September 20, 2006
Sprint Sells Security Service for SmartPhones
With all the concern about data being lost on laptops, and “vulnerabilities” in BlackBerrys, Sprint is jumping into the action. They are offering a managed security service for smartphones (you know, like that Treo 700 your boss carries).
Sprint Mobile Security enforces password polices using personal identification numbers and other user-specific credentials for authentication. Customers also have the option of encrypting specific files, a device or memory card. This same encryption can be used by mobile customers to securely access their corporate VPN, the service provider says.
The service also scans, identifies and removes malware, viruses, worms and the like from mobile devices using a firewall that resides on the handheld or laptop. This firewall is also used to block denial-of-service attacks.
That’s good, because we’re all worried about phones getting DOS’d. What!?
This is the first of its kind to my knowledge, and may help them win some traction in the highly valued big-business space. Now, they’re mostly deploying and managing some Mobile Armor software for you, and charging you $9/month, although they have added some custom features like:
[The] ability to remotely lock a wireless device if reported lost or stolen and the ability to remotely erase all data from that device in an effort to protect corporate information.
Seems a little pricey to me, but I can imagine some companies going for it on some especially high-ranking sensitive employees.
Sprint beefs up wireless security services [Network World]
Press Release [Sprint]
Read More: Anti-Virus, Policy, Wireless
Tracking Bots using Google Analytics
Google Analytics is the best free web statistics software out there. They recently opened registration to anyone, and even the bad guys seem to have noticed:
Everyday we see different things that the miscreants develop to make their job easier. Today I was checking the 288th variant of Opanki. The really interesting thing about this one is that the botnet owner seems concerned over not having an organized way to check the bots, like geographic distribution, for example. But how can he or she accomplish this in an easy way? Yes, Google Analytics!
Google Analytics and Bots [McAfee Avert Labs Blog]
Read More: Threats, Anti-Virus, Bots
August 11, 2006
Symantec Won’t, Will Whine About Microsoft
News.com brings us two stories about Symantec and Microsoft. The first declares that “Symantec won’t ‘whine’ about Microsoft” and includes statements from Symantec CEO John Thompson like:
We’re not looking to go whining to the EU or the DOJ for anything
Essentially the message is, “we’re not scared of Microsoft entering the security market.” Just making the statement means they are, but that’s another point. What’s even funnier is that in another story on News.com today, they go on to whine about a new Microsoft technology that protects the kernel on 64-bit systems, called PatchGuard:
“patch guard is hurting security vendors more than it is hurting malware writers,” Bruce McCorkendale, a chief engineer at Symantec
The story goes on to say:
Indeed, Symantec is playing the anticompetitive card for the first time. The Cupertino, Calif.-based company had said it would beat Microsoft by using its security wits as long as the competition is fair. Now the fairness seems to be gone, McCorkendale said.
So, in summary, Symantec will not whine to the DoJ or EU about Microsoft, just to the press. I for one am ready for Symantec to stop trying to grab headlines about technology that hasn’t hit the street yet and start fixing the problems we have today.
Read More: Anti-Virus, D' Oh!, Windows, Rants
July 17, 2006
McAfee: Ooops, We Patched It
McAfee claims to have “accidentally” patched a major vulnerability in their EPO management server agents.
“We did not realize that we had fixed a security vulnerability until eEye alerted us to the problem last week,” Viega said. “We were optimizing the system, not looking for security vulnerabilities.” The optimization included changing from storing data in files to storing it in memory, which removed the flaw, he said.
It’s bad enough when security vendors have vulnerabilities in their products. It’s even worse when they don’t realize they were fixing a flaw.
Of course the real irony is that eEye is a McAfee competitor. If only McAfee had a division that discovers vulnerabilities in applications… Oh wait, they do.
Read More: Anti-Virus, Patching, D' Oh!, Vulnerabilities, Spyware
May 31, 2006
Ransomware Victim Profiled
The BBC profiles a woman who was a victim of Ransomware:
Ms Barrow, from Littleborough, discovered her computer files had vanished and replaced by one 30-digit password-protected folder.
When you put a face on the crime, it starts to become more real.
Woman targeted by web hackers [BBC]
————————–
Update: Thankfully these criminals didn’t follow secure coding practices, and stored the password in the virus code.
Read More: Threats, Anti-Virus
May 30, 2006
British Bank Gets It
British Bank Barclays gets it:
The bank has signed a deal with F-Secure for 1.6 million licences of the Finnish firm’s anti-virus program…
At the same time, the bank is bringing in a system that uses text messages to let customers know when money is moved using their online account details.
Great example of using security to gain a competitive advantage.
Read More: Threats, Anti-Virus, Phishing
Ballmer Discovers the Joys Of Malware
In a recent speech, MS Big-Wig Jim Allchin recounts a story of CEO Steve Ballmer trying to clean up a severely infested PC for 2 days.
Ballmer spent the better part of the next two days trying to rid this PC of worms, viruses, spyware, malware, severe fragmentation, and well, you name it. Picture it: the world’s 24th wealthiest person, a man worth $13.6 billion according to Forbes magazine, sitting at a table for two days, playing tech support. It was, Allchin says, a humbling experience.
It eventually took an MS team of engineers to clean it up. In the real world, tech support would have backed up the data and re-imaged the machine in 20 minutes. Still, I’m glad Steve got to enjoy life in the trenches for a while.
Even the Builders of Windows Find Tech Support a Challenge [ITworld]
Read More: Anti-Virus, Vulnerabilities, Windows
Fun with Security Metrics
If your company is like the ones I’ve worked in, there are two kinds of metrics around the security program:
- Real, meaningful numbers that measure risk.
- Sexy numbers, graphs and pictures that don’t mean much.
F-Secure gives us an example of the latter with their World Map. I don’t actually have a problem with this kind of metric if it helps generate interest in the subject. It’s only when we over-focus on sexy metrics and use them to make decisions that we’re in trouble.
Evidently, Montana got screwed yesterday.
F-Secure World Map [f-secure]
Read More: Anti-Virus, Metrics
May 23, 2006
0-Day Word Vulnerability Roundup
Friday brought us yet another zero-day attack. Word has a previously unannounced hole that is being exploited by an email-propagating worm that plants a trojan. Word 2003 and XP are definitely vulnerable; there seems to be conflicting info on Word 2000. Since there’s no patch, everyone has some ideas about what you might do. Potential mitigations I’ve seen suggested include:
- Switch from MS Word to OpenOffice. (SANS ISC)
- Quarantine all attachments for 6-12 hours. (SANS ISC)
- Force people to run Word in “Safe Mode”. (Microsoft)
- Don’t allow users to store important data on the desktop. (SANS ISC)
If you can do any of these, great. But for those of us who live in the real world, here are some things you might try:
- Block outbound traffic to the site the trojan phones home to: localhosts dot 3322 dot org. SANS says the owner has changed the IP several times, so using your DNS servers to blackhole the name may be the most effective approach.
- Block Word attachments at the email gateway. People will complain, and it only works until the exploit changes and starts zipping the Word doc first.
- Apply the latest AV signatures. Most of the vendors are rating the exploits as low risk, so they are not turning out signatures very fast, but it’s better than nothing.
- User education about not opening Word docs from untrusted sources.
- Use advanced AV features or host-based IPS to block the writing of the trojan files to specific directories.
- IDS/IPS signatures for the phone-home site: localhosts dot 3322 dot org.
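Two of the mitigations above, the DNS blackhole and the attachment block, can be checked against logs and mail. The following is an added example, not code from this post: it flags internal hosts that resolved the phone-home domain (subdomain-aware, so look-alike names do not false-positive) in constructed BIND-style query log lines, and shows why an extension-only attachment filter misses a zipped .doc while a zip-aware one catches it. The log lines, client IPs and filenames are all constructed.

```python
import io
import re
import zipfile
# Domain the trojan phones home to, taken from the post (written out here un-defanged).
PHONE_HOME_DOMAIN = "localhosts.3322.org"

def queries_phone_home(qname, blocked=PHONE_HOME_DOMAIN):
    """True if qname is the blocked name or one of its subdomains (case-insensitive)."""
    q = qname.rstrip(".").lower()
    return q == blocked or q.endswith("." + blocked)

# Constructed BIND-style query log lines; not real traffic.
SAMPLE_DNS_LOG = """\
22-May-2006 09:14:01 client 10.1.4.22#3104: query: www.sans.org IN A
22-May-2006 09:14:07 client 10.1.4.57#1038: query: localhosts.3322.org IN A
22-May-2006 09:15:11 client 10.1.4.22#3110: query: localhosts.3322.org.example.test IN A
22-May-2006 09:16:40 client 10.1.4.91#2200: query: cdn.localhosts.3322.org IN A
"""
LOG_RE = re.compile(r"client (?P<ip>[\d.]+)#\d+: query: (?P<qname>\S+) IN")

def hosts_phoning_home(log_text):
    """Return the set of client IPs that resolved the phone-home domain."""
    return {m.group("ip") for m in map(LOG_RE.search, log_text.splitlines())
            if m and queries_phone_home(m.group("qname"))}

WORD_EXT = (".doc", ".dot")

def naive_blocks(filename):
    """Extension-only filter: the one that stops working once the doc is zipped."""
    return filename.lower().endswith(WORD_EXT)

def zip_aware_blocks(filename, data):
    """Also look one level inside a zip for a Word document (nested zips not handled)."""
    if naive_blocks(filename):
        return True
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(naive_blocks(name) for name in zf.namelist())
    return False

def make_zipped_doc():
    """Construct a zip holding a placeholder .doc, standing in for the evasion case."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.doc", b"placeholder bytes, not a real document")
    return buf.getvalue()

if __name__ == "__main__":
    print(sorted(hosts_phoning_home(SAMPLE_DNS_LOG)))  # ['10.1.4.57', '10.1.4.91']
    print(naive_blocks("report.zip"), zip_aware_blocks("report.zip", make_zipped_doc()))  # False True
```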
Link RoundUp:
News.com article
eWeek Article
Microsoft Advisory Bulletin
F-Secure: Info on the Exploit, Some Background
SecurityFocus Summary
Updates:
SecuriTeam Has a Registry Hack Work Around
We’ve had (untested) reports from McAfee that the Buffer Overflow Protection in the 8.0i AV client will protect against any exploit to this vulnerability, regardless of DAT version.
Read More: Threats, Anti-Virus, Patching, Vulnerabilities
May 12, 2006
Rethinking Security By Obscurity
The theme of debunking security myths continues with Roger Grimes bringing us a case for security by obscurity. He cites moving services to a non-well-known port as an effective example of security by obscurity:
For instance, two of my honeypots run Microsoft SQL server. Microsoft SQL servers typically run on ports 1433 UDP and 1434 TCP. The MS-SQL honeypot that runs on those ports gets scanned and attacked dozens to thousands of times a day. The other honeypot runs on a high non-default port (say, 30143 TCP) with a blank sa password, but it never gets attacked. Or, I should say, almost never — in the 22 months that it has been up, it has been scanned once on the correct port, and even that hacker or bot didn’t attack it.
I know, I know, you are thinking, “Any InfoSec 101 book says to never rely on security by obscurity.” This is certainly true if you try to publish a secret crypto algorithm or you hope nobody finds the flaws in the world’s most popular operating system.
The key here is examining the real threat you are trying to mitigate. Since the vast majority of threats against a SQL server are going to come from self-propagating malware, and that malware only checks the default ports, changing the ports is very effective.
Obscurity, like anything else that makes it more difficult to attack you, does have a vital place in any defense-in-depth plan. The key is to recognize when obscurity adds to your security and when it takes away. But that’s why they pay you, right?
Blasting away security myths [infoworld]
Read More: Threats, Anti-Virus, Vulnerabilities
April 19, 2006
And They Thought They were Getting a Refund…
For those of you who just had to cut a check to the federal government for your share of the deficit war in Iraq taxes, keep this in mind. Symantec was hit with a $1 billion tax bill as a part of their acquisition of Veritas. Yes, that’s with a b-b-B.
Read More: Anti-Virus
April 18, 2006
McAfee Releases New Threat Center
Our friends at McAfee have unveiled a new Threat Center that gives a quick glance into their view of the world. Typical of McAfee, it’s a little AV-centric, but still valuable to check every now and then.
I wish they would make the changes available via RSS, especially new outbreaks. Still, it’s good to see McAfee stepping it up a little.