Video Screencast Help
Scheduled Maintenance: Symantec Connect is scheduled to be down Saturday, April 19 from 10am to 2pm Pacific Standard Time (GMT: 5pm to 9pm) for server migration and upgrades.
Please accept our apologies in advance for any inconvenience this might cause.

Security Response

Showing posts for November of 2006
Showing posts in English
Elia Florio | 30 Nov 2006 08:00:00 GMT | 0 comments

In a letter to the editor of CrossTalk magazine, “Rubey” of SofTech Inc. exhorted developers to “go beyond the condemnation of spaghetti code to the active encouragement of ravioli code.” It was 1992 and the "pasta theory of programming" was officially born. Since we first talked of the “spaghetti code” used by Trojan.LinkOptimizer, at least one blog reader has asked for more details about it, so I decided to post a brief explanation and a visual demonstration of what is exactly spaghetti code is.

Programmers talk about spaghetti code when a program has a complex and tangled control structure that uses many jumps (GOTOs) or other unstructured branching constructs. Now, take a second to solve the following visual quiz. Look at the images below, which show three different graphs generated by IDA Professional (a well-known disassembler program). Each graph is the result of the analysis of the function flow of an executable...

Brian Hernacki | 29 Nov 2006 08:00:00 GMT | 0 comments

As municipal Wi-Fi networks begin to roll out, I've begun to notice a trend that isn't surprising, but is still a bit worrisome. Business users are beginning to use the muni Wi-Fi in the office. While the signal doesn't often penetrate too deeply into buildings, conference rooms and window offices seem to get a sufficient signal in many cases. The problem is that I see people using the muni Wi-Fi signal instead of the office IT-supported network. Sometimes they just use it because it's more convenient. The office IT network is "secure" and requires extra work, such as entering keys or using a VPN. Sometimes they do it because they explicitly want to avoid the local IT policy controls (access to restricted sites, use of restricted applications, etc.)

So, why is this a problem? First, it exposes the user’s computer to the Internet without the normal protection of the office IT security safeguards (like a firewall). While it's quite possible to secure the...

Brian Hernacki | 29 Nov 2006 08:00:00 GMT | 0 comments

As municipal Wi-Fi networks begin to roll out, I've begun to notice a trend that isn't surprising, but is still a bit worrisome. Business users are beginning to use the muni Wi-Fi in the office. While the signal doesn't often penetrate too deeply into buildings, conference rooms and window offices seem to get a sufficient signal in many cases. The problem is that I see people using the muni Wi-Fi signal instead of the office IT-supported network. Sometimes they just use it because it's more convenient. The office IT network is "secure" and requires extra work, such as entering keys or using a VPN. Sometimes they do it because they explicitly want to avoid the local IT policy controls (access to restricted sites, use of restricted applications, etc.)

So, why is this a problem? First, it exposes the user’s computer to the Internet without the normal protection of the office IT security safeguards (like a firewall). While it's quite possible to secure the...

Symantec Security Response | 28 Nov 2006 08:00:00 GMT | 0 comments

Symantec has confirmed the existence of a new worm called W32.Spybot.ACYR, which takes advantage of several Microsoft vulnerabilities. The worm also attempts to exploit a previously addressed vulnerability in Symantec Client Security and Symantec Antivirus, SYM06-010; patches for the particular Symantec product vulnerability have been available since Thursday, May 25, 2006. As a result, customers who have applied the patch in their environment are unaffected by the worm’s attempt to leverage the Symantec vulnerability for an attack. Customers running Symantec Client Security or Symantec intrusion prevention (IPS) capable products are protected against all known and unknown exploits of SYM06-010 via IPS signatures released on May 26, 2006.

At the present...

Jim Hoagland | 28 Nov 2006 08:00:00 GMT | 0 comments

Greetings and welcome to my first blog posting. Back when Tim Newsham and I wrote Windows Vista Network Attack Surface Analysis: A Broad Overview, we expressed concern about Teredo's security implications, although we hadn't yet had the opportunity to investigate it. Subsequently, I had a chance to dig into the protocol and found that our concerns were justified: Teredo can have an important and negative impact on your host and network security. With that said, let me announce our new research paper: The Teredo Protocol: Tunneling Past Network Security and Other Security Implications.

Teredo is a timely protocol to look into since it is included in Windows Vista and is enabled by default. So, Vista hosts will be using it unless it is explicitly disabled or blocked (which is...

Sarah Gordon | 27 Nov 2006 08:00:00 GMT | 0 comments

Here at Symantec, one of our beliefs is that keeping people safe online requires more than just a knowledge of technology. It requires a knowledge of how people - both good guys and bad guys - actually use technology. It also requires an understanding of how people view technology and safety. It requires the ability to communicate different types of ideas to a wide variety of people; from teenaged users to the CFO, from the college educator to the data entry operator. It's a huge job and I was just reflecting today on how very fortunate I am to be working within a group that not only sees the value of the multi-disciplinary and inter-disciplinary approaches, but one that actively supports and encourages it.

I recently spent a week at the Santa Fe Institute, learning about scientific advances in everything from the communication patterns of...

Sarah Gordon | 27 Nov 2006 08:00:00 GMT | 0 comments

Here at Symantec, one of our beliefs isthat keeping people safe online requires more than just a knowledge oftechnology. It requires a knowledge of how people - both good guys andbad guys - actually use technology. It also requires an understandingof how people view technology and safety. It requires the ability tocommunicate different types of ideas to a wide variety of people; fromteenaged users to the CFO, from the college educator to the data entryoperator. It's a huge job and I was just reflecting today on how veryfortunate I am to be working within a group that not only sees thevalue of the multi-disciplinary and inter-disciplinary approaches, butone that actively supports and encourages it.

I recently spent a week at the Santa Fe Institute,learning about scientific advances in everything from the communicationpatterns of male...

Al Hartmann | 24 Nov 2006 08:00:00 GMT | 0 comments

I posted a blog earlier this weekthat introduced an abstract host security metasystem and the sensor andeffector instrumentation laws, which are two components of the laws ofhost security. Today’s blog outlines the security and policy componentlaws. Symantec posted a draft proposal on an abstract host securitymetasystem and the laws of host security in order to gain discussionand suggested improvements from interested parties in the securityindustry. Symantec posted this draft to openly solicit constructivecomments and helpful suggestions for draft refinements. The intent isto reach industry consensus on an architectural framework to guidedesigners of future host security subsystems and supportinginstrumentation.

metasystem.jpg...

Mimi Hoang | 23 Nov 2006 08:00:00 GMT | 0 comments

We have recently seen an increase in the number of zero-day exploits, which indicates that attackers are being more methodical in their discovery and use of software vulnerabilities. A zero-day exploit occurs when a software flaw is only discovered after it is already being exploited in the wild (and there isn’t a patch available from the vendor).

The “window of exposure” is the time frame during which users of vulnerable software will be at risk. This is calculated as the difference in time between when a vulnerability is exploited and when a patch is made available. The average window of exposure from the first six months of 2006 was 28 days – a dangerously large window in which systems and users are at risk. Average time to develop a patch – Time to develop exploit code = window of exposure (31 – 3 = 28 days).
While vendors continue to make strides and reduce the amount of time it takes to release a patch, attackers seem to be staying one step ahead of...

Mimi Hoang | 23 Nov 2006 08:00:00 GMT | 0 comments

We have recently seen an increase in the number of zero-day exploits, which indicates that attackers are being more methodical in their discovery and use of software vulnerabilities. A zero-day exploit occurs when a software flaw is only discovered after it is already being exploited in the wild (and there isn’t a patch available from the vendor).

The “window of exposure” is the time frame during which users of vulnerable software will be at risk. This is calculated as the difference in time between when a vulnerability is exploited and when a patch is made available. The average window of exposure from the first six months of 2006 was 28 days – a dangerously large window in which systems and users are at risk. Average time to develop a patch – Time to develop exploit code = window of exposure (31 – 3 = 28 days).
While vendors continue to make strides and reduce the amount of time it takes to release a patch, attackers seem to be staying one step ahead of...