Video Screencast Help
Security Response
Showing posts in English
Jeremy Ward | 22 Feb 2007 08:00:00 GMT | 0 comments

If 2006 was the year of NAC, then 2007 is already shaping up to be the year of Risk Management. Perhaps you missed many of the analyst and expert New Year’s predictions of information security evolving into IT Risk Management this year, but a brief walk through RSA’s show floor and a perusal of the product news coverage would have only confirmed 2007’s focus on IT risk.

Similar to NAC’s challenges, there seems to be a good deal of confusion regarding the definition of IT Risk Management and how it is practiced. Fortunately—nearly one year later and after 500+ in-depth interviews with IT executives and business professionals worldwide—Symantec released the results of a new study, the IT Risk Management Report. The report is designed to cut through some of the industry noise and help organizations understand the fundamental elements of IT...

Zulfikar Ramzan | 21 Feb 2007 08:00:00 GMT | 0 comments

n this blog entry, I’ll talk about where malicious software (or malware) can find its place within the lifecycle of phishing attacks. This material accompanies a recent panel I participated in during the American Association for the Advancement of Science Annual meeting. If you attended the panel, this blog will review the points I made. If you missed the panel, then hopefully you’ll get a sense for what I covered.

Phishing: Overview and Motivation. Recall that a phishing attack is one where some illegitimate entity sends you an email posing to be a legitimate entity, like a bank or credit card company. Their goal is typically to get you to click on a link in the email, which directs you to a Web site that appears to be that of the legitimate entity. You are prompted to enter sensitive information, and from that point onward, the information is in the hands of an attacker. Not only can he or she wipe your accounts clean, but that information can then be used...

Zulfikar Ramzan | 21 Feb 2007 08:00:00 GMT | 0 comments

In this blog entry, I’ll talk about where malicious software (or malware) can find its place within the lifecycle of phishing attacks. This material accompanies a recent panel I participated in during the American Association for the Advancement of Science Annual meeting. If you attended the panel, this blog will review the points I made. If you missed the panel, then hopefully you’ll get a sense for what I covered.

Phishing: Overview and Motivation. Recall that a phishing attack is one where some illegitimate entity sends you an email posing to be a legitimate entity, like a bank or credit card company. Their goal is typically to get you to click on a link in the email, which directs you to a Web site that appears to be that of the legitimate entity. You are prompted to enter sensitive information, and from that point onward, the information is in the hands of an attacker. Not only can he or she wipe your accounts clean, but that information can then...

Ollie Whitehouse | 20 Feb 2007 08:00:00 GMT | 0 comments

People who have been following the notunexpected initial wave of security research with regards to WindowsVista will have seen a few informative blog posts recently. First, in ablog titled "Running Vista Every Day!"Joanna Rustkowska pointed out some issues with UAC, one of them being asimple implementation bug in UIPI. This, I believe in part, resulted inMark Russinovich writing his blog entry "PsExec, User Account Control and Security Boundaries." Joanna posted another blog, "Vista Security Model ? A Big Joke?" in response to Mark's blog post. And then followed it with "...

Elia Florio | 20 Feb 2007 08:00:00 GMT | 0 comments

This morning we received reports of spammed emails with the following bodies:

John Howard survived a heart attack
Read more: http://wi[REMOVED]news.hk

Prime Minister survived a heard attack
Read more: http://in[REMOVED]help.hk

Once again, it’s the usual attack that tries to lead victims to a Web site that hosts an exploit code. In this case, attackers also added some additional social engineering fun to pursue their criminal purposes. In fact, when someone visits the hostile Web site, it will show a false “502” error and will gently suggest shutting down firewall and antivirus software to avoid the problem. (Of course! What else? Do you want my credit card number? Send money to your bank?).

...

Ollie Whitehouse | 20 Feb 2007 08:00:00 GMT | 0 comments

People who have been following the notunexpected initial wave of security research with regards to WindowsVista will have seen a few informative blog posts recently. First, in ablog titled "Running Vista Every Day!"Joanna Rustkowska pointed out some issues with UAC, one of them being asimple implementation bug in UIPI. This, I believe in part, resulted inMark Russinovich writing his blog entry "PsExec, User Account Control and Security Boundaries." Joanna posted another blog, "Vista Security Model ? A Big Joke?" in response to Mark's blog post. And then followed it with "...

Peter Ferrie | 19 Feb 2007 08:00:00 GMT | 0 comments

A colleague of mine came to see me one morning recently with anunusual result. For reasons that he didn't explain to me (he called it"a secret project"), he had intentionally placed a particular encodingof an invalid instruction near the end of a valid page, next to anunallocated page, then executed that instruction. However, instead ofseeing the expected invalid opcode exception, he was seeing a pagefault. Initially, I thought that it was related to the unexpected LOCKexception bug in Windows that I documented here, but it turned out to be something else entirely.

It turns out that the CPU performs a complete fetch, includingparsing the ModR/M byte, prior to performing any kind of decoding.Thus, because of the instruction encoding that he had used, the CPU wasattempting to retrieve all of the necessary bytes first,before it knew that the...

Debbie Mazurek | 19 Feb 2007 08:00:00 GMT | 0 comments

One of the most common practices insoftware development is code reuse. Developers use the strategy to savetime and money by reducing redundant tasks and the theory is put intopractice in several popular content management systems available tousers who want to create their own Web presence.

The CMS, or content management system, is a framework that can beused by both experienced and novice developers to produce Web sites forcountless purpose. From blog sites (like this one) to e-commerce sites,for Fortune 500 companies to private individuals, a CMS can makedeveloping content for the Web a whole lot easier.

Many of the popular CMS varieties employ a modular approach thatmakes it easy to construct your own add-ons to suit any purpose you'dlike - searching, FAQ building, file uploading, news posting - the listis exhaustive. In fact, the odds are good that someone else has alreadymade the add-on you seek: they figured out code reuse.

Joomla! and Mambo are two...

James O'Connor | 16 Feb 2007 08:00:00 GMT | 0 comments

There has been much talk recently about thelaunch of Windows Vista, and one feature in particular: SpeechRecognition. Speech Recognition allows the user to dictate arbitrarytext to the computer (a letter for example) using speech instead of thekeyboard. It also allows the user to carry out normal computing tasksvia a choice of pre-defined commands. There are commands such as"delete that," "press escape key," and "what can I say?" This last oneshows the user what kinds of command they can use in the currentsituation. If Speech Recognition is running, but sleeping, the usersays "start listening" to activate it.

It has been suggested that Speech Recognition could be subverted fornefarious purposes using malicious audio clips. The scenario would beas follows:

• The user is browsing the Web, with Speech Recognition enabled.
• They visit a Web site, with a background audio clip that plays as soon as the site is opened.
• The audio clip contains commands that...

Candid Wueest | 16 Feb 2007 08:00:00 GMT | 0 comments

Another Valentine’s Day has passed and everyone knows that there are certain guidelines that should be followed on this day of love. Over the years, I've developed a top three list of recommendations:
• Don’t forget Valentine’s Day.
• Don’t forget to get in touch with your loved ones.
• Don’t open any strange email attachments, not even if they seem to come from a secret admirer and have a special greeting card attached.

But after the stories I heard this year around Valentine’s Day, it appears I'll need to add new advice to my top three list. Apparently many people received a suspicious text message on their mobile phone this Valentine’s Day. The text message came from an online love message service, which lets you record a message onto a central voice recording machine that can be dialed into. The service then sends a timed SMS to your friend, who can collect the recorded message by calling a number. Of course you have to pay around US$ 4 per minute for...