www.emagined.com

Archive for October, 2009

More on Fighting Laptop Theft

October 30th, 2009

I’ve written about the laptop theft problem before, and have recommended some widely-accepted control measures to reduce the risk of laptop-theft incidents. I’ve come up with a few new perspectives since I previously wrote about this issue, and I would like to share them with you.

The laptop I use most often is a Dell Inspiron 600. This computer was issued to me when I joined High Tower Software in July, 2005. Windows XP (now with Service Pack 3) was installed on this laptop, and all things considered, the hardware and operating system have both been excellent. When High Tower folded just about a year ago, all employees with laptops were allowed to keep them. The timing was not very optimal, as my computer was getting older, and I had requested a new one. A number of employees walked away from the High Tower office for the last time with much newer and better machines than mine, but still mine was not (and still is not) really such a bad machine, even though it had gone through all the travails of frequent travel.

Travel is not good for laptops because they get banged around. Airport security staff who inspect them to ensure they do not contain explosives are some of the worst offenders, but I also deserve my fair share of the blame. My laptop really shows the signs of travel-related wear and tear. There are numerous scuff marks on it as well as an ugly gouge, and the paint has faded in a non-uniform manner. This laptop looks as if it has been in a battle zone for a prolonged period of time to the point that sometimes my friends ask me when I am going to get a new one. I will buy a new one some day before too long, but one of the reasons I always take this particular machine with me is that it is not a very attractive target for laptop thieves. Statistics indicate that the major motivation for stealing laptops is to obtain a computer that can be sold in a pawn shop or other place. Most laptop thieves are interested neither in the software nor personally identifiable information and/or financial information. Consequently, I feel that the appearance of my machine is sufficiently ugly that most thieves won’t want to steal it.

How ugly a laptop looks is something that most organizations and individuals never think about, but perhaps they should. I would not rely on laptop ugliness as a major theft deterrent, but I am confident that if a thief has a choice of stealing a brand new, attractive laptop or one that appears old and beaten up, the thief will steal the former nearly 100 percent of the time.

Another measure that I take with my laptop is never allowing any externally-visible information about my employer such as the name of the company, URL for its Web site, and/or the physical location of the company. I figure that if I taped my Emagined Security business card to it, my laptop would become a more attractive target of theft because some laptop thieves are after proprietary and other information. Instead I tape my own personal business card to it. If you read one of my previous blog entries you’ll discover that doing this also saved my neck, so to speak, one time. I left my laptop at San Francisco International Airport security and flew ignorantly and blissfully to Bloomington, Illinois. If my personal card had not been taped to the computer, no one from airport security would have called my home number to report that my computer had been left behind. The ending to this story was good—I was able to recover my computer.

A final, additional non-conventional laptop theft prevention measure is being smart when it comes to storing a laptop when away from home. If I am on travel and I am at a restaurant, I actually take my laptop into the restaurant with me and place it right next to my chair. A few times waiters have almost tripped on it, but no real catastrophes have happened, and I have never had a laptop stolen. I used to leave my laptop in the trunk of whatever rental car I had, but when I realized just how proficient thieves have become in breaking into trunks, I gave up doing this. The biggest dilemma concerning laptop security that I typically face, however, is what to do with my laptop when I am in a hotel and want to go running. I suppose that I could bring a backpack with me, put it on and stick my computer in it, but that seems a little over the top. Consequently, I place my computer in some place that I am fairly sure most thieves would not look, like the back of the toilet.

Conventional laptop theft prevention measures are good, but if you really value your laptop, you might consider additional measures. The ones I have mentioned may seem weird, but they definitely work for me as well as for others who have used them.

Network Security

Revisions to the U.S. Patriot Act

October 27th, 2009

The Patriot Act, passed shortly after the September 11 terrorist attacks in 2001, was designed to give US law enforcement greatly expanded power to conduct surveillance and other activities without the need for warrants and other legal measures. The impending expiration of primary provisions of the Patriot Act has catalyzed considerable legislative activity within the US Congress, particularly within the House of Representatives. Certain House members are greatly focused on introducing significant changes to this law.

At the center of much of the activity surrounding this law is the provision that telephone companies that cooperate with the US government in turning over customer information are granted legal immunity. This particular provision, which is not due to expire at the end of this year, concerns National Security Letters (NSLs), which are defined by Wikipedia as the following:

“… a form of administrative subpoena used by the United States Federal Bureau of Investigation and reportedly by other U.S. Government Agencies including the Central Intelligence Agency and the Department of Defense. It is a demand letter issued to a particular entity or organization to turn over various records and data pertaining to individuals. They require no probable cause or judicial oversight. They also contain a gag order, preventing the recipient of the letter from disclosing that the letter was ever issued.”

The fact that no probable cause or judicial oversight is necessary for NSLs to be issued has been a major concern of civil libertarians. The changes proposed in the House of Representatives legislation (the Conyers-Nadler-Scott Bill) would greatly limit the conditions under which NSLs could be issued under the provisions of the Patriot Act—namely, only when espionage or terrorism activity by an individual or a foreign entity were involved. The story in the Senate is completely different. A similar bill sponsored by Senator Richard Durbin of Illinois did not even make it out of the Senate Judiciary Committee. Senator Russ Feingold of Wisconsin has not gotten even that far in bringing a bill designed to limit the immunity of telecommunications carriers for “turning in customers” to a vote. Clearly, the Senate and House are a long way apart when it comes to views about changing provisions of the Patriot Act.

So where does it all go from here? My gut feeling is that eventually some of the provisions of the Patriot Act will be toned down. As I have said before in my Computers and Security editorials, the Patriot Act, while well-intentioned, aids and abets potential tyrants. This act is not only badly misnamed, but it also has dismal implications for civil rights, personal liberty, and privacy. The overreaction after the events of September 2001 has for the most part come to an end. It is thus high time to revise the provisions of this act to bring them much more in line with the realities of the current world as well as the ideals and values of America.

Network Security

Mail Delivery Problems in Google’s Postini Service

October 23rd, 2009

Last week users of Google’s Postini message service experienced a major disruption in mail delivery, something that triggered a flood of email and postings from angry customers. Some started examining alternative mail services, and Google Postini competitors started touting the reliability of their own message services. Although there was no problem with outgoing email per se, incoming email was severely delayed, causing everything from minor irritation among customers to disruption of business activity. One of the worst stories was from a legal firm that was unable to obtain a critical email message from a client in time for a trial. Even Google Apps Premier customers, who pay a premium of $50 per year for top-end mail services, experienced the same problems as regular users.

The problem was compounded by a lack of communication on Google’s part. Many customers sent inquiries to the Postini Help Forum, but received no response. Later a Google spokesperson said only that Google was aware of the problem and was trying to fix it. Finally, a Google engineer posted a message of apology to the Postini Help Forum, saying that the delivery rate for mail was back to normal and that no message traffic had been deleted or bounced as the result of the problems.

What is most significant about what happened is that it exposed some of the huge cracks in cloud-based services. Google, the inventor of the “cloud computing” term, champions its cloud services, but certainly did not deal with the problem in its Postini mail services very well. People and organizations keep rushing to capitalize on low cost or free cloud services without considering the downsides of doing so. The biggest downside may be reliance on the Internet. Between every cloud service and customer is a common link—the Internet.

I’m not at all knocking the Internet, but it (when it was the NSFnet) started out without built-in security mechanisms by design. It was originally built to provide free and easy access to users. The notion that individuals would deliberately try to cause interruption or corruption of services was not seriously considered at that time. Users were told to build in their own security if they wanted any. And things are not too different now. What the Internet has become over time is a number of backbones that connect Metropolitan Area Networks (MANs). ICANN, the Internet oversight organization, contracts with various service providers to run the Internet’s root DNS servers; security requirements for these servers are specified in contracts with these providers. But other than that, the Internet is still a gargantuan network without inherent security. Consequently, the Internet is vulnerable to massive attacks launched by determined individuals. If you are still skeptical, please recall the three well-known attempts over the years to take down so many root DNS servers that the Internet would become unusable. Two of these three attempts came very close to succeeding.

One day the Internet will be taken out for a prolonged period of time by a massive distributed denial of service (DDoS) attack. A very large number of systems infected with bots will flood the Internet. Multiple Internet Service Provider (ISP) networks will be involved. Gigantic pipes along some parts of the network will be able to move the traffic, but the volume of packets reaching routers will overwhelm them. As a result, links and routers that connect the infrastructure will crash or become unresponsive, and/or legitimate traffic will be disrupted such that the quality of Internet service will become intolerable. This will happen at some point in time—trust me.

The impact on those who rely on cloud services will be catastrophic. Having redundant cloud providers will not help. The amount of loss and disruption will be beyond belief, and a fair share of cloud-reliant companies will go out of business.

So I close with an earlier statement—between every cloud service and customer is a common link—the Internet. Realizing this might make some cloud-frenzied individuals and organizations come back to their senses.

Network Security

The Media and Cybercriminals

October 20th, 2009

I recently read an article on CNNMoney.com (http://money.cnn.com/magazines/moneymag/bestjobs/2009/snapshots/8.html) in which Gregory Evans, a self-employed information security consultant based in Atlanta, discussed what he does for a living. Describing the job of computer/network security consultant as the “eighth best job in the world,” CNNMoney.com reported that Evans describes himself as a “cybercrime fighter.” He said that his job is to counter threats to computing systems and networks such as hackers, viruses, worms, and spyware.

From what I read, Evans is a personally and professionally competent individual. At the same time, however, I found out that he has a sordid past, one in which by his own admission he broke into one computing system after another. Here we go again—the media glorifying another individual who has a history filled with criminal activity. Lamentably, this is not the first time this kind of thing has happened, and it will not be the last.

The media is not the only entity that does this kind of thing. I remember that not all that many years ago I was doing some consulting for a very large financial organization. The lead technical person in information security had achieved considerable notoriety from all his previous hacking and phone phreaking activity. He was ostensibly very knowledgeable about information security, but when I realized who he was, I got a sinking feeling in my stomach. I did not find out that I would have to work with him until I was on site at this client’s facility. Had I known in advance, I never would have accepted the consulting job. How could an organization with so much at stake have allowed someone with such a background to work there (in information security, yet!)? How did this person ever slip through a background investigation? Truly there was something wrong in the state of Denmark.

The media may send the wrong message, and financial and other institutions may make the wrong decisions, but what gets to me the most is when information security organizations have former cybercriminals speak (often for exorbitant prices) at conferences and meetings. I’ve written a previous blog entry on this disturbing trend, so I won’t say anything else here except that no matter what incentives are offered to me, I will not speak for any organization that has at any time brought computer criminals in to speak at any of its conferences and meetings. There are lots of speaking opportunities out there—why serve some organization that is not serving the information security profession well?

So I want to propose what I believe is a new idea. Why not make having a professional certification such as the CISSP a prerequisite for the privilege of speaking at information security meetings and conferences? This would weed out individuals such as Evans who have engaged in previous criminal activity, because having done so disqualifies anyone from becoming CISSP-certified. Additionally, this would prevent individuals such as product managers and marketers from security vendors from speaking at professional information security events. Don’t get me wrong—I have a lot of respect for well-seasoned product managers and marketers, and I love talking to them at trade shows. But these individuals typically have minimal credentials in information security. They are usually neither teachers nor mentors in our field. Furthermore, they typically “hawk their wares” one way or another when they speak. If they do not directly make a sales pitch for whatever product they represent, they often indirectly do so by stating the requirements for a certain type of product and then “mentioning” that their product fulfills these requirements.

I do not know what to do about the media making ex-computer criminals look so good, nor can I really do anything about organizations hiring these criminals. But I know what to do about professional organizations bringing these and other unqualified or undesirable individuals in to speak. You can vote with your feet, as I do, and I hope that you also consider doing this.

Network Security

A New Milestone for Microsoft

October 16th, 2009

We all know what “Patch Tuesday” is. Every month on the second Tuesday, Microsoft releases a bulletin describing vulnerabilities and hot fixes or descriptions of workarounds in its products. Interestingly, six years have now gone by between the time of the first Patch Tuesday and the one two days ago. Over these six years, Microsoft has distributed nearly 400 bulletins that have described nearly 750 vulnerabilities. Most of these vulnerabilities have not been trivial, either; Microsoft has in fact rated over half of these vulnerabilities as “critical.” And if you look at the trends, you’ll discover that during each year since October 2003 there have been more announced vulnerabilities than in the previous year.

Having worked for a software company for over three years, in a way I pity Microsoft. Simply keeping up with patches for a single product was a bigger task than I ever envisioned, and Microsoft makes many products. At the same time, however, there is something rotten in the state of Denmark, so to speak. Not only is the number of vulnerabilities in Microsoft products increasing every year, but as I have mentioned before, years ago Microsoft told the world that its Trusted Computing Initiative (TCI) was going to substantially raise the quality of Microsoft code. Microsoft programmers were not only going to get training related to secure code development, but they also were going to be held responsible for the quality of the code they produced. It would be very difficult to fault Microsoft for coming up with and implementing its TCI, but if this initiative were truly successful, we would see the number of vulnerabilities in Microsoft products decreasing year by year. Yet the opposite has happened. Additionally, the same vulnerabilities should not keep resurfacing from one version of a product to the next. The good news is that many vulnerabilities are unique to a particular release of a particular Microsoft product. Unfortunately, however, there are numerous, serious exceptions, the most recent of which (described in Microsoft bulletin MS09-056) is a critical, remotely exploitable vulnerability in Microsoft’s Server Message Block (SMB) protocol that could allow unauthorized execution of remote code that runs with elevated privileges. All, and I repeat, all, Windows operating systems from Windows 2000 to Windows 2008 R2 have this vulnerability. I must lamentably thus conclude that although the TCI was a brilliant idea, there is a significant gap between what this initiative promises to deliver and what it has actually delivered.

As an aside, I need to tell you just how much I hate Patch Tuesdays. I use Windows Automatic Updates on my Windows workstations, so hot fixes for these workstations are automatically downloaded. Half the patching battle is thus won from the start. I do not allow Windows Automatic Updates to automatically install the hot fixes, however. I was once badly burned when I had this function set to automatically install hot fixes. Something was wrong with a particular IE fix; after it was installed and I tried to reboot the system in question, that system never rebooted. I had to reinstall the system, something that really irked me because I was unusually busy at that time. To Microsoft’s credit, this vendor fixed whatever was wrong with the patch within a few days and released the corrected version to its customers. But the damage to my primary Windows system had already been done. This terrible incident created within me a healthy paranoia about Microsoft hot fixes. Now I normally wait at least ten days to a few weeks, time that I use to find out whether postings on the net show that people have experienced trouble with new hot fixes, before I ever consider installing them.

Microsoft has reached a huge milestone at the sixth year of Patch Tuesday. But I suspect that there was no celebration for the occasion in Redmond, Washington. Hopefully, higher-level management within Microsoft instead came to a deeper realization that although security in Windows products is not for the most part bad, there is surely a lot of room for improvement.

Network Security

Financial Trojans: Part 3

October 13th, 2009

After reading the blog entries on financial Trojans that I have recently written, you might get the impression that Trojan horses are the only kinds of malicious code that attempt to obtain financial information to be used in identity theft attempts and other kinds of criminal activity. After all, we know that malware writers have become increasingly motivated to make money. Trojans are covert, making them ideally suited for the perpetrators’ purposes. Other types of malicious code such as viruses and worms are easy to detect and are thus not very well suited for financial fraud and identity theft. Despite this, however, other types of malicious code are also being used for the same purposes.

Believe it or not, financial worms have been spreading on the Internet for some time now. Worms are not well-suited for financial theft and fraud attempts because once they infect a machine, they usually immediately start scanning IP address space to try to find other victims to infect, something that is very easy for anyone who uses intrusion detection, intrusion prevention, network monitoring, and other tools to discover. The best current example of a financial worm is the Clampi worm, which obtains and uses domain-administrator credentials to log in to Windows domain controllers. It then copies itself to all computers on the domain, trying to obtain information from commercial Web sites. It also serves as a proxy server to anonymize perpetrators’ activity when they log into stolen accounts. Despite the fact that this worm first surfaced approximately two years ago and also that it is not all that covert, Clampi has reportedly resulted in widespread financial loss.

Another type of financial malware is financial spyware, of which Rebery is one of the best examples. Rebery is installed through exploitation of vulnerabilities in Web browsers when users visit a malicious Web site. Once it infects a system, it stays dormant until users connect to certain on-line banking or e-commerce sites. It then wakes up and starts stealing customer and transaction data, sending them to a Web site controlled by the perpetrator. To help the perpetrator figure out exactly what has transpired in a banking session, it even captures screen shots throughout the entire session. Furthermore, a considerable amount of rootkit functionality is built into this malware, enabling it to escape detection through normal means such as running anti-virus or anti-spyware tools.

So what does all this mean? If anything, financial Trojans and similar kinds of malware are going to become more prolific. Resulting losses for financial institutions as well as individual users are likely to soar to the point that financial institutions will be forced to provide technology that discovers and eradicates malicious code such as financial Trojans. But is it too late? Consider Robert Mueller, Director of the FBI. He recently announced that he will no longer use online banking after he almost fell for a clever phishing attempt. Users who have their financial and personal information stolen during financial transactions are likely to reach the same decision, as are those who hear of friends and family members who have experienced such incidents. One thing is sure—if security in such transactions does not get better before too long, online banking as we know it could very well become a thing of the past.

Network Security

Consumer Education Is No Longer Enough to Fight Phishing

October 12th, 2009

In Thursday’s Bank Info Security newsletter, Linda McGlasson writes about the need for more consumer education and awareness as the primary strategy a bank should employ against phishing and malware. I don’t want to in any way criticize the efforts that have been made to date regarding the education of consumers and individuals about malware and phishing attacks. It’s a good start. However, we are fighting a losing battle. When you have such people as FBI director Robert Mueller ending his personal use of online banking after he got burned when he thought he could tell the difference between a genuine e-mail and a phishing attack, this should be a giant signal that we have reached the end of our ability to fight this war through consumer education.

Banks have generally innovated and provided reasonably good security concerning the use of websites for online banking. However, this technology continues to depend on the static password and shared secrets for authentication security. In an age when a significant proportion of PCs have been infected by malware, including key loggers, this is a demonstrably inappropriate strategy for banks to take.

Banks need to improve the customer experience so that use of a bank’s website involves less marketing and more assistance. If I think that the next window is geared toward selling me a product I do not want nor have time to consider, I am likely to click any button that will get me past it. The use of a tiny “no thanks” button hidden somewhere on the window plainly demonstrates that banks think marketing is more important than security. And indeed it may be. Banks expect consumers to shoulder a disproportionate burden for resolving fraudulent use of accounts, and what banks themselves are spending on security is a tiny rounding error compared to what they are earning as a result of fraud. How about devoting half of the $35 billion banks make each year on overdraft fees to new anti-fraud initiatives?

Next, banks should adopt a much more aggressive and industrial-strength approach to attacking those who misuse the Internet to propagate malware and fraud. Decoy accounts should be used to isolate and provide early warning on fraudulent activity. Aggressive forensic investigation should be used to track back to those responsible for malware and fraud. Aggressive and uncompromising use of cease-and-desist orders against all who prosper or encourage the use of malware and fraud must be pursued by the banking industry.

As anyone who has ever experienced fraudulent use of their bank account knows, banks tend to adopt a rather negative attitude toward customers who identify fraud. The attitude is very much that of “we’ll investigate and come to our own conclusion about whether or not these transactions are legitimate.” Banks need to recognize that their customers are the ones who discover fraud, and who bear the greatest burden for the resolution of fraud. Bank customers are banks’ greatest assets in fighting fraud. Why do banks persist in acting as though customers are somehow responsible for fraud? Yes, they may have allowed a sophisticated malware attack to infect their PC leading to fraudulent use of online banking credentials – but if the FBI Director himself gets fooled, doesn’t that show that consumers may be doing all they can do? Criminals are responsible for fraud, not consumers who’ve been fooled.

Statistics about this are hard to come by; however, I have a suspicion that banks are benefiting from fraudulent activity way more than they would care to admit. For example, I recently had $3500 of fraudulent airline tickets charged to my account. Thankfully, bank security flagged this on the day the charges were processed and sent me an email which I received on my Blackberry. The following day, I went into my bank to resolve the matter. I was overdrawn and needed to have the fraudulent charges and the $175 of overdraft fees reversed. The manager who helped me had me speak by phone with the bank’s fraud office to get this accomplished. Reversing transactions were put through that took effect on the following business day (a Monday :-) ) on a temporary basis until a permanent resolution could be approved by the bank. For this business day the bank had use of my funds and the net effect on its balance sheet was to overstate the bank’s cash position by $3500 until the funds availability was restored in my account. The bank knew it was fraud but waited a day to restore my balance. I could not use this money. Multiply this by the thousands (millions?) of transactions that succeed in a similar way against bank customers every day, and you have a rather significant bit of dirty laundry to add to the already significant pile accumulated next to the banks’ washer in the basement. In short, this incident — together with such things as overdraft fee abuse — illustrates that there is a significant moral hazard involved in banks’ handling of fraud related to their accounts.

This article depends on the premise that widespread use of online banking is a significant positive for the banking industry. I believe this to be true. Banks have achieved significant productivity benefits from implementation of electronic banking measures of all types. But if consumers develop the perception that banks don’t care enough about phishing and malware to really work hard to stop it, then the electronic banking revolution will fade before it reaches its full potential. One thing banks have learned over the decades is that customer perception about banks is very hard to change. And for their part, banks are rather clumsy in their own approaches to developing and managing their brands. If consumers believe that banks are content to let fraud take place and leave customers to pick up the pieces, that could turn into a huge negative that could take years for banks to reverse.

Hiding from the reality of organized phishing and malware attacks by pretending that all is well will not be productive. In the current climate of significant mismanagement of risk by banks (sub-prime mortgages, credit default swaps, etc. – dare I say wrongdoing?) banks should realize that the same old “safety and soundness” message they offer regarding handling of fraud creates a real cognitive dissonance among consumers. The notion that banks play the market like they’re in Vegas, then accept taxpayer bailouts, then pay themselves millions while they place a hold on your money as they “investigate possible fraud” should be killed with a stake through the heart by all banks who care about keeping their deposit base.

Banks should be known as the primary fighters against phishing, malware, and fraud that are out there causing consumers to think twice about using electronic banking services. When consumers are facing financial pressures like never before, banks should be their friend and advocate in fighting fraud, taking much more of a “we’re on your side” attitude. I would argue that if one half of the unneeded and unwanted marketing messages I receive from banks were converted to helpful and empowering messages about information security that would be a good start to improving our chances in the war against phishing, malware and fraud. Perhaps banks should offer a bounty to consumers who identify a fraudulent transaction on their online banking statement. I’d like to see more headlines about banks cooperating with authorities, filing criminal and civil complaints against individuals and organized crime who are engaged in criminal activities. Only when banks, together with the credit card companies, take the lead in this war will we stand any chance of stemming the tide of phishing, fraud and malware.

Network Security

Financial Trojans: Part 2

October 9th, 2009

It would be nice if the Zeus Trojan, discussed in my previous blog entry, were the only financial Trojan that posed a high level of risk. Alas, this is not true. In fact, many experts consider the URLzone Trojan to be even worse than Zeus. Financial Trojans such as Zeus capture users’ financial information and then rely on individuals to “do the rest of the dirty work.” The more dirty work these individuals have to do, the more likely it is that bank account customers will notice that something is wrong, prompting them to report suspicious account activity to bank authorities. In contrast, the URLzone Trojan is programmed to perform the steps that middlemen in fraudulent banking transactions normally have to perform, and it also uses a number of stealth mechanisms, thereby making fraud detection more difficult. Once this Trojan infects a system, it gleans the user’s banking information and uses this information to transfer funds to the accounts of naïve individuals who have been hired for jobs that superficially appear to be legitimate. These individuals then transfer the money to accounts owned by perpetrators. Information posted by Finjan indicates that to avoid fraud detection, each person used to make money transfers is allowed to do so only a maximum of two times.

The nature of money transfers to the hired “mules” varies. Each infected system connects to a server in the Ukraine to learn what to do next. It can, for example, be instructed to steadily withdraw small, random amounts of money from the victim’s account so that the withdrawals are less likely to be noticed. Additionally, the Trojan does not attempt to withdraw money when the balance of the victim’s account is zero. Furthermore, URLzone alters on-line statements by modifying the HTML content rendered by customers’ browsers such that when users view them, the fraudulent transactions do not appear. Another option is that if the fraudulent transactions are listed, the displayed amount for each is less than the amount that in reality occurred. The Internet Explorer (IE) browser has, according to anti-virus vendor Finjan, been involved in this fraudulent activity more than any other type of browser, but other browsers are also susceptible.

URLzone’s method of infecting PCs is anything but spectacular. Perpetrators send messages designed to entice potential victims to visit certain URLs. If users click on the indicated URLs, they reach malicious Web sites with routines that attempt to exploit a range of vulnerabilities. If the routines are successful, they inject the URLzone executable and then start it.

URLzone is taking a terrific toll; it reportedly resulted in nearly 6,600 fraud incidents last month, and was making the equivalent of nearly USD 18,000 per day for the perpetrators. Last August the perpetrators focused mainly on customers of major German banks; the financial loss then was reportedly around the equivalent of USD 400,000.

How long will URLzone go on making all kinds of trouble? No one is sure, but the fact that so many anti-virus tools fail to detect this malicious code has greatly contributed to its success. Count on more variants designed to accomplish a wider range of sordid actions surfacing in the future. And you can also count on the fact that most users whose systems are infected with URLzone will not notice that anything is wrong until the damage is already done.

Network Security
