Why relying on virus signatures simply doesn't work anymore?

January 19, 2006
As a fan of VirusTotal and Norman's Sandbox, which are always handy when doing analyses or drawing conclusions, and as someone who looks for metrics and data, besides experience, to base my judgments on, I feel VirusTotal's "Failures in Detection" statistics deserve more attention than they are actually getting.

With over 14,000 files submitted on a weekly basis, most of them supposedly 0day malicious software, it's a great resource to consider. Using these scanners as the basis of its service (spotted yours?!), it still manages to reach the plain truth: signature-based anti-virus protection is in deep trouble as a concept these days.

Moreover, vendors covering, or enjoying monopolistic competition in, specific geographical regions without having the necessary AV expertise is something that is actually happening. So what made an impression on me?

Failures in Detection (Last 7 days)

- 14,016 failures, that is, infected files not detected by at least one antivirus engine
- 372 samples detected by all vendors

What's important to note here is that response time towards a new piece of malware in the wild is crucial, as always. But that's only great when it's actually achieved. The independent folks at Av-test.org have featured a very nice Excel sheet on the "Reaction Times of the latest MS05-039-based Worm Attacks" (2005-08-22), so you can take a look for yourself.

And as I've once mentioned my opinion on the growing possibility of 0day malware on demand, proactive measures will hopefully get the attention of vendors. Some folks go as far as stating that AV scanners and AV defense as a concept will eventually end up as a product line extension of a security appliance. Though I feel you will never be able to license the core competency of a vendor that's been around since before the concept of DDoS became public! And obviously, the number of signatures they detect doesn't play the major role it used to years ago. Today's competitive factors have to do with, but of course not only with:

Heuristic
Policy-Based Security
IPS (Intrusion Prevention Systems)
Behaviour Blockers
Protection against Buffer Overruns


I also advise you to go through a well-written research paper on the topic of Proactive Antivirus protection, as it highlights the issues to keep in mind with respect to each of these. Is client-side sandboxing an alternative as well? Could and would a customer agree to act as a sandbox, compared to the current (if any!) contribution of forwarding a suspicious sample? Would v2.0 consist of a collective, automated web patrol in a PC's "spare time"? How sound are this and the other concepts in terms of usability and large-scale deployment?

Signatures are a necessary evil, as I like to say; at least ensure that your anti-virus software vendor is not a newly born company with a modest honeyfarm that is starting to perceive itself as a vendor. A vendor of what? Solutions or signatures?!

Don't get me wrong, my intention behind this post was to make you think, as a customer or decision-maker, about the approaches your current vendor uses, and how to make better decisions. At the bottom line, it's still a vendor's sensor network or client-side submissions, or even the exchange of data between them, that provides the fastest response to *known* malware!
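The two numbers quoted above (samples missed by at least one engine, samples caught by all) and the reaction-time idea from the AV-Test sheet, reduced to code as an added example; this is not code from the original post, VirusTotal or AV-Test, and the engine names, sample names and dates are constructed for the demo.

```python
"""Detection-failure and reaction-time metrics over a multi-engine scan timeline.

Added example; not code from the original post, VirusTotal or AV-Test. Sample
names, engine names and dates are constructed, modelled on VirusTotal's
"failures in detection" / "detected by all vendors" pair and on AV-Test's
reaction-time sheets.
"""
from datetime import date

ENGINES = ("EngineA", "EngineB", "EngineC")  # hypothetical vendors

# Constructed data: the day each sample was first submitted ...
FIRST_SEEN = {
    "worm.s1": date(2006, 1, 12),
    "worm.s2": date(2006, 1, 13),
    "trojan.s3": date(2006, 1, 15),
    "trojan.s4": date(2006, 1, 16),
}
# ... and the day each engine first flagged it (None = still missed at the end of the log).
DETECTED_ON = {
    "worm.s1": {"EngineA": date(2006, 1, 12), "EngineB": date(2006, 1, 13), "EngineC": date(2006, 1, 12)},
    "worm.s2": {"EngineA": date(2006, 1, 13), "EngineB": date(2006, 1, 13), "EngineC": date(2006, 1, 13)},
    "trojan.s3": {"EngineA": date(2006, 1, 17), "EngineB": None, "EngineC": date(2006, 1, 16)},
    "trojan.s4": {"EngineA": None, "EngineB": None, "EngineC": date(2006, 1, 18)},
}


def _as_date(d):
    """Accept either a date or an ISO string such as '2006-01-19'."""
    return date.fromisoformat(d) if isinstance(d, str) else d


def snapshot(as_of):
    """Verdict matrix as it looked on `as_of`: sample -> engine -> detected?
    Only samples already submitted by that day are included."""
    as_of = _as_date(as_of)
    return {
        s: {e: (d is not None and d <= as_of) for e, d in DETECTED_ON[s].items()}
        for s in DETECTED_ON
        if FIRST_SEEN[s] <= as_of
    }


def failures_in_detection(matrix):
    """The two headline numbers: samples missed by at least one engine,
    and samples detected by every engine."""
    missed = sum(1 for verdicts in matrix.values() if not all(verdicts.values()))
    return missed, len(matrix) - missed


def engine_miss_rates(matrix):
    """Fraction of the known-bad samples each engine still misses in this snapshot."""
    total = len(matrix)
    return {
        e: (sum(1 for v in matrix.values() if not v[e]) / total if total else 0.0)
        for e in ENGINES
    }


def reaction_times(as_of):
    """Per engine: mean days from first sighting to first detection (over the
    samples it had caught by `as_of`) and how many it still hadn't caught."""
    as_of = _as_date(as_of)
    report = {}
    for e in ENGINES:
        lags, still_missed = [], 0
        for s, seen in FIRST_SEEN.items():
            if seen > as_of:
                continue  # not yet in the wild on that day
            hit = DETECTED_ON[s][e]
            if hit is None or hit > as_of:
                still_missed += 1
            else:
                lags.append((hit - seen).days)
        report[e] = {
            "mean_days": sum(lags) / len(lags) if lags else None,
            "still_missed": still_missed,
        }
    return report


if __name__ == "__main__":
    day = "2006-01-19"
    missed, by_all = failures_in_detection(snapshot(day))
    print(f"{day}: {missed} samples missed by >=1 engine, {by_all} detected by all")
    for e, r in reaction_times(day).items():
        print(f"  {e}: mean reaction {r['mean_days']} days, still missed {r['still_missed']}")
```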


FBI's 2005 Computer Crime Survey - what's to consider?

January 19, 2006
Yesterday, the FBI released its 2005 Computer Crime Survey, and while I bet many other comments will follow, I have decided to comment on it the way I commented on the U.S. 2004 "Annual Report to Congress on Foreign Economic Collection and Industrial Espionage" in previous posts. This one is compiled from the 24,000 participating organizations in 430 cities within the U.S., so look for the averages where possible :)

What are the key summary points, and what should you keep in mind?

- Attacks are on the rise, as always

That's to be expected, given the ever-growing Internet penetration and the number of new users whose bandwidth is reaching the levels of a mid-sized ISP. Take into consideration the corporate migration towards IP-based business infrastructure, and even the military's interest in it, and the result is quite a lot of targets, both visible and invisible. My point is that, to a certain extent, a new Internet user is exposed to a variety of events that are always static in terms of security breaches; or was it like that several years ago? Fewer 0days, no client-side (browser) vulnerabilities the way we see them today, and cookies, as opposed to spyware, were the "worst" that could happen to you. Things have changed, but malware is still at the top of every survey/research you come across.

- The threat from within

Insiders dominate the corporate threatscape as always, and the average financial losses due to "Laptop/Desktop/PDA Theft" act as an indicator for intellectual or sensitive property theft, which is actively quantified to a certain extent, though it is still mentioned in a separate section. As far as insiders and the responses given here go, "the threat you're currently not aware of is the threat actually happening", to quote a McAfee ad I recently came across. Especially with respect to insiders.

- To report or not to report?

According to the survey "Just 9% said they reported incidents to law enforcement, believing the infractions were not illegal or that there was little law enforcement could or would do. Of those reporting, however, 91% were satisfied with law enforcement's response. And 81% said they'd report future incidents to the FBI or other law enforcement agencies."

The key point here is the lack of understanding of what a threat is, or perhaps of what exactly should be reported, or why bother at all? And given that, out of the 9% reporting, 91% are satisfied, I can simply say: "If you don't take care of your destiny, someone else will".

Overall, you should consider whether the lack of quality statistics is the result of both the "stick to the big picture" research and survey approaches, and of companies not being interested in, or not understanding, what a security threat worth reporting actually is. I strongly feel the industry and the Internet as a whole are in need of a commonly accepted approach, and while such approaches exist, someone perhaps has to communicate them more effectively. Broad and unstructured definitions of security result in a great deal of insecurity to a certain extent, or have the potential to, don't they?

- Who's attacking them?

Their homeland's infrastructure and the Chinese one, as the top attacks originated from "The U.S. (26.1%) and China (23.9%) were the source of over half of the intrusion attempts, though masking technologies make it difficult to get an accurate reading", and yes, Russia "of course".

Though, you should keep in mind that whenever someone sparks a debate on a certain country's netblocks attacking another country's, it's always questionable.

- What measures are actually taken?

Besides actively investing in further solutions, and re-evaluating their current measures, what made an impression on me as worth mentioning is:

- patching; whether the patch comes from a third party or the vendor itself is another matter. Yes, it's the reactive measure that could indeed eliminate "known" vulnerabilities, yet it's proactive approaches that companies should aim at achieving

- keeping it quiet; as you can see, the 3rd measure taken is to actually not report what has happened, which is wrong, both with respect to the actual state of security and to the potential consequences in case a sensitive information breach occurred and customers did the job of reporting and linking it.

- tracing back? I think it's a bit unrealistic in today's botnet-dominated Internet, namely an enterprise might find out that some of the external port scans it sees are coming from its own internal infected PCs. When attacked you always want to know where the hell it is coming from, and who's involved, and while that depends entirely on the attacker's techniques, I feel that close cooperation with ISPs in reporting infected nodes should get priority over tracing the attacks back. That greatly depends on the attack, its severity, and its traceability, of course.

To sum up, the bottom line is that antivirus software and perimeter-based defenses dominate the perception of security as always; companies are actively investing in security and will continue to do so. It's a very recent survey for you to use, or brainstorm on!


China - the biggest black spot on the Internet’s map

January 17, 2006
Chinese Internet users have the potential to outpace the U.S. Internet population in numbers, yet the majority of them still remain behind the most sophisticated online censorship system in the world, the Great Chinese Firewall.

I am definitely not buying into the idea of trying to take control of all the information coming in and going out of a country for the sake of my well-being, as any individual has the right to decide what's good and bad for them.

If I, for instance, knew there was a virus on the streets of my city, I would take immediate precautions, or at least see how "my" government reacts to the crisis. Yet how responsible, moral, or legal according to international human rights standards it is to prosecute users who have been spreading the news about the SARS virus from within the Great Firewall is perhaps another point.

Isn't central planning the panacea of Communism, be it old-school or modern (an excuse for the old-school one), and isn't the obvious fact that the government cannot, but wants to, play God a utopia by itself? It is disturbing how business ethics surpass moral ones for the sake of business continuity, so to say. Though efforts are made to break the ice, until a collective campaign is started I doubt anything will change. For the time being, what they don't like they either hijack (forward to another site) or completely restrict.

With over 100,000 cybercafes, and 30,000 state police enforcing policies on the Internet, the Chinese government is trying to establish a very effective atmosphere of self-censorship, namely by prosecuting those who somehow violate it. The idea is, of course, to cut the costs of their censorship efforts.

U.S. companies don't have a business choice but to comply if they are interested in taking advantage of the business opportunities in the country.

Activists have been expressing their attitude towards assistance like that, while I feel the majority of business leaders still don't have the incentive to take action, besides the human moral obligations, ones that are often neglected when doing business. Sad, but true :)

For me, it's not businesses complying with local laws that bothers me, but the playground for these vendors that's fuelling innovation in the wrong direction. That very same innovation is later used on Western countries, or pretty much anywhere around the world. For the time being, China is still winning against the Web, and the term cyberdissident is getting rather common. For instance, the recently started Cryptome.cn pointed out a great link to the actual known number of Chinese actions against journalists. That's disturbing.

One of the most resourceful and timely pieces of research currently available is ONI's Internet Filtering in China in 2004-2005: A Country Study. Interested in finding out whether a certain site is currently blocked in China? Check the Real-Time Testing of Internet Filtering in China, courtesy of Harvard Law School, whose Empirical Analysis of Internet Filtering in China still gives an overview of the situation and what's to consider.

Further research and opinions on the topic can be found at :

Internet Development and Information Control in the People’s Republic of China
Internet censorship in mainland China
The Internet in China: Civilian and Military Uses
Internet in China: Big Mama is Watching You
Internet Filtering in China
The limits of Internet filtering : A moral case for the maximization of information access over the Internet
Controlling Online Information: Censorship & Cultural Protection
Tools for Censorship Resistance
The Filtering Matrix
Tor: An anonymous Internet communication system


What are botnet herds up to?

January 17, 2006
Johannes B. Ullrich, with whom I had a chat once, did a great post providing us with real-life botnet herders' "know-how", or the lack of such. And while I agree that these are newbies, they are exploiting another growing trend. The vertical markers Johannes mentions are the result of abusing the affiliate networks themselves.

Though, how can an affiliate network distinguish traffic coming from botnets? Should it count it as malicious? Can they somehow link everything together and see the entire picture? They sure can, but as long as revenues keep coming in, they simply won't.

The botmasters mentioned here are primarily acting as domainers, and the possibilities for abuse here are countless. In case you're interested in knowing more about the use and abuse of such networks, I recommend going through Ben Edelman's research on affiliate networks and how easily they get abused. My point is that if it takes a newbie to start realizing this, imagine the big players, as there are obviously some, at least judging by the sizes of their botnets :)

If they make a buck selling access to their resources, still have the opportunity to do it on their own, and cash in again while giving instructions on how to "reinfect" yourself, that's an Ecosystem I mentioned in my recently released "Malware - Future Trends" research. I feel this particular botnet herd is up to experiments that obviously didn't go unnoticed.

What are your thoughts on the future of botnets? How would they abuse their power in Web 2.0? A week before I released my original publication, someone started coming up with "solutions" on how to abuse Google's AdSense; there's a lot to come for sure!

In case you want to know more about botnets, consider going through the following :

Bots and Botnets: Risks, Issues and Prevention
The Zombie Roundup: Understanding, Detecting, and Disrupting Botnets
Botnets as a Vehicle for Online Crime
Botnets - the threat to the Critical National Infrastructure
Botnet Detection and Response
Tracking Botnets
Robot Wars – How Botnets Work
Worms, Viruses and Botnets - security awareness video


Anonymity or Privacy on the Internet?

January 16, 2006
Last week, Bruce Schneier wrote a great comment on Anonymity, how it won’t kill the Internet, and that it has to do with accountability mostly.

Logically, if identification is impossible, then there cannot be adequate accountability. Though alternative methods based on collective trust exist, and are as anonymous as necessary. Spoofed identities, perhaps even hijacked ones, should also be taken into consideration. But how important is Anonymity today? What are Anonymity and Privacy anyway? When is the first desired in order to preserve the second? How blurred is the line in between? I think Anonymity is much broader than it is originally perceived.

I’ve once mentioned the possibilities of IP cloaking for competitive intelligence/disinformation. On the other hand, for me today’s concept of anonymity has three dimensions :

- The individuals trying to achieve anonymity with the idea of exercising their right of free speech, and accessing censored information
 
A Chinese citizen is the first thing that comes to my mind, though many others have the same problems when trying to access information or exercise their right of free speech, in countries such as Saudi Arabia, United Arab Emirates, Bahrain, Iran, Singapore, Burma, and Tunisia.

- Those trying to avoid accountability for certain actions, in one way or another
Anonymous-p2p.org, for instance, has featured a list of P2P applications that improve anonymity to a certain extent. In this case, anonymity is desired in order to cover up certain actions. The use of proxy servers to try to hide the originating host should also be mentioned as a possibility.

- Those with an established pseudo-anonymity, netizens for instance

I think pseudo-anonymity is important in today's society; its utopian worlds (online gaming worlds etc.) express freedom and promote creativity to a certain extent. The entire trust and accountability model is actually entrusted to the service, for instance Ebay, as mentioned in the original article. You trust that Ebay's practices going beyond this pseudo-anonymity would achieve accountability in case it's necessary.

What do others think about privacy, and why is anonymity hard?

“There’s no Privacy, get over it” - Sun's CEO Scott McNealy, back in 1999

John Young, Cryptome.org, on privacy, data aggregation, data mining, terrorism fears and our constantly digitized lives:

Privacy should be a right of citizens worldwide, in particular the right to keep government and business from gaining access to private information and personal data. The argument that government needs to violate privacy in order to assure security is a lie. The business of gathering private information by corporations and then selling that to government and other businesses is a great threat to civil liberties. Much of this technology was developed for intelligence and military uses but has since been expanded to include civil society.

Dan Farmer and Charles C. Mann – Surveillance Nation

“Low-priced surveillance technologies will help millions of consumers protect their property, plan their commutes, and monitor their families. But as these informal intelligence-gathering networks overlap and invade our privacy, that very privacy could evaporate.”


To report, or not to report?

January 16, 2006
Computerworld is running a story that "Three more U.S. states add laws on data breaches", but what would be the consequences of this action? Fewer security breaches? I doubt it. Realistic metrics and reactions whenever an actual breach occurs, as well as measures for its future prevention? Now that's something, I think.

Such legislation has a huge impact, both on the industry and public opinion, and on the company itself. No one likes admitting to getting hacked, or having sensitive information exposed to an unknown and obviously malicious party. Yet, if it weren't for companies reporting these breaches, thousands of people would have been secretly exposed to possible identity theft, and we'd still be living with the idea that the Megacorporations are responsibly handling our information. Which they obviously aren't! And even if they try to hide it, sooner or later a victim will start digging in, and the story ends up in the mainstream news. Privacyrights.org have taken the time and effort to compile "A Chronology of Data Breaches Reported Since the ChoicePoint Incident", and as you can see, it's not getting any better, though reporting and legislation have the potential to change a lot.

At the bottom line, I am a firm believer that reporting breaches greatly improves the accuracy of security metrics, and hopefully the solutions themselves. Security through obscurity is simply out of the question when it comes to storing unencrypted databases online, or even distributing them offline, though it's obviously still very popular today.

What do you think? Are the long-term negative PR effects worth uninterrupted business continuity as a whole? Are you comfortable with not knowing exactly how any of the organizations possessing sensitive info on you is taking care to secure it? I'm not!

See also various other comments on the topic:

Information Security Breaches and the Threat to Consumers
Security Breaches : Notification, Treatment, and Prevention
Recommended Practices on Notification of Security Breach Involving Personal Information
What Does a Computer Security Breach Really Cost?


Future Trends of Malware

January 16, 2006
Great news that I greatly anticipated: my "Malware - Future Trends" research got Slashdotted. The strange thing is how my actual post and numerous others from different respected sites weren't approved. I guess I'll have to live with that, given the huge number of hits and new subscribers to my feed I have received over the last couple of days :))

Someone once said that it's all about the courage to write down what you think. And he was right, but he failed to mention that you should also stand behind what you believe in. There's nothing more important than disseminating that kind of information to the broadest audience possible, in the fastest way achievable. The comments, link recognition and active feedback that I have been receiving are the best benchmark for the usefulness of my research. So, thanks!

My “Malware – future trends” publication has recently appeared at :

Packetstormsecurity.org
Securiteam.com
Net-security.org
LinuxSecurity.com
Infosecwriters.com
WhiteDust.net
ISECA.org
BankInfoSecurity.com
Wiretapped.net
Astalavista.com
CGISecurity.com
Megasecurity.org
Secguru.com
Wikipedia's entry on Malware

to name a few of the sites, and in various blog comments:

Computerworld’s IT Management Blog
Datamation's Blog
Sergio Hernando's post, and the Google translation
Alan Cardel's Blog
Worm Blog


The more naysayers, the more important what you are doing is, and I have come across a lot of them, though I wouldn't even bother to link back to them. They are a valuable incentive on certain occasions. It's a great feeling that I missed for a little while; it reminds me of how differently people react to one another's success and hard work. I totally enjoy people quoting me on every sentence of a 26-page publication I pretty much finalized on Xmas eve, just for the idea of doing it.

Cheer up, guys, and go through my points objectively.

What I truly like is the debate it opened up here and there, one of the main ideas behind it. Feel free to post your comments at my original announcement, Malware - Future Trends.


Insecure Irony

January 12, 2006
What's the worst thing that could happen to Big Brother and any of its puppets? Having their confidential info exposed due to the negligence of a commercial organization, one that is used for gathering the majority of intelligence data these days. Now, that's an insecure irony.

It is a public secret that every government gathers enormous amounts of information on its citizens through commercial organizations' extremely rich databases. Everyone's in the system though, even the ghosts!

I also advise you to go through a great piece of research on the topic of "Commercial Data and National Security" in case you want to know more about how governments and intelligence agencies use/abuse the data.


Security threats to consider when doing E-Banking

January 12, 2006
E-banking and mobile commerce are an inevitable part of our daily lives, and will continue to get more popular.

The bad thing is that it's not just us, the end users, benefiting from this fact, but also the malicious attackers exploiting our naivety and lack of awareness of the threats to watch for. Candid Wueest did outstanding research on the insecurities of E-banking, and an excellent job comparing the different security measures next to one another. The slides will also provide you with a lot of useful info on the topic.

The hidden internet economy

January 11, 2006
How much do phishing, spam and spyware, for instance, cost businesses? Should we measure in cash, or in hard-to-quantify long-term effects such as reputation damage, loss of confidence in the business, or the percentage of people that would think twice before doing any E-shopping at all?

These days, I believe there's a huge number of individuals with purchasing power who tend to avoid online purchases altogether. That's the baby boomers I am talking about, who as a matter of fact have more and more disposable income!

Published in December 2005, a poll by the CSIA estimated that almost 50% of all adults in the U.S. avoid making purchases online because they are afraid that their personal information could be stolen. And while impulsive teens are excluded, and the poll's quality is taken for granted, to me it highlights an important fact that I have always believed in -- that there is a hidden Internet economy that could boom, given that more confidence is built, ensuring that this huge number of individuals will start bringing even more online revenues to any of the dotcom darlings. Until then, stay tuned for yet another major security breach at a data aggregator :(


The never-ending "cookie debate"

January 10, 2006
On the 6th of January, CNET reported that the web sites of 23 U.S. senators use persistent cookies (usually expiring around 2035), and several days earlier, Google-Watch.org found out the same for the NSA's web site.

As a matter of fact, Google, the world's most popular search engine with millions of searches in over 100 languages, also uses cookies that expire in 2035. But how does all this matter to you? Does erasing your cookies make you invisible, invincible and untraceable?

Totally wrong! However, cookies are the most popular privacy-invading concept on the Internet, and if you start filling privacy-conscious individuals in on the basics of timing attacks, remote physical device fingerprinting, or distributed surveillance possibilities, they'll end up thinking you're paranoid -- for a reason!

What you MUST know concerning your privacy on the Internet is that in today's globalized Internet, namely with hundreds of countries participating, privacy laws, their enforcement, or even the understanding of the importance of the issue, tend to vary from country to country.

There are worse things that could happen to you than cookies, and I refer to them as Web Timing Attacks, and how practical they really are! Don't bother about cookies, given that you wiped them out; that's the Cookie Monster's job :)
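A small auditor for the kind of cookie the post talks about, added here as an example (not code from the original post, CNET or Google-Watch): it parses Set-Cookie headers, works out each cookie's remaining lifetime, and flags the ones that outlive the machine they are set on. The headers are constructed; the first mimics the 2035 expiry described above, and the two-year threshold is an assumption.

```python
"""Audit Set-Cookie headers for lifetime: session, persistent, long-lived or expired.

Added example, not code from the original post, CNET or Google-Watch. The
headers are constructed; lifetimes are measured against POST_DATE so that the
output is stable no matter when the script is run.
"""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

POST_DATE = datetime(2006, 1, 10, tzinfo=timezone.utc)
LONG_LIVED_YEARS = 2  # assumption: anything that outlives a typical PC refresh cycle

# Constructed sample headers (names and values are not real).
SAMPLE_HEADERS = [
    "PREF=ID=0123456789abcdef; expires=Wed, 17-Jan-2035 19:14:07 GMT; path=/; domain=.example.com",
    "SESSIONID=x9y8z7; path=/; HttpOnly",
    # Both attributes present: RFC 6265 says Max-Age wins over Expires.
    "visited=1; expires=Wed, 17-Jan-2035 19:14:07 GMT; Max-Age=2592000; path=/",
]


def parse_set_cookie(header):
    """Split a Set-Cookie value into (name, value, {attribute: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")  # value itself may contain '='
    attrs = {}
    for p in parts[1:]:
        k, _, v = p.partition("=")
        attrs[k.strip().lower()] = v.strip()
    return name.strip(), value.strip(), attrs


def lifetime_days(attrs, as_of):
    """Remaining lifetime in days as of `as_of`, or None for a session cookie."""
    if "max-age" in attrs:                      # Max-Age takes precedence
        return int(attrs["max-age"]) / 86400
    if "expires" in attrs:
        exp = parsedate_to_datetime(attrs["expires"])  # handles RFC 850 'dd-Mon-yyyy' too
        if exp.tzinfo is None:                  # older Pythons may return a naive value
            exp = exp.replace(tzinfo=timezone.utc)
        return (exp - as_of).total_seconds() / 86400
    return None


def classify(days, threshold_years=LONG_LIVED_YEARS):
    """Bucket a lifetime; a non-positive Max-Age/Expires deletes the cookie."""
    if days is None:
        return "session"
    if days <= 0:
        return "expired"
    return "long-lived" if days > threshold_years * 365.25 else "persistent"


def audit(headers, as_of=POST_DATE):
    """One row per header: name, remaining days (None for session) and bucket."""
    report = []
    for h in headers:
        name, _, attrs = parse_set_cookie(h)
        days = lifetime_days(attrs, as_of)
        report.append({"name": name, "days": days, "kind": classify(days)})
    return report


if __name__ == "__main__":
    for row in audit(SAMPLE_HEADERS):
        yrs = "" if row["days"] is None else f" (~{row['days'] / 365.25:.1f} years)"
        print(f"{row['name']:<10} {row['kind']}{yrs}")
```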

In case you are interested in further info on the topic you can take a look at the following :

How Web Server's Cookies Threaten Your Privacy
Local Shared Objects -- "Flash Cookies"
EPIC's Cookies Page
Search Privacy At Google & Other Search Engines
Bugnosis
Taking the Byte Out of Cookies


Why we cannot measure the real cost of cybercrime?

January 10, 2006
At the end of 2005, a rather contradictory statement was made, namely that the costs of cybercrime have surpassed those of drug smuggling. And while I feel it has been made in order to highlight the threats posed by today's cyber insecurities, I find it a bit unrealistic.

Mainly because of:

- the lack of a centralized database and approach to keep track of, and measure, the costs of cyber crime

Centralization is useful sometimes, and so is standardization. My point is that it doesn't matter how many metrics I go through on a monthly basis; they have all taken different approaches while gathering their data. Estimated or projected losses are a tricky thing, the way Donald Trump's valuation is largely based on his brand name. In this very same way, if we were to quantify the losses of a worldwide worm outbreak posed by direct attacks on the availability and integrity of networks and hosts, it would always be rather unrealistic, yet hopefully scientifically justified to a certain extent!

I feel it's about time the industry appointed a watchdog with an in-depth understanding of the concept. A watchdog that has the open source intelligence attitude, and the law enforcement backup, to differentiate online identity theft from dumpster diving, and both soft and hard dollar losses out of an event.

- the flawed approaches towards counting the TOC costs

"We had our network hit by a worm attack, where 200 out of 1000 desktops got successfully infected, resulting in 4 hours of downtime for the 200 desktops, and with the department's $15 hourly rate it resulted in a direct loss of productivity." A rather common approach these days; what isn't included is the time the IT/Security department spent fixing the problem, the eventually increased infosec budget (given the department takes advantage of the momentum and asks for more), and potential lawsuits that may follow from other companies whose systems have been attacked by any of the 200 infected ones. A security incident shouldn't be isolated when it comes to costs, yet that's the best approach to bring some accountability, though it's totally unrealistic. The butterfly effect has its word in both the real and the financial world as well.

- the hard to quantify intellectual property theft

Continuing my thoughts from the above opinion: counting the IT/Security department's associated costs, as well as the loss of productivity at the hourly rate, especially when there's been a theft of intellectual property, is easy, yet untrue. If we were to even estimate the potential dollar losses of intellectual property theft due to security breaches, it would surpass the U.S. budget deficit and reach the levels of a developing economy's GDP, I bet that! The current inability of the industry to successfully quantify the costs of intellectual property theft results in a mere estimation of the real costs of the cyber crime act. In this case, it's more complex than some want to believe.

- lack of disclosure enforcement

More and more states (U.S. only, painfully true, but the world is lagging behind) are adopting breach disclosure laws with the idea of preventing successful use of the information, seeking accountability from the organizations/enterprises, and hopefully resulting in even clearer metrics on what exactly is going on in the wild. However, the lack of acceptance, and sometimes even of awareness of being hacked, results in a highly underestimated picture of the real state of cyber crime today. The more disclosure enforcement, and actual awareness of the breaches, the better the metrics, the understanding of where the threats are going, and the accountability of the organizations themselves.

- surveys and metrics should always be subject to question

The way a research company gathers survey and metrics data should always be subject to question. Even highly respected law enforcement agencies' surveys and research clearly indicate similarities, though when it comes to financial losses, every organization has different measurement approaches and a different understanding of the concept. That is why, in the majority of cases, they aren't even aware of the actual long-term, or soft dollar, losses directly posed by a single security breach. Evaluating assets and assigning dollar values to intellectual property is tricky, and it could either provide a more realistic picture of the actual losses, or overestimate them due to the company "falling in love" with the intellectual value of its breached information.

- companies fearing shame do not report the most relevant events today, online extortion or DDoS attacks

No company would publicly admit to complying with online extortionists, and no matter how unprofessional it may sound, a LOT of companies pay not to have their reputation damaged, and it's not just public companies I'm talking about. How should a company react in such a situation: fight back and have its web site shut down, resulting in direct $ losses outpacing the sum requested by the extortionists, or comply with the request, only to have to deal with the issue again later on? How much value would a company gain by fighting back, or by publicly stating that it has such a problem and is complying with it? What's more, should quantifying a successful DDoS attack on an E-shop also include the downtime effect for the ISP's customers, given that they don't null-route the site, of course? And who's counting all these costs, and how far would their impact actually reach?

- the unrealized sales of people avoiding shopping online
A topic that is often neglected when it comes to E-commerce is the HUGE number of people who aren't interested in participating (though they have the E-ability to do so), mainly because of the fear posed by cyber crime, having their credit card data stolen, etc. The current revenues of E-commerce, from my point of view, are nothing compared to what they could be, if the industry's leaders gently united in order to build awareness of their actions towards improving security. I also consider these people a cost of cyber crime!

At the bottom line, drug addicts don't exist because of drugs, but because of society, and it may be easier to execute phishing attacks than to smuggle cocaine from Mexico to the U.S., but this is where the real $$$ truly is, from my point of view - drugzZzZzZzZ... :)


Would we ever witness the end of plain text communications?

January 10, 2006
Last week, a report released by the research firm In-Stat estimated that revenues for IP VPNs will double between 2004 and 2009, to $658 million.

Estimates should also be questioned, though the trend is very relevant these days. VPNs as a concept are the natural shift away from plain text data exchange over the insecure-by-default Internet. Yet a secure communication channel doesn't mean that attacks on both the channel and the host itself cannot be executed. Though, I think that avoiding plain text communications altogether is a strategic step of great importance.

How can you take advantage of this trend?
Given that the market is actively growing, namely with a lot of new entrants, there will be a lot of product/service choice and very competitive pricing schemes. Keep track of them, ensure your TCO is as low as possible, and think in the long term.

What to keep in mind?
Do your homework, and while a newly established company's offers might seem attractive compared to an established vendor's in respect to pricing, don't ignore expertise and quality for a short-term deal. On the other hand, be aware of the fact that vendors will rush into offering many other cross-sale services. We are already witnessing such vendors being as confident as to launch their own anti-virus solutions. That's exactly the type of company whose product extension services you should avoid, as they are basically reinventing the wheel, with the idea of cutting out any royalties paid to the established anti-virus vendors. TCO, expertise, and a value-oriented, flexible vendor are the things to keep in mind, given you don't have something else in mind?


Watch out your wallets!

January 10, 2006
The irony of today's obviously-not-working loan system has left a 22-year-old Chicago student in debt of $412,000. A very scary event, which I feel could have been prevented if the loss had been reported, and the bank giving the loans had somehow been aware of the social status of the "borrower" :)

In case you are interested in knowing more about identity theft, go through the following:

ID Theft : When Bad Things Happen to Your Good Name
Coping with Identity Theft : Reducing the Risk of Fraud
The Problem of Identity Theft


Malware - future trends

January 09, 2006
I'm very excited to let you know that I have finally managed to release my "Malware - future trends" publication. Basically, it will provide you with an overview of the current trends, the driving factors behind the scenes, and some of the trends to come, from my point of view.

As factors contributing to the rise and success of malware, I have pointed out:
- Documentation and howto's transformed into source code
- Vulnerabilities, even patches, easily turned into exploits
- Clear signs of consolidation on the malware scene
- The media as a fueling factor for growth
- Over 960M unique Internet users and their connectivity, or purchasing power
- The demand for illegal services

And as far as the trends themselves are concerned, I have indicated:
- Mobile malware will be successfully monetized
- Localization as a concept will attract the coders' attention
- Open Source Malware
- Anonymous and illegal hosting of (copyrighted) data
- The development of Ecosystem
- Rise in encryption and packers
- 0day malware on demand
- Cryptoviral extortion / Ransomware will emerge
- When the security solution (antivirus etc.) ends up being the security problem itself
- Intellectual property worms
- Web vulnerabilities, and web worms - diversity and explicit velocity
- Hijacking botnets and infected PCs
- Interoperability will increase the diversity and reach of the malware scene

Have an opinion? Feel I have somehow missed a point? Let me know, or directly comment on this post! Thanks folks!


How to secure the Internet

January 04, 2006
I recently wondered, are there any existing government practices towards securing the entire Internet?

So I went through the U.S. National Strategy to Secure Cyberspace, to find out what the U.S. is up to, given it still maintains "control" of the Internet. What is the Internet's biggest weakness? No, it's not a sophisticated term, it's a common word called design.

A fact that is often neglected as the core of all problems is that the Net's design by itself was primarily developed for research purposes. That is, universities and scientists exchanging data, users whose activities would definitely not result in the following :)

- infecting the competing Ivy League universities with malware, and "borrowing" as much intellectual property as possible

- conducting DNS poisoning and redirecting their competition's site to their own

- eavesdropping on their fellow researchers' communications

The Internet wasn't meant to be as secure as we wish it could be today. So, when it became public and turned into today's part of daily life, I feel this weakness started to re-emerge on a large scale.

Perhaps the second biggest vulnerability is the ability to forge source addresses, and given that you can spoof the origin of your packets, there is no accountability for a great deal of today's threats. IPv6 isn't the panacea of security, and never will be. There are, in fact, a lot of vulnerabilities related mostly to implementation, and to awareness of the possibilities. But the introduction of IPv6 over the Internet still remains an ambition for governments and organizations across the world. As a matter of fact, the U.S. DoD has indicated its troubles while migrating to IPv6, but they desperately need it. Though, I greatly feel the sooner the better.
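The source-address problem described above is what ingress filtering (BCP 38) and strict-mode uRPF on routers are meant to counter: a packet arriving on a customer-facing interface is forwarded only if its source address falls within a prefix actually assigned to that interface, and sources that can never be valid unicast origins (multicast, loopback, unspecified) are dropped outright. The Python sketch below is an added example, not code from the original post or from any router vendor; the interface names, the prefixes (IETF documentation ranges) and the sample packets are all constructed for illustration.

```python
"""BCP 38 style ingress (anti-spoofing) filter, as an added illustration.

Policy model: each customer-facing interface is mapped to the prefixes that
are legitimately sourced behind it. A packet whose source address is outside
those prefixes is either spoofed or misrouted and is not forwarded. An
interface with no policy entry is treated as default-deny.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple, Union

IPNetwork = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed policy: "eth1" is a customer port with one IPv4 and one IPv6
# assignment (documentation prefixes). Any other interface has no policy.
INGRESS_POLICY: Dict[str, List[IPNetwork]] = {
    "eth1": [
        ipaddress.ip_network("203.0.113.0/24"),
        ipaddress.ip_network("2001:db8:1::/48"),
    ],
}

# Constructed sample packets: (ingress interface, source, destination).
SAMPLE_PACKETS: List[Tuple[str, str, str]] = [
    ("eth1", "203.0.113.7", "198.51.100.1"),      # legitimate customer source
    ("eth1", "198.51.100.9", "203.0.113.1"),      # spoofed: not a customer prefix
    ("eth1", "224.0.0.1", "203.0.113.1"),         # multicast can never be a source
    ("eth1", "2001:db8:1::5", "2001:db8:2::1"),   # legitimate IPv6 customer source
    ("eth1", "127.0.0.1", "198.51.100.1"),        # loopback can never be a source
    ("eth9", "203.0.113.7", "198.51.100.1"),      # unknown interface: default deny
]


def rejection_reason(iface: str, src: str) -> Optional[str]:
    """Return None if the packet may be forwarded, otherwise why it is dropped."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return "unparseable source address"

    # Addresses that are never valid as a unicast packet source, regardless
    # of which interface they arrive on.
    if addr.is_multicast:
        return "multicast source"
    if addr.is_loopback:
        return "loopback source"
    if addr.is_unspecified:
        return "unspecified source"

    prefixes = INGRESS_POLICY.get(iface)
    if prefixes is None:
        return "no ingress policy for interface (default deny)"

    # ipaddress handles the v4/v6 mismatch: an IPv6 address is never "in"
    # an IPv4 network and vice versa, so mixed-family prefixes are safe here.
    if not any(addr in net for net in prefixes):
        return "source outside prefixes assigned to this interface (spoofed or misrouted)"
    return None


def filter_packets(packets):
    """Split packets into (accepted, dropped); dropped entries carry the reason."""
    accepted, dropped = [], []
    for iface, src, dst in packets:
        reason = rejection_reason(iface, src)
        if reason is None:
            accepted.append((iface, src, dst))
        else:
            dropped.append((iface, src, dst, reason))
    return accepted, dropped


if __name__ == "__main__":
    ok, bad = filter_packets(SAMPLE_PACKETS)
    for iface, src, dst in ok:
        print(f"FORWARD {iface} {src} -> {dst}")
    for iface, src, dst, why in bad:
        print(f"DROP    {iface} {src} -> {dst}: {why}")
```

Running it forwards the two packets whose sources sit inside the eth1 prefixes and drops the other four. The same rule is what a strict-mode uRPF check enforces from the routing table instead of a static list: if the best route back to the source does not point out the interface the packet came in on, the source is not trusted. Applied at the customer edge, this does not stop an attacker from spoofing addresses inside their own assigned block, but it removes the ability to impersonate arbitrary hosts on the Internet, which is the accountability gap the paragraph above is pointing at.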

The current Internet IP space is so easily mapped and data-mined that on most occasions such transparency is mostly beneficial to malicious attackers. I believe that security threats can indeed have a national security impact, of course, given their severity and actual abuse. Today's information- and knowledge-driven societies are largely dependent on information and technology infrastructure for most of their needs. This has, on the other hand, boosted tremendous technological growth. It eventually resulted in increased world productivity, but the dependence can also affect real-life situations on certain occasions.

Can cyberspace indeed influence real-life situations and cause havoc? Would someone want to bring down the Internet, and how sound is this? What are the main driving factors behind the known weaknesses of the infrastructure, and how can their negative effects be prevented?

I greatly feel that the growth of E-governments, a native Internet population, and improved communication infrastructure, thus more bandwidth and opportunities, are crucial for the growth of a nation. The only weakness, besides actual usability or utilization, is security.

Going back to the report, it clearly highlights and takes into consideration both soft and hard dollars. That is, enemies conducting espionage against companies and universities, or mapping key government and industry networks, and easily reachable known targets to be used later on. Hit-lists of potential targets can be easily gathered in today's open source intelligence world.

On a worldwide basis, the implications for the entire Internet posed by insecure DNS servers, and by the insecurities of the DNS protocol itself, can undermine the Internet as such. What happens when all sites are actually there, but remain unreachable worldwide? The 2002 attacks on the root DNS servers indeed acted as a wake-up call to the international community on how fragile the current system really can be.

Some of the obstacles to a secure Internet, from my point of view, consist of:

- Plain text communications are the easiest and most common way malicious attackers can abuse a nation's communications, not to mention the fact that the majority of communications remain unencrypted

- Lack of evolving compliance: threats change so fast that everyone can barely keep up with them, and what used to be "secured" yesterday is vulnerable today

- Fewer procedures and strategies, more actions: perfecting planning is futile, since by the time you end your planning process you would have to change everything. My point is, empower those who are able to execute real actions towards improving security.

- The gap between the government, private and academic sectors is resulting in a lack of integrated early warning systems that would eventually benefit everyone

- Realization of a nationwide client-side sensor; I have also considered Symantec's utilization of its 120M client base as the biggest, most sensitive honeypot ever.

To sum up my ideas, migration to the, at least thought to be, more secure Internet2 would take years and cost billions of dollars on a worldwide basis, yet it's worth it!

Have an opinion? Share it!


Security quotes : an FSB (successor to the KGB) analyst on Google Earth

January 04, 2006
"Lt. Gen. Leonid Sazhin, an analyst for the Federal Security Service, the Russian security agency that succeeded the K.G.B., was quoted by Itar-Tass as saying: "Terrorists don't need to reconnoiter their target. Now an American company is working for them." A great quote, and I find it totally true. The point is not to look for high-resolution imagery, but to harness the power of OSINT, improve their confidence by observing the targets "from the sky", and actually plan and coordinate their activities across huge territories. AJAX anyone? :)

However, the public has always been good at bringing the real issue to the rest of the world. There have been numerous attempts to spot sensitive locations, and I wouldn't be myself if I didn't share the joys of the Eyeball Series with you, in case you haven't come across the initiative earlier. However, while it gives terrorists or enemies these opportunities, it also serves the general public by acting as evidence for the existence of espionage sentiments, here and there. Echelon's Yakima Research Station was spotted on Google Maps, originally by Cryptome; see the dishes there? Any thoughts in here? Can Microsoft's Live Local, with its highly differentiated bird's eye view of important locations, turn into a bigger risk than the popularity of Google's services?


Keep your friends close, your intelligence buddies closer!

January 04, 2006
Too much power always leads you to the dark side!

Cryptome yesterday featured an excerpt from "State of War : The Secret History of the CIA and the Bush Administration", shedding more light on what the NSA used to be before 9/11 and how things changed at a later stage. In case you really want to find out more about the entire history of the NSA, go through "The Quest for Cryptologic Centralization and the Establishment of NSA, 1940-1952", and one of the most remarkable NSA-released publications, entitled "Eavesdropping on Hell : Historical Guide to Western Communications Intelligence and the Holocaust, 1939-1945".

My opinion - With no guards, the gates are always open. But who will watch the watchers when they start watching us?!

Even though, as Marine Corps General Alfred M. Gray put it years ago, "Communications without intelligence is noise; intelligence without communications is irrelevant", and so is privacy in the 21st century, period.


What's the potential of the IM security market? Symantec thinks big

January 04, 2006
Yesterday, Symantec, one of the world's leading security and, of course, storage providers, acquired IMlogic, a leading provider of Instant Messaging security solutions. How sound is this move anyway? Doesn't Symantec already have the necessary experience in this field?

IMlogic has never been a build-to-flip company. Dating back to 2002, it has managed to secure important customers, Fortune 1000 companies as a matter of fact, and acts as the preferred choice for many of them. And given that enterprise IM is exploding, and so is home use, the real-time nature of this type of communication has always been acting as a hit-list in my mind. Client-based vulnerabilities, social engineering attacks, auto-responding malware, and many other issues are among the current trends. How huge is the potential of IM security, or is it just me trying to think big here, compared to Symantec's simple product line extension ambition?

Besides acting as another propagation vector for future malware releases, IM usage worldwide is already outpacing the most common form of Internet communication -- email. A Radicati Group research report entitled "Instant Messaging and Presence Market Trends, 2003-2007" indicates the same. The group predicts:

- 1,439 million IM accounts in existence by 2007
- a very significant increase in corporate implementation of IM, from 60 million accounts today to 349 million in 2007
- that's a degree of monopoly, as always!

Lucky you, Symantec!

At the risk of being a pessimist, I have nonetheless witnessed how unique organizations and teams eventually got swallowed by the corporate world. And it's their know-how that I truly miss these days. You can, though, still go through Symantec's constantly updated list of acquired companies, and it's evident they are fully committed to continuing to be a market and knowledge leader. I also recommend you read a great article at eWeek entitled IM Threats : The Dark Side of Innovation to find out more about the current trends. What's your attitude about them?!


Happy New Year folks!!

January 04, 2006
Dear friends and visitors,

Happy New Year, and sincere apologies for the lack of updates on my blog recently. It's not that I have somehow stopped brainstorming on how to put my knowledge into neat posts; rather, I didn't have the time I wanted in order to provide an in-depth overview of the key topics I had in mind :-)

I wish you all the best in 2006, thanks for your feedback on my ideas, and keep ridin' on the road of intellectual exploration!