Security Watch
Microsoft's Strider Project Unveils URL Tracer
New Web tool lets users see if a URL leads to malware or typo-domains.
Human Factors
Microsoft's research department has released a new tool, URL Tracer,
which reveals all of the links beneath a given URL. This allows
you to see what third-party domains are being linked to from within a given
site, possibly links to adware and/or spyware domains. The tool can also scan
for domains that are based on typo errors related to the desired URL. Some typo-squatting
sites serve up adult content, and URL Tracer allows you to block such domains.
URL Tracer is yet another security tool out of Microsoft's "Strider"
project, a project designed to identify and enhance security across Microsoft
products. The tool will be of interest to anyone who is working on developing
corporate Web surfing policies or rules for content filters. It is not a tool
a typical user would use.
While the tool provides the ability to block sites which deliver questionable
advertising content, or parked domains, it requires first-person analysis to
develop such a list. One can imagine that in the future such lists would be
as available as real-time blackhole lists (RBLs) that are made available for
SMTP servers. Microsoft's online help provides examples of how to use
the tool and what to look for in the results.
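The two checks described above, listing the third-party domains a page links out to and enumerating typo variants of a site's own domain, can be approximated with a short script. This is an added illustration, not URL Tracer's code; the HTML page and the domain names in it are constructed for the example, and the registrable-domain heuristic is deliberately crude (a real tool would consult a public-suffix list).

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page for a hypothetical site "example.com"; the
# ".example" hosts are reserved names used purely for illustration.
SAMPLE_HTML = """
<html><body>
<a href="/about.html">About</a>
<script src="http://ads.adnetwork.example/serve.js"></script>
<img src="https://cdn.example.com/logo.png">
<iframe src="http://tracker.spyware-vendor.example/pixel"></iframe>
<a href="https://www.example.com/contact">Contact</a>
</body></html>
"""

class LinkCollector(HTMLParser):
    """Collects every URL referenced by an href or src attribute."""
    def __init__(self):
        super().__init__()
        self.urls = []
    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src") and value:
                self.urls.append(value)

def registrable(host):
    """Last-two-labels heuristic; a real tool would use a public-suffix list."""
    return ".".join(host.lower().split(".")[-2:])

def third_party_domains(html, site_domain):
    """Hosts the page references that belong to a different registrable domain."""
    p = LinkCollector()
    p.feed(html)
    hosts = {urlparse(u).hostname for u in p.urls if urlparse(u).hostname}
    return sorted(h for h in hosts if registrable(h) != registrable(site_domain))

def typo_candidates(domain):
    """Single-character omissions, doublings and adjacent swaps in the label.

    These are the names a defender would watch or block; the TLD is left as-is.
    """
    label, _, tld = domain.rpartition(".")
    out = set()
    for i in range(len(label)):
        out.add(label[:i] + label[i + 1:])                   # omitted character
        out.add(label[:i] + label[i] * 2 + label[i + 1:])    # doubled character
        if i + 1 < len(label):                               # swapped neighbours
            out.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])
    out.discard(label)
    return sorted(c + "." + tld for c in out if c)
```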
According to a Washington Post article, terrorists are concerned
about their privacy and the security of their systems. Pro-terrorist sites have
been found that provide advice and tools to help terrorists avoid detection,
remain anonymous and prevent spyware infections.
It was interesting to note the translations that were provided in the article,
many of which suggest that the advice sites are providing false or misleading
information, or at the very least show a significant lack of useful knowledge.
It's difficult to tell whether these quotes were chosen just for that
reason, or if this represents the majority of such postings.
Physical Security
U.S. company Everdream has released a new service intended to assist
when a managed computer is lost or stolen. Once the system has an agent installed,
it can be tracked and provided instructions by Everdream, presumably after the
customer has reported it lost or stolen to Everdream. Assuming the agent is
still installed, which is a big assumption, the next time the machine is connected
to the Internet, the agent will send information to Everdream announcing its
presence. Everdream then instructs the machine -- according to the customer's
preference -- to delete files or encrypt them. IP connection information is
also recorded, intended to aid law enforcement in locating the actual system
for recovery.
Of biggest concern would be the possibility that the agent could be maliciously
targeted to trigger a delete or encryption without the customer's knowledge
or consent. Everdream also offers online backup and restore capabilities via
an agent. If the same agent is used for both, the possibility for abuse is even
greater. Further, assuming that a criminal is going to simply connect a stolen
machine to the raw Internet unaltered is fairly naive. Cybertrust's forensics
strongly suggest that systems stolen from inside a corporation are being targeted
for the data they contain, suggesting the criminals are knowledgeable about
the corporation, therefore making it likely they'll be aware of the agent's
presence. Those that are stolen outside of a corporation are typically stolen
for their property value, meaning the system is most likely going to be wiped
clean prior to use, removing the agent in the process.
This column was originally published in our weekly Security Watch newsletter.
Privacy
IBM is once again touting "Secure Blue," a hardware
encryption technology designed to perform bulk encryption. First discussed in
2001, Secure Blue was then envisaged as a device to handle the setup of SSL
sessions, removing the load from other hardware. Today Secure Blue is being
described as a way to keep data encrypted at all times, other than when it is
actually being displayed. By decrypting prior to being sent through a processor,
and encrypting again on output, the data stays encrypted in memory. IBM's Charles
Palmer, manager of security and privacy for the company, suggests that trusted
computing platform modules (or TPMs), a seemingly similar technology, would
melt if it attempted to handle the volume of encryption Secure Blue is designed
to handle.
Where, oh where, are the implementation details? Certainly the concept of keeping
everything encrypted except when it's being handled by the processor is
an improvement over only keeping it encrypted on disk, but the ability to quickly
encrypt/decrypt is only one aspect of a functioning implementation. We'll
have to wait and see whether anyone takes up the technology and provides a working
implementation that, say, runs Windows XP. Until then it's just another
interesting technological breakthrough by IBM.
About the Author
Russ Cooper is a senior information security analyst with Verizon Business, Inc.
He's also founder and editor of NTBugtraq, www.ntbugtraq.com,
one of the industry's most influential mailing lists dedicated to Microsoft security.
One of the world's most-recognized security experts, he's often quoted by major
media outlets on security issues.