Archive for December, 2008

Initial assessment of rogue certificate authority risk

Wednesday, December 31st, 2008

Bottom line up front: Risk has not changed significantly as a result of research into rogue Certificate Authority attacks. This is a significant attack on an obsolete hash algorithm, but there is no known threat, and countermeasures are already taking place to reduce and possibly eliminate the potential that a threat actor will succeed using this attack.

There are numerous explanations of the technical vulnerability announced Tuesday, December 30, 2008, at the Chaos Communication Congress in Berlin. Brian Krebs at the Washington Post has done his customary superb job of making this understandable to the average Internet user. Professor Ed Felten at Princeton University crafted a version for those security professionals not normally earlobe-deep in cryptography and PKI. And Professors Gene Spafford at Purdue University and Steve Bellovin at Columbia University each have perspectives beyond the technical to explain how this happened and what information professionals can and should do now. They explain how this problem has been stalking us since 1996 and how we hit the snooze alarm then, in 2004, 2005, and last year.


Antivirus on OS X: Total cost of ownership

Tuesday, December 23rd, 2008

by Peter Tippett and Kevin Long

This is Part III of a three-part series on OS X security. Please read Part I and Part II if you haven’t already.

If you ran Amtrak, would you install a missile defense system on your trains? Trains are certainly vulnerable to missile attack, and the cost of such an attack would be devastating. Luckily, trains are not commonly subjected to missile attack, so the cost of implementing such a defense is not justified.

Is the protection afforded by antivirus software (AV) worth the cost? First we’ll estimate the cost, then we’ll discuss the protection AV affords.


Antivirus on OS X: The risk equation

Monday, December 22nd, 2008

by Peter Tippett and Kevin Long

This is Part II of a three-part series on OS X security. Please read Part I if you haven’t already.

Before we go further, a review of the Verizon Business RISK Team’s risk equation is in order. Risk is traditionally thought of as the product of Likelihood * Impact (Cost). In the world of computers, the Likelihood is itself the product of Threat, which is the frequency of attempts of an attack, and Vulnerability, which is the likelihood of success of an attempted attack considering all countermeasures that are already in place. Thus, Risk = Threat * Vulnerability * Impact.

For the purposes of this discussion, Impact is consistent across platforms, so Threat and Vulnerability are the factors that will be addressed.

The threat of attacks against OS X systems has traditionally been significantly lower than that against Windows systems. When OS X was introduced in 2001, reasons cited for that could have included the following: (more…)

Antivirus on OS X: Is it time?

Friday, December 19th, 2008

by Peter Tippett and Kevin Long

What’s a Mac user to do? Depending on where (and when) you looked, during December you’ve been offered the following advice when it comes to having security software on your system:

  • If you listened to Apple on December 1, you should be running multiple antivirus applications.
  • If you listened to a maker of antivirus software, you should be running their respective antivirus application.
  • If you listened to various bloggers and columnists, you’ve certainly not heard a consistent message.
  • If you listen to Apple today, they’re suggesting that Leopard is protected against malicious code “right out of the box.”

Despite the existence of several notable posts already written about this topic, this month’s chatter provides an opportunity to share the reasons we recommend against running antivirus software on Macs (in most situations).


December 2008 IE Vulnerability

Wednesday, December 17th, 2008

by Dave Kennedy and Russ Cooper

I just checked, and so far not one member of the Verizon Business RISK Team has moved into their apocalyptic redoubts over the latest vulnerability in Internet Explorer (IE). Our assessment is that this latest vulnerability isn’t very different than many of the IE vulnerabilities we’ve seen in the past. IE has historically been a popular target for criminals, and we don’t doubt some are using/will use this latest vulnerability to take over users’ systems. We assess the threat volume as small, with locations isolated, and believe that several mitigations are available to reduce overall risk.


Economic crisis could dramatically improve security in 2009

Wednesday, December 3rd, 2008

No – it’s not a typo, and, as far as I know, I haven’t lost my marbles (yet) either. The title is intended to read exactly as it appears. I suppose some explanation is in order…

If you keep abreast of what folks in the security industry are talking about with any regularity, then you’ve probably read something lately about how the current economic crisis might affect corporate information security. For instance, layoffs could result in the loss of key security personnel and/or trigger retaliation from bitter employees. Others are worried that slashed budgets won’t allow security programs to buy what they need to buy, or do what they need to do. The list goes on.
