Sophos

Archive for the ‘WWW’ Category

Has someone got a crush on me?

Am I the only one who finds this kind of thing a little bit distasteful?

Crush

I’ve been in Ottawa for less than 12 hours, and yet apparently two people here already have a crush on me. I didn’t even know I had “buddies” here! Actually, I’m not even sure I ever could be friends with someone who refers to themselves as my buddy.

All I wanted to do was check out the website for The Daily Telegraph, a respectable broadsheet, to get my news fix from old Blighty. Shouldn’t websites have a higher standard for their online adverts than this kind of cheap trash?

So imagine you did click on the link.. Once you’ve told a bunch of guys you’ve never met before your name and mobile phone number, you find that no-one actually has a crush on you at all, but that they’re quite keen to send you three SMS text messages a week, for a cost of $9.99 a month.

And - of course - there’s nothing to stop you entering someone else’s mobile phone number and crossing your fingers that they’ll be tempted to reply with the PIN code and sign-up for an irritating and expensive service.

Big crush

PS. I am occasionally wearing spectacles here in Ottawa for the first time in my adult life. Maybe it is quite possible that someone does have a secret crush on me after all.


Cisco T-shirt competition - we have a winner!

Congratulations to Chris Emerson, an embedded software engineer currently working with digital radio. Chris lives and works near Cambridge in the UK, and takes a “large” T-shirt, fact fans.

Why are we talking about Chris? Because he was the first person to be pulled out of the hat in our fabulous competition to commemorate Cisco losing the letter “t” from its website yesterday, and so an exclusive Sophos T-shirt is winging its way to him.

Chris correctly found all of the missing words. If anyone is still scratching their head, here are those answers in full:

1. tent (ten and ent also accepted)
2. tentacle
3. tintinnabulations
4. attitude
5. buttocks
6. tut (ut also accepted)
7. titter (tier also accepted, but it’s not half as good)

Just be grateful I didn’t put down one of my other thoughts: tittle-tattle.

Well done if you managed to get them all, and thanks to everyone who took part. We’ll do another competition soon.


Browser beta blockers

Earlier this month I blogged about how Sophos was planning to extend the application control functionality built into Sophos’s solution to help you control whether your users should be allowed to run Google Chrome or not.

We can already help you control usage of Firefox (versions 1-3), Internet Explorer (versions 5-7), Safari, Opera, Netscape and Flock, as well as lesser known internet browsers. And I’m delighted to say that we have now added Google Chrome and Internet Explorer 8 Beta 2 to that list.

In a poll we conducted earlier this year, Sophos found that seven out of 10 network administrators wanted greater control over what web browser company employees installed and used. In other words, most of them don’t want you to run Firefox if they have chosen Internet Explorer for the company, and vice versa.

System administrators want to enforce policies about what browsers you can run to reduce their support overheads, and to lessen the security risks.

Google Chrome

After all, we all know these days that most of the threats are coming through the web - so if your browser is not properly patched against the latest vulnerabilities you may be exposing your firm to infection. And if you work in the IT department and you simply don’t know what browsers your fellow colleagues are running then what chance do you have of ensuring that they are defended appropriately?

This is particularly important, of course, with beta versions of browsers. Both Google Chrome and IE 8 aren’t officially launched yet - they’re still in beta test. Computer users, excited by new features or to try out “cool” new technology, may be tempted to run a beta browser on their computer - potentially exposing themselves to a higher level of risk compared to software that the browser vendor has determined is fully ready for the world.

Furthermore, the hype around Google entering the browser market appears to have encouraged some into looking for security vulnerabilities in Chrome’s code. I’m not saying that Google Chrome is bad - just that your company’s IT experts should decide which browsers get run inside your office, not your users.

Firms need to ensure that they have tight control over the software running on their employees’ computers. That doesn’t just mean computer games, IM clients, VoIP and P2P file-sharing, it increasingly means which web browser they’re using too.


Cisco website: where have all the “t”s gone?

This is odd.

It appears that the letter “t” has been banished in its entirety from the home page of Cisco’s website:

Cisco website

Checking out the html source (or should that be “hml source”?) makes it clear that the problem is not affecting capital Ts, only their younger siblings, the lowercase t. Check out this following picture to see more evidence of the t’s exodus from Cisco.

HTML source for Cisco website

The question is this - is this a search-and-replace screw-up by a tired website developer inside Cisco, an error in their server code or something more sinister? My feeling is that there’s probably not something malicious behind this (after all, a malicious script wouldn’t work as it would be a “scrip” tag instead).

Whatever the problem - they do want to sort it out as soon as possible, as it’s a very public way of looking quite silly.

So, any ideas on how we should inform Cisco of this problem? Email webmaser@cisco.com perhaps?

Competition time
It seems to me like this story is a good excuse for a competition. The following words have all had their lowercase “t”s removed from them. You have until the end of Friday to email me what you think the full words should be. So, for instance, if I said “bale”, the answer would be “battle”.

Appropriately enough, the first set of correct answers out of the hat wins a highly exclusive and much-prized Sophos T-Shirt. (See what I did there?)

1. en
2. enacle
3. ininnabulaions
4. aiude
5. buocks
6. u
7. ier

Credit where credit’s due: Thanks to Jess in the Sophos webteam for pointing out the problem with Cisco’s website to me.

Update: Cisco’s website now seems to have returned to normality.

Competition update: The competition is now closed. Find out what the answers were, and if you have won.


Guest blog: Introducing Sophos WebAlert.. with some toys

"It’s time to open up the Clu-blog once again, and give someone else a chance to have their say. This time it’s the turn of Carole Theriault, senior security analyst here at Sophos. Carole discusses how your own website could be passing on a digital disease, describes a new service which helps you monitor whether your websites might be compromised, and introduces a video starring a variety of children’s toys. Over to you Carole…"

Carole Theriault

Isn’t the web just marvellous? It lets you learn just about anything, it lets you buy just about anything, and it lets you communicate with a huge number of people.  It has revolutionized business communication and transactions.

Today’s web has offered companies a whole new platform allowing video, audio, simple ordering procedures, forums, and so on to attract and engage visitors to the site. With billions of other sites out there all screaming for attention and offering bells and whistles to attract visitors, competition is, well, exhilaratingly fierce. 

And this is exactly why hackers and malware authors find it so darn attractive. These guys are like parasites - they let you do all the work of attracting visitors to your site, then they try to infect their computers via your website! Not exactly good for business.. not only are you propagating infection and running the risk of getting a bad reputation amongst visitors, but you can also get slammed in the press.

Sadly, the problem is on the rise: Sophos finds a new infected webpage every five seconds, 90% of which are legitimate websites run by people like you and me. We see sites from government agencies and worldwide organisations to smaller home-grown websites get hammered by malicious code every day. Worse still, the malware is pretty insidious, so it is easy for web administrators not to know that their website is actively infecting visitors.

Sophos WebAlert service
Sophos is offering customers a new alert service, called Sophos WebAlert, to warn administrators of malicious code being hosted on their websites. Sophos monitors your website automatically, checking it against our vast database of malicious code in real time. If we find yours to be infected, then we ping you an email, giving you the heads up so you can fix the problem and get back to running your site. Simple as that.
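To make the monitoring idea concrete, here is a small added example (my own illustration, not Sophos WebAlert code) of the kind of check such a service runs: it parses a site's pages, flags scripts or frames loaded from hosts the site owner has not approved, and looks for obfuscation primitives that injected loaders commonly rely on. The allowlist, the signatures and the two sample pages are all constructed assumptions for the demo; nothing is fetched from the network, and the "alert" is a returned list of findings rather than an email.

```python
"""Minimal website-compromise monitor (added example, not Sophos code).

Pages are constructed HTML strings embedded below; a real monitor would fetch
them on a schedule and e-mail the findings to the site administrator."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts this site is allowed to load scripts/frames from (assumption for the demo).
ALLOWED_SCRIPT_HOSTS = {"www.example-company.test", "cdn.example-company.test"}

# Constructs typical of injected loaders inside inline scripts (assumed signatures).
INLINE_SIGNATURES = [
    re.compile(r"\beval\s*\(\s*unescape\s*\("),
    re.compile(r"document\.write\s*\(\s*unescape\s*\("),
    re.compile(r"String\.fromCharCode\s*\("),
]


class ExternalResourceFinder(HTMLParser):
    """Collects <script src>/<iframe src> targets and the bodies of inline scripts."""

    def __init__(self):
        super().__init__()
        self.external = []        # (tag, src) pairs
        self.inline_scripts = []  # bodies of <script> elements without src
        self._in_inline_script = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in ("script", "iframe") and attrs.get("src"):
            self.external.append((tag, attrs["src"]))
        elif tag == "script":
            self._in_inline_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_inline_script = False

    def handle_data(self, data):
        if self._in_inline_script:
            self.inline_scripts.append(data)


def scan_page(url, html):
    """Return a list of (url, message) findings for one page; empty means clean."""
    parser = ExternalResourceFinder()
    parser.feed(html)
    findings = []
    for tag, src in parser.external:
        host = urlparse(src).hostname
        # Relative URLs (host is None) are same-origin, so only absolute hosts are checked.
        if host is not None and host not in ALLOWED_SCRIPT_HOSTS:
            findings.append((url, f"<{tag}> loads from unexpected host: {src}"))
    for body in parser.inline_scripts:
        for sig in INLINE_SIGNATURES:
            if sig.search(body):
                findings.append((url, f"inline script matches {sig.pattern}"))
                break
    return findings


def scan_site(pages):
    """pages: {url: html}. Returns every finding across the site."""
    findings = []
    for url, html in pages.items():
        findings.extend(scan_page(url, html))
    return findings


# Constructed sample pages: one clean, one carrying an injected loader.
SAMPLE_PAGES = {
    "https://www.example-company.test/": """<html><head>
        <script src="https://cdn.example-company.test/site.js"></script>
        </head><body><h1>Welcome</h1></body></html>""",
    "https://www.example-company.test/careers.html": """<html><body>
        <p>Employers list</p>
        <script src="http://bad-host.invalid/x.js"></script>
        <script>document.write(unescape('%3Cdiv%3E'))</script>
        </body></html>""",
}

if __name__ == "__main__":
    for page_url, message in scan_site(SAMPLE_PAGES):
        print(f"ALERT {page_url}: {message}")
```

The allowlist is the important design choice: a signature database catches what is already known, but an unexpected third-party script host is a strong signal on its own, and it is exactly what an injected `<script src>` tag introduces.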

Here is a video we have made explaining Sophos WebAlert: “Sophos WebAlert explained with children’s toys”.

What else can you do?
Rule number one is to do your best not to get infected in the first place.  Preventative techniques like patching vulnerabilities and running up-to-date reputable anti-virus are paramount to those hosting a website as well as those surfing the web. Companies worried about their networks getting infected via their employees’ surfing habits can even look to web security solutions.

Here are some links to some free information on what you can do to stay safe:


Guest blog: Lies, damn lies, and statistics

"A news release from McAfee about Brad Pitt, Beyonce Knowles and Justin Timberlake has got the goat of guest blogger Paul Ducklin, Sophos’s head of technology in Asia Pacific. Over to you Paul…"

Paul Ducklin

Someone at the McAfee anti-virus company seems to have convinced media writers of the factoid that “…fans searching for information and pictures of Pitt, or downloads, wallpaper and screen savers, have an 18 per cent chance of having their PCs infected with a virus, spyware, spam, phishing and adware…”

At least, that’s what Sydney’s Morning Herald and Melbourne’s The Age are urgently warning you about.

(I’m not sure if it says something about the supposed intellectual difference between Sydney and Melbourne that in Sydney the “Pitt of danger” is the leading online story, whereas in Melbourne it is at least relegated behind “Astronomers agog at circling planet.”)

Tut, tut, tut.

18 per cent chance

This sort of hyperbole about the dangers of cyberspace may fill column centimetres and attract casual readers, but it doesn’t actually help anyone. For a start, it simply isn’t true. If you go online and search for “Pitt”, you do NOT have a one-in-five chance of getting infected, and suggesting that you do is just spreading FUD (fear, uncertainty and doubt).

The two main pedagogical problems with this story are obvious. Firstly, users who do search for “Pitt”, and who do not get infected (which will be the very great majority) may get a false sense of security. After all, if you can routinely get away with it when you regularly search for apparently dangerous search terms, why should you worry at all about those parts of the web which aren’t considered particularly dangerous?

Secondly, this story seems to imply that if you steer clear of celebrities and stick to “safer” subjects, you will greatly improve your online health. But SophosLabs finds an average of about 16,000 newly-infected web pages per day, liberally distributed throughout cyberspace. Some of these are high-profile sites, with high-profile subjects, but the majority are otherwise unremarkable sites which are “chosen” by cybercriminals simply because they are there. Indeed, they are remarkable mainly for being unremarkable.

Another important flaw with this story is that it doesn’t bother to explain how you can search safely. Let’s say you really do want to search for “Pitt”. (Sydney alone, for rather obvious historical reasons, has numerous Streets, Roads, Lanes, a Town and even a Water which carry this name.) How do you avoid the alleged 20% “infection chance”?

The answer is that with the right precautions, and the right sensibilities, you can search in almost complete safety for almost anything you want. Here’s how to do it:

1. Use a spam filter. Scammers who have planted risky content on otherwise unremarkable websites regularly spam out links to these websites in the hope that you will be more inclined to click through to them. Getting rid of such spam reduces the number of risky links you will be tempted by, as well as freeing up your time to read useful stuff, not the spammers’ garbage.

2. Use a web filter. Products such as the Sophos Web Appliance have two chances to protect you: if you click on a link - no matter that it is legitimate or uncontroversial - which is already known to have been hacked, the connection will be blocked outright. And if you do visit a newly-infected page containing risky content, it will be analysed and blocked on the way back.

3. Use an anti-virus and keep it up-to-date. Most hacked web pages are only indirectly infectious. In other words, they try to provoke misbehaviour in your browser which causes the silent download of a virus, worm or Trojan. This sort of attack is called a “drive-by” install. A good anti-virus will block these downloads.

4. Use the security updates provided by your software vendors, especially those for the operating system itself and for your web browser. Many malware attacks succeed only if you have already been lax about security, so get yourself up-to-date today.

5. Use some form of network access control program (NAC). NAC software can analyse the files on your computer to make sure you are well-patched against the latest vulnerabilities, isolating you from the internet at large until you are safely patched. This, along with an anti-virus, greatly reduces your risk of a drive-by install, since it closes off the security holes commonly used by cybercriminals.

6. Use your common sense. When you search for a topic of interest, the results which come back from your search engine are advisory, not mandatory. You aren’t required to visit every one of them until something unexpected happens.

7. Don’t be credulous. Don’t believe everything you read in email. By now, everyone should know that you can’t win a lottery you didn’t enter. So why click through to web links you weren’t expecting? Why visit websites about subjects which don’t really interest you, or act on information which sounds too good to be true? (It is.)

8. Don’t fall for security hyperbole. Learn from the past (e.g. the Michelangelo virus in 1992, the Millennium “Bug” in 1999) and seek objective information, not scare stories, about how to stay secure online.


Hackers infect BusinessWeek website via SQL Injection attack

Sophos experts have discovered that the website of BusinessWeek, the world famous weekly magazine, has been attacked by hackers in an attempt to infect the readership with malware.

Hundreds of pages on a part of BusinessWeek’s website which offers information about where MBA students might find future employers have been struck by the SQL Injection attack - where a security vulnerability is exploited in order to insert malicious code into the site’s underlying database.

It’s worrying when any site suffers from a malicious SQL Injection attack, but when it’s also one of the 1000 busiest websites on the internet the stakes are even higher. The potentially large number of people visiting the site and accessing information to assist their careers may be putting their finances or personal data in jeopardy if they are not properly protected.

As we reported in our recent Security Threat Report, over 16,000 new infected webpages are discovered every single day. That’s one every five seconds - three times faster than the rate we saw during 2007.

View the following video to get more information (and - of course - feel free to embed it on your own websites if you like):

At the time of writing, the code injected into BusinessWeek’s website points to a website that is currently down and not delivering further malicious code. However, it’s worth bearing in mind that its status could potentially change at any time. Sophos informed BusinessWeek of the infection last week, although at the time of writing the hackers’ scripts are still present.

BusinessWeek, and the many other firms hit by SQL Injection attacks, need to move fast to not only remove the malicious scripts, but also to ensure that they do not get infected again. Companies whose websites have been struck by such an attack often clean up their database, only to be infected again a few hours later.
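The reason clean-up alone does not stop reinfection is that the underlying defect, user input pasted into SQL text, is still there. The following added example (my own illustration, not BusinessWeek's or Sophos's code) shows that defect class beside its fix on an in-memory SQLite table of constructed employer rows: a string-built search query breaks on a legitimate apostrophe and can be steered by input, while the parameterised version treats the same input purely as data.

```python
"""String-built query beside its parameterised replacement (added example).

The table and rows are constructed for the demo; sqlite3 is used only because
it needs no server."""
import sqlite3


def make_db():
    """Create an in-memory table of constructed sample employers."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE employers (id INTEGER PRIMARY KEY, name TEXT, profile TEXT)")
    conn.executemany("INSERT INTO employers (name, profile) VALUES (?, ?)", [
        ("Acme Consulting", "Graduate scheme, London"),
        ("O'Reilly Media", "Technical publishing"),
        ("Globex", "Finance"),
    ])
    return conn


def search_unsafe(conn, term):
    """Vulnerable: the user's term is spliced into the SQL text itself."""
    sql = "SELECT name FROM employers WHERE name LIKE '%" + term + "%'"
    return [row[0] for row in conn.execute(sql)]


def search_safe(conn, term):
    """Hardened: the term is bound as a parameter, so it can only ever be data."""
    sql = "SELECT name FROM employers WHERE name LIKE ?"
    return [row[0] for row in conn.execute(sql, ("%" + term + "%",))]


def demo():
    """Run both searches on the same inputs and return the outcomes side by side."""
    conn = make_db()
    results = {}
    # A legitimate name containing an apostrophe breaks the string-built query...
    try:
        search_unsafe(conn, "O'Reilly")
        results["unsafe_apostrophe"] = "ok"
    except sqlite3.OperationalError:
        results["unsafe_apostrophe"] = "syntax error"
    results["safe_apostrophe"] = search_safe(conn, "O'Reilly")
    # ...and the textbook tautology makes it return every row, while the bound
    # version simply finds no name matching that literal pattern.
    tautology = "%' OR '1'='1"
    results["unsafe_tautology"] = search_unsafe(conn, tautology)
    results["safe_tautology"] = search_safe(conn, tautology)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The fix is not escaping or filtering quotes but binding: once every query in the site's code passes values as parameters, a mass-injection campaign has nothing to write into the database, and the clean-up sticks.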


Hackers strike Large Hadron Collider website

According to media reports, a website associated with the Large Hadron Collider (LHC) atom-smashing experiment at CERN has been compromised by computer hackers.

A group of hackers called the “GST” or “Greek Security Team” has claimed responsibility for the attack, and posted a lengthy message on the site to prove that they had managed to breach computer security.

Part of a message left by the Greek Security Team on the hacked LHC website.

The hackers signed off their message with the words: “We are 2600 - dont mess with us.”

According to reports, as boffins were preparing to turn the experiment on Wednesday, hackers had already begun uploading unauthorised files to the website.

With the huge amount of interest worldwide in the LHC the thought that hackers were able to compromise and change data on a website is highly disturbing. Theoretically, hackers could have planted malicious code which could have stolen identities or installed malware onto the computers of millions of web visitors.

Fortunately, there’s no evidence, as far as we can ascertain at the moment, that the Greek Security Team planted a err.. Trojan Horse. Well, Greeks have some history of doing that y’see.. :-)

Scientists at the world’s largest particle physics laboratory appear to have disconnected the affected website (cmsmon.cern.ch) from the internet until they are confident any remaining security problems have been fixed.


This month’s dumbest hacker award goes to…

Bangladesh’s elite security force, the Rapid Action Battalion (RAB), had its website at www.rab.gov.bd hacked last week. Visitors to the site on Friday were greeted with a message criticising the government for not doing enough for information technology while introducing laws to fight cybercriminals.

According to the message, “HACKERS R NOT CRIMINAL”, and the RAB “DO NOT KNOW WHAT IS THE CYBER SECURITY OR HOW TO PROTECT OWNSELF.”

Within 24 hours, the authorities had arrested 21-year-old computer science student Shahee Mirza, and three of his friends in connection with the hacking. According to RAB, Mirza has confessed to hacking the website and the sites of at least 22 other organizations. Mirza claims that he had no malicious intentions in defacing the websites.

So, why does Shahee Mirza win the award for this month’s dumbest hacker? Because of some other information he left in his message on the RAB website - telling all to see who precisely had defaced the security force’s homepage, and even giving his personal Yahoo email address.

Is it any wonder the authorities in Bangladesh were so quick to arrest the suspects?

If found guilty, Mirza and his friends could face up to 10 years in jail. That’s something for every wannabe-hacker to consider before they decide it’s a good idea to attack a website.


Revisiting the NHTCU website

Earlier this week I published a video about how the website of Britain’s National Hi-Tech Crime Unit had been allowed to fade away by the Serious Organised Crime Association (SOCA), and how an opportunistic German had grabbed the domain for his own undefined purposes.

The story of how a police website (widely linked to by the UK Home Office, the BBC, and many others) had been abandoned and snapped up by an internet marketing company made a number of headlines in the press.

In a statement to a journalist from Techworld, SOCA admitted responsibility for allowing the domain registration to lapse and said it was “taking the necessary steps to remind partners and stakeholders that the NHTCU became SOCA e-crime in April 2006, and that they should confirm that web links and other references are amended accordingly.”

One silver lining on this story is that it appears the media attention has prompted a change on www.nhtcu.org.

As you can see, the site no longer claims to be about “High Tech Crime”, includes a prominent link to SOCA, has had the pictures of surveillance cameras removed, and no longer contains a bizarre tale of how the site’s owner holidayed at a German hotel and found its security to be admirable.

The front page of the website now reads:

“Notice from Owner: It has come to our attention that the ownership of this site has been the subject of media interest and controversy.”

Hmm.. I bet it has come to their attention! I wonder if it was a call from a British policeman which stirred them into action?

“This domain name was purchased with the best intentions and was originally found on RegisterCompass.com. We have no fixed intentions for this domain at present and would welcome any ideas or suggestions about how it might be best used.”

So, here’s my suggestion to the site’s owner - give the domain back to SOCA. Websites around the world are linking to www.nhtcu.org, expecting to find the National Hi-Tech Crime Unit or its successor. Ask SOCA for 20 Euros for your trouble to cover your expenses in transferring the domain, or do it out of the goodness of your heart.