Overview of the threats posed by Bots

by Rich Sutton
November 2nd, 2007

A few weeks ago, I wrote about how you can use the IRC blocking capability of your web filter to detect the presence of bots on your network. In that post, I assumed that we all understood the threat posed by bots — why they’re different from good ol’ fashioned malware infections. I’ve been asked to expand on that a bit, so here goes.

As we all know, the Internet has become a critical business tool and criminals have taken notice. Just as there is money to be made in doing business on the Internet, there is money to be made in carrying out crime on the Internet. And as criminals have focused more on the Internet, their tools have necessarily evolved and become more sophisticated.

Five years ago, the typical virus or worm author’s sole purpose was to gain notoriety and cause end-user headaches. Liabilities were limited to business outages and user downtime. Those are significant liabilities to be sure, but they seem almost quaint in light of the new threat landscape.


Rogue Anti-Spyware come-ons and Skype security

by Rich Sutton
November 1st, 2007

This is a screenshot of an unsolicited message that has recently been seen on Skype:

[Screenshot: Skype Spam]

If you click through on the link you’ll see a web page with some cute JavaScript that makes it look like a security scan is being done on your computer. The bogus scan then reports that it found malware and recommends downloading a product called “Scan and Repair Utilities 2007” — which is a well known rogue anti-spyware application. If you click through on that, you’ll be asked for your credit card information.


Child Porn: How we work with the Internet Watch Foundation

by Rich Sutton
October 30th, 2007

The Supreme Court is considering a case today that will likely decide the fate of yet another law aimed at controlling child pornography. The specifics of the case are related to an esoteric aspect of the law — they are trying to determine what is meant by pandering — but it got me thinking about the most difficult problem surrounding this issue: defining what exactly child pornography is.

While it may seem like the distinction between adult pornography and child pornography should be easily defined, in practice, it’s actually very difficult. The individuals engaged in creating this gruesome stuff are expert at walking very thin lines and skirting attempts at legal definitions.


Site reputation and the Russian Business Network

by Rich Sutton
October 17th, 2007

[Note: Thanks to Satnam Narang, a security researcher in 8e6 Labs, for helping out with this post.]

Security software vendors are embracing the concept of site reputation. This is the idea that what a site or host has done in the past should be used to decide whether or not you can trust that site in the future.

Everybody is building the concept into new or existing products and services: McAfee has SiteAdvisor for end-point security; Secure Computing has TrustedSource for spam mail detection; I just talked to a small company called RobotGenius that’s taking an interesting approach to site reputation based on their own heuristic analysis of executables downloadable from that site. We here at 8e6 recently introduced the Bad Reputation Domain category into our web filter to achieve a similar objective.

There are myriad sources of data that can feed a reputation decision. Are the executables hosted on a site malicious? Does the HTML contain hidden iframes (which are generally used for malicious purposes) or does the JavaScript attempt to exploit known vulnerabilities? Does the site’s list of links in or links out include other sites with bad reputations?


New Categories: Fantasy Sports, Botnets, Web 2.0 stuff

by Rich Sutton
October 12th, 2007

We added seven new categories to the 8e6 Database (aka “the Library”) in the update that went out last night. I’d like to explain the rationale behind these categories as well as talk about some things you might want to take into consideration as you decide how to update your filtering policies. Note: Only customers running version 2.0 and later of the R3000 will see these new categories.

The categories are:

How to detect Bots on your network by blocking and reporting on IRC

by Rich Sutton
October 8th, 2007

I worked for many years at Symantec in the Enterprise Security Group, where I wrote a slew of code for Symantec’s antivirus and client security products. In my time there, I talked to lots of IT Admins who were tasked (saddled?) with the responsibility of managing huge deployments of desktop security.

Their most difficult problems were always in the area of installation and deployment. Things like: How can you help me find all of the computers on my network that need AV installed on them? Can your product identify the source of an infection, so I can go find that computer and clean it up? It was all about managing and probing those dark corners of the network where desktop security wasn’t already deployed.

The solution is to use the security products that are at your gateway.


Enforce your AUP or the RIAA might hold you liable

by Rich Sutton
October 5th, 2007

The RIAA just won what is likely to be a landmark case in establishing the criteria for proving intent in serving copyrighted music over P2P networks. The RIAA has brought thousands of cases against individual users - this was the first one to go to a jury trial. And it raises the stakes surrounding any organization’s liability for ignoring P2P usage on their network.

This is best illustrated by example. I was reminded of a recent issue with an 8e6 customer that Tech Support brought me in on.

Our web filter blocks peer-to-peer applications via packet signatures. There are lots of good reasons to block P2P, but this customer purchased our product because their CIO was receiving emails like this (selected excerpts):


Update your user training: More malware via links than attachments

by Rich Sutton
October 3rd, 2007

MessageLabs released a study last week on malicious emails. They found that attackers using email to distribute threats are increasingly relying on users to click through on links in the email, as opposed to opening attachments.

This means a couple of things to me:

(1) Most everybody has deployed AV at the mail gateway.

(2) Your web filter is becoming an ever more important device in securing your network.

(3) Users need more training.


Bots’ brazen User-Agent headers

by Rich Sutton
September 28th, 2007

The esteemed security group CastleCops was under a distributed denial-of-service attack back at the beginning of September. The DDoS apparently consisted of both a TCP SYN flood and an HTTP request flood. They posted some great data to help the community identify suspected zombie computers used to carry out the attack: an HTTP log of suspicious web access from their site, and a list of IPs with whois data of possible bot-infected hosts.


Removing Categories: Cults, Religious Opinion, Outdoor Recreation

by Rich Sutton
September 27th, 2007

This week we will be taking the final step to remove the Cults, Religious Opinion and Outdoor Recreation categories from the 8e6 Database.

These categories have been empty since March, when the URLs in the Religious Opinion and Cults categories were moved into the Religion category and the URLs in the Outdoor Recreation category were moved into the Recreation category.
