The researchers’ new approach, called CloudAV, moves antivirus functionality into the “network cloud” and off personal computers. CloudAV analyzes suspicious files using multiple antivirus and behavioral detection programs simultaneously.

In general, that’s not a bad idea. It might save a few CPU cycles on your local workstation by not having to directly virus scan files. Then again, you have to use network resources uploading each file to the cloud, where it is scanned for you.

Each time a computer or device receives a new document or program, that item is automatically detected and sent to the antivirus cloud for analysis.

The privacy concerns here are obvious. Would you trust CloudAV to receive a copy of every file you want to virus scan? How sure can you be that they don’t use the contents for something else, or accidentally leak private information?

I think this idea has more merit as an internal virus scanning system for a large organization. That way sensitive data doesn’t have to leave the corporate boundary, or be sent to a third party. The benefit is that you have a more thorough and updated virus scanning engine, possibly using several different products at once.

Researchers develop next-generation antivirus system.

On a side note, I recently learned that Ruby treats zero as a true value. I find that rather irritating.

Not to spoil the ending, but it did make me want to give Plone a try. I currently do mostly Python with Django for the web stuff at work, and its been great so far. But it certainly couldn’t hurt to try out something different and see how it fits in…

…the most consistent and intense complaint from team members was that their team leaders were unwilling to confront and resolve problems associated with poor performance by individual team members.

Everyone knows that there will be conflicts whenever a group of people attempt to work towards some goal. But once in a while, the entire team suffers because of just one person constantly going against the grain. And it’s frustrating when your leadership seems to refuse to do anything about it, even after you’ve made the situation crystal clear to them. As Jeff says on his blog: “…if your team leader or manager isn’t dealing with the bad apples on your project, she isn’t doing her job.”

Sometimes the problem isn’t that a team member is necessarily doing negative things, but rather not doing anything at all. Why keep someone around when he’s completely unproductive? Unless, of course, you only care about spending your client’s money.

The claim behind this feature is that you can have a secret encrypted file system that will remain undetected, and so you can deny its existence if your drive is confiscated somehow. Schneier and the other authors prove that this deniability is rather weak. Since the encrypted file system is stored and used within a normal operating system (Windows, Linux, etc.), traces of its existence are scattered throughout the unencrypted parts of the hard drive. There are swap files, temporary files, and other remnants created by various applications, such as word processors.

Since the paper [PDF] came out, TrueCrypt released version 6.0, which addresses many of the issues presented in this paper. But the bottom line is that you shouldn’t depend on this deniability feature. It’s much safer to encrypt the entire disk, to ensure that sensitive data isn’t left on unencrypted portions of the file system. The only problem with this method is that you can’t deny having anything encrypted.

• Techworld
• Ruby Inside
• ZSFA
• Matasano Chargen

The list of CVEs created to track these bugs:

• CVE-2008-2662
• CVE-2008-2663
• CVE-2008-2725
• CVE-2008-2726
• CVE-2008-2664

The funny thing is, these vulnerabilities were created in the run-time implementation of Ruby, which is itself written in C. So it’s really not all that surprising, considering how hard it is to write secure, large, bug-free C programs.

This is a cut and dry example of why the insider threat is such a major issue. I guess some companies need to learn the hard way: Disable all accounts belonging to terminated employees; if it’s an admin (or the IT director), change all the root passwords as well. Of course, this implies that a company has to keep track of all the accounts an employee might have, which is not easy. The important thing to remember is that this is more of a people/policy challenge than a technical one.

This article by Ed Skoudis lists a few of them, with handy examples of how the commands might be used in a security investigation. He mostly talks about wmic, openfiles (which I had never heard of before), and netstat. Unless you’ve done recent Windows administration work, you’ve probably never had to use wmic, but it’s really powerful, with tons of options. Also, be sure to check out the second part of his article, which goes into more advanced command line tricks - like “for” loops and querying the registry.

A more comprehensive list, although less detailed, was published by Kevin Beaver. There is overlap, but Kevin mentions a few addiontal commands.