Here at Symantec, one of our beliefs isthat keeping people safe online requires more than just a knowledge oftechnology. It requires a knowledge of how people - both good guys andbad guys - actually use technology. It also requires an understandingof how people view technology and safety. It requires the ability tocommunicate different types of ideas to a wide variety of people; fromteenaged users to the CFO, from the college educator to the data entryoperator. It's a huge job and I was just reflecting today on how veryfortunate I am to be working within a group that not only sees thevalue of the multi-disciplinary and inter-disciplinary approaches, butone that actively supports and encourages it.

I recently spent a week at the Santa Fe Institute,learning about scientific advances in everything from the communicationpatterns of...

We have recently seen an increase in the number of zero-day exploits, which indicates that attackers are being more methodical in their discovery and use of software vulnerabilities. A zero-day exploit occurs when a software flaw is only discovered after it is already being exploited in the wild (and there isn’t a patch available from the vendor).

The “window of exposure” is the time frame during which users of vulnerable software will be at risk. This is calculated as the difference in time between when a vulnerability is exploited and when a patch is made available. The average window of exposure from the first six months of 2006 was 28 days – a dangerously large window in which systems and users are at risk. Average time to develop a patch – Time to develop exploit code = window of exposure (31 – 3 = 28 days).
While vendors continue to make strides and reduce the amount of time it takes to release a patch, attackers seem to be staying one...

Malware is becoming increasingly complex. Take Rustock.B for example: this threat goes above and beyond to prevent analysis and detection. A blog article is probably too small of a space to describe everything Rustock does technically, but you shouldn’t be surprised, considering its complexity, that Rustock has a clear financial motive. In particular, apart from hiding itself with advanced rootkit techniques, the primary goal of this threat is to send a lot of spam. Because we capture spam such as this, it allows us to update our email security products, such as Brightmail AntiSpam. In addition to pharmaceuticals, mortgages, and imitation product spam, Rustock has also sent stock-based spam. Stock-based spam usually consists of some random text, followed by an image, followed by more random text. Below is an example of one of the...

This Weblog and the blogoshpere in general have been abuzz with controversy over Microsoft PatchGuard and issues dealing with appropriate kernel security instrumentation. This blog entry is the first of a two-part series. It provides an excerpt of a draft posting that proposes an abstract host security metasystem and laws of host security that attempt to raise the level of discourse above specific features and implementations. This blog entry will outline the sensor and effector instrumentation laws and the second blog entry, covering the security and policy component laws, will be published later this week. Symantec posted this draft to openly solicit constructive comments and helpful suggestions for draft refinements. The intent is to reach industry consensus on an architectural framework to guide designers of future host security subsystems and supporting instrumentation.

...