Archive for March, 2009
Thursday, March 26th, 2009
Verizon Business customers, and security professionals generally, should resist succumbing to a herd mentality and fear of the unknown surrounding the Conficker worm. In most respects, Conficker (a.k.a. Downadup or Kido) is just another piece of crimeware threatening Windows computers. The known risks it represents are minimal; so far, versions A and B simply spread and version C is presently dormant. They impact the integrity of infected systems but the costs are limited to disinfection. Our defenses are set and we are alert for significant changes in the risk environment if they come, but risk has changed little at this time regardless of the apparent desire of the technical press and the blogosphere to indicate otherwise.
Conficker is not generating spam revenue for the outlaws, nor is it exporting data from infected systems or performing any of the myriad other hostile activities that current crimeware usually exhibits. Infected systems are under the control of a criminal and could begin executing more criminal instructions. On April 1st, 2009, version C is expected to begin listening for instructions from its master(s) using a new Command and Control (C&C) method.
Tags: anit-virus, antivirus, Computer Attacks, Computer Crime, Crimeware, Hype, Information Security, InfoSec, Malware, Threat
Monday, March 23rd, 2009
It was easy to find fault with the coverage and hacker worship that accompanied a recent exploit-writing contest held at a security conference, but it was tough to decide on a title for this post. A few came to mind, such as the following:
- News flash: Computer users can hurt themselves!
- Warning: Hackers can pwn boxes to which they have physical access!
- Amazing! Computers can do things quickly!
Two individuals are receiving accolades because they wrote code that exploits a very old attack vector and received laptop computers as a reward. The code is new but the story is old.
Tags: browser exploit, browser security, firefox security, hack, hacker worship, Hype, ie8 security, Information Security, InfoSec, pwn2own, safari security, sensationalism
Thursday, March 19th, 2009
So rumors abound that a paper and exploit code will be published today that use a vulnerability in a processor’s caching mechanism to install code that is being called “undetectable.”
If it appears that we’re obviously not stating names and vendors, you’re right, we aren’t. At the time of writing all we’ve seen is speculation.
But let’s just take one aspect of the current hoopla: “Can something be installed on your computer and become undetectable?”
Tags: Computer Attacks, Hype, Information Security, InfoSec, risk, Threat
Thursday, March 19th, 2009
I was reading Graham Cluley’s blog post about Jack Straw’s email account being hacked. At the end of the entry Graham has included a video describing how he comes up with a very strong password which, he says, is easy to remember. See:
http://www.sophos.com/blogs/gc/g/2009/02/24/nigerian-scammers-hack-jack-straws-email-account/
Well, after watching it I realized that we computer security folks are definitely a bunch of nerds, particularly if you think what Graham suggests is “easy” for the average person.
Tags: Information Security, InfoSec, password, reasonable control, Threat
Thursday, March 12th, 2009
When I began attending security conferences several years ago, PowerBooks were a rare sight. In the years since the release of OS X, however, it’s not unusual to find more MacBooks than Windows systems in rooms populated by security professionals.
MacBooks are certainly not more widespread in enterprise environments than Windows systems; BusinessWeek places Apple’s corporate laptop market share at 20%. So why the bigger market share among InfoSec professionals?
Tags: Apple security, infosec mac, infosec professionals, mac market share, Mac security
Thursday, March 5th, 2009
PDF Security through Minority
by Dave Kennedy & Kevin Long
With so many defensive mitigations available, losing sleep over the latest Adobe Acrobat and Reader vulnerability just doesn’t add up.
Threat:
- Indeed there are malicious PDFs in the wild. The most recent high-profile example was a successful attack on eWeek’s web site resulting in iFrames offering malicious PDFs, but it’s important to note that these did not use the new vulnerability but rather last November’s.
- Only a small set of targeted attacks using the new vulnerability have been reported.
- An exploit has been posted on one of the “usual suspects” sites.
Tags: adobe vulnerability, CVE-2009-0658, foxit reader, jbig vulnerability, JBIG2 buffer overflow, jbig2 vulnerability, PDF security, security through minority, VU#905281
Monday, March 2nd, 2009
by Dave Kennedy and William Murray
The first disk drive that I ever saw was the size and weight of a refrigerator and gave off as much heat. It would hold one megabyte. It was so expensive that it was far more likely to be used as a table than as a database. At the same time, the storage medium of choice was punched paper, cards or tape. A gigabyte in punched cards would fill a railroad box car.
The first hard drive that I bought was 10 MB and cost me $3000 at IBM employee price. I thought I would never use it up. One can now buy a terabyte in a cigar box for $99 (I kid you not! It dropped in price while I was working on this post) and for $50 one can buy 320GB that will fit in one’s shirt pocket.
Tags: data access control, data leakage, data leakage mitigation, flash drive risk, flash drive theft, physical security, portable storage risk, portable storage theft, thumb drive security, usb drive security