• Microsoft Security Intelligence Report – What it means for EMEA

    “Unfortunately” I was on vacation when we released the Security Intelligence Report last week. Nevertheless I would like to take the opportunity and look at it more from an EMEA perspective.

    One of the interesting data points we always publish is the Malware Infection Rate. Remember, there is a huge amount of data we can collect from different sources like the Malicious Software Removal Tool, Microsoft Security Essentials, Defender, etc., provided you agreed to share your data with us.

    If we look at the heat map in EMEA, this is the picture you will see:

    [image: EMEA malware infection heat map]

    So, there are different countries which are red (highly infected) and green (not very infected). Now, obviously we do not have the same amount of data for all the countries. If we take the countries with more than 100’000 average executions per month of the Malicious Software Removal Tool, we see this ranking for the best and the worst countries worldwide (the bold countries have an execution rate of more than a million average executions per month):

    [image: Malware Infection Rate ranking]

    Let’s take the EMEA countries in this list and see how they developed over the last three reports. The best countries first:

    [image: infection rate trend, best EMEA countries]

    It is actually good to see that with the exception of Senegal all the EMEA countries in the top list could reduce their infection rate. Often this is based on a good collaboration between the public and the private sector.

    But what about the other end of the ranking? Let’s see:

    [image: infection rate trend, worst EMEA countries]

    Here the picture is not as clear. Some countries like Serbia and Montenegro, Turkey etc. had a very bad 1H09 but then came back to their “normal” level. Unfortunately we cannot see a clear trend here, but there are some countries which are slowly improving (e.g. Russia). There is definitely coordinated activity needed in these countries. Turkey for example is working on pulling people together to address the issue.

    If we turn it around and look at it from an Operating System perspective, we definitely see that newer Operating Systems are better than older ones (which was to be expected):

    [image: infection rate by Operating System]

    From the malware we can turn to the vulnerabilities. For quite a while we have been talking about the problem moving up the stack, which is reflected in the picture on the industry-wide vulnerabilities:

    [image: industry-wide vulnerabilities by layer]

    This means as well that you definitely should cover all your applications when you think about patch management, and you have to do this for all your vendors:

    [image: vulnerabilities by vendor]

    When it comes to patching, we see a fairly good coverage with Windows Update, Microsoft Update and WSUS, especially if you are looking at the relative growth compared to the Windows installed base:
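    A first step towards covering all vendors in patch management is knowing which vendors you actually have. The following PowerShell script is an added example, not part of the original post: it reads the standard Windows Uninstall registry keys, groups installed products by publisher, and flags publishers that are not serviced through Windows Update / WSUS. The list of covered publishers is an assumption for this example and should be adjusted to what your WSUS really synchronises.

```powershell
# Added example (not from the original post): inventory installed software per publisher,
# so that products from vendors outside Windows Update / WSUS coverage become visible to
# the patch-management process. The paths below are the standard Uninstall keys.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# Assumption for this example: publishers whose products your WSUS already patches.
$coveredPublishers = @('Microsoft Corporation')

# Collect name, version and publisher; skip entries without a display name
# and entries marked as system components (these are not user-facing products).
$inventory = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -and -not $_.SystemComponent } |
    Select-Object DisplayName, DisplayVersion, Publisher, InstallDate

# Group by publisher: every group is a vendor you need an update channel for.
$byPublisher = $inventory | Group-Object Publisher | Sort-Object Count -Descending

Write-Host 'Installed products by publisher:'
foreach ($group in $byPublisher) {
    $name = if ($group.Name) { $group.Name } else { '<no publisher recorded>' }
    $flag = if ($coveredPublishers -contains $group.Name) {
        'covered by WU/WSUS'
    } else {
        'NEEDS OWN PATCH CHANNEL'
    }
    '{0,4}  {1,-45} {2}' -f $group.Count, $name, $flag
}

# Export the products outside WSUS coverage so they can be matched against
# vendor advisories or fed into a third-party patching tool.
$inventory |
    Where-Object { $coveredPublishers -notcontains $_.Publisher } |
    Sort-Object Publisher, DisplayName |
    Export-Csv -Path .\third-party-software.csv -NoTypeInformation
```

    Run it on a representative client; the CSV gives you the vendor list that Windows Update will never touch. The Uninstall keys do not list portable applications, browser plug-ins installed per user outside the registry, or Store apps, so treat the output as a lower bound and combine it with your inventory tooling for fleet-wide coverage.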

    [image: update coverage relative to the Windows installed base]

    So, you see: There is a lot of great information in the Security Intelligence Report – go and look at it.


    Even though I did not go into the details here, Rogue Security Software is still a huge problem out there, and there is again a chapter on this theme as well!

    Finally, if I had to name three take-aways, these would be:

    • Get a coordinated approach to fight malware between the public and private sector
    • Move to the latest version of software, wherever you can
    • Cover all the products you have with your Patch Management processes

    Roger



  • Hacking the Human Body

    Years ago I was sitting in a healthcare event, when a researcher was talking (very excitedly) about the idea of having a pacemaker with Bluetooth access to fine-tune the system and read information from the sensors. Even though this might medically be a great idea, I would be fairly reluctant to have such a thing in my chest…

    I fairly often just switch on my mobile phone at security events and look for discoverable Bluetooth devices – I always find an alarming number. Even though this is not a vulnerability by itself, it would be interesting to see what happens if my mobile asked me: “Do you want to connect with Joe’s pacemaker?” Scary idea…

    There is now research going on about what happens if implantable technology gets infected with a computer virus. Interesting: First human 'infected with computer virus'

    Roger



  • The “KHOBE – 8.0 earthquake” – What’s behind it

    On various social media this article is actually getting tremendous coverage: KHOBE – 8.0 earthquake for Windows desktop security software. Now, before you read the rest here: I am not an AV specialist, nor do I have very deep knowledge of the details of our file system drivers and the Windows kernel. I just try to apply common sense to this attack:

    I was reading through the article and I definitely understand that if you are able to publish a table with almost all the AV vendors flagged as “vulnerable”, you may drive some attention to your website and to your work. If we do not find one single AV solution in the table which is not vulnerable, it is kind of strange to start with – oh, it just seems that they forgot to mention a few ;-) – but still you make a lot of noise, which seems to be the goal here!

    Now, applying common sense to what they did: My understanding is that you have to own the box in order to run the attack – if I am not completely mistaken, you have to be admin to run it. Wow, now I am really scared of this: If somebody owns my box and is admin on my box, the most important thing they will do is to apply an attack, which involves having the right timing in place, to switch off my AV? Come on. You just switch off the AV using a script or do it manually, but for sure not with a complex attack.

    This is simple risk management. If the biggest risk in your security model is that an attacker who is already admin on a box applies this attack – I have to congratulate you. If not, well, let’s go back to the real problems we have to address.

    Roger



  • Update on the Khobe “vulnerability”

    Just an update on my recent post on The “KHOBE – 8.0 earthquake” – What’s behind it. In the meantime we worked with Matousec and confirmed that neither Microsoft Security Essentials nor Forefront Client Security are affected by this “vulnerability”.

    So, to me it is as I stated above: Make noise, but for sure not on a “scientific” basis, as then they would not only have mentioned the “vulnerable” products but also the ones which were not exploited.

    Roger



  • Virtual Keynotes – Do we always have to travel?

    The week before the last one, it happened to me – as it happened to thousands of other travelers all across the globe: I got stranded. Luckily for me I was supposed to be flying out from home rather than flying home, and being “stuck” at home is much easier to handle :-)

    At least for me. I was actually supposed to fly to Croatia to keynote a huge customer event and, in addition, hold a session on Cloud Security – and I was still at home. Therefore we decided to do something which we always talk about but rarely really implement: I did the keynote on LiveMeeting – we used the Cloud.

    It was an interesting experience. In the past I only did LiveMeetings with customers, therefore more a 1:many meeting; only once before had I done a large audience. What did I/we learn?

    • For non-English literate people, it is harder to follow the presentation on slides and video compared to me being on stage.
    • I am not seeing the audience, so I am talking to the camera. Something the people working in TV probably are used to – I am not. The audience basically could have left the room without me noticing it…
    • In large audiences you need somebody running the event and moderating questions on site.
    • It worked really, really well and the customers were fairly impressed by this.

    To me, the question is why we do not do that more often. Instead of flying into a country in the afternoon of a given day, having a customer meeting the next morning and flying back home in the afternoon, I could have breakfast with the family in the morning, hold the customer meeting in my home office and have lunch with the kids when they come home from school. That would save a lot of money, a lot of energy and CO2…

    Often it is just a matter of wanting to do it. As soon as we cannot find a date where we can physically meet, we do it on LiveMeeting and realize: for a lot of cases, it just works.

    Therefore let’s save money and energy and leverage technology much, much more!

    Roger