Robert Lemos

Remote-Access Apps Continue to Serve As Popular Attack Vectors

By Rob Lemos

There are a lot of good reasons to have remote-access software installed on a business network: It might be there to allow a remote administrator to manage a database, to let a third-party point-of-sale management firm apply patches, or even to give a PBX vendor access to the server managing its client’s voice-over-IP lines. Unfortunately, through poor configuration, bad passwords or vulnerabilities, the same software is also letting attackers in to steal data, and it is becoming an increasingly popular attack vector.

UPDATE: Slammed And Blasted A Decade Ago, Microsoft Got Serious About Security

UPDATE: A decade ago this week, Chairman Bill Gates kicked off the Trustworthy Computing Initiative at Microsoft with a company-wide memo. The echoes of that memo still resonate throughout the software industry today as other firms, from Apple to Adobe, and Oracle to Google have followed the path that Microsoft blazed over the past ten years.

By any measure, Luigi Auriemma is a prolific vulnerability researcher. In the first ten months of 2011, the pay-for-bugs program Zero Day Initiative (ZDI) credited Auriemma with discovering 30 vulnerabilities, ranging from issues in Sybase enterprise software to Adobe Shockwave to Apple QuickTime. In its Upcoming Advisories section, ZDI credited Auriemma with another 35 vulnerabilities that still await fixes from their developers. The researcher, who has made his name in part by finding SCADA bugs, is not yet ready to leave his day job. Despite ZDI’s bonus system, his independent research is not a career, he says.

In the wake of this weekend’s revelations of the seriousness of the attack on certificate authority DigiNotar, security experts have renewed criticism of the Internet’s digital certificate infrastructure, with some wondering if larger certificate authorities (CAs) might be too big to fail.

Attackers interested in getting the most bang for their buck focus on ubiquitous software. Microsoft’s Office, Adobe’s Acrobat and Oracle’s Java have all become popular platforms exploited by cybercriminals intent on compromising end users’ systems. Another platform has quietly made its way onto many systems and become the focus of security researchers, if not yet of cybercriminals: WebKit.

Rethinking DEFCON

For nearly two decades, the DEFCON hacking conference has brought together people with an interest in investigating technology and cracking security. In recent years, however, DEFCON has suffered significant growing pains. Getting between sessions meant pushing through crowds reminiscent of major crossroads in Tokyo. Entering an almost-completed session to get a jump on the next was not allowed, so people lined up in the hallways, further clogging the byways. And, the smaller sessions — such as the lockpicking village — failed to offer a sanctuary from the crowds and were routinely packed as well. While attendees were always destined to miss the majority of the happenings at the conference, DEFCON increasingly seems to be more about moving from location to location, and less about all of the learning in between.

The security industry is full of pernicious problems with no easy solutions. Take spam, for example. The current best defense is filtering out the obvious spam messages. Yet the countermeasure is not a solution: As anti-spam technology gets better, spammers merely churn out more spam and achieve the same results. Not satisfied with the status quo, a team of academic researchers focused on collecting data on the business ecosystem that funds spam and searched for weak links. While blocking domain names will not generally work, they did find a strategy that could have a high payoff: Targeting the small number of banks that process spammers’ transactions and getting them to cut off their clients.

The threats and attacks may have changed in the last decade, but one thing has remained constant: software giant Microsoft doesn’t pay for vulnerabilities. Never has. Never will. Even as rivals like Mozilla and Google have introduced bug bounty programs, the Redmond, Washington, giant has stuck doggedly with a position it articulated almost a decade ago, refusing to offer monetary rewards for information on software holes. But security experts say that position may have to change.

The takedown of the Rustock botnet in March gave Microsoft another head for its mantle: two in just the last year. That’s an impressive take for any private firm, and one of a string of actions against bot networks in recent years. But security experts say that the company’s success in building a legal basis for moving against botnets is an even bigger achievement.