I watched a MessageLabs HTTP Security webcast earlier today. I have evaluated their product both when they were reselling Scansafe and again since they implemented their own solution.
As anyone reading this site already knows, there was a big uptick in malware served by legitimate sites at the end of 2008. SQL injection and other tricks were used to get malicious code to load from legitimate websites. The old advice about “don't click on this or that” just doesn't work when it's a common site that has been compromised to serve the malware.
Spyware is even sneakier. It uses dialog boxes that appear to be Windows Update. It pretends to be a needed codec. It masquerades as security software. It even gets accepted as advertisements on legitimate banner ad networks.
As user details are stolen (such as in the Monster.com hack) or voluntarily disclosed on social networking sites, a treasure trove of material for a targeted attack is put into the bad guys' hands. Combined with public data found on genealogy sites and voter registration rolls, this makes it possible to craft emails that appear legitimate because the attackers already know so much about you. The answers to the questions used to reset the password on your accounts are easy to find, as many celebrities have experienced, much to their chagrin.
The need for advanced web security is obvious. MessageLabs web security uses two antivirus engines and a pared-down version of their Skeptic heuristic engine. It's my belief that this will provide better security than competitors.
What has kept me from implementing this solution in the past is the desire to avoid using a direct proxy. Transparent proxies work better in my opinion. MessageLabs provides a proxy for the corporate network so that internal usernames and IPs can make it to their logs (otherwise, with NAT, they'd only have your firewall IP as the source). I hear this proxy is a customized Squid proxy. While Squid supports WCCP, this is not something MessageLabs has supported to my knowledge. I looked at their instructions for Checkpoint to forward traffic transparently to MessageLabs. That did not solve the problem of their logs only having the firewall IP address.
While direct versus transparent is still a challenge, I did learn in this webcast that MessageLabs is going to be announcing a new feature next week that I've been looking forward to. While they didn't say not to pass it on, I'm going to self-embargo. So hopefully I'll get another blogging opportunity after I've checked out the new features.
Archive for January 2009
Step Back, I’m certified
I’m referring to one of my favorite Dilbert strips in the title of this entry.
I passed the Certified Ethical Hacker EC0-350 exam this morning.
There seem to be a few set reactions to the CEH.
1. “Not the H(acker) word.” These are the same people who get upset when colleges teach their students how to defend a network or system by teaching them how to break into it. They probably think they are safer in a gun-free zone.
2. HR departments and recruiters seem to love the cert.
3. Some think it's a poser cert. I don't know about that. I think it's a beginner cert, and I found it really easy. As with any certification, the quality of the person holding the cert is not guaranteed.
4. Some think EC-Council (the group administering the CEH) is a scam. That is traced back to a blog post by securitymonkey in 2006. Personally, I think he makes a poor case.
The CEH does not require the classroom training or purchasing study material from them. Most of my studying came from being an information security professional for many years. There are a couple of things that I'd point to as particularly helpful.
1. Sensepost – Hacking by the Numbers at Blackhat. That was at the first Blackhat Federal. I forget the year.
2. A master's-level course at James Madison University in which the semester was essentially a capture the flag / defend the flag exercise. That was in 2006 (man, time flies).
3. Read the Official CEH book.
I don't necessarily like getting too many certs, but it's one way to demonstrate continued learning and development to management types. Unfortunately, I think career-wise I'd be better off with a soft-skills certification than any more technical ones. Anyone have any suggestions that wouldn't cause me to submit comic strip ideas to Dilbert because it is so absurd?
Moving
A little housekeeping blog post.
I'm moving web hosts this week. My old host has become progressively more annoying. A few years ago the owners sold out to a company that operates many web hosting brands. After quite a bit of migration headache, things seemed to have stabilized. Nevertheless, my contract is finally up, and I've decided to move on. I have a real problem with the attitudes displayed by the moderators on the hosting company's forum. It was once a place of help. Now all they do is quote “we are not $company employees, contact $company support.” So much for peer-to-peer help. The last straw for me was when many customers were hacked and the company didn't communicate beyond forcing a mass password change.
The new host has SSH access, which should make routine maintenance a bit easier. They also offer 50 GB of space for non-website-related things like backups.
During the transition, I decided to refresh my style a bit (although I am worried that this one is used by too many people already). The new style caused my AJAX comments to stop working, so we're back to the default comment submission method. That means more spam in the moderation queue.
So pardon the dust as I find widgets to add/remove.
EV Certs and IE7
I ran into an interesting problem on Tuesday.
I installed Extended Validation SSL certificates on three of our IIS servers and on the ISA front end. Yes, yes, I know: “EV SSL is a scam.” They weren't that expensive at DigiCert, and I thought it would be cool to turn the address bar green.
After implementing them, I found that Firefox computers and non-corporate computers with IE7 could see the address bar turn green successfully when I browsed to my newly secured site. Surprisingly, IE7 on corporate-owned computers could not.
What I realized is that IE7 on XP uses the Phishing Filter to verify that the site is EV validated. The Phishing Filter is not on by default for the Internet Explorer Intranet zone. We have *.ourdomain.org in the Intranet zone, therefore no green bar for IE7 XP users.
Vista with IE7 works fine because it supports OCSP.
This is where it got kind of annoying. I expected Group Policy to be able to enable the Phishing Filter for the Intranet zone. Unfortunately, Microsoft hasn't provided that for XP. This blog seems to be accurate – http://www.frickelsoft.net/blog/?p=80
So my choices are to create an ADM and import it, or open my XP Group Policy in Vista. This will upgrade the policy, I'll be able to see the option to enable the Phishing Filter in the Intranet zone, and it will apply to IE7 on XP computers. I've been a bit leery of “upgrading” my policies in this way ever since I opened Group Policy from an XP computer and then couldn't open the policies at the Windows 2000 Domain Controller (until a patch was deployed from Microsoft).
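For the first of those two options, here is what a minimal custom ADM template for the Intranet-zone Phishing Filter setting looks like. This is an added example, not the author's template and not Microsoft's own inetres.adm; it assumes that IE7 reads policy-managed zone settings from the Software\Policies\...\Internet Settings\Zones\1 key (zone 1 being Local intranet), and that the per-zone "Use Phishing Filter" action is the value named "2301" with 0 meaning Enable and 3 meaning Disable, which is my understanding of IE's zone registry layout. The category and string names are arbitrary.

```text
CLASS USER

CATEGORY !!Cat_IE7Zones
  ; Policy-managed copy of the Local intranet zone (zone 1).
  ; IE applies values under Software\Policies in preference to the
  ; user's own Internet Options, so this cannot be undone by the user.
  KEYNAME "Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1"

  POLICY !!Pol_IntranetPhishingFilter
    EXPLAIN !!Pol_IntranetPhishingFilter_Help
    PART !!Pol_IntranetPhishingFilter_Part DROPDOWNLIST REQUIRED
      ; Assumption: 2301 is the per-zone "Use Phishing Filter" URL action;
      ; 0 = Enable, 3 = Disable.
      VALUENAME "2301"
      ITEMLIST
        NAME !!Enable  VALUE NUMERIC 0
        NAME !!Disable VALUE NUMERIC 3
      END ITEMLIST
    END PART
  END POLICY
END CATEGORY

[strings]
Cat_IE7Zones="IE7 Zone Settings (custom ADM)"
Pol_IntranetPhishingFilter="Intranet Zone: Use Phishing Filter"
Pol_IntranetPhishingFilter_Help="Turns on the IE7 Phishing Filter for the Local intranet zone. On Windows XP, IE7 uses the Phishing Filter to confirm EV certificates, so sites placed in the Intranet zone (e.g. *.ourdomain.org) get no green address bar while the filter is off for that zone."
Pol_IntranetPhishingFilter_Part="Phishing Filter"
Enable="Enable"
Disable="Disable"
```

Save it as a .adm file, then in the Group Policy Object Editor right-click Administrative Templates, choose Add/Remove Templates, and add the file; because the key lives under Software\Policies it shows up as a true policy rather than a filtered-out preference. After a `gpupdate /force` on an XP client, the check is that HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 now carries 2301 = 0 and that the Phishing Filter entry under Internet Options, Security, Local intranet, Custom level is greyed out at Enable. Since the ADM only changes the XP-era editor's view of the policy, it avoids the policy-upgrade step described above.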
PowWeb Mass Hack
I logged into the forums of PowWeb (my web host) and found they were majorly owned last night. The powers that be aren't saying anything at all, but other users are reporting that malicious JavaScript (detected as Psyme) was added to many of their web pages, particularly index pages.
PowWeb reset all passwords used for Ops (their web control panel) and mailed one-time passwords to users. They have now removed the viral code added to the user files. They have not reported how this occurred.
My sites don't seem to have been affected at all.
Targeted attacks on Wordpad Zeroday
Computer Associates blogged over the weekend about increasing attacks on the WordPad zero-day originally reported in December.
In the attack, a malicious document is created with the extension .DOC, .RTF or .WRI. You must manually open the document for the attack to take place. If Office is installed, .DOC files will likely open in Microsoft Word, which is not vulnerable. However, .WRI files will likely still open in WordPad.
Microsoft reports that this issue does not affect Windows XP Service Pack 3 or Windows Vista. Really, you should have that installed by now. To obtain this update, go to http://update.microsoft.com.
User Education
Over at the impactalabs blog, Kevin Lam comments about a company that sent an all-employee email warning users about an IKEA phishing/malware email.
This hit on something that I've been forced to re-examine this week: is it effective to send all-employee emails warning about the latest virus attack on the internet?
I believe that if you find yourself regularly sending all-employee emails about security to users, then you should examine the technology you've chosen. Why is it leaking like a sieve? To send an emergency email about a security threat, the email should be timely and actionable. In our case, if we don't know of a single email getting through to the users, is it really necessary to warn them? The only answer I see is that they may infect us by using the ISP's webmail or checking personal email when outside our firewall.
Is it really necessary to raise security awareness through dire warnings about things that don't affect the user anyway? It seems more appropriate for a security awareness newsletter or website. That is assuming users are trainable, which is a whole ‘nother story.
AIM 6.8 login fails through IM Manager
Beginning yesterday, AIM 6.8 clients couldn't log in through Symantec IM Manager. This was caused by a change in AOL's SSL certificate for kdc.uas.aol.com, and IM Manager could no longer validate the cert. IM Manager is an enterprise IM security and logging product.
A workaround is posted on the IM Manager knowledgebase.
20080109
I read a couple of interesting blog posts today about sites getting hacked.
Sunbelt Blog had an example of a hacked site that redirected you to malware if you got to the site through a link (such as from a search engine). Otherwise, the site displayed normally.
The Kaspersky analyst diary had more information. In a dark form of search engine optimization, the attackers would find the search results for a search term and then compromise the popular results that they could. Adding an iframe is so 2006, so they'd modify existing JavaScript on the page to run their code and redirect users to Antivirus 2009 websites.