Research


Apple: bigger problem, less excuse? Or same problem, same excuse?

Folks out there know I’ve been critical of Apple when it comes to product security. I’ve criticized Apple on two counts primarily: #1) for giving the user base (particularly the non-technical user base) a false sense of security, and #2) for stacking up poorly relative to the competition on response time to fix vulnerabilities. What’s interesting to me about the discussion is...

Read More

AMTSO… Yet again…

I really didn’t want to continue on this topic again, but I find that I am unable to control myself. I was reading through David Harley’s recent comments about the difference between ISO and AMTSO and Kurt Wismer’s well-reasoned post on AMTSO generally and I started musing about the role of AMTSO, my particular beef with it, and why this seems to stick in my craw. So, to briefly...

Read More

Security researchers: They smell your fear

There’s a bunch of press today out on the interwebs about a new vulnerability in Windows 7. Actually, let me rephrase. It’s not actually a vulnerability according to the researchers – instead, they’re calling it a “fundamental flaw”. Here’s the short story: you see, there’s apparently some issue with the way Windows 7 handles DMA – DMA...

Read More

Rethinking McAfee Research

If you’ve been following my meanderings over the past few months, you know about the Rootkit report where they say that rootkit incidents have risen 2300 percent over the past two years, and you’ve seen their assertion that we’re on the “cusp” of a phone-borne malware attack. Of course, I don’t subscribe to any of that. However, I came across this article...

Read More

Malware Statistics Apparently Malleable

Remember when we went through the McAfee “Rootkit Report” and pointed out that their “statistics” were merely reflective of their product rather than actually reflective of what’s going on in the real world? Well, today I stumbled across the headline Virus emails drop to record low informing us that virus-laden emails are at the “record low” figure of...

Read More

Thoughts about McAfee’s Rootkit Report

I noticed this morning a brief article over at Xatrix about rootkits on the rise, which sounded interesting. As it turns out, McAfee has put together some research indicating that “In the first quarter of 2006, the number of rootkits increased by 700 percent” and “Windows-based stealth components dominate the landscape, with an increase of 2,300 percent from 2001 to...

Read More

My laptop is not a Rhesus Monkey

The Register had an article today, “As Emperor of Security, I hereby decree…” It caught my attention since it was so atypical in style. The author spends some time discussing the things that he would decree if made emperor of security. Neat concept, right? I thought so too. The mandates were totalitarian and restrictive; purposefully so (that’s sort of the point,...

Read More

Vulnerability Research: Good or Evil?

This morning, I came across the excellently written post by Pete Lindstrom “Why Bugfinding is Irresponsible and Increases Risk”. As always, Pete is succinct, considered, and lays out his argument in exceptional clarity. That’s not to say that I agree with the entirety of what he says – just that I think he’s studying the problem in a comprehensive way, and I think...

Read More

OS X Challenge Wrap-up: How to waste time and not prove anything

Have you seen the Onion’s “Dolphins Not So Intelligent On Land” report? Is it just me or does this (obviously fictional) study remind anyone else of the hacking challenges going on in the OS X world the past few days: After capturing the dolphins from the ocean, Lindell and his colleagues tagged them and placed them under the intense, high-wattage lights of a moisture-proof...

Read More

Vulnerability Research According to Smith

Let’s try that again without the typos… So, there’s been a bunch of hullabaloo today about how ethical (or unethical) it is to sell vulnerability research information before it’s disclosed. Everybody’s leaping into the fray – overall, though, I think I side with the capitalists: those who would give researchers the right to hawk their wares. I’m for...

Read More

Symantec feels the pain?

This week, Symantec launched their new “Internet Threat Meter” site; the “Internet Threat Meter” is basically a portal where Joe Average can go to see aggregated information about the “state of the Internet” – there are “traffic lights” (green/yellow/red lights) on the site that correspond to the overall “safety level” associated...

Read More

New Whitepaper about Malware Evolution

Dancho Danchev (you may or may not know him from his blog) has put together a new whitepaper about the evolution of malware. There is, by no means, a shortage of opinion on how malware will evolve – it is a topic of considerable interest in the security community and there are tons of predictions about how malware authors will (or will not) continue to incorporate new distribution vectors...

Read More

Asinine Science Theater Three Thousand

In case you haven’t been keeping up with developments, last week some FUD came around about how ET was gonna haxor your bank account and use it to make REALLY long distance phone calls. Well, quite unexpectedly the situation has become much, much worse. SC has unfortunately elected to lend this cruft an air of respectability by including this asinine story in their “top infosec...

Read More

What is “Cybercrime?”

The Register is running a story today about how cybercrime has become more lucrative than drugs. That sounded like an astonishing factoid, and completely blew me away… and then I read the footnote. Apparently, they are counting copyright violations and the costs of malware in that number – accounting for well over 75 percent of the cited “losses”, these numbers are...

Read More

Aliens Haxor the Internet?

Just FYI – we’re raising the catastrophe alert level on the TerrorMonger Alert Con to “phenomenal terror” in light of recent evidence that ET is going on a h4xx0r rampage the likes of which we have never before encountered. As if there wasn’t enough FUD already, a respected physicist over at Fermi labs has sent out the alert that “SETI at home” is...

Read More

US has the con

In a move totally unanticipated by yours truly, the ICANN has remained under the control of the U.S. Given that none of the recommendations from the WGIG left the current structure intact, I didn’t even anticipate that this would be on the table. Honestly, I’m glad I was wrong…

Read More

CME useful despite static from Trend

Some of you probably already know that CME – the Common Malware Enumeration – list went live yesterday. Anybody who follows malware research will appreciate the significance of this; the fact is that trying to figure out which malware is which is seriously problematic when different vendors call it different names, and there’s no unifying standard. Hopefully, this list will do...

Read More

Down with Firewalls?

So, this news article citing Abe Singer’s anti-firewall rant came across my inbox this morning. Basically, Abe’s point is that too many people are spending too much money on firewalls, which don’t really do all that much in light of the expense. The article is filled with quotes like, “Too much of the security budget is being spent on firewalls which also get too much...

Read More

Too cool

I’m not sure how to use it, but as tools go, this one is really cool. It will find connections between two arbitrary terms via content on the Internet. It’s also interesting that going from “rootkit” to “Department of Homeland Security” goes through Microsoft – hidden meaning, you...

Read More

Score one for NLP

Richard Bandler discussed mimicry or “mirroring” back in the seventies as a way to successfully communicate and as a more efficacious way to persuade a subject in the context of a discussion. Honestly – I thought it was a load of bull. Apparently not; or at least not according to what this study would have us believe.

Read More

Sick of Password Statistics

I’m sick of seeing statistics about how likely users are to give out their passwords. This is the kind of survey where interviewers at the mall or a crowded train station interview a “statistically large sample” of people and ask them to give up their password for a fancy pen, or a chocolate, or some other trivial good. Of course, some people say they will, and news outlets...

Read More

“here we have something out of Star Trek, in which taxpayers are investing billions”

That’s Thomas Greene colorfully describing the Transportation Security Administration (TSA)’s rather dubious “Secure Flight” system. Greene makes a good case for why he thinks the system will never get off the ground. A more measured view on the topic can be found at Information Week, System For Screening Passengers For Terrorism Risk Not Ready For Liftoff, Report...

Read More

Trend’s “Top Threats”

Is it just me, or am I missing something? I’ve speculated about this before, but the methodology that Trend uses to figure out their top threats makes no sense to me. As I write this, the “top threat” #5 is Gator. I commented on this a while back to the press, but I think it bears repeating since Trend hasn’t done anything about it clearly: really, how much of a problem...

Read More

How many firewalls do we need?

Search Security today put out a list of reasons why we need email firewalls. My question is this: how many firewalls do we ultimately need? Already, if we are a typical enterprise, we probably already have multiple DMZ’s, each of which requires one or more “traditional” (IP) firewalls, then we’ll probably have “application firewalls” for proxying SOAP or...

Read More

Disaster-recovery plans still need work

Network World reports: “Nearly two years after the Sept. 11 attacks, many organizations remain woefully unprepared to quickly recover their IT systems and key business processes in the event of a disaster.” For those enterprises that haven’t yet gotten a reasonable and workable DR plan in place, this article has a nice ‘jump point’ checklist to get the wheels...

Read More

Utility Computing and Security

Both HP and IBM have recently announced enhancements to their Utility Computing offerings for the “Adaptive Enterprise.” In short, the approach is supposed to allow companies to use their resources, both hard and soft, in a more cost-effective manner. Using systems, “on-demand” on an as needed basis. From a security perspective these solutions could have positive impact....

Read More

“Know Your Enemy”

The Honeynet Project, http://www.honeynet.org/ has released a short but informative, and moderately entertaining to boot, report on credit card fraudsters and how they operate. The report includes snippets of IRC chats between experienced and newbie fraudsters. For anyone that wants to know how the fraudsters do it, it’s a terrific read. The report can be downloaded from the Honeynet...

Read More

Net survives mass-defacement contest

The Register weighs in: “The Internet is still up and running thanks to the diligence of government agencies like FedCIRC and commercial fearmongers like mi2g. . .Or thanks to the fact that the defacement hackathon was a hoax from the beginning, which it almost certainly was. But the interesting question is, whose hoax was it?”

Read More

The “Defacers Challenge”

Lock up your web sites everyone, recent headlines are peppered with reports about the so-called “Defacers Challenge” a contest, purportedly set to start this Sunday, July 6th, to see who can deface/attack 6,000 web servers first. Government Computing News, http://gcn.com/vol1_no1/daily-updates/22623-1.html Info World,...

Read More

Yet another reason to be careful what you say in IM (Instant Messaging)

From IDG News Service: “The National Association of Securities Dealers (NASD) informed its roughly 5,300 brokerage firm members Wednesday that they must retain their

Read More