Security Watch

What Kernel Hooking is All About

Attackers are now patching systems to enable better attacks. Plus: Microsoft Office and Google Apps go toe-to-toe on security; insider threats growing, says report.

Security research outfit Matousec said last week that Norton Internet Security 2010, McAfee Total Protection 2010, Sophos, Trend Micro Internet Security Pro, Symantec and BitDefender all had flaws that allowed attackers to bypass the protections that these programs offer.

According to the researcher, the exploits can be executed without administrative access. The kicker? The Windows kernel itself is both the main target and the vector from which the attack is launched.

The researcher goes on to say that the common thread is kernel patching: the affected products modify the Windows kernel to "enable it to intercept certain operations like opening files or killing processes," a method that researchers identified as hooking. In effect, the third-party product inserts its own code into the path of Windows functions by updating the kernel, and it is that interception point the exploit abuses.
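To make "hooking" concrete, here is an added user-mode model of the mechanism (example code written for this column, not Matousec's research code nor any vendor's product). A dispatch table of function pointers stands in for the kernel's system-call table; a security product "hooks" an entry by saving the original pointer and replacing it with its own wrapper, which enforces a policy and then forwards to the original. The operation numbers, the protected path and PID, and the policy are assumptions for illustration. On a real Windows system the table lives in kernel memory and installing the hook requires a kernel-mode driver; this model keeps the mechanism and drops the privilege so it compiles and runs anywhere.

```c
/* Added example: a user-mode model of hooking a kernel-style dispatch table.
 * Not the Windows kernel and not any vendor's code; the table, operation
 * numbers, protected path/PID and policy below are assumptions. */
#include <stdio.h>
#include <string.h>

/* Operation numbers indexing the dispatch table (assumed; stands in for
 * a system-call table). */
enum { OP_OPEN_FILE = 0, OP_KILL_PROCESS = 1, OP_COUNT = 2 };

/* Every operation takes an opaque argument and returns 0 on success or
 * -1 on denial, mirroring a status code. */
typedef int (*op_fn)(const void *arg);

/* "Real" handlers, standing in for the kernel's own implementations. */
static int real_open_file(const void *arg)    { (void)arg; return 0; }
static int real_kill_process(const void *arg) { (void)arg; return 0; }

/* The dispatch table that a hooking product patches. */
static op_fn dispatch[OP_COUNT] = { real_open_file, real_kill_process };

/* Originals saved at hook time so the hook can forward and be removed. */
static op_fn saved[OP_COUNT];

/* Policy enforced by the hooks (assumed values). */
static const char    *PROTECTED_PATH = "C:\\av\\quarantine";
static const unsigned PROTECTED_PID  = 1337;

/* Hook for "open file": deny access under the protected directory,
 * otherwise forward to the original handler. */
static int hooked_open_file(const void *arg) {
    const char *path = arg;
    if (strncmp(path, PROTECTED_PATH, strlen(PROTECTED_PATH)) == 0)
        return -1;
    return saved[OP_OPEN_FILE](arg);
}

/* Hook for "kill process": deny killing the product's own process. */
static int hooked_kill_process(const void *arg) {
    unsigned pid = *(const unsigned *)arg;
    if (pid == PROTECTED_PID)
        return -1;
    return saved[OP_KILL_PROCESS](arg);
}

/* Install: remember the original entry, then point the table at the hook.
 * Refuses to hook the same slot twice so the original is never lost. */
static int install_hook(int op, op_fn hook) {
    if (op < 0 || op >= OP_COUNT || saved[op] != NULL) return -1;
    saved[op] = dispatch[op];
    dispatch[op] = hook;
    return 0;
}

/* Remove: restore the saved original entry. */
static int remove_hook(int op) {
    if (op < 0 || op >= OP_COUNT || saved[op] == NULL) return -1;
    dispatch[op] = saved[op];
    saved[op] = NULL;
    return 0;
}

/* Callers reach the handlers only through the table; that single path is
 * what makes the replaced entry an interception point. */
int do_open_file(const char *path) { return dispatch[OP_OPEN_FILE](path); }
int do_kill_process(unsigned pid)  { return dispatch[OP_KILL_PROCESS](&pid); }

/* Returns 1 when all hooks were installed/removed, 0 otherwise. */
int hooks_install_all(void) {
    return install_hook(OP_OPEN_FILE, hooked_open_file) == 0 &&
           install_hook(OP_KILL_PROCESS, hooked_kill_process) == 0;
}
int hooks_remove_all(void) {
    return remove_hook(OP_OPEN_FILE) == 0 &&
           remove_hook(OP_KILL_PROCESS) == 0;
}

int main(void) {
    printf("before hook: kill 1337 -> %d\n", do_kill_process(1337));
    hooks_install_all();
    printf("after hook:  kill 1337 -> %d\n", do_kill_process(1337));
    printf("after hook:  open %s\\x -> %d\n", PROTECTED_PATH,
           do_open_file("C:\\av\\quarantine\\x"));
    printf("after hook:  open C:\\temp\\y -> %d\n", do_open_file("C:\\temp\\y"));
    hooks_remove_all();
    return 0;
}
```

The point to take from the model is that the security product's protection exists only as long as its wrapper sits in the table and sees the same arguments the original handler will act on; anything that reaches the original entry by another route, or changes what the original sees after the wrapper has checked it, is outside the hook's view.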

So far, the issue mainly affects Windows XP. Microsoft said that its own AV software, Microsoft Security Essentials, is not affected. Even so, spokespeople from Redmond told me they were looking into the issue; a response is expected this week.

Last week, spokespeople from McAfee and Kaspersky Labs, among others, went on the defensive, suggesting that administrative access is needed for any kernel hooking to work. Further, many security observers coming down on Microsoft's side said that Redmond's Malicious Software Removal Tool would probably head the bug off at the pass and that Security Essentials would probably stamp it out.

There will definitely be more to discuss in the coming weeks, given that just about every 800-pound gorilla in the AV software game seems to be affected by the glitch.

Office Suite Security Deals
There's no doubt that Redmond's Office suite will remain dominant in the enterprise space for some time. Proponents of Microsoft's newly rolled out Office 2010 said that security features are vastly improved. Yet the paid version of the more malleable, Web-based Google Apps also features enhanced security, privacy controls and customer support with "guaranteed service levels."

In the end it may not be accessibility or usability that determines the ultimate outcome of the battle between two tech giants in this customer segment. Instead, a key question will be security.

Microsoft has stepped up to the challenge by putting its Office team through the wringer as part of its much-lauded security development lifecycle program.

Part of this gauntlet included a new process for "triaging" Office exploits so that newer zero-day exploits are brought into the discussion during the design phase, and several work items were identified to strengthen the trustworthiness of Office documents. Given the rise of malicious Office documents passed around through e-mail and the Web by hackers and other saboteurs, trustworthiness is key.

Didier Vandenbroeck, a Microsoft security program manager, wrote in his blog last week that by combining a holistic and practical approach, the SDL aims to reduce the number and severity of vulnerabilities in Office and other Microsoft products.

Meanwhile Google has said it will not so much focus on new security and other features as on changes in user behaviors in framing its Google Apps strategy.

To that end, what Microsoft has gotten right is understanding that changes in hacker behaviors are just as important.

The next steps should be to make sure future iterations of Internet Explorer security are also sound, to complement Office apps.

Report: Insider Threats Mushrooming
Misuse of enterprise computing resources and outright theft of critical data are among the top security concerns of IT pros, according to a study from research outfit Computer Economics.

You can always tell when exhaustive research has been conducted when it takes less time to hack into a system than it takes to read the title of the report. The report is titled (take a deep breath): "Malicious Insider Threats: Countering Loss of Confidential Information, Fraud, Sabotage, & Other IT Security Threats Posed by Trusted Insiders." (Now, exhale.) In short, the report details four of the most common insider threats in the enterprise space:

  1. Unauthorized access to confidential files
  2. Unauthorized disclosure of data contents to internal and external players by company employees
  3. Fraudulent transactions
  4. System sabotage

A good remedy for these risks, especially in trying times like these when the disenfranchised and disgruntled are being dissed, is to set up policies that limit access based on segregation of duties and to institute tighter access controls.

For instance, a developer who writes code should not, wherever possible, also be the network administrator, the systems administrator and the security administrator. Such overlapping roles are unavoidable at some smaller enterprise shops, but there should still be monitoring and checks and balances.

Another example is orphaned accounts and passwords. When a person is laid off or is leaving, it would be wise to disable that person's passwords and revoke access to critical information immediately, not merely promptly. But that's obvious, right?

About the Author

Jabulani Leffall is an award-winning journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others.


