Security Response
Sarah Gordon | 10 Oct 2006 07:00:00 GMT | 0 comments


I landed in Montreal on Sunday morning and immediately began sorting out pictures of my dogs (!) so I could put the finishing touches on my Virus Bulletin presentation. “Everything I Need to Know About Security I Learned from My Dog and a Country Western Song” is not your usual security paper title; in fact, the initial idea evolved as a tongue-in-cheek “what if” mental exercise. However, the more I thought about it, and the more people I talked to about it, the more I realized the idea was worth pursuing to the next level. Somewhere along the way it changed to “two dogs”, I submitted the abstract to Virus Bulletin, it was accepted, and the paper began to take shape.

Virus Bulletin is undoubtedly one of the best opportunities (globally...

Dave Cole | 10 Oct 2006 07:00:00 GMT | 0 comments


Read ’em and weep. Doesn’t matter what it is, how much you spent on it, or what you’ve done to implement it, its outlook is about as good as the Cleveland Browns’ Super Bowl chances. Got your attention? That’s the idea. This type of apocalyptic proclamation has been alive and well in information security over the past few years and never ceases to get its share of eyeballs and chatter. Gartner fired a shot across the bow a while back with the “IDS is dead” statement and similar things are now being said about antivirus. The siren call of these alarmist statements has proven irresistible, but I’ll offer that while they make for catchy headlines, they obscure a more complex, but much more accurate reality. In this spirit, I’ll offer up a couple of alternate headlines that are a lot less captivating, but also do a better job of hitting the mark, in my eyes....

Eric Chien | 09 Oct 2006 07:00:00 GMT | 0 comments

Over the weekend, the Google blog was hacked and someone made a fake post stating Google was discontinuing their Click-To-Call service. A few weeks ago, Randy Charles Morin's blog was reportedly hacked using a new unknown and unpatched exploit by Jason Schramm known as the Host Overflow Application eXception.

Now, some people are putting one and one together and assuming Google's blog was hacked via the unpatched Host Overflow Application eXception. The problem? The Host Overflow Application eXception appears to be a HOAX (follow the capital letters). Jason followed up with a post to his blog with a supposed patch. The patch itself...

Peter Ferrie | 06 Oct 2006 07:00:00 GMT | 0 comments

“Garry’s Mod” is a fairly popular modification add-on to the first-person shooter game Half-Life 2. Garry’s Mod doesn’t actually contribute any benefits to the game play, but it allows Half-Life 2 players or enthusiasts to modify objects and/or features in the Source engine, which is the 3-D gaming engine used to run Half-Life 2. Lua scripting has also been added to Garry’s Mod to allow players to create personalized game modes and weaponry. Of course, along with the introduction of Lua scripting support to Garry's Mod comes the predictable appearance of Garry's Mod-specific Lua viruses. So far, all of them simply copy themselves into a specific location and add a reference to themselves in the startup list.

Corresponding with the appearance of the virus scripts was the appearance of antivirus scripts. Unfortunately, some of those antivirus scripts are themselves viruses—the classic and misguided...

Jonathan Omansky | 05 Oct 2006 07:00:00 GMT | 0 comments

As a security professional with over 10 years of experience in both government and private industries, I am still surprised at how little awareness the industry has about the technology, intent, and challenges surrounding intrusion prevention. I intend to use this blog (and others moving forward) to lay out a basic understanding of what this thing called "IPS" is, from an analyst's point of view. Firstly, let's start with some simple explanations and lay to rest the history of the differences between the terms "IPS" and "IDS". I often hear these words used interchangeably in conversations, meetings, papers, and email threads; yet, there is a clear difference in these terms, based on the evolution of the technology.

In the early days of network traffic pattern matching, intrusion detection software (IDS) was used to match a set of specified strings within a network stream and alert and/or log the event for the user. This information was used by system administrators to detect...
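What that early string-matching model looks like in practice, as an added example that is not code from this post or from any Symantec product: a toy engine that checks each packet payload in a constructed stream against a list of signature strings. In detection mode it only alerts and logs; switching the same engine to inline prevention mode also drops the matching packet, which is the operational difference between "IDS" and "IPS" behaviour. The signatures, packet stream and log format are all made up for illustration.

```python
"""Minimal string-matching IDS/IPS engine (added example, constructed data)."""
from dataclasses import dataclass, field


@dataclass
class Signature:
    sid: int        # hypothetical signature id
    name: str       # human-readable description for the log
    pattern: bytes  # literal byte string to look for in the payload


# Constructed signatures; these are illustrative, not from any real rule set.
SIGNATURES = [
    Signature(1001, "HTTP path traversal attempt", b"../../"),
    Signature(1002, "Shell path in request", b"/bin/sh"),
    Signature(1003, "SQL tautology in query string", b"' OR 1=1--"),
]

# Constructed packet stream as (src, dst, payload) tuples.
SAMPLE_STREAM = [
    ("10.0.0.5", "192.0.2.10",
     b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    ("10.0.0.7", "192.0.2.10",
     b"GET /../../etc/passwd HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    ("10.0.0.9", "192.0.2.10",
     b"GET /login?user=a' OR 1=1--&pw=x HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
]


@dataclass
class Engine:
    signatures: list
    prevent: bool = False          # False: IDS (alert/log only); True: IPS (also drop)
    log: list = field(default_factory=list)

    def inspect(self, src, dst, payload):
        """Match every signature against one payload.

        Returns True if the packet should be forwarded, False if an IPS
        would drop it. An IDS never returns False: it can only observe.
        """
        for sig in self.signatures:
            if sig.pattern in payload:
                action = "DROP" if self.prevent else "ALERT"
                self.log.append(f"{action} sid={sig.sid} {src}->{dst} {sig.name}")
                if self.prevent:
                    return False   # inline device: stop at first hit
        return True

    def run(self, stream):
        """Process a whole stream; return the packets that were forwarded."""
        return [pkt for pkt in stream if self.inspect(*pkt)]


if __name__ == "__main__":
    ids = Engine(SIGNATURES, prevent=False)
    ids.run(SAMPLE_STREAM)
    print("IDS log:", *ids.log, sep="\n  ")
    ips = Engine(SIGNATURES, prevent=True)
    forwarded = ips.run(SAMPLE_STREAM)
    print("IPS log:", *ips.log, sep="\n  ")
    print(f"IPS forwarded {len(forwarded)} of {len(SAMPLE_STREAM)} packets")
```

The caveat a practitioner wants here: this engine looks at one packet at a time, so a pattern split across two TCP segments (or hidden behind URL encoding) is not seen. Real sensors reassemble streams and normalise protocols before matching, and an inline device that drops on a false positive breaks legitimate traffic, which is why the "prevent" switch is the part of this design that needs the most care.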

Marc Fossi | 04 Oct 2006 07:00:00 GMT | 0 comments

It’s that time of year when the kids go back to school and the leaves start changing colors. In some parts of the world (like where I live) the air starts to get cool and the sky is gray in anticipation of snow and freezing temperatures. The thought of this approaching cold front might be enough to send some people to seek out an alternate reality online.

One of these online alternate reality worlds, Second Life, reported a data breach in September. Apparently, one of their databases containing customer information was breached. The attackers managed to get users’ names and addresses, as well as encrypted credit card numbers. While the unencrypted data may not be too much to worry about, users should still make sure to change their passwords. Hopefully, the credit card numbers were encrypted using a strong algorithm.

Maybe you’ve already been playing around in one of the variousonline worlds, but you feel...

Zulfikar Ramzan | 03 Oct 2006 07:00:00 GMT | 0 comments

Markus Jakobsson is a computer science professor at Indiana University and has done some excellent work on understanding phishing attacks. I’ve blogged about some of Markus’ research in the past and I thought I’d share some information about some recent work of his that focuses on the question: What causes people to fall for phishing attacks?

Markus and his group completed a study at Indiana University where the subjects were shown various types of stimuli, such as Web pages and emails. Some of these were legitimate and others were based on phishing attacks. The subject group was asked to rate (on a scale of one to five) how authentic the stimulus was. If a participant marked a score of one, it was thought that the stimulus was taken from a phishing attack. A score of five meant that it appeared legitimate.

To make things...

John McDonald | 02 Oct 2006 07:00:00 GMT | 0 comments

It is often said that an antivirus (AV) product is only as good as its most recent signature update; however, that's not strictly true. Even if your AV definition set is months out of date, it will still protect you from some of the worst viruses and worms of all time: Mydoom, Netsky, Bugbear, Sasser, Klez, Sobig, and Nimda, for example. On the other hand, the statement does hold some truth. While an AV product won’t protect a computer from every new threat right from the moment that threat is unleashed into the wild, most AV companies are very quick to add protection for new threats and make that updated protection available to their customers—usually within hours. Given that most threats spread relatively slowly (with a few notable exceptions, such as Slammer (W32.SQLExp.Worm), but that only affected certain systems running specific software), the timely release of...

Symantec Security Response | 29 Sep 2006 07:00:00 GMT | 0 comments

Update: On September 30, 2006, Symantec Security Response received reports that the WebViewFolderIcon ActiveX control vulnerability is being actively exploited in the wild.

Shortly following the out-of-band patch for the VML vulnerability earlier this week, Microsoft is releasing yet another out-of-band advisory. The latest advisory, released today (September 29, 2006), addresses an ActiveX vulnerability in Microsoft Windows.

The vulnerability is a buffer overflow in the Microsoft WebViewFolderIcon ActiveX control, which, if successfully exploited, will allow an attacker to perform remote code execution on the victim machine. Failed attempts would likely result in browser crashes. Proof-of-concept exploit code is available publicly.

In order to carry out an attack, the attacker would need to employ some form of social engineering (such as emails, instant messages, or banner ads) and try to convince potential victims to click on links that would lead...

Dave Cole | 29 Sep 2006 07:00:00 GMT | 0 comments

Now that all of the hard work has been done by everyone else compiling the stats and the 100+ page report, it’s time for a glance at the tea leaves. (Typical product manager.) ;-) This blog will serve as a very abbreviated recap of the Future Watch section of the latest ISTR, which looks ahead to the short-term horizon for what we think some of the main issues will be. This isn’t the "toaster is infected with a worm which jumped there from a flawed RFID chip” type of stuff; rather, it’s the patterns that we see forming that are either right around the corner, or are already showing signs of being a clear pattern. Your toaster is safe for now. :-)

While the ISTR report itself discusses both Windows Vista and Web 2.0 issues in the Future Watch section, I’m going to pass on those topics here, as we’ve already provided in-depth coverage of both in previous blogs. (You can find these blogs in the...