Archive

Posts Tagged ‘Anti-virus’

Rising anti-virus software damages users’ Outlook Express

November 9th, 2008 1 comment

It’s reported that Rising damaged users’ Outlook Express.

Rising is the largest anti-virus vendor based in China. It has just begun its globalization journey by tapping the Japanese market.

The incident was first reported on Nov. 7. The Rising anti-virus software, Kaka, was found to kill Outlook Express folders as virus files.

Rising has apologized to its users for this mistaken operation and promised to correct it and help users recover their files.

It’s another outstanding wrong operation by an anti-virus vendor, after Symantec’s on May 18, 2007.

[Chinese] Localized attacks demand localized response

April 22nd, 2008 No comments

At a conference on cybercrime in Latin America, an interesting phenomenon was observed. Current cybercrime increasingly shows highly regional characteristics; in other words, network attacks, phishing and the like are tailored to target only a specific country, region, or user group. These tailored attacks rarely cross the boundaries set for them. Such tailored, regionalized malicious attacks become more covert and harder for international anti-virus companies to detect, so they can remain hidden for longer. In this sense, domestic anti-virus companies will have an advantage, and international anti-virus companies need to open more localized research centers and rapid response centers to cope with this regionalization trend.


Lessons from the Symantec “virus-gate” incident

May 31st, 2007 No comments

The morning of 5/18 left us with a deep impression. Because of an error in Symantec’s virus definition database 2007.5.17 rev 18, SAV misidentified two critical system files of Simplified Chinese Windows XP, netapi32.dll and lsasrv.dll under c:\windows\system32, as the backdoor.haxdoor virus and prompted users with a recommendation to delete them. Users naturally followed orders, the system quarantined the two files on restart, and the machine could no longer boot normally, ending in a blue screen.

This seemingly simple false positive posed a hard problem for security managers, even putting them in an awkward position. Usually we work hard to guide users to raise their security awareness, ensure anti-virus software is installed and definitions are updated promptly, and follow security instructions. But this incident left the most policy-compliant, most security-conscious employees at a loss, and the more efficiently an enterprise’s desktop systems carried out instructions, the greater the loss they suffered.

To placate domestic users, Symantec is said to be building an SRC in China to improve its response speed and detection rate for domestic virus samples. It is also said that, because of this incident, Symantec revised its internal process, changing the fully automated virus definition release process back to the earlier one with a manual confirmation step.

Zero-day attacks push us to keep accelerating patch release and installation and to implement real-time virus definition updates. “As Europe’s leading enterprise security software provider, we offer the world’s strongest anti-virus engine, a virus signature database of 300,000 entries, automatically updated every hour.” This is fairly common marketing material; the huge virus database and fast automatic updates are clearly its two most eye-catching phrases.

Does such speed and automation bring security, or does it bring more risk? We would rather believe this was an isolated accident at Symantec, because right now we have no choice but to entrust the security of our enterprise networks to the trustworthiness of these few vendors and to the maturity of their internal processes, hoping that their internal controls remain lasting and effective and that no vengeful employee maliciously plants a backdoor or logic bomb… For an enterprise this is done out of necessity, but it is acceptable. From a national security standpoint, however, diversity of species appears to be a necessary environment for security to evolve.

Symantec Anti-Virus software damages system files

May 18th, 2007 28 comments

This morning, Symantec’s worldwide customers found that their computers failed to reboot, and in the meantime the helpdesk was plunged into a hot pot. The rough root cause is that Norton released a wrong virus definition that identified a few system files (.exe and .dll) as viruses and removed them, which causes system reboot failure.

It’s a very severe incident from a global security perspective. One wrong operation might corrupt tens of millions of computers worldwide. In addition, security managers are put into a very embarrassing situation: whether or not you push users to install anti-virus software and keep virus definitions updated, it seems that either side will hurt you and the authority of the security policy.

Till now, only the Simplified Chinese version of Windows XP SP2 is reported to be impacted. Two system files under C:\windows\system32, netapi32.dll and lsasrv.exe, are identified wrongly as viruses.

Users are prompted that these two files are infected by a virus and need to be quarantined. If users follow the prompt, after reboot the system is corrupted…

At this moment, Symantec hasn’t officially released any news, notification, analysis, solution, or workaround for it.
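The failure described in this post and in the Chinese post above (a definition update flagging netapi32.dll and lsasrv under system32, and the vendor's return to a manual confirmation step before release) is the kind a pre-release check can catch. The following is an added example, not code from this blog or from any anti-virus vendor: a small Python release gate that scans candidate definitions against a corpus of known-clean system files and blocks publication on any hit, plus an endpoint-side guard that holds hash-allowlisted OS files for review instead of quarantining them. All file contents, hashes and signature patterns are constructed stand-ins.

```python
import hashlib
import re

# Constructed stand-ins for the two files named in the posts; a real vendor
# would keep a large corpus of known-clean OS files (assumption).
CLEAN_CORPUS = {
    r"C:\windows\system32\netapi32.dll": b"MZ\x90\x00NETAPI32 constructed clean bytes",
    r"C:\windows\system32\lsasrv.dll": b"MZ\x90\x00LSASRV constructed clean bytes",
}

# Constructed candidate definition set. The second pattern is deliberately
# too broad: it matches the PE header shared by every Windows executable.
CANDIDATE_DEFINITIONS = {
    "backdoor.haxdoor": rb"HAXDOOR_MARKER",
    "backdoor.haxdoor.broad": rb"MZ\x90\x00",
}

# SHA-256 of each protected file, shipped to endpoints as an allowlist.
PROTECTED_HASHES = {hashlib.sha256(d).hexdigest() for d in CLEAN_CORPUS.values()}

def false_positives(definitions, corpus):
    """Return (signature, path) pairs where a definition hits a clean file."""
    hits = []
    for name, pattern in definitions.items():
        regex = re.compile(pattern, re.DOTALL)
        for path, data in corpus.items():
            if regex.search(data):
                hits.append((name, path))
    return hits

def gate_release(definitions, corpus):
    """Vendor-side gate: refuse to publish a set that flags any clean file.
    Returns (approved, report); the report is what a manual confirmation
    step, like the one the post says Symantec reinstated, would review."""
    hits = false_positives(definitions, corpus)
    if hits:
        return False, "\n".join(f"BLOCKED: {s} matches clean file {p}" for s, p in hits)
    return True, "APPROVED: no clean-corpus hits"

def quarantine_action(data):
    """Endpoint-side guard: hold an allowlisted OS file for review, never remove it."""
    if hashlib.sha256(data).hexdigest() in PROTECTED_HASHES:
        return "hold-for-review"
    return "quarantine"

if __name__ == "__main__":
    approved, report = gate_release(CANDIDATE_DEFINITIONS, CLEAN_CORPUS)
    print(report)  # two BLOCKED lines, both from the over-broad pattern
```

The over-broad pattern is caught before it ships; the endpoint guard is the second line of defence for a bad definition that slips through the gate anyway.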


Security 2.0, Security 1.0 SP2 … Web 3.0 …

November 17th, 2006 No comments


Feld expressed his dislike of those fashion words in his famous blog:

I’m personally going to boycott the phrase “Web 3.0” since “Web 2.0” makes me tired enough. There have been some great quips going around the system about this, including Gordon Weakliem’s “I haven’t even gotten around to upgrading to Web 1.0 Service Pack 2”, Michael Parekh’s “Web 2007 versions”, Peter Rip’s “Web 2.0 + 1”, and Nick Bradbury’s “Web 3.0 Does Not Validate.” While I recognize the inevitability of the newest increment of the Web x.0 label, I don’t have to like it.

My point is that these are interesting. Some guys like to use fashion words to attract eyeballs. As long as they can illustrate the essential points, just let it be.

I use Security 2.0 to describe the new trends in the network security area, e.g. internal control, identity and access management, etc., which differentiate themselves from the original anti-virus plus firewall plus IDS. No matter what you call them, they just exist there, right?

[Chinese] Security technology trends – 2006 (draft in progress, comments welcome)

January 13th, 2006 9 comments

Time flies like a white horse past a crack; in the rush, 2005 has ended, and the hands of the clock seem to turn even faster in 2006 than last year. A friend reminded me that I ought to look back and look ahead; after putting it off for a while, I have finally written a few paragraphs, as an account to myself and my friends.

2005 cannot be counted as a bumper year for the security market. After I wrote the piece on the “Seven Warring States”, I did not expect that one of the players would already meet a “Hongzhi”-like misfortune. I don’t consider myself a jinx; this surely has nothing to do with me. :-(

Let’s look at the technical developments ahead instead. I borrowed Gartner’s hype cycle for emerging technologies, picked out a number of security technologies I could think of, and found each of them a place on the curve. Criticism and comments are welcome.

[Figure: security_hype_2006, the security technologies placed on Gartner’s hype cycle for 2006]
