Security Response
Marc Fossi | 11 Sep 2006 07:00:00 GMT | 0 comments

The end of summer is upon us—everyone is back from their holidays and the kids are headed back to school. It seems that we were given a bit of a jolt in August to wake us all up from our relaxation, though. There were plenty of security headlines to keep us all on our toes.

In early August, AOL publicly posted 20 million search keywords that had been entered by its users. The data was supposed to be used by researchers and was listed using numerical identifiers in order to group specific keywords per user, instead of identifying the actual users’ names. Unfortunately, some of the AOL users had entered search terms that personally identified them, such as their own names or names of family members. AOL pulled the keyword lists offline, but the lists had already been copied and posted in other forums. While those of us in the security industry have told people for years to be careful of entering personal information into questionable Web sites, I don’t think search engines were really...

Mimi Hoang | 08 Sep 2006 07:00:00 GMT | 0 comments

Symantec uses the term “security risks” to refer to programs such as adware, spyware, and other potentially unwanted programs. Our hands-on analysis of these programs results in risk designations of high, medium, or low. These risk ratings are calculated across four different categories:
• Performance impact: The measure of the effect that a particular program has on a system’s stability and speed.
• Ease of removal: The measure of the difficulty of removing the program from a system.
• Privacy: The type of information that is being captured and whether or not it is personally identifiable.
• Stealth: Measuring to what extent programs may install without the user noticing and/or try to remain hidden to evade detection and removal.

Unlike malicious code threats, which are automatically removed, a security risk program may be acceptable to one enterprise or home user and not acceptable to another. Classifying security risks helps guide users in making...

Peter Ferrie | 07 Sep 2006 07:00:00 GMT | 0 comments

I’ll admit right now that this entry is a tease, because I can't tell you how I did it. However, I'll start by saying that there are some people out there who are claiming that hardware-assisted hypervisors are completely undetectable and some people who are claiming that they are not.

The people claiming that hardware-assisted hypervisors are undetectable are basing their argument on several things. First, the sensitive instructions that allow detection of software-based VMMs are trapped by a hardware-assisted hypervisor so that they can be emulated appropriately, if necessary. Second, some registers already have hardware-backed shadow copies; so, as an example, trying to leave paged protected mode (which is not permitted—not even in root mode) might seem like it worked, but it didn't really, because the hypervisor will simply switch the guest into v86 mode and the shadow CR0 will be lying to you. Third, the delivery of physical memory can be intercepted and empty pages...

Dave Cole | 06 Sep 2006 07:00:00 GMT | 0 comments

Last month, I blogged on the security and privacy implications surrounding Web 2.0, but left a little for another day. Following up after this year’s Black Hat, where Web 2.0 issues were cast into the spotlight, I’m here to finish what I started and provide an update on some interesting happenings.

Since my last post
To begin with, the potential for AJAX to empower sophisticated JavaScript malware and a host of invasive Web applications was demonstrated at Black Hat in Las Vegas. From port scanning to fingerprinting and basic network mapping, all done using the AJAX group of technologies, it’s clear that we’ve only begun to see what’s possible via malicious Web sites. While they may not have the immediate impact of a...

Ollie Whitehouse | 05 Sep 2006 07:00:00 GMT | 0 comments

In a time not so long ago the world was a very different place—in terms of mobile phone software upgrades at least. For many years now, several smaller companies in the cellular handset industry have provided a means for users to upgrade the firmware of their devices at home. These firmware upgrades are typically carried out using a computer—on which the firmware files are stored—and a connecting cable (or desk stand) for the cellular device. Sadly, this was not always true for the larger players; the result of which was that when a vulnerability was discovered, the user would first have to learn of it and then take their handset into a service center to be upgraded. This method isn’t very practical and would be pretty low on the priority list for most, if not all but the seriously security conscious.

Well, I applaud Nokia for their recent change of heart to allow users to perform...

Hon Lau | 03 Sep 2006 07:00:00 GMT | 0 comments

In recent months there has been a lot of activity around the discovery and exploitation of vulnerabilities in the Microsoft Office 2003 suite of applications. This activity led to the discovery of a large number of vulnerabilities in Microsoft Word, PowerPoint, and Excel; many of which were incorporated into new Trojans, such as the Trojan.PPDropper and Trojan.MDropper families. As a result, Microsoft has spent a fair amount of time and effort in patching security vulnerabilities in its Office 2003 suite.

In the past couple of days, we have seen samples of a Trojan that exploits a previously unknown vulnerability in Microsoft's Office applications. This time, it is in Microsoft Word 2000 running on Windows 2000. This Trojan (detected by Symantec products as Trojan.MDropper.Q) takes advantage of the vulnerability to drop another file onto the target computer....

Zulfikar Ramzan | 01 Sep 2006 07:00:00 GMT | 0 comments

The second Symposium on Usable Privacy and Security (SOUPS 2006) was held July 12-14, 2006 at Carnegie Mellon. The symposium focuses on bringing usability back into the equation when designing security technologies. That is to say that ultimately, any system providing security is only as secure as its weakest link. Unfortunately, that weakest link often turns out to be the human being using the system.

One particular paper from the conference proceedings that (naturally) caught my attention was “Decision Strategies and Susceptibility to Phishing” by Julie Downs, Mandy Holbrook, and Lorrie Cranor (all of Carnegie Mellon). The paper describes the results of a mental model interview/study with 20 non-expert computer users, in an effort to better understand the user decision-making process upon encountering suspicious emails and Web sites.

The study found that while the participants were aware of traditional risks such as malicious code, they were less aware of...

Hon Lau | 31 Aug 2006 07:00:00 GMT | 0 comments

Software engineers, just like any other professionals, are always on the lookout for a faster, better, and cheaper way of getting the job done. In the construction industry you can use pre-cast concrete and timber frames to speed up production. Likewise, in the systems engineering world you can use code generators and CASE tools (and the like) to make things easier. So, it comes as no surprise that malicious software creators have also been building tools and aids to help them become faster and better.

Many years ago, building a useful and profitable piece of malware required a fair amount of skill and knowledge of the systems being targeted for attack. The lack of handy tools, together with a limited target group for the malicious code, made it difficult to make any easy money out of writing malicious code. Unfortunately, those days are long gone. Today, it doesn’t take much skill to produce, distribute, and maintain a large collection of deployed malicious code to...

Hon Lau | 29 Aug 2006 07:00:00 GMT | 0 comments

Currently, exploits are the flavor of the month as far as malicious code authors are concerned. However, in recent days we have seen a few variants of a new mass-mailing worm called W32.Stration@mm successfully spreading on a moderate scale over the Internet. For some time now we have observed fewer and fewer new instances of mass-mailing worms, so it has now become a bit of a novelty to see that somebody is still willing to invest time and effort into creating a worm that uses this method as the primary means of propagation.

Mass-mailing worms have been around for a long time and people have, by and large, learnt to defend themselves more effectively against them. In the fight back, many administrators now block certain attachments on the gateway; some may apply email filtering such as...

Kelly Conley | 28 Aug 2006 07:00:00 GMT | 0 comments

You are not alone. Practically everyone with an email account has encountered this problem. Image spam is everywhere these days and for the recipients it is a headache of fake Rolex, Chialis, and stock recommendations, to name only a few of the favorites. While antispam vendors mobilize to keep up with this new trend, the spammers infiltrate your Inbox.

The most frustrating thing is that these messages all look pretty much the same when reading them in your email. However, they are very different in the raw, which makes the creation of effective filters much more difficult. Some of the techniques being employed by spammers to get these image-based ads into your Inbox are so subtle they are virtually imperceptible to the naked eye. These include, but are in no way limited to, slight changes in text size and color, as well as image placement from one message to the next. The spammers keep utilizing more and more elaborate avoidance techniques to get their ads to...