Open Source Software and Linux:

malware

Mar 21 2009   11:38PM GMT

How safe is your search engine?



Posted by: John Little
Security, search engines, malware, malicious web sites, malicious code, Browsers, web browsers

Crackers are increasingly attempting to influence the behavior of search engines so that they misdirect users to malicious sites, says security firm Marshal.

Unwitting users are asked to download an anti-malware application to protect their computers. The supposed anti-malware program then installs its own malicious code onto the user's computer.

Microsoft has attempted to help users of its Internet Explorer browser with what it calls the SmartScreen filter. The filter checks servers that host downloads to determine whether those servers have a history of serving malicious content. If a server does, the user is warned that they may be on a malicious web site.

Crackers also add links to bad websites in blog comments. Posting links to such sites is known as blog spamming. When a user visits one of these sites, the cracker has automated tools waiting that help gain entry into the user's computer.

Unfortunately there is no firewall rule that prevents people from foolishly visiting such sites, and once they are there bad things happen. Updated browsers, proxy servers, and blacklists and whitelists certainly help. Still, the best prevention is educating users about what to avoid, in combination with the aforementioned methods.

-j

Mar 18 2009   11:35PM GMT

IRS a little lazy on scanning servers for malware



Posted by: John Little
irs, virus, malware, hackers, crackers

A recent report by the Treasury Inspector General for Tax Administration (TIGTA) noted that the IRS scans about 89% of its servers weekly for malware and viruses. That should give you a warm and fuzzy feeling.

Apparently they believe that employee workstations pose more of a threat: all employee workstations are scanned weekly. Of the 11% of servers that aren't scanned weekly, some are scanned intermittently and others not at all.

According to Michael Phillips, the deputy inspector general for audit, "The IRS' Cybersecurity Computer Security Incident Response Center responded to 961 malware incidents in calendar year 2008, an increase of 45 percent over the prior year."

The TIGTA also said that the IRS has adequate controls in place to prevent and respond to malware attacks, and that it has built up its security structure to deal with the increasing threat from crackers.

The inspector general also recommended that IRS administrators should not access the internet with their IRS logons. Employees and their managers should also be notified when their browsing results in a successful malicious code incident.

Terence Milholland, IRS’ chief technology officer, said in response the service would begin to scan all servers weekly by May 1 and implement regular reminders on Internet access restrictions by Aug. 1. The IRS would start notifying employees and their managers when their activity results in a malware incident, he said.

You can access the full report here.

-j


Nov 14 2008   3:26PM GMT

Application Whitelisting for Windows... or is it SELinux?



Posted by: John Little
Security, Linux, malware, anti-virus, whitelisting, selinux, rootkit, root kit

I recently read an article in eWeek that talked extensively about Application Whitelisting. The more of the article I read, the more it seemed to be nothing more than SELinux on Windows.

The Windows people are looking to lock down their machines because of the horrendous numbers of viruses, trojans and other malware that attack them. Apparently user education, anti-virus and anti-whatever just are not getting the job done.

Windows machines have traditionally used the same methods for fighting malware. Anti-virus tracks and quarantines certain known bits of malware; this is known as blacklisting. Whitelisting is the process whereby only certain approved executables are allowed to run on a given machine.

Now let's have a look at SELinux, which was first implemented by Red Hat several years ago. While Linux in general does not have a problem with malware, an unprotected machine could get hacked and unwanted applications installed. Red Hat wanted a way to stop this type of intrusion. Let's look a little deeper at how this came into play.

SELinux was originally a development project from the National Security Agency (NSA)[19] and others. It is an implementation of the Flask operating system security architecture.[20] The NSA integrated SELinux into the Linux kernel using the Linux Security Modules (LSM) framework. SELinux motivated the creation of LSM, at the suggestion of Linus Torvalds, who wanted a modular approach to security instead of just accepting SELinux into the kernel.

You can see the rest of the article here.

So here we have a security application mostly developed by the NSA.

Much of the work to get the kernel ready for upstream, as well as subsequent SELinux development, has been a joint effort between the NSA, Red Hat, and the community of SELinux developers.

Now let's look at how SELinux runs under Red Hat and any other *nix that uses it. Red Hat uses what is called a targeted policy for SELinux. SELinux defines what are known as domains, and each daemon has its own domain. Every process on the system runs in the unconfined_t domain except for those daemons the targeted policy assigns a specific domain. Processes in the unconfined_t domain fall back to standard Linux (DAC) security. As an example, the http and ntp daemons run under the targeted policy by default and are therefore protected. If you haven't yet experienced what happens under this protection: if one of the daemon's binaries or configuration files ends up in the wrong context, the daemon will not start.
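As an added example (not code from the original post), here is a small POSIX shell audit that reads `ps -eZ` and `ls -Z` style output and reports which processes run in unconfined_t and which web-root files carry a type other than the one the httpd policy expects. Both listings below are constructed samples; on a real host you would feed the functions the actual command output.

```shell
#!/bin/sh
# Constructed sample of `ps -eZ` output from a targeted-policy host (not real data).
SAMPLE_PS='LABEL                                     PID TTY      TIME CMD
system_u:system_r:httpd_t:s0               1234 ?    00:00:01 httpd
system_u:system_r:ntpd_t:s0                1300 ?    00:00:00 ntpd
unconfined_u:unconfined_r:unconfined_t:s0  1420 ?    00:00:00 mydaemon
system_u:system_r:sshd_t:s0-s0:c0.c1023    1500 ?    00:00:00 sshd'

# Constructed sample of `ls -Z` output for a web root (not real data).
SAMPLE_LS='system_u:object_r:httpd_sys_content_t:s0 /var/www/html/index.html
unconfined_u:object_r:user_home_t:s0      /var/www/html/upload.php
system_u:object_r:httpd_sys_content_t:s0 /var/www/html/logo.png'

# The third field of a user:role:type:level context string is the type (domain).
ctx_type() { printf '%s\n' "$1" | cut -d: -f3; }

# Print "PID CMD" for each process running in unconfined_t: the targeted policy
# places no SELinux restrictions on it, so only ordinary DAC permissions apply.
unconfined_procs() {
    printf '%s\n' "$1" | tail -n +2 | while read -r ctx pid tty etime cmd; do
        if [ "$(ctx_type "$ctx")" = unconfined_t ]; then
            printf '%s %s\n' "$pid" "$cmd"
        fi
    done
}

# Print "PATH ACTUAL_TYPE" for each file whose type is not the expected one.
# A file in the wrong context is the usual reason a confined daemon refuses to
# start or read it (restorecon -nv reports the same mismatches on a real host).
mislabeled_files() {
    expected=$1
    printf '%s\n' "$2" | while read -r ctx path; do
        actual=$(ctx_type "$ctx")
        if [ "$actual" != "$expected" ]; then
            printf '%s %s\n' "$path" "$actual"
        fi
    done
}

echo "Processes outside any confined domain:"
unconfined_procs "$SAMPLE_PS"
echo "Web-root files not labeled httpd_sys_content_t:"
mislabeled_files httpd_sys_content_t "$SAMPLE_LS"
```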

This should be starting to sound familiar, given the definition of Application Whitelisting above. It will be interesting to see if the Windows shops buy into this method of protection. I also expect an announcement from Microsoft or some other big firm about how they have developed this new concept and are providing it as a tool to protect Windows applications. I wonder how much the licensing fee and yearly maintenance will be on that...

-j