Wednesday 4 December 2013

Gauging employees’ moods using their search trends

In today’s times, it is not difficult to understand the need for web filtering. The pervasive and ever-increasing threats being pushed through websites is always on the increase, and you should already know that you need to have multiple web security engines in place including a web filtering solution. Besides web filtering based on websites address and categories, there are a number of features which can stand out and give the company additional benefits. One of these is search engine query monitoring. By monitoring what a user is actively searching for on the popular search engines, you can gauge an employee’s mood. By monitoring these searches one can determine many things
  1. Whether the user is actively performing work related searches (most of their queries should be work related) 
  2. Whether they are doing anything suspicious 
  3. If they have particular personal or personality problems which might require the company’s assistance

So what exactly is search engine query monitoring?

Search engine query monitoring is the ability to identify and log the search terms when users perform a search on a search engine. So if I run the following query: https://www.google.com/#q=talk+tech+to+me the web filter will extract the “talk tech to me” keywords and log them.

Why is it useful?

Well, under most circumstances you will see mundane stuff, typically searches related to the users work and many times their personal interests. However, there are many instances which you can see things which the company probably wants to be aware of. Let’s say you find something like https://www.google.com/#q=web+filter+bypass , you will immediately know that this user is trying to do something fishy. Even much more worrying would be if you find a query such as https://www.google.com/#q=ways+to+commit+suicide. Essentially, besides the websites that a user is trying to visit, the searches they are conducting will give a very clear picture if all is ok, or if there is something wrong or any suspicious activities.

Great, tell me how to do it!

GFI WebMonitor provides this functionality is a standard part of its web filtering features. You can define policies to exclude users who you don’t want to be monitored if you wanted to, but by default users search queries will be monitored and logged.

What search engines are supported?

Google, Bing, Yahoo!, Lycos.  Queries on any of these search engines will be monitored. Given that Yandex is the most popular search engine in Russia and other east european countries, GFI WebMonitor also supports search engine monitoring for Yandex.

Search over HTTPS? Will search engine monitoring work in this case?

We’ve seen many search engines sending search queries over HTTPS. This has created a bit of a furore in the web Analytics world, but this does not really affect GFI WebMonitor, since HTTPS scanning is supported. When this is enabled, GFI WebMonitor will still be able to inspect queries over HTTPS and thus the queries will still show up. This is also a security feature which ensures that if users are trying to visit HTTPS based websites, GFI WebMonitor can still monitor and protect the end user.

What value does this give me?

We’ve already identified a number of ways these helps you gauge the mood of employee’s in the company. Moreover, GFI WebMonitor has the ability to run a periodic report searching for specific keywords which you are mostly interested in. For example, by default GFI WebMonitor has a number of reports which can give a company value out of the box, without having to configure anything

1) TV Series or Movie Downloads – people attempting to search for TV series or movies to download which could lead to legal liability when pirated material is downloaded via the company’s connection

2) Adult and Pornography Searches – people attempting to search for Adult content via search engines despite you blocking Adult websites

3) High Risk Searches – searches for explosives, weapons, suicide or other possible problematic situations

4) Your own custom search term report – GFI WebMonitor allows you to easily create your own reports for specific terms, and in any language you want

Interested yet? Try GFI WebMonitor for 30 days and monitor what your users are searching for. You might be surprised!

Malware as a Service

Cloud based services are all the rage these days, every kind of software services available are typically available as a cloud or software as a service offering. And when we say every kind of software service, we do mean every kind of software service – including malicious software services. Malware as a service has become by far the most common way that malware is distributed. Here we’ll attempt to give a non-technical overview of how this industry works.

So what exactly is Malware-as-a-Service (MaaS) and why it is used?

Malware as a service is essentially an online service which is used by people who have written a specific piece of malware and want this to get distributed quickly. Essentially what the MaaS does is take the headache out of distributing the malware. Let’s say you’ve written your own malware program which you want to distribute. You could do a few things to help push its distribution

1. Infect pirated software with your malware and upload it to common piracy websites
2. Create a website which invites visitors to download something fake which in reality is your malware
3. Make the virus self-replicating and distribute it via some kind of software vulnerability
4. Infect your friends USB sticks with the malware and rename it to something which they are likely to open

As you can see all of the above either require a significant amount of effort or are not really effective. The MaaS also known as exploit kits effectively allow you to distribute your malware at a very cost-effective price. If your malware is going to give you financial benefits, then a MaaS service to distribute the malware widely will be very handy, and very cheap. Quoted prices from certain exploit kits start from as low as $50 for using the kit for a day, to $1500 for a year’s service making it very cheap considering its effectiveness.

But how does the infection happen?

There are a number of steps which happen to infect a user. Let’s say that you don’t want to go through the above processes to distribute the malware and you’ve decided to use an exploit kit. After paying for the service, the following will happen

Step 1: Your malware is loaded onto a distribution server ready to get deployed to new victims

Step 2: The MaaS authors discover web servers of legitimate software which have problems or vulnerabilities in their setups. These vulnerabilities allow the MaaS authors to inject a piece of hidden HTML code which will be used to perform certain malicious actions

Step 3: A normal user visits the legitimate (but compromised) website. The hidden code analyses the user and detects what browser and other software they have installed on their computer. If the user has software which has not been unpatched then the next step is executed

Step 4: Based on the analysis in step 3 the user is redirected to another website which will use a targeted exploit to infect the user with the malware. As an example, if a user has a version of Java which hasn’t been updated, they will be redirected to an Java exploit

Step 5: The exploit is executed which deploys the malware using the unpatched vulnerability

The effectiveness of the distribution is due to a number of reasons

1. The sheer amount of compromised websites (millions) which exist on the internet right now and which will keep getting compromised in the future allowing for a huge audience to be exposed to the malware
2. The fact that these sites are actually legitimate sites which normal users will visit – they just have been hijacked with some invisible malicious code

3. The delivery of an exploit targeted to the specific user’s unpatched software – they will attach the user with an exploit which they know will work

4. The fact that the exploit does not need any kind of additional user interaction such as a click or a download. Just visiting the website will result in an infection (what is termed as a drive-by download)

5. The lucrative business of MaaS which allows the authors to keep expanding the sites they use, the exploits they use, the AV avoidance techniques

6. Using spamming, SEO poisoning, or other techniques to push users towards the compromised sites

How effective are these kits? And how many of them are there?

Very effective. Different security vendors quote different numbers for each kit, but all of them agree on one common conclusion. These malicious websites used by these kits make up the absolute majority of threats in the wild today. The majority of infections which happen today are coming from these exploit kits. Old viruses and distribution methods have become insignificant when compared to these new malicious URLs. There are tens of exploits kits out there, the Blackhole Exploit kit used to be one of the most effective (though the author Paunch has reportedly been arrested and the kit is no longer being updated), Neutrino, Glazunov and many more. As the business gets more lucrative the MaaS authors start to get competitive between themselves, making improvements in all aspects of the kit from usability, price, infection and obfuscation techniques.

Ouch! … How do I protect myself and my employees?

Essentially, you can never keep know or keep track of which legitimate websites have been compromised so you need a little help. You’ll need to put multiple mechanisms in place to protect yourself and your employees. First, you need to make sure all the browsers and software on your user’s machines have been fully patched – Languard or GFI Cloud – Patch Management is an essential tool to help you with this. Second, you need to put a web security software in place which stops users from visiting websites which have been detected to contain malicious payloads. GFI WebMonitor or GFI Cloud Web Protection both will protect your users from visiting these websites. Thirdly, you still need to have an Anti-Virus on your machines to ensure that malicious software payloads are detected and stopped – GFI Cloud – Anti-virus is the right tool here. If you miss any of these protections, it’s only a matter of time before your users are exposed to something dangerous without their knowledge.