Thursday, January 15, 2009

Is the Fishing Better on the Other Side of the River?

Recently I was the subject of another security professional's blog. My name was never mentioned in the blog itself because I have never been publicly identified, but the entire subject matter of the blog was my current task here at McAfee. Now I would believe that the majority of security professionals out there would not want their work to be criticized, but I actually feel the opposite. With all of the talk about the McAfee Secure Standard and how it could be improved, as a security professional myself, I fully agree. I do believe that client-side vulnerabilities such as Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF) should be a downgradable issue; however, business decisions are rarely up to the security professionals themselves.

Now I was planning on identifying the pros/cons of being under current scrutiny of security professionals, but honestly, I could not find any cons about it. Not only did the blog serve as a small acknowledgment that what I am doing here is actually making a difference, but it also served as a tool that I could exploit to verify that this current issue was serious and needs to be addressed.

I won't go into details of how I used this blog post to my advantage, but I will tell you that it involved sending the link to multiple parties. This raised the severity of the issue to a more critical state and teams were placed immediately to resolve the issue. It is amazing how someone you have never spoken with or met can make such an impact on your current position by pointing out the obvious. Sometimes I guess the obvious is rarely understood until it is made an example of.

I would like to finish typing for a while (because I am lazy today) by asking if anyone out there would like to blog about our salaries or the impact that we actually have on a company. I feel that these are two topics that affect me directly and I would love for them to be open to scrutiny.

Friday, January 2, 2009

Update On Google 302 Redirect Exploit

So I received an email from a compromised customer that has his web host's explanation of how he received the Google 302 redirect exploit. I found it quite interesting and I am currently working to see if it is in fact valid. I am having a few doubts (but it could easily be true) that this is exactly how this is occurring. Below is the response.

"In our ongoing commitment to the security of our customers, we have discovered a vulnerability located within many of our clients' websites, including yours. This is a self-replicating virus which is found by visiting well-known search engines. When you click on any link it may redirect you to a fake Anti-Virus 2009 website which appears to scan your system and then asks you to download the software. Once downloaded and installed it begins displaying pop-ups on your desktop. At this time it collects your FTP user name and password from your own computer and uses that information to upload an exploited file named ".htaccess" to your website. Any visitors to your website will then be redirected to the fake anti-virus website.

We have dedicated our systems administration team to finding a solution to this and are happy to say that as one of the first hosting companies we have successfully cleaned all instances of this virus from our servers more than a week ago, and are continually scanning them to ensure your site does not become re-infected.

While your website is now secure, your computer may still be at risk. Here are two easy steps that will detect and remove this malicious software from your computer and make sure your website will not spread the virus again:

1. Uninstall the fake Anti-Virus software by following the instructions at this link:

http://www.bleepingcomputer.com/malware-removal/uninstall-antivirus-2009

2. Once removed, change your FTP password from within your web hosting control panel. Once logged in, click on the FTP Manager icon and then on the icon next to the password to change it.

To illustrate the severity of the issue I would like to share some facts with you:

* 26,991 of our customers have been infected with fake Anti-Virus 2009

* 79,469 websites have been spreading the Anti-Virus 2009 infection

* 120,923 malicious files have been removed from our system

We are constantly monitoring our servers for potential threats to your website, and are proud to say that we are among the first web hosts to identify this particular problem, and have been the first to offer a resolution. Your continued and safe presence on the internet is our top priority.

If you have questions regarding any of this information, please contact our support team anytime."
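The host's explanation above boils down to one artifact: an `.htaccess` dropped into the site's document root that sends visitors arriving from search engines to an off-site page. A site owner who changed the FTP password still wants a way to confirm the hosted files are clean, so here is a small check for that. This is an added example written for this post; it is not code from the hosting company or from McAfee. It assumes Apache `.htaccess` semantics (`RewriteCond`/`RewriteRule`, `Redirect`, `ErrorDocument`), the two sample files are constructed, and `fake-av.invalid` is a placeholder domain, not a real indicator from the incident.

```python
"""Flag .htaccess directives that push visitors to an external host.

Constructed example for the 302-redirect write-up above. It parses the
directives a redirect-injection typically uses and reports any whose
target leaves the site's own domains. Heuristic, not a full Apache parser.
"""
from __future__ import annotations

import os
import re
from dataclasses import dataclass

# Referer substrings that mean the visitor came from a search engine.
SEARCH_ENGINE_HINTS = ("google", "yahoo", "bing", "msn", "live", "aol", "ask")


@dataclass
class Finding:
    line_no: int
    directive: str
    target: str
    reason: str


def _external_host(target: str, site_hosts: set[str]) -> str | None:
    """Return the host of an absolute http(s) target that is not ours, else None."""
    m = re.match(r"https?://([^/\s?#]+)", target, re.IGNORECASE)
    if not m:
        return None  # relative path: stays on this site
    host = m.group(1).lower().rsplit("@", 1)[-1].split(":")[0]
    if any(host == h or host.endswith("." + h) for h in site_hosts):
        return None
    return host


def scan_htaccess(text: str, site_hosts: set[str]) -> list[Finding]:
    """Scan one .htaccess body; site_hosts are the domains the site may legitimately use."""
    findings: list[Finding] = []
    referer_cond = False  # a search-engine HTTP_REFERER condition awaits the next RewriteRule
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        directive = parts[0]
        d = directive.lower()
        if d == "rewritecond":
            if (len(parts) >= 3 and "http_referer" in parts[1].lower()
                    and any(h in parts[2].lower() for h in SEARCH_ENGINE_HINTS)):
                referer_cond = True
            continue
        if d == "rewriterule":
            # An absolute external URL in a RewriteRule is a redirect even without [R].
            if len(parts) >= 3 and (host := _external_host(parts[2], site_hosts)):
                reason = ("search-engine visitors redirected to external host"
                          if referer_cond else "rewrite to external host (review)")
                findings.append(Finding(line_no, directive, host, reason))
            referer_cond = False  # conditions apply only to the rule that follows them
            continue
        if d in ("redirect", "redirectmatch", "errordocument"):
            # Last token is the target URL for all three directives.
            if host := _external_host(parts[-1], site_hosts):
                findings.append(Finding(line_no, directive, host, f"{directive} to external host"))
    return findings


def scan_tree(docroot: str, site_hosts: set[str]) -> dict[str, list[Finding]]:
    """Walk a document root and report every .htaccess with off-site targets."""
    report: dict[str, list[Finding]] = {}
    for dirpath, _dirs, files in os.walk(docroot):
        if ".htaccess" in files:
            path = os.path.join(dirpath, ".htaccess")
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = scan_htaccess(fh.read(), site_hosts)
            if hits:
                report[path] = hits
    return report


# Constructed samples. BENIGN canonicalises the site's own hostname; SUSPICIOUS
# mirrors the pattern described in the host's email (placeholder domain).
BENIGN = r"""# canonical host redirect
RewriteEngine On
RewriteCond %{HTTP_HOST} ^www\.example\.org$ [NC]
RewriteRule ^(.*)$ http://example.org/$1 [R=301,L]
"""

SUSPICIOUS = r"""RewriteEngine On
RewriteCond %{HTTP_REFERER} (google|yahoo|msn|bing)\. [NC]
RewriteRule ^(.*)$ http://fake-av.invalid/scan.php [R=302,L]
Redirect 302 /index.html http://fake-av.invalid/
ErrorDocument 404 http://fake-av.invalid/404.php
"""

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        hits = scan_htaccess(sample, {"example.org"})
        print(f"{name}: {len(hits)} finding(s)")
        for h in hits:
            print(f"  line {h.line_no}: {h.directive} -> {h.target} ({h.reason})")
```

Run it against a site's own document root with `scan_tree("/path/to/docroot", {"example.org"})` and review each hit by hand; a legitimate domain move can also produce an unconditional external rewrite, which is why that case is marked for review rather than treated as an infection on its own. Because the email traces the upload to stolen FTP credentials, a clean scan is only meaningful after the password has been changed.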