Security | Bach Seat

Tag Archive for Security

RB | May 8, 2012

Comments Off

Unknown Malware Rampant in Enterprise Networks

Unknown malware plague enterprise networks according to network security company Palo Alto Networks. Help Net Security reports that Palo Alto Networks found hundreds of unique, previously unknown malware samples on live networks. Palo Alto Networks conducted the research with their new WildFire malware analysis engine.

DarkReading says that the cloud-based WildFire analysis engine found that seven percent of all unknown files analyzed contained malware. WildFire is a new service recently announced by Palo Alto Networks that integrates in-line firewalling with automated cloud-based malware analysis. Over a three-month period of analyzing unknown files from the Internet entering enterprise networks,the firm discovered more than 700 unique malware samples, 57 percent of which had no coverage by any antivirus service or were unknown by Virus Total at the time of discovery. Out of all the new malware identified, 15 percent also generated malicious or unknown outbound command and control traffic.

The firewalls identify unknown and potentially malicious files by executing them in a virtual cloud-based environment to expose malicious behavior even if the malware has never been seen in the wild before. Wade Williamson, Senior Security Analyst at Palo Alto Networks says, “WildFire is taking sandbox technology out of the lab and applying it to a real product … customers can detect and protect themselves against malware using the hardware that they already have deployed today.”

For malicious files, Palo Alto Networks automatically generates new signatures for both the file itself and for any traffic generated by the malicious file. These signatures are then distributed with regular signature updates, as well as providing the user with actionable analysis of exactly how the malware behaves, who was targeted, and what application delivered the threat.

“I think we were all a bit surprised by the volume and frequency with which we were finding unknown malware in live networks,” the Senior Security Analyst said. “Unknown malware often represents the leading edge of an organized attack, so this data really underscores the importance of getting new anti-malware technologies out of the lab and into the hands of IT teams who are on the front lines. The ability to detect, remediate and investigate unknown malware needs to become a practical part of a threat prevention strategy in the same way that IPS and URL filtering are used today.”

Palo Alto Networks found that a variety of web applications distributed zero-day malware, in addition to the traditional HTTP web-browsing and email traffic commonly associated with malware distribution. WildFire was able to identify specific phishing campaigns based on their affinity for particular applications. One attacker used AOL Mail and another used the Hotfile file hosting service as the delivery vector.

“It’s important to note this because many enterprises only inspect email or FTP traffic for malware but do not have the ability to scan other applications. Applications that tunnel within HTTP or other protocols can carry malware that will be invisible to a traditional anti-malware solution,” said Williamson. “These are examples of the big reasons why a lot of malware gets missed – most enterprises only focus on scanning their corporate email application. To control this problem we need to expand our view to other applications, pull the traffic apart, and go a level deeper in to find out if there’s a file transfer happening.”

Taking the Leap to Cloud-Based Malware Inspection (circleid.com)
Debate Over Facebook Use At Work Gets New Compromise From Palo Alto Networks Firewall (allfacebook.com)

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedIn, Facebook, and Twitter. Email the Bach Seat here.

Category: Uncategorized | Tags: 2012, Cloud computing, Malware, Network security, Palo Alto Networks, Security, VirusTotal.com, WildFire

RB | April 12, 2012

2 comments

What is Malware?

Most users I talk to about malware seem to use the following terms interchangeably; malware, virus, trojan, keylogger, worm, backdoor, bot, rootkit, ransomware, adware, spyware, and dialer. Raymond.cc offers some standard definitions to clarify the conversations.

Malware is short for Malicious Software where all the terms above fall into this category because they are all malicious. The different term being used instead of just plain virus is to categorize what the malicious software is capable of doing.

Virus spreads on its own by smuggling its code into application software. The name is in analogy to its biological archetype. Not only does a computer virus spread many times and make the host software unusable, but also runs malicious routines.

Trojan horse/Trojan is a type of malware disguised as useful software. The aim is that the user executes the Trojan, which gives it full control of your PC and the possibility to use it for its own purposes. Most of the time, more malware will be installed in your system, such as backdoors or key loggers.

Worms are malicious software that aims at spreading as fast as possible once your PC has been infected. Unlike viruses, it is not other programs that are used to spread the worms, but storage devices such as USB sticks, communication media such as e-mail, or vulnerabilities in your OS. Their propagation slows down the performance of PCs and networks, or direct malicious routines will be implemented.

Key loggers log any keyboard input without you even noticing, which enables pirates to get their hands on passwords or other important data such as online banking details.

Dialers are relics from a time when modems or ISDN were still used to go online. They dialed expensive premium-rates numbers and thus caused your telephone bill to reach astronomic amounts. Dialers have no effect on ADSL or cable connections, but they are making a comeback with mobile devices and QR codes (I covered Attaging here).

Backdoor / Bots is usually a piece of software implemented by the authors themselves that enable access to your PC or any kind of protected function of a computer program. Backdoors are often installed once Trojans have been executed, so whoever attacks your PC will gain direct access to your PC. The infected PC, also called “bot”, will become part of a botnet.

Exploits are used to systematically exploit vulnerabilities of a computer program. Whoever attacks your PC will gain control of your PC or at least parts of it.

Spyware is software that spies on you, i.e. collect different user data from your PC without you even noticing.

Adware is derived from “advertisement”. Besides the actual function of the software, the user will see advertisements. Adware itself is not dangerous, but tons of displayed adverts are considered a nuisance and thus are detected by good anti-malware solutions.

Rootkit mostly consists of several parts that will grant unauthorized access to your PC. Plus, processes and program parts will be hidden. They can be installed, for instance, through an exploit or a Trojan.

Rogues / Scareware are also know as “Rogue Anti-Spyware” or “Rogue Anti-Virus”, rogues pretend to be security software. Often, fake warnings are used to make you buy the security software, which the pirates profit from.

Ransomware “Ransom” is just what you think it is. Ransomware will encrypt personal user data or block your entire PC. Once you have paid the “ransom” through an anonymous service, your PC will be unblocked.

There are different categories of malware the author says that most of the malware today combines different kinds of malware to achieve a higher rate of infection and giving more control to the hacker. Most malware is invisible that runs silently without your knowledge to avoid detection except for ransomware and adware.

Using “virus” as a catch-all phrase to include all types of malware is no longer right. The correct word to use should be malware. However, don’t expect the big anti-virus companies to rebrand their products to Kaspersky Anti-Malware or Bitdefender Anti-Malware because doing that may risk losing their brand identity even if they do offer a complete anti-malware solution.

The blog says it doesn’t mean that you’re safe if you don’t see it so it is important to run an anti-virus software from reputable brands such as Kaspersky, ESET, Avast, Avira, AVG (at one time AVG was installing a Yahoo toolbar without notice) MSE together with a second opinion anti-malware such as HitmanPro, Malwarebytes Anti-Malware, and SUPERAntiSpyware. As for Emsisoft Anti-Malware, it comes with its own Anti-Malware engine and Ikarus Anti-Virus Engine.

Flashback Trojan affects around 600,000 Macs (macmusings.wordpress.com)

Category: Uncategorized | Tags: 2012, Anti-Virus, Attaging, Avast, AVG Technologies, Avira, Botnet, Computer, ESET, Kaspersky, Malware, Ransomware, Security, Spyware, Trojan Horse, Virus

RB | March 29, 2012

Comments Off

Social Media Biggest Risk in 2012

The Security Labs over at Websense (WBSN) a provider of Web, data, and email content security have used the Websense ThreatSeeker Network (PDF) which provides real-time reputation analysis, behavioral analysis, and real data identification to announce (PDF) their picks for the top IT security threats for 2012. Social media is the #1 risk in 2012,.

1. Websense says that stealing, buying, trading credit card, and social security numbers is old news. They say that your social media identity may prove more valuable to cybercriminals than your credit cards.

Today, your social identity may have greater value to the bad guys because Facebook (FB) has more than 800 million active users. More than half of FB users log on daily and they have an average of 130 friends. Trust is the basis of social networking, so if a bad guy compromises social media logins, the security firm says there is a good chance they can manipulate your friends. (Stacy Cowley at CNN Money has an excellent article on how this can work with LinkedIn (LNKD). Which leads to their second prediction.

2. According to Websense most 2012 advanced attacks’ primary attack vector will blend social media “friends,” mobile devices, and the cloud. In the past, advanced persistent threats (APTs) blended email and web attacks together. In 2012, the researchers believe advanced attacks could use emerging technologies like: social media, cloud platforms, and mobile. They warn that blended attacks will be the primary vector in most persistent and advanced attacks of 2012.

3. The San Diego CA-based firm says to expect increases in exposed vulnerabilities for mobile devices in 2012. They predict more than 1,000 different variants of exploits, malicious applications, and botnets will attack smartphones or tablets. Websense security investigators predict that a new variant of malware for mobile devices will appear every day.

The Internet security firm stresses that application creators need to protectively sandbox their apps. Without sandbox technology malware will be able to get access to banking and social credentials as well as other data on the mobile device. This includes work documents and any cloud applications on that handy device. The firm believes that social engineering designed to specifically lure mobile users to infected apps and websites will increase. Websense predicts the number of mobile device users that will fall victim to social engineering scams will explode when attackers start to use mobile location-based services to design hyper-specific geolocation social engineering attempts.

4. SSL/TLS will put net traffic into a corporate IT blind spot. Two items are increasing traffic over SSL/TLS secure tunnels for privacy and protection. First, the disruptive growth of mobile and tablet devices is moving packaged software to the cloud and distributing data to new locations.

Second, many of the largest, most commonly used websites, like Google (GOOG ) Search, Facebook, and Twitter have switched their sites to default to HTTPS sessions. This may seem like a positive since it encrypts the communications between the computer and destination. But as more traffic moves through encrypted tunnels, Websense correctly says that many traditional enterprise security defenses (like firewalls, IDS/IDP, network AV, and passive monitoring) will be left looking for a threat needle in a haystack, since they cannot inspect the encoded traffic. These blind spots offer a big doorway for cybercriminals to walk through. (We have started to battle this as we move from a POC system from ~~McAfee~~ another vendor to a modem content filter to be nameless but was just bought and we haven’t solved it yet, the NoSSLSearch for GOOG still needs some work)

5. For years, security defenses have focused on keeping cybercrime and malware out (Also called M&M security, hard on the outside, soft and chewy on the inside). The Websense Security Lab team says that there’s been much less attention on watching outbound traffic for data theft and evasive command and control communications. The researchers say hacking and malware are related to most data theft; they estimate that more than 50 percent of data loss incidents happen over the web. This is aggravated by delayed DLP deployments as vendors use traditional overly excessive processes like data discovery (designed to over-sell professional services?).

In 2012, organizations will have to stop data theft at corporate gateways that detect custom encryption, geolocations for web destinations, and command and control communications. The security firm predicts organizations on the leading edge will add outbound inspection and will focus on adapting prevention technologies to be more about containment, severing communications, and data loss mitigation after an initial infection.

6. The London Olympics, U.S. presidential elections and Mayan calendar apocalyptic predictions will lead to broad attacks by criminals. SEO poisoning has become an everyday occurrence. The Websense Security Labs still sees highly popular search terms deliver a quarter of the first page of results as poisoned.

The researchers expect that as the search engines have become savvier on removing poisoned results, criminals will port the same techniques to new platforms in 2012. They will continue to take advantage of today’s 24-hour, up-to-the-minute news cycle, only now they will infect users where they are less suspicious: Twitter feeds, Facebook posts/emails, LinkedIn updates, YouTube video comments, and forum conversations. Websense recommends extreme caution with searches, wall posts, forum discussions, and tweets dealing with the topics listed above, as well as any celebrity death or other surprising news from the U.S. presidential campaign.

7. Scareware tactics and the use of rogue anti-virus, will stage a comeback. With easy to acquire malicious tool kits, designed to cause massive exploitation and compromise of websites, rogue application crimeware will reemerge Websense says. Except, instead of seeing “You have been infected” pages, they expect three areas will emerge as growing scareware subcategories in 2012: a growth in fake registry clean-up, fake speed improvement software, and fake back-up software mimicking popular personal cloud backup systems. Also, expect that the use of polymorphic code and IP lookup will continue to be built into each of these tactics to bypass blacklisting and hashing detection by security vendors. (Rival IT Security firm GFI Software proves Websense’s point by reporting a “new wave of fake antivirus applications (or rogue AV)” since the start of the year and are “a popular tactic among cybercriminals.”)

Browsing Security Predictions for 2012 (paulsparrows.wordpress.com)

Category: Uncategorized | Tags: 2012, APT, Cloud computing, Data, Facebook, FB, GOOG, Google, Internet, LinkedIn, LNKD, McAfee, Mobile device, Network, Security, Social, SSL, Theft, WebSense

RB | March 20, 2012

One comment

Spyware Prevention 101

Spyware goes by many names, including adware, malware, crimeware, scumware, and snoopware. No matter what you call it, spyware’s purpose is still the same: to steal your personal information (PII).

Help Net Security says that once hackers have your personal information they can steal your identity, use your credit cards, siphon funds from your bank accounts, and more. Simply put: it’s bad news and you want nothing to do with it.

The good news, according to the article, is that spyware prevention is possible and there are many ways to keep these dangerous programs at bay. In addition to installing the right software, users can practice these computer security tips from Broomfield, CO-based Internet security firm Webroot:

Download software directly from the source. The article says a common way to get a spyware infection is to install free or pirated programs from file-sharing sites which have been booby-trapped with malware.
Set your browser security settings to “high” and protect yourself from “drive-by” downloads and automatic installations of unwanted programs.
Avoid questionable websites, such as those featuring adult material. They’re notorious for spreading spyware threats and causing users problems.
Use a firewall.
Be suspicious of email and IM.
Don’t open attachments unless you know the sender and are expecting a file from them.
Delete messages you suspect are spam (don’t even open them).
Avoid clicking on links within messages.
Do not give personal information to unsolicited requests even if they seem legitimate.
If you receive a request for personal information from your bank or credit card company, contact that financial institution directly, but do not click on a link embedded in the email message.

rb-

Amichai Shulman – CTO, Imperva posted that the credentials to a Hotmail account are worth $1.50 and a Gmail account is worth over $80 to cyber-criminals. Gmail is more valuable to the attacker because of the wide variety of other Gmail cloud services that can be accessed through Gmail credentials.

It is also likely that credentials used by a person for one application will most work on other applications as well. It is not uncommon for people to have the same username and password used for their Facebook account, their Twitter account, their Airline Frequent Flyer account, or any application that uses their Gmail account as the application account name.

That’s why spyware is bad.

Save Your Smartphones from Spyware and Malware Invasion (cellphones.org)
Google Intros ‘Bouncer’ Security System for Android Market (phonescoop.com)

Category: Uncategorized | Tags: 2012, Gmail, GOOG, Google, Imperva, Malware, PII, Security, Spyware, Webroot

RB | March 15, 2012

Comments Off

First Computer Passwords Useless

First Computer Passwords Useless Robert McMillan at Wired dug thru the annals of tech and recently confirmed that passwords have been a pain in the tuckus for a millennium. But who’s to blame? Who invented the computer password?

The origin of the password is shrouded in the mist of history like the invention of the wheel or the story of the doorknob, according to Wired. Roman soldiers memorized spoken passwords to gain access to camps. Shakespeare kicks off Hamlet but where did the first computer password show up? Wired asks.

Computer passwords probably arrived at the Massachusetts Institute of Technology in the mid-1960s. Wired says nearly all the computer historians they contacted said that the first password must have come from MIT’s Compatible Time-Sharing System. In geek circles, it’s famous. CTSS pioneered many of the building blocks of computing as we know it today: things like e-mail, virtual machines, instant messaging, and file sharing.

Fernando Corbató who worked on CTSS back in the mid-1960s is a little reluctant to take credit. “Surely there must be some antecedents for this mechanism,” he told Wired, before questioning whether the CTSS was beaten to the punch in 1960 by IBM’s (IBM) Sabre ticketing system. When Wired contacted IBM, big blue claimed it wasn’t sure.

According to Mr. Corbató, even though the MIT computer hackers were breaking new ground with much of what they did, passwords were pretty much a no-brainer. “The key problem was that we were setting up multiple terminals which were to be used by multiple persons but with each person having his own private set of files,” he told Wired. “Putting a password on for each individual user as a lock seemed like a very straightforward solution.”

Back in the ’60s, there were other options, according to Fred Schneider, a computer science professor at Cornell University. The CTSS guys could have gone for knowledge-based authentication, where instead of a password, the computer asks you for something that other people probably don’t know — your mother’s maiden name, for example.

But in the early days of computing, passwords were surely smaller and easier to store than the alternative, Professor Schneider says. A knowledge-based system “would have required storing a fair bit of information about a person, and nobody wanted to devote many machine resources to this authentication stuff.”

The irony is that CTSS may also have been the first system to experience a data breach. The article recounts that in 1966, a software bug jumbled up the system’s welcome message and its master password file so that anyone who logged in had access to the entire list of CTSS passwords.

The story goes that an MIT Ph.D. researcher was looking for a way to bump up his usage time on CTSS. He received four hours per week, but it wasn’t nearly enough time to run the simulations he’d designed for the new computer system. So he simply printed out all the passwords stored on the system.

“There was a way to request files to be printed offline by submitting a punched card,” he wrote. “Late one Friday night, I submitted a request to print the password files and very early Saturday morning went to the file cabinet where printouts were placed and took the listing.”

To spread the guilt around, Mr. Scherr then handed the passwords over to other users. One of them — J.C.R. Licklieder — promptly started logging into the account of the computer lab’s director Robert Fano and leaving “taunting messages” behind.

Are Passwords Becoming Obsolete? (readwriteweb.com)
Replacing a Hacked Password (cryptosmith.com)

Category: Uncategorized | Tags: 2012, Compatible Time-Sharing System, CTSS, Data breach, IBM, MIT, Passwords, Security, Shakespeare, Wired

« Older Entries Recent Entries »

S	M	T	W	T	F	S
					1	2
3	4	5	6	7	8	9
10	11	12	13	14	15	16
17	18	19	20	21	22	23
24	25	26	27	28	29	30
31

Bach Seat

Tag Archive for Security

What is Malware?

Related articles

Spyware Prevention 101

Related articles

Meta