Tag Archives: Sophos plc

Be Very Afraid of Scareware

CRITICAL ERROR MESSAGE! REGISTRY DAMAGED AND CORRUPTED! Confronted with a message like this, most computer users feel compelled to take urgent action. Fortunately, instructions for what to do are right in front of them: click on a box to scan the computer. Once the scan is complete, and dozens of infections have been identified, they must go to a security website and pay $49.99 to download software that will remove the infections and safeguard their systems.

“A lot of people feel that is $49.99 well spent,” notes Paul Ducklin, head of technology, Asia Pacific, for the security firm Sophos. “They don’t realize they’ve been fleeced.”

At best, the downloaded software will have done nothing. At worst, it could conceivably be malware that steals financial and password information, or causes the computer to distribute spam. The user has been the victim of “scareware” — bogus security software that pretends to find infections and then pretends to remove them after the user has paid for a license.

Scareware is a rapidly growing problem. “Approximately five to 50 new samples of scareware are turning up every day,” Ducklin says. There’s a good reason for scareware’s rapid growth: It’s the easiest way for criminals to make money on the Internet, with millions of frightened computer users paying to download the stuff every month. For obvious reasons, it’s hard to get precise information about exactly how much money scareware scares out of users. But by most estimates, scareware is a billion-dollar industry.

Sophisticated deception

One reason scareware is so lucrative is that much of it uses very sophisticated techniques to fool users. Many scareware warnings reference security threats in the news (such as the Conficker worm), or display the four-color shield logo of the Microsoft Windows Security Center. “The design is almost identical to Windows, so it all looks very inviting and non-threatening,” says Dennis Fisher, editor of threatpost, Kaspersky Lab’s security news site.

If users click to accept the scan, a realistic-looking animation will run, showing filenames flying by, much as they would during a real antivirus scan operation. Once the scan is complete, the software will report on the viruses it found. “Scareware often promises to find viruses other products miss,” Ducklin explains. “So, to really scare you, it’ll report on all sorts of exotic viruses that infect mobile phones, or unusual applications you probably don’t have installed. If you research them on bona fide websites, you’ll find they are listed as legitimate threats.”

The result of all this sophistication is that most people are deceived. And if you think your company’s users are different, consider this: In a recent experiment at North Carolina State University, 63 percent of participants were fooled into clicking on scareware — even though they’d been warned that some messages they saw would be fakes.

Protecting users

Given these figures, it’s smart to assume your company’s users are as likely to be sucked in by scareware as everyone else. Here are three steps that can help keep your computers scareware-free:

Make sure security is up-to-date, and consider blocking all pop-ups. Generally, there’s no reason to accept any kind of pop-up advertising, Fisher says. “Even if there’s no malware link in the pop-up, it could be sending users to sites you don’t want,” he says. A pop-up blocker can always be overridden if necessary.

Consider website filtering. “It can help to get some Web filtering software or appliance,” Ducklin says. “It will pre-filter websites your users are visiting, and analyze the content coming in from them. That way, if a user does fall for the trick, and tries to visit a bad site, you can head it off.”

Make sure users know what not to do. Education is your best tool in fighting scareware. Begin by making sure users know what brand of security software your company is using, and that no other security software should run on company-owned equipment.

Next, make sure they know that if a pop-up or balloon appears, they should not click anywhere on it. “Don’t touch it!” warns David Bateman, who leads the Internet Safety Group at K&L Gates, a law firm representing Microsoft in its joint lawsuits with Washington state against eight scareware purveyors. “Even if you think you’re clicking the X button to close the window, sometimes those are fake and will begin a download. But nothing can download without the user taking some action.” Instead, users should either use control-alt-delete to close the window from the Windows Task Manager, or call for IT assistance.

What if the balloon is a legitimate Windows Security Center warning? “If you need to run security software, open the Control Panel, go to the Windows Security Center, and run it from there,” Bateman advises. “That way, you’re safe.”

Small Businesses and Security: What, Me Worry?

For a small business, making sure your IT is cost effective but also safe and secure can be a daunting task. It may be tempting to ignore data security, assuming malicious attacks on data are only directed at larger organizations. Unfortunately, you do have to worry about security — whether you’re a one-person shop, have 10 employees, or more than 100. Just because your business doesn’t have millions of credit card or social security numbers to mine doesn’t mean you aren’t a target. Hackers will often target small businesses as “practice” for bigger hits, and the evils of phishing and viruses and worms can affect anyone — no matter who you are.

Leaving your business unprotected means running the risk of suffering a total data loss, something that can be catastrophic for a burgeoning business. Lost data means lost time. Productivity suffers when IT systems go down, and often a small business owner can spend tens of thousands of dollars just to get a system back up and running. In addition, many states have passed laws requiring that customers be notified of security breaches. There have been many high profile cases of companies acknowledging lost or stolen data, which can have a significant public relations impact on an organization.

So what can a small or mid-size business do to ensure data is safe and secure? The first step is to understand the threats.

Threats to small businesses

There are a number of security issues you should be aware of, and while some are simply inconvenient, others can result in your data being stolen or someone taking control of your network. Spam, spyware, worms, viruses and Trojans are just a few of the security issues that can result in a data disaster for your business.

As we all know, spam has become a major issue in both business and personal inboxes. But it isn’t just annoying. Spam can lead to malware infection, data loss, identity and financial theft, and other fraud. Never open an email from an unknown sender, and be sure to never open attachments from someone unfamiliar.

While spam is unsolicited and often inevitable, other types of security breaches can be prevented as long as you exercise caution when entering any network outside of your own. IT security firm Sophos recently released a report indicating that up to 90 percent of spam is now relayed from zombie computers hijacked by Trojan horses, worms, and viruses under the control of hackers. You can avoid the prospect of having one of your machines turn into a zombie computer by urging users to exercise caution when visiting websites and downloading documents or software. Often what appears harmless — a game or funny email — can contain malicious code and enter your network via a user download.

While most users in today’s business world are fairly savvy when it comes to these issues, just one user machine can make an entire network vulnerable, so it is essential to educate your users on the importance of exercising caution. Come up with specific company policies outlining the proper use of computers and procedures for downloading programs or applications.

Your people have the power

Unfortunately, it’s often not enough to encourage your employees to take IT security seriously. You should also evaluate your IT operations staff carefully. Whether your staff is small or large, it is essential that the people managing your network are technically competent and up to date on cutting-edge security features. If you don’t have an IT staff or are managing your network on your own, consider looking to a professional firm or hiring part-time staff to help you evaluate your current needs and ensure your company’s data security. Many small businesses choose to outsource IT operations to a vendor who can provide overall support for day-to-day operations and on-demand support for one-off issues.

While it may be tempting to have your 16-year-old nephew manage your network, there are a number of more reliable options to help you get the support you need. The number of IT support companies for small businesses is as long as the phone book by now, so take some time to do research about the best ones in your area. Ask other local business owners who they use and interview potential candidates to ensure they have the best resources for your specific needs. If you have specialized software programs or a large amount of data to store, you may have different security concerns from other businesses. Good IT support staff will evaluate your current setup and recommend potential changes to ensure your data is as secure as possible. They’ll also make recommendations to your end users on passwords and other security features. Make sure you are aware of the cost of help desk support and emergency situations for any solution provider you hire — those potential costs may outweigh the benefits of low upfront prices.

Your data is the DNA and lifeblood of your business. By taking steps to ensure its security, you’re setting the stage for growth and success.

Lisa Metcalfe is a Regional Practice Leader in the Technology Leadership Practice of Tatum LLC. Tatum is the nation’s largest executive services firm, providing financial and technology leadership nationwide.

The Malware Mess

Computer viruses have been around nearly as long as personal computers themselves. The first ones to show up “in the wild”–that is, beyond wherever they were created–debuted in the early 1980s, spreading from one Apple II machine to another via shared floppy disks. (A Ph.D. candidate coined the term “computer virus” in 1983.) In 1988, a Cornell graduate student released the first major Internet virus, a self-replicating program that flooded what was then an academic-research network, disabling several thousand computers. (The student, who insisted the damage was unintentional, received a sentence of probation, community service and a fine.)

Over the next decade, as the number of homes and businesses connected to the Internet grew rapidly, so did reports of problems from viruses and other “malware” – malicious software such as worms and Trojan horses. (For a selected sampling of top threats, see Most Memorable Malware.) By July 2006, experts had identified nearly 185,000 different viruses and other threats, according to malware expert Graham Cluley, senior technology consultant for Sophos plc, a U.K.-based antivirus firm. That’s up from an estimated 80,000 in early 2003. Threats proliferate quickly because as antivirus companies figure out how to eliminate one, several others–often closely related spin-offs–start popping up.

What do viruses and other malware programs do?

Some replicate themselves, flooding e-mail accounts with so much junk mail that systems slow or shut down. Some modify, delete or move files. Some find and forward important data (such as passwords). Some deposit spyware, adware or other unwanted programs on computer hard drives. More sophisticated ones open “back doors” that allow their creators to take remote control of computers to, for instance, coordinate a widespread attack on a particular website. Some are smart enough to disable antivirus programs. A newer threat, called a rootkit, conceals itself so that it can run undetected by a computer’s operating system or security software.

What’s out there right now?

Here are three of the threats most frequently reported to antivirus-software companies, as of July 2006:

Sober, debuted in October 2003 (several variants still circulating). Delivered via e-mail attachment. Sends e-mails with forged return addresses; disables antivirus software.

Netsky, debuted in February 2004 (many variants still circulating). Delivered via e-mail attachment. Sends e-mails enabling different functions; some variants cause users’ computers to beep at particular times.

Mytob, debuted in February 2005 (many variants still circulating). Delivered via e-mail attachment and network shared spaces; sends e-mails with forged return addresses; turns off antivirus applications; may permit remote access.

How much do malware attacks cost businesses?

It’s tough to find reliable numbers because there are no universal metrics for calculating damages. But when you figure in reduced productivity, missed business, the cost of software upgrades and the labor expenses associated with cleaning up and protecting systems, you can safely put the overall losses for each major outbreak in the millions. (In a few major cases, analysts set the global economic impact at $1 billion and up.) In 2005 alone, U.S. companies lost $15.7 million to virus outbreaks, according to the 2006 CSI/FBI Computer Crime and Security Survey conducted by the FBI and the San Francisco-based Computer Security Institute. In fact, such attacks accounted for 74 percent of all security-related financial losses–more than system break-ins, stolen hardware or data theft, according to the 11th annual survey (free download available; registration required). While many of the participants–executives from more than 600 U.S. companies–weren’t willing to estimate how much security problems cost them, those who did reported losses averaging nearly $168,000. Even for smaller organizations, malware can take a toll in terms of productivity: Another research organization, Mechanicsburg, Pa.-based ICSA Labs, says businesses typically lose about nine “person-days” to recovering from every malware incident.

How can companies protect themselves against such attacks?

Experts recommend that you:

Take a big-picture approach. Look at security as a business imperative, not just a “tech problem.” Given ongoing concerns about cyberterrorism, it’s worth encouraging all executives and managers to stay informed about the latest threats.

Keep corporate firewalls updated. Make sure that your IT team monitors event logs for early evidence of attacks or intrusions.

Invest in maximum-strength antivirus software for every computer, including those used by remote, mobile and contract workers. Insist that employees regularly update the software–or make it happen automatically, if possible.

Monitor incoming e-mail with virus-scanning software that deletes infected messages and quarantines spam (which can carry viruses and worms).

Make sure both your overall systems and employees’ individual machines get backed up regularly to ensure that critical data is preserved even if original files are attacked.

Establish procedures for safe network file-sharing; otherwise, when workers move files between computers, they may inadvertently pass along viruses or worms as well.

Instruct employees to remain vigilant about incoming e-mail. The old warning about not opening messages and attachments from strangers still stands. But users should be equally cautious with e-mails that may initially seem to come from acquaintances, because malware often spreads by co-opting real e-mail addresses. A weird subject line–one containing misspellings or a reply to a message that the recipient didn’t send–often signals the presence of a virus or a worm. Bottom line: When in doubt, delete.

The Basics: What is Phishing?

It used to be that so-called “phishers” only focused on large international financial institutions — such as Barclays Bank or Citibank — when sending out fraudulent e-mails that tried to imitate the look and feel of correspondence from those firms in order to scam customers. But now law enforcement authorities warn that phishers are invoking the names of local banks and smaller financial firms in their e-mail scams.

Phishing is a scam that attempts to lure recipients of the phony e-mails into going to a fake Web site and keying in account or password data — information which then becomes the basis for identity theft. There were 255,000 reports of identity theft in the U.S. last year, according to the U.S. Federal Trade Commission, and phishing scams were a leading cause. But the recipient isn’t the only one vulnerable in these scams — the business’ brand and reputation is also harmed. That’s why business leaders need to be aware of the growing threat from phishing and the need to take steps if their firms become targets, such as notifying authorities and warning customers.

What is Phishing?

Phishing is a form of online identity theft that employs both social engineering and technical subterfuge to steal consumers’ personal identity data and financial account credentials, according to the Anti-Phishing Working Group (APWG), an industry and law enforcement association dedicated to combating phishing. While immediate concern is often focused on the individual receiving the spoofed e-mail claiming to be a legitimate request for personal information, targeted companies are affected in a number of ways.

Who are the Targets?

Damage caused by phishers makes consumers wary of an otherwise respected brand. Financial institutions including Barclays Bank — which McAfee, the security software maker, refers to as BarcPhish — are the most prevalent phishing targets. PayPal and eBay are also heavily hit. Security firm SophosLabs estimates that over 75 percent of all phishing e-mail targets PayPal and eBay users, coaxing recipients to log into their accounts on a hijacked site where scammers can grab account info and other personal data.

More recently, however, the APWG has been tracking phishing attempts invoking the names of smaller financial institutions, such as Sky Financial and LaSalle Bank. The number of hijacked brands is on the rise, according to the APWG. In July, there were 154 brands targeted, up from 130 the previous month. The number of new phishing sites also increased to 14,191 from 10,047 in June, the group says. To put the threat to your business in perspective, phishing accounts for less than 0.3 percent of all e-mails sent, according to Kaspersky Lab.

What Can a Company Do?

Halting fraudulent e-mails is a challenge yet to be solved. Many companies that become targets focus on educating customers on how to look for warning signs. They also notify customers about what types of messages they should and shouldn’t expect to receive from the institution. One of the easiest steps a company can take to combat phishing is to post a statement on the company website notifying customers that phishing e-mails are being sent illegally and advising them what type of legitimate correspondence the company sends. Some companies make it a policy to only communicate with customers through paper mail instead of e-mail, and others say they never e-mail to ask a customer to input bank account and password information.

Education in-house also helps reinforce safety. Visiting sites set up by phishers can often install keyloggers and other malicious programs on unknowing users’ machines. Having such programs reside on office or home computers can spread threats from personal identity theft — which is serious in itself — to corporate data breaches.

Even if they haven’t yet been targeted, some financial firms may want to warn customers about phishing red flags, such as e-mails with links to sites that ask for highly detailed information. On the surface, these e-mails to businesses and individuals often look convincing, use official-sounding descriptions, logos from actual companies or banks, and a convenient link to help you sort out a problem or address another concern. “Is somebody asking me to confirm my account detail including username, password and credit card info?” asks Shane Coursen, senior technical consultant at Kaspersky Lab. “If so, this is the first and most obvious sign that the e-mail is a fraud.” Companies should tell their customers that, instead of replying or clicking on the link, the best thing to do is to forward the e-mail to the company. Most importantly, tell them not to click on any link.
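The red flags in the two articles above can be turned into a mechanical first pass over inbound mail: Coursen’s “most obvious sign” (a request to confirm username, password or card details), a link to a site outside the domains the company actually uses for correspondence, a sender outside those domains, a “Re:” subject replying to a message the recipient never sent, and an attachment that executes when opened. The following triage routine is an added example written for this page, not code from Sophos, Kaspersky Lab, the APWG or any firm quoted here. The Message fields, the phrase list, the extension list, the domain allow-list and the three sample messages are all constructed for illustration; a real deployment would feed it parsed MIME messages and tune the lists to its own mail.

```python
"""Heuristic triage of inbound e-mail for phishing and mass-mailer red flags.

Added example for this page; every list and sample below is constructed.
"""
import re
from dataclasses import dataclass, field
from typing import Iterable, List, Set, Tuple
from urllib.parse import urlparse


@dataclass
class Message:
    """Minimal view of a parsed e-mail (constructed structure, not a real MIME API)."""
    sender: str
    subject: str
    body: str
    links: List[str] = field(default_factory=list)
    attachments: List[str] = field(default_factory=list)


# Wording that asks the reader to hand over credentials; the page's "first and most obvious sign".
CREDENTIAL_PHRASES = ("confirm your account", "verify your account",
                      "username", "password", "credit card")

# Attachment types that run code when opened (constructed list for the example).
RISKY_EXTENSIONS = (".exe", ".scr", ".pif", ".bat", ".vbs")


def domain_of(address_or_url: str) -> str:
    """Return the lower-cased host of an e-mail address or a URL."""
    if "@" in address_or_url and "://" not in address_or_url:
        return address_or_url.rsplit("@", 1)[1].strip(">").lower()
    return (urlparse(address_or_url).hostname or "").lower()


def is_known(domain: str, known: Iterable[str]) -> bool:
    """True if domain is one of the allow-listed domains or a subdomain of one."""
    return any(domain == k or domain.endswith("." + k) for k in known)


def triage(msg: Message, known_domains: Set[str],
           sent_subjects: Set[str]) -> List[Tuple[str, str]]:
    """Return (code, detail) findings; an empty list means nothing looked wrong."""
    findings: List[Tuple[str, str]] = []

    sender_domain = domain_of(msg.sender)
    if not is_known(sender_domain, known_domains):
        findings.append(("SENDER_DOMAIN", sender_domain))

    body_lc = msg.body.lower()
    for phrase in CREDENTIAL_PHRASES:
        if phrase in body_lc:
            findings.append(("CREDENTIAL_REQUEST", phrase))
            break  # one hit is enough; report the first phrase matched

    for link in msg.links:  # a link to a site the company does not use is a red flag
        link_domain = domain_of(link)
        if not is_known(link_domain, known_domains):
            findings.append(("EXTERNAL_LINK", link_domain))

    # A reply to a message the recipient never sent is a classic mass-mailer tell.
    match = re.match(r"\s*re:\s*(.*)", msg.subject, re.IGNORECASE)
    if match:
        original = match.group(1).strip().lower()
        if original not in {s.lower() for s in sent_subjects}:
            findings.append(("PHANTOM_REPLY", msg.subject))

    for name in msg.attachments:
        if name.lower().endswith(RISKY_EXTENSIONS):
            findings.append(("RISKY_ATTACHMENT", name))

    return findings


def verdict(findings: List[Tuple[str, str]]) -> str:
    """Map findings to an action: quarantine, flag for the user, or deliver."""
    codes = {code for code, _ in findings}
    if "RISKY_ATTACHMENT" in codes or {"CREDENTIAL_REQUEST", "EXTERNAL_LINK"} <= codes:
        return "quarantine"
    return "flag" if codes else "deliver"


# Constructed sample data: the company's own correspondence domains and subjects it has sent.
KNOWN_DOMAINS = {"examplebank.test"}
SENT_SUBJECTS = {"Quarterly figures"}

PHISH = Message(
    sender="alerts@examplebank-secure.test",
    subject="Urgent: your account has been suspended",
    body="Please confirm your account details including username and password at the link below.",
    links=["http://examplebank-secure.test/login"],
)
LEGIT = Message(
    sender="news@examplebank.test",
    subject="Your monthly statement is ready",
    body="Your monthly statement is available in online banking.",
    links=["https://www.examplebank.test/statements"],
)
WORM = Message(
    sender="coworker@partner.test",
    subject="Re: your document",
    body="See attached.",
    attachments=["document.scr"],
)

if __name__ == "__main__":
    for label, msg in (("phish", PHISH), ("legit", LEGIT), ("worm", WORM)):
        found = triage(msg, KNOWN_DOMAINS, SENT_SUBJECTS)
        print(f"{label}: {verdict(found)} {found}")
```

The allow-list is the operational counterpart of the advice to tell customers “what type of legitimate correspondence the company sends”: once that is written down, any mail or link that falls outside it can be treated as suspect by software rather than by a hurried reader. The lists here are deliberately short; in practice they are the part that needs the most care, since a phrase list that is too broad will flag the company’s own “we never ask for your password” reminders.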

The Malware Mess

Computer viruses have been around nearly as long as personal computers themselves. The first ones to show up “in the wild”–that is, beyond wherever they were created–debuted in the early 1980s, spreading from one Apple II machine to another via shared floppy disks. (A Ph.D. candidate coined the term “computer virus” in 1983.) In 1988, a Cornell graduate student released the first major Internet virus, a self-replicating program that flooded what was then an academic-research network, disabling several thousand computers. (The student, who insisted the damage was unintentional, received a sentence of probation, community service and a fine.)

Over the next decade, as the number of homes and businesses connected to the Internet grew rapidly, so did reports of problems from viruses and other “malware”–malicious software such as worms and Trojan horses. (For a selected sampling of top threats, see Most Memorable Malware.) By July 2006, experts had identified nearly 185,000 different viruses and other threats, according to malware expert Graham Cluley, senior technology consultant for Sophos plc, a U.K.-based antivirus firm. That’s up from an estimated 80,000 in early 2003. Threats proliferate quickly because as antivirus companies figure out how to eliminate one, several others–often closely related spin-offs–start popping up.

What do viruses and other malware programs do? Some replicate themselves, flooding e-mail accounts with so much junk mail that systems slow or shut down. Some modify, delete or move files. Some find and forward important data (such as passwords). Some deposit spyware, adware or other unwanted programs on computer hard drives. More sophisticated ones open “back doors” that allow their creators to take remote control of computers to, for instance, coordinate a widespread attack on a particular website. Some are smart enough to disable antivirus programs. A newer threat, called a rootkit, conceals itself so that it can run undetected by a computer’s operating system or security software.

What’s out there right now? Here are three of the threats most frequently reported to antivirus-software companies, as of July 2006:

Sober, debuted in October 2003 (several variants still circulating). Delivered via e-mail attachment. Sends e-mails with forged return addresses; disables antivirus software.

Netsky, debuted in February 2004 (many variants still circulating). Delivered via e-mail attachment. Sends e-mails enabling different functions; some variants cause users’ computers to beep at particular times.

Mytob, debuted in February 2005 (many variants still circulating). Delivered via e-mail attachment and network shared spaces; sends e-mails with forged return addresses; turns off antivirus applications; may permit remote access.

How much do malware attacks cost businesses? It’s tough to find reliable numbers because there are no universal metrics for calculating damages. But when you figure in reduced productivity, missed business, the cost of software upgrades and the labor expenses associated with cleaning up and protecting systems, you can safely put the overall losses for each major outbreak in the millions. (In a few major cases, analysts set the global economic impact at $1 billion and up.) In 2005 alone, U.S. companies lost $15.7 million to virus outbreaks, according to the 2006 CSI/FBI Computer Crime and Security Survey conducted by the FBI and the San Francisco-based Computer Security Institute. In fact, such attacks accounted for 74 percent of all security-related financial losses–more than system break-ins, stolen hardware or data theft, according to the 11th annual survey (free download available; registration required). While many of the participants–executives from more than 600 U.S. companies–weren’t willing to estimate how much security problems cost them, those who did reported losses averaging nearly $168,000. Even for smaller organizations, malware can take a toll in terms of productivity: another research organization, Mechanicsburg, Pa.-based ICSA Labs, says businesses typically lose about nine “person-days” to recovering from every malware incident.

How can companies protect themselves against such attacks? Experts recommend that you:

Take a big-picture approach. Look at security as a business imperative, not just a “tech problem.” Given ongoing concerns about cyberterrorism, it’s worth encouraging all executives and managers to stay informed about the latest threats.

Keep corporate firewalls updated. Make sure that your IT team monitors event logs for early evidence of attacks or intrusions.

Invest in maximum-strength antivirus software for every computer, including those used by remote, mobile and contract workers. Insist that employees regularly update the software–or make it happen automatically, if possible.

Monitor incoming e-mail with virus-scanning software that deletes infected messages and quarantines spam (which can carry viruses and worms).

Make sure both your overall systems and employees’ individual machines get backed up regularly to ensure that critical data is preserved even if original files are attacked.

Establish procedures for safe network file-sharing; otherwise, when workers move files between computers, they may inadvertently pass along viruses or worms as well.

Instruct employees to remain vigilant about incoming e-mail. The old warning about not opening messages and attachments from strangers still stands. But users should be equally cautious with e-mails that may initially seem to come from acquaintances, because malware often spreads by co-opting real e-mail addresses. A weird subject line–one containing misspellings or a reply to a message that the recipient didn’t send–often signals the presence of a virus or a worm. Bottom line: When in doubt, delete.

How to Avoid Scammers, Spammers and the Rest of the Bad E-guys

The first e-mail message was sent sometime in the early 1970s by Ray Tomlinson, an English computer engineer working for the Defense Department’s Advanced Research Projects Agency. Nobody remembers what it said: possibly “testing” or “QWERTY.” Tomlinson wasn’t thinking about history; he was just trying to create a quick, informal way for a closed universe of research scientists to communicate with one another. Ease of use was the point, not security. Defense scientists 30 years ago, after all, did not have to worry about armies of malicious nerds with laptops and cable modems. The openness of e-mail, though, the thing that makes it so revolutionary, is also what makes it so vulnerable to viruses, worms, ID theft, denial-of-service attacks, and a host of other threats.

Scammers are constantly cooking up new ways to use your e-mail system against you. Phishing attacks, for instance. Your employees or customers get an official-looking e-mail saying there is a problem with, say, their credit card account. Would they please click on the link below, then type in their account or Social Security number? MessageLabs, a security firm that tracks phishing attacks, says the number of phishing e-mails grew to 4.5 million in November 2004 from 337,050 that January. Then there’s spam. The Radicati Group estimates that 45% of all e-mail is spam; other experts think it may be as much as 80%. According to Ferris Research, an e-mail and communications consulting firm, the worldwide cost in lost productivity and resources devoted to fighting spam will be $50 billion in 2005, more than a third of that coming from U.S. companies. It’s not all bad news, though. Anti-spam laws have started to show some teeth. In April, Jeremy Jaynes, who was reportedly sending out 10 million junk e-mails a day, was convicted of felony charges in Virginia and sentenced to nine years in prison. Couldn’t have happened to a nicer guy.

As you may have noticed, though, spam, viruses, and the rest haven’t gone away. You still have to protect yourself. Which defense is best for you is a function of how big your business is and how much control you want over your security. Many fixes can help not only with keeping your system safe but also with archiving messages and making sure your system complies with your policies and the law. One solution may not be enough. “You cannot expect to buy a single layer of security protection and sleep at night,” says Sara Radicati, of the Radicati Group. Your choices fall into three main categories.

Managed Services

Letting somebody else do it is an attractive option if you have a modest (or nonexistent) IT staff. The tradeoff is loss of control: You’re trusting an outsider with a key part of your business. Managed providers offer a range of security services that include spam filtering, virus protection, encryption, mail monitoring for compliance with regulations or company policy, and even archiving. Fees are typically per user, per month or year, and the price generally drops the more licenses you buy. Most vendors offer 30-day free trials. Postini’s Perimeter Manager Small Business Edition (starts at $25 per user per year) includes protection from spam, phishing, and viruses. It also provides defense against directory harvest attacks, in which cyber miscreants try to get your employees’ e-mail addresses by bombarding your server with messages sent to every possible address–jfried@inc.com, johnfried@inc.com, etc.–and seeing which ones bounce back. Perimeter Manager handles only inbound e-mail, however. If you need to keep tabs on internal or outbound mail, too, you can upgrade to Postini’s enterprise edition (starts at $33 per user). SingleFin’s Global Gateway Service includes e-mail, Web, and instant messaging content filtering, as well as archiving ($12 a month, or free for businesses with fewer than 10 users). A light version of the suite, which simply marks spam and forwards it along to you and also filters out viruses, is free for any number of users. MessageLabs offers anti-virus, anti-spam, content, and policy control services. Pricing is based on company size. A business with 250 to 499 employees, for instance, pays a monthly $3.83 per feature per user. Other big players worth checking out in managed services are Frontbridge, Symantec, and McAfee.

Appliances

Not refrigerators or microwave ovens. These are security hardware systems–literally boxes that contain e-mail watchdog and filtering systems. They are the fastest-growing segment of the security industry, according to the Radicati Group. They are generally easy to install and customize, and they leave your own tech people in charge. Appliances are, however, not cheap. IronPort’s C-series comes in four sizes, depending on the number of people in your business. The midline C10 (around $9,000) is designed for companies with up to 1,000 employees and features anti-spam and virus protection, as well as content filtering for policy enforcement and monitoring. CipherTrust’s IronMail appliance (starts at $5,995 for the S-10 model, which is designed for companies with 100 or fewer users) has strong compliance tools. Other companies that make security hardware include Borderware, Barracuda Networks, Mirapoint, and Aladdin.

Software

Security software is plentiful and comparatively cheap. Most security experts, though, say this stuff is most effective when used in combination with an appliance or a managed service. They also warn that, given the constant evolution of viruses and other threats, you (or your IT staff) may be constantly managing patches and updates. WebRoot’s Spy Sweeper Enterprise ($300 for a one-year subscription with 10 licenses) and PepiMK Software’s SpyBot Search & Destroy (free) will keep your business computers clean of spyware programs, which can steal your data or even turn your computers into spam-generating “zombies.” Symantec’s Norton AntiSpam 2005 ($320 for a 10-user pack) will clean your computer of junk mail; Computer Associates’ Server Protection Suite ($1,055 for five users) offers a range of security tools, including anti-virus, anti-spam, and spyware protection; Clearswift’s MIMEsweeper ($2,628 for 100 licenses) series has a variety of monitoring software solutions; Sophos’ PureMessage Small Business Edition ($2,850 for 100 users) offers protection from viruses and spam; TrendMicro’s NeatSuite for Small and Medium Businesses ($59.34 per user for 25 to 100 users) has anti-virus, anti-spam, and content security.
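The directory harvest attack described under Managed Services above leaves a distinctive trace on the receiving mail server, which is where a defender can catch it without buying anything: a burst of “user unknown” rejections from one client against many different local addresses. The Python below is an added example, not code from the article or from any vendor it names; it parses constructed reject lines in an assumed, Postfix-like format (the regex is the part you would adapt to your own MTA) and flags clients that hit many distinct unknown recipients inside a short window, while ignoring a sender who merely mistyped one address.

```python
"""Spot a directory harvest attack in mail-server reject logs.

The probing described in the article (messages to jfried@, johnfried@, ...
to see which bounce) shows up on the receiving MTA as a burst of
"user unknown" rejections from one client address against many distinct
local recipients. The log format used here is a simplified, Postfix-like
shape assumed for this example, not a real server's; adjust REJECT_RE.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed (constructed) reject-line format.
REJECT_RE = re.compile(
    r"^(?P<ts>\S+) \S+ smtpd: reject RCPT from (?P<ip>[\d.]+) "
    r"to=<(?P<rcpt>[^>]+)> status=550 user-unknown$"
)


def _reject(ts, ip, rcpt):
    """Build one constructed reject line in the assumed format."""
    return f"{ts} mx1 smtpd: reject RCPT from {ip} to=<{rcpt}> status=550 user-unknown"


# Constructed sample log (not from a real server). Three client behaviours:
# a legitimate sender with one typo, a harvester guessing eight addresses
# in 35 seconds, and a slow sender whose six unknowns are 6 minutes apart.
ATTACKER = "203.0.113.7"
GUESSES = ["jfried", "johnfried", "john.fried", "jfried1", "friedj", "jf", "john", "fried"]
SAMPLE_LOG = (
    ["2006-07-12T08:59:50 mx1 smtpd: accept RCPT from 198.51.100.20 to=<sales@example.com>",
     _reject("2006-07-12T09:00:10", "198.51.100.20", "slaes@example.com")]
    + [_reject(f"2006-07-12T09:01:{5 * i:02d}", ATTACKER, f"{g}@example.com")
       for i, g in enumerate(GUESSES)]
    + [_reject(f"2006-07-12T09:{10 + 6 * i}:00", "192.0.2.9", f"old{i}@example.com")
       for i in range(6)]
)


def parse_rejects(lines):
    """Return (timestamp, client_ip, recipient) for each user-unknown reject."""
    events = []
    for line in lines:
        m = REJECT_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["ip"], m["rcpt"].lower()))
    return events


def detect_harvesters(lines, window_minutes=5, min_unknown=5):
    """Map client IP -> peak number of distinct unknown recipients it hit
    inside any sliding window, for clients reaching min_unknown.

    Counting distinct recipients (not raw rejects) keeps a user who retries
    one misspelled address from being flagged."""
    window = timedelta(minutes=window_minutes)
    by_ip = defaultdict(list)
    for ts, ip, rcpt in parse_rejects(lines):
        by_ip[ip].append((ts, rcpt))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        in_window = defaultdict(int)  # recipient -> rejects currently inside the window
        left = peak = 0
        for ts, rcpt in events:
            in_window[rcpt] += 1
            while events[left][0] < ts - window:  # evict rejects older than the window
                old = events[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            peak = max(peak, len(in_window))
        if peak >= min_unknown:
            flagged[ip] = peak
    return flagged


def probed_recipients(lines, ip):
    """Distinct local addresses a given client tried; handy for the incident write-up."""
    return sorted({rcpt for _, src, rcpt in parse_rejects(lines) if src == ip})


if __name__ == "__main__":
    for ip, peak in detect_harvesters(SAMPLE_LOG).items():
        print(f"{ip}: {peak} distinct unknown recipients within one 5-minute window")
        print("  probed:", ", ".join(probed_recipients(SAMPLE_LOG, ip)))
```

With the defaults only the harvester is reported; widening the window to an hour also catches the slow sender, which is the tuning trade-off between catching patient probes and flagging ordinary typos.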

System Alert: You’ve Got…Worms

As anyone who has an e-mail account knows, the past few weeks have seen unprecedented virus attacks on computers around the world. With names like Sobig, Blaster, and Welchia, these viruses are the bane of many an IT department — not to mention an “I-was-here” calling card for their nose-thumbing authors. No longer confined to e-mail attachments, the latest worms can spread through the Internet, wreaking havoc as they take advantage of vulnerabilities in exposed computers. A company’s entire network can be brought to its knees in minutes — and many recently were — as infected machines become mass-mailers that cause the virtual equivalent of clogged arteries. Was the recent spate of attacks just more of the same — or are virus writers beginning to infect computers with other gains in mind? Experts at Wharton and elsewhere weigh in on possible motives, what businesses should do to protect themselves — and which industry sectors stand to gain from the chaos.

Malicious Code or Marketing Tactic?

Some media reports suggest that a few of the present crop of viruses differ from those that infected computer systems in the past. One difference, they say, is that these bugs can capture e-mail addresses as well as IP addresses “that can later be used to generate massive amounts of spam.” How real is that concern? While it’s tempting to wonder whether the latest viruses are being unleashed with a profit motive — and the goal of using computers to send spam — most people agree that it’s unlikely. “The haxors [a term derived from “elite hacker”] and ‘script kiddies’ who write viruses actually hate spammers,” notes Dan Hunter, a professor of legal studies at Wharton. “It doesn’t seem likely that they would get into bed together. The recent big viruses have been e-mail viruses because it’s easy to exploit — since Microsoft Outlook is so pervasive and so buggy — and they cause huge problems. Most people run some type of mail client, as exploited by Sobig; quite a few people run SQL Server, as exploited by Slammer. This explains the pervasiveness of mail viruses better than the idea of a grand conspiracy of spammers.” What’s more, says Hunter, it’s not worth the grief: “Viruses are clearly illegal in many jurisdictions, whereas spam isn’t. Why would a spammer, or a conspiracy of spam enablers, subject herself to criminal prosecution when it’s unnecessary?”

Chris Belthoff, senior security analyst in the U.S. office of Sophos, a U.K.-based anti-virus protection firm, has seen no direct evidence that new spam messages have been sent from infected machines. However, he notes, it’s not impossible. “The author of the most recent Sobig virus variant almost certainly used some heavy-duty spamming techniques to initially distribute the virus, which is the main reason it caused so many problems. While there is no hard proof that e-mail addresses are being harvested with recent viruses, it is certainly possible to do so on an infected system with some fairly simple techniques.” Due to the nature of e-mail addresses, moreover, it would be difficult to follow a money trail even if it did exist. “Since this pure information product can be gathered, sold, and used without ever taking on physical form like a CD or printout of names, it’s very difficult to track who’s profiting from it,” says David Croson, visiting professor of management science at MIT’s Sloan School of Management.

Stay Current or Else

While estimates of the exact economic impact of viruses vary widely, just about everyone agrees that the costs to business are substantial. So what should firms do to protect themselves from a virtual blackout? “Companies not only need to ensure virus protection is in place on every single system (especially remote and mobile systems) but that virus protection programs on these systems are kept up-to-date with automated methods,” says Belthoff. Patches — software fixes that close holes in programs — need to be applied regularly, he adds. “Security policies for all companies need to include detailed steps on identifying new vulnerabilities, quickly testing available patches, and deploying them.” A third consideration is end users: “IT departments should feel compelled to either directly lead or heavily influence end-user training for security issues, getting the end users to be more security-aware,” says Belthoff. Wharton chief information officer Gerry McCartney notes that security needs to be an organization-wide endeavor. “If all the energy is put into guarding the perimeters of the organization — but people inside don’t feel the need to be vigilant — then large-scale bad things can happen if the perimeter security is broken. Organizations need to be vigilant in terms of keeping their machines fully patched and acting quickly and decisively to remove infected machines from their network, no matter who they belong to or what they do.”

Shuttering the Windows

Since most viruses target Microsoft programs, the obvious question in many an IT manager’s mind is: Is it wiser to switch to another system, such as Macintosh or Linux? Hunter believes that for some firms, going the non-Windows route could make sense. “I think that some businesses will look to other platforms and factor virus costs into their IT departments. Linux and Mac — which of course uses UNIX — are inherently more stable than Windows, and the security on the applications tends to be better. They are also, because of their low user base, a much less attractive target for virus writers. As a result I’m sure there are some places that are looking at their total computing infrastructure costs and realizing that migrating to another operating system is going to be cheaper in the long run than maintaining Windows. Microsoft has been trying to push its ‘trustworthy computing’ initiative, one major component of which is resistance to viruses. Recent events haven’t helped their position.”

Croson points out, however, that viruses would probably go wherever the users are. “Remember, Windows is a target of opportunity because (a) it’s popular, so the fixed cost of writing a worm to attack it can be spread over a lot of computers that it could infect, and (b) users of the Windows OS are, on average, less sophisticated than, say, Linux users. If the majority of systems — especially those run by novice users, who don’t really understand operating systems or security — were Mac, then the worms would attack Macs. Thinking about the supply-side incentives for people to produce viruses will give us more insight into how to defend against them, by learning how to automatically defend against prosaic ‘script-kiddie’ viruses and making it not worthwhile to create really clever ones.” In addition, the costs of switching are not insignificant, cautions Belthoff. “Migration to Linux or Mac from Windows may appear attractive at first glance to someone dealing with a major virus infection and cleanup tasks. However, migration costs are sometimes more than they initially appear, particularly with Linux. The cost of the operating system is only one of several cost factors. Others are initial deployment, training or hiring of proper IT personnel, maintenance, and migration of applications to the new platform.” Besides, migrating isn’t a cure-all, he adds. “It is important to note that, although Mac and Linux systems were not ‘infectable’ directly from Sobig.f, users of these platforms could suffer just as much as Windows users from all the resulting e-mail bounce backs and undeliverable returns caused by the worm. From that perspective, you couldn’t hide from Sobig by being on Mac or Linux.”

Place Your Bets

Not surprisingly, one firm’s infection is another’s profit opportunity, and several players are emerging to take advantage of it. “The big winners will be data security vendors,” says McCartney. “Between people’s concerns about what and how personal data is stored and available and these continuous security compromises, there is a strong argument to be made that most places are not yet doing enough to protect their data assets.” Anti-virus vendors and intrusion prevention firms aren’t the only gainers, adds Belthoff. “There is also increased interest on the part of organizations in performing some form of ‘lockdown’ on the end-user desktop, which would drive increased interest in personal firewall and content filtering vendors.” Established players like Norton and Symantec, notes Hunter, may be joined by new entrants in such niches as plug-ins for mail clients. Alternative platforms will likely tout their superiority, too: “Apple and the Linux-purveyors will probably use this as a marketing benefit. Why wouldn’t they?”

All materials copyright of the Wharton School of the University of Pennsylvania.