Friday, July 31

Ineffective Laptop Recovery Software + Whitelisted Persistent BIOS Rootkit = Fail!

Following up their bleeding-edge research on BIOS-resident malware at CanSecWest, the ultra-smart guys (Alfredo and Sacco) from CoreSecurity have disclosed a significant issue with the laptop recovery software LoJack.

I have debated the effectiveness of laptop recovery software many times, arguing that the recovery of the hard asset does not justify its cost (how much is the laptop hardware worth vs. the cost of recovery?).

But now it is even worse: with this BIOS-resident software installed (or pre-installed, in an estimated 60% of new laptops from Lenovo, HP, Gateway, Dell and Toshiba) there is significant exposure to the LoJack software being modified by someone malicious. Compounding the issue, the software is already whitelisted by anti-virus vendors, meaning there would be no way to prevent or detect such a modification.

It's a bit ironic when security software exposes its paying users to much more risk than it addresses. "Get it. And get it back - twice as bad."

Monday, July 27

PCI Compliance - Brand Fines Changing?

It looks like there are some rumors that the payment brands are changing their policies on fines levied on non-compliant merchants. Branden's security convergence blog is reporting changes to MasterCard's fine schedules for the various merchant levels.

Wednesday, July 22

Top 10 Botnets

An interesting article was posted describing today's top ten botnets, with summary information on their characteristics. The interesting things are where Conficker showed up (10th) and the percentage of these botnets whose criminal purpose is to collect valuable and sensitive information (1/10). It looks like most of these are intended to provide control, and then to be capable of whatever the controller wishes.

Thursday, July 16

Twitter Hack - Techcrunch Ethics

There is a real storm of activity after documents were obtained through a hack of a Twitter employee's Google Apps account. Over at TechCrunch, a heated debate over the ethics and newsworthiness of publicly posting the ill-gotten data is beating down on the site's editors.

While it might be entertaining to voice opinions on people's ethics regarding the outing of the actual information, I think the real story is the lapse in security by the Twitter employee. A bad, guessable password was used to protect access to very sensitive internal data, which raises an important point regarding the use of Google Apps or any other easily accessible service.

It really shouldn't take an incident like this for companies to put simple protections like these over their information. If there is risk related to disclosure of the information, make sure it is protected.

Wednesday, July 15

Anti-virus Statistics - Motivations

In a study completed and published by Avira, the results of the survey showed that for 34 percent (3,207 respondents) a long-established, trustworthy brand was key. Almost as many users, 33 percent (3,077 respondents), based their decision on the virus detection rates achieved in independent tests.

Detection rates - let's call this the effectiveness of the control - are the key metric used to measure effectiveness. This is a skewed metric, as the large majority of evaluations (ICSA Labs, VB100, etc.) use the "in-the-wild" or ITW list of viruses to perform the evaluations. There is no evaluation of these products' ability to respond to, or even detect, newly released viruses and malware.

In all honesty, what we are really dealing with here is preventative vulnerability management, not virus detection and correction, and in my opinion there are four types of preventative protections required for the average consumer (some are currently reality, others not):

1. Consumers buying products based on their security. This does not exist in any meaningful way for the general community. Let's get someone to independently evaluate the software makers on this and publish the results so consumers can make choices based on their performance.

2. A service to update software code quickly. There should also be an independent evaluation of a product's susceptibility to vulnerabilities and the speed with which these are patched by the vendor. This should apply to all software, not just operating systems and browsers. Again, there could be independent evaluations of the companies' policies, practices and past performance in this area.

3. A perfect ITW detection engine - 100% - there is no reason a product should score less than this for KNOWN viral code. Really, this should be combined with #4.

4. A product to detect and respond to new threats - ones without signatures - which are a significantly larger threat, as they are generally developed with more financial motivation. Apple's and Microsoft's user authorization of unsigned code is a good first step, but this should be done at the CPU level to detect suspicious behavior by software and apply a policy to it. Do consumers actually read a warning about unsigned code, or do they just click "continue"? AMD, Intel, other chip makers? Is this possible at a low level, and how do we trust these companies themselves?

Anyone else have thoughts on other ways of preventing the impacts of vulnerabilities?

Tuesday, July 14

White-hat Budgeting

In response to his recent black-hat budget post, I commented on what Richard has also described he would spend the $1 million on in defense. It turns out that it doesn't buy you much, although I agree with his approach of spending the cash on people and their ability to use the tools they already have access to.

I would take a slightly different perspective on the problem, however. The $1 million is not just spent in one place but spent multiple times in defense against the black-hat team, as they can target multiple organizations, i.e. the same team can move from target to target without spending any additional money and force many millions of dollars of defense spending across multiple companies.

The other reality is that the defense is not just defending against one black-hat team but against the potential for multiple black-hat teams.

My opinion is that, like the black-hat teams, the defense should set the amount of money spent based on the potential loss of the information (or of availability, if that is the risk). This would then balance out, as you can spend less in focused efforts targeting protection of the specific information. There is no reason to spend $$$ on a commercial security management solution to protect only one database table where the sensitive information exists. The problem is that you have to know where that information lives throughout its life.

Sunday, July 12

Mobile Device Protection - Is this not standard practice yet?

Does anyone need any more reasons to avoid losing sensitive information on mobile devices? Dell has released the results of a study looking into actual data on lost mobile devices.