Following RSA President Art Coviello on the keynotes this morning was John Thompson, CEO of Symantec.  The topic of the keynote was "Information Centric Security: The Next Wave."

On one hand, this was one of the more interesting sessions of the morning, because John brought up his Research Labs VP, Steve Trilling, who shared lots of interesting security factoids from their research:

• 70% of malware during the latter half of 2007 stole PII
• Symantec believes we may have reached an inflection point where more malicious code is created daily than non-malicious code
• The bad guys have all the elements of a full scale economy, including specialized job roles and a supply and demand market dynamic

In the underground economy:

• Stolen e-Bay accounts sell for $8
• Bank can accounts sell for $1000
• Credit card number can go for as little as $0.40
• World-of-Warcraft level 70 accounts go for $4 and up

This last point was interesting - a WoW account can be worth 100x that of a valid credit card number.  As was said in the keynote "even in virtual worlds, there is real money for hackers."

On the other hand, there wasn't a lot of new information discussed concerning the title - information centric security.  Mr. Thompson did say that we should start taking a more information-centric approach to security, or as he paraphrased it, "take a risk-based approach to protecting data."  But is that really a new approach?

Most of the security professionals (not security technologists or security product folks, necessarily) have advocated a risk-based approach to protecting data for as long as I can remember.  It is still a good idea, don't get me wrong, but I don't see it as the "next wave".

One other call to action which John Thompson made was the call for a national approach to security and privacy disclosure laws.  He pointed out that, in addition the well-known California law, 40 other state-level bills are currently being considered.  In my opinion, should they pass, it would make it really tough for companies to remain compliant.  I echo his support of the need for a more national solution.

Regards ~ Jeff

X-posted to: http://blogs.technet.com/security and http://www.microsoft.com/security/rsa2008/default.mspx

Wi-Fi over Ethernet combines electromagnetic resonance--the ability of a EMF to excite signals in wires--with excess wired capacity in a manner similar to how broadband over powerline works. Where properly equipped 802.11af Ethernet switches and adapters are available, coupled with WOE-capable Wi-Fi systems, the Wi-Fi signals will simply be picked up and carried by the Ethernet network. Switching and transmission then become limited to the extent of the wired network--which will improve throughput and range. (A future standard might allow passive powering of lightweight devices from Ethernet, which is a neat reversal.)

This is in the same category of new convergent standards such as Bluetooth over 802.11 and FireWire (IEEE 1394) over IEEE 741-2007: ways to provide better specs on one standard by combining it with another that has a complementary purpose.

Now, of course, modern computing systems tend to include gigabit Ethernet and Wi-Fi, so why do we need a third modality that combines the two? Partly because of new devices like the MacBook Air and smartphones like BlackBerrys with Wi-Fi built in. Without an Ethernet adapter, the range of these devices can be limited, and throughput restricted.

You were waiting for the magic number: How fast is WoE? Nearly 1600 Mbps raw speed, and about 30 Mbps of raw throughput. Before you scoff, remember that you might be able to use WoE over hundreds of meters across a switched Ethernet network, where a Wi-Fi signal might stretch just a hundred or two hundred feet. If Wi-Fi beats WoE, a computer will use Wi-F.

The Wi-Fi Alliance hasn't set the date of their certification yet, but I'm told it will happen any day. The mark will be added to the list of A, B, G, Draft N, WMM Power Save, and other symbols, as AF. The industry is considering a campaign around the phrase, "WoE is me(tm)!" trying to capture the excitement of the new synergy. Again, unfortunate acronym.

The IEEE has finalized and approved a draft, but final ratification isn't expected until 1 April 2009.

Having eliminated all terrorism in the real world, the U.S. intelligence community is working to develop software that will detect violent extremists infiltrating World of Warcraft and other massive multiplayer games, according to a data-mining report from the Director of National Intelligence.

Another article.
You just can't make this stuff up.

Virus from China, the gift that keeps on giving

An insidious computer virus recently discovered on digital photo frames has been identified as a powerful new Trojan Horse from China that collects passwords for online games -- and its designers might have larger targets in mind.

"It is a nasty worm that has a great deal of intelligence," said Brian Grayek, who heads product development at Computer Associates, a security vendor that analyzed the Trojan Horse... The authors of the new Trojan Horse are well-funded professionals whose malware has "specific designs to capture something and not leave traces," Grayek said. "This would be a nuclear bomb" of malware.

Mocmex is its name. Reportedly, it can evade hundreds of anti-malware and firewall products, including the Windows Firewall. I suspect that this succeeds only when users are logged in as administrators, so here's yet another reason to stop doing this altogether, as is the US Government with its new Federal Desktop Core Configuration for Windows XP and Windows Vista.

The virus actually propagates to just about any kind of removable USB storage device, jumping from various well-concealed hiding places on your PC whenever such a device is inserted. Picture frames are implicated because the virus apparently originated in the factory where the frames were built (in turn sold by Best Buy, Sam's Club, Target, and Costco, but now discontinued). Amazingly, according to the UK security firm Prevx, over 67,500 variants of this thing exist!

Even more amazing:

[Mocmex] isn't the only piece of malware involved. Deborah Hale of Sans said the researchers also found four other, older Trojans on each frame, which may serve as markers for botnets -- networks of infected PCs that are remotely controlled by hackers.

There is W32.Rajump, which deposits the same piece of malware that infected some of Apple's video iPods during manufacturing in October 2006. It gathers IP addresses and port numbers from infected PCs and ships them out, according to Symantec. One destination is registered to a service in China that allows people to conceal their own IP addresses.

Then there is a generic Trojan; a Trojan that opens a back door on PCs and displays pop-up ads; and a Trojan that spreads itself through portable devices like Mocmex does.

More reasons to disable Autorun, I suppose. Yet this isn't a cure-all: if you're logged in as administrator, the virus helpfully re-enables Autorun. Sheesh! If you own one of these frames, SANS suggests that you take it to a friend who has a Mac or Linux box and plug it in there. Yeah, that's good advice; there exist no viruses for these operating systems, correct? It's irrelevant which operating system you're using -- if you run with full privileges, you'll get 0wn3d soon enough.

It's fascinating that the thing targets online games, although it could certainly harvest just about any private information stored on your PC. Mining online game accounts might be pretty profitable, you know. Consider the number of people who pay real money for virtual (=fake) stuff in World of Warcraft, Runescape, and whatever else. I suppose losing their passwords to picture frames might help such people regain a tenuous foothold on reality.

On the 16th episode of The Silver Bullet Security Podcast, Gary talks with Greg Hoglund, who runs the popular rootkit.com, CEO of HB Gary, and co-author of Rootkits: Subverting the Windows Kernel and Exploiting Software. In addition to shameless self-promotion of their new book, Exploiting Online Games, Gary and Greg discuss the natural tendency of certain types of code to allow exploits, how disclosure is a good thing when it comes to revealing exploits, and the use of rootkits by the “good guys.” Greg also makes us concerned that his 11-year-old daughter may 0wn our box.

• Rootkit.com
• HB Gary
• Greg’s Blackhat presentation from 2006: Hacking World of Warcraft(r): An Exercise in Advanced Rootkit Design [rar, 2.35M]
• Exploiting Online Games
• AWL Software Security Series