Social aspects of web security – the March edition

It’s that time of the year again… March madness is engulfing us with news and pre-season activities, and everyone is out and about to see what we would be seeing in the coming months. Just as we have portrayed before, eCrime is a social animal just as well, and is not going to let the action go by without having a chance to have a go at the crowd.

As usual – it’s the same technique all over again – using SEO (Search Engine Optimization) to grab high rankings in search results and leading users who click on the related links to a variety of malicious content. We have seen similar techniques used during the US presidential election season, covered quite elaborately in the past, and don’t be surprised to see more of the same hitting the next seasonal event as long as it can attract enough “eyeballs” on search engines.

The great AV vs. AV debacle starts again?

It’s been a while since security vendors clashed on technology and made “bold” statements referring to the competition. Maybe it’s the recession; in an attempt to grab some attention (and bolster sales) we get statements such as “Heuristics are dead” (with a response from Sunbelt), and a direct jab at a competitor from Damballa.

My position on this is clear – signatures are pretty much the past, but they still have their place as a “last mile” solution that can speed up scanning for known threats. Heuristics are the natural evolution of signatures in the binary world, and the main focus should be on dynamic real-time scanning of web content, which is the actual attack vector that eventually (when and if successful) brings in the binaries that the signatures/heuristics need to scan.

Without siding with anyone in particular on this matter, this kind of communication is usually not that helpful for people looking for a security solution. I would opt for the more educational “this is what the threat looks like, this is what you would usually get from other vendors, and this is our edge which makes us better”. This approach may open another Pandora’s box – the “independent” testing labs – but that’s another issue to be dealt with (how independent is the test, what is the test focused on, test material and samples, configuration, who sets the guidelines, etc…).

Nevertheless, I hope that we’ll see some more informative and research-oriented (or at least research-based) statements that we could all benefit from the next time someone rolls out a new technology.

It’s a browser! It’s an Operating System! It’s… brOSer?!

After looking into the security issues and requirements that Microsoft has been working on for its future browser, and based on our earlier predictions on the matter, comes an interesting interview with Google’s Chrome JavaScript head Lars Bak. Specifically, check out the third page of the article, which discusses the ever-increasing ambiguity between the browser and the OS.

“The web is becoming an integral part of the computer and the basic distinction between the OS and the browser doesn’t matter very much any more.”

Great stuff, and definitely something to watch for from Google as well (competition is wonderful, isn’t it?).

More on the browser OS – from Microsoft Research

After talking about how your next operating system is not going to be related to Windows, Mac or Linux (hint – you are reading this post using it… more details in our annual report and predictions paper), I came across this research from Microsoft (direct link to the PDF here) that talks about how to construct a secure browser OS, given that web browsing has moved quite substantially from viewing static web pages to almost running an OS in the browser.

The MS guys portray a secure browser constructed as a multi-principal operating system, while covering a lot of security fundamentals that are missing or lack a proper implementation in modern browsers. Highly recommended reading and definitely worth following up on.

If Gears was a problem then how about running Gmail offline on Air?

So, yesterday I wrote about the new (and much expected) vulnerabilities in Google’s Gears technology. The issue is clear – Gears is picking up speed and traction as Google’s applications start to use it (e.g. Gmail, Docs, etc…) and its security model is being scrutinized. And then I stumbled across GeeMail. It’s basically offline Gmail without using Google’s technology. How do you do that? Simple – use Adobe’s Air™: as if one technology was not enough to deal with, try mixing and matching two for some added confusion and security-standard overlap.

Just like Gears, Air has its benefits (admittedly, I’m using them both), but seriously, this is just too much! So what’s the next step? Gmail offline using Adobe Air with a Silverlight UI running through a Yahoo! Pipes backend? Back in the day we used to follow a simple methodology – keep it simple (I’m omitting the latter part). Doing things just for the sake of using a specific technology is so ’90s “war of the programming languages”… everyone moved on to the simple model of using the right tool for the right job. In our case, even the review shows that the technology mix-up didn’t really cut it.