Security Bytes - A SearchSecurity.com blog


The information security blog for the latest buzz on data security, privacy and regulatory compliance issues, information security threats, software security updates, flaws and more.

Benevolent keyloggers: Stroke of genius or hitting the wrong key?

Keystroke loggers are nothing new. Often surreptitiously installed on a user’s PC, keyloggers record keyboard actions and log them, or subsequently upload the data to a third party. The first federal prosecution involving a keylogger took place more than three years ago. They’ve been a favorite weapon in the arsenal of malicious hackers for even longer than that; they’ve been incredibly effective as a method for stealing usernames, passwords and other information that can be used to penetrate enterprises and steal identities. However, keyloggers are no longer being used exclusively for evil. Just recently it was revealed that the FBI has used them on a number of occasions, including in the investigation of alleged mafia kingpin Nicodemo Scarfo Jr., and that they helped lead to the arrest of Josh Glazebrook, a 15-year-old student who pleaded guilty last month to emailing bomb threats to his Washington high school.

Lately we’ve seen discussion among IT pros regarding the merits of using keyloggers in the enterprise. It bears asking what keylogger capabilities are coveted by security professionals that would make them desirable over other, more traditional client-based monitoring tools. Are they cheaper, easier, or just more fun?

It would certainly seem the practice is no longer an absolute no-no, but as always, we’re interested in what you have to say. Have you used a keystroke logger in your organization, and would you consider doing so?

Halvar Flake a no-show at Black Hat thanks to Customs mix-up

Halvar Flake, a fixture at the Black Hat training and briefings for the last several years, won’t be there this year, thanks to a mix-up with customs. Flake, whose real name is Thomas Dullien, arrived in the U.S. this weekend from his home in Germany and passed through immigration without any trouble, but was then stopped by customs inspectors after they saw printed training materials in his suitcase that he planned to use for his classes in Las Vegas this week. As Flake writes on his blog, the customs folks wanted to know “who exactly I am, why I am coming to the US, what the nature of my contract with Blackhat is, and why my trainings class is not performed by an American citizen. After 4 hours, it became clear that a decision had been reached that I was to be denied entry to the US, on the ground that since I am a private person conducting the trainings for Blackhat, I was essentially a Blackhat employee and would require an H1B visa to perform two days of trainings in the US.”

This all sounds a bit extreme for what is essentially a paperwork error, but unfortunately it’s not all that uncommon. As Adam Shostack points out on his Emergent Chaos blog, this incident will likely cost Flake time and money down the road:

Halvar has been coming to the US to train people for six years. So here’s my question: Has the law changed? Why did this happen? What’s happened may be that he didn’t use precisely the right words to get through the line, and now he’ll be spending (my guess) $10,000 on lawyers to be able to re-enter the US.

I’m increasingly concerned about this–the police can detain you in a variety of ways, offer implicit threats of arrest, and there are certain very specific legal formulas you can invoke. For example, I’ve been told that you must ‘demand’ an attorney, rather than saying “I’d like an attorney,” in order to preserve your rights. If a cop is asking you questions, you must ask “are you detaining me?” in order to get an honest answer. No one should be required to know these formulas–not me to preserve my rights through an encounter with the police, and not Halvar to preserve his ability to enter the US.

Flake is known as one of the top reverse engineers in the industry and his training classes typically sell out well in advance. Hopefully he’ll get things put right and this won’t prevent him from coming back to the U.S. in the future.

Black Hat ‘07: Nothing says fun like Vegas in August

We have a full crew of four reporters (me, Bill Brenner, Mike Mimoso and Rob Westervelt) heading out to Vegas next week for Black Hat and we’ll be filing tons of stories and blog posts from the road. If past years are any indication, there will be no shortage of interesting things to cover. If you’re not headed to the show, be sure to check our special Black Hat landing page frequently for the latest news and after-hours happenings starting on Tuesday. And if you’ll be in Vegas, please stop one of us and say hello. We’ll be the ones with the 1,000-yard stares mumbling something about Blue Pill.

Security certifications gaining value - good times are here

Companies are beginning to seek out more security talent in niche areas according to the latest job skill and certification research from Foote Partners LLC. Security certification premiums increased 2.2% over the last six months compared to other areas that are flat or losing ground, according to David Foote, president of the research firm. I interviewed Foote today to find out what niche areas may be highly coveted.

The premiums could be embedded into base pay or paid in addition to base pay as a bonus or variable pay. Among the certifications paying a premium (there are no big surprises here): certified information systems security professional (CISSP), certified information systems auditor (CISA) and certified information security manager (CISM). Some extensions doing well: CISSP - management and professional, architecture and professional, engineering professional. These earn between 10% and 16% of base pay.

Foote said that on average, for one certification in information security, people are earning 9% of base pay. Out of the 151 certifications that Foote Partners surveys, the average individual certification is at 8% right now. Only 1% more than the average may not seem like much, but Foote said it is significant, because security certification premiums are surging while many of the other certifications have been declining over the last year.

Some security skills in high demand: autocorrelation, incident response, forensics, packet-level network skills, application network use and packet skills, identity management and LDAP, wireless security, VoIP security, and legal compliance, audit and remediation.

Foote also said that small specialty security consultancies are having trouble filling positions. Although Foote’s survey has had a pretty good finger on the pulse of the job market (he says he tracks over 67,000 IT worker salaries and IT skills pay), it’s still very hard to know exactly how the job market is doing since there are so many factors involved. I’m curious as to what you’re seeing in the job market. Is it easy to get a security job today? How do you make yourself stand out to a prospective employer? Comment here or send me an email at rwestervelt [at] techtarget [dot] com.


Messy URL protocol-handling drama finally winding down

It appears that the big communal witch hunt over the URL protocol-handling bug has resulted in both Microsoft and Mozilla admitting some level of culpability. Originally, each vendor pointed the finger at the other one. Mozilla officials said it was Microsoft’s fault because Internet Explorer was sending Firefox bad data; and Microsoft said nope, it’s Firefox’s fault for not validating input. Fun. But after Microsoft officials agreed that there was an issue with IE, Mozilla has come to the same conclusion, saying that Firefox also has a problem. Mozilla’s security team, headed by Window Snyder, is investigating the issue now, Snyder said in a blog post:

We thought this was just a problem with IE. It turns out, it is a problem with Firefox as well. We should have caught this scenario when we fixed the related problem in 2.0.0.5. We believe that defense in depth is the best way to protect people, so we’re investigating it now.

We are working to make sure that we are giving you as much information about pressing security issues as possible. We make real-time updates as we find out new information because we are committed to an open and transparent security process.

David LeBlanc, a security guru at Microsoft, also got in on the act Tuesday with a post about security dependencies and why the whole IE v. Firefox discussion misses the larger point:

One of the bits of background information needed to conduct a threat model is the external dependencies – in here, we list what we depend on, and what we expect them to do. An extremely critical part of a threat model is to ensure that the item we’re depending on actually agreed to do what we expected. When we’re looking for problems here, trying to find mismatches between what someone expects in their external dependencies and what the external dependency actually guarantees is often a productive source of things to go tidy up.

Thus if we’re following along with how Frank [Swiderski, co-author of a book on threat modeling with Snyder] and Window say to do threat modeling, and we were going to threat model some generic URL handler, we might have an external dependency on the browser that’s invoking us. The problem is that it could be any browser. We might notice that some browsers might present the user with scary warnings, and so on, but what we should build on is what’s guaranteed. If IE or Firefox have some behavior, that’s interesting to note, but you could be hosted by DavidsDodgyBrowser that doesn’t check anything. Or worse yet, you could be hosted by TomsVulnFinder browser that’s just really rude and gives you obnoxious inputs. It’s pretty clear that a URL handler would be making mistakes if it assumed anything about how well formed its inputs were, given that there’s no telling what sort of browser it might be interacting with.

It’s nice to see this finally getting to the point where customers will have some protection from this problem, instead of a bunch of rhetoric. But the question is why it took so long. Instead of spending time writing dueling blog posts and crowing about the problem being in the other guy’s browser, both Mozilla and Microsoft would have served their customers better by putting some serious time into researching the problem and seeing whether there was anything they could do to prevent it. In the end, users don’t really care whether one browser is passing bad data or the other is failing to validate that input; all they want is a safe browsing experience.
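LeBlanc’s point above is that a URL handler cannot rely on the browser that invokes it to have cleaned anything up; it has to validate what it receives itself. As an added example (not code from the post, from Mozilla or from Microsoft), here is a hypothetical handler for a made-up `myapp:` scheme that allow-lists every part of the URL, re-checks after percent-decoding, and hands the URL to the real client as its own argv element rather than splicing it into a shell command string. The scheme, the `myapp-client` program and all sample inputs are constructed for this example.

```python
"""Input validation for a hypothetical custom URL protocol handler.

The handler is launched by whatever browser the user happens to run, so
the string it receives is untrusted, exactly as in the quoted post.  The
`myapp:` scheme and the `myapp-client` program are constructed for this
example and do not exist.
"""
import re
import subprocess
from urllib.parse import urlsplit, unquote

ALLOWED_SCHEME = "myapp"   # the only scheme this handler agreed to accept
MAX_LENGTH = 2048          # refuse absurdly long inputs before parsing them

# Conservative allow-lists: a DNS-style host name and a path made only of
# unreserved characters plus "/".  Anything else is rejected, not "cleaned".
HOST_RE = re.compile(
    r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)
PATH_RE = re.compile(r"^[A-Za-z0-9/._~\-]*$")


def validate_url(raw):
    """Return (ok, reason). ok is True only when every component of the URL
    matches what this handler explicitly supports."""
    if not isinstance(raw, str) or len(raw) > MAX_LENGTH:
        return False, "bad type or length"
    # Control characters (CR/LF included) never belong in a URL handed to us,
    # and some parsers silently drop them, so check the raw string first.
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in raw):
        return False, "control character"

    parts = urlsplit(raw)
    if parts.scheme.lower() != ALLOWED_SCHEME:
        return False, "unexpected scheme"
    if not parts.hostname or not HOST_RE.match(parts.hostname):
        return False, "bad host"
    try:
        port = parts.port          # raises ValueError for a non-numeric port
    except ValueError:
        return False, "bad port"
    if parts.username is not None or parts.password is not None or port is not None:
        return False, "userinfo/port not supported"

    # Decode once, then apply the allow-list: percent-encoding must not be
    # able to smuggle in characters (or ".." segments) the raw check missed.
    path = unquote(parts.path)
    if not PATH_RE.match(path) or ".." in path.split("/"):
        return False, "bad path"
    if parts.query or parts.fragment:
        return False, "query/fragment not supported"
    return True, ""


def build_argv(raw):
    """Return the argument vector for the client, or None if the URL fails
    validation.  The URL is a single argv element and no shell is involved,
    so spaces, quotes or shell metacharacters inside it cannot turn into
    extra arguments.  This replaces the anti-pattern of building one command
    string, e.g. os.system('client "%s"' % raw)."""
    ok, _reason = validate_url(raw)
    if not ok:
        return None
    return ["myapp-client", "--open", raw]   # myapp-client is hypothetical


def launch(raw):
    """Validate, then run the client with an argv list.  Returns the exit
    code, or None when the input was rejected (nothing is executed)."""
    argv = build_argv(raw)
    if argv is None:
        return None
    return subprocess.run(argv, check=False).returncode


if __name__ == "__main__":
    # Constructed sample inputs: one acceptable URL and several hostile ones.
    samples = [
        "myapp://example.test/docs/readme",
        "http://example.test/",
        "myapp://example.test/%2e%2e/etc",
        "myapp://example.test/readme -x",
        "myapp://example.test/readme\r\nX",
        "myapp://exa mple.test/",
        "myapp://example.test:abc/",
    ]
    for s in samples:
        print(repr(s), "->", validate_url(s))
```

The handler never tries to repair a bad URL; it rejects it with a reason that can be logged, which is what gives a defender a signal when a "rude" host is feeding it obnoxious input.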

Hackers get their 0wn awards: The Pwnies

You can add one more bit of goofiness to the usual fun and games at Black Hat this year: the first annual Pwnie Awards. A tongue-in-cheek look at the most notable security events of the year, the awards are meant for “celebrating (or making fun of) the achievements and failures of security researchers and the wider security community,” according to the Web site. You can submit nominations for work done in one of seven categories between June 1, 2005 and May 31, 2007. The categories are:

  • Best server-side bug
  • Best client-side bug
  • Mass 0wnage
  • Innovative research
  • Lamest vendor response
  • Most overhyped bug
  • Best song

The list of judges is almost as good as the category names: Dave Goldsmith of Matasano Security; Mark Dowd of IBM; Dino Dai Zovi of MacBook pwning fame; HD Moore, creator of the Metasploit framework; Dave Aitel of Immunity; Halvar Flake of SABRE Security; and Alexander Sotirov of Determina. Nominations close on Saturday and the awards ceremony is on Aug. 2 in Vegas.

If anything other than “Symantec Revolution” wins for Best Song, you know the fix was in.

Popular LinkedIn toolbar mired by critical flaw

Security researchers have discovered a flaw in a toolbar issued by the popular business networking site LinkedIn that could allow an attacker to conduct a denial of service attack or take complete control of an affected system.

The LinkedIn toolbar is used in conjunction with Microsoft Internet Explorer to conduct a search for contacts and connect users to the LinkedIn network.

Danish vulnerability clearinghouse Secunia rated the flaw “highly critical” in its SA26181 advisory because attackers can exploit the flaw remotely. Working exploit code is publicly available and the flaw remains unpatched, Secunia said.

According to the researchers who discovered the flaw, Jared DeMott and Justin Seitz of Rockford, Mich.-based VDA Labs, the flaw can be easily exploited.

“If a user, with the LinkedIn toolbar installed, is tricked into browsing a website that contains the above code — game over,” the researchers said in their advisory.

The French Security Incident Response Team (FrSIRT) said the issue is caused by a buffer overflow error in the toolbar ActiveX control when processing malformed arguments passed to the “search()” method.

The research firms said users can set the kill-bit for the affected ActiveX control as a temporary workaround until a patch is released.


Privacy is the new battleground for search providers

Microsoft is trying to upgrade its image in the privacy community a bit, and on Monday the company, along with Ask.com, called on other search providers to come to the table for a discussion on how best to handle user search data for advertising purposes while still protecting users’ privacy. The announcement is pretty vague, simply asking “other technology leaders, consumer advocacy organizations and academics to come together and join them in working on the development of these principles, which could include developing and sharing best practices to provide more control for consumers.” But it seems like a not-so-subtle attempt by Redmond to pressure Google to step up its game. Google has been a frequent target of privacy advocates who complain that the search giant retains too much user data and stores it for too long. And the company also is in the midst of a proposed acquisition of online ad firm DoubleClick, a transaction that is under investigation by a number of regulatory bodies.

In the announcement, Peter Cullen, Microsoft’s chief privacy strategist, had this to say: “As search and other online services progress, it’s important for our customers to be able to trust that their information is being used appropriately and in a way that provides value to them. We hope others in the industry will join us in developing and supporting principles that address these important issues. People should be able to search and surf online without having to navigate a complicated patchwork of privacy policies.”

Microsoft also said it is changing the way it handles some user data in its Windows Live application. The enhancements include anonymizing user search data after 18 months by deleting cookie IDs, IP addresses and other identifiers. It’s quite interesting to see Microsoft taking the lead on this. It was not that long ago that federal regulators and consumers were ripping Microsoft for its privacy policies, especially the way it handled data collected from users of its Passport online ID system. Now, with Google under the gun, Microsoft is raising its hand and saying, Look how we’ve changed. But, as the New York Times points out, Yahoo does them both one better by retaining search data for just 13 months, and Ask.com is even working on a way for users to do completely anonymous searches.

DoS attack slows Virgin America inaugural sales

A denial-of-service attack on Virgin America’s Web site Thursday temporarily slowed online ticket sales for the start-up airline.

Based in Burlingame, Calif., Virgin America began selling tickets for its inaugural flights on its Web site and via phone on Thursday. In the afternoon, the site began to experience delays and some inaccessibility due to a DoS attack, said Virgin America spokeswoman Abby Lunardini. Service was restored by late afternoon, a few hours later.

“The problem was identified, corrected and resolved,” she said.

The airline is scheduled to launch its low-cost service from San Francisco to New York and Los Angeles Aug. 8.

Symantec gives its ThreatCon a makeover

Bill Brenner

There’s not a lot of passion in the security blogosphere this week over any topic in particular, but there are some nuggets worthy of note, including an announcement in the Symantec Security Response blog about a makeover for the company’s ThreatCon.

Many security organizations use a measurement system to give customers a sense of the overall security picture at a given moment. The SANS Internet Storm Center has its Infocon while IBM ISS has its Alertcon and Kaspersky Labs has its virus alert box, which gives you a picture of a peaceful hillside when malware levels are normal. There are also places where you can find several of these on one screen, such as the Computer Network Defence site. But Symantec’s ThreatCon is one of the more popular security meters.

Dave Cole, product management director for Symantec Security Response, says the ThreatCon now offers more insight into phishing activity, spyware and adware, spam, malicious attacks and vulnerabilities, including non-Microsoft vulnerabilities and zero-day exploits. More options have also been added so users can “explore the entire threat environment, interact with the new Attack Explorer tool, and view Symantec’s Threat Watch.”

Cole said the main goal was to make it more interactive, comprehensive and visually appealing.

I had no problem with the old ThreatCon, though I do like the changes based on what I’ve seen so far. Since there are now so many different kinds of malware and attack vectors, it makes sense to offer customers more of a breakdown. Now they can drill down deeper into the areas that pose the most risk for their companies.

Check out the new ThreatCon and share your thoughts.

More on the Firefox/Internet Explorer flaw

Mozilla updated Firefox to fix several security flaws this week, including a vulnerability connected to Internet Explorer that has caused some controversy. The controversy has centered around whether the flaw was a problem from Microsoft’s side of the fence or Mozilla’s. Both sides have appeared reluctant to own this one.

And Thor Larholm, one of the researchers who brought this problem to light, says in his Larholm.com blog that the Firefox update isn’t the end of the story.

“Mozilla has just released Firefox 2.0.0.5 which purportedly fixes one of the attack vectors of the Internet Explorer input validation flaw that I previously detailed,” he wrote. “I will go on the record as stating that this does not actually fix the flaw in Internet Explorer, but simply patches one of the myriads of attack vectors.”

He said he can still automatically launch a wide range of external applications from Internet Explorer and provide them with arbitrary command line arguments.

As for who is most responsible for this flaw, Larholm says the assessment Mozilla put in its MFSA 2007-23 bulletin matches his thinking. Mozilla says in that bulletin, “This fix only prevents Firefox and Thunderbird from accepting bad data. This patch does not fix the vulnerability in Internet Explorer.”

Of course, Microsoft has already declared that this is not a vulnerability in a Microsoft product.

As I mentioned last week, there’s a bigger issue here than which browser the flaw came from.

People need to take care when browsing the Internet. If you are visiting porn and gambling sites or shopping online using a site that doesn’t clearly outline how the merchant is protecting your credit card data, you’re asking for trouble no matter which browser you’re using.

Some advice is worth repeating.

The Internet crash of 2007

I end this week’s column with some blogosphere buzz about a new parody video from The Onion with the following headline: “Breaking News: All online data lost after Internet crash.”

Security bloggers like Todd Towles (Thoughts of a Technocrat) and Dave Lewis (Liquidmatrix) are either linking to it or pasting it right into their blogs.

My favorite part: The dejected blogger who, after finding that all his data was gone, declared that his life is boring now and he wants to control/alt/delete himself.

About Security Blog Log: Senior News Writer Bill Brenner peruses security blogs each day to see what’s got the information security community buzzing. In this column he lists the weekly highlights. If you’d like to comment on the column or bring new security blogs to his attention, contact him at bbrenner@techtarget.com.