Security Bytes: August, 2009 archives

Aug 26 2009   9:21PM GMT

Apple adds malware scanning to Snow Leopard



Posted by: Robert Westervelt
Apple security, apple AV, Apple malware scanner

Ryan Naraine of Threatpost.com and ZDNet’s Zero Day blog writes this week about Apple’s decision to add a malware scanner in Snow Leopard, the next version of its OS.

Apple has quietly added a new Snow Leopard feature to scan software downloads for malware, a no-brainer move that coincides with a noticeable spike in malicious files embedded in pirated copies of Mac-specific software.

Apple is not immune to hackers and never was. Although the risk of being attacked remains lower than if you were on Microsoft XP, the risk of infection has risen to a level at which Apple decided it needed to do something about it. Clearly this should be taken as a positive development for Apple fans out there. Anyone who plans to surf the Web, download information and ultimately be connected to the Internet in any way should have some kind of protection in place. As Ryan points out in his blog entry, Apple has already recommended third-party antivirus software.

Aug 26 2009   4:45PM GMT

ConSentry Networks’ demise underscores changing nature of NAC market



Posted by: Neil Roiter
NAC

The somewhat quiet news that ConSentry Networks has gone out of business is more bad news for the independent network access control (NAC) market and underscores the struggles of a handful of pure-play independent vendors — Nevis Networks and Vernier Networks were the others — that took similar approaches.

The trio were notable for their strong post-connect monitoring and enforcement, and fine-grained policy controls around identity-based NAC. All offered appliances, and ConSentry and Nevis also sold NAC-enabled switches. Vernier slipped quietly away a couple of years ago and tried to reinvent itself as Autonomic Networks, focusing on NAC for compliance auditing. It closed in February. Nevis went bankrupt and sold its assets to Aviram Networks in May. Aviram has resurrected the business, still as Nevis Networks.

(Two other NAC vendors, Caymas and Lockdown Networks, shut their doors in the last couple of years. Remaining independents include StillSecure, InfoExpress, Bradford Networks and ForeScout Technologies.)

NAC, the next big thing a few years ago, has not yet developed into the huge market it was expected to be. Gartner pegs it at $221 million this year. Venture capitalists have sunk more than $550 million into the NAC market, including $9.4 million for ConSentry in January, according to the Wall Street Journal.

With all the major security and network infrastructure vendors offering some sort of NAC capability, focusing primarily either on the endpoint (Microsoft, Symantec, McAfee, Trend Micro, Sophos, etc.) or the network (Cisco Systems, Juniper Networks), the indications are strong that NAC will be subsumed, rather than persist as a market. My colleague, Eric Ogren, noted in his April column, “Gartner gets NAC wrong, again,” that there was no NAC exhibition category for vendors at RSA and that enterprises should be thinking in terms of features to infrastructure products, rather than separate tools.

ConSentry, Nevis and Vernier may be the poster children. For all their impressive capabilities, they may have been selling into a market that didn’t exist. The vast majority of companies are still primarily concerned with basic guest access control and pre-connect endpoint hygiene, particularly for remote users (and you should generally be able to get that basic piece with your VPN).

Most companies don’t have the kind of granular role-based access control policies that would be a good match for the identity-centric monitoring and enforcement ConSentry et al. presented. Those that do would likely prefer to work with their network company (Cisco, more often than not) through the admittedly slow-to-develop and somewhat painful process of embedding NAC in the infrastructure while working through their endpoint security vendor on the client side. In particular, ConSentry and Nevis switch-based options, while perhaps the right place to put NAC, were never going to make a dent against established network equipment vendors, doomed for the most part to spot deployments in special scenarios.


Aug 25 2009   12:46PM GMT

Serious IFrame attacks spread Trojan cocktail



Posted by: Robert Westervelt
IFrame attacks

Security researchers at Web security services vendor ScanSafe have tracked a successful IFrame attack infecting nearly 55,000 website pages with code that infects victim machines with a Trojan downloader that installs a potent mixture of malware.

Mary Landesman, a senior security researcher at ScanSafe, said the IFrame is responsible for loading additional exploits and malware from up to seven different malware domains.

A Google search on the iframe script tag resulted in 54,900 hits. Victim sites include www.feedzilla.com, latindiscover.com, and a number of charitable and nursing facilities, including howellcarecenter.com, sweetgrassvillagealf.com, www.foodsresourcebank.org, and morningsideassistedliving.com.

Last year, security researchers believed the Russian Business Network (RBN) was involved with a scam that corrupts hundreds of thousands of Web sites with IFrame redirects