Did the job of security software just get bigger?
Well, it sure looks that way. We are only just into the second month of 2010, and yet we can now see in prospect a whole raft of innovation coming our way. At CES in Las Vegas last month, a lot of the attention was given to eBook readers and new slate/tablet based PCs. These new devices are squarely focused on the opportunity with digital content. The success of Amazon, and of Apple with iTunes, clearly shows that there is a big market for digital content and that money can be made as a result. We have seen a lot of activity in the eBook reader market, with many companies starting to launch products. Amazon, with the Kindle, has very much been in the vanguard of showing how this can all come together.
CES also witnessed a range of announcements with respect to tablet computers. We saw products from HP, Lenovo (interesting cross-over laptop/tablet device), Sony, Archos etc. These products will start to come to market from the mid-point of this year. Many people commented that these CES announcements were a pre-emptive strike to gain interest and profile ahead of the long and much anticipated Apple tablet device. And so, last week, Apple finally took the wraps off of the ‘iPad’. The headlong rush into the brave new world of digital content devices is now on. What are the security implications of all this? That is a very good question.
In all of the product announcements, a picture was painted of us having almost constant and ubiquitous access to digital content, be that web sites, books, news, music, videos, pictures etc. That content will be accessed, managed and, importantly, paid for from these new devices. They themselves, when you strip them back, all have an operating system, a browser, storage and some means to connect to the internet. At the end of the day they are a PC of some sort, hence, from a security perspective they face all the same challenges. We all (regrettably) know that hardware and software have flaws and vulnerabilities and that the hackers and cybercriminals live off the back of this. I predict that in the coming months we will see proof-of-concept announcements, along the lines that a particular device or OS, used in any one of these devices, can be compromised and that on the back of this a particular exploit can be enacted. The iPad has just been announced and it uses the iPhone OS. Just today, Apple has released a patch to block remote code execution on the iPhone, and therefore by default on the iPad.
This will spook many people and will no doubt garner many headlines. However, that does not mean that users will be immediately impacted; not in the short term. How come? Well, as ever, it comes down to money. The hackers and cybercriminals, in theory, now have a fertile new segment to exploit and pillage. These new devices hold digital content that has a real value attached to it. To transact and procure this content, on these devices, we are going to use our online ‘identities’. Again, these have real value and quickly attract the attention and focus of the cybercriminals.
However, their desire to do so will be checked not initially by technical considerations, rather, economic ones. The cybercriminals need to have a large ‘addressable market’, to adopt the parlance of the marketeers, before they will really focus on it. For the moment, the hottest product in town is the Apple iPad. I have read that some of the analysts are predicting that up to 6M of these devices could be sold this year. That seems a big number, but if you think that the installed base of Windows PCs stretches into the billions of units, and that the Mac installed base stretches into the hundreds of millions, then it still is relatively small. The numbers and economics suggest that the cybercriminal would be better to focus on the existing, large and established Windows and Mac markets. These new digital content devices will be afforded some protection in that they are operating in a nascent market segment.
At the moment, there is not much, if any, commonality between the products that have been announced – everyone is off and doing it their own particular way. Heterogeneity is not the ideal bed-fellow for the hackers and cybercriminals. It can and will force them to create different versions of malware, and that all takes time and effort, read for that cost. So, again, it is economic considerations that dictate where the cybercriminals put their focus.
Past experience is always instructional in shaping the reality of today. This new category of digital devices is going to be huge. It will grow quickly, but it will not necessarily happen overnight. The heterogeneity of the nascent market will afford some initial protection. But, as the number of people buying and using these new devices grows, and as people start to converge upon the few winning products, then we will start to see real attacks come to pass. They will impact many people and will yield real revenue and reward for the cybercriminals. Hence, the perimeter, that we as a security community have to patrol, will get bigger and that bit more complex.
The Google ‘hack’
This past week has seen a whole slew of stories and coverage on the Google-China incident. We have labelled the malware at the heart of this ‘Trojan.Hydraq’. Symantec Security Response have written a blog on this and provide a very interesting insight into the whole incident and how it came to pass. You can find the link to it here.
Is connecting to the ‘net becoming faster?
Well, according to the latest report from Akamai, yes it is. In their latest State of the Internet report, they make the claim that the ‘net is getting faster. Looking at the third quarter of 2009, the report found that most countries in the top-10 list for Internet performance saw an average 18 percent increase in speed from the second quarter. South Korea topped the list, with a 29 percent jump in speed to 14.6 megabits per second, while Ireland came in second for most improved, with a 26 percent rise to 5.3Mbps.
This is all very encouraging, if you are in the top tier of countries. However, during the third quarter, 103 of the 226 countries measured had average connection speeds below 1 Mbps. The slowest connection speed? Well, the ignominy of that particular title goes to the island of Mayotte, located in the Indian Ocean, with an average connection speed of 43Kbps; however, I am sure that given its wonderful location there are other merits.
Interestingly, the report is now going to turn its attention to mobile internet connection speeds. Akamai analysed the average connection speeds from three of the leading mobile providers within the United States. They observed speeds of circa 700 Kbps. However, there seems to have been a lot of variability between the carriers and also in what city you are in. I am sure that this rings true with many of us.
A faster internet brings with it more users and also the ability to do more things online. It also provides more opportunity for the hackers and cyber-criminals. In a shift from prior quarters, Russia and Brazil unseated the United States and China as the two largest attack traffic sources. Cyber attacks are now a global phenomenon, with Akamai observing attack traffic originating from 207 unique countries. They also noted that they believe the Conficker worm is still very active. During the third quarter, 78 percent of internet attacks observed by Akamai targeted port 445, up from 68 percent during the previous quarter. Port 445, which is used by Microsoft Directory Services, is the same port that Conficker targets, aiming to exploit a buffer overflow vulnerability in Windows and infect the targeted computer.
What is ‘private’ any longer?
The word is getting out there, not as quickly as we would want, that people need to be careful about just how much information they provide about themselves, and to whom, via social networking sites. In all the excitement of discovering the utility of a social network site, people can unwittingly compromise themselves. This is an issue for everyone, however, a lot of the focus, quite rightly, has been on kids and youngsters to keep them out of the prying eyes of on-line predators.
Zoe Kleinman has brought an interesting perspective to all of this with an article she has written on the BBC News site. In her piece she refers to research to be presented by Dr Kieron O’Hara of Southampton University, wherein he calls for people to be more aware of the impact on society of what they publish online. Privacy law is driven by a concept of a reasonable expectation of privacy. As more of our private lives have moved online, either intentionally or not, the expectation of privacy has changed. What is normal now? The bottom line is that, with more people putting ever more private information out there, we do not have the level of legal recourse that we think we have. However, we are part of the community and our actions do ultimately drive the social norm. Hence, the solution is down to us and what we ourselves do on-line.
Is there a funny side to cross site scripting?
Cross Site Scripting (or XSS) is one of the most common web-application attacks that we see today. In general, cross-site scripting refers to that hacking technique that leverages vulnerabilities in the code of a web application to allow an attacker to send malicious content to an end-user, with the possibility of collecting some type of data from the victim.
Today, websites rely heavily on complex web applications to deliver different output or content to a wide variety of users according to set preferences and specific needs. The heart of the issue is that if mistrusted content can be introduced into a dynamic page, neither the web site nor the client has enough information to recognize that this has happened and take protective actions.
The BBC have reported on an XSS attack, wherein visitors to Spain’s EU presidency website have been greeted by an image of hapless fictional character Mr Bean instead of Spain’s Socialist leader. It would appear that many people in Spain feel there is a strong physical resemblance between Mr Zapatero and Mr Bean. Now, it would appear that this XSS attack was not malicious, just a prank to poke fun.
However, XSS can be, and is, widely used for more malicious purposes. The use of XSS might compromise private information, manipulate or steal cookies, create requests that can be mistaken for those of a valid user, or execute malicious code. Any web page which passes parameters to a database can be vulnerable to this hacking technique. So, whilst this incident with Mr Zapatero is amusing, the fact remains that XSS is a pernicious and dangerous technique and really is no laughing matter.
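As an added illustration that is not part of the original post, here is the pattern the two paragraphs above describe, in JavaScript: a page fragment that drops a request parameter straight into the HTML, beside the output-encoded version, plus a simple check that counts the tags in the rendered page. The greeting template, the parameter and the constructed input (an image tag, in the spirit of the Mr Bean prank) are assumptions.

```javascript
// Added example, not code from the original post. Template and inputs are assumptions.

// Vulnerable: the untrusted parameter is concatenated straight into the markup,
// so neither the site nor the browser can tell data from page structure.
function renderGreetingUnsafe(name) {
  return `<h1>Welcome, ${name}</h1>`;
}

// Encode the characters that can change HTML structure or break out of an attribute.
// '&' must be encoded first so the entities produced below are not double-encoded.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Hardened: the untrusted parameter is rendered as text, never as markup.
function renderGreetingSafe(name) {
  return `<h1>Welcome, ${escapeHtml(name)}</h1>`;
}

// Defender-side check: count opening tags in a rendered fragment. The template
// contributes exactly one (<h1>); any extra tag came from the request parameter.
function countOpeningTags(html) {
  return (html.match(/<[a-zA-Z]/g) || []).length;
}

// Constructed input: markup that would swap in an image, as in the prank described above.
const injectedName = '<img src="mr-bean.jpg">';

console.log(renderGreetingUnsafe(injectedName), countOpeningTags(renderGreetingUnsafe(injectedName)));
console.log(renderGreetingSafe(injectedName), countOpeningTags(renderGreetingSafe(injectedName)));
```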
File scanning – a game of hide and seek?
QA (quality assurance) is a critical step in the creation of new software. It tests the code to ensure that it does what it is supposed to do. Now, for the creators of malware, one of their critical QA steps is to test their code against the leading security products, to see if it can go ‘undetected’ and therefore be successful in being executed on the target system. Brian Krebs, in his blog, has brought to our attention a new underground service that lets the malware writers check their work. There are already a few legitimate file-scanning services that have been in operation for some time. They allow users to upload a suspicious file and scan it against dozens of commercial anti-virus tools. If a scan generates any virus alerts or red flags, the report produced by the scan is shared with all of the participating anti-virus makers, so that those vendors can incorporate detection for the newly discovered malware into their products.
Now, what Brian Krebs has reported on is a new generation of file-scanning services that do not share their results or the malware with the anti-virus community. The malware authors have to pay for this service, but what it allows them to do is to quickly test and check their software against the leading security products. However, the results of these tests, and the files themselves, remain hidden. It would appear that offering a service such as this hands the advantage to the malware creators. Or does it?
The ability of the malware authors to test their files against security products has always been a dynamic in our industry. Every time we bring out a new release of our products, they move quickly to test and assess what this means for their software. They would always appear to have an advantage in this regard. However, we have always been aware that what the malware guys want to do is, in effect, to ‘fly below the radar’ of detection. What I mean by this is that they want to go unnoticed and undetected. The best way to do this is to control and limit the number and distribution of their files or binaries, so as to not attract the attention of the security community. Hence, when a file is submitted to one of the legitimate file-scanning services, it becomes known to the whole security community. This is where reputation-based security technology really comes into its own.
With this approach, we look at all new files and binaries and, when we find a new file, we assess its reputation to understand if it is to be trusted or not. In doing so, reputation-based security turns the advantage of anonymity and relatively low distribution of a file against the malware authors. It is a very powerful approach and an effective defence. We implemented reputation-based security in the Norton 2010 products. We also created a video that explains how all this works. Hence, whilst the arrival of this new generation of malicious file-scanning services is bothersome, it is not necessarily ceding the advantage to the malware authors.
Don’t do the crime if you are not prepared to do the time!
Have you ever heard of Albert Gonzalez? The chances are that you have not. However, he has now entered into infamy, having been convicted of the largest identity fraud scam in US history. You can get more details on him and the case using this link. In addition to having paid back $2.7M and offered up a condo, jewellery and cars as further restitution, he is now facing a jail sentence that could stretch to 25 years. They certainly wave a big stick in the US when it comes to internet fraud.
The interesting thing in this case was that he was able to get his hands on the 130 million credit and debit cards relatively easily. It appears he used ‘wardriving’ as his preferred modus operandi to hack into the companies he targeted. Thereafter, he used a sniffing program to grab the payment card details that were being used by the companies to transact with their customers.
What Albert Gonzalez brings into sharp focus is just how much money can be made from internet crime and the sort of lifestyle it can afford to those who participate in it. It also does bring into sharp relief the downside of this activity; when you are caught you go to jail and for a long time.
Mobile mania?
Many security experts are asked to make predictions as to the new trends and exploits to watch out for in 2010. Having read a number of these ‘predictions’, there is a consensus that one area to watch is that of ‘mobile’. The burgeoning growth in mobile apps, coupled with the explosive growth in ‘smartphones’, has all of the security experts predicting interesting times ahead.
The past holiday season allowed me to watch some television and relax, or so I thought. However, I was quite struck by ads that were run by HSBC and Lloyds banks. They were using prime time (read for that, expensive) national television to trumpet the ability to download and use their new mobile banking apps, for free. This got me thinking. It is clear that the banks want their customers to now access and use banking services from smartphones. They are spending big on advertising to build awareness of this capability, and to generally get the word out there. Accessing services from your smartphone is the way of the future. Albeit, with initiatives like this, the future has now arrived for many of us.
There is an immutable law of internet security: where you have large numbers of people and there is money involved, there quickly follow the cyber-criminals. To date, most of the malware written for ‘mobile’ devices has been ‘proof of concept’ stuff, a sort of limbering up before the main event. We will have to see what ultimately comes to pass in 2010, but it does seem that ‘mobile’ will be interesting.
Proxies pose a problem for kids
I was approached by BBC Radio 1 about a piece they were pulling together on proxy servers. The angle they were exploring was that proxies were being used by kids to defeat the blocking filters used by their Schools. The link to the story can be found here.
It is an interesting subject. Undoubtedly, kids are using proxies as a way to get to web sites that are being blocked by their Schools. It really is a game of cat-and-mouse, with the Schools struggling to keep pace with the proxies and trying to black-list them. I think it is an almost impossible task and it requires a different approach. I think there is a role for a better dialogue with the kids, in School, to better understand the sites that they really want to access. The School needs to take a view as to the educational or social worth of the sites requested. Having that dialogue, and being seen to allow sites on the basis of merit, would then act as a positive statement to all.
What the BBC Radio 1 piece also brings to the fore is that the kids are blissfully unaware that they can be putting themselves and the School in harm’s way. Many of these proxy sites are harbouring malware or potentially unwanted applications. In using the proxy, they are not aware that other things can be happening in the background. The proxy site could be a staging post for a key-logger, which could then provide the passwords and logins to the things that kids care about: social networking sites and gaming sites (with their associated credentials etc). Once the kids were made aware of this, their attitude to freely using proxies changed.
A gathering storm in the clouds?
This past week saw news that the ‘Cloud’ had fallen victim to the bot-herders. Use this link to see the coverage of it on CNET. Security researchers found that a variant of the infamous password-stealing Zeus Trojan had found its way onto a server hosted on Amazon’s Elastic Compute Cloud (EC2), which the bot-herders had used as their command and control point.
This news, I am sure, helped provoke a severe case of ‘I told you so’ from the cloud ‘nay-sayers’. However, whether the server sat in the cloud or on plain boring terra firma, the cause of the hack was not something new or revelatory. It was, in all probability, something more prosaic. A hole in a particular application may have opened the door, or other instances of Zeus could have captured log-in credentials, which were then used to access the necessary services hosted on EC2.
Either way, it requires site owners to ensure that they lock down access to the server and that they update and patch the software they use, to mitigate any vulnerabilities. The rush to cloud-based services and infrastructure is gathering pace. What this incident should remind us is that the same rules, controls and requirements need to be applied to sites hosted in the cloud as anywhere else.