Ethical Hacking School in Session</title>
    <link rel="alternate" type="text/html" href="http://www.ebizq.net/blogs/security_insider/2007/01/ethical_hacking_school_in_sess.php" />
    <link rel="service.edit" type="application/atom+xml" href="http://www.ebizq.net/mt/mt-atom.cgi/weblog/blog_id=13/entry_id=1347" title="Ethical Hacking School in Session" />
    <id>tag:www.ebizq.net,2007:/blogs/security_insider//13.1347</id>
    
    <published>2007-01-16T00:15:46Z</published>
    <updated>2007-01-16T00:30:03Z</updated>
    
    <summary>In Chicago, Aaron Cohen has started Hacker Academy, a school that purports to teach the &quot;good guys&quot; all the bad stuff in an effort to enable them to keep the &quot;bad guys&quot; out. According to Cohen - &quot;If you&apos;re able...</summary>
    <author>
        <name>Andre Yee</name>
        <uri>http://www.ebizq.net/blogs/security_insider/</uri>
    </author>
    
    <content type="html" xml:lang="en" xml:base="http://www.ebizq.net/blogs/security_insider/">
        <![CDATA[<p>In Chicago, <a href="http://www.csmonitor.com/2006/1213/p03s03-ussc.html?ref=aol">Aaron Cohen has started Hacker Academy</a>, a school that purports to teach the "good guys" all the bad stuff in an effort to enable them to keep the "bad guys" out.  According to Cohen - "If you're able to think like a hacker, you're able to prevent some of the attacks that are happening."  Graduates are given certificates in "ethical hacking".  </p>

<p>A new wave of attacks makes this kind of expertise even more necessary than before.  Second generation phishing attacks leveraging cross site scripting and ransom attacks are far more subtle and immensely difficult to contain.  </p>

<p><em>"Subtle attacks are way up," says Mark McManus, vice president of research for Computer Economics. "There are more targeted attacks, and people are less likely to want to report them." With ransom attacks, for instance, hackers will infiltrate a company's networks, and threaten to unleash devastation or give the information to a competitor unless they're paid.</em></p>

<p>Meanwhile, expect courses like the ones Aaron Cohen offers to become more prevalent as the good guys catch up.<br />
It's not too late to sign up...</p>]]>
        
    </content>
</entry>
<entry>
    <title>Adobe&apos;s Flaw Exposed</title>
    <link rel="alternate" type="text/html" href="http://www.ebizq.net/blogs/security_insider/2007/01/adobes_flaw_exposed.php" />
    <link rel="service.edit" type="application/atom+xml" href="http://www.ebizq.net/mt/mt-atom.cgi/weblog/blog_id=13/entry_id=1346" title="Adobe's Flaw Exposed" />
    <id>tag:www.ebizq.net,2007:/blogs/security_insider//13.1346</id>
    
    <published>2007-01-12T00:38:24Z</published>
    <updated>2007-01-12T00:45:02Z</updated>
    
    <summary>A number of security experts have recently reported on a major flaw in the Web browser plug-in for Adobe&apos;s Acrobat Reader program. The problem was first discovered by researchers Stefano Di Paola and Giorgio Fedon, who presented a paper on...</summary>
    <author>
        <name>Andre Yee</name>
        <uri>http://www.ebizq.net/blogs/security_insider/</uri>
    </author>
            <category term="Alerts/Warnings" />
    
    <content type="html" xml:lang="en" xml:base="http://www.ebizq.net/blogs/security_insider/">
        <![CDATA[<p>A number of security experts have recently reported on a major flaw in the Web browser plug-in for Adobe's Acrobat Reader program.  The problem was first discovered by researchers Stefano Di Paola and Giorgio Fedon, who presented a paper on security issues related to Web 2.0 technologies such as AJAX (Asynchronous JavaScript and XML).</p>

<p>The issue centers around how the Adobe Reader browser plugin can be made to execute JavaScript code on the client side.  This code can then be the trigger for any number of malicious activities.  A well written, detailed explanation plus code is available <a href="http://www.gnucitizen.org/blog/danger-danger-danger/">here at GnuCitizen</a>.   </p>

<p>The use of Javascript in cross site scripting is raising numerous headaches for security managers, especially with <a href="http://en.wikipedia.org/wiki/Phishing">phishing</a> attempts.  By taking advantage of <a href="http://en.wikipedia.org/wiki/Cross-site_scripting">cross site scripting</a> vulnerabilities, an attacker may launch malicious code referencing a URL that points to a carefully constructed phishing Web page.   So for instance, when you're downloading a pdf report at your online broker's webpage, the attacker could launch a script to throw up what looks like an official, legitimate request to validate your account number and password.  That, my friends, is what makes this so scary.  The self-righteous among us may have sneered in disdain at friends and family who fall for unsophisticated phishing attempts.   But this ability to perform highly contextualized phishing will fool any of us.</p>

<p>While you ponder the possibility of that exposure, make sure you do this - <a href="http://www.adobe.com/products/acrobat/readstep2.html">download Acrobat 8.0</a>, which fixes the vulnerability in the first place. </p>]]>
        
    </content>
</entry>
<entry>
    <title>Internet Explorer Unsafe for Most of 2006?</title>
    <link rel="alternate" type="text/html" href="http://www.ebizq.net/blogs/security_insider/2007/01/internet_explorer_unsafe_for_m.php" />
    <link rel="service.edit" type="application/atom+xml" href="http://www.ebizq.net/mt/mt-atom.cgi/weblog/blog_id=13/entry_id=1323" title="Internet Explorer Unsafe for Most of 2006?" />
    <id>tag:www.ebizq.net,2007:/blogs/security_insider//13.1323</id>
    
    <published>2007-01-06T21:49:25Z</published>
    <updated>2007-01-06T22:00:05Z</updated>
    
    <summary>Washington Post&apos;s Brian Krebs makes the claim that for 284 days in 2006, there were IE related exploits &quot;in the wild&quot; for which there were no patches available &quot;For a total 284 days in 2006 (or more than nine months...</summary>
    <author>
        <name>Andre Yee</name>
        <uri>http://www.ebizq.net/blogs/security_insider/</uri>
    </author>
            <category term="Alerts/Warnings" />
    
    <content type="html" xml:lang="en" xml:base="http://www.ebizq.net/blogs/security_insider/">
        <![CDATA[<p><a href="http://blog.washingtonpost.com/securityfix/2007/01/internet_explorer_unsafe_for_2.html">Washington Post's Brian Krebs makes the claim</a> that for 284 days in 2006, there were IE-related exploits "in the wild" for which no patches were available.</p>

<p>"For a total 284 days in 2006 (or more than nine months out of the year), exploit code for known, unpatched critical flaws in pre-IE7 versions of the browser was publicly available on the Internet. Likewise, there were at least 98 days last year in which no software fixes from Microsoft were available to fix IE flaws that criminals were actively using to steal personal and financial data from users"</p>

<p>Does this surprise you?  It shouldn't...and it's not all Microsoft's fault either.  It's the very nature of the world we live in today where vulnerabilities are discovered and exploits are released weekly.  Microsoft just happens to have more software deployed than any other vendor so they're exposed a little more.</p>

<p>A couple of other points -</p>

<p>First, the situation in reality is worse than the 284 days of exposure because most organizations cannot or will not keep up with patching.  When you consider databases, application server software and ERP systems on top of the Microsoft OS and desktop software, we are reaching a point where patching as a proactive solution to security exploits is hitting a critical juncture.  The rate of known vulnerabilities and exploits is reaching a level where, to keep up, a security manager would have to patch almost every day.  </p>

<p>Second, since patching is not a seamless exercise in the life of an enterprise IT organization, most companies patch regularly at fixed intervals - sometimes monthly or more.  Mucho exposure.  If you ever wonder why you need an IPS system - this "patch gap" window is exactly why.  You need to be protected until you get your systems patched ...and by then the patch gap window exposure has moved on.</p>]]>
        
    </content>
</entry>
<entry>
    <title>Win-Win</title>
    <link rel="alternate" type="text/html" href="http://www.ebizq.net/blogs/security_insider/2007/01/winwin.php" />
    <link rel="service.edit" type="application/atom+xml" href="http://www.ebizq.net/mt/mt-atom.cgi/weblog/blog_id=13/entry_id=1320" title="Win-Win" />
    <id>tag:www.ebizq.net,2007:/blogs/security_insider//13.1320</id>
    
    <published>2007-01-06T00:19:02Z</published>
    <updated>2007-01-06T00:30:04Z</updated>
    
    <summary>I know I haven&apos;t blogged in a while but I&apos;ve been a little preoccupied. As reported on various news outlets including ebizQ, NFR Security will be part of Check Point moving forward. Let me offer this brief perspective - this...</summary>
    <author>
        <name>Andre Yee</name>
        <uri>http://www.ebizq.net/blogs/security_insider/</uri>
    </author>
            <category term="Industry Trends" />
    
    <content type="html" xml:lang="en" xml:base="http://www.ebizq.net/blogs/security_insider/">
        <![CDATA[<p>I know I haven't blogged in a while but I've been a little preoccupied.  As reported on various news outlets including ebizQ, <a href="http://www.ebizq.net/news/7532.html">NFR Security will be part of Check Point </a>moving forward. </p>

<p>Let me offer this brief perspective - this is a win-win scenario for both companies.  NFR has always had great IPS technology with limited sales distribution channels.  Check Point is a very impressive company in terms of its security heritage, expertise and global presence... but it doesn't have an IPS product.    Seems like a perfect fit to me.</p>

<p>The bottom line is that the IPS space is consolidating into a big company play. Besides a great product, you need marketing visibility and distribution channels to keep up.  Here's another trend - even among best of breed proponents, point products are becoming less interesting.  What enterprise security buyers are looking for is a security platform or suite of products that are best in class, yet complementary and integrated.</p>

<p>So I'm back with a renewed commitment to blog more frequently in 2007.   Happy New Year.</p>]]>
        
    </content>
</entry>
<entry>
    <title>MySpace Worm on the Loose</title>
    <link rel="alternate" type="text/html" href="http://www.ebizq.net/blogs/security_insider/2006/12/myspace_worm_on_the_loose.php" />
    <link rel="service.edit" type="application/atom+xml" href="http://www.ebizq.net/mt/mt-atom.cgi/weblog/blog_id=13/entry_id=1227" title="MySpace Worm on the Loose" />
    <id>tag:www.ebizq.net,2006:/blogs/security_insider//13.1227</id>
    
    <published>2006-12-06T00:18:27Z</published>
    <updated>2006-12-06T00:30:03Z</updated>
    
    <summary>In the past, we&apos;ve discussed how better Windows security, coupled with the emergence of Web 2.0 applications, will lead hackers to new targets. All the major online entities from Google to eBay have been exploited...</summary>
    <author>
        <name>Andre Yee</name>
        <uri>http://www.ebizq.net/blogs/security_insider/</uri>
    </author>
            <category term="Alerts/Warnings" />
    
    <content type="html" xml:lang="en" xml:base="http://www.ebizq.net/blogs/security_insider/">
        <![CDATA[<p>In the past, we've discussed how better Windows security, coupled with the emergence of Web 2.0 applications, will lead hackers to new targets.  All the major online entities from Google to eBay have been exploited in some form or other over the past 18 months.   Now, MySpace is hit with a worm that uses QuickTime to infect and proliferate.</p>

<p>The exploit takes advantage of a vulnerability in MySpace and QuickTime's support for Javascript.  Upon playing the malicious video, the unsuspecting MySpace user will find links on his/her profile altered and replaced with links to a phishing Web site.  The goal is to solicit more visits to these MySpace phishing sites.  As others visit this infected profile, their profiles will be infected and the problem proliferates.</p>

<p>Expect more of the same as hackers broaden their scope from Windows and focus on the new crop of Web 2.0 platforms.</p>

<p>For anyone interested, technical details on the attack are <a href="http://blog.spywareguide.com/2006/12/myspace_phish_attack_leads_use.html">available here</a>.</p>]]>
        
    </content>
</entry>
<entry>
    <title>MySpace Worm on the Loose</title>
    <link rel="alternate" type="text/html" href="http://www.ebizq.net/blogs/security_insider/2006/12/myspace_worm_on_the_loose_1.php" />
    <link rel="service.edit" type="application/atom+xml" href="http://www.ebizq.net/mt/mt-atom.cgi/weblog/blog_id=13/entry_id=1228" title="MySpace Worm on the Loose" />
    <id>tag:www.ebizq.net,2006:/blogs/security_insider//13.1228</id>
    
    <published>2006-12-06T00:18:27Z</published>
    <updated>2006-12-06T00:30:04Z</updated>
    
    <summary>In the past, we&apos;ve discussed how better Windows security, coupled with the emergence of Web 2.0 applications, will lead hackers to new targets. All the major online entities from Google to eBay have been exploited...</summary>
    <author>
        <name>Andre Yee</name>
        <uri>http://www.ebizq.net/blogs/security_insider/</uri>
    </author>
            <category term="Alerts/Warnings" />
    
    <content type="html" xml:lang="en" xml:base="http://www.ebizq.net/blogs/security_insider/">
        <![CDATA[<p>In the past, we've discussed how better Windows security, coupled with the emergence of Web 2.0 applications, will lead hackers to new targets.  All the major online entities from Google to eBay have been exploited in some form or other over the past 18 months.   Now, MySpace is hit with a worm that uses QuickTime to infect and proliferate.</p>

<p>The exploit takes advantage of a vulnerability in MySpace and QuickTime's support for Javascript.  Upon playing the malicious video, the unsuspecting MySpace user will find links on his/her profile altered and replaced with links to a phishing Web site.   As others visit this infected profile, their profiles will be changed, their pages infected with the malicious video, and the problem proliferates.  The goal of this attack is to solicit more visits to these MySpace phishing sites, where users are tricked into entering their passwords.  Should a user succumb, one outcome is that the MySpace account will be used to send pornographic spam.</p>

<p>This won't abate - expect more of the same as hackers broaden their scope from Windows and focus on the new crop of Web 2.0 platforms.</p>

<p>For anyone interested, technical details on the attack are <a href="http://blog.spywareguide.com/2006/12/myspace_phish_attack_leads_use.html">available here</a>.</p>]]>
        
    </content>
</entry>
<entry>
    <title>Potential Problems with e-Voting</title>
    <link rel="alternate" type="text/html" href="http://www.ebizq.net/blogs/security_insider/2006/11/evoting.php" />
    <link rel="service.edit" type="application/atom+xml" href="http://www.ebizq.net/mt/mt-atom.cgi/weblog/blog_id=13/entry_id=1094" title="Potential Problems with e-Voting" />
    <id>tag:www.ebizq.net,2006:/blogs/security_insider//13.1094</id>
    
    <published>2006-11-07T20:57:18Z</published>
    <updated>2006-11-07T21:53:23Z</updated>
    
    <summary>Even as you&apos;re out participating in the democratic process today, you should probably know that many security experts have been sounding concern about the use of e-voting. In particular, they are concerned about the trustworthiness of the e-voting system. Recently,...</summary>
    <author>
        <name>Andre Yee</name>
        <uri>http://www.ebizq.net/blogs/security_insider/</uri>
    </author>
            <category term="Odds and Ends" />
    
    <content type="html" xml:lang="en" xml:base="http://www.ebizq.net/blogs/security_insider/">
        <![CDATA[<p>Even as you're out participating in the democratic process today, you should probably know that many security experts have been voicing concern about the use of e-voting.  In particular, they are concerned about the trustworthiness of the e-voting system.  Recently, these experts have called on the <a href="http://www.securityfocus.com/news/11336">Election Assistance Commission (EAC)</a> to review and revise the e-voting security guidelines and processes.</p>

<p>In response, Paul DeGregorio, chairman of the EAC, has opined that the concerns voiced by security experts are actually hurting the electoral process rather than helping it.  He says:</p>

<p>"Is there any proof that a voting system has successfully been hacked during an election? No... Can the hype over hacking discourage voters from participating in our elections? It certainly can."  </p>

<p>Mr. DeGregorio may be right, but there are others who are concerned about protecting the integrity of e-voting <em><strong>before</strong></em> any compromise or tampering occurs.</p>

<p>A <a href="http://itpolicy.princeton.edu/voting/ts-paper.pdf">Princeton paper</a> released a couple of months ago concluded that the Diebold e-voting machines are vulnerable to malware and voter fraud.  This has led to widespread concern about the overall security and robustness of e-voting machines.</p>

<p>The Electronic Frontier Foundation argues convincingly for a paper trail in order to maintain auditability and provide confirmation to the voter that the votes were registered as intended.  On their website, the EFF makes the following case - </p>

<p><em>"Twenty-three states still do not require a paper record of all votes, despite the demonstrated technical failures of e-voting machines in the 2004 presidential election -- including the complete loss of thousands of votes. In turn, voters cannot verify that the e-voting machines are recording their votes as intended, and election officials cannot conduct recounts."</em></p>

<p>To not federally mandate a paper trail befuddles me... it seems like a simple enough solution with important ramifications.  It's amazing that we can get paper verification on how much gas we've purchased but not on who we've voted for.</p>]]>
        
    </content>
</entry>
<entry>
    <title>Dueling Malware</title>
    <link rel="alternate" type="text/html" href="http://www.ebizq.net/blogs/security_insider/2006/10/dueling_malware_1.php" />
    <link rel="service.edit" type="application/atom+xml" href="http://www.ebizq.net/mt/mt-atom.cgi/weblog/blog_id=13/entry_id=1027" title="Dueling Malware" />
    <id>tag:www.ebizq.net,2006:/blogs/security_insider//13.1027</id>
    
    <published>2006-10-26T23:39:16Z</published>
    <updated>2006-10-26T23:45:02Z</updated>
    
    <summary>An interesting development in the realm of malware is the battle for exclusive control of the infected host. In recent years, we&apos;ve seen how certain trojans and worms can eliminate other competing malware even while infecting the host with its...</summary>
    <author>
        <name>Andre Yee</name>
        <uri>http://www.ebizq.net/blogs/security_insider/</uri>
    </author>
            <category term="Odds and Ends" />
    
    <content type="html" xml:lang="en" xml:base="http://www.ebizq.net/blogs/security_insider/">
        <![CDATA[<p>An interesting development in the realm of malware is the battle for exclusive control of the infected host.  In recent years, we've seen how certain trojans and worms can eliminate competing malware even while infecting the host with their own malicious code.  Here are a couple of examples -</p>

<p>The <a href="http://vil.nai.com/vil/content/v_100559.htm">W32/Nachi</a> worm would target hosts vulnerable to the <a href="http://vil.nai.com/vil/content/v_100547.htm">W32/Lovesan (Blaster)</a> worm.  In the process, it would eliminate the Blaster worm and even go as far as to download the patch from the Microsoft site, protecting the host from further infection via the MS03-026 vulnerability.  Later variants of Nachi, such as W32/Nachi.worm.b, would also eliminate competing viruses and worms.</p>

<p>Now <a href="http://www.secureworks.com/analysis/spamthru/">Joe Stewart from SecureWorks</a> writes about the Spamthru trojan, which serves up spam from an infected host.  It appears that Spamthru does not play nice with other spamming trojans, leveraging Kaspersky Antivirus to eliminate other malware on the system while leaving its own in place.  Here's how Joe tells us Spamthru does this -</p>

<p>"SpamThru takes the game to a new level, actually using an antivirus engine against potential rivals. At startup, SpamThru requests and loads a DLL from the control server. This DLL in turn downloads a pirated copy of Kaspersky AntiVirus for WinGate from the control server into a concealed directory on the infected system. It patches the license signature check in-memory in the Kaspersky DLL in order to avoid having Kaspersky refuse to run due to an invalid or expired license. Ten minutes after the download of the DLL, it begins to scan the system for malware, skipping files which it detects are part of its own installation. Any other malware found on the system is then set up to be deleted by Windows at the next reboot."</p>

<p>Of course, Spamthru also does bad stuff like acting as a proxy for spammers, as well as serving up obfuscated spam using GIF randomization techniques.</p>

<p>This cannot be a good sign when malware like trojans, worms and spam/spyware engines have to compete for hosts.  Do you think we have a serious problem?</p>]]>
        
    </content>
</entry>
<entry>
    <title>Free Anti-Spyware Software</title>
    <link rel="alternate" type="text/html" href="http://www.ebizq.net/blogs/security_insider/2006/10/free_antispyware_software.php" />
    <link rel="service.edit" type="application/atom+xml" href="http://www.ebizq.net/mt/mt-atom.cgi/weblog/blog_id=13/entry_id=1026" title="Free Anti-Spyware Software" />
    <id>tag:www.ebizq.net,2006:/blogs/security_insider//13.1026</id>
    
    <published>2006-10-25T23:24:00Z</published>
    <updated>2006-10-25T23:30:04Z</updated>
    
    <summary>If there&apos;s anything that gets our attention, it may be a free offer of any kind. Microsoft has just released into general availability, the Windows Defender - a free anti-spyware program that has been in beta trials since early 2005....</summary>
    <author>
        <name>Andre Yee</name>
        <uri>http://www.ebizq.net/blogs/security_insider/</uri>
    </author>
            <category term="Product Announcements" />
    
    <content type="html" xml:lang="en" xml:base="http://www.ebizq.net/blogs/security_insider/">
        <![CDATA[<p>If there's anything that gets our attention, it may be a free offer of any kind.  Microsoft has just released Windows Defender into general availability - a free anti-spyware program that has been in beta trials since early 2005.  Here's a brief description from the Microsoft website:</p>

<p><em>Windows Defender is a free program that helps protect your computer against pop-ups, slow performance, and security threats caused by spyware and other unwanted software.</em></p>

<p>It's available for <a href="http://www.microsoft.com/athome/security/spyware/software/default.mspx">download here</a>.</p>

<p>Although not a surprise to other major security vendors like McAfee or Symantec, it must still be a troubling sign to them as Microsoft releases free products that compete with their revenue-generating anti-spyware products.  It'll further commoditize anti-spyware technology, which is good news for consumers and businesses alike.</p>
        
    </content>
</entry>
<entry>
    <title>Symantec and McAfee Cry Foul on Vista Security</title>
    <link rel="alternate" type="text/html" href="http://www.ebizq.net/blogs/security_insider/2006/10/symantec_and_mcafee_cry_foul_o_1.php" />
    <link rel="service.edit" type="application/atom+xml" href="http://www.ebizq.net/mt/mt-atom.cgi/weblog/blog_id=13/entry_id=935" title="Symantec and McAfee Cry Foul on Vista Security" />
    <id>tag:www.ebizq.net,2006:/blogs/security_insider//13.935</id>
    
    <published>2006-10-12T00:59:10Z</published>
    <updated>2006-10-12T01:00:10Z</updated>
    
    <summary>Microsoft has faced criticism over the years for security flaws in its products. In an effort to reclaim lost ground, Microsoft expects that Vista will be significantly more secure and less vulnerable than its predecessors. However, two of the largest...</summary>
    <author>
        <name>Andre Yee</name>
        <uri>http://www.ebizq.net/blogs/security_insider/</uri>
    </author>
            <category term="Industry Trends" />
    
    <content type="html" xml:lang="en" xml:base="http://www.ebizq.net/blogs/security_insider/">
        <![CDATA[<p>Microsoft has faced criticism over the years for security flaws in its products.  In an effort to reclaim lost ground, Microsoft expects that <a href="http://news.com.com/Allchin+Buy+Vista+for+the+security/2100-1012_3-6032344.html">Vista will be significantly more secure</a> and less vulnerable than its predecessors.  However, two of the largest security companies, <a href="http://www.msnbc.msn.com/id/15104805/">Symantec and McAfee, are asserting</a> that Microsoft is leveraging its dominant position in the operating system arena to create an unfair competitive advantage in the security space.</p>

<p>Both companies have taken a very public and aggressive stance in defending their core business.  Part of the dispute arose from the limited access that was afforded to the Vista kernel.  This will make Vista more secure but also has the potential effect of locking out other antivirus companies.  Most of the debate is going on in Europe and will probably lead to a complaint being filed with the European Union.  McAfee even took out an ad in the Financial Times to stake out its position.  Part of the ad reads as follows:</p>

<p>“Only one approach protecting us all: when it fails, it fails for 97 percent of the world’s desktops...” </p>

<p>Stay tuned, this fight is just getting started...</p>]]>
        
    </content>
</entry>

</feed> 

