Thursday, February 26, 2009

I love Facebook but ...

A week ago the company published new terms and conditions for being a Facebook user which included a perpetual, retroactive license to use your content in nearly any way they see fit - even after you "delete" your account. Thousands cried foul and there was even a threat to file a complaint with the FTC. Facebook has since backed down and reverted to its previous user agreement. Nevertheless, the issue points out the severe risks of using social networking services - especially Facebook. Some might say that the site operates in a fashion similar to a gigantic information gathering operation that lures people in by offering fancy tools that allow them to exercise their egos to various extremes. Others might just think it's "cool" and a "must-do" sort of thing because their peers expect them to participate. The bottom line here is that Facebook has demonstrated a clear intent to leverage you and your content to their own advantage.
So my advice is this: Don't use Facebook too much... But if you can't resist, then don't post anything on Facebook that the majority of people don't already know about you. In fact, you might consider adopting as part of your company security policy a ban that prohibits employees from mentioning anything about your company in their Facebook profiles. One tiny data leak could be used against you, and there'd probably be little if anything you could do about it.

I love Facebook but, like everything else, don't exaggerate - and that's exactly what everyone is doing. And I haven't even spoken about the (in)security of possible 'Facebook' applications and other related security problems.

Wednesday, February 25, 2009

Adobe Reader/Acrobat JBIG2 Indexing Zero Day Vulnerability.

I hope you are aware of the 0-day vulnerability currently being actively exploited in Adobe Reader/Acrobat. I initially heard rumours about this 0-day vulnerability on 16th February 2009. Three days later, Adobe confirmed the existence of the 0-day vulnerability and Secunia issued an advisory. Over the last couple of days, I have seen many sources recommend that users disable support for JavaScript in Adobe Reader/Acrobat to prevent exploitation. While this does prevent many of the currently seen exploits from successfully executing arbitrary code (as they rely on JavaScript), it does not protect against the actual vulnerability, which lies in the JBIG2 image decoding itself. Secunia managed to create a reliable, fully working exploit which does not use JavaScript and can therefore successfully compromise users who may think they are safe because JavaScript support has been disabled.
Bottom line: All users of Adobe Reader/Acrobat should therefore show extreme caution when deciding which PDF files to open, regardless of whether they have disabled JavaScript support or not. I hope that Adobe will be issuing patches very soon.
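As an added illustration (not from the original post, nor from Adobe or Secunia), here is a small Python triage script that flags the indicators discussed above in a PDF: it treats a JBIG2-encoded stream as the primary warning sign, independent of whether JavaScript is present, because disabling JavaScript does not remove the decoder flaw. The PDF fragments are constructed samples and carry no exploit.

```python
import re

# Constructed PDF fragments (not real exploit files) for the two cases that
# matter here: a JBIG2-encoded image with no JavaScript, and JavaScript only.
JBIG2_NO_JS = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
4 0 obj << /Type /XObject /Subtype /Image /Width 8 /Height 8
/Filter /JBIG2Decode /Length 4 >>
stream
\x00\x00\x00\x00
endstream
endobj
%%EOF"""

JS_ONLY = b"""%PDF-1.4
1 0 obj << /Type /Catalog /OpenAction 3 0 R >> endobj
3 0 obj << /S /JavaScript /JS (app.alert('hello')) >> endobj
%%EOF"""


def _normalise_names(data: bytes) -> bytes:
    # PDF names may hex-escape characters (/JBIG2#44ecode == /JBIG2Decode);
    # decode the #xx escapes so a disguised name is still matched.
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)


def triage_pdf(data: bytes) -> dict:
    """Flag the indicators relevant to this advisory: a JBIG2 stream,
    embedded JavaScript, and actions that run automatically on open."""
    d = _normalise_names(data)
    return {
        "jbig2": re.search(rb"/JBIG2Decode\b", d) is not None,
        "javascript": re.search(rb"/(JavaScript|JS)\b", d) is not None,
        "auto_action": re.search(rb"/(OpenAction|AA)\b", d) is not None,
    }


def verdict(data: bytes) -> str:
    ind = triage_pdf(data)
    if ind["jbig2"]:
        # Disabling JavaScript in the reader does not help here: the flaw
        # is in the JBIG2 decoder, which runs regardless of that setting.
        return "suspicious: JBIG2 stream present, JavaScript setting irrelevant"
    if ind["javascript"] or ind["auto_action"]:
        return "review: JavaScript or automatic action present"
    return "no indicators"
```

This is a first-pass heuristic on the raw bytes; a PDF that hides its objects inside compressed object streams would need decompression before the same checks apply.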
To be continued ...

Tuesday, February 24, 2009

Some malware predictions for the next 10 months of 2009.

A little bit late I know ... but it seems that working for a security vendor takes more time than I thought! ;-)

Just to sum it up in a couple of lines, these are a couple of my own predictions:

• Threats on Social-Networking Sites. Cybercriminals no longer deliver threats only via spam. They are taking advantage of Facebook, MySpace, and other popular social-networking sites. I expect this trend to continue throughout 2009, eventually displacing more traditional malware distribution channels such as email, which is already happening today.
• Personalized Threats Speak Your Language. I expect to see the continued expansion of malware in languages other than English, like Dutch, etc. Cybercriminals have come to realize that by diversifying into a global market they can access even larger pools of valuable identity and confidential information.
• Malware Targets Consumer Devices. I expect to see increased attacks involving USB sticks and flash-memory devices used in cameras, picture frames, and other consumer electronics. This trend will continue due to the almost unregulated use of flash storage across enterprise environments as well as its popularity among consumers.
• Security Software Scams. The malware underworld is using mainstream practices in an effort to "sell" security software that is either misleading or outright fraudulent. This trend will continue.
• Abusing Free Web-Hosting/Blogging Services. Websites such as Geocities, Blogspot, etc., allow anyone to create a public website for free, without the authentication necessary when purchasing a domain-name website. This gives spammers the opportunity to run their underground business with minimal expense. Spam from do-it-yourself social-website-hosting providers arrives at its destination with far greater frequency than links pointing to domain names assigned by legitimate registrars. With little to no threat of punishment for their hosted content, and the new restrictions on short-term domain tasting, the attractiveness of free bandwidth offered by these sites will undoubtedly draw greater focus from malicious parties.
• More Targeted Phishing and Corporate Blackmailing. Botnets of zombie computers that spread into corporate networks and financial datacenters will increasingly be used to gather sensitive information that can be used for blackmail or sold on the underground market.
• Browser-Based Attacks. Cybercriminals will increasingly attack via web browsers, as they are the least-protected and therefore the easiest way to deliver malware.
• Security Breaches of Confidential Data. Information that is managed by partner and subsidiary companies of bigger companies will be exposed more frequently, forcing an overhaul of data-security practices.
• More Scams Involving Home Businesses. "Legitimate" home business scams generally involve either a pay-up-front, do-it-yourself kit, or a pay-to-play shell game of training and certification. We'll see more of it on television, and the same infrastructure that supports diploma spam and confidence fraud will adjust to the new unemployment reality and offer people some new bait on the old check-cashing scam.
• Increase in Forging and Abuse of Free Email Services. The free email services have started to allow accounts to send mails with arbitrary "from" addresses. This has increased the usability of these services significantly for businesses, but has also increased their "abusability" by spammers.

Friday, February 20, 2009

Eddy Willems in S.Crimineel on S.Televisie

What a week.. pff.. 5 days felt like 5 minutes, do you know the feeling?
Of course there was a climax with Eugene Kaspersky, our CEO and my boss, coming to the IDC European Security Conference. After a terrific panel session with several other experts and loads of interviews with the press, including a very nice one with Kanaal Z, we went out for a good dinner in the well-known Beenhouwerstraat in Brussels.
Returning home and zapping through all the TV channels, I realised that not only was Eugene on (Kanaal Z), I also saw myself showing up in S.Crimineel on S.Televisie, a show about criminality and law in general that is repeated three times a day. A quite long show and interview of about 23 minutes, in one long shot taken without cutting. You can still watch the show until next Thursday if you have cable television from Telenet, a well-known ISP and cable provider in Belgium.
So everybody will at least see something from Kaspersky somewhere! For the people who don't have cable TV or Telenet, I will shortly put a link to the show on the press page of my site.
So let's see what the next week will bring after this strange and quick week, and of course .. the hacks of the websites of Kaspersky, Bitdefender, F-Secure and Symantec .... but that's another story.

Wednesday, February 11, 2009

About testing anti-malware products...

Kaspersky Lab is an enthusiastic supporter of this initiative, and several members of the research team have already attended the AMTSO meetings. And AMTSO seems to be getting there... Recently there was a meeting in Cupertino. Major progress was made on a number of papers I'd say are pretty important: these include not only a glossary, but also papers that discuss such topics as gathering samples, sample validation, in-the-cloud testing, issues with malware creation or modification for testing purposes, and whole product evaluation, and I expect to see quite a few of these finished and approved before the next AMTSO meeting.
Standardization on good practice is good for the industry, of course, and continuing cooperation between the antimalware and testing industries benefits both parties. But if we do this properly, it will be even more beneficial for end-users and prospective and actual customers. Not because what’s good for the industry is good for its customers, but because what we’re aiming for is to make it easier for them to distinguish between good and bad testing.
So this is indeed a good thing protecting everybody from bad testing.
What did you say?
Oh yes, I've seen a lot of bad tests in the last two decades...

Tuesday, February 10, 2009

Kaspersky US Site hacked, so what?

In the Kaspersky US hack, which was discovered last Saturday, no sensitive or customer data was compromised, but to allay concerns about the severity of the problem, Kaspersky Lab has hired David Litchfield, an expert in database security, to conduct an independent audit of the systems involved. A section of Kaspersky's new U.S. support site was breached by someone using a SQL injection attack. After conducting the attack, the attackers decided to show off their 'great code of ethics' by sending Kaspersky Lab an email - on a Saturday, to several public email boxes. They gave us exactly 1 hour to respond, and posted on their blog without having received a response. Obviously I am not happy about this, and Kaspersky Lab is in the process of making the review process stricter than it currently is. Kaspersky Lab is doing everything it can to perform thorough forensics on this case and to prevent this from ever happening again.

At least some keypoints to remember in this case:
• NO data was compromised and KL hired a 3rd party organization to do an independent audit to confirm this.
• The attack happened on a subsection of the US site with no link to the ecommerce or global site. No KL websites other than the US site were attacked.
• This attack has nothing to do at all with the quality of our products of course!

You can read more about what really happened at the official Kaspersky blog.

Interesting for the more technical reader ... it seems that a variant of the Acunetix tool was used to facilitate the attack.
Isn't that a 'special' form of promotion? ;-)

And oh yes, I'm a little bit sick today (I possibly caught a cold), but I'm using 'Sinutab' to clear up my personal health problem today.
So, does this change me, am I a different person now?
No, I'm still the good old Eddy with all his known skills. (I suppose so)
Do you know what I mean?

Wednesday, February 04, 2009

A day in the Life of a Kaspersky Lab Security Evangelist...

A day in the life of a Security Evangelist is sometimes unbelievably overloaded.
Today I answered 150 of the 479 emails I received, and the day isn't finished yet. I spoke to a couple of journalists. I traveled to Hilversum in the Netherlands, where I'm writing this short blog piece. I have a hotel just in front of the 'mediapark', where I will have an interview tomorrow with an 'NOS' journalist for the evening TV and radio news about the Shadow botnet case. Indeed, the case enters a second phase, as Friday will be the preview of the real case before it comes to 'Justice'. I also arranged today an interview with 'S.televisie', a Telenet cable channel in Belgium, for next week, where I will be interviewed in the program 'S.Crimineel' about internet crime. Tomorrow afternoon I will present 'A Virus Analyst in 15 Minutes?' at IT Security Heliview in Hoevelaken, the Netherlands.
And possibly after that I will travel back home by car, where I will encounter several traffic jams....

And guess what, my Kaspersky Lab anti-malware program is just now detecting and blocking an intrusion attempt on my laptop ... right at the end of this blog post.
Nice, isn't it, working on an unprotected internet connection from this hotel.. Well, at least I know what to do and I'm well protected, but is that the case for everyone in this hotel? I don't think so.
This was a normal day in the normal life of a Security Evangelist, and there are people who think that I have an easy job.