Threatscape 2.0 and more scary security stories for business owners
by Alan Zisman (c) 2008
First published in Business in Vancouver December 2-8, 2008; issue 997
High Tech Office column
Burnaby-based Derek Manky is a security researcher for Fortinet Technologies. In a recent
interview, he discussed a 2007 incident in which a salesforce.com
employee was targeted. In response to a carefully crafted e-mail,
apparently from within the company, that user passed on log-in
credentials, opening up his company’s databases to further attacks.
Along with mass mailings and other blanket attacks, he’s seeing
attacks that are carefully targeted at individuals.
Increasingly, attacks – ranging from financial scams and identity theft to virus and
malware infestations – are using Web 2.0-based social networks and
blogs that include popular personal networks like MySpace and Facebook
and the more business-focused LinkedIn. Do you really know all your
Facebook “friends?”
Growing rapidly, according to Manky: scareware – pop-ups promising free
scans or mimicking Windows XP Security Center alerts warning that your
computer has been infected. These false warnings lead you to websites
promising to clean up the (non-existent) infestation for between $30
and $50. Millions have been
victimized by these come-ons. The cost is not just what each user pays
for bogus security software. These products give a false sense of
protection while too often installing malware including key-loggers
that can result in identity theft.
Between July and September, Fortinet logged a 300% increase in malware,
65% of which was this sort of scareware.
Other recent attacks include mass e-mails claiming to be from UPS, complete
with attachments looking like a waybill. Opening the attachment infects
your computer. (Manky agrees with me that Microsoft inadvertently aided
these sorts of malicious e-mail attachments with the default Windows
setting hiding file extensions. Users are more likely to click on an
attachment appearing to be UPS Waybill.pdf than if they saw the actual
UPS Waybill.pdf.exe name.) Go to My Computer, click view, folder
options and the view tab. Remove the checkmark beside “hide extensions
for known file types.” Do it now!
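
The disguise described above can also be checked for in a mail filter or a script. An added example, not part of the original column: a Python check that flags attachment names whose last (real) extension is executable while an earlier one looks like a document. The extension lists, function names and sample file names are assumptions constructed for illustration.

```python
import os

# Assumed lists for illustration; extend them to match local policy.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs"}
DECOY_EXTS = {".pdf", ".doc", ".xls", ".txt", ".jpg", ".zip"}


def visible_name(filename):
    """Name as shown when 'hide extensions for known file types' is on."""
    return os.path.splitext(filename.strip())[0]


def check_attachment(filename):
    """Return (verdict, reason) for one attachment file name."""
    name = filename.strip()
    stem, ext = os.path.splitext(name)
    ext = ext.lower()
    if ext not in EXECUTABLE_EXTS:
        return ("ok", "last extension is not executable")
    # The extension the user would see once the real one is hidden.
    inner_ext = os.path.splitext(stem.rstrip())[1].lower()
    if inner_ext in DECOY_EXTS:
        return ("block", "executable %s shown to the user as %r"
                % (ext, visible_name(name)))
    return ("warn", "executable attachment (%s)" % ext)


def scan(filenames):
    """Map each file name to its verdict."""
    return {f: check_attachment(f)[0] for f in filenames}


# Constructed sample names, modelled on the waybill e-mail in the column.
SAMPLES = [
    "UPS Waybill.pdf",
    "UPS Waybill.pdf.exe",
    "REPORT.DOC.SCR",
    "setup.exe",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        verdict, reason = check_attachment(sample)
        print("%-22s %-6s %s" % (sample, verdict, reason))
```
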
Some of the Threatscape 2.0
attacks are seasonal. Christmas shopping season increases search engine
optimization campaigns – efforts by scam and malware-hosting websites
to ensure that their names come up in the top page for gift-related web
searches.
What to do? First step, according to Manky, is to stay
up-to-date on patch management. Setting Windows to automatically check
for, download and install security patches is a good first step, but as
more users opt for that route, vulnerabilities in commonly installed
applications and browser add-ins are being targeted. So it’s important
to keep Microsoft Office, Adobe Flash and Acrobat, Apple QuickTime and
the rest up to date.
Equally, though, says Manky, it’s up to
you. Keep an eye on file names and on web addresses. Hover your mouse
over a link in an e-mail message, and you should see the address it’s
aimed at. If the link in that message claiming to be from UPS goes
anywhere other than ups.com, it’s likely bogus. Set your browser so you
can view the “status bar” on the bottom, showing link addresses.
If a website asks for log-in or financial information, it should have a
secure “https” in front of its web address, rather than the standard
“http.” These little details can make a big difference.
A huge concern for businesses: your network can seem secure with firewalls,
spam and virus filters and everything up-to-date, but as soon as a user
takes a notebook home and then brings it back to work or connects in
using a smart phone, malware may be brought inside your protected zone.
Finding a balance between security paranoia and convenience requires
careful thought. Theft and loss of notebooks, cellphones and even USB
keys add to the concern.
Among Manky’s suggestions: encrypt data
on notebooks and USB keys, and question why sensitive data is being
stored on them in any case. Can’t your users employ secure connections
to your business network instead? Use public key encryption to secure
e-mail messages.
Fortinet offers businesses layered network
protection against the range of online threats through a combination of
network appliances and solutions for end-users. Derek Manky and
Fortinet’s Global Security Team’s analyses and advisories are available
at fortiguardcenter.com.