Tag Archive | "Internet"

ISPs and Your Internet Security… Oops


live.pirillo.com – Comcast has announced its new surveillance policy. Its storage practices regarding customer information closely follow the letter of the law. Anything you do online can be tracked by your internet provider, as mandated by law enforcement officials.

Posted in Video | Comments (23)

Internet Security 2010


Download the software at www.removevirus.org. If you need advanced help, go to www.onlinecomputerrepair.org.

Posted in Video | Comments (3)


Google Sets New Internet Traffic Record

In their earnings call last week, Google announced a record 2010 third-quarter revenue of $7.29 billion (up 23% from last year). The market rejoiced and Google shares shot past $615, giving the company a market cap of more than $195 billion.

This month, Google broke an equally impressive Internet traffic record — gaining more than 1% of all Internet traffic share since January. If Google were an ISP, as of this month it would rank as the second largest carrier on the planet.

Only one global tier1 provider still carries more traffic than Google (and this ISP also provides a large portion of Google’s transit).

In the graph below, I show a weighted average percentage of Internet traffic contributed by the search / mobile OS / video / cloud giant. As in earlier posts, the Google data comes from 110+ ISPs around the world participating in ATLAS. The multiple shaded colors represent different Google ASNs and reflect ongoing global traffic engineering strategies.

[Graph: weighted average percentage of Internet traffic contributed by Google, shaded by Google ASN]

Google now represents an average 6.4% of all Internet traffic around the world. This number grows even larger (to as much as 8-12%) if I include estimates of traffic offloaded by the increasingly common Google Global Cache (GGC) deployments and error in our data due to the extremely high degree of Google edge peering with consumer networks. Keep in mind that these numbers represent increased market share — Google is growing considerably faster than overall Internet volumes which are already increasing 40-45% each year. More data on general Internet growth trends is available in some of our earlier papers and blog posts.

While it's not news that Google is big, what is amazing is how much bigger Google continues to get.

A quick analysis of the data also shows Google now has direct peering (i.e. not transit) with more than 70% of all providers around the world (an increase of 5-10% from last year). In fact, the only remaining major group of ISPs without direct Google peering are several of the tier1s and national PTTs — many of whom will not settlement-free peer with Google due to regulatory prohibitions or commercial strategy.

While the business press may debate Google’s future (i.e. can it expand beyond search and continue its earnings growth?), for now Google’s traffic growth continues apace with massive corresponding impact on the network topology, peering arrangements and the overall Internet infrastructure.

- Craig

Full story: Security to the Core | Arbor Networks Security » 2010

Posted in Antivirus | Comments Off

“Phishing” Internet Security PSA


(Watch it in HD!) Are you aware you are being phished? That you may have received an imitation email or that you could be lured into a fake website? Billions of dollars are stolen every year through a deceptive tactic called “phishing.” A “phisher” sets up a look-alike website (of a bank, for example) and sends out legitimate-looking emails to lure in victims. They then use these to trick the user into giving up sensitive information. Always be careful to check you are on the REAL website of any bank, store, or other important site. Always be wary of imitation emails asking for personal information. And never give out personal information if you are unsure about who you are giving it to. By taking care to check where you are online and who is actually contacting you in email, you can help eliminate the risk of falling victim to a phishing attack. This video was created by Crosshair Studios and Team Purps as a submission to the 2009 Computer Security Awareness competition presented by educause.edu. More information about the contest can be found at: www.educause.edu

Posted in Video | Comments (2)

Internet Safety


A Public Service Announcement on Internet Safety. You never know who you’re talking to. Special Thanks to: Mr. Frank Musto Commack High School Cut with: Pinnacle Studio 10

Posted in Video | Comments (25)


Has the Internet Run Out of IPv4 Addresses?

According to several measures by experts, the IANA (Internet Assigned Numbers Authority), an ICANN-operated organization which administers the Internet’s IP address infrastructure and root servers, has run out of IPv4 address blocks to assign to RIRs (Regional Internet Registries). We are close to that point, but the situation is more complicated than it may seem.

Users—as in both corporate and consumer—get IP addresses from ISPs. Small ISPs get them from large ISPs, but the big ones get them from the RIRs. The RIRs are:

  • AfriNIC—Africa Region
  • APNIC—Asia/Pacific Region
  • ARIN—North America Region
  • LACNIC—Latin America and some Caribbean Islands
  • RIPE NCC—Europe, the Middle East, and Central Asia

There are several models to measure depletion of IP address resources. I borrowed the following table from The IPv4 Depletion Site:

Measure                  | Huston                               | Hain                                 | Lagerholm
Freshness                | Daily (Sat Jan 22 09:40:01 2011)     | 2005, with updates from 2008-05-27   | Daily (Sat Jan 22 09:40:01 2011)
Mathematical model       | 2nd order polynomial                 | Order N polynomials                  | Exponential and linear
Granularity              | Sum of RIR                           | IANA pool                            | Individual per RIR
Fitting method           | Least square fit                     | Least square fit                     | Least square fit
RIR pool estimates       | Fixed low threshold model            | No discussion                        | Fixed low threshold model
Smoothing of data        | 3 pass with 3 month sliding window   | No                                   | No
Historic data used       | 1200 days (3.29 years)               | 2000-01-01 to current (9 years)      | 1460 days (4 years)
IANA pool depleted       | 2011-01-20                           | 2010-10-01                           | 2011-01-22
First RIR pool depleted  | 2011-10-12                           | No estimate                          | 2011-10-09
Last RIR pool depleted   | No estimate                          | 2011-11-01                           | 2012-07-28

Note the Hain model is not especially fresh, but all 3 show the IANA pool depleted by today (1/22/2011). Of course, models aren’t reality.

The IANA has a table of all 256 class A (also known as /8) IPv4 blocks. This table shows 7 of these blocks as “UNALLOCATED”: 39, 102, 103, 104, 106, 179 and 185, and the page says that it was last updated on “2011-01-04”.

Why do the models (and a lot of chatter on network operator mailing lists) say that we’re at the end, or nearly so, when IANA says there are 7 /8s available? It’s because of a special policy from ICANN governing the coming end days of IPv4 allocation: When the number of available /8s is equal to the number of RIRs, the normal allocation policy goes away and IANA will allocate the remaining /8s, one to each RIR. In other words, once there are 5 left, there are none.

The reason all the chatter indicates that two more have been taken is that APNIC’s address pool has reached a point where it is entitled to take two. Two in this case means three: taking two /8s from the seven leaves five, which triggers the final distribution of one /8 to each RIR, APNIC included. But then the IPv4 gravy train runs off the rails.
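The end-game rule is easier to see when run than when read. The following is an added model, not code from the article, IANA or ICANN: it takes the seven /8s the IANA table listed as unallocated and a constructed queue of RIR requests, hands out blocks under the normal policy until the pool equals the number of RIRs, and then distributes the last five one per RIR. The lowest-numbered-first order and the mapping of the final five blocks to RIRs are assumptions of this model; the article does not say which block went where.

```python
from typing import Dict, List, Tuple

# The five RIRs named in the article.
RIRS = ["AfriNIC", "APNIC", "ARIN", "LACNIC", "RIPE NCC"]

# The seven /8s the IANA table listed as UNALLOCATED on 2011-01-04 (from the article).
UNALLOCATED_SLASH8S = [39, 102, 103, 104, 106, 179, 185]


def normally_allocatable(pool: List[int], rirs: List[str] = RIRS) -> int:
    """How many /8s can still be handed out under the ordinary policy.

    The final-allocation rule fires when the pool size equals the number of
    RIRs, so only the surplus above that count is really available
    ("once there are 5 left, there are none").
    """
    return max(0, len(pool) - len(rirs))


def simulate(pool: List[int], requests: List[Tuple[str, int]],
             rirs: List[str] = RIRS) -> Tuple[Dict[str, List[int]], List[int], bool]:
    """Run RIR requests against the IANA pool under the end-game policy.

    requests: (RIR name, number of /8s it is entitled to take), in order.
    Returns (allocations per RIR, leftover pool, whether the final policy fired).
    Blocks are handed out lowest-numbered first; which of the last five goes to
    which RIR is an assumption of this model (list order), not stated in the article.
    """
    if len(pool) < len(rirs):
        raise ValueError("pool already below the number of RIRs; policy undefined")
    pool = sorted(pool)
    allocations: Dict[str, List[int]] = {r: [] for r in rirs}
    triggered = False

    def final_distribution() -> None:
        nonlocal triggered
        triggered = True
        for rir in rirs:                 # one /8 to each RIR; pool ends empty
            allocations[rir].append(pool.pop(0))

    if len(pool) == len(rirs):           # already at the trigger point
        final_distribution()
    for rir, count in requests:
        if rir not in allocations:
            raise ValueError(f"unknown RIR {rir!r}")
        for _ in range(count):
            if triggered:
                break                    # nothing left once the end game has run
            allocations[rir].append(pool.pop(0))
            if len(pool) == len(rirs):   # normal policy ends the moment parity is hit
                final_distribution()
    return allocations, pool, triggered


if __name__ == "__main__":
    # Constructed scenario from the article: APNIC is entitled to two.
    allocs, left, fired = simulate(UNALLOCATED_SLASH8S, [("APNIC", 2), ("ARIN", 1)])
    for rir, blocks in allocs.items():
        print(f"{rir:9s} -> {['%d/8' % b for b in blocks]}")
    print("final policy fired:", fired, "| pool left:", left)
```

Running it shows APNIC ending with three /8s (two under the normal policy plus one from the final distribution), every other RIR with exactly one, and ARIN's later request for an extra block going unmet because the pool is already empty.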

The next step in the depletion of the pool is for the RIRs themselves to run out. The Huston and Lagerholm models are very close in this regard, both with dates this October, less than 9 months away. At that point, ISPs in whatever region runs out first will no longer be able to get new addresses. Lagerholm predicts the last RIR running out next July. When will ISPs themselves run out? This is even harder to predict.

What happens then? Nobody really knows. There’s IPv6 of course, and everyone knows that moving to it is an eventual necessity, but users have been resisting it. A market for the reallocation of IPv4 addresses makes sense economically, but there’s no technical mechanism for doing so.

Actual announcements of the IPv4 depletion have not happened, but look for more news on this subject this week, first as the final allocation to APNIC becomes official and then the invocation of the special final allocation policy by IANA. This is big news and it will affect all of us before it’s over.

Many thanks to Leo Vegoda of ICANN for help with this article.



Full story: Security Watch

Posted in Security | Comments Off

F-secure internet security 2010 part 1

CSA DISCLAIMER: This video is taken from YouTube. Like every other video found on this site, it is not hosted here but merely embedded, and it was picked automatically by our system from video hosting services such as YouTube, Metacafe and others. Therefore, we are not responsible for any copyright violations, video materials, hacking or cracking activities, or anything else. If you have any legal issues, please contact the appropriate host site.

Posted in Video | Comments Off

The Communicators: Internet Security


Posted in Video | Comments (2)

2011 Internet Security Outlook

As we move forward, let’s take a look at the highlights of what has been a factor in significant change in the threat landscape, and which trends will continue to exert influence this year and in the years to come.

Motivation – What is the objective of this threat?

The era of ‘fun, fame and glory’ is long gone. The threat landscape is now dominated by two motivations: “Mission” and “Monetization”.

1) “Attack or Malware on a Mission” refers to security threats whose goal is beyond money, such as hacktivism, cyberwarfare and espionage.

These types of threats are often highly organized, planned, strategized and targeted. A few known examples are ‘Operation Aurora’, GhostNet and recently the Wikileaks DDoS battles: the attacks and Operation Payback affecting major payment services such as PayPal, Visa and Mastercard.

2) “Monetization” refers to security threats whose main objective is financial gain.

These types of threats often involve manipulating traffic and ad-serving networks, serving fraudulent services and products, selling users’ data and information, stealing users’ online identities to perpetrate fraud, and performing unwanted financial transactions.

Means – How do attackers achieve their goals?

In order to be successful, an attacker must understand the phases of an attack and deploy or apply the right model, strategy and plan. Organized cyber criminals understand this, and thus the threat landscape we observe is widely influenced by:

3) Modularization – Each threat is a component of a larger attack. It performs and responds to a specific task, whether that involves the distribution layer (Web, social networks, email, IM, IRC and P2P), installation ‘loaders’ or execution of the payload.

Depending on the motive of the attack, modular development and extension techniques enable the attack to persist on the system, as we commonly observe with crimeware, or the attacker may simply remove it immediately after the task is accomplished.

4) Protection – To evade detection and sustain the proliferation of a threat, the attack and its components require protection. Attackers hide and obscure malicious code and its communications using legitimate and publicly available compression, encryption and packing techniques.

Using cryptography, a piece of code can be protected and mutated into a different form every time.

Cryptographic algorithms are widely used and explored by attackers. For example, Conficker uses the RC4 stream cipher, RSA and MD6, while Hydraq has its own protocol to secure its remote communication. Over the years we have seen strong use of packer protection in malware as a means of successfully penetrating systems and increasing its shelf life; stealth techniques are another form of protection used by the most advanced and complex threats. Attackers are also very aware of reverse engineering and behavioral analysis, so a level of protection is employed in this area too.

“Cryptoviral extortion”, also known as “ransomware”, is another security threat that relies heavily on cryptographic algorithms as its payload. The recently discovered variant of GpCode caught media attention because it encrypts the victim’s files using the RSA-1024 and AES-256 algorithms.

5) Commoditization – When offensive capabilities, whether services, development or products, are available for purchase, they create an ecosystem that is more organized and competitive. This is evident in the proliferation of exploit kits and crimeware such as Zeus and SpyEye.

6) Open Source Development – Offensive code, such as malware and exploits, is freely available for modification, customization, localization and distribution. Free use by anyone, anywhere and at any time is part of the growing security threat.

Opportunity – What is the likelihood of success if you are an attacker?

You would likely answer that it depends on the motive and the target. However, if your motive is ‘monetization’, it is obvious that you will seriously consider the top and most popular online brands.

7) Web, Email and Instant Messenger – Google blackhat SEO (search engine optimization), mass website infection, traffic hijacking and spamming. Consider the number of users: for example, Yahoo! has 600 million users, Skype 25 million, ICQ over 42 million and Windows Live Messenger 16 million.

8) Application, Software and Operating System – Attacks against browsers, documents and Rich Internet Applications (RIA), such as Internet Explorer, Adobe PDF, MS Office, Java and Adobe Flash.

9) Social Networking, Web Applications and Cloud Services – Social networking such as Facebook, online video such as YouTube and Google Videos, blogging sites such as WordPress and Blogspot, micro-blogging such as Twitter, web services such as Amazon, and financial services such as PayPal.

10) Mobile ‘Interoperability’ – This is the ability of diverse systems and organizations to work together (inter-operate). It is a direction that connects data, services and applications anywhere and at any time. It also means that a security threat can inter-operate across cloud, mobile and desktop, and will affect users whether they are on iOS, Android, Windows, Linux or Mac.

In the past, we have seen attackers use the browser ‘interoperability’ layer to redirect users to a specific payload for a specific platform. Some payloads redirect users to fraudulent websites and rogue-serving networks. We have witnessed DNSChanger serving installers for both Windows and Mac users. And recently we have seen Boonana, which is capable of serving and running on Windows, Linux and Mac.


To summarize, cybercrime is basically influenced by the attacker’s means, motive and opportunity. By looking at the past and present threat landscape, we were able to explore the big picture and the future challenges.

View the original article at CA blog

Posted in Security | Comments Off


Commerce Dept. to Get Authority Over Internet ID Program

The Obama administration is planning to place authority for developing an Internet ID for Americans in the Commerce Department. The news came at an event at the Stanford Institute for Economic Policy Research, where U.S. Commerce Secretary Gary Locke spoke.

Details on the plans are essentially nonexistent, but Locke and others said a lot about what the IDs would not be: “We are not talking about a national ID card,” Locke said. It also won’t be government controlled. The goal is “…enhancing online security and privacy and reducing and perhaps even eliminating the need to memorize a dozen passwords, through creation and use of more trusted digital identities.”

White House Cybersecurity Coordinator Howard Schmidt, who also spoke at the event, said that the ID, which they refer to as “trusted identities,” would not become mandatory. Anonymity and pseudonymity will remain possible on the Internet. There will be no central database and private industry will take the lead in implementation.

A vague outline for the program was released in June entitled the National Strategy for Trusted Identities in Cyberspace (NSTIC). That document was as vague as this week’s event; trusted identities will do good things and avoid doing bad things.

It’s not surprising that details are scarce. Designing an identity that is robust, affordable, secure, easy to use, and all the other things you’d want it to be, is not easy. In fact, many of the design goals operate at cross purposes with the others. Don’t be surprised if this program takes a long time to come to a deliverable, or if the deliverable is irrelevant by the time it’s here.

Hat tip to CBS News.



Full story: Security Watch

Posted in Security | Comments Off

Spam Clock Tallies Junk on the Internet

You’ve probably heard of the Doomsday Clock. It was created in 1947 by the Bulletin of Atomic Scientists to give mankind an idea of how close it is to catastrophic destruction. A similar clock has been launched by search engine newcomer Blekko, only it’s counting how many spam pages are created on the Internet every second. Since January 1 alone, 156.8 million spam pages have been created on the Web, and the clock keeps counting and counting….

Full story: Network World on Security

Posted in Security | Comments Off

How to remove Personal Internet Security 2011


Personal Internet Security 2011 is a rogue security product that pretends to find malicious code on a victim’s machine in order to frighten him or her into purchasing this useless application. It replaces InternetAntivirus2011 in the FakeVimes family.

[Image: Personal Internet Security 2011 install screen]

[Image: Personal Internet Security 2011 graphic interface]

How to remove Personal Internet Security 2011:

If Personal Internet Security 2011 has infected your PC, you should remove it immediately. Click here to use VIPRE to remove Personal Internet Security 2011 from your computer now.

Full story: Rogue Antispyware

Posted in Antivirus | Comments Off

AVG Internet Security V9 Test Video 1


Posted in Video | Comments (25)

Internet Explorer attacked in Europe – by Firefox!

Move over, Internet Explorer – here comes Firefox!

According to web site stat-gathering outfit StatCounter, Firefox sneaked into first place over Internet Explorer for the first time ever at the end of 2010 – just over half a percentage point ahead with 38.1% to IE’s 37.5%.

Global celebrations will have to wait a bit, though: Firefox has yet to triumph over IE worldwide. IE still rules in North America – though IE has dropped to less than half of the browser marketplace, coming in at 49% to Firefox’s 27% – and the rest of the world follows a similar pattern to bring IE home with a global score of 47%.

Firefox is in a convincing second place worldwide with 31%, whilst don’t-be-evil poster-boys Google surged to just under 15% to nab third place with the company’s much younger Chrome product.

What does this mean to security professionals? What does it mean to you?

Firstly, companies with change control committees which have selected IE, and only IE, on the grounds that it is the only browser suitable for day-to-day use, need to take action. In particular, they need to put through a change control committee change to the change control committee.

Don’t misunderstand me: there is nothing wrong, organisationally, with standardising on a single browser. It makes all sorts of things easier – configuration management, security patching, and support. (Indeed, Sophos has a handy solution which allows you to decide exactly which browsers to allow – and you might be surprised just how many distinct browser flavours there are out there.)

Just don’t try to carry the argument to your staff that your anointed browser is an “obvious choice”, or that it’s “clearly better” – the sort of dismissive remark which is still regularly heard around the traps. Be honest to your constituents about the reasons for your browser choice.

Secondly, companies with software products which have web interfaces need to do their best to avoid coding in a way which locks their products, and their users, into a specific browser. Avoiding the programmatic peccadilloes of any individual browser gives your customers more choice, and it also ensures that you don’t fall into an even deeper hole: getting stuck requiring, rather than merely supporting, just a single version of a single browser. (IE6, anyone?)

Thirdly, today’s mainstream browsers aren’t wildly different in their attention to security. All of them are huge, complex software projects – probably too complex ever to be called properly secure, but possibly secure enough for day-to-day use – made yet more complex by plugins, add-ons and other customisation tweaks.

So your choice of browser isn’t your most important security step. After all, even if your preferred browser could be considered theoretically secure, it would nevertheless suffer from the rather insultingly-named issue known as PEBKAC. (I shan’t explain the acronym here. You’ll have to watch the video to see it spelled out in detail – complete with an illustrative example!)

Whichever browser you choose, make sure you invest time and effort in your best security asset: YOU.

Full story: Naked Security – Sophos

Posted in Antivirus | Comments Off

What you missed: A major Internet security hole was finally plugged

The No. 7 top sleeper tech story of 2010

Full story: Network World on Security

Posted in Security | Comments Off

New Internet Explorer Vulnerability Discovered

Microsoft has released an urgent security advisory describing a new vulnerability in Internet Explorer that allows malicious code to be run on users’ systems if they visit a malicious website. Internet Explorer 6 through Internet Explorer 8 are confirmed to be affected; it is not clear whether the Internet Explorer 9 beta is affected as well.

Trend Micro offers a variety of solutions to help protect users. For home users, the free tool Browser Guard offers protection against this vulnerability without any need for updates. Browser Guard is a free add-on to Internet Explorer that protects users by preventing browser exploits and analyzes in-browser scripts for malicious characteristics and behavior. This provides users with proactive protection against vulnerabilities, as this incident demonstrates.

For enterprise users, both Deep Security and OfficeScan with the Intrusion Defense Firewall (IDF) plug-in also protect against this threat with the updated rules released earlier today.


– Jonathan Leopando (Technical Communications) on TrendLabs | Malware Blog – by Trend Micro

Posted in Antivirus | Comments Off

Two different 0-day exploits in Internet Explorer

Two different new zero-day exploits were published on December 22. Remote attackers could use these exploits to take complete control of a vulnerable system. Websense Security Labs is monitoring the situation, and we will update this blog post as we discover more.

…(read more) – Hermes Li on Security Labs

Posted in Antivirus | Comments Off

Survey Results: Here Are Your Predictions for Internet Security in 2011

Bad predictions are soon forgotten. This can be a blessing for those in the prediction business. The guy on the local news that predicts the weather doesn’t always get it right, but we still tune in the next night for the next prediction. We forgive and we forget.

I’d prefer you forgot about our bad predictions too. But, because we’re trying to provide some help in thinking about and planning for the future, we add some accountability to our predictions. For our 2010 predictions we actually graded ourselves mid-year as you can see here: http://www.symantec.com/connect/blogs/security-trends-watch-2010-mid-year-status-check. With our 2011 predictions, we let you, our readers, grade us immediately through an attached survey. For the most part, you agree with us. And in one case we (both Symantec and you) have been proven correct already. We are one for one so far. So, let’s take a look at the results. We’ll start with the disagreement.

Compliance Will Drive Encryption Initiatives…or Will It?

Thirty-seven percent of you disagree with our prediction that regulatory compliance will drive the adoption of encryption. This was the strongest disagreement we had on any of our predictions. Interestingly enough, we had pretty solid backup on this one. The Ponemon Institute’s 2010 Annual Study: U.S. Enterprise Encryption Trends revealed that for the first time, regulatory compliance has surpassed data breach mitigation as the top reason why organizations deploy encryption technologies. My guess is that our readers are ahead of the security curve and moved to encryption long before any regulation demanded it.

The majority of respondents were aligned with our other predictions.

Stuxnet is Only the Beginning

Eighty-eight percent of respondents said they think it very or somewhat likely that 2011 will bring with it additional threats following in the footprints of Stuxnet. Stuxnet is the most significant example to date of cyber espionage. It should at the very least make you a little paranoid. However, it appears that in the spirit of the holidays our readers have taken their security list and checked it twice. Forty-eight percent of respondents feel just as safe now as they did at the end of 2009, long before the Stuxnet threat was discovered.

Zero-Day Vulnerabilities Everywhere

Eighty percent of respondents agreed that zero-day vulnerabilities will become more common as highly targeted threats increase in frequency and impact over the coming year. With 12 zero-day vulnerabilities spotted in 2009, and 18 previously unknown zero-day vulnerabilities spotted so far this year, it looks like the trend is pointing toward 2011 as another record-breaking zero-day year.

Mobile Is Going to Be a Big Challenge

Eighty-eight percent of respondents agreed that the exponential adoption of smart mobile devices will drive new IT security models. With the blurring of the lines between business and personal use, the increased sophistication of the devices and the consolidation of mobile platforms, it is inevitable that attackers will key in on mobile devices in 2011 and mobile devices will become a leading source of confidential data loss. Part of this new IT model is security. Fifty-two percent of respondents said they’ll be putting security software on their mobile device(s) in the future.

And now where we already know we got it right.

Cyber Attacks as Politics

Eighty-three percent of respondents agreed that politically motivated cyber attacks would emerge. Bingo! We didn’t even need to wait for 2011 to be proven right on this one. Remember, we ran our prediction in mid-November and our readers took the survey long before the massive DDoS attacks took place last week. It’s hard to argue that these attacks did any real damage to the large corporations involved, but they drew attention which was the whole point. Expect more in 2011.

Finally, in the survey we asked about the IT trends that would have the biggest effect on security in 2011. And the winner is:

The Cloud

We gave our readers four choices for the trend that would have the biggest impact on enterprise IT security strategies in 2011: the consumerization of IT, cloud computing, government regulation, and virtualization. Your vote for the “big bang” for 2011 – the cloud. Forty percent of respondents said cloud computing will have the biggest impact on enterprise IT security strategies. Equal numbers of respondents (24 percent each) said the consumerization of IT and government regulation will have the greatest effect. Only 14 percent thought virtualization would have the biggest impact.

Well, there you have it. There were a few surprises, but for the most part, we think your opinions are pretty well in line with our security and storage experts. Thanks to all those who took our 2011 predictions survey!

– Kevin Haley on Symantec Connect – Security Response – Blog Entries

Posted in Antivirus | Comments Off

What’s really in the drugs you buy over the Internet?

The “alarming variety” of chemicals includes rat poison (the blood thinner warfarin)

The U.S. Food and Drug Administration has sent a letter to manufacturers and trade groups seeking their help in preventing distribution of tainted drugs in the U.S.

Although the letter does not mention Internet sources, it’s clear that the concerns in the letter extend to the penis pill, diet pill and Canadian pharmacy (which are really not in Canada) web sites.

The letter lists adulterants that should be enough to scare any sensible human from EVER considering buying the stuff advertised in that flood of spam email that seems to wash over all of us:

“FDA laboratory tests have revealed an alarming variety of undeclared active ingredients in products marketed as dietary supplements, including anticoagulants (e.g., warfarin), anticonvulsants (e.g., phenytoin), HMG-CoA reductase inhibitors (e.g., lovastatin), phosphodiesterase type 5 inhibitors (e.g., sildenafil), nonsteroidal anti-inflammatory drugs (NSAIDs) (e.g., indomethacin), and beta blockers (e.g., propranolol). FDA has also identified products marketed as dietary supplements that contain active pharmaceutical ingredients removed from the market for safety reasons (e.g., fenfluramine), as well as new chemical ingredients of unknown safety. Some products marketed as dietary supplements have been found to contain controlled substances (e.g., benzodiazepines and anabolic steroids).”

According to the letter, the FDA investigations have also resulted in criminal prosecutions and nearly 200 recalls:

“Where FDA investigations have discovered products marketed as dietary supplements that contain the same active ingredients as in FDA-approved drug products, analogs of such drug ingredients, or other compounds of concern, such as novel synthetic steroids, FDA has issued warning letters and conducted seizures and criminal prosecutions. FDA has also worked with industry on the recall of numerous products with such potentially harmful ingredients, including more than 70 products marketed for sexual enhancement, more than 40 products marketed for weight loss, and more than 80 products marketed for body building. The Agency has also issued consumer alerts and press announcements to warn consumers about such products.”

– Tom Kelchner on Sunbelt Blog

Posted in Antivirus | Comments Off


The Internet Goes to War

If you weren’t paying attention last week, the Internet has gone to war.

ABC News proclaimed “Welcome to Infowar, Version 1.0”. Fox warned of the “growing data war”. And the Guardian provided minute by minute coverage on the opening salvos of this first “Internet-wide Cyber War”.

Of course, all of the above headlines refer to the rash of DDoS attacks both against the Wikileaks web site and the retaliatory strikes against hosting and commercial institutions that severed ties with the organization.

So are we now in a permanent state of cyber-war? As the San Francisco Chronicle asks, do sixteen year old hackers now control the fate of humanity from their laptops?

Well, this blog uses detailed statistics on the last year of DDoS attacks across the Internet to provide some perspective. I’ll compare the Wikileaks and retaliatory DDoS attacks to historical baselines of attack activity and discuss broader DDoS trends.

In general, getting accurate data about Internet attacks can be a challenge. Namely, a) companies avoid publicly discussing most attacks and b) the attacks can be difficult to measure or at least consistently compare. For example, engineering mailing list discussions of ISP security and DDoS attack trends generate a bewildering variety of responses. In one instance, two engineers at the same ISP debated the largest observed botnet attacking their company — one estimated the size at a few thousand hosts while the other at millions. Later, when pressed on the source of their data, both of these engineers readily admitted they were really just guessing (they did not have any infrastructure / tools to actually measure the number of attacking botnet hosts).

In an effort to better quantify DDoS attack trends, two years ago Arbor added support for the export of detailed measurements of confirmed DDoS attacks to our commercial products and ATLAS anonymous statistics (deployed in roughly 75% of all Internet carriers). This blog post provides a first look at quantitative measurements of over 5,000 confirmed (via operator classification or mitigation status) attacks over the last year across 37 large carriers and content providers around the world. We believe this is the largest data set of validated DDoS events ever collected. I presented an earlier version of this blog post at this Fall’s NANOG (link to the presentation here) and we’re currently working on an academic paper version.

Before diving into the statistics, a bit of background — our data includes both survey results and two overlapping measurement data sets: alerts and mitigations. At a high level, alert data include the magnitude and fingerprint of a DDoS (i.e. IP header fields and router / interface topological origins of the attack). Mitigation statistics include finer-grain detail on the payload of the attack, including spoofed source IPs, number of valid (i.e. not spoofed) source IPs, connection attempts, bps and pps rates per attacking IP, etc.

In general, we evaluate DDoS attacks using two metrics: the scale and the sophistication of the attack. At the high end in 2010, we observed a number of DDoS attacks in the 50+ Gbps range. These large flooding attacks often exceed the inbound aggregate bandwidth capacity of data centers and carrier backbone links (often OC192 / 10 Gbps). Mitigation of these high end attacks can be a challenge — carriers generally need specialized, high speed mitigation infrastructure and sometimes the cooperation of other providers to block the attack traffic. The graph below plots the growth of DDoS flooding attacks over the last decade (hard to imagine that 400 Mbps was an impressive attack back in 2002).
ddos trends
On the other end of the DDoS spectrum, we encounter attacks focused not on denying bandwidth but on the back-end computation, database, and distributed storage resources of large web services. For example, service or application level attacks may focus on a series of web or API calls that force an expensive database transaction or calls to slow storage servers. The attackers then use botnets to inundate the web service with thousands of clients issuing a steady stream of these particularly expensive web / API calls. Other application attacks attempt to overwhelm SIP, HTTP or TCP state (e.g. Slowloris). In many of the more sophisticated application DDoS attacks, attackers perform reconnaissance of the web service for weeks or months before the attack (identifying weak links in the infrastructure). Unlike massive DDoS traffic floods, application attacks can be far more subtle and may only register as increased load on servers or a precipitous drop in five minute real-time sales revenue charts. As with 10+ Gbps flooding attacks, sophisticated application attacks may require specialized, high speed infrastructure to detect and mitigate the DDoS.

So if we’re in a Cyber-War, then very large (50+ Gbps) traffic floods and sophisticated application attacks are the front-lines. Which brings us back to the question of Wikileaks and the retaliatory hacktivist attacks. Were these attacks massive high-end flooding DDoS or very sophisticated application level attacks?

Neither.

Despite the thousands of tweets, press articles and endless hype, most of the attacks over the last week were both relatively small and unsophisticated. In short, other than the intense media scrutiny, the attacks were unremarkable. I note that our ATLAS based observations agree with data from the operators directly involved in mitigating the attacks.

For example, below is a graph of DDoS activity against multiple Wikileaks hosting sites on the third day (December 1) following the initial release of “Cablegate” documents. The DDoS traffic (in red) never grew beyond 3-4 Gbps. Today, mitigating attacks of this scale is fairly routine for tier1/2 ISPs and large content / hosting providers (more of an annoyance than an imminent critical infrastructure threat — or “easy peasy” to block as one Internet engineer explained). Also see earlier blog posts (link available here) for more analysis of the Wikileaks attacks.


day 3

The retaliatory hacktivist attacks took a slightly different approach with mostly low-level application layer attacks against a range of companies perceived as anti-Wikileaks, including banks, hosting and credit card companies. The loosely organized Anonymous group called hundreds of volunteer activists to arms with messages like:


"TARGET: WWW.xxxxx.COM: WEAPONS http://xxx.xx.ru FIRE FIRE FIRE!!! PAYBACK!"

[I replaced the target and Russian download site with xx's].

Based on ATLAS data, the majority (70%) of the hacktivist application DDoS came from a Mac / PC downloadable “Low Orbit Ion Cannon” (LOIC) program and a web based JavaScript version (JS-LOIC). Both LOIC variants sent dozens of web requests per second to the victim web sites. The online web version consists of a simple 100 line JavaScript for-loop generating web requests and very few options (though you can append text with an appropriately revolutionary message). The PC version supports slightly more complex options, including randomization of URLs and remote control by IRC botnets (“the hive”).

Approximately 20% of retaliatory attack DDoS HTTP requests in one attack last week came from a new variant of LOIC named, predictably, LOIC-2. The new LOIC version (a “total rewrite of LOIC”) supports additional “hive” remote control command channels including RSS, Twitter, and Facebook (LOIC only supported IRC). More significantly, LOIC-2 supports two new “slow” classes of attack method (i.e., DDoS strategies where the client deliberately elongates HTTP transaction times to burden the victim server).

In addition to LOIC, ATLAS observed Slowloris-like TCP attacks and several other tools / scripts generating web or TCP DDoS traffic. A smaller component of the hacktivist campaign included DDoS flooding using ICMP Smurf and LOIC operating in UDP flood mode (sending traffic to UDP port 80).

More recently, Anonymous supporters released two more sophisticated HTTP flooding tools: High Orbit Ion Cannon (HOIC) and Geosynchronous Orbit Ion Cannon (GOIC). The new tools support multi-threaded HTTP flooding, simultaneous attacks against up to 265 web sites, plug-ins and an “easy to use interface”. However, HOIC and GOIC did not appear to play a significant role in the DDoS attacks last week.

While the last round of attacks led to brief outages, most of the carriers and hosting providers were able to quickly filter the attack traffic. In addition, these attacks mostly targeted web pages or lightly read blogs — not the far more critical back-end infrastructure servicing commercial transactions. By the end of the week, Anonymous followers had mostly abandoned their attack plans as ineffective.

Overall, both the attack traffic and the hundreds of volunteers running the software on their PCs were not terribly sophisticated. Most volunteers clearly did not realize the tools do not anonymize their PC source IP address nor that word processors store incriminating meta-data in revolutionary manifestos. In short, not exactly the work of evil criminal masterminds.

So ultimately, I’d suggest the last week of DDoS attacks surrounding Wikileaks supporters and opponents falls far short of a “cyberwar”. While it makes a far less sexy headline, cyber-vandalism may be a more apt description. In a similar vein, a Foreign Policy Op-Ed called hacktivist DDoS the digital equivalent of a sit-in by youth around the world.

All of the above is not to say DDoS is not a serious problem. The number and firepower of botnets grows dramatically each year as well as the sophistication of application attack toolsets. HOIC and succeeding generations of volunteer botnet controlled PCs may evolve to pose a significant Internet-wide threat. However, traditionally the DDoS threat has come more from increasingly professional criminal hackers than volunteer activists.

With discussion of cyberwar out of the way, I’ll compare Wikileaks and related attacks to some of the broader trends we are observing in ATLAS DDoS statistics. The chart below shows the distribution of DDoS attack vectors in the 5,000 validated attacks in the ATLAS dataset. Note that this dataset represents a subset of all attacks as not all providers have enabled anonymous export of data and many providers are running earlier versions of the product (i.e., lacking anonymous DDoS statistics export support). See the NANOG presentation (link available here) for more details on the methodology.

As discussed earlier, brute-force flooding continues to dominate most DDoS attacks (60%). Generally, these attacks (including the initial strike against the Wikileaks web site) resemble the early days of DDoS attacks circa 2000 except more distributed (better botnets) and greater use of amplification. As in 2000, most flooding DDoS attempt to overwhelm upstream bandwidth, firewall / load balancer state, or resources on web / application farms.


attack overview

Though traditional DDoS flooding attacks remain popular, most of the recent DDoS activity has included some level of application or TCP layer attack component. Involved in 27% of the confirmed attacks over the last year, application layer attacks are also the fastest growing DDoS attack vector. Open source tools like LOIC / HOIC and a large library of more advanced commercial criminal software target firewall, load balancer and end-system web, database, and TCP state. A tutorial by security consulting company Securitech provides a nice overview and examples of these layer 3+ attacks.

Finally, “Other” in the above chart is a bit of a grab-bag, including operator defined policy around allowed traffic levels for things like ASN, GeoIP (countries), ATLAS filters, large lists of ACLs and payload (e.g. DNS, URL) regular expressions. Although designed as a line-speed DDoS mitigation appliance, some providers use the Arbor TMS to effect policies similar to next-generation firewall or carrier-grade IPS. Our analysis generally cannot distinguish between DDoS mitigations and policies enacted for other carrier security strategies.

As discussed earlier, the Wikileaks flooding DDoS components fell into the small or mid range of our yearly survey data (links available here). The chart below shows statistics on the flooding DDoS bandwidth, packets per second and duration for the 5,000 validated attacks. The average DDoS comes in at 300 Mbps and 200 Kpps, lasting several hours. Given the heavy-tailed nature of the DDoS attack distribution, though, the mean is skewed by a relatively small number of extremely large DDoS (including one 22 Gbps and 9 Mpps IP fragment attack against a single web farm lasting four days). The median of 30 Kpps suggests that the majority of DDoS by number of incidents remain fairly low bandwidth (and likely reflect providers offering DDoS mitigation services for hundreds of small customers).


attack sizes

The next table focuses on the number of unique sources involved in DDoS flooding attacks. Despite the availability of massive botnets, most confirmed attacks in our study involve relatively few, well-connected IPs — the average is 80 sources generating an average of 162 Mbps and 48 Kpps each. Even the 95th percentile of attacks involves only 300 sources. Why so few botnet hosts in these attacks? I suspect the answer is a) a hundred well-connected hosts is more than sufficient to overwhelm many mid-size web farms (you just don’t need more than this) and b) botnets are an increasingly valuable resource to be used judiciously as discussed in this Security Week article.

Though more than 100,000 users downloaded the LOIC software last week, the actual peak number of simultaneous Wikileaks retaliatory attackers was significantly lower. ATLAS data suggests the number of attackers was in the hundreds (i.e., instead of thousands or tens of thousands). In other words, the number of source IPs observed in the Wikileaks retaliation attacks fell into the mid or higher end of the 5,000 validated DDoS last year.


number of flooding source IPs

Of course, just tracking statistics per IP does not tell us if these are real or spoofed source addresses. And indeed, the increasingly unrealistic data as we approach the max (4 Gbps per source IP!) in the above chart suggests some degree of either source spoofing (e.g. poorly written attack tools always using the same source address) or a large number of hosts behind NAT / mega-proxies. About 10% of attacks fall into this category of unrealistic source IP statistics.
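The per-source analysis above (aggregate each source IP's rate, compare the mean against the median and 95th percentile, and flag per-source rates too high to be one real host) as an added example. This is not Arbor's ATLAS or TMS code; the flow records are constructed and the 1 Gbps per-source threshold is an assumption chosen for illustration.

```python
"""Per-source DDoS flooding statistics from flow-style records (added example)."""
import math
from collections import defaultdict
from statistics import mean, median

# Assumed threshold (not from the post): a single real host sustaining more
# than 1 Gbps toward one victim is implausible for most botnet members, so
# such a "source" is more likely a spoofed address reused by the attack tool
# or many hosts collapsed behind a NAT / mega-proxy.
UNREALISTIC_BPS_PER_SOURCE = 1_000_000_000

# Constructed sample flow records for one attack: (src_ip, bytes, packets)
# observed over a WINDOW_SECONDS measurement window. A source may appear in
# more than one record (e.g. seen on several router interfaces), so we
# aggregate before computing rates.
WINDOW_SECONDS = 60
SAMPLE_RECORDS = [
    ("192.0.2.10", 700_000_000, 525_000),
    ("192.0.2.10", 500_000_000, 375_000),
    ("192.0.2.11", 600_000_000, 450_000),
    ("198.51.100.5", 300_000_000, 225_000),
    ("198.51.100.6", 150_000_000, 112_500),
    ("203.0.113.7", 30_000_000_000, 30_000_000),  # 4 Gbps from "one" host
]


def per_source_rates(records, window_seconds):
    """Aggregate records by source IP and return {ip: (bps, pps)}."""
    totals = defaultdict(lambda: [0, 0])
    for ip, nbytes, npackets in records:
        totals[ip][0] += nbytes
        totals[ip][1] += npackets
    return {ip: (b * 8 / window_seconds, p / window_seconds)
            for ip, (b, p) in totals.items()}


def percentile(values, pct):
    """Nearest-rank percentile (the convention used for the 95th-percentile
    figures in this example; the post does not state its own method)."""
    ordered = sorted(values)
    rank = max(1, math.ceil(pct / 100 * len(ordered)))
    return ordered[rank - 1]


def attack_summary(rates, unrealistic_bps=UNREALISTIC_BPS_PER_SOURCE):
    """Summarise an attack the way the per-source tables in the post do:
    source count, mean / median / 95th percentile / max of per-source bps,
    and the sources whose rate is too high to be one real host."""
    bps_values = [bps for bps, _ in rates.values()]
    pps_values = [pps for _, pps in rates.values()]
    return {
        "sources": len(rates),
        "total_bps": sum(bps_values),
        "mean_bps": mean(bps_values),      # skewed upward by the 4 Gbps tail
        "median_bps": median(bps_values),  # what a "typical" source sends
        "p95_bps": percentile(bps_values, 95),
        "max_bps": max(bps_values),
        "mean_pps": mean(pps_values),
        "suspect_sources": sorted(ip for ip, (bps, _) in rates.items()
                                  if bps > unrealistic_bps),
    }


if __name__ == "__main__":
    summary = attack_summary(per_source_rates(SAMPLE_RECORDS, WINDOW_SECONDS))
    for key, value in summary.items():
        print(f"{key:>16}: {value}")
```

On the constructed sample the median source sends 80 Mbps while the mean is 860 Mbps, which is the heavy-tail skew the post describes, and the 4 Gbps "source" is reported as a spoofing / NAT suspect.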

The next table focuses on TCP layer DDoS attack statistics. The first column shows the number of TCP connection attempts per second in each attack and the second column provides the median, mean, 95th percentile and max number of connections that actually pass a range of validation algorithms (i.e. “prove” that the TCP connection is from a real host). Ranging from several hundred thousand to millions of connection attempts per second, the data in the chart suggests most of these SYN floods either use attack tools with incomplete stacks or spoof the source IP address (which is pretty much what you would expect). In the specific case of the Wikileaks retaliatory attacks, we believe most of the traffic did not spoof and used the actual source IPs.


tcp layer attack statistics

Finally, the last table below provides statistics on two types of application-layer attacks: HTTP and SIP. In general, HTTP attacks involve highly targeted floods of requests for complex / computationally expensive web or service queries. Examples of well-known attacks include Slowloris and Slow Post. From the data, web attacks involve relatively low bandwidth (the 95th percentile is 10 Mbps). Further, web attacks involve a larger number of hosts (414 in the 95th percentile) than zombie and other types of flooding attacks. Both SIP and HTTP layer attacks tend to be long-lived — targeting infrastructure for days and sometimes weeks. Unlike HTTP, SIP attacks tend to be larger (average 200 Mbps and 77 Kpps) and more resemble flooding attacks as hackers attempt to overwhelm SBCs or soft-gateways.


application attack statistics

So what conclusions can we draw from all of the above data?

Like the initial Wikileaks attacks, most DDoS continue to rely on brute force flooding to exhaust link capacity or overwhelm load balancer, firewall and web server state. Further, despite the conventional wisdom in the security community that spoofing is no longer common (because botnets are so prevalent), analysis of 5,000 validated DDoS attacks suggests a significant percentage of attackers still take advantage of a lack of BCP-38 and generate large volumes of spoofed DDoS traffic.

While the Wikileaks and retaliatory attacks may not represent the start of “cyberwar”, governments clearly view cyberspace as the battlefield of the future. The trend towards militarization of the Internet and DDoS used as a means of protest, censorship, and political attack is cause for concern (the world was a simpler place when DDoS was mainly driven by crime, IRC spats and hacker bragging rights). Overall, DDoS fueled by the growth of professional adversaries, massive botnets and increasingly sophisticated attack tools poses a real danger to the network and our increasing dependence on the Internet.

- Craig


Credit to Joe Eggleston, Jose Nazario, Jeff Edwards, Roland Dobbins and Mike Hollyman for their contributions to this analysis.

– Craig Labovitz on Security to the Core | Arbor Networks Security » 2010


Twitter: The Internet is a more dangerous place

Twitter has made it extremely easy for people to share news and web links and at the same time has created a boon for online criminals. It is hard to find a web service that has done more to make malware distributors’ jobs easier.

I don’t mean just the explosive growth in the Twitter user base. Microblogging in general, and Twitter specifically, contribute to malware distribution in fundamental ways that must be re-examined and corrected.

Here are the Twitter features that make it so dangerous:

  1. Twitter usernames are easily harvested in vast quantities
  2. Criminals can send tweets to anyone on Twitter
  3. Twitter encourages its users to share without thinking
  4. Twitter and supporting services like bit.ly strip away critical context
  5. Twitter is programmable and can be automated using their published APIs

Twitter features look like an Internet criminal’s wish list.

While each of these features has appeared to some degree in other Internet services like email and instant messaging, Twitter has taken them to a new level and — as icing on the cake — got celebrities like Ashton Kutcher and Miley Cyrus to help fuel the frenzy of massive sharing.

Before describing how these features introduce vulnerabilities hackers can exploit more easily than ever, let’s be clear that this is not Twitter bashing. There is a reason Twitter has become so popular: it clearly meets a need shared by many millions of users. On Twitter.com we see people using the best features of the Internet to be more connected and more informed. But just as we think twice about attending large gatherings during a swine flu pandemic, we should also think twice about sharing links on an infected Internet.

Okay, let’s look at our hacker wish list in more detail.

Twitter usernames are easily harvested in vast quantities

Compared to email, collecting huge lists of Twitter usernames is incredibly easy. Part of the attraction of Twitter is that anyone can see what all the users are up to, including seeing usernames. Showing everyone what everyone else is saying is a great way to encourage new users to join the fun. It’s also a great way to build a list of users to target.

Quality email lists, on the contrary, are harder to build. Malware authors have been very creative in building tools to collect email address lists. The Warezov worm, for example, would scan a PC for email addresses and then send itself to those addresses to continue the process. These worms, however, require a user to open a binary attachment to start the process, and then require the next recipients to do the same.

Warezov and other email worms were pretty darn effective, but gathering lists of Twitter users does not require jumping through such technical and social engineering hoops. The public nature of Twitter usernames, combined with the Twitter API (see below), makes it outrageously easy to “crawl” across Twitter and build massive lists of users.

Here is an interesting look at a Twitter-crawling app created by some good guys — repeat Good Guys! — that demonstrates the concept.

Looking at the image above, it is important to note that not only are lists of usernames easy to build, but relationships between users are also publicly available on Twitter, raising the possibility of targeted attacks against organizations using (seemingly) inside information. (“Harry Reid said you should respond to this: [click here]”)

Criminals can send tweets to anyone on Twitter

Now that we have a huge list of usernames that we generated in a couple of hours, our next step will be to send them malicious links to infect their computers. Before the rise of Twitter, there were other methods malware distributors used to get links in front of people. “Spim” is the term for sending spammy links through an Instant Messaging (IM) network. But the Instant Messaging model calls for users to establish relationships by a two-way handshake. I add a new user to my contact list, they see the request and choose to accept the relationship. Then I can send messages. Now, it is true that malware writers can circumvent this requirement for a handshake but, like the email address harvesting example above, it requires malware engineering to get around protection designed into IM systems. On Twitter there is no such requirement.

Twitter has a similar model wherein I follow you and you follow me. But you do not have to choose to follow me in order to see messages from me. I can follow you, see your tweets, and send a reply that you will see in your reply box. The Replies page is labeled “Tweets mentioning [myusername]”. And on Twitter, who does NOT want to see tweets mentioning them? (Miley Cyrus aside.) Compared to the effort of hacking an IM system to send unsolicited links, Twitter makes it very easy for anyone to send links to arbitrary users.

So I build a huge list of usernames, follow all the users, wait for them to tweet and then reply with: “You are so right and this proves it: [click here]”
At this point, the only thing keeping my huge list of users from clicking the link is a good dose of caution. And Twitter is not about caution. Read on.

Twitter encourages its users to share without thinking

Stepping out of the technical realm for a moment, let’s look at the Twitter social phenomenon. Twitter is not about privacy. Twitter is about massive-scale sharing. The tagline on the Twitter home page is, “Share and discover what’s happening right now, anywhere in the world.” And, “Join the conversation.” THE conversation. Not one on one conversations with your known friends. We’re talking about The Big conversation that we crawled through collecting our usernames up in step one.


Twitter does provide Public or Protected accounts. But the default setting is public and the message is clear: don’t be shy. Jump in the deep end of the pool.

On top of that, the first step you see after creating an account is “See if your friends are on Twitter” and a web form that asks for your Gmail, Yahoo or AOL email password. Yes, your password. Twitter will log into your email account and retrieve your contact list to see if there are matching Twitter accounts. Doesn’t this sound just like our friend Warezov described above?

Of course these are features designed to maximize the number of users and connections between users, and that’s the attraction of Twitter. The sunny day scenario is a positive one that helps build the Big Conversation. What we are doing here is looking at these features with an eye on how they contribute to the spread of malware across the Internet.

So to recap: we have a huge list of usernames with known relationships between users, we can send any of them a link that includes some apparently familiar context even though they don’t know us, and the users are in a hurry. Tweets are short and sweet and meant to be posted and read frequently. This favors the social engineering malware distributor who hopes the users do not spend too much time deciding whether or not to click a link in a tweet.

Twitter and supporting services like bit.ly strip away critical context

Tweets are very short messages that don’t leave a lot of room to establish familiar context. “Check this out: [click here]” is a classic line from emails that distribute malware.

The shortened URLs that appear in tweets remove all the warning signs that indicate dangerous links. When a link appears in your email, an IM message or a tweet it is important to inspect the URL and see where it goes before clicking on it. If we receive a message that looks like it is from a friend asking us to look at their vacation pictures, we have a chance to be suspicious if the URL ends in a .ru (Russia) or .cn (China). It’s not likely that our friends chose a Russian or Chinese photo hosting service. Or if the link is purportedly from our bank but the URL looks like http://aimee.pl345xxx.ru/scripts/infector/clickit.html, we might be wary about clicking it.

Would you be suspicious of this URL?

http://aimee.pl345xxx.ru/scripts/infector/clickit.html

URL shortening services like bit.ly, tinyurl.com or tweetburner remove all the useful context and turn all URLs into generic nonsense. There is no chance for a user to screen out risky URLs when they are shortened.

How about this one?

http://bit.ly/YTmnD

Then there is the risk of someone penetrating the URL shortening service itself and hijacking previously shortened links to point them to malware sites. Over 2 million shortened links were hijacked this summer at URL shortening service Cligs.

Twitter is programmable and can be automated using their published APIs

As I mentioned above, Twitter provides an Application Programming Interface (API) that lets developers create programs to automatically exercise Twitter features. Features that the API does not support can be accessed by automating web requests as described here: Scripting Twitter with cURL.

Countermeasures

As we have seen, Twitter is a feature-rich malware distribution platform with a ready-to-go user base of 25 million Tweeters who are predisposed to do exactly what the bad guys want: click it fast. Here is a short list of things users can do to protect themselves:

  • Protect your tweets: Go into your Twitter settings and click the “Protect my tweets” checkbox at the bottom. This will remove you from the public timeline and only people you approve can follow your tweets and send you replies.
  • Check those short links: Network security firm Sucuri provides a free service that scans shortened URLs with McAfee SiteAdvisor and Google’s SafeBrowsing service. It’s available here: http://sucuri.net/index.php?page=tools&title=check-url. AVG’s LinkScanner is also an option that will scan all the links you visit in a supported browser.
  • Use Twitter security tools: Security tools designed specifically for Twitter are starting to appear on the market. I haven’t evaluated them yet, but one recent example is Krab Krawler from Kaspersky.
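The “check those short links” advice above, as an added example (not SafeCentral's, Sucuri's or AVG's tooling): it resolves a shortened URL one redirect hop at a time with HEAD requests, so the real destination is visible before anything is visited, then applies the context checks the post describes (risky TLD, redirect chain through shorteners). The redirect table, short codes and destination mapping are constructed so the example runs offline.

```python
"""Resolve a shortened link hop by hop and surface the context it hides (added example)."""
import http.client
import urllib.parse

# TLDs the post singles out as a warning sign when the sender claims to be a
# friend or a bank; extend for your own environment.
RISKY_TLDS = {"ru", "cn"}

# Constructed redirect table used in place of live HEAD requests so the
# example runs offline: each key answers with the Location value shown.
FAKE_LOCATIONS = {
    "http://bit.ly/EXAMPLE1": "http://tinyurl.com/example1",
    "http://tinyurl.com/example1":
        "http://aimee.pl345xxx.ru/scripts/infector/clickit.html",
    "http://bit.ly/EXAMPLE2": "http://photos.example.com/album/42",
}


def head_location(url, timeout=5):
    """Return the Location header the server answers this URL with, or None.
    A HEAD request that is not auto-followed lets us inspect each hop before
    a browser would actually fetch it."""
    parts = urllib.parse.urlsplit(url)
    conn_cls = (http.client.HTTPSConnection if parts.scheme == "https"
                else http.client.HTTPConnection)
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    conn = conn_cls(parts.netloc, timeout=timeout)
    try:
        conn.request("HEAD", path)
        resp = conn.getresponse()
        return resp.getheader("Location") if 300 <= resp.status < 400 else None
    finally:
        conn.close()


def expand_url(url, resolver=head_location, max_hops=5):
    """Follow redirects one at a time; returns the full chain starting at url."""
    chain = [url]
    for _ in range(max_hops):
        target = resolver(chain[-1])
        if not target:
            break
        target = urllib.parse.urljoin(chain[-1], target)  # relative Location
        if target in chain:  # redirect loop
            break
        chain.append(target)
    return chain


def assess_link(url, resolver=head_location):
    """Expand the link and apply the simple context checks the post describes."""
    chain = expand_url(url, resolver)
    final_url = chain[-1]
    host = (urllib.parse.urlsplit(final_url).hostname or "").lower()
    tld = host.rsplit(".", 1)[-1] if "." in host else ""
    warnings = []
    if len(chain) > 1:
        warnings.append(f"{len(chain) - 1} redirect(s) hid the real host {host}")
    if len(chain) > 2:
        warnings.append("chained through more than one redirecting service")
    if tld in RISKY_TLDS:
        warnings.append(f"final host is under .{tld}")
    return {"final_url": final_url, "hops": len(chain) - 1, "warnings": warnings}


if __name__ == "__main__":
    for short in ("http://bit.ly/EXAMPLE1", "http://bit.ly/EXAMPLE2"):
        print(short, "->", assess_link(short, FAKE_LOCATIONS.get))
```

Call `assess_link(url)` without a resolver to use real HEAD requests; the HEAD itself still contacts the shortener, so run it from a sandboxed host if the link is untrusted.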

– on SafeCentral Blog


Internet kiosks – harmful to your health?

I’m in Wellington, New Zealand, attending the fourth annual Kiwicon event. Like Ruxcon in Australia, Kiwicon is a grassroots hacker* conference.

The accessibility and popularity of the event – it takes place over a weekend, and costs just NZ$ 55 (about $ 40 USD/AUD/CAD) to attend – is obvious in the growth in delegate numbers. From around 80 attendees in its first year, Kiwicon has grown to a festive, friendly and well-informed crowd of 350.

Despite the low price, the quality of both delegates and speakers is world-class.

I’ve just come out of a talk by Paul Craig, renowned internet kiosk hacker and security expert. You can find internet kiosks all over the world in hotels, airports, libraries, convenience stores, shopping centres, universities. As it happens, there are no fewer than 16 kiosks in the lobby of the building where Kiwicon is being held.

Internet kiosks can be useful. Most of them offer pay-as-you-go internet access service, often coin-operated, conveniently allowing you to jump online. If you don’t have a laptop handy, kiosks sound like a great way to read the latest news, communicate with friends, check your investments and make those all-important Facebook posts.

Because they’re a shared resource, kiosks are supposed to restrict your browsing. This is so that you don’t leave anything behind for the next user to grab hold of, and so that you can’t install something to compromise the safety of the next user.

But Paul Craig’s talk made it quite clear that using most kiosks for anything to do with personal information is incredibly risky. They simply do not provide the safety and security they are supposed to. During the talk, he gave a live demonstration of how easily he could subvert the security of five different popular kiosks, both Windows and Linux based. He was able to get a command shell, install arbitrary software, change security settings – whatever he wanted. The kiosks were all, in a word, pwned.

The problems stem not from the fundamental impossibility of building a safe kiosk, but from the demands of the average kiosk users. It’s not enough for a kiosk vendor to provide very basic features, such as the ability to send and receive simple internet messages.

Kiosk users demand access to a full-featured, familiar browser, such as Firefox or Internet Explorer, with an extensive range of add-ons. Just viewing a web page is not enough – users also want to be able to download and read PDFs, view documents and spreadsheets, watch Flash videos, and much more. This complexity, as usual, ends up being the worst enemy of security.

Interestingly, Paul noted that he has carried out similar penetration tests against photo kiosks – those devices in camera shops into which you plug a phone or USB stick to print out pictures – entirely without success. (I was slightly surprised to hear this, since photo kiosks are regularly implicated in the accidental spread of USB malware.)

Paul suggested that the greater resilience of photo kiosks can be explained very simply: they have a better-defined and smaller set of functionality, and thus a much smaller attack surface.

In short, kiosks have become too complex to be made secure. I’d suggest that you use them only for the most general browsing tasks. Internet banking, access to on-line accounts such as social networks, and the like, are all definite no-nos.

Sometimes, those Tweets will simply have to wait.

[*] For a rational explanation of the meaning of hacker, watch this video:



Analysis: Internet fraud for dummies: practical advice for protecting yourself against online scams

Internet fraud has been around for just about as long as the Internet itself. Each year, cybercriminals come up with new techniques and tactics designed to fool their potential victims. – on Securelist / All Updates


Internet Explorer 9 – more secure

Microsoft has added new security features progressively with each version of Internet Explorer (IE). For example, IE 7 introduced a phishing filter, and IE 8 added a cross-site scripting filter and InPrivate browsing for better protecting the users’ privacy.

With the IE 9 beta versions out now, Microsoft promises even more security than all its predecessors. One problem, though, is that it runs only on Windows Vista SP1 and newer Windows versions. Windows XP, which is currently still the most widespread Windows, is not supported at all.

Summarizing the changes in IE9 which drive Microsoft to claim it is the most secure browser from the Redmond company, the most important new security feature is the Download Manager with SmartScreen filter integration. SmartScreen is a URL blacklist providing malware and phishing protection. Starting with this version, Microsoft introduced SmartScreen download reputation. SmartScreen download reputation is a browser feature that uses reputation data to remove unnecessary warnings for well-known files, and shows more severe warnings when the download has a higher risk of being malicious. This reduces the problem of users ignoring or deactivating these warnings if they appear too often. The download manager also performs some malware checks, digital signature checks, and so on.

Something closely related to security is the approach of separating the core from third-party functionality like plugins and add-ons. IE9 calls this “Hang recovery” and “Automatic crash recovery”. There is also another interesting feature called “Add-on Performance Advisor”, which should audit all add-ons and allow the user to close those that are slowing down the browser. There is also hope for enterprise users because IE9 now has over 1500 Group Policy settings built in, allowing IT professionals to tweak the browser in many ways.

Sorin Mustaca
Data Security Expert

– Avira GmbH on Avira – TechBlog

