Video Screencast Help
Symantec to Separate Into Two Focused, Industry-Leading Technology Companies. Learn more.
Security Response
Showing posts tagged with Emerging Threats
Showing posts in English
Oliver Friedrichs | 09 Aug 2006 07:00:00 GMT | 0 comments

The Windows Vista operating system launches one of the most aggressive assaults on kernel mode security threats seen to date; even when compared to those capabilities seen in Mac OS X, Linux, and many UNIX variants. Microsoft is using a number of new security technologies in order to accomplish this:

• Driver signing (mandating digital signatures on all drivers)
• PatchGuard (protecting key kernel data structures – on 64-bit Windows)
• Kernel-mode code integrity checks (validating kernel component hashes)
• Optional support for Secure Bootup using a TPM hardware chip
• Access to \Device\PhysicalMemory blocked from user-mode

Our new paper, Windows Vista Kernel Mode Security takes a detailed look at the Vista boot process and these new security technologies. It also discusses techniques by which driver signing and PatchGuard can be...

Dave Cole | 04 Aug 2006 07:00:00 GMT | 0 comments

As we stand here in the middle of 2006, it’s already become a little tired to mention the shift in the threat landscape from the digital graffiti of the past to the outright criminal pursuits that dominate the industry today. The dramatic impact of this shift has left a dense fog in its wake—hanging over the industry—obscuring other important changes that have taken place during the same timeframe. Some of the more interesting trends have been specifically related to the concept of “Web 2.0”: the new genre of Web technologies and models that have emerged, like a phoenix, from the ashes of the dotcom meltdown. Let’s take a look at a few Web 2.0 trends and see what impact they have on security.

User-created content
Blogs are first to leap to mind here, but there are certainly other notable areas where the content creation responsibilities have shifted from the traditional publisher into the hands of the people. Check out the spate of new online video...

Jesse Gough | 03 Aug 2006 07:00:00 GMT | 0 comments

BlackHat_NoTransparency.gif

The continued development of insecure code was a topic at Black Hat 2006 that was explored by speaker Paul Böhm. Paul questioned why we see these same types of manifest coding issues year after year, despite over ten years of widely documented research into the matter. This pattern is not necessarily attributed to ignorance, as these mistakes are made by novice and veteran coders alike. In fact, it is not unheard of for individuals or organizations that specialize explicitly in security to eventually make a coding mistake that compromises the security of their software. One notable example of this was a vulnerability found in the grsecurity patch for the Linux kernel, which caused a product designed to harden the operating system to actually introduce a hole that would allow a full compromise.

Paul stated that...

Marc Fossi | 02 Aug 2006 07:00:00 GMT | 0 comments

BlackHat_NoTransparency.gif

One server controlling thousands of client computers. Sound familiar? This statement is often used to describe a botnet. But, as Tom Ptacek and Dave Goldsmith of Matasano Security pointed out in their Black Hat presentation titled “Do Enterprise Management Applications Dream of Electric Sheep?”, the same statement can be used to describe enterprise management applications. These applications are developed to help network and system administrators with the tasks of configuring and managing hundreds or even thousands of client computers from a single server. This is also known as distributed systems management. Unfortunately, many of these enterprise management applications contain common vulnerabilities and weaknesses that were fixed in most other applications long ago.

Due to the fact that these applications...

Oliver Friedrichs | 01 Aug 2006 07:00:00 GMT | 0 comments

Following closely on the heels of the release of our first publicly available research paper, I am very pleased to present our second paper: Windows Vista Security Model Analysis. In this paper, we have taken a detailed look at the new user account protection (UAP) and user interface privilege isolation (UIPI) capabilities that form the basis of Vista’s new security model.

From our research paper's abstract:

This paper provides an in-depth technical assessment of the security improvements implemented in Windows Vista, focusing primarily on User Account Protection and User Interface Privilege Isolation. This paper discusses these features and touches on several of their shortcomings. It then demonstrates how it is possible to combine...

Oliver Friedrichs | 18 Jul 2006 07:00:00 GMT | 0 comments

I think that it goes without saying that Windows Vista is one of the most important technologies that we will see in the next year. With current versions of Windows appearing on well over 90% of desktop systems, Vista will undoubtedly become the dominant operating system within a few years. The appearance of Windows Vista gives Symantec an interesting opportunity to both perform new research, and to publish the findings of that research. First of all, Vista is a beta operating system, meaning that it is changing at an extremely rapid pace; bugs are getting fixed, and in some cases new ones are introduced. Second, there is more freedom to discuss it because it is being made available explicitly for this purpose (to undergo testing and scrutiny).

With that said, I am very happy to present the Symantec Advanced Threat Research team’s first publicly available research paper: Windows...

Oliver Friedrichs | 17 Jul 2006 07:00:00 GMT | 0 comments

Since this is my first Symantec blog entry, I’d like to start things off by giving you some insight into our Advanced Threat Research team, which is a part of the Security Response group here at Symantec. We are responsible for generating all of Symantec’s protection content, which includes antivirus definitions, intrusion detection signatures, spam analysis, phishing site analysis, DeepSight early warning, and vulnerability alerts. Any content that is delivered through LiveUpdate or that drives the protection of Symantec products is delivered by Security Response.

The Advanced Threat Research team has the sole responsibility of researching new and emerging technologies and identifying how those technologies can be attacked. Our goal is fairly simple: to identify areas where attackers will strike next. There is no shortage of things to research, but we are interested specifically in those technologies and threats that will make the most impact within the next 12 to 24...