Skip to main content

Posts

Showing posts from July, 2009

Ineffective Laptop Recovery Software + Whitelisted Persistent BIOS Rootkit = Fail!

Following up their bleeding edge research on bios resident malware at CanSecWest the ultra-smart guys (Alfredo and Sacco) from CoreSecurity have disclosed a significant issue with the laptop recovery software LoJack.

I have debated the effectiveness of laptop recovery software many times arguing that its cost does not justify the recovery of the hard asset (how much is laptop hardware worth vs the cost of recovery).

But now this is even worse - by having this BIOS resident software installed (or pre-installed in an estimated 60% of new laptops - Lenovo, HD, Gateway, Dell, Toshiba) there is a significant exposure to having the LoJack software modified by someone malicious. Compounding this issue is the fact that the software is already white-listed by virus vendors meaning there would be no way to prevent or detect it from occurring.

Its a bit ironic when security software exposes its paying users to much more risk that it addresses. "Get it. And get it back - twice as bad."

PCI Compliance - Brand Fines Changing?

Looks like there is some rumors related to the payment brands changing their policies on fines levied on non-compliant merchants. Branden's security convergence blog is reporting changes to MasterCard's fine schedules for varying levels of merchant.

Top 10 Botnets

An interesting article was posted describing the today's top ten botnets and summary information describing there characteristics. The interesting thing is where conficker showed up (10th) and the percentage of these botnets whose criminal purpose is to collect valuable and sensitive information (1/10). Looks like most of these are intended to provide control - and then be capable of what ever the controller wishes.

Twitter Hack - Techcrunch Ethics

There is a real storm of activity after documents which were gained through a hack of a Twitter employee's google apps account. Over at Techcrunch a heated debate over the ethics and newsworthiness over the public posting of the actual data that was ill-gotten is beating down the site's editors.

While it might be entertaining to voice opinions on people ethics regarding the outing of the actual information, I think the real story is the lapse in security of the Twitter employee. A bad, guessable password was used to protect access to very sensitive internal data - but this raises an important point regarding the use of Google apps or any other easily accessible service.

It really shouldn't take an incident like this for companies to get these types of simple protections over their information. If there is risk related to disclosure of the information - make sure you have it protected.

Anti-virus Statistics - Motivations

In a study completed and published by Avira (http://www.avira.com/en/company_news/recognition_performance_virus_protection.html) The results of the survey showed that for 34 percent (3,207 respondents) a long-established, trustworthy brand was key. Almost as many users, 33 percent (3,077 respondents), based their decision on the virus detection rates achieved in independent tests.

Detection rates - lets call this effectiveness of the control - as this is the key metric used to measure effectiveness. This is a skewed metric as for the large majority of evaluations (ICSALabs, VB100, etc) use the "in-the-wild" or ITW list of viruses to perform the evaluations. There is no evaluation of these product's ability to respond or even detect newly released virus and malware.

In all honesty really what we are dealing with here is preventative vulnerability management not virus detection and correction, and in my opinion there are four types of preventative protections required for …

White-hat Budgeting

In response to his recent black-hat budget post I commented on what Richard has also described he would spend the 1 mil$ on in defense. Ends up that it doesn't buy you much - Although I agree with his approach to spend the cash on people and their ability to use the tools they already have access to.

I would take a slightly different perspective on the problem however. The 1$ million dollars is not just spent in one place but spent multiple times in defense of the black-hat team as they can target multiple organizations, i.e. the same team can move from target to target without spending any additional money, and force multi-millions of dollars in defense in multiple companies.

The other reality is that the defense is not just defending against one black-hat team but the potential for multiple black-hat teams.

My opinion is that like the black-hat teams, the defense should target the amount of money spent on the defense based on the potential loss of the information (or availability…

Mobile Device Protection - Is this not standard practice yet?

Anyone need any more reasons to avoid situations regarding the loss of sensitive information on mobile devices? Dell has released the results of a study looking into actual data regarding lost mobile devices.