Verizon Business customers, and security professionals generally, should resist succumbing to a herd mentality and fear of the unknown surrounding the Conficker worm. In most respects, Conficker (a.k.a. Downadup or Kido) is just another piece of crimeware threatening Windows computers. The known risks it represents are minimal; so far, versions A and B simply spread and version C is presently dormant. They impact the integrity of infected systems but the costs are limited to disinfection. Our defenses are set and we are alert for significant changes in the risk environment if they come, but risk has changed little at this time regardless of the apparent desire of the technical press and the blogosphere to indicate otherwise.

Conficker is not generating spam revenue for the outlaws, nor is it exporting data from infected systems or any of the other myriad of hostile activities current crimeware usually exhibits. Infected systems are under the control of a criminal and could begin executing more criminal instructions. On April 1st, 2009, version C is expected to begin listening for instructions from its master(s) using a new Command and Control (C&C) method.

(more…)

It was easy to find fault with the coverage and hacker worship that accompanied a recent exploit-writing contest held at a security conference, but it was tough to decide on a title for this post. A few came to mind, such as the following:

• News flash: Computer users can hurt themselves!
• Warning: Hackers can pwn boxes to which they have physical access!
• Amazing! Computers can do things quickly!

Two individuals are receiving accolades because they wrote code that exploits a very old attack vector and received laptop computers as a reward. The code is new but the story is old.

(more…)

When I began attending security conferences several years ago, PowerBooks were a rare sight. In the years since the release of OS X, however, it’s not unusual to find more MacBooks than Windows systems in rooms populated by security professionals.

MacBooks are certainly not more widespread in enterprise environments than Windows systems; BusinessWeek places Apple’s corporate laptop market share at 20%. So why the bigger market share upon InfoSec professionals?

(more…)

PDF Security through Minority

by Dave Kennedy & Kevin Long

With so many defensive mitigations available, losing sleep over the latest Adobe Acrobat and Reader vulnerability just doesn’t add up.

Threat:

• Indeed there are malicious PDFs in the wild. The most recent high-profile example was a successful attack on eWeek’s web site resulting in iFrames offering malicious PDFs, but it’s important to note that these did not use the new vulnerability but rather last November’s.
• Only a small set of targeted attacks using the new vulnerability have been reported.
• An exploit has been posted on one of the “usual suspects” sites.

(more…)

by Dave Kennedy and William Murray

The first disk drive that I ever saw was the size and weight of a refrigerator and gave off as much heat. It would hold one megabyte. It was so expensive that it was far more likely to be used as a table than as a database. At the same time, the storage medium of choice was punched paper, cards or tape. A gigabyte in punched cards would fill a railroad box car.

The first hard drive that I bought was 10mb and cost me $3000 at IBM employee price. I thought I would never use it up. One can now buy a terabyte in a cigar box for $99 (I kid you not! It dropped in price while I was working on this post) and for $50 one can buy 320GB that will fit in one’s shirt pocket.

(more…)