Monday, March 15, 2010

NABU Trend Micro News Summary - 03/06/10 - 03/12/10

Table of Contents

Trend Micro Quotes

· Processor (03.12) – Conducting Online Banking Transactions; Take Action To Secure Your Business

· Help Net Security (03.10) – 9 million ZeuS attacks blocked in the last 6 months

· The Tech Herald (03.11) – ISP takedown deals smashes Zeus botnet – for a few hours

· The Register (03.08) – Botnet takedowns 'don't hurt crooks enough'; Punching fog

· Ecommerce Journal (03.09) – War against botnets is everlasting, endless and fruitless

· The New New Internet (03.09) – Experts Question Effectiveness of Botnet Takedowns

RSA Conference

· Internet Evolution (03.11) – Security as a Service (video)

· Forbes.com (03.08) – Cloud Computing; Hybrid Clouds Hit Data Centers

· Financial Times (03.07) – Software helps hackers empty corporate accounts

· Computerworld (03.11) – Update: Security industry faces attacks it cannot stop (Adds quote from an AVG spokeswoman.)

· Computerworld (03.11) – Security industry faces attacks it cannot stop

o San Francisco Chronicle

· Computerworld Blog: Security Impact (03.05) – Innovation is discovered at RSA 2010

Trend Micro Mentions

· MaximumPC (03.02) – How To: Root Out Stubborn Malware with HijackThis

· PC World (03.11) – It's Time to Finally Drop Internet Explorer 6

· Dark Reading (03.11) – Only One in Seven Consumer AV Tools Catch New 'Aurora' Variants; NSS Labs says its new test shows antivirus' exploit detection emphasis flawed, but others disagree

· Hospitality.net (03.11) – WARNING TO HOTELS... Don't Use Free Link Shortening Services in Your Marketing

· ComputerWorld (03.08) – Just Watching Is No Longer Enough; It may be time to supplement monitoring the network with endpoint security.

· ComputerShopper.com (03.08) – Asus Eee PC 1008P Seashell (Karim Rashid Collection) Review

· Redmondmag.com (03.09) – Report: IE 8 Leads in Malware Protection

· ITBusinessEdge (03.09) – New Crossbeam CEO Sees Wave of Security Consolidation

· Zacks Analyst Blog (03.11) – Initiating Symantec with Neutral


Trend Micro Quotes

“The Zeus Trojan is the primary tool that organized criminals have been using to steal banking information from countless small businesses,” asserts Paul Ferguson, threat researcher for Trend Micro’s Core Tech Engineering (us.trendmicro.com).

Conducting Online Banking Transactions; Take Action To Secure Your Business

Processor – 3/12/10

"ZeuS is nothing new – we've seen it at work for years. But what's alarming is the recent rise in attacks," said Raimund Genes, CTO of Trend Micro.

9 million ZeuS attacks blocked in the last 6 months

Help Net Security – 3/10/10

Adding to that is a Trend Micro research paper that noted an average of around 300 unique Zeus samples per day crossing their Malware collection points.

ISP takedown deals smashes Zeus botnet – for a few hours

The Tech Herald – 3/1/10

"We have had significant victories against several botnets in the past but that hasn't stopped the growth in malware or the growth in spam or in information theft," said Rik Ferguson, a security consultant at Trend Micro.

Botnet takedowns 'don't hurt crooks enough'; Punching fog

The Register – 3/8/10

"We have had significant victories against several botnets in the past but that hasn't stopped the growth in malware or the growth in spam or in information theft," said Rik Ferguson, a security consultant at Trend Micro.

War against botnets is everlasting, endless and fruitless

Ecommerce Journal – 3/9/10

“So, while we continue to win significant battles, winning the war will need closer cooperation between governments [and] law enforcement agencies on an ongoing basis rather than on an operational basis.” – Rik Ferguson, Trend Micro

Experts Question Effectiveness of Botnet Takedowns

The New New Internet – 3/9/10

RSA Conference

Trend Micro's Raimund Genes examines the pent-up need for companies to outsource their security solutions. (Video, running time: 00:47)

Security as a Service

Internet Evolution – 3/11/10

Trend Micro says it will create a private cloud within the public cloud to let customers store confidential data, a prospect which will likely be most attractive to Internet service providers.

Cloud Computing; Hybrid Clouds Hit Data Centers

Forbes.com – 3/8/10

Security company Trend Micro forecast that Zeus would be around for years but said luck could be running out for its authors.

Software helps hackers empty corporate accounts

Financial Times – 3/7/10

One company, AVG, didn't even stop the original attack, according to NSS. Eset, Kaspersky, Symantec, Sophos, AVG and Trend Micro all failed to block a variant of the Aurora exploit.

Update: Security industry faces attacks it cannot stop

Computerworld – 3/11/10

Large security vendors, including Trend Micro, are already aligning product strategies to not only offer cloud-based security offerings, but to also secure new cloud-based infrastructure strategies.

Innovation is discovered at RSA 2010

Computerworld Blog: Security Impact – 3/5/10

Trend Micro Mentions

Trying to fix a badly infected PC without HijackThis is sort of like going into surgery without a scalpel; it’s the only tool for the job when all other measures fail.

How To: Root Out Stubborn Malware with HijackThis

MaximumPC – 3/2/10

The NSS Labs report claims "53 percent of malware is now delivered via Internet download versus just 12 percent via e-mail according to statistics from Trend Micro.

It's Time to Finally Drop Internet Explorer 6

PC World – 3/11/10

Only McAfee Internet Security 2010 with SecurityCenter, Version 9.15.160, stopped the variants. Other products tested were … and Trend Micro Internet Security 2010 Version 17.50.1366.0000.

Only One in Seven Consumer AV Tools Catch New 'Aurora' Variants; NSS Labs says its new test shows antivirus' exploit detection emphasis flawed, but others disagree

Dark Reading – 3/11/10

One option I'm considering is port blocking. I'm going to start looking at vendors in that market, including Trend Micro, which is our antivirus and antispyware provider.

Just Watching Is No Longer Enough; It may be time to supplement monitoring the network with endpoint security.

ComputerWorld – 3/8/10

As reported by leading virus security company Trend Micro, TinyURL has become a popular tool for spammers and phishing scams.

WARNING TO HOTELS... Don't Use Free Link Shortening Services in Your Marketing

Hospitality.net – 3/11/10

You’ll also find a full version of Microsoft Works and 60-day trials of Microsoft Word and Trend Micro’s antivirus software. (You'll want to replace the latter right away to increase performance.)

Asus Eee PC 1008P Seashell (Karim Rashid Collection) Review

ComputerShopper.com – 3/8/10

It's an approach that software security vendor Trend Micro announced support for late last year.

Report: IE 8 Leads in Malware Protection

Redmondmag.com – 3/9/10

Security companies that have partnered with Crossbeam to deploy their software include Check Point, IBM, Imperva, Sourcefire, Trend Micro and Websense.

New Crossbeam CEO Sees Wave of Security Consolidation

ITBusinessEdge – 3/9/10

A host of smaller players, like Trend Micro, CA and Kaspersky Lab, are out there in the field.

Initiating Symantec with Neutral

Zacks Analyst Blog – 3/11/10


Trend Micro Quotes

Processor

March 12, 2010

Conducting Online Banking Transactions

Take Action To Secure Your Business

In December 2009, the ABA (American Bankers Association) issued a warning to small and midsized companies concerning Trojan horse attacks targeting online banking. Sadly, the ABA’s recommendations got mangled in the telling.

According to Doug Johnson, vice president and senior advisor for risk management at the ABA, earlier news reports that the ABA recommended a dedicated PC for online banking greatly oversimplified joint recommendations of experts from banking, government, and the FBI.

Not Just Hype

The ABA’s warning is well-founded, even though statistics about successful Trojan horse attacks against online banking are scarce.

“Particularly in the case of small to medium-sized companies, they usually don’t have shareholders to answer to, so they keep the information private, which is within their prerogative to do,” says Marc Fossi, manager of research and development for Symantec Security Response (www.symantec.com).

Bob Hansmann, senior manager of product marketing for Blue Coat Systems (www.bluecoat.com), agrees. “Trying to quantify [the] cost of such attacks is always difficult since banking customers—unlike banks—are not required to report such incidents,” Hansmann notes.

“We have seen an increase in the successful breaches of bank accounts of small to medium enterprises through the use of malware, most notably due to the Clampi Trojan as well as the Zeus (Zbot) Trojan,” says Bradley Anstis, vice president of technical strategy for M86 Security (www.m86security.com), a global provider of Web and messaging security products.

Means & Motives

Although the identities of the criminals behind the attacks are not public knowledge, their methods are known.

“The Zeus Trojan is the primary tool that organized criminals have been using to steal banking information from countless small businesses,” asserts Paul Ferguson, threat researcher for Trend Micro’s Core Tech Engineering (us.trendmicro.com). Thieves then use the stolen credentials to drain the company’s bank accounts, he says.

Anstis says M86 Security often sees Trojan horse command and control servers based in Eastern Europe, mainly Russia and Ukraine, and also in China. These servers, which watch over compromised machines, are detected less often in Western Europe and the United States, which may be related to the computer crime laws of particular countries, Anstis notes. Surprisingly, in most cases, the attackers are not professional hackers but are criminals who purchased ‘equipment’ such as Trojan horses and attack toolkits, Anstis says.

Ferguson says people who are allowed to engage in risky Internet behavior on company PCs are inviting trouble for their organizations.

“End users will use company computers to perform tasks other than the work they are assigned,” Anstis says. “Whether it’s to check personal email accounts, play games, or browse through various social networks, these types of activities have their own inherent risks associated with them, and cybercriminals are aware of this,” Anstis notes.

According to Paul Wood, MessageLabs Intelligence senior analyst for Symantec Hosted Services, the danger comes from uncontrolled end-user access to Web sites and email content. He advises SMEs, “Having the right level of protection in place will help to mitigate against this, but it must be balanced with the appropriate acceptable usage policies as well as the monitoring of their use.”

Secure Your Business

These experts agree that antivirus and antispyware software should remain a part of your malware defenses, but more solutions should be considered. Hansmann recommends starting with Web filtering.

"This once-optional technology, originally introduced to deal with liability, productivity, and other concerns, is one of the best ‘front line' defenses against today's rapidly evolving malware," Hansmann says. He says even if a user has been tricked into clicking a malware link, a Web filtering solution will likely know if the site is bogus and can block the connection before the user can become infected.

Wood recommends talking to your bank about two-factor authentication. Conventional passwords offer a single factor of authentication, based on something you know. Two-factor authentication raises the ante for the bad guys by requiring another level of authentication based on something you have, such as a key fob that periodically generates a unique number.

“This is something a lot more business users are demanding of their banks, and consider changing to another bank if your bank does not offer it,” Wood says. In addition, Wood says your organization can be safer online by having the right approach to computer security.

“Security isn’t just a technology problem, though; it also covers how we behave, and if we can minimize the risks by thinking about them and reducing them, then we can be safer,” Wood says.

Wood also suggests first limiting the number of users who can access the online banking facility and then auditing the access regularly.

By Bill Hayes

Tips For Safeguarding Online Banking

Paul Wood, MessageLabs Intelligence senior analyst for Symantec Hosted Services (www.symantec.com), recommends simple tips to help keep the dedicated online banking PC safe.

• Secure your network. Use a router outside your network with a built-in firewall that is configured and managed by your ISP.

• Use security software. Antivirus software will scan your computer for anything bad that has arrived on your computer, especially emails and programs that you may have downloaded from Web sites. Consider using a special email address for the business banking accounts that is not used anywhere else, and ensure you have monitoring software in place and configured to audit the access of your computers.

• Be wary of what you see. Never click hyperlinks in emails or instant messages that you haven’t subscribed to or aren’t expecting because they may be phishing attacks.

• Stay up-to-date. Make sure your computer is updated with the latest patches for your operating system and also for the applications that you use, including your Web browser and browser plug-ins. Staying up-to-date also means keeping track of the news and blogs from your antivirus provider and other technology news sites to keep abreast of the latest threats.

• Perform regular backups. Use a DVD burner, an external hard drive, or cloud-based storage to archive important documents.

• Avoid ID theft and fraud. Keep your personal information just that—personal. Never divulge anything such as PINs or passwords online. Don’t use the same passwords and be sure to change them regularly.

http://www.processor.com/editorial/article.asp?article=articles%2Fp3206%2F31p06%2F31p06%2F31p06.asp&guid=&searchtype=&WordList=&bJumpTo=True


Help Net Security

March 10, 2010

9 million ZeuS attacks blocked in the last 6 months

Trend Micro has seen a recent rise in average of around 300 unique ZeuS samples per day, according to a recent threat report that examines the Eastern European criminal enterprise behind one of the world's most prolific crimeware kits designed for wholesale monetary theft. Trend Micro witnessed more than 13,000 unique ZeuS samples within January 2010 alone.

"ZeuS is nothing new – we've seen it at work for years. But what's alarming is the recent rise in attacks," said Raimund Genes, CTO of Trend Micro. "In the last 6 months, we've blocked about 9 million ZeuS attacks and we're not stopping."

Latest developments

For the greater part of last year, Trend Micro discovered that ZeuS variants were also distributed via the Avalanche botnet – a fast-flux botnet – which sent spammed messages en masse. The spam runs imitated several popular social networking sites. The cybercriminals behind the operations even tried to copy email messages and Web sites of U.S. government institutions like the Federal Deposit Insurance Corporation (FDIC), the Centers for Disease Control and Prevention (CDC), the Social Security Administration (SSA), and the Internal Revenue Service (IRS).

Another significant feature that was recently added to the current ZeuS versions is the "Jabber" functionality. Jabber is an open source instant messaging protocol and JabberZeuS is a ZeuS variant where the credentials stolen during a banking session are relayed in real-time to the ZeuS botmaster via instant messages so she can immediately log in to the same account undetected using the same credentials as the victim.

ZeuS-BREDOLAB connections

According to Trend Micro research, BREDOLAB and ZeuS are individual tools that are freely available in the cybercriminal underground. Their uses complement each other, which is why they're often seen together. While ZeuS specializes in stealing information from infected systems, BREDOLAB enables cybercriminal organizations to deliver any kind of software to its victims. Once a user's machine is infected by BREDOLAB, it will receive regular malware updates the same way it receives software updates from the user's security vendor.

Poor economy fueling ZeuS

The success of ZeuS is partly attributed to cybercriminals' ability to recruit money mules that move their stolen money around through bogus work-from-home scams. Given the current economic situation in the United States—with millions of people out of work—cybercriminals know they have a high success rate in recruiting accomplices.

Work-from-home recruits are instructed to provide bank account information, which the cybercriminals use to access compromised online bank accounts and to wire money amounting to less than US$10,000 to money mules, indicating that they are fully aware of banking alert limits. The money mules then wire the money back to Eastern Europe.

To read the report, go here.

http://www.net-security.org/malware_news.php?id=1251


The Tech Herald

March 11, 2010

ISP takedown deals smashes Zeus botnet – for a few hours

By Steve Ragan

The Zeus botnet was smacked around on Wednesday, after Group 3 and Troyak, two ISPs linked to C&C servers for Zeus, were de-linked from the Internet, severing the connection between the servers controlling the bots and the infected hosts. Unfortunately, Troyak returned online just a few hours later.

Zeus is the king when it comes to botnet creation kits. The Zeus kit sells for as little as $300.00 USD, or as much as $2,000 USD. It is the base for many other botnet kits online and is so popular it’s even targeted by other botnet systems. The Malware created by the kit is used to infect systems and harvest financial data, as well as other personal information including passwords.

When it comes to the takedown, the person or persons behind the action to have the ISPs taken offline are unknown. Those who are familiar with the operation as it were will not speak on the record. For the most part, the takedown, despite the fact that one ISP came back online rather quickly, is seen as a positive, hailed as another win in the fight against the botnets online.

Truth is, over the last 24 hours Troyak has had two different upstream providers, so it looks as if they are able to re-establish an Internet connection rather quickly, only to have it taken away again.

On the plus side, while the botnet friendly ISP is coming and going, Zeus is taking some serious hits still. As of 12:00 EST (3-11-10), Zeus Tracker reports that there are 181 Zeus domains, 148 Zeus configuration domains, 102 drop zones, and 62 binaries online for Zeus.

These numbers are a fraction of what was live just four days ago. As for Troyak, Zeus Tracker reports that all of the C&C hosted by the ISP are still down at this time. It could be that the bot masters have left the ISP for greener pastures.

Just before the takedown and drop in activity, Zeus was highly active over the past weekend. Adding to that is a Trend Micro research paper that noted an average of around 300 unique Zeus samples per day crossing their Malware collection points. Overall, they witnessed more than 13,000 unique Zeus samples within January 2010 alone.

The takedown of the Zeus ISPs and the struggle for it to return in full force is just the latest botnet action taken for this year. Microsoft recently went after the Waledac, and just last week Panda Security helped take out the ringleaders behind the Mariposa botnet.

The last time an ISP being de-linked impacted a botnet was in 2008, when McColo was shut down. At the time, the ISP's closure led to a global drop in Spam, which surged back to regular levels before the end of Q1 2009, a trend that doesn’t sit well if you consider it in parallel to Troyak and Zeus.

http://www.thetechherald.com/article.php/201010/5363/ISP-takedown-deals-smashes-Zeus-botnet-%E2%80%93-for-a-few-hours


The Register

March 8, 2010

Botnet takedowns 'don't hurt crooks enough'

Punching fog

By John Leyden

The takedowns of the Mariposa and Waledac botnets last week were victories for the good guys, but security experts warn that although cybercrooks suffered a bloody nose they collectively retain the upper hand in their ongoing conflict with law enforcement and its security industry allies.

"We have had significant victories against several botnets in the past but that hasn't stopped the growth in malware or the growth in spam or in information theft," said Rik Ferguson, a security consultant at Trend Micro. "So, while we continue to win significant battles, winning the war will need closer cooperation between governments [and] law enforcement agencies on an ongoing basis rather than on an operational basis."

Ferguson thinks that white hats remain outgunned by cybercrooks. He called for harmonisation of e-crime laws, to get rid of safe havens, and closer international cooperation in fighting internet crime. He added that ISPs have a vital role to play in curbing the botnet scourge. He continued:

I'm not convinced we're winning this - it still needs organisations like ISPs to be willing to identify affected machines and quarantine them while informing customers of this. There is also a need for the harmonisation of laws. There are some countries where it isn't illegal to engage in online criminal activities - or countries where laws are outdated or different to other countries, so there is no harmonisation. Once harmonised, it'll be easier to prosecute and apply common laws across geographical boundaries.

Intelligence sharing between national governments on matters of cybercrime will also be key. There is already intelligence sharing for other types of crimes, why not for cybercrime?

Gunter Ollmann, vice president of Research at security firm Damballa, said that going after the crooks in control of running botnets rather than the domains they used was the only truly effective strategy. Even then difficulties abound.

I've found the takedown of the domain names used by the botnet operators to be ineffective. The bad guys simply register new ones and carry on with their business. For example, one botnet that we track has used over 80,000 different command and control domain names since we've been monitoring them over four years. At any point in time they have around 5,000 live and in use. No sooner is one domain name closed, sinkholed, or hijacked, than they simply register some more and continue business.

Ollmann, a computer scientist and security expert of many years' standing, has published a number of research papers over recent months about botnets in corporate environments. His research suggests that even if one cybercrime ring is brought down other crooks will step in to exploit gaps in the market. Nonetheless pursuing the bad guys is a worthwhile endeavour.

This process is complicated by the fact that ownership of compromised systems often changes hands very quickly in the digital underground, he explained:

It is important to focus on the criminal operators themselves - it's the only way to shut down the botnet. However, it doesn't pay to delay in taking down the operators. Given the trend in buying/selling/renting and horse-trading (eg trading botnet victims in one country with a botnet operator that has botnet victims in another) access to the victim hosts can change hands rapidly. As part of the handover of victims or sections of the botnet, the new operator installs their own (new) botnet agent.

Building and running botnets is a highly competitive business. If one operator goes down, it creates new opportunities for the other botnet operators. It's not as if the victims have suddenly become secure in the interim.

http://www.theregister.co.uk/2010/03/08/botnet_takedown_analysis/


Ecommerce Journal

March 9, 2010

War against botnets is everlasting, endless and fruitless

Last week the Internet community rejoiced over the takedown of the Mariposa and Waledac botnets. Still, many security experts think this is not the definitive victory and in fact the winning is too small. It is the prosecution of the orchestrators behind such criminal schemes that will make the fight against botnets efficient.

"We have had significant victories against several botnets in the past but that hasn't stopped the growth in malware or the growth in spam or in information theft," said Rik Ferguson, a security consultant at Trend Micro. "So, while we continue to win significant battles, winning the war will need closer cooperation between governments [and] law enforcement agencies on an ongoing basis rather than on an operational basis."

“I'm not convinced we're winning this - it still needs organisations like ISPs to be willing to identify affected machines and quarantine them while informing customers of this. There is also a need for the harmonisation of laws. There are some countries where it isn't illegal to engage in online criminal activities - or countries where laws are outdated or different to other countries, so there is no harmonisation. Once harmonised, it'll be easier to prosecute and apply common laws across geographical boundaries.

“Intelligence sharing between national governments on matters of cybercrime will also be key. There is already intelligence sharing for other types of crimes, why not for cybercrime?”

Meantime, Gunter Ollmann, vice president of Research at security firm Damballa, keeps to the view that going after the crooks in control of running botnets will bring more significant results.

He says: “I've found the takedown of the domain names used by the botnet operators to be ineffective. The bad guys simply register new ones and carry on with their business. For example, one botnet that we track has used over 80,000 different command and control domain names since we've been monitoring them over four years. At any point in time they have around 5,000 live and in use. No sooner is one domain name closed, sinkholed, or hijacked, than they simply register some more and continue business.”

He continues: “It is important to focus on the criminal operators themselves - it's the only way to shut down the botnet. However, it doesn't pay to delay in taking down the operators. Given the trend in buying/selling/renting and horse-trading (eg trading botnet victims in one country with a botnet operator that has botnet victims in another) access to the victim hosts can change hands rapidly. As part of the handover of victims or sections of the botnet, the new operator installs their own (new) botnet agent.

“Building and running botnets is a highly competitive business. If one operator goes down, it creates new opportunities for the other botnet operators. It's not as if the victims have suddenly become secure in the interim.”

http://www.ecommerce-journal.com/node/27291


The New New Internet

March 9, 2010

Experts Question Effectiveness of Botnet Takedowns

By Michael Cheek

Recently, two major botnets have been brought down through legal channels and arrests. Microsoft used a court order to take out one botnet and Spanish authorities arrested the administrators of the Mariposa botnet. Despite these recent successes, some security researchers have begun to question how effective taking out a botnet really is, according to an article on TheRegister.co.uk.

Security experts have pointed out that using the current channels to disrupt a botnet may not effectively hurt cyber criminals.

Rik Ferguson, a security consultant at Trend Micro, said “We have had significant victories against several botnets in the past but that hasn’t stopped the growth in malware or the growth in spam or in information theft.”

“So, while we continue to win significant battles, winning the war will need closer cooperation between governments [and] law enforcement agencies on an ongoing basis rather than on an operational basis,” he said.

Disrupting the domains used by criminals is only temporarily effective. Gunter Ollmann, vice president of Research at Damballa, believes that authorities should concentrate on going after the criminals themselves.

“I’ve found the takedown of the domain names used by the botnet operators to be ineffective. The bad guys simply register new ones and carry on with their business,” he said.


RSA Conference

Internet Evolution

March 11, 2010

Security as a Service

Trend Micro's Raimund Genes examines the pent-up need for companies to outsource their security solutions.

See video @

http://www.internetevolution.com/video.asp?section_id=931&doc_id=188808


Forbes.com

March 9, 2010

Cloud Computing

Hybrid Clouds Hit Data Centers

Merging public and private cloud computing infrastructures

By Charlotte Dunlap

There was much buzz about merging public and private cloud infrastructures at last week's RSA Security Conference in San Francisco. As enterprises use virtualization to step up the creation of private clouds around their data centers, security vendors are working to steer customers toward merging private and public clouds for a hybrid cloud approach.

Some security and infrastructure providers realize that private clouds are an important first step toward increasingly moving customer workloads to public clouds as the technology and security catches up.

Private cloud infrastructures are necessary for companies that are regulated under compliance mandates, but CIOs see the value of being able to tap public cloud services for obvious reasons: lower total cost of ownership (TCO), simplified management and access to dynamic global threat intelligence, i.e., malware alerts. Of course, enterprises are still very concerned about the security, reliability and governance issues associated with public clouds, but CIOs are going to be hearing a lot more about hybrid or internal/external cloud options in coming months as a way to appease concerns.

An example of a hybrid cloud solution is the merging of an internally built or private cloud infrastructure with a security vendor's public network of threat intelligence. Examples of global threat intelligence delivered through public cloud services include Trend Micro's Smart Protection Network and Cisco Ironport SenderBase Security Network.

Over the past year security vendors have focused their cloud messaging primarily around Software-as-a-Service offerings targeting specific pain points, such as secure messaging, namely anti-spam. CIOs should anticipate more vendor messaging focused around hybrid cloud computing, targeting those large enterprises--not to mention European customers--that are required under governance to keep company data within the folds of the private cloud infrastructure. Security service providers are acknowledging customers' need to keep data in-house, but they're also providing options to couple private with public infrastructures and allow customers to off-load more of the security burden.

Later this year Trend Micro has plans to expand its private cloud services to include new protocols, such as Web reputation. Trend Micro says it will create a private cloud within the public cloud to let customers store confidential data, a prospect which will likely be most attractive to Internet service providers.

http://www.forbes.com/2010/03/08/cloud-computing-security-technology-virtualization10-hybrid.html?boxes=Homepagechannels


Financial Times

March 7, 2010

Software helps hackers empty corporate accounts

By Joseph Menn

A new wave of sophisticated computer attacks is draining the bank accounts of small and medium-sized businesses, with the latest version of the most widely distributed criminal tool expected to worsen the losses, according to researchers and regulators.

Losses among US banks and their customers from computer intrusions and falsified electronic transfers were about $120m in the third quarter, more than triple the level of two years ago, according to a Federal Deposit Insurance Corporation specialist. David M. Nelson, a technology expert at FDIC, said that represented an increasing share of overall identity fraud, including bad cheques, that was costing the system about $700m per quarter.

As much as half of the new fraud is blamed on a stealthy “Trojan” program called Zeus or Zbot, which has more than 1,000 versions that can be modified to target accounts at different institutions. The program can intercept financial data and make withdrawals simultaneously.

Older versions of Zeus, typically installed through trick e-mails or links sent on social networks, are free in hacking circles but more likely to be detected by security software.

More recent iterations – sold for thousands of dollars by their authors in eastern Europe – are harder to catch and more pernicious, defeating security at big banks including SMS text-message authentication and physical tokens with changing passwords.

A premium version of Zeus completed in November allows buyers to capture SMS codes and other extra verification data by opening fake data-entry fields in the Internet Explorer web browser during real transactions. When a user types in the password, the criminal sees it.

Kevin Stevens, a researcher at SecureWorks, said the next version, Zeus 1.4, would expand that capability to the Firefox browser. He cited electronic chats by Zeus 1.4 testers. Mr Stevens said it would also change its digital appearance with each new PC infected, making it extremely hard for security scans to catch.

Law enforcement officials, who have made combating Zeus a top cybercrime priority, said that the hundreds of thieves running Zeus operations focus on small businesses because they have larger bank accounts and less robust electronic security.

Banks typically do not extend them the same fraud guarantees that they do for consumers. Little & King, a New York marketing company, said last month it might file for bankruptcy protection after a Zeus Trojan grabbed $164,000.

A small but expanding number of businesses have sued their banks, which are required under liability law to have “commercially reasonable” security measures. PlainsCapital Bank in Dallas pre-emptively sued a customer called Hillary Machinery that lost $230,000 through overseas transfers to accounts in Kiev, Moscow and elsewhere.

“We’d never wired money or done business with anyone overseas,” said Troy Owen, Hillary vice-president. “I expected them to return the money to our account, much like if someone used a credit card without authorisation, but they said they were not responsible.” The bank says Hillary was at fault. PlainsCapital had asked clients to register computer addresses they would use to make transactions and received e-mails appearing to be from Hillary that registered new addresses just before the bogus transfers. Hillary’s computers might have been compromised, it said, but the bank’s were not. Hillary countersued in February, contending that “it was not commercially reasonable for PlainsCapital to fail to implement security measures to secure electronic funds from known criminal endeavours”.

Patrick Peterson of Cisco Systems and others speaking at last week’s RSA IT security conference in San Francisco urged banks to do more to verify transfers.

Security company Trend Micro forecast that Zeus would be around for years but said luck could be running out for its authors. Because the crew embedded commercial-grade controls to monitor the spread of private versions, authorities believe they have been able to track down and identify members of the gang.

Officials in Russia, the Ukraine and in the west might be able to make arrests in the coming months, according to people involved in the case.

http://www.ft.com/cms/s/0/9d3e5c3e-2a1a-11df-b940-00144feabdc0.html



Computerworld

March 11, 2010

Update: Security industry faces attacks it cannot stop

By Robert McMillan

(Adds quote from an AVG spokeswoman.)

March 11, 2010 (IDG News Service) At the RSA Conference in San Francisco last week, security vendors pitched their next generation of security products, promising to protect customers from security threats in the cloud and on mobile devices. But what went largely unsaid was that the industry has failed to protect paying customers from some of today's most pernicious threats.

The big news at the show had to do with the takedown of the Mariposa botnet -- a massive network of hacked computers that has infected half of the Fortune 100 companies. So-called advanced persistent threat (APT) attacks, such as the one that compromised Google systems in early December, were another hot topic.

Both Mariposa and the Google attacks illustrate the same thing, however. Despite billions of dollars in security spending, it's still surprisingly hard to keep corporate networks safe.

That's because for these advanced attacks to work, the bad guys need to find only one vulnerability in order to sneak their malicious software onto the target network. Once they get a foothold, they can break into other computers, steal data, and then move it offshore. The good guys have to be perfect -- or at least very quick about spotting intrusions -- to keep APT threats at bay.

Traditional security products are simply not much help against APT attacks, said Alex Stamos, a partner with Isec Partners, one of the companies investigating the APT attacks. "All of the victims we've worked with had perfectly installed antivirus," he said. "They all had intrusion detection systems and several had Web proxies scan content."

The problem is that the bad guys can buy this technology too, and test and re-test their attacks until they slip through. "Anybody can download and try every single antivirus engine against their malware before they ship it," Stamos said.

Emphasizing this point, antivirus testing company NSS Labs created a variation on the known Internet Explorer 6 attack, used in the Google incident, and tested it against seven popular antivirus products. NSS also tested the original attack code against the same antivirus products. The tests, conducted two weeks after the bug was made public, found that only McAfee's antivirus product stopped the new variant of the attack.

One company, AVG, didn't even stop the original attack, according to NSS. Eset, Kaspersky, Symantec, Sophos, AVG and Trend Micro all failed to block a variant of the Aurora exploit.

But AVG said in response that its products detect the Aurora attack. A spokesman said the results were due to flaws in NSS's testing methodology. However, the company does not dispute the claim that its product failed to detect variants of Aurora.

That's because it hasn't been able to verify the NSS tests, an AVG spokeswoman said Thursday. "We don't know what variant they created because they won't show us any of their data," she said.

Antivirus companies could "definitely be doing a better job," said NSS President Rick Moy. "They should be implementing more vulnerability-based detection. There's a little too much focus on the malware payload."

Paul Roberts, an analyst with industry research firm the 451 Group, put it more strongly: "Enterprises are very dissatisfied with the level of protection they're getting from their end-point antimalware suites," he said. While antivirus companies are experimenting with ways to block programs based on an analysis of different factors, such as the file's behavior, its age, origin and how widely it is being used, these features are often turned off because they end up blocking legitimate programs, Roberts said.

Many security experts now agree that patches, up-to-date antivirus, plus intrusion detection systems are not enough to protect companies from the worst of today's cyberthreats.

"The security industry's going to have to think about selling solutions that actually work with this type of environment," Isec's Stamos said. "Basically nothing that people have bought over the last 16 years is going to help them stop a single guy sitting at a computer who is a Windows shellcode person targeting one person, and spending months to break into that computer." Shellcode is the initial payload program hackers use to install further programs, once they have hacked into a system.

But that message hasn't quite sunk in everywhere in the corporate world, said Paul Melson, information security manager with Priority Health, in Grand Rapids, Michigan. "A lot of companies have either turned their security teams into compliance teams or are still fighting the same fight they were fighting six or seven years ago."

The antivirus vendors argue that their products still serve a purpose, and indeed, nobody in the corporate world is turning them off.

Antivirus blocks "the vast majority" of all attacks that McAfee tracks every day, said Dave Marcus, a McAfee director of security research. Antivirus vendors are developing new systems -- white-listing products and cloud-based security offerings such as McAfee's Artemis -- to keep pace with rapidly changing threats. But ultimately, enterprises must also develop ways of responding to new threats and intrusions. "When you've got the determined attacker who can profile their victim, they have a high level of succeeding," he said.

Advanced attacks such as APT scare Jason Stead the most. Stead is the Phoenix-based manager of information security with Choice Hotels. His industry has come under targeted attacks over the past few years as hackers have broken into point-of-sale systems in many different hotels. They often succeed by discovering one vulnerability and replaying the attack on hotel after hotel. In the hotel business, one data breach at a franchisee can cause serious damage to a company's brand.

That means that the integrity of a company's brand can depend on people who simply don't have the resources to stop determined attackers. "Your franchisees are traditionally mom-and-pop shops," Stead said. "They don't have the technology experience to protect themselves."

Technology vendors want to sell a complete product, but it's really not possible to buy your way into a secure environment. That takes a bigger commitment. "It's all about user awareness and procedures," Stead said. That means teaching employees about risky online behavior; and building a security team that can get the most out of the security tools it has.

According to Priority Health's Melson, the problem extends beyond the security companies. "If you're going to hold the security industry responsible, you have to also hold the operating system and client software vendors at least as responsible," he said. "You've got platforms that still make it possible for someone to make software that's not part of the design, and not known to the end-user."

"I think that at the end of the day the lesson you get from something like the Aurora incident is that you have to have incident responders," Melson said. "If you're not prepped for incident response and incident containment, if you're not using actual people to do security analysis in your environment, the advanced persistent threat is going to walk right through."

http://www.computerworld.com/s/article/9169658/Update_Security_industry_faces_attacks_it_cannot_stop



Computerworld

March 11, 2010

Security industry faces attacks it cannot stop

By Robert McMillan

March 11, 2010 (IDG News Service) At the RSA Conference in San Francisco last week, security vendors pitched their next generation of security products, promising to protect customers from security threats in the cloud and on mobile devices. But what went largely unsaid was that the industry has failed to protect paying customers from some of today's most pernicious threats.

The big news at the show had to do with the takedown of the Mariposa botnet -- a massive network of hacked computers that has infected half of the Fortune 100 companies. So-called advanced persistent threat (APT) attacks, such as the one that compromised Google systems in early December, were another hot topic.

Both Mariposa and the Google attacks illustrate the same thing, however. Despite billions of dollars in security spending, it's still surprisingly hard to keep corporate networks safe.

That's because for these advanced attacks to work, the bad guys need to find only one vulnerability in order to sneak their malicious software onto the target network. Once they get a foothold, they can break into other computers, steal data, and then move it offshore. The good guys have to be perfect -- or at least very quick about spotting intrusions -- to keep APT threats at bay.

Traditional security products are simply not much help against APT attacks, said Alex Stamos, a partner with Isec Partners, one of the companies investigating the APT attacks. "All of the victims we've worked with had perfectly installed antivirus," he said. "They all had intrusion detection systems and several had Web proxies scan content."

The problem is that the bad guys can buy this technology too, and test and re-test their attacks until they slip through. "Anybody can download and try every single antivirus engine against their malware before they ship it," Stamos said.

Emphasizing this point, antivirus testing company NSS Labs created a variation on the known Internet Explorer 6 attack, used in the Google incident, and tested it against seven popular antivirus products. NSS also tested the original attack code against the same antivirus products. The tests, conducted two weeks after the bug was made public, found that only McAfee's antivirus product stopped the new variant of the attack.

One company, AVG, didn't even stop the original attack, according to NSS. Eset, Kaspersky, Symantec, Sophos, AVG and Trend Micro all failed to block a variant of the Aurora exploit.

But AVG said in response that its products detect the Aurora attack. A spokesman said the results were due to flaws in NSS's testing methodology. However, the company does not dispute the claim that its product failed to detect variants of Aurora.

Antivirus companies could "definitely be doing a better job," said NSS President Rick Moy. "They should be implementing more vulnerability-based detection. There's a little too much focus on the malware payload."

Paul Roberts, an analyst with industry research firm the 451 Group, put it more strongly: "Enterprises are very dissatisfied with the level of protection they're getting from their end-point antimalware suites," he said. While antivirus companies are experimenting with ways to block programs based on an analysis of different factors, such as the file's behavior, its age, origin and how widely it is being used, these features are often turned off because they end up blocking legitimate programs, Roberts said.

Many security experts now agree that patches, up-to-date antivirus, plus intrusion detection systems are not enough to protect companies from the worst of today's cyberthreats.

"The security industry's going to have to think about selling solutions that actually work with this type of environment," Isec's Stamos said. "Basically nothing that people have bought over the last 16 years is going to help them stop a single guy sitting at a computer who is a Windows shellcode person targeting one person, and spending months to break into that computer." Shellcode is the initial payload program hackers use to install further programs, once they have hacked into a system.

But that message hasn't quite sunk in everywhere in the corporate world, said Paul Melson, information security manager with Priority Health, in Grand Rapids, Michigan. "A lot of companies have either turned their security teams into compliance teams or are still fighting the same fight they were fighting six or seven years ago."

The antivirus vendors argue that their products still serve a purpose, and indeed, nobody in the corporate world is turning them off.

Antivirus blocks "the vast majority" of all attacks that McAfee tracks every day, said Dave Marcus, a McAfee director of security research. Antivirus vendors are developing new systems -- white-listing products and cloud-based security offerings such as McAfee's Artemis -- to keep pace with rapidly changing threats. But ultimately, enterprises must also develop ways of responding to new threats and intrusions. "When you've got the determined attacker who can profile their victim, they have a high level of succeeding," he said.

Advanced attacks such as APT scare Jason Stead the most. Stead is the Phoenix-based manager of information security with Choice Hotels. His industry has come under targeted attacks over the past few years as hackers have broken into point-of-sale systems in many different hotels. They often succeed by discovering one vulnerability and replaying the attack on hotel after hotel. In the hotel business, one data breach at a franchisee can cause serious damage to a company's brand.

That means that the integrity of a company's brand can depend on people who simply don't have the resources to stop determined attackers. "Your franchisees are traditionally mom-and-pop shops," Stead said. "They don't have the technology experience to protect themselves."

Technology vendors want to sell a complete product, but it's really not possible to buy your way into a secure environment. That takes a bigger commitment. "It's all about user awareness and procedures," Stead said. That means teaching employees about risky online behavior; and building a security team that can get the most out of the security tools it has.

According to Priority Health's Melson, the problem extends beyond the security companies. "If you're going to hold the security industry responsible, you have to also hold the operating system and client software vendors at least as responsible," he said. "You've got platforms that still make it possible for someone to make software that's not part of the design, and not known to the end user."

"I think that at the end of the day the lesson you get from something like the Aurora incident is that you have to have incident responders," Melson said. "If you're not prepped for incident response and incident containment, if you're not using actual people to do security analysis in your environment, the advanced persistent threat is going to walk right through."

http://www.computerworld.com/s/article/9169598/Security_industry_faces_attacks_it_cannot_stop

Also @ San Francisco Chronicle

http://www.sfgate.com/cgi-bin/article.cgi?f=/g/a/2010/03/11/urnidgns852573C400693880852576E3007E3A19.DTL



Computerworld Blog: Security Impact

March 5, 2010

Innovation is discovered at RSA 2010

By Eric Ogren

The RSA Conference is wrapping up, and it was a much more upbeat experience than the past couple of years. Exhibitors were happy with the booth traffic, many interviewed executives reported sizable year-over-year revenue gains, and most were optimistic about prospects for the balance of 2010. A by-product of the ugly 2009 business climate is that innovation – something I had given up on ever seeing again – has returned to the security industry. Following are just a few of the many interesting announcements that helped make RSA Conference 2011 a must-attend event:

Check Point announced an innovative virtual workspace capability consisting of a VPN client, application control, and transparent encrypted storage all delivered on a secure SanDisk USB stick. The Abra product allows users to securely and easily connect to corporate applications, regulated and confidential data remains protected at the end-point, and the environment is isolated from most malware that may exist on the endpoint. IT centrally provisions the remote access environment with usage enforced by Check Point firewall checks. IronKey has also shown leadership with virtual workspaces on a USB stick that provide a protected browsing environment targeted for banking applications. Virtual workspaces should be a top priority for IT teams with requirements for easy to administer secure remote access.

AppRiver announced a relationship with Akamai whereby email servers will be hosted in the cloud. This could signal the beginning of a shift of corporate data from on-premise data centers to cloud servers that place the data close to users with performance benefits to users and cost savings benefits via shared resources. Large security vendors, including Trend Micro, are already aligning product strategies to not only offer cloud-based security offerings, but to also secure new cloud-based infrastructure strategies.

SonicWALL has many interesting features and performance enhancements in its recent announcement, with its application intelligence delivering an interesting cross-over of security and network operations features. While SonicWALL inspects packets for the presence of malware, it also characterizes the presence of up to 1100 applications, allowing IT and security teams to monitor application activity. Applications, including peer-to-peer and botnets, cannot hide amongst authorized port 80 and 443 traffic. Other firewall vendors, including Palo Alto Networks with its App-ID features, offer similar features. The SonicWALL release is a healthy example of network security crossing over to integrate with network management.

Cisco announced its secure borderless network, with emphasis on securing mobile device access to corporate applications with the same Cisco infrastructure that customers use to protect laptop-initiated VPN sessions. The VPN client and ASA firewall allow users to seamlessly use, or even switch in real-time, between laptop and mobile device VPN sessions without re-authentication or recovering application steps. This capability is sure to appeal to enterprises standardizing on a Cisco networking infrastructure, and serves as an innovative example of embracing mobile devices for business connectivity.

Silver Tail and HyTrust were the two start-ups from the Innovation Sandbox that I found most intriguing. Silver Tail captures http traffic on the wire inspecting packet contents for fraudulent transactions. Like Cyota, Silver Tail focuses on anti-fraud mechanisms more than anti-malware to give the security vendor and its customers a clear ROI story that goes right to the bottom line. HyTrust secures the management of a virtual infrastructure. The approach intercepts all VMware administrative commands and responses for access control and compliance auditing of privileged users. The HyTrust management allows corporations to extend the use of virtual datacenters, including use of motion for performance and disaster recovery.

Every vendor seemed to stress a virtualization and/or cloud vision, even using the terms interchangeably. There were many more exciting announcements and discussions than the few highlighted above. Plan ahead - I understand that next year’s RSA Conference starts on Valentine’s Day.

http://blogs.computerworld.com/15704/innovation_is_discovered_at_rsa_2010



Trend Micro Mentions

MaximumPC

March 2, 2010

How To: Root Out Stubborn Malware with HijackThis

By Paul Lilly

Trying to fix a badly infected PC without HijackThis is sort of like going into surgery without a scalpel; it’s the only tool for the job when all other measures fail. New spyware strains and increasingly complex viruses emerge every day, and your PC’s immune system (i.e., antivirus software) isn’t always able to keep up. And if you’re performing emergency surgery on someone else’s PC, you may find that they didn’t have any AV software installed to begin with.

No matter how bad the infection, HijackThis gives you the means to dig deep into Windows to root out whatever it is that’s wreaking havoc. It’s not a cure-all, however, or even a cure-little. In fact, HijackThis doesn’t cure anything on its own. What HijackThis does do is give you a snapshot of the system’s registry and file settings, putting particular emphasis on the browser. It doesn’t discern between safe and malicious settings, so it’s possible to unintentionally inflict real harm if you don’t know what you’re doing. Follow along as we show you how to properly wield HijackThis.

1. Download and Run HijackThis

Originally developed by Dutch programmer Merijn Bellekom, HijackThis has since been sold to Trend Micro, a security firm better equipped to maintain and update the program. But don’t worry, HijackThis is still free and you can download it at http://free.antivirus.com/hijackthis/ where you’ll find both a stable and beta version. We haven’t run into much trouble using the beta, but it’s currently only available as an installer. With the stable version, you have the option of downloading just the executable and plopping it on your USB thumb drive.

Once installed, fire up the program and choose ‘Do a system scan and save a logfile.’

After you do this, you should see a bunch of seemingly obscure settings in the program’s main window, which will also be listed out in a separate text file generated on the fly. If the text file that appears is empty, try using the stable release instead of the beta.

2. Understand the Results

Keep in mind what we said earlier, in that HijackThis doesn’t discern between safe and malicious entries. Even on a badly infected system, many, if not most, of the settings will be legit and altering them could affect the functionality of your PC.

If you consider yourself a savvy user, you can scroll through the settings on your own and look for any suspicious or harmful settings. In some cases, this will be obvious, but not always, so you want to be sure to Google (or Bing) any entries you’re unsure about before nuking them.

3. Hop Online for a Second Opinion

No matter what your level of expertise, it never hurts to get a second opinion. One way to do this is by posting your log contents on your favorite PC tech support forum. Mash the AnalyzeThis button to see a list of forums to choose from, or just hop over to Maximum PC’s board.

If you strike out on a bulletin board or need instantaneous feedback, German Website www.hijackthis.de will oblige. Just copy your entire log contents to the clipboard (right-click>select all>copy), paste it into the site’s textbox, and press the Analyze button. Within a few moments, the site will spit out the results and alert you to any potential problem areas. Anything with a green checkmark is most likely safe, while the opposite holds true for any red Xs that are displayed. You may also see orange question marks, which are unknown files or entries that require further investigation.

Rather than toss all your eggs in one basket, double-check these results by heading over to http://hjt.networktechs.com. Just like before, you’ll paste your log file’s contents and press the Parse button. All the results are color coded so you can see any potential pitfalls at a glance. Hover your mouse cursor over these to learn why they’re being flagged and what the recommended course of action is.

4. Get Offline Help with HijackReader

The problem with relying on a Website to sift through your HijackThis log is that an infected PC doesn’t always let you have access to the Internet. In some cases, you may be able to hop online, but your Web browsing attempts either get constantly rerouted, or pages load too slowly to be of any help.

In this case, arm yourself with HijackReader, another free third-party app which works in conjunction with HijackThis. There’s no installation necessary – just unzip the archive to your hard drive or portable flash drive and run HijackReader.exe. Copy the HijackThis log file to your clipboard and mash ‘Paste log,’ followed by the ‘Check!’ button.

When HijackReader finishes, it will save the results as an HTML file and prompt you to give it a name. Open this file to see the results. HijackReader tends to know less about individual entries than the online sites do, but for the ones it does recognize, it tends to be a bit more informative. No matter which method you use (or combination thereof), it’s a good idea to double-check any iffy entries with Google before you go blasting away registry and system settings.

http://www.maximumpc.com/article/howtos/how_root_out_stubborn_malware_hijackthis
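
One way to apply steps 2 through 4 offline, as an added example that is not part of the Maximum PC article or of HijackThis itself: it parses a saved HijackThis log and lists only the entries that differ from a log taken when the machine was known to be clean. Both sample logs are constructed, and the function names and the baseline-comparison approach are assumptions of this example.

```python
import re

# Subset of HijackThis section codes; anything else is reported as "other".
SECTIONS = {
    "R": "Internet Explorer start/search page settings",
    "F": "programs autoloaded from .ini files",
    "O1": "hosts file redirections",
    "O2": "Browser Helper Objects",
    "O3": "Internet Explorer toolbars",
    "O4": "autostart entries (Run keys, Startup folders)",
    "O23": "Windows services",
}

# A log entry looks like "O4 - HKLM\..\Run: [Name] C:\path\file.exe".
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")

# Constructed baseline log, saved while the PC was known to be clean.
BASELINE_LOG = r"""
Logfile of HijackThis (constructed sample)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\explorer.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.example.com/
O2 - BHO: ExampleHelper - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Example\helper.dll
O4 - HKLM\..\Run: [ExampleTray] C:\Program Files\Example\tray.exe
O23 - Service: Example Updater - Example Corp - C:\Program Files\Example\upd.exe
"""

# Constructed log from the same PC after it started misbehaving.
CURRENT_LOG = r"""
Logfile of HijackThis (constructed sample)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\explorer.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.example.net/
O1 - Hosts: 192.0.2.10 www.example-bank.test
O2 - BHO: ExampleHelper - {00000000-0000-0000-0000-000000000001} - C:\PROGRAM FILES\Example\helper.dll
O4 - HKLM\..\Run: [ExampleTray] C:\Program Files\Example\tray.exe
O4 - HKCU\..\Run: [updchk] C:\Documents and Settings\user\Local Settings\Temp\updchk.exe
O23 - Service: Example Updater - Example Corp - C:\Program Files\Example\upd.exe
"""


def parse_log(text):
    """Return (code, detail) pairs; header and process-list lines do not match."""
    entries = []
    for raw in text.splitlines():
        match = ENTRY_RE.match(raw.strip())
        if match:
            entries.append((match.group(1), match.group(2).strip()))
    return entries


def describe(code):
    """Map a section code such as 'O4' or 'R0' to a short description."""
    if code in SECTIONS:
        return SECTIONS[code]
    if code[0] in ("R", "F"):
        return SECTIONS[code[0]]
    return "other"


def review(baseline_text, current_text):
    """Group entries present now but absent from the baseline, by section code.

    Comparison is case-insensitive because Windows paths are.
    """
    known = {(code, detail.lower()) for code, detail in parse_log(baseline_text)}
    changed = {}
    for code, detail in parse_log(current_text):
        if (code, detail.lower()) not in known:
            changed.setdefault(code, []).append(detail)
    return changed


if __name__ == "__main__":
    for code, details in review(BASELINE_LOG, CURRENT_LOG).items():
        print(f"{code} ({describe(code)})")
        for detail in details:
            print(f"    {detail}")
```

An entry listed here has only changed since the baseline; it still needs the manual lookup the article recommends before anything is removed.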



PC World (via Yahoo! Tech)

March 11, 2010

It's Time to Finally Drop Internet Explorer 6

By Tony Bradley

Exploit code for the latest Internet Explorer zero-day flaw has been published on the Web, and Microsoft is warning that more attacks against the unpatched vulnerability can be expected in the wild. One thing seems to be more apparent with each passing Internet Explorer (IE) vulnerability: it's time to upgrade the Web browser.

This zero-day exploit of Internet Explorer is just the most recent demonstrating that IE8 is more secure than its predecessors--especially IE6. Security aside, Web hosts and developers generally despise IE6 as well. For evidence of this fact you need look no further than the extensive list of supporters displayed on the IE6nomore.com site.

IE6 is Not Secure

Wolfgang Kandek, CTO of Qualys, noted via email, "IE6 is a 10-year old browser, with its architecture designed when the Internet was a much more innocent place. IE8 has many additional security features and had the Microsoft SDL [Security Development Lifecycle] applied throughout. Its CSS and JavaScript support are much better than IE6, or even IE7, and it is a much more robust interface for the new Web 2.0 type applications."

Joshua Talbot, Security Intelligence Manager, Symantec Security Response, agreed: "IE 6 does not have the security features implemented in later versions of IE; for example, Data Execution Prevention (DEP) and Protected Mode. DEP makes it more difficult for attackers to successfully exploit memory corruption vulnerabilities, while Protected Mode limits what an attacker can do if they are able to gain control of the IE process."

This is the part where many readers stop reading and jump over to the comments to express their opinion--sometimes quite passionately--that everyone should just stop using Internet Explorer completely and that anyone who chooses to continue using IE as their Web browser deserves the issues and security concerns that come with it.

Judging from the Web browser market share trends, there are many who subscribe to the "drop Internet Explorer" mantra. Microsoft has seen steady--although minute--declines in market share month after month, while rival Web browsers such as Firefox and Chrome continue to make gains. Still, Microsoft holds a dominant stake at almost 62 percent--more than double the share held by second-place Firefox.

If you drill a little deeper in the browser market share data, though, you will find that not only is Internet Explorer the number one browser, but IE8 specifically is at the top of the list with more than 22 percent of the browser market. Not too shabby for a browser that will celebrate its one-year anniversary next week.

What is concerning is that the number two browser is the nine year old IE6 at almost 20 percent of the market. Although IE7 has been available for almost four years, it is the number four browser, coming in behind Firefox 3.5 with a meager 13.57 percent.

Wean Off of IE6

IE6 is simply not secure and businesses and IT administrators should make it a priority to upgrade the Web browser as soon as possible. The Web is a major vector for cyber attacks and the Web browser is the Achilles heel that makes organizations vulnerable and creates the weakest link in the security chain.

Of course, it's not quite that easy. Many organizations that still rely on IE6 would like to make the switch to IE8 but can't. Kandek explained, "In the corporate environment, software is managed, and IE6 or IE7 are part of the initial, approved build that works on all internal applications. Requalifying that build against all internal applications is a large effort that many companies do not have resources for."

"If they do, they might find applications that specifically use IE6 features that are incompatible with other browsers. Recently one of our larger customers told me that they had dozens of applications that do not run under IE8," continued Kandek.

Symantec's Talbot shared the same concerns: "For enterprises, not only is there a cost to purchase software, there is also the cost to deploy and maintain. An enterprise must quality-assure software to ensure the new version meets the current needs and that there are no compatibility issues. They must also allocate IT resources to deploy the update. Then there is also an education component that must be provided for users to address differences between versions and how to handle known compatibility issues."

A Microsoft spokesperson commented via e-mail to say, "Microsoft has consistently recommended that consumers upgrade to the latest version of our browser. Internet Explorer 8 offers improvements in speed, security and reliability as well as new features designed for the way people use the web. While we recommend Internet Explorer 8 to all customers, we understand we have a number of corporate customers for whom broad deployment of new technologies across their desktops requires more planning."

I understand that it can be a daunting undertaking to ensure that all commercial software and custom internal applications used by the organization will work properly under a newer Web browser--or find and implement alternate applications that will. Continuing to run IE6, though, is like leaving your car unlocked with the keys in the ignition.

Internet Explorer 8 Wins Against Social-Engineering Attacks

A recent report from NSS Labs illustrates why moving from IE6 (or even IE7) to IE8 should be a priority for IT administrators. It also contradicts the IE-bashing wisdom and shows that IE8 is actually the most secure Web browser when it comes to protecting systems against social networking and Web 2.0 attacks.

Socially-engineered malware attacks--or phishing attacks--pose an increasing risk to organizations. These attacks use social engineering and exploit the trust of the end-user to compromise, steal, or damage sensitive information.

The NSS Labs report claims "53 percent of malware is now delivered via Internet download versus just 12 percent via e-mail according to statistics from Trend Micro. And, according to Microsoft, as many as 0.5 percent of the download requests made through Internet Explorer 8 are malicious."

NSS Labs tested five Web browsers (IE, Firefox, Safari, Chrome, and Opera) over the course of 18 days. Testing was conducted 24x7 during the evaluation period, attacking the browsers with more than 550 socially-engineered malware links.

This was the third time NSS Labs has conducted these Web browser security tests. According to the report, "Over the three tests, Windows Internet Explorer 8 provided the best protection against socially-engineered malware and was the only browser that improved its block rate test-over-test, successfully stopping 69 percent, 81 percent, and 85 percent of threats in each respective test."

Talbot explained that there is nothing magical that makes any Web browser inherently superior to the rest. "Applications and operating systems from any vendor typically don't have anything special in terms of their code that makes them impervious to vulnerabilities and therefore attacks."

"It really comes back to the fact that the more popular software is the more it will be targeted. Thus, if everyone in the world switched to some obscure browser with very little market share, attackers would start targeting it. Attackers go where the money is, and the money is wherever the people are," summed up Talbot.

Tyler Reguly, lead research engineer for nCircle, also responded by e-mail and expressed a similar sentiment that the browser itself is not the issue. "The insecurity these days comes from a lack of 'smart browsing' or 'safe browsing'. People are too willing to browse the seedy underbelly of the internet. Many people wouldn't walk down a dark alley and purchase items from a guy sitting in the dark, but they're willing to visit (and purchase from) websites that are the cyber-equivalent."

To sum it up--stop using Internet Explorer 6. You will be doing yourself, your company, and the rest of the world that shares the Web with you a tremendous favor. And, as long as you're upgrading away from IE6, IE8 offers a solid Web browser to switch to.

Other Web browsers such as Firefox or Chrome would also be exceptionally more secure than IE6; however, organizations that are used to managing IE through Group Policy and updating it using the tools provided by Microsoft need to consider how supporting and patching alternate browsers will fit into the network infrastructure.

R.I.P. IE6. We knew thee (too) well.

Tony Bradley is co-author of Unified Communications for Dummies. He tweets as @Tony_BradleyPCW. You can follow him on his Facebook page, or contact him by email at tony_bradley@pcworld.com.

http://news.yahoo.com/s/pcworld/20100311/tc_pcworld/itstimetofinallydropinternetexplorer6



Dark Reading

March 11, 2010

Only One in Seven Consumer AV Tools Catch New 'Aurora' Variants

NSS Labs says its new test shows antivirus' exploit detection emphasis flawed, but others disagree

By Kelly Jackson Higgins

DarkReading

Most antivirus products don't detect new variants of the exploit used in the so-called "Operation Aurora" attacks on Google, Adobe, and other U.S. companies, according to a new test conducted by NSS Labs.

NSS Labs created variants of the Aurora malware and payloads and tested whether seven consumer AV packages would catch the exploits and their payloads. The exploits attacked the Internet Explorer vulnerability used in the Aurora attacks. Only McAfee Internet Security 2010 with SecurityCenter, Version 9.15.160, stopped the variants. Other products tested were AVG Internet Security Version 9.0.733; ESET Smart Security 4 Version 4.0.474.0; Kaspersky Internet Security 2010 Version 9.0.0.736; Symantec Norton Internet Security 2010 Version 17.0.0.136; Sophos Endpoint Protection for Enterprise Anti-Virus Version 9.0.0; and Trend Micro Internet Security 2010 Version 17.50.1366.0000.

"Vendors need to put more focus on the vulnerability than on exploit protection," says Rick Moy, president of NSS Labs. "They pay more attention to the payload, and that's the problem."

Moy says vulnerability-based protection from AV companies basically serves as a way to plug the hole in the door. "And if you patch, the door goes away altogether," he says. He says he was surprised that given the time that has elapsed since the attacks and the widely published information on the malware that most if not all of the AV tools would detect variants of the malware.

But not everyone agrees. Marc Maiffret, chief security architect for FireEye, says it's the reactive approach to catching malware that's all wrong. "The thinking on this [test] is very old-school: vulnerability-based protection is stupid because you're saying you have to know about the vulnerability. The whole point of Aurora and most modern, significant attacks is that we don't know about the vulnerability," Maiffret says. "They should have been testing to see who actually would have stopped Aurora regardless of known vulnerability prevention. Reactive vulnerability signatures are just another losing battle."

Maiffret says it's a systemic problem. "One of the biggest farces in our industry recently is that all of these vendors are claiming zero-day protection, but what they are really saying is that they went from writing reactive signatures for exploits to writing reactive signatures for vulnerabilities."

Randy Abrams, director of technical education for ESET, says vulnerabilities must be patched by the vendor, not protected by the AV product. "We all detect some attempts to exploit vulnerabilities, but this isn't always feasible with every attempted exploit. In some cases, such scanning would bring systems to their knees," Abrams says. "In some cases, there would be false positives induced as some programmers do not realize they have found a vuln and write in-house programs that make use of the vuln," which sometimes happens, he says.

Abrams says it's all about defense-in-depth. "Right now one of the biggest battles is to simply get people to patch in a timely manner," he says. "Conficker showed how bad patch management is at the corporate and governmental levels. Aurora demonstrated that it really is important to use current Web browsers."


http://www.darkreading.com/vulnerability_management/security/antivirus/showArticle.jhtml?articleID=223600014



Hospitality.net

March 11, 2010

WARNING TO HOTELS... Don't Use Free Link Shortening Services in Your Marketing

A few months ago we wrote about the many reasons why hoteliers should not be using free link shortening services such as TinyURL and Bit.Ly. While there are numerous free services available, most put your hotel at risk and may cost you dearly in lost business opportunities. The Internet is still a little like the "wild wild west" and our reasons for not using free link shortening services remain true - doing so puts your hotel at risk in many ways.

Free Link Shortening Services Create Security Risks for Hotels

The biggest issue for hotels presents itself as a serious security threat. As reported by leading virus security company Trend Micro, TinyURL has become a popular tool for spammers and phishing scams. Spammers have used TinyURL to create short nondescript links, which redirect users to malicious websites where unsuspecting users become victims of phishing attacks. Read Trend Micro-TinyURL Becomes Popular for Phishing.

Free Link Shortening Services Provide No Support for Hotels

If the aforementioned security concerns don't convince you that free link shortening services are risky, maybe our next point will. What happens to all those free links you created if the free service is "down" or out of business? Who do you call...can you call anyone, or do you have to rely on emailing support? In the meantime, those free short links you created are in your printed ads, emails and in online Twitter, YouTube and Facebook posts! This has all happened before, and it's not pretty. Read: TinyURL Outage Illustrates the Service's Risk. Read: Bit.ly + TinyURL = Fail

Other Reasons to Never Use Free Link Shortening Services

* There is no branding. When you see a TinyURL you are clicking blindly. You have no idea what kind of website you're being taken to;

* Links are forgettable! How do you remember a link like this: http://bit.ly/10HYCo;

* No control over the URL shortening service. Do you trust TinyURL? How long might they be around for? What happens if they have a massive data outage tomorrow and all your URLs go to 404 error?

The Right Way For Hotels to Create Short Links -

Link2Brand.com enables hotels to effectively and safely create short marketing links and to build online brand equity. More specifically, Link2Brand:

* is a paid service, thereby eliminating all spam or phishing activities;

* offers unique branding opportunities with over 20 selectable relevant domain names that relate to hotels and every link created includes the hotel's name;

* provides real-time click tracking on all links created, enabling link ROI analysis;

* enables auto-expiring links, which automatically become disabled on a pre-set date managed by the hotel;

* offers hoteliers an online dashboard to organize and manage all links created;

* enables the creation of sub-users for each hotel account, allowing for multiple users to share one account;

* is supported by Lodging Interactive, a multi-million dollar hospitality focused interactive agency.

"Hundreds of hotels worldwide are doing it right and leveraging the power of Link2brand.com in their marketing and communications," said Mr. DJ Vallauri, Founder & President of Lodging Interactive. "Furthermore, Link2Brand.com is a great tool for hotels to use to promote loyalty amongst local businesses and organizations."

Hotel Sales & Marketing Directors can also use Link2Brand.com to create vanity URL links specifically for local corporate accounts to book reservations without having to remember booking codes or SRP codes.

Interested hoteliers can try Link2Brand for free by visiting Link2Brand.com.

About Lodging Interactive

Lodging Interactive, headquartered in Parsippany, NJ, is a leading provider of Internet Marketing Services to the hospitality, spa and restaurant industries. The company provides a portfolio of effective hotel internet marketing services to hundreds of hotels, resorts, timeshares, spas and restaurants. Clients include branded hotels from nearly every major brand as well as prestigious, landmark independent hotels.

Through its CoMMingle Social Media Marketing Agency operating division, the Company offers hospitality focused and fully managed outsourced hotel social media marketing.

Lodging Interactive is a member of the American Hotel & Lodging Association (AHLA) and is a proud supporter of the Hotel Sales & Marketing Association International (HSMAI). For more information contact Richard Walsh, Vice President of Business Development at sales@lodginginteractive.com or at 877-291-4411. The company's website is located at http://www.lodginginteractive.com/.


http://www.hospitalitynet.org/news/154000320/4045776.html



ComputerWorld

March 8, 2010

Just Watching Is No Longer Enough;

It may be time to supplement monitoring the network with endpoint security.

By Mathias Thurman

HIGHLIGHT: It may be time to supplement the monitoring of the network with endpoint security.

Trouble Ticket

At issue: The company's intellectual property has to be secured.

Action plan: Endpoint technology is attractive in theory but hard to implement. For now, port blocking might be all that can be done.

When I visit my company's overseas offices, I'm often asked what we can do to control USB ports and other external connectors in order to prevent the loss of intellectual property. That's a goal I'm always interested in pursuing.

I would say that at this point we have a fairly mature network data leak prevention (DLP) infrastructure. Not that it's near where I would like it to be. We don't have 100% coverage of every egress point in the organization. We're not monitoring our internal LAN traffic, and we don't have all the product divisions signed up to use our DLP tools. But I still consider the infrastructure mature, since we have processes in place for monitoring the network and conducting investigations once we do implement endpoint security technology.

A strong case can be made for doing that, but implementation can be a nightmare. I have the battle scars to prove it.

A couple of years ago, we were swept away by the sales pitch from a fairly new vendor whose offering, it turned out, was rather immature. We decided to try it, and the only good news about what happened next is that the deployment was limited.

Deploying endpoint technology is never easy, and that may be especially true in my company. With so many engineers, we can't maintain a standard operating system profile across the enterprise. And because users have administrative access to their PCs, they are free to install programs; that makes it difficult to keep up with what applications need to be tested with the endpoint DLP technology. Finally, our engineers are often engaged in computer-aided design and source code development, which are intensive applications.

In any event, thinking we had a stable release to try out, we decided to remotely deploy the start-up's technology to our development office in Moscow, where we have 50 software engineers. Many of those engineers' PCs froze or blue-screened. We lost several development cycles as a result and missed the launch date for one of our products.

Naturally, we abandoned that project, but to this day many people here get a bad taste in their mouths if endpoint DLP is brought up, and the mere mention of that vendor's name makes some of us cringe.

No Disruptions

The problem is that endpoint software is a disruptive technology, since it works by intercepting system calls and replacing other system files. It has to do this if it's going to identify, track and secure data at rest, in use and in motion, no matter what application is used. And it needs to be aware of every application in use in the enterprise, including Exchange and webmail, instant messaging, Skype and Windows File Sharing, as well as the movement of data to CD, DVD or USB devices. And the technology needs to be sophisticated enough to allow the use of benign USB devices such as keyboards and mice.

Yet another roadblock to endpoint DLP adoption is that the technology isn't one-size-fits-all; it needs to be tuned to each set of employees. Managing that sort of thing would take additional staff and new training for the help desk. So, although we're currently evaluating some DLP vendors, I'm inclined to look elsewhere for the protection we need right now.

One option I'm considering is port blocking. I'm going to start looking at vendors in that market, including Trend Micro, which is our antivirus and antispyware provider. It could be convenient if we can do it all from one Trend Micro Control Management console. But I would be remiss if I didn't check out other vendors as well.

This week's journal is written by a real security manager, "Mathias Thurman," whose name and employer have been disguised for obvious reasons. Contact him at computerworld.com/blogs/security



ComputerShopper.com

March 8, 2010

Asus Eee PC 1008P Seashell (Karim Rashid Collection) Review

Reviewed by: Catharine Smith

Review Date: March 2010

It's no surprise: In tech, as in so many things, you have to pay for pretty. An exceptionally designed netbook, such as the Asus Eee PC 1008P Seashell (Karim Rashid Collection), will generally cost a premium over an ordinary-looking model with the same hardware inside. In the case of the 1008P, though, the outside is stunning, but what's inside is plain-Jane. This portable's performance falls far enough below the average netbook’s that even those with the extra cash should seriously consider whether its good looks are worth the splurge.

The 1008P is built around Intel’s N450 Atom processor, part of the energy-efficient Pine Trail architecture that includes integrated Intel GMA 3150 graphics. The $499 system is super-slim and lighter than many other netbooks. It measures exactly 1 inch thick when closed and weighs only 2.5 pounds. The system is powered by 2GB of RAM and offers 320GB of storage, both above-average for a portable this size. The outer shell of our test unit featured a snazzy, two-dimensional brown weave pattern created by fashion designer Karim Rashid. (This model also comes in pink.) Interestingly, the brown weave pattern covers both the screen lid and the bottom of the chassis—a design touch seldom seen.

When you open the lid, you’re greeted by the 10.1-inch display, which is frameless and LED-backlit. Under bright office lighting, the glossy screen picked up a lot of glare. The 1008P’s native resolution of 1,024x600 seems like a step back nowadays, when so many netbooks feature 720p (1,366x768) resolutions. We also noticed that streaming video on Hulu looked a little choppy, but we’ve seen much worse from other netbooks.

To go with the chic look of the edge-to-edge display is the matte-black Chiclet-style keyboard, which houses keys that are springy, responsive, and quiet during typing. And while the key bed is sturdy, the keyboard is reduced in size, which makes for a tiny right-Shift key and cramped arrow keys. Below the keyboard, you’ll find the touch pad, which has a rubbery texture that we liked. It supports multi-gesture functions, which we found worked reliably. (That's not a given.) We weren’t as pleased, though, by the slim metallic button bar; it has an uncomfortably shallow plunge.

Along the left side of the chassis, only the power port and the media-card reader are visible; a USB port and a mini-VGA connector are hidden behind a protective door. On the right side, a double-door niche hides the Ethernet jack; another protective door houses a second USB port, a microphone jack, and a headphone jack. The system is also equipped with WLAN 802.11b/g/n and Bluetooth 2.1. Both functions share the F2 key to toggle them on and off, but only the Wi-Fi symbol is marked on the key.

To keep the system thin and compact, Asus did not include a VGA port along the side of the chassis. Instead, you get a removable mini-VGA dongle, which is stored in a hollow recess on the bottom of the unit. (You can see the storage bay below, at right.) You plug the dongle into the mini-VGA connector on the left edge. Fitting the dongle back into place when you're done with it is tricky, though. And incidentally, while we were wrestling the dongle back into place, we noticed that the area surrounding the compartment can get pretty hot.

Some of the ancillary hardware was a pleasant surprise. Nestled into the screen’s glass is the 1.3-megapixel Webcam, which offers some of the best images we’ve seen in a while from a netbook. The picture is clear, and skin tones are accurate. Motion capture is a little blurry, but it’s better than we expected. The microphone, however, records uneven sound that crackles during playback. And the speakers, located along the beveled front edge, are some of the loudest we’ve ever encountered on a netbook. Soft surfaces like a couch or lap won’t dampen the sound, even though the speakers project downward. On a desk or table, the sound quality is a little hollow at maximum volume, but at medium volume it's much better and nearly loud enough to fill a small room.

Like many netbooks, including all the Pine Trail–equipped models we've tested (those with an Intel Atom N450 CPU, such as the Asus Eee PC 1005PE, Acer Aspire One AO532h-2Dr, HP Mini 5102, and the MSI Wind U135), the 1008P cannot support our PCMark Vantage test (which measures overall system performance) because of the limited vertical resolution of the LCD screen. In general, though, the Asus Eee PC 1008P’s performance lagged behind the rest of the Pine Trail netbooks we've seen.

To put the 1.66GHz Intel Atom N450 processor through its paces, we ran two CPU-centric tests: iTunes and Windows Media Encoder (WME). On our iTunes conversion test, the 1008P took an astonishingly long 40 minutes and 33 seconds to convert 11 songs from MP3 to AAC. This is the slowest time for this netbook and double the average of 20:23. For this reason, we decided to run the test again after uninstalling the antivirus trial software that came installed. This helped considerably, and the test completed in 22:07, which is at least in line with the competition, albeit still on the slow side. On our WME test, the 1008P converted a video file in 35 minutes and 19 seconds, a good 10 minutes slower than the average netbook. Rerunning this test after removing the resource-heavy software helped, but not as much as with the iTunes test. The new score was a still-slow 31:35, about 5 minutes slower than average. More specifically, the Acer Aspire One AO532h-2Dr, the Pine Trail–equipped netbook that delivered the best time on the WME test, completed the test in 25:39.

To test how well the CPU and GPU work together, we use Cinebench 10, and this gave the 1008P a chance to shine—a little. It scored 828 with its Intel GMA 3150 integrated graphics. This number is a touch better than the average netbook’s score of 801. It even beat some of the other Pine Trail–equipped netbooks, such as the HP Mini 5102 (score: 827), the Asus Eee PC 1005PE (708), and the MSI Wind U135 (726).

We then moved to our 3DMark06 graphics test. The 1008P scored 154, almost exactly what the other four Pine Trail netbooks did. That score is well below the average netbook’s score of 229. Clearly the 1008P, like most netbooks, is not meant for gaming. It just doesn't have the graphics muscle—no surprise, considering the Intel integrated graphics.

The 1008P also comes in a flashier pink.

The thing is, while integrated graphics chips like the one in the 1008P often help conserve battery life, that's not really the case here. Asus ships the 1008P with just a three-cell battery, and no six-cell upgrade is available. During our strenuous battery-rundown test, in which we stream video wirelessly until the battery dies, the 1008P lasted only 2 hours and 49 minutes. We typically expect closer to five hours for a netbook, so this is a disappointment. You can buy an additional three-cell battery for $50, however, to swap out while on the road (though that will require a reboot). Running light tasks and using Wi-Fi judiciously will boost the 1008P’s battery life by at least an hour, maybe two. Even still, you probably won’t make it all the way through a transatlantic flight without an extra battery handy. For what it’s worth, the 1008P has some custom power/performance settings, which you activate by pressing Fn+spacebar. We set the system in Power Save mode and reran our battery test, but it didn’t improve the battery life.

What the 1008P lacks in sheer hardware performance, it makes up for, in part, in software and extras. The system comes with Windows 7 Home Premium, but if you’re in a rush and don’t want to wait for that to load, you can launch the Asus Express Gate interface, which bypasses Windows startup and gets you into a preboot environment in less than five seconds. It launches five applications: a Web browser, Skype, Photo Manager, Chat (for MSN, Yahoo, Google Talk, AIM, QQ, and ICQ), and Online Gaming. The rest of the software isn’t bad, either. We were pleased with CyberLink's YouCam, which is a fun, handy, easy-to-use Webcam application. You’ll also find a full version of Microsoft Works and 60-day trials of Microsoft Word and Trend Micro’s antivirus software. (You'll want to replace the latter right away to increase performance.)

We’re pleased to see that Asus continues to offer one free year of 500GB of Eee Online Storage to complement the 320GB hard drive. Asus also offers a one-year global warranty on the system and six months on the battery and accessories, as well as free 24/7 technical support.

If you have $500 to spend on an Internet-ready fashion accessory, the Asus Eee PC 1008P Seashell (Karim Rashid Collection) will definitely make your co-workers jealous. It wins major points for its slim build, gorgeous design, sturdy keyboard, and blaring speakers. While its Chiclet-style keyboard and 10.1-inch screen are standard netbook fare, the 1008P’s three-cell battery, limited resolution, and subpar performance are no-doubt drawbacks. Other Pine Trail–equipped notebooks are not as pretty as the 1008P, but they perform better and cost less.

Price (at time of review): $499 (mfr. est., as tested)

usa.asus.com

888-678-3688

http://computershopper.com/laptops/reviews/asus-eee-pc-1008p-seashell-karim-rashid-collection



Redmondmag.com

March 9, 2010

Report: IE 8 Leads in Malware Protection

By Kurt Mackie

Microsoft's Internet Explorer 8 outperformed four other Web browsers in protecting against malware spread by social engineering techniques, according to a Microsoft-funded NSS Labs report.

NSS Labs is an independent product testing firm, but it received support from seven test infrastructure partners for the study, "Web Browser Security Socially-Engineered Malware Protection -- February 2010" (PDF). Microsoft is not listed in the study as a sponsor, but a spokesperson at Microsoft confirmed the company's sponsorship by e-mail.

The main reason why IE 8 beat out the competition -- which included Apple Safari 4, Google Chrome 4, Mozilla Firefox 3.5 and Opera 10 -- appears to be Microsoft's use of its "SmartScreen Filter" technology. SmartScreen is a reputation-based URL comparison service that warns users of known threats, such as a Web page that attempts to get users to download malicious programs. Chrome, Firefox and Safari all used Google's "Safe Browser feed" service instead. The report did not explain what URL reputation service was used by Opera.

According to the report, IE 8 caught 85 percent of live threats. Other browsers fell way behind in protection against socially engineered malware. Safari caught 29 percent of live threats, tying with Firefox. Chrome caught 17 percent, while Opera caught less than 1 percent.

Opera finished dead last in this report's overall comparisons of protection against socially engineered malware. This report is actually NSS Labs' third release on the subject, and Opera similarly trailed in the previous reports, published on July 20, 2009 (PDF) and March 12, 2009 (PDF). Back in March 2009, an Opera Software blog described NSS Labs' report as "just another Microsoft marketing trick." The blog questioned NSS Labs' methodology and suggested that statistical tricks were used.

NSS Labs' methodology for the February study is described as a "proprietary Live Testing" approach. The objective is to insert the freshest samples of malware into the testing process over a set period of time. It's an approach that software security vendor Trend Micro announced support for late last year.

The report measured browser protection against malware only when spread by social engineering techniques. It excluded other means of spreading viruses, trojans and worms. Consequently, just 562 URLs passed the NSS Labs' criteria and were used in the study.

Browsers that scored well on the tests essentially had to show protection against trickery used by hackers to get users to click on a link or visit a malicious Web page, thereby downloading a malicious program. Malware associated with browser plug-ins (also called "add-ons") was excluded from the report. The report also did not test for "clickjacking or drive-by downloads."

About the Author

Kurt Mackie is online news editor, Enterprise Group, at 1105 Media Inc.

http://redmondmag.com/articles/2010/03/09/ie-8-leads-in-malware-protection.aspx



ITBusinessEdge

March 9, 2010

New Crossbeam CEO Sees Wave of Security Consolidation

By Michael Vizard

Crossbeam Systems, in the wake of the untimely passing of former CEO Peter Fiore, today named Mike Ruffolo, most recently CEO of Liquid Computing, as its new CEO.

Crossbeam makes an X-Series platform based on an architecture that has been specifically optimized to run security software. Security companies that have partnered with Crossbeam to deploy their software include Check Point, IBM, Imperva, Sourcefire, Trend Micro and Websense.

As IT organizations look to rein in security costs, many of them want to consolidate the number of systems they are running security software on. The Crossbeam platform allows them to run multiple security applications from different vendors on the same platform, thereby saving on the cost of deploying and managing dedicated hardware for each piece of security software.

Crossbeam’s biggest competitors are Juniper Networks and Cisco Systems, both of which are making a case for consolidating security software directly on top of routers and switches. Ruffolo argues that while there is much to be gained from consolidation, especially when it comes to energy costs and power consumption, performance requirements dictate that having a central security platform is the more efficient way to achieve that consolidation.

Ruffolo says that smaller organizations may still have a need for a dedicated security appliance, but any large IT organization that is pursuing a defense-in-depth approach to security that involves multiple vendors is likely to benefit from hardware consolidation that ultimately lowers costs and improves overall performance.

http://www.itbusinessedge.com/cm/blogs/vizard/new-crossbeam-ceo-sees-wave-of-security-consolidation/?cs=39900


Zacks Analyst Blog

March 11, 2010

Initiating Symantec with Neutral

By Zacks Equity Research

We are initiating coverage on Symantec Corporation (SYMC) with a Neutral rating and a price target of $18.00, representing a P/E multiple of 12.9x our 2010 EPS estimate. We believe Symantec Corp. is fairly valued at its current P/E multiple of 12.6x our 2010 EPS estimate of $1.39, which is a substantial discount to the industry average. Historically, the stock has traded in a 5-year trailing twelve month P/E range of 9.5x to 27.5x, and we expect the company to trade in the same range going forward.

Symantec delivered decent third-quarter results with non-GAAP revenue of $1.551 billion, up 1% from $1.535 billion reported in the year-ago quarter. The sequential improvement in revenue can be attributed to the good momentum in the consumer business, improvements in the company's license revenue and stabilization of maintenance revenues. The company's third-quarter EPS of $0.40 exceeded the Zacks Consensus Estimate of $0.33.

Symantec provided decent guidance for the fourth quarter and expects non-GAAP revenue in the range of $1.510 billion to $1.525 billion, diluted earnings per share between $0.36 and $0.37, and deferred revenue in the range of $3.175 billion to $3.205 billion.

Symantec is undoubtedly the leader in the Internet security market. According to the research firm Gartner, the company remains the overall security market leader, with just about double the market share of McAfee, its closest competitor. Symantec has an even bigger lead in the consumer market, with a 52.0% share and $1.8 billion in revenue last year, compared with 18.0% market share and $624 million in revenue for McAfee.

A host of smaller players, like Trend Micro, CA and Kaspersky Lab, are out there in the field. However, we believe that the company's portfolio of compelling solutions, aggressive marketing strategy as well as the revival in IT spending will enable it to continue growing its market share. On the other hand, we are a bit concerned about the company's high debt balance and enhanced level of security offered by Windows 7, which may pose some challenges going forward.

Cupertino, California-based Symantec was founded in 1982, and has operations in more than 40 countries. Symantec offers a wide range of application and software products for firewall, virtual private network (VPN), virus protection, vulnerability management, intrusion detection and security services. The company has organized its business and offers products under various segments, such as Consumer, Security and Compliance, Storage and Server Management and Services.

http://www.zacks.com/stock/news/31540/Initiating+Symantec+with+Neutral
