Spam. Yeah, it’s up

SecurityFocus writes about the situation. We helped a small bit on this article.

Estimates of the magnitude of the increase in junk e-mail vary, but experts agree that an uncommon surge in spam is occurring. On the low side, Symantec, the owner of SecurityFocus, has found that average spam volume has increased almost 30 percent for its 35,000 clients in the last two months. Others have seen much more significant jumps: Spam black list maintainer Total Quality Management Cubed has seen a 450 percent increase in spam in two months, and the amount of spam filtered out every week by security software maker Sunbelt Software has more than tripled compared to six months ago.

Link here.

Alex Eckelberry

Google’s responsible disclosure

Google spells out their security philosophy and recognizes people and companies in the security industry.  

Google Thanks You
People and organizations with an interest in security issues have made a tremendous contribution to the quality of the online experience. We are grateful for the responsible disclosure of security vulnerabilities in our software. On behalf of our millions of users, we would like to thank the following individuals and organizations for going out of their way to improve the Google experience for everyone:

  • Alex Shipp, Messagelabs
  • Bryan Jeffries
  • Castlecops
  • H D Moore
  • Jeremiah Grossman
  • Johannes Fahrenkrug
  • Martin Straka
  • Team Cymru
  • Yahoo! Paranoids
  • Wayne Porter & Chris Boyd, FaceTime Communications
  • Alex Eckelberry, Sunbelt Software
  • Richard Forand

Seeing my company on this list is a rather pleasant surprise.  I must also recognize all the people in my company who help me in my efforts.  You know who you are, and I thank you.

And my hearty congratulations to my good friends CastleCops (Paul and Robin Laudanski), Wayne Porter, Chris Boyd (aka PaperGhost) and all the rest on Google’s list.   You rock.

Alex Eckelberry
DoTheGoogle


First review of Sunbelt’s CWSandbox

Tyler Reguly tries out the Sandbox.

Lately, I’ve been more and more interested in malware analysis… I’ve been gathering viruses I receive and watching how they operate inside VMs. Due to this interest I’ve added more blogs to my seemingly never-ending list of RSS Feeds… Today a very interesting one came across the wire. Sunbelt Software had a blog posting announcing the official launch of CWSandbox. I must say, the software looks pretty damn cool.

Blog link here.

Alex Eckelberry

In case you were wondering, there really has been a big increase in spam

I’ve seen a number of posts on a couple of different groups speculating that there has been a big increase in spam.

The answer is yes, there has been a dramatic increase.

[Chart: spam volume trend, from TQMcubed]

You can see this chart yourself at TQMcubed.

Just as a general side note, we were doing some analysis the other day, and found that about 95% of the email that Sunbelt receives is spam.  That’s a lot of junk.

Alex Eckelberry
(Thanks Jeff)

Will PatchGuard be Vista’s Maginot Line?

[Image: The Maginot Line in 1944]

“If you entrench yourself behind strong fortifications, you compel the enemy to seek a solution elsewhere.” — von Clausewitz

“Fixed fortifications are monuments to the stupidity of man.” — Patton

Before I start on one of my typical diatribes, I think it’s worthy to note that one of the problems facing the security industry is entrenched user resentment.

I see this all the time: When I write about the larger security vendors, there is almost an angry mob mentality about how they deserve it because “antivirus companies have been soaking us for years”, etc. Ok, so there may be validity to some of that entrenched resentment, but the PatchGuard issue affects all security vendors.

Yesterday, Sophos tapped into that angry mob user resentment in a brilliant PR move — after having drunk the Microsoft KoolAid from a fire hydrant, they openly embraced PatchGuard. In one fell swoop, they positioned themselves as Microsoft-friendly, happy-dancing, API-loving people. At the same time, they positioned the rest of the industry as a bunch of moronic crybabies. Beautiful.

Now, the Sophos folks are very smart both PR-wise and technically, and so one must give pause to consider their statements. However, I suggest we dig a little deeper.

It is an evolved theory of both security and warfare that one cannot create one defense that is all-encompassing. An infamous object lesson in this thinking is the French, with their Maginot Line: Created to stop a German invasion by land, the Germans merely flew over it — quite a wake-up call for the Frenchies. Now, military planners rely on flexibility as the ultimate defense.

The security industry has had several such lessons, the Code Red Worm being one of them. A network-based worm that utilized a vulnerability in Microsoft’s IIS, it never hit the disk. Instead, it ran solely in memory. A system based on file-based protection would not have been able to stop it.

The lesson? We cannot predict how malware authors will work in the future, and that is one reason why PatchGuard is such a potentially dangerous technology.

PatchGuard creates a barrier to the kernel, behind which security vendors (the major defensive bulwark for Microsoft) can’t get in to help the operating system against an attack, at least without permission through APIs.

Mikhail Penkovsky at Agnitum also points out that the API model itself opens up the kernel to attack anyway.

Why is it so risky to use KPP [PatchGuard] to provide kernel security for computers running Vista x64 rather than a third-party security solution?

Here’s an analogy. Today, every house has a different lock on its front door; in the same way, you can use any security product you want to protect your computer. Now imagine if every house in your city were required to use the exact same lock on its front door. As soon as a burglar figures out how to crack that lock, he can freely enter and steal from any house. This is what 64-bit Windows security will look like with PatchGuard.

His point is valid, because PatchGuard will get hacked in a number of ways: a) through good old-fashioned hacking (like we saw at BlackHat recently), or b) possibly even by attackers bundling themselves with a component of a product that does have access to the APIs.

But there’s another key issue: The ability of security companies to fully support the 64–bit Windows platform itself, a fact that Gartner’s Neil McDonald recently highlighted in his warning that if enterprises use HIPS technology, they should postpone deployment of Vista. After all, the APIs won’t even be available until 2008!

And it’s interesting that Neil used HIPS as an example.

HIPS (which stands for Host Intrusion Prevention System) uses methods at the kernel to prevent certain types of attacks. HIPS is part of our Kerio line and it’s also part of other products out in the market. For example, our HIPS functionality helps protect against buffer overflow attacks by watching for system functions being called from memory locations where they shouldn’t be called. As another example, our Kerio Server Firewall uses HIPS to provide application lockdown.

Sophos and Kaspersky have gone on the record that they don’t really care much about PatchGuard, but that is ostensibly because a) they don’t have HIPS or b) they are not using the kernel in such a way that PatchGuard poses a problem for them. Is this just whistling past the graveyard?

McAfee, Symantec and other companies, like Sunbelt, need this access. For Symantec, it’s around a number of technologies they’ve implemented at the kernel, including Tamper Protection, which prevents hackers from attacking Symantec products themselves. For us, it’s around HIPS, but it could also affect other technologies that we are developing.

Could we use the existing APIs to do what we need to do? Yes, and Microsoft has publicly stated that they will release APIs to PatchGuard to security developers, but a) these will not be for some time (2008) and b) if we need a new API or some enhancement to an existing API, we have to ask for it. It puts security providers in a tenuous position, waiting for possibly up to a year to get the legal APIs to fix a threat that may be in the wild. And waiting for the PatchGuard APIs will delay our ability to ship a 64–bit version of our Kerio firewall and possibly other technologies.

Getting back to the Maginot Line example, however, if some type of new threat comes out that requires a security vendor to access the kernel to protect against it, we’ll all be in trouble, and so will the customer. Because we’ll have to ask Microsoft for an API to the kernel and hope they provide it, instead of just quickly adding some extra functionality to our products by directly accessing the kernel.

Alex Eckelberry

Sunbelt Weekly TechTips

How to change the picture on the Start menu
Note: this doesn’t apply to XP computers that belong to a Windows domain. On non-domain systems, XP displays a photo on the Start menu that’s associated with the logged on user account. You can set this photo through the User Accounts applet in Control Panel, but there’s also another, faster way:

  1. Click Start to open the Start menu.
  2. Click on the picture itself. This opens the User Account settings option.
  3. Choose a new picture from the ones displayed, or click Browse to use a picture located anywhere on your computer.
  4. After you’ve changed the picture, close the User Accounts dialog box.

How to Start the Shared Folder Wizard
The XP Shared Folder Wizard lets you create one or multiple shared folders. The quickest way to start it is to click Start | Run and type shrpubw.exe.

Vista: Using check boxes to select items
It’s a small thing, but it can make a big difference to users who have to type with one hand. Now instead of holding down the CTRL key to select multiple items, you have the option of enabling checkboxes.

By default, files in Explorer don’t have the checkboxes, but it’s easy to enable them: just click Tools | Folder Options and click the View tab. Scroll down in the Advanced Settings list to “Use check boxes to select items” and select it. Now in Explorer you can just check the boxes to select multiple items without holding down CTRL.

What happened to the option to make pictures smaller?
QUESTION:
Once upon a time, when I would attach a picture to email in Outlook Express, a dialog box would pop up, offering to make them smaller. I almost always said “no” – but somewhere along the way I stopped getting asked and recently I did have some photos taken at very high resolution that I wanted to make smaller before sending. Do you know how I can get this option back? – Judy D.

ANSWER: The lack of the “make pictures smaller” dialog box usually means a DLL has become corrupted or unregistered. To fix the problem, try registering the DLL. Here’s how:

  1. Click Start | Run
  2. Type regsvr32 shimgvw.dll

Let us know if this doesn’t work.

Current folder settings are not applied to other open folders
You can set all the folders in Windows Explorer to display in the same View (List, Details, Thumbnails, etc.) as the one you have currently selected. However, if you have other folders open when you apply the setting, those folders may not get the new setting applied. For the solution, see KB article 307116.

Access Denied error message
If you try to open a folder and receive a message that says “ is not accessible. Access is denied,” it may be because the folder was created prior to upgrading to Windows XP, on an NTFS partition. Upgrading to XP changed the security ID (SID) for your user account, so that it doesn’t match the one on the folder. Luckily, if you can log on with an administrative account, you can take ownership of the folder so you can access it. For instructions on how to do so, see KB article 810881.

System Restore is suspended
If you try to start System Restore, you might get an error message that says “System Restore is suspended because there is not enough disk space available on the system drive.” This can happen even when you do have plenty of available disk space on that drive. There are two workarounds for this problem; to find out how to fix it, see KB article 299904.

TechTool: The PsTools suite of Sysinternals command-line tools is very handy on some occasions. Here is an overview of all these gems.

TechTool #2:  ShortKeys is a utility that allows you to set up replacement text or paragraphs for any given number of user defined keystrokes. A free version is available.

Deb Shinder, MVP

Making It All Illegal

Most of us have had the experience, when we saw someone do something stupid or that we thought was wrong, of shaking our heads and lamenting that “there ought to be a law.” Unfortunately, our legislators have taken our wish literally – more and more laws are being passed criminalizing every “bad” behavior, and I’m afraid that soon it’s going to be as impossible for most people to go through life without committing a crime as it is to drive a car without ever committing a traffic violation.

This came to mind yesterday when I was filling out a form on the web. You know, the ones that you have to complete in order to access some sites? I never give my correct address and phone number in those forms; who knows who’ll have access to that information? In many cases, the lists are sold to spammers – er, sorry: to advertisers. Another piece of info I don’t give out casually is my date of birth, since that’s prime information for identity thieves.

But as I typed in my fake info, I wondered whether someday in the near future it will be illegal to lie on web forms. Sound silly? I’m not so sure. Lying is becoming a crime in more and more circumstances, in more and more jurisdictions. It used to be that the only time you could go to jail for telling untruths was when you committed perjury (lying under oath) or engaged in a blatant con game. Now we have laws making it illegal to lie in all sorts of situations, from applying for a loan to applying for a job. Some states have outlawed claiming to have a diploma or degree you don’t have. Does that mean the office manager who pretends to be a doctor when he’s coming on to some lady in a bar can go to jail for it? Maybe, depending on how the law is written.

Now I’m not advocating dishonesty. Telling a lie usually results in way more trouble than it’s worth and in most cases it’s ethically wrong (although in some cases, brutal honesty can be ethically questionable, too). But this trend toward making it a criminal offense worries me. Not everything that’s unethical or immoral should result in jail time. If you lie on your resume, your employer should be able to fire you. If you lie to your spouse too many times, he/she might (and probably should) leave you. If you lie on your credit card application, you ought to get the card yanked and your credit record affected. Heck, all of the above wronged parties should be able to sue you for compensation if they want. But should you be imprisoned for it?

As a former cop, I don’t really think most police officers want to be in the business of rounding up all the folks who fudged a little about their former job titles or salaries or education. With serial killers, terrorists and child predators out there on the loose, I don’t think government resources are best spent tracking down liars.

And it’s not just the possibility of being taken downtown for giving a false phone number on a Web form that I’m worried about. This propensity to make everything illegal goes way beyond the bans on lying. We are increasingly turning to the criminal laws to punish every undesirable behavior. Smoking is illegal in more and more places; it’s only a matter of time before it’s banned outright and mere possession is made a crime. I hate cigarettes and don’t allow them in my house or car – but I also hate the thought of the government putting nicotine addicts in jail. We’ve seen how well that works with those addicted to “harder” substances.

Having done a miserable job of waging the war on drugs, health advocates are now ramping up to declare war on “bad” food. They point to obesity statistics as justification and are already seeking to make fast food illegal. What’s the next step? Raiding grandma’s kitchen if she dares whip up a batch of evil fried hushpuppies for the grandkids?

What does all this have to do with technology? Computers and the Internet are prime fodder for our over-zealous lawmakers, and it’s probably just a matter of time before this micro-management of our lives spreads further into the electronic frontier. Just last week, reports came out that FBI director Robert Mueller wants ISPs, social networks and search engines to log and store records of users’ IP addresses for up to two years, and another proposal would require providers to record the identities of email correspondents, IM users and addresses of web pages visited. Of course, you can still use web browsers that encrypt the addresses of users and online sites – but will legislators soon make it illegal to use such technologies based on the theory that they can be used by terrorists and child predators? Given the trends in modern lawmaking, I’d say it’s not just possible but probable.

What do you think? Is our society becoming over legislated to the point where the government will make criminals of us all? Should the government stay out of issues like lying to private parties (such as an employer) and let it be handled administratively or civilly?

Are you in favor of laws protecting people from themselves (such as bans on smoking in your own home or eating food that’s not healthy) or do you think it’s justified on the basis of health care costs for which society often must pick up the tab? Twenty years from now, will we still be able to surf the ‘net freely, or will we be required to get a license and register every site we visit with the government? What other changes to the laws (for good or bad) do you foresee in the near future?

Tell us your opinions.

Deb Shinder, MVP 

Sunbelt CWSandbox announced at InfoSec

Our new sandbox technology was officially announced this morning at the Infosec conference in New York.

Sunbelt Software today announced the availability of Sunbelt CWSandbox, a powerful tool for the automatic analysis of malware samples. The technology was originally developed by noted security expert Carsten Willems while at the University of Mannheim and is under exclusive license to Sunbelt Software.

CWSandbox provides technology providers and corporations the ability to rapidly analyze malware for a number of different purposes — security research, creation of new signatures, forensic/criminal analysis and improved threat protection. Malware samples submitted to the sandbox are executed in a controlled environment, with a comprehensive analysis provided of the malware’s execution in XML, HTML or text format.

How CWSandbox Works
Using a comprehensive automated system, CWSandbox uses unique technology to execute malware in a controlled environment for behavior analysis. The application provides fast analysis of large volumes of malware samples in a short period of time, capable of automatic collection of malware from different inputs including Nepenthes (a tool for automated collection of autonomous spreading malware), a web server/interface, or a directory.

The CWSandbox is an awesome tool for malware analysis.   Submit a piece of malware, and you’ll get a detailed report back as to what the malware is actually doing.  In addition, the sandbox will also run the malware through several different AV engines to give you a feel as to what the in-the-wild detection is.

Link here.

Try the sandbox out yourself — go to www.sunbeltsandbox.com and submit a malware sample.

Our business model for the sandbox is simple: Anyone can freely use our public sandbox for malware analysis.  If commercial entities want to bring the power of the sandbox in-house, they can purchase a reasonably priced license.  Entities involved in pure research (e.g. no commercial intent) can license the sandbox at no-charge.  More information can be had by contacting a specialist.

Alex Eckelberry

FutureSoft incorporates CounterSpy SDK

File under shameless self promotion.

FutureSoft®, Inc., the Houston-based Endpoint Security solution provider, today announced the release of their latest and most powerful version of DynaComm i:scan®. Version 6.5 of DynaComm i:scan addresses such critical endpoint security issues as distributed anti-spyware protection, USB security management, and application and desktop lockdown.

This new release builds on the centrally managed solution by incorporating new anti-spyware day-zero protection to secure critical operating systems resources that are typically targeted during the first hours of a new spyware infection. In addition to the enhanced day-zero protection, this newest release includes an anti-spyware scanning and cleaning engine licensed from award-winning security developer Sunbelt Software.

Link here.

Alex Eckelberry

New Messaging Security Practices Report

Aberdeen Group’s Information Security practice recently published a new research report “The 2006 Messaging Security Benchmark Report: Strategies for Securing Corporate Communications.” Sunbelt Software co-sponsored this research, which is now available to you at no cost.

Feel free to take a moment and download this report. It focuses on messaging security trends in today’s IT market, and finds that while 80% of companies are aware of the threat of loss of confidential data by insiders, only 43% have implemented messaging security solutions that will stop that outbound threat. Link here.

The hunt for n3td3v

n3td3v (leetspeak for “net-dev”) is a person or persons who has had a history of posting some fairly obnoxious stuff on Full Disclosure.

Dr. Neal Krawetz of Hacker Factor decided to figure out who this person(s) was, and has written an extensive analysis of his effort.  It’s fun sleuthing, and the result is he believes that n3td3v is likely the same person(s) behind Gobbles Security, who had posted similarly obnoxious (but quite interesting exploits) messages on technical forums.

In three minutes, writing samples from n3td3v were collected. Two minutes later, it was determined that n3td3v was not a “he” but a “they”: at least three distinct individuals, two males (one European) and a female. Another researcher (Jim McCown) mentioned that the trolling reminded him of the postings made by Gobbles Security. Dr. Krawetz had met the primary members of Gobbles Security many years ago and knew that they consisted of three people: two males (one is Eastern European) and a female. This document shows techniques used to identify writing characteristics and concludes that the core people behind Gobbles Security are strong contenders for being the people behind n3td3v.

Link here.

Alex Eckelberry

Update: SecurityFocus has more on this here, which sheds some doubt on Krawetz’s findings, but it’s all part of the sleuthing fun.

Phishing clusters


InternetPerils has an interesting animated gif that shows a “cluster” of phishers.

A phishing message arrives in your mailbox, pretending to be from a bank, or from an etailer such as eBay or Paypal. It directs you to a web page and asks you to enter your password or social security number to verify your identity, but the web page is not one actually associated with the bank; it’s on some other server.

InternetPerils has discovered that those phishing servers cluster, infesting ISPs at the same locations for weeks or months.

Here’s an example of a phishing cluster in Germany, ever-changing yet persistent for four months, according to path data collected and processed by InternetPerils, using phishing server addresses from the Anti-Phishing Working Group (APWG) repository.

Link here.

Alex Eckelberry
(Thanks Bill)


Walmart gets slammed for sneaky blogging…but this is only the tip of the iceberg


(Edelman’s strategy diagram)

There are revelations coming out that mega PR firm Edelman created three “independent” blogs for WalMart (called “flogs”). The first one that was outed was “Wal-Marting Across America”, a travelogue of a couple of RVers that was found out to be paid Edelman staffers. Now, MediaPost reports that two more blogs, PaidCritics and a blog run off of Working Families for Walmart, were also manufactured blogs.

As Mya Frazier writes in Ad Age (link here via Walmartwatch), “It’s ironic that Edelman Worldwide helped to write the Word of Mouth Marketing Association’s code of ethics, which states: “Honesty of identity: You never obscure your identity.”

Oh yeah, that’s ironic. Especially coming from a PR agency.

Edelman got tricky and got caught with their hands in the cookie jar.  Will this make a difference for WalMart’s brand?  Hell no.  WalMart is virulently hated by a minority of people, tolerated by a larger group and loved by RVers and shoppers (ostensibly those who are at or below the median income line,  where every penny counts).  

But PR agencies have been playing games like this for a long, long time — with an explosion around the turn of the century. Smarmy PR types have used deceptive means to craft public opinion for as long as there has been a press, except that over the last 100 years it’s evolved into a fine science of sleaze. There’s the obvious ones, like global warming — it’s “unproven” and “junk science” — the very words implanted through repetition in the American public, originally through oil company funding of The Global Climate Coalition and now by groups such as the Competitive Enterprise Institute and Frontiers of Freedom (please, I’m not making a political statement). And then there’s the not-so-obvious ones, like the drumbeat of the Committee on Public Information, which crafted US opinion on World War I; and in technology, McAfee’s predictions of worldwide apocalyptic chaos from the Michelangelo virus – an act which transformed the antivirus industry from a largely shareware model into a real business.

Covert control of public opinion has been the hallmark of 20th century PR, and it hasn’t served us well at all. It’s just that now, with the ease of transparency on the Internet, it’s much easier for them to get caught. But it’s still there and quite a part of our society. The pharmaceutical industry is built on PR (how many “syndromes” and diseases can you actually make up to sell more drugs?), as are many other industries. How many “thinktanks”, “grass-roots” organizations and “independent studies” are the work of PR agencies? Some are obvious, like Hands Off the Internet (with their silly video), which has a clearly disclosed membership roster. But most are not-so-obvious.

Question “facts” until you’ve verified them yourself, question authority and always be skeptical of anything you read in the paper or on television until you’ve checked it for validity. You’d be surprised as to how many times there’s a crafty PR person behind popular “opinions”. Our only weapon against it is our own intelligence and our willingness to go against the tide.

And read the client lists or practice specialities of the big PR agencies — Edelman, Hill and Knowlton and others.

Alex Eckelberry

Judge won’t try to force Spamhaus off the radar

On the ongoing saga of Spamhaus vs. David Linhardt, life is a bit better.

From SecuriTeam:

The proposed order is limited to only the first remedy, suspension of the domain name by The Internet Corporation for Assigned Names and Numbers (“ICANN”), the entity responsible for coordinating unique identifiers used for Internet communication, or Tucows, Inc., the registrar through which Spamhaus obtained its domain name. Neither of these outfits are parties to this case. Though more circumscribed than the preceding request, this relief is still too broad to be warranted in this case. First, there has been no indication that ICANN or Tucows are not independent entities, thus preventing a conclusion that either is acting in concert with Spamhaus to such a level that they could be brought within the ambit of Fed. R. Civ. P. 65(d). Though our ability to enforce an injunction is not necessarily coterminous with the rule, the limitations on its scope inform an exercise of our power to address contempt. See, e.g., Rockwell Graphic Systems, Inc. v. DEV Industries, Inc., 91 F.3d 914, 920 (7th Cir. 1996). Second, the suspension would cut off all lawful online activities of Spamhaus via its existing domain name, not just those that are in contravention of this court’s order. While we will not condone or tolerate noncompliance with a valid order of this court, neither will we impose a sanction that does not correspond to the gravity of the offending conduct.

Link here.


Privacy guidelines for software and services

Microsoft has released a set of privacy guidelines for developers.

Failing to protect customer privacy can lead to an erosion of trust. Over the last several years, Microsoft has established extensive internal guidelines for developers that help them protect customer privacy, give them a view into customer expectations and global privacy laws, and document the hard lessons we’ve learned. These guidelines have been ingrained in our development process and are now incorporated into the Security Development Lifecycle (SDL). The impact has been felt across Microsoft’s products and services.

In response to requests from customers, partners, ISVs, educators, advocates, and regulators, we created a public set of privacy guidelines for developing software products and services. These guidelines are based on our internal guidelines and our experience incorporating privacy into the development process. By documenting our principles, we hope to help anyone building products and services to meet customer expectations and deliver a more trustworthy experience.

As the threat landscape escalates, customers are feeling less able to control access to their personal information, so consumer trust is waning. As an industry, we need to set a high bar for respecting customer privacy, to help build greater trust in the Internet and e-commerce. We want to foster an open dialogue with others in the industry so we can build a common set of privacy best practices to help meet our privacy obligations and increase customer trust. We are pleased to offer our guidelines as a starting point to accelerate this effort.

Link here via BeSpacific.