Marshal TRACE Midyear Threat Report Warns 45 Percent of Internet Users Are at Risk From New Cyber Criminal Tactics

Cyber criminals are using 'blended attacks' to distribute malware and links to hacked websites via email on an unprecedented scale. Unpatched browsers are putting more than 45 percent of Internet users at risk when they visit legitimate Websites infected with malicious code. Three botnets are responsible for 75 percent of all spam, pumping out billions of messages every hour through zombie clients and being used to launch mass attacks on Websites. These are the key findings of the Marshal Threat Research and Content Engineering (TRACE) report for the first half of 2008.

In an alarming new development, spam sent from webmail accounts that had been automatically created using CAPTCHA-breaking technology was seen to be on the increase, rendering common anti-spam defenses such as reputation less effective. CAPTCHA or Completely Automated Public Turing Test to tell Computers & Humans Apart was developed by Carnegie Mellon University to prevent spam robots exploiting Web forms.

A staggering 94% of companies admit that they are powerless to prevent confidential data from leaving their company by e-mail, according to a new study from Mimecast.

It found that only 6% of respondents were confident that anyone attempting to send confidential information by e-mail out of the organization, would be prevented from doing so. The study also showed that 32% of companies would not even be aware that confidential information had been leaked, and therefore would be unable to take steps to minimize the damage or track down the source of the information.

However 62% said they would be able to retrospectively identify the e-mail leak once the information had been sent, but they did confess to being unable to prevent its disclosure.

"The figures show that organizations haven't nailed down the e-mail channel," said Tim Pickard, marketing director at Mimecast. "E-mail protection is catching on as a technology that manages information, as the industry moves away from protect-and-defense, to becoming more aware how information flows around the organization."

This comprehensive article from itsecurity.com presents 25 most common mistakes email users make and useful tips on how to prevent them, or as they say "25 tips to bring newbie Internet users up to speed so they stop comprimising your network security." Here is what you should keep in mind:

Properly managing your email accounts
1. Using just one email account.
2. Holding onto spammed-out accounts too long.
3. Not closing the browser after logging out.
4. Forgetting to delete browser cache, history and passwords.
5. Using unsecure email accounts to send and receive sensitive corporate information.
6. Forgetting the telephone option.

There is a general paranoia about server virtualization in the security community that goes something like this. The server virtualization hypervisor acts as a resource switch enabling multiple virtual hosts to share a single physical system. In theory, if you compromise the hypervisor, you gain access to every virtual host along for the ride. Imagine an instance where 50 hosts live on a single Intel server and you can see that a hypervisor attack could have extremely serious ramifications.

Yes, this is theoretically possible, but virtualization vendors understand this threat and are pretty conscientious about protection. [..] So what is it about server virtualization that should really keep chief information security officers up at night? A more pedestrian worry--lack of control. In a virtual server world, IT administrators can clone virtual hosts, move them around, or turn them on and off by accident or with malicious intent. What happens when an IT administrator moves a critical database server instance without re-configuring application servers or the network?  How about when someone mistakenly adds a test server to the production network? The security "uh-oh" possibilities are endless.

Spam and virus threats to enterprise messaging security and compliance may level off this year compared to 2007, but social engineering techniques are evolving to challenge businesses and security software providers, according to a new report released by Google's Postini team.

The report, released March 6 after Google's Postini team commissioned the study to survey 575 IT professionals, found that Postini data centers recorded 57 percent more spam and virus attacks in 2007 compared to 2006.

The size of spam e-mails also increased considerably as spammers included images, .pdf files, documents, spreadsheets and even multimedia files to spoof spam filters, according to report author Adam Swidler, senior solutions marketing manager for Postini.

Understand the basic facts about email management -- what it is and why you need it.

What is email management?
Email management encompasses four areas: Security, Backup/Storage/Recover, Spam and Virus Protection, and Compliance. Each of those categories can be subdivided by technology class and coverage. While not every company will need top of the line products in all categories, no business, regardless of size, should be completely vulnerable in any area. As with almost all business decisions, the trick is finding the solution that matches a business' needs without providing unnecessary features or costs.

During a security assessment, I found that I could connect to the SMTP gateway using Telnet. I tried sending mail from a fake domain, but it was detected as a mail relay and stopped. When I sent messages to fake employees inside the organization's domain, however, the mails were accepted. Can this be termed as a mail relay vulnerability? Can this be exploited for purposes other than social engineering? Most importantly, what is the best possible resolution?

What you describe is actually a very common situation and is not a cause for alarm. You can Telnet to most mail servers on TCP port 25 and send messages to the organization that uses the particular server. But, you should not be able to send email to other organizations. If you could, a spammer would find that mail server and use it to relay spam.

So, what actions should the mail server take if the destination email address is fake?

IP Reputation and Blacklists are one of the most effective and common forms of blocking Spam from ISP and Telco email servers, but which ones are effective and how do they compare.

Well, it depends of course on the type of ISP and the demographics of it's users, for instance ISP's with a large user base on one domain will suffer from different patterns than the ISP with hundreds of domains, but only 1000 accounts.

LinuxMagic MagicMail Servers have had a built in ability to monitor the performance of individual blacklists in use fro some time now, and it might be helpful to other administrators to look at example stats from live environments to compare how their choices in active blacklists or IP reputation blocking may stack up. Blocking by IP reputation can reduce the overhead, and bandwidth significantly, vs traditional filtering.

In the first example, an ISP of more than 100k users was examined, and compared with one of the leaders in the industry, Spamhaus which was still the single most effective list tested. The stats do show that a combination of lists is the most effective blocking app.

75% of all inbound connections. (Rate limiting prevents the worst offenders otherwise this number would be much higher) Spamhaus has several lists available, and at the time of writing, comparison was only made against the XBL List for the larger ISP. (It should be noted that ZEN will have a higher rate of blockage) XBL alone could block app. 50% of the traffic.

The second most effective list would be the UCE-PROTECT lists, at app. 30-50% depending on the use of UCE-1 or UCE-2. PSBL and SORBS-DUL came in around 27% and SPAMRATS came in around 12%. Many IP addresses on various lists overlap, with unique counts generally being less than 10%.

One noted exception is MIPSPACE, but this is not a blacklist per se but a listing of companies and networks allowing or engaging in commercial email marketing, vs the more traditional sources of Spam. Over the last year, this type of email is becoming the most agressive increase, reaching 10% of all inbound connections. Looking at a smaller ISP with many domains, eg hosting companies, we see a different trend. IP reputation is much more important. 88% of all inbound connections are blocked with IP reputation, and in this case we have numbers on SPAMHAUS Zen, which show this as the single most effective list, with 80% blockage rates. (Again, these numbers may have been higher without rate limiters in effect) UCE again is the second most effective, with app. 40-50% blockage rates, depending on the use of UCE, 1,2,3. PSBL shows a higher capture rate in this environment as well, with app. 40% blockage rates, as with SORBS-DUL at 38%.

SORBS also shows a slightly higher rate of uniques in this environment as well. SPAMRATS in this case also increase to 18%. There are many other reputation lists available, and it is up to individual administrators to weigh their effectiveness vs a risk of false positives, but it is still obvious that IP reputation checks in the email servers is still the single most productive tool at your disposal. Even the smallest list tested had over 1 million IP's that have been determined to have been used to launch either Spam attacks, or dictionary attacks.

A short presentation of MailScanner and ClamAV, as free email scanners alternatives for Linux, from ServerWatch:

I've never been comfortable with Windows-based e-mail scanners because they run on the same porous, malware friendly platform they're supposed to protect. Paying big bucks for software licensing fees year after year isn't a very attractive proposition either.

Fortunately, there are powerful, free alternatives, like MailScanner and ClamAV. Using these two together delivers stout protection again viruses, spam, phishes, and all manner of e-mail-borne malware. Both run on just about any Linux or Unix-type operating system, so you have the benefit of choosing your favorite operating system as well as the benefits of superior security, efficiency and performance.

ClamAV just keeps getting better. It installs with a nice set of default options, and thus requires minimal tweaking. It defaults to checking for new virus signatures several times per day, and it can scan outgoing mail. You should definitely scan outgoing e-mail — if this were a routine practice, 90 percent of e-mail would not be spam or malware.....

This article describes an attack method against Web applications that communicate with mail servers, particularly WebMail applications. Some of the applications that are vulnerable to the mail injection threat can be exploited and forced to send arbitrary commands through e-mail protocols such as IMAP and SMTP. Hopefully, this information will prove useful to auditors and mail server code developers.

Microsoft Thursday shipped Exchange 2007 Service Pack 1 that includes support for the forthcoming Windows Server 2008 and enhancements to real-time communication and mobile device integration. Microsoft also made available Forefront Security for Exchange Server 2007 SP1, which includes improved content filtering and management, and support for Windows Server 2008. Even though it's a little later than previously announced, hopefully, this patch will straighten out some issues.

Most people lock their doors and windows, use a paper shredder to protect themselves from identity theft, and install antivirus software on their computers. Yet they routinely surf the Internet without giving a second thought to whether their browser is secure and their personal information safe. Unfortunately, it's easy for someone with nefarious intentions to use a Web site to glean data from -- or introduce spyware to -- your computer. Even worse, sometimes all you have to do is randomly click on a site to have your data probed in a most unwelcome way.

(Joel Snyder, TechTarget) Some email managers have asked for the ability to stop certain types of files from coming through the system. The premise is simple: some types of files are rarely legitimately sent. A good example would be a file with an extension of .BAT. Yes, IT people do occasionally and legitimately send .BAT files. But all of the non-IT people in an organization should not be getting .BAT files. And if they do get .BAT files, then they are probably getting into trouble with them.

This leads to a lot of antivirus configurations that delete certain body parts from email messages. Good products let you do this in three different ways:

1. By the filename of the body part (such as *.mp3)
2. By the MIME label (such as MIME type "audio/mpeg")
3. By the fingerprint of the file as detected by the email gateway (such as "audio files").

A key consideration: The only reason to look at types of email body parts is to block them from entering your organization. Don't use these features to exempt certain types of data files from virus scanning. Remember: Computers are cheap, people are expensive, and (more importantly) attackers are constantly moving their attack vectors. Any attempt to optimize your antivirus configuration to speed performance is going to eventually compromise security.

Blocking certain types of files from entering via email is more of a business-by-business decision. Going one way or the other can't be classified as a best practice.

(Kevin Beaver, CISSP TechTarget) As businesses continue to integrate Linux into their existing Windows infrastructures, extending Active Directory functionality to accommodate these systems is becoming more appealing. Many shops already run some combination of Samba/Winbind, PAM, and OpenLDAP that offer up Windows authentication services, among other things. Although some admins are looking ahead for ways to replace Active Directory altogether (a goal of Samba 4), don't hold your breath - Samba 4 has been four years in the making. There are commercial solutions for Active Directory/Linux integration available from vendors such as Quest, Centrify, and Likewise. So the need and the solutions are there. But, of course, it's not that simple - at least if security is on your radar.

Whether you've already started down the path of integration or have it on the docket for the near future, there are some Active Directory-centric security issues you need to be aware of. Like acquiring a new company and taking on its business processes and codebase, you're going to get the warts and all when you incorporate Active Directory into the Linux realm (or vice versa). You'll suddenly have all the security issues that come along with Active Directory – some of which will undoubtedly have some unintended consequences in your environment.

First off, dependence on Active Directory as your sole directory service and security policy enforcer can create a single point of failure. When Active Directory goes down – or goes away – because of some unintended outage, design oversight, or mismanagement, your network services can come to a halt. This is the least likely of scenarios - but you still need to consider it.

Another common weakness with Active Directory is the lack of separation of duties. Simply put every admin has full access to the system and there's no real accountability. Be it via general security groups or admin access at the OU (or similar) level, there needs to be some sort of separation if multiple hands are allowed access.

You also have issues with password policies – or lack thereof. This is probably the most common weakness I see related to Active Directory security. Interestingly, admins will go out of their way creating well thought-out security controls such as one-way trusts, GPOs (group policies) for locking down workstations and so on but minimal – and reasonable – password requirements are often missing.

(Michael Kassner, TechRepublic) The complexity of today’s IT environment makes it easy for computer malware to exist, even flourish. Being informed about what’s out there is a good first step to avoid problems.

With all the different terms, definitions, and terminology, trying to figure out what’s what when it comes to computer malware can be difficult. To start things off, let’s define some key terms:

1. Malware: Is malicious software that’s specifically developed to infiltrate or cause damage to computer systems without the owners knowing or their permission.
2. Malcode: Is malicious programming code that’s introduced during the development stage of a software application and is commonly referred to as the malware’s payload.
3. Anti-malware: Includes any program that combats malware, whether it’s real-time protection or detection and removal of existing malware. Anti-virus, anti-spyware applications and malware scanners are examples of anti-malware.

One important thing to remember about malware is that like its biological counterpart the number one goal is reproduction. Causing damage to a computer system, destroying data, or stealing sensitive information are all secondary objectives.

Is it even possible to reduce the harmful effect malware causes? Here are a few thoughts on the subject:

1. Malware isn’t going away any time soon. Especially when it became evident that money, lots of money can be made from its use.
2. Since all anti-malware applications are reactionary, they are destined to fail.
3. Developers who create operating system and application software need to show zero tolerance for software vulnerabilities.
4. Everyone who uses computers needs to take more ownership in learning how to react to the ever-changing malware environment in.
5. It cannot be stressed enough, please make sure to keep operating system and application software up to date.

(Joe Rosberg, TechRepublic) Most of us have seen those spoof e-mails, when a personal e-mail address has been commandeered for the purpose of sending spam, but in this case, to everyone in your Address Book.

Here are a few ways it could happen:
Malware of some sort found its way onto your computer, and its sole purpose is to harvest e-mail addresses, which are then sent along to someone else for the purpose of sending spam e-mails.
Someone who has your e-mail address in their Address Book actually has the malware on their computer.
Some Web sites actually harvest e-mail addresses from a computer, especially those that presume to share things with others or invite friends, and so on; or perhaps people who are members of those sites have ways to harvest e-mail addresses from their friends.

What to do:
Scan your system for malware. Two tools I might recommend are Malwarebites and Hijackthis. And since some malware might resurrect itself through a Registry entry, perhaps running CCleaner would be prudent as well. However, consider the risks of running a Registry cleaner.
Make sure your antivirus software is installed and is up to date with the current virus definitions.
Make sure your Windows OS is current with all security updates.
Be careful of (or avoid) some (or all) of those social Web sites, especially ones that share e-mail addresses.
If your computer is clean, and you’re certain you weren’t compromised at a social networking site, send an e-mail to all the people in your Address Book to give them a heads-up that someone in your e-mail circle might be compromised. I would suggest sending them one at a time or with a blind CC, however, since I advise people to never send mass e-mails — although we probably all do it from time to time in certain cases.

(Paul Mah, TechRepublic) What kind of security policies do you enforce on mobile devices and smartphones that employees bring into the office? Are unsecured mobile devices opening up a back door into your corporate network? A study conducted by Credant Technologies shows that the use of mobile phones or devices for work-related matters is on the upswing. In a manner, this is surely good news, since what it means is that workers are increasingly being able to maximize their time — especially since shipments of smartphones have been projected to continue increasing.

Some of the statistics from the survey are as follows:

• 35 percent receive and send business e-mail
• 30 percent use them as a business diary
• 17 percent download corporate information, such as documents and spreadsheets
• 23 percent store customer’s information

In all, 600 commuters were interviewed at London railway stations. Interestingly, while 99 percent use their personal phones for some sort of corporate use or other, a quarter of them have actually been asked by their employer not to do so. The reason for that is simple enough — the possibility of losing one’s mobile phones to theft or carelessness could open the way to devastating data leaks.

In addition, unlike laptops where stored information is usually limited to whatever is on the hard disk, mobile devices are increasingly equipped and configured to tap into storage repositories and databases inside the corporate network.

The use of unsecured mobile devices
What I thought to be of particular concern here is the fact that 40 percent surveyed in this random sample failed to protect their mobile phones with even a rudimentary password. Extrapolating from this lack of security consciousness, the contents of media cards itself are likely to be similarly unprotected. I would not be surprised if the percentages of users without password or encryption were similar elsewhere.[...]

Whatever the approach, a deliberate strategy needs to be put into place to eliminate the presence of unsecured mobile device’s ability to access the corporate network.

The absence of a mobile usage policy
While computer usage policies are common in organizations by now, the situation is different when it comes to policies pertaining to the usage of mobile devices. As it is, mobile usage policy needs to be in place and followed by the implementation of security controls. This is hardly as easy as it appears to be, since these controls have to span the entire organization hierarchy in order to be effective. In addition, loss remediation procedures need to be drawn up and made known.