April 08, 2006

ThreatWatch - Sony is your friend, Game Over?, Meccano costs, and it'll all be better in two years

Dan Kaminsky writes on the Sony experience:

Learning from Sony: An External Perspective

‘What happens when the creators of malware collude with the very companies we hire to protect us from that malware?’ Bruce Schneier, one of the godfathers of computer security, was pretty blunt when he aired his views on the AV industry’s disappointing response to the Sony rootkit (for an overview of the rootkit and its discovery see VB, December 2005, p.11). His question was never answered, which is fine, but his concerns were not addressed either, and that’s a problem.

The incident represents much more than a black eye on the AV industry, which not only failed to manage Sony’s rootkit, but failed intentionally. The AV industry is faced with a choice. It has long been accused of being an unproductive use of system resources with an insufficient security return on investment. It can finally shed this reputation, or it can wait for the rest of the security industry to finish what Sony started. Is AV useful? The Sony incident is a distressingly strong sign that it is not.

I'm not sure what to make of the threats situation here. On the one hand, it is shocking, simply shocking to think of corporates deliberately increasing the risks of consumers so as to make more money. But, in reality, this has been going on for decades. So what we need is not less but more of the Sony threats. We need more information out in the public view so that we can all more clearly analyse the threats here. I call for more Sony rootkits :)

Has Microsoft declared Game Over?

In a rare discussion about the severity of the Windows malware scourge, a Microsoft security official said businesses should consider investing in an automated process to wipe hard drives and reinstall operating systems as a practical way to recover from malware infestation.

"When you are dealing with rootkits and some advanced spyware programs, the only solution is to rebuild from scratch. In some cases, there really is no way to recover without nuking the systems from orbit," Mike Danseglio, program manager in the Security Solutions group at Microsoft, said in a presentation at the InfoSec World conference here.

Basically, the OS cannot be protected, and in the event of infection, you have to re-install. That's one brave disclosure, but better they start seeding the public with this info less later than later still.

Fear of security is starting to bite in the US - in contrast to anecdotal evidence. Entrust did a survey that said:

Fear of alienating customers

Banks recognize they must increase online security, but are equally concerned that making Web sites harder to use will drive customers back to telephone and branch banking.

"Telephone transactions cost banks 10 times as much to process as Internet transactions. And in-branch transactions cost 100 times Internet transactions," Voice said.

About 18 percent of online bank customers have already cut back or stopped banking online completely because of security worries, according to an Entrust survey.

It is the cutting back or stopping that is causing the fear from the Meccano trojans I reported on a bit back (also known as MITB or Man-in-the-Browser). Forcing people back to phone or branch has massive cost and deployment ramifications. In the face of these costs, expect many banks to simply suffer the losses. Unfortunately, this won't be socially acceptable, as the majority of the costs are borne by the consumer, not the institution.

Lynn spots the latest crazy threat to invade media mindspace - Beware the 'pod slurping' employee

A U.S. security expert who devised an application that can fill an iPod with business-critical data in a matter of minutes is urging companies to address the very real threat of data theft. ....

"(Microsoft Windows) Vista looks like it's going to include some capability for better managing USB devices, but with the time it's going to take to test it and roll it out, we're probably two years away from seeing a Microsoft operating system with the functionality built in," Usher said. "So companies have to ask themselves, 'Can we really wait two years?'"

This is not a new threat, just an old threat with a sexy new toy. Don't believe we had to wait for Apple for the innovative solution to employees' desperate needs to walk out with lots of data...

On the other hand, read that second paragraph above carefully. If you don't like today's scenario, you'll have to wait about 2 years, assuming that Vista has some sort of answer to whatever it is you don't like. I don't normally do stock picks but here's one that screams: buy Apple, sell Microsoft. Users will, even if you don't.

A bit of BitTorrent bother. In brief, ISPs have been using "traffic shaping" to identify BitTorrent traffic and drop it. In response, the top three clients have added an RC4 encryption capability. Threats everywhere...

In closing, 1 in 10 Laptops Stolen:

"Up to 1 in 10 laptops will be stolen during their lifetime according to one of the Law Enforcement Officers behind the new Web site Juststolen.net..."
Posted by iang at April 8, 2006 07:46 PM