Archive for June, 2008

Malware: Getting out of Control

Early this year I predicted that a proliferation of rootkits would occur. I was short-sighted in that prediction: I missed the bigger issue, the spread of malware itself. Although rootkits are the most serious threat in the malware arena, they are only one of many types of malware. Furthermore, rootkits typically set up back-door access and often incorporate keystroke or tty sniffing, functions that are also frequently built into other types of malware.

Several weeks ago I noticed a news item stating that the number of sites infected with malware (and thus capable of spreading it to the computers that connect to them) had increased by 300 percent over the previous year. These statistics are poignant evidence of the accelerating growth of malware. Interestingly, of the 213,000 sites found to be compromised, over half were in the People's Republic of China. Incredibly, just ten networks around the world host almost half of all sites that inject malware into computing systems. Read more…


Security Gone Awry

A very good friend of mine of many years just lost his job. He was a deputy program manager with a very large corporation that has a well-advertised computer usage policy prohibiting non-business-related files on any of the corporation's computers. My friend was on vacation for a while, and during this period he copied several attachments a family member had sent him onto his USB storage device. When he went back to work several weeks later, having forgotten what was on the device, he used it to make a "sneakernet" file transfer from his computer to another. This corporation has implemented a mechanism such that the instant a computer connects to its network, all files in that computer's file system are backed up. Unfortunately for my friend, the USB storage device still held the files his family member had sent him, so these files were backed up too. Soon thereafter someone identified them as non-business-related, triggering a swift termination procedure for my friend. Read more…


Virtualization and Security – Part 2

In my last blog posting, I asserted that from a security point of view virtualization is very much a two-edged sword. Nothing supports this assertion more than the Blue Pill rootkit developed by security researcher Joanna Rutkowska: a rootkit she describes as 100 percent undetectable, presented together with a technique that circumvents Vista's integrity check against loading unsigned code into the kernel. Blue Pill uses AMD's Secure Virtual Machine (SVM) hardware virtualization extensions, a feature designed in part to boost security, to slip the running operating system under a thin hypervisor and hide itself there. In short, something that was intended to elevate security can be subverted to cause security nightmares. Read more…


Virtualization and Security – Part 1*

Virtualization is a major trend in the IT arena. There are many reasons to use virtualization, including consolidation of computing resources, dynamic load balancing, failover capabilities, ability to perform maintenance without downtime, ability to pool computing resources, ability to use custom virtual machines (VMs) as a container for application delivery, and much more. Virtualization will be a major part of computing for a very long time.

Virtualization's benefits go far beyond efficiency, functionality and continuity, however: it also offers much for information security. VMs can be used to isolate processes from attackers and malware, making systems and applications more difficult to attack or infect successfully. User access to applications can be tightly controlled, since virtualization allows special-purpose applications to be isolated from end-user applications, making unauthorized access to the former very difficult. Even if a system or application running in a virtualized environment is successfully attacked, the impact is usually attenuated, confined to the affected VM for as long as the hypervisor boundary holds. The ability of an attack (particularly a malware-based infection) to spread is thereby reduced. Read more…


More on the Latest Cyberattacks

Just when it seemed as if all were quiet on the Western front, Jeanie Larson, the Department of Energy's (DOE's) program manager for incident response, shattered the silence during her presentation at the recent Government Forum of Incident Response and Security Teams (GFIRST) conference. In a nutshell, Jeanie said that although fewer attacks against US government networks are occurring, the state of security is by no means better. Instead, attackers are choosing their targets more carefully, usually focusing on a few government employees and contractors whom the perpetrators believe hold information of high value to them, then using various methods (email, malicious Web sites, and more) to infect their computers with malware that captures all input and output. The targets are chosen through extensive reconnaissance and intelligence collection that often lasts for months before an attack is ever carried out. Much of the malware hides itself very carefully once loaded onto a victim system, and then deletes itself when the attack is finished. Perimeter security is ineffective in countering these threats. Cooperation and information sharing among government agencies are vital in dealing with them, but neither is happening. The full story is at Read more…


Strategies for Dealing with Latest Cyberattacks: The Need to Reinvent the Wheel

If you regularly read security-related news, you have undoubtedly seen items about the growing number of targeted attacks against sensitive US government and commercial computing systems. Although the attack methods have varied widely, many have involved sending malicious attachments to particular US government or private-sector employees which, if opened, implant malicious code on the system of the unsuspecting targeted individual. Now in control of the infected system, the malicious code covertly notifies the attacker that it has taken hold. The attacker follows up by gaining back-door access to the infected system with full privileges, without leaving any indication of the activity whatsoever. The only real common denominator is that systems keep getting broken into time after time. Read more…


A Tribute to Don Evans

Many information security professionals have done much good for the information security profession, so many that to single them out would take forever. Some have done so much, however, that they deserve special recognition. Don Evans of the United Space Alliance is one such individual. Don retired on June 5, 2008. Unfortunately, I was not able to attend his retirement ceremony, but I would imagine that there were not many dry eyes among the attendees when all the nice things about him were being said. Don is above all else one of the finest human beings I have ever known. He is a living embodiment of kindness, graciousness, honesty, fairness, unselfishness, and personal maturity, a true model for others to follow. Read more…


Issues Concerning System Auditing

About 25 years ago, when I started working in the information security arena, one of the first issues that caught my attention was a debate over whether system auditing was necessary. Advocates argued that enabling system auditing was essential for security: without it, unauthorized activity was almost impossible to detect. Detractors argued that nobody looked at the audit log data anyway and, worse yet, that enabling system auditing consumed a large amount of system resources as well as disk space.

Twenty-five years later, many things have changed considerably. Whereas 25 years ago intrusion detection systems (IDSs) were in their infancy and intrusion prevention systems (IPSs) were unheard of, today both are deployed in a significant percentage of information security practices in medium and large businesses and organizations. Additionally, an abundance of network security monitoring tools and utilities now exists. Furthermore, one of the first things intruders typically do to mask their activities is to disable system auditing and/or erase the existing audit logs. Frankly speaking, one of the least trustworthy pieces of evidence from a potentially compromised system is its audit log data. So the issue very much persists: should system auditing be enabled? Read more…
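One answer a practitioner would give to the "least trustworthy evidence" objection is to make the audit trail tamper-evident and anchor it off the host. The following is an added example written for this page, not code from the post or from any audit tool: it hash-chains a few constructed sample records (the record text, timestamps and host names are made up) and checks the on-disk copy against the final tag a remote log collector would have stored, so that a scrubbed, truncated or edited log is caught even when the intruder had root on the host.

```python
import hashlib
import hmac

# Constructed sample audit records; they are not taken from any real system.
# The third and fourth lines model the scenario in the post: the intruder
# turns auditing off, and the daemon logs that fact just before going silent.
SAMPLE_RECORDS = [
    "2008-06-10T09:14:02Z sshd[2211]: Accepted publickey for alice from 10.0.0.5",
    "2008-06-10T09:14:05Z sudo: alice : TTY=pts/0 ; COMMAND=/bin/bash",
    "2008-06-10T09:15:30Z sudo: alice : TTY=pts/0 ; COMMAND=/sbin/auditctl -e 0",
    "2008-06-10T09:15:31Z auditd[1042]: audit logging disabled",
]

GENESIS = "0" * 64  # fixed starting digest, so the first tag is well defined


def chain_tags(records):
    """Compute tag_i = SHA-256(tag_{i-1} || record_i) for every record.

    Each tag commits to the whole prefix of the log, so altering, removing or
    reordering any earlier record changes every tag that follows it.
    """
    tags = []
    prev = GENESIS
    for rec in records:
        h = hashlib.sha256()
        h.update(bytes.fromhex(prev))
        h.update(rec.encode("utf-8"))
        prev = h.hexdigest()
        tags.append(prev)
    return tags


def final_tag(records):
    """The tag a host would ship to the remote collector after each batch."""
    tags = chain_tags(records)
    return tags[-1] if tags else GENESIS


def verify_against_anchor(records, anchor):
    """True iff the records on disk still reproduce the collector's anchor tag."""
    return hmac.compare_digest(final_tag(records), anchor)


def first_divergence(records, trusted_tags):
    """Index of the first record whose tag differs from the collector's copy.

    Returns None when the local log matches the trusted tags exactly. When the
    local log is shorter (tail erased) or longer (records appended after the
    anchor was taken), the index of the first missing or extra record is returned.
    """
    local = chain_tags(records)
    for i, (mine, theirs) in enumerate(zip(local, trusted_tags)):
        if mine != theirs:
            return i
    if len(local) != len(trusted_tags):
        return min(len(local), len(trusted_tags))
    return None


if __name__ == "__main__":
    trusted = chain_tags(SAMPLE_RECORDS)  # what the collector stored as records arrived
    anchor = trusted[-1]

    # Intruder deletes the line recording that auditing was disabled.
    scrubbed = SAMPLE_RECORDS[:2] + SAMPLE_RECORDS[3:]
    print("scrubbed log verifies:", verify_against_anchor(scrubbed, anchor))
    print("first divergent record:", first_divergence(scrubbed, trusted))

    # Intruder truncates the log after the sudo line.
    truncated = SAMPLE_RECORDS[:3]
    print("truncated log verifies:", verify_against_anchor(truncated, anchor))
    print("first divergent record:", first_divergence(truncated, trusted))
```

The chain on the host proves nothing by itself: an intruder with root can simply recompute it after editing the log. What makes the check meaningful is that each tag is sent to the collector as the record is written, so the attacker would have to rewrite history on a machine they do not control. The same idea is why forwarding audit records off-host in real time, rather than batching them nightly, is the usual answer to the "intruders just erase the logs" objection.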


Interpreting Information Security Research Results

An abundance of information security research is performed every year. Surveys that measure the foci and activities of information security practices, the funding allocated to IT security, the types of security controls in use, attitudes concerning compliance, the number and types of incidents that have occurred, and the amount of incident-related financial loss are just a few of the many that are taken. Large organizations such as the Computer Security Institute and ISACA, and corporations such as the Big Four accounting firms, are particularly likely to conduct these surveys. No matter what the year, the results generally indicate that funding and staffing are never sufficient, that senior management is prone to overlook information security-related risk, that the cost of security breaches is growing, and that certain types of security-related technology are used more widely than others. Read more…



Last year I spoke at 28 different conferences, and as things currently stand, by the end of this year I will have spoken at even more. When I speak at a conference, I generally spend a good amount of time doing social networking, but I also carefully look through the agenda for talks that might be of interest and value to me. I have listened to a few talks on cyberterrorism at several conferences I have attended recently. Despite the fact that those who presented these talks had obviously spent a good deal of time and effort in creating their vugraphs, I must admit that I was disappointed with their content. As I think back on what troubled me, however, I think that my problem is really with the concept of “cyberterrorism” more than anything else. Any kind of terrorism, no matter what its source is, implies an attempt to wreak fear and havoc among people because of the potential for an impending, disastrous event to occur. Frankly speaking, misusing computers does not have nearly the potential for instilling fear in people as do bombs, automatic weapons, and hijacked planes crashing into skyscrapers. Read more…
