Apr 1

There has been a lot of buzz lately about the Conficker worm that has been circulating and has now infected nearly 12 million Windows computers worldwide. But not all the news regarding the Conficker worm is doom and gloom. Experts in the field have discovered a security flaw in the virus that will allow security administrators to isolate infected computers.

When the Conficker worm infects a computer, it applies its own version of the Microsoft patch that was released last October that fixes this vulnerability so that when the computer is scanned for patches, the vulnerability goes undetected. However, security researcher Dan Kaminsky said a research group found that it was far easier to distinguish a computer patched with the Conficker worm from a computer patched with Microsoft’s patch due to a flaw in the Conficker code.

From this, they have been able to create scanning tools that can distinguish infected computers from clean ones based on the Conficker flaw they found.

The problem with this type of resolution though is it could possibly give some criminals an opening into the botnet to create new worms that will allow them to take control of sections of the botnet.

Such an “anti-worm” might well be more destructive than the Conficker worm itself, Kaminsky said. “You would have to build something that is as virulent as the current worm, and be willing to become the kind of monster you’re trying to fight,” Kaminsky said. “No one can play counter-worm very well.”

If one good thing has come out of the Conficker flaw, it is that it highlights weaknesses found in almost all third-party security patches. Usually the security industry releases separate security patches and scanners for a particular virus or worm to provide protection until a complete update can be released. But those updates are generally produced by people who do not have access to the source code, so there is no 100% guarantee that the patch succeeds. The Conficker flaw has shown that systems really can’t be considered purged until they have had a full cleaning with updated scanning software built from the source code.

Mar 25

If you work with computers, then chances are you’ve heard of or had to deal with the malware programs called Antivirus2009 and Antivirus360. This rogue AV software has been tricking users into believing they have viruses on their computers and claiming that the rogue AV software can remove the viruses for them. But, the software is not a real AV program. Instead it installs its own malware and trojan viruses on the computer and never touches any viruses that may have been on the computer to begin with.

Brian Krebs of the Washington Post reported a week ago about an affiliate program called Traffic Converter. This affiliate program pays people who help distribute the rogue AV software. This is part of the reason why this program has been able to spread so rampantly. Many of these affiliates have been making tens of thousands of dollars a month scamming people who pay for this rogue antivirus software.

Both Mastercard and VISA made actual onsite visits to the merchant company after the Washington Post report ran. Since then, the affiliate accounts have been frozen, and messages on the Traffic Converter website have said as much.

It is very rare to see a case where two credit giants come together to help shut down a company that distributes rogue antivirus software. It is good to see. But it also serves as a reminder that there are many more affiliate programs out there with payouts just as high. Keep your computer safe by avoiding the installation of these rogue AV programs. If a website says that it scanned your computer and found viruses, it is probably a fake, and you should never install software unless you are absolutely positive of its origin.

Aug 14

On Google’s enterprise blog on Tuesday, Google said it is going to release a report stating that it has seen more spam virus messages in the month of July than in any other month. At one point the number reached more than 10 million infectious messages in a single day, on July 24th.

That number is 6 to 7 times what is considered normal. This means spam viruses are now finding ways to bypass the majority of spam filters. Not only that, but spam viruses are now taking a new form. Rather than targeting software vulnerabilities to compromise a system, they are simply utilizing a user’s curiosity. Subject lines of false or wild news stories draw a user in and get them to click on a link that will take them to a website containing malware.

With so many spam viruses prevalent today, it is important to tell users to use their common sense when reading emails. If they don’t know where an email came from, or the email’s subject is a news headline that sounds ridiculous, then the email is probably a spam virus.

Aug 13

More and more companies today are starting to virtualize their server farms. The main drivers are easier deployments, saved rack space, better utilization of existing servers, and lower costs. IT engineers see all the benefits of virtualization, but often forget to look at some of the downsides and rush their virtualization infrastructure from testing to production far too quickly.

There have been a lot of technological leaps in the virtualization realm in recent years. There is one aspect of virtualization, however, that still has some catching up to do. Security application virtualization is something that IT engineers are not fully thinking through during the planning phase, and deployments often go through without having their security application software reviewed. While virtualization will help save on hardware costs in the long run, it can often be costly in the short term if security application virtualization is done correctly.

Security applications need to be installed on each virtual machine. This means that the more VMs you have on a physical server, the more security application licenses and installations you will need. This cost is often overlooked, or the security application is simply not installed on each VM, leaving several virtual servers unsecured. Not only is the monetary cost overlooked, but so is the cost in processing power that you are asking of each physical server when you multiply the security application requirements across the board.

Hopefully there will be some strides made in this realm in the next few years. Security application software developers are working on ways to virtualize their software in the same way that operating systems are virtualized. This will hopefully not only lower the monetary cost of licensing, but also make for more secure virtualization farms. But don’t expect security software vendors to be quick to release virtualized applications when they are making a lot more money on the separate agent licenses needed today. In the meantime, secure your VMs with your security applications properly!

Aug 12

Network security is an evolving animal that changes every year. Just as your virus protection changes its signature database, your company needs to change its endpoint security to maintain quality security control throughout your network. Hackers are modifying their approach to attacks constantly, and if you don’t change how your network filters out these attacks, then you will lose the war.

Managing endpoint security and control on your network is a key factor in your overall security. Today endpoint security requires a multi-layer approach. A study done by the European Network and Information Security Industry showed that more than half of all exploits come in the form of browser hijacks and vulnerabilities. Attacks today are also becoming much more blended, which means they take advantage of multiple protocols and mediums to accomplish the task. Attacks like these require that all points in your network are covered; endpoint security of the past is no longer effective enough.

The best way to combat blended attacks today is with a blended or multi-layer endpoint security solution. Intrusion prevention systems are a must. They are not just a solution for enterprise business, but also for small and medium sized business, if not even more so. Today small businesses are becoming a large target for attackers. This is because many small businesses process credit card information today, but lack the budget for a quality endpoint security and control infrastructure. This makes them an easy target for attackers.

Your endpoint security and control infrastructure today contains several features that help protect your network. They typically involve several of the following forms of protection: antimalware, desktop firewall, hardware gateway firewall, intrusion prevention and detection, device control, application monitoring, and network-wide event monitoring. All these facets are usually monitored and controlled together to provide a comprehensive endpoint security solution. Because each facet can now be broken down into a separate product in and of itself, it allows for scalability across all business sizes.

Aug 6

Email is a part of everyday life in the business world. Even small companies will see thousands of emails pass through their servers each day. This means there is plenty of opportunity for attacks against your mail server. So here are 5 good tips to help keep your email secure.

1) Change your SMTP banner: Most mail servers accept connections on port 25 for use with SMTP. If you telnet to port 25 on a mail server that is open on that port, you will receive a response from that server. This response is called the SMTP banner. By default (with Exchange) this banner will not only display the actual server name and domain, but will also show the version number and software that is running on that server. This is crucial information that an attacker can utilize when planning an attack. If your server accepts connections on port 25, it is important that you mask this banner with a canned message that doesn’t display sensitive information like that. For more information on changing this banner with Microsoft Exchange, read this Microsoft article: Changing your SMTP Banner

2) Enable Relay Restrictions: This is usually set by default on mail servers so that only authenticated users or specified servers are allowed to relay email through your mail server. But it is a good security measure to verify that your mail server is not an open relay. If there are no restrictions set, spammers will have a field day with your server. Not only can this really cripple your server if not taken care of promptly, but it can also get your server blacklisted. Once blacklisted, you will need to find out which blacklists you are on and request removal once you prove to them that you are no longer spamming from your server. This can take weeks or months depending on which list you are on. If you aren’t sure whether your server is an open relay, you can use this tool to check: Open Relay Checker

3) Make sure your server is up-to-date: Because your mail server is constantly accepting connections from the outside world, it is crucial that it is always up-to-date. A lot of IT professionals will ensure that their servers have the latest Windows Updates installed, but don’t forget about Exchange updates and service packs as well. Automatic Updates won’t keep Exchange up-to-date, and many times the security vulnerabilities that need to be patched in Exchange are more critical than your typical Windows update. While there is no excuse for an out-of-date server, if installing updates is something that takes up too much of your time, then look into a patch management solution. Microsoft offers a free solution for all their software systems called Windows Server Update Services.

4) Protect your mail server with a front-end server: Another good idea for security is to set up a front-end server to act as either a proxy or relay between the internet and the mail server that stores your mail databases. The front-end server will handle all HTTP and SMTP requests for your main mail server. All emails will then be relayed from this front-end server to your main mail server. This allows you to close off port 25 to your main mail server so that it is hidden behind your firewall. Many companies will even provide this service for you. Having your server behind a firewall and accepting connections only from internal mail clients and the front-end server will greatly increase the security of your server.

5) Spam and Virus Protection: I’ve listed both spam and antivirus under the same number here because I think we are at the stage where they go hand in hand. It is important that you maintain antivirus and antispam software on your network. I recommend using a separate appliance for spam, as this will stop spam emails from even reaching your mail server. If your mail server processes a lot of emails every day, then this will help alleviate some of the strain that it carries. Making sure that both systems are up-to-date with the latest signatures goes without saying.
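For tips 1 and 2, here is an added example (not from the original post) of a small audit script for checking a mail server you administer: it parses the port-25 banner for software and version disclosure, and reports whether an unauthenticated external-to-external relay attempt is refused. The hostnames, sample replies and the regex of product names are my own constructed assumptions.

```python
"""Added example for tips 1 and 2: audit a mail server you administer for
SMTP banner disclosure and for open relaying. Hostnames are placeholders."""
import re
import socket

# Wording default Exchange/Postfix/Sendmail/Exim banners use to announce the
# product and version, i.e. exactly what tip 1 says to mask.
DISCLOSURE_RE = re.compile(
    r"Microsoft ESMTP MAIL Service|Postfix|Sendmail|Exim|qmail"
    r"|Version:?\s*\d+(?:\.\d+)+", re.IGNORECASE)

# Constructed sample replies (not captured from a real server).
SAMPLE_DEFAULT_BANNER = ("220 mail.example.com Microsoft ESMTP MAIL Service, "
                         "Version: 6.0.3790.3959 ready at Wed, 6 Aug 2008 09:00:00 -0400")
SAMPLE_MASKED_BANNER = "220 mail.example.com ESMTP ready"
SAMPLE_RCPT_REFUSED = "550 5.7.1 Unable to relay for probe@recipient.example"

def assess_banner(banner: str) -> dict:
    """Split a 220 greeting into code, hostname and a disclosure flag."""
    line = banner.strip()
    code, rest = line[:3], line[4:]     # "220 " or "220-" followed by the text
    return {"code": code, "hostname": rest.split(" ", 1)[0],
            "discloses_software": bool(DISCLOSURE_RE.search(rest))}

def relay_verdict(rcpt_reply: str) -> str:
    """Classify the reply to an unauthenticated RCPT TO for an external domain:
    5xx = relay refused, 2xx = server agreed to relay (open relay). A few
    servers only reject at DATA, so read 'open-relay' as 'probably open'."""
    return {"5": "relay-restricted", "2": "open-relay"}.get(
        rcpt_reply.strip()[:1], "inconclusive")

def check_server(host: str, port: int = 25, timeout: float = 10.0) -> dict:
    """Read the banner, then attempt external sender -> external recipient
    without authenticating; RSET and QUIT follow, so nothing is submitted."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        f = sock.makefile("rwb")
        def reply() -> str:             # gather a possibly multi-line reply
            lines = []
            while True:
                lines.append(f.readline().decode("ascii", "replace"))
                if len(lines[-1]) < 4 or lines[-1][3] != "-":
                    return "".join(lines)
        def cmd(text: str) -> str:
            f.write((text + "\r\n").encode("ascii")); f.flush()
            return reply()
        banner = reply()
        cmd("EHLO audit.example")
        cmd("MAIL FROM:<probe@sender.example>")
        rcpt = cmd("RCPT TO:<probe@recipient.example>")
        cmd("RSET"); cmd("QUIT")
    return {**assess_banner(banner), "relay": relay_verdict(rcpt)}
```

Run `check_server("mail.example.com")` against your own server; a result with `discloses_software` True or `relay` equal to `open-relay` means tip 1 or tip 2 still needs attention.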

These are only 5 tips for helping maintain security on your mail server, and there are a ton more. Hopefully these will get you on the right track and taking email security seriously.

Aug 1

No computer network can be 100% protected from the threats that the internet and attackers can bring. But with a smart IT security policy and a layered approach, you can reduce your company’s risk of attack.

Viruses today are more blended and have a higher payload than ever before. This means that they are easier to distribute and can do greater damage. Viruses today can attack networks at even the lowest level which means they can bypass desktop and server antivirus software. Software antivirus no longer provides the complete protection that it once did.

So what is layered antivirus and network security, and how should you approach it? Simply put, it is like placing a defensive barricade at every possible entry point onto your network. A typical layered antivirus solution will include server AV, desktop AV, gateway AV, email AV, and some type of intrusion detection/prevention service (IDS, IPS).

This approach will not only protect against threats that come in at the computer and file system level, but will also protect your network from denial of service and other network-level attacks.

A layered approach also helps provide efficiency and load-balancing on your network. If you find that your email server is getting pounded by daily phishing or virus emails, then having gateway antivirus can help take some of the load off of your email server by stopping those emails from ever reaching the server.

Protecting your network with a layered approach is no longer just a security design for enterprise networks; it is a requirement for all business networks.