Ahem… I refer my honourable friends to my earlier post last year.
In which, I said,
So Microsoft’s new strategy could be to own both hardware and software – starting with its own tablet but moving into phones (perhaps by buying Nokia?) and desktops (perhaps by buying Dell or Acer, or even building new from scratch?)…
Toward a new strategy for Microsoft
Yesterday, Reuters reported,
Microsoft Corp is in discussions to invest between $1 billion and $3 billion of mezzanine financing in a buyout of Dell Inc, CNBC cited unidentified sources as saying on Tuesday.
Microsoft in talks to invest up to $3 billion in Dell
Keep up, chaps.
Last week’s news stories (Jan 30 to Feb 3):
Security researchers break satellite phone encryption
German researchers have cracked 2 satellite phone encryption codes – huge implications.
EU publishes 10 Myths about ACTA
EU says ACTA ain’t bad, just misunderstood.
VeriSign repeatedly hacked in 2010
VeriSign was repeatedly hacked in 2010, and never even told its own senior management.
Science and Technology Committee publishes Malware and Cyber Crime report
Commons committee makes recommendations on how to tackle cybercrime.
New development in post-transaction banking fraud
Banking malware now seeks to divert telephone calls between banks and customers.
Counterclank is not malware, just aggressive adware
Contrary to Symantec’s initial claim, Android’s Counterclank (Apperhand) is not a trojan.
Major UK companies still not blocking porn namesakes
UK companies remain open to cybersquatting by YourBrandName.xxx
New Forrester Report: Big Data Risks
Forrester describes how to secure Big Data.
Resilience is the key to security says World Economic Forum
WEF suggest an holistic view of resilience to risk rather than an isolated view of prevention.
A call for a new standard in infosec training and awareness
We need a new standard to improve security awareness in users.
IE6 users: no longer caught between a rock and a hard place
A new product allows legacy IE6 applications to run in new versions of the browser.
75% of all new malware are trojans
PandaLabs 2011 report is full of facts, figures and information.
Spam and phishing are growing problems: DMARC has the answer
A new standard is being developed to help stop spam and phishing.
CSO Interchange: Cloud concerns are largely propaganda
Misunderstandings about the cloud make it seem a problem rather than an opportunity.
Up to five million Androids infected with Counterclank
Android’s largest ever infection reported by Symantec.
I’m not behind Kelihos botnet, claims Sabelnikov
Man named by Microsoft says I didn’t do it, guv.
Sophos showed the way. It was the first major anti-virus company with free AV for Mac. In a masterly PR stroke it gave away what it could not sell: Mac AV for home users. The rest of the industry was thrown into catch-up.
And finally it has started. AVAST Software has launched a new free Mac AV product, available for 10.5 and newer users.
“It’s time for Mac users to start thinking about an antivirus app and this beta shows what they will need for their protection,” said Ondrej Vlcek, CTO of AVAST Software. “The Mac has long had a ‘cloak of invulnerability’ because its small market share made it a fringe target for malware. As Mac sales surge it is becoming a natural target for malware such as the Pinhead and Boonana Trojans or the MacDefender fake antivirus.”
For the moment it’s still in beta – and if you want to try that you can get it here. Otherwise you’ll have to wait for the released version which should be announced soon.
A new and most welcome reality is gaining traction: vendors’ understanding that users do not buy product for their personal computers. Business vendors get their income from business computers, not from home computers.
So, if home users are never going to buy my software, and it costs me effectively nothing to let them have it (courtesy of the internet), why should I not give it away free for personal/home use? No reason at all. In fact it makes excellent PR, and good business sense since that home user might also be a senior executive between 9 and 5.
DTI Data Recovery is the latest company to see this sense. It is making three products available for free download:
- External Hard Drive Undelete
- Hard Drive Partition Repair
- Windows Hard Drive Recovery Verification
Since the world comprises those who have been through the panic and heartache of lost data and those who will soon experience that panic and heartache, these products could go a long way towards preserving our future sanity.
Websense has launched a new series of reports based on the huge amount of information its HoneyGrid captures. The Websense HoneyGrid is a sort of massively distributed honeypot hosted by the Websense installations all around the world: that’s something like 50 million real-time data collection systems parsing one billion pieces of content every day. That’s a lot of information in almost real-time.
Introducing these new Websense Insights, Charles Renert, senior director of security research at Websense, explained: “The security landscape changes so fast these days that it’s increasingly difficult to get that information out in a timely fashion. We’re putting in a little extra effort to take all of the information we have – which is immense – and collapse it into the core messages about what’s happening out there on the web.”
It’s a laudable intent. But is it achieved? I asked him to explain the first report.
“When we did this study we were looking at link ecosystems. The web is composed of links – it’s the links that make the web what it is. We wanted to get a better understanding of the link ecosystems on social networks and other popular sites, and then to correlate that understanding with what the bad guys are doing. How, for example, are those link ecosystems being used by the bad guys to spread malware and spam today. Something like 75% of all internet traffic on the planet is going to the top 20 sites – so how are the bad guys using this new phenomenon to spread their wares?
“We took a look at the most frequently visited sites, and we looked at their link ecosystems. We looked at the links on the popular sites and we downloaded all of the content from all those links and analysed them. That gave us the two-click analysis: are you just two-clicks away from malware when on the most popular sites?Well, if you take the top sites on the web, for example news and media sites, we found you have over a 72% chance of having at least one piece of malware within two clicks of the site. Message Boards and forums were 71%, entertainment was 53%, and social networking was 55%. More specifically, on Facebook we found that 40 percent of status posts contain a URL, and that 10 percent of those are either spam or malicious.”
I’m not sure how much value we really get from this particular Websense study. For the average user I consider the ‘2 clicks’ concept is potentially quite dangerous. My advice would be for all users anywhere on the internet to assume that you are always just one-click away from malware. Don’t ever click on any link without weighing up the possibility that it might be leading you to malware. Assume the worst and you won’t be disappointed. Trust and verify? No. Verify before you trust on the internet.
You can see the actual report here. But if you do look at it, remember Renert’s description of how much information went into the making of it; and then consider how much information we’re given within it. It’s not much in comparison – and I blame that on the medium. Websense has chosen video reports; and in my opinion a video report is almost always lightweight in comparison to a 20-page PDF document. Video makes good advertising, and to a large extent that’s what this inaugural Insight really is. I hope Websense learns for future Insights. They could be something special. The first one is not.
Last Thursday, Qualys (in conjunction with TippingPoint and SANS) published The Top Cyber Security Risks Report. I consider this report to be more valuable than most, because it
…features in-depth analysis and attack data from HP TippingPoint DVLabs, vulnerability data from Qualys and additional analysis provided by the Internet Storm Center and SANS.
The Top Cyber Security Risks Report
In short, it combines genuine data with the highest quality professional analysis. Compare this approach to the two recent ‘perception’ surveys I discuss here and here. Perception is, of course, highly valuable for marketing purposes: the danger is that other users might confuse the perception of what works with the reality of what works – and make bad choices. I put Wolfgang Kandek, CTO of Qualys on the spot by asking him if his experience of reality confirmed the general perception held by both of the perception reports that data loss prevention (DLP) and encryption are two of the best security controls for preventing security breaches.
“I haven’t seen that impact, I have to say,” he responded. “For me, encryption is very helpful on, let’s say, on the laptop that is lost or stolen. It’s good then if it’s encrypted; it makes it very difficult for someone who finds or steals that laptop to actually get to the data. It’s also very useful between two points, if someone eavesdrops on the line or the internet connection. In these situations it is very, very useful. However, with the attacks we are seeing today, the attackers actually get into the end point where the data is unencrypted, where you actually write your emails, or where you submit your bank transfer before you type in your password. At that point it has to be unencrypted; and that is where the modern attackers are acting right now.
“DLP is again a useful technology for the unintentional leakage points; but I’m not sure how well it works against a determined attacker who is able to use encryption in his communications.” To illustrate his point, I could do no better than point to the section Analysis of a PDF attack in The Top Cyber Security Risks Report. It includes a series of graphics to illustrate the process of the attack – and I include the final graphic here. It shows the endgame. The attacker has compromised the victim’s network, and is communicating sensitive data back to home base. How effective, we have to ask ourselves, would DLP be if the attacker’s malware is able to encrypt the communications?
And we have to assume that today’s professional criminal is well able to do this.
One of the more alarming trends observed in the previous six months is the increased sophistication of attacks. Attackers have not only become more organized, they are also increasingly subversive and inconspicuous in the way they execute their attacks. The attacks are so sophisticated and subtle that few victims realize they are under attack until it is too late. It is increasingly common to hear of attackers remaining inside a compromised organization for months, gathering information with which they design and build even more sophisticated attacks. Once the desired information is obtained, the attackers launch attacks that are both more devastating and more covert.
The Top Cyber Security Risks Report
“What we’re seeing,” explains Kandek, is that the modern attacker is moving away from emailing threats or malicious attachments and is instead attacking the tools that the user is using: the web browser, all the plug-ins, the web itself, and so on. The modern attacker has decided that the easiest thing to do is to attack the website that the user is going to visit rather than setting up special malicious sites and trying to drive users to them.We’ve learnt how to recognise bad sites and not to go there – so the bad guys are focusing their attention today on normal websites that people go to anyway, and say that if I could infect that site with a little pointer that then makes that client visitor do my bidding, well, that would be really good. The intent today is not to deface the website, and publish a political message or something like that – but to put a little code or malware on the site that then infects the client browser that visits the websites.”
To prove Kandek’s point, it is worth mentioning that last week (6 September) the popular site TechCrunch was compromised and started serving its visitors with malware. And on 17 September, the day after the Qualys report was published, Websense announced that the music site Songlyrics.com had been compromised. Songlyrics gets something like 200,000 visitors each day, making it a far more attractive proposal (for the attackers) than creating a new site and trying to drive people to it.
Once a user accesses the main page of the song lyrics site, injected code redirects to an exploit site loaded with the Crimepack exploit kit. Attempted exploits result in a malicious binary (VT 39.5%) file that’s run on the victim’s computer. Once infected, the machine becomes another zombie-bot in the wild.
It is interesting to note that the malicious code injected on Songlyrics.com uses a similar obfuscation algorithm as Crimepack – a prepackaged commercial software used by attackers to deliver malicious Web-based code. It appears that the majority of pages served by Songlyrics.com are compromised. Crimepack has become one of the best selling exploit packs on the market due to its huge number of pre-compiled exploits offering a great base for the “drive-by-download & execute” business implication.
Websense report: Singing a malicious song
So, in short, if you want to know what’s really happening out there so that you can work out how to stop it, then I cannot more highly recommend that you get and read The Top Cyber Security Risks Report.
Be careful out there. Just as Qualys releases its latest report discussing the changing face of today’s threats (and I’ll be discussing that with Wolfgang Kandek in the next post), Websense discovers a perfect example: bad guys are compromising good sites. The Websense Security Labs ThreatSeeker Network has found that Songlyrics.com (which gets about approximately 200,000 daily page views) got compromised with obfuscated malicious code.
Once a user accesses the main page of the song lyrics site, malicious code is injected which leads the user to an exploit site loaded with the Crimepack exploit kit. Only 39.5% of antivirus engines currently recognise this exploit. Any computer exposed and infected just becomes another zombie-bot in the wild; and there’s hardly anything the user can do to prevent this from occurring.
We are seeing the bad guys more frequently compromise popular sites in an effort to infect and exploit the most users, as in this most recent case with songlyrics.com, a site that gets millions of unique visitors. It is unfortunate that in this case, Google Instant results are also helping to steer unaware users to this malicious content. Without real-time content analysis, all users are at risk.
Carl Leonard, Senior Manager, Websense Security Labs