EMC executive takes over at storage vendor Xiotech

EMC executive Alan Atkinson is taking over as CEO of Xiotech, a storage company that just secured $10 million in new financing. Atkinson was co-founder and CEO of WysDM, a data protection vendor sold to EMC in April 2008. Atkinson remained at EMC as vice president of the company's Storage Software Group, but on Thursday was announced as Xiotech's new CEO. Xiotech said its previous CEO, Casey Powell, will remain on the board of directors and will be a "strategic advisor to Atkinson." "With his extensive knowledge of and experience with data storage, Alan Atkinson is the right leader to take Xiotech to the next level," Ed Glassmeyer of Xiotech's board of directors said in an announcement. Glassmeyer is also general partner of Oak Investment Partners, which owns a majority stake in Xiotech. Atkinson's 21-year career includes positions at StorageNetworks, Goldman Sachs and AT&T Bell Laboratories.

He takes over at Xiotech just after the company announced a $10 million funding round from private investors. Xiotech, based in Eden Prairie, Minn., plans to use the cash to expand its Intelligent Storage Element technology with new products to be released early next year. Xiotech says its ISE architecture is designed to provide 100% usable storage capacity, improving efficiency without a performance hit. Atkinson marked his first day on the job at Xiotech with a blog post. "I can honestly say, after 20+ years in the storage industry (I'm really not THAT old), I've never seen a company this size with so many talented storage folks," he wrote. "We have more patents than most companies five times our size."

Follow Jon Brodkin on Twitter

Programmer slip-up produces critical bug, Microsoft admits

Microsoft acknowledged Thursday that one of the critical network vulnerabilities it patched earlier in the week was due to a programming error on its part. The flaw, one of 34 patched Tuesday in a massive security update, was in the code for SMB 2 (Server Message Block 2), a Microsoft-made network file- and print-sharing protocol that ships with Windows Vista, Windows 7 and Windows Server 2008.

"Look at the two array references to ValidateRoutines[] near the end," said Michael Howard, principal security program manager in Microsoft's security engineering and communications group, referring to a code snippet he showed in a post to the Security Development Lifecycle (SDL) blog. "The array index to both is the wrong variable: pHeader->Command should be pWI->Command." Howard, who is probably best known for co-authoring Writing Secure Code, went on to say that the error was not only in new code, but a "bug of concern."

The incorrect variable - "pHeader" instead of "pWI" - produced a vulnerability that Microsoft rated critical, its highest threat ranking. "An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights," read the MS09-050 security bulletin released Tuesday. Attackers could trigger the bug by sending a rigged SMB packet to an unpatched PC.

As he did in July, when he admitted that an extra "&" character in a Microsoft code library created a widespread vulnerability in most company software - and in software crafted by third-party developers such as Sun, Cisco and Adobe - Howard argued that the SMB 2 mistake was virtually impossible to catch without a line-by-line review. "There is only one current SDL requirement or recommendation that could potentially find this, and that is fuzz testing," said Howard. "The only other method that could find this kind of bug is very slow and painstaking code review. Humans are fallible, after all."

Fuzzing - subjecting software to a wide range of data input to see if, and where, it breaks - did uncover the bug "very late in the Windows 7 development process," Howard said. This code was peer-reviewed prior to check-in into Windows Vista, but the bug was missed. Although the preview versions of Windows 7 that Microsoft handed out to the public - both the beta from January 2009 and the release candidate posted in May - included the bug, Microsoft caught it in time to patch the RTM, or release to manufacturing, final code that will officially ship next Thursday. The SMB 2 bug in question was not the one that Microsoft publicized last month in a security advisory. That vulnerability, which received attention because exploit code went public, also affected Windows 7 prior to the RTM build.

Howard also said that he thought Microsoft's SDL process has handled the "low-hanging bugs" in the company's code, leaving what he called "one-off bugs" that are difficult to detect using automated tools. "The majority of the bugs I see in Windows are one-off bugs that can't be found easily through static analysis or education, which leaves only manual code review, and for some bug classes, fuzz testing," he said. "But fuzz testing is hardly perfect." Most analysts this week urged Windows users to put the MS09-050 patches on a high-priority list, if only because exploit code for one of the three SMB 2 vulnerabilities was public knowledge. Microsoft echoed that in its monthly deployment recommendations. This month's security updates, including MS09-050, can be downloaded and installed via the Microsoft Update and Windows Update services, as well as through Windows Server Update Services.
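The wrong-variable bug Howard describes is a table index taken from the unvalidated packet header instead of from the checked work item. The C program below is an added example, not Microsoft's code or the snippet from Howard's post: the header layout, the work item, the three-entry ValidateRoutines[] table and its validators are all constructed for illustration. It shows the pattern that keeps the raw Command byte from ever reaching a table index, together with an exhaustive single-byte fuzz loop of the kind Howard credits with finding the real bug.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed wire header (not the real SMB 2 layout): a command byte, a
 * flags byte and a little-endian 16-bit payload length. */
#define HDR_LEN 4
typedef struct {
    uint8_t  Command;      /* raw, attacker-controlled: the pHeader->Command field */
    uint8_t  Flags;
    uint16_t PayloadLen;
} PacketHeader;

/* Work item built only after the header passed validation; its Command
 * field plays the role of pWI->Command, the one dispatch should index with. */
typedef struct {
    uint8_t        Command;
    const uint8_t *Payload;
    size_t         PayloadLen;
} WorkItem;

typedef int (*ValidateFn)(const WorkItem *);

/* Three constructed per-command validators; real ones check many fields. */
static int validate_negotiate(const WorkItem *w) { return w->PayloadLen >= 2; }
static int validate_read(const WorkItem *w)      { return w->PayloadLen >= 8; }
static int validate_write(const WorkItem *w)     { return w->PayloadLen >= 8; }

static const ValidateFn ValidateRoutines[] = {
    validate_negotiate, validate_read, validate_write,
};
#define NUM_COMMANDS (sizeof ValidateRoutines / sizeof ValidateRoutines[0])

static int parse_header(const uint8_t *pkt, size_t len, PacketHeader *h)
{
    if (len < HDR_LEN)
        return -1;
    h->Command    = pkt[0];
    h->Flags      = pkt[1];
    h->PayloadLen = (uint16_t)(pkt[2] | ((unsigned)pkt[3] << 8));
    return 0;
}

/* The one place the raw command byte is range-checked. Only the checked
 * copy stored in the work item is used as a table index afterwards. */
static int build_work_item(const PacketHeader *h, const uint8_t *pkt,
                           size_t len, WorkItem *wi)
{
    if (h->Command >= NUM_COMMANDS)
        return -1;                       /* unknown command: refuse early */
    if (h->PayloadLen > len - HDR_LEN)
        return -1;                       /* declared length exceeds the packet */
    wi->Command    = h->Command;
    wi->Payload    = pkt + HDR_LEN;
    wi->PayloadLen = h->PayloadLen;
    return 0;
}

/* Indexes the table with wi->Command, the checked field, never with the
 * header's copy. The repeated bound is defence in depth against a later
 * refactor wiring the wrong variable back in. */
static int dispatch(const WorkItem *wi)
{
    if (wi->Command >= NUM_COMMANDS)
        return 0;
    return ValidateRoutines[wi->Command](wi);
}

/* 1 = accepted, 0 = rejected by the command's validator, -1 = malformed */
int process_packet(const uint8_t *pkt, size_t len)
{
    PacketHeader h;
    WorkItem wi;
    if (parse_header(pkt, len, &h) != 0 || build_work_item(&h, pkt, len, &wi) != 0)
        return -1;
    return dispatch(&wi) ? 1 : 0;
}

/* Quick probe: a 6-byte packet with the given command and declared payload
 * length, carrying two bytes of actual payload. */
int probe(uint8_t command, uint8_t declared_len)
{
    uint8_t pkt[HDR_LEN + 2] = {0};
    pkt[0] = command;
    pkt[2] = declared_len;
    pkt[4] = 0xAA;
    pkt[5] = 0xBB;
    return process_packet(pkt, sizeof pkt);
}

/* Exhaustive fuzz of the command byte: all 256 values with an 8-byte payload.
 * Returns how many values reached a validator. With the range check missing,
 * this loop is where an out-of-bounds table index would surface. */
int fuzz_command_byte(void)
{
    uint8_t pkt[HDR_LEN + 8] = {0};
    int reached = 0;
    pkt[2] = 8;                          /* PayloadLen = 8, little-endian */
    for (int c = 0; c < 256; c++) {
        pkt[0] = (uint8_t)c;
        if (process_packet(pkt, sizeof pkt) >= 0)
            reached++;
    }
    return reached;
}

int main(void)
{
    printf("command values reaching a validator: %d of 256\n", fuzz_command_byte());
    return 0;
}
```

The point of the structure is that there is exactly one copy of the command value that has been range-checked, and only that copy is ever used as an index; a reviewer hunting for this bug class looks for any table access whose index comes from the packet-side structure rather than the validated one.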

Botnet production eerily like commercial code practice

Botnets are elaborate command-and-control systems used by criminals for sending spam, stealing personal information or launching denial-of-service attacks through hijacked computers. But their underlying malware code structures share common ways to evade detection, and even mimic some commercial code practices, such as digital methods to prevent copying and reverse engineering, says one researcher. "People don't understand why their machines are infected as they've been running antivirus continuously," says Gunter Ollmann, vice president of research at Damballa, a security start-up specializing in botnet detection. "They're stumped." The answer, he says, is that botnet code designed to infect computers typically makes use of evasion techniques such as "noise insertion" and "chaffing," generating redundant strings of code that do nothing but make it harder for antivirus or other detection methods to find the malware, because the padding "will stop a string-inspection system from seeing them," says Ollmann, who has 20 years' experience in the malware-analysis arena, including as chief security researcher at IBM. Botnet code is often hidden using "crypters," specialized tools such as the "God of War Crypter," that conceal malware through encryption.

And over the past year or so, botnet fabrication has turned to "protectors" to prevent anyone from using debugging and analysis techniques to reverse engineer botnet code, Ollmann says. One protector popular with cybercriminals is Themida, a tool from Oreans Technologies, mainly used in gaming software to prevent reverse engineering. These are all just components that could be used in a botnet. "Most of the hacker sites will contain PDF guides on how to use these," Ollmann says. "Botmasters have built up almost a production line of systems." Do-it-yourself (DIY) malware construction kits are sometimes offered free as source code, though binary, fully featured DIY kits carry a payment charge. "By offering the free version of the source code, they're showing there's something new and establish their credentials," Ollmann says. "Forums get very interesting. It's like watching a kid's show, with competitors pirating each other's tools, very scrappy." It's a fast-paced code development environment, and if botnet code has been out for more than about three months, "you can probably pick it up for free because it's been pirated," Ollmann says. One of the more troubling aspects of all this, Ollmann says, revolves around sites in The Netherlands for trading and selling malware code, where it's evident that a number of the participants don't appear to be professional cybercriminals but simply misguided young people who "think security is cool fun" and want to build up a reputation by demonstrating they can develop malware and attack tools. The country-specific sites are international in scope; most use English as the shared language, but some are in Russian, too.

In most countries, development and dissemination of malware tools isn't illegal, except perhaps in France, which is known to have some of the strictest laws in this regard, Ollmann says. But when it comes to making use of these tools to construct botnets, it appears the professional criminals that go against the enterprise with botnets "aren't necessarily more advanced" than anyone else, and "it's clear they haven't developed the tools themselves," Ollmann contends. Their particular talent is that "they're very well-organized in how to hide and how to move about."
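The crypters and protectors Ollmann describes wrap the payload in an encrypted or compressed layer, which is exactly what defeats string inspection; that layer, however, leaves a measurable trace of its own. The C program below is an added example, not Damballa's tooling or anything from the article: it computes the Shannon entropy of fixed-size windows of a buffer and counts the windows that look encrypted or packed. The sample buffer is constructed inline, half repetitive instruction-like bytes and half generator output standing in for a crypted section; the 7.0-bit threshold and 1024-byte window are assumptions a scanner would tune against its own corpus.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* log2 for 0 < x <= 1 without libm: pull x into [1,2) by powers of two,
 * then ln(m) = 2*atanh((m-1)/(m+1)), which converges fast on that range. */
static double log2_no_libm(double x)
{
    int e = 0;
    while (x < 1.0) { x *= 2.0; e--; }
    while (x >= 2.0) { x /= 2.0; e++; }
    double z = (x - 1.0) / (x + 1.0), z2 = z * z, term = z, sum = 0.0;
    for (int k = 1; k < 27; k += 2) { sum += term / k; term *= z2; }
    return e + 2.0 * sum / 0.69314718055994530942;   /* divide by ln 2 */
}

/* Shannon entropy in bits per byte: 0 for a constant buffer, 8 for one in
 * which every byte value is equally frequent. */
double shannon_entropy(const uint8_t *buf, size_t len)
{
    size_t counts[256] = {0};
    double h = 0.0;
    if (len == 0)
        return 0.0;
    for (size_t i = 0; i < len; i++)
        counts[buf[i]]++;
    for (int b = 0; b < 256; b++) {
        if (counts[b] == 0)
            continue;
        double p = (double)counts[b] / (double)len;
        h -= p * log2_no_libm(p);
    }
    return h;
}

/* Walk the buffer in fixed windows and count those whose entropy reaches
 * the threshold; plain machine code rarely exceeds about 6.5 bits, while
 * encrypted or compressed data sits close to 8. */
size_t count_high_entropy_windows(const uint8_t *buf, size_t len,
                                  size_t window, double threshold)
{
    size_t hits = 0;
    for (size_t off = 0; off + window <= len; off += window)
        if (shannon_entropy(buf + off, window) >= threshold)
            hits++;
    return hits;
}

/* Constructed sample file image (not a real binary): 4 KiB of a repeating
 * instruction-like pattern, then 4 KiB of splitmix64 output standing in for
 * a section a crypter has encrypted. */
#define SAMPLE_LEN 8192
static uint8_t sample[SAMPLE_LEN];

static void build_sample(void)
{
    static const uint8_t pattern[] = { 0x55, 0x48, 0x89, 0xe5, 0x48, 0x83,
                                       0xec, 0x20, 0xc3, 0x90, 0x90, 0x00 };
    uint64_t s = 0x9E3779B97F4A7C15ULL;
    for (size_t i = 0; i < SAMPLE_LEN / 2; i++)
        sample[i] = pattern[i % sizeof pattern];
    for (size_t i = SAMPLE_LEN / 2; i < SAMPLE_LEN; i++) {
        uint64_t z = (s += 0x9E3779B97F4A7C15ULL);
        z = (z ^ (z >> 30)) * 0xBF58476D1CE4E5B9ULL;
        z = (z ^ (z >> 27)) * 0x94D049BB133111EBULL;
        sample[i] = (uint8_t)((z ^ (z >> 31)) >> 56);
    }
}

/* Reference points: a constant buffer, and one holding every byte value once. */
double entropy_reference(int uniform)
{
    uint8_t buf[256];
    for (int i = 0; i < 256; i++)
        buf[i] = uniform ? (uint8_t)i : 0x90;
    return shannon_entropy(buf, sizeof buf);
}

/* Scan the sample in 1 KiB windows; returns the number flagged. */
int scan_sample(void)
{
    build_sample();
    return (int)count_high_entropy_windows(sample, SAMPLE_LEN, 1024, 7.0);
}

int main(void)
{
    int flagged = scan_sample();
    printf("%d of %d windows look encrypted or packed\n", flagged, SAMPLE_LEN / 1024);
    return 0;
}
```

On the constructed sample the first four windows score around 3.3 bits and the last four above 7.8, so four of eight are flagged. Entropy alone does not identify a crypter (legitimate installers and compressed resources score just as high), which is why in practice it is one feature among several, combined with where the high-entropy region sits and what the entry point does with it.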

How to stop IT managers from going rogue

Research shows that nearly half of all data breaches come from inside an organization, sometimes by those trusted to protect sensitive corporate or customer data, which is why industry watchers say enterprise IT departments need to invest in technology that ensures no one person has all the power. "The problem with large organizations is that IT people often have access to production and other sensitive passwords. Often they can simply log in as administrator and it can be difficult to monitor who actually made what change and when," says Andras Cser, senior analyst with Forrester Research. "There are a lot of insider threats (http://www.networkworld.com/news/2008/071608-insider-threat.html) today and many organizations have access policies that violate best practices." Companies like e-DMZ, Cyber-Ark, Cloakware, Lieberman Software and BeyondTrust attempt to address that need.

Symark acquired BeyondTrust and took on its name in September. This week BeyondTrust released PowerKeeper 4.0, an updated version of its IT administrator password management software. The combined company focuses on technology to manage administrator access to Unix and Windows systems. PowerKeeper 4.0 falls in the category of privileged account management software, Cser says, adding that preventing disgruntled IT managers from wreaking havoc is one reason to purchase such a product; another is to keep compliant with regulatory standards. "This is a good product for managing password vaults and performing fine-grained privileged access management for Unix systems, and now Windows systems," Cser says. PowerKeeper 4.0 is an appliance, available in physical or virtual form factors, that installs in a customer environment inside the firewall with access to the systems it will manage within the data center. The appliance uses automated password resets and management workflows to ensure that privileged accounts cannot be accessed in inappropriate ways.

This version works with intelligent adapters for any operating system, database or device using SSH and Telnet, communicating with the devices and providing coverage for all systems in heterogeneous environments, the company says. This version also automatically discovers and brings under management computers found in Active Directory, which the company says provides more coverage more efficiently through automation. "The administrator that sets the policies can't also be the person in charge of monitoring access in our system," says Saurabh Bhatnagar, vice president of product management for BeyondTrust. "It complies with security and compliance regulations that require a segregation of duties and deals with regulating access to shared accounts so everyone isn't logging in as the same admin." PowerKeeper is part of the company's suite of privileged access lifecycle management products, which addresses access, control, monitoring and remediation capabilities when managing passwords and access to IT environments. PowerKeeper 4.0 is now available as part of BeyondTrust's PowerSeries Early Adopter Program. "Security, compliance and management efficiencies are the three main drivers for customers," Bhatnagar adds, saying that typically security managers or chief compliance officers would be the target customer. The PowerKeeper appliance or virtual machine costs $25,000, which includes enough licenses to manage 100 systems and an unlimited number of users.

Follow Denise Dubie on Twitter
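The segregation-of-duties and shared-account points Bhatnagar makes come down to a few rules a vault has to enforce. The C program below is an added example and a hypothetical model, not PowerKeeper's code: a role grant that refuses to let one person both set policy and monitor access, a check-out that needs a distinct approver and records who holds the account, and a check-in that rotates the password so the value just disclosed stops working. User names, the alphabet and the rotation generator are constructed (a real vault draws passwords from a CSPRNG), and audit records go to stdout as a stand-in for a log.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical roles; the vault refuses to put the first two on one person. */
typedef enum {
    ROLE_POLICY_ADMIN   = 1,   /* defines who may reach which account */
    ROLE_ACCESS_MONITOR = 2,   /* reviews and approves access */
    ROLE_REQUESTER      = 4    /* checks shared accounts out */
} Role;

typedef struct { const char *name; unsigned roles; } User;

/* Segregation of duties: policy-setting and access-monitoring never coincide. */
int grant_role(User *u, Role r)
{
    const unsigned conflicting = ROLE_POLICY_ADMIN | ROLE_ACCESS_MONITOR;
    if (((u->roles | r) & conflicting) == conflicting)
        return -1;
    u->roles |= r;
    return 0;
}

typedef struct {
    char        password[17];
    unsigned    generation;        /* bumps on every rotation */
    const char *held_by;           /* NULL while nobody has it checked out */
    uint64_t    seed;              /* constructed xorshift state, not a CSPRNG */
} SharedAccount;

static void rotate(SharedAccount *a)
{
    static const char alphabet[] = "ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789";
    for (int i = 0; i < 16; i++) {
        a->seed ^= a->seed << 13; a->seed ^= a->seed >> 7; a->seed ^= a->seed << 17;
        a->password[i] = alphabet[a->seed % (sizeof alphabet - 1)];
    }
    a->password[16] = '\0';
    a->generation++;
}

/* Check-out: a requester, a distinct approver holding the monitor role, and
 * one holder at a time, so the audit line names exactly who used the account. */
int checkout(SharedAccount *a, const User *requester, const User *approver,
             char *out, size_t outlen)
{
    if (!(requester->roles & ROLE_REQUESTER))          return -1;
    if (strcmp(requester->name, approver->name) == 0)  return -2;  /* no self-approval */
    if (!(approver->roles & ROLE_ACCESS_MONITOR))      return -3;
    if (a->held_by != NULL)                            return -4;  /* already in use */
    a->held_by = requester->name;
    snprintf(out, outlen, "%s", a->password);
    printf("AUDIT checkout gen=%u by=%s approved_by=%s\n",
           a->generation, requester->name, approver->name);
    return 0;
}

/* Check-in rotates the password: the value just handed out stops working. */
int checkin(SharedAccount *a, const User *who)
{
    if (a->held_by == NULL || strcmp(a->held_by, who->name) != 0)
        return -1;                                     /* only the holder checks in */
    printf("AUDIT checkin gen=%u by=%s\n", a->generation, who->name);
    a->held_by = NULL;
    rotate(a);
    return 0;
}

/* Walk one lifecycle. Returns 1 when every rule held and the disclosed
 * password is no longer the live one after check-in. */
int demo_lifecycle(void)
{
    User alice = { "alice", 0 }, bob = { "bob", 0 }, carol = { "carol", 0 };
    SharedAccount acct = { "", 0, NULL, 0x2545F4914F6CDD1DULL };
    char disclosed[17];

    rotate(&acct);                                     /* initial password, gen 1 */
    if (grant_role(&alice, ROLE_POLICY_ADMIN) != 0)   return 0;
    if (grant_role(&alice, ROLE_ACCESS_MONITOR) == 0) return 0;  /* must be refused */
    if (grant_role(&bob, ROLE_ACCESS_MONITOR) != 0)   return 0;
    if (grant_role(&carol, ROLE_REQUESTER) != 0)      return 0;
    if (checkout(&acct, &carol, &carol, disclosed, sizeof disclosed) != -2) return 0;
    if (checkout(&acct, &carol, &bob, disclosed, sizeof disclosed) != 0)    return 0;
    if (checkout(&acct, &carol, &bob, disclosed, sizeof disclosed) != -4)   return 0;
    if (checkin(&acct, &bob) != -1)   return 0;
    if (checkin(&acct, &carol) != 0)  return 0;
    return strcmp(disclosed, acct.password) != 0 && acct.generation == 2;
}

int main(void)
{
    printf("lifecycle rules held: %s\n", demo_lifecycle() ? "yes" : "no");
    return 0;
}
```

Rotation on check-in is what turns a shared password into a per-use credential: the audit line ties generation 1 to carol, and generation 2 belongs to nobody until the next approved check-out.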

Security researchers ask: Does self-destructing data really vanish?

Researchers this week published a paper describing how they broke Vanish, a secure communications system prototype out of the University of Washington that generated lots of buzz when introduced over the summer for its ability to make data self-destruct. I gave the system a whirl back in July and found it to be pretty interesting. But interesting wasn't good enough for researchers at Princeton University, the University of Texas and the University of Michigan, who wondered how well the system could really stand up to attack. Ed Felten from Princeton describes in the Freedom to Tinker blog how he, a fellow researcher at Princeton and peers at the University of Michigan and University of Texas figured out how to beat Vanish.

Their paper is titled "Defeating Vanish with Low-Cost Sybil Attacks Against Large DHTs." Vanish exploits the churn on peer-to-peer networks by creating a key whenever a Vanish user puts the system to use and then divvying up that key and spreading it across the P2P net. Such networks, the same kinds used to share music and other files, change over time as computers jump on or off. As such, portions of the key disappear forever and the original message can't be decrypted.

Felten wrote that after reading about Vanish during the summer "I realized that some of our past thinking about how to extract information from large distributed data structures might be applied to attack Vanish. [S]tudent Scott Wolchok grabbed the project and started doing experiments to see how much information could be extracted from the Vuze DHT [Vuze is the P2P network used by Vanish and DHT is a distributed hash table]. If we could monitor Vuze and continuously record almost all of its contents, then we could build a Wayback Machine for Vuze that would let us decrypt [vanishing data objects] that were supposedly expired, thereby defeating Vanish's security guarantees." Later, Felten ran into an ex-student now at the University of Texas who happened to be investigating Vanish as well, and they wound up collaborating. Felten goes on to tell an interesting tale about the timing of this realization and the experiments that followed. "We didn't want to ambush the Vanish authors with our break, so we took them aside at the [Usenix Security conference in Montreal in August] and told them about our preliminary results. This led to some interesting technical discussions with the Vanish team about technical details of Vuze and Vanish, and about some alternative designs for Vuze and Vanish that might better resist attacks." "The people who designed Vanish are smart and experienced, but they obviously made some kind of mistake in their original work that led them to believe that Vanish was secure - a belief that we now know is incorrect," Felten writes.
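Vanish's guarantee rests on the key shares scattered across the DHT actually disappearing. The C program below is an added example, not the Vanish code or the Princeton team's tooling: it implements threshold (Shamir) secret sharing over the prime field p = 2^31 - 1 with constructed parameters (10 shares, threshold 7, a deterministic coefficient generator in place of a CSPRNG) and then plays out the two readers Felten contrasts: one who queries the DHT after churn has taken enough shares away, and an archive that recorded the shares while they were live.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define P         2147483647ULL   /* 2^31 - 1, prime; secrets are values below it */
#define N_SHARES  10              /* constructed: shares pushed into the DHT */
#define THRESHOLD 7               /* constructed: shares needed to rebuild the key */

typedef struct { uint64_t x, y; } Share;

/* Field arithmetic mod P. Operands are below 2^31, so products fit in 64 bits. */
static uint64_t mulmod(uint64_t a, uint64_t b) { return (a * b) % P; }

static uint64_t powmod(uint64_t a, uint64_t e)
{
    uint64_t r = 1;
    while (e) {
        if (e & 1) r = mulmod(r, a);
        a = mulmod(a, a);
        e >>= 1;
    }
    return r;
}

static uint64_t invmod(uint64_t a) { return powmod(a, P - 2); }  /* Fermat */

/* Deterministic coefficient source so the run is reproducible (constructed;
 * a real implementation draws coefficients from a CSPRNG). */
static uint64_t next_coeff(uint64_t *s)
{
    *s ^= *s << 13; *s ^= *s >> 7; *s ^= *s << 17;
    return *s % P;
}

/* Split secret into N_SHARES points on a degree-(THRESHOLD-1) polynomial
 * whose constant term is the secret; share i is the point at x = i + 1. */
void split_secret(uint64_t secret, uint64_t seed, Share out[N_SHARES])
{
    uint64_t coeff[THRESHOLD];
    coeff[0] = secret % P;
    for (int i = 1; i < THRESHOLD; i++)
        coeff[i] = next_coeff(&seed);
    for (int s = 0; s < N_SHARES; s++) {
        uint64_t x = (uint64_t)s + 1, y = 0, xpow = 1;
        for (int i = 0; i < THRESHOLD; i++) {
            y = (y + mulmod(coeff[i], xpow)) % P;
            xpow = mulmod(xpow, x);
        }
        out[s].x = x;
        out[s].y = y;
    }
}

/* Lagrange interpolation at x = 0 over the first THRESHOLD shares given.
 * Sets *ok = 0 and returns 0 when fewer than THRESHOLD are available: below
 * the threshold the shares carry no information about the secret. */
uint64_t reconstruct(const Share *sh, size_t count, int *ok)
{
    uint64_t secret = 0;
    if (count < THRESHOLD) { *ok = 0; return 0; }
    for (size_t i = 0; i < THRESHOLD; i++) {
        uint64_t num = 1, den = 1;
        for (size_t j = 0; j < THRESHOLD; j++) {
            if (i == j) continue;
            num = mulmod(num, (P - sh[j].x) % P);            /* (0 - x_j)   */
            den = mulmod(den, (sh[i].x + P - sh[j].x) % P);  /* (x_i - x_j) */
        }
        secret = (secret + mulmod(sh[i].y, mulmod(num, invmod(den)))) % P;
    }
    *ok = 1;
    return secret;
}

/* `surviving` models how many shares are still retrievable from the DHT after
 * churn; the archive kept all of them. Bit 0 of the result: the DHT reader got
 * the key back; bit 1: the archive did. */
int churn_scenario(uint64_t secret, size_t surviving)
{
    Share all[N_SHARES];
    int ok_dht, ok_archive, result = 0;
    split_secret(secret, 0x0123456789ABCDEFULL, all);
    if (reconstruct(all, surviving, &ok_dht) == secret && ok_dht)
        result |= 1;
    if (reconstruct(all, N_SHARES, &ok_archive) == secret && ok_archive)
        result |= 2;
    return result;
}

int main(void)
{
    int r = churn_scenario(123456789ULL, THRESHOLD - 1);
    printf("DHT reader after churn: %s; archive: %s\n",
           (r & 1) ? "recovered key" : "too few shares",
           (r & 2) ? "recovered key" : "failed");
    return 0;
}
```

With six surviving shares the DHT reader gets nothing, which is the self-destruct Vanish promises; the archive, having copied the shares before they expired, reconstructs the same key. The math does not care whether the shares were deleted later, which is why the design's security reduces to the cost of recording the DHT while the shares are live.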

The University of Washington researchers investigated the other researchers' findings, updated Vanish and issued a report of their own on the experience. Among other things, they came up with a way to make breaking Vanish more expensive, Felten writes. The University of Washington researchers sum up their latest findings here as well, noting that Vanish does not have to be wedded to Vuze and in fact might be better based on a hybrid system that uses multiple distributed storage systems. They write: "However, we recommend that at this time, the Vanish prototype only be used for experimental purposes. We do encourage researchers, however, to analyze it and improve upon it. We strongly believe that realizing Vanish's vision would represent a significant step toward achieving privacy in today's unforgetful age."

For more on network research, read our Alpha Doggs Blog. Follow Bob Brown on Twitter.