There's a nasty bug going around the Web that targets developers.
When a developer visits an infected site, the page installs a virus on their machine that silently copies the passwords stored in FileZilla, CuteFTP, and possibly other File Transfer Protocol (FTP) client software, and sends them to a central server. The server then runs a bot that logs in to every site for which credentials have been stolen and injects an iframe attack into many of its pages, spreading the infection further.
Infected sites occasionally break if they use the Web scripting language PHP, but most keep working, and so go on infecting more visitors with the virus.
When a search engine such as Google detects the infection on a site, it may remove the site from its index, which costs the site owner money. Some browsers also flag the site as infected and show a warning that scares users away.
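A site owner who suspects this kind of compromise can check the site's own files for the injected frames before a search engine does. The following scanner is an added example, not code from the original post: it walks a directory of PHP/HTML/JS files and reports any iframe that a visitor would never see (zero or one-pixel size, hidden via CSS, or positioned far off-screen), which is the shape such injections usually take. The heuristics, the sample files and the hostnames in them are constructed for illustration and are not indicators from any real campaign.

```python
"""Scan a site's files for hidden iframes of the kind the injection bot leaves behind.

Added example, not code from the original post. The heuristics and the sample
files are constructed; treat a hit as a lead for manual review of that file,
not as proof of compromise.
"""
import re
import tempfile
from pathlib import Path
from typing import Dict, List

# An <iframe> a visitor would never see: zero/one-pixel size, CSS-hidden,
# or positioned far off-screen. Injected frames almost always use one of these.
HIDDEN_IFRAME_RE = re.compile(
    r"""<iframe\b[^>]*?(?:
          display\s*:\s*none
        | visibility\s*:\s*hidden
        | (?:width|height)\s*=\s*["']?\s*[01](?:px)?\b
        | (?:left|top)\s*:\s*-\d{3,}px
        )[^>]*>""",
    re.IGNORECASE | re.DOTALL | re.VERBOSE,
)
SRC_RE = re.compile(r"""src\s*=\s*["']([^"']+)["']""", re.IGNORECASE)


def find_hidden_iframes(html: str) -> List[str]:
    """Return the src of each iframe in `html` that matches a hidden-frame heuristic."""
    hits: List[str] = []
    for tag in HIDDEN_IFRAME_RE.finditer(html):
        src = SRC_RE.search(tag.group(0))
        hits.append(src.group(1) if src else "<no src>")
    return hits


def scan_tree(root: Path, suffixes=(".php", ".html", ".htm", ".js")) -> Dict[str, List[str]]:
    """Walk `root`; map each affected file (POSIX-style relative path) to its hidden iframe srcs."""
    findings: Dict[str, List[str]] = {}
    for path in root.rglob("*"):
        if path.is_file() and path.suffix.lower() in suffixes:
            hits = find_hidden_iframes(path.read_text(errors="replace"))
            if hits:
                findings[path.relative_to(root).as_posix()] = hits
    return findings


# Constructed sample files. The "injected" ones mimic the shape of a hidden
# iframe appended to a page; the hostnames are placeholders, not real indicators.
SAMPLE_CLEAN = (
    "<html><body><p>About us</p>\n"
    '<iframe src="https://video.example/embed/123" width="560" height="315"></iframe>\n'
    "</body></html>\n"
)
SAMPLE_INJECTED = (
    "<?php include 'header.php'; ?>\n"
    "<p>Welcome</p>\n"
    '<iframe src="http://injected.example/in.php" width="0" height="0" '
    'style="visibility:hidden"></iframe>\n'
)
SAMPLE_OFFSCREEN = (
    "<div id='footer'>(c) 2009</div>\n"
    '<iframe style="position:absolute;left:-9999px" src="http://offscreen.example/c"></iframe>\n'
)


def demo() -> Dict[str, List[str]]:
    """Write the samples into a temporary site tree and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "inc").mkdir()
        (root / "about.html").write_text(SAMPLE_CLEAN)
        (root / "index.php").write_text(SAMPLE_INJECTED)
        (root / "inc" / "footer.php").write_text(SAMPLE_OFFSCREEN)
        return scan_tree(root)


if __name__ == "__main__":
    for file, srcs in sorted(demo().items()):
        print(f"{file}: hidden iframe(s) pointing to {', '.join(srcs)}")
```

Run it against a local copy of the site (`scan_tree(Path("/path/to/site"))`) after pulling the files down over a connection you trust; the legitimate, visible embed in the clean sample is not reported, while the two injected frames are. A regex scanner is deliberately cheap and will miss frames assembled by obfuscated JavaScript, so pair it with a comparison against a known-good backup of the site.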
This attack is interesting because of the way it spreads, and the risk to developers. I would not want to be the freelance Web professional who has to explain to a few dozen clients why their sites all got hacked.
Presumably, this attack vector will eventually be used to install a payload, such as software for sending spam or executing denial-of-service attacks. After all, today's best malware is all about making money.
Big sites have security measures that would probably protect them. But what if a few million small sites are compromised and used to launch a coordinated attack? As we recently saw with Twitter's vulnerability to distributed denial-of-service attacks, there's no such thing as "not my problem" on a shared network like the Internet.
The lessons to be learned here include:
Website owners should provision a unique FTP password for each developer so that access can be revoked later without disrupting anyone else. Hosting providers often issue a master login that provides access to both their hosting control panel (cPanel or Plesk) and FTP, and typically users cannot disable or change the password on this account. If the master account is compromised, you'll need to contact the hosting provider's support, which can be slow. To avoid this risk, don't allow anyone to store the master account password in an FTP program.
Developers should inform owners promptly if a security breach occurs so that the owners can change passwords. If a developer has access to the hosting controls, they should consider changing the passwords immediately, using a secure machine.
Developers must take extra precautions to avoid infection of their machines, including installation of the latest OS, browser, and browser plug-in (e.g., Acrobat) patches. Developers should also use a tool like NoScript, which prevents unknown scripts from running in the browser, to avoid infection via malicious scripts.
Several products do this, and yes, it should be the standard. But it is costly. That's one of the problems we face in the security field. I know you are well aware.
Limited budgets are the fact of life. We (security) compete with business groups for money. When compared to a new project that has the potential to bring an increase in revenue, the security tool fails miserably.
It's only been since the age of regulatory compliance (with financial impact) that we've been able to get an edge in the budget game.
I can only imagine where we would be if the NAC solutions were in place and protecting us on a daily basis... Ah Utopia!
ISPs could run pen tests on client machines. They could also scan in and outbound traffic, identify the bots and disconnect them. The reason they don't do any of that is because it costs an ISP something like $60 per incident in support costs when the consumer starts complaining, "Why did you cut me off? What did you do to my computer? I demand that you fix it!"
I'll have to write a column about that soon. It's perverse incentive: ISPs won't do the right thing because it's against their financial interest, at least until somebody holds them liable for the damages caused by malicious traffic from their networks.
You are, perchance, referring to the Cisco Security Agent, I assume. A firm that I worked with used this, albeit an older version 5.0.x(?), which was a tad bit buggy and poorly managed. It liked to whack XP upside the chops with the occasional BSOD. Later versions were more stable. The BIG thing with getting the CSA to work properly was allowing enough experienced, knowledgeable support for it (more pesky 'competence' and 'having enough I.T. budget' shtuff in order to do things right). The company using this flew by the seat of their pants a bit with it = issues, including the new CIO's laptop Blew Screaming when he was overseas (ah lovely). Later on after we (tech support, Mgmt and end users) complained (more like b1tched readily) enough about it and even UN-installed it a few times; THEN more resources were allotted & issues were ironed out. All in all, 'twas a decent tool when configured & supported "PROPERLY!" Beats the "Hope & Pray for the Best Method" used by all too many computer...f-oh-lks.
Thanks for identifying the term I couldn't think of at the time.
Everyone in the technical profession should push for their organizations to implement NAC. Ironically, the much maligned AOL was a leader in this field, providing malware protection as part of their client software.
Please make sure that your organizations are diligent enough to use this type of protection. It not only protects the organization, it protects others.
NAC is a concept/technology that has been around for a while, but is still not gaining enough momentum in corporate America. I've actually been a bit surprised that I rarely hear a member of executive management mention it...it's been a buzz word lately, and I know how non-techie people love acronyms. ;-)
What is kind of bizarre (surreal that it is not in use) about your comments is that I remember talking to a large university right after Slammer came out. That was in 2003 or so.
The university implemented a Cisco end point security agent that worked by verifying a system had all patches and anti-malware updates applied, before the system was allowed on the network. The technology has been readily available for about 5 years, and it is bizarre to me that it is not more in use.
JP : = "Is this yet another issue we want the government stepping in on?"
most certainly not, at least not in my view. government will make a horrible mess if they try to legislate a solution; at most, all I would be interested in is changing the policy on product liability. all this would tend to do would be to motivate the industry to pay attention to security
security should be built-in on every computer sold. customers have a right to expect that.
it would undoubtedly be useful to discuss what those expectations ought to be
first and foremost, customer computers should not be updated with unauthorized programs -- even if the customer is tricked with a phish -- the security software should discover the phish does not have the necessary credentials -- and refuse to install.
in addition, web pages or other executable documents which the customer might process should not be conducting data-mining or other spying, snooping for account numbers, passwords, or other data.
it should be noted that this wish list is just BASIC security: protecting the operating environment from tampering and protecting one application from another. just the basics.
Couldn't agree more! Internet Community insanity CAN be good for business (for me anyway in some regards). The Internet is really a COMMUNITY. Is it not?
Q: OK...what community DOES not have crime? What person (realistic person anyway), in a community expects to do nothing, NOT be educated about the dangers of the "bad" parts of the community to know when & where to walk during the day/nighttime etc., and expect to have nothing happen to them!
A: Insane/unrealistic people! Like the ex-nun I know, who lived down in a "bad" area of the city, but she went jogging in the early am anyway, like EVERYONE told her not to! YEP, she was mugged & assaulted! (True story too!).
The Internet is a dangerous place ppl, inform & protect yourself or stay away!
Can hardware/software be made better? Of course. Will threats STOP? NEVER! Can the PEOPLE who run the hardware/software do it better? Ha ha ha ha.....ahhhh.....maybe???? I vote for DO DILIGENCE (as mirrored by society).
You're right, Mike. The bigger problem is WHO determines what is realistic and what is practical?
The government steps in on a lot of issues regarding the safety and welfare of consumers and the public in general. The FDA requires warnings on medications and foods. Remember the "shown to cause cancer in laboratory test animals" that used to be on everything with saccharine as an ingredient?
Is this yet another issue we want the government stepping in on? Do we want completely non-technical people who will get all of their policy influence from large technology conglomerates?
To some extent, a little bit of regulation and ownership/acceptance of liability might be comforting, but I have doubts that the government would mandate anything correctly. And, if they do, what price will the consumer pay?
Jason: ="Whose responsibility is it to make sure the end-user is informed?"
excellent post and I think we need to examine
what is realistic?
what is practical?
It is not realistic to expect the average customer to effect an A/V defense; the A/V defense must be included in his purchase.
now, from a practical standpoint how do we get it to happen? if we can't embarrass vendors into providing an effective a/v defense then we will have to petition government to make it mandatory.
it's looking more and more like it will need to be product liability legislation