2006-10-19

IE7 and security: Don't count on it

As if to reinforce all of the beliefs of security analysts and pundits regarding Microsoft's true commitment to Trustworthy Computing, Secunia is reporting on an "Arbitrary Content Disclosure Vulnerability" affecting IE6 and, you guessed it, IE7. The fact that this was found less than 24 hours after IE7 was released is all the commentary that is needed.

It all leaves me wondering which was the worse outcome of Microsoft tying IE to the Windows operating system: the hundreds of millions of dollars spent dealing with EU and US antitrust actions, or the mudslide-like erosion of its customers' trust. And was it really that important to eliminate Netscape as a competitor?

2006-10-17

2007 Department of Defense Cybercrime Convention Preview

A few months ago, a coworker and I submitted a topic for presentation at the 2007 DoD Cybercrime Convention. We were happy to learn a few weeks ago that it has been accepted. If you haven't been, or aren't familiar with the conference, I'll give you a brief overview:

The DC3 is a technology, technique, and information sharing conference specifically for the US Department of Defense and law enforcement officials (LEO). Few outside of that community are privileged to attend; even as a knowledgeable SME at a large contractor, I was lucky to have been able to go last year. The goal is to keep costs down so that our civil service employees can afford to attend, and the vendor-sponsored gimmicks are generally kept to a minimum. Last year's conference rated as "pretty good" on my scale from "would rather have been auditing" to "first SANS experience." Others who attended and presented, like Taosecurity's Richard Bejtlich, also had some good things to say, after a well-justified rant about how poor Alan Paller's keynote was. The keynote speakers weren't so hot, and the presentations ranged from thinly-veiled sales pitches that I walked out of, to incredible demonstrations by Dr. Memon (Fornet and Reassembly of Fragmented Files) and Kevin Mandia (Performing Malware Analysis). But the "good" made putting up with the "bad" worthwhile.

Our presentation is Wednesday morning, 1/24/2007. The lecture title is Advanced Attacks from the Front Line: How our Adversaries Threaten Mission Success (currently misspelled on the webpage). For a bit of insight, in case anyone reading this can attend, the abstract is as follows:

The US government and DoD do not constitute the entire front line defense of state secrets targeted by our nation's adversaries. The cleared contracting community, as designers and manufacturers of weapon systems, possesses sensitive information critical to mission success; information equally coveted by the same adversaries. This presentation will discuss the highly-skilled, highly-organized threats contractors face when defending this data, highlighted by two recent case studies. Evolving tactics and trends, their effectiveness against traditional defenses, and new techniques to counter them will be presented. Opportunities to face this threat as a joint government-contractor force abound, and will be articulated at the end of this discussion.