Camera:
Nikon D70s
Exposure:
0.001 sec (1/1600)
Aperture:
f/5.6
Focal Length:
48 mm
Exposure:
0.00
ISO Speed:
400
Camera:
Nikon D70s
Exposure:
0.001 sec (1/1600)
Aperture:
f/5.6
Focal Length:
48 mm
Exposure:
0.00
ISO Speed:
400
Congratulations to the winners of the Social Security Awards at the Security Bloggers Meetup. The winners are:
Huge thanks to Rich Mogul, Martin McKeay, Jennifer Leggio, Sonya Caprio, Alan Shimel and Jeanne Friedman for putting in many hours to make the event happen.
A sampling of my recent press coverage.
Cloud Implementation, Part 1: Planning for Success
CRM Buyer - Apr 3, 2009
Grid spyware: Deregulation bites us again
ZDNet - Apr 8, 2009
Microsoft patches serious Excel zero-day, Windows flaws
SearchSecurity.com - Apr 14, 2009
Microsoft patches 'insane' number of bugs
ARNnet - Apr 14, 2009
Round and round we go. Should be a good week at RSA.
The looming mobile malware threat of the past decade has yet to materialize. The reason for its lack of fruition, according to scientists, is due to geography and the lack of a dominant market shareholder. However well done the math, the scientific study is flawed nonetheless. “Understanding the Spreading Patterns of Mobile Phone Viruses” a new paper by 4 scientists fails take into account modern malware trends and operational knowledge of security vendors like those of antivirus companies.
Mitigation and countermeasures to risk is a common parlay for business decisions. In this study, the scientists declare that antivirus vendors will have ample time to deliver antivirus protections due to the slow speed of Bluetooth viruses. Unfortunately, the paper fails to take into account the business operations of antivirus vendors. AV vendors also perform their own risk analysis in order to determine priority for signature writers. Slower moving viruses or any virus with less perceived risk will go second to high-risk threats. In addition, the way vendors become aware of threats are typically in two methods – customer reports and Internet monitoring systems. To best of my knowledge, AV vendors aren’t walking the streets in major metro areas with smartphone in hand scooping up Bluetooth traffic in hopes of finding a virus. More than likely, by the time an AV vendor got wind of a Bluetooth virus, it will already have been spreading for days or perhaps weeks.
The work declares that market share, m, can be declared as a free parameter simply because malware only works on the operating system for which it was designed.
"A cell phone virus can infect only the phones with the operating system (OS) it was designed for (2, 3), making the market share m of an OS an important free parameter in our study."
The accuracy of this statement is correct, but fails to take into account current trends of malware. A virus is typically written for a specific architecture and operating system. It cannot magically morph into a self-aware entity, which can now infect every operating system. By somehow implying such silliness as a method to declare m as a free floating and utmost important variable is itself flawed. Nonetheless, the more important trend failed to be recognized is that malware more often targets applications and not operating systems. The truth of the matter is that most breaches in the last 5 years attack applications, not operating systems. Recent to 2009 are the Adobe vulnerabilities that affected Windows, Mac and Unix systems. Browsers, the ubiquitous tool of the computer today, are cross platform affected. Firefox, for example, commonly requires updates to both Mac and Windows. Apple, which produces personal computer software and one of the most popular smart phones, also commonly finds itself updating software for vulnerabilities on Windows, Mac and the iPhone. So much of the study relies on market share to be a variable; unfortunately, market share is such a small piece of reality.
The paper does acknowledge that MMS based viruses can spread much quicker than Bluetooth, but again places a strong foundation on operating specific threats. No creativity is imposed to suppose that a crafty virus writer could implant payloads for multiple operating systems. Or why couldn’t the virus be written in architecture neutral language such as Java that compiles to byte code? Nearly every smartphone on the market today supports Java. If the paper is found to be correct in this regards, then simply writing a Java based virus will turn the math completely upside down.
To further argue against this paper, we cannot overlook the fact that these devices are now equipped with Wifi, can hold up a VPN back to the corporate office and have wired USB connections. Any slow spreading downplay of the Bluetooth connection are immediately surpassed by the distance and speed of wifi. The potential adjacency spread of malware given the devices numerous connection types easily outpaces and diminishes any compensating declinations due to single operating system virus supposition.
We have to thank these scientists for their hard work and excellent study. However, I must disagree with their conclusions that market share and geography alone are reasons enough why we haven’t yet seen the major mobile virus outbreak soon to come.
A work buddy made this nice beer.
A recap of selected articles where I was quoted in recent days.
Bill to centralize cybersecurity
Sometimes the scariest things are the ones out in plain view.
Last week of the quarter is just around the corner.
Careful what you reach for, it might bite back.
Camera:
Nikon D70s
Exposure:
0.017 sec (1/60)
Aperture:
f/5.0
Focal Length:
55 mm
Exposure:
0.00
ISO Speed:
400
Exposure Bias:
0 EV
Flash:
No Flash
According to a computerworld article and a statement by Heartland, competitors of the now PCI-delisted payment processor are using the breach as means to lure their customers. Competitors are apparently suggesting that doing business with Heartland will result in fines from Visa. That part is not true. Visa has publicly stated that no fines will be levied against Heartland’s customers. However, would you continue to trust Heartland, its auditor and the PCI compliance standard to do their jobs in protecting your information?
Without casting doubt on Heartland, this is a case where past performances may be sings of future returns. Heartland continues to stay on message that they will be re-certified by May. It’s also unclear if Trustwave, their prior PCI auditor, will be the ones re-certifying them. The biggest question of all: when will they come entirely clean with their incident findings and how can they regain our trust?
In any economy it’s a natural force of doing business to use your competitor’s weaknesses against them. Despite assurances from Visa and Gartner, you can bet that Heartland’s customers are thinking seriously about switching processors. If I had any say into what goes on at Heartland, I’d suggest a few moves to help regain customer confidence:
In the end, lets all hope that this breach will be a learning event for Heartland and all businesses.
Sometimes all your corners look squared up. Upon second look, things are not as they seem.
Speaking of recursion, on Friday night I attended the LongNow talk with Daniel Everett. "The Pirahã, a remote Amazonian tribe with little outside contact, have attracted the attention of mainstream media, scientists, zen buddhists, professors of religion, mathematicians, philosophers and others because of their unusual confluence of values, language, and culture."
Part of the synopsis by Stewart Brand:
For most of today, Twitter seemed to have been sporting the "Fail Whale" of over capacity. However, more interesting was the Guy Kawasaki twitter stream. At about 3pm Pacific, users starting seeing some strange tweets.
"How am I in gk's account?"
"I am the all powerful guykawasaki coming to you live via adjix"
"wtg @sswayze ! you're right #friedchicken is the biz. shouts to @kfc_col , @knownhuman, @froggie775 and the rest of the #friedchicken crew."
"http://adjix.com/hhk5
Ad: Free $25 Starbucks Card! http://is.gd/nK6d"
"now that I have
your attention, it would be super if you could help us all trend
#friedchicken it's time has come friedchicken.alltop.com"
By all regards, something unplanned happened or is happening. Clicking one of those short URLs takes you to a blog posting by Mack Collier. Mr Collier even received a comment on his posting, "Have you hacked into Guy Kawasaki's Twitter account? If not you,
somebody who likes you has - multiple links to this post today ??"
A look at
Guy's twitter page confirmed that the suspicious tweets were from a different twitter
client called "Adjix" whereas his normal tweets historically come from
TweetDeck.
Twitter already has a shady history of security issues including an administrator account breach back in January. We will have to wait and see what happens. Until then, most users are just enjoying the Fail Whale.
UPDATE:
According to gawker.com, his account was indeed "hacked" after Kawaski accidentally broadcasted his twitter credentials at Adjix:
Yes, he told me, when I reached him at an airport, his account had been hacked, but it was probably his fault. "I was using a new service called Adjix, and I did something too fast," he told me. "I can't explain it." Sort of like Twitter.
Kawasaki then suggested I speculate that he faked the hacking to get more attention. He added that he loved the hacker's tweets about fried chicken, and would gladly add it as a topic to his website Alltop.com. See? Everything on Twitter ends up being about self-promotion.
Adjix president Joe Moreno, in an email, said that Kawasaki mistakenly broadcast his login credentials over the service, allowing a hacker to take control of his account.
Original Post:
. Add info from Gawker.com
Wake me up when the iPhone OS version 3 demo-thing is done. What happens when you release the most disruptive hand held technology? Well, you have to continue to outdo yourself time and time again. Apple’s preview today was a snooze. Lets review the biggest new features.
Pushed content
This is actually as a result of the iPhone’s inability to run background apps. Ever notice that when you exit Safari and to go read email, that the website doesn’t keep loading in the background? Or how IM clients are web based and must be in the foreground. Apple says that "pushed content" will fix that and provide a new medium for developers.
In-app purchases
You can now purchase content or add-ons from within an application. Great idea. "The first one is free."
P2P blue tooth
Great feature in a gaming device, a bit worrisome in an enterprise-level mobile platform. Just what we need is yet another network-aware vector for attack. Lets hope they did this one securely. I can just imagine a new bread of blue tooth sniper rifles at DefCon.
Copy and Paste
Seriously enough, I have to believe that this one did take a while due to security concerns. With attacks like ClickJacking and untrusted web content, who knows what kind of data is going to be selected and copied into a clipboard. More than likely, that clipboard is part of the underlying "off limits" operating system. This could be new interesting attack vector. Though, you would think that a feature that goes back to at least the 1980's would be more standard by now.
Whats Missing
A recap of selected articles where I was quoted in recent days.
Adobe issues critical PDF reader patch
As if IT security teams didn't have enough to worry about today, Adobe released a patch for their high profile zero day vulnerability in Adobe reader and Acrobat. Patches for versions 7 and 8 of their software aren't available yet.
The story on this exploit started on Feb. 19th when ShadowServer posted information on a "0-date on the loose" and referenced a Symantec AV update from February 12th, indicating that the attack had already been in the wild.
Adding to today's confusion, US-CERT is now recognizing new attack vectors for the Adobe JBIG2 vulnerability.
Throughout this entire process Adobe has been slow to communicate and provide
useful information for security managers. Even with the onslaught of critical press and jabs from the security community, Adobe was late to acknowledge the vulnerability and later yet in releasing remediation steps.
Initially they promised a patch by March 11th, so most security teams have been holding their breath and sitting with white knuckles over the last few weeks while the bug received more attention.
Other teams started migration to the alternative, FoxIt. In a moment of irony, FoxIt was
also found to be vulnerable to same bug.
I joked just this morning that all I needed to ruin my day was for Adobe to release their patch.
Having the patch early is a huge benefit, but releasing it on the same day as Microsoft's planned March patch spells disaster for enterprise resource planning, and it still leaves Adobe with a black eye for lack of communication.
Just got back from Yosemite. Here is a frame from my blackberry camera.
This week is going to be busy.
Monday: Internal security training
Tuesday: Microsoft reboot
Wednesday: Expected Adobe reader patch for the 0day issue.