Domain: fortinet.com
Stories and comments across the archive that link to fortinet.com.
Comments · 26
-
DLL Hijacking
There's an informative (and non-PDF) post on Fortinet's blog discussing DLL hijacking. You can use a registry tweak to harden a system against this technique.
-
Latency
This is funny because all the banking companies, in the past, removed their firewalls on their interconnection with trading places. Now that they've been hacked left and right, they are starting to put them back because of this. Firewall vendors are now starting a war with regards to latency (also keep in mind this is one-way latency).
Fortinet for instance announced a sub-9 microseconds firewall. That's 9000 nanoseconds. Check Point followed-up with a sub-5 microseconds latency. Oh, this is with 64 bytes packets, pretty much the minimum size you can get on a link.
With such "bottle necks" I don't see the point of going to the 100's in the nano-second (but I'm not a layer 2-3 guy, I'm layer 4-7 all the way) given this.
A solution seems to be timestamping the financial requests when the order is sent, and when the server receives the packet it can back-order at the price of the stock when the order was given. I guess it's better not to buy stock than to buy it at the wrong price. But then again, I don't like high-speed trading very much and I'd rather have this concept die.
-
"ZITMO" on ANDROID = ZEUS
Zitmo/ZEUS hits Android:
http://blog.fortinet.com/zitmo-hits-android/
---
"Lately, there's been an active discussion on technical forums regarding ZeuS targetting Android users. We finally managed to get our hands on the mobile sample the ZeuS PC trojans are propagating. Actually, it is not a new sample and has been detected under several names (Android.Trojan.SmsSpy.B, Trojan-Spy.AndroidOS.Smser.a, Andr/SMSRep-B), but it is far more scary when propagated by the ZeuS gang... In the background, it listens to all incoming SMS messages and forwards them to a remote web server. It's simple, but just enough for the ZeuS gang to grab your banking mTANs...
---
* "Read ALL about it...", hot off the presses!
APK
P.S.=> Further proof that once an OS of ANY KIND (yes, kids - INCLUDING LINUX) gets high marketshare on a given platform, it absolutely WILL get exploited by the malware-maker/hacker-cracker... and YES, even Linux variants like ANDROID!
... apk
-
Expensive But Available
There are companies that make routers with 2 WAN links. Health checks are run periodically (pinging a public DNS server or some other reliable IP through the link), and traffic is routed across your preferred link if it is up, or the backup if the preferred link is down. The one I'm familiar with is made by FortiNet and costs $500+ http://www.fortinet.com/products/fortiwifi/50B.html
-
Re:1) 2) 2) -- They can't count to three
Funny how these crooks can write ransomware but they can't count to three: 1) 2) 2)
You've obviously never interviewed people for a programming position.
-
1) 2) 2) -- They can't count to three
Funny how these crooks can write ransomware but they can't count to three: 1) 2) 2)
-
No data is actually encrypted.....
Fortinet did an analysis of this. http://blog.fortinet.com/all-your-drives-are-belong-to-us/ It simply backs up the partition table and rewrites the MBR. It's fixable without paying the ransom.
-
FortiClient
I am surprised that no one here has mentioned the excellent FortiClient software that is free of charge and includes not just AV, but also a firewall and IPSec and SSL VPN clients. I have found it to be very lightweight and uses little resources. http://www.fortinet.com/products/endpoint/forticlient.html
-
Re:Riddle me this...
By "technology", I was referring to the black box that sits inline with the uplink(s) to the internet.
The system I used to maintain was such a beast, and it did everything from real-time AV scanning, SPAM scanning, and IDS/DoS functions. It could in fact be used to detect DoS attacks, and send alerts via SMS/email to us. I also used it to shape/limit Bittorrent and other P2P protocols.
http://www.fortinet.com/ is where you can find one example of such "technology".
-
Full featured, easy to manage...
We just started using products from FortiNet and have been pretty impressed with them. Their FortiWifi-50B should do the trick for you. It'll do the QoS you need, but is also a great UTM device with built in AV, web filtering, firewall, VPN, etc. Good stuff!
-
Re:Try a local company
On the networking component side, I've had decent luck with SMC switches, though, of course, HP's switches are really nice, too (hence why they cost so much). On the router side, Cisco is great if you can afford it, but for a place with 50 people, it's probably overkill. I've had tolerable luck with Netgear ProSafe firewall/routers, but they can be really simplistic. Sonicwall makes some easy-to-use, versatile firewall/routers, but I'm not a big fan of their per-connection licensing scheme. Fortinet makes some competitively priced mid-range firewall/routers with decent anti-virus scanning abilities, which is nice, and they're incredibly flexible. I've even been able to configure them to connect to Windows servers using LDAP and control user access to the Internet through them, which is pretty nice, and their routers are SIP-aware, which is handy if you plan on doing any in-house VoIP work. However, that flexibility comes at a price - they are REALLY quirky. Be ready for a serious learning curve if you've never dealt with one before.
-
But what exactly?
Firewall technically speaking was always simply a filter for lowend network traffic. Like open this port for this IP and DROP else etc. Right now I see the term "firewall" has evolved to meaning - everything that does border security (firewall, proxy filtering, NIDS, monitoring etc.). So I guess you should be asking about security appliance...
According to their description here - http://www.fortinet.com/products/telesoho.html - it does lots more than a firewall:
"These [...] systems deliver [...] security services - including *firewall*, VPN, intrusion prevention, antivirus, web filtering, and traffic shaping [...]"
I've cut the marketing shit with square brackets. As for pure firewall I think it would be better with Linux box and iptables or BSD ipfw - more flexible. But as entire appliance this is probably OK.
Anyway as always the basis of security is that you understand what it does - not just put on a big switch signed SECURITY ON and hope it does what you think it is doing.
-
Re:Question
I would suggest one of the SOHO products of Fortinet. They are firewall/IPS/IDS. That is, not only do they provide the basic routing and firewall protection (NAT, (D)DoS protection, etc..), but will also scan inbound and outbound traffic for virus, malware, spyware and spam. The dangerous data is blocked before it reaches your computer, and that is good.
-
Check out www.fortinet.com
http://www.fortinet.com/ Ever since implementing Fortigate Router bundles in all of my offices, which include AV, Antispam, IPS and Content Filtering services, user-induced havoc is much less of a concern for us. I've been called a Nazi a few times since turning on certain webfiltering but I usually laugh and tell my users to take it up with the boss to have their favorite gambling/file storage/message board/etc unblocked and the subject is immediately dropped. lol. Price vs performance I personally don't think these appliances can be beaten. Good news is they're about to go IPO as well.
-
what we do
We're a distributor of industrial "stuff". We're using Exchange for email. Our salesmen try to use their email accounts for all kinds of crap in addition to getting dozens to hundreds of emails each every day. We regularly delete pr0n, music and all sorts of stuff from their accounts. We don't have a posted size limit (we should) and just force the worst abusers to delete stuff or archive it to a network drive. Mostly we just delete the old stuff and they never notice. We not so gently remind our users that it's the company's mail and server and the "company" can delete that stuff if it needs to do so. We probably need a more stringent published policy. The hard part is getting someone high enough in management to enforce it. Until someone above the IT department makes a policy and enforces it, it's just gonna be a continuing headache.
One thing that has helped us deal with the crap these guys email and download are our new firewalls. We just installed Fortinet boxes at HQ and at all the branches. http://www.fortinet.com/
These boxes (called Fortigates by Fortinet) are very easy to configure and don't cost too much. They have a nice web interface and work with Fortinet's subscription service. The subscription service provides AV defs, whitelist and blacklist for web addresses and email etc. The boxes are really do-it-all solutions. We could have done the same thing via a do-it-ourselves Linux box, but the folks that have traditionally supported the firewalls here, while linux-friendly, don't have the time to install and configure something like that from scratch. Plus there would be the nagging worry that we had mis-configured something, leaving a nasty security risk. The Fortinet firewall appliances have taken care of that worry. AFAIK, Fortigates run a Linux distro with proprietary "bits and pieces" added in.
The Fortigates have cut down on the trash that gets downloaded as well as the junk mail the sales types were getting from web sites they shouldn't (and now can't) go to in the first place.
-
MOD PARENT UP
I use a Fortigate firewall and they are amazing. I can't recommend them enough. The antivirus running on the servers and clients is almost redundant and it only catches spyware and adware. Viruses never make it through the Fortigate.
http://www.fortinet.com/
-
Buy a few of these...
http://www.fortinet.com/
The FortiGate(TM) Enterprise Series, which includes the FortiGate-300A, 400, 400A, 500, 500A, and 800 Antivirus Firewall models, meets enterprise-class requirement for performance, availability and reliability. They include all of the key capabilities provided by other FortiGate models, with integrated, real-time antivirus, firewall, VPN, network intrusion detection and prevention, and traffic-shaping services. With throughputs up to 1Gbps, high-availability features including automatic failover with no session loss, and multi-zone capabilities, units in the FortiGate Enterprise Series are the choice for mission critical applications.
A Real Estate company has to have money to spend on security, right?
-
Missing the point
This virus is very likely a POC and an advance guard to hold doors open for future infection or botnets.
As stated by others already, LURHQ has distribution stats. http://www.lurhq.com/blackworm.html US infections only number about 5% of total. Peru and India have most of the worldwide population of this. (this is ip-based, and may not be reliable.)
I haven't seen another mention, but SANS Storm Center has been following this - and actually has made an offer to sysadmins to share info. They limit the info they will give; if you can reasonably establish that you are the RP for a network or subnet - they will send you a list of known infections in your IP range. They have already sent out notice messages to admins of record (whomever the abuse or tech contact is currently on the whois lookup) using a script. [Check the ISC pages if you really want to know - I don't want to flood them by posting a direct email link here.]
Referred to in the SANS/ISC history on this http://isc.sans.org/blackworm and previous pages - Fortinet has done extensive analysis. This virus has several actions. Most folks already know it deletes files, breaks AV software, and spreads over Windows shares. What hasn't seen much daylight is that it drops a bunch of registry entries that grant "trusted" status to the virus. http://www.fortinet.com/VirusEncyclopedia/search/encyclopediaSearch.do?method=viewVirusDetailsInfoDirectly&fid=119856 I'm not an expert on this mechanism - but I'd assume that any machine with these "bad" trusts in place could easily be compromised later using code that is authenticated against these bad keys.
I read M$' page on this virus, http://www.microsoft.com/security/encyclopedia/details.aspx?name=Win32%2FMywife.E%40mm as well as a few AV pages. None mention these keys, so I would assume they don't fix this problem.
Any system that has been infected and then cleaned will probably retain these falsified certificates. This leaves a big hole in place, while some users (even the "all your AV is updated hourly folks.. return to your seats" IT guy) - will have a false sense of security on this.
Thankfully, many AV programs discovered this virus heuristically. (see links to LURHQ & others) McAfee, Panda, NOD32, and several others identified and blocked this virus without needing a signature update. This may be why we don't have 2 million AOL/Comcast sheep spreading the virus.
This should serve as a strong reminder to backup religiously, use defense-in-depth, and enforce strong registry policies when Windows systems are implemented.
-
the solution that i use
one word: fortinet
http://www.fortinet.com/FortiGuardCenter/wmf_advisory.html
-
Re:Data from the article
Mod parent down. The fine article about the test specifically states that only one of the solutions that tested 6/6 provided a large number of false positives, and flagged the infected files as such simply by deciding that all packed executables are suspect. The other, is actually commended for having a low false positives rate.
-
Firewall appliances use less power and are quieter
I prefer appliances for firewalls because they use less power and are quieter. It would also be more reliable than a recycled computer. My current favorite brand is Fortinet. They make a really nice all-in-wonder security box (firewall, ids, anti-virus, etc.), but it costs more than $100. The Fortigate 60 runs about $1000 when you include the annual maintenance & IPS/AV updates. You can certainly get a Linksys firewall for less than $100. The only question would be whether it could handle your bandwidth requirements.
-
Security appliances
I've been working since 1998 on network security and tested a lot of firewalls. My recommendation: Use hardware appliances like Juniper NetScreen (http://www.juniper.net/products/integrated/), Fortinet (http://www.fortinet.com/) or WatchGuard (http://www.watchguard.com/). All of them are >US$100 but that may be the best deal comparing the price to the US$100 per machine you're asking.
-
enterprise security products
cisco's corp support for tier 1 and 2 at least, is complete shit. I once argued for 20 minutes with a 2nd tier tech who was trying to tell me that a router was giving two devices problems on the same subnet. tech: "oh, there's probably a firewall or router blocking this." me: "device A is 10.10.10.1, device B is 10.10.10.2. The subnet mask is 255.255.255.0 for both devices. Which router are they going across? It is a _flat_ network." Took me twenty minutes and eventually I just got pissed off enough to demand that they escalate the call to a tech whose vision wasn't impaired by his anus.
Juniper's made some great strides, but as much as I like their products, what I've seen of Fortinet products is much more impressive. Having all your enterprise network and infrastructure devices in one product is reaaaaaaaaaaalllly fucking handy. No more explaining "ok, the up-link is coming from our IDS, then comes our firewall, then comes our VPN device, then comes the spam filtering boxes."
Fortinet was founded by one of the guys who started Netscreen (which is now Juniper) and some of their ideas are really worth checking out (like re-ordering packets to search them as one complete packet -- no "deep-inspection" BS like Netscreen or TippingPoint IDS'). From what I understand from speaking to company reps, this was one of the things that made the founder go from netscreen to creating his own company.
Purpose-specific products (e.g. sealed boxes with ASICs that do one thing reallllly well,) are the future of enterprise-level security, imo. Linux (or solaris or what-have-you,) doing firewalling or routing or anti-spam or whatever may be adequate for small offices, but is not an ideal solution for large companies (10000+ users.)
-
Use a hardware-based solution
We use a Fortinet FG-60 to scan for viruses at the network layer. This has the advantage of also scanning HTTP, VPN, POP3, IMAP, SMTP and FTP traffic and strips the viruses from those streams before it hits your network!
These devices provide VPN support as well as full firewall features. The Fortinet devices start at $500 USD and go all the way up to data center class devices costing >$40,000 USD. Very easy configuration. Worth the cost.
-
Been there .... done that
Didn't Fortinet already do this???
-
Re:ASIC app firewalls
Check out FortiNet. They do seven layers, NIDS and antivirus all in ASIC (also BSD/OS based, I think). Very f'n cool.