Security Bytes

December 1, 2008  5:08 PM

ICANN transfers EstDomains customers to Directi

David Schneier

After a few delays, ICANN has officially transferred all of the domains that formerly belonged to registrar EstDomains to another registrar, in response to EstDomains’ president being convicted of several crimes earlier this year. ICANN, which governs the use of top-level domains and accredits domain registrars, said it is transferring the domains that had belonged to EstDomains over to Directi Internet Solutions. The action comes more than a month after ICANN originally notified EstDomains of its decision to de-accredit the registrar, which is based in Estonia. The company has been linked to a number of malware distributors and has been a target of security researchers and antispam activists for years.

EstDomains was informed on 28 October 2008 that ICANN was terminating the company’s accreditation due to its president’s conviction for credit card fraud, money laundering and document forgery. ICANN stayed that termination following correspondence with EstDomains. However, after further investigation, ICANN decided to go ahead with the termination, effective yesterday, 24 November 2008.

In accordance with the De-Accredited Registrar Transition Procedure, ICANN put out a request for statements of interest from registrars interested in receiving a bulk transfer of the names formerly managed by EstDomains.

As part of that procedure, EstDomains is permitted to designate a gaining registrar. It chose to use that option and identified ICANN-accredited registrar Directi. ICANN reviewed that request and approved it.

Earlier this year, Directi was implicated in helping to control EstDomains, but that report was later withdrawn, and Directi and the group that put out the report, HostExploit, have since been collaborating on actions to try to stop domain registry abuse.

November 26, 2008  10:34 AM

New worm attacking MS08-067 vulnerability

David Schneier

More than a month after releasing an emergency patch for the MS08-067 RPC vulnerability, Microsoft on Tuesday warned that it is seeing increased levels of attack activity against the flaw. The company said there is a new worm, being called Win32/Conficker.A, which is exploiting the RPC flaw and spreading in both enterprises and in home-user environments. Conficker opens a random TCP port between 1024 and 10000 and then starts exploiting the MS08-067 vulnerability on other PCs on the network.

Once the remote computer is exploited, it downloads a copy of the worm via HTTP from the random port the attacking machine opened. The file is often transferred with a .JPG extension and is then saved to the local system folder as a randomly named DLL. It is also interesting to note that the worm patches the vulnerable API in memory, so the machine is no longer exploitable through MS08-067. This is not because the malware authors care about the computer; they want to make sure no other malware takes it over too.
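The behaviour just described (a host that opens SMB sessions to several peers, each of which then fetches a .jpg over HTTP from a high port on that same host) is distinctive enough to look for in flow or proxy logs. The script below is an added example for this post, not code from Microsoft or from the original article; the log format, the sample lines and the host addresses are constructed for the demonstration, and treating TCP port 445 as the SMB transport that MS08-067 is reached over is my assumption.

```python
import re
from collections import defaultdict

# Constructed sample flow/proxy log lines (not from the original post).
# Format assumed for this example: "<src> <dst>:<port> tcp <detail>".
SAMPLE_LOGS = """\
10.0.0.5 10.0.0.7:445 tcp smb-session
10.0.0.7 10.0.0.5:4589 tcp http GET /xyzhj.jpg
10.0.0.5 10.0.0.9:445 tcp smb-session
10.0.0.9 10.0.0.5:4589 tcp http GET /qqpl.jpg
10.0.0.12 10.0.0.5:80 tcp http GET /images/logo.jpg
10.0.0.3 10.0.0.20:445 tcp smb-session
"""

LOG_RE = re.compile(r"^(?P<src>\S+) (?P<dst>\S+):(?P<port>\d+) tcp (?P<detail>.*)$")
HTTP_JPG_RE = re.compile(r"^http GET (?P<path>\S+\.jpe?g)$", re.IGNORECASE)

SMB_PORT = 445                  # assumption: SMB/445 is how the Server service is reached
WORM_PORTS = range(1024, 10001) # the listener range the post attributes to the worm


def parse_lines(text):
    """Yield (src, dst, port, detail) for every line matching the assumed format."""
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            yield m["src"], m["dst"], int(m["port"]), m["detail"]


def find_conficker_like(log_text, min_smb_peers=2):
    """Return {host: [(client, port, path), ...]} for hosts that opened SMB
    sessions to at least min_smb_peers peers AND served a .jpg over HTTP from a
    port in WORM_PORTS to one of those same peers."""
    smb_peers = defaultdict(set)   # host -> peers it opened SMB sessions to
    served = defaultdict(list)     # host -> (client, port, path) it served .jpg to
    for src, dst, port, detail in parse_lines(log_text):
        if port == SMB_PORT:
            smb_peers[src].add(dst)
        elif port in WORM_PORTS:
            m = HTTP_JPG_RE.match(detail)
            if m:
                served[dst].append((src, port, m["path"]))

    hits = {}
    for host, peers in smb_peers.items():
        if len(peers) < min_smb_peers:
            continue
        # Only count downloads by peers this host had already touched over SMB.
        downloads = sorted(d for d in served.get(host, []) if d[0] in peers)
        if downloads:
            hits[host] = downloads
    return hits


if __name__ == "__main__":
    for host, downloads in find_conficker_like(SAMPLE_LOGS).items():
        print(f"{host}: SMB fan-out followed by .jpg served from a high port -> {downloads}")
```

The ordinary web request to port 80 for `/images/logo.jpg` is deliberately in the sample and is ignored, because it is the pairing of SMB fan-out with a high-port download back from the same host that matters, not the file extension on its own.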

This is the second piece of automated malware that has cropped up to attack the MS08-067 weakness. In the days immediately following Microsoft’s release of the patch last month, a worm called Gimmiv appeared and began exploiting the same flaw. The level of attacks against this particular flaw isn’t surprising, given that it exists in every supported version of Windows and was severe enough for Microsoft to issue one of its unusual out-of-band patches.

November 24, 2008  3:48 PM

VMWare loses top security researcher Sotirov and exec Mulchandani

David Schneier

VMWare has lost two of its key security people in the last couple of weeks: Nand Mulchandani and Alexander Sotirov. Mulchandani, the company’s top security executive, left VMWare recently to take the CEO job at OpenDNS, a startup focused on providing cloud-based DNS operations and security services. Mulchandani was the co-founder and former CEO of Determina, a security startup that VMWare acquired in 2007. He served as the senior director of product management and marketing at VMWare and was the company’s public face on security issues. Before the Determina acquisition, VMWare had been conspicuously quiet about security in general and had been taking some heat from researchers and customers on that front. After Mulchandani came on board, he made a point of talking up the security initiatives the company was working on, including its VMSafe program.

The company also lost one of its key product security experts in Sotirov, who is well known for his work with Mark Dowd on bypassing memory protection mechanisms in Windows Vista through browser exploits. Sotirov’s last day at VMWare is Dec. 2. Like Mulchandani, Sotirov landed at VMWare through the Determina deal, though he’s best known in the security community for his personal research on browser exploits and other projects. Sotirov said he hasn’t decided on his next destination yet.

November 21, 2008  1:08 PM

Antivirus is dead; long live antivirus

David Schneier

Microsoft’s decision this week to kill its Windows Live OneCare consumer antimalware suite has led to plenty of ruminations on the future of antivirus software and whether it is finally in its golden years. Industry analysts and security vendors have been proclaiming the death of AV for years, telling anyone who would listen that the time for reactive defenses is past. There’s no denying that AV is a product with severe inherent flaws. By design, it can only recognize and stop threats that it has seen before. Even with advanced heuristics, the best AV software can’t stop all of the new threats it sees. It just can’t. So AV has been taking criticism from all quarters for nearly a decade. When I first started covering security in 2000, every vendor I met with couldn’t wait to tell me that AV was going the way of the Newton, and soon. But, somehow, amid all the changes and chaos in the industry, AV has survived.

Why? There are probably a number of reasons, but one key contributor to this unnaturally long life is the worsening threat landscape. The volume, severity and level of innovation of attacks have shot up exponentially in the last six or seven years, leading to a corresponding spike in the volume (if not so much the innovation level) of security products on the market. Some of those products, such as IPS and NBAD systems, are fairly efficient at detecting and blocking new threats. But there are so many threats out there these days that systems like AV, which are highly effective at finding and stopping known attacks, are needed to keep the volume of novel, previously unseen attacks manageable.

This has helped keep antimalware suites a necessary component of virtually all enterprise security programs. But whether this will continue to be enough for much longer is unclear. Consumers likely will always need antimalware software, or at least as long as we have our current computing architecture in place. But in the enterprise world? You tell me. Any enterprises out there going commando, sans antivirus? Let me know.

November 19, 2008  4:16 PM

Microsoft kills OneCare security suite

David Schneier

Microsoft’s experiment with a paid antimalware offering is over. The company announced on Tuesday that it is killing its Windows Live OneCare offering in June 2009 in favor of a free security suite code-named “Morro.” The new offering will include the same antivirus, antispyware and other security features as OneCare does now, but will not have the other capabilities the paid product has. Morro is designed to be a strictly antimalware product and will be offered as a free download for XP, Vista and Windows 7 users in the second half of next year.

One interesting point in this is what this decision might mean for Microsoft’s Forefront Client Security offering, the company’s enterprise antimalware and security suite. I doubt that it will mean the demise of Forefront, as Microsoft has a whole lot of time, money and energy invested in the Forefront brand and its presence in the enterprise. It’s a lot easier to pull the plug on a limited consumer offering like OneCare than it is to kill a product like Forefront, which enterprises depend on to protect their critical assets. Microsoft has spent a lot of time convincing IT security staffs that its antimalware product is as good as or better than McAfee’s, Symantec’s or Trend Micro’s, and it’s not about to give up that real estate anytime soon.

November 18, 2008  3:42 PM

Speculation about John Thompson joining Obama administration running rampant

David Schneier

Within an hour of the announcement yesterday that John Thompson plans to retire as Symantec CEO next April, speculation on Thompson’s next move began in earnest. After 10 years at the reins of Symantec, Thompson, 59, is still young enough to take on another challenge if he so chooses. But he’s also wealthy enough that he never needs to work another day in his life. As he told the San Jose Mercury News in an interview yesterday, “The only thing I have in mind is a chaise lounge on the beach, and a mai tai. My personal aspirations are just to relax and spend more time with my family.”

That may be so, but plenty of other people believe that Thompson may be preparing himself for a role in Barack Obama’s administration. Thompson was a vocal supporter of Obama’s during the campaign and Obama has said that he plans to create a national CTO position once he’s in office. Sources close to me say that could be a nice fit for Thompson. In addition to his experience running Symantec and growing it from a consumer AV company to a massive enterprise security and data storage firm, Thompson spent a large chunk of his career at IBM, where he learned the Big Blue management style which has served generations of executives well. He also knows his way around Washington fairly well, having served on the National Infrastructure Advisory Committee during President Bush’s first term.

But the real question is, what’s the upside for Thompson? The national CTO job could be a good platform from which he could have a real effect on the way technology is used in this country. Thompson has plenty of allies in Silicon Valley and the wider business world and he’d be able to open some doors and potentially change what so far has been a sad record on information security inside the Beltway. But the downside is just as big. Plenty of former CEOs and executives have gone to Washington thinking they’d shake things up and make the government work for them, and it just doesn’t happen. The federal government is a unique animal that does not respond well to outsiders with their fancy “real-world experience” and “track records.” It can be a maddeningly illogical environment for a seasoned executive to work in.

But then again, Thompson has shown a willingness in the past to do the unexpected (see: Veritas acquisition), so maybe he has one more trick up his sleeve. He’s supposed to be staying at Symantec until April, and Obama would probably like to have his cabinet and senior advisers in place before that, so we’ll just have to see what the next couple of months bring.

November 17, 2008  5:45 PM

John Thompson to step down as Symantec CEO

David Schneier

John Thompson is leaving Symantec in the spring, after 10 years as the CEO of the security company. Enrique Salem, currently the COO, will take over as CEO in April 2009 when Thompson steps down. Thompson has been at the helm of Symantec since the late 1990s and has guided the company through a period of strong growth as well as abundant change. It was Thompson who made the decision in 2004 to acquire storage and backup vendor Veritas for $13.5 billion, a move that was widely questioned at the time and has continued to draw criticism in the years since. For better or for worse, Thompson led Symantec away from its dependence on its core antivirus business and into a number of other markets. A veteran of IBM, Thompson brought a Big Blue-style sense of discipline and structure to Symantec, but some of his acquisitions and product moves — especially the Veritas and @stake acquisitions — were questioned both inside and outside the company.

I interviewed Thompson on several occasions and always found him to be an engaging, smart and interesting guy. (Here’s a feature I wrote on Thompson in 2006.) He always had a clear idea of what he wanted to do with the company, and I can remember meeting with him a couple of weeks before the Veritas acquisition was final and Thompson was adamant about the value of the deal and the coming intersection of security, availability and storage. He seems to have been proven right on the last point, but after peaking at about $31 right before the Veritas deal was announced, the company’s stock has fallen to the $12 range now.

Salem is an interesting choice to succeed Thompson. He’s in his second tour of duty with the company, having first joined in 1990 and returned in 2004 after several years at ID management vendor Oblix. Salem is widely respected in the security industry — and inside Symantec — and has a broad range of experience, which will be vital in the coming months and years at Symantec.

November 17, 2008  12:00 PM

Free love: NetWitness Investigator and Mandiant’s Memoryze

David Schneier

In today’s economic climate, security teams, just like the rest of the population, are looking for every way they can find to save money and make their budgets go farther. And that can often mean seeking out free alternatives to the enterprise applications and tools that can be brutally expensive. Free and open-source tools have been gaining in popularity for the last few years, with some security professionals preferring them to commercial software.

Picking up on this trend, NetWitness on Monday decided to roll out a free version of its high-end Investigator threat-analysis tool. The tool has most of the capabilities of the paid version of Investigator, aside from some limits on the amount of data that can be captured and analyzed. Designed mainly for use in the capture and analysis of live traffic on networks, the free version of Investigator has the ability to decrypt SSL traffic, includes IPv6 support and a list of other features.

Mandiant, a security consultancy that specializes in forensics work, also has released a free analysis tool, called Memoryze, that is capable of doing live acquisition of memory and giving a detailed view of exactly what’s going on in a specific machine’s memory. Each of these tools is meant to get potential customers interested in the companies’ paid products and services, but they each offer plenty of value on their own, as well. The Internet Storm Center has a good write-up on Investigator, too.

November 12, 2008  3:42 PM

The MS08-068 patch: better late than never

David Schneier

Microsoft used to be notoriously slow about releasing patches, taking months and in some cases years to produce fixes, much to the dismay of customers and the researchers who reported the vulnerabilities. That’s certainly changed in the last few years with the advent of Patch Tuesday, but this week’s release of the MS08-068 patch was an interesting case study in how circumstances can still prevent vendors from getting fixes out for long-known problems.

Microsoft has known about the vulnerability in the Microsoft Server Message Block Protocol since 2001. (To put that in perspective, there are kids in first grade who have never known a world in which the SMB protocol wasn’t broken.) But after looking at the problem, analysts in the Microsoft Security Response Center decided there was no good way to fix the flaw without breaking a lot of other things.

When this issue was first raised back in 2001, we said that we could not make changes to address this issue without negatively impacting network-based applications. And to be clear, the impact would have been to render many (or nearly all) customers’ network-based applications then inoperable. For instance, an Outlook 2000 client wouldn’t have been able to communicate with an Exchange 2000 server. We did say that customers who were concerned about this issue could use SMB signing as an effective mitigation, but, the reality was that there were similar constraints that made it infeasible for customers to implement SMB signing.

That’s a pretty big obstacle to fixing the problem. So Microsoft decided against the fix, but kept working on the issue over the years, and eventually came up with a way to make it work. I think it’s important to note here that Microsoft could easily have just swept this problem under the rug and said, “Everyone will forget about this in a few months, and we’ll just keep fixing the ones we’re able to fix and that will get the attention.” But to the company’s credit, that’s not what happened. They kept chipping away at it, and eventually figured it out.

Still, as Zero Day’s Ryan Naraine points out, there are other vulnerabilities in the Microsoft warehouse gathering dust for reasons unknown:

Oh, by the way, there’s another outstanding issue collecting cobwebs. This ‘token kidnapping’ issue was first discussed in March 2008 and, after a bit of hemming and hawing, confirmed in this Microsoft security advisory. Exploit code for this privilege escalation vulnerability was publicly released last month.

Microsoft knows all this.

We are still waiting on a patch.

The waiting is the hardest part, as the man once said. Here’s hoping it’s not another seven years for this one.

November 11, 2008  3:08 PM

Google AdWords phishing scam on the loose

David Schneier

The creativity and resourcefulness of the criminal underground never ceases to amaze me. Granted, these guys have nothing else to do but sit around and come up with new scams, but still, some of these things are truly inspired. Have a look at this Google AdWords phishing scam that has been showing up in recent days:

From: Google AdWords <>
Subject: Google AdWords Alert
Date: Wed, 12 Nov 2008 02:27:xx +1000 


Our attempt to charge your credit card on Wed, 12 Nov 2008 02:27:xx +1000
for your outstanding Google AdWords account balance was declined.
Your account is still open. However, your ads have been suspended. Once
we are able to charge your card and receive payment for your account
balance, we will re-activate your ads. 

Please update your billing information, even if you plan to use the
same credit card. This will trigger our billing system to try charging
your card again. You do not need to contact us to reactivate your

To update your primary payment information, please follow these steps: 

1. Log in to your AdWords account at: http://adwords .google .com
.session- xxxxxxxxxxxxxxxxxxxx .xxxxxxxxxxxxxxxxxxxx .com68 .ru
3. Click 'Billing Preferences' link.
4. Click Edit next to the appropriate 'Payment Details' section.
5. Enter your new or updated payment information.
6. Click 'Save Changes' when you have finished. 

In the future, you may wish to use a backup credit card in order to
help ensure continuous delivery of your ads. You can add a backup
credit card by visiting your Billing Preferences page.
This message was sent from a notification-only email address that does
not accept incoming email. Please do not reply to this message. If you
have any questions, please visit the Google AdWords Help Centre at to find answers to
frequently asked questions and a 'contact us' link near the bottom of
the page.

Thank you for advertising with Google AdWords.
We look forward to providing you with the most effective advertising available. 


The Google AdWords Team

I don’t see too many glaring errors in this message that make it stand out as a phish. As the Internet Storm Center diary entry on this scam points out, the only real problems are the URL ending in .ru and the date that is in the future. Aside from that, this is pretty solid work. I’d guess that most average users would have little to no chance of recognizing this as a phishing email. No misspellings, no first-grade grammar and no pleas for money to be transferred to an account in Djibouti. Egads.
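The two tells the Internet Storm Center identified, a link whose registrable domain is not google.com and a Date header set in the future, are exactly the kind of thing a mail gateway can check mechanically even when the prose is flawless. The script below is an added example for this post, not code from Google, the ISC or the original article. The phish it analyzes is a reconstruction of the message quoted above with the obfuscating spaces in the URL removed and the masked seconds and hostname labels filled with obvious placeholders; the benign comparison message, the sender address in it, and the reference “now” are constructed for the demonstration. The empty `<>` sender address is a third check taken directly from the quoted headers.

```python
import re
from datetime import datetime, timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed reconstruction of the phish quoted above. The host labels
# "xxxxxxxxxxxx" and "yyyyyyyyyyyy" are placeholders; only the shape (brand-like
# labels in front of a .ru registrable domain) follows the post.
SAMPLE_PHISH = """\
From: Google AdWords <>
Subject: Google AdWords Alert
Date: Wed, 12 Nov 2008 02:27:00 +1000

Our attempt to charge your credit card for your outstanding Google AdWords
account balance was declined. To update your payment information:
1. Log in to your AdWords account at: http://adwords.google.com.session-xxxxxxxxxxxx.yyyyyyyyyyyy.com68.ru
3. Click 'Billing Preferences' link.
"""

# Constructed benign counterpart for comparison (sender address is invented).
SAMPLE_LEGIT = """\
From: Google AdWords <adwords-noreply@google.com>
Subject: Google AdWords Alert
Date: Mon, 10 Nov 2008 09:15:00 +0000

Sign in at https://adwords.google.com/select/Login to review your billing.
"""

# Constructed reference time for the "Date is in the future" check.
REF_NOW = datetime(2008, 11, 11, 12, 0, tzinfo=timezone.utc)

URL_HOST_RE = re.compile(r"https?://([^\s/'\"<>]+)")
ANGLE_ADDR_RE = re.compile(r"<([^>]*)>")


def registrable_domain(host):
    """Naive eTLD+1: the last two labels. Enough for .com/.ru; a real gateway
    would consult the public suffix list to handle multi-label suffixes."""
    labels = host.lower().split(":")[0].rstrip(".").split(".")
    return ".".join(labels[-2:])


def analyze(raw_message, expected_domain, now=REF_NOW):
    """Return a list of human-readable findings; an empty list means no tell fired."""
    msg = message_from_string(raw_message)
    findings = []

    # Tell 1: a display name with an empty angle-bracket address, as in the phish.
    m = ANGLE_ADDR_RE.search(msg.get("From", ""))
    if m is not None and m.group(1).strip() == "":
        findings.append("empty sender address")

    # Tell 2: Date header later than the time we are looking at the message.
    try:
        if parsedate_to_datetime(msg.get("Date", "")) > now:
            findings.append("Date header is in the future")
    except (TypeError, ValueError):
        findings.append("unparseable Date header")

    # Tell 3: every link's registrable domain must be the brand's real domain.
    for host in URL_HOST_RE.findall(msg.get_payload()):
        rd = registrable_domain(host)
        if rd != expected_domain:
            tag = "brand lookalike" if expected_domain in host.lower() else "off-brand link"
            findings.append(f"{tag}: {host} belongs to {rd}, not {expected_domain}")
    return findings


if __name__ == "__main__":
    for label, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, "->", analyze(sample, "google.com") or ["no findings"])
```

The point of the `registrable_domain` check is that everything to the left of the last two labels is under the attacker’s control: `adwords.google.com.session-...` reads as Google to a human, but the only part the registry vouches for is `com68.ru`.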
