SecureWorks Research Blog
http://www.secureworks.com/research/blog
Information security analysis and commentary from the research team at SecureWorks.

The Race to Zero
http://www.secureworks.com/research/blog/index.php/2008/05/06/the-race-to-zero
There has been a fair amount of controversy as of late surrounding The Race to Zero contest to be unofficially held at DEFCON 16 this coming August. To briefly summarize, contestants are to be given samples of computer viruses/malware and access to a contest portal.
http://www.secureworks.com/research/blog/?p=89

Jon Ramsey on RSA
http://www.secureworks.com/research/blog/index.php/2008/04/18/jon-ramsey-on-rsa
Last week I attended the RSA Conference, the largest information security conference in the world. Alan Turing was the conference mascot and the question "what would Turing do" was frequently asked. Turing was a brilliant computer scientist, considered the father of modern computing, capable of seeing the math in everything and envisioned an age when machines would be as intelligent as humans.
http://www.secureworks.com/research/blog/?p=87

Speaking in Atlanta at Outerz0ne 4
http://www.secureworks.com/research/blog/index.php/2008/03/20/speaking-in-atlanta-at-outerz0ne
For any of you that will be in the Atlanta area, I encourage you to come down to the Outerz0ne 4 security conference this weekend. It's my first time attending Outerz0ne, but I'm told it has a great small conference atmosphere and plenty of end-of-day revelry. This year's collection of talks looks to be the strongest yet.
http://www.secureworks.com/research/blog/index.php/2008/03/20/speaking-in-atlanta-at-outerz0ne-4/

JavaScript Considered Harmful
http://www.secureworks.com/research/blog/index.php/2008/03/07/javascript-considered-harmful
There is an old saying that says, "To survive a bear attack you don't have to outrun the bear, you just have to outrun your friend." This analogy can also be applied, to some degree, to the Internet as well. In some instances, you don't have to completely secure yourself from hackers, you just have to be more secure than the next organization. Hackers go after low hanging fruit because it gives the most bang for their buck. This year it appears that client side attacks represent that low hanging fruit. The modern web browser is an incredible, complicated piece of software with a large attack surface.
http://www.secureworks.com/research/blog/index.php/2008/03/07/javascript-considered-harmful-or-how-i-learned-to-stop-worrying-and-love-noscript-by-hunter-king-security-researcher-with-the-secureworks-counter-threat-unit%e2%84%a2/

Character Encoding Issues
http://www.secureworks.com/research/blog/index.php/2008/03/04/character-encoding-issues
Recently, Core Security announced a vulnerability in VMware Workstation (Server and ESX are unaffected) that allows a guest operating system to break out of its virtualized environment and interact with the host operating systems. They discovered it was possible to break out of the virtualized environment by using a directory traversal attack on a shared folder designed to allow data to be passed between the guest operating system(s) and the host operating system.
http://www.secureworks.com/research/blog/index.php/2008/03/04/character-encoding-issues/

Transparency and Security
http://www.secureworks.com/research/blog/index.php/2008/02/26/transparency-and-security
Last week something very interesting happened in the IT world. Microsoft made a pledge to open up many of the APIs and communication protocols that are used in the Windows OS, SQL Server, Office file formats, Exchange, and others. If this holds true, it marks a big change in the way that they've protected their internal data, and that is going to create a big stir throughout the IT industry. But, the stir is going to mean different things to different people.
http://www.secureworks.com/research/blog/index.php/2008/02/26/transparency-and-security/

Linux Kernel Vmsplice Vulnerability
http://www.secureworks.com/research/blog/index.php/2008/02/20/linux-kernel-vmsplice-vulnerability
http://www.secureworks.com/research/blog/index.php/2008/02/20/linux-kernel-vmsplice-vulnerability/

SecureWorks Assists FTC in Spammer Takedown
http://www.secureworks.com/research/blog/index.php/2008/02/11/secureworks-assists-ftc-in-spammer-takedown
A federal judge has ordered spammers to pay more than $2.5 million for violating federal laws including the CAN-SPAM Act. SecureWorks provided expert testimony including an analysis of spam messages and an explanation of the methods used to send the spam.
http://www.secureworks.com/research/blog/index.php/2008/02/11/secureworks-assists-ftc-in-spammer-takedown/

Tax Season Presents Opportunities for Scammers
http://www.secureworks.com/research/blog/index.php/2008/02/04/tax-season-presents-opportunities-for-scammers
It is tax time in the United States, and scammers are seizing the opportunity to launch new attacks on your bank accounts and steal your identity.
http://www.secureworks.com/research/blog/index.php/2008/02/04/tax-season-presents-opportunities-for-scammers/

CIA Confirms Cyber Attack Caused Multi-City Power Outage
http://www.secureworks.com/research/blog/index.php/2008/01/23/cia-confirms-cyber-attack-caused-multi-city-power-outage
In the movie "Live Free or Die Hard," street-wise cop John McClane battles it out with the bad guys using computers to carry out their crimes. In this movie, we are introduced to a term called a "Fire Sale" where hackers take out critical systems to cause chaos. It is literally a movie plot terror threat, and seems pretty unlikely to happen outside of the theaters.
http://www.secureworks.com/research/blog/index.php/2008/01/23/cia-confirms-cyber-attack-caused-multi-city-power-outage/