Archive for the ‘Malware’ Category

In general, web filtering is the idea of setting some kind of filter on your internet connection to block users who try to browse to a site with inappropriate content. You may not care about pornography on an adult’s computer at home (and indeed, it’s protected under free speech laws) but few businesses want to deal with the reputational damage that comes from finding one of your computers’ digital ‘footprints’ in the logs of a questionable site. Web filters are commonly put in place to help keep your users within your corporate Acceptable Use policy (or, at home, to make sure that your kids are staying at age-appropriate kinds of sites).

Corporate examples of web filters include Websense and OpenDNS. Home tools might include NetNanny or CyberSitter.

All of these tools work by building long lists of webpage addresses and categorizing each site. Amazon gets classed as a shopping site, Playboy as adult content, YouTube as streaming media, ESPN as a sports site and the local high school as an educational institution. When a user attempts to go to a webpage, the URL is compared to the filter’s master list. If the URL is on the list and allowed, the content flows through to the user’s browser. If the URL is in a blocked category, the user gets an error message on his/her screen instead.

There might be as many as a hundred different categories. You decide whether to permit or block each category on the list based on the risks to your organization including the risk that you will interrupt the business accidentally. Block too much and you’ll find that you’ve gotten in the way of business. Or that you’ve cut off some service that your younger employees take for granted, hurting morale and making retention more difficult. Don’t block enough and you increase legal and employment risks unnecessarily. And no matter how much or little you block, there will always be some false positives – legitimate sites that are mistagged by the vendor. (Breast cancer research sites, for example, are frequently mistagged as adult content.)
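To make the mechanism above concrete, here is an added example (not from the original post or any filter vendor) of how a category-based filter decides a request: the URL is reduced to a hostname, matched against a category list by longest parent-domain suffix, and then allowed or blocked by policy. All domains, categories and the policy are constructed for illustration, including a deliberately mistagged research site to show the false-positive problem.

```python
"""Added example: a minimal category-based web filter decision.
Domains, categories and policy below are constructed, not a real vendor list."""
from urllib.parse import urlsplit

# Constructed vendor-style category list: hostname (or parent domain) -> category.
CATEGORY_LIST = {
    "amazon.example": "shopping",
    "video.example": "streaming-media",
    "sports.example": "sports",
    "highschool.example": "education",
    "adult.example": "adult-content",
    # Deliberately mistagged entry to illustrate a false positive.
    "cancer-research.example": "adult-content",
}

# Constructed corporate policy: categories to block; everything else is allowed.
BLOCKED_CATEGORIES = {"adult-content", "streaming-media"}


def hostname_of(url: str) -> str:
    """Normalise a URL to a lowercase hostname, dropping scheme, port, path and query."""
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def categorize(host: str) -> str:
    """Walk from the full hostname up through its parent domains so that
    'www.shop.amazon.example' inherits the category of 'amazon.example'.
    The bare top-level label is never consulted on its own."""
    labels = host.split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in CATEGORY_LIST:
            return CATEGORY_LIST[candidate]
    return "uncategorized"


def decide(url: str) -> tuple[str, str]:
    """Return ("allow" | "block", category) for a requested URL."""
    category = categorize(hostname_of(url))
    return ("block" if category in BLOCKED_CATEGORIES else "allow", category)


if __name__ == "__main__":
    for u in ("https://www.shop.amazon.example/cart",
              "http://ADULT.example/",
              "https://cancer-research.example/papers"):
        print(u, "->", decide(u))
```

The third request shows why a blocked attempt deserves a review path: the site is legitimate, but the vendor's tag, not the content, drives the decision.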

The problem now is that the hackers are starting to find ways around the web filters. Inappropriate sites are often up for only a short while, then moved to a new address faster than the filter-makers can update their lists. Inappropriate content is also hidden on hijacked sites that some legitimate business or person failed to properly protect. No matter how hard they try, some inappropriate sites can always slip through. (For more about the limitations of web filters, read this article from CSOonline.)

Even with those limitations, I strongly recommend that every organization install a web filter to stay safe from hostile workplace suits and other employment risks. It won’t be perfect but it’s still an important part of your layers of defense. I also recommend that any parent with children still living at home install a filter. Kids may seem very web-savvy but they still don’t know how to fully protect themselves from strangers, hackers and other age-inappropriate content. Help to protect them from themselves.

Bill Brenner of CSO Online ran a column recently about fear and hype by the security vendors, especially around the need to “immediately patch the latest critical vulnerability” in a piece of software.

Patches fix holes in the vendor’s software and keep hackers from being able to walk through the back door of your system. Applying patches is important. Security vendors want you to apply the patch immediately in case the hackers are pounding on your door right now. Every minute you wait is a minute of exposure.

But most of us don’t apply the patches immediately. It takes your IT shop a few days of testing to make sure the patch won’t break something else and to tweak the network so everything runs properly again. With so many companies ignoring the vendors, why haven’t we had a catastrophic zero-day attack yet?

The truth is that most responsible IT departments use a layered approach to security. They have tools and policies that will generally keep out the malicious software for long enough for IT to complete the tests and apply the patches in an orderly fashion.

So who does get hacked? According to a recent Verizon report, nine out of ten data breaches could have been prevented if the company had taken reasonable security measures, most often applying patches that had been available for years. As Brenner points out, why should a hacker bother to write a complicated new virus to exploit the latest hole when you can still make money walking through holes that should have been patched four years ago?

If you have a solid approach to computer security, you can take the time to test the latest patches properly. On the other hand, if you don’t have a dedicated IT team, you probably also don’t have the staff to conduct the testing so you should set the patches to automatically update themselves.

Of course, if you’re not guarding your infrastructure with the basics (strong passwords, current anti-virus and anti-spyware, firewalls, up-to-date on patches even if not up-to-the-minute, etc.), you need to start now.

According to a Washington Post article, Microsoft and the state of Washington recently filed lawsuits against a number of scareware vendors. They’re finally taking on the scammers who are trying to trick us into buying worthless (or worse, malicious) “security” software.

One of the lawsuits specifically charges Texas-based Branch Software with involvement in the “Registry Cleaner XP” scam. A number of other “john doe” lawsuits were filed in an attempt to learn the identities of the individuals responsible for marketing other scareware products such as WinDefender, XPDefender, Antivirus2009 and Scan & Repair Utilities.

Kudos to Microsoft for finally attempting to do something about these scammers. Now if they’d just reset the defaults in their own software so it wasn’t so vulnerable in the first place…

Until they do, make sure you keep your computer fully patched, never bypass the firewall and be cautious of any suspicious links or pop-ups – especially ones telling you that your computer needs fixing.

If your office has an IT specialist, make sure he/she is signed up for regular alerts about the latest technical security vulnerabilities. These alerts will help you prioritize which patches need immediate remediation and which can wait while you test them for unintended consequences. Here are a few that I’ve found to be reasonably thorough:

  • US-CERT (US Computer Emergency Readiness Team)
  • Internet Storm Center (a service of
  • BOL Tech Talk (a service of
  • Internet Security Systems’ X-Force Threat List (recently purchased by IBM)

If you don’t have someone who can watch and evaluate these notifications, you probably need to set your patches to automatically update themselves and hope that the patch doesn’t break anything else accidentally.

Every once in a while, security geeks talk about "rootkits" in tones of fear or loathing. Here’s what we’re talking about and why we worry about them (and why you should, too).

A rootkit is a particular type of malicious software. It is different from an ordinary virus in that it is specifically designed to seize control of your computer at the highest possible level. (In old Unix terms, this was called ‘root’ access – the equivalent level of authority in Windows is ‘administrator’.) Once the hacker has a rootkit on your computer, he/she has full access to everything on the computer. More than that, the hacker can usurp control of the computer and make it run other malicious programs (perhaps as part of a botnet) or can use it as a jumping-off point to attack other data on your network. The hacker can do anything on the computer that you can do – and many things that most of us can’t.

Rootkits are also different in that they generally limit themselves to seizing and holding control of one system – a virus, on the other hand, will try to spread itself to other computers. Rootkits are also often kits, that is, combinations of multiple malicious programs that work together. Ordinary viruses are usually single programs. That said, an ordinary virus can be sent out to infect your computer and can, as its first act, load a rootkit onto your computer. Using a virus as a component of a rootkit is a fairly common attack now. According to some researchers, as many as one in five PCs are infected with a rootkit.

Rootkits frequently masquerade as other files and/or deliberately hide files from the programs that legitimate administrators use to hunt for viruses. This makes them particularly difficult to clean out once your computer has become infected.

Not all rootkits are created by hackers. In 2005, Sony BMG included rootkit software on some music CDs in an attempt to prevent music piracy. Unfortunately, the rootkit exposed every one of their customers’ computers to exploitation by anyone who knew to look for the backdoor the rootkit created.

To defend against rootkits:

  • Practice safe surfing – don’t go to virus-infected websites. Music-sharing, video, software, porn, hacker and other ‘gray’ websites are frequently loaded with virus-infected downloads. While there are some legitimate freeware sites, “there ain’t no such thing as a free lunch”. If they’re not making money through sales or advertising, they’re probably getting something else out of the deal – don’t let that something be your computer.
  • Keep your antivirus program on and up-to-date. But recognize that this is probably incomplete. Rootkits are specifically designed to defeat the major antivirus programs.
  • Keep all the applications on your computer fully patched.
  • Keep your firewall turned on and locked down as far as you can go. This won’t necessarily stop you from picking up that first infection but it might prevent the virus from sending out the command to download the rest of the kit.
  • Turn off your computer when you’re not using it. First, restarting the computer each day triggers a number of cleanup activities. More importantly, the computer isn’t exposed to exploit while it’s turned off.
  • If you are infected, take your computer to an IT specialist. Rootkits are especially difficult to clean out and will often reinstall themselves if part is missed. The usual practice is to wipe and rebuild the machine – they’re that hard to get rid of.

based in part upon content from Wikipedia

Last month, we wrote about scareware and hackers using fake update notices. In the past few days, we’ve seen a sudden increase in one of these attacks coming from one of the former Soviet republics. This group is exploiting a "DNS hole" to hijack visitors who are attempting to visit legitimate websites (such as a hotel in a common vacation destination like Hilton Head). The hacker redirects the victim to the hacker’s virus-infected website, which then automatically loads a virus onto the victim’s computer. From what we’ve seen so far, this virus first disables your existing anti-virus program, then slows down your machine and finally starts to present you with a false warning that your computer is badly virus infected and needs to run AntiVirusXP2008 to clean it up (for only $50, which they want you to send to them in Russia). The warning message lists hundreds of "infected" files on your machine. Many of those files are, in fact, on your machine but are legitimate files needed by the operating system.

At home, fix your firewall, update your antivirus and patches and practice safe surfing. If Google or Yahoo (or your existing antivirus program) gives you a warning that you are about to go to a site that might contain malicious code, heed the warning. Do not override it just because you think that you’re going to a "safe" site like the hotel.

At work, shut your computer off every day. (Your IT department probably pushes updates to your computer’s defenses every day but many of those updates can’t take effect until you restart your computer. If you leave your computer on for an extended period, you will be missing those critical updates.) And, of course, practice safe surfing.

If you get one of these pop-up warnings, never allow it to scan your computer. If you think you might have triggered one of these scams, call IT.