Enabling a safer internet: The positive approach to web security
- by Sophos
Infecting trusted sites with SQL injection attacks
One of the main threats comes from SQL injection attacks. Such attacks exploit security vulnerabilities and insert malicious code (in this case script tags) into the database running a site. When user input, for instance via a web form, is not correctly filtered or checked, the code peppers the database with malicious instructions.
Websites that have been attacked in this way include:
* BusinessWeek magazine - one of the 1000 busiest websites - which attempted to download malware from a Russian-based server.
* An area of the Adobe website designed to offer support to video bloggers, which tried to download spyware.
* Sony's US PlayStation website, putting visitors at risk from a scareware attack.
Recovery from a SQL injection attack can be difficult, and there are numerous cases of website owners cleaning up their database only to be hit again a few hours later.
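An added example, not part of the Sophos paper: after a cleanup, a site owner can scan every text column for script tags that load from hosts the site does not use, to see whether the injected tags have returned. SQLite stands in for the site's database, and the table, the allowed hosts and the sample rows are constructed for illustration.

```python
import re
import sqlite3
from urllib.parse import urlparse

# Assumption: the only hosts this site legitimately loads scripts from.
ALLOWED_SCRIPT_HOSTS = {"www.example.com", "cdn.example.com"}
SCRIPT_SRC = re.compile(r"<script\b[^>]*?\bsrc\s*=\s*[\"']?([^\"'\s>]+)", re.I)


def find_injected_scripts(conn):
    """Return (table, column, rowid, host) for each off-site <script src> in a text column."""
    findings = []
    tables = [row[0] for row in conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table'")]
    for table in tables:
        # PRAGMA table_info rows: (cid, name, declared type, notnull, default, pk)
        columns = conn.execute(f'PRAGMA table_info("{table}")').fetchall()
        for _cid, column, ctype, *_rest in columns:
            if not any(t in ctype.upper() for t in ("CHAR", "TEXT", "CLOB")):
                continue  # numeric columns cannot hold markup
            rows = conn.execute(
                f'SELECT rowid, "{column}" FROM "{table}" WHERE "{column}" LIKE ?',
                ("%<script%",))
            for rowid, value in rows:
                for src in SCRIPT_SRC.findall(value):
                    host = urlparse(src).hostname  # None for same-site relative paths
                    if host and host not in ALLOWED_SCRIPT_HOSTS:
                        findings.append((table, column, rowid, host))
    return findings


def build_sample_db():
    """Constructed sample data: two rows carry an appended off-site script tag."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE articles (title VARCHAR(200), body TEXT, views INTEGER)")
    bad = '<script src="http://bad.example.net/b.js"></script>'
    conn.executemany("INSERT INTO articles VALUES (?, ?, ?)", [
        ("Quarterly results", "<p>Revenue rose.</p>", 10),
        ("Markets" + bad, "<p>Stocks fell.</p>", 20),
        ("Widgets", '<script src="/js/site.js"></script>' + bad.upper(), 30),
        ("Embeds", "<script src=//cdn.example.com/lib.js></script>", 40),
    ])
    return conn


if __name__ == "__main__":
    for finding in find_injected_scripts(build_sample_db()):
        print(finding)
```

Run on a schedule, a non-empty result after a cleanup shows that the tags are being written again.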
New gateways for cybercrime
The new freedoms opened up by the web, blurring the lines between work and social interaction and offering easy ways to share information, have opened up new loopholes for cybercriminals to exploit.
Social networking sites
Social networking websites are a favorite target for today's hackers. People who have learned to be suspicious of email links are on the whole less savvy about links posted on Facebook and the like. Hackers have found value in compromising Facebook accounts, stealing usernames and passwords, and then using the profiles as a launching pad for mass-distributing malware attacks and spam.
In August 2008, Facebook admitted that up to 1800 users had had their profiles defaced by an attack that secretly installed a Trojan while displaying an animated graphic of a court jester blowing a raspberry.7
One particularly active threat is Koobface, a family of worms, and its rapid evolution demonstrates the wide range of social networks that are vulnerable. Initially targeting Facebook and MySpace, Koobface now targets a more diverse set of social networks, including MySpace, Bebo, hi5, GeoCities, Friendster and Tagged.
The malware works by directing your "friends" on your social networking site to click on a link to another site purporting to contain a video clip. If they are tricked into downloading an executable to watch the video at the third-party website, a message is displayed: "Error installing Codec. Please Contact Support". The malware then accesses Facebook/MySpace/etc to spread itself further.
The websites to which victims are directed use a script to check which of these social networking sites has sent them there. The aim is to serve up malware specifically tailored to the networks of which you're known to be a member (though in fact to date these links all result in the same executable).
Blogs, micro-blogs and hackers
Hackers are also targeting other social media such as blogs. In much the same way that they set up malicious pages on fake websites and then use social engineering techniques to lure visitors to them, they are using free blogging services to create infected blogs. Unsuspecting victims then receive emails with links to the blog, from which malicious software is downloaded.
At the same time, vulnerabilities in common legitimate blogging platforms - just like any other platform - can be, and are, exploited by criminals.
Of note is the micro-blogging site, Twitter, which has begun to be targeted. In January 2009, Twitter's internal systems were hacked and the accounts of Britney Spears, Fox News and Barack Obama, among others, were broken into.11 Two months later hundreds of Twitter users were hit when messages were sent from compromised accounts trying to drive traffic to a pornographic website.
The spread of the phishing net
Phishing attacks - whereby unsuspecting users are directed to a bogus login page which requests their username and password - continue to be a significant threat.
A common misconception is that phishing is just a banking problem. It remains, of course, a banking problem but it is now also a problem for social networking sites, such as MySpace, Facebook, Bebo and a wide range of other networks and enterprises.
A handful of examples from February and March 2009 alone demonstrate the scale of the problem.
* Google: A phishing campaign spread via the Google Talk chat system.13
* iStockphoto: A phishing attack was perpetrated across iStockphoto's online forums and via the site's mail system.14
* Gaming community: The Valve Steam network was targeted by a phish offering add-ons for the new zombie shooter Left 4 Dead.15
* PayPal: An unusual type of phishing attack spammed out malware within a RAR attachment.16
* HMRC: The passing of the deadline for submitting tax returns to HM Revenue & Customs in the UK prompted a phish.17
The risks posed by anonymizing proxies
Many organizations have responded to the growing web threat by using URL filtering to curtail internet browsing. This has motivated many users to respond by using anonymizing proxies which disguise the true nature of a website in order to trick an organization's web filter into allowing access.
Anonymizing proxies are big business in the underground economy, driven by advertising revenues and subscription fees. Hundreds of new anonymizing proxies are created daily and distributed via blogs, forums, and dedicated websites. There is also a growing number of unknown private anonymizing proxies set up and maintained by individuals or small groups for their own use. This makes it extremely easy for users to access any site they want through an anonymizing proxy, but a difficult, tedious, and time-consuming task for administrators to track and block them.
Anonymizing proxies hold significant risks for organizations:
* Security: If users are browsing via anonymizing proxies, then in addition to bypassing URL filtering, they might also be circumventing content scanning at the perimeter, which dramatically increases the chance of infection. There are even anonymizing proxies that are themselves, either accidentally or deliberately, infected with malware.
* Liability: Unrestricted access to inappropriate material or illegal downloads could have serious legal ramifications for an organization, as could the sharing of confidential information over the internet.
* Productivity: The ability for users to bypass their organization's web filter means they could spend all day on, for example, social networking sites rather than working, and consume valuable network bandwidth.
Anonymizing proxies bypass URL filtering and create enormous security vulnerabilities.
The three pillars of modern web protection
Internet access creates a dilemma for network administrators - on the one hand, the risks presented by allowing unfettered access to the web are enormous, yet the internet is undeniably becoming a mission-critical business tool. Social networking sites, blogs, forums and media portals have all become important instruments for employee recruitment, viral marketing, public relations, customer interaction, and research - they cannot be blocked without seriously impacting business productivity and effectiveness.
A new approach to web security and control is required that fully supports the needs of business, equipping users with the tools they need to be more effective while eliminating the associated risks of potential infection from trusted legitimate sites. In addition to good preventive practices, such as rigorous patching and educating users about the risks of browsing, it is vital that organizations implement a comprehensive web security solution, comprising three key pillars of protection:
* Reputation-based filtering
* Real-time predictive malware filtering
* Content-based filtering
Reputation-based filtering
Reputation-based filters are the first critical component in the fight against web-based threats. They prevent access to a catalog of sites that are known to have hosted malware or other unwanted content, by filtering URLs based on their reputation as "good" or "bad", and are an established and proven tool for successfully protecting against already known and located web-based threats. As well as providing this basic form of preventive protection, they help optimize network performance and staff productivity by blocking access to illegal, inappropriate or non-business-critical web content.
Although traditional URL filters often connect to vast, regularly updated databases of sites known to host malware or suspicious content, they have several significant shortcomings. In particular, they offer no protection against malware hosted on legitimate, previously safe, sites that have become hijacked. Neither do they protect against malware on newly created websites. Cybercriminals are well aware of, and readily exploit, the fact that traffic from these sites is not blocked and that malware, whether new or old, will be allowed into an organization.
Another significant shortcoming of traditional URL filters is that they often lack an effective solution to deal with the enormous issue of anonymizing proxies. To prevent users from bypassing filtering controls, the following two components are critical in forming a defense against anonymizing proxy use:
* A reputation-based service that actively seeks out new anonymizing proxies as they are published and updates the filtering database at frequent, regular intervals
* A real-time proxy detection engine that automatically inspects traffic for signs that it's being routed through a proxy, effectively closing the door on private proxies or other proxies not identified through the reputation service.
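An added example, not Sophos's engine, of how the two components can work together: a reputation lookup on the requested host, followed by an inspection of the request for a wrapped destination URL whose reputation is then checked. The catalog entries, the blocked categories and the wrapped-URL heuristic are assumptions made for illustration.

```python
import base64
from urllib.parse import parse_qsl, urlparse

# Constructed reputation catalog (host -> category); a real one is a vendor feed.
REPUTATION = {"malware-host.example.net": "malware",
              "known-proxy.example.org": "anonymizing-proxy",
              "social.example.com": "social-networking"}
BLOCKED_CATEGORIES = {"malware", "anonymizing-proxy", "social-networking"}  # assumed policy


def category_of(host):
    """Look up the host, then each parent domain; None means not catalogued."""
    labels = (host or "").lower().split(".")
    parents = (".".join(labels[i:]) for i in range(len(labels) - 1))
    return next((REPUTATION[p] for p in parents if p in REPUTATION), None)


def hidden_destination(request_url):
    """Assumed heuristic: a query value that is another site's URL, in clear or base64."""
    outer = urlparse(request_url)
    for _name, value in parse_qsl(outer.query):
        texts = [value]
        try:
            padded = value + "=" * (-len(value) % 4)
            texts.append(base64.urlsafe_b64decode(padded).decode("ascii"))
        except ValueError:  # binascii.Error and UnicodeDecodeError are ValueErrors
            pass
        for text in texts:
            try:
                inner = urlparse(text)
            except ValueError:
                continue
            if inner.scheme in ("http", "https") and inner.hostname not in (None, outer.hostname):
                return inner.hostname
    return None


def decide(request_url):
    """Return (verdict, reason): reputation lookup first, then traffic inspection."""
    host = urlparse(request_url).hostname
    for target, how in ((host, "listed"), (hidden_destination(request_url), "relayed")):
        if category_of(target) in BLOCKED_CATEGORIES:
            return "block", f"{how}: {target} is {category_of(target)}"
    return "allow", "no reputation hit"


# Constructed sample: an unlisted private relay carrying a base64-wrapped destination.
WRAPPED = base64.urlsafe_b64encode(b"http://social.example.com/home").decode()
SAMPLE_RELAY = "http://private-relay.example.info/browse.php?u=" + WRAPPED
```

Redirect parameters on ordinary sites also carry URLs, which is why the verdict here depends on the destination's category rather than on the relay signal alone.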
Real-time predictive malware filtering
Real-time predictive malware filtering goes a long way to closing the gap left by reputation-based filters. All web traffic passes through a scanner designed to identify both known and newly emerging zero-day malware. The malware engine is optimized for low-latency scanning and whenever a user accesses a website, irrespective of its reputation or category, the traffic is scanned using a combination of signatures and behavior-based technologies.
It is worth noting that this type of real-time scanning has a further advantage over traditional URL filters, in that the filtering is, almost by definition, bi-directional - both the user request to, and information returning from, the web server are scanned. In addition to detecting known malware as it moves across legitimate sites, this bi-directional filtering can also provide protection against new threats regardless of where they are hosted.
The use of real-time predictive threat filtering remains uncommon amongst many of the leading web filtering security solutions in the market today. Many security vendors are currently relying on signatures alone. Others who are fairly recent entrants to the market claim comprehensive solutions but lack the evidence to prove they are delivering fully proactive protection.
Content-based filtering
Content-based filtering analyzes all web traffic on the network to determine the true filetype of content coming back from a website and can allow or disallow this traffic, based on corporate policy.
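An added example (not Sophos code) of the check described above: identify the true file type from the leading bytes of the response body and compare it with the declared MIME type and the URL extension. The signature list is a small subset, and the blocked-type policy and sample URLs are assumptions.

```python
import posixpath
from urllib.parse import urlparse

# Leading-byte signatures for a few common formats (a small subset).
SIGNATURES = [
    (b"MZ", "executable"), (b"\x7fELF", "executable"),              # Windows PE, Linux ELF
    (b"%PDF-", "pdf"),
    (b"\x89PNG\r\n\x1a\n", "image"), (b"\xff\xd8\xff", "image"),    # PNG, JPEG
    (b"GIF87a", "image"), (b"GIF89a", "image"),
    (b"PK\x03\x04", "archive"), (b"Rar!\x1a\x07", "archive"),       # ZIP container, RAR
]
# What a declared MIME type or URL extension claims the content is.
CLAIMED_BY_MIME = {"image/png": "image", "image/jpeg": "image", "image/gif": "image",
                   "application/pdf": "pdf", "application/zip": "archive",
                   "application/x-msdownload": "executable"}
CLAIMED_BY_EXT = {".png": "image", ".jpg": "image", ".gif": "image", ".pdf": "pdf",
                  ".zip": "archive", ".rar": "archive", ".exe": "executable"}
BLOCKED_TYPES = {"executable"}  # hypothetical corporate policy


def true_type(body: bytes) -> str:
    """Classify content by its leading bytes, ignoring name and headers."""
    for magic, kind in SIGNATURES:
        if body.startswith(magic):
            return kind
    return "unknown"


def filter_response(url: str, content_type: str, body: bytes):
    """Return (verdict, reason) for one HTTP response seen at the gateway."""
    actual = true_type(body)
    mime = content_type.split(";")[0].strip().lower()
    ext = posixpath.splitext(urlparse(url).path)[1].lower()
    claimed = CLAIMED_BY_MIME.get(mime) or CLAIMED_BY_EXT.get(ext)
    if actual in BLOCKED_TYPES:
        return "block", f"policy blocks {actual} content"
    if claimed and actual != "unknown" and claimed != actual:
        return "block", f"declared {claimed} but content is {actual}"
    return "allow", f"content is {actual}"


# Constructed samples: (url, declared Content-Type, first bytes of body).
SAMPLES = [
    ("http://media.example.org/video_codec.jpg", "image/jpeg", b"MZ\x90\x00\x03"),
    ("http://www.example.com/logo.png", "image/png", b"\x89PNG\r\n\x1a\n\x00"),
]
if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample[0], filter_response(*sample))
```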
Key questions to ask a prospective vendor
* Does the URL database used for your reputation-based filtering have global coverage?
* How frequently is your product updated to cover new threats?
* How many new threat-hosting sites are identified daily?
* Do you scan all incoming traffic for malware in real-time?
* Do you use your own technology for malware scanning or rely on third-parties?
* Is your malware scanning engine signature-based or does it use behavioral analysis?
* Is there an additional cost for real-time malware filtering?
* Is there a performance impact for real-time malware filtering?
* How many anonymizing proxies do you catalog daily?
* Does your solution identify anonymizing proxy use in real time?
* Do you analyze the true content of files, or rely on the extension or the MIME-type?
* Do you scan HTTPS-encrypted traffic?
* Can you demonstrate real research expertise in web threats?
* Do you have independent statistics of your proactive web threat detection rates?
* Can I see a demo of the admin console to see how easy it is to use?
* Are there on-board monitors to track software, hardware and traffic health?
* How are issues reported to the administrator? Via email? Via phone call?
* Do you provide real-time uptime monitoring to assure the system is available 24/7?
Conclusion
Every minute of every day, cybercriminals are looking to exploit web traffic for commercial gain, and since web browsing is integral to most businesses' day-to-day activities, the web gateway must be equipped with a security solution that enables business and users to be productive while providing the security essential to ensure a risk-free experience.
Organizations looking to protect against the growing threat of web-based malware need a solution that above all demonstrates its security attributes and combines powerful site and content controls with low-impact, effective administration.
At the same time end-user expectations and requirements for speed, efficiency, and open access to the tools and sites they need must be met. Solutions which fail to meet these demands for security, control, performance, and accessibility will ultimately fail the organization.
About the Author
Article provided by Sophos. Sophos provides full data protection services including: security software, encryption software, antivirus, and malware.
