Frequency-X in 2008

Meaningless Malware Counting? - July 25, 2008
If you were to scroll a little further down your favorite technology news site this week (somewhere below all the DNS and iPhone news/spam) you’ll likely see some snippets from the latest batch of half-year vendor-sponsored security reports. One particular statistic struck me as worth a closer examination… “It is estimated that the total number of unique malware samples in existence now exceeds 11 million…” according to Sophos.
Cyberspying - July 18, 2008
Should you be worried about cyberspying as you travel the globe? A recent article in the Wall Street Journal – “U.S. Fears Threat of Cyberspying at Olympics” – discusses the dangers posed by Chinese hacking groups to travelers heading over for the Beijing Olympics. In particular, whether (and how) the U.S. government should publicly warn businesspeople and travelers of the threat.
Strategic Security – Cloud-based MSS - July 14, 2008
Last month I covered how I’m expecting protection technologies to increasingly become embedded deeper into the applications and platforms we rely upon – rather than the way in which security currently encases (or should that be ‘entombs’?) those very same applications. Today I’m going to cover how the third-party management of perimeter security devices will likely change over the next few years.
Trojans on the up - July 07, 2008
While I think it’s important for security professionals to read these types of reports when they come out, it’s also very important to compare those findings with what other vendors are saying and what you’re actually observing on your own networks (or the networks and environments of the customers you work with) – and not to take any figures as gospel.
637 million Excuses - July 02, 2008
It’s been a couple of days since the release of the paper “Understanding the Web browser threat” and it’s been interesting watching the public reception. Along the way there have been a few questions raised and observations made, and I thought I’d take this time to offer my thoughts on some of them.
637 million Users Vulnerable to Attack - July 01, 2008
You can sum up a lot in a single number. 637 million. That’s the approximate number of users currently surfing the Web on a daily basis with an out-of-date browser – i.e. not running a current, fully patched Web browser version – or, to put it another way, 45.2 percent of all Internet surfers have neglected to update their favorite Web browser and are potentially vulnerable to all sorts of nastiness.
Strategic Security – Embedding it - June 12, 2008
It’s easy enough to talk about the threats observed today, and not too difficult to extrapolate how those threats will evolve over the next couple of years. Nor is it that difficult to discuss how current protection technologies function against the threat and the types of research or investment likely needed to combat their evolutionary descendants. But it gets a whole lot tougher if you have to dust off the old crystal ball and provide a longer-term perspective on the shift from tactical security technologies to strategic security delivery.
DIY Credit Card - Chips and Smart Cards - June 09, 2008
Following on from last week’s blog concerning the apparent ease of acquiring online all the technologies necessary for making your own fake credit cards, I received several queries about how this relates to the newer contact-based smart card rollouts – i.e. credit cards with embedded chips.
DIY Credit Cards - June 03, 2008
Over the last few years, if you’ve been following the Frequency-X blog, you’ve probably gained a fair understanding of the mechanics behind Internet-based credit card cloning and fraud. All the components needed to conduct this particular crime can be easily uncovered through a little searching of the Internet.
Global Innovation Outlook - Security and Society - May 28, 2008
Over the last couple of weeks I’ve been privileged to participate in the Tokyo and Taipei sessions of IBM’s Global Innovation Outlook (GIO). For those of you who don’t know what the GIO is, it’s an annual program that began back in 2004 whereby IBM opened up its annual technology and business forecasting processes to the world.
Are you Feeling Lucky? - April 24, 2008
Given the proliferation of sites infected with malicious drive-by download attack code, it’s about time to retire Google’s “I’m Feeling Lucky” search button, isn’t it?
"Automatic Patch-Based Exploit Generation is Possible" - So say we all. - April 22, 2008
Over the weekend I managed to read a new security paper titled “Automatic Patch-Based Exploit Generation is Possible: Techniques and Implications” that goes into some depth on how to automatically reverse engineer security patches and create (reliable?) exploits.
CAPTCHAs and Mechanical Turks - April 14, 2008
Last month I introduced the topic of “security ergonomics” and mentioned that I’d try to cover some of the presentation topics from the IBM internal conference a little later. Well, I guess it’s a little later, and the topic for today is CAPTCHA.
A Second-order of XSS - April 01, 2008
Several people have approached me for more information about the spate of search engine iFrame injection attacks that have been occurring for the last few weeks. Dancho Danchev’s blog entry provides a good primer on the threat observed so far, and lists some of the popular news sites that have been hit with the attack.
The Cost of Networking @ Blackhat - March 29, 2008
The second day of Blackhat Amsterdam proved to be just as good as the first, with the afternoon’s presentations generally being of more interest to me than the morning’s (my perception may have been unduly tainted by the previous evening’s late-night meanderings and consumption of fermented liquids with the usual flock of pentesters).
Apple Crumble @ Blackhat - March 28, 2008
It's been an interesting day at Blackhat Amsterdam. As conference venues go, you can't really beat having Blackhat in Amsterdam - the city is alive at night (even if you manage to filter out the red hue around certain districts) - meanwhile, at the conference level, the actual number of attendees is pretty small, but the atmosphere is cozy and open to discussion; something not so common at other cookie-cutter security conferences.
Security Ergonomics - March 16, 2008
Last week, IBM’s top security and privacy professionals attended an annual internal conference down in Austin, Texas. Over three days there were around 40 sessions divided into two streams covering diverse topics ranging from detecting Web application vulnerabilities using static analysis, through to European national e-ID card scheme evaluations.
Mass Attack - March Madness? - March 13, 2008
I’m hoping you’ve all been following the latest mass web defacement and have ensured that your desktop systems are fully patched, and that you’re running a good anti-virus solution (with latest updates) because, if you’re not, it’s not particularly safe to be browsing the Web today – even browsing your favorite “safe” sites.
Chip and PIN Tampering - February 29, 2008
There's an old(ish) saying amongst Internet security professionals, "if you can get physical access to it, you can 0wn it." Unfortunately too many organizations just don’t grasp the concept. Case in point – smartcard readers used for Chip & PIN transactions.
Evolving Beyond CAPTCHA - February 25, 2008
Last week I was up in New York giving a fairly standard talk about the evolving threat landscape (“standard” – but ever-so-exciting). One of the running themes in my presentation material has to do with the complexity of some security solutions and how the evolution of the protection has, in many cases, evolved beyond the capability of people to use it efficiently – and inadvertently provided new avenues for attackers to socially engineer their prospective victims.
Remotely Exploitable Trends in 2007 - February 12, 2008
For those of you who may have missed it, X-Force publicly released their annual threat report for 2007 yesterday. There are lots of interesting graphs and statistics in the report and, as with most scary security stats, you’ll probably be seeing them referred to lots of times throughout the year.
The Vulnerability Disclosure Rate in 2007 - February 11, 2008
Last week a taster was provided as to the slight dip in new vulnerability disclosure rates for 2007. There have been several citations of the data after some of the security news blogs picked it up - along with some short external analysis pieces. I found it interesting that several reporters hypothesized that it was due to the selling of vulnerabilities. I don't think so - at least not directly, and not in the way that they think.
Copyright 2001-2007 © Gunter Ollmann