Stories by: Roger A. Grimes

The news media is full of stories about e-mails and documents that were better off not sent. Last year an airline CEO accidentally sent an ultra harsh e-mail to complaining customers, the text of which was obviously not intended for the customers. Frustrated employees frequently send embarrassing internal memorandum to public news sources. And is there an e-mail user who hasn't regretted accidentally sending an e-mail to an unintended party? Whether e-mail or documents are sent intentionally or not, it is clear that content intended for a restricted audience is being shared with unauthorized parties on a regular basis.

I've had the pleasure of speaking and attending this year's AusCERT 2008 security conference held in Gold Coast, Australia. If you've never been to Australia, you're missing some of the best that life has to offer, and I feel the same way about the conference. Although a bit smaller than most US security conferences, it's intentionally kept small (around 1,000 participants) and makes up in quality speaker presentations and vendor participation what it lacks in headcount. One of the great attributes of the typical Aussie is their aversion to marketing hype, along with their ability to "cut the fat off a chicken" (as my grandmother used to say) and pull out the salient points. If a vendor tries to push marketing fluff about their product too much, they are likely to get verbally assailed rugby-style. Here are some of my favorite notes and quotes from selected speakers:

Check Point Software's new Web browser security software, called ZoneAlarm ForceField, integrates a host-based firewall, anti-spyware, Web site rating, anti-phishing, and keylogger-jamming into a limited virtualization environment with the elegant user interface you've come to expect from the ZoneAlarm brand. Its goal is to provide superior anti-malware protection against the increasingly prevalent and complex threats posed to Internet surfers.

I've written many times over the years, including as recently as last week, that letting users execute and install their own software will always allow viruses, worms, and Trojans to be successfully installed. Traditionally, I've recommended that users not have admin or root access, that they let system administrators choose what software is allowed and what is blocked. But this recommendation breaks down for several reasons.

In the first column of this year, I discussed computer security outlook and hopes for 2008. I forecast more of the same that we saw in 2007: more spam, more malware, more bad guys basically owning the Internet and our connected computers. I don't see any trends or new leaders with significant power to change the status quo.

It's security's dirty little secret: Not having your users logged in as root or administrator will not stop malware.

I first came across the Mu Security Analyzer when a co-worker on a multi-company government project raved about how the appliance found a zero-day vulnerability in an e-mail inspection device that was protecting a top secret government agency. It was a rather simple script bug in the other vendor's product, but it would have allowed uncontrolled code execution. The implication was that our top secret project could have been compromised by an external hacker running penetration tests against our e-mail services. Initially, the manufacturer of the compromised mail filter refused to believe that a weakness existed in its product. That is, until we sent the exploit, automatically generated by the Mu analyzer, that the vendor's engineers could run to see for themselves.

Remember when computer security was simple? Advice was as easy as, "Don't boot with a floppy drive in your A: drive" and "Don't enable the macro to run." Boy, do I long for the days of yesteryear.

Good computer security is driven by role-based, least-privilege access control. Each user should be given only the access that is necessary to perform their job -- no, make that the specific task they are performing at a specific point in time.

Amit Klein recently released details on DNS server cache poisoning attacks that affect both BIND (Berkeley Internet Name Domain) and Windows DNS servers. It goes to show that every time you think a problem with a well-known protocol or service has been solved, it may not be.

The recent OS X-specific Mac Trojan ignited many hot conversations on various security mailing lists last week. Supposedly, the excitement regarding the Trojan is that it is the first time profit-seeking criminals have paid attention to the OS X platform, versus script kiddies and the hobbyists. Personally, I don't know what the big deal is; Mac-based computers have been host to all the normal types of malware for more than two decades, albeit not as frequently as Microsoft Windows PCs.