Stories by Roger A. Grimes

Titus Labs helps stop e-mail slips

The news media is full of stories about e-mails and documents that were better off not sent. Last year an airline CEO accidentally sent an ultra harsh e-mail to complaining customers, the text of which was obviously not intended for the customers. Frustrated employees frequently send embarrassing internal memorandum to public news sources. And is there an e-mail user who hasn't regretted accidentally sending an e-mail to an unintended party? Whether e-mail or documents are sent intentionally or not, it is clear that content intended for a restricted audience is being shared with unauthorized parties on a regular basis.

Notes from AusCERT 2008

I've had the pleasure of speaking and attending this year's AusCERT 2008 security conference held in Gold Coast, Australia. If you've never been to Australia, you're missing some of the best that life has to offer, and I feel the same way about the conference. Although a bit smaller than most US security conferences, it's intentionally kept small (around 1,000 participants) and makes up in quality speaker presentations and vendor participation what it lacks in headcount. One of the great attributes of the typical Aussie is their aversion to marketing hype, along with their ability to "cut the fat off a chicken" (as my grandmother used to say) and pull out the salient points. If a vendor tries to push marketing fluff about their product too much, they are likely to get verbally assailed rugby-style. Here are some of my favorite notes and quotes from selected speakers:

ZoneAlarm ForceField: Compromised in sixty seconds

Check Point Software's new Web browser security software, called ZoneAlarm ForceField, integrates a host-based firewall, anti-spyware, Web site rating, anti-phishing, and keylogger-jamming into a limited virtualization environment with the elegant user interface you've come to expect from the ZoneAlarm brand. Its goal is to provide superior anti-malware protection against the increasingly prevalent and complex threats posed to Internet surfers.

Fixing the Internet

Long-time readers know that I often rant about how insecure the Internet is, and how few solutions will do anything to change that equation during the next 5 to 10 years. I've also recommended a handful of solutions over the years, and accepted the resulting criticism that goes along with proposing big ideas.

Zero-second exploits

Microsoft SQL server hasn't had a public vulnerability announcement since 2004. The SQL Slammer worm struck in 2005, but the hole the worm exploited had been patched six months before. The holes that MS-Blaster and Code Red worm attacked had been patched, too. But back just a few years ago, no one really cared about patching really. We just didn't patch.

Be careful with transitive trust

I just got through reading about another hugely popular, legitimate Web site hosting malicious code that redirects visitors to a malicious Web site. Once redirected, the new Web site runs a fake virus scanner and -- surprise, surprise -- finds multiple malware programs on the user's computer as it offers to install new "anti-virus" software to the end-user. Of course, users foolish enough to install the software end up installing what is likely to be the only malicious program on their computer.

Virtual machines aren't really more secure

I've been at several recent conferences where virtual machine (VM) and security "experts" were telling audiences how VM technology can be used to improve computer security. Wow! They are either drunk on the marketing Kool-Aid, misinformed, or simply trying to misrepresent VM capabilities to sell more product.

Don't throw out ActiveX (or Java)

For years, many security consultants and well-meaning guidelines have recommended completely disabling ActiveX in Internet browsers (mainly Internet Explorer) to prevent a particular type of Web client-side attack. Running a browser without ActiveX enabled can be a frustrating experience for end-users, as many popular and legitimate Web sites use ActiveX to enhance the user's overall experience.

It's the applications, stupid

It's always written that the first Presidential candidate Clinton posted, "It's the economy, stupid!" as a banner marquee in his campaign office during his premiere run. This saying supposedly helped focus the staff, resulting in a surprise win for the Democrats.

Thousands of Web sites under attack

On March 12, McAfee's AVERT labs reported 10,000 Web pages using Active Server Pages (ASP) had been infected through SQL injection. A few days later, Microsoft employee Neil Carpenter detected 14,000 maliciously-modified Web pages. After the initial SQL injection, the automated attack injected a malicious Javascript or Iframe code to redirect visitors to criminal-controlled Web sites. The malicious Web sites then attempted to invisibly exploit end-users using multiple, previously patched vulnerabilities, or if no vulnerabilities were found, attempted to socially engineer the visitor into running additional software.

Control user installs of software

I've written many times over the years, including as recently as last week, that letting users execute and install their own software will always allow viruses, worms, and Trojans to be successfully installed. Traditionally, I've recommended that users not have admin or root access, that they let system administrators choose what software is allowed and what is blocked. But this recommendation breaks down for several reasons.

Internet security: What will work

In the first column of this year, I discussed computer security outlook and hopes for 2008. I forecast more of the same that we saw in 2007: more spam, more malware, more bad guys basically owning the Internet and our connected computers. I don't see any trends or new leaders with significant power to change the status quo.

[]