Archive for April, 2010

Scareware a hit, according to Google

Friday, April 30th, 2010

Google has analysed 240 million web pages over a 13-month period and discovered that fake anti-virus programs (scareware) account for 15 per cent of the malicious software it detected, according to a report by the BBC.

The study expresses surprise that people fall victim to these attacks, and even hand over credit card details. The problem is, scareware doesn’t always come in one easy-to-recognise form.

Most users should have an up-to-date anti-virus suite on their computers, so logically they should realise that they don’t need any more protection, but something obviously gets in the way of the user’s thought process when confronted with the dreaded dialogue box.

They don’t know the risk – the user may be from a vulnerable group and easily exploited, or may be completely in the dark about computer security.

Apathy – the user may be at the end of a long day and just want to get on with what they logged on to do, clicking on anything to make the annoying box disappear.

Panic – scareware targets people in the safety and comfort of their own homes. It often throws out alarming warning messages, offers to perform a free system scan and then reports even more alarming results.

Design – most of these programs aren’t designed to make saying ‘no’ easy. There may be no visible way to close the dialogue box without clicking on an option. Sometimes the only choice is to close the browser window completely or use Task Manager to kill the process, which makes it harder to avoid for those who just want to be left alone.

The tendency is to click first and think later, which results in the installation of malware. So if something pops up on the screen that you weren’t expecting, don’t click it; close the browser window or kill the process instead.

India tops the virus charts in April

Friday, April 30th, 2010

India now accounts for just under 10 per cent of the world’s viruses and 7.40 per cent of spam mail, as revealed in our threat analysis for April.

Of course, it’s no surprise that India has become a major player in the cyber crime world: a number of issues have already been identified with the nation’s IT security.

The New York Times recently reported that India is one of the countries in which spammers recruit people to solve website CAPTCHA codes for them. According to the newspaper, people can make $6 every 15 days doing this work, which may not seem like much, but to students and low-paid workers it can be a valuable extra source of income. To some, the ethics of IT security will be the last thing on their mind.

And yet, India has one of the most sophisticated and fast-growing IT sectors in the world: Gartner forecasts that the IT sector will continue its rapid growth in India and that the IT security market will grow more than 20 per cent in 2010, which may go some way to tightening security.

This is a complex problem, and one that takes into account socio-economic issues as well as security. But unless IT security laws are strengthened, India will still be an attractive base for cyber criminals to launch attacks.

For more details on the April threat stats visit the Network Box website.

Keeping sports clubs secure

Monday, April 26th, 2010

A recent survey by PricewaterhouseCoopers has revealed that hacking and denial of service attacks have doubled in the last two years. The survey found that 15 per cent of large organisations detected unauthorised access to their networks in the past year, and 25 per cent of large organisations have been victims of denial of service attacks.

Businesses such as sports clubs, which conduct much of their business and customer engagement online, need to be especially wary of the perils of weak security, as it is not just their network that is at risk from attack, but the private customer and player details they collect, too.

We work with a number of sports clubs, and have just released a free guide which details how sports clubs can secure themselves from the major threats that they face online. We’ve also addressed how best to manage bandwidth, which is vital for clubs that stream video on their websites. If you’re involved in the sports business, please do take a look at it and let us know what you think.

Among the recommendations we make in the guide, we advise clubs to:

o    Secure external connections
o    Control what content can and can’t be downloaded
o    Secure applications and limit administrator access to them
o    Conduct a regular review of security systems
o    Educate employees on the importance of security
o    Don’t leave computers unattended
o    Keep all security systems updated
o    Ensure data is routed correctly
o    Check all data leaving the building
o    Keep audit logs
o    Deploy a load balancing solution to manage bandwidth
o    Seek expert advice – working with an external, managed service company can reduce costs by between 20 and 40 per cent.

The guide can be downloaded for free from the Network Box website.

The Google attack and single sign-on systems

Tuesday, April 20th, 2010

In a world where we’re being constantly tweeted, messaged and emailed it can be difficult to remember that the links being sent to us can lead us to malicious sites, but nothing brings this point home more than the cyber attacks on Google last year.

The New York Times has reported that the source code of Google’s single sign-on system, Gaia, was stolen during these attacks, which began after a Google employee in China clicked on a link sent to them via instant message. Gaia, a password system used by millions of people for email and business applications, has since been replaced by a new single sign-on system.

However, single sign-on systems, whilst sparing users from having to create and remember many passwords, concentrate risk: whoever learns the single password, or breaks into the password database behind it, gets every account under that login. Two factor authentication should be in place so that a stolen password alone is not enough to get in.

Until this authentication is in place, perhaps businesses should think twice about placing important company data in the cloud.

Facebook and YouTube at work: balancing the risks and rewards

Thursday, April 15th, 2010

If you had to guess, what do you think would be the most visited website for your business? If you answered Google, you’d be wrong. In the first quarter of 2010, Google accounted for 3.4 per cent of all URLs accessed by businesses, but came second to Facebook, which was visited twice as much at 6.8 per cent (up one percentage point on Q4 2009).

Facebook has become immensely popular as a way for people to stay in touch with friends and family during the working day. Businesses and authorities have tried banning employees from accessing it at work, and have even tried to block the site, sometimes to little effect. Blocking is not as trivial as it may seem: some filtering solutions cannot detect access made through proxy servers, for instance. So while much of the debate about using Facebook at work has centred on its impact on productivity, the main concern should be security, as social network users are likely to download applications to add to their profiles, and those applications can be malicious or leak data and so breach network security.

Banning Facebook can impact staff morale, and, as mentioned above, can lead to employees trying to access the site via proxy servers, so it’s worth taking time to formulate a response to social network usage. For more details see our free guide on the secure use of Facebook.

We’ve also discovered that the largest consumption of corporate bandwidth (as opposed to the number of hits) in Q1 2010 was YouTube, at 10 per cent, which was more than double that used by Facebook at 4.5 per cent. That’s at least 14.5 per cent of corporate bandwidth that is being used by what we can assume is a mainly non-business related activity (note that some companies may use YouTube and Facebook for business reasons).

Perhaps these figures are an indication of just how much businesses are embracing new media. Or, more likely, they show how important social media has become in our personal lives. Whether employees are accessing these sites with the full knowledge and authority of their employers or not, one thing is clear: business owners must have a policy in place for social media usage, and must ensure that they have a solid security solution in place to mitigate the risks involved in using these websites.

Domain Name System Changes

Wednesday, April 14th, 2010

The Domain Name System (DNS) is undergoing a change that was started in December 2009 and is intended to complete in July of this year, 2010. In the light of a number of DNS vulnerabilities, and exploits of them, identified over the past year or so, a more secure implementation is being brought into play, which could cause connectivity problems in some cases.

The primary issue is that DNS is not authenticated: a resolver has no way of telling a genuine answer from a forged one. An attacker can insert equipment between the customer and the legitimate DNS server, intercept DNS requests and respond with the IP address of a malicious site; an attacker who is not in the path can attempt the same thing by racing the real server with forged responses.

The DNS is structured like a file system, with the core servers at the root; this is called the “Root Zone”. If answers from these servers can be forged or intercepted, the false data is cached by recursive name servers and passed on to every client that uses them, steering everyone to the malicious site.

The solution is to provide some way of verifying the answers from these servers, and this is being done through extensions to the DNS which are collectively called DNSSEC (Domain Name System Security Extensions). Using DNSSEC, the records in the root zone are digitally signed, so a resolver that holds the root zone’s public key (its trust anchor) can check that the data it received is what the zone operator published and has not been altered in transit. Note that DNSSEC authenticates data only; it does not encrypt queries or responses.

So far so good, but the signatures and keys have to be carried in the responses, so many of them will be larger than the 512 bytes that classic DNS over UDP allows. Such answers rely on EDNS0, and the largest on IP fragmentation or on falling back to TCP. This can be an issue with older firewalls (http://net.berkeley.edu/DNS/dnssec.html#dnssecfw) that block UDP DNS packets larger than 512 bytes, drop fragments or block TCP on port 53. Domain name lookups may still work but may not be as fast as they were before. In addition, recursive name servers may be affected, and it is important to test for problems as soon as possible; see below for some suggested tests.

An aside to our customers: you do not need to worry, as all Network Boxes include a full recursive name server which has been tested for DNSSEC compatibility, and the Network Box firewall passes the required responses securely, quickly and efficiently.

Testing for DNS Compatibility

The following tests are courtesy of Mark Andrews of the ISC (http://www.isc.org/). Companies should ensure that they have run these tests, or something like them, before May 5th, when the major part of the changeover will be done. If you are Windows-based, ‘dig’ is included in the BIND release for Windows, available free at:

http://www.isc.org/software/bind/96-esv/download/bind96-esvzip

L.ROOT-SERVERS.NET is the first of the root servers to switch to a signed copy of the root zone and can be used for testing. This version of the root zone has been configured deliberately so that it cannot be validated. Its purpose is to allow operators to test whether they can receive signed responses cleanly.

Test Procedure

1. First test that a basic DNS lookup works, to ensure the root servers can be reached. +norec asks for a non-recursive answer, +nodnssec leaves the DNSSEC OK (DO) bit unset so the answer stays small, and +ignore tells dig not to retry over TCP if the answer comes back truncated:

$ dig +nodnssec +norec +ignore ns . @L.ROOT-SERVERS.NET

;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9367

;; flags: qr aa; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 15

2. Next test whether the system can receive an answer that is greater than 512 bytes. +dnssec sets the DO bit and advertises an EDNS0 UDP buffer size, which is what allows the server to send an answer larger than the classic 512-byte limit; this simulates how named makes its initial queries. Most signed responses fit between 512 bytes and 1500 bytes and are returned in a single unfragmented UDP packet. This test is designed to check that case:

$ dig +dnssec +norec +ignore ns . @L.ROOT-SERVERS.NET

;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60117

;; flags: qr aa; QUERY: 1, ANSWER: 14, AUTHORITY: 0, ADDITIONAL: 21

. 518400 IN RRSIG NS 8 0 518400 20100307080000 20100228070000 23763…

3. If the system returns data like that above, the next step is to see whether the system can receive a response greater than 1500 bytes. Such responses are normally fragmented, so this test will find out whether the firewall passes fragmented UDP packets. If it does not, named sees timeouts and falls back to plain queries without EDNS, which produce truncated answers and trigger the use of TCP; this should be avoided, and it slows down the resolution process.

$ dig +dnssec +norec +ignore any . @L.ROOT-SERVERS.NET

;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61647

;; flags: qr aa; QUERY: 1, ANSWER: 22, AUTHORITY: 0, ADDITIONAL: 21

. 518400 IN RRSIG NS 8 0 518400 20100307080000 20100228070000 23763…

. 86400 IN DNSKEY 256 3 8 …THIS/IS/AN/INVALID/KEY/…

. 86400 IN NSEC ac. NS SOA RRSIG NSEC DNSKEY

4. Finally, test that the firewall passes outbound DNS requests over TCP (port 53). Even when using the extension mechanisms for DNS (EDNS), some answers will not fit into a UDP packet, and such responses require the query to be repeated over TCP. The +vc (“virtual circuit”) option forces dig to use TCP; newer versions of dig also accept +tcp:

$ dig +dnssec +norec +vc any . @L.ROOT-SERVERS.NET

;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5409

;; flags: qr aa; QUERY: 1, ANSWER: 22, AUTHORITY: 0, ADDITIONAL: 21

. 518400 IN RRSIG NS 8 0 518400 20100307080000 20100228070000 23763…

. 86400 IN DNSKEY 256 3 8 …THIS/IS/AN/INVALID/KEY/…

. 86400 IN NSEC ac. NS SOA RRSIG NSEC DNSKEY

For each of the above tests, the ‘dig’ command will return a footer showing query time and response message size. You can verify these to ensure they make sense and that the query response time is acceptable.  You might expect the following values:

;; Query time: 384 msec

;; SERVER: 199.7.83.42#53(199.7.83.42)

;; WHEN: Mon Mar 1 09:56:36 2010

;; MSG SIZE rcvd: 1906
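A small wrapper for the four-step procedure above, added here as an example and not part of the original post or of ISC’s test instructions. It runs the same dig commands (using +tcp, the current name for +vc) and applies the checks a firewall administrator would otherwise make by eye: the answer arrived at all, its status is NOERROR, the tc (truncated) flag is absent, the reported message size is in the expected band, and signed answers carry an RRSIG record. The 513-byte and 1501-byte minimum sizes are assumptions taken from the size bands the procedure describes, and the sample outputs at the bottom are constructed in the style of the listings above (not real captures) so that the checker can be tried offline.

```shell
#!/bin/sh
# Added example, not part of the original post or of ISC's test procedure.
# Runs the four root-server tests described above and judges dig's output
# instead of reading it by eye. Assumes 'dig' is on the PATH for run_root_tests;
# the 513/1501-byte thresholds are assumptions taken from the size bands above.

# check_dig_output MIN_SIZE NEED_RRSIG
#   Reads one dig run's output on stdin; prints PASS or FAIL:<reason>.
#   MIN_SIZE   smallest acceptable "MSG SIZE rcvd" value (0 = don't care)
#   NEED_RRSIG 1 if the answer must carry an RRSIG record, 0 otherwise
check_dig_output() {
    min_size=$1
    need_rrsig=$2
    out=$(cat)

    # No answer at all: dropped fragments or a blocked port show up as a timeout.
    case "$out" in
        *"connection timed out"*|*"no servers could be reached"*)
            echo "FAIL:timeout"; return 1 ;;
    esac

    # The server must have answered NOERROR.
    case "$out" in
        *"status: NOERROR"*) ;;
        *) echo "FAIL:status"; return 1 ;;
    esac

    # The tc flag means the answer was cut down to fit 512 bytes, which is
    # what happens when EDNS is not honoured; a resolver would retry over TCP.
    flags=$(printf '%s\n' "$out" | sed -n 's/^;; flags: \([^;]*\);.*/\1/p')
    case " $flags " in
        *" tc "*) echo "FAIL:truncated"; return 1 ;;
    esac

    # Message size from dig's footer (real dig prints two spaces after SIZE).
    size=$(printf '%s\n' "$out" | sed -n 's/^;; MSG SIZE *rcvd: *\([0-9]*\).*/\1/p')
    if [ "${size:-0}" -lt "$min_size" ]; then
        echo "FAIL:size"; return 1
    fi

    # A signed answer must carry at least one RRSIG record.
    if [ "$need_rrsig" = 1 ] && ! printf '%s\n' "$out" | grep -qE '[[:space:]]IN[[:space:]]+RRSIG[[:space:]]'; then
        echo "FAIL:no-rrsig"; return 1
    fi

    echo "PASS"
}

# The four ISC tests, in order, against L.ROOT-SERVERS.NET. Needs network
# access and dig, so it is not run automatically below. +tcp is the current
# spelling of the +vc option used in the post.
run_root_tests() {
    srv=@L.ROOT-SERVERS.NET
    echo "1 basic lookup    $(dig +nodnssec +norec +ignore ns  . $srv | check_dig_output 0    0)"
    echo "2 EDNS >512 bytes $(dig +dnssec   +norec +ignore ns  . $srv | check_dig_output 513  1)"
    echo "3 fragmented UDP  $(dig +dnssec   +norec +ignore any . $srv | check_dig_output 1501 1)"
    echo "4 TCP             $(dig +dnssec   +norec +tcp    any . $srv | check_dig_output 1501 1)"
}

# Constructed sample outputs, abridged in the style of the listings above
# (not real captures), so the checker can be exercised offline.
SAMPLE_OK=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61647
;; flags: qr aa; QUERY: 1, ANSWER: 22, AUTHORITY: 0, ADDITIONAL: 21
.   518400 IN RRSIG NS 8 0 518400 20100307080000 20100228070000 23763 . AAAA
;; Query time: 384 msec
;; MSG SIZE  rcvd: 1906'

SAMPLE_PLAIN=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9367
;; flags: qr aa; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 15
;; Query time: 201 msec
;; MSG SIZE  rcvd: 492'

SAMPLE_TRUNCATED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr aa tc; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; Query time: 120 msec
;; MSG SIZE  rcvd: 28'

SAMPLE_TIMEOUT=';; connection timed out; no servers could be reached'

# Offline demonstration of the checker on the samples.
printf 'OK        %s\n' "$(printf '%s\n' "$SAMPLE_OK"        | check_dig_output 1501 1)"
printf 'PLAIN     %s\n' "$(printf '%s\n' "$SAMPLE_PLAIN"     | check_dig_output 0    0)"
printf 'TRUNCATED %s\n' "$(printf '%s\n' "$SAMPLE_TRUNCATED" | check_dig_output 513  1)"
printf 'TIMEOUT   %s\n' "$(printf '%s\n' "$SAMPLE_TIMEOUT"   | check_dig_output 1501 1)"
```

Run the file as-is to see the checker on the constructed samples, or call run_root_tests from a shell that has dig and network access to test a live firewall. A FAIL:timeout on test 3 with a PASS on test 2 is the classic sign of a firewall that drops fragmented UDP; FAIL:truncated on test 2 means EDNS answers over 512 bytes are being blocked; a failure on test 4 alone means outbound TCP on port 53 is blocked.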

Round Up

If you did not receive responses like the ones indicated above, then you will have to fix your firewall so that it passes UDP DNS responses larger than 512 bytes, fragmented UDP packets and DNS over TCP. If you did, then all is well and you should not have any problems when all the root servers are serving the signed root zone.

If you have any questions about this then you can always post a question to us on Twitter (www.twitter.com/networkbox), email us on info@network-box.co.uk or contact your service provider for more information.

Network Box customers do not need to do anything but if you have any questions then please contact us by ticket or phone and the support team will be happy to help.

Apps and Remote Working: the new threats to corporate security?

Tuesday, April 13th, 2010

There’s no doubt that remote working is gaining in popularity. In 2009, Management Today reported that around 3.5 million people were working from home. Remote working can bring huge benefits to an organisation, in overhead reduction and productivity levels, but at what cost?

We’ve just conducted a survey of 250 companies across a variety of sectors, asking IT managers what their top priority was for the coming year: 59 per cent said it was remote working. Businesses cannot change the trend towards remote working; in fact they probably want to encourage it because of the benefits. But businesses that use remote workers must ensure that their IT department is prepared to put the required security measures in place. We’ve already produced a guide on how businesses can secure remote workers, which can be downloaded for free from our website.

When we asked what their biggest security concern was, 43 per cent of IT managers cited social network apps as a major worry (shockingly, 56 per cent of those questioned said that employees downloaded unapproved applications), and 36 per cent were concerned about employees clicking on links sent via social networks such as Twitter.

IT departments need to have a security policy which is flexible enough to change as and when new applications are approved for use, (see our free guide on application management for more details), so that businesses can keep up with the latest trends in communication, and employees can use these systems with security in mind.

Phishing attacks coming from Korea

Thursday, April 8th, 2010

We’re seeing a significant increase in phishing attacks originating from Korea (specifically South Korea). We classify phishing attacks as malware rather than spam, as the purpose and content of these emails are malicious, which in our figures gives South Korea the dubious honour of being the world’s largest producer of internet malware, above even the US.

These phishing attacks are the result of a rise in the number of compromised computers in South Korea, which are being used to send out phishing emails across the world.

It is an interesting development. South Korea hit the headlines recently with the news that the personal information of 20 million people had been stolen and sold on. While three South Koreans were arrested, the data had been bought from Chinese hackers who, as far as we know, are still at large. The South Korean authorities acted quickly and have gone on record as clamping down on this sort of data leakage, but the figures show that data has a real value to criminal gangs often working across borders. These sorts of attacks rely on the availability of large numbers of unprotected personal computers with access to the public internet.

It is a warning to each and every one of us that personal protection when accessing the internet is as important as protection of our work computers, to prevent machines being compromised and creating the market that has such value to criminals.