CoreTrace WhiteSpace

The Application Whitelisting and Security Weblog

Faulty Windows update causes more frustrations for PC users

Posted:  March 23, 2010 by Toney Jennings

On Saturday, a faulty update for 64-bit Windows systems caused the BitDefender anti-virus software to flag thousands of legitimate Windows and BitDefender files as potential threats to the system. According to an article by Brian Krebs, “Bad BitDefender Antivirus Update Hobbles Windows PCs,” the glitch caused quite a stir with users who expressed their concerns on the antivirus firm’s Twitter page.

BitDefender later issued a statement to users saying it was creating a patch that would restore the quarantined files. The company also posted a partial recovery for users to follow, but that was met with more disconcerting Tweet’s from users saying that after following the instructions they were still unable to boot up their computers.

To make matters worse, BitDefender has also reportedly warned users that malware writers are issuing fake downloads that fix the problem. The company is advising users to download the fix only from its website.

This story appears to be another example of the escalating problems antivirus solutions are experiencing with bad system updates. The inability to effectively stop malicious code from exploiting system vulnerabilities is causing more work and frustrations for security professionals and users, alike. Including application whitelisting as part of a company’s endpoint security strategy not only prevents malicious code from executing, but also eliminates the risks that can accompany updates.

Most recent comment:   Greg Newman

Ahhhh, you guys are trying to make it EASY on everybody. Great! And then WHAT are we gonna do with ...

Cyber attacks top terrorism as biggest concern for Indian companies

Posted:  March 18, 2010 by Toney Jennings

Escalating revenue losses from cyber crimes and understaffed network security teams have Indian companies more concerned about cyber attacks than terrorism.

In the article, “Cyber attacks worry firms more than terrorism,” the “2010 State of Enterprise Security Study” conducted by Symantec Software Solutions Pvt. Ltd. found that 42% of companies representing industries such as telecom, hospitality, manufacturing, retail and technology perceive cyber attacks as the biggest threat to their enterprises.

One reason cited was the lack of adequate network security. Over the past year, 66% of companies surveyed said they had experienced cyber intrusions while 51% reported repeated attacks. The study also pointed out that deployment of enterprise security has turned into a difficult task for many organizations. Said Vishal Dhupar, managing director at Symantec:

“Enterprise security is understaffed and the most affected areas in organizations are network security, web security and data-loss prevention. To tackle the issue, companies need to secure their messaging and web environments and defending critical internal servers. They should also have the ability to back up and recover data and respond to threats rapidly.

With the rise in malicious attacks targeting sectors that can have a significant impact on India’s economy, one has to wonder if cyber attacks and terrorism weren’t one in the same. As I mentioned in a recent blog, “Are we in a cyberwar or not?” cyber threats continue to have a growing impact on our nation’s economy and global competitiveness. Although U.S. Cyber Czar, Howard Schmidt, may not think we are engaged in cyber warfare, the impacts from targeted attacks are being felt everywhere, and are top IT concerns for many organizations and nations around the world.

Please use the comment form and leave your thoughts!

NSS test demonstrates 86% anti-virus fails to protect against Operation Aurora variants

Posted:  March 16, 2010 by Toney Jennings

A recent study by NSS Labs revealed just how ineffective some of today’s top anti-virus software solutions are at stopping one of the most highly profiled and successful cyber attacks of 2010. According to the article, “More Anti-Virus Fail,” NSS Labs created variants of the Operation Aurora attack to see how many AV products caught the malicious code. The result: Only one out of the seven products tested correctly thwarted multiple exploits and malicious code payloads.

This says a lot about the current state of the AV industry. With so many new viruses and malware variants successfully bypassing security solutions, it is time to shift our way of thinking about how to protect our networks from new and unknown forms of malware and viruses.

With online crime losses doubling in 2009, we simply can’t afford to rely solely on AV software to protect our critical infrastructures from the countless number of malware variants out there. If these solutions are already losing the battle against highly visible malware, I can’t imagine the success rate of stopping unknown attacks would be any better.

As an example of how the industry currently looks at these problems, NSS Labs’ CTO, Vikram Phatak, said: “There are many ways to possibly exploit a vulnerability, and rather than focusing on every attack method, vendors need to focus on [shielding] the vulnerability itself.”

Vikram is correct in pointing out that you can’t defend against every attack method, but focusing on protecting against exploitation of the vulnerability is reactive, and a failure as well. This still leaves companies open to newly discovered vulnerabilities, relies on reactive patching and security system updates, and will ultimately fall on its face. We need to completely rethink our approach to endpoint security that begins with a foundation of whitelisting that would defeat new malware completely independently of the vulnerability or attack.

Please use the comment form and leave your thoughts!

Are we in a cyberwar or not?

Posted:  March 11, 2010 by Toney Jennings

I continue to hear various viewpoints about whether or not we are in a cyberwar. Recently, our friend, Howard Schmidt was quoted in the article, “White House Cyber Czar: ‘We are not in a cyberwar’,” that we are not in a cyberwar. His stance is cyberwar is “a terrible metaphor” where there are no winners. While I can certainly respect that, there are also a number of opposing views and supporting statistics that say otherwise.

One comes from the former director of national intelligence, Michael McConnell, who recently testified in Congress by saying the country is already in the midst of a cyberwar — and losing it at that. This comes on the heels of growing speculation from experts that say the Chinese government was behind the recent cyberattacks targeting U.S. government Web sites, Google, and dozens of other U.S. companies. This, of course, raises the question: “If we aren’t already in a cyberwar, are we headed toward one?”

Larry Wortzel, a member of the U.S.-China Economic and Security Review Commission, said in the article, “Expert says Chinese government likely behind massive cyberattacks,” that whether the Chinese government or independent hackers in China were responsible for the recent attacks, we are seeing “persistent, systematic and sophisticated attacks” that are clearly targeting U.S. military, technical and scientific information. Similar trends released at RSA Conference and reported in the story, “Chinese hacks attacks said likely to recur,” said an increase in Internet attacks from China could double if the pace during the first two months of 2010 continues.

People often ask me, given my military background and experience fighting cyber crime, are we in a cyberwar or not? To me, whether or not we are is irrelevant. What defines cyber warfare? What’s important is that we are aware of what is going on and our government and the private sector are doing everything they can to ensure our cyber security. I commended President Obama last October when he said that cyber threats were one of the most serious economic and national security challenges we face as a nation. The fact is, cyber crime has already cost U.S. companies billions of dollars. If these trends aren’t stopped, cyber crime will continue to have a growing impact on both our economy and global competitiveness.

Ensuring our cyber security comes down to one thing — preparedness. The more we understand, and the more proactive steps the government and private sector take independently and collectively, are vital to defending our networks, national assets and critical infrastructures from any type of attack, whether we are in a cyberwar or not.

Most recent comment:   Cyber attacks top terrorism as biggest concern for Indian companies — CoreTrace WhiteSpace

[...] if cyber attacks and terrorism weren’t one in the same. As I mentioned in a recent blog, “Are we ...

New exploit technique could mean more Microsoft headaches

Posted:  March 8, 2010 by Toney Jennings

Last week, a new exploit technique was disclosed that bypasses a critical Windows security feature, DEP (data execution prevention), as well as an ASLR security enhancement for address space layout randomization.

In the article, “New exploit technique nullifies major Windows defense,” some researchers worry that a proof-of-concept code published by Google security software engineer, Berend-Jan Wever, could actually lead to more successful attacks against Microsoft’s newer operating systems.

While Wever claims the proof-of-concept doesn’t do any harm because it’s wrapped around an exploit of a bug in Internet Explorer 6 (IE6) that was patched years ago, MicroTrend’s Ria Rivera wrote in the company’s malware blog that the exposure could be used to further enhance exploits, and expects to see it used within exploits soon.

“After Wever released his heap-spraying exploit codes in 2005, a lot of new exploits started using that technique. It would thus be not far-fetched that the release of this new proof-of-concept could lead to the same scenario — new exploits could start using ‘return-to-libc’ to achieve DEP bypass.”

With so many data compromises arising from the latest disclosed vulnerability it seems so clear that now is the time to completely re-evaluate the way we approach desktop security. Vulnerabilities lose their power when you address the core issue of controlling what applications are allowed to run on your system in the first place whether these applications were added by a user or by malicious code exploiting a security hole.

Please use the comment form and leave your thoughts!