May 16, 2008

Defending "Fixing the Internet"

Last week I publicly released a white paper called Fixing the Internet: A Security Solution in this blog. I proposed three main ideas: Put together an Internet security dream team of experts to solve the hard issues Create an Internet global infrastructure service dedicated to Internet security for the benefit of all Replace the Internet's pervasive anonymity with requestable identity and integrity I've had as many critics as supporters, although not surprisingly, my closest friends and colleagues have been the harshest. This I expected, as you don't learn new things by hanging around with passive, unopinionated people. Here's the most... more

TAGS: Internet Security

May 09, 2008

Fixing the Internet

Long–time readers know that I often rant about how insecure the Internet is, and how few solutions will do anything to change that equation during the next 5 to 10 years. I've also recommended a handful of solutions over the years, and accepted the resulting criticism that goes along with proposing big ideas. Privately, and not so privately in this column and other public forums, I've been proposing specific solutions to make the Internet significantly more secure during the next five years. If you know me personally, you would also know that other than my family, I think of nothing... more

TAGS: Internet Security

May 02, 2008

Zero-second exploits

Microsoft SQL server hasn't had a public vulnerability announcement since 2004. The SQL Slammer worm struck in 2005, but the hole the worm exploited had been patched six months before. The holes that MS-Blaster and Code Red worm attacked had been patched, too. But back just a few years ago, no one really cared about patching really. We just didn’t patch. Over the course of malware history, the number of days between a vendor patch being released and the malware exploit being announced has shrunk. Consequently, in today's Internet-connected, crimeware world, you've got to get patched as soon as possible.... more

TAGS: Internet Security

April 25, 2008

Be careful with transitive trust

I just got through reading about another hugely popular, legitimate Web site hosting malicious code that redirects visitors to a malicious Web site. Once redirected, the new Web site runs a fake virus scanner and -- surprise, surprise -- finds multiple malware programs on the user's computer as it offers to install new "anti-virus" software to the end-user. Of course, users foolish enough to install the software end up installing what is likely to be the only malicious program on their computer. Gone are the days when you could tell your end-users not to visit "untrusted" Web sites to minimize... more

TAGS: Malware

April 18, 2008

Virtual machines aren't really more secure

I've been at several recent conferences where virtual machine (VM) and security “experts” were telling audiences how VM technology can be used to improve computer security. Wow! They are either drunk on the marketing Kool-Aid, misinformed, or simply trying to misrepresent VM capabilities to sell more product. VM technologies are very cool, and great at saving money (and space, electricity, and more), but in all but a small minority of cases, they will not improve your overall security posture. Most of the time, using VM technology will increase overall risk. In a large percentage of the cases I've been involved... more

TAGS: Virtual machines