Hoff’s House of Fun

31 Oct, 2006

While in Boston on other business this week, Alan and I were able to spend some time with Chris Hoff at Crossbeam headquarters. I have to say I’m pretty impressed with Crossbeam’s gear and where the company is going. I’ve deployed network services in a few central offices and POPs in my day, and their stuff looked sturdy and zippy (in a carrier-class kind of way).

Chris was a great host and gave us a tour of the building. (I did salivate over their test lab… sorry if I ruined any gear, Chris). We then went out for a rousing sushi lunch even Rothman would appreciate. (Except I think they call sushi “bait” in Atlanta.)

Anyway, just a note to say thanks Chris for your hospitality and more importantly the engaging conversation. I was rolling in laughter for most of it.

Join us on an SSAATY podcast sometime, Chris?


BOB-ing for the Enterprise

31 Oct, 2006

The branch office box (BOB) market is heating up again with this week’s announcement from Juniper that it is integrating routing, security, VoIP, and network acceleration onto the SSG 500 hardware platform. More convergence of networking, security and voice.

Juniper announced two new product models, the J4350 and J6350 J-series enterprise branch routers. Not billed as a UTM but as a BOB router, the J-Series has a stateful firewall and IPsec VPN for security. Missing are the standard UTM features like IPS, AV gateway, content filtering, spam/spyware/adware/phishing filtering and other security features.

The J-Series is “voice ready”, meaning Juniper plans to support VoIP through integrated Avaya voice gateway and telephone interface modules in Q1 ’07. It’s a 6-slot chassis, so we’ll have to see how many users the voice modules support. WAN acceleration (via the Redline and Peribit acquisitions) was announced but is slated to be available in the future. Described as “forward-looking platforms”, this is clearly a line of routers Juniper is expecting to build on. I’d guess we’ll see more models emerge from the J-Series, and I wouldn’t be surprised to see more security features announced for these boxes as well.

I guess this is network convergence if you have an Avaya VoIP system, but what happens if you don’t? There’s no indication that other VoIP platforms will be supported. The J-Series is an Enterprise Branch Office Box, so I’m guessing that these boxes may not work as a standalone VoIP system; they must be interconnected into a larger Avaya system at the enterprise. (If that’s wrong or you know more details, please let me know.) I would certainly want standalone VoIP capabilities for those truly remote offices, or as a backup when corporate connectivity is down.

A very hardware-centric approach (from a network hardware company, no doubt), but it will be interesting to watch the adoption of these Juniper boxes.


Vista loophole plugged quickly

27 Oct, 2006

Microsoft acted quickly and patched the kernel loophole Authentium used to bypass Vista’s PatchGuard. I guess Microsoft’s serious about keeping access to the kernel secure. Kudos to them.

Authentium deserves nothing less given the ‘stick in the eye’ posts on their blog aimed at Microsoft. Expect future security vulnerabilities in Vista to be fixed quickly. (And you know there will be more, so don’t act like it’s news when everybody acts shocked at the next security flaw.) This one probably happened quicker than normal just because of Authentium’s attitude.

All I can say to Authentium is… Doh!

Podcasts, Security

Podcast #19, Jon Oltsik of Enterprise Strategy Group

26 Oct, 2006

SSAATY podcast episode #19 is up and available! This week Alan was traveling and I had the pleasure of interviewing Jon Oltsik, principal analyst at Enterprise Strategy Group. Jon specializes in security and has in-depth knowledge of the NAC market. He also recently called for vendors to support an open 802.1X supplicant and is putting together an organization to lead this call.

During the interview with Jon we cover: an assessment of the NAC market; Cisco and Microsoft proprietary frameworks vs. TCG’s TNC standard; pre-connect and post-connect NAC (which is the market demanding?); and building support for an open source 802.1X supplicant.

Alan and I spend time during This Week In Security discussing the latest in the Symantec, McAfee and Vista squabbles, Cisco’s Quadplay vision, and Insightix’s NAC release that relies on ARP spoofing after the CTO dis’ed such an approach at BlackHat ’06. We also answer a question from podcast listener and blog reader Brad Rich.

Thanks for listening and please remember to send in your comments and questions to podcast@stillsecure.com.


43,000 bot variants in 1st half ‘06

26 Oct, 2006

According to a Microsoft Security Intelligence Report, data was gathered from users of the Windows Malicious Software Removal Tool since its introduction in January 2005.

More than 43,000 variants of bots and Trojans were found during the first half of 2006. The Windows Malicious Software Removal Tool has cleaned over 4 million Windows machines in that time period, and over 2 million (50%) of them were infected with some type of bot or Trojan. This is down from 68% in 2005.

The Windows Malicious Software Removal Tool has been executed 3.6 billion times since its introduction and has an install base of 290 million unique machines. Win32/Rbot, Banker and Hupigon had the largest number of variants, with 16,796, 15,782 and 8,646 respectively. 17% of machines cleaned in the first half of ’06 contained at least one peer-to-peer worm. Rootkit detections were down from 17% to 8% between the 2nd half of ’05 and the 1st half of ’06.

I think I’ll go home and rest up. It should be a busy day tomorrow. 🙂


Hacking for profit

26 Oct, 2006

So if you don’t believe hacking is for profit, check out this great article by Kelly Martin at Security Focus/Symantec. Kelly does a very nice job of covering the discussions at the recent Virus Bulletin 2006 conference, where whitehat researchers and law enforcement discussed the trends and topics in hacking for profit.

My friends Byron Acohido and Jon Swartz at USA Today recently reported that cybercrime extracts $67.2 billion a year, as reported by the FBI. Consumer Reports claims that malware has resulted in the loss of more than $8 billion of U.S. consumers’ hard-earned money. Guillaume Lovet from Fortinet reported at the Virus Bulletin 2006 conference that the typical profits from a phishing scam can range from $2,500 to $25,000. And we are just in the early days of real cybercrime.

Some of the schemes? Phishing scams to steal identities. Trojans customized to target a specific organization. Users’ encrypted hard drives held for ransom. Stolen identities resold for profit (just like on the Sopranos). Logs pilfered for the valuable credit card data they contain. Those are just a few examples.

Think only the sophisticated hackers steal all this money? Well, if you can’t build one, just buy one. You can pick up a ready-to-use Trojan that will hide itself and encrypt its communications for $100 to $5,500. And discoverers of new “less than zero” day vulnerabilities are paid several thousand dollars by cybercriminals for this valuable information.


Keep it simple for the end user

26 Oct, 2006

My friend Martin McKeay has a good post on his ComputerWorld blog about the future of malware. Martin made a trip to Symantec to talk with them about the topic.

I agree with much of what Martin has to say. I’ve advocated for a long time that the weak point in security is, and will continue to be, the end user. Despite any amount of security awareness training we give end users, they will still be subject to social engineering and targeted exploits. Training helps, but it’s not a panacea.

I advocate for automated security. Default security settings should be turned on. Minimize the amount of interaction or decision making the end user has to do. This is one thing I like about programs like the Windows XP firewall: minimal opportunities for it to annoy the end user, so they don’t get fed up and turn it off.

Martin reinforces the idea that blackhat hacking is being done for financial gain, not for a security joyride like the recent Akamai DDoS-er. Martin’s example of malware aimed at MMORPGs is an interesting one. More than losing that cool sword, I’d be concerned about someone selling my account. Some EQ2 accounts go for $200-$400 if you can believe it. I guess all of those hours of game play are worth something, but I’m not sure the hourly rate is all that much. If anyone is interested, I have some Monopoly money I’ll sell you.


Stupid fee: $200k or 2 years

25 Oct, 2006

The Florida hacker who launched a DDoS attack on Akamai appeared in federal court Tuesday. He used the Gaobot worm to infiltrate universities and create a net of owned machines.

DDoS attacks are serious business, especially when they impact business continuity or customer services for hours. Let’s face it, DDoS attacks are a visible, frontal assault and you pretty quickly know it’s happening. ISPs are effective at reacting to most of these situations, so DDoS attacks usually don’t last very long. Stealthy attacks can be much more serious, as you may not know they are happening until after the damage is done.

This guy fits the classic definition of a hacker, not the stealthy kind today who are doing it for financial gain. Plus, the guy is 33 years old. Surely he had a deprived childhood which led him to hacking. Maybe his mommy should have bought him an Xbox 360 to keep him occupied. Book ’em, Danno.


Will Vista kernel APIs cripple the market?

25 Oct, 2006

Grant Johnson, a theconvergingnetwork.com reader, left a very interesting comment regarding my recent post about Authentium bypassing PatchGuard in Vista’s kernel. Grant’s view is that vendors may not have a choice but to bypass Vista’s new security protections if Microsoft provides a crippled kernel API. Here’s Grant’s comment:

There is just one issue. If MS does not want to share the market segment, they can just as easily cripple the API as close the back door. A “critical” update that changes that piece just enough to break every other security vendor’s software is all they need to show how their security software is better.

I am not really for using the black hat methods like bypassing the protections, but I also see where the security vendors may have little choice if they want to stay in business.

Good point, Grant. I agree. We must hold Microsoft accountable to provide a robust enough API into the kernel that security vendors can add value and address deficiencies in Vista. If they provide a lame API, then we are gonna shout hard and loud. Let me also say that I’m glad Authentium found this way around Vista’s PatchGuard. My issue with Authentium is their attitude of thumbing their nose and saying they will continue to use this loophole in Vista rather than any of Microsoft’s APIs. Good security isn’t built on loopholes; it plugs them. I want a secure Vista kernel, and PatchGuard is a good thing.

Thanks for your comment, Grant. And thank you for reading.


Vista PatchGuard Bypassed

24 Oct, 2006

By a security vendor, no less. While Symantec and McAfee have been coating the electronic airways with gallons of whine about Microsoft not sharing Vista’s secrets, Authentium used a loophole in Vista and simply bypassed Vista’s PatchGuard. The loophole was intended to help support older hardware.

While it may provide a few breaths of life for Authentium, you had better believe Microsoft will very soon close the exploited hole. There are rumors that Symantec or McAfee may have done the same thing but haven’t disclosed it while they pursue the issue in the court of public opinion and the EU. It’s possible, but I seriously doubt they would release a product using this method; who knows for sure. Authentium has further thumbed its nose at Microsoft, indicating it will not abandon this approach or use the soon-to-be-released kernel APIs Microsoft has committed to provide. Keep in mind that PatchGuard only applies to the 64-bit version of Vista right now.

While the skirmishes over Vista security improvements cause issues for entrenched security vendors, I for one am all for a secure Vista kernel. Signing of kernel patches/drivers, PatchGuard, and APIs into the kernel make sense to me. It may require more work on vendors’ products to adapt them to Vista, but in the end we have a more secure OS platform. I don’t know about you, but I wouldn’t buy security software that relies on a hack into the kernel which Microsoft opposes and could shut off at any time.