Friday, October 29, 2010

Boo! Are your employees' computers haunted?

These are scary times for information security professionals who face increasing demands for protecting sensitive company information and at the same time are supporting more and more employee-owned devices connecting to the corporate network.

In my last posting I mentioned an Information Week article that I will return to this week. The article describes how anti-malware software is not getting the job done. The author was focusing on enterprise IT organizations protecting corporate networks and devices.

But the successful evasion of software defenses that malware authors are enjoying in the enterprise is even more troubling when we look at the Bring Your Own PC model of corporate computing. In this model company employees use their own PCs and laptops to access enterprise resources. Bring Your Own PC could also be called "Bring Your Own Malware." If million dollar enterprise software budgets cannot keep the hackers away, how can we assume an employee-owned PC will be free of infection?

There are two eye-opening statistics in the Information Week article, derived from a Ponemon Institute survey of IT and IT security practitioners: Nearly 80% of companies report malware evades their antivirus systems, and almost half report malware infections take longer than 30 days to remove. That's a long time for malware-infected computers to continue connecting to corporate networks and accessing sensitive data--and these are fully managed PCs controlled by corporate IT. The numbers must be much worse for employee-owned PCs. Last year Trend Micro reported their results from monitoring 100 million compromised IP addresses: half of the addresses showed signs of infection for over 300 days.

SafeCentral Enterprise delivers secure remote access even from machines that are compromised with malware. SafeCentral blocks the keylogging and other data-stealing techniques of malware, providing focused protection for web, VPN, remote desktop, hosted virtual desktop and other client sessions. You can learn more here.

Wednesday, October 20, 2010

Protecting Corporate Data on the Edge

Information is money and modern criminals know how to get their hands on both. Enterprise IT professionals are severely challenged these days to keep corporate data both protected and available to authorized users at the same time.

Going to Sea in a Sieve
Greg Shipley called out security software vendors in this InformationWeek article, pointing out that: "...we've spent billions of dollars on security technologies, and we still can't curb these threats. Intruders trot through firewalls deployed to block them, while malware flourishes on systems that antivirus vendors pledge to immunize."

When it comes to endpoint PCs I have to agree. The problem I see is that the Windows PC is too open, too programmable, with too many APIs and too many extensible applications like web browsers and productivity suites. This creates a rich environment for malware authors to infiltrate and take up permanent, or at least persistent, residence as a malicious ghost haunting the machine. From this position a malware operator can harvest sensitive data, including authentication credentials, customer records, employee data and other sensitive information.

IT teams have the strange mandate to deploy an extremely flexible operating system, but immediately take flexibility away from end users. This creates a tug of war between security and usability.

Benefits of Data Centralization
These facts are inducing a reverse in the swing of the IT pendulum, which is now moving back to centralization. Cloud-based apps, which keep data-at-rest in the data center, are helping to limit the physical spread of data and keep it under tight control behind many layers of physical and network protection. Hosted Virtual Desktops like Citrix XenDesktop do the same thing for entire virtual machines, allowing IT to build, deploy and maintain virtual PCs inside the data center and then deliver them over the Internet to thin client applications like the Citrix Receiver.

Don't Forget the Endpoint
Centralization is good for data, but not for people. The workforce has become more distributed, working from home or the road or a branch office. The point is that data can be stored centrally in the data center but it must be used out on the edge of the network; that's where the users are. In most cases, "the edge" still means a Windows PC or laptop (I exclude call centers from "the edge").

The information security benefits of data centralization are lost when unmanaged or semi-managed endpoint PCs connect to the data center. All the risks that Greg Shipley called out then come into play:

"Walking into the CEO's office and saying that the products you've spent a small fortune on are effective only at stopping novices and for checking off compliance forms? That takes more intestinal fortitude than most can muster."


Centralized Data with Secure Remote Access
I think the pendulum is swinging to a safer place. Centralizing data and functionality, along with endpoint lockdown and secure remote access, creates a formula that works. Network Access Control (NAC) was an attempt to ensure that only properly secured endpoint computers could connect to a corporate network. But a NAC posture check mostly asks the endpoint's own antivirus and firewall whether they are healthy, and those are the very products Greg Shipley called out as ineffective; a machine that is already compromised can pass the check.

Here at SafeCentral we are addressing the risks to data in use on remote endpoints differently. We do not protect the endpoint; we protect the data while it is in use. We provide a Secure Desktop that protects against keyloggers, screen-scrapers, DNS redirection, code injection and other threats. From the Secure Desktop the user launches their VPN client and logs in, with full anti-keylogger protection for their username and password. Once connected to the VPN and while on the Secure Desktop, the user can only run applications white-listed by the IT administrator. "Thin client applications" like Citrix or Microsoft Remote Desktop are perfect fits for the SafeCentral Secure Desktop (see my earlier posting: Patented Data Loss Protection). Users can switch back and forth between the locked-down Secure Desktop and their normal Windows desktop, multi-tasking throughout the day. This gives them the benefit of extreme lock-down while accessing corporate data, with an option to switch out to the more open environment of the standard Windows desktop when they want. The data on the Secure Desktop remain protected.

Examples of White-listed Clients on the SafeCentral Secure Desktop:
  • Cisco AnyConnect VPN

  • Juniper Netconnect VPN

  • Juniper Citrix Services secure proxy

  • F5 Firepass VPN

  • Citrix XenDesktop or XenApp

  • VMWare View 4.5 Client

  • Microsoft Remote Desktop Client

  • SafeCentral SafeBrowser (a locked-down web browser)

  • Attachmate

  • more on the way...



If you are interested in hearing more, please drop me a line at rdickenson/at/safecentral/dot/com or post a comment here.

Tuesday, September 28, 2010

$10 Million Stolen in 3 Months by an e-Crime Gang in London

The London Metropolitan Police Central e-Crime Unit arrested 15 men and women who stole nearly $10 million from online bank accounts in only 3 months. The gang infected the personal computers of unsuspecting Internet users with a mass-market crimeware trojan named "Zeus" and transferred the money out of their victims' online banking accounts.

Police representatives said the total amount of money stolen will likely climb as the investigation proceeds.

The Zeus trojan is a very effective piece of "crimeware" (software built to commit online crimes) that can be purchased for around $300 on black market websites. Willing criminals do not have to be computer experts to operate a Zeus network. The authors of the Zeus trojan have automated most of the details of the crimeware's operation, and even offer guarantees that it will not be detected by antivirus programs.

The Zeus trojan comes with a "Command and Control" server that collects stolen data and can be configured to control hundreds of thousands of infected PCs, issuing instructions on how and where to transfer funds automatically out of online bank accounts.

The Zeus trojan is a top money-earner for online criminals worldwide. We use Zeus in our tests of SafeCentral WebProtection and verify that SafeCentral blocks the trojan's data-stealing features. Below is a screenshot from a control test of the Zeus trojan, showing keystrokes being collected out of a Bank of America online banking session when SafeCentral is not being used.


Stolen Data Report from a Zeus Trojan Server



Monday, September 6, 2010

Patented Data Loss Protection from SafeCentral, Inc.

It's been a busy summer for SafeCentral and I am eager to share the results of our hard work. We've put out a couple of press releases recently that hint at the action going on behind the scenes: we got the first of 5 patents assigned to our Trusted Security Extensions (TSX) technology and just completed the sale of our antivirus business to Commtouch. First I'd like to say that the Commtouch folks have been a real pleasure to work with over the summer as we put together a deal that makes a ton of sense both to them and us. That transaction allows us to focus on proactive data and application protection powered by TSX and embodied in our SafeCentral product. TSX brings unparalleled protection to sensitive data for consumers and enterprises alike.

There is no better signal of our focus than renaming the entire company to SafeCentral, Inc.! We will be launching a new website in a couple of weeks that takes the wraps off some additional products we are bringing to market.

Our consumer product is going strong--we will be announcing several distribution partnerships for SafeCentral over the next few weeks. We will also be announcing some of the new things we have been working on for enterprise customers. Here is a sneak peek at endpoint data protection for thin client access methods such as Virtual Desktop Infrastructure (VDI), Virtual Applications, and Remote Desktop.



Data Loss Protection for XenApp Clients



Tuesday, April 27, 2010

SafeCentral featured on AOL.com

SafeCentral is featured today in one of the lead stories on AOL.com. In a story about phishing, "If You Get This E-Mail, Delete It ASAP," a sidebar focuses on how SafeCentral helps secure your online shopping and banking transactions. SafeCentral is available to AOL subscribers at a 50% discount.


Wednesday, March 17, 2010

Tax Season Starts with FBI Report on Doubling of Internet Crime

The IRS refunded $43.5 billion to tax filers last year, 72% of whom filed electronically (GAO report here). That much money and sensitive information flowing over the network attracts the attention of online thieves who move in like grizzly bears during a salmon run. Today I will share a few tips on how you can avoid being snatched up by the bad guys while you do your annual patriotic duty to help fund Uncle Sam.

First it is worth noting that dollars lost to Internet crime doubled from 2008 to 2009, topping half a billion dollars in the US. The 2009 Internet Crime Report released on Friday listed average losses at over $5,000 per incident, with a median loss closer to $500. The report pointed out that prosecution of online crimes is difficult because the victim and perpetrator "may be located anywhere in the world."

The same convenience that electronic tax preparation and filing presents to the tax payer can also work for the criminal. Simply having an electronic copy of your tax return on your computer can expose you to risk. Last August a Seattle man was convicted of fraud when a lucky break allowed authorities to catch him with tax returns, financial aid applications and other documents pilfered over the Internet from family computers across the country. Frederick Wood used file-sharing programs to search for keywords like "tax return" and find documents on personal computers thousands of miles away. He used information in these documents to commit financial fraud.

Tips for Safe Tax Filing

  1. Start with a clean machine: don't use the same computer to prepare your taxes that you use for social networking like Facebook and Twitter. Online criminals use these services to spread malware via links that appear to come from friends, or even through display ads that can infect your computer even if you don't click on them.
  2. Turn on WiFi Encryption: if your home network uses WiFi, make sure it is encrypted with WPA2 (or WPA if your router cannot do WPA2). Do not settle for WEP: its key can be recovered in minutes with freely available tools, so a WEP network is effectively open. Consult your wireless router manual or the manufacturer's website for setup instructions. Unencrypted wireless networks can allow thieves to connect to your network and gain access to sensitive documents on your computer even when you are not at home.
  3. Run a full antivirus scan: antivirus can't catch everything, but running a full scan before performing sensitive work like tax filing will give you the best chance for privacy. These scans can take an hour or more to run, so plan ahead and let the scan run overnight before your marathon tax session.
  4. Use unique passwords: if you are signing up for a new online tax filing service, resist the impulse to use that same password you use for everything else. Create a password that is memorable only to you--use something you can see from your computer, like "Green Vase" but mix it up with some punctuation and other characters: "Green--Vase:)" Just don't break the vase!
  5. Remove dangerous programs: if you have a file-sharing program like LimeWire, remove it or carefully review the files it is sharing. Latest versions of LimeWire will no longer share documents by default, but many users do not update software and may be running with an older version. If you want to keep your file sharing program but be really sure you are not sharing sensitive files, ask a friend to connect to your library and see what you are sharing (see LimeWire's "Direct Connect" feature). You should know, however, that file sharing programs are a major source of malware infection.
While the Clean Machine is the best bet for safe filing, you may be planning on using your tax refund to buy your new laptop--this puts you in a bit of a chicken-egg situation. For you, we have SafeCentral. SafeCentral creates a "clean desktop" on your existing computer, shielding you from keyloggers and other nasty programs that try to steal your sensitive information. You can give it a try free for 14 days here on the website. That should be plenty of time to get your taxes filed and decide whether a small piece of your refund is worth the price of protecting you online all year with SafeCentral.

Monday, January 11, 2010

PC Magazine Four-Star Review of SafeCentral 2.6

We earned 4 stars in the PC Magazine review of SafeCentral 2.6 that appeared on Friday. I am very happy to see the review up on the PCMag.com home page.




The reviewer, Neil J. Rubenking, commends our ease-of-use and the real-time feedback we give users on the safety of their web sessions. Our support for 64-bit platforms, including XP, Vista and Windows 7, was also noted.

One of the "Cons" in the review is the closed nature of the SafeCentral browser. We do not allow any and all browser plugins. We see this as a strong positive. On our work computers we are used to the network admins at our companies limiting what we can install and run, and which websites we visit. We understand that these constraints are necessary to protect company assets. Now is the time for us to recognize that we need to exercise the same control over our home PCs and laptops. When we sign into our bank or online retirement account, we should think and act differently--we have more to protect at this moment than when we are watching the latest funny YouTube video or posting a photo to Facebook.

Just like the iPhone is carefully managed by Apple to ensure the quality and security of iPhone applications, we recognize that browser plugins can introduce additional risks into sensitive web sessions and seek to protect users from those risks. Increased security almost always comes with some impact on usability. With SafeCentral, though, you still can use your regular browser and those Digg and Flickr toolbars to do all your fun stuff. Use SafeCentral for serious web stuff like banking, stock trading and tax filing.

Friday, December 18, 2009

Twitter Hack and the Iranian Cyber Army

(See continuing updates to this story below.)

Earlier this morning a DNS hack took control of Twitter.com traffic and redirected to a website with a splash page proclaiming, "THIS SITE HAS BEEN HACKED BY IRANIAN CYBER ARMY." This hack has a lot in common with the Dr.Hiad website defacement I reported on two weeks ago.

New information
The so-called Iranian Cyber Army has defaced websites in the same manner as Dr.Hiad. At this moment (7:35AM Eastern Time) there is a website displaying the exact image that Twitter users saw earlier today during the Twitter hack event. A screenshot of that web page is shown below. The webpage contains an email link to the Iranian Cyber Army's Gmail account.

It is likely that the Twitter DNS attackers simply pointed "twitter.com" to the IP address of a defaced website like the one below. It would not make sense for them to point Twitter traffic to their own web server: that would allow them to be traced and possibly caught.

When the Twitter attackers realized they could take over Twitter's DNS, they had to decide where to point the traffic. Redirect it to comedycentral.com? Disney.com? Or how about a defaced webpage bearing the image of the Iranian Cyber Army?

There is some chance the Twitter attackers executed both the website defacement and the DNS takeover.

Screenshot of Iranian Cyber Army Website Defacement



DNS is Fundamental
DNS is the Internet service that kicks in when we type a website name into our browser or click a link on a web page. Type "twitter.com" into your browser and DNS will look up the IP address of the Twitter web server so your browser can connect and download all those tweets. As fundamental as DNS is to our Internet experience, it has virtually no built-in security: a home PC simply trusts whatever answer its resolver hands back, with no way to tell a genuine record from a substituted one (DNSSEC, which signs the records, was not yet in general use). And an attacker does not have to break into Twitter's web servers to redirect its traffic. Whoever can change the authoritative records for twitter.com, for example by taking over the account at the registrar or DNS provider that publishes them, sends every visitor wherever they like, which is why a takeover like this morning's is far more than a prank.
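To make the lookup step concrete, here is an added example (written for this page, not SafeCentral code) that decodes a DNS answer in RFC 1035 wire format and flags any address that is not where the site operator knows the name should point. The two packets are constructed by hand, and the addresses come from documentation ranges (192.0.2.0/24, 198.51.100.0/24), not Twitter's real servers; the KNOWN_GOOD table is likewise an assumption.

```python
"""Added example (not SafeCentral code): decode a DNS answer and check where a
name actually points.

Packets are constructed by hand in RFC 1035 wire format; the addresses are
documentation ranges (192.0.2.0/24, 198.51.100.0/24), not Twitter's.
"""
import struct


def encode_name(name: str) -> bytes:
    """'twitter.com' -> b'\\x07twitter\\x03com\\x00' (length-prefixed labels)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_response(qname: str, addresses: list, txid: int = 0x1234) -> bytes:
    """Build a minimal response: one A question, one A answer per address."""
    # flags 0x8180: QR=1 (response), RD=1, RA=1, RCODE=0 (no error)
    header = struct.pack(">HHHHHH", txid, 0x8180, 1, len(addresses), 0, 0)
    question = encode_name(qname) + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN
    answers = b""
    for ip in addresses:
        rdata = bytes(int(octet) for octet in ip.split("."))
        # 0xC00C is a compression pointer to offset 12, i.e. the question name
        answers += b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 300, len(rdata)) + rdata
    return header + question + answers


def read_name(pkt: bytes, off: int) -> tuple:
    """Decode a possibly compressed name; return (name, offset just past it)."""
    labels, end, hops = [], None, 0
    while True:
        length = pkt[off]
        if length & 0xC0 == 0xC0:            # compression pointer
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            if end is None:
                end = off + 2                # the name occupies 2 bytes here
            off = struct.unpack(">H", pkt[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(pkt[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)


def a_records(pkt: bytes) -> dict:
    """Return the queried name and every IPv4 address in the answer section."""
    _txid, flags, _qd, ancount, _ns, _ar = struct.unpack(">HHHHHH", pkt[:12])
    if not flags & 0x8000:
        raise ValueError("not a response")
    off = 12
    qname, off = read_name(pkt, off)
    off += 4                                  # skip QTYPE and QCLASS
    addresses = []
    for _ in range(ancount):
        _name, off = read_name(pkt, off)
        rtype, rclass, _ttl, rdlen = struct.unpack(">HHIH", pkt[off:off + 10])
        off += 10
        rdata = pkt[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addresses.append(".".join(str(b) for b in rdata))
    return {"name": qname, "addresses": addresses}


def unexpected_addresses(pkt: bytes, known_good: dict) -> list:
    """Addresses in the answer that are not in the known-good set for that name."""
    parsed = a_records(pkt)
    allowed = known_good.get(parsed["name"], set())
    return [ip for ip in parsed["addresses"] if ip not in allowed]


# Constructed: where the site's operator knows the name should resolve.
KNOWN_GOOD = {"twitter.com": {"192.0.2.10", "192.0.2.11"}}
NORMAL_ANSWER = build_response("twitter.com", ["192.0.2.10"])
HIJACKED_ANSWER = build_response("twitter.com", ["198.51.100.77"])

if __name__ == "__main__":
    for label, pkt in (("normal", NORMAL_ANSWER), ("hijacked", HIJACKED_ANSWER)):
        print(label, a_records(pkt), "unexpected:", unexpected_addresses(pkt, KNOWN_GOOD))
```

The check is only as good as the KNOWN_GOOD table: a client can spot a substituted answer only if it already knows where the name should point, and a user whose own resolver is lying has no independent reference at all. That gap is what signed records (DNSSEC) and cross-checking against independent resolvers are meant to close.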


Updates

December 18, 2009 8:20AM - Update
The defaced website that Twitter users were directed to, shown in the screenshot above, is an online forum for the Green Freedom Wave, an Iranian reform movement.

December 18, 2009 9:08AM - Update
The Green Freedom Wave website was hosted at Netfirms, a managed web server company that is well-known to website defacers who exploit weaknesses in web and database servers. These web hosting companies offer lots of functionality, including web sites, databases and online shops, at very reasonable prices. However, these features also can make them vulnerable to compromise.

The website defacement is the minor part of this story. The DNS takeover is extremely serious, especially since it happened at Twitter.com, which receives over 20 million visitors per month. If the Twitter.com site had been redirected to a web page containing malware, a huge chunk of the Internet population would be infected. Perhaps I should say a "huger" chunk: 35 million computers infected per month with one type of malware.

December 18, 2009 10:35AM - Update
The Green Freedom Wave website was probably hacked using SQL Injection, Remote File Inclusion, or similar techniques that are well-documented on the web. Note the signature line of Dr.Hiad from my earlier post. Remote File Inclusion allows an attacker to exploit a script on the target website to replace the home page of the website.
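The include flaw mentioned above comes from letting the request name the file a script loads. As an added example (not code from any site discussed here), the following Python stands in for a PHP-style `include($_GET['page'])` and shows the vulnerable handler next to a hardened one; the toy web root, its template and the "sensitive" config file are constructed in a temporary directory so it runs offline. In PHP with remote includes enabled the same parameter could name an attacker's URL and the fetched code would execute, which is the remote variant; the local traversal shown here is the same mistake.

```python
"""Added example (not code from any site on this page): the include-a-file-
named-by-the-request pattern behind RFI/LFI, vulnerable and hardened.

A Python stand-in for a PHP-style include($_GET['page']). The toy site, its
template and the "sensitive" config file are constructed in a temp directory.
"""
import os
import tempfile


def setup_site() -> tuple:
    """Construct a toy web root: templates/home.html plus config.php above it."""
    root = tempfile.mkdtemp(prefix="toysite-")
    tpl_dir = os.path.join(root, "templates")
    os.mkdir(tpl_dir)
    with open(os.path.join(tpl_dir, "home.html"), "w") as f:
        f.write("<h1>Welcome</h1>")
    with open(os.path.join(root, "config.php"), "w") as f:
        f.write("<?php $db_password = 'hunter2'; ?>")   # constructed secret
    return root, tpl_dir


def include_vulnerable(tpl_dir: str, page: str) -> str:
    """The flaw: the request parameter names the file to include.

    '../config.php' walks out of the template directory, and an absolute path
    makes os.path.join discard tpl_dir entirely. In PHP with allow_url_include
    on, 'http://attacker/shell.txt' would fetch and *execute* remote code.
    """
    with open(os.path.join(tpl_dir, page)) as f:
        return f.read()


# Hardened: the request selects a key in an allowlist, never a filename.
PAGES = {"home": "home.html", "about": "about.html"}


def include_hardened(tpl_dir: str, page: str) -> str:
    filename = PAGES.get(page)
    if filename is None:
        raise PermissionError(f"unknown page {page!r}")
    base = os.path.realpath(tpl_dir)
    path = os.path.realpath(os.path.join(base, filename))
    # Defence in depth: the resolved path must still sit inside the template dir.
    if os.path.commonpath([base, path]) != base:
        raise PermissionError("resolved outside template directory")
    with open(path) as f:
        return f.read()


def attempt(handler, tpl_dir: str, page: str) -> str:
    """Run a handler and return either the content or the exception type name."""
    try:
        return handler(tpl_dir, page)
    except OSError as exc:                 # PermissionError and FileNotFoundError
        return type(exc).__name__


if __name__ == "__main__":
    _root, tpl = setup_site()
    for page in ("home.html", "../config.php"):
        print("vulnerable", repr(page), "->", attempt(include_vulnerable, tpl, page))
    for page in ("home", "../config.php", "about"):
        print("hardened  ", repr(page), "->", attempt(include_hardened, tpl, page))
```

The allowlist is the real fix; the realpath containment check is there so that a later mistake in the table (a symlink, an entry with a slash in it) still cannot reach outside the template directory.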

December 19, 2009 7:49AM - Update
Busy day yesterday speaking to reporters and colleagues about the Twitter DNS compromise. Here are a couple of stories:

Tuesday, December 8, 2009

Securing the Cloud

I will be a speaker at a free cloud security webinar sponsored by Enterprise Florida on Thursday, December 10, at 2PM Eastern Time. Cloud computing is a topic generating both hype and anti-hype right now. The anti-hype comes mostly from the security community warning that the benefits of fast, easy development and hosting are just what we do not need right now.

Also presenting will be Chris Day, Chief Security Architect at Terremark, and Alex Eckelberry, CEO of Sunbelt Software. The event is moderated by Esther Schindler, author and industry expert.

See you there!

Tuesday, December 1, 2009

Dr.HiaD: Islamic Terrorist or Teenager Having Fun?



Let me steal my own thunder and go with Teen Having Fun.

Earlier today the campaign website of Bill Connor, candidate for Lieutenant Governor in South Carolina, was defaced with a graffiti-like image in the typical fashion of juvenile hackers.


Screenshot of the Bill Connor Website Defacement
Source: FITSNews Political Blog (not verified)


The hacked page included a small amount of Arabic text, which got the attention of the candidate and former US Army officer, who served in Afghanistan. A statement on his campaign's Facebook page said, "I do hope this serves as a wakeup call to the continuing danger we face in South Carolina from the threat of radical Islam and shari’a law."


"I do hope this serves as a wakeup call to the continuing danger we face in South Carolina from the threat of radical Islam and shari’a law."

Bill Connor


Was this a political act by Islamic extremists? Examining the facts makes it hard to draw that conclusion. There are many valid threats to our safety on the Internet today, but it is important to isolate the facts and not rush to judgement when it comes to identifying and prosecuting true crime online.

"Hi ADmin your security = 0" Thus reads the graphic that displaced the candidate's home page. That statement is a poke in the eye at the web hosting company that operates the web server (not the candidate) and is typical of widespread pranks conducted by computer savvy kids who enjoy exercising their technical skills to penetrate weak server configurations from far across the Internet and leave their mark.

"Dr.HiaD" in this case is the online nickname used by the hacker. Dr.HiaD has taken credit for over one hundred such website defacements. I have seen lists of URLs of over 4,000 web pages with his signature on them. Other pranksters have perpetrated many more thousands of website hacks and even keep track of their scores. See below a screenshot of one such scorecard showing recent defacements by Dr.HiaD. The score for all "players" on this website is a staggering 43,000 on December 1, 2009 alone.


Website defacement scoresheet of Dr.HiaD
Source: Ray Dickenson


I have blocked out the website names in order to prevent readers from attempting to visit these sites, which may now host malware that can infect PCs. But you can see Dr.HiaD is a prolific defacement artist.

Another site Dr.HiaD hacked, that also contained a short snippet of Arabic script, was the website of a Chinese baby products company. Again, I will withhold the name of the site, but share the graphic that was posted there.


One of many other websites defaced by Dr.HiaD
Source: Ray Dickenson


Who is Dr.HiaD? He appears on an Arabic hacker website with the below signature. Now, when it comes to teenage hackers, it is difficult to believe everything we read. Is Dr.HiaD really 15-years-old? Is Dr.HiaD from Morocco? Hard to say for sure, but I believe he (or she) is. These pranksters must balance two competing goals: (1) not getting caught and (2) claiming and receiving credit for their exploits. For young hackers, recognition normally trumps caution. On the score-keeping website mentioned above, there are hackers from Singapore, Russia, India, Switzerland, Germany and many more countries around the world. So Dr.HiaD really could be from anywhere.

 
Dr.HiaD Signature on Hacker Website
Source: Ray Dickenson


One last point about the colors used in Bill Connor's website defacement. Some of the English letters appeared in white, green and red with black background. It is true that these are Islamic colors. But they are also the simplest colors to use in web pages. The RGB color codes for these colors are: FF0000, 00FF00, 000000, FFFFFF. Extremely simple for kids making web pages who do not want to be bothered with shades like 0CF1E2, CECE28. They are also stark and strong. Perfect for a prankster.

Let's close with a comment about the first screenshot above (source: Ray Dickenson). That one came from the website of an auto accessories company in China that was hacked by Dr.HiaD. Is this a photo of the real Dr.HiaD? Probably not. But it does convey something about the Dr's personality and the artistic flair of his or her pranks. Many teenagers who crave technical accomplishment and get into trouble pursuing recognition for their talents grow up to be valuable contributors in the computer field. Ask Michael "MafiaBoy" Calce or Kevin Mitnick.

December 2, 2009 - Update
I spoke with Susanne Schafer of the Associated Press about this story, and she wrote an article that appeared here.

December 3, 2009 - Update
The dramatic image in the first screenshot above comes from an Italian photographer, posted here on Flickr: Amegliocchi. One interesting connection is that a large number of Italian language websites were defaced by Dr.Hiad.

Connection to Dr.Hiad splash screen courtesy of TinEye, a pretty effective reverse image search engine. Want to find photos of you on the web? Try TinEye. If you dare :)