During the keynote at the Cisco Collaboration Summit in San Francisco, held Nov. 9 to 11, CEO John Chambers wanted to make very clear that the networking company thinks video is absolutely important for effective collaboration.
Along those lines, Cisco Systems released a number of products and technologies to make video more accessible for users -- whether those users are in the office, on the road or working for a trusted partner. In addition, video is designed to be easier to use for one-on-one contact or group encounters, as well as for asynchronous information dispersal mechanisms like wikis or blogs.
At the summit, Cisco's representatives demonstrated many of the new capabilities on stage:
Video 1 (which is part one of two) demonstrates Cisco's ability to deliver a platform that fosters enterprise online communities, allows users to establish communications from within those communities and allows users to post, view or search video content. Using Flip video cameras, users can upload media directly into the community or a conversation via a PC or an iPhone.
Video 2 (part two of two) shows individual users joining a telepresence session using various hardware and software, and injecting documents and recorded video into the call, and demonstrates the promised future ability for WebEx users outside the corporate network to join the same telepresence session.
Video 3 demonstrates Cisco communication capabilities working across a range of devices (BlackBerry and iPhone, for instance, plus their integration with Microsoft Office Communications Server and Cisco's various desktop solutions) -- moving calls between various devices to show how the session is maintained even though the presentation capabilities of the different devices vary. Cisco also unveils its new desktop wireless IP Phone.
In his examination, he found that seven out of 10 malware samples tested were able to successfully run on a fresh Windows 7 installation employing the new, quieter UAC that is the default in the new operating system.
Ugly. Not a surprise, but ugly. Also, it's not a test designed to be passed.
In essence, the default setting for UAC in Windows 7 is, "Don't notify me when I make changes to Windows settings." So when Wisniewski downloaded malware samples onto the PC and ran them--simulating a user intentionally downloading and running a file obtained via e-mail or the Web--he was purposefully making changes to Windows settings, so UAC did not prompt him. The system acted as it was told to do, so it should come as no surprise that UAC did not block the malware installation.
The shortcomings in Windows 7's UAC design have been apparent for quite some time. In my August review of the RTM of Windows 7, I postulated that "the new settings--including the new default--serve to worsen the security protections UAC affords," a theory that seems to be borne out by this study. Basically, with Windows 7's UAC, Microsoft decided to step back from trying to save users from their own mistakes--leaving that role primarily to third-party security solutions.
Indeed, Wisniewski comes to the same conclusion, that, "You still need to run antivirus on Windows 7."
Leaving that argument aside, what Microsoft should be doing is figuring out ways to change the way people compute. That default UAC setting is only the default for users who are part of the Administrators group. Users with only standard User privileges, by contrast, get the strongest option by default--to be notified whenever the user or a program makes changes. And since a standard user doesn't have the rights to automatically elevate their token to make the change anyway, they would have to enter over-the-shoulder administrator credentials to make it.
Certainly, I like to see security companies--or even Microsoft--publish the results of similar tests, focused on systems operated in a more secure manner. Malware running on an unprotected system with admin privileges is not news, while malware that runs and stays resident without admin rights certainly would be.
Research in Motion today announced November availability for the BlackBerry Bold 9700, their newest smartphone for GSM/UMTS networks. When comparing some of the key specifications of the Bold 9700 against those of its predecessor - last year's BlackBerry Bold 9000 - the new phone looks like a modest upgrade that adds some nice enhancements, while taking some other unique features away.
Certainly, the new device measures in slightly slimmer and lighter than last year's model, a welcome improvement given the Bold 9000 was one of the larger devices in RIM's stable. The BlackBerry Bold 9700 also promises a welcome enhancement in battery performance (for both talk time and standby time), promising longer usage despite the same size battery and same speed processor under the hood.
In what hopefully will be a welcome addition, the Bold 9700 features a small trackpad in place of the trackball featured on the Bold 9000, and other recent models such as the Tour, Curve or Pearl. Although I haven't had the chance to try out the trackpad yet, I hold out hope it will offer some relief against the annoyingly constant scrolling needed to navigate long Web pages or documents on those trackball-equipped devices.
Unfortunately, it appears that RIM also taketh away, as the Bold 9700 abandons the 802.11a support that was so unique to the Bold 9000, settling instead for a more common 802.11b/g implementation. While the loss of the 5 GHz Wi-Fi radio probably won't be a big deal for many, I nonetheless find the subtraction disappointing given that the recently ratified 802.11n standard will certainly drive more enterprise Wi-Fi traffic into the 5 GHz band in the near future.
The Bold 9700 will ship with the long-awaited BlackBerry 5.0 OS, which promises to deliver enhancements to BlackBerry calendar capabilities and e-mail management when used in conjunction with a Blackberry Enterprise Server 5.0 implementation.
With the long-awaited 802.11n standard finally ratified earlier this month, I had expected to see an outpouring of marketing from all the enterprise wireless LAN companies touting the long-awaited announcement. However, as I polled the various companies over the last few weeks, I instead found that most companies were more interested in talking about their newer technology enhancements (whether those pertained to vulnerability testing, perimeter enforcement or service-level optimization) instead of focusing on the ratification of the standard and the large wealth of customers waiting to upgrade that is speculated to be out there waiting for the ratification to finally happen.
Indeed the feeling I got time and again from these companies was, with the WiFi Alliance announcing a few months ago that the ratified standard would be compatible with their Draft 2.0 certification process, that the barriers to adoption were already out of the way and that customers had nothing to worry about in this regard. While this sentiment is technically correct, I nonetheless was surprised to not see each and every wireless company trumpeting the event and hawking their wares.
Well, Aruba Networks made the first big move today (Meru's Cash for Clunkers promotion aside), announcing new hardware and some extremely aggressive pricing. In Aruba's estimation, the two biggest barriers to adoption they were seeing from prospective clients were: 1) implementers were waiting for ratification of the standard, and 2) buyers found the cost of entry too high. With the first concern now abated, Aruba's announcement takes square aim at the latter, firing the first volley in what I expect will be a long, steep, and beneficial (for the customer) price war.
First of all, Aruba announced a new access point - the AP-105. Priced at only $695, the AP-105 features 2 by 2 MIMO (Multiple Input Multiple Output), two radios (one locked to the 5 GHz band, the other capable of both 2.4 GHz and 5 GHz) and a single Gigabit Ethernet port. Designed to be unobtrusive, the AP-105 offers only internal antennae (no external connectors).
Like their existing lines of access points, the new AP-105 will work with all existing Aruba controllers running recent or current software revisions. Also like the other APs, customers can unlock additional features via licensing - features like mesh networking, intrusion detection sensor capabilities or remote access point secure tunneling.
In the second part of the announcement, Aruba also announced a price drop on the highest-end models of their current line of 802.11n access points - the AP-124 and AP-125. Previously priced at $1,295, these access points can now be purchased for $995 apiece. These high-end access points again feature dual radios, but with a 3 by 3 MIMO design, external antenna connectors (on the AP-124) and dual Gigabit Ethernet ports.
The AP-124 and AP-125 are currently FIPS 140-2 certified, and Aruba has also submitted the AP-105 for certification, although they anticipate the process may take anywhere from three to 12 months.
With news of eBay's Skype sale out of the way, Skype employees are apparently free to start disseminating information once again. As such, Skype today in blog posts reacted to a pair of security concerns that I've written about recently.
One post outlined a new hotfix for Skype 4.1 that, among other things, takes the first baby step toward helping users deal with incoming invite spam. The hotfix purports to make unclickable any links presented within an invite request. While I'd rather see Skype work to change the way invite requests are currently commingled with real contacts within a user's contact list, or actually block the incoming spam, it's a start.
I'm actually waiting to apply the hotfix until I get my next spam invite so I can see the differences in action. I'll add a screen or video as soon as I have something to show.
In the second note, Skype finally responded to the recent news circulating about the Trojan PeskySpy, which aims to steal the audio of a Skype call and send the conversation to parts unknown. In the post, the author links to the Symantec post about the threat, rather than the less detailed post about the Trojan by Sophos that first captured my attention.
The post clarifies that the Trojan hooks into Windows APIs and uses these hooks to collect Skype output rather than directly attacking Skype code. Instead, the Trojan sits in between the audio hardware and Skype, intercepting the data payload after Skype decrypts it (or before Skype encrypts a transmission) on a Windows-based host.
As a side note, that second Skype post mentioned represents the first addition to the Skype Security blog since April.
A couple of weeks ago, I pondered what the future would hold for the current iteration of Skype, and whether feature and particularly security enhancements would be put off until eBay launches a whole new system to work around their ongoing legal problems with Joltid.
At that time, my question revolved around the issue of Skype spammers, as I consistently found unwanted people had injected their profiles into my contact lists - or so I thought. Instead, as I later learned, my problem was more with Skype's presentation logic rather than the actual security. For while the spammers were displayed among my contacts, their presence there represented an invite to connect rather than an actual contact.
The problem with that presentation logic is that for obvious spam accounts, I never clicked on the account to see the difference. Instead I would just block it and move on. What would make more sense would be to present invites in a separate window or dialog box that requires a user's specific approval, rather than acting like users should and would automatically want every invite to be added to the contact roster.
Either way, Skype knows they have an increasing spam problem, as was addressed on one of their blogs recently. Unfortunately, while the blog tells of a company initiative to fix the problem, there are no details to be had on what the company will actually do or when they might do it. In a nutshell, Skype is saying "We're working on it, stay tuned." Meanwhile, the onus remains on users to identify and report spammers.
But my overarching question about ongoing security development on the current Skype still remains, as the company may face a more pressing test in the near term: Sophos Labs today revealed some information about a Skype Trojan that has been written, and for which the source code is currently being distributed.
"The Trojan injects a dll component into a running process of Skype. The dll then hooks the "send" and "recv" APIs in this Skype process to the Trojan's own custom functions. This allows the Trojan to extract and save the audio and video data, and send it back to the attacker. We're detecting both the executable and the injected dll as Troj/Skytap-Gen based on samples we've seen so far."
The upshot of this Trojan is that, no matter how secure your own system may be, if the caller on the other end is infected, your call gets recorded regardless.
Let's hope Skype has a more clear plan - and timeframe - to deal with this threat.
Update: Differing slightly from Sophos' report, Symantec research indicates this Trojan operates by "hooking various Windows API calls that are used in audio input and output" and that the problem doesn't lie within Skype itself. In other words, the Trojan hooks into Windows subsystems Skype utilizes, and the Trojan then listens for and records Skype calls specifically.
By no means have I done an exhaustive check of all the anti-malware companies yet, but it looks like virtual machine licensing is going to be a major differentiator between various products as we move toward the release of all the 2010 software suites.
"Our company policy is a single-user license applies to one box, and any VM sessions on that box. A single-user license is set up to allow multiple installations on one box with W7 and XP mode both running."
This becomes a pretty important distinction once Windows 7 and XP Mode come into play for those running Win 7 Ultimate, Professional or Enterprise (or any other hypervisor for that matter). Personally, I quickly found that a migration from Vista32 to Win7 x64 necessitated that I run a VM only for my legacy Cisco VPN client, which won't work on 64-bit machines.
Unfortunately, not every security suite is going to license VMs in the same manner. I'm currently testing one product (I can't say which due to an embargo), and I just learned that protecting the host and the client will count as two licenses.
So, as you evaluate what security to put on your new Windows 7 PC come October, remember to weigh how much security is going to cost you, if you need to spin up an instance to support some legacy application.
One thing new with Windows 7 RTM since the Release Candidate is that the default Administrator account is now disabled by default (the account was also disabled in Vista SP1 and SP2). When Windows 7 (Ultimate x64 in my case) is installed, the user creates a personal log-in and password, and this account is automatically made part of the local Administrators group. At the same time, a second Administrator user account gets created in the background with no password, but the account is disabled by default. In the RC this account was enabled, but no more.
I discovered this little tidbit as I configured my system for least privilege user mode. After I slid the UAC (User Account Control) slider bar to maximum protection, I logged into the Local Users and Groups dialog to change the name of the Administrator account and add a password. Unfortunately, I failed to notice the account was disabled by default. As a result, once I deleted the Administrators group membership from my personal account, I found I had therefore locked myself out of the ability to access any UAC-protected tools -- such as Computer Management or Add/Remove Programs. As there was no active Administrator account in my case, both UAC and RunAs were useless and there was no active Admin account with which I could actively log on.
Then I learned Microsoft only went halfway with this significant change, and, man, the other half is really badly done.
As a last recourse, I rebooted and hit F8 during the OS load to get to the Advanced Boot Options. I selected Windows 7's new "Repair Your Computer" option, which loads a slimmed-down user interface for the recovery tool. I selected my account with my limited rights credentials from a drop-down menu and was presented with a single option: Startup Repair. The tool ran a series of diagnostics -- it didn't say what at that time, but I later learned it was running file-system, disk and registry validation checks -- then presented me with the option to restore the computer using System Restore. I was not allowed to select which System Restore settings to use, although the system appeared to use the most recently saved settings.
The restore was completed, and voila, permissions were returned to a workable state.
Upon further investigation, however, I found that in the preboot environment I could also log in and effect changes using the otherwise disabled local Administrator account, but only under certain circumstances. Specifically, when no other local administrator accounts are present, the disabled Administrator account appears in the log-in drop-down box and can suddenly be accessed. And as I mentioned above, even after all these years of Microsoft receiving criticism for this lack of attention to security, the Administrator account has no password by default.
An admin logging into the recovery tool has a lot more options at his or her disposal, too. As an admin, I could perform the same auto-fix tests, perform System Restores with the ability to select the settings to use, run a System Image Recovery event to restore from a disk backup, run memory diagnostic tests or access the command line for more possible actions. And from the command line I could change drives over to the main drive (from the pre-executable one) and read anything I wanted, even copy it to a USB stick and take it with me.
Certainly, we know that a data thief with physical access to the machine typically means game over. Boot to a LiveCD or a USB stick that can see into NTFS (NT File System), and thieves can take whatever they want. The usual countermeasures are then to block boot from CD or USB at the BIOS, and put a BIOS password on the system. But, heck, now Microsoft puts in the hacking tools for you -- no need for third-party boot media.
Users could protect themselves by fully encrypting the drive with BitLocker so the intruder only sees garbage. Oh, wait, that's only for Ultimate and Enterprise customers, not the vast majority of people who will use Home Premium. Never mind.
Honestly, it's hard to take Microsoft seriously about the security of its products when you can drive a bus through some of their holes. I know the circumstances of this case were a little unique (who among you plan to remove your admin rights?), but in my book, disabled should mean disabled. Microsoft should NOT be creating as default an admin account with no password, then opening up the account for use in certain situations.
Word to the wise: Even though that admin account is disabled, do yourself a favor and put a password on it. You probably won't regret it.
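As an added example (not from the original post), the following PowerShell audit reports the state this post and the earlier UAC post walk through: the registry values behind the UAC slider, who is in the local Administrators group, and whether the built-in Administrator account (located by its RID, 500, so it is found even if renamed) is disabled and flagged as requiring a password; an optional switch prompts to set a password on it, as recommended above. The registry value names, WMI class and ADSI provider are Microsoft's; the function names and the warning thresholds are my own choices.

```powershell
# Audit-LocalAdminState.ps1 (added example; run from an elevated prompt on Windows 7 or later)

function Get-UacLevel {
    # Values behind the UAC slider. Windows 7 defaults: ConsentPromptBehaviorAdmin=5
    # (prompt only for non-Windows binaries) and PromptOnSecureDesktop=1. The top
    # slider position is ConsentPromptBehaviorAdmin=2; EnableLUA=0 turns UAC off.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $p = Get-ItemProperty -Path $key
    New-Object PSObject -Property @{
        EnableLUA                  = $p.EnableLUA
        ConsentPromptBehaviorAdmin = $p.ConsentPromptBehaviorAdmin
        PromptOnSecureDesktop      = $p.PromptOnSecureDesktop
        AlwaysNotify = ($p.EnableLUA -eq 1 -and $p.ConsentPromptBehaviorAdmin -eq 2)
    }
}

function Get-LocalAdministratorsMembers {
    # Enumerate the local Administrators group through the WinNT ADSI provider.
    # Reading group membership directly avoids the filtered-token problem: an
    # administrator running un-elevated would otherwise look like a standard user.
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
    @($group.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    })
}

function Get-BuiltinAdministrator {
    # The built-in account keeps RID 500 even when renamed, so match on the SID
    # suffix rather than the name. PasswordRequired only reflects the
    # PASSWD_NOTREQD flag; it does not prove the password is non-blank, which is
    # why the post's advice is to set one regardless of what this reports.
    Get-WmiObject -Class Win32_UserAccount -Filter "LocalAccount=True" |
        Where-Object { $_.SID -like '*-500' } |
        Select-Object -First 1 Name, Disabled, PasswordRequired, SID
}

function Invoke-LocalAdminAudit {
    param([switch]$SetAdminPassword)

    $uac       = Get-UacLevel
    $members   = Get-LocalAdministratorsMembers
    $admin     = Get-BuiltinAdministrator
    $meIsAdmin = $members -contains $env:USERNAME

    "UAC: EnableLUA=$($uac.EnableLUA) ConsentPromptBehaviorAdmin=$($uac.ConsentPromptBehaviorAdmin) " +
        "PromptOnSecureDesktop=$($uac.PromptOnSecureDesktop) AlwaysNotify=$($uac.AlwaysNotify)"
    "Local Administrators: $($members -join ', ')"
    "Current user '$env:USERNAME' is a local administrator: $meIsAdmin"
    "Built-in Administrator: Name=$($admin.Name) Disabled=$($admin.Disabled) " +
        "PasswordRequired=$($admin.PasswordRequired) SID=$($admin.SID)"

    # The lock-out scenario from the post: the personal account has left the
    # Administrators group and the built-in account is disabled, so UAC and
    # RunAs have nothing to elevate to unless some other enabled admin exists.
    if (-not $meIsAdmin -and $admin.Disabled) {
        Write-Warning "Current user is not a local administrator and the built-in Administrator is disabled; confirm another enabled administrator exists before continuing."
    }
    if (-not $uac.AlwaysNotify) {
        Write-Warning "UAC is below 'Always notify': changes to Windows settings will not prompt for administrators."
    }
    if ($SetAdminPassword) {
        # Interactive prompt (the password is typed twice); the account stays disabled.
        net user "$($admin.Name)" *
    }
}

Invoke-LocalAdminAudit
```

Run with `-SetAdminPassword` only after reviewing the report, since `net user` will prompt immediately.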
I've got Skype set to accept incoming calls, video calls or instant messages only from people in my Contact list. Yet every time I log into Skype, I see a few chat messages from obvious spam accounts, asking me to "rate my Webcam" or "meet in private."
Inevitably, when I flip over to my contact roster, I notice that the spammers have added themselves to my contact list, freeing them to bother me in other ways if I don't immediately block them.
I first noticed this problem with one of the first non-beta builds of Skype 4.0, but it certainly continues through to the latest builds of 4.1. I'm hardly the only one experiencing this, and it doesn't seem to matter whether the user is on a Mac or a PC.
A PR guy working with Skype suggested that accounts accessing Skype from multiple computers may find the security settings differ slightly from instance to instance -- which may lead to this problem. I access Skype from two different Windows PCs, a MacBook and my iPhone. On the computers, I've found the privacy settings all match. If those same privacy settings exist on the iPhone, I've yet to find them, so perhaps the hole lies there. But if so, Skype needs to add those settings to its iPhone instance.
One can't help but wonder if the potentially pending divorce of eBay from the underlying Joltid technology Skype uses has led to a stoppage or massive slowdown of development on the Skype we all currently use. eBay recently announced a development initiative for a replacement for the existing peer-to-peer technology, in case the legal wrangling between eBay and Joltid goes south.
If eBay is investing in a massive project to reinvent Skype for release sometime in 2010, it stands to reason the company is not actively working to improve the current Skype much. And it remains unclear whether Joltid will or can undertake that work in eBay's stead.
But if Skype security problems are not addressed, and the network devolves into a morass of spam and illicit contacts, will users stick around to see whether the new technology is even worth their time?
Responding quickly to the SMS-based vulnerability in the iPhone demonstrated this week at the Black Hat conference in Las Vegas and first revealed earlier this month at a conference in Singapore, Apple released version 3.01 firmware for their fleet of mobile devices on Friday.
The vulnerability research, performed by Charlie Miller and Collin Mulliner, demonstrated ways that an attacker could crash the connectivity or telephony subsystems of the iPhone through a series of invalid SMS messages, or even introduce exploit code to the device.
According to the limited information Apple provided about the fix, version 3.01 only addresses the SMS vulnerabilities and it apparently does not include other features or fixes at this time. Specifically, the Apple knowledgebase article says:
Available for: iPhone OS 1.0 through iPhone OS 3.0
Impact: Receiving a maliciously crafted SMS message may lead to an unexpected service interruption or arbitrary code execution
Description: A memory corruption issue exists in the decoding of SMS messages. Receiving a maliciously crafted SMS message may lead to an unexpected service interruption or arbitrary code execution. This update addresses the issue through improved error handling. Credit to Charlie Miller of Independent Security Evaluators, and Collin Mulliner of Fraunhofer SIT for reporting this issue.
I've downloaded the new code via iTunes, finding the updated firmware (for the 3G and 3GS models) weighing in at 297.9 MB. After downloading, the install went smoothly and took about 10 minutes. In a quick scan around the device, I've yet to see any changes in the user interface other than an acknowledgment that the update was successful.
Given the potential severity of the SMS vulnerability now that the exploit has been discussed in a public forum, I would advise users and mobile administrators undertake the update as soon as possible. However, I feel that corporate administrators particularly will feel the pain of this update because of the lack of attention Apple has paid towards true enterprise management tools for the device.
While Apple has made some strides towards enterprise friendliness with version 2.0 of their profile tools - allowing administrators to push out certificates, usage policies, and VPN settings - Apple has done nothing to address remote firmware management on a device fleet.
BlackBerry administrators can turn to their BES servers to deploy critical firmware updates. Android and WebOS administrators (however few of those there may be at this time) can expect the carrier to deliver patches (albeit in a staggered and somewhat unpredictable fashion). Windows Mobile and Symbian administrators can turn to third-party tools for the same functionality.
But iPhone administrators have to e-mail all their users to tell them to do it themselves - presuming the users have access to iTunes and some decent bandwidth - or run a time-inefficient depot station and demand the users bring the devices in for immediate upgrade. Neither solution is effective for large deployments because neither ensures the work will get done.
Because we haven't yet seen any in-the-wild attacks on the SMS vulnerabilities, time to patch may not be critically important in this particular instance. But quite possibly in the near future, Apple will find themselves facing a critical vulnerability with a zero-day remote exploit in the wild, and they will find their delivery methods failing a most important segment of their customer base.