Rodney Campbell's Blog

Measuring Security

With cyber attacks continuing to make headlines, companies have responded by rapidly increasing IT security spending even as overall IT budgets have remained flat or declined. Gartner predicts that security software spending will have a compound annual growth rate of 16.2% from 2005-2009 with information security spending representing approximately 6% of overall IT budgets.

9 out of 10 e-mails now spam

Criminal gangs using hijacked computers are behind a surge in unwanted e-mails peddling sex, drugs and stock tips. The number of "spam" messages has tripled since June and now accounts for as many as nine out of 10 e-mails sent worldwide, according to U.S. email security company Postini. As Christmas approaches, the daily trawl through in-boxes clogged with offers of fake Viagra, loans and sex aids is tipped to take even longer. "E-mail systems are overloaded or melting down trying to keep up with all the spam," said Dan Druker, a vice president at Postini. His company has detected 7 billion spam e-mails worldwide in November compared to 2.5 billion in June. Spam in Britain has risen by 50 percent in the last two months alone, according to Internet security company SurfControl.

Introducing Stealth Malware Taxonomy (pdf)

Joanna Rutkowska proposes a simple taxonomy that could be used to classify stealth malware according to how it interacts with the operating system.

Copyright Office publishes digital exemptions

To hack the security preventing interoperability of wireless phones… to reverse engineer the digital rights management on audio CDs for security testing.

Filtering out the hype

Corporate email is vulnerable to attack from the increasingly sophisticated and ever-growing number of viruses, spam, spyware and phishing technologies out there. And vulnerable to abuse from within, which could result in: acceptable use policies being compromised; regulatory compliance violations; and/or confidential corporate data being leaked externally.

Devastating mobile attack under spotlight

All mobile phones may be open to a simple but devastating attack that enables a third-party to eavesdrop on any phone conversation, receive any and all SMS messages, and download the phone’s address book.

Apple Mac OS X Mach-O Binary Loading Integer Overflow Vulnerability

Apple Mac OS X is prone to a local integer-overflow vulnerability. This issue occurs when the operating system fails to handle specially crafted binaries.

FireFox Password Manager Flaw w/ POC

The flaw derives from Firefox’s willingness to supply the username and password stored on one page on a domain to another page on a domain. For example, username/password input tags on a Myspace user’s site will be unhelpfully propagated with the visitor’s Myspace.com credentials. Because the username/password fields need not be visible on the page, your password can be stolen in an almost completely transparent fashion.

IP Telephones

Remotely activate the ‘hands free’ function on an IP telephone (using software) to allow listening in to room conversations.

The Means to an Endpoint Security

As SSL VPN remote access systems – that is, technology used to connect internal company resources and data to people working from home or on the road – becomes more mainstream, and organizations extend their internal infrastructures to users who are not necessarily employees, endpoint security has become an increasing concern.

Security Myths

The IT world is full of myths and legends circulated via email or simply spread by word of mouth. These legends are not the infamous hoaxes or chain letters, but assume that certain things are true, when they usually aren’t. However, they are so difficult to prove that they are accepted as true without any evidence whatsoever.

Common causes of IT security breaches

Historically, the approach to enterprise security has been to make the fortress bigger and stronger – to install more products, and write more policies. Yet despite heightened security awareness and cutting-edge tools, 2006 was the worst year yet on record for corporate security breaches – continuing the year-on-year escalation of security risk.

Microsoft makes claim on Linux code

Microsoft CEO Steve Ballmer has said that every user of the open source Linux system could owe his company money for using its intellectual property. The statement will confirm the worst fears of the open source community.

Mark Rasch: Vista’s EULA Product Activation Worries

Mark Rasch looks at the license agreement for Windows Vista and how its product activation component, which can disable operation of the computer, may be like walking on thin ice.

Spam Bust: The Lessons of Yesmail

Is your company violating spam laws like Yesmail did? Even an unwitting violation can result in a fine.

Top 10 Web 2.0 Attack Vectors [pdf]

Web 2.0 is the novel term coined for new generation Web applications. start.com, Google maps, Writely and MySpace.com are a few examples. This technological transformation is bringing in new security concerns and attack vectors into existence.

Attack code targets zero-day Mac OS flaw

A security researcher has published attack code for an unpatched flaw in Mac OS X.

On the Power of Simple Branch Prediction Analysis (pdf)

A spy-process running simultaneously with an RSA-process, is able to collect during one single RSA signing execution almost all of the secret key bits.

Is the hacking community running out of fresh ideas?

According to a new report by Kaspersky Lab, the hacking community has run out of fresh ideas when it comes to creating new malware. Malware Evolution: July – September 2006 states that while the hacking community is developing ‘proof of concept’ code for new platforms, it is unlikely that it will translate in to malware capable of causing substantial and lasting damage.

Hackers use virtual machine detection to foil researchers

Three out of 12 malware specimens recently captured in our honeypot refused to run in VMware.

Audio For ‘Privacy Is Dead’ Talk Now Online

The Steve Rambam talk at HOPE Number Six was disrupted by his arrest minutes before he was scheduled to go on stage – HOPE Number Six finally came to an end with a three hour talk at the Stevens Institute in Hoboken, New Jersey that focused on just how much information on each of us is readily accessible to virtually anyone. Steve also revealed all of the information he was able to find on a volunteer "victim" and answered all sorts of questions from the standing room only audience, including what really happened back in July.

Could Hollywood hack your PC?

Congress is about to consider an entertainment industry proposal that would authorize copyright holders to disable PCs used for illicit file trading.

New Google Service Will Manipulate Caller-ID

Google has made available a new "Click-to-Call" service that will automatically connect users to business phone listings found via Google search results. Of concern is that Google says that it will manipulate the caller-ID on the calls made to the user-provided number, to match that of the business being called – thus allowing potential for abuse.