The Google ‘hack’

This past week has seen a whole slew of stories and coverage on the Google-China incident. We have labelled the malware at the heart of this ‘Trojan.Hydraq’. Symantec Security Response has written a blog post on this that provides a very interesting insight into the whole incident and how it came to pass. You can find the link to it here.

Is connecting to the ‘net becoming faster?

Well, according to the latest report from Akamai, yes it is. In their latest State of the Internet report, Akamai make the claim that the ‘net is getting faster. Looking at the third quarter of 2009, the report found that most countries in the top-10 list for Internet performance saw an average 18 percent increase in speed from the second quarter. South Korea topped the list, with a 29 percent jump in speed to 14.6 megabits per second, while Ireland came in second for most improved, with a 26 percent rise to 5.3 Mbps.

This is all very encouraging, if you are in the top tier of countries. However, during the third quarter, 103 of the 226 countries measured had average connection speeds below 1 Mbps. The slowest connection speed? Well, the ignominy of that particular title goes to the island of Mayotte, located in the Indian Ocean, with an average connection speed of 43 Kbps. However, I am sure that, given its wonderful location, it has other merits.

Interestingly, the report is now also turning its attention to mobile internet connection speeds. Akamai analysed the average connection speeds from three of the leading mobile providers within the United States and observed speeds of circa 700 Kbps. However, there seems to have been a lot of variability between the carriers and also depending on which city you are in. I am sure that this rings true with many of us.

A faster internet brings with it more users and also the ability to do more things online. It also provides more opportunity for the hackers and cyber-criminals. In a shift from prior quarters, Russia and Brazil unseated the United States and China as the two largest attack traffic sources. Cyber attacks are now a global phenomenon, with Akamai observing attack traffic originating from 207 unique countries. They also noted that they believe the Conficker worm is still very active. During the third quarter, 78 percent of internet attacks observed by Akamai targeted port 445, up from 68 percent during the previous quarter. Port 445 carries SMB (Microsoft-DS) file and printer sharing traffic, and it is the port Conficker targets, aiming to exploit a buffer overflow in the Windows Server service (MS08-067) and infect the targeted computer. If you still have port 445 reachable from the internet, that statistic alone is reason enough to close it.

What is ‘private’ any longer?

The word is getting out there, not as quickly as we would want, that people need to be careful about just how much information they provide about themselves, and to whom, via social networking sites. In all the excitement of discovering the utility of a social network site, people can unwittingly compromise themselves. This is an issue for everyone; however, a lot of the focus, quite rightly, has been on kids and youngsters, to keep them out of the prying eyes of on-line predators.

Zoe Kleinman has brought an interesting perspective to all of this with an article she has written on the BBC News site. In her piece she refers to research to be presented by Dr Kieron O’Hara of Southampton University, wherein he calls for people to be more aware of the impact on society of what they publish online. Privacy law is driven by the concept of a reasonable expectation of privacy. As more of our private lives have moved online, either intentionally or not, the expectation of privacy has changed. What is normal now? The bottom line is that, with more people putting ever more private information out there, we may not have the level of legal recourse that we think we have. However, we are part of the community and our actions do ultimately drive the social norm. Hence, the solution is down to us and what we ourselves do on-line.

Is there a funny side to cross site scripting?

Cross Site Scripting (or XSS) is one of the most common web-application attacks that we see today. In general, cross-site scripting refers to the technique of abusing a flaw in a web application so that attacker-supplied script or markup is delivered to an end-user as part of a page the site itself serves. Because the browser treats that content as the site’s own, the attacker’s script runs with the site’s privileges in the victim’s browser, with the possibility of collecting some type of data from the victim.

Today, websites rely heavily on complex web applications to deliver different output or content to a wide variety of users according to set preferences and specific needs. The heart of the issue is that if untrusted content can be introduced into a dynamically generated page without being encoded for the context it lands in, neither the web site nor the client has enough information to recognize that this has happened and take protective action.

The BBC have reported on an XSS attack wherein visitors to Spain’s EU presidency website were greeted by an image of the hapless fictional character Mr Bean instead of Spain’s Socialist leader, Mr Zapatero. It would appear that many people in Spain feel there is a strong physical resemblance between the two. Now, it would appear that this XSS attack was not malicious, just a prank to poke fun.

However, XSS can be, and is, widely used for more malicious purposes. The use of XSS might compromise private information, manipulate or steal cookies, create requests that can be mistaken for those of a valid user, or execute malicious code in the victim’s browser. Any web page that echoes user-supplied input (a query parameter, a form field, a stored comment) back into its output without encoding it can be vulnerable to this technique. So, whilst this incident with Mr Zapatero is amusing, the fact remains that XSS is a pernicious and dangerous technique and really is no laughing matter.
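To make the mechanism concrete, here is an added example, written for this page and not taken from the original post or from the Spanish site in question. It sketches a reflected XSS of the kind described above in Node.js: the same welcome page rendered once by concatenating a query parameter straight into the HTML and once with the parameter encoded for its HTML context. The handler names, the example.invalid URLs and the image-swapping payload are all hypothetical and constructed for the demonstration.

```javascript
// Added example: reflected cross-site scripting, vulnerable and hardened.
// All handler names, URLs and the payload below are hypothetical/constructed;
// this is not code from the original post or from the site it discusses.

// Encode the characters that carry meaning in an HTML text or attribute context.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable page: the query parameter is concatenated straight into the HTML,
// so the browser cannot tell the attacker's markup from the site's own.
function renderVulnerable(name) {
  return `<html><body><h1>Welcome, ${name}</h1></body></html>`;
}

// Hardened page: identical markup, but the untrusted value is encoded for the
// HTML context it lands in, so '<' arrives as text rather than as a tag.
function renderHardened(name) {
  return `<html><body><h1>Welcome, ${escapeHtml(name)}</h1></body></html>`;
}

// Minimal request handler: pull `name` from the URL and hand it to a renderer.
function handleRequest(urlString, render) {
  const name = new URL(urlString).searchParams.get('name') || 'guest';
  return render(name);
}

// Constructed payload in the spirit of the prank: drop in an image of the
// attacker's choosing. The onerror handler shows that the same vector runs
// script; swap the alert for a request carrying document.cookie and it is theft.
const PAYLOAD =
  '<img src="http://example.invalid/bean.jpg" onerror="alert(document.cookie)">';

// The link an attacker would send to a victim (reflected XSS needs the victim
// to follow it, e.g. from an e-mail or a forum post).
function attackLink(baseUrl) {
  return baseUrl + '?name=' + encodeURIComponent(PAYLOAD);
}

// Does the response contain the attacker's markup verbatim, i.e. as a live tag?
function reflectsRawMarkup(html) {
  return html.includes(PAYLOAD);
}

function demo() {
  const link = attackLink('http://example.invalid/welcome');
  const vulnerable = handleRequest(link, renderVulnerable);
  const hardened = handleRequest(link, renderHardened);
  return {
    vulnerableReflectsTag: reflectsRawMarkup(vulnerable),      // true
    hardenedReflectsTag: reflectsRawMarkup(hardened),          // false
    hardenedEncoded: hardened.includes('&lt;img src=&quot;'), // true
  };
}

console.log(demo());
```

Two caveats a practitioner would add. First, the encoding has to match the context: HTML-entity encoding is right for text and quoted attributes, but a value dropped into a JavaScript block, a URL or an unquoted attribute needs a different encoder, and getting that wrong is how "we escape everything" sites still get hit. Second, output encoding is the fix, but a Content-Security-Policy that forbids inline script is worthwhile defence in depth, because it would have neutered the onerror handler above even if the encoding had been missed.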

File scanning – a game of hide and seek?

QA (quality assurance) is a critical step in the creation of new software. It tests the code to ensure that it does what it is supposed to do. Now, for the creators of malware, one of their critical QA steps is to test their code against the leading security products, to see if it can go ‘undetected’ and therefore succeed in being executed on the target system. Brian Krebs, in his blog, has brought to our attention a new underground service that lets the malware writers check their work. There are already a few legitimate file-scanning services that have been in operation for some time. They allow users to upload a suspicious file and scan it against dozens of commercial anti-virus tools. If a scan generates any virus alerts or red flags, the report produced by the scan, and the sample itself, is shared with all of the participating anti-virus makers, so that those vendors can incorporate detection for the newly discovered malware into their products.

Now, what Brian Krebs has reported on is a new generation of file-scanning services that do not share their results or the malware with the anti-virus community. The malware authors have to pay for this service, but it allows them to quickly test and check their software against the leading security products while the results of these tests, and the files themselves, remain hidden. It would appear that a service such as this hands the advantage to the malware creators. Or does it?

The ability of malware authors to test their files against security products has always been a dynamic in our industry. Every time we bring out a new release of our products, they move quickly to test and assess what it means for their software. They would always appear to have an advantage in this regard. However, we have always been aware that what the malware guys want to do is, in effect, ‘fly below the radar’ of detection. What I mean by this is that they want to go unnoticed and undetected. The best way to do this is to control and limit the number and distribution of their files or binaries, so as not to attract the attention of the security community. Hence, when a file is submitted to one of the legitimate file-scanning services, it becomes known to the whole security community; a file that is never submitted, and is only ever dropped on a handful of machines, stays unknown. This is where reputation based security technology really comes into its own.

With this approach, we look at all new files and binaries, and when we find a new file we assess its reputation, based on factors such as how many machines have seen it, for how long, and whether it carries a trusted signature, to understand whether it is to be trusted or not. In doing so, reputation based security turns the anonymity and relatively low distribution of a file against the malware authors: being rare and brand new is itself a reason for suspicion. It is a very powerful approach and an effective defence. We implemented reputation based security in the Norton 2010 products. We also created a video that explains how all this works. Hence, whilst the arrival of this new generation of malicious file-scanning services is bothersome, it does not necessarily cede the advantage to the malware authors.
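To show the shape of the idea rather than leave it abstract, here is an added example of deriving a file-reputation verdict from telemetry sightings. It is illustrative code written for this page, not Symantec’s implementation; the three placeholder SHA-256 digests, the sighting records and the thresholds are all constructed for the demonstration, and the rule is deliberately simple.

```javascript
// Added example: deriving a file-reputation verdict from telemetry sightings.
// This illustrates the principle only; the hashes, telemetry records and
// thresholds are constructed for the example and are not Symantec's.

const DAY = 24 * 60 * 60 * 1000;
// Fixed clock so the example is deterministic.
const NOW = Date.parse('2010-01-25T00:00:00Z');

// Three hypothetical binaries, identified by SHA-256 (placeholder digests).
const HASH_UTILITY = '11'.repeat(32); // long-established, signed, widespread
const HASH_DROPPER = '22'.repeat(32); // brand new, unsigned, seen on two hosts
const HASH_INHOUSE = '33'.repeat(32); // unsigned but old and moderately common

// Constructed telemetry feed: one record per machine that reported the file.
const SIGHTINGS = [
  ...Array.from({ length: 120 }, (_, i) => ({
    sha256: HASH_UTILITY, host: `host-${i}`,
    seenAt: NOW - (200 - i) * DAY, signerTrusted: true,
  })),
  // The profile of a malware build that was checked against AV in private
  // and then released in tiny numbers to stay under the radar.
  { sha256: HASH_DROPPER, host: 'host-900', seenAt: NOW - 2 * DAY, signerTrusted: false },
  { sha256: HASH_DROPPER, host: 'host-901', seenAt: NOW - 1 * DAY, signerTrusted: false },
  ...Array.from({ length: 40 }, (_, i) => ({
    sha256: HASH_INHOUSE, host: `host-${500 + i}`,
    seenAt: NOW - (400 - i) * DAY, signerTrusted: false,
  })),
];

// Aggregate sightings per file: how many distinct machines have it, and how
// long ago it was first seen anywhere.
function summarise(records, now) {
  const acc = new Map();
  for (const r of records) {
    let s = acc.get(r.sha256);
    if (!s) {
      s = { hosts: new Set(), firstSeen: r.seenAt, signerTrusted: r.signerTrusted };
      acc.set(r.sha256, s);
    }
    s.hosts.add(r.host);
    if (r.seenAt < s.firstSeen) s.firstSeen = r.seenAt;
  }
  const out = new Map();
  for (const [hash, s] of acc) {
    out.set(hash, {
      prevalence: s.hosts.size,
      ageDays: (now - s.firstSeen) / DAY,
      signerTrusted: s.signerTrusted,
    });
  }
  return out;
}

// The rule itself. Thresholds are illustrative; the shape is what matters:
// a file that is both rare and new is treated as suspect precisely because
// keeping distribution low is how authors try to stay unnoticed.
function verdict({ prevalence, ageDays, signerTrusted }) {
  if (signerTrusted && prevalence >= 100) return 'trusted';
  if (prevalence < 5 && ageDays < 7) return 'suspicious'; // quarantine, send for analysis
  if (prevalence >= 25 && ageDays >= 90) return 'good';
  return 'unknown';                                       // monitor or prompt the user
}

// Verdict for every file in the feed, keyed by hash.
function classify(records, now = NOW) {
  const result = {};
  for (const [hash, summary] of summarise(records, now)) result[hash] = verdict(summary);
  return result;
}

console.log(classify(SIGHTINGS));
```

The obvious cost of this rule is that a legitimate program released yesterday by a small developer looks exactly like the dropper until enough machines have seen it, which is why the signer check sits at the top: code signing is the quickest way for a genuinely new file to earn trust without waiting for prevalence to build.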

Don’t do the crime if you are not prepared to do the time!

Have you ever heard of Albert Gonzalez? The chances are that you have not. However, he has now entered into infamy, having been convicted of the largest identity fraud scam in US history. You can get more details on him and the case using this link. In addition to having paid back $2.7M and offered up a condo, jewellery and cars as further restitution, he is now facing a jail sentence that could stretch to 25 years. They certainly wave a big stick in the US when it comes to internet fraud.

The interesting thing in this case is that he was able to get his hands on the 130 million credit and debit card numbers relatively easily. It appears he used ‘wardriving’, driving around looking for poorly secured wireless networks, as his preferred way into the companies he targeted. Thereafter, he used a sniffing program to grab the payment card details as they crossed the network while the companies transacted with their customers.

What Albert Gonzalez brings into sharp focus is just how much money can be made from internet crime and the sort of lifestyle it can afford to those who participate in it. It also brings into sharp relief the downside of this activity: when you are caught, you go to jail, and for a long time.

Mobile mania?

Many security experts are asked to make predictions as to the new trends and exploits to watch out for in 2010. Having read a number of these ‘predictions’, there is a consensus that one area to watch is ‘mobile’. The burgeoning growth in mobile apps, coupled with the explosive growth in ‘smartphones’, has all of the security experts predicting interesting times ahead.

The past holiday season allowed me to watch some television and relax, or so I thought. However, I was quite struck by ads that were run by HSBC and Lloyds banks. They were using prime time (read for that, expensive) national television to trumpet the ability to download and use their new mobile banking apps, for free. This got me thinking. It is clear that the banks want their customers to now access and use banking services from smartphones. They are spending big on advertising to build awareness of this capability, and to generally get the word out there. Accessing services from your smartphone is the way of the future. Although, with initiatives like this, the future has already arrived for many of us.

There is an immutable law of internet security: where you have large numbers of people and there is money involved, the cyber-criminals quickly follow. To date, most of the malware written for ‘mobile’ devices has been ‘proof of concept’ stuff, a sort of limbering up before the main event. We will have to see what ultimately comes to pass in 2010, but it does seem that ‘mobile’ will be interesting.