Security Bytes

Jun 22 2007   5:16AM GMT

Sick of those 100% virus-free claims? Read on

Leigha Leigha Cardwell Profile: Leigha

As an information security writer, my email and voice-mail inboxes are constantly flooded with vendor pitches promising everything from Sarbanes-Oxley compliance in a box to 100% malware-free machines. Anyone in IT security knows these things don’t really exist, and so I begin with a posting

100% virus-free guarantee” for its TrustLayer Mail service.

“If it wasn’t for that ‘absolute protection‘ bit … I might have believed they had the best of intentions at heart and simply meant that they’d give you your money back if they failed to keep the viruses out (not that it will necessarily compensate a business for the cost they’ll incur when malware slips through and their guard is down due to a false sense of security).” Wismer writes that he knocked Messagelabs for making similar claims a few years ago.

“Even if I were inclined to believe they had the best intentions, the road to hell is paved with such intentions,” he said.

He warned that 100% virus protection are the magic words vendors must not say and the promise they must not make. I agree. Even if a security product were 100% ironclad from the day of release (which it wouldn’t be), the bad guys have a way of finding their way around the latest and greatest defenses, and no one product is ever immune.

AOL’s “odd” password problem

The Darknet blog has an interesting item this week on what it calls AOL’s “odd” password problem. The blog cited a Washington Post article about what’s described as AOL’s strangely configured password system.

“Users can enter up to 16 characters as a password, but the system only reads the first eight and discards the rest,” the blog said. “They are basically truncating the password at eight characters.”

The entry links to the blog of Washington Post writer Brian Krebs, who writes about how one of his readers went to access their account and accidentally entered an extra character at the end of their password. “That didn’t stop him from entering his account,” Krebs wrote. “Curious, the reader tried adding multiple alphanumeric sequences after his password, and each time it logged him in successfully.”

BT Counterpane CTO Bruce Schneier told him the system is “sloppy and stupid” because it does nothing to help users protect themselves. In fact, he says, the user is unfairly punished for writing a long password.

AOL is apparently looking into the problem.

Reflecting on this week’s massive Web attack

The analysis keeps coming in regarding that massive Web attack that left a lot of Italian computers reeling earlier in the week. Robert Freeman over at IBM ISS has this assessment in the company’s Frequency X blog:

“The most important thing to keep in mind about this attack using compromised hosts and the mPack exploit toolkit is that there is nothing unique save for the number of hosts involved,” he writes. “A year ago the popular exploit toolkit was WebAttacker from Inet-Lux. The same many-to-one approach of using multiple compromised hosts to redirect to a singular malicious site was popular.”

Prior to this “Italian Job,” he says, “we’ve been seeing mPack use in the wild exploding this year.” But he wants people to remember that there are other toolkits out there and there is no shortage of malicious talent to construct new ones.

“Whoever advertises the highest anticipated rate of infection will have a chance to become the weapon of choice,” he says. “Moving forward, I’m sure we’ll see further larger-scale attacks play out either with mPack or another toolkit.”

Not a very comfortable thought, but not surprising, either.

Will the last security vendor please turn out the lights?

I end with the ongoing reaction to HP’s decision to buy SPI Dynamics. As one security vendor after another is gobbled up by the big IT infrastructure providers, speculation on who’s next can only intensify.

Christofer Hoff, chief security strategist for Crossbeam Systems, writes in his Rational Security blog that HP, like IBM with WatchFire, will use this to drive service revenue. In the end, he jokes, “That leaves only 600+ security companies left in the security consolidation dating pool.”

About Security Blog Log: Senior News Writer Bill Brenner peruses security blogs each day to see what’s got the information security community buzzing. In this column he lists the weekly highlights. If you’d like to comment on the column or bring new security blogs to his attention, contact him at

 Comment on this Post

There was an error processing your information. Please try again later.
Thanks. We'll let you know when a new response is added.
Send me notifications when other members comment.

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to:

Share this item with your network: