What Is Facebook Doing About Scams?

It is important that each of us remains aware of scams.  Social networking sites like Facebook are target-rich environments for malicious parasites who would do you harm.  Facebook is now taking action on several fronts to warn users when a link they are clicking appears to lead to malware or malicious trickery.

From now on, Facebook will display a warning to users if it detects that suspicious activity is going on behind those mouse clicks.  A scam was circulating recently where Facebook users were inadvertently commenting on what looked like a news site providing details of the iPhone 5.  Clicking on the link led to a page with a “captcha” window where distorted numbers and letters are presented for the user to type to prove they are real users and not an automated script.  If the submit button was clicked, the spam message was spread onto the user’s Facebook page.   Another scam was spreading today that urged people to click some web element to “verify their accounts”.  Facebook was quick to remove those posts.

In many cross-site scripting (XSS) attacks, people are asked to copy and paste JavaScript or another type of code into their browser’s address bar with the lure of seeing a video, or getting something for free.  The code ends up infecting their machine with malware, or doing something unexpected.

Clickjacking attacks involve tricking people into revealing personal information, or taking control of their web session when they click on a seemingly innocuous web element.  Clickjacking and XSS attacks take advantage of a vulnerability common across a variety of browsers in the form of embedded script that can execute without the user’s knowledge.

To block these attacks, the site will ask users to confirm their “like” before posting a story to their profile and their friends’ News Feeds.  Facebook is also offering a form of two-factor authentication called “Login Approvals,” which if turned on will require users to enter a code whenever they log into the site from a new or unrecognized device.  The code is sent via text message to the user’s mobile phone to reduce the chances of it being intercepted or spoofed by the attacker.  Facebook has also started performing “Login Tracking” where you are asked to identify the system you are logging in from with a unique name, and that information is sent to your registered email account.

Facebook is also partnering with the free Web of Trust safe surfing service to give its users more information about the sites they are going to from within the social network.  When a user clicks on a potentially malicious link, a warning box will appear and provide more information about why the site might be dangerous.  The user can either ignore the warning or go back to the previous page.  Web of Trust has rated more than 31 million sites.  Facebook also maintains its own internal blacklist of sites that it blocks users from sharing.

They have also recently tightened up their APIs, and are migrating to OAuth 2.0 in an attempt to bring security into the developers’ environment.  OAuth is now a mature standard with broad participation across the development industry.  They have also been working with Symantec to identify issues in their authentication flows to ensure that they are more secure.

It looks to me like Facebook is at least aware of the risks that these attacks pose to its reputation and continued existence as a trusted medium for collaboration and social interaction.  They are doing the right things, and I believe will eventually provide a more secure environment and continued popularity.

Sophos, Astaro Join Forces

Today, two of my favorite companies have united to become one.  Astaro, makers of the excellent Astaro Gateway and other security products, has been acquired by Sophos, creators of endpoint, mobile, and data protection products.  Looks like a sweet union.  I am very pleased to see that Astaro’s licensing model (FREE for home users!) remains unchanged.

Some of the benefits of the merger:

  • More Features: Sophos owns great technology in many areas like NAC, DLP, Patch Management, Vulnerability Scanning and more. Astaro can now integrate these technologies into their Security Gateway, further improving on its ability to protect your entire network.
  • Coordinated Protection Between Endpoint and Network:  This transaction brings two leading complementary security portfolios together to deliver coordinated protection and policy between endpoint and network.  By combining policy, security filtering and information known at the endpoint with the network,  Sophos will be able to provide improved security and visibility along with integrated management and reporting.
  • Best-in-Class Threat and Data Protection and Web and Application Control:  Solutions will offer complete protection to meet complex threats and malware challenges, especially from the web, applications and social engineering vectors that require full visibility and coordination, supported by SophosLabs and renowned malware and threat expertise.
  • Enriched Channel Offerings: The combination of Sophos and Astaro will offer a complete and differentiated range of security solutions and services to meet customer needs not answered in the market today.  Partners can deliver coordinated threat and data protection, and policy from any endpoint to any network boundary with solutions that can be deployed via software, virtually, appliance-based, via a cloud services platform and backed by security updates from Sophos Live Protection for real-time, high-performance protection for end users no matter where they are.
  • Better Performance:  Astaro always sought to further improve the performance of their UTM functions, but in the past were often limited because the vendors they license technology from were not always cooperative.  With direct access to the experts at Sophos, they will be able to offer tighter integration and significantly improve performance.
  • Better Support:  Scaling high quality support is always a challenge.  With Sophos’ expertise and processes in 24×7 support, combined with Astaro’s support experts, we can expect a more responsive and better support experience than ever.
  • Focused Management Team:  Astaro will continue to exist within Sophos, run by the same management team and employees as today.  They expect to strengthen their strategy offering complete solutions, and the focus will continue to be on solving end-user security issues.

Congratulations to the folks at Astaro and at Sophos.  Press Release

Sunspot Malware In The Wild

Trusteer has recently identified “Sunspot”, a little-known Windows malware agent that was not previously identified as a financial fraud vector.  Sunspot is currently targeting North American financial institutions and has already achieved significant infection rates in some regions.  There are confirmed fraud losses associated with Sunspot, so this threat is real, adding to the already long list of financial malware circulating on the Internet.

Sunspot targets 32-bit and 64-bit Windows platforms from Windows XP through Windows 7, and is capable of installing in non-administrator and administrator accounts.  Once installed, it targets Internet Explorer and Firefox browsers.  This is a very modern malware platform with sophisticated fraud capabilities.  It can carry out man-in-the-browser attacks, web form injections, page grabbing, key-logging and screen capture.

Sunspot is launched either via “rundll32.exe” or by a startup registry entry.  It uses CBT hooking (a system-wide Windows hook, which causes the hook DLL to be mapped into every process that receives the hooked window events) to load its DLL into the browser.  Inside the browser it hooks several Wininet/NSPR4/user32 functions to perform web injections, page grabbing and key-logging.
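As an added hunting example (not from Trusteer or this post), the following PowerShell lists the two host artefacts described above: Run/RunOnce entries that start a DLL through rundll32.exe, and modules loaded inside Internet Explorer or Firefox that do not carry a valid Authenticode signature.  The registry paths and process names are the standard Windows ones; the script assumes an elevated PowerShell session on the workstation under review.

```powershell
# Added hunting script (not Trusteer's or the post's own code). Produces a review
# queue, not a verdict: every line printed should be examined by an analyst.
# Assumption: run in an elevated PowerShell session on the host under review.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# 1. Startup entries that launch a DLL through rundll32.exe
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }        # skip provider metadata properties
        $cmd = [string]$p.Value
        if ($cmd -notmatch 'rundll32') { continue }
        # rundll32 syntax is: rundll32.exe <dll>,<entrypoint> [arguments]
        $dll = ($cmd -replace '^.*rundll32(\.exe)?"?\s+', '') -replace ',.*$', ''
        $dll = [Environment]::ExpandEnvironmentVariables($dll.Trim('"'))
        if (Test-Path $dll) { $sig = (Get-AuthenticodeSignature $dll).Status }
        else                { $sig = 'FileMissing' }
        "{0}\{1}: {2} [{3}]" -f $key, $p.Name, $dll, $sig
    }
}

# 2. Modules inside browser processes without a valid signature
#    (a DLL mapped in by a CBT hook shows up in this list like any other module)
foreach ($proc in Get-Process -Name iexplore, firefox -ErrorAction SilentlyContinue) {
    try { $mods = $proc.Modules }
    catch { $mods = @(); "Cannot read modules of PID $($proc.Id): $_" }
    foreach ($m in $mods) {
        $status = (Get-AuthenticodeSignature $m.FileName).Status
        if ($status -ne 'Valid') {
            "{0} (PID {1}): {2} [{3}]" -f $proc.ProcessName, $proc.Id, $m.FileName, $status
        }
    }
}
```

On Windows 7 era systems, Get-AuthenticodeSignature does not consult catalog files, so many legitimate system DLLs report NotSigned; compare flagged paths against a known-good host rather than treating NotSigned alone as malicious.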

It appears Sunspot was not originally developed as “crimeware”.  We could be witnessing a sea change in malware development, where little-known malware platforms are re-purposed to carry out financial fraud.  This will make defence harder, since banks may be attacked by large numbers of unique financial malware platforms.  Sunspot also illustrates an increasing emphasis on payment card theft.  More and more malware asks victims for credit and debit card information together with additional personally identifiable information, enabling more card-not-present fraud and making it harder to identify the source of fraudulent transactions.

Defence against Sunspot and its ilk remains the same as it always has.  Layered security combining server-side and client-side malware defences with behaviour-based attack detection and monitoring is the most effective way to protect users against financial crimeware.

Visa’s Digital Wallet

CBC reports that Visa has just announced the next generation of payment solutions that includes a secure cross-channel digital wallet and customized mobile payments services.  The digital wallet will store both Visa and non-Visa payment accounts, support NFC payments through the Visa payWave application, and deliver a range of transaction services to accommodate multiple scenarios, including mobile commerce, eCommerce, micropayments, social networks, and even person-to-person payments.

Visa eventually hopes to link the digital wallet to a chip in a cellphone that would allow consumers to pay by tapping the phone near a receiver in bricks-and-mortar stores.  Visa is promising that the wallet will be well-protected by security and users won’t be accountable for fraud involving Visa products.

Visa expects to launch the digital wallet in the U.S. and Canada in fall 2011 and is working with payments card issuers, banks, credit unions, acquirers, payments processors and merchants in the launch.  Noted financial institutions and organizations supporting Visa’s wallet strategy are:

  • Royal Bank of Canada
  • Scotiabank
  • TD Bank Group
  • Barclaycard US
  • Card Services for Credit Unions
  • ICBA Bancard
  • PNC Bank
  • PSCU Financial Services
  • Regions Bank

Key features of the digital wallet will include:

  • Click-to-buy:  Shop securely by entering an email address, alias or online ID and password. Visa is also exploring dynamic authentication technologies, bringing additional layers of security to online purchases.
  • Cross-channel payments:  Consolidates multiple Visa and non-Visa accounts and can be used in mobile, eCommerce, social network and retail PoS environments.
  • Preference management:  A menu that enables customers to customize and control how their wallet will work, the privacy settings, designating which account will be accessed based on merchant type or purchase amount, and more.
  • Merchant offers:  A service allowing consumers to opt-in to money-saving discounts or promotional offers from participating merchants.

Visa intends to connect existing “closed loop” mobile money services that provide basic mobile banking and payment services to its global network, VisaNet.  This integration will open closed loop systems, and provide consumers and merchants with unprecedented scale, functionality and acceptance beyond local geographic footprints.

IPv6 – The Time Has Come

For years warnings have been issued regarding the looming exhaustion of IP addresses under the current IP addressing scheme.  On January 31, 2011, the last two unreserved IANA /8 address blocks were allocated.  The clock has finally run down for IPv4.  The good news is, IPv4 address exhaustion only concerns the Internet and not the internal networks of most enterprises.  Most home users are unlikely to need to take any action, as their ISPs will manage the issues.

Internet Protocol version 4 is the communications protocol that has formed the foundation for most current Internet communications, technically described in IETF publication RFC 791.  Existing enterprise networks often use private IPv4 addresses internally and rely on NAT at the perimeter to access the Internet by sharing a few public IPv4 addresses among all their internal users.  There will be no immediate reason for this to change when IPv4 addresses are no longer available.  Internal applications will be able to use IPv4 for some time, even after the Internet migrates completely to IPv6.

IPv6 is the next-generation of the IP protocol.  Transitioning to IPv6 will soon become a requirement for enterprise networks.  IPv6 enables significantly more IP addresses to accommodate the continuously growing number of worldwide Internet users, and provides additional security features for Internet traffic.

Many mitigation strategies have been attempted to avoid the exhaustion of IPv4 addresses, but they have only extended the time available to migrate to IPv6.  The migration is inevitable, and the mitigations have had an undesired side effect.  In a survey recently conducted by Ipswitch, 88% of business networks appear to be unprepared for a change to IPv6.  66.1% say their networks are less than 20% ready, despite the fact that the last blocks of IPv4 addresses have already been allocated.

  • 0-20% ready – 66.1%
  • 20-40% ready – 9.6%
  • 40-60% ready – 6.5%
  • 60-80% ready – 5.8%
  • 80-100% ready – 12.0%
