Stories by Roger A. Grimes

  • Old apps, new vulnerabilities

    One of the best security defenses you can have is a fully patched computer. Not just the OS, but all applications -- large and small -- should be completely up to date. But making sure you have the latest patches isn't enough. You also have to check whether the older, vulnerable versions of the software you patched are still installed and available. Unfortunately, many well-known applications, when patched, do not remove the older versions. Malicious Web sites can often choose which version your client runs, so while you think you're safe with the latest patches, the older versions of your software can be called instead to exploit a known vulnerability you had long ago stopped worrying about.

  • IIS versus Apache: Re-examining the statistics

    As a Microsoft employee, I try to avoid writing on areas that blatantly promote Microsoft. However, I think this question is generic enough to involve Microsoft in the discussion: Can IP addresses ever be used for statistical analysis of malicious Web sites?

  • Should vendors close all security holes?

    In the past I have argued that vendors should close all known security holes. This week a reader wrote me with a somewhat interesting argument that I'm still slightly debating, although my overall conclusion stands: Vendors should close all known security holes, whether publicly discussed or not. The idea behind this is that any existing security vulnerability should be closed to strengthen the product and protect consumers. Sounds great, right?

  • DNS attack puts in perspective

    A few years ago, I had the privilege of seeing some root DNS servers in action at VeriSign's main headquarters. It's something I had wanted to do for over a decade, and I was literally slightly shaking with excitement (yes, I am that big of a geek).

  • Security Advisor: Wireless drivers are under attack

    Wireless network card drivers have been under attack since the Black Hat USA 2006 conference, and nearly every super-popular driver now appears vulnerable. Security researchers David Maynor and Jon Ellch started things off by targeting an Apple MacBook's wireless driver at the August show, and hackers' interest in the new attack vector was quickly piqued.

  • Is this the end of antivirus?

    I first heard that the antivirus scanner was dead in December 1989. Experts had postulated that the increase in the number of different computer viruses, which at the time numbered almost 200, would quickly outpace the ability of antivirus scanners to keep up.

  • How SSL-evading Trojans work

    SSL-evading Trojans bypass the secure and authenticated tunnel mechanisms that are the safety backbone of today's Internet banking and financial institutions. As with any Trojan, this type can do anything allowed by the user's security permissions.

  • The Good, The Bad, The Vendor

    Patch management is tough business. First, somebody - a good guy, the vendor, or a bad guy - discovers a vulnerability. The vendor replicates the vulnerability, confirms the problem, and sets about making a software patch. The vendor's programmers and tech people find the root of the problem and come up with a solution. The solution is coded, and the patch is regression tested. After thorough testing, the patch is released to users. Administrators get the patch, determine criticality in their environments, install the patch in a test environment, and then deploy to their production environment. At least, this is the way it's supposed to be.

  • Microsoft security is nothing to sneeze at

    I frequently have people write to me to discuss how much Windows sucks and how great open source is. They say it as if Windows is my only security problem and Linux, Apache, and Firefox are our saviors.

  • The buzz about fuzzers

    Writing perfect secure code is hard. Daniel J. Bernstein has probably come the closest to it in practical, publicly released software. With his almost maniacal drive for security perfection, he has written multitudes of software that remain unbroken.