Google Chrome

by Mark Parker
September 12th, 2008

As most of you will know from the amount of coverage, Google has released its new web browser, Google Chrome, as a public beta for use on Windows workstations. 8e6 has performed a thorough test of Google Chrome for its compatibility with the 8e6 product line. The findings of these tests are as follows:

End-user web surfing activity is completely supported with no errors detected:

  • Authenticator - Pass
  • AD Agent - Pass
  • e-Directory Agent - Pass
  • Tier 2 Authentication - Pass
  • Tier 3 Authentication - Pass (may require a reinstallation of Java)
  • Override Account - Pass
  • Pattern test - Pass
  • HTTPS traffic (all configurations) - Pass
  • X-strikes - Pass
  • Real Time Probes - Pass
  • Google Safe Search - Pass
  • Yahoo Safe Search - Pass
  • AOL Safe Search - Pass
  • ASK Safe Search - Pass
  • Search Engine Keyword Filtering - Pass
  • URL Keyword Filtering - Pass
  • Extended URL Keyword Filtering - Pass
  • Quota Filtering - Pass
  • Warn Filtering - Pass
  • Block Page - Pass
  • All Web Usage Activity Logged and Reported Correctly - Pass

For administrators accessing the R3000 GUI via Google Chrome, most features are supported. A small number of features within the R3000 management interface will not work. For the time being, Google Chrome is not officially supported for access to the R3000, Enterprise Reporter, and Threat Analysis Reporter management consoles. Customers should use the supported web browsers (Internet Explorer, Firefox, or Safari) to access the R3000, Enterprise Reporter and Threat Analysis Reporter management consoles. Once Google Chrome is no longer considered beta by Google, 8e6 will move to support Google Chrome for use with all management interfaces.

Olympic Categories - Gone on 9/3

by Mark Parker
August 29th, 2008

As you know, 8e6Labs provided Olympic News and Olympic Streaming categories to our customers for the duration of the Olympics. Now that the Olympics are over, we will be removing these categories from the 8e6 database. These categories will most likely make a return in two years for the 2010 Winter Olympics in Vancouver.

We will remove these categories in a library update on the night of Wednesday 9/3. You do not need to take any action, as these will be removed automatically.

I am specifically interested in how our customers used these categories. If you have a minute, please provide some feedback via the comments on how you used the Olympic categories. Did you block either of them, or were you monitoring them for overuse? Did you set up alerts in your Threat Analysis Reporter that would limit usage?

I think that these temporary categories can be a very good service that we could offer to our customers for periodic events like the Olympics and March Madness. The key is in knowing how you use them.

Updates Galore - R3000 2.1, Olympics, Worms, and Vulnerability Reports

by Mark Parker
August 12th, 2008

The past few weeks have been busy here at 8e6. I wanted to take a moment to update you on what has been happening.

R3000 2.1

I am proud to announce the release of R3000 2.1. This release has a very large number of features that will assist 8e6 customers in securing their network, and doing so on their terms. Enhancements to time-based profiles, quotas, and authentication management are just a few of the items available in this release. Get the whole list here.

Olympics

For the first time in history, the technology is in place for a user to watch the entire Olympics from their computer desktop. While this is an excellent pointer to the future of entertainment, it can also be an absolute headache for network and security administrators. Articles by Tech News World, SC Magazine and InternetNews have done a good job of discussing the issues that network and security administrators will be facing, so I won’t belabor the point here.

Instead I want to make you aware of what 8e6 has done to assist you with handling the Olympics on your network. We have added two new categories that will be available to all 8e6 customers for the duration of the Olympics.

Category Definitions:

  • Olympics News: All sites associated with Olympics news, excluding those sites that host streaming video of the games themselves. Created so that customers can define a more granular acceptable use policy in which users may visit news sites but are prevented from viewing video of the games.
  • Olympics Streaming Media: All sites that host streaming video of the Olympic games. 8e6 has already added the primary sites that provide video of the games, and will continue to monitor and add newly created sites as the games continue.

These two categories should at the very least be monitored for use. If bandwidth becomes a problem, you may want to consider blocking the Olympic Streaming category. You can also set thresholds in either the R3000 or the Threat Analysis Reporter that will block those users who exceed certain thresholds.

8e6 will continue to monitor the Internet for content related to these categories. On a side note, there has been a recent rash of sites that attempt to infect machines with malicious code masquerading as Adobe Flash Player. Streaming content such as the Olympics is a perfect avenue for attackers to target users. 8e6 will continue to monitor this, and update the library as needed.

MySpace/Facebook Worms

Web 2.0 sites continue to be a blessing, but a blessing with sharp edges. PCMag posts about some rapidly spreading worms in MySpace and Facebook. 8e6Labs has been monitoring these sites for quite some time. So far, we haven’t found any worms that wouldn’t be blocked (provided that you are blocking the Security category group) by the R3000. As always, we at 8e6Labs will continue to monitor these sites for any new activity.

New Vulnerability

A recent vulnerability report on the R3000 has been released via the normal channels (you can view it here). We have already addressed this from a development standpoint. The fix is currently being beta tested by a few of our customers and will be released in due course. If you would like to participate in the beta, please contact our support department.

New Worm Transcodes MP3 Files in Order to Spread via P2P Networks

by Mark Parker
July 18th, 2008

A recent article tells of a crafty new worm making its way around the Internet by fooling unsuspecting users. This worm hides as an .asf media file. Once the machine is infected, it becomes a proxy which can be used for malicious purposes.

In order to propagate itself this worm will transcode any .mp3 files into infected .asf files. These files will attempt to load a new codec which will infect any machines that attempt to play the file.

This is a worm designed to directly target users who share music files via Peer-to-Peer file sharing networks. Once a user downloads the file, they will be prompted to download a new codec; in fact, the "codec" is malicious code.

Network and security administrators are advised to ensure that users are blocked from accessing Peer-to-Peer file sharing networks, as this threat represents the latest in a long history of infections that have targeted Peer-to-Peer file sharing networks.

Teens Hack School Computers

by Mark Parker
July 7th, 2008

A recent news story tells of two teens hacking into school computers in order to change grades and steal tests. It’s probably not “new news” and, in fact, occurs on a fairly frequent basis. It just so happens these two teens were caught. If you dig further into the story you will see one of the students performed a bit of physical breaking-and-entering as well.

But this raises a question: what tools did these kids use for their hacking, and how can we detect students who are prone to this sort of behavior? In general, a student who performs illegal activities does not wake up in the morning and decide to become a criminal. There is typically a pattern of behavior leading up to a serious event such as this.

Initially, we should look at the overall Internet usage of the student. There are several 8e6 categories that can assist in this, with the Hacking category being a good place to start. This category should be blocked for all customers since the sites within this category center around tools and scripts that would often be used for questionable, if not illegal, activities.

Secondly, we should look at the Dubious/Unsavory, Criminal Skills, Weapons, Illegal Drugs and School Cheating categories. Once again, these are categories we recommend blocking, as they can all lead to activities that are questionable at the very least. This means that any activity in these categories should be cause for concern.

Thirdly, we must look at the actual Internet activity of the students. Just having these categories blocked is simply not enough. 8e6 is quite proud of the content, the depth and the breadth of our categories. But, like every other vendor out there, we simply cannot claim 100% coverage. If a student is not monitored, as well as blocked, you are essentially putting up a speed limit sign and hoping everyone obeys the speed limit. Unfortunately, many of us, myself included, may exceed the speed limit from time to time. It is absolutely imperative that you use the reports available to you for the purpose of actively monitoring student activity. Waiting until after the event will only verify that the student was at risk to begin with.

By monitoring the use of these categories through real time and forensic reporting, we can often identify and curtail this sort of activity. I am not advocating that you spend each and every minute of your day running reports to find the problem students. There is a much easier way to identify activity such as this. Using the Threat Analysis Reporter, you can create a gauge called “At Risk” and include the above categories. Once the gauge is created, you can then set a threshold for activity in those categories in total. An alert can be configured based on this threshold that will send an email to an administrator should the threshold be reached. The few minutes you spend setting up this alert will eliminate the need to monitor reports day in and day out.

Once the alert is set, the next step is to look at the intent of the student. Using the Enterprise Reporter, run a detailed usage report of the student’s activity. This report will show, link by link, what activity the student was performing, including the username, IP, category, full-length URL and, most importantly, the terms used on search engines. By reviewing this detailed information it will be very easy to identify the at-risk students. If the activity shows the student is on Google and searching for “Tools to hack grades” or “How to pick a lock,” you have a pretty good indication of what the student is up to.

The real time reports and alerts provided by the Threat Analysis Reporter will identify users who warrant a closer look. This applies not just to the illegal activity described here, but could be extended to all sorts of activity, such as gang, racist, or terrorist activity.

While I do not advocate looking at reports day in and day out, I do advocate active use of the reports available to you. At the very least you should be checking the reports on a weekly basis. When talking with customers, all too often I hear that they run reports only when asked to do so. This request usually comes because something was noticed or a student was caught violating the AUP. Taking time to monitor the activity of users, especially in categories other than Adult Content, can often show you the problems when they are just “smoke” rather than a “three-alarm fire.” Just imagine for a moment that one of your users was doing a weapons-related search with the intent to harm others. Would you not prefer to know about it before they use the weapons, rather than after the event as you run reports for the police?
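
The “At Risk” gauge, threshold and alert described in this post, worked through as an added example (this is illustration code, not 8e6 code, and it does not use the R3000, Enterprise Reporter or Threat Analysis Reporter log formats). The pipe-delimited log format, the sample log lines, the usernames and IPs are all constructed for the example; the category names are the ones the post recommends for the gauge. The script totals hits per user across those categories, raises an alert once a user’s total reaches the threshold, and pulls the search terms out of any search-engine URLs for that user, since those are what the post says matter most when judging intent.

```python
"""At Risk gauge: aggregate web-filter hits per user across the categories the
post recommends, alert on a threshold, and surface search terms as evidence.
Added example; log format and sample data are constructed, not 8e6's formats."""
from collections import defaultdict
from urllib.parse import parse_qs, urlparse

# Categories the post recommends including in the "At Risk" gauge.
AT_RISK_CATEGORIES = {
    "Hacking", "Dubious/Unsavory", "Criminal Skills",
    "Weapons", "Illegal Drugs", "School Cheating",
}

# Constructed sample log: timestamp|username|ip|category|url
SAMPLE_LOG = """\
2008-07-07T08:01:12|jsmith|10.1.4.22|Search Engines|http://www.google.com/search?q=tools+to+hack+grades
2008-07-07T08:01:40|jsmith|10.1.4.22|Hacking|http://example-hacking-site.invalid/tools
2008-07-07T08:03:05|jsmith|10.1.4.22|Criminal Skills|http://example-lockpick.invalid/howto
2008-07-07T08:05:51|jsmith|10.1.4.22|Weapons|http://example-weapons.invalid/
2008-07-07T08:10:00|adoe|10.1.4.35|Sports|http://example-sports.invalid/scores
2008-07-07T08:12:30|adoe|10.1.4.35|Hacking|http://example-hacking-site.invalid/news
2008-07-07T08:15:00|bwong|10.1.4.40|Search Engines|http://www.google.com/search?q=science+fair+ideas
"""


def parse_log(text):
    """Parse the constructed pipe-delimited format into a list of dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, category, url = line.split("|", 4)
        records.append({"ts": ts, "user": user, "ip": ip,
                        "category": category, "url": url})
    return records


def search_terms(url):
    """Return the query from a search-engine URL, or None.
    Checks the 'q' parameter (Google and others) and 'p' (Yahoo)."""
    qs = parse_qs(urlparse(url).query)
    for key in ("q", "p"):
        if key in qs:
            return qs[key][0]
    return None


def gauge_totals(records, categories=AT_RISK_CATEGORIES):
    """Hits per user across all gauge categories combined ("in total")."""
    totals = defaultdict(int)
    for r in records:
        if r["category"] in categories:
            totals[r["user"]] += 1
    return dict(totals)


def at_risk_alerts(records, threshold, categories=AT_RISK_CATEGORIES):
    """Users whose gauge total reaches the threshold, with the evidence an
    administrator wants in the alert email: categories hit and search terms."""
    totals = gauge_totals(records, categories)
    alerts = []
    for user, total in sorted(totals.items()):
        if total < threshold:
            continue
        own = [r for r in records if r["user"] == user]
        hits = [r for r in own if r["category"] in categories]
        terms = [t for t in (search_terms(r["url"]) for r in own) if t]
        alerts.append({"user": user, "ip": hits[0]["ip"], "total": total,
                       "categories": sorted({r["category"] for r in hits}),
                       "search_terms": terms})
    return alerts


def format_alert_email(alert):
    """Render one alert as the body of the email the threshold would send."""
    lines = [f"At Risk gauge threshold reached by {alert['user']} "
             f"({alert['ip']}): {alert['total']} hits",
             "Categories: " + ", ".join(alert["categories"])]
    if alert["search_terms"]:
        lines.append("Search terms: " + "; ".join(alert["search_terms"]))
    return "\n".join(lines)


if __name__ == "__main__":
    for a in at_risk_alerts(parse_log(SAMPLE_LOG), threshold=3):
        print(format_alert_email(a), end="\n\n")
```

With a threshold of 3, only jsmith trips the gauge (three hits across Hacking, Criminal Skills and Weapons), and the alert carries the “tools to hack grades” search that the detailed report would otherwise have to be run to find; adoe’s single Hacking hit stays below the threshold, which is the point of alerting on the categories in total rather than on any one visit.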

Important Information About Your 8e6 Solution

by Mark Parker
June 19th, 2008

We recently sent out an email regarding this, but I thought I would post it here just in case anyone missed the email. If you have any questions, feel free to contact our support department.

All 8e6 users,

In order to provide improved access and reliability, 8e6 is upgrading its Internet connection to a multi-homed configuration. Unfortunately, this change requires the renumbering of some customer-facing systems. Consequently, some changes may be required on your networks to ensure continued connectivity to 8e6 for the purposes of downloading library updates, software patches, and technical support remote access. This is a one-time change, since the new IP addresses are “owned” by 8e6 and, as such, portable with respect to future Internet Service Provider changes.

Bottom line: it is extremely important that your firewall administrator is alerted to the following items, in order to ensure continued connectivity to the 8e6 update servers.

FTP Update Server EOL
Concurrent with this change comes the End-of-Life for the legacy FTP update servers. As of July 31st, updates will only be available using the HTTPS update servers. The 2.1 software release of the R3000 (scheduled for mid-July) will remove the ability to download library and software updates via FTP, and switch the transport method of all library and software updates to HTTPS.

It is recommended that you immediately ensure that your R3000 is set to use HTTPS for library and software updates. This can be done via the R3000 GUI, and is available under Library>Updates>Configuration. If your R3000 is set to use FTP, change the method to HTTPS. Once the configuration change is made you can perform a manual update to ensure that connectivity can be established.

Library, Software Patch and CFM Updates
If your network firewall rules for outbound connectivity use statically assigned IP addresses for access to 8e6’s patch, update and CFM servers, modification will be required to allow access to the new IP addresses indicated below.

IMPORTANT: The changes in this section must be made prior to July 31, 2008, or you may experience an interruption in the related services. To facilitate a transition window, please maintain access for both the old and new IPs until September 30th, 2008, at which time you can remove access for the old IPs.

All 8e6 systems (R3000, Enterprise Reporter and Threat Analysis Reporter) should have access via HTTPS to the following systems.

patch.8e6.net (software updates)
Old = 209.11.161.20, 209.11.161.21
New = 208.90.236.69

secureupdate.8e6.com (library updates)
Old = 209.11.161.24, 209.11.161.25, 209.11.161.26, 209.11.161.27
New = 208.90.236.70, 208.90.236.71, 208.90.236.72, 208.90.236.73

cfm.8e6.com (customer feedback module updates)
Old = 209.11.161.224
New = 208.90.236.75

Technical Support
Similarly, you will need to modify your firewall rules to allow SSH access from 8e6’s two newly assigned “keyserver” IP addresses listed below.

IMPORTANT: The changes in this section must be made prior to July 31, 2008, or you may experience an interruption in the related services. To facilitate a transition window, please maintain access for both the old and new IPs until September 30th, 2008, at which time you can remove access for the old IPs.

key1.8e6.com
Old = 209.11.160.50
New = 208.90.236.132

key2.8e6.com
Old = 209.11.160.51
New = 208.90.236.133
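
A check a firewall administrator could run against the renumbering above, added here as an example (not 8e6’s code or tooling). The host and address table is copied from the notice; the one-pair-per-line allow-list format and the sample allow-list contents are constructed for the example, as are the function names. The check encodes the two dates from the notice: every new address must be allowed before July 31, 2008, and the old addresses are kept alongside the new ones until September 30, 2008, after which they are flagged as safe to remove.

```python
"""Allow-list consistency check for the 8e6 renumbering notice.
Added example, not 8e6 code.  Host/IP table is from the notice; the allow-list
format, sample allow-list and function names are constructed."""
from datetime import date

# (hostname, purpose, old addresses, new addresses), as listed in the notice.
RENUMBERING = [
    ("patch.8e6.net", "HTTPS software updates",
     ["209.11.161.20", "209.11.161.21"], ["208.90.236.69"]),
    ("secureupdate.8e6.com", "HTTPS library updates",
     ["209.11.161.24", "209.11.161.25", "209.11.161.26", "209.11.161.27"],
     ["208.90.236.70", "208.90.236.71", "208.90.236.72", "208.90.236.73"]),
    ("cfm.8e6.com", "HTTPS customer feedback module updates",
     ["209.11.161.224"], ["208.90.236.75"]),
    ("key1.8e6.com", "SSH access from 8e6 keyserver",
     ["209.11.160.50"], ["208.90.236.132"]),
    ("key2.8e6.com", "SSH access from 8e6 keyserver",
     ["209.11.160.51"], ["208.90.236.133"]),
]

CUTOVER = date(2008, 7, 31)      # new addresses must be allowed by this date
OLD_REMOVAL = date(2008, 9, 30)  # old addresses may be removed from this date

# Constructed sample allow-list ("host ip" per line): still mostly the old
# addresses, except that one new secureupdate address was already added.
SAMPLE_ALLOWLIST = """\
patch.8e6.net 209.11.161.20
patch.8e6.net 209.11.161.21
secureupdate.8e6.com 209.11.161.24
secureupdate.8e6.com 209.11.161.25
secureupdate.8e6.com 209.11.161.26
secureupdate.8e6.com 209.11.161.27
secureupdate.8e6.com 208.90.236.70
cfm.8e6.com 209.11.161.224
key1.8e6.com 209.11.160.50
key2.8e6.com 209.11.160.51
"""


def parse_allowlist(text):
    """Return the set of (host, ip) pairs in the constructed format."""
    pairs = set()
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            host, ip = line.split()
            pairs.add((host, ip))
    return pairs


def plan_changes(allowed, today):
    """Return (to_add, to_remove) for the allow-list as of `today`.

    to_add: new (host, ip) pairs not yet allowed, which must be in place
            before CUTOVER.
    to_remove: old pairs still allowed once the transition window has closed
            (today >= OLD_REMOVAL).  Before that date the old addresses are
            deliberately left alone so both sets stay reachable.
    """
    to_add, to_remove = [], []
    for host, _purpose, old_ips, new_ips in RENUMBERING:
        to_add += [(host, ip) for ip in new_ips if (host, ip) not in allowed]
        if today >= OLD_REMOVAL:
            to_remove += [(host, ip) for ip in old_ips if (host, ip) in allowed]
    return to_add, to_remove


def report(allowed, today):
    """Human-readable summary of what still has to change."""
    to_add, to_remove = plan_changes(allowed, today)
    lines = []
    if to_add:
        urgency = "OVERDUE" if today > CUTOVER else f"needed before {CUTOVER}"
        lines.append(f"New addresses still missing ({urgency}):")
        lines += [f"  allow  {host} {ip}" for host, ip in to_add]
    if to_remove:
        lines.append(f"Old addresses safe to remove (window closed {OLD_REMOVAL}):")
        lines += [f"  remove {host} {ip}" for host, ip in to_remove]
    if not lines:
        lines.append("Allow-list is consistent with the renumbering notice.")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(parse_allowlist(SAMPLE_ALLOWLIST), date(2008, 7, 1)))
```

Run in early July the sample allow-list is missing seven new addresses and nothing is flagged for removal; run again in October the same list has all nine old addresses flagged as removable. Keeping the old entries until the window closes is what prevents an update outage if the DNS names move to the new addresses before the firewall change is made.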

If you have any questions regarding the above information, please contact 8e6 Technologies Tech Support at support@8e6.com or call (888) 786-7999, menu selection #3. Thank you for your support and patience in this matter.

Sincerely,

Your 8e6 Technologies Product Management Team

Remote Access Patterns Released

by Satnam Narang
May 23rd, 2008

In our continuing efforts to broaden the coverage of our pattern filtering and application control, we have released a new set of patterns that block some of the more well-known Remote Access applications and protocols. These include Virtual Network Computing (VNC), Remote Desktop (Terminal Services), GoToMyPC and Symantec’s pcAnywhere. In addition to these newly released patterns, we also leverage our URL filtering capability against web-based remote access sites.
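
An added example of the kind of payload-pattern classification this post is about, written for illustration and not taken from 8e6’s pattern library. The two patterns are constructed from the public protocol specifications: VNC’s RFB handshake begins with a 12-byte “RFB xxx.yyy\n” version string, and an RDP connection begins with a TPKT header (version 3, reserved 0, 16-bit length) wrapping an X.224 Connection Request (code 0xE0). GoToMyPC and pcAnywhere are deliberately left out because their signatures are not described on this page. The flows, addresses and policy table are constructed; the function names are assumptions of the example.

```python
"""Pattern-based identification of remote access protocols in a TCP stream.
Added example; patterns derived from the public RFB and TPKT/X.224 layouts,
not from 8e6's pattern library.  Sample flows are constructed."""
import re

# VNC: the server's ProtocolVersion message, e.g. b"RFB 003.008\n".
RFB_VERSION = re.compile(rb"^RFB \d{3}\.\d{3}\n")


def classify_payload(data):
    """Return 'vnc', 'rdp' or None for the first bytes of a TCP stream.
    The port is not consulted; only the payload pattern decides."""
    if RFB_VERSION.match(data):
        return "vnc"
    # TPKT: version 3, reserved 0, big-endian length covering the whole PDU,
    # then X.224: length indicator, then CR code 0xE0 in the high nibble.
    if len(data) >= 6 and data[0] == 3 and data[1] == 0:
        length = int.from_bytes(data[2:4], "big")
        if 7 <= length <= len(data) and (data[5] & 0xF0) == 0xE0:
            return "rdp"
    return None


# Constructed RDP connection request: TPKT(19 bytes) + X.224 CR + rdpNegReq.
RDP_CONNECTION_REQUEST = (
    b"\x03\x00\x00\x13"                  # TPKT header, length 0x13 = 19
    b"\x0e\xe0\x00\x00\x00\x00\x00"      # X.224 CR TPDU, LI = 14
    b"\x01\x00\x08\x00\x03\x00\x00\x00"  # RDP negotiation request
)

# Constructed flows: (source ip, destination port, first payload bytes).
SAMPLE_FLOWS = [
    ("10.1.4.22", 5900, b"RFB 003.008\n"),
    ("10.1.4.23", 8080, b"RFB 003.003\n"),          # VNC on a non-standard port
    ("10.1.4.24", 3389, RDP_CONNECTION_REQUEST),
    ("10.1.4.25", 80, b"GET / HTTP/1.1\r\nHost: example.invalid\r\n\r\n"),
]

# Remote Access category blocked; anything unrecognised is left to other filters.
POLICY = {"vnc": "block", "rdp": "block"}


def enforce(flows, policy=POLICY):
    """Classify each flow and return (src, port, app, action) decisions."""
    decisions = []
    for src, port, payload in flows:
        app = classify_payload(payload)
        decisions.append((src, port, app, policy.get(app, "allow")))
    return decisions


if __name__ == "__main__":
    for src, port, app, action in enforce(SAMPLE_FLOWS):
        print(f"{src:<12} :{port:<5} {app or '-':<4} {action}")
```

The second flow is the one worth noticing: a VNC handshake on port 8080 is classified and blocked exactly like the one on 5900, which is what pattern filtering adds over a port-based rule. The HTTP flow falls through as unrecognised and is left to URL filtering.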

Security, bandwidth and productivity issues with March Madness

by Rich Sutton
March 19th, 2008

It’s that time of year again — the NCAA basketball tournament is upon us. This time of year always throws a spotlight on web filtering, as enterprises are faced with the prospect of their employees frittering away time and valuable network bandwidth watching hoops.

The tools available on the Internet for following this year’s tournament are getting more varied and sophisticated, throwing open new security and bandwidth concerns, as well as raising the old specter of productivity problems.

Security

If you’re blocking your users from watching the tournament, then you’ve got to consider the ways that they might attempt to circumvent that policy. The key thing here is that video streaming isn’t just about web sites and media players anymore.

Games patterns released

by Rich Sutton
March 13th, 2008

On Tuesday, we took another step in broadening the Application Management functionality in our web filtering products. We released the first set of patterns for blocking network games, commonly called Massively Multi-Player Online Role Playing Games (MMORPGs). We wrote patterns for World of Warcraft, Legend and the Steam Network, which is used by many games.

We also block a number of games through simple URL filtering. Some games rely on HTTP or HTTPS access to certain domains, so they can be shut down that way. Second Life and Lineage II are good examples of these.

There are two obvious issues with online games that should be of interest to enterprise and education IT departments: productivity and bandwidth. Cumulatively, online games have more than 16 million subscribers, with World of Warcraft alone accounting for more than 10 million of those subscribers. Blocking these applications at the gateway provides a simple, centralized way to prevent employees and students from violating what is undoubtedly already a part of your acceptable use policy.

This is the first expansion of application management in the R3000 beyond IM, P2P and proxies, leveraging a feature in the recently released 2.0.10 version of the R3000 that allows us to extend pattern coverage to any category. In the near future, we will be expanding the scope of our pattern blocking to include remote access applications like Terminal Services (RDP) and VNC, as well as streaming media protocols like RTSP.

Please submit requests for pattern coverage of other games and applications to mudcrawler [at] 8e6 [dot] com.

Old school email frauds that still work

by Rich Sutton
February 27th, 2008

As the average Internet user wises up to the classic fraudster angles, criminals have to move to new targets. People are getting better at recognizing emails phishing for their Bank of America online banking credentials. We’ve all seen 419 scams in our inboxes, which are looking for you to front money for a bigger payout down the line (aka “advance fee fraud”).

As a result, the bad guys have had to turn their attention to new targets. In 2007, we saw attacks looking to get at employers’ Monster.com accounts, individuals’ MySpace and Facebook contacts as well as Salesforce credentials. There has also been a rise in classic phishing emails targeting smaller banks or banks in emerging economies, where the average end user isn’t as experienced at dealing with phish.

But in our hurry to stay on top of the latest trends, we can sometimes lose sight of the tried-and-true fraud techniques that still work.

And sometimes it’s easier to be fooled when the threat is directed at our employers.

I recently had the following two emails forwarded to me. Folks were asking: are these for real?