Microsoft is emptying its pockets with tiny acquisitions of security solution providers with the idea to target the masses in its all-in-one security service OneCare. There's nothing wrong with offering up to three licenses for $49.95 per year, at least not from a marketing point of view. Microsoft's Security Ambitions are getting huge "as it continues to reveal its security ambitions in very obvious ways. Its $75 million acquisition of SSL VPN vendor Whale Communications last week shows just how deep it wants to go against the established leaders of various security technologies. Already in Microsoft’s security sights are the antivirus and antispyware vendors. Since buying European antispyware vendor Giant Company Software and antivirus vendor Sybari, it was pretty clear that Microsoft intended to get into the malware protection market. Symantec, McAfee and Trend Micro seemed to be the clearest targets, but so are Sophos, CA, F-Secure and scores more smaller vendors."
Competition is always good for all parties involved. In another article on the topic, WebRoot's founder, a leading anti-spyware solutions provider, gave great comments about Microsoft's take over of the infosec market : "The taking of a second-best product in this space is akin to locking half the doors in your house," he said. "Vista will not solve the spyware problem. It may change the vector of attack, but it will not solve this problem. And I'll bet the company on it."
Microsoft really surprised me with their release of the Strider Honey Monkeys Crawler, as precisely the type of in-house research that would act as a main differention point of its solutions. The problem has never been the technology, they still have some of the brightest minds in the world working for them, but providing value and communicating the idea to the final customer. Security as a second priority isn't tolerated by customers, and Microsoft is last company that the end user associates with security. Obsessed with perfection, and still living in the product marketing concept world, is outdated thinking, the way pushing features based on "what the sample says" is not going to hold the front any longer. Customers beg to participate!
While for the time being Microsoft is rediscovering the Web, and working on Vista, money doesn't necessarily buy innovation, prone to make impact individuals do --ones heading to Mountain View, California where the real action is.
Tuesday, May 30, 2006
Microsoft in the Information Security Market
Independent Security Consultancy, Threat Intelligence Analysis (OSINT/Cyber Counter Intelligence) and Competitive Intelligence research on demand. Insightful, unbiased, and client-tailored assessments, neatly communicated in the form of interactive reports - because anticipating the emerging threatscape is what shapes the big picture at the end of the day. Approach me at dancho.danchev@hush.com
No Anti Virus Software, No E-banking For You
Malware and Phishing are the true enemies of E-commerce, its future penetration, and E-banking altogether. Still, there are often banks envisioning the very basic risks, and hedging them one way or another, as "Barclays gives anti-virus software to customers"
"Barclays Bank is issuing UK internet banking customers with anti-virus software, as part of attempts to reduce online identity theft. The bank has signed a deal with Finnish anti-virus firm F-Secure, which will provide software to the bank’s 1.6m UK internet banking customers. While other banks offer discounted anti-virus software deals to customers, Barclays is the first in the UK to give it away for free. ’Nearly two-thirds of home PCs don’t have active virus protection, and one in five is actually infected by a virus, placing people at risk from data theft, as well as damage to their computers,’ said Barnaby Davis, director of electronic banking at Barclays."
I find the idea a very good mostly because compared to other banks that try to reestablish the email communication with their customers, but starting from the basics, you can't do E-banking without generally acceptable security measure in place. And while an AV solution doesn't necessarily mean the customer wouldn't get attacked by other means, or that it would be actually active in the moment of the attack, this is a very smart to do. To take advantage of even more benefits, Barclays must actively communicate their contribution and unique differentiating point to their customers, in comparison with the other banks -- it's getting harder for companies to retain customers due to improved access to information, thus more informed decisions.
You can't just deal with the technological part of the problem, but avoid the human side in it, as education and awareness will result in less gullible, but more satisfied and longer retained customers. Phishing is today's efficient social engineering, and a bank's site shouldn't be assumed "secure" as on many occasions site-specific vulnerabilities improve the truthfulness of the scam itself. Forwarding the responsibility for secured access to the E-banking feature to final customers should be simultaneous with the bank auditing its web services. In the upcoming years, with the rise of mobile banking, I think we will inevitably start seeing more mobile phishing attempts.
Ebay's PayPal is still a major player in online payments, on its way to dominate mobile payments too. The trend and potential of cross-platform malware is what both AV vendors and payment providers should keep in mind.
"Barclays Bank is issuing UK internet banking customers with anti-virus software, as part of attempts to reduce online identity theft. The bank has signed a deal with Finnish anti-virus firm F-Secure, which will provide software to the bank’s 1.6m UK internet banking customers. While other banks offer discounted anti-virus software deals to customers, Barclays is the first in the UK to give it away for free. ’Nearly two-thirds of home PCs don’t have active virus protection, and one in five is actually infected by a virus, placing people at risk from data theft, as well as damage to their computers,’ said Barnaby Davis, director of electronic banking at Barclays."
I find the idea a very good mostly because compared to other banks that try to reestablish the email communication with their customers, but starting from the basics, you can't do E-banking without generally acceptable security measure in place. And while an AV solution doesn't necessarily mean the customer wouldn't get attacked by other means, or that it would be actually active in the moment of the attack, this is a very smart to do. To take advantage of even more benefits, Barclays must actively communicate their contribution and unique differentiating point to their customers, in comparison with the other banks -- it's getting harder for companies to retain customers due to improved access to information, thus more informed decisions.
You can't just deal with the technological part of the problem, but avoid the human side in it, as education and awareness will result in less gullible, but more satisfied and longer retained customers. Phishing is today's efficient social engineering, and a bank's site shouldn't be assumed "secure" as on many occasions site-specific vulnerabilities improve the truthfulness of the scam itself. Forwarding the responsibility for secured access to the E-banking feature to final customers should be simultaneous with the bank auditing its web services. In the upcoming years, with the rise of mobile banking, I think we will inevitably start seeing more mobile phishing attempts.
Ebay's PayPal is still a major player in online payments, on its way to dominate mobile payments too. The trend and potential of cross-platform malware is what both AV vendors and payment providers should keep in mind.
Independent Security Consultancy, Threat Intelligence Analysis (OSINT/Cyber Counter Intelligence) and Competitive Intelligence research on demand. Insightful, unbiased, and client-tailored assessments, neatly communicated in the form of interactive reports - because anticipating the emerging threatscape is what shapes the big picture at the end of the day. Approach me at dancho.danchev@hush.com
Sunday, May 28, 2006
Who's Who in Cyber Warfare?
Wondering what's the current state of cyber warfare capabilities of certain countries, I recently finished reading a report "Cyber Warfare: An Analysis of the Means and Motivations of Selected Nation States", a very in-depth summary of Nation2Nation Cyber conflicts and developments I recommend you to read in case you're interested. It covers China, India, Iran, North Korea, Pakistan, and, of course, Russia. Some selected brief excerpts on China, Iran, and Russia :
China
"Beijing’s intelligence services continue to collect science and technology information to support the government’s goals, while Chinese industry gives priority to domestically manufactured products to meet its technology needs. The PLA maintains close ties with its Russian counterpart, but there is significant evidence that Beijing seeks to develop its own unique model for waging cyber warfare."
Iran
"The armed forces and technical universities have joined in an effort to create independent cyber R & D centers and train personnel in IT skills; and second, Tehran actively seeks to buy IT and military related technical assistance and training from both Russia and India."
Russia
"Russia’s armed forces, collaborating with experts in the IT sector and academic community, have developed a robust cyber warfare doctrine. The authors of Russia’s cyber warfare doctrine have disclosed discussions and debates concerning Moscow’s official policy. “Information weaponry,” i.e., weapons based on programming code, receives paramount attention in official cyber warfare doctrine."
Technology as the next Revolution in Military Affairs (RMA) was inevitable development, what's important to keep in mind is knowing who's up to what, what are the foundations of their military thinking, as well as who's copying attitude from who. Having the capacity to wage offensive and defense cyber warfare is getting more important, still, military thinkers of certain countries find network centric warfare or total renovation of C4I communications as the panacea when dealing with their about to get scraped conventional weaponry systems. Convergence represents countless opportunities for waging Cyber Warfare, offensive one as well, as I doubt there isn't a country working on defensive projects.
In a previous post Techno-Imperialism and the Effect of Cyberterrorism I also provided detailed overview of the concept and lots of real-life scenarios related to Cyberterrorism, an extension of Cyber warfare capabilities. It shouldn't come as a surprise to you, that a nation's military and intelligence personnel have, or seek to gain access to 0day security vulnerabilities, the currency of trade in today's E-society as well as recruiting local "renegades".
Undermining a nation's confidence in its own abilities, the public's perception of inevitable failure, sophisticated PSYOPS, "excluded middle" propaganda, it all comes down to who's a step ahead of the event by either predicting or intercepting its future occurrence. Information is not power, it's noise turning into Knowledge, one that becomes power -- if and when exercised.
China
"Beijing’s intelligence services continue to collect science and technology information to support the government’s goals, while Chinese industry gives priority to domestically manufactured products to meet its technology needs. The PLA maintains close ties with its Russian counterpart, but there is significant evidence that Beijing seeks to develop its own unique model for waging cyber warfare."
Iran
"The armed forces and technical universities have joined in an effort to create independent cyber R & D centers and train personnel in IT skills; and second, Tehran actively seeks to buy IT and military related technical assistance and training from both Russia and India."
Russia
"Russia’s armed forces, collaborating with experts in the IT sector and academic community, have developed a robust cyber warfare doctrine. The authors of Russia’s cyber warfare doctrine have disclosed discussions and debates concerning Moscow’s official policy. “Information weaponry,” i.e., weapons based on programming code, receives paramount attention in official cyber warfare doctrine."
Technology as the next Revolution in Military Affairs (RMA) was inevitable development, what's important to keep in mind is knowing who's up to what, what are the foundations of their military thinking, as well as who's copying attitude from who. Having the capacity to wage offensive and defense cyber warfare is getting more important, still, military thinkers of certain countries find network centric warfare or total renovation of C4I communications as the panacea when dealing with their about to get scraped conventional weaponry systems. Convergence represents countless opportunities for waging Cyber Warfare, offensive one as well, as I doubt there isn't a country working on defensive projects.
In a previous post Techno-Imperialism and the Effect of Cyberterrorism I also provided detailed overview of the concept and lots of real-life scenarios related to Cyberterrorism, an extension of Cyber warfare capabilities. It shouldn't come as a surprise to you, that a nation's military and intelligence personnel have, or seek to gain access to 0day security vulnerabilities, the currency of trade in today's E-society as well as recruiting local "renegades".
Undermining a nation's confidence in its own abilities, the public's perception of inevitable failure, sophisticated PSYOPS, "excluded middle" propaganda, it all comes down to who's a step ahead of the event by either predicting or intercepting its future occurrence. Information is not power, it's noise turning into Knowledge, one that becomes power -- if and when exercised.
Independent Security Consultancy, Threat Intelligence Analysis (OSINT/Cyber Counter Intelligence) and Competitive Intelligence research on demand. Insightful, unbiased, and client-tailored assessments, neatly communicated in the form of interactive reports - because anticipating the emerging threatscape is what shapes the big picture at the end of the day. Approach me at dancho.danchev@hush.com
Saturday, May 27, 2006
Delaying Yesterday's "0day" Security Vulnerability
I never imagined we would be waiting for the release of a "0day" vulnerability, but I guess that's what happens if you're not a customer of an informediary in the growing market for software vulnerabilities -- growth in respect to, researchers, infomediaries and security vulnerabilities. Stay tuned for "Exploit Of Windows 2000 Zero-day To Hit In June", and take your time to appreciate that it's affecting "extended support" software. From the article :
"Symantec warned its enterprise customers Thursday that an unpatched vulnerability in Windows 2000’s file sharing protocol has surfaced, with details of an exploit expected to show next month. According to the Cupertino, Calif. company’s alert, an exploit for the zero-day bug in Windows 2000’s SMB (Server Message Block) protocol has been created by Immunity Security, the makers of the CANVAS exploit-creation platform. By Immunity researcher Dave Aitel’s account, the exploit leverages a flaw in the operating system’s kernel that can be triggered through SMB, and will give an attacker full access to the PC. Aitel claimed Immunity will make the exploit public in June. "Immunity is considered to be a reliable source and we are of the opinion that this information should be treated as fact," read Symantec’s warning. "An official security update from Microsoft will likely not be in development until after June when the information is released."
Well, how can they fix in such a way, even though their "sophisticated", quality-obsessed patch management practices. When working with vulnerabilities, or updating yourself with the dailypack of new ones, don't live with the false feeling of their uniqueness, but try figuring out how to be a step ahead of the vulnerabilities management stage. If Microsoft requested from Immunity Security to look up for possible security vulnerabilities, gave them a deadline, and secured a commission in case a vulnerability is actually found, it would have perfectly fited in the scenario in a previous post "Shaping the Market for Security Vulnerabilities Through Exploit Derivatives" -- reporting a vulnerability, let's not mention web application vulnerability is for the brave these days. Moreover, "Economic Analysis of the Market for Software Vulnerability Disclosure" quotes Arora et al. on the same issue from a vendor's point of view :
"developing an economic model to study a vendor's decision of when to introduce its software and whether or not to patch vulnerabilities in its software. They compare the decision process of a social-welfare maximizing monopolistic vendot, to that of a profit-maximizing monopolistic vendor. Interestingly, they observe that the profit-maximizing vendor delivers a product that has fewer bugs, than a social-welfare maximizing vendor. Howver, the profit-maximizing vendor is less willing to patch its software than its social-welfare maximizing counterpart." - The Price of Restricting Vulnerability Publications is indeed getting higher.
Reactive, Proactive, or Adaptive - what's your current security strategy?
"Symantec warned its enterprise customers Thursday that an unpatched vulnerability in Windows 2000’s file sharing protocol has surfaced, with details of an exploit expected to show next month. According to the Cupertino, Calif. company’s alert, an exploit for the zero-day bug in Windows 2000’s SMB (Server Message Block) protocol has been created by Immunity Security, the makers of the CANVAS exploit-creation platform. By Immunity researcher Dave Aitel’s account, the exploit leverages a flaw in the operating system’s kernel that can be triggered through SMB, and will give an attacker full access to the PC. Aitel claimed Immunity will make the exploit public in June. "Immunity is considered to be a reliable source and we are of the opinion that this information should be treated as fact," read Symantec’s warning. "An official security update from Microsoft will likely not be in development until after June when the information is released."
Well, how can they fix in such a way, even though their "sophisticated", quality-obsessed patch management practices. When working with vulnerabilities, or updating yourself with the dailypack of new ones, don't live with the false feeling of their uniqueness, but try figuring out how to be a step ahead of the vulnerabilities management stage. If Microsoft requested from Immunity Security to look up for possible security vulnerabilities, gave them a deadline, and secured a commission in case a vulnerability is actually found, it would have perfectly fited in the scenario in a previous post "Shaping the Market for Security Vulnerabilities Through Exploit Derivatives" -- reporting a vulnerability, let's not mention web application vulnerability is for the brave these days. Moreover, "Economic Analysis of the Market for Software Vulnerability Disclosure" quotes Arora et al. on the same issue from a vendor's point of view :
"developing an economic model to study a vendor's decision of when to introduce its software and whether or not to patch vulnerabilities in its software. They compare the decision process of a social-welfare maximizing monopolistic vendot, to that of a profit-maximizing monopolistic vendor. Interestingly, they observe that the profit-maximizing vendor delivers a product that has fewer bugs, than a social-welfare maximizing vendor. Howver, the profit-maximizing vendor is less willing to patch its software than its social-welfare maximizing counterpart." - The Price of Restricting Vulnerability Publications is indeed getting higher.
Reactive, Proactive, or Adaptive - what's your current security strategy?
Independent Security Consultancy, Threat Intelligence Analysis (OSINT/Cyber Counter Intelligence) and Competitive Intelligence research on demand. Insightful, unbiased, and client-tailored assessments, neatly communicated in the form of interactive reports - because anticipating the emerging threatscape is what shapes the big picture at the end of the day. Approach me at dancho.danchev@hush.com
Subscribe to:
Comments (Atom)