Hundreds click on ‘infect me’ Google ad

March 8, 2008 – 6:49 PM

Hundreds of users have clicked through to a Google AdWords advertisement offering to infect users with a virus, according to a blogger.

The experiment, run by Didier Stevens, a blogger who says he works for the consultancy group Contraste Europe, is the latest, if slightly puzzling, development to reinforce the growing danger from drive-by downloads.

To see how easy it was to lure in users via Google’s AdWords, Stevens bought the drive-by-download.info domain and placed an AdWords ad reading:

Drive-By Download
Is your PC virus-free?
Get it infected here!
drive-by-download.info

Stevens has run the campaign for six months now, with 259,723 ad displays, and says he has had 409 clickthroughs.

The ad has cost him only 17 euros so far, which by Stevens’ reckoning adds up to 4 euro cents per potentially compromised machine. Most of the systems visiting the site, 98 percent, ran Windows.

“I’m sure I could get much more traffic with a higher Google Adwords budget and a better-designed ad,” Stevens said in a blog posting.

Stevens said he deliberately made the ad look fishy, but encountered no problems from Google. Google might counter that it took no action because the site is not actually dangerous – Stevens’ site doesn’t itself contain any malicious software.

Drive-by downloads, often placed on seemingly innocuous sites without the site owner’s knowledge, exploit known vulnerabilities to place malicious software on a user’s computer.

The sites are increasingly even making use of prominently placed advertisements on Google and elsewhere to lure in their victims.

Stevens’ site is still running, but he decided to write up his results thus far because of recent publicity around the issue, including a Google study which found that hundreds of thousands of sites have now been infiltrated by drive-by download mechanisms.

www.techworld.com/security/news/index.cfm

Security Isn’t Just Avoiding Microsoft

March 8, 2008 – 6:48 PM

I’ve had to listen to clients kvetch for hours on end about how Microsoft makes their lives miserable and how everything would be better in a Microsoft-free world. Tony Bove wrote a whole book with that theme, Just Say No to Microsoft, and plenty of blogs have taken up the cry.

It’s time for all the people who have entertained this fantasy to stop deluding themselves.

How would life without Microsoft be different? It wouldn’t be in any meaningful way for those in charge of network security; there would just be a different vendor peddling the dominant operating system.

Networks in a world in which Apple had won the operating systems wars would still be insecure. What’s that, you say? The Macintosh has had far fewer bugs reported and patched than Windows? That’s true, but it’s a consequence of the minuscule market penetration of Mac OS. If the Mac had enjoyed a market share of upwards of 80% for the past couple of decades, it would have been the focus of every hacker and script kiddie on the planet. And you might be lamenting the minuscule market share of that scrappy operating system vendor in Redmond, Wash.

If you put computers on a network and open that network to the outside world via the Internet, you’re going to have security problems, regardless of whether you’re running Windows, Mac OS, Linux or an operating system you created in your spare time. By all means, we need to run the safest operating system we can, fortify our networks and police the whole thing. But once we’ve done all that, we’re left with one unalterable fact: Users will still make errors galore. Training can help. But for a bit of perspective, consider commercial air transportation. The hardware is about as safe as possible, and pilots are trained as thoroughly as surgeons. But accidents happen, and they’re usually the result of pilot error.

User errors have long been the bane of security. In a sense, true security requires a paranoia honed to a fanatical edge, but sometimes even fanaticism isn’t enough. After all, no one has surpassed the Nazis when it comes to fanatical paranoia. Yet even the well-trained German soldiers of World War II broke a fundamental rule of cryptography and reused the same keys. That mistake might be the only reason this article wasn’t written in German.

So, what needs to be done? You must require users to attend formal information security training and awareness programs. No one should be left out. Set minimum security training and awareness requirements that all workers must meet — even janitors and others who have no system access. Step up the requirements for those who have access to corporate information systems (most workers would fall into this category), and establish exhaustive requirements for employees in computer-related positions of trust, such as security staff and systems programmers.

Your first step, if you haven’t already done it, is to write down your information security policies. You can’t design an effective training and awareness program without them.

Once you’ve set up effective training, you have to maintain it. Keep it consistent, and make sure users are up to date. It won’t be easy. In fact, it’s a lot easier to just blame Microsoft. But don’t feel that all that kvetching didn’t help. It took lots of people kvetching loudly for many years for Microsoft to realize that it had to do more, and it has made great strides since 2002, when it announced its Trustworthy Computing initiative.

Now it’s your turn to do something similar within your own organization.

http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=291226&source=rss_news50

Is Desktop Antivirus Dead?

March 8, 2008 – 6:47 PM

Some industry analysts are proclaiming the traditional antivirus method for detecting and eradicating viruses, trojans, spyware and other baneful code by matching it against a signature to be “dead.”

They say signature-based checking can’t keep up with the flood of virus variants manufactured by a criminal underworld that is beating the antivirus vendors at their own game. And they are arguing it’s time for companies to adopt newer approaches, such as whitelisting or behavior-blocking, to protect desktops and servers.

“It’s the beginning of the end for antivirus,” says Robin Bloor, partner at consulting firm Hurwitz & Associates, in Boston, who adds he began his “antivirus is dead” campaign a year ago and feels even more strongly about it today. “I’m going to keep beating this drum. The approach antivirus vendors take is completely wrong. The criminals working to release these viruses against computer users are testing against antivirus software. They know what works and how to create variants.”

The fundamental problem “isn’t about viruses, it’s about what should be running on a computer,” Bloor says.

Instead of antivirus software, he says, users should be investing in whitelisting software that prevents viruses from running because it only allows authorized applications to run.

Whitelisting products are available from SecureWave, Bit9, Savant, AppSense and CA, the first traditional antivirus vendor to see the light, in Bloor’s view.

Others are joining Bloor’s way of thinking. Andrew Jaquith, a security analyst at Yankee Group, in December published a research paper entitled “Anti-Virus is Dead: Long Live Anti-Malware.” Yankee Group’s research indicates that there’s an “explosion” in cumulative malware variants, with 220,000 cumulative unique variants expected in 2007, a tenfold increase over 2002 levels.

The antivirus vendors simply can’t keep up, Jaquith says, noting that some antivirus lab managers privately complain this flood of virus variants, which force signature changes every 10 minutes, adds up to the equivalent of a denial-of-service attack against them.

“Most antivirus labs work the same way; they get more samples than they can handle on a daily basis,” Jaquith says. “They triage based on severity. The antivirus people are like folks with nets trying to catch the big fish, so if you’re a bad guy, you want to be a minnow and get through the driftnet.”

The best thing about antivirus signatures is that “they’re accurate and the false positives are very low,” Jaquith says. But the purpose in writing the “Anti-Virus is Dead” paper is to “bust everybody’s bubble that this stuff is keeping people safe and the notion it will solve your malware problem.”

Jaquith says he’s enthusiastic about behavior-blocker technology incorporated in Sana Security’s Primary Response or Prevx’s Prevx1.

Behavior-blocking antimalware software works by observing the behavior of applications running in memory, and blocking those deemed harmful. Sana Security’s CEO Don Listwin says Primary Response looks at 226 software characteristics deemed to be bad behavior and stops code trying to execute.

“We indict them and take them out,” Listwin says. But he acknowledges there can be false positives, adding that antivirus scanning is “complementary” to what Sana Security provides in behavior-blocking.

Not all analysts are ready to jump on the antivirus-is-dead bandwagon.

“Antiviral on the desktop is certainly still a must have, though mostly as a removal tool,” says Gartner analyst John Pescatore. He says his firm advises clients to buy antivirus integrated with some host-based intrusion-prevention system (IPS), noting McAfee, Symantec and others have started adding IPS to block malware where signatures don’t exist.

When is the funeral?

If antivirus is dead, the question is when to hold the funeral.

Jaquith’s paper points out that “antivirus products enjoy a privileged position in enterprise budgets” and “no other security product boasts nearly 100% penetration.”

Research firm IDC estimates the antivirus market today accounts for US$2.1 billion on the consumer side and $3.1 billion for the enterprise. That’s expected to grow to $3 billion and $4.5 billion respectively by 2010.

While traditional antivirus vendors are willing to acknowledge there could be improvements, they are somewhat taken aback to hear industry analysts proclaim antivirus is dead.

“That’s a bit radical,” says John Maddison, general manager of network security services group at Trend Micro, which has no immediate plans to adopt whitelisting or behavior-blocking. Trend Micro is innovating with what it calls reputation services to check IP addresses and e-mail to determine if incoming code originated at a reputable source.

“If you asked people to give up antivirus, you’d find few that would do that,” Maddison says.

Many corporate security managers concur.

“I wouldn’t let go of our signature-based control,” says Doug Sweetman, State Street’s senior technology officer in corporate information security, who adds State Street has licenses with five antivirus vendors because the competition is beneficial during negotiation time. But he adds: “It’s a commodity.”

Sweetman also says State Street has embarked upon a “desktop lockdown” that will not allow unauthorized applications on employee computers to run.

Kathy Larkin, director of information security at Prudential Financial, said she doesn’t find the argument that desktop antivirus is dead to be convincing. “I think antivirus is worthwhile and will be around for a long time.”

However, some antivirus vendors, when asked how long it takes to turn around a virus signature, acknowledge it’s tricky.

“It takes two to four hours to turn around a signature for a severe rating,” says Brian Foster, Symantec’s senior director of product management. He adds that he can’t say how long it might take for anything else. The majority of antivirus malicious code tracked by Symantec are variants “where someone has tweaked it, changed the payload,” Foster says.

While Symantec’s antivirus software can catch and stop variants through heuristics, a signature is needed to eradicate the specific variant code from the machine.

Foster says Symantec is adapting by incorporating new technologies, such as IPS, into its products and notes the antivirus products of the future will be working through far more than signature-based eradication.

Jaquith is ready to give credit where he thinks it’s due, and his paper cites McAfee and Symantec as traditional antivirus vendors that are moving to augment signatures with adjunct technologies that include behavior-blocking.

Taking the plunge

While most network executives probably wouldn’t be willing to jettison traditional antivirus software for alternatives such as white-listing or behavior-blocking, there’s evidence a few are taking the plunge.

“There is that thought, that you still need antivirus and it’s something you should have,” says Brent Rickels, senior vice president at First National Bank of Bosque County, in Valley Mills, Texas. “It’s been around so long but it’s no longer adequate in this fast-changing world.”

The bank, which has about 6,000 customer accounts, still uses gateway-based antivirus filtering and restricts Web surfing among employees to reduce risk of downloading malware.

But the bank jettisoned its Symantec desktop antivirus about a year ago in favor of SecureWave’s Sanctuary product for the desktop, which Rickels says is less expensive.

“It builds a whitelist of [Dynamic Link Library] files allowed to run, and if it hasn’t authorized the file, it won’t run,” Rickels says. The only downside he has found in using it for more than a year is that it takes administrative time to adjust the Sanctuary software to recognize the proprietary bank applications or software patch updates from Microsoft.

But Rickels says the tradeoff is worth it. “We go through those drills, but I can control that vs. the unknown of viruses. Signature-based antivirus is like using a shield with holes in it.”
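The two models the article contrasts, signature matching (with and without the heuristics Symantec mentions) and the kind of hash-based application whitelist Rickels describes, can be compared on a few constructed byte strings. This is an added example, not code from the article or from any of the vendors named in it; the sample "binaries", signature names and the "bank-ledger" application name are all placeholders I made up, and hashing whole files with SHA-256 is one common way to implement such an allowlist, not necessarily what Sanctuary does.

```python
"""Signature blocklist vs. application allowlist on constructed samples (added example)."""
import hashlib

# --- constructed stand-ins for executables; none of these is real malware ---
KNOWN_BAD = b"MZ\x90\x00 stage1: fetch http://example.invalid/a.bin"
VARIANT = KNOWN_BAD.replace(b"a.bin", b"b.bin")   # "someone tweaked it, changed the payload"
APPROVED = b"MZ\x90\x00 bank-ledger 1.0"           # the bank's own application
PATCHED = b"MZ\x90\x00 bank-ledger 1.1"            # a new build not yet approved


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Signature database as an antivirus lab would ship it after seeing KNOWN_BAD:
# one exact-hash signature, plus a broader byte-pattern signature standing in
# for the heuristics that can catch variants the lab has never seen.
HASH_SIGNATURES = {sha256(KNOWN_BAD): "Trojan.Downloader.A"}       # placeholder name
PATTERN_SIGNATURES = {b"stage1: fetch http://": "Trojan.Downloader.gen"}  # placeholder name


def signature_verdict(sample: bytes, use_heuristics: bool = False):
    """Return (blocked, signature_name). Exact hash first, then optional pattern match."""
    name = HASH_SIGNATURES.get(sha256(sample))
    if name:
        return True, name
    if use_heuristics:
        for pattern, pattern_name in PATTERN_SIGNATURES.items():
            if pattern in sample:
                return True, pattern_name
    return False, None


# Allowlist: only hashes an administrator has explicitly approved may run.
ALLOWLIST = {sha256(APPROVED): "bank-ledger 1.0"}


def allowlist_verdict(sample: bytes):
    """Return (permitted, approved_name). Anything not on the list is refused."""
    name = ALLOWLIST.get(sha256(sample))
    return name is not None, name


def approve(sample: bytes, name: str) -> str:
    """The administrative step Rickels mentions: register a new build before it can run."""
    digest = sha256(sample)
    ALLOWLIST[digest] = name
    return digest


def compare(samples: dict):
    """Tabulate each model's decision: (label, sig_blocked, heur_blocked, allowlist_permits)."""
    rows = []
    for label, data in samples.items():
        sig_blocked, _ = signature_verdict(data)
        heur_blocked, _ = signature_verdict(data, use_heuristics=True)
        permitted, _ = allowlist_verdict(data)
        rows.append((label, sig_blocked, heur_blocked, permitted))
    return rows


if __name__ == "__main__":
    for row in compare({"known": KNOWN_BAD, "variant": VARIANT,
                        "approved": APPROVED, "patched": PATCHED}):
        print("%-9s sig_blocked=%-5s heur_blocked=%-5s allowlist_permits=%s" % row)
```

Running it shows the trade-off the article describes: the exact-hash signature catches the original sample but not the tweaked variant, the pattern heuristic catches both but only because the lab happened to write a generic rule, and the allowlist refuses both without ever having seen them. The cost is the last row: the bank's own patched build is refused too until someone runs `approve()`, which is exactly the administrative time Rickels reports.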

http://www.pcworld.com/article/130455-1/article.html?tk=nl_dnxnws

Repartition your hard disk on-the-fly with Vista

March 8, 2008 – 6:47 PM

As you know, the Disk Management console tool in Windows XP will allow you to create a new partition using any unallocated, or free, space on a hard disk. However, if there is a single partition that takes up the entire hard disk, you can’t use the Disk Management console tool to repartition the hard disk into two or more smaller partitions. If you want to accomplish this task in Windows XP, you will have to invest in a third-party tool such as PartitionMagic. Of course you can back up the disk, reboot with a DOS startup disk, and then use the DOS FDisk command to repartition the disk, but then you’ll have to reformat and reinstall, which is a lot of work.

Fortunately, Windows Vista’s Disk Management console tool will allow you to repartition your existing hard disk any way you want. In other words, it will now allow you to shrink, extend, create, and format partitions without putting your data in jeopardy. Of course, before you perform any of these operations, you should back up, just in case.

In this edition of the Windows Vista Report, I’ll show you how you can use Windows Vista’s Disk Management console tool to repartition your hard disk.

Full article with screenshots…

Free Security Tool Attracts 38 Million Downloads

March 8, 2008 – 6:46 PM

SiteAdvisor is available to users free of charge.

An Internet scorecard application which rates potential risks on Web sites has been downloaded more than 38 million times since it was launched 12 months ago.

The application, SiteAdvisor, which was introduced by McAfee Inc., integrates with Firefox and Internet Explorer.

It applies 320 million daily potential risk ratings to Web sites for search results, browsing and e-transactions, and is based on scanning results for spyware, adware, exploits, excessive pop-ups and spam.

SiteAdvisor staff analyze and collate data retrieved from Web site scans and from user volunteered feedback to produce a scorecard indicative of the potential dangers of a given site.

McAfee Australia sales director, Monica Kelly, said the high adoption rate reflects the increasing need for online security.

“SiteAdvisor has enjoyed very strong adoption since its launch last year and has demonstrated the urgent market need for this technology,” Kelly said.

http://www.pcworld.com/article/130122-1/article.html?tk=nl_dnxnws