MX Logic IT Security Blog

29 August 2007

Telecommuting is a safe practice?

Another part of my role here at MX Logic in addition to being in charge of our Threat Research group is that of our security officer. This includes not only security education, but also implementation and enforcement of our internal security policies and procedures.

One of the things I have been putting a lot of thought into lately is the security implications of telecommuting. Telecommuting is becoming much more commonplace across many types of organizations now that more and more companies are adopting mobile computing practices. This often comes at the cost of security, however. In an effort to make employees more productive when they are away from the office (either traveling or working from home), the security implications of opening up your network in this way are not always considered, or, if they are considered, they are set aside in the trade-off for getting more out of your workforce.

So, what's the big deal? So what if Jane wants to work on her desk PC at home when she telecommutes instead of using her laptop?

There was an article posted recently on darkreading.com that said that 94% of Federal CISOs do not believe that telework/telecommuting programs are a threat to security. It also stated that 83% of Federal CISOs are "interested" in mobile endpoint certification for compliance with the Federal Information Security Management Act. Being interested means that they aren't doing it yet, but think it is a good idea.

These numbers don't add up to me. How can you not be concerned about the security implications of telecommuting while at the same time not having certified that your own equipment is in compliance with your own Information Security Management Act?

Let's discuss some best practices that companies can use when implementing a work from home policy:

-- Set up access control so that only company-authorized PCs are allowed to connect to your VPN. If Jane has been connecting her work laptop to her own unsecured home wireless network or to the local Starbucks Wi-Fi network, you still can't guarantee that she won't end up spreading a virus across your corporate infrastructure, but you have more control over that PC than you do over Jane's home PC, which she shares with her two teenagers.

-- Implement as many defense-in-depth controls on your company PCs as possible. This includes at least one anti-virus product and some kind of Host-based Intrusion Prevention System (HIPS).

-- Disable the ports on the PC that allow users to plug in external storage devices such as USB drives. Not only are these devices handy for someone who wants to walk off with corporate secrets from your intranet, they are also an easy injection point for malware.

-- Turn off the wireless radio when the PC is going to be hard-wired to the network. This prevents accidental connection to a potentially rogue wireless network. A nice side effect is longer battery life on a single charge, since the radio is such a drain on the battery when it is on.

As with anything technology related, technology solutions are only part of the answer. User education is also a large piece of the pie. One of the most important jobs of a security officer is security awareness: making sure that security is part of the consciousness of every employee in the organization. It is one thing to put policies and technology in place that enforce security; it is another entirely to make sure everyone in the company is aware of those policies and understands how to follow them. The back-end technology should be there to enforce the policies, but it is the end user's responsibility not to put themselves in a vulnerable position, and that comes through education, education, and more education.

Posted by smasiello at 9:58 AM

28 August 2007

New Storm Leverages Youtube

Another day, another Storm worm tactic.

This new tactic uses YouTube links in an effort to get users to click and download malicious code. The link sent via email looks like a properly formatted YouTube URL, but actually points at a compromised web server. The link uses a numeric IP address rather than a hostname, so no DNS lookup is involved; a domain name would also be easier to take down than the IP address of a compromised server.

This is another example of the pull-based malware we have been talking about more and more, where the user has to visit a web site (either by clicking a link or by following instructions to go to a particular site) in order to get infected, as opposed to having the malware "pushed" to them as an email attachment.

This method of infection has also forced the AV vendors to start building URL-based blacklists into their products, so that malicious web sites can be identified proactively by the AV engine based on the site address and not only on the hosted content. This is a good move on their part, especially considering the increase (and expected continued prevalence) of server-side polymorphic malware.
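One way to catch the lure described in this post and the previous paragraph on the mail gateway, as an added example (this is not MX Logic's code or any AV vendor's): parse the anchors in an HTML message body, flag links whose visible text claims one site while the href points at a literal IP address or a different host, and check the href against a small URL/host blocklist of the kind the post says AV vendors started shipping. The sample message body, the 203.0.113.7 address and the blocklist entry are constructed for the example.

```python
"""Flag e-mail links that look like YouTube but point somewhere else.

Added example (not MX Logic's code): extracts <a> tags from an HTML mail
body and reports links whose visible text and href disagree, whose host is
a bare IP address, or whose host/URL is on a blocklist. SAMPLE_BODY and
SAMPLE_BLOCKLIST are constructed inputs.
"""
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html_body):
    parser = _AnchorCollector()
    parser.feed(html_body)
    return parser.links


def host_of(url):
    """Lowercase host part of a URL ('' if it cannot be parsed)."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    return (parts.hostname or "").lower()


def is_ip_host(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def registered_domain(host):
    # Crude: last two labels. Enough for youtube.com-style hosts in this example.
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def classify_link(href, text, blocklist):
    """Return the list of reasons a link is suspicious (empty list = clean)."""
    reasons = []
    href_host = host_of(href)
    text_host = host_of(text) if "." in text else ""
    if is_ip_host(href_host):
        reasons.append("ip-host")
    if text_host and registered_domain(text_host) != registered_domain(href_host):
        reasons.append("text-href-mismatch")
    if href_host in blocklist or href.rstrip("/") in blocklist:
        reasons.append("blocklisted")
    return reasons


def scan_message(html_body, blocklist=frozenset()):
    """Map each href in the body to its list of reasons."""
    return {href: classify_link(href, text, blocklist)
            for href, text in extract_links(html_body)}


# Constructed sample: one lure in the style the post describes, one real link.
SAMPLE_BODY = """
<p>check this out</p>
<a href="http://203.0.113.7/video.php?v=abc123">http://www.youtube.com/watch?v=abc123</a>
<a href="http://www.youtube.com/watch?v=dQw4w9WgXcQ">http://www.youtube.com/watch?v=dQw4w9WgXcQ</a>
"""
SAMPLE_BLOCKLIST = frozenset({"203.0.113.7"})

if __name__ == "__main__":
    for href, reasons in scan_message(SAMPLE_BODY, SAMPLE_BLOCKLIST).items():
        print(f"{'SUSPECT' if reasons else 'ok':7} {href} {reasons}")
```

The text/href mismatch check is the one that fires even before the address reaches any blocklist, which matters because a blocklist only helps once someone has already reported the site.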

Posted by smasiello at 9:51 AM

20 August 2007

Would You Like Some Porn With Your Storm?

Just like 2005 was the year of the Sober worm, 2007 will be known as the Year of the Storm.

Since late January we have seen Storm worm variants using social engineering tactics like news stories, current events, and e-cards in an attempt to get unsuspecting victims to open attachments, click links, and get infected to become the latest addition to the Storm Worm bot army.

The latest social engineering tactic, which we started seeing on Saturday, uses porn. As with the e-card tactic, it relies on a pull-based method of infection: the malware is not "pushed" to the user as an attachment; rather, the email contains a link that, when clicked, causes the user to "pull" it down.

The messages we have been seeing with this new variant include the following in either the subject line or the message body (this is only a partial list): "I need someone to please me. Check out my pictures", "Want me to show you what my room mate and I do when we get lonely at night", and "Taking these pictures made me so hot. I bet they will make you hot too" (I'll bet this post gets caught by a few spam filters :) ). This new variant currently accounts for about 1 in 6 virus-infected messages seen by the MX Logic Threat Operations Center within the last 24 hours.

So, why the movement to "pull"-based malware instead of "push"-based? For one, it is more difficult for end users to submit samples of the malware. If the attachment is pushed to the end user, they have everything they need at their fingertips to submit it to the anti-virus vendors. Secondly, with the pull-based model users may not even know that they are going to a malicious web site: when they visit the site it may display some kind of error message saying the site is not available (or something equally innocuous so as not to arouse suspicion) while in the background the user's PC has just been infected with malware. This model also lets the malware authors use a tactic known as "server-side polymorphism", where the way the malware is packed can change continually on a per-download basis, rendering traditional signature-based anti-virus engines ineffective. The version of the malware that I download could have an entirely different signature than the version someone else downloads, even if we clicked through to the site at the exact same time.
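To make the server-side polymorphism point concrete, here is an added toy model; it is not MX Logic's code and not Storm's actual packer. A simulated server wraps one constant payload under a fresh random XOR key on every download, so each victim receives different bytes with a different hash, and a signature built from one submitted sample matches only that sample. A detector that runs the unpacking step first (the generic-unpacking approach) still recognises every copy. PAYLOAD, MARKER and the 16-byte key format are constructed for the example.

```python
"""Why per-download repacking defeats a fixed hash signature.

Added example, not MX Logic's code and not a real packer: the same payload
is XORed under a new random key per request, so every download differs,
while matching on the unpacked payload still catches all of them.
PAYLOAD and MARKER are constructed stand-ins.
"""
import hashlib
import os

KEY_LEN = 16
# Constructed stand-in for the bot binary every victim actually ends up running.
PAYLOAD = b"CONSTRUCTED-PAYLOAD: same bot, every download"
MARKER = b"CONSTRUCTED-PAYLOAD"


def xor_stream(data, key):
    """XOR data with a repeating key (symmetric, so pack and unpack share it)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def pack(payload, key=None):
    """Server side: prepend a fresh random key to the keyed payload."""
    key = key if key is not None else os.urandom(KEY_LEN)
    return key + xor_stream(payload, key)


def unpack(blob):
    """What a packer's decoder stub does before jumping to the payload."""
    return xor_stream(blob[KEY_LEN:], blob[:KEY_LEN])


def serve_downloads(n):
    """Simulate n victims fetching the same link; each gets a unique blob."""
    return [pack(PAYLOAD) for _ in range(n)]


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def hash_signature_hits(blobs, known_hashes):
    """Classic signature: match the downloaded file's hash against known samples."""
    return sum(sha256(b) in known_hashes for b in blobs)


def unpacked_signature_hits(blobs, marker=MARKER):
    """Unpack first (emulate the stub), then match on the payload itself."""
    return sum(marker in unpack(b) for b in blobs)


def compare(n=5):
    """Return (distinct hashes seen, hash-signature hits, unpacked-signature hits)."""
    blobs = serve_downloads(n)
    # The vendor received exactly one sample (the first victim's) and hashed it.
    known = {sha256(blobs[0])}
    return (len({sha256(b) for b in blobs}),
            hash_signature_hits(blobs, known),
            unpacked_signature_hits(blobs))


if __name__ == "__main__":
    distinct, by_hash, by_unpack = compare()
    print(f"{distinct} distinct hashes; hash signature caught {by_hash}/5; "
          f"unpacked match caught {by_unpack}/5")
```

Real packers are far more elaborate than a prepended XOR key, but the economics are the same: the server pays almost nothing per repack, while the defender has to either unpack generically or block the download URL.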

We've been seeing more examples of pull-based malware over the last couple of months, mostly related to the Storm worm, but the BBB scam from a couple of months ago used this method as well. Pull-based infection gives the malware authors much greater flexibility in their attempts to stay one step ahead of the anti-virus engines, and it is something we will continue to see not only from Storm but from other worm authors who learn from Storm's successes in their attempts to come up with new methods of getting onto our PCs.

Posted by smasiello at 2:40 PM

17 August 2007

Identity Theft -- The Commodity of the Underground

With all of the fun and firestorm of PDF spam volumes and Storm worm variants over the past couple of weeks, I hadn't realized that I hadn't posted anything since the CEAS conference!

My friend Carl Herberger sent me an article the other day regarding so-called "revenge packages" being offered by a company whose web site is at confidentialaccess.com (the site has supposedly been changed since the article was written and denies everything stated in it). I had never seen the site prior to reading the story, but whether or not the story is true, the point behind the services that were allegedly offered is the more disturbing piece.

According to the article the site offered services by which for as little as $20 per month you could essentially make the life of someone that you don't like absolutely miserable. The article mentions services such as ruining your target's credit rating, or even having fake text messages sent to their significant other containing false accusations of affairs.

I heard on a radio commercial yesterday that someone's identity is stolen every 3 seconds. What I hadn't really considered until reading this article was that this type of criminal activity had now become a commodity.

Sure, there is an underground economy that buys and sells credit cards and bank accounts for a few dollars each, but that's not what I am referring to. Defrauding someone out of some cash because their credit card number was stolen is one thing. Money can be replaced. What is more disturbing here is the possible destruction of livelihoods and families by a neighbor who doesn't like how loud you play your stereo...or more disturbingly someone you have never met before.

I don't mean to sound naive about this, but I hope that this isn't a sign as to where else society will go. It's telling enough that we are already where we are, but it is truly more disturbing to think about what could be next...

Posted by smasiello at 1:23 PM

03 August 2007

Day 2 at CEAS

The second and final day of the CEAS conference has come and gone and the Fourth Annual Conference on Email and Anti-Spam is over.

By my own comparison, this year's conference was far better than last year's. Last year's conference was very Bayes-centric: a large portion of the papers presented were on different ways to use and do Bayesian analysis for spam filtering. Although interesting, one can only take so many presentations on Bayesian analysis before losing one's mind. Thankfully this year's papers were far more diverse!

I probably shouldn't have written yesterday's entry as early as I did because some rather interesting things happened yesterday evening.

For starters, I had the opportunity to spend some time talking with Wietse Venema. If you don't know who he is (I didn't when I originally met him), he is the author of the Postfix MTA. Very friendly, cordial, interesting, and humble guy. It was a treat to meet him.

The shock of the day, however came when I was introduced to a gentleman named Adam Dawes from Postini. Yes, Postini! Why would I care about this? Postini has long been chastised for their lack of attendance at industry events. Whether it be MAAWG, the AOTA, or , Postini representation was nowhere to be found. It was definitely nice getting to meet Adam, and I am looking forward to seeing him or other Postini folks at future events. I am not sure if their attendance was primarily being driven by Google or if this was in the works prior to the acquisition, but either way, it is good to see them coming out.

Some more interesting sessions today, and some that, although they might have sounded good in a theoretical sense, would never work in a practical one. One such example was a paper on Human Interactive Proofs for Spam Filtering. At its root, this is mostly the same as Challenge/Response (with a couple of twists). Read here for some of my feelings on C/R.

A common theme throughout several papers at the conference was social networks. With the prevalence of sites like Facebook, MySpace, and Friendster, it only makes sense to make correlations between social networks and email patterns. You generally tend to email and communicate with certain people within closed groups. This could be the people you work with, go to church with, or play softball with. Either way, these are closed communities within which you share some kind of common ground. The thinking is that if these people communicate with you a certain number of times and you reciprocate communication with them, then you can make assumptions as to the legitimacy of the email you receive from them (and vice versa).

Another paper, presented by Chris Fleizach of UCSD, discussed a method called Occam's Razor in which the mail recipient requests a real-time affirmation for each e-mail from the declared sender's MX. An interesting theory, but one that, without almost unanimous adoption across the industry (we know how hard THAT is to do!), wouldn't have an impact. Plus, without some big-time corporate sponsor to take the banner and run with it, it's not likely to get much play within the industry.

Similar to yesterday though, the content of the conference was very good. Despite the holes that could be shot in some of the theories that were presented, it is clear that there are many innovative ideas from both industry and academia that if buttoned up could present some interesting alternative spam filtering methods. It's definitely refreshing to see this "out of the box" type of thinking because sometimes when you are so involved "in the box" it is hard to truly step outside of it and look at different ways to skin the proverbial cat.

Posted by smasiello at 8:28 AM

02 August 2007

Day 1 at CEAS

I am currently at the Fourth Conference on Email and Anti-Spam (CEAS) taking place at the Microsoft Research Campus in Mountain View, CA.

Typically this conference is focused more on academic methods and theory which have some elements that are more interesting/relevant than others. Either way, I applaud the efforts of all of the presenters as they have all done a great job so far.

One presentation that I was particularly interested in was actually two separate presentations that discussed similar topics from different angles: the use of social networks or "communities of interest" in identifying message legitimacy. The theory here is that if you receive a definable number of messages from a particular sender and you also send email back to that sender, you are likely part of a social network with that sender or have some level of interest in communicating with that person. The study put no limit on the time window within which this communication has to take place, though. I could see arguments both ways as to whether there should be such a limit.
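The communities-of-interest rule described here, and in the Day 2 entry above, reduces to counting traffic in both directions between the recipient and each sender. The following is an added example, not code from the CEAS papers or from MX Logic: it scores a sender for a recipient from the recipient's own send/receive log (enough messages received from the sender plus at least one reply from the recipient) and adds the optional time window the study is said to have left out, so the effect of that limit can be seen directly. ME, LOG, NOW and the 90-day window are constructed.

```python
"""Communities-of-interest sender scoring from a mail log.

Added example (not from the CEAS papers or MX Logic): a sender is trusted
for a recipient when the recipient has received at least min_received
messages from them and has replied at least min_replies times, optionally
only counting traffic inside a time window. ME, LOG, NOW and WINDOW_90D
are constructed inputs.
"""
from collections import defaultdict
from datetime import datetime, timedelta

ME = "me@example.com"
NOW = datetime(2007, 8, 5)          # "today" for the windowed variant
WINDOW_90D = timedelta(days=90)

# Constructed mail log: (timestamp, sender, recipient)
LOG = [
    ("2007-07-01T09:00", "alice@example.com", ME),
    ("2007-07-01T09:30", ME, "alice@example.com"),      # I replied
    ("2007-07-15T10:00", "alice@example.com", ME),
    ("2007-07-20T11:00", "alice@example.com", ME),
    ("2007-01-05T08:00", "bob@example.com", ME),        # old exchange
    ("2007-01-06T08:00", ME, "bob@example.com"),
    ("2007-01-07T08:00", "bob@example.com", ME),
    ("2007-08-01T12:00", "stranger@example.net", ME),   # one-way traffic
    ("2007-08-02T12:00", "stranger@example.net", ME),
    ("2007-08-03T12:00", "stranger@example.net", ME),
]


def build_counts(log, me, since=None):
    """Count messages `me` received per sender and sent per recipient.

    Entries older than `since` are ignored when a window is applied.
    """
    received = defaultdict(int)
    sent = defaultdict(int)
    for ts, frm, to in log:
        if since is not None and datetime.fromisoformat(ts) < since:
            continue
        if to == me:
            received[frm] += 1
        elif frm == me:
            sent[to] += 1
    return received, sent


def is_trusted_sender(sender, me, log, min_received=2, min_replies=1,
                      window=None, now=None):
    """True if the sender has written to me enough and I have written back.

    window=None is the rule as presented (no time limit); with a window,
    only traffic newer than now - window counts toward either threshold.
    """
    since = (now or datetime.now()) - window if window is not None else None
    received, sent = build_counts(log, me, since)
    return received[sender] >= min_received and sent[sender] >= min_replies


def classify_all(log=LOG, me=ME, window=None, now=NOW):
    """Score every sender that has written to `me`."""
    senders = sorted({frm for _, frm, to in log if to == me})
    return {s: is_trusted_sender(s, me, log, window=window, now=now)
            for s in senders}


if __name__ == "__main__":
    print("no window :", classify_all())
    print("90-day    :", classify_all(window=WINDOW_90D))
```

Without a window, bob@example.com is trusted on the strength of a single exchange seven months earlier; with a 90-day window he drops out, while the one-way sender never qualifies either way. That is the trade-off the question about a time limit is really about: a long-dormant correspondent versus a stolen or spoofed address that once had a genuine conversation with you.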

There was also a good presentation on blog spam by Adam Thomason from a company named Six Apart. He discussed not only the avenues of attack, but the prevalence and types of blog spam. One interesting stat he mentioned was that they generally see fewer than 100 identifiable attackers on a consistent basis. So, from the sound of it, despite the increases in blog spam that we have been hearing about, the number of people actually involved in this space is still quite small. Another interesting point he made is that the cost of a false positive in blog spam, where a comment is identified as spam when it should not have been, is quite low. This makes perfect sense, but I had never quite considered it before.

So far it has been an interesting conference with one more day to go. I'll write about my opinions of tomorrow's presentations after the conclusion of the conference.

Posted by smasiello at 5:54 PM

© MX Logic, Inc.
All Rights Reserved.