Security Response
Marc Fossi | 04 Dec 2006 08:00:00 GMT | 0 comments

‘Tis the season to spend money. As the holiday season approaches, people tend to loosen their purse strings in the desperate search for the perfect gift for that special someone. Unfortunately, scammers and criminals are well aware of this fact and do what they can to take advantage of it. Two common ways of doing this are through “second chance” auction scams and “overpayment” scams.

If someone on your list wants that hot new gaming console that’s sold out in all the stores, you may turn to online auction sites to find one. Because so many people are after these hot items, the auction prices can get quite high. This is where the scammer steps in. Frequently, the winner of an auction may drop out or be unable to make good on their bid for whatever reason. Most online auction sites allow the seller to contact the next-highest bidder and offer the item to them rather than re-listing it. As a result, scammers are checking auctions for these items a day or two after the listing has...

Orlando Padilla | 01 Dec 2006 08:00:00 GMT | 0 comments

The long anticipated Windows Vista operating system is finally out the door and as anyone would agree, it’s celebration time at Microsoft. But, let’s discuss what we are in for with a peek at the default user environment on the 32-bit platform.

Symantec Advanced Threat Research decided to conduct an analysis of Windows Vista’s security enhancements provided by the user account control (UAC) and the resulting new security barriers. No formal requirements were defined, although a few guidelines were set to stay organized: gather a sample set of malicious code, execute the samples under the default UAC environment, and carefully determine their success. The results were then broken down into three categories:
1) Successful execution of malicious code
2) System restart survivability
3) Failed execution of malicious code, and why

There are two important prerequisites in place to establish fair play practices:
1) All malicious code must be executed under the...

Peter Ferrie | 01 Dec 2006 08:00:00 GMT | 0 comments

It's been more than two months since the disbanding of the 29A virus writing group, and in typical 29A fashion, we're still waiting for the official announcement. Of course, that's fine – as long as they're no longer writing viruses we don't care if they tell us or not. Maybe they're waiting for January 1. ;-)

What fun we can have speculating on the “hows” and “whys”, such as that Vecna left the group and nobody noticed, or that roy signs his viruses with a different group name and nobody cares. Zombie's site has been closed for a long time already; now the 29A site, hosted by GriYo, is gone. First it was replaced by GriYo's radio interviews and then it was removed completely. Benny's real name is known and probably Ratter's and Vecna's are, too. They must know that they can't move freely anymore. As for roy, I think he is actually not just one person but several, although that's a topic for another day (although they should all quit).

Anyway, these are all promising signs....

Elia Florio | 30 Nov 2006 08:00:00 GMT | 0 comments

In a letter to the editor of CrossTalk magazine, “Rubey” of SofTech Inc. exhorted developers to “go beyond the condemnation of spaghetti code to the active encouragement of ravioli code.” It was 1992 and the “pasta theory of programming” was officially born. Since we first talked of the “spaghetti code” used by Trojan.LinkOptimizer, at least one blog reader has asked for more details about it, so I decided to post a brief explanation and a visual demonstration of what exactly spaghetti code is.

Programmers talk about spaghetti code when a program has a complex and tangled control structure that uses many jumps (GOTOs) or other unstructured branching constructs. Now, take a second to solve the following visual quiz. Look at the images below, which show three different graphs generated by IDA Professional (a well-known disassembler program). Each graph is the result of the analysis of the function flow of an executable...

Brian Hernacki | 29 Nov 2006 08:00:00 GMT | 0 comments

As municipal Wi-Fi networks begin to roll out, I've begun to notice a trend that isn't surprising, but is still a bit worrisome. Business users are beginning to use the muni Wi-Fi in the office. While the signal doesn't often penetrate too deeply into buildings, conference rooms and window offices seem to get a sufficient signal in many cases. The problem is that I see people using the muni Wi-Fi signal instead of the office IT-supported network. Sometimes they just use it because it's more convenient. The office IT network is "secure" and requires extra work, such as entering keys or using a VPN. Sometimes they do it because they explicitly want to avoid the local IT policy controls (access to restricted sites, use of restricted applications, etc.).

So, why is this a problem? First, it exposes the user’s computer to the Internet without the normal protection of the office IT security safeguards (like a firewall). While it's quite possible to secure the...

Symantec Security Response | 28 Nov 2006 08:00:00 GMT | 0 comments

Symantec has confirmed the existence of a new worm called W32.Spybot.ACYR, which takes advantage of several Microsoft vulnerabilities. The worm also attempts to exploit a previously addressed vulnerability in Symantec Client Security and Symantec Antivirus, SYM06-010; patches for the particular Symantec product vulnerability have been available since Thursday, May 25, 2006. As a result, customers who have applied the patch in their environment are unaffected by the worm’s attempt to leverage the Symantec vulnerability for an attack. Customers running Symantec Client Security or Symantec intrusion prevention (IPS) capable products are protected against all known and unknown exploits of SYM06-010 via IPS signatures released on May 26, 2006.

At the present...

Jim Hoagland | 28 Nov 2006 08:00:00 GMT | 0 comments

Greetings and welcome to my first blog posting. Back when Tim Newsham and I wrote Windows Vista Network Attack Surface Analysis: A Broad Overview, we expressed concern about Teredo's security implications, although we hadn't yet had the opportunity to investigate it. Subsequently, I had a chance to dig into the protocol and found that our concerns were justified: Teredo can have an important and negative impact on your host and network security. With that said, let me announce our new research paper: The Teredo Protocol: Tunneling Past Network Security and Other Security Implications.

Teredo is a timely protocol to look into since it is included in Windows Vista and is enabled by default. So, Vista hosts will be using it unless it is explicitly disabled or blocked (which is...

Sarah Gordon | 27 Nov 2006 08:00:00 GMT | 0 comments

Here at Symantec, one of our beliefs is that keeping people safe online requires more than just a knowledge of technology. It requires a knowledge of how people - both good guys and bad guys - actually use technology. It also requires an understanding of how people view technology and safety. It requires the ability to communicate different types of ideas to a wide variety of people; from teenaged users to the CFO, from the college educator to the data entry operator. It's a huge job and I was just reflecting today on how very fortunate I am to be working within a group that not only sees the value of the multi-disciplinary and inter-disciplinary approaches, but one that actively supports and encourages it.

I recently spent a week at the Santa Fe Institute, learning about scientific advances in everything from the communication patterns of...