15 February 2012

Identify a Phishing Message in Five Steps

From IT Business Edge

Spear phishing, a type of email spoof, targets individuals or departments within organizations and attempts to elicit a desired action that could install malware, compromise login names and passwords, and steal data. Use Paul Mah's simple checklist to spot potential phishing messages.

From the network breach at RSA to the theft of intellectual property in Operation Aurora, it is no secret that some of the most visible hacking involves spear phishing. A targeted form of phishing custom-made for a specific organization, a spear phishing email seeks to elicit an action that could result in a Trojan being loaded, or in the unintended leaking of confidential or privileged data.
As Paul Mah has written in the past, defending against spear phishing is a challenging task that mandates some amount of user training. To assist organizations on this front, Paul has come up with a simple checklist to help identify a potential phishing message.

To access Paul's checklist, visit the following URL:

14 February 2012

This February 14 be a Valentine not a Victim

As Valentine’s Day approaches, Better Business Bureau of Southern Arizona warns that Cupid’s arrow may be aimed directly at consumers’ wallets. Those who find themselves awash in love’s emotion should remember that con artists thrive on the fact that emotion can trump logic.

There are three categories of scams that we all should be aware of at this romantic season as well as throughout the year.

Online Dating
Their photo may be attractive and their story may sound compelling but that person you met through an online dating site may turn out to be the very opposite of your soul mate. Photos, profiles and stories can be easily faked on dating sites. One common tactic is to claim to be a successful overseas businessperson with no family.

After what seems like sincere conversation in which many questions are asked of you, the scammer can skillfully employ psychology to say precisely what you want to hear.

Once the ice is broken and you have reached a comfort level, they get to the heart of the matter: they need financial assistance. They may want you to cash a check for them or otherwise help them out of a financial difficulty. It could be travel expenses, medical expenses or some other type of debt. At any rate, it is your money rather than your heart that they are after. MoneyGram, one of the major global money transfer companies, has estimated that romance scams defraud victims of over $10,000 per occurrence. For those so victimized, whatever the amount, a website called romancescams.org can be helpful.

Online Florists
When love is in bloom many rely on the traditional symbol of thoughtfulness, the bouquet, to convey their feelings for that special person. But be aware that online florists are not always reliable. If the flowers your loved one actually receives are inferior to the arrangement you ordered, or are not delivered at all, it can be a wilting experience.

Scammers may send you emails saying that the flowers you ordered cannot be delivered unless you log in to their site and re-enter your credit card information. These emails are sent out in large numbers in the hope of eventually reaching the inbox of someone who really has sent flowers to a sweetheart. They play on consumers' emotions by planting the fear that the bouquet may not reach the intended recipient, who will then feel forgotten on Valentine's Day. If you think the message may be legitimate, go to the florist's website or give them a phone call, using the original site from which you ordered rather than the link in the email.

The best way to assure that flowers reach your beloved just as you ordered them is to rely on a local florist. A website devoted to uncovering florist scammers can be found at floristdetective.com.

E-card Scams
Phishing attempts abound around the e-card industry. A frequently used technique is to email a message saying you have a card waiting to be viewed. You are then directed to a fake website that resembles a popular site like Hallmark or American Greetings.

Once you are there a prompt tells you to download the latest version of Flash Player in order to view the e-card. Click that link and a virus is quickly downloaded and attacks your computer. Instead of having your loved one steal your heart, a scammer has stolen your identity.

Consumers should always exercise care in opening emails, links or attachments from people they do not know. Especially suspicious are unsolicited messages with subject lines such as "Someone just sent you an e-card" or "Send your loved one a Valentines Card today."

Avoid becoming victimized by scammers who rely on the old adage that “love is blind.” Keep a clear head and open eyes this Valentine’s Day. Contact BBB by calling (520)888-5353 with questions or concerns if you think someone is going less for your heart and more for your wallet.

Source Article: http://goo.gl/zaSED

13 February 2012

Hackers Ask 'Will You Be My Valentine?'

by Tony Bradley (PC World (US online))

With Valentine's Day around the corner, cyber criminals are ramping up spam, phishing, and other attacks targeting the lover's holiday.

There are only five days to Valentine's Day. Those of you who are shocked by that revelation are prime targets for Valentine's Day related spam and phishing attacks as hackers hope to catch you with your guard down for this day of romance.

Messages targeting Valentine's Day are expected to quadruple globally in the coming days -- in part because cyber criminals are adept at targeting holidays and current events as bait for attacks. An offer for a dozen roses for $5 might get some traction any time of the year, but with the clock quickly counting down to Valentine's Day it has much higher odds of duping frantic lovers in search of a last minute gift.

A blog post from McAfee warns, "Many consumers look for a little romance on Valentine's Day, whether it is a thoughtful gift, a romantic getaway, or a heartfelt e-card, but if you're looking for these things online, beware."
McAfee points out a number of Valentine's Day themed threats you should be aware of:

Phishing Scams
Attackers send out spam promoting bargains on flowers, romantic dinners, jewelry, or other Valentine's Day gifts. Clicking the offer might take you to a malicious site that compromises a vulnerable PC, or to a site that looks legitimate and asks for your credit card and other personal information to "complete the order".

Malicious eCards
Any holiday that traditionally involves giving and receiving cards is a prime target for cyber criminals. Everyone loves to receive a personalized greeting card, especially if it seems to be from someone who may be romantically interested.
Seriously, though, what are the odds that someone you don't know decided to send you an ecard for Valentine's Day out of the blue? Right.

Mr. (or Mrs.) Wrong
Another scam to watch out for is fake profiles on online dating sites. Cyber criminals create online dating profiles designed to be as attractive as possible to lure unsuspecting love seekers. The idea is to make connections and establish trust as a means to further criminal activity.

McAfee outlines some additional threats to watch out for in its blog post. To steer clear of Valentine's Day cyber threats, follow the basic principles of online common sense. Don't open emails or file attachments, or click on links from people or sources you are not familiar with -- and even if you do know the sender, think twice about whether that person would really send you a Valentine's Day email.

Another basic rule is that if it sounds too good to be true, it probably is. Don't fall for unbelievable last minute Valentine's Day gift ideas no matter how desperate you are for a gift.

Protect your wallet, your identity, and your heart by avoiding Valentine's Day cyber scams. 

Source Article: http://goo.gl/NEVuU

10 February 2012

Free Email Providers Launch DMARC.org To Prevent Phishing Scams

Leading free email providers like Google, Microsoft and Yahoo are teaming up in an effort to prevent “phishing” scams. As WWJ’s Rob Sanford reports, the unprecedented effort was announced this week.

The companies have created a working group – DMARC.org – to promote a standard set of email technologies that they say will lead to more secure email.

According to its website, DMARC, which stands for “Domain-based Message Authentication, Reporting & Conformance,” standardizes how email receivers perform email authentication. This means that senders will experience consistent authentication results for their messages at AOL, Gmail, Hotmail, Yahoo! and any other email receiver implementing DMARC.

With the rise of the social internet and e-commerce, spammers have a tremendous financial incentive to compromise user accounts, enabling theft of passwords, bank accounts, credit cards and more. Email is easy to manipulate and criminals have found spoofing to be a proven way to exploit user trust of well-known brands. Simply inserting the logo of a well-known brand into an email gives it instant legitimacy with many users.
CNET executive editor Molly Wood said phishing is threatening the legitimacy of email.

“I think it’s hard sometimes for these companies to work together. They don’t always think it’s in their best interest to come together, but I think it’s gotten to the point now where phishing scams are so prevalent, that all of these companies are worried that their customers are going to stop trusting their legitimate email,” said Wood.

The arrangement will not stop all spam or phishing, but its backers say it will stop a "significant chunk" of the malicious messages sent.

DMARC helps email senders and receivers work together to better secure emails, protecting users and brands from painfully costly abuse. Find more information at DMARC.org.
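How a receiver actually applies a DMARC record, as an added example (this is not code from DMARC.org or from any of the providers named above). It assumes the receiver has already run its SPF and DKIM checks, approximates the organizational domain by the last two labels instead of consulting the Public Suffix List, and uses the constructed names bigbank.example and onlinesvc.example:

```python
"""Minimal DMARC evaluator.  Added illustration of the mechanism the article
describes; it is not code from DMARC.org or from any of the providers named.
Assumptions: the caller has already computed the SPF and DKIM results (as a
real receiver does before DMARC), and the "organizational domain" is
approximated by the last two labels.  Real receivers use the Public Suffix
List, so co.uk-style domains would need that instead."""


def parse_dmarc_record(txt):
    """Parse a _dmarc TXT record such as 'v=DMARC1; p=reject; adkim=s' into a
    tag -> value dict.  Returns None if it is not a usable DMARC record."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            return None
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    # 'v=DMARC1' and a 'p' policy are required (RFC 7489 section 6.3).
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return None
    tags.setdefault("adkim", "r")  # relaxed DKIM alignment by default
    tags.setdefault("aspf", "r")   # relaxed SPF alignment by default
    return tags


def org_domain(domain):
    """Approximate organizational domain: last two labels (assumption, see above)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain, auth_domain, mode):
    """Identifier alignment: strict ('s') needs an exact match with the
    RFC5322.From domain, relaxed ('r') only the same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def evaluate_dmarc(record, from_domain, spf_result, spf_domain,
                   dkim_result, dkim_domain):
    """Return (outcome, disposition).  outcome is 'pass', 'fail' or
    'no-policy'; disposition is what the domain owner asked receivers to do
    with failing mail ('none', 'quarantine' or 'reject')."""
    policy = parse_dmarc_record(record)
    if policy is None:
        return ("no-policy", "none")
    # DMARC passes if EITHER authenticated identifier aligns with the From domain.
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, policy["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain, policy["adkim"])
    if spf_ok or dkim_ok:
        return ("pass", "none")
    disposition = policy["p"]
    # 'sp' overrides 'p' for subdomains of the domain that published the record.
    if "sp" in policy and from_domain.lower() != org_domain(from_domain):
        disposition = policy["sp"]
    return ("fail", disposition)


if __name__ == "__main__":
    # Constructed example: a message claiming to be from bigbank.example whose
    # SPF check passed only for the spammer's own bounce domain, with no DKIM.
    print(evaluate_dmarc("v=DMARC1; p=reject; rua=mailto:dmarc@bigbank.example",
                         "bigbank.example", "pass", "mailer.onlinesvc.example",
                         "none", None))   # ('fail', 'reject')
```

The "consistent authentication results" the article mentions come from the alignment rule: a message passes only when SPF or DKIM succeeded for a domain that lines up with the visible From domain, which is exactly what a pasted brand logo cannot satisfy. The `rua` tag in the sample record is where the aggregate reports that make up the "Reporting" part of the name are sent.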

Source: http://cbsloc.al/zhdnzo

09 February 2012

I will NEVER ask for your password

There are a lot of bad things on the Internet, and few are worse than phishing scams. But there is a certain class of phishing scam that has earned a special level of disdain and disgust, at least from me. I’m talking about the phishing scams that target Hotmail customers using my name, my picture, and even my signature. Grrrr.

Let me clear something up right off the bat: I will never ask for your password. No one from Hotmail or Microsoft will ever ask for your password. In fact, no legitimate service will ever ask for your password. If you ever get an email asking for any password to any service, you can be sure, without a shadow of a doubt, that the email is a phishing scam. Just junk it. (Or, in Hotmail, mark it as a phishing scam using the “Mark As” menu.)

Phishing scams

Spammers want to send spam. That’s what they do. As I said in my last post, we’ve made it hard for them to send spam with new accounts due to the effectiveness of our account reputation work. So, spammers have turned to hijacking customer accounts in order to send more spam.
Phishing scams are one of the simplest ways that spammers use to gain control of your account. The spammer sends an email that asks for your password, usually with a threat that your account is about to be closed. You reply, providing your password, and, Voila! Your account (and reputation) is hacked.
Spammers do this on all networks and all services – Hotmail, Gmail, Yahoo!, Facebook, AOL – spammers do not discriminate, and no service is immune.

How my picture got out there

Hotmail sends email to our customers fairly regularly to update people on various things, such as the availability of new software or features, or even to remind people about security measures, like creating a strong password or adding your mobile phone number to your account.
About a year ago, we decided that we would make these messages more personal by including my name, my picture, and my signature.
That decision has really come back to haunt me.

A gift to spammers

Almost immediately, the spammers copied that email, including my picture, name and signature, and modified the content so that it said something like “Your account is about to be shut down unless you reply to this email with your account name and password.”
This is a classic example of a phishing scam, and one of the most common ways that accounts get compromised. Here’s an example:
[Image: an example of a phishing scam]
The bottom of that same email looks like this:
[Image: the bottom of the phishing message, showing Dick Craddock's name and picture]
Yep. That’s me, all right. But that email is definitely not from me.

Even smart people fall for it

Phishing messages can look very real and convincing, so even smart, tech-savvy people fall for them. I get asked about this quite a bit.
Here’s a conversation that took place on my public Facebook page. The first person asks, “I got this message, is it really you?” In response, our Development Manager, Eliot, displayed both his penchant for pithiness and his mastery of high school French:
[Image: Facebook messages]
Phishing scammers know that they’ll get better response rates by using my pictures and my signature to produce email messages that look legitimate. They even translate their scams into multiple languages to broaden their reach.

The telltale signs of a phishing message

As I’ve said, any email that asks for your password is a phishing scam and shouldn’t be trusted. You don’t need to look any further to know the message is a fake. Nonetheless, it’s interesting to see how “creative” the scammers can get. Here are some tactics scammers use to get people to provide their account info:
They copy Hotmail’s marketing images. These phishing messages usually contain the latest image from Hotmail’s own marketing campaigns, like this one:
[Image: Hotmail header]
They provide a bogus reason for needing your password. The messages usually contain an introduction that offers a false explanation about why they need your password. Some of my favorites include:
  • “We are currently upgrading our data base and e-mail account center.”
  • “We are deleting all unused accounts to create more space for new accounts.”
  • “We encountered a problem with our database and a lot of records were lost, we are restoring our database to enable us serve you better.”
  • “We are having too many congested email due to the anonymous registration of Hotmail Msn-Live Accounts in our database system.”
Rest assured: NONE of these will EVER be a legitimate reason to ask for your password.
They design a subject line to scare you. The subject lines call for your immediate attention and are often intended to be scary. Here are a few common examples:
  • Some variation of “Account Alert!!!”, or “Account upgrade alert,” or “Email account alert.”
  • Some variation of “Account renewal process,” or “Verify your account details.”
  • Some variation of “Email Warning!!!”, or “Verify your email now to avoid being closed!!!!!”
(Scammers really like to use exclamation points!!!! A lot!!!)
They send the email from a bad “From” address. The “From” address in the email is often a dead giveaway. At a glance, it might look like you’ve gotten mail from the Hotmail Team. But if you look at the actual email address, it’s almost always something fishy (phishy?). Typically, scammers just use the name of a Hotmail customer account.

Get educated, educate others

In a perfect world, no one would ever give out their password, and the phishing scams would be ineffective, and would just stop. You’ve already taken a step to helping us get there by reading this post, and now you can help pay it forward by educating others.

Any email that asks for your password is a phishing scam. If anyone ever asks you, “Hey, is this email legit?” just say, “If it asks you for your password, then it is absolutely, definitely, without question a scam! Report it as junk!”

As a final note, some of you might be wondering, Why can’t Hotmail detect these scams? We can detect these scams and do detect many of them. But it’s just a numbers game, and spammers are capable of producing a huge volume of phishing scams, with enough variation in the text and images to fool our filters a small percentage of the time. In addition, it’s important for us to keep the false positives low – meaning that we don’t want to mistakenly identify a legitimate email sent from a good user as spam.

So, until we get to that perfect world without spammers, we’ll be here building better and better systems to battle the bad guys. Thanks for reading, and thanks for using Hotmail.

08 February 2012

Sir Spamalot and Lady Phishing

I am a millionaire. Actually, I’m a multi-millionaire. Or rather I could be if I helped the honorable Mr. Nagumba get his money out of Nigeria, or helped Barbara get her money out of Brazil, or picked up my unclaimed lottery winnings, or helped another half dozen people in the last month. 

I have won $1500 several times a day for the last few months. I have won a new car. I have important packages waiting to be picked up from FedEx and UPS. I am being audited by the IRS and they sent me an attachment that included an executable notice with instructions. I won a 15 day cruise if I qualified – they only needed a credit card number to confirm my identity and that I am over 18. I can get my teeth whitened or Lasik eye surgery for 80% off. I have qualified for a special deal on a new BMW 335 with experimental pricing, and can get into a brand new one for under $15,000. Two of my credit cards have been compromised so I needed to log onto the included website to verify and change my account information. As a matter of fact, another credit card that I don’t even have was also compromised, and I needed to log on there too. One of my bank accounts appears to have some out-of-date information associated with it. I can get really cheap Viagra (sic) online, Heather thinks I’m hot, and there seem to be way too many people interested in my manhood.

Analyzing Spam
My personal spam folder is pretty thin. I try to trim spam aggressively. Just in the last 24 hours I have received 42 emails. Three from family, 21 advertisements from retailers (it’s beyond me why I need a daily reminder from a retailer telling me that they are still open and selling the same stuff they’ve been selling for the last five years), and 18 spam. Now, I have no idea how much spam my ISP trims before it even gets to me, but I assume it is a lot. A quick search shows unofficial estimates that spam is somewhere between 60 and 97% of all email sent. By the best accounts I can find, that means around 40 billion spam emails every day (give or take a few billion). The numbers are down slightly from 2010 partially because three botnets (Rustock, Lethic, and Xarvester) have been somewhat throttled. The closure of spam specialist Spamit helped as well. But, as we all know, spam has not gone away.

Unfortunately, spam means money. Spam brings with it a variety of issues, but it also delivers chunks of money and other opportunities to those who generate it. Pay-per-click sites still exist, and if you send 100 million spam messages and get 1% of recipients to click through – ka-ching! Say you send 50 million spam messages that contain a link for a free virus scan, and you can get .5% of those recipients to follow through with a fake purchase for ONLY $29.99 – that’s $7.5million – ka-ching! Credit card information is not worth what it used to be, but if you can send 100 million fake “change your password” notices to BigBlueBank customers, and 1% of them go through your fake link and update their password – ka-ching! And even if they can’t get something from you, maybe they can compromise some low percentage of recipients with a Trojan or sniffer. The numbers add up quickly because of volume.

But spam and phishing emails are not always obvious, are they? Well, some of them are. If the email subject line includes things like “Cialis” or “Replica Handbags” I think the chances that it is spam are probably around 100%. But do we always know? I included an example of a recent phishing email I received (names have been changed). It looks pretty good at a glance, but there is a lot wrong with it if you pay attention.

Let’s look through it in detail.
[Image: spam example]
Let’s work on the premise that the logo and all the colors are correct, and that at a glance, this looks authentic – it appears to be an email from BigBlueBank, where you have an account registered with online access. What is wrong with the email?

1. BigBlueBank Online may be the correct name, but the chances that the return email address is correct are low (read “low”, think “nonexistent”). Notice that it is @onlinesvc.com. If this were really from BigBlueBank, chances are pretty good that it would be @BigBlueBank.com. If the return address just shows as BigBlueBank Online, hold your cursor over the name. The actual associated email address should show in a mouse-over or in the lower left corner of your browser.

2. “To: undisclosed-recipients” - If this were genuine, it would actually be addressed to your specific email address, and NOT show as a bulk email with hidden addressees. Check what your bank emails you now – they are all addressed to your real email address.

3. “UPDATE YOUR INFORMATION!” – This pushes an immediate sense of urgency. Not necessarily a blazing orange flag, but it should raise your skepticism when you get an email so obviously trying to raise your personal sense of alarm.

4. “This message is a critical one…” This was obviously written by someone whose primary language is not English. Normal English phrasing would be “This is a critical message…”. If BigBlueBank is based in South Carolina this should get your attention. If they are based in Germany, it probably still should, but not quite as much.

5. “It has come to our attentions,” “This require” - The extra “s” on attention and the missing “s” on require are perfect examples of disagreement in number, and of plain errors. These are strong indicators that the writer is not a native English speaker, and that whoever sent the email did not spend enough time proofreading and editing the content. If BigBlueBank is a top 10 bank in the Americas, what are the chances that they would not have a proofreader check everything that went out? (Hint: the answer is 0%.)
6. “Your Account information” and “The Account update…” – What is with the random capitalization of “Account”? Errors like this should be blazing a hole in your brain by now.

7. “Is also a new BigBlueBank” – This is just an awkward sentence. Read the whole sentence from the email. Perhaps “the account update also includes” or something similar, but again, it is an error in grammatical construction that should tell you this is not a professional email.

8. “Services security statement…” – Again with the random capitalization of “Services”? Brain. Hole. Burning.

9. “Goes according” – Perhaps if it read “is in accordance” this would not raise alarms, but the misuse of the “ing” is a common error for a non-natural English speaker.

10. “On our terms of service” – “in” our terms of service would be appropriate for an English speaker, and even more appropriate in a professionally prepared communication.

11. 5:55 AM 20/01/2012 – This is actually the first thing I saw in the email that made me say “fake”. The date is shown as day/month/year, which is the predominant European and international convention. Standard in the United States would be 01/20/2012. I know the other way sorts better, but it is aberrant construction in the U.S. If you are not from the U.S., this probably does not bother you as much as it did me.

12. “May result on a suspension of your account” – “on” is again wrong. A natural English speaker would say “in”. This also implies a threat designed to increase your sense of urgency and decrease your vigilance.
13. BigBlueBank Upgrade Home – Look at that. How convenient of them to include a link back to Bigbluebank for you. Just hold your mouse over the hyperlink (don’t bother; it won’t work on the example, since the hyperlink has been removed). By now you realize the chances that the link actually has anything to do with bigbluebank are exactly 0%. In this email, it actually linked to something like the following – the fact that bigbluebank is not the domain should be an obvious clue: http//generalupdates.gh.ost.de/bigbluebank/account_update/index.php.

14. 1-888-XXX-XXXX – Very nice to have an included phone number. It really does help make the whole thing look better. Especially if you dial the number and someone in a call center answers it “Big Blue Bank – Customer Service, how can I help you?” First of all, check the provided number against the customer service number on your bank statements or against the number provided on Bigbluebank’s real website. It may be close but it will not match. Your second clue is that someone actually answered the phone and you did not have to go through a Voice Response system – when was the last time that happened?

15. “Will be helping” – there is that “ing” again. “This will help us” would not raise alarm, but the improper English should have your spinal column on fire by now. You should almost expect it to say “will to be helping us” like some alien speaking through an electronic translator.

If in doubt, bring up the genuine bigbluebank.com website by typing it into your browser yourself (completely ignoring their link, if you please), and check for information there. Locate their contact information to email, or call them to ask if they sent the information. Chances are that bigbluebank has its own security group that is interested in abuse and phishing emails. They may want you to forward a copy of the email to them for their own review if you feel like going that far.

Perhaps this was not the best example because this email was chock full o’ clues. But these are exactly the types of indicators you will see in many phishing emails. The fact that you even got this email should immediately raise your level of awareness, so everything else should follow.
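The mechanical clues above (items 1, 2, 3 and 13, together with the advice in the Hotmail post earlier on this page about looking at the real From address) can be checked automatically. The following is an added example, not code from either post: it parses a raw message with Python's email module and reports the return-address domain, hidden recipients, an alarming subject line, and every link whose host is outside the bank's domain. The sample message is constructed, with bigbluebank.example and onlinesvc.example standing in for the domains in the post, and the check assumes that any host under the bank's registrable domain is legitimate:

```python
"""Mechanical version of the checks worked through above (return address,
hidden recipients, alarming subject, links that leave the bank's domain).
Added example, not code from the post; the message below is constructed and
uses bigbluebank.example and onlinesvc.example as stand-ins for the domains in
the post.  Assumption: the 'expected domain' is the bank's registrable domain
and any host under it counts as legitimate."""
import email
import email.policy
import re
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit


class _LinkCollector(HTMLParser):
    """Collect (href, anchor text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _under_domain(host, domain):
    host, domain = host.lower(), domain.lower()
    return host == domain or host.endswith("." + domain)


URGENT = re.compile(r"\b(urgent|alert|verify|suspen\w+|update your)\b", re.I)


def phishing_indicators(raw_message, expected_domain):
    """Return a list of human-readable indicators found in the message."""
    msg = email.message_from_string(raw_message, policy=email.policy.default)
    findings = []

    # 1. Does the From address actually belong to the claimed sender?
    _name, addr = parseaddr(msg.get("From", ""))
    from_host = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    if not _under_domain(from_host, expected_domain):
        findings.append(f"From address {addr!r} is not under {expected_domain}")

    # 2. Bulk mail with hidden recipients ("undisclosed-recipients") or no real To.
    to = str(msg.get("To", ""))
    if "@" not in to or "undisclosed" in to.lower():
        findings.append(f"recipient hidden or missing (To: {to!r})")

    # 3. Subject lines built to create urgency.
    subject = str(msg.get("Subject", ""))
    if "!!" in subject or URGENT.search(subject):
        findings.append(f"alarming subject: {subject!r}")

    # 4. Every link whose host is outside the expected domain.
    body = msg.get_body(preferencelist=("html", "plain"))
    collector = _LinkCollector()
    collector.feed(body.get_content() if body is not None else "")
    for href, text in collector.links:
        host = urlsplit(href).hostname or ""
        if not _under_domain(host, expected_domain):
            findings.append(f"link {text!r} goes to {host!r}, not {expected_domain}")
    return findings


# Constructed sample modelled on the email dissected above.
SAMPLE = "\n".join([
    "From: BigBlueBank Online <alerts@onlinesvc.example>",
    "To: undisclosed-recipients:;",
    "Subject: UPDATE YOUR INFORMATION!",
    "Content-Type: text/html; charset=utf-8",
    "",
    "<html><body><p>This message is a critical one. Your Account information",
    "must be updated or your account may be suspended.</p>",
    '<p><a href="http://bigbluebank.account-update.example/index.php">',
    "BigBlueBank Upgrade Home</a></p>",
    '<p><a href="http://www.bigbluebank.example/contact">Contact us</a></p>',
    "</body></html>",
])

if __name__ == "__main__":
    for line in phishing_indicators(SAMPLE, "bigbluebank.example"):
        print("-", line)
```

Run it and four indicators print; the Contact link under www.bigbluebank.example is correctly left alone. The grammar clues (items 4 to 12) are deliberately not automated: they are easy for a reader and hard to encode without false positives, which is the same trade-off the Hotmail post describes for its own filters.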

07 February 2012

Social Engineering Yourself A BotNet

Not too long ago the announcement of the Stop Online Piracy Act (SOPA) basically caused the Internet to blow up with people voting, supporting, and showing how much they disliked this proposed bill. The way the “Internet Community” came together is a lesson in mass influence in itself, but we are going to focus on a different aspect of this drama.

The hacktivist group Anonymous reared its head in this debate to show its disdain for any law that would censor or prohibit the use of the Internet, and it did so using a form of social engineering.
One of the less influence-based forms of social engineering involves drawing people to a website that is either loaded with malicious software/code or has downloads that are dangerous or infected. Apparently, Anonymous used this form of social engineering to create, in essence, one of the world’s largest botnets, full of unsuspecting participants.

Anonymous used its legions of faithful supporters to spread shortened links that drew interested parties to certain pages. Since a user can’t possibly know what to expect when they load a URL, Anonymous capitalized on this to create its botnet.

As users went to the URLs on the list, their browsers were hijacked and code was executed. Once running, it caused the user’s browser to make a massive number of requests to the target websites (in this case the DOJ and FBI). When hundreds, thousands or even more people hit these malicious URLs, so much traffic is sent that it DDoSes the sites in question.

What are the implications of this type of attack? This form of social engineering is pretty malicious. Even simple curiosity can make the site visitor an unwilling participant in an act that could be considered terrorism. This, of course, is a very serious matter as traffic from home or work users becomes inundated with this malicious traffic.

In the age of shortened URLs, this kind of story makes it ever clearer that the user needs to take responsibility before clicking a link. These types of attacks are how people’s computers get hacked and how accounts are compromised. Now, it’s also how massive botnets are created.
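One way to act on that advice before clicking, as an added example rather than anything from the post: resolve a shortened link hop by hop with HEAD requests and never render the destination. `head_without_redirects()` is a real urllib request; the demo table, with the constructed names sho.rt and evil.example, stands in for the network so the block runs offline. Note that the attack page described above did its work in the page body, so previewing the redirect chain shows where a link lands but not what the landing page does; treat an unexpected final host as reason enough not to visit it.

```python
"""Preview where a shortened link leads without rendering the destination.
Added example, not part of the post.  head_without_redirects() does real
HEAD requests with urllib; expand() follows the Location chain itself so each
hop can be inspected, and stops on loops, on too many hops, and on any
non-http(s) scheme.  The 'sho.rt' and 'evil.example' names are constructed."""
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlsplit

REDIRECT_CODES = (301, 302, 303, 307, 308)


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Make urllib surface 3xx responses instead of silently following them."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def head_without_redirects(url, timeout=10):
    """HEAD the URL once; return (status, Location header or None)."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, method="HEAD")
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:   # 3xx (unfollowed) and 4xx/5xx land here
        return err.code, err.headers.get("Location")


def expand(url, fetch=head_without_redirects, max_hops=10):
    """Return (chain, final).  chain lists every URL visited in order; final is
    the last HTTP status or one of 'refused-scheme', 'loop', 'too-many-hops'."""
    chain = [url]
    for _ in range(max_hops):
        current = chain[-1]
        if urlsplit(current).scheme.lower() not in ("http", "https"):
            return chain, "refused-scheme"      # e.g. javascript: or data: targets
        status, location = fetch(current)
        if status not in REDIRECT_CODES or not location:
            return chain, status
        nxt = urljoin(current, location)        # Location may be relative
        if nxt in chain:
            return chain + [nxt], "loop"
        chain.append(nxt)
    return chain, "too-many-hops"


if __name__ == "__main__":
    # Offline demo with a constructed redirect table instead of the network.
    TABLE = {
        "http://sho.rt/abc": (301, "http://evil.example/page"),
        "http://evil.example/page": (302, "/login"),
        "http://evil.example/login": (200, None),
    }
    print(expand("http://sho.rt/abc", fetch=lambda u: TABLE.get(u, (404, None))))
```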

06 February 2012

Be on the Lookout for Phishing Emails

Posted on: February 2, 2012 in Industry Issues by Chris Williams

If you keep up with tech news, you might have seen the story recently about a new technology standard developed by Microsoft, Yahoo, Google, and Facebook to cut down on spam emails and phishing attempts. It’s an exciting new technology that will help protect users by increasing checks and reporting on sent emails.

However, even with stricter standards for spam filtering, the occasional phishing email might still find its way to your inbox. Phishing emails are standard emails from people trying to convince you to give them information like passwords, usernames, credit card numbers, social security numbers, or other secure data. Every email user needs to know how to spot phishing emails so they can be deleted.

Here are five easy things to look for that you can use to spot phishing emails before you respond with sensitive information.

  • Emails from companies or people asking for information they should already have, such as account names and passwords – a company will never ask you for your password.
  • Emails asking for personal identity information – your date of birth, bank account information, social security number, or other personal information. There’s no reason to ever give personal information via email.
  • Emails with weird formatting, spelling mistakes, or bad grammar – many phishing attempts come from overseas, so they often contain mistakes a native English speaker wouldn’t make. Others are hurriedly prepared, so they may contain mistakes as well.
  • Links or attachments you didn’t request – never click on a link in an email, or open an attachment, if you didn’t ask for it to be sent to you.
  • Unknown senders or strange domain names – if the domain name of the sender looks strange, or the sender is unknown to you, learn more about the sender or company before you take action. If it still looks strange, delete or report the email.

Here’s an example of a phishing email:
[Image: example phishing email]
For more information on spotting a phishing email, check Microsoft’s support page. If you’re a Google user and receive phishing emails, you can learn how to report them to Google here.

Remember the first step is staying vigilant. Don’t provide personal or sensitive information through email if you can avoid it, especially to people you don’t know.


03 February 2012

9 Reasons to Enforce Web Security within the Organization

Considering the wide range of malicious content threatening your users, strong web security within the organization is a crucial part of any defense-in-depth strategy. Web security doesn’t have to mean blocking your users’ access to the Internet, but it does mean protecting them from the threats they encounter every day. Here is a rundown of nine of those threats to help you understand the importance of strong web security. Some are threats to your users; others are threats to their productivity. All are things web security can help you protect against.

1.Compromised sites hosting malware
Every day you can read about sites that have been compromised by attackers. Hacked sites hosting malware are a common way to spread the damage to hundreds or thousands of others very quickly. Strong web security can protect your users by blocking access to compromised sites, and by scanning any downloads for malware.

2. Cross-site scripting attacks
Cross-site scripting can steal credentials, direct users to sites specifically hosting malware, and worse. Web security can detect when an XSS is attempted and protect users from the effects.

It’s common for people to register domains that are either misspelled, or simple one-offs from other sites to try to get traffic from users’ typos. Sometimes these sites simply have aggressive sales content; other times they are set up to look like the real site to fool users. Either way, web security can prevent this all too common mistake from doing damage.

4. Phishing sites
Phishing emails almost always include links to sites, where the real damage can be done. Web security can block access to these phishing sites.

5. Adult content
The last thing you need is an HR issue to deal with because someone clicked the wrong link in some search results. Web security can enforce the acceptable use policy, preventing both the intentional and accidental violations from occurring.

6. Controversial content
Adult content is not the only risk; political and religious sites may not be appropriate for users to access while at work and web security can ensure that Internet access is business appropriate.

7. Time sinks
If you have ever surfed the web, you have probably experienced the time loss that comes from a planned 30 second check-in that becomes a 30 minute catch up with what else is going on. “Just one more click…” can cost your company hours of lost productivity. Web security doesn’t have to block all personal Internet access; it can permit that within reasonable time limits.

8. Bandwidth hogs
One Internet audio stream may seem like it uses an insignificant amount of bandwidth, but with everyone streaming music, your pipe can quickly become clogged. Web security can monitor and identify the major bandwidth users, or block access to streaming media completely to save that bandwidth for important things, like customer orders.

9. Copyright violations
If a user downloads a pirated movie from your network, you could face liability. Web security can block access to these download sites, and block torrents and peer-to-peer sharing, so you don’t have to worry about cease-and-desist (C&D) letters or lawsuits.

With strong web security protection technology in place, you protect your users, your infrastructure, your data and, ultimately, your company. Look at web security as a critical component of your information security strategy.

This post was provided by Casper Manes on behalf of GFI Software Ltd.

02 February 2012

User error is the biggest threat on the Internet

Sophos unveiled a detailed assessment of the threat landscape - from hacktivism and online threats to mobile malware, cloud computing and social network security, as well as IT security trends for this coming year.

Year in review: Under attack

2011 was characterized by a rise in cybercrime. The availability of commercial tools designed by and for cybercriminals made mass generation of new malicious code campaigns and exploits trivial and scalable. The net result was significant growth in the volume of malware and infections.

Cybercriminals also diversified their targets to include new platforms, as business use of mobile devices accelerated. Politically motivated hacktivist groups took the media spotlight, even as the more common threats to cyber security grew.

Hype over hacktivism

The emergence of LulzSec and Anonymous marked a shift from hacking for financial gain to hacking as a form of protest. Hacktivists sowed chaos by leaking documents and attacking websites of high-profile organizations and even defense contractors. LulzSec dominated headlines in the first half of the year with attacks on Sony, PBS, the U.S. Senate, the CIA, FBI affiliate InfraGard and others, and then disbanded after 50 days.

Risky business

Increasingly, corporate users weren’t just at home or at work, but somewhere else on the “everywhere network.” And the consumerization of IT, sometimes called “bring your own device” or BYOD, became one of the newer causes of data vulnerability. Employees accessed sensitive corporate information from their home computers, smartphones and tablets. Moreover, corporate-issued mobile devices increased risk, as did the rise of cloud services and the use of social media.

According to the Sophos online poll, which asked users if their company allows personal laptops, desktops or phones for work, nearly 50 percent of respondents said yes. Another 10 percent said their company doesn’t allow personal devices for work but wished it did.

Changing web threats and drive-by downloads

Cybercriminals constantly launched attacks designed to penetrate digital defenses and steal sensitive data. Almost no online portal proved immune from threat or harm. SophosLabs identifies an average of 30,000 newly-infected web pages each day. More than 80 percent of these web pages are on innocent web servers, which have been hacked by cybercriminals to make them part of the problem.

Additionally, 85 percent of all malware, including viruses, worms, spyware, adware and Trojans, comes from the web, according to the Ponemon Institute. Today, drive-by downloads have become the top web threat, and in 2011 one crimeware kit, known as “Blackhole,” rose to number one on that list.

In the Sophos online poll, users were asked about the prevalence of malware compared to 2010; 67 percent of respondents felt it was on the rise.

The emergence of Mac malware

Microsoft Windows may be the most attacked OS, but the primary vectors for hacking Windows have been through PDF or Flash. Despite Microsoft’s regular updates to patch Windows OS vulnerabilities, the content delivery systems remained the largest vulnerability on any OS. In 2011, the emergence of malware for the Mac upstaged Windows malware. There's no doubt that the Windows malware problem is much larger than the Mac threat, but the events of 2011 show Mac users that the malware threat is genuine.

Top trends

There are many factors that will impact the IT security landscape this year and into the future. These include new attacks using social media platforms and integrated apps, more targeted attacks on non-Windows platforms, and mobile payment technologies under threat, among others which are highlighted within the report.

“As cybercriminals expand their focus, organizations are challenged to keep their security capabilities from backsliding as they adopt new technologies,” said Mark Harris, vice president of SophosLabs, Sophos. “And as we continue to access information in different ways, from different devices in different locations, security tools must be able to ‘protect everywhere’ - from desktops to mobile and smart devices and the cloud. But more importantly and oft-disregarded, cybercriminals will continue to stalk the easiest prey - security basics like patching and password management will remain a significant challenge.”

Source: http://bit.ly/yjrHYu

01 February 2012

Twitter users beware: Homeland Security isn’t laughing

Planning to make a joke on Twitter about bombing something? You might want to reconsider: according to a report from Britain, two British tourists were detained and then denied entry into the U.S. recently after they joked about destroying America and digging up Marilyn Monroe. The fact that the Department of Homeland Security and other authorities — including the FBI — are monitoring social media like Twitter and Facebook isn’t that surprising. But the fact that Homeland Security is willing to detain people based on what is clearly a harmless joke raises questions about what the impact of all that monitoring will be.

Leigh Van Bryan, a 26-year-old bar manager from Coventry, told The Sun that he and friend Emily Bunting were stopped by border guards when they arrived at Los Angeles International Airport and questioned for five hours about messages that Van Bryan had posted on Twitter saying he planned to “destroy America.” After the questioning, during which the Irish traveller said that Homeland Security threatened the two, they were put in a van and taken to a holding cell overnight, along with some illegal immigrants. After being held overnight, they said they were forced to take a plane back to England.

According to a report in The Daily Mail, the Homeland Security officers gave Van Bryan a document that detailed why he was refused admission to the United States, and it reads like a bad joke itself, saying:

He had posted on his Tweeter website account that he was coming to the United States to dig up the grave of Marilyn Monroe… Also on his tweeter account Mr Bryan posted that he was coming to destroy America.

Van Bryan told the newspaper that he tried to explain to Homeland Security officials that the term “destroy” was British slang referring to a party, and that his comments about “digging up Marilyn Monroe” were an attempt at humor, but that the officers didn’t listen. The authorities even searched their luggage looking for shovels and other tools, he said.

Monitoring social media makes sense — within reason

This isn’t the first time that someone has gotten in trouble for making a joke on Twitter: a British businessman named Paul Chambers was arrested under the Terrorism Act and questioned for more than seven hours in 2010 after making a joke on Twitter about blowing up an airport, a joke he said he made because he was frustrated about the airport being closed due to bad weather. He was tried and found guilty and fined a thousand pounds, and eventually lost his job as a result of the publicity.

The fact that Homeland Security is monitoring social networks like Twitter and Facebook for certain keywords isn’t that surprising: the department said during a security review earlier this year that it has been monitoring those networks and a list of blogs and other sources (including WikiLeaks) for information about potential security hazards and what it called “situational awareness.” The Federal Bureau of Investigation also recently revealed that it is trying to develop a service that can monitor social-media sources and automatically create alerts based on the information it finds there.

To me, it makes perfect sense for security officials to be monitoring social networks and even blogs. This is all public information that could contain useful signals about real terrorism or threats to national security of some kind, and it should obviously be part of the normal intelligence process. But doing this properly also requires some sense of proportion about what constitutes a real threat and what is clearly a joke. Did Homeland Security really think that a 26-year-old bar manager was a serious threat?

We all know that we are likely being monitored in even more ways now than we have ever been, whether it’s by security cameras or algorithms that comb through tweets and Facebook posts. But that’s not the scary part — the scary part is what can happen when that information gets misinterpreted and it escalates into a major crisis for no reason.


Source: http://goo.gl/qY8CI

5 reasons to enforce email monitoring

Managing storage continues to be one of the most significant challenges for email management, but the right tools can change this from a daily headache to an easy win. Email monitoring gives administrators those tools; providing detailed information on how email is being used, both internally and externally. Here’s a list of the top five ways email monitoring will empower you to optimize your email management.

1. Identify heavy users

Knowing who the heaviest users are can help you plan storage, reallocate mailboxes amongst databases to streamline backups, and also learn about who is emailing whom, both within and outside the company. Knowing your communications channels can help you better understand the business and the needs of your customers while helping you with email management. Email management tools can provide you with detailed reports on who sends and/or receives the most email, and who they are communicating with.

2. Manage those attachments

A single Word document can take up more space than a hundred plain text emails. And how many different versions of a project plan are floating around inside your mailstores because each revision gets mailed out to everyone on the project team? Email is a convenient but inefficient file server, and most attachments should really be stored on SharePoint or a network drive. Moving file transfers to the proper resource will make email management a much easier task. Email monitoring software allows you to receive reports on total space used by attachments, the types of attachments, and real space wasters like duplicates.

3. Find policy violations

When it comes to attachments, non-work related attachments can also chew up huge amounts of storage. Finding the MP3s and AVIs, and reminding users of the company policy can free up lots of disk space rapidly. While you are at it, using email monitoring will enable you to make sure no one is forwarding all their company email to their personal account, or worse, the competition. Good email management includes safeguarding the company’s assets.

4. Storage

Of course, older emails can take up a ton of storage space, and users won’t delete anything unless you stand next to them and press the keys for them. An email monitoring solution can help you to understand how much better it would be if all that email was moved to storage managed by an email archiving solution. Using easy-to-set-up rules, your email storage management becomes an easy task, as messages are moved to the archive automatically. Your users will have no more run-ins with quotas, and no more need for PST files.

5. Retention

Sometimes, email management means knowing when to say goodbye to those older emails. If your company has a document retention policy, it probably defines not only how long to save certain information, but when it needs to be destroyed. An email archiving solution that offers email monitoring features can automatically age out and purge email that exceeds the defined retention policy, automating the housekeeping that you never have time to get to yourself.

As you can see, the winning combination of email archiving and email monitoring makes email management a much easier task, providing in-depth information about how your users communicate, and supports the company’s document retention and other policies. With these tools you can take your Exchange infrastructure to the next level, providing better service with lower storage costs.

This post was provided by Christina Goggi on behalf of GFI Software Ltd.