Security Bytes

December 11, 2007  2:25 PM

Bad holiday PR

Leigha Cardwell

I absolutely love Christmas, and even have a soft spot for a lot of the tacky stuff that comes with it, like fake silver trees, loud-colored garland and the Coca-Cola version of Santa Claus.

But there is one thing that will bring out the Grinch in me every time — holiday-inspired PR pitches security vendors insist on hurling at me with the glee of kids in a snowball fight. The folks at PGP will probably be mad at me for this, but I can’t help but make an example of them this time around.

Here’s what they sent me Tuesday as I sat anxiously awaiting this month’s Microsoft patch bulletins:

The 12 Threats of Christmas

The twelve threats of Christmas, is networking secure?

The bad guys are shaking their lures.

With the Storm Worm, and rootkits, and crimeware everywhere,

We should prepare

For infections we’d rather not share!

O the twelve threats of Christmas, what more can we endure?

Twelve hackers hacking

Eleven passwords cracking

Ten laptops leaving

Nine phishers phishing

Eight Web sites crashing

Seven spammers spamming

Six Trojans sneaking

Five breaches more!

Four corp’rate spies

Three bot nets

Two online games

And an unencrypted missing flash drive!

The only gift I can give in return is a groan followed by a Bah Humbug!

December 10, 2007  1:03 PM

Pay no attention to the pop-up box behind the curtain

David Schneier

Bill Clinton may be the world’s champion when it comes to parsing words and phrases to suit his own purposes, but to give credit where credit is due, executives from software companies are making up ground in this race quickly. One prime example of this is the reaction from a Microsoft executive in a recent story by our Bill Brenner on Vista deployment challenges. Users have roundly criticized the User Account Control technology in Vista for its propensity to throw pop-up boxes at users constantly. This, and other Vista quirks, have led quite a few enterprises to put off their Vista roll-outs until after SP1 at the earliest. Microsoft’s answer to this was both odd and instructive, I think:

Shanen Boettcher, general manager of Windows client product management at Microsoft, doesn’t deny there have been problems. But if the sales figures are any indication, he said, the first year of Vista has been a success.

In addition to having sold 88 million copies of Vista, he said, more than 42 million PCs are now licensed under volume licensing agreements, demonstrating that businesses are buying into the long-term value of Vista.

In other words, as long as the thing is selling, we’re good. It would be interesting to see a breakdown of those sales figures to see how many copies were pre-installed on new PCs and how many were shrinkwrapped. The feeling I get from IT folks is that right now they’re only upgrading to Vista when they have to buy new machines, not by choice. Enterprises tend to move pretty slowly on deployments of major new products like this anyway. Microsoft has, in fact, made a number of changes to the way that UAC behaves in response to user feedback. But it’s interesting that the executive’s first reaction to questions about problems with UAC and other Vista features is, Hey, look how many copies we’ve sold.

December 7, 2007  2:21 PM

The changing role of the CSO

David Schneier

In the last few months I’ve been hearing more and more from CEOs, CIOs and CSOs about the changing role of the CSO (or CISO, depending on your org chart) in the enterprise. In the past, the CSO has nearly always been a technically minded person who has risen through the IT ranks and then made the jump to the executive ranks. That lineage sometimes got in the way when it came time to deal with other upper managers who typically had little or no technical knowledge and weren’t interested in the minutiae of authentication schemes, NAC and unified threat management. They simply wanted things to work and to avoid seeing the company’s name in the papers for a security breach.

But that seems to be changing rather rapidly. Last month I was on a panel in Chicago with Howard Schmidt, Lloyd Hession, the CSO of BT Radianz, and Bill Santille, CIO of Uline, and the conversation quickly turned to the ways in which the increased focus on risk management in enterprises has forced CSOs to adapt and expand their skill sets. A knowledge of IDS, firewalls and PKI is not nearly enough these days, and in some cases is not even required to be a CSO. One member of the audience said that the CSO position in his company is rotated regularly among senior managers, most of whom have no technical background and are supported by a senior IT staff member who serves as CISO. The CSO slot is seen as a necessary stop on the management circuit, in other words. Several other CSOs in the audience said that they no longer report to the CIO and are not even part of the IT organization. Instead, they report to the CFO, the chief legal counsel, or in one case, the ethics officer.

The number of organizations making this kind of change surprised me at the time. But, in thinking more about it, it makes a lot of sense, given that the daily technical security tasks are handled by people well below the CSO’s office. And many of the CSOs I know say they spend most of their time these days dealing with policy issues such as regulatory compliance. Patrick Conte, the CEO of software maker Agiliance, which put on the panel, told me that these comments fit with what he was hearing from his customers, as well. Some of this shift is clearly attributable to the changing priorities inside these enterprises. But some of it also is a result of the maturation of the security industry as a whole, which has translated into less of a focus on technology and more attention being paid to policies, procedures and other non-technical matters.

How this plays out in the coming months and years will be quite interesting. My guess is that as security continues to be absorbed into the larger IT and operations functions, the CSO’s job will continue to morph into more of a business role.

December 7, 2007  6:26 AM

Time to update your Skype

Leigha Cardwell

Skype users will want to upgrade to version for Windows to close a security hole attackers could exploit to run malicious code on vulnerable machines.

According to Danish vulnerability clearinghouse Secunia, the problem is an error in the “skype4com” URI handler when processing short string values and can be exploited to corrupt memory. Successful exploitation allows execution of arbitrary code when a user visits a malicious Web site.

The flaw was disclosed by an anonymous researcher via TippingPoint’s Zero-Day initiative.

December 6, 2007  5:15 PM

Finding Vista SP1 testers in the blogosphere

Leigha Cardwell

As I noted earlier, Microsoft is about to unleash Vista SP1 release candidate 1. I’ll be interested to see if it truly addresses issues IT administrators have noted throughout the run of our Vista deployment series, especially the compatibility and UAC pop-up box troubles. To figure it all out I’ll be looking for a few people who are actively testing it.

In the meantime, I’ve taken to the blogosphere in search of those who are ready to play around with Vista SP1 and blog their impressions, and am using this week’s column to share what I’ve found so far.

I’m sure the rundown below misses a lot of good blogs, so if you know of any others, please let me know. Now, for what I have found:

Over at, Jonathan Schlaffer promises that as soon as Vista SP1 (public) beta hits the Internet, “we’ll be downloading and testing it until we’re sick of it.”

Steven Hodson writes in his WinExtra blog that he has no intention of touching SP1 until the final version is out. As he puts it, “If it were a case where I was still running XP I wouldn’t hesitate a minute to grab any available version of XP SP3 and install it without a second thought. With Vista however I am breaking this self-made rule and putting my gauze bandages back in the closet because this is one Windows OS version where I won’t be touching anything less that the final build of SP1.”

“Unlike some of the more vocal commenters in previous posts about Vista problems I have some serious doubts about the OS,” he adds.

He writes that while service pack release candidates have proven to be fairly stable in the past, he doesn’t have the same feeling about SP1 for Vista and that much of the advance gossip about SP1 isn’t about performance improvement but more around stability and security; along with a totally revamped WGA system.

Now, I know this column is about spotlighting blogs where the authors indicate plans to test Vista SP1 and this guy is pretty adamant that he won’t be touching it. But I’m listing his blog here because he describes himself as a “cranky old fart wandering the Internet and causing mayhem as he goes.” He may have a cranky outlook on SP1, but I have a feeling he’s going to try it out anyway. If wandering the Internet in search of mayhem is what you’re into, the service pack will probably be too tempting to avoid.

Self-described Windows geek Brandon LeBlanc can barely contain his excitement about the service pack in his blog, writing that he has gone all out in updating all of his PCs to the Windows Vista SP1 RC. In a separate posting in the Windows Experience blog, he describes his first impressions:

“When logging in to my PCs for the first time after installing the Windows Vista SP1 RC, the first thing I took notice of was that none of my PCs displayed a “find device driver” pop-up like I had experienced with the beta. Previously, I had a “find display driver” pop-up for my graphics driver for the PCs I had installed the SP1 beta on. In the RC – this seems to have been fixed. Many of the improvements I took note of back in September still held up, if not better, with the RC.”

All of his applications continue to work, including:

  • Sony Vegas 7
  • New Zune software
  • Visual Basic 2008 Expression
  • Windows Live suite of applications
  • Windows Live OneCare
  • Smart FTP
  • ImgBurn
  • Yahoo! Messenger 9 Beta
  • Virtual PC 2007
  • Paint.NET

“I’ve spent a total of three days now running a complete Windows Vista SP1 environment and am very impressed with the improvements and fixes that the RC provides over the last beta,” he wrote.

Keep track of his blog and see if he still feels that way in a few weeks. Either way, it looks like he’ll provide some good technical content.

Michael Pietroforte, head of the IT department at the University Library of the Ludwig-Maximilian University in Munich, Germany, writes of the service pack in his 4sysops blog. If you look at some of his posts you’ll see he has had his share of Vista challenges, so it’ll be interesting to keep track and see if SP1 solves any problems for him.

So that’s a few blogs that may offer some insight into Vista SP1 as the testing process unfolds. But like I said, this is far from a complete list. So please, if there are other such blogs I should be listing, pass ’em along.

About Security Blog Log: Senior News Writer Bill Brenner peruses security blogs each day to see what’s got the information security community buzzing. In this column he lists the weekly highlights. If you’d like to comment on the column or bring new security blogs to his attention, contact him at

December 6, 2007  6:29 AM

Microsoft rolls out Vista SP1 release candidate 1

Leigha Cardwell

As I’ve been reporting throughout the course of our Vista deployment series, a majority of IT shops are moving as slowly as possible on their Vista deployments because of compatibility problems and a dislike of UAC-generated pop-up boxes. [See the latest case study here.]

As IT pros discuss these issues, they almost always talk about how they’re going to wait for the first service pack, which they hope will address the issues described above.

Microsoft, aware of this attitude, announced Wednesday that it’s launching the first release candidate of Vista SP1. Here’s what the folks at Microsoft had to say in the Windows Vista Team Blog:

“Today we’re making available the release candidate (RC) of Windows Vista SP1 via Microsoft Connect, and tomorrow subscribers to TechNet and MSDN will have access to those RC bits too. In addition, the RC will be available to the public next week via Microsoft’s Download Center. The release candidate phase of beta software is typically the final phase before the RTM (release-to-manufacturing) of a product and indicates that the code has attained a significant level of performance and stability.”

Nick White, a product manager on the Windows Vista team, described several changes made since the beta release of SP1 — many of which came about as a result of direct feedback from the beta-testing community:

  • The size of the standalone installers have decreased significantly. For example, the standalone installer packages consisting of all 36 languages (x86 and x64 chip architectures) are smaller by over 50%. The standalone installer packages consisting of just the 5 languages (again, x86 and x64) slated for initial release are more than 30% smaller in size.
  • The required amount of disc space for SP1 installation has also decreased significantly. Furthermore, with the RC, if more space is required to install SP1, an error message will now display exactly how much space is needed to complete the installation.
  • Previous SP1 versions left behind a directory of files that wasn’t needed after installation and occupied about 1GB of space; the RC includes automatic disk clean-up to remove this directory.
  • Installation reliability has been improved based on bug reports and error codes reported from Windows Update. Testing shows that these improvements have significantly increased the proportion of successful installations of the RC.
  • Microsoft has improved the user experience of installing SP1 via Windows Update. During the beta release, users installed without much guidance from Windows Update. The RC now contains a series of screens with detailed information on SP1.

Hopefully, these changes will address some of the concerns we’ve written about.

December 6, 2007  6:03 AM

Fixes arrive for Cisco Security Agent, OpenOffice

Leigha Cardwell

Two patching items to report this morning: one affecting Cisco Security Agent (CSA), the other OpenOffice.

First, the CSA flaw, as described in Cisco advisory cisco-sa-20071205-csa: A buffer overflow vulnerability exists in a system driver used by the Cisco Security Agent for Microsoft Windows. This buffer overflow can be exploited remotely and causes corruption of kernel memory, which leads to a Windows stop error (blue screen) or to arbitrary code execution. The vulnerability is triggered during processing of a crafted TCP segment destined to TCP port 139 or 445. These ports are used by the Microsoft Server Message Block (SMB) protocol.

Cisco has released free software updates that address this vulnerability.

Next, the OpenOffice issue as described in CVE-2007-4575: A security vulnerability in HSQLDB, the default database engine shipped with 2 (all versions), may allow attackers to execute arbitrary static Java code, by manipulating database documents to be opened by a user. All versions prior to 2.3.1 are affected.

This issue is addressed in HSQLDB and 2.3.1.

December 3, 2007  6:08 AM

Attackers eye QuickTime exploit code

Leigha Cardwell

Attackers are trying to make use of the exploit code released last week for Apple’s popular QuickTime media player, prompting Symantec to raise its ThreatCon back to Level 2. Here’s the email advisory sent to customers of Symantec’s DeepSight threat management service:

The ThreatCon is currently at Level 2. As of December 1, 2007 the DeepSight honeynet has observed active exploitation of the Apple QuickTime RTSP Response Header Remote Stack Based Buffer Overflow Vulnerability. This vulnerability was originally disclosed on November 23, 2007 and since this time we have seen numerous exploits targeting the flaw being released to the public. At the time of writing, there has been no vendor-supplied patch released for this issue.

The attack observed was hosted on ( over TCP port 554. Additionally the IP address is hosting a web server, which contains script code directing users to the exploit. The IP hosting the attack is referenced by another domain, resolving to

Customers are urged to filter outgoing access to these IP addresses immediately to aid in immediate prevention of exploitation. Symantec is currently investigating this attack further. Currently the main script page users will come into contact with prior to exploitation is detected by Symantec as Downloader.
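As an added illustration of the egress check the advisory calls for (not part of the original post or of Symantec's advisory), the script below triages outbound connection records for the pattern described: a web request to an advisory IP followed by a connection to the same IP on TCP port 554. The log format, the 10.0.0.0/8 internal range, the 60-second window and the RFC 5737 placeholder addresses are all assumptions, since the real IPs are elided in the text above.

```python
import ipaddress

# Constructed sample egress log, one record per line:
#   "epoch_seconds src_ip dst_ip dst_port proto"
# 192.0.2.x / 198.51.100.x / 203.0.113.x are RFC 5737 documentation addresses
# used as placeholders for the IPs missing from the advisory text.
SAMPLE_LOG = """\
1196700000 10.0.0.21 192.0.2.10 80 tcp
1196700004 10.0.0.21 192.0.2.10 554 tcp
1196700100 10.0.0.35 198.51.100.7 554 tcp
1196700200 10.0.0.40 192.0.2.10 80 tcp
1196700300 10.0.0.52 203.0.113.5 443 tcp
malformed line here
"""

ADVISORY_IPS = {"192.0.2.10"}                           # placeholder blocklist
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]    # assumed internal range
RTSP_PORT = 554
WEB_PORTS = {80, 8080}
RANK = {"rtsp-egress": 1, "advisory-contact": 2, "exploit-path": 3}


def parse_line(line):
    """Return a record dict, or None for lines that do not fit the format."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, src, dst, port, proto = parts
    try:
        return {
            "ts": int(ts),
            "src": str(ipaddress.ip_address(src)),
            "dst": str(ipaddress.ip_address(dst)),
            "port": int(port),
            "proto": proto.lower(),
        }
    except ValueError:
        return None


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def triage(log_text, advisory_ips, window=60):
    """Map each internal source host to its most severe finding.

    exploit-path     web hit on an advisory IP, then TCP 554 to the same IP
                     within `window` seconds (redirect page, then RTSP server)
    advisory-contact any other TCP connection to an advisory IP
    rtsp-egress      TCP 554 to some other external host (review while no
                     vendor patch is available)
    """
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])
    last_web = {}   # (src, dst) -> time of last web request to an advisory IP
    findings = {}
    for e in events:
        if e["proto"] != "tcp" or not is_internal(e["src"]):
            continue
        key = (e["src"], e["dst"])
        verdict = None
        if e["dst"] in advisory_ips:
            verdict = "advisory-contact"
            if e["port"] in WEB_PORTS:
                last_web[key] = e["ts"]
            elif (e["port"] == RTSP_PORT and key in last_web
                  and e["ts"] - last_web[key] <= window):
                verdict = "exploit-path"
        elif e["port"] == RTSP_PORT and not is_internal(e["dst"]):
            verdict = "rtsp-egress"
        if verdict and RANK[verdict] > RANK.get(findings.get(e["src"]), 0):
            findings[e["src"]] = verdict
    return findings


if __name__ == "__main__":
    for host, verdict in sorted(triage(SAMPLE_LOG, ADVISORY_IPS).items()):
        print(f"{host}\t{verdict}")
```

Hosts marked `exploit-path` are the ones to examine first; `rtsp-egress` hits show where a blanket outbound block on TCP 554 would have an effect.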

November 29, 2007  4:41 PM

FBI launches Operation Bot Roast II

Leigha Cardwell

The FBI has just announced the results of its latest crackdown on botnet herders, designated Operation Bot Roast II. Since the first crackdown in June, eight people have been indicted, pleaded guilty or been sentenced for botnet crimes. Meanwhile, 13 search warrants were served in the U.S. and by overseas law enforcement partners in connection with this operation.

So far, the FBI says it has uncovered more than $20 million in economic losses and more than one million hijacked machines.

Says FBI Director Robert S. Mueller: “Today, botnets are the weapon of choice of cyber criminals. They seek to conceal their criminal activities by using third party computers as vehicles for their crimes. In Bot Roast II, we see the diverse and complex nature of crimes that are being committed through the use of botnets. Despite this enormous challenge, we will continue to be aggressive in finding those responsible for attempting to exploit unknowing Internet users.”

The individuals identified as part of Bot Roast II are:

Ryan Brett Goldstein, 21, of Ambler, Pennsylvania, was indicted on 11/01/07 by a federal grand jury in the Eastern District of Pennsylvania for botnet related activity which caused a distributed denial of service (DDoS) attack at a major Philadelphia area university. In the midst of this investigation the FBI was able to neutralize a vast portion of the criminal botnet by disrupting the botnet’s ability to communicate with other botnets. In doing so, it reduced the risk for infected computers to facilitate further criminal activity. This investigation continues as more individuals are being sought.

Adam Sweaney, 27, of Tacoma, Washington, pled guilty on September 24, 2007 in U.S. District Court, District of Columbia, to a one count felony violation for conspiracy fraud and related activity in connection with computers. He conspired with others to send tens of thousands of email messages during a one-year period. In addition, Sweaney surreptitiously gained control of hundreds of thousands of bot controlled computers. Sweaney would then lease the capabilities of the compromised computers to others who launched spam and DDoS attacks.

Robert Matthew Bentley of Panama City, Florida, was indicted on 11/27/07 by a federal grand jury in the Northern District of Florida for his involvement in botnet related activity involving coding and adware schemes. This investigation is being conducted by the U.S. Secret Service.

Alexander Dmitriyevich Paskalov, 38, multiple U.S. addresses, was sentenced on 10/12/2007 in U.S. District Court, Northern District of Florida, and received 42 months in prison for his participation in a significant and complex phishing scheme that targeted a major financial institution in the Midwest and resulted in multi-million dollar losses.

Azizbek Takhirovich Mamadjanov, 21, residing in Florida, was sentenced in June 2007 in U.S. District Court, Northern District of Florida, to 24 months in prison for his part in the same Midwest bank phishing scheme as Paskalov. Paskalov established a bogus company and then opened accounts in the names of the bogus company. The phishing scheme in which Paskalov and Mamadjanov participated targeted other businesses and electronically transferred substantial sums of money into their bogus business accounts. Immigrations Customs Enforcement, Florida Department of Law Enforcement, and the Panama City Beach Police Department were active partners in this investigation.

John Schiefer, 26, of Los Angeles, California, agreed to plead guilty on 11/8/2007 in U.S. District Court in the Central District of California, to a four felony count criminal information. A well-known member of the botnet underground, Schiefer used malicious software to intercept Internet communications, steal usernames and passwords, and defraud legitimate businesses. Schiefer transferred compromised communications and usernames and passwords and also used them to fraudulently purchase goods for himself. This case was the first time in the U.S. that someone has been charged under the federal wiretap statute for conduct related to botnets.

Gregory King, 21, of Fairfield, California, was indicted on 9/27/2007 by a federal grand jury in the Central District of California on four counts of transmission of code to cause damage to a protected computer. King allegedly conducted DDoS attacks against various companies including a web based company designed to combat phishing and malware.

Jason Michael Downey, 24, of Dry Ridge, Kentucky, was sentenced on 10/23/2007 in U.S. District Court, Eastern District of Michigan, to 12 months in prison followed by probation, restitution, and community service for operating a large botnet that conducted numerous DDoS attacks that resulted in substantial damages. Downey operated Internet Relay Chat (IRC) network Rizon. Downey stated that most of the attacks he committed were on other IRC networks or on the people that operated them. Downey’s targets of DDoS often resided on shared servers which contained other customers’ data. As a result of DDoS to his target, innocent customers residing on the same physical server also fell victim to his attacks. One victim confirmed financial damages of $19,500 as a result of the DDoS attacks.

November 29, 2007  1:27 PM

Where to find the best IT security news roundups

Leigha Cardwell

A couple weeks ago at the monthly meeting of the National Information Security Group (NAISG) in Waltham, Mass., I gave a couple of PowerPoint presentations when the scheduled speaker hit some travel snags and couldn’t make it. I’m on the NAISG board of directors and it was my turn to take one for the team.

One of the presentations was about how and Information Security magazine is focused like the proverbial laser beam on the security challenges of IT professionals. My goal was to make the point that it’s crucial for us to talk to IT admins on a regular basis to get the best sense of what their challenges are and what kind of information we can put in our stories to help them do their jobs better.

Whenever I finish this presentation and start taking questions from the audience, the conversation always shifts to which Web sites and blogs I visit each day to find the latest news and analysis. The vast majority of what I look at each day is more in the form of technical advisories and security dashboards fitted with the various threat level boxes kept by Symantec, IBM ISS and many other security vendors.

But the blogosphere is becoming an increasingly important source of news and analysis, and while I wouldn’t think of giving away all of my source material, I think it’s useful for me to flag some blogs you can all get some use from. Some are straight roundups of the news of the day, others are more opinionated summaries of the news and then there are blogs offering a bit of both.

And so here is a list of some blogs that have become favorite stopping points during my so-called morning scan, the daily ritual where I fire up the laptop at 5 a.m., coffee in hand, and browse cyberspace in search of breaking news that may require our fast attention:

Liquidmatrix: This is the site of IT security professional Dave Lewis, where he offers, among other things, a daily “Security Briefing” of whatever the big news of the morning may be. It’s set up to read like a scan of the morning newspapers.

The Daily Incite: This is another daily morning roundup — but with a heavier dose of attitude and analysis — from Mike Rothman, president and principal analyst of Security Incite. Once in awhile Mike will take issue with something written by me or one of my colleagues, but he offers a lot of fair analysis on the daily news that can be helpful when you’re trying to make quick sense of whatever has just happened.

Donna’s Security Flash: She keeps meticulous track of daily news items, summarizing and linking to various news stories of note.

The Breach Blog: This one reads like the typical advisory for software vulnerabilities, only the focus is on the latest reported data security breaches. Entries include the date an incident is reported, how many people affected and a summary of what specifically happened.

Techdirt: OK, this blog isn’t security-specific. It’s more of a wide-angle overview of technology news. But they include a ton of security news, helpful links and attitude that makes for interesting reading. This is another daily roundup of security breaches and other privacy-related news such as legislative developments, linking to various news stories around the Web. One of the most impressive aspects of this blog is how up to date it is. You’ll usually find fresh data breach reports milliseconds after the news has broken.

Happy reading!
