Posts tagged ‘AntiSpyware’

16 Percent of Companies Aren’t Concerned about Spyware

http://www.networkworld.com/columnists/2007/032607edit.html

In a recent study about spyware by Nemertes Research, Senior Vice President Andreas Antonopoulos was surprised to find that 16% of the companies examined were not concerned about the threat.

The article notes that the reason for this isn’t a lack of computer security spending at the companies in question. Nor is it because the companies are small. Frustratingly, the article doesn’t explore further why this is the case. Perhaps it’s in the study, but since that study is cited but not linked we are left to speculate.
Perhaps the companies are not concerned because they’ve solved the problem.
Eugene Kaspersky believes that spyware should be addressed by antivirus vendors, not by a separate product. Perhaps these companies feel their antivirus is good enough.
Perhaps they use HIPS and feel that prevents the spyware from being installed in the first place.
Perhaps users aren’t given local administrator rights.
Perhaps they just have bigger concerns.
At our company we’ve used an anti-spyware product ever since enterprise-ready anti-spyware became available.

Eschelbeck Slams Windows Defender

I was a fan of Gerhard Eschelbeck when he was with Qualys. He’s been pretty much off my radar since he took the CTO position at Webroot. Today he comes out swinging against Windows Defender, as reported in Information Week.

“If you look at the [Defender] data points, they speak for themselves,” says Eschelbeck. “Defender didn’t block 84% of the tested malware. That’s not the kind of performance users are hoping for.” Eschelbeck says that his firm’s research team tested Defender against a suite of Trojan horses, adware, key loggers, system monitors, and other unwanted programs, all of which were gathered from in-the-wild threats. Webroot’s own Spy Sweeper blocked 100% of the threats.

Hmm, so in tests where they gathered the malware, their own antispyware program detected everything and the competitors didn’t do so well. That’s quite a shock.
Take a look at Sunbelt Software’s response when Webroot and Veritest released results last spring.

Eschelbeck also slammed Windows Defender, and by connection, Vista’s security, for infrequent updates. Microsoft currently issues spyware definition updates every seven to 10 days, he says. Webroot, meanwhile, identifies approximately 3,000 new traces of spyware every month. “Users can’t wait for a week or so to have their anti-spyware signatures updated,” says Eschelbeck.

So Eschelbeck is comparing frequency of updates to number of detections added. Apples/Oranges anyone? Hopefully that is the writer’s mistake.
I know nothing about Windows Defender’s update frequency. I do like that it uses an established update channel like Windows Update. However, I prefer my anti-malware apps on the desktop to check for updates hourly.

Holy Cow, Sunbelt Doesn’t Pile on MS

It’s posts like this that keep Sunbelt in the list of blogs I read regularly. In the post they explain why a recent security writer’s claim that “IE7 is still the spyware writers dream” is actually hype.
The vulnerability is that if the bad guy has write access to your computer, he can get a DLL run by IE7 because they are not requiring FQDNs to load a DLL. While this might make it tougher to clean your computer, the bad guy must already have infected your computer to have write access. This is not like the WMF exploit or all the bad ActiveX controls that were in previous IE versions.

SANS 2.2 Desktop Encryption

This is a five-company report on their lessons learned and experience.
Rhonda Maluia from the Naval Special Warfare Development Group spoke on their use of hardware-based encryption. They use Flagstone, a British company (opening U.S. offices shortly).
I took fewer notes on this talk due to the dark background of the slides. Encryption on the hardware device is a very interesting concept that takes encryption out of the hands of the user completely. They don’t even need to know it’s going on.
They were seeking a secure solution with ease of use and the ability to fail securely.
They defined a secure solution as FIPS-compliant AES 128-bit full disk encryption with pre-boot authentication and tamper evidence, and it works.
The more the user has to do, such as putting data in a “secure” folder, the less a solution works. They wanted minimal user intervention and moving parts, a low learning curve and good performance.
The device locks after 5 failed logon attempts. After 5 recovery attempts, the data is gone.
Obviously you still need antivirus, personal firewall, antispyware, etc.
Monty McDougal is speaking on behalf of TrueCrypt. This is a free open source solution for Linux and Windows.
I didn’t take a lot of notes because I’m not interested in this product. One thing that I think would be true across the board is that unexpected power outages can be devastating to the file system. This is harder to recover from with full disk encryption. Backups are key.
Matt Norris
Matt uses Netapp Decru to address the problem of Tape Backup Encryption.
Most people are not addressing the issue of tape backup encryption. This is a real issue.
Q. Do you encrypt all backups?
A. Yes.
Tape backup encryption is tough. We’ve all heard stories of needing to recover from 10 year old backups and trying to install the backup software and find the license key. Now imagine that with encryption.
Regarding performance issues, he says that tapes aren’t wire speed anyway.
The NetApp appliance connects to the Fibre Channel switch and is passed the data.
I don’t have any notes on the other two speakers.

SANS Section 1.3 Top Mistakes in Deploying Mobile Data Encryption

Again these are my notes from the SANS Secure Storage and Encryption Conference. In Session 1.3 four companies discuss their experiences deploying encryption.
JP Morgan Chase – Guardian Edge EPHD
48k laptops deployed.
They found problems due to standardization issues and multiple support teams.
Key Challenges
- If your goal is to encrypt data on laptops specifically you need to be able to find the laptops and know how many you have.
- multiple support organizations
- New login for users
I didn’t quite understand the login issue. Are their users now faced with a dual login where they authenticate to the encryption software and then again to Active Directory?
Reports! Produce reports showing install rates. Highlight the departments doing well.
Your biggest problem will be the guy who likes to screw around with hacker tools even though it’s not part of his job.
You need to be able to validate that encryption has occurred and continues to occur.
Backups are crucial.
They found that if you boot to safe mode and run defrag you will kill your master boot record. I wonder what that says about booting to safe mode to fix spyware issues. HMMMM.
People think this will slow down their PC. They won’t do it on their own. (I would say that the users who have customers demanding it will do it.)
Q – How do you deal with the engineer/hacker wannabe who thinks they know better
A – Log agent with central aggregator.
Northrop Grumman – also using Guardian Edge
High level buy-in is key
They had lots of pushback initially, but the installs turned out to be not that big of an issue.
You don’t want your customer coming back to you and saying your encryption isn’t good enough. That is why they did full disk AES 256.
They spent a lot of time with legal on export control issues. We all know about the axis of evil countries where you can’t export software. But what about less known laws where bringing an encrypted laptop in can cause problems? They have a list of 20 countries that they can’t go to with their computer. Corporate Security and the Travel office coordinate so people going to these countries don’t have sensitive info and use a vanilla PC without encryption.
Communication is key in the deployment. The initial encryption time can be an issue.
Northwest Mutual - Safeboot, Credent Mobile Guardian
Q – How did you verify that the solution is installed?
A – They used Altiris to look for specific EXEs.
Q – How did you handle multi-user PCs?
A – I didn’t quite get this. It sounded like you have to assign each user the rights to log on.
Use full disk encryption – you don’t want to leave the decision in the user’s hands.
Users would reboot on their way out for the day. As a result unattended SMS installs did not work. They had to change user behavior.
FDIC Credent Mobile Guardian
Credent does GINA Chaining
In your project you need to give users the confidence that you aren’t going to disrupt them.
Don’t go for the big bang. Test in small groups and deploy.
Lessons Learned -
- Confirm the product’s ability to encrypt data regardless of location type and structure. Fill in the gaps where necessary. (My comment: it can be a real issue when the project scope is defined one way and people start asking about other features.)
- Don’t deploy to many things at once. Everything will get blamed on the encryption.
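The speakers keep coming back to the same three checks: find the laptops, confirm the agent EXE is present, and validate that encryption continues to occur, then report install rates per department. As an added example that is not from the SANS notes or any vendor’s tooling, here is a small compliance report over a constructed inventory; the record fields, departments, hostnames and the seven-day staleness threshold are all assumptions.

```python
"""Encryption-rollout compliance report (added example, constructed data).

Each record is assumed to come from an inventory/log agent and carries the
department, whether the encryption agent EXE was found (the Altiris-style
check from the talk) and when the host last reported its disk as encrypted.
"""
from datetime import datetime, timedelta

# Constructed sample inventory, not real hosts.
INVENTORY = [
    {"host": "lt-fin-01", "dept": "Finance", "agent_exe": True, "last_verified": "2007-03-20"},
    {"host": "lt-fin-02", "dept": "Finance", "agent_exe": True, "last_verified": "2007-03-21"},
    {"host": "lt-eng-01", "dept": "Engineering", "agent_exe": True, "last_verified": "2007-02-01"},
    {"host": "lt-eng-02", "dept": "Engineering", "agent_exe": False, "last_verified": None},
    {"host": "lt-eng-03", "dept": "Engineering", "agent_exe": True, "last_verified": None},
]


def host_status(rec, now, max_age_days=7):
    """'missing' (no agent EXE), 'unverified' (agent present but never reported
    encrypted), 'stale' (last report older than max_age_days) or 'ok'."""
    if not rec["agent_exe"]:
        return "missing"
    if rec["last_verified"] is None:
        return "unverified"
    age = now - datetime.strptime(rec["last_verified"], "%Y-%m-%d")
    return "stale" if age > timedelta(days=max_age_days) else "ok"


def compliance_report(inventory, now, max_age_days=7):
    """Per-department verified rate plus the hosts that need follow-up."""
    report = {}
    for rec in inventory:
        dept = report.setdefault(rec["dept"], {"total": 0, "ok": 0, "followup": []})
        dept["total"] += 1
        status = host_status(rec, now, max_age_days)
        if status == "ok":
            dept["ok"] += 1
        else:
            dept["followup"].append((rec["host"], status))
    for dept in report.values():
        dept["rate"] = round(100 * dept["ok"] / dept["total"])
    return report


if __name__ == "__main__":
    now = datetime(2007, 3, 26)
    ranked = sorted(compliance_report(INVENTORY, now).items(), key=lambda kv: -kv[1]["rate"])
    for name, d in ranked:  # best departments first, as the talk suggests
        print(f"{name}: {d['rate']}% verified ({d['ok']}/{d['total']}) follow up: {d['followup']}")
```

A host with the agent installed but no recent "encrypted" report is deliberately not counted as compliant, which is the "continues to occur" check from the talk.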

Myspace-Quicktime-Zango phishing worm

Several sites are reporting a worm infecting Myspace profiles and attempting to phish passwords through the use of JavaScript in Quicktime files. The vulnerability sounds similar to the Word URL autolaunch vulnerability or the same problem in Adobe.
An exploited user profile in Youtube will contain a Quicktime file. The Quicktime file will likely play without user interaction when they go to the webpage. This will use JavaScript to open a popunder and also infect your Youtube profile if you have one.
More info is available:
F-Secure Weblog
Websense
SpywareGuide

The IM Blocker is working

Getting hit with some spyware laden links here at work. Our blocker got it no problem. But for everyone without IM protection watch out for
hxxp://nsl-school.org/?id=18388
hxxp://nsl-school.org/?id=winning_list
hxxp://mytermex.com/?news_id=18388
hxxp://mytermex.com/?id=virus_shield
hxxp://nsl-school.org/?id=news X-(
http changed to hxxp to avoid anyone accidentally infecting themselves. If you go to the sites, you’re on your own.
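For anyone who wants the same protection without a commercial IM blocker, here is an added example (not the blocker the post describes) of a minimal link filter: it takes defanged hxxp:// indicators like the ones listed above, reduces them to hostnames, and flags any link in a message whose host matches a listed host or one of its subdomains. The message text and the www. subdomain are constructed.

```python
"""Minimal IM link filter driven by defanged indicators (added example)."""
import re
from urllib.parse import urlsplit

# Two of the indicators quoted in the post, kept defanged as published.
DEFANGED_INDICATORS = [
    "hxxp://nsl-school.org/?id=18388",
    "hxxp://mytermex.com/?news_id=18388",
]

URL_RE = re.compile(r"\bhttps?://[^\s<>\"']+", re.I)


def refang_host(indicator):
    """'hxxp://host/path' -> 'host' (lower-cased); only the scheme is refanged."""
    url = re.sub(r"^hxxp(s?)://", r"http\1://", indicator.strip(), flags=re.I)
    return urlsplit(url).hostname.lower()


def build_blocklist(indicators):
    """Block at host level: the query strings vary per campaign, the hosts do not."""
    return {refang_host(i) for i in indicators}


def blocked_host(host, blocklist):
    """True if host equals a blocked host or is a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == b or host.endswith("." + b) for b in blocklist)


def scan_message(text, blocklist):
    """Return the links in an IM message that hit the blocklist."""
    hits = []
    for url in URL_RE.findall(text):
        host = urlsplit(url).hostname
        if host and blocked_host(host, blocklist):
            hits.append(url)
    return hits


if __name__ == "__main__":
    bl = build_blocklist(DEFANGED_INDICATORS)
    msg = "lol check this http://www.nsl-school.org/?id=news and http://example.com/"
    print(scan_message(msg, bl))  # constructed message; only the nsl-school.org link is flagged
```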

Practicing Safe Surf

In other news, the sky is blue, porn sites are sleazy, and everything isn’t as it seems on MySpace.
http://sourcewire.com/releases/rel_display.php?relid=27686&hilite=

A survey of over 600 UK respondents showed that young men are significantly more likely to be infected with spyware than their female counterparts. The likelihood of infection was increased by the risky online behaviour of young males, such as opening instant messages (66%), downloading files (65%) and visiting adult entertainment sites (56%).

“The chances of becoming infected with spyware rapidly increase when performing certain online behaviour, such as visiting adult entertainment sites or social networking sites such as MySpace.com”,  said David Moll, CEO of Webroot. “These sites have become a breeding ground for spyware.”

MVP in Spyware pushing?

Yet Another Zero Day: Vulnerability in Vector Markup Language

Microsoft is reporting that there is a zero day in Vector Markup Language. This vulnerability can be exploited to install software (such as spyware) without your knowledge when you visit a website in IE or open an email in Outlook.
Currently there are some workarounds and Microsoft is planning on releasing a patch on patch Tuesday in October. By implementing the workarounds, websites that use Vector Markup Language will no longer work correctly. I have not seen any reports of just how bad that would be.
The mitigation options are to deregister the VML DLL or to change the ACL on that DLL so that the Everyone group is denied access.
Jesper has an example of how to create a security template to deploy this file permission through group policy.
The problem with these methods is that you are making a security change that is really weird, and you don’t know how it will affect the patching process when an official patch is released. With the WMF patch, the people who disabled this needed to re-enable it in order to apply the patch, IIRC. While that may be easy on an individual computer, it is kind of worrisome for an enterprise.