Security Response
Jonathan Omansky | 05 Oct 2006 07:00:00 GMT | 0 comments

As a security professional with over 10 years of experience in both government and private industries, I am still surprised at how little awareness the industry has about the technology, intent, and challenges surrounding intrusion prevention. I intend to use this blog (and others moving forward) to lay out a basic understanding of what this thing called "IPS" is, from an analyst's point of view. Firstly, let's start with some simple explanations and lay to rest the history of the differences between the terms "IPS" and "IDS". I often hear these words used interchangeably in conversations, meetings, papers, and email threads; yet, there is a clear difference in these terms, based on the evolution of the technology.

In the early days of network traffic pattern matching, intrusion detection software (IDS) was used to match a set of specified strings within a network stream and alert and/or log the event for the user. This information was used by system administrators to detect...
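To make the string-matching model described above concrete, here is a small signature engine added as an illustration; it is not code from the post or from any Symantec product. The signatures and the sample traffic are constructed, and the only outside fact it leans on is the conventional meaning of the two terms: an IDS watches a copy of the traffic and alerts or logs, while an IPS sits inline and can also drop what it matches. The same matching code runs in both modes; only what happens after a hit differs.

```python
"""String-signature engine illustrating the IDS/IPS distinction.

Added example, not code from the original post. Signatures and traffic
below are constructed. 'detect' mode is the classic IDS behaviour (forward
everything, record matches); 'prevent' mode is the inline IPS behaviour
(drop the segment that matched).
"""

from dataclasses import dataclass, field

# Constructed signatures: name -> byte string to look for in the stream.
# This is the "match a set of specified strings" model; real engines add
# protocol decoding, offsets and regular expressions on top of it.
SIGNATURES = {
    "dir-traversal": b"../../",
    "sql-union": b"UNION SELECT",
    "web-cmd-exec": b"cmd.exe /c",
}


@dataclass
class Segment:
    """One chunk of a network stream as the sensor sees it (constructed)."""
    src: str
    payload: bytes


@dataclass
class Engine:
    """mode='detect': every segment is forwarded, matches are only recorded.
    mode='prevent': a matching segment is dropped instead of forwarded."""
    mode: str
    alerts: list = field(default_factory=list)

    def match(self, payload):
        """Names of all signatures whose pattern occurs in the payload."""
        return [name for name, pat in SIGNATURES.items() if pat in payload]

    def process(self, seg):
        """Return True if the segment is forwarded, False if it is dropped."""
        hits = self.match(seg.payload)
        for name in hits:
            self.alerts.append((seg.src, name))
        return not (hits and self.mode == "prevent")


def run(mode, stream):
    """Push a whole stream through one engine; return (forwarded, alerts)."""
    eng = Engine(mode)
    forwarded = sum(1 for seg in stream if eng.process(seg))
    return forwarded, eng.alerts


# Constructed sample traffic: three benign requests, two that hit a signature.
SAMPLE_STREAM = [
    Segment("10.0.0.5", b"GET /index.html HTTP/1.0\r\n"),
    Segment("10.0.0.9", b"GET /cgi-bin/../../etc/passwd HTTP/1.0\r\n"),
    Segment("10.0.0.5", b"POST /login HTTP/1.0\r\n\r\nuser=alice"),
    Segment("10.0.0.12", b"GET /item?id=1 UNION SELECT user,pass FROM users HTTP/1.0\r\n"),
    Segment("10.0.0.7", b"GET /images/logo.gif HTTP/1.0\r\n"),
]

if __name__ == "__main__":
    for mode in ("detect", "prevent"):
        fwd, alerts = run(mode, SAMPLE_STREAM)
        print(f"{mode}: forwarded {fwd}/{len(SAMPLE_STREAM)}, alerts={alerts}")
```

In detect mode all five segments are forwarded and two alerts are recorded; in prevent mode the two matching segments never reach the server. The weakness of raw substring matching is also visible: a traversal written as `..%2f..%2f` slips past the `../../` signature, which is why later engines normalise and decode the protocol before matching.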

Marc Fossi | 04 Oct 2006 07:00:00 GMT | 0 comments

It’s that time of year when the kids go back to school and the leaves start changing colors. In some parts of the world (like where I live) the air starts to get cool and the sky is gray in anticipation of snow and freezing temperatures. The thought of this approaching cold front might be enough to send some people to seek out an alternate reality online.

One of these online alternate reality worlds, Second Life, reported a data breach in September. Apparently, one of their databases containing customer information was breached. The attackers managed to get users’ names and addresses, as well as encrypted credit card numbers. While the unencrypted data may not be too much to worry about, users should still make sure to change their passwords. Hopefully, the credit card numbers were encrypted using a strong algorithm.

Maybe you’ve already been playing around in one of the various online worlds, but you feel...

Zulfikar Ramzan | 28 Sep 2006 07:00:00 GMT | 0 comments

A “CAPTCHA” (completely automated public Turing test to tell computers and humans apart) is one of those puzzles you are sometimes asked to solve when signing up for a free email account or similar services. These puzzles involve distorted images that are sometimes enough to thwart an automated computer program that is trying to sign up for free email accounts, since solving one gives the service the impression that it is dealing with a human. Well, an "enterprising" human found a clever way to cheaply solve a lot of CAPTCHAs.

His idea was to post a project ad on the site www.getafreelancer.com, to see how much it would cost him to hire someone to solve CAPTCHAs for a 50-hour week. Within a week, he received 58 bids, ranging from $30 to $100 (with the average bid being $57) before the site administrator cancelled the ad. Assuming (very conservatively) that it would take someone 30 seconds, on average, to solve a single...

Mimi Hoang | 25 Sep 2006 07:00:00 GMT | 0 comments

Unlike traditional worms or viruses, spyware usually does not spread itself from system to system. One of the easiest ways to distribute spyware is to go directly to the users and gain their consent to download the application. One of the more common trends in accomplishing this act is through the use of “misleading applications.” On the extreme end, these are applications that grossly exaggerate problems, or alert users to critical errors on their systems that are not actually present. This deceives some users and scares them into purchasing the program for a substantial fee to fix errors that are nonexistent.

Another method used to distribute spyware is to entice the user by offering up something desirable or useful for free. Not only does the user get the freebie tool, but they also get the bundled adware or spyware program downloaded with it as well.

On the flip side, there are ways of installing and downloading spyware without user consent, such as the simple act of...

Liam O Murchu | 14 Sep 2006 07:00:00 GMT | 0 comments

There is a relatively new annoyance called "spim" that seems to be popping up on our screens more frequently. Spim is the equivalent of spam (unsolicited email, usually selling snake oil) that is delivered over instant messaging clients. After recently receiving more spim, which was advertising what I believed to be a spyware product, it occurred to me that the best tricks are still the oldest ones. With the recent attention that spyware applications are receiving, it is easy to overlook some of the simpler, more direct methods of spying. Spyware applications are not the only way people can catch their spouses cheating (!). The spim message I received was advertising a “catch your spouse cheating service”. No download necessary, no application to install, no hidden software on your spouse’s computer.

The service is based strictly on social engineering. It is a “very straightforward service”, as it is explained on their Web site. For a fee of only $49.95, this...

Marc Fossi | 11 Sep 2006 07:00:00 GMT | 0 comments

The end of summer is upon us—everyone is back from their holidays and the kids are headed back to school. It seems that we were given a bit of a jolt in August to wake us all up from our relaxation, though. There were plenty of security headlines to keep us all on our toes.

In early August, AOL publicly posted 20 million search keywords that had been entered by its users. The data was supposed to be used by researchers and was listed using numerical identifiers in order to group specific keywords per user, instead of identifying the actual users’ names. Unfortunately, some of the AOL users had entered search terms that personally identified them, such as their own names or names of family members. AOL pulled the keyword lists offline, but the lists had already been copied and posted in other forums. While those of us in the security industry have told people for years to be careful of entering personal information into questionable Web sites, I don’t think search engines were really...
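The reason a numeric identifier did not protect those users is worth seeing mechanically: the identifier links every query from one person together, so a single self-identifying query un-masks the whole history attached to it. The script below is an added illustration of that linkage and of the kind of pre-release check that would have caught it; it is not code from the post, and the log lines, IDs and detector patterns (a phone number, a street address, "my name is ...") are constructed assumptions. A real review would need far richer detectors than these three.

```python
"""Linkage check on a pseudonymised search log (added example, not from the post).

The log keeps the shape of the AOL release, (anon_id, query), but every
ID and query here is made up. The point: pseudonymisation only hides the
name column; the ID still groups one person's queries, so one identifying
query exposes everything else that person searched for.
"""

import re
from collections import defaultdict

# Constructed sample log in (anon_id, query) shape.
SAMPLE_LOG = [
    (1001, "cheap flights to denver"),
    (1001, "my name is jane q sample"),
    (1001, "symptoms of migraine"),
    (1002, "weather tomorrow"),
    (1002, "how to fix a leaky faucet"),
    (1003, "who called from 555-0134"),
    (1003, "divorce lawyer"),
    (1004, "42 elm street zoning"),
]

# Assumed, deliberately simple detectors for queries that identify the
# person typing them. Real data needs name lists, geocoding, and so on.
IDENTIFYING = (
    ("phone", re.compile(r"\b\d{3}[-.\s]\d{4}\b")),
    ("street-address", re.compile(
        r"\b\d{1,5}\s+[a-z]+\s+(st|street|ave|avenue|rd|road|dr|drive)\b", re.I)),
    ("self-reference", re.compile(r"\bmy name is\b", re.I)),
)


def group_by_id(log):
    """The linkage step: the pseudonym ties all of one user's queries together."""
    histories = defaultdict(list)
    for anon_id, query in log:
        histories[anon_id].append(query)
    return histories


def identifying_queries(queries):
    """(detector label, query) for every query that matches a detector."""
    return [(label, q) for q in queries for label, pat in IDENTIFYING if pat.search(q)]


def exposed_histories(log):
    """Return {anon_id: (identifying_hits, full_history)} for every pseudonym
    that at least one identifying query un-masks. The full history is what
    actually leaks once the person behind the ID is known."""
    exposed = {}
    for anon_id, queries in group_by_id(log).items():
        hits = identifying_queries(queries)
        if hits:
            exposed[anon_id] = (hits, queries)
    return exposed


if __name__ == "__main__":
    for anon_id, (hits, history) in sorted(exposed_histories(SAMPLE_LOG).items()):
        print(f"ID {anon_id} identified by {hits}; exposes {len(history)} queries: {history}")
```

User 1002 typed nothing identifying and stays pseudonymous; users 1001, 1003 and 1004 each typed one identifying query, and with it every other query under their ID becomes attributable. Dropping the identifying rows alone is not enough either: the release would have to be checked for the combination of queries under one ID, which is exactly what a per-user grouping invites.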

Mimi Hoang | 08 Sep 2006 07:00:00 GMT | 0 comments

Symantec uses the term “security risks” to refer to programs such as adware, spyware, and other potentially unwanted programs. Our hands-on analysis of these programs results in risk designations of high, medium, or low. These risk ratings are calculated across four different categories:
• Performance impact: The measure of the effect that a particular program has on a system’s stability and speed.
• Ease of removal: The measure of the difficulty of removing the program from a system.
• Privacy: The type of information that is being captured and whether or not it is personally identifiable.
• Stealth: Measuring to what extent programs may install without the user noticing and/or try to remain hidden to evade detection and removal.

Unlike malicious code threats, which are automatically removed, a security risk program may be acceptable to one enterprise or home user and not acceptable to another. Classifying security risks helps guide users in making...

Peter Ferrie | 07 Sep 2006 07:00:00 GMT | 0 comments

I’ll admit right now that this entry is a tease, because I can't tell you how I did it. However, I'll start by saying that there are some people out there who are claiming that hardware-assisted hypervisors are completely undetectable and some people who are claiming that they are not.

The people claiming that hardware-assisted hypervisors are undetectable are basing their argument on several things. First, the sensitive instructions that allow detection of software-based VMMs are trapped by a hardware-assisted hypervisor so that they can be emulated appropriately, if necessary. Second, some registers already have hardware-backed shadow copies; so, as an example, trying to leave paged protected mode (which is not permitted—not even in root mode) might seem like it worked, but it didn't really, because the hypervisor will simply switch the guest into v86 mode and the shadow CR0 will be lying to you. Third, the delivery of physical memory can be intercepted and empty pages...

Eric Chien | 24 Aug 2006 07:00:00 GMT | 0 comments

Over the last few weeks we've been tracking attacks coming from Gromozon.com. These attacks have actually been happening for a few months now, but the number of reports has recently escalated. In particular, a variety of Italian blogs and message boards have been spammed with links to hundreds of different URLs over the last week. These URLs all eventually point to gromozon.com and after an extensive trail of code downloading other code, one ends up infected with LinkOptimizer, which dials a high-cost phone number and then displays advertisements when browsing the Internet.

When you visit one of these malicious links, it eventually loads a page from gromozon.com that determines which browser you are using. If you are using Internet Explorer, it attempts to exploit an Internet Explorer vulnerability. The exploit has changed over time, but is currently...

Marc Fossi | 18 Aug 2006 07:00:00 GMT | 0 comments

Typosquatting has been around for a while. For those not familiar with the term, it refers to the practice of registering a domain name similar to that of a legitimate Web site (for example, symantc.com instead of symantec.com). The idea is that when you type the name of a site into your Web browser, there’s a chance you’ll make a typo, which results in you being taken to the squatter’s site instead of the legitimate site. The squatter’s site may be a page loaded with ads that generate revenue for them, a page that exploits a browser vulnerability to load malicious code, adware, or spyware onto your computer, or a phishing site designed to look like the site you meant to go to.

To fight typosquatting, many companies have begun registering domain names based on common typos in their actual names. For example, if you type gooogle.com into your browser, you’ll be redirected to google.com. Now, this works for typos within the domain name itself, but what if you leave the ‘o’ out of .com...
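Whether you are defending a brand or auditing what has already been squatted, the first step is to enumerate the typos systematically rather than by guesswork. The generator below is an added example, not code from the post or from Symantec; the typo classes it models (dropped key, doubled key, swapped neighbours, adjacent key on the same QWERTY row) and the row table are my assumptions about what "common typos" means. It treats the whole hostname as one string, so dropping the 'o' from .com falls out of the same omission rule that produces symantc.com from symantec.com.

```python
"""Typo-variant generator for a domain name (added example, not from the post).

Models four single-keystroke slips over the whole hostname, TLD included,
then filters out candidates that are not plausible hostnames. The QWERTY
row table and the choice of typo classes are assumptions.
"""

# Adjacent keys on the same QWERTY row (assumed model of 'hit the key next
# to the one you meant'); vertical neighbours are left out for brevity.
_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm")


def _row_neighbours(ch):
    """Left and right neighbours of ch on its QWERTY row, if it has one."""
    for row in _ROWS:
        i = row.find(ch)
        if i != -1:
            return {row[j] for j in (i - 1, i + 1) if 0 <= j < len(row)}
    return set()


def _plausible(candidate, original):
    """Keep only syntactically sane hostnames that differ from the original:
    at least two labels, no empty label, no leading/trailing hyphen, and
    only letters, digits and hyphens. Dropping the dot (symanteccom) fails
    the two-label test and is discarded."""
    if candidate == original or ".." in candidate:
        return False
    labels = candidate.split(".")
    if len(labels) < 2:
        return False
    for label in labels:
        if not label or label[0] == "-" or label[-1] == "-":
            return False
        if not all(c.isalnum() or c == "-" for c in label):
            return False
    return True


def typo_variants_by_kind(domain):
    """Map each typo class to the set of plausible variants it produces."""
    d = domain.lower()
    kinds = {"omission": set(), "repetition": set(),
             "transposition": set(), "adjacent-key": set()}
    for i, ch in enumerate(d):
        kinds["omission"].add(d[:i] + d[i + 1:])          # symantc.com, symantec.cm
        kinds["repetition"].add(d[:i] + ch + d[i:])       # gooogle.com
        if i + 1 < len(d):                                # symanetc.com
            kinds["transposition"].add(d[:i] + d[i + 1] + ch + d[i + 2:])
        for n in _row_neighbours(ch):                     # symsntec.com
            kinds["adjacent-key"].add(d[:i] + n + d[i + 1:])
    return {k: {v for v in vs if _plausible(v, d)} for k, vs in kinds.items()}


def typo_variants(domain):
    """All plausible typo variants of a domain, across every class."""
    out = set()
    for variants in typo_variants_by_kind(domain).values():
        out |= variants
    return out


if __name__ == "__main__":
    for kind, variants in typo_variants_by_kind("symantec.com").items():
        print(f"{kind:14s} {len(variants):3d}  e.g. {sorted(variants)[:4]}")
```

For symantec.com this yields roughly a hundred candidates, which is the list a registrar-side defender would register or watch and the list an attacker would test for availability. The natural next step, resolving each candidate (for instance with `socket.gethostbyname`) to see which are already taken and where they point, is left out here so the example runs offline.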