Tag Archive for Security

Which Anti-Malware is Best?

In a report, AV-Comparatives compared the base performance of some of the top anti-malware products on the market. The objective of these tests was to identify how well antivirus scanners can detect new malware using their base functions.

Base anti-malware functions include proactive scanning and heuristic methods, without the advantage of downloading the latest signatures. Forcing a test without the latest virus signatures makes it possible to evaluate the strength of the heuristic, or proactive, technology of the anti-malware engines.

ArsTechnica summarizes that the tests were run on two sets of malware. Set A contained malware from December 2007 to December 2008, most of which the products could detect at a rate of over 97%. Set B contained 1.6 million samples of malware collected between August 11 and August 17, 2009. This set included the following categories of malware: Trojans (69.5%), Backdoors/Bots (20.7%), Worms (6.1%), other malware (1.5%), and Windows viruses (0.4%).

Results

Ars reported these proactive detection results (rounded to the nearest percent):

After taking these results into consideration and adjusting for false positives, AV-Comparatives rated the security companies from best to worst in three categories:

  • Advanced+:
    • G DATA,
    • Kaspersky,
    • ESET,
    • F-Secure,
    • Microsoft,
    • Avast,
    • eScan.
  • Advanced:
  • Standard:

In September of 2008 NetworkWorld reported on Gartner claims that enterprises are paying too much for security software. Gartner says vendors simply aren’t doing enough to keep up with the prevalence of threats on the Internet. Neil MacDonald, a research vice president at Gartner, says that security vendors are “maintaining high-profit margins on firewalls and antivirus software despite these products being nothing more than commodities.” NetworkWorld says that during his presentation at Gartner’s 2008 IT Security Summit in London, Mr. MacDonald was vociferous in his condemnation of how security products have actually increased their prices over the years against a backdrop of lowered effectiveness, contradicting pricing schemes across the rest of the IT industry.

Anti-malware pricing is broken

Security vendors have maintained a pricing scheme that contradicts the rest of the IT industry, Mr. MacDonald said. Typically with software or hardware, prices go down year after year with the introduction of new and better products. Security software, however, often loses its effectiveness as new threats emerge, while prices stay high. “Why in antivirus year after year do we pay more for something that gives us less?” MacDonald asked. “It’s insanity. Why is information security immune from the trends of the IT industry?”

Gartner recommends that firms use the commodity status of security software to their advantage. “I know it’s hard to switch but you have to seriously enter the negotiations,” MacDonald said. “Let the vendors know that you are not afraid to switch.” He recommends that buyers aggressively negotiate for better prices.

rb-

While most malware writers are script kiddies with an affinity for making minor modifications to existing malware, there are some very good black hat hackers out there who are not dummies. These tests are important for buyers to understand which product’s core functionality is more effective against new threats, rather than relying on constant updates to augment its capabilities. In the face of new threats, superior heuristic capabilities are crucial to anti-malware software. The weekly, daily, or even multiple-times-a-day definition updates are the lifeline of the anti-malware industry. The need for constant updates is what drives the annual payments for subscriptions.

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedIn, Facebook, and Twitter. Email the Bach Seat here.

16x Increase in Malware Threats

The last six months have seen a gradual decrease in the amount of SPAM and malware hitting my account. An average of 44.3 SPAM messages per day (SM/D) were blocked by the SPAM filter for my account in October.


2009 Daily Average SPAM

This is a decline in SM/D from a high of 77.5 in May. This is also below the year-to-date SM/D of 54.7.

While the overall SM/D trend may be declining, another, more dangerous trend is developing. Since August 2009, the amount of SPAM containing malware has increased dramatically. For the first six months of 2009, there were only 24 SPAM messages that contained malware. This represents 0.11 malware-laden messages per day. Since August 1st there have been 188 SPAM messages containing malware to date. This equates to 1.8 SPAM messages with a malware payload per day, a 16X increase in malware trying to attack my PC daily. The most common malware was the Bredo family of Trojans, followed by the Kryptik Trojans and then various Fake Alert Trojans.

2009 Malware Types


Microsoft Cop Tool Leaked

I recently wrote about Microsoft’s COFEE computer forensics tool here. Three weeks later, Yobie Benjamin at SFGate writes that Microsoft COFEE, “One of the most important tools in computer forensics and law enforcement,” was apparently uploaded to bit torrent site What.CD on November 09, 2009, and is now available on the Internet.

What.CD management issued a statement: “Suddenly, we were forced to take a real look at the program, its source, and the potential impact on the site and security of our users and staff… And when we did, we didn’t like what came of it. So, a decision was made. The torrent was removed (and it is not to be uploaded here again).”

DarkReading says that COFEE was so sought after in the computer underground that an enormous bounty of 1.6 terabytes of capacity was offered to the first one who would upload the software. Robert Graham on DarkReading explains that the version of COFEE on BitTorrent has only Microsoft tools, “so I don’t know for certain what other tools it might run.” Yet similar forensics toolkits all run the same sorts of programs. They run standard tools for grabbing the browser history (from Firefox and IE). The tools can run versions of “pwdump” to grab the password hashes for offline cracking. The browser cache can be captured by these types of tools. They look for recently changed files. They might scour the hard drive and take an MD5 hash of all the files. Similar tools look for unique device IDs, such as your MAC address or built-in hard drive ID.

[Image caption: Steve Ballmer is mad. Who took my COFEE?]

One of the worries is that now that the tool is public, criminals can defend against it. This is nonsense according to Graham. Police forensics are already well-known, and criminals already know how to defend against them. Graham concludes that tools like COFEE don’t do anything extra that is unknown or secret. What makes them dangerous (to criminals) is that law enforcement agents can run them without much training, in an automated fashion.


WordPress Security Help

With all of the hubbub over the recent Labor Day WordPress worm, which put every installation not hosted at WordPress.com under suspicion of being at risk, and with WordPress having pushed out WordPress 2.8.5, a “hardening patch,” in response to the worm, it is time to get some help with WP security.

One of the tools I found is the WordPress Exploit Scanner plugin by Donncha O Caoimh. The Exploit Scanner does a number of things to help you manage your WordPress installation. The scanner installs on the WP dashboard and compares your site’s files against the MD5 hashes of the WordPress files for the version you’re running. The scanner ignores files that are present but that it has no hash for. If your hashes don’t match, you have a problem. It also looks for suspicious code in your files that may have been deposited by attackers: text made “invisible” through CSS; the use of iframes to embed code from other sites; and base64 encoding, which can be used to obfuscate entire programs. It will also look through your posts and users to see if there’s anything suspicious or spammy about them.

This tool is not designed to identify new files; it identifies altered core WordPress files. According to the author’s website, it will not stop someone from hacking into your site, but it may help you find any uploaded or compromised files left by a hacker.
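The two checks described above, hash comparison of core files against a per-version manifest and a content scan for the obfuscation patterns the plugin looks for, as an added Python example (not the Exploit Scanner’s own code). The manifest, file contents and pattern list are constructed for illustration; unlike the plugin, it also lists files that have no manifest entry so a reviewer can inspect them.

```python
import hashlib
import re

# Constructed "known-good" core files for one release; the MD5 manifest is
# derived from them here, whereas the real plugin ships a per-version list.
CORE_FILES = {
    "wp-login.php": "<?php // core login file\n",
    "wp-config-sample.php": "<?php // sample config\n",
}
MANIFEST = {p: hashlib.md5(c.encode()).hexdigest() for p, c in CORE_FILES.items()}

# Content patterns the page describes: base64-obfuscated code, iframes
# pulling content from other sites, and text hidden via CSS.
SUSPICIOUS = {
    "base64": re.compile(r"base64_decode\s*\(|eval\s*\(", re.I),
    "iframe": re.compile(r"<iframe[^>]+src\s*=\s*['\"]https?://", re.I),
    "hidden-css": re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I),
}

def scan_site(files):
    """files: {path: contents}. Returns (modified, unknown, suspicious):
    modified  - core files whose MD5 differs from the manifest
    unknown   - files with no manifest entry (the plugin ignores these)
    suspicious - {path: [pattern names]} for content hits in any file"""
    modified, unknown, suspicious = [], [], {}
    for path, content in files.items():
        digest = hashlib.md5(content.encode()).hexdigest()
        if path in MANIFEST:
            if digest != MANIFEST[path]:
                modified.append(path)
        else:
            unknown.append(path)
        hits = [name for name, rx in SUSPICIOUS.items() if rx.search(content)]
        if hits:
            suspicious[path] = hits
    return sorted(modified), sorted(unknown), suspicious

# Constructed sample site: a clean core file, a tampered core file, an
# uploaded file with an obfuscation pattern (inert text) and a theme file.
SAMPLE_SITE = {
    "wp-login.php": CORE_FILES["wp-login.php"],
    "wp-config-sample.php": CORE_FILES["wp-config-sample.php"] + "eval(base64_decode('QUJD'));\n",
    "wp-content/uploads/x.php": "<?php eval(base64_decode('QUJD')); ?>\n",
    "wp-content/themes/t/footer.php": "<div style='display:none'><iframe src='http://example.invalid/'></iframe></div>\n",
}

if __name__ == "__main__":
    mod, unk, sus = scan_site(SAMPLE_SITE)
    print("modified core files:", mod)
    print("unknown files:", unk)
    print("suspicious:", sus)
```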

rb-

Besides staying current on patches (déjà vu MSFT) and implementing a tool like the Exploit Scanner, turning off “user registration” is probably one of the simplest and most effective ways of “hardening” WordPress. Hopefully, WP will fix this in version 2.9 so the community aspect of WP can be securely turned back on.


Microsoft Serves COFEE to Cops

According to an article on the Seattle Post Intelligencer website, Microsoft has teamed up with the National White Collar Crime Center (NW3C) to distribute a computer forensics tool to U.S. police for free.

The Computer Online Forensic Evidence Extractor (COFEE) makes it easy for any officer, not just digital forensics specialists, to record the current processes of a suspect’s computer. According to the article, an officer can plug in a COFEE-formatted USB thumb drive, run COFEE, and download data that would have been lost if the computer were turned off for transit to the police station.

COFEE can be used to identify parts of a computer’s hard drive that a criminal might use for identity theft, online fraud, child pornography or other crimes. It can speed up the forensics process when a computer-crime specialist takes over the investigation. COFEE requires Windows XP for configuration and works best at downloading data from machines running XP or earlier. However, it does have some Windows Vista support. Microsoft plans to release a new version of COFEE next year that fully supports Vista and Windows 7, a spokesperson said.

“It’s a rather straightforward tool and it uses a lot of off-the-shelf technology already,” said Richard Boscovich, a senior attorney for Microsoft’s World Wide Internet Security Program. “That’s the beauty of the tool – that you don’t need that forensics expert at the scene.” Michael Merritt, assistant director of the U.S. Secret Service, told an audience at Microsoft’s Digital Crime Consortium, “The difference now with technology is that many companies like yours house valuable information … And that now has become the target of many criminals.”

Boscovich said Microsoft is offering the tool for free because it helps police cut down on the larger problem of high-tech crime. Microsoft software, because of its ubiquity, is usually considered the most at-risk for digital attacks.
