
In The News Archives

January 31, 2007

Who cared about Peacomm?

Earlier this month the Internet saw a newsworthy Trojan called Peacomm. It spurred gasping headlines such as “Storm Worm hits 1.6 million PCs” and “Storm worm still on botnet-building patch” and “Storm virus gathers pace”. I got a request to do a press interview on this Trojan. My response was, no kidding, a large laugh out loud. Why would I take such a quixotic view? The virus just wasn’t a contending threat to enterprise networks. The threat delivered itself in a spam email as an .exe attachment. I can’t think of a single enterprise where this wouldn’t be automatically caught.

After the press frenzy dwindled I had a chance to do some more research. I wanted to find the answer to why this Trojan got so much attention. It turns out that since all of our antivirus vendors have yet to adopt a standard risk metric, it takes but one vendor to make a virus newsworthy. I might also note that just one of the major AV vendors distinguishes threats differently for enterprises and consumers. Here is a recap of how AV vendors classified the Peacomm Trojan:

Symantec
Name: Trojan.Peacomm
Severity: 3
Severity ratings are given as 0 to 5 bars

TrendMicro
Name: TROJ_SMALL.DSI
Overall Risk Rating: Low
Risk ratings can be: Very Low, Low, Medium, High

F-Secure
Name: Small.DAM
Radar Alert: Level 2
Radar Alerts include: None, Level 3, Level 2, Level 1 where Level 1 is a “Worldwide epidemic of a serious new virus”

McAfee
Name: Downloaders-BAI!M711
Corporate User: Low-Profiled
Home User: Low-Profiled
Risk levels can be: Low, Medium, High, Critical

Sophos
Name: Troj/Dorf-Fam
Prevalence: High
Note: Sophos uses a prevalence rating, not really a risk rating.


For the most part the AV teams did rate this as a rather low threat. I really haven’t determined why this Trojan garnered so much news. Though, I did learn 2 things:

1) The rating systems among vendors for AV threats are a learning experience in themselves.
2) Only one of the vendors, McAfee, specifically provides separate ratings for corporate and home users.

So what’s the point? The point is, don’t trust a media frenzy to make a risk assessment. You’ll have to do that on your own. When it comes to determining the risk of a virus, you’ll have to decide to rely on a single vendor, or try and make heads or tails of the varying metrics provided. Hrmm, sounds like AV risk assessments are just like all other risk assessments.

Skype to partner for security in the workplace

As reported on CNET.

Apparently, Skype plans to partner with trusted security vendors to somehow make their product fit into the realm of security compliance needs. I like Skype and think it has huge advantages for some people. However, it's another example of technology getting ahead of corporate security needs. I'd welcome a Skype client that I could monitor, configure and centrally manage. Until then, keep it away from my networks.

To all those people in the nCircle office laughing right now: I see you using Skype at the office. Don't think I don't know. :-)

February 1, 2007

Skype Might Not Be So Bad

After my posting last night regarding Skype insecurity in the workplace, I was contacted by their PR agency. They directed me to a few references regarding this topic. Under the guise of information sharing, I’ll direct you to the most interesting link: their Guide For Network Administrators.

Well, I was shocked. Here is a document dated October of 2006, which discusses methods to deploy and manage Skype in the enterprise. For me, the most interesting part of the document is the discussion on registry settings to manage configuration options. If your endpoints are in a Windows Active Directory, then you can use GPOs to control settings, or registry settings directly for non-domain systems. There are also some elusive discussions regarding custom MSI builds.

I wouldn’t go so far as to endorse Skype in my enterprise, yet. Nonetheless, I’m encouraged by these findings. Check them out for yourself.

February 27, 2007

What’s old is old again – vulnerabilities in Office 2007

Old Microsoft is old again and Britney with a shaved head is more interesting

After a year of listening to Microsoft tout its new security features and explanations of its rigorous life cycle testing of Vista and its new Office 2007 suite, we appear to be right back on the same path. Last week Eeye hinted at an advisory in Publisher 2007. A day later we learned they had in fact disclosed the vulnerability to Microsoft with respect to the Publisher 2007 file format. Didn’t we do this already in Office 2003? Oh yes, we did, a few times. Yesterday we learned that Symantec reported a pair of vulnerabilities in Word 2003 and Excel 2003. Apparently, a Russian researcher found a new exploit in, you guessed it, the WMF file format.

The new, yet to be disclosed, vulnerability in Publisher 2007 probably won’t affect many enterprise shops. Publisher isn’t an enterprise application and historically has been targeted to the SMB market. As I recall, the last time I installed Office from CD, wasn’t Publisher on an entirely separate CD? In recent years, though, it has taken a slight step forward with its integration with Sharepoint, Microsoft’s enterprise content management and Intranet platform. Nonetheless, if Publisher was subjected to the same rigorous security testing as the rest of the Office 2007 suite, we can probably assume that similar bugs will eventually end up affecting Word and Excel. The real question today is “just how good was Microsoft’s stepped up security testing of its new products for a vulnerability to have been found so quickly?”

The fight is getting old and taxing. The insecurity of Microsoft apps probably keeps 20% of security operations employed. How many times do I need to deploy new GPOs to issue a kill bit on some ActiveX bug? Just how many file formats can we be excluding from our perimeter email gateways? We worry about the loss of intellectual property. Seriously, it may get so bad that unless you convert all your Word docs to text only, you will be unable to find any buyers for your stolen IP. I can imagine a new SOA market: conversion of Office docs to their equivalent text-only formats for the purpose of black-market dealings. Vulnerabilities aren’t going to go away, but let’s get something new. How about a new multidimensional attack worm? How about something funny like the Solaris telnet vulnerability? I’ve got to imagine that security teams, press and consumers are probably pretty bored as well. Probably explains why we all flock to our computers to see pictures of Britney shaving her head.

February 28, 2007

New Cisco Vulns

Just a quick note. This seems to be a good month for Cisco vulnerabilities.

Advisory ID: cisco-sa-20070228-nam
Advisory ID: cisco-sa-20070228-mpls

March 5, 2007

Hooters To Tighten Their Credit Card Payment Process

Reported by USA Today, both Hooters and Ruby Tuesday announced new tighter credit card handling procedures. Ruby Tuesday is touting an "Ultra-secure credit card process" which will apparently leave no credit card information at the restaurant. Hooters says they are in a pilot program which allows you to pay with a credit card from your table.

Just exactly what is an "ultra-secure credit card process"? This makes me feel like I'm watching QVC. Everything is "ultra" this and "HD" that at an unremarkable value for a limited time. Would you like some bowie knives and a saber with that?

The pay-at-your-table concept will be interesting. No doubt it will be a wireless device. I'd like to see the first analysis of that RF traffic. Another thing: too many people already fail to check my signature or ID. Paying at the table will undoubtedly ensure that the merchant will verify not a single transaction.

Intel's Data Retention (or lack thereof)

According to MarketWatch, Intel may have lost some email with respect to an ongoing antitrust lawsuit with AMD. The story in itself isn't really all that interesting. What caught my eye was the plethora of failed communication and user training anecdotes. Here are a few great snippets from the article:

Intel said a "fail-safe plan" to prepare back-up tapes missed some employees, while some workers didn't properly follow document retention policies. It further admitted some workers weren't given timely notice to retain materials.
In other cases, Intel said some employees may not have moved all the e-mails to their hard drives, while a few employees thought the company's information technology department was automatically saving their e-mails.
He said Intel is taking steps to correct the problems, including implementing a new email archiving system using software from EMC Inc., among other measures.

I'm no SOX expert, but I do know a thing or two about data retention policies. Isn't there a SOX requirement regarding data retention with respect to contracts and financial documents, including email? It's my experience that companies affected by data retention policies, in regard to regulatory compliance, generally install a technical means to automatically retain all data BEFORE going public. There seems to be a larger problem if your retention policy relies on employees copying data from their mailbox to their hard drive. Exactly how long has Intel been public?

Maybe someone who has first-hand knowledge with respect to data retention of email and SOX could help shed some light?

March 9, 2007

Sourcefire IPO set at $15

According to AP reports, Sourcefire has set their initial price at $15 per share. Previously, the expected range was set at $12 to $14.

Since the onslaught of SOX, there has been a significant decrease in IPO activity. The new conventional wisdom says that you need at least $100M in revenue to go public. That combined with a minimum of $2M a year to stay compliant has many companies looking for alternative ways to raise capital. These forces are just one reason for the increasing consolidation in many markets. Given that Sourcefire's annual revenue is only about half of the $100M thought to be needed, all of us private companies will be watching and learning.

March 26, 2007

Recent Smartphone News

Handheld mobility devices: the security and functionality of said devices never seem to get dull. Recently, we have two references you may want to read more about. First is a writeup from ComputerWorld, the second is an announcement from PayPal.

Jon Espenschied has a nice writeup in ComputerWorld, titled "Ten dangerous claims about smart phone security". This is an excellent primer for anyone who thinks his or her smartphone is safe. His 10 claims are as follows:

1. It's just a phone with cool features, right?
2. It's stable, just like any other purpose-built appliance.
3. Communications are encrypted from end to end.
4. The connection's secure unless I use Wi-Fi in a cafe.
5. E-mails and messages are secure from prying eyes.
6. Using a mobile phone constitutes out-of-band communication.
7. I trust the integrity of data and applications on a smart phone.
8. Information deleted from a smart phone is gone, right?
9. Spying on my smart phone is hard.
10. Abuse is minimal because the network and phones are constrained.


In other news, PayPal is gearing up to deploy a mobile payment service. According to CNET and the WSJ, PayPal will launch a service this year, enabling users to pay for transactions using a smartphone. More specifically, people with web-enabled handhelds will have a specific application allowing them to pay for transactions using their PayPal account.

Back at RSA, when I participated on the SmartPhone Insecurity panel, it came to my attention that people really do use their phone to surf and purchase items. I was amazed to see more than half of the audience had purchased something from the Internet using their handheld in the last month. Personally I find the form factor and medium of a handheld too annoying to do any serious shopping.


March 28, 2007

Cisco Call Manager 'Ping of Death'?

I'm reading the new Cisco vulns released today regarding Cisco Unified Call Manager. Apparently one can cause a DoS by sending an ICMP flood.

* ICMP Echo Request Flood Denial of Service

By sending a large amount of ICMP Echo Requests (Ping) to a CUCM or CUPS system, it may be possible to cause various CUCM / CUPS services to crash resulting in a denial of service affecting voice services. CUCM versions 3.x and 4.x are not affected by this vulnerability, only CUCM version 5.0 is affected. The CUCM issue is documented in Cisco Bug ID CSCsf12698. The CUPS issue is documented in Cisco Bug ID CSCsg60930.

I interpret this as the classic "ping of death" we used to enjoy in early versions of Windows. One would think this would have been solved already.

Anybody try it yet?
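A defender-side check for the advisory quoted above, as an added example that is not code from the post or from Cisco: a sliding-window detector that flags bursts of ICMP Echo Requests (type 8) aimed at assumed CUCM/CUPS addresses in constructed flow records. The protected addresses, the one-second window and the threshold of 100 requests are all assumptions, not values from the advisory.

```python
# Added example (not from the nCircle post or the Cisco advisory): rate-based
# detection of ICMP Echo Request floods against call-manager hosts, run over
# constructed flow records. Addresses, window and threshold are assumptions.
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float            # seconds since capture start
    src: str
    dst: str
    proto: str           # "icmp", "tcp", "udp"
    icmp_type: int = -1  # 8 = Echo Request; -1 for non-ICMP


# Hypothetical protected hosts (constructed RFC 5737 documentation addresses)
PROTECTED = {"192.0.2.10": "cucm-5.0", "192.0.2.11": "cups"}


def detect_echo_floods(packets, window=1.0, threshold=100):
    """Return a list of (dst, window_start, count, top_src) alerts raised
    whenever more than `threshold` Echo Requests reach a protected host
    within `window` seconds. Repeat alerts for the same host are suppressed
    for one window so a sustained flood yields one alert per window."""
    recent = defaultdict(deque)  # dst -> deque of (ts, src) inside window
    last_alert = {}              # dst -> ts of the most recent alert
    alerts = []
    for p in sorted(packets, key=lambda p: p.ts):
        if p.proto != "icmp" or p.icmp_type != 8 or p.dst not in PROTECTED:
            continue
        q = recent[p.dst]
        q.append((p.ts, p.src))
        while q and p.ts - q[0][0] > window:   # slide the window forward
            q.popleft()
        if len(q) > threshold and p.ts - last_alert.get(p.dst, -window) >= window:
            by_src = defaultdict(int)
            for _, s in q:
                by_src[s] += 1
            alerts.append((p.dst, q[0][0], len(q), max(by_src, key=by_src.get)))
            last_alert[p.dst] = p.ts
    return alerts


def sample_traffic():
    """Constructed traffic: benign monitoring pings plus one burst."""
    pkts = [Packet(i * 5.0, "192.0.2.50", "192.0.2.10", "icmp", 8)
            for i in range(20)]                  # one ping every 5 s
    pkts += [Packet(30.0 + i * 0.002, "198.51.100.7", "192.0.2.10", "icmp", 8)
             for i in range(300)]                # 300 requests in 0.6 s
    pkts += [Packet(30.0 + i * 0.002, "198.51.100.7", "192.0.2.99", "icmp", 8)
             for i in range(300)]                # same burst, unprotected host
    return pkts


if __name__ == "__main__":
    for dst, start, n, src in detect_echo_floods(sample_traffic()):
        print(f"ALERT {PROTECTED[dst]} {dst}: {n} echo requests within 1 s "
              f"starting at {start:.3f}s, top source {src}")
```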

April 17, 2007

Major Blackberry Outage (updated)

We seem to be experiencing a rather widespread outage of Blackberry / RIM service in North America. A few Blackberry forums show users reporting significant outages. We also seem to be showing the same issues, as of about 5:15PM Pacific. While we await our official ticket with Blackberry to be acted upon, does anyone have any official word from RIM?

Meanwhile, if this is a large outage, what a great time to go launch an attack. Many, many companies rely on these smartphone devices to alert their operations teams. We are essentially blind. Time to go bust out my alpha pager and fire up qpage. Always good to have a backup plan.

Update:
Received a response from BlackBerry support:

We are experiencing technical difficulties with BlackBerry services affecting sending and receiving of emails. You will also experience issues using the BlackBerry Browser and sending and receiving of PIN to PIN messages. We are taking all necessary actions to restore regular service levels.

Confirmed it's a network issue.

Update: 10:00PM Pacific. NBC out of NY has picked up the story.

NEW YORK -- NewsChannel4 has learned of a massive system failure affecting all blackberry users in the western hemisphere.

It's a big one, folks.

Update: 8:50AM Pacific, 4/18/07

As a paid subscriber to Blackberry Technical Support Services, I received an official update from Blackberry. Unfortunately, its contents must be kept confidential. The email begins with a lengthy disclaimer and statement of confidentiality. Obviously, they are trying to communicate, but within some guidelines.

Also changed the subject of this post.

April 19, 2007

RIM Explains Outage

RIM released a statement this evening regarding their massive outage. A few key points:

* The outage occurred during a software upgrade.
* Apparently, the software was not fully vetted in a non-production system.
* In their attempts to fix the outage, RIM migrated their systems to a failover environment. Unfortunately, that system did not perform to its intended expectations.

The outcome?

* The market will force RIM to follow a better software development life cycle.
* RIM will probably test their failover system more often.
* Larger, more important questions regarding the security, reliability and privacy of RIM's architecture will be put in the spotlight.

April 18, 2008

PayPal's Browser Preference Protects Consumers

While most consumers knock on vendor doors to raise awareness and demand better security, PayPal is flexing their muscle in a different way. They are going to force their users to only use approved web browsers. While this may seem disruptive, it is actually a rather old technique used by software vendors. Every piece of software you buy today, consumer or enterprise, comes with a list of approved and required components. If the user chooses to use a non-approved configuration, the vendor denies support. This is a natural progression of the Internet. Providers of services need not only protect their bottom line by making such demands, but also in the long run will protect the consumer. That is exactly what PayPal is doing and this is good business for everyone.

The next disruptive technology to hit consumers and enterprises will be the single site browser. This will be web browser-like client software that can do nothing but be used for a single website. Think of this as a traditional client/server application. If you need to use your financial system, you launch browser X; then if you need to use the ERP system, the user launches browser Y. At the far end of the spectrum, this feels like a 10-year step backwards in user productivity and IT operations management. In all likelihood though, what we will probably see is still a single browser, but one that is intelligent enough to lock all network traffic to a single known and trusted site. In this scenario, the user would need to log off and switch context between system X and system Y; all the while the browser ensures no errant information gets transmitted to any other system.

Can it be pulled off? Given the very open nature of the Internet and HTTP, it's rather easy to impersonate web traffic to look as if the user is using Internet Explorer instead of Firefox. Exactly how and if service providers act on this initiative will be interesting to watch. We do already have one other service for comparison. iTunes from Apple is essentially the same situation. If a user wants to use the iTunes music store, they need to use iTunes. So far, that limitation hasn't seemed to limit Apple's revenues.

So what about the openness of the Internet? What about the market created by browser wars? Are we going to see fewer browsers? Look at it this way: the more we demand features and functionality, the more the market will evolve.

July 8, 2008

"Giant" DNS Vuln - Apple: 0; Microsoft: 1

Close your Twitter and FriendFeed; drop that iPhone; put your shoes on and order some pizza; it's gonna be a late night full of patching DNS servers. At least that's what you'd think I'd be writing about today. Multiple DNS implementations are vulnerable to cache poisoning and it is a relatively big deal. The bigger deal that we seem to be overlooking is Microsoft's role in this event and how the competition stacks up.

Today is July 8th 2008. It's what we call Patch Tuesday and by normal accounts it's a day that people like myself, who work professionally in information security, already know quite clearly what is on today's plate. However, today's Patch Tuesday is a bit different. Thanks to a number of influential security professionals, we have a significant multi-vendor and multi-agency coordinated release going on. Today, Microsoft is not the only game in town.

When we talk about today's DNS vulnerability announcement, I'm not fretting over my Windows servers or my XP laptops. The vendors we need to be concerned with today are the 90+ other companies listed on the CERT advisory that have provided no status information regarding their products. Many of these vendors were apparently notified in April and May of 2008. Three months later, the advisory is now public and many high profile vendors have the dreaded "unknown" status. I'll save you the time to read the vendor list and highlight a trend I've talked about before:

Cisco: Vulnerable
Foundry: Not Vulnerable
ISC: Vulnerable
Juniper: Vulnerable
Microsoft: Vulnerable
Nominum: Vulnerable
Power DNS: Not Vulnerable
Sun: Vulnerable
Apple: Unknown

That is correct. The company which insists it has the most secure operating system, the company which continues to try and penetrate the enterprise computing market, is listed as unknown. This is also the same company which lost its splashy smartphone to a previously patched bug in an open source project. Not much later, its brand new laptop keeled over in less than 2 minutes at PWN2OWN.

In comparison, we know that back in March engineers from major vendors met at Microsoft to plan and coordinate today's events. Further, not only do we know what Microsoft products are vulnerable, but we also have patches. The reason for this is simple - Microsoft is an enterprise vendor:

Microsoft has a predictable and regular patch release cycle.
Microsoft communicates to the public about its security issues.
Microsoft has a publicly readable and defined security glossary of terms.
Microsoft has a well-run security development life cycle.

We may not always like Microsoft or Microsoft products (hint: please extend the support of XP), but today's round goes clearly to Microsoft.

Updates

7/9/08: Added vendor references

http://sunsolve.sun.com/search/document.do?assetkey=1-26-239392-1
http://www.cisco.com/warp/public/707/cisco-sa-20080708-dns.shtml
http://www.isc.org/index.pl?/sw/bind/bind-security.php
http://www.microsoft.com/technet/security/bulletin/ms08-037.mspx

July 15, 2008

San Francisco IT Admin Charged with Hijacking the City's Network

Link to PC World Article

Being an IT manager and security professional, this story makes me shake my head. It has certainly been the talk soup at the office today. A few quick thoughts on this.

Terry Childs seems to have backed himself into a corner and created a no-win situation. He had to have been in a desperate position to take the system hostage by blocking access and refusing to hand over passwords. Unfortunately for Childs, real-life computer security rarely works like it does in the movies; bargaining power is limited by the long arm of the law.

Childs' managers should have known better. A situation like this could only occur if safety nets and best practices were ignored or circumvented. Any security program that could allow one person to cause this much damage is seriously deficient, especially since this has apparently been going on since June 20th.

The big question in my mind concerns the ramifications of continuing to run a system that could have been rigged to remotely delete data. If this concern turns out to be accurate, every minute that the city keeps the system up while it is not entirely in their control is another minute that city data is in jeopardy. A compromised system could mean data is deleted and confidential information gets leaked. Both of these are significant risks.


Update:
Linked to the Robert McMillan article in PC World since he used my quote.

About In The News

This page contains an archive of all entries posted to Sync in the In The News category. They are listed from oldest to newest.
