Increase Employee Productivity through Computer Security

A new Maritz Poll highlights the relationship between productivity and security. The Poll, which surveyed IT managers in small and medium businesses, attempts to reveal the repercussions of computer viruses and other security problems and their correlation to downtime on the job. Of those surveyed, nearly all (92 percent) reported that computer performance levels were affected by up to 50 percent due to security issues.

According to the poll, some of the security issues affecting productivity include:

— 75 percent of small and medium businesses were hit by at least one virus, with some affected over 100 times, in the past year.
— 40 percent of respondents have been hit by hackers at least once, with some targeted more than 200 times, in the past year.

This is compounded by the common knowledge that virtually every computer with Internet access is assaulted with a barrage of adware, spyware and spam daily.

Despite these serious security and spam issues, and the obvious reduction in employee productivity, some respondents still are not defending themselves against potential threats:
— 29 percent don’t use anti-spam software.
— 34 percent don’t use anti-spyware software.
— 4 percent don’t use anti-virus software.
— 47 percent don’t use anti-adware software.
— 9 percent don’t have Internet firewalls.

While many small and medium businesses do utilize protective software, many are not doing all they can to stay protected and maintain employee productivity. For example:

— Nearly 10 percent do not automatically update their anti-virus software.
— Only 23 percent of those that are updating it manually are doing so daily.
— Only 82 percent plan to invest in anti-virus software in 2005.

These poll results certainly make me appreciate an IT Department that implements antispam, antivirus, and antispyware solutions that ensure that my computer and the data on it are protected. Without it, my job would be a heck of a lot harder.

Laurie Murrell
Communications Manager

Some musings on the 40 million credit cards debacle

So only “68,000 customers are at high risk”

As pretty much everyone knows by now, Cardsystems, a credit card processor, has had a security breach which exposed up to 40 million credit card numbers. MasterCard is now saying that 68,000 customers are at “high risk”.

Ok, so check your bank statements (and why isn’t there a website where you can put in your CC number and see if you’re at “high risk”?).

What was the cause? Apparently a “virus” that captured customer data (probably a misnomer on their part, more likely a simple keylogger).

At Tech.Ed a couple of weeks ago, Microsoft showed a hardened Windows network being completely compromised in a matter of minutes. So no surprise on our part.

In the US, we have strict laws like HIPAA providing statutory requirements on the protection of health care data. But credit card companies apparently don’t have these types of protections. Heck, a UPS shipment with almost 4 million unencrypted credit card numbers was lost recently.

MasterCard had some system in place to detect this. They did see the breach through their fraud analysis, which assumes that some of these cards may have been used already…
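One standard way a card network traces a batch of fraudulent cards back to the entity that leaked them is common-point-of-purchase (CPP) analysis: find the merchant or processor that an implausibly large share of the fraud cards all passed through before the fraud began. The Python below is an added example of that technique over a small constructed transaction log; it is not MasterCard's system, and the cards, merchants and processors in it are hypothetical. It scores both merchants and processors, because, as in this case, the common point can sit upstream of every merchant.

```python
"""Common-point-of-purchase (CPP) analysis: which merchant or processor did
the fraudulent cards share before the fraud began? Added example over
constructed data; not MasterCard's actual fraud system."""
from collections import defaultdict, namedtuple
from datetime import date

Txn = namedtuple("Txn", "card merchant processor day")

# Constructed sample data: hypothetical cards C01-C20, merchants M1-M5 and
# two processors. Fraudulent use of C01-C06 was first observed on 2005-06-10.
FRAUD_FIRST_SEEN = date(2005, 6, 10)
FRAUD_CARDS = {"C01", "C02", "C03", "C04", "C05", "C06"}


def _t(card, merchant, processor, month, day):
    return Txn(card, merchant, processor, date(2005, month, day))


TRANSACTIONS = (
    [  # M1-M3 clear through processor P-ACME
        _t("C01", "M1", "P-ACME", 5, 2), _t("C02", "M1", "P-ACME", 5, 3),
        _t("C07", "M1", "P-ACME", 5, 4), _t("C03", "M2", "P-ACME", 5, 5),
        _t("C04", "M2", "P-ACME", 5, 6), _t("C05", "M3", "P-ACME", 5, 7),
        _t("C06", "M3", "P-ACME", 5, 8), _t("C08", "M3", "P-ACME", 5, 9),
        # M4-M5 clear through P-OTHER; one fraud card also shopped there
        _t("C01", "M4", "P-OTHER", 5, 10),
    ]
    + [_t(f"C{n:02d}", "M4", "P-OTHER", 5, 11) for n in range(7, 14)]
    + [_t(f"C{n:02d}", "M5", "P-OTHER", 5, 12) for n in range(14, 21)]
    # after the fraud started: cannot be its cause, must be ignored
    + [_t("C02", "M5", "P-OTHER", 6, 15)]
)


def cpp_scores(transactions, fraud_cards, key, window_end):
    """Score every entity selected by key (e.g. lambda t: t.processor).

    Returns {entity: (coverage, lift, fraud_cards_seen)} where coverage is the
    fraction of fraud cards that transacted at the entity before window_end and
    lift is that coverage divided by the entity's share of all active cards."""
    cards_at = defaultdict(set)
    all_cards = set()
    for t in transactions:
        if t.day >= window_end:
            continue  # too late to explain the fraud
        all_cards.add(t.card)
        cards_at[key(t)].add(t.card)
    scores = {}
    for entity, cards in cards_at.items():
        hits = cards & fraud_cards
        coverage = len(hits) / len(fraud_cards)
        base_rate = len(cards) / len(all_cards)  # entity's share of all cards
        scores[entity] = (coverage, coverage / base_rate, sorted(hits))
    return scores


def suspects(transactions, fraud_cards, key, window_end,
             min_coverage=0.8, min_lift=2.0):
    """Entities that saw most of the fraud cards and far more than their share."""
    scores = cpp_scores(transactions, fraud_cards, key, window_end)
    return sorted(e for e, (cov, lift, _) in scores.items()
                  if cov >= min_coverage and lift >= min_lift)


if __name__ == "__main__":
    for label, key in (("merchant", lambda t: t.merchant),
                       ("processor", lambda t: t.processor)):
        print(f"{label} suspects:",
              suspects(TRANSACTIONS, FRAUD_CARDS, key, FRAUD_FIRST_SEEN))
        for e, (cov, lift, hits) in sorted(
                cpp_scores(TRANSACTIONS, FRAUD_CARDS, key, FRAUD_FIRST_SEEN).items()):
            print(f"  {e:8} coverage={cov:.2f} lift={lift:.2f} fraud cards={hits}")
```

Two details matter in practice. Only activity before the first fraudulent use can explain it, so later transactions are excluded. And coverage alone is not enough: a large processor sees most cards anyway, so the lift against its overall share of cards is what separates it from the background. In the constructed data no single merchant reaches the coverage threshold, but the processor they share does.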

Interesting posts on Slashdot. As can be expected on Slashdot, there are posts about the front end to Cardsystems being Microsoft. Points are also made that the major credit card companies may have great security in place, but they send a large amount of data to other partners, like credit card processing companies, creating multiple points of entry.

We can have all the protections in place. But the way to run security is not only to create a moat around the castle, but to ensure that if an attacker gets in, sensitive data is not compromised. Assume the worst.

My observation is that securing this type of private information is a multi-pronged approach:

Make the data useless — If the information is stolen, it shouldn’t matter in the end. You could, for example, split up a credit card number and the attendant customer data into multiple parts, each stored in its own secure database and reassembled only at the point of use. A hacker gets in, and he sees only gibberish; he sees only one part of the picture.

Storage – This one is obvious but, well, obviously it wasn’t followed by Cardsystems. You have to harden, through multi-layered security, the systems where the data is stored at every point of the supply chain: card processors, merchants, member banks, etc.
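The "make the data useless" and "storage" points above combine naturally: keep the card record as shares that are individually meaningless, in separate stores, and reassemble them only at the point of use. The Python below is an added example of that approach, not CardSystems' or anyone's real design; the three store names and the record layout are assumptions. It uses XOR secret sharing rather than a plain substring split, because a substring split still leaks real digits (the first six digits of a card number identify the issuer, and the last four appear on receipts), whereas each XOR share on its own is statistically independent of the card number.

```python
"""Store card records as XOR secret shares in separate stores; reassemble only
at the point of use. Added example, not any real processor's design."""
import secrets


def split_secret(secret: bytes, n: int) -> list:
    """n-of-n XOR sharing: n-1 uniformly random shares, the last one is the
    secret XORed with all of them. Any n-1 shares are independent of the
    secret, so a single compromised store yields no information."""
    if n < 2:
        raise ValueError("need at least two shares")
    shares = [secrets.token_bytes(len(secret)) for _ in range(n - 1)]
    last = bytes(secret)
    for s in shares:
        last = bytes(a ^ b for a, b in zip(last, s))
    return shares + [last]


def combine_shares(shares) -> bytes:
    """XOR all shares back together. Missing any one of them gives garbage."""
    out = bytes(len(shares[0]))
    for s in shares:
        if len(s) != len(out):
            raise ValueError("share length mismatch")
        out = bytes(a ^ b for a, b in zip(out, s))
    return out


class CardVault:
    """Three logically separate stores (assumed names). Only the reveal step,
    which runs where the card is actually used, touches all three."""

    STORES = ("db_shares_a", "db_shares_b", "db_shares_c")

    def __init__(self):
        self.stores = {name: {} for name in self.STORES}
        self.index = {}  # token -> non-sensitive display data only

    def store(self, pan: str, holder: str, expiry: str) -> str:
        record = "|".join((pan, holder, expiry)).encode()
        token = secrets.token_hex(16)  # opaque reference, unrelated to the PAN
        for name, share in zip(self.STORES, split_secret(record, len(self.STORES))):
            self.stores[name][token] = share
        self.index[token] = {"last4": pan[-4:], "holder": holder}
        return token

    def reveal(self, token: str) -> dict:
        """Point of use: fetch every share and reassemble the record."""
        shares = [self.stores[name][token] for name in self.STORES]
        pan, holder, expiry = combine_shares(shares).decode().split("|")
        return {"pan": pan, "holder": holder, "expiry": expiry}


def leaks_digits(share: bytes, pan: str) -> bool:
    """Would a thief holding only this share see any run of the real PAN?
    Checks whether any 4-digit substring of the PAN appears in the share."""
    text = share.decode("latin-1")
    return any(pan[i:i + 4] in text for i in range(len(pan) - 3))


if __name__ == "__main__":
    pan = "4111111111111111"  # well-known test card number, not a real card
    vault = CardVault()
    tok = vault.store(pan, "A. Cardholder", "12/07")
    print("token:", tok, "index entry:", vault.index[tok])
    for name in CardVault.STORES:
        share = vault.stores[name][tok]
        print(f"{name}: {share.hex()}  leaks digits: {leaks_digits(share, pan)}")
    print("reveal at point of use:", vault.reveal(tok))
```

The token is what merchants and logs get to keep; the index deliberately holds nothing beyond the last four digits. The residual risk, and the reason for the "assume the worst" above, is the reveal path itself: whoever can call it, or can read all three stores, has the cards. That path needs the same hardening as the stores and should be the only code that ever sees a full card number.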

Transport – Harden the methods of data transportation to third-party providers. There are multiple points of entry in the world of consumer privacy. Data is shared between many providers, and the methods of sharing it have to be rock-solid. I’m not talking only about electronic transport. Let’s not ship, for example, sensitive credit card information by UPS in unencrypted form. Treat your customers’ data as carefully and as conscientiously as you would treat your own.

End use – Another critical point of entry is the actual use of the data. There are multiple validation points in place already, which help against fraud. Credit card companies have instituted address checking and the use of Card Identification Numbers, which are multi-pronged security techniques (you have to a) have the card in your possession and b) know the address of the person it was stolen from in order to use it). But this probably needs to go further, without making it unnecessarily painful for customers to actually buy things. If you make a credit card useless to a thief, there’s not much incentive to steal it. (And there are still online merchants who don’t use Card Identification Numbers. Credit card company to merchant: You want to accept MasterCard and Visa? You’d better have these systems in place.)

Fight back – In the end, make it so that the mistakes of others don’t affect you. Use only one credit card, and pay it off every month (ok, I know paying off the card every month is hard for many, but at least try to keep only one card in active use). Fight intrusive government legislation like Real ID, which will make it easier for personal information to be exposed to criminals (and is highly intrusive on your own privacy to boot). Support legislation like HR 25, the Fair Tax, which gets rid of the Income Tax and makes every taxpayer anonymous. Support groups like EPIC, which are fighting very hard for electronic privacy rights.

One other thing: Credit card companies are incredibly profitable. So theft might simply become a risk-management issue. They plug in an assumed 2% fraud rate and up the APR on the card. Ok, that’s incredibly cynical on my part, and not entirely fair. But we just need to make sure that our lives don’t become risk management statistics.

I hope this gets cleaned up fast so we don’t have more legislation on the matter.

Alex Eckelberry

Metrix Marketing Group site hacked!

oWnzEd to be more exact!

[Screenshot of the defaced page. Warning: very foul language]

Previously we had blogged that Metrix Marketing Group was apparently behind some nasty BitTorrent adware infestations (see here and here). This was uncovered by spyware research guru Paperghost.

eWeek ran with the story and now… Marketing Metrix Group has been hacked. A nasty one, too.

At 4:11 EST the hack is still live.

Alex Eckelberry
(Thanks Eric)

Cyber Security Industry Alliance on Consumer Views on Spyware and Identity Theft

Link to beSpacific blog.

From the press release:

• The majority of Internet users (83%) have heard of spyware, although the level of awareness is not as ubiquitous as spam (93%). Of those not familiar with the term, 81 percent have experienced at least one of its symptoms, such as pop-up ads or decreased computer performance.

• The more voters learn about spyware, the more it scares them. Without the benefit of a statement describing spyware, two-thirds of voters rated it a serious problem. When fully informed of the nature of spyware, nearly all voters (93%) considered it a serious problem.

• Not all software that operates in the background is perceived as harmful by Internet users. For example, 67 percent of Internet users think the benefits of automatic security updates outweigh the possible risks.

• More Internet users think small-time con artists and delinquent teenagers are the biggest threats to the safety of the Internet (45%) than enemy nations, organized crime and terrorist organizations (36%).

• Only 28 percent of voters think government is placing the right emphasis on protecting our information systems and networks, as opposed to 64 percent who think that government needs to make protecting our information systems a higher priority.

• Voters are much more likely to believe that privacy protection should be left to the U.S. Congress (60%) than to state legislatures (35%).

• Despite the call for a legislative solution, only 32 percent of voters trust the Congress to do what’s right for the Internet. On the other hand, 63 percent trust consumer groups like the Better Business Bureau.

BitTorrent users beware

Earlier we blogged on a massive BitTorrent adware infestation propagated (apparently) by a group called MarketingMetrixGroup. The story was broken by the tireless MVP Paperghost.

This story has now broadened. Someone (apparently MarketingMetrixGroup) is distributing a payload of adware along with BitTorrent files.

Link to Paperghost’s latest adventures here.

Alex Eckelberry
(Thanks Eric)

IE Security guy at Microsoft talks about IE security

Rob Franco, Lead Program Manager for IE Security posted some interesting stuff on the Internet Explorer Blog last week.

From the blog (with emphasis and edits added by me):

“Low-Rights IE” is one of several new features that we’re working on to help keep users safe…meant to back up and support the many other security features.

…Low-rights IE will only be available in Longhorn because it’s based on the new Longhorn security features that make running without Administrator privileges an easy option for users (“User Account Protection”). When users run programs with limited user privileges, they are safer from attack than when they run with Administrator privileges because Windows can restrict the malicious code from taking damaging actions.

We are using the same Longhorn security infrastructure to limit IE to just enough privileges to browse the web but not enough to modify user files or settings by default. As a result, even if a malicious site attacks a vulnerability in IE, the site’s code won’t have enough privileges to install software, copy files to Startup folder, or hijack the settings for the browser’s homepage or search provider.

Second, the primary goal of Low Rights IE is to restrict the impact of a security vulnerability while maintaining compatibility. Low-rights IE doesn’t “fix” vulnerabilities, but it can limit the damage a vulnerability can do. In that way, it’s like the “Local Machine Zone Lockdown” feature in XP SP2. That lockdown prevents cross domain vulnerabilities from installing malicious software on users’ machines. We expect Low-rights IE to protect users from other classes of vulnerabilities.

I also want to point out two other scenarios that some people have confused with Low-rights IE. Low-rights IE does not prevent users from downloading and installing software that turns out to be malicious. Any programs that the user downloads and runs will be limited by User Account Protection, unless the user explicitly gives the program Administrator privileges. Microsoft and other software makers provide tools to help protect against spyware downloads. Another issue to clarify is that Low-rights IE will not change IE security settings for ActiveX and script as the Enhanced Security Configuration for IE on Windows Server 2003 did.

Some websites and browser add-ons may expect users to run with Administrator privileges. Our goals are to be as secure and compatible as possible and we’re doing work to help sites and add-ons continue to work as users expect.

I want to be clear that Longhorn and IE7 have many other facilities in addition to Low-rights IE for keeping users safe….”

Alex Eckelberry

GAO report on security threats

The Government Accountability Office has released a report entitled “INFORMATION SECURITY: Emerging Cybersecurity Issues Threaten Federal Information Systems”.

From the report:

Spam, phishing, and spyware pose security risks to federal information systems. Spam is a problem not only because of the enormous resources it demands, but also because it now serves as a means for other types of attack. Phishing can lead to identity theft and loss of sensitive information; it can easily result in reduced trust in and therefore use of electronic government services, thereby reducing the efficiencies that such services offer. Phishers have targeted federal entities such as the Federal Bureau of Investigation (FBI), Federal Deposit Insurance Corporation (FDIC), and the Internal Revenue Service (IRS). Spyware threatens the confidentiality, integrity, and availability of federal information systems by capturing and releasing sensitive data, making unauthorized changes to systems, decreasing system performance, and possibly creating new system vulnerabilities, all without the user’s knowledge or consent. The blending of these threats creates additional risks that cannot be easily mitigated with currently available tools.

Agencies reported varying perceptions of the risks of spam, phishing, and spyware. In addition, many agencies have not fully addressed the risks of emerging cybersecurity threats as part of their required agencywide information security programs, which include performing periodic assessments of risk; implementing security controls commensurate with the identified risk; ensuring security-awareness training for agency personnel; and implementing procedures for detecting, reporting, and responding to security incidents. An effective security program can assist in agency efforts to mitigate and respond to these emerging cybersecurity threats.

Several entities within the federal government and the private sector have begun initiatives directed toward addressing spam, phishing, and spyware. These actions range from targeting cybercrime to educating the user and private-sector community on how to detect and protect systems and information from these threats. While the initiatives demonstrate an understanding of the importance of cybersecurity and emerging threats and represent the first steps in addressing the risks associated with emerging threats, similar efforts are not being made to assist federal agencies.

Alex Eckelberry
(Thanks to beSpacific)

BitTorrent file used for massive adware infestation

Why is Aurora (Direct Revenue’s latest adware) so prevalent?

Microsoft MVP spyware researcher Paperghost broke this story.

WOW. And what a story it is.

A 175MB BitTorrent file spawns massive adware.

Here’s what seems to be the story:

1. The file was a Family Guy cartoon wrapped in an adware installer. Paperghost found this BitTorrent file by trawling the net. It is not known whether the Family Guy cartoon is pirated.

2. With the Family Guy cartoon comes a payload of adware (Direct Revenue stuff).

3. The group behind the Family Guy package is apparently Marketing Metrix Group.

Read all the juicy details here.

Hats off to Paperghost.

Alex Eckelberry

Hotbar to be upgraded in Sunbelt database

After our initial response to Hotbar, our spyware research team spent more time researching Hotbar’s practices. We will be upgrading its threat level and default action in our database.

  • Hotbar will be re-classified from “Low Risk Adware” to “Adware.”
  • Hotbar’s “Threat Level” will be changed from “Low Risk” (5) to “Moderate Risk” (4).
  • The “Default Action” for Hotbar will be changed from “Ignore” to “Quarantine.”

Click here to read our internal research paper. From the report:

Recommendations

Hotbar’s Web Tools software package exhibits a number of troublesome qualities. First, Hotbar’s less-than-fully-transparent installation practices make it likely that the software could be installed without users’ full, meaningful knowledge of and consent to the software’s key terms and functionality. Moreover, although Hotbar’s several types of advertising are labeled in some way, this labeling is not as clear and prominent as it ought to be. Finally, though the software can be uninstalled from the “Add/Remove Programs” Control Panel applet, Hotbar uses a randomly named resuscitator program to resist removal by anti-spyware software.

In light of these problematic practices, Sunbelt Software is entirely justified in offering Hotbar and its related programs as a detection to users. Until now, Sunbelt has classified this software as a “Low Risk Adware” program (http://research.sunbelt-software.com/threat_library_browse.cfm?Low Risk Adware). The practices and qualities described earlier in this review do not fit a “Low Risk Adware” program, though, especially given the misleading notice, disclosure, choice, and consent practices employed by Hotbar in several of its installations.

Thus, the Sunbelt Research Team recommends that Sunbelt Software reclassify Hotbar as an “Adware” program (http://research.sunbelt-software.com/threat_library_browse.cfm?Adware) and adjust the “Threat Level” and “Default Action” for this software accordingly.

1. Threat Type

Hotbar should be re-classified from “Low Risk Adware” to “Adware.”

2. Threat Level

Hotbar’s “Threat Level” should be changed from “Low Risk” (5) to “Moderate Risk” (4).

3. Default Action

The “Default Action” for Hotbar should be changed from “Ignore” to “Quarantine.”

By making these changes, Sunbelt Software can more effectively alert its users and customers to the presence of software they may not fully understand and provide advice that more appropriately reflects Hotbar’s several troubling practices.

Alex Eckelberry

Adware vendors and Jedi mind control tricks

Ray Everett-Church writes a great article here.

Notable quote: “But all the public relations whitewashing cannot change the underlying facts: Spyware and surreptitious adware remain a scourge for many millions of unsuspecting users. The purveyors of these insidious programs can play all the word games they want, but as long as they are in the business of harassing users with unwanted intrusive software, their campaign of disinformation will always be undermined by truth.”

Alex Eckelberry
(Thanks Ben Edelman)

Hanging out with 10,000 IT techies

While others were doing lofty pronouncements about security at the Gartner Security Symposium, we decided to spend the week hanging out with 10,000 fellow techies at Microsoft Tech.Ed.

Many of these techs live in the trenches, fighting the bad stuff every day.

It was a blast. We gave out a custom-made chopper and generally had the time of our lives. The draw for the chopper giveaway was huge–we must have had several thousand people at the booth (see pics).

We also got to hang out with some pretty cool people from Microsoft and got to meet MVP Calamity Jane, well known in antispyware circles as a tenacious spyware fighter.

Some pics below. Plus a video here!

Absolute mayhem ensues when we give out the chopper.

The winner, Martin Yee of Wells Fargo. Congratulations Martin!

Alex Eckelberry

Greetings from Tech.Ed

It is a great show. If you are here, you should come out to the booth and visit us. Today is the day we give away the motorcycle. Enough plugging us, now on to the show…..

Lots of interesting people, sessions and exhibits at the show. As some people say, “So much to do, so little time.” My three favorite sessions have been:

1) Q&A: Malware
2) Understanding and Fighting Malware: Viruses, Spyware and Rootkits
3) Anatomy of a Network Hack: How to Get Your Network Hacked in 10 Easy Steps.

All three of them were packed, SRO. Just another indication of how important this area has become.

Mark Russinovich was involved in the first two sessions listed above. Many of you may know him from his free tools Filemon, Regmon, etc. I was very impressed with his preparation and knowledge of the issues everyone faces when dealing with spyware. His presentation on the topics of buffer overflow attacks and rootkits was especially interesting. It is worth a look, and as of this morning, it was online for free download.

Well, back to the show.

Dave Bove
Manager of Spyware Research

RTFS (Read the “Fine” Screens)

It gets a little frustrating dealing with certain “software developers”. These “software developers” want to be “quickly and fairly” identified by the Anti-spyware community. Great. No problem.

We think, “How about putting a place on our website for them to contact us in a non-contentious way, so that we can give them a fair review and, if warranted, change how we classify, identify, label, etc. their programs?” Sounds rough, right?

How do some “software developers” respond? A cease and desist letter. Nice. I guess they just couldn’t read the “fine” screens……

What does this mean? Well, instead of having my research group look at the proposed name changes and release a definition update with the new names in just a few days, we have to go through lawyers and red tape and bureaucracy. Fun. Fun. Fun.

The Net Result?

It took longer for the “software developer” to get their changes implemented, it cost both them and us money in lawyer fees, and they did not make us feel intimidated, but rather we became less likely to think kindly of them in the future.

Just because they didn’t read the “fine” screens we had put up for them.

Dave Bove
Manager of Spyware Research

An advance peek at Project Ninja

A while back, I blogged on a major new project we’ve been working on for a long time at Sunbelt, code-named “Ninja”.

Well, the code name stuck and is going to be the actual product name — Sunbelt Messaging Ninja. We’re releasing it in a few weeks.

We’re going to be showing the product at Microsoft Tech.Ed next week, but I figured I’d give you an advance look at some screen shots.

Ok, so I know I’m not really supposed to hype stuff on our corporate blog, but this product is just a beauty. Dual-engine AV protection, dual-engine antispam protection, attachment filtering. An elegant plug-in architecture.

And (to my knowledge), the world’s first policy-based enterprise messaging security product.

If you want an understanding of what this means, take a look at this picture:

Each user gets their own policy for antispam and antivirus.

You can see screen shots of Ninja here. Note that this is pre-release stuff, so not everything is all perfect. But you get a good idea looking at the screens what we’re doing.

Also, here is a preliminary datasheet.

More details are at the show and will be published in the coming weeks.

Alex