Threatscape 2.0 and more scary security stories for business owners

by  Alan Zisman (c) 2008 First published in Business in Vancouver December 2-8, 2008; issue 997

High Tech Office column


Burnaby-based Derek Manky is a security researcher for Fortinet Technologies. In a recent interview, he discussed a 2007 incident in which a salesforce.com employee was targeted. In response to a carefully crafted e-mail, apparently from within the company, that user passed on log-in credentials, opening up his company’s databases to further attacks. Along with mass mailings and other blanketed attacks, he’s seeing attacks that are carefully targeted at individuals.

Increasingly, attacks – ranging from financial scams and identity theft to virus and malware infestations – are using Web 2.0-based social networks and blogs that include popular personal networks like MySpace and Facebook and the more business-focused LinkedIn. Do you really know all your Facebook “friends?”

Growing rapidly, according to Manky: scareware – pop-ups promising free scans or mimicking Windows XP Security Center alerts warning that your computer has been infected. These false warnings lead you to websites promising to clean up the (non–existent) infestation for between $30 and $50. Millions have been victimized by these come-ons. The cost is not just what each user pays for bogus security software. These products give a false sense of protection while too often installing malware including key-loggers that can result in identity theft.

Between July and September, Fortinet logged a 300% increase in malware, 65% of which was this sort of scareware.

Other recent attacks include mass e-mails claiming to be from UPS complete with attachments looking like a waybill. Opening the attachment infects your computer. (Manky agrees with me that Microsoft inadvertently aided these sorts of malicious e-mail attachments with the default Windows setting hiding file extensions. Users are more likely to click on an attachment appearing to be UPS Waybill.pdf than if they saw the actual UPS Waybill.pdf.exe name. Go to your My Computer, click view, folder options and the view tab. Remove the checkmark beside “hide extensions for known file types.” Do it now!

Some of the Threatscape 2.0 attacks are seasonal. Christmas shopping season increases search engine optimization campaigns – efforts by scam and malware-hosting websites to ensure that their names come up in the top page for gift-related web searches.

What to do? First step, according to Manky, is to stay up-to-date on patch management. Setting Windows to automatically check for, download and install security patches is a good first step, but as more users opt for that route, vulnerabilities in commonly installed applications and browser add-ins are being targeted. So it’s important to keep Microsoft Office, Adobe Flash and Acrobat, Apple QuickTime and the rest up to date.

Equally, though, says Manky, it’s up to you. Keep an eye on file names and on web addresses. Hover your mouse over a link in an e-mail message, and you should see the address it’s aimed at. If the link in that message claiming to be from UPS goes anywhere other than ups.com, it’s likely bogus. Set your browser so you can view the “status bar” on the bottom, showing link addresses.

If a website asks for log-in or financial information, it should have a secure “https” in front of its web address, rather than the standard “http.” These little details can make a big difference.

A huge concern for businesses: your network can seem secure with firewalls, spam and virus filters and everything up-to-date, but as soon as a user takes a notebook home and then brings it back to work or connects in using a smart phone, malware may be brought inside your protected zone. Finding a balance between security paranoia and convenience requires careful thought. Theft and loss of notebooks, cellphones and even USB keys add to the concern.

Among Manky’s suggestions: encrypt data on notebooks and USB keys, and question why sensitive data is being stored on them in any case. Can’t your users employ secure connections to your business network instead? Use public key encryption to secure e-mail messages.

Fortinet offers businesses layered network protection against the range of online threats through a combination of network appliances and solutions for end-users. Derek Manky and Fortinet’s Global Security Team’s analyses and advisories are available at fortiguardcenter.com. •