Via Help Net Security, Barracuda’s recently released its Barracuda Labs 2010 Midyear Security Report which includes the results of a study it did on search engine and Twitter malware. It focused on 25,000 trending topics over a two month period. The somewhat surprising finding was that percentage of malware laden links on Google (69%) exceeded Yahoo! (18%), Bing (12%), and Twitter (1%) combined. The “Searching for Malware, A Comparative Study,” starts on page 56 of the report.
It would have been interesting if the study broke down the results by page. In other words, the percentage of malware found on the first page of the search results, etc. Most people only review the first few pages of a search result.
This provides additional proof of the need of a web-based anti-malware solution. You surely cannot depend on the search engines themselves to do the job.
Full disclosure. Cymbel does partner with Barracuda, but for Web Application Firewalls. For web-based anti-malware, we recommend Zscaler.
Trend Micro’s research lab is reporting that the Koobface trojan continues to put unsuspecting Facebook users at risk. Because Koobface is really a bot, its Command & Control infrastructure can and does change the message and the link you receive to lure you a page that will download the Koobface trojan onto your system.
You could ask, why can’t Facebook eradicate Koobface? Apparently, they are not seeing a significant number of users canceling their accounts due to Koobface and other malware to warrant the investment.
Why not simply block Facebook? If the business side of the organization (sales and marketing) is OK with that, then blocking Facebook in the office is a reasonable step. There are two issues to consider:
Increasingly, sales and marketing departments want to take advantage of Facebook and other social networking sites to reach current and prospective customers.
Even if you do block social networking sites in the office, laptop users who travel or just use their laptops at home are at risk of being exploited by malware from social networking sites.
The Electronic Frontier Foundation (EFF), in conjunction with The Tor Project, has announced a new Firefox plug-in called HTTPS Everywhere, which will automatically provide encrypted SSL sessions to major web sites that support HTTPS. Obviously, this is an effort to improve browsing privacy, but is it also increasing risks to those users? The answer could be yes.
If you are a road-warrior and use HTTPS Everywhere from your hotel room, I would agree that you are reducing the likelihood of a third party sniffing your traffic. However, HTTPS will increase risk for corporations whose firewalls or intrusion prevention systems do not have the ability to decrypt SSL. For example, one of the default sites encrypted by HTTPS Everywhere is Facebook. If you have policies that allow certain employees to use certain features of Facebook for marketing/sales purposes, you surely want to monitor that traffic for threats. Given the amount of malware on Facebook, an employee could inadvertently go to a page that downloads a trojan onto the employee’s workstation. If your firewall or IPS cannot decrypt SSL then it will not be able to detect the malware.
The excitement of World Cup Soccer is increasing. Do you know how many people in our organization are watching matches during the work day? How much Internet bandwidth is being consumed? What about the active malware campaigns leveraging the tournament?
Palo Alto Networks has a blog post detailing its World Cup Soccer video controls and protection capabilities called Prepare for Soccer Hooliganism 2.0.
Slate recently published an article entitled, “The End of Malware?” The sub-title is, “How Android, Chrome, and the iPad are shielding us from dastardly programs.” The premise trotted out the usual, Windows is insecure; Android, Chrome, and the iPad are more secure because they deploy sandboxing technology, i.e. restricting an application’s access to operating system resources.
While this may be a good thing, it is hardly the “end of malware.” Not even close.What the author is missing is the intent and motiviation of the bad guys. They go where the money is, i.e. where there is the opportunity to steal cash from people’s bank accounts, steal credit card information, steal intellectual property they can sell. At present, these opportunities are minimal on Android, Chrome, and iPads. Once there is critical mass for profitable hacking, you will definitely see an increase in exploits on these devices.
Now even with limited opportunities for profitable hacking we are starting to hear about vulnerabilities on these devices. Just yesterday I wrote about a Massive iPhone Security Issue where passcode protected content on the iPhone can be accessed by simply attaching the device to a computer running Ubuntu or OSX. Therefore, if you lose your iPhone, your passcode protection is useless.
If you need to hear more, check out the June 3 article in the Wall St. Journal, Dark Side Arises for Phone Apps. Here are some key quotes, first on Google:
In one incident, Google pulled dozens of unauthorized mobile-banking apps from its Android Market in December. The apps, priced at $1.50, were made by a developer named “09Droid” and claimed to offer access to accounts at many of the world’s banks. Google said it pulled the apps because they violated its trademark policy.
The apps were more useless than malicious, but could have been updated to capture customers’ banking credentials, said John Hering, chief executive of Lookout, a mobile security provider. “It is becoming easier for the bad guys to use the app stores,” Mr. Hering said.
And on Apple:
Apple vets applications before they appear in its App Store, but risks still exist. In July 2008, Apple pulled a popular game called Aurora Feint from its store after it was discovered to be uploading users’ contact lists to the game maker’s servers. More recently, it yanked hundreds of apps it said violated its policies, some out of security concerns.
In conclusion, while sandboxing is a good idea, there is no silver bullet when it comes to security.
Slate recently published an article entitled, "The End of
Malware?" The sub-title is, "How Android, Chrome, and the iPad are
shielding us from dastardly programs." The premise trotted out the
usual, Windows is insecure; Android, Chrome, and the iPad are more
secure because they deploy sandboxing technology, i.e. restricting an
application's access to operating system resources.
While this may be a good thing, it is hardly the "end of malware."
Not even close.What the author is missing is the intent and motiviation
of the bad guys. They go where the money is, i.e. where there is the
opportunity to steal cash from people's bank accounts, steal credit card
information, steal intellectual property they can sell. At present,
these opportunities are minimal on Android, Chrome, and iPads. Once
there is critical mass for profitable hacking, you will definitely see
an increase in exploits on these devices.
Now even with limited opportunities for profitable hacking we are
starting to hear about vulnerabilities on these devices. Just yesterday I
wrote about a Massive iPhone
Security Issue where passcode protected content on the iPhone can be
accessed by simply attaching the device to a computer running Ubuntu or
OSX. Therefore, if you lose your iPhone, your passcode protection is
useless.
If you need to hear more, check out the June 3 article in the Wall
St. Journal, Dark Side Arises for Phone Apps. Here are some key
quotes, first on Google:
In one incident, Google pulled dozens of unauthorized
mobile-banking apps from its Android Market in December. The apps,
priced at $1.50, were made by a developer named "09Droid" and claimed
to offer access to accounts at many of the world's banks. Google said
it pulled the apps because they violated its trademark policy.
The apps were more useless than malicious, but could have been
updated to capture customers' banking credentials, said John Hering,
chief executive of Lookout, a mobile security provider. "It is becoming
easier for the bad guys to use the app stores," Mr. Hering said.
And on Apple:
Apple vets applications before they appear in its App
Store, but risks still exist. In July 2008, Apple pulled a popular game
called Aurora Feint from its store after it was discovered to be
uploading users' contact lists to the game maker's servers. More
recently, it yanked hundreds of apps it said violated its policies,
some out of security concerns.
In conclusion, while sandboxing is a good idea, there is no silver
bullet when it comes to security.
Content stored on an iPhone 3GS with passcode
protection can be accessed without the passcode simply by attaching the
device to a computer running the latest version of Ubuntu or a Windows
or OSX system running off the shelf software such as iPhone Explorer.
This flaw was discovered by Bernd Marienfeld, an information
security professional and blogger, last week. Recently, the enterprise
has seen a steep increase in the adoption of the iPhone and iPad. But Apple will need to
aggressively address security concerns such as these in order to gain
and hold market share.
Aza Raskin, the Creative Lead for Firefox, (via Ajaxian) describes a new variation on phishing called "tabnabbing," the "process of replacing the entire contents of a page while it's on a background tab." This is another example of malicious Javascript in action. Does your Secure Web Gateway vendor block this attack?
Sunbelt has a detailed blog post of a ridiculously simple and obvious social engineering attack on Facebook users. The good news is that only 0.05% of Facebook users fell for it. The bad news is that the actual number of Facebook users is 191,372. Given the ease of creating these attacks and the rewards to the attackers, they are not going to stop anytime soon.
Researchers at matousec.com, a security research and consulting group, released a paper describing a vulnerability in the way that anti-virus vendors integrate their products with Windows – System Service Descriptor Table (SSDT). They also built code that exploits this vulnerability which enables them to bypass these anti-virus programs. The Register has a good summary.
My first reaction is "so what?" Anti-virus programs have become almost irrelevant as the primary attack vector has shifted to browser-based applications. On the other hand, this vulnerability could lead to a resurgence of more direct viruses.
Second, how and how quickly will Microsoft and the anti-virus vendors react?
Third, what are the implications for Intel's vPro technology?
Fourth, is there an anti-virus vendor out there that does not use SSDT to integrate with Windows?
