Enterprise Application Whitelisting
Posted by Mario Vuksan on Wed, Oct 15, 2008
The security industry has exploded in the last 10 years, with a huge quantity of products and approaches. Yet for most people security is a singular concept that demands a single solution. For the first ten years of anti-virus protection, it was just that: one approach with a few competing vendors. Then came network connectivity, firewalls, exploitation for economic benefit, and the whole thing blew open.

The point here is that the market has quickly moved from generic to specific methodologies for protection. Solutions are being built to address one or very few use-case scenarios, and never all possible cases. For example, Vanja Svajcer of Sophos, among a long list of security researchers, warns users against relying solely on their anti-virus protection. It cannot work for every case. In today's landscape of SQL injection attacks and custom botnet infiltration, AV tools built on a one-size-fits-all model will not protect your data and property.
Microsoft has been so successful in pushing its personal computer operating system that it now runs on (and is expected to protect), among other things, point-of-sale terminals, cash registers, ATMs, gambling machines and voting stations, not to mention TVs and mobile phones. These endpoints cannot and should not have the same security posture as a typical personal computer. For starters, many of these specialized devices have a very controlled execution environment. So why should they run a security product that assumes a user will want to execute all manner of unknown code?
According to the hype, anti-malware protection is viewed as a stale incumbent with little life left in it. Yet no one is really recommending that we do away with it. Actually, according to Alex Eckelberry, CEO of Sunbelt Software, the typical user is quite satisfied with it, with enterprise users a bit less so. We still want protection from the known attacks while we dream of a silver bullet that would make all of our bits and bytes behave. And for those who dream, the industry has a plethora of endpoint- and network-based offerings to fit their budget. Never mind if your IDS or HIPS product is disabled or its logs are never, ever reviewed.
But that's not the point. Anti-malware suites rightfully assume that there is a freedom-loving rebel behind each endpoint. That's their target audience. Purpose-built terminals that perform only a set of very specific tasks require a different, more tightly controlled environment. Needless to say, anti-malware suites were never meant to protect them against unknown attacks.
Posted by Mario Vuksan on Tue, Oct 14, 2008
Posted by Mario Vuksan on Mon, Oct 13, 2008
At last week's VirusBulletin in Ottawa, Peter Allor of IBM gave a somewhat untraditional talk for VB, discussing security issues with SCADA systems. The list of fears and problems is long and wide. After all, most SCADA systems are designed to work for 10-20 years. You do not expect to be changing power generation equipment whenever Microsoft releases a major OS upgrade.

Yet what struck me was how little the U.S. Government, amidst all the activity surrounding SCADA security, discusses the specific ways in which these systems are exposed or could be improved. There is much to talk about when some of these systems are built on top of Windows 95, do not have encrypted command and control protocols, and can be damaged by simple operator error. Try starting and stopping turbines 10 times in a row. It will not look good. It runs over IP. Adding security software to some of these systems is absolutely out of the question, as they have been timed and tuned to do one thing only.

Is it simply that the situation is so hopeless that retrofitting security into these systems is futile? Do we hope that the noise raised will force legislators to mandate that old and insecure software be replaced by a newer, more up-to-date variety? Economic chaos on Wall Street will not help us in the short run.

Still, SCADA vendors and government users should be open to specific discussions surrounding threat exposures in their systems. That is the only way to devise a meaningful set of policies and requirements that future SCADA systems should implement. This has to go beyond encrypting communications protocols, logging all activity and investing in negative QA testing cycles. Security infrastructure has to be required all the way from security code inspection and review (think of Fortify or Veracode) to actually locking down software execution policies on each SCADA system.
Posted by Mario Vuksan on Tue, Sep 02, 2008
The following line came to my inbox recently courtesy of IDG Connect: "Servers are like attics. Start poking around and there's no telling what you might find. Hardware, applications, platforms, operating systems--all with varying layers of dust."
This could not be further from the truth. Windows has a memory-loss complex: as installations get older they slow down and begin to forget things. It is not the aging hardware, but rather the aging software that keeps pasting layer over layer of stuff that not even an army of forensics and vulnerability researchers could untangle.
There are very few solutions today that actually try to discover and identify every piece of software running in your environment. This is not a cheap pitch for Bit9 Parity, but rather a call for an interesting exercise. Do you really know what is in your attic? Bit9 staff can fix you up with a simple trial, and we are sure that you will be astonished by what is discovered. Bit9's Global Software Registry can then help you determine exactly where those allegedly rogue files come from.
Posted by Mario Vuksan on Sun, Aug 31, 2008
Microsoft has finally released a public beta of its next major browser release. IE 8.0, among many other great features, has an "InPrivate" mode, popularly dubbed the "Porn Mode", as if "InPrivate" was not subtle enough. The Irish Times then went a bit further and labeled it the "porn browser". This all recalls the debate over the Heatseek browser from two years ago; Heatseek is an alternate browser built on IE. Mention of porn does get people excited: just Google IE and "porn mode" and you'll find more than 76K pages.

So why do we really need InPrivate mode? As has been repeated everywhere, it disables page caching and browser history, and it does not remember any session state such as form fields and cookies.

Caching has annoyed me in the past. As Internet connections became fast, caching became largely irrelevant. Still, if you did not frequently clear your cache, you were likely to severely fragment your hard drive. Unlike the rest of your file system, each page generates hundreds of small files that take up ever more disk space, all in small blocks, which in turn clog large contiguous spaces and make the drive go back and forth just to cache a simple web page. Imagine dumping garbage down your drain. It clogs. So if you ever wondered why your machine slows down simply from browsing the Internet, check your fragmentation levels, wipe that cache and defragment your drive. It is no wonder that Firefox offers automatic cache cleanup (the "always clear my private data" feature). If this is indeed your experience, you may want to consider buying Diskeeper.

But there are better reasons. Keeping your cache or browser history has serious implications in the enterprise:

(1) Web mail privacy: Do you really want Google Desktop or any other desktop indexing software to be indexing your private mail along with your corporate data? If you don't care about that, you may still want to think twice, as web mail is protected private mail and your employer should not be intercepting it without a warrant. As soon as it becomes part of a Google Desktop index, the story changes. Yet if it had never been kept on disk in the first place, you would not have had the problem.

(2) Custom web applications and proprietary portals: Every enterprise has one internal-facing portal or another, tracking customers, partners, IT resources, you name it. As we all take our laptops home, should potentially sensitive data about our businesses and people be easily available for malware to grab? If it is in the cache, it is usually in clear-text form and hence easily extractable by an outside piece of malicious code. How does that square with HIPAA regulations? Think medical records or pharma trial results.

(3) Browser-cache-based malware will need to work harder to infect your system, as it will not be written to disk by default. We could hence expect better protection from our anti-malware suites, as there will be fewer things to scan and better heuristics for catching rogue buffer overflow attacks that are forcing their way onto disk. Yes, porn will squeeze by too.

Cheapening the discussion to simply a "porn mode" does make Microsoft sexier, something from which Microsoft could always benefit, but it doesn't do much to help us refine our security postures and do things better. Yet the concerns raised are valid as well. Without a web cache, it will be more difficult to pin a certain crime to a location and time. Did you surf that web site? Not everybody has implemented a DLP solution like Vontu, Vericept or Tablus. The web cache, and for that matter any hard-disk analysis you can imagine, was a treasure trove for forensics professionals in the past. It may be less so in the future. That is all about to change. Forensics will require new tools and new solutions.

So in a tug of war, we fix some security scenarios, which surely breaks other security solutions that worked around them, knowing full well that what was working before shouldn't have been working in the first place.
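Point (2) above is one a portal owner can fix on the server side rather than hoping every user remembers InPrivate mode: a response that carries `Cache-Control: no-store` is never written to the browser's disk cache. The following is an added example (not code from the original post or from Bit9) that classifies sample responses by whether a browser may store them, and shows the common mistake of using `no-cache` or `private`, which do not stop the user's own browser from writing the body to disk. The sample responses and the `sensitive_page_headers` recommendation are constructed for the example; directive semantics follow the HTTP caching RFCs.

```python
# Added example: decide from a response's Cache-Control header whether a browser
# is allowed to keep the body in its on-disk cache. Not part of the original post.

def _directives(cache_control):
    """Split 'private, no-cache, max-age=0' into a set of lower-cased directive names."""
    return {part.strip().split("=", 1)[0].lower()
            for part in cache_control.split(",") if part.strip()}

def browser_may_store(headers):
    """Return True if a browser is permitted to write this response to its disk cache.

    Only 'no-store' forbids storage. 'no-cache' and 'private' are often mistaken
    for it: 'no-cache' only forces revalidation before the copy is reused, and
    'private' only keeps shared proxies out; the user's own browser may still
    write the body to disk in both cases. 'Pragma: no-cache' is a request
    directive and gives no guarantee when sent on a response.
    """
    cache_control = headers.get("Cache-Control", "")
    return "no-store" not in _directives(cache_control)

def sensitive_page_headers():
    """Constructed recommendation for a page holding records or mail: forbid storage
    outright, and add the legacy directives for HTTP/1.0 intermediaries."""
    return {
        "Cache-Control": "no-store, no-cache, must-revalidate",
        "Pragma": "no-cache",
        "Expires": "0",
    }

# Constructed sample responses for the three situations discussed in the post.
SAMPLE_RESPONSES = {
    # Web mail inbox that only asks for revalidation: body still lands on disk.
    "webmail_inbox": {"Cache-Control": "private, no-cache", "Content-Type": "text/html"},
    # Internal portal page with no caching headers at all: cached heuristically.
    "hr_portal_record": {"Content-Type": "text/html"},
    # The same portal page after the fix.
    "hardened_portal": sensitive_page_headers(),
}

def audit(responses):
    """Map each named response to whether its body can end up in the browser cache."""
    return {name: browser_may_store(hdrs) for name, hdrs in responses.items()}

if __name__ == "__main__":
    for name, stored in audit(SAMPLE_RESPONSES).items():
        print(f"{name:18s} may be written to disk cache: {stored}")
```

The check treats the header name as an exact key for brevity; a real audit tool would normalise header names case-insensitively before lookup.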
Posted by Kate Munro on Wed, Aug 27, 2008
The stars are aligned for application whitelisting in the marketplace -- all the big players are talking about it now and analysts are predicting that it is the future.
The new Gartner analyst research report - "Application Control Market Update," 4 August 2008, by Neil MacDonald and Michael A. Silver - is a great one. To Gartner, the terms "application control" and "application whitelisting" are synonymous.
Copied below are some top quotes from the Gartner Research Note.
And this whole section:
"Application Control Is a Gentler Form of Lockdown
In addition to security protection, application control solutions provide operational benefits by preventing the arbitrary introduction and execution of unknown code ("lockdown") on endpoints, even for administrators. There are several security and operational reasons that organizations may want to use application control solutions:
- To ensure that unlicensed software isn't being used
- To manage known PC configurations so that enterprise software is easier to deploy and maintain
- To restrict users from running software that could be detrimental to enterprise systems or the network
- To prevent users from adding applications to the organization's application portfolio that will require increased support and cost
Many organizations mistakenly believe that they've accomplished lockdown by removing administrative access from users and designating them as standard users. However, this can cause a number of problems:
- Users who have a real business need to install applications to do their jobs won't have that right, which hampers creativity.
- Client software components that Web sites upgrade on a regular basis (such as Flash, Acrobat Reader and Web conferencing software) cannot be updated, potentially obstructing user access to important business content or causing lost productivity, as users look for workarounds. It's nearly impossible for organizations to have the latest clients packaged for software distribution so that they can be delivered to users as needed, and standard user access does not allow exceptions.
- Contrary to common perception, running users as standard users does not prevent them from installing and running unknown applications. Depending on the level of lockdown, standard users may be able to download and install well-behaved applications that don't require administrative privileges to install or run. Furthermore, without additional restrictions or tools, users are able to load and execute single executables from the network (including via the browser) or removable media. Organizations are also at risk from malware that targets user data and settings, rather than system files.
Application control solutions address these issues and provide organizations with more flexibility and granularity for all users regarding the applications that can and cannot be run. Users can be left running as administrators, allowing them to update client software as needed, including Web applications. Software that's detrimental can be automatically blacklisted, but resources (and/or subscription models) may be needed to keep the list current. Depending on the user, new software can be allowed or blocked by policy. In either case, it is always logged, so that the organization can monitor, at a granular level, what software users are looking to run. Even if users are running as standard users, application control products can plug the gap created by applications that don't require administrator privileges to install and run or single file executables."
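The mechanism the Gartner note describes, approved code runs, unknown code is allowed or blocked by a per-user policy, and every decision is logged, reduces to a small amount of logic. The following is an added illustration written for this page; it is not Bit9 Parity's code nor anything from the Gartner report. It identifies executables by SHA-256, keeps a hypothetical role-based policy for unknown code, and records an audit entry for each decision. The two "executables" it checks are constructed in a temporary directory.

```python
import hashlib
import os
import tempfile
from dataclasses import dataclass, field

# Hypothetical policy (an assumption for this example): what happens to code whose
# hash is NOT on the allowlist, by user role. Allowlisted code always runs.
UNKNOWN_CODE_POLICY = {
    "standard": "block",    # locked-down users: unknown code never runs
    "developer": "allow",   # trusted role: unknown code may run, but is still logged
}

def sha256_of(path, chunk=65536):
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()

@dataclass
class ApplicationControl:
    allowlist: set                       # SHA-256 digests of approved executables
    audit_log: list = field(default_factory=list)

    def decide(self, path, user, role):
        """Return 'allow' or 'block' for one execution attempt, and log it either way."""
        digest = sha256_of(path)
        if digest in self.allowlist:
            decision, reason = "allow", "approved"
        else:
            # Unknown role falls back to the safest choice.
            decision, reason = UNKNOWN_CODE_POLICY.get(role, "block"), "unknown"
        # Logged whether allowed or blocked, so the organisation can see what
        # users are trying to run, which is the visibility the note stresses.
        self.audit_log.append({
            "user": user, "role": role, "file": os.path.basename(path),
            "sha256": digest, "decision": decision, "reason": reason,
        })
        return decision

def demo():
    """Constructed scenario: one approved and one unknown file, three run attempts."""
    with tempfile.TemporaryDirectory() as workdir:
        approved = os.path.join(workdir, "payroll.exe")
        unknown = os.path.join(workdir, "screensaver.exe")
        with open(approved, "wb") as fh:
            fh.write(b"MZ approved-build-1.0")          # stand-in for a packaged app
        with open(unknown, "wb") as fh:
            fh.write(b"MZ something-from-a-usb-stick")  # stand-in for unvetted code
        control = ApplicationControl(allowlist={sha256_of(approved)})
        results = [
            control.decide(approved, "alice", "standard"),   # approved: runs
            control.decide(unknown, "alice", "standard"),    # unknown, locked-down: blocked
            control.decide(unknown, "bob", "developer"),     # unknown, trusted role: runs, logged
        ]
        return results, control.audit_log

if __name__ == "__main__":
    decisions, log = demo()
    for entry in log:
        print(f"{entry['user']:6s} {entry['file']:16s} {entry['decision']:5s} ({entry['reason']})")
```

Hashing the file rather than trusting its name or path is what makes the allowlist meaningful: renaming an unknown binary to `payroll.exe` does not change its digest, so it stays unknown.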
As an aside, we are now registering our blog with Technorati.
Posted by Mario Vuksan on Thu, Aug 21, 2008
Intego recently came up with the first AV product for the iPhone platform. What struck us is the awesome user interface that it carries, as would only be expected of Apple-based products. True to form, we have ignored its functionality and any protection benefits it may carry.
Hence we'd like to have some fun and run an informal poll. Who do you think has the sexiest anti-malware product, and why? Functionality does not apply; we are only talking about looks, even though some beautiful products are really good. Please send us more screenshots of relevant products if you can, and we'll add them to the list. Of course, subjectivity matters, as this is about taste, that is, guessing the consumer's taste.
Why is this important? It really is not, but many companies invest heavily in making their security products visually exciting. They even stress excessively about it, hiring expensive PR firms, as is the case with Symantec, which ended up being dinged in reviews for its "yellow fever" theme. Why we think customers care about their AV UI is a topic for another discussion.
Feel free to be biased. We are too, although saying that anything Apple is sexier than anything Windows is about as objective a statement as one can make. White-label products are absolutely welcome.
So here are our top 3 sexiest AV contenders:
1. Intego - Obvious, eye candy makes us more secure
2. HelloKitty AV - As long as it protects from HelloKitty Malware, Kitty's in
3. Suze Orman AV - Because security starts with a face
REST OF THE LIST, TBD. Please vote!
Finally, here's the trailing bunch. Supporting documentation was liberally borrowed from Download.com and Softpedia. Obviously there are more interesting products out there.
Screenshots (images not reproduced here): Intego iPhone AV, Hello Kitty AV, Suze Orman's Identity Theft Kit, F-Secure, iolo, PCTools, Symantec, McAfee, K7 Total Security, Eset NOD32, Trend Micro, Kaspersky KIS 2009, AVAST, AVG, AVIRA, BitDefender Total Security, Panda Platinum Internet Security.
Posted by Mario Vuksan on Wed, Aug 20, 2008
In this pre-election season, we seldom step back and think about potential threats to our democracy. All eyes are on picking the best candidate. Yet, we need to be very concerned about the influx of Internet into our election process. For one, most candidates fundraise on the web today. They also heavily use their web sites and email as communication vehicles and as means to mobilize the party faithful.
Internet opens up a great opportunity for a qualitative electoral advantage, but it also opens gates to serious fraud and a potential for significant campaign disruption. We have seen heavy usage of technology in the past elections. Democrats may have seemed technologically challenged (curious with so many young and Silicon Valley pundits). Republicans seemed savvier with their palmtops and electronic lists of party faithful.
The 2004 election was a watershed, bringing a number of firsts:
- First use of e-mail solicitation
  - 45% of Democrat donors received e-mail daily
- Organizing of supporters on the web
  - Political blogs
- Online fund raising, with the Kerry campaign taking a lead
  - 70% of online donors forwarded e-mails to others
- Candidates raised:
  - John Kerry - $82MM
  - Howard Dean - $20MM
  - George Bush - $14MM
Serious concerns were raised by Oliver Friedrichs at Black Hat 2008 in a talk titled "Threats to the 2008 Presidential Election".
Key takeaways are the following:
Online campaign donations can be tampered with.
Given the significant amounts being raised online, phishing attacks could defraud donors, dampen enthusiasm and seriously shortchange candidates. Opponents or foreign elements could easily be behind these efforts. It all stems from the ad hoc structure of campaign web sites.

Political Campaign SPAM
We should worry about campaign spam, which may lead to phishing attacks, or may simply spread misinformation and false rumors, or generate artificial scandals. Successful attacks against your support base could pollute e-mail as a communications medium, intimidate potential voters, and hurt grassroots efforts. Imagine fake scandals, subtle suggestions of legal or health trouble, or of a position change.
Vulnerable campaign web sites & blogs
The ease of SQL injection attacks has demonstrated that the best way to infect a large number of users is to go where they are. Infecting a campaign web site is a perfect way to get to the most trusted campaign volunteers or staff. They could be tagged with stealthy (rootkitted), bespoke malware undetected by anti-malware solutions. Criminal elements could own your campaign. Being owned could mean sensitive data leakage, redirection of campaign funds, and more, all by forces that are not necessarily U.S. based.
Given the speed of the Internet, these attacks could be perpetrated a few days before the election, thus influencing the outcome.
Should we worry now?
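The SQL injection route into a campaign site that the post describes usually comes down to one thing: a web page that splices user input into a query string. The following is an added example (not part of the original post and not taken from any real campaign site) that puts the vulnerable lookup next to its parameterized fix over a constructed in-memory volunteer table, so the difference can be seen on one input. The table, the volunteer records and the function names are all constructed for this illustration.

```python
import sqlite3

# Constructed sample data standing in for a campaign's volunteer portal.
VOLUNTEERS = [
    ("Ann Example", "ann@example.org", "field-lead"),
    ("Bo Example", "bo@example.org", "phone-bank"),
    ("Cy Example", "cy@example.org", "treasurer"),
]

def make_db():
    """Build a throwaway in-memory database with the sample volunteers."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE volunteers (name TEXT, email TEXT, role TEXT)")
    conn.executemany("INSERT INTO volunteers VALUES (?, ?, ?)", VOLUNTEERS)
    return conn

def lookup_vulnerable(conn, email):
    """The 'before': the value is pasted into SQL text, so quotes in the input
    become SQL syntax and change what the query means."""
    query = f"SELECT name, email, role FROM volunteers WHERE email = '{email}'"
    return conn.execute(query).fetchall()

def lookup_parameterized(conn, email):
    """The fix: the value travels as a bound parameter, separate from the SQL
    text, so it is only ever compared against the column, never parsed."""
    query = "SELECT name, email, role FROM volunteers WHERE email = ?"
    return conn.execute(query, (email,)).fetchall()

def compare(email):
    """Return (rows from the vulnerable query, rows from the fixed query) for one input."""
    conn = make_db()
    try:
        return len(lookup_vulnerable(conn, email)), len(lookup_parameterized(conn, email))
    finally:
        conn.close()

# The textbook tautology input; with string splicing the WHERE clause is always true.
TAUTOLOGY = "' OR '1'='1"

if __name__ == "__main__":
    for value in ("ann@example.org", TAUTOLOGY):
        vuln, fixed = compare(value)
        print(f"input {value!r}: vulnerable query returned {vuln} rows, parameterized {fixed}")
```

On the honest address both functions return the single matching volunteer; on the tautology input the spliced query hands back every record in the table while the parameterized one returns none, which is also the behaviour to look for when reviewing a site's data-access code.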
Posted by Mario Vuksan on Tue, Aug 19, 2008
Vista enterprise rollouts seem to be hitting a significant snag, according to Devil Mountain Software, with 35% of Windows Vista installs being uninstalled in favor of Windows XP. HP and Dell have been downgrading new Vista machines to XP in response to customer demands. Even though Microsoft no longer supports XP, HP and Dell will allow customers to downgrade to XP until July of 2009.

Still, a sample of 3,000 machines is not a very convincing statistic. More than 200 million desktops and laptops are shipped annually, and the vast majority of them carry the latest Microsoft OS of record, Vista. Hence, we need to question results based on less than 0.0015% of that population.

Bit9's experience speaks to the contrary. Even though the adoption of Vista is slow and the migration path lengthy, organizations are planning their moves to Vista. Software compatibility problems are offset by new functionality, a better user interface and significant security improvements. Even though some organizations are clamoring about skipping the Windows Vista refresh, they may simply be waiting for others to work out software and driver incompatibilities for them. As for downgrades, many organizations need new hardware to replace decommissioned machines. That new hardware needs to be running XP at least until Vista migration procedures are in place, so as not to impact internal security and operational procedures. Not that downgrading is inconceivable, yet 35% seems greatly exaggerated.
Posted by Mario Vuksan on Sat, Aug 16, 2008
Max blogs about the difficulties in getting Apple to acknowledge their vulnerabilities. Yet, according to the ISS X-Force Security Report, Apple has overtaken Microsoft in the number of vulnerability disclosures. Microsoft still leads the race in the number of exploits. It seems that it still pays more to exploit Windows than Mac OS, even though this discrepancy is narrowing. Note the high positions for Joomla and Drupal. It is a testament to their success, as well as to the exploitability of SQL injection attacks. What galvanizes Apple's effort is the popularity of the iPhone. Vulnerabilities affecting the iPhone are taken more seriously, which helps users like me, but is also bound to filter down to other products that are based on the same OS.