Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:

  • Mobile Vulnerabilities

  • Zero-Day Alerts

  • Recent Posts

  • Calendar

    March 2013
    S M T W T F S
    « Feb   Apr »
  • Email Subscription

  • About Us

    Archive for March, 2013

    In my previous blog post, I discussed some key takeaways that I got from the talks I attended in the recently concluded RSA 2013 in San Francisco, California. This time around, I want to share in length, some of these noteworthy sessions.

    Innovation Sandbox

    Innovation Sandbox was a packed session that Hugh Thompson ran quite deftly. Ten startups were selected and given three minutes to explain their technology, followed by a two-minute question-and-answer session, with questions coming from the judging panel, made up of industry experts.

    All the company representatives talked about what they were doing and had to prove why their solution would work and generate revenue in the future. A white board session followed where thoughts from the audience were taken and put on an online whiteboard. 

    The participants also had the opportunity to meet (or “date”, as they put it) with potential investors in an igloo-styled hut. Winners from previous years were also present to share their experiences and mingle with the participants.

    Panel discussion on future of end point security

    This panel discussed how changes in end-points are changing the security landscape. Bring Your Own Device (BYOD) and Virtual Desktop Infrastucture (VDI) are ensuring that enterprises no longer have the same control over theirs networks and devices that they had in the past. Solutions such as traffic filtering, network access control (NAC), software defined security (SDS) vs. traditional solutions were discussed. There was no definitive answer  – each technology has its uses, pros, and cons – but the points that came out from these discussions were quite insightful.

    Awareness Doesn’t Matter: A Behavior Design Approach to Securing Users

    This session talked about how user behavior could be used to trigger potential security alerts. This is an interesting area for research, but in actual usage is prone to false positives. However, in situations where security is an absolute must and false positives can be tolerated, this may be of use.

    Malware Hunting with Sysinternals

    Mark Russinovich, the author of the Sysinternals tools suite,  gave a brilliant talk about what’s new with Sysinternals tools and how these can used for malware analysis. His aim was to show how to carry out a quick analysis if there are any suspicious files on a system. He also discussed future developments, like more color coding for faster visualization of event. Russinovich kept the tone of his talk light, thanks to his wit and sense of humor.

    Read the rest of this entry »

    Posted in Targeted Attacks | Comments Off on RSA Conference 2013 – What’s Hot and What’s Not, Talk By Talk

    The annual RSA Conference is perhaps the biggest gathering of information security professionals from around the world. The topics that were discussed this year ranged from cloud security, mobile security to behavior based solutions.

    With 22,000 participants, this year’s conference had a huge turnout. RSA 2013 was the perfect venue to pick-up the latest information about varied security topics, gather thought-provoking insights, and network with other experts and colleagues.

    During the conference, I attended several interesting talks, which I will discuss in detail my next blog post. For now, I will share with you my high-level takeaways from these discussions:

    • There is an increased involvement and interest from the government, which was evident from the buzz generated by the recent White House executive order on cybersecurity. Both the government and security industry expressed the desire for tightening cybercrime laws. The government encouraged more participation from the private sector and work as one. The Department of Homeland Security (DHS) also announced its initiative to share real time classified threat information with security vendors.
    • Cloud Security was well discussed and generated a lot of interest from users.  A good part of the first day was dedicated to the Cloud Security Alliance Summit. There were some interesting keynotes from Mark Weatherford of DHS,  former American Express CEO Jim Robinson, and Trend Micro Vice President of Cloud Security Dave Asprey. Some of the key issues of cloud security were highlighted and best practices were discussed.

    Read the rest of this entry »

    Posted in Malware, Mobile, Targeted Attacks | Comments Off on RSA Conference 2013 – What’s Hot and What’s Not

    The annual Pwn2Own hacking contest is always a rather frightening demonstration of how available exploits are. Year in, year out, the latest browsers and Web plug-ins fall to researchers demonstrating cutting-edge ways to craft exploits and defeat the latest security precautions put in place by various software vendors.

    Most vendors, however, have become quite good at patching vulnerabilities as they are discovered in contests like this. For example, both Chrome and Firefox have received updates that fixed the flaws uncovered at Pwn2Own. Flash and Internet Explorer will receive similar updates next month.

    We’ve talked before about how to best secure Java and PDF readers. What about Flash?

    Can you do without it?

    If you’re really security-minded, yes, you can do without Flash. To a large degree, Flash’s usage is now limited to online video, games, annoying ads, and the navigation menus of websites. (Among other things, the rise in popularity of smartphones and tablets – which generally don’t have Flash – has played a role in that development.)

    If these are things that aren’t important to you, you can safely remove Flash and not have your day-to-day browsing experience be affected. For many people, the stumbling block is likely to be online videos. It may be a good idea to check if your favored video site has HTML5 support. For example, Youtube has HTML5 support – but it’s as an opt-in beta.

    Is it built into your browser?

    Some browsers actually have Flash directly integrated into them, making updating them relatively painless. Internet Explorer 10 (on Windows 8) receives Flash updates as part of Windows Update. Flash is completely integrated into Chrome, so auto-updates for Chrome also ensure that Flash is kept up to date.

    Using these browsers ensures that the version of Flash for that browser is kept up to date by the browser itself as part of its own auto-update. This minimizes your exposure to exploit kits, as many cybercriminals (due to the cost of cutting-edge exploits) will prefer to use long-patched security flaws, aware that many users don’t always run the latest version of software.

    How do I keep my version of Flash up-to-date?

    Today, Flash comes with its own auto-update installer. However, it won’t hurt to check manually every now and then whether the version you have is up to date.

    To do that, you can visit Flash’s about page and check what version you have installed. If you need to download an updated version,  the about page helpfully provides links to the download for Flash Player.

    Even if you use multiple browsers, you only need to do this twice: one to check on Internet Explorer, and another for non-IE browsers collectively.

    Read the rest of this entry »

    Posted in Exploits | Comments Off on Flash Safety 101

    Two weeks ago, I attended RSA 2013 Conference in San Francisco and was impressed by the number of participating security vendors. The addition of the Human Element and Breaking Research in the technical track sessions also provided a refreshing stroke to this year’s presentations.

    Below are some of my experiences and insights on some noteworthy discussions involving security awareness, hacking back, and going offensive legally.

    The 7 Highly Effective Habits of a Security Awareness Program

    Samantha Manke and Ira Winkler of Secure Mentem discussed their views on the difference between security training and security awareness. They highlighted the importance of a security culture in companies in enabling employees to apply best computing practices on a daily basis, resulting to long-term security awareness within the organization.

    They presented the results of their recent study conducted among Fortune 500 companies in the Health, Manufacturing, Food, Financial and Retail sectors. This study focuses on security awareness campaigns that companies implemented and how effective these were. They came up with key findings that lead them to create their 7 Highly Effective Habits of a Security Awareness Program, which are:

    1. Create a Strong Foundation
    2. (Have) Organizational Buy-in
    3. (Encourage) Participative Learning
    4. (Have) More Creative Endeavors
    5. Gather Metrics
    6. Partner with Key Departments
    7. Be the Department of HOW

    My key takeaway for this session is of course the last part.  We, the information security professionals, should be the “Department of HOW” and not the “Department of NO”. We must focus on how to allow users to do what they want safely, not simply saying no to our own customers and further locking down systems.

    While I understand the need to establish dos and don’ts in company security policies, we should raise the bar and let security be a key part of solving business challenges, not an obstacle to it.

    Read the rest of this entry »


    Patch-Tuesday_grayAfter releasing 12 security bulletins resolving a whopping 57 security flaws last month, this month’s Patch Tuesday is relatively light.

    For March, Microsoft unveils seven bulletins, in which four are rated Critical and three Important. Three of the bulletins deemed Critical may allow remote code execution, resulting to attackers installing malware onto unpatched systems. The other critical bulletin may permit possible aggressors to gain admin rights, basically giving them control over vulnerable machines.

    The first of these Critical bulletins addresses flaws found on Internet Explorer versions 6 to 10 for all versions of Windows, including Windows 8. In particular, Microsoft noted CVE-2013-2888 as its exploit code is said to be publicly available, giving possible attackers enough information to create working exploits in the near future.

    The other critical bulletins concern Microsoft Silverlight, Office and Server Software. Two bulletins tagged as Important, both for Microsoft Office, may lead to unwanted exposure of important and personal data. The last Important bulletin addressing vulnerability in Windows may lead to elevation of privileges.

    However, this month’s roster of bulletins does not address the IE 10 vulnerabilities found during the Pwn2Own hacking contest last week, in which researchers were able to pawn MS Surface Pro by way of these IE flaws. More importantly, abusing these zero-day vulnerabilities enabled them to fully compromise Windows 8 with sandbox bypass.

    Read the rest of this entry »

    Posted in Vulnerabilities | Comments Off on Microsoft Unveils 7 Bulletins for March 2013 Patch Tuesday


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice