Video Screencast Help

Security Response

Showing posts tagged with Emerging Threats
Showing posts in English
Brian Hernacki | 29 Nov 2006 08:00:00 GMT | 0 comments

As municipal Wi-Fi networks begin to roll out, I've begun to notice a trend that isn't surprising, but is still a bit worrisome. Business users are beginning to use the muni Wi-Fi in the office. While the signal doesn't often penetrate too deeply into buildings, conference rooms and window offices seem to get a sufficient signal in many cases. The problem is that I see people using the muni Wi-Fi signal instead of the office IT-supported network. Sometimes they just use it because it's more convenient. The office IT network is "secure" and requires extra work, such as entering keys or using a VPN. Sometimes they do it because they explicitly want to avoid the local IT policy controls (access to restricted sites, use of restricted applications, etc.)

So, why is this a problem? First, it exposes the user’s computer to the Internet without the normal protection of the office IT security safeguards (like a firewall). While it's quite possible to secure the...

Jim Hoagland | 28 Nov 2006 08:00:00 GMT | 0 comments

Greetings and welcome to my first blog posting. Back when Tim Newsham and I wrote Windows Vista Network Attack Surface Analysis: A Broad Overview, we expressed concern about Teredo's security implications, although we hadn't yet had the opportunity to investigate it. Subsequently, I had a chance to dig into the protocol and found that our concerns were justified: Teredo can have an important and negative impact on your host and network security. With that said, let me announce our new research paper: The Teredo Protocol: Tunneling Past Network Security and Other Security Implications.

Teredo is a timely protocol to look into since it is included in Windows Vista and is enabled by default. So, Vista hosts will be using it unless it is explicitly disabled or blocked (which is...

Sarah Gordon | 27 Nov 2006 08:00:00 GMT | 0 comments

Here at Symantec, one of our beliefs is that keeping people safe online requires more than just a knowledge of technology. It requires a knowledge of how people - both good guys and bad guys - actually use technology. It also requires an understanding of how people view technology and safety. It requires the ability to communicate different types of ideas to a wide variety of people; from teenaged users to the CFO, from the college educator to the data entry operator. It's a huge job and I was just reflecting today on how very fortunate I am to be working within a group that not only sees the value of the multi-disciplinary and inter-disciplinary approaches, but one that actively supports and encourages it.

I recently spent a week at the Santa Fe Institute, learning about scientific advances in everything from the communication patterns of...

Mimi Hoang | 23 Nov 2006 08:00:00 GMT | 0 comments

We have recently seen an increase in the number of zero-day exploits, which indicates that attackers are being more methodical in their discovery and use of software vulnerabilities. A zero-day exploit occurs when a software flaw is only discovered after it is already being exploited in the wild (and there isn’t a patch available from the vendor).

The “window of exposure” is the time frame during which users of vulnerable software will be at risk. This is calculated as the difference in time between when a vulnerability is exploited and when a patch is made available. The average window of exposure from the first six months of 2006 was 28 days – a dangerously large window in which systems and users are at risk. Average time to develop a patch – Time to develop exploit code = window of exposure (31 – 3 = 28 days).
While vendors continue to make strides and reduce the amount of time it takes to release a patch, attackers seem to be staying one step ahead of...

Al Hartmann | 21 Nov 2006 08:00:00 GMT | 0 comments

This Weblog and the blogoshpere in general have been abuzz with controversy over Microsoft PatchGuard and issues dealing with appropriate kernel security instrumentation. This blog entry is the first of a two-part series. It provides an excerpt of a draft posting that proposes an abstract host security metasystem and laws of host security that attempt to raise the level of discourse above specific features and implementations. This blog entry will outline the sensor and effector instrumentation laws and the second blog entry, covering the security and policy component laws, will be published later this week. Symantec posted this draft to openly solicit constructive comments and helpful suggestions for draft refinements. The intent is to reach industry consensus on an architectural framework to guide designers of future host security subsystems and supporting instrumentation.

...

Zulfikar Ramzan | 16 Nov 2006 08:00:00 GMT | 0 comments

A few weeks ago, two well-known online discount brokers, E-trade and TD Ameritrade, revealed that online fraud had cost them a combined $22 million. The amount of money here is clearly substantial and what is probably even scarier is that it only represents what two firms experienced from one set of attacks.

The purported mechanism by which the financial loss took place was a “pump-and-dump” scheme; the details of which are as follows. The perpetrators first managed to steal the passwords for a victim’s online brokerage account. (We’ll get into how they accomplished this step shortly.) The perpetrators then purchased a large number of small-cap low-volume stocks through an already existing brokerage account. Next, they logged into the compromised account, liquidated the account holder’s assets, and used the proceeds to purchase these same stocks—thereby driving up the price. The perpetrators heavily profited by dumping the previously acquired shares.

In addition...

Mimi Hoang | 14 Nov 2006 08:00:00 GMT | 0 comments

Whether it’s spaghetti or lasagna or any other potential mess, Symantec can clear away whatever Gromozon dishes out. Our team has already written a couple of blogs on just how nasty the Gromozon (LinkOptimizer) threat is. You can read about it in Gromozon.com and Italian Spaghetti, and Gromozon Evolution: From Spaghetti to Lasagna.

Recently, we took 18 different LinkOptimizer samples and did our own testing to see whether or not other vendors could deal with this super aggressive threat. The results are pretty staggering. Symantec provides the most complete protection, whereas the next closest vendor handled only five out of the 18 samples.

...

Ben Greenbaum | 14 Nov 2006 08:00:00 GMT | 0 comments

Microsoft released six security bulletins this morning, covering a total of 11 distinct security vulnerabilities. In rough order of most urgent to least, here we go:

Topping the list in raw urgency is MS06-066 (BID 21023 and BID 20984, CVE-2006-4688 and CVE-2006-4689). This affects everything from Win2K SP0 to XP SP2, provided that the systems have the Client Service for Netware enabled. This obviously reduces the population of vulnerable systems, but for those systems this is where you want to start. This addresses two vulnerabilities, the more severe of which is the Microsoft Windows Client Service For Netware Remote Code Execution Vulnerability. If your computers match that description, you are wide open to remote attackers, who have the opportunity to run code of their choice on your machines – until you...

Dave Cole | 13 Nov 2006 08:00:00 GMT | 0 comments

This past spring we announced that Phish Report Network (PRN) was officially open for any organization who wanted to have phishing attacks against their brand blocked through the PRN’s community of solution providers, including Yahoo, Netscape, Symantec and others. This was (and still is) completely free of charge to the organization sending the data. We’re now pleased to announce that anyone, from Grandma Jones in Topeka to Uncle Jack in Melbourne, can now submit their fresh phish to the PRN. It’s a piece of cake to do and mostly consists of copying the URL of the fraudulent Web site into a submission form at the following location: https://submit.symantec.com/antifraud/phish.cgi

Once we receive the suspicious URLs, we vet them both programmatically as well as manually to make sure it is indeed a fraudulent...

Sarah Gordon | 31 Oct 2006 08:00:00 GMT | 0 comments

This week will find me at the Santa Fe Institute. Wednesday morning kicks off with the Adaptive and Resilient Computing Workshop, and if last year's workshop is any indicator, this one should be very interesting indeed. Meeting with colleagues who work outside the computer security space is extremely informative and helps us to prepare for the many new faces of computing. Although, that only makes sense if you know ahead of time where some technologies are likely to exist and only then can you begin to shape ideas on how you might protect the assets those technologies hold.

For example, let's say that within the next two years, all deep water canals in the state of Florida will be protected against alligator infestation by computerized swimming sharks that work together to form a sort of "canal IDS." We need to make sure the sharks stay up and running to keep those annoying alligators...