Block Viruses Distributed by Web Pages

Computer Security for Schools and Small Businesses

For a small-to-medium enterprise like a business or library, protection of its computer network is not easy.  Hackers are constantly concocting new ways to infect the network (with viruses and other malware) by way of the web pages that network users visit.  Although the enterprise can choose from an array of tools to protect its network, those tools can be expensive and cumbersome.  No tool or combination of tools is perfect.  Finding the right mix of cost, effectiveness and ease of use is a problem.

To answer this problem, CyberPatrol has developed a smart service for steering network users away from dangerous web sites.  Known as SiteSURV, the service relies on CyberPatrol’s SiteCAT system, which constantly crawls (spiders) the web to assess and categorize web pages.  The service provides two layers of filtering.  One layer examines sites according to their content and purpose, and then blacklists those that appear to be dangerous.  The second layer specifically analyzes files and downloads from each site to ascertain whether they contain signatures for known malware.

I asked Chris Overton, VP of CyberPatrol, to explain these two layers of protection.  First, he highlighted the security achieved just by keeping users away from sites of questionable content:  “Certain types of sites tend to deliver malware more than others.  Along with adult and XXX sites, “parked domains” and “warez” sites are more likely to deliver malware than other site categories.  We know this because files pulled from these sites have a higher percentage of malware infection than files from other sites.  So, we can infer that preventing access to these dangerous site categories will advance the fight against malware infections.  Preventing access to a dangerous site protects against all the malware at that site, regardless of whether anyone has developed signatures to detect any or all of the different malware there.”

Chris further described what SiteCAT does when it crawls a web site:  “SiteCAT’s algorithms analyze a web site based on several factors – content, structure, link count, link references, and so on.  Based on this analysis, our system decides which pages/files to download from that site.  Typically we’ll download the main index page of a site and analyze it; then our algorithms decide how much deeper to dig.  All files we want to analyze are pulled by the crawler and saved into our analysis archive.  Then the files feed into a malware detection engine, which looks for the signatures of malware such as a virus or a worm.  If we detect any malware when we crawl the site, we can blacklist it and prevent all of the malware the site might deliver, even malware that we have not specifically detected.”

In other words, SiteSURV allows an enterprise to adopt a conservative, one-strike-and-you're-out approach toward web sites.  If a site either contains suspicious content or manifests one instance of infection, the enterprise can block it entirely.
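The two layers described above, as an added example that is not CyberPatrol's code: a minimal model of the filtering decision.  Layer 1 blocks by site category; layer 2 blacklists a whole site as soon as any file crawled from it matches a malware signature (the one-strike rule).  A site the crawler has never seen is queued for analysis, and the record the crawler produces is shared by every user of the filter.  The category names, the policy for unknown sites, the toy signature list and the sample files are all constructed for this example.

```python
"""
Added example, not CyberPatrol's code: a minimal model of category
filtering plus one-strike malware blacklisting.  Everything below
(categories, signatures, sample sites) is constructed for illustration.
"""
from dataclasses import dataclass, field

# Toy byte-pattern signatures (constructed): pattern -> malware family name.
SIGNATURES = {
    b"MZ\x90\x00EXAMPLE-DROPPER": "Example.Dropper",
    b"eval(unescape(": "Example.JS.Obfuscated",
}


@dataclass
class SiteRecord:
    category: str                                       # e.g. "parked", "warez", "news"
    malware_hits: list = field(default_factory=list)    # families seen on the site


class SiteFilter:
    def __init__(self, blocked_categories, unknown_policy="allow"):
        self.blocked = set(blocked_categories)
        self.unknown_policy = unknown_policy   # "allow" or "block" until analyzed
        self.db = {}                           # host -> SiteRecord, shared by all users
        self.pending = set()                   # hosts queued for the crawler

    def analyze(self, host, category, files):
        """Crawler result for one site: store its category and scan every pulled file."""
        rec = SiteRecord(category)
        for data in files:
            for pattern, family in SIGNATURES.items():
                if pattern in data and family not in rec.malware_hits:
                    rec.malware_hits.append(family)
        self.db[host] = rec
        self.pending.discard(host)
        return rec

    def decide(self, host):
        """Return (verdict, reason) for a request to `host`."""
        rec = self.db.get(host)
        if rec is None:
            self.pending.add(host)             # one user's miss triggers a crawl for all
            return (self.unknown_policy, "uncategorized")
        if rec.malware_hits:
            # One strike: a single detected file blacklists the entire site,
            # including any files the engine has no signature for.
            return ("block", "malware:" + ",".join(rec.malware_hits))
        if rec.category in self.blocked:
            return ("block", "category:" + rec.category)
        return ("allow", "category:" + rec.category)


def demo():
    """Walk three constructed sample sites through the filter; returns the verdicts."""
    f = SiteFilter(["adult", "parked", "warez"])
    first = f.decide("news.example")                   # never seen: queued for analysis
    f.analyze("news.example", "news", [b"<html>plain page</html>"])
    f.analyze("parked.example", "parked", [b"<html>for sale</html>"])
    f.analyze("mirror.example", "software",
              [b"<html>downloads</html>", b"MZ\x90\x00EXAMPLE-DROPPER..."])
    return {
        "first_visit": first,
        "news.example": f.decide("news.example"),
        "parked.example": f.decide("parked.example"),
        "mirror.example": f.decide("mirror.example"),
    }


if __name__ == "__main__":
    for host, verdict in demo().items():
        print(host, verdict)
```

The `unknown_policy` argument is the choice a deployment actually has to make: allowing an uncategorized site until the crawler reports back is the usability-friendly default, while blocking it is the safer one for a network that is under attack from freshly registered domains.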

–Ben Wright, advisor to CyberPatrol


Web Filtering for Hotels, Libraries, Schools

Service for Blocking Porn and Viruses

SiteSURV is Cyberpatrol’s Internet filtering service for small-to-medium organizations, like businesses.  Using a technology called SiteCAT, it filters web sites by inspecting (also known as crawling or spidering) their content and categorizing them according to their apparent purpose.  Categories include malware, pornography, drugs and so on.  User organizations can choose to filter selected categories.

I asked Cyberpatrol VP Chris Overton to discuss how SiteSURV stacks up for user organizations in terms of efficiency, effectiveness and resource requirements.  Chris said:

“Since SiteSURV is a completely in-the-cloud product, it takes up no system resources on the computers it’s protecting.  The only caveat to this is that customers with a dynamic external IP must run our Dynamic IP tool on a single computer behind their access point.

“As far as bandwidth, all the filtering decisions happen at our SiteSURV server, so we’re not using any more of the user’s bandwidth than they’d already be using to browse the web.

“The setup for SiteSURV is very simple, but our online configuration portal gives users the ability to tailor their protection to their needs.  Users that want a set-and-forget product can leave the default settings in place.  Users that want more control can adjust the filtering to their specific needs.

“Filtering the web is hard work because the web is so big and ever-changing.  Our SiteCAT technology holds many advantages over its competitors.  Notably, the categorization results from one user get applied to other users.  For example, if one user of our system tries to browse to a site that SiteCAT has never seen or analyzed, the SiteCAT crawler immediately starts analysis of that site.  The results support all users of our SiteCAT system.  This means that we’re able to find new sites somewhat faster than other systems that rely purely on spidering the web.”

–Ben Wright, advisor to Cyberpatrol

Schools & Businesses: Avoid Drive-by Downloads

Viruses Spread by Booby-Trapped Web Sites?

To distribute viruses, worms, trojans and other malware, hackers increasingly use drive-by downloads.  They set up bogus web sites (often they trick search engines into linking to those sites), and then they infect PCs with bad code when unsuspecting visitors arrive (the drive-by).

To thwart drive-by downloads, traditional anti-virus software tries to evaluate incoming code and stop the malware from causing damage after it arrives.  That strategy is less than perfect.

A newer strategy is to avoid visiting dangerous sites in the first place.  Cyberpatrol supports this strategy with an angle that is especially cost-effective for small-to-mid-sized enterprises (schools, churches, libraries, businesses, community centers).  Enterprise customers can use Cyberpatrol’s SiteSURV 4.0 to prevent users from browsing sites identified as malware spreaders.

Cyberpatrol’s web filtering is based on SiteCAT, a system that constantly crawls the web, categorizing sites according to their purpose.  SiteCAT has been upgraded specifically to look for sites whose purpose is to deliver malware.

Cyberpatrol SiteSURV thus becomes a powerful enterprise weapon in the war against malware.

“In early June, we’ll be releasing SiteSURV 4.0,” says Chris Overton, Cyberpatrol’s VP of Research and Development. “This product takes advantage of our SiteCAT system to protect users from a broad range of online threats.  SiteSURV can typically be configured to protect an entire network in less than 15 minutes, and is extremely cost-effective when compared with other network-wide online security tools.  This new 4.0 version includes very flexible configuration options that will allow each organization to tailor the protection to its specific needs.  It also provides basic reporting features that allow a customer to see what SiteSURV is doing to protect its network.”

–Ben Wright, instructor on the law of electronic records and data security at the SANS Institute.

Facebook In-security

Warning for Business, Corporate and School Computer Networks

Is Facebook safe enough for access by office computers?  For many organizations, the answer is no.  The bad news about the popular social network grows with each passing week.  Facebook has been plagued with the Koobface worm (some call it a virus), which has used Facebook to infect (or attempt to infect) work PCs.

Now Facebook faces the scourge of the Dancing Girl.  The Dancing Girl lure arrives as an e-mail appearing to be a typical notification from Facebook, saying someone has left you a Facebook message.  The rogue e-mail directs you, the victim, to click to see a video of a sexy dancing girl.  If the victim clicks, he is taken to a fake, Facebook-lookalike page, which instructs the victim to download a software upgrade so that the video can be viewed.  But in truth the software to be downloaded is a group of damaging, malicious programs.

If an employer were to prevent (forbid) access to social network sites, then employees would not be tempted to fall for tricks like this.  To say it a different way:  failure to prohibit Facebook and Myspace can promote a lax computing environment in the office.

Local chapters of the Better Business Bureau (such as the Hawaii chapter and the Chicago & Northern Illinois chapter) have issued warnings about the transmission of malware and the propagation of other threats through social networks, especially Facebook.  Among other scams, bogus posts to a victim’s “wall” can link to dangerous external web pages, which might try to install malicious software through the victim’s web browser.

The Maryland General Assembly blocked its network users from access to social networks, especially Facebook.

Update:  Recent research compares the success rates for propagation of malware via e-mail and via social networks.  Hackers are ten times more successful on social networking sites.

–Ben Wright

At the SANS Institute, Mr. Wright teaches IT administrators how to stay out of jail.

FaceBook & Myspace Identity Theft

Fake Buddy Requests Endanger Office Computers

Protect Education & Corporate PCs

A disturbing trend threatens the security of computers in small organizations like schools, libraries and businesses. Users of social networking sites (such as Myspace, FaceBook and Friendster) are receiving buddy or friend requests from the profiles of fictitious people, or people whose identity has been stolen.

According to “MessageLabs Intelligence: 2008 Annual Security Report,” the rogue profiles are concocted by hackers seeking to propagate spam, spread viruses or steal private information. “The buddy requests appear genuine as they originate from the real social networking site and consequently their headers [are] intact and correct.” Further, says the Report, the e-mail addresses associated with the fake profiles are real, though they were created by software that lets the hacker set up many outlaw e-mail accounts automatically, with little effort on the hacker’s part.

A fake profile may purport to belong to a celebrity, a real friend or even a reputable business person.

The goal of these deceptive buddy requests is to trick the victim into clicking on something unwittingly. The click may deliver spam to the victim, steal personal information or slip malware (like a virus) onto the victim’s personal computer. If the victim is operating from a network at an office or a school, the malware might infect not only the victim’s laptop, but other PCs on the network as well.

Hackers seek personal information about victims so that (among other things) they can manipulate the victims (“phishing them”) into trusting the hackers and disclosing passwords or downloading malware like botnet software. (A botnet is a robotized army of infected computers that does the hacker’s evil bidding.)

Social networks are exploding in popularity.  But they are relatively new computing environments, constantly adding new functionality.  As “Web 2.0,” they emphasize interaction among users and the sharing of multimedia content like video.

All this makes the social nets fertile ground for hackers and scammers. According to the MessageLabs Report, Web 2.0 “toolkits” now empower hackers easily to create boobytraps that look like appealing media but actually deliver something unexpected and sinister to the victim’s machine.

These dangers can motivate businesses and libraries to block, restrict or at least closely monitor social sites visited from their computers.  The Maryland General Assembly, for instance, has blocked Facebook and Myspace from its computers.

–Ben Wright

At the SANS Institute, Mr. Wright teaches IT administrators how to stay out of jail.

Security Threat: Facebook and MySpace at Work

Koobface Virus Spreads among Office Workers

Employees (workers) visiting social networking sites are infecting workplace computers with viruses (or they are subjecting their computers to attempted infections).  Facebook and MySpace are known as breeding grounds for Koobface (technically classified as a “worm”).  Security is a reason for businesses, libraries and schools to block or limit access to social media web pages.

These are documented examples of Facebook being implicated in Koobface infections (or attempted infections) in the workplace or related to the workplace:

  • Richard Larmer, chief executive of RLM Public Relations in New York, had to replace his computer.
  • “[H]undreds of Boston journalists, ad execs and public relations professionals [such as Scott Farmelant of Mills and Co.] who use the popular social networking service have received a Facebook message that purports to link to compromising video of its recipient.”
  • A journalist at Washington City Paper haplessly clicked on a link purporting to be from a colleague at the paper, only to discover that the link caused an infection.

Koobface thrives in social networks because users think they can trust their friends.  The victim believes a trusted friend has left on her “Wall” a link to a video.  Her guard is down, so she clicks the link and then follows Koobface’s diabolical instructions to download a software update.  The worm infects the victim’s computer with malware that seeks to control the computer and steal personal information.

In addition to Facebook and Myspace, Koobface is reported to have infected other social networks, such as Bebo, Friendster, MyYearbook, Classmates.com and Blackplanet.  Experts predict more virus attacks through social web sites.

Although Koobface is not the first virus to spread through Facebook, it is the one that is reputed to have inflicted the most harm.

Update: Local chapters of the Better Business Bureau (BBB) are issuing warnings about the insecurity of Facebook and MySpace.

One strategy for employers is selective blocking, where only certain suspect sites are blocked, with a screen that reminds employees they are responsible for getting their work done.

–Ben Wright teaches computer security law at the SANS Institute.

Screening Twitter from Work or School

Employees Wasting Time with Micro-blogs?

Twitter is popular, and if it is not blocked or forbidden, it can depress workplace productivity.  Twitter is a free service that broadcasts text messages (also known as updates or tweets) of up to 140 characters in length.  Twitter can be addictive, as readers can enjoy the distraction of reading each little instant message as it comes in.

Twitter supports multiple media for sending and receiving.  Users can exchange tweets by way of web pages, electronic mail or mobile (cell) phones (text, IM or SMS).

Responsible use of Twitter can help employees perform their job. For example stock brokers might use Twitter to keep abreast of the latest financial gossip.

But many employers or teachers may have little tolerance for Twitter within their domains.  Although employees or students may need access to Internet-connected computers, Twitter can be a nuisance.  Administrators therefore might adopt a policy that bans Twitter, and take technical steps to block it.  Technical measures might include the deployment of software that blocks certain URLs (such as twitter.com, tweetie.com, facebook.com and myspace.com, which host Twitter or its widgets).
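A URL blocklist check of the kind just described, as an added example that is not CyberPatrol's or the post's own code.  It blocks a listed domain and every subdomain of it, and normalizes the host so that letter case, a trailing dot, an explicit port or a "user@" prefix cannot slip past the list.  It also flags lookalike hosts that merely contain a blocked brand, which is the shape of the fake Facebook page in the Dancing Girl lure in the earlier post.  The domain list, the brand words and the sample URLs are constructed for this example.

```python
"""
Added example, not CyberPatrol's code: domain blocklist matching with host
normalization and a lookalike flag.  The policy lists below are constructed.
"""
from urllib.parse import urlsplit

# Constructed policy: registrable domains to block, plus the brand words used
# for lookalike detection.
BLOCKED_DOMAINS = {"twitter.com", "facebook.com", "myspace.com"}
BRANDS = {d.split(".")[0] for d in BLOCKED_DOMAINS}


def normalize_host(url):
    """Return the lowercase host of `url` without port, userinfo or trailing dot."""
    if "://" not in url:
        url = "http://" + url          # urlsplit only finds a netloc after a scheme
    host = urlsplit(url).hostname      # lowercased; drops user:pass@ and :port
    return host.rstrip(".") if host else None


def is_blocked(url):
    """True if the host is a blocked domain or any subdomain of one."""
    host = normalize_host(url)
    if host is None:
        return False
    labels = host.split(".")
    # Walk the suffixes: api.twitter.com -> twitter.com -> com
    return any(".".join(labels[i:]) in BLOCKED_DOMAINS for i in range(len(labels)))


def is_lookalike(url):
    """True if a blocked brand appears in a host that is NOT under the real domain,
    e.g. facebook.com.video-update.example or www-facebook-login.example."""
    host = normalize_host(url)
    if host is None or is_blocked(url):
        return False
    return any(brand in host for brand in BRANDS)


def classify(url):
    """Verdict for a proxy or filter: 'block', 'lookalike' or 'allow'."""
    if is_blocked(url):
        return "block"
    if is_lookalike(url):
        return "lookalike"
    return "allow"


if __name__ == "__main__":
    for u in ["https://twitter.com/home",
              "HTTP://API.Twitter.COM.:443/1.1/statuses",
              "http://twitter.com@evil.example/",
              "http://facebook.com.video-update.example/",
              "https://example.org/"]:
        print(classify(u), u)
```

Two design points.  Suffix matching is what makes `m.facebook.com` fall under the `facebook.com` entry; exact-string comparison would miss it, and naive substring matching would wrongly block `nottwitter.com`.  The lookalike check is deliberately a flag rather than a block, because it is a heuristic with false positives (that same `nottwitter.com`), so it belongs in the monitoring report rather than in the deny rule.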

Further, an administrator might use Internet monitoring software to discover which time-wasting sites users are visiting – the latest access points for Twitter and other worthless chat.

An administrator who monitors computer usage is wise to warn users of that fact.

Update:  Popular services like Twitter inevitably attract the interest of hackers.  Some Twitter users contracted the StalkDaily virus, a cross-site scripting worm that spread through Twitter profile pages without requiring any download.  For some employees there is no reason to be on Twitter at work, and security is an additional reason to block their access to it.

–Ben Wright.  Mr. Wright teaches data security and e-mail records law at the SANS Institute.