After the burst of the bug bubble, I’m left wondering who at SerNet decided the Badlock marketing campaign was a good idea and why. It certainly was not, as claimed, to raise awareness for a critical bug that needed immediate patching.
In the current state of cyber security, the bad guys have the upper hand. Cybercrime is an industry, in which huge investments are made by criminal elements. Why? Because ROI is basically guaranteed. Building attacks takes time, requires patience, research, persistence and a good plan that considers the predictability of IT systems and users. Unfortunately, the bad guys seem to have an infinite amount of all of these, and IT systems and users are fairly predictable. So, are we forever doomed to pay millions of dollars in unsuccessful attempts to protect ourselves?
Explosive news about vulnerabilities found in FireEye's security software is hitting the headlines. ZDNet, Ars Technica, PCWorld and more reported on the findings by the Google Project Zero researchers. First, let’s give kudos to FireEye for acting quickly on the discovery and releasing a final patch in a matter of days, thus preventing a nightmare in which remote code execution would lead to the compromise of the entire computer system and network of their customers.
We often get asked how our Moving Target Defense (MTD) approach differs from ASLR. While the concepts may sound similar, ASLR lacks several key elements needed to make it successful at countering 0-day and targeted attacks.
Have you ever wondered what happens to zero-day exploits after their big splash on day zero? Often 0-days are developed to target a specific organization, as in this Pawn Storm-related instance reported by Trend Micro, which targeted specific people within the Foreign Affairs Ministry.