Meaningless Malware Counting? - July 25, 2008
If you were to scroll a little further down your favorite technology news site this week (somewhere below all the DNS and iPhone news/spam) you’ll likely see some snippets from the latest batch of half-year vendor-sponsored security reports. One particular statistic struck me as worth a closer examination… “It is estimated that the total number of unique malware samples in existence now exceeds 11 million…” according to Sophos.

Cyberspying - July 18, 2008
Should you be worried about cyberspying as you travel the globe? A recent article in the Wall Street Journal – “U.S. Fears Threat of Cyberspying at Olympics” – discusses the dangers posed by Chinese hacking groups to travelers heading over for the Beijing Olympics, and in particular whether (and how) the U.S. government should publicly warn businesspeople and travelers of the threat.

Strategic Security – Cloud-based MSS - July 14, 2008
Last month I covered how I’m expecting protection technologies to increasingly become embedded deeper into the applications and platforms we rely upon – rather than the way in which security currently encases (or should that be ‘entombs’?) those very same applications. Today I’m going to cover how the third-party management of perimeter security devices will likely change over the next few years.

Trojans on the up - July 07, 2008
While I think it’s important for security professionals to read these types of reports when they come out, it’s also very important to compare those findings with what other vendors are saying and what you’re actually observing on your own networks (or the networks and environments of the customers you work with) – and not to take any figures as gospel.

637 million Excuses Posted - July 02, 2008
It’s been a couple of days since the release of the paper “Understanding the Web browser threat” and it’s been interesting watching the public reception. Along the way there have been a few questions raised and observations made, and I thought I’d take this time to offer my thoughts on some of them.

637 million Users Vulnerable to Attack - July 01, 2008
You can sum up a lot in a single number. 637 million. That’s the approximate number of users currently surfing the Web on a daily basis with an out-of-date browser – i.e. not running a current, fully patched Web browser version – or, to put it another way, 45.2 percent of all Internet surfers have neglected to update their favorite Web browser and are potentially vulnerable to all sorts of nastiness.

Strategic Security – Embedding it - June 12, 2008
It’s easy enough to talk about the threats observed today, and not too difficult to extrapolate how those threats will evolve over the next couple of years. Nor is it that difficult to discuss how current protection technologies function against the threat and the types of research or investment likely needed to combat their evolutionary descendants. But it gets a whole lot tougher if you have to dust off the old crystal ball and provide a longer-term perspective on the shift from tactical security technologies to strategic security delivery.

DIY Credit Card - Chips and Smart Cards - June 09, 2008
Following on from last week’s blog concerning the apparent ease of acquiring online all the technologies necessary for making your own fake credit cards, I received several queries about how this relates to the newer contact-based smart card rollouts – i.e. credit cards with embedded chips.

DIY Credit Cards - June 03, 2008
Over the last few years, if you’ve been following the Frequency-X blog, you’ve probably gained a fair understanding of the mechanics behind Internet-based credit card cloning and fraud. All the components needed to conduct this particular crime can be easily uncovered through a little searching of the Internet.

Global Innovation Outlook - Security and Society - May 28, 2008
Over the last couple of weeks I’ve been privileged to participate in the Tokyo and Taipei sessions of IBM’s Global Innovation Outlook (GIO). For those of you who don’t know what the GIO is, it’s an annual program that began back in 2004 whereby IBM opened up its annual technology and business forecasting processes to the world.

Are you Feeling Lucky? - April 24, 2008
Given the proliferation of sites infected with malicious drive-by download attack code, it’s about time to retire Google’s “I’m Feeling Lucky” search button, isn’t it?

"Automatic Patch-Based Exploit Generation is Possible" - So say we all. - April 22, 2008
Over the weekend I managed to read a new security paper titled “Automatic Patch-Based Exploit Generation is Possible: Techniques and Implications” that goes into some depth on how to automatically reverse engineer security patches and create (reliable?) exploits.

CAPTCHAs and Mechanical Turks - April 14, 2008
Last month I introduced the topic of “security ergonomics” and mentioned that I’d try to cover some of the presentation topics from the IBM internal conference a little later. Well, I guess it’s a little later, and the topic for today is CAPTCHA.

A Second-order of XSS - April 01, 2008
Several people have approached me for more information about the spate of search engine iFrame injection attacks that have been occurring for the last few weeks. Dancho Danchev’s blog entry provides a good primer on the threat observed thus far, and lists some of the popular news sites that have been hit with the attack.

The Cost of Networking @ Blackhat - March 29, 2008
The second day of Blackhat Amsterdam proved to be just as good as the first, with the afternoon’s presentations generally being of more interest to me than the morning’s (my perception may have been unduly tainted by the previous evening’s late-night meanderings and consumption of fermented liquids with the usual flock of pentesters).

Apple Crumble @ Blackhat - March 28, 2008
It’s been an interesting day at Blackhat Amsterdam. As conference venues go, you can’t really beat having Blackhat in Amsterdam – the city is alive at night (even if you manage to filter out the red hue around certain districts) – meanwhile, at the conference level, the actual number of attendees is pretty small, but the atmosphere is cozy and open to discussion; something not so common at other cookie-cutter security conferences.

Security Ergonomics Posted - March 16, 2008
Last week, IBM’s top security and privacy professionals attended an annual internal conference down in Austin, Texas. Over three days there were around 40 sessions divided into two streams covering diverse topics ranging from detecting Web application vulnerabilities using static analysis, through to European national e-ID card scheme evaluations.

Mass Attack - March Madness? - March 13, 2008
I’m hoping you’ve all been following the latest mass web defacement and have ensured that your desktop systems are fully patched, and that you’re running a good anti-virus solution (with latest updates) because, if you’re not, it’s not particularly safe to be browsing the Web today – even browsing your favorite “safe” sites.

Chip and PIN Tampering - February 29, 2008
There’s an old(ish) saying amongst Internet security professionals: “if you can get physical access to it, you can 0wn it.” Unfortunately too many organizations just don’t grasp the concept. Case in point – smartcard readers used for Chip & PIN transactions.

Evolving Beyond CAPTCHA - February 25, 2008
Last week I was up in New York giving a fairly standard talk about the evolving threat landscape (“standard” – but ever-so-exciting). One of the running themes in my presentation material has to do with the complexity of some security solutions and how the protection has, in many cases, evolved beyond the capability of people to use it efficiently – and inadvertently provided new avenues for attackers to socially engineer their prospective victims.

Remotely Exploitable Trends in 2007 - February 12, 2008
For those of you who may have missed it, X-Force publicly released their annual threat report for 2007 yesterday. There are lots of interesting graphs and statistics in the report and, as with most scary security stats, you’ll probably be seeing them referred to lots of times throughout the year.

The Vulnerability Disclosure Rate in 2007 - February 11, 2008
Last week a taster was provided as to the slight dip in new vulnerability disclosure rates for 2007. There have been several citations of the data after some of the security news blogs picked it up – along with some short external analysis pieces. I found it interesting that several reporters hypothesized that it was due to the selling of vulnerabilities. I don’t think so – at least not directly, and not in the way that they think.