The researchers' new approach, called CloudAV, moves antivirus functionality into the "network cloud" and off personal computers. CloudAV analyzes suspicious files using multiple antivirus and behavioral detection programs simultaneously.

In general, that's not a bad idea. It might save a few CPU cycles on your local workstation by not having to directly virus scan files. Then again, you have to use network resources uploading each file to the cloud, where it is scanned for you.

Each time a computer or device receives a new document or program, that item is automatically detected and sent to the antivirus cloud for analysis.

The privacy concerns here are obvious. Would you trust CloudAV to receive a copy of every file you want to virus scan? How sure can you be that they don't use the contents for something else, or accidentally leak private information?

I think this idea has more merit as an internal virus scanning system for a large organization. That way sensitive data doesn't have to leave the corporate boundary, or be sent to a third party. The benefit is that you have a more thorough and updated virus scanning engine, possibly using several different products at once.

Researchers develop next-generation antivirus system.

Britain used to pride itself on respecting privacy more than most other democracies do. But there is not much objection among Britons as “talking” surveillance cameras, fitted with loudspeakers, are installed, enabling human monitors to shout rebukes at anyone spotted dropping litter, relieving themselves against a wall or engaging in other “anti-social” behaviour.

Ross Anderson, a professor at Cambridge University in Britain, has compared the present situation to a “boiled frog”—which fails to jump out of the saucepan as the water gradually heats. If liberty is eroded slowly, people will get used to it. He added a caveat: it was possible the invasion of privacy would reach a critical mass and prompt a revolt.

Skype may want to change their architecture slightly, so that users can initially join the network without logging in, and possibly allow not-yet-authenticated users to accept incoming data connections.

There is a good post about this topic on Security Fix.

In this inspiring talk, Janine Benyus provides fascinating examples of biomimicry -- humans mimicking nature in the products we build and the systems we implement. With 3.8 billion years of research and development on its side, evolution has already solved problems that human designers and engineers struggle with.

Why, then, is this fiasco at Black Hat in DC taking place? Chris Paget, of IOActive, created a simple proof of concept RFID cloner in his spare time over the course of a month. He then put together a 75 minute briefing on how it works, and how to build your own. There was no reverse engineering or hacking necessary, since RFID technology has been patented and therefore public knowledge.

Unfortunately for Mr. Paget, he demonstrated his device at the recent RSA Security Conference, using a typical HID access card and reader. HID happens to be one of the best selling implementations of RFID cards, and is a big company with too many lawyers. So when they came across the video of his demo, they decided it infringed on their intellectual property and therefore was not appropriate for presentation at Black Hat. Of course, the fact that Paget was going to show that unencrypted RFID should not be used in presumably secure access cards (the products that HID sell) had nothing to do with it.

Reminicent of the Cisco escapade at Black Hat in 2005, HID contacted IOActive and the conference organizers, demanding that they cancel the talk and remove the slides from everyone's printed materials. Once again, there was a lot of ripping paper out of conference proceedings to do.

I can't blame them for giving in to the legal pressure, since defending themselves in a legal battle would be much too costly. The real losers in this situation are you and me. First of all, they are restricting what appears to be free speech, in the name of protecting corporate interests. Second, as RFID technology becomes ever more pervasive, I believe it should come under increased scrutiny. Not only are RFID chips appearing in all kinds of products, but they are also embedded in our passports and the new "Real ID" identification cards. Full disclosure is the right answer here, not security through obscurity.

Luckily the truth will get out, someone else will release the schematics for this or another simple cloner, and HID and its competitors will be forced to reexamine their implementations. At the very least, having this fiasco in the headlines will alert more corporate security folks to the vulnerability of their favorite access solution.

Yes, the hypervisor is a "new layer that's another opportunity for attack." However, if you convert 10 physical servers into 10 VMs running on one hardware platform, you just decreased your exposure on the hardware and physical security side from 10 to one. That's especially true if the servers were running on disparate hardware platforms, which is often the case. You would have fewer drivers to worry about updating, and require less floor space in a secure data center.

There is also the mention of "VM sprawl" in the article. The idea is VMs will pop up out of no where and be unmanaged and unprotected, since the proper security controls will not be in place. In my experience, I have not seen enterprise VMs created by accident or somehow without the VM administrators knowledge. Sure, someone can download VMware Server and load up a virtual machine on his laptop. But that's no different than the problem of users downloading other unauthorized software - you have to try to prevent it with policy and technical controls on the workstation.

In fact, I believe VM technology will improve our ability to manage servers, and keep our security policy enforced. Using a product like VMware ESX, you can configure a "template" VM, and deploy it as many times as needed. For example, you can make a template for your standard Windows 2003 server, with all the patches, configuration settings, security tools, and typical applications - then deploy it 10 times, and you've got 10 good servers up and running. There's one less excuse for not having time to properly setup security before deploying a server.

Overall, I'm glad this topic is making some headlines, to get those of us in the infosec world thinking about virtualization. As always, there are trade offs that need to be taken into account.

Also new, SP 800-84 is called Guide to Intrusion Detection and Prevention Systems [pdf]. It discusses IDPS technologies that are network-based, host-based, designed for wireless networks, and those that do network behavior analysis. The document has a good overview of how IDPS works in general, and goes into details of the various implementations. There's even a section on how to select the right product for your situation.

The third new document is SP 800-97, Establishing Wireless Robust Security Networks [pdf]. This is basically a guide to the IEEE 802.11i standard, which provides much-needed security enhancements to the familiar 802.11 family of wireless standards. The first few sections are an overview of 802.11, with some history lessons on WEP and why it was such a failure, but the rest of the document is great for anyone trying to understand what 802.11i has to offer. Now if I could just get my neighbor to put a password on her access point...