Apr 15

I came across an interesting article today that touches on security, so I thought I'd write about it briefly. Christopher Boydon over at SpywareGuide.com found a phishing utility called Apheve available for download on Cnet.com. It lets a phisher disguise the program as an instant messaging client such as Yahoo IM, Skype, or Live Messenger. The unsuspecting victim tries to log into the fake program and receives an error. After the victim has left, the phisher returns to that computer and retrieves the username and password the victim tried to log in with.

What is shocking is that this program is freely available for download on Cnet.com and probably a host of other websites. Somehow it has squeaked through the filters. It has no purpose other than stealing passwords. The creator of the program has also posted YouTube videos with tutorials on “How to hack Msn, Skype or Yahoo with Apheve 1.1”. That makes the nature of the program pretty clear.

This is just one more reason to be careful about what you access when you are using an internet cafe computer or any computer other than your own. You can never be too safe.

Apr 9

I have been reading a lot lately about the history of security research and the issue of full disclosure. It is a hugely debated issue, and one I was completely unaware of before I started getting into security. It doesn't often hit the news, and when a vulnerability does make the news, the background question of how it was disclosed is usually so controversial that nobody in the mainstream touches on it.

So what is it exactly? When a security vulnerability is discovered, the debate is over whether knowledge of that vulnerability should be made public. Some say that publishing sensitive information like that only puts customers and the general public at greater risk by releasing it into the wrong, untrusted hands. Others say that untrusted individuals already have that information, and that releasing it publicly speeds up the process of getting a proper fix to the people who need it.

No matter where you stand on the issue, both sides seem to agree that one of the greatest problems is communication. There are generally two parties involved: the vendors that make the software at risk, and the security researchers who initially discovered the vulnerability. These parties must communicate in a way that serves the public's best interest. However, poor communication between the two can deteriorate relations and lead to the disclosure of sensitive vulnerability information. Vendors typically claim they are not given enough time to get a fix properly released. Security researchers sometimes claim that waiting too long to get a patch to the general public puts the public at increased risk with each day that passes without a proper patch.

Many disclosure policies have been developed over the last decade that aim to establish proper communication between all parties involved, such as RFP, OIS, and ZDI. Many of these are just guidelines, followed out of general respect for both sides. Neither side, however, is obligated to follow them. They do give each side of the fence a certain set of expectations: if one side is following a specific policy and staying within its guidelines, the other side will know what to expect. They also help open lines of communication that may not have existed before the policies were put in place. Many times, when a security researcher discovered a flaw in a piece of software, they had no idea where to turn to get the flaw fixed.

After reading more and more about the history of this issue, when I see events like the DNS vulnerability that Dan Kaminsky and the associated vendors handled, it really amazes me how well everyone involved was able to communicate and get the issue resolved. Without open lines of communication from both sides, we just won't be prepared to handle widespread issues properly when they arise.

Apr 8

I have written many times before about the importance of end-to-end security across all types of networks. With the state of security today, protecting your data at every point on the network is crucial. Fortinet recently introduced a new vulnerability management solution for medium to large corporate businesses called the FortiScan-1000B. It helps businesses maintain security across their network by integrating the crucial points of a network security policy: industry and federal compliance, endpoint vulnerability management, network-level vulnerability management, and patch management and remediation.

In 2008 Fortinet purchased the security company Secure Elements, and the technology from that acquisition is the basis of the new FortiScan-1000B. The device also uses the vulnerability scanning feature from Fortinet's own FortiAnalyzer product. These features help security administrators stay compliant with SOX, PCI-DSS, GLBA, HIPAA, etc.

You can read more about this new device at Fortinet's website.

Apr 1

There has been a lot of buzz lately about the Conficker worm, which has been circulating and has now infected nearly 12 million Windows computers worldwide. But not all the news about Conficker is doom and gloom. Experts in the field have discovered a flaw in the worm that allows security administrators to isolate infected computers.

When the Conficker worm infects a computer, it applies its own version of the Microsoft patch released last October that fixes the vulnerability, so that when the computer is scanned for missing patches, the vulnerability goes undetected. However, security researcher Dan Kaminsky said a research group found it was far easier to distinguish a computer patched by the Conficker worm from one patched with Microsoft's patch, due to a flaw in the Conficker code.

From this, they have been able to create scanning tools that can distinguish whether or not specific computers are infected with the Conficker worm, based on the Conficker flaw they found.

The problem with this type of resolution, though, is that it could give criminals an opening into the botnet to create new worms that would let them take control of sections of it.

Such an “anti-worm” might well be more destructive than the Conficker worm itself, Kaminsky said. “You would have to build something that is as virulent as the current worm, and be willing to become the kind of monster you’re trying to fight,” Kaminsky said. “No one can play counter-worm very well.”

If one good thing has come out of the Conficker flaw, it is that it highlights weaknesses found in almost all third-party security patches. Usually the security industry releases separate patches and scanners for a particular virus or worm to provide protection until a complete update can be released. But those updates are generally produced by people who do not have access to the source code, so there is no 100% guarantee that the patch works. The Conficker flaw has shown that systems really can't be considered purged until they have had a full cleaning with updated scanning software built from the source code.