06 Aug KL@Defcon
13 Jun Microsoft updates released
27 Apr New U.S. legislation
13 Mar Patch-free Tuesday
"Hello from Russia!" These were the opening words from Vitaly Kamluk for his Defcon presentation. Before I get to the details of his presentation, first, picture the scene. The room was packed, beyond packed: standing room only. The overflow chose either to stand or to sit along the sidelines of the room, a scene common only for the most popular of presenters.
Vitaly may not be a big name (yet!), but the title of his presentation obviously piqued people's curiosity: "Fighting malware on your own". Imagine fighting malware on your own, without purpose-built tools, and without the benefits of commercial antivirus (or other) security software. Now imagine this information being presented by a representative of a commercial antivirus software manufacturer!
Taking the audience through a series of exercises, this is exactly what Vitaly did. Granted, a modicum of technical knowledge was necessary to immediately understand what he presented. Sitting up front and watching the reaction of the audience as Vitaly revealed the thought processes of a malware researcher, I could tell they fully appreciated the content. Knowing that his presentation (with some of the more complex sections conveyed in 3-dimensional graphic renderings) would ultimately be available from the conference CD, I have a gut feeling that many IT personnel will go home much better armed with manual virus isolation and removal techniques.
Breaking down complex problems (which included projects such as manually removing several well-known Trojans and viruses) and using readily available tools built into the (Windows) operating system, Kamluk explained the individual steps in a manner that most attendees could easily understand. At the end of each exercise, Kamluk polled the audience: "Now that we have all the information we need, can you guess what the final step is in the process?" Few in the audience actually raised their hands, but most sat with silent grins on their faces, knowing the final step would be just as straightforward as the previous ones. And he didn't disappoint. On more than one occasion I noticed somebody mouthing the word "Wow", for once not referring to an online game.
For those who were at Vitaly's presentation, way to go! I think you will agree with me when I say it was a well-spent hour. For the rest, the Defcon CD may be available for purchase. :))
Microsoft has released this month's update package, which contains (among other patches) updates for Internet Explorer, Vista, Outlook Express and Visio.
As we mentioned in our pre-patch post, some of the vulnerabilities are critical, so if you haven't done so, check the June Security Bulletins and patch your systems now.
The friendly handlers over at Internet Storm Centre have produced another colorful table to guide you through this month's patch maze.
As a quick reminder, June 12th is patch Tuesday for Microsoft products.
The corporation has several updates planned, including 4 critical patches. All 4 critical patches address remote code execution vulnerabilities found either in Windows, Internet Explorer, Outlook Express or Windows Mail. Microsoft also plans to release seven non-security, high-priority updates on Microsoft Update (MU) and Windows Server Update Services (WSUS). Microsoft's prenotification bulletin is here.
Microsoft plans to host a webcast next Wednesday to discuss the bulletins released on June 12th. Additional information, including how to sign up for the webcast, is here.
The May update from Microsoft is covered across 7 bulletins. All of the bulletins address remote code execution vulnerabilities, thus are all rated as critical -- Microsoft's most severe rating.
MS07-023 through MS07-025 cover 7 different vulnerabilities found in Microsoft Office, specifically in various versions of Word, Excel and the Microsoft Office System. All but one of the vulnerabilities, if exploited, could result in remote code execution. Malicious hackers regularly resort to using malformed Office documents to launch attacks. It is therefore especially important not to open unsolicited e-mails, especially if they include MS Office Word, Excel or PowerPoint attachments.
MS07-026 bulletin covers critical vulnerabilities found in Microsoft Exchange Server 2003 SP1 and SP2, and Microsoft Exchange Server 2003. There are 4 vulnerabilities patched -- two denial of service conditions, one remote code execution, and one "information disclosure" vulnerability. The latter vulnerability we will certainly hear more of in the future, as malicious hackers continue to target personal information in ID theft, banking, online gaming and other related Internet crimes.
MS07-027 is a cumulative update for Internet Explorer 7, a fixture on many Windows PCs, including the newly released Vista. The bulletin includes fixes for at least five remote code execution vulnerabilities. Because Internet Explorer 7 is such a widely used web browser, any one of these vulnerabilities is an attractive target for exploit writers. If a working exploit were turned into a worm, it could mean big trouble for many average home PC users.
MS07-028 includes a CAPICOM.Certificates bug fix for the lesser-known Microsoft CAPICOM and BizTalk software.
We will likely hear more about MS07-029, a patch addressing a vulnerability in the Windows DNS RPC Interface. In this case Windows Vista is safe from attack. This is good news for Microsoft, but little comfort for anybody running Windows 2000 Server or Windows Server 2003 SP1 and SP2. Once again it is the infamous stack-based buffer overflow vulnerability. A buffer overflow in a service as exposed as DNS will be of great interest to malicious hackers. System administrators are advised to apply this patch immediately.
Microsoft will host a one-hour long webcast to briefly cover the threats addressed by this month's bulletins on May 9th at 11am Pacific Time. More information, and how to sign up for the webcast may be found at:
After its silent demise last year in Congress, a revamped computer-crimes bill once again made its way onto the dockets of this year's 110th Congress. H.R. 1525, an amendment to part one of Title 18 (Chapter 47, section 1030 of the U.S. Code), was approved by the House Energy and Commerce subcommittee. H.R. 1525 is the ongoing evolution of the original Internet Spyware Protection Act (I-SPY) of 2005. Specifically, the new bill is "to discourage spyware, and for other purposes".
One of the other purposes of the bill is to ensure that major security breaches do not go unreported. In certain cases, reporting a computer intrusion to authorities is not just an option, it is mandatory. Because attackers are increasingly going after data stored at large data warehouses (DSW Shoes, TJ Maxx, ChoicePoint, etc.), and then using the stolen information to commit fraud and ID theft-related crimes, this is important protection for consumers.
The bill also protects the company (or person) being attacked. When there is a computer intrusion that results in the potential disclosure of confidential information, details of the attack may not have to be reported to the public. The bill proposes that companies work with law enforcement agencies to investigate the incident before releasing details to the public. This offers the company time to harden its computer security and put into place monitors and procedures for affected clients. Both are preemptive actions that could save the company additional millions in costly lawsuits.
But while the new legislation serves an important purpose, it won't bring an end to computer crime. We've seen attackers regularly target low-hanging fruit. The relatively easy money that can be made from mass-spammed phishing e-mails fits that model. Moreover, the anonymity that attackers think the Internet affords them is empowering; legislation in one country doesn't necessarily affect somebody in another country. We can thus expect computer fraud and computer intrusion crimes to continue for the foreseeable future.
Usually we submit a blog entry to our readers reminding them the second Tuesday of each month is Microsoft's 'Patch Tuesday'. As it stands however, Microsoft will not be releasing any patches today.
Whether or not the lack of updates relates to the earlier-than-usual changeover to Daylight Saving Time is anybody's best guess. Whatever the case may be, please enjoy your Patch Free Tuesday!
I had the chance to walk around a bit on the second day of RSA. One thing that really stood out was this year's buzzterm: endpoint security.
So what does it actually mean? Well, this document defines it as applying a security solution to "an individual computer system or device that acts as a network client and serves as a workstation or personal computing device. Endpoints are often mobile and intermittently connected". It’s mostly used to refer to a PC desktop, laptop, PDA and, most commonly, a smartphone.
For anybody who’s labouring under the happy delusion that we've reached the pinnacle of (security-solution) hardware engineering and creativity, the truth is we've only just started to develop devices to further increase our mobility. For example, if you’re in the medical field, "endpoint" could refer to a dedicated data-recording device.
Where does this all lead? To use an analogy that many of us will understand, while our schooldays may well be behind us, we should never stop striving to learn more. To learn about what? Yes, about the great advantages that increased mobility offers us, but also about the sheer variety of risks and threats that currently exist, and which will continue to evolve in the future. In other words, if you are one of the millions of people who take your work on the road (or home) with you, plan to hit the books! As we never tire of saying - wherever there are new opportunities, the bad guys are always on the lookout for new methods of attack.
The final figures aren't in yet, but rumor puts the total attendance at this year's RSA conference at a staggering 15,000, nearly double last year's reported 8,000. This jump is probably partly due to the conference having moved back to the very popular and accessible Moscone Center in San Francisco.
Can the show expect even more attendees next year? I think it’s very likely - security issues are becoming an increasing concern, and RSA 2008 will be held in April, when the California weather should be very pleasant.
As the event isn't over yet, we don't have any other final data. But in terms of the best-attended presentation, it looks as though Eugene Kaspersky was the star of the show.
With standing room only (after additional seats were brought in from other presenters' rooms), the main show floor became visibly emptier during Eugene's hour-long presentation.
I’ll be posting again later with more news and thoughts from the rest of the event.
Day 2 of Mobile Business Expo was just as enjoyable as the first. Today I threw caution to the wind, took off my anti-virus researcher hat and locked my habitual suspicion away. Today I simply soaked up what the future has to offer in the way of mobility.
It's a future that's awe-inspiring, particularly when you consider (as one presenter pointed out) that the current generation only really knows mobile devices. It’s a generation that’s aware of desktops, but which shuns them in favour of modern smartphones and their prodigious communication functions.
There were a lot of predictions of increased smartphone use in the U.S. and the convergence of as-yet-unstandardized data transmission techniques. These will ultimately complement each other to provide better coverage and higher bandwidth capabilities for 3G and so-called 4G mobile devices.
A representative from Palm included some interesting statistics in her presentation: 65% of the U.S. workforce is mobile, and therefore equipped with a range of mobile devices, including laptops. And another statistic: 744 million smartphones in operation worldwide, with 104 million of them in the U.S. That is far fewer than one might expect given how much of the workforce is considered mobile. I think these numbers show we can expect to see a significant rise in the number of mobile devices used in the U.S. for work purposes.
I put my anti-virus researcher hat back on to consider these statistics. With numbers like these, how long will it take before we reach the "critical mass" of mobile devices that gets talked about so often? And how long will it take before we see a corresponding rise in the number of mobile malware attacks?
I'm here at the Mobile Business Expo in Chicago. For anyone who’s been to Chicago, the great Windy City is certainly living up to its name this November.
So far, I’ve had the opportunity to sit on a panel on Best Practices in Smartphone and Laptop Security, which included representatives from NetMotion, Hewlett Packard, Good Technology and Unisys. A good mix of industry interests, and we got to share perspectives on where we currently stand on mobile device security.
There’s optimism because new technologies are being developed to detect and prevent threats to the mobile computing environment. The down side is that attackers will continue to develop methods to counteract the best-practice security measures that we put in place.
I explained to the audience that today, security awareness has to be practiced on both a psychological and a technical level. Neither approach is enough on its own. There are times when only a human will be able to detect a social engineering trick, just as there are times when only a firewall will detect that data is being exfiltrated.
Although the plain truth is that things will get worse, the war against malware writers isn’t being lost. The landscape is simply changing. At the end of the day, common sense and a healthy dose of suspicion will go a long way towards ensuring security when using mobile devices.