Security Watch

Microsoft's Strider Project Unveils URL Tracer

New Web tool lets users see if a URL leads to malware or typo-domains.

Human Factors
Microsoft's research department has released a new tool, URL Tracer, which reveals all of the links beneath a given URL. This lets you see which third-party domains a given site links to, possibly including adware and/or spyware domains. The tool can also scan for domains that are based on typo errors related to the desired URL. Some typo-squatting sites serve up adult content, and URL Tracer allows you to block such domains.

URL Tracer is yet another security tool out of Microsoft's "Strider" project, a project designed to identify and enhance security across Microsoft products. The tool will be of interest to anyone who is working on developing corporate Web surfing policies or rules for content filters. It is not a tool a typical user would use.

While the tool provides the ability to block sites that deliver questionable advertising content, or parked domains, such a block list must first be built by hand from the tool's results. One can imagine that in the future such lists would be as readily available as the real-time blackhole lists (RBLs) published for SMTP servers. Microsoft's online help provides examples of how to use the tool and what to look for in the results.

According to a Washington Post article, terrorists are concerned about their privacy and the security of their systems. Pro-terrorist sites have been found that provide advice and tools to help terrorists avoid detection, remain anonymous and prevent spyware infections.

It was interesting to note the translations that were provided in the article, many of which suggest that the advice sites are providing false or misleading information, or at the very least show a significant lack of useful knowledge. It's difficult to tell whether these quotes were chosen just for that reason, or if this represents the majority of such postings.

Physical Security
U.S. company Everdream has released a new service intended to assist when a managed computer is lost or stolen. Once the system has an agent installed, it can be tracked and provided instructions by Everdream, presumably after the customer has reported it lost or stolen to Everdream. Assuming the agent is still installed, which is a big assumption, the next time the machine is connected to the Internet, the agent will send information to Everdream announcing its presence. Everdream then instructs the machine -- according to the customer's preference -- to delete files or encrypt them. IP connection information is also recorded, intended to aid law enforcement in locating the actual system for recovery.

The biggest concern is the possibility that the agent could be maliciously triggered to delete or encrypt files without the customer's knowledge or consent. Everdream also offers online backup and restore capabilities via an agent. If the same agent is used for both, the possibility for abuse is even greater. Further, assuming that a criminal is going to simply connect a stolen machine to the raw Internet unaltered is fairly naive. Cybertrust's forensics strongly suggest that systems stolen from inside a corporation are being targeted for the data they contain, which implies the criminals are knowledgeable about the corporation and therefore likely to be aware of the agent's presence. Systems stolen outside of a corporation are typically stolen for their property value, meaning the machine is most likely going to be wiped clean prior to use, removing the agent in the process.

This column was originally published in the weekly Security Watch newsletter.

Privacy
IBM is once again touting "Secure Blue," a hardware encryption technology designed to perform bulk encryption. First discussed in 2001, Secure Blue was then envisaged as a device to handle the setup of SSL sessions, removing the load from other hardware. Today Secure Blue is being described as a way to keep data encrypted at all times, other than when it is actually being displayed. By decrypting data just before it enters the processor and encrypting it again on output, the data stays encrypted while in memory. IBM's Charles Palmer, manager of security and privacy for the company, suggests that trusted platform modules (TPMs), a seemingly similar technology, would melt if they attempted to handle the volume of encryption Secure Blue is designed to handle.

Where, oh where, are the implementation details? Certainly the concept of keeping everything encrypted except when it's being handled by the processor is an improvement over only keeping it encrypted on disk, but the ability to quickly encrypt/decrypt is only one aspect of a functioning implementation. We'll have to wait and see whether anyone takes up the technology and provides a working implementation that, say, runs Windows XP. Until then it's just another interesting technological breakthrough by IBM.

About the Author

Russ Cooper is a senior information security analyst with Verizon Business, Inc. He's also founder and editor of NTBugtraq, www.ntbugtraq.com, one of the industry's most influential mailing lists dedicated to Microsoft security. One of the world's most-recognized security experts, he's often quoted by major media outlets on security issues.
