06 Aug KL@Defcon
27 Apr New U.S. legislation
08 Feb RSA: 15,000 strong
07 Sep Spammer fighting sentence
"Hello from Russia!" These were the opening words from Vitaly Kamluk for his Defcon presentation. Before I get to the details of his presentation, first, picture the scene. The room was packed... beyond packed... standing room only. The overflow chose either to stand, or sit, along the sidelines of the room - a scene common for only the most popular of presenters.
Vitaly may not be a big name (yet!), but the title of his presentation obviously piqued people's curiosity: "Fighting malware on your own". Imagine fighting malware on your own, without purpose-built tools, and without the benefits of commercial antivirus (or other) security software. Now imagine this information being presented by a representative of a commercial antivirus software manufacturer!
Taking the audience through a series of exercises, this is exactly what Vitaly did. Granted, a modicum of technical knowledge was necessary to immediately understand what he presented. Sitting up front and watching the reaction of the audience as Vitaly revealed the thought processes of a malware researcher, I could tell they fully appreciated the content. Knowing that his presentation (with some of the more complex sections conveyed in 3-dimensional graphic renderings) would ultimately be available from the conference CD, I have a gut feeling that many IT personnel will go home much better armed with manual virus isolation and removal techniques.
Breaking down complex problems - which included projects such as manually removing several well-known Trojans and viruses - and using readily-available tools built in to the (Windows) operating system, Kamluk explained the individual steps in a manner that most attendees could easily understand. At the end of each exercise, Kamluk polled the audience: "Now that we have all the information we need, can you guess what the final step is in the process?" Few in the audience actually raised their hands, but most sat with silent grins on their faces, knowing the final step would be just as straightforward as the previous. And he didn't disappoint. Without fail, I noted on more than one occasion somebody mouthing the word "Wow" - for once not referring to an online game.
For those who were at Vitaly's presentation, way to go! I think you will agree with me when I say it was a well-spent hour. For the rest, the Defcon CD may be available for purchase. :))
After its silent demise last year in Congress, a revamped computer-crimes bill once again made its way onto the dockets of this year's 110th Congress. H.R. 1525 – an amendment to part one of Title 18 (Chapter 47, section 1030 of U.S. Code) – was approved by the House Energy and Commerce subcommittee. H.R. 1525 is an ongoing evolution of the original (I-SPY) Internet Spyware Protection Act of 2005. Specifically, the new bill is “to discourage spyware, and for other purposes”.
One of the other purposes of the bill is to ensure that major security breaches do not go unreported. In certain cases, reporting a computer intrusion to authorities is not just an option, it is mandatory. Because attackers are increasingly going after data stored at large data warehouses (DSW Shoes, TJ Maxx, ChoicePoint, etc.), and then using the stolen information to commit fraud and ID theft-related crimes, this is important protection for consumers.
The bill also protects the company (or person) being attacked. When there is a computer intrusion that results in the potential disclosure of confidential information, details of the attack may not have to be reported to the public. The bill proposes that companies work with law enforcement agencies to investigate the incident before releasing details to the public. This offers the company time to harden its computer security and put into place monitors and procedures for affected clients. Both are preemptive actions that could save the company additional millions in costly lawsuits.
But while the new legislation serves an important purpose, it won't bring an end to computer crime. We've seen attackers regularly target low-hanging fruit. The relatively easy money that can be made from mass-spammed phish e-mails fits in with that model. Also, the anonymity that attackers think the Internet affords them is empowering; legislation in one country doesn't necessarily affect somebody in another country. We can thus expect computer fraud and computer invasion crimes to continue for the foreseeable future.
The final figures aren’t in yet, but rumor puts the total attendance at this year’s RSA conference at a staggering 15,000, nearly double last year's reported 8,000. This jump is probably partly due to the conference having moved back to the very popular and accessible San Francisco-based Moscone Center.
Can the show expect even more attendees next year? I think it’s very likely - security issues are becoming an increasing concern, and RSA 2008 will be held in April, when the California weather should be very pleasant.
As the event isn't over yet, we don't have any other final data. But in terms of the best-attended presentation, it looks as though Eugene Kaspersky was the star of the show.
With standing room only - after additional seats were brought in from other presenters' rooms - the main show floor became visibly emptier during Eugene's hour long presentation.
I’ll be posting again later with more news and thoughts from the rest of the event.
Day 2 of Mobile Business Expo was just as enjoyable as the first. Today I threw caution to the wind, took off my anti-virus researcher hat and locked my habitual suspicion away. Today I simply soaked up what the future has to offer in the way of mobility.
It's a future that's awe-inspiring, particularly when you consider (as one presenter pointed out) that the current generation only really knows mobile devices. It’s a generation that’s aware of desktops, but which shuns them in favour of modern smartphones and their prodigious communication functions.
There were a lot of predictions of increased smartphone use in the U.S. and the convergence of as-yet-unstandardized data transmission techniques. These will ultimately complement each other to provide better coverage and higher bandwidth capabilities for 3G and so-called 4G mobile devices.
A representative from Palm included some interesting statistics in her presentation: 65% of the U.S. workforce is mobile, and therefore equipped with a range of mobile devices, including laptops. And another statistic: 744 million smartphones in operation worldwide, with 104 million of them in the U.S. Far fewer than one might expect given how much of the workforce is considered mobile. I think these numbers show we can expect to see a significant rise in the numbers of mobile devices used in the U.S. for work purposes.
I put my anti-virus researcher hat back on to consider these statistics. With numbers like these, how long will it take before we reach the "critical mass" of mobile devices that gets talked about so often? And how long will it take before we see a corresponding rise in the number of mobile malware attacks?
I'm here at the Mobile Business Expo in Chicago. For anyone who’s been to Chicago, the great Windy City is certainly living up to its name this November.
So far, I’ve had the opportunity to sit on a panel on Best Practices in Smartphone and Laptop Security, which included representatives from NetMotion, Hewlett Packard, Good Technology and Unisys. A good mix of industry interests, and we got to share perspectives on where we currently stand on mobile device security.
There’s optimism because new technologies are being developed to detect and prevent threats to the mobile computing environment. The down side is that attackers will continue to develop methods to counteract the best-practice security measures that we put in place.
I explained to the audience that today, security awareness has to be practiced on a psychological and a technical level. Neither approach is enough on its own. There are times when only a human will be able to detect a social engineering trick, just as there are times that only a firewall will detect that data is being exfiltrated.
Although the plain truth is that things will get worse, the war against malware writers isn’t being lost. The landscape is simply changing. At the end of the day, common sense and a healthy dose of suspicion will go a long way towards ensuring security when using mobile devices.
Yesterday, the Washington Post reported that the conviction of spammer Jeremy Jaynes had been upheld in a Virginia Court of Appeals. In February 2005, Jaynes received a nine-year prison sentence. However, he remained free on a $1 million bond while his case went to the Virginia appellate court.
His attorneys disagree with the court's decision, and will appeal again. Their main arguments are that there had been ‘overbreadth’ infringements of Jaynes’ First Amendment rights, and that Virginia courts have no jurisdiction because Jaynes’ crime was committed from his home in North Carolina.
The First Amendment, which relates to freedom of speech as defined in the U.S. Constitution, always merits further discussion and further refinement. It's particularly interesting when examining the now widely-used forms of electronic communication and media. How should the law be applied? And where are the limits?
Using the First Amendment argument might just be a legal ploy; an attempt to keep Jaynes out of prison a bit longer. According to statements included in a 26-page opinion put forth by Judge James W. Haley, Jr., “facial challenges are sometimes allowed when an appellant claims First Amendment protections”. Because “the Supreme Court recently said the First Amendment doctrine of overbreadth is an exception to our normal rule regarding the standards for facial challenges”, Jaynes’ attorneys’ First Amendment challenge might just be given another day in court.
The argument that a Virginia Circuit court doesn’t have the jurisdiction to review this case also seems an ineffective argument. Haley’s Opinion states that “[c]ircuit courts in Virginia have exclusive original jurisdiction over all felony indictments for offenses committed within their respective circuits”. North Carolina and Virginia are both in the 4th Circuit. Additionally, “jurisdiction may exist where the immediate harm occurs, even if the criminal act does not physically occur there”.
By its very nature, cyber crime crosses territorial and legislative borders. Differences in national legislation are one of the reasons why it can be difficult to prosecute cyber criminals. The Jaynes case may be nearly over - it’s to be hoped that the court ruling may act as a precedent which can be used to effectively prosecute spammers in the future, and which will also pave the way for more effective cyber crime legislation.
A very important and worthwhile InSafe initiative starts today. Dubbed 'Safer Internet Day', the initiative is designed to raise awareness of cyber threats. The target audience in this case, however, isn't the corporate IT-type, but users, specifically targeting parents and children.
This year's Safer Internet Day attempts to ride on the coattails of the success of blogging and will distribute its message using exactly the same vehicle.
Comments from special guests and site visitors about safe blogging will be collected and posted over the next 24 hours at:
While any properly-managed event that raises awareness of internet security threats is a good thing, and has my full support, I'd like to stress that internet security requires users to be on their guard every day of the year. As RUNET statistics indicate, internet scams have nearly doubled since December, 2005, when fraudulent schemes were detected in 10% of filtered spam-traffic. Today that number is close to 22%.
These numbers give a clear indication of the size of the problem. So is it a Safer Internet or not? Maybe we should rename this day Unsafer Internet Day?