October 7, 2015 / clintonkarr

Blurred Lines: Cyber Security Attacks Become Physical

Last week, Brian Krebs reported that a Russian security vendor, Dr. Web, was attacked with Molotov cocktails after it published its analysis of ATM skimmer malware. Cyber attacks spilling over into physical violence are a trend worth watching, and unfortunately it appears to be growing: the past few years have brought reports of physical assaults, "swatting" and even kidnapping that can all be tied back to cyber security.

Most cyber attacks have real-world consequences, and most often those consequences are economic; some, however, have physical ramifications. Stuxnet, for example, attacked the SCADA systems controlling the centrifuges Iran used to enrich uranium, and the result was the physical failure of those centrifuges.

The hacktivist collective Anonymous also straddles the cyber-physical line. Early Anonymous operations such as Project Chanology combined distributed denial-of-service (DDoS) attacks with real-world protests. Later operations, such as Operation Payback, were conducted almost entirely online through DDoS attacks. More recently, Anonymous has joined real-world protests such as the Occupy movement, donning its signature Guy Fawkes masks and taking to the streets in solidarity.


Another practice that crosses the cyber-physical line is doxing: researching and publishing personally identifying documents (hence "dox") about a target for the purpose of further harassment. A more recent trend related to doxing is swatting, in which the attacker spoofs a call to 911 in an effort to dispatch emergency services, primarily police and SWAT teams, to the target's address in response to a false report of an emergency.

In 2013, Brian Krebs was himself the target of a swatting attack (at the same time his Web site was under DDoS attack) after reporting on a black market identity theft Web site. Krebs later learned that the young hacker responsible "got pissed that you released the site he uses."

Krebs, in turn, deduced the identity of one hacker and provided it to the police, which led to his eventual arrest. However, Krebs believes this arrest may have been a diversion from his true attacker.

It is worth noting that the swatting attack against Krebs was motivated by his publication and analysis of identity theft operations. Similarly, the Molotov cocktail attacks against Dr. Web were motivated by its analysis of ATM skimmer malware.

The “International Carders Syndicate” attacked Dr. Web after warning it to remove all references to ATM malware from its site. Dr. Web CEO Boris Sharov believes the Molotov attack was ordered over the Internet, “through a black market where you can order almost any crime…all the attacks had been ordered by the Internet. And since they never succeeded against our office, it showed us that not much money was paid for these attacks.”

Here we arrive at the most likely motive for many of these cyber attacks that become physical: money. Brian Krebs was swatted because he threatened the economics of an identity thief. Dr. Web was firebombed because it threatened the economics of ATM skimmers. Ivan Kaspersky, son of Kaspersky Lab CEO Eugene (Yevgeny) Kaspersky, was kidnapped for ransom in 2011. Silk Road mastermind Ross Ulbricht hired multiple hitmen through his black market forum in an effort to track down and kill those who sought to expose him.

Unfortunately, the lines between the digital realm and the real world are increasingly blurred, and these cyber-motivated physical attacks are unlikely to be the last. The only good news for information security practitioners is that it remains highly unlikely that such physical attacks would ever target their enterprises: so far they have been motivated by money (or desperation) when the anonymity of the Internet has been threatened.

One final parting thought: if cyber attacks are becoming physical, why can't cyber security become physical as well? In fact, it can. Bromium vSentry uses hardware-isolated micro-virtualization to create a secure environment in which user tasks are isolated from each other, from the protected system and from the network. If you're interested in learning more about how physical security can be applied to information security, please visit:

October 2, 2015 / clintonkarr

Infographic: State of Endpoint Security

During the past year, Bromium has conducted information security surveys at RSA, Black Hat and beyond. Today, we've collated that information into an easy-to-read infographic.


October 1, 2015 / clintonkarr

CTIA Super Mobility 2015 – Understanding Mobility and Risk

CTIA Mobility Survey – Understanding Mobility & Risk

Earlier this month, Bromium attended the CTIA Super Mobility 2015 conference as part of the Microsoft Startup Alley. The conference, which focuses on full mobile immersion, was a departure from the security conferences Bromium typically attends, so Bromium took the opportunity to ask some of the biggest users and proponents of mobile technology about their mobile usage patterns as they apply to security and risk. What we found should come as no surprise, since the majority of attendees were not focused on security: for example, mobile users connect to public networks even though they are aware of the risk. Read on for the full findings.

Question #1: How do you define mobility?

  • Mobile devices
  • Mobile/remote users
  • Both mobile devices and mobile/remote users


The intention of this question was to determine how mobile users themselves define mobility. There is certainly some confusion about the term, since mobile security tends to focus primarily on mobile devices (mobile device management, for example). Mobile security is much more than devices, however: mobile and remote workers should also be considered under the umbrella of "mobility." The survey reveals that respondents define mobility as both mobile devices and mobile users, suggesting that mobile security should do more to focus on the users.

Question #2: Do you ever access your corporate network, corporate files or corporate email account from your personal devices?

  • Yes
  • No


Question #3: Do you ever access your corporate network, corporate files or corporate email account from a public network?

  • Yes
  • No


Questions #2 and #3 reveal usage patterns for both mobile devices and mobile users. Virtually every mobile user has accessed corporate assets from a mobile device, in part because of a mobile habit that has us checking our smartphones more than 100 times a day. Access to corporate assets from mobile devices should be viewed as a relatively minor security concern, since mobile devices have yet to experience any major security breaches outside of the occasional malicious app finding its way into an app store.

More concerning for information security professionals is that nearly two-thirds of mobile users access corporate assets from public networks (a concern underscored by the responses to the next question). Connecting to public networks carries significant risks: compromised networks, man-in-the-middle attacks, sniffing and snooping, and malicious rogue networks, each with the ultimate goal of intercepting your traffic or infecting your machine. Information security professionals need to be aware that the overwhelming majority of end users connect to corporate assets from unsecured public networks, so that they can take the appropriate precautions.

Question #4: Which precautions do you take when connecting to public networks? (select all that apply)

  • Connect via VPN
  • Avoid entering sensitive information (bank accounts numbers/passwords/etc.)
  • Browse using SSL/encrypt traffic
  • Avoid connecting to public networks
  • No precautions


Speaking of appropriate precautions, 14 percent of mobile users take none when connecting to public networks, a finding that should be at least a minor concern to information security professionals, since the vast majority of mobile users connecting to public networks are accessing corporate assets. On the bright side, a quarter of mobile users claim to avoid public networks altogether (of course, it is entirely possible that they still connect to them; they just claim to avoid it). It is also encouraging that more than a third of mobile users connect via VPN, which greatly bolsters security. Ultimately, though, a large number of mobile users are connecting to public networks with no precautions, or in a grey area of security.
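What "sniffing and snooping" on a shared network actually yields, as an added example that is not part of the original post or of Bromium's tooling: a Python script that builds two constructed segments of the kind a laptop on hotel Wi-Fi emits, one plaintext HTTP login and one TLS ClientHello, and shows what a passive observer recovers from each. The addresses, hostnames and login fields are made up; the IPv4, TCP and TLS structures are packed and parsed as the protocols define them, with checksums left unset since nothing here touches a real network.

```python
import struct
import urllib.parse

# Constructed sample traffic (not a real capture): the two kinds of segment a passive
# sniffer on a shared hotel or coffee-shop network sees from a nearby laptop.
HTTP_LOGIN = (b"POST /login HTTP/1.1\r\nHost: intranet.example.com\r\n"
              b"Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 31\r\n\r\n"
              b"user=alice&password=Winter2015!")

def build_ipv4_tcp(src, dst, sport, dport, payload):
    """Wrap a payload in minimal IPv4 and TCP headers (checksums left at zero)."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0x1234, 0x4000, 64, 6, 0,
                         bytes(int(o) for o in src.split(".")), bytes(int(o) for o in dst.split(".")))
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    return ip_hdr + tcp_hdr + payload

def build_client_hello(hostname):
    """Build a minimal TLS 1.2 ClientHello that carries a server_name (SNI) extension."""
    name = hostname.encode()
    sni_list = struct.pack("!BH", 0, len(name)) + name
    sni_ext = struct.pack("!HHH", 0x0000, len(sni_list) + 2, len(sni_list)) + sni_list
    body = (b"\x03\x03" + bytes(32)               # client_version + client_random (zeros here)
            + b"\x00"                             # empty session id
            + struct.pack("!H", 2) + b"\xc0\x2f"  # one cipher suite
            + b"\x01\x00"                         # one compression method: null
            + struct.pack("!H", len(sni_ext)) + sni_ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def parse_ipv4_tcp(segment):
    """Return (src, dst, sport, dport, payload) for a raw IPv4/TCP segment, or None."""
    if segment[9] != 6:                           # protocol field: not TCP
        return None
    tcp = segment[(segment[0] & 0x0F) * 4:]       # skip IHL*4 bytes of IPv4 header
    sport, dport = struct.unpack("!HH", tcp[:4])
    payload = tcp[(tcp[12] >> 4) * 4:]            # skip data-offset*4 bytes of TCP header
    src = ".".join(str(b) for b in segment[12:16])
    dst = ".".join(str(b) for b in segment[16:20])
    return src, dst, sport, dport, payload

def extract_http_credentials(payload):
    """Pull login fields out of a plaintext HTTP form POST, if the payload is one."""
    head, sep, body = payload.partition(b"\r\n\r\n")
    if not sep or not head.startswith(b"POST "):
        return None
    fields = urllib.parse.parse_qs(body.decode("ascii", "replace"))
    creds = {k: v[0] for k, v in fields.items() if k.lower() in ("user", "username", "pass", "password")}
    return creds or None

def extract_sni(payload):
    """Walk a TLS ClientHello and return its server_name: the hostname TLS still exposes."""
    if len(payload) < 6 or payload[0] != 0x16 or payload[5] != 0x01:
        return None
    p = 5 + 4 + 2 + 32                                   # record hdr, handshake hdr, version, random
    p += 1 + payload[p]                                  # session id
    p += 2 + struct.unpack("!H", payload[p:p + 2])[0]    # cipher suites
    p += 1 + payload[p]                                  # compression methods
    ext_end = p + 2 + struct.unpack("!H", payload[p:p + 2])[0]
    p += 2
    while p + 4 <= ext_end:
        ext_type, ext_len = struct.unpack("!HH", payload[p:p + 4])
        if ext_type == 0:  # server_name: list_len(2) name_type(1) name_len(2) name
            name_len = struct.unpack("!H", payload[p + 7:p + 9])[0]
            return payload[p + 9:p + 9 + name_len].decode()
        p += 4 + ext_len
    return None

def sniff(segments):
    """Classify what a passive observer learns from each segment."""
    findings = []
    for seg in segments:
        parsed = parse_ipv4_tcp(seg)
        if parsed is None:
            continue
        _src, dst, _sport, _dport, payload = parsed
        creds = extract_http_credentials(payload)
        sni = extract_sni(payload)
        if creds:
            findings.append(("plaintext-credentials", dst, creds))
        elif sni:
            findings.append(("tls-hostname-only", dst, sni))
    return findings

SAMPLES = [
    build_ipv4_tcp("10.0.0.7", "203.0.113.10", 51000, 80, HTTP_LOGIN),
    build_ipv4_tcp("10.0.0.7", "203.0.113.20", 51001, 443, build_client_hello("mail.example.com")),
]
```

Running `sniff(SAMPLES)` gives the observer the password outright from the plaintext POST, but only the server name from the TLS handshake's SNI extension, which is still enough to learn which corporate services a user reaches. That asymmetry is the practical argument for the VPN and "browse using SSL" precautions in the survey: TLS protects the content, and a VPN additionally hides the destinations from the local network.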

Question #5: Which of the following public networks have you accessed from a corporate laptop? (select all that apply)

  • Coffee shop/restaurant
  • Airport
  • Hotel/convention center
  • Transportation (airplane/subway/bus)
  • Municipal WiFi/government building (library/courthouse/etc.)


Question #6: Rank in order the security risk for each of the following public networks (1= low risk; 5=high risk)

  • Coffee shop/restaurant
  • Airport
  • Hotel/convention center
  • Transportation (airplane/subway/bus)
  • Municipal WiFi/government building (library/courthouse/etc.)


It is interesting to review the results of these questions in tandem because they reveal that even though mobile users recognize the risk of connecting to public networks in coffee shops, airports and hotels, the majority of mobile users will connect to them anyway.

Coffee shops, airports and hotels/convention centers are quite clearly considered the most risky public networks, while transportation and municipal WiFi/government buildings are considered less risky.

Simultaneously, 85 percent of mobile users have connected a corporate laptop to a public network at a hotel or convention center. This should be quite concerning for information security teams in light of attacks like DarkHotel, which targeted traveling executives through hotel networks. Likewise, nearly two-thirds of mobile users have connected their corporate laptops to public networks in coffee shops/restaurants and airports.

It just goes to show you that when it comes to end users, security is an afterthought. Even though these mobile users realize the security risk of connecting to these public networks, they still connect to them in droves. It is unrealistic to expect to be able to change end user behavior, so instead information security professionals must take proactive measures to protect their users.

One example of proactive protection is Bromium vSentry, which isolates threats to prevent data breaches by utilizing micro-virtualization. Micro-virtualization prevents unknown and untrusted Internet content (Web sites and emails) from ever accessing critical system files. Bromium captures each threat in its own micro-VM, monitoring its activity and alerting security teams with real-time threat intelligence. Bromium threat isolation succeeds where signature-based solutions fail because it provides proactive protection instead of reactive detection.

September 1, 2015 / clintonkarr

Are We Witnessing the Death of Flash?

Flash has been getting a lot of attention recently, as Amazon and Google each announced they would be blocking or pausing Flash ads. This should come as no surprise to anyone who has been following trends with Flash. Bromium's Black Hat 2015 survey found that 90 percent of security professionals believe their organization would be more secure if it disabled Flash. Additionally, the Bromium threat report, "Endpoint Exploitation Trends 1H 2015," highlighted the growing issues with Flash:

In the past six months Adobe Flash Player took the coveted top space as the most exploited application. From an exploitation point of view, the architecture of Adobe’s AVM has multiple flaws allowing attackers to craft ROP shellcode on the fly thus bypassing ASLR and DEP. This combined with evasion techniques described in this report makes a nasty combination, with practically every user vulnerable.

Death of Flash

Flash exploits are popular because Flash advertisements are prevalent: according to Ad Age, 84 percent of online ads are delivered through Flash, which makes ad networks a green field for cyber attacks. Unfortunately, as in so many industries, security has been an afterthought for the advertising industry, which has had no financial motivation to develop a more secure delivery model.

That changes now that Google is forcing the issue with its Chrome internet browser. Beginning September 1, Google Chrome will be “intelligently pausing” Flash ads. Flash video players will still work, but non-essential Flash content will be blocked. Part of the motivation for blocking Flash ads is a better user experience; Flash ads can be noisy and intrusive, even draining battery life.

Blocking Flash ads will improve security. Bromium researchers have written extensively about malicious advertising, which can be targeted at users of specific operating systems, browsers and plug-ins. So even though Chrome will be pausing Flash, malicious Flash ads will remain a viable attack vector for other browsers, because attackers can simply target those instead.

Where does this leave organizations? They remain vulnerable to zero-day attacks if they leave Flash enabled and unpatched. And even when a patch emerges, a new set of challenges comes with it: do you race to deploy the newest patch, or do you test first to make sure it does not break legacy systems?

Of course, the third option is to deploy threat isolation. Flash zero-days like these can be contained by isolating the browser in a micro-VM (such as Bromium vSentry); by isolating the threat, security and ops teams are granted the grace period they need to test and deploy critical patches.

A chain is only as strong as its weakest link. Today the weak link is Flash; tomorrow it will be something else. The Internet is a constantly changing and expanding chain of potentially weak links. Disabling Flash is a good move, but in the end it is just another reactive band-aid. Unless a new approach to security is taken, we will be back in the same position with a different link next week or next month.

August 27, 2015 / clintonkarr

TechCrunch: Psychology of Insecurity

Today, TechCrunch has published “The Psychology of Insecurity” by Bromium CTO Simon Crosby. You can read the whole article here:

The recent Ashley Madison hack isn’t the only high-profile one to make headlines this summer. The personal and private information of more than 21.5 million current and former federal employees and over a million unique fingerprint scans were leaked in an attack on the Office of Personnel Management (OPM) that is believed to be the work of the Chinese. Government officials said longtime security lapses left the OPM vulnerable to hackers. As a result of the OPM hack, Director Katherine Archuleta has been forced to resign.

Why do we keep reading about a litany of breaches? Don’t cyber pros understand they are looking after our most sensitive personal data? Yes they do, but to understand their actions demands a more detailed examination of the psychology of security from the perspective of the security professional.

August 25, 2015 / Bill Gardner

Why Malvertising Matters

Malvertising has been back in the news recently.

This is no surprise to us here at Bromium; check out the report we issued last year on malvertising via YouTube.

In that paper we concluded that ad networks could be leveraged by, or even replace, exploit kits as a way for attackers to target organizations and distribute malware. Unfortunately, this appears to be coming true. The question is what impact this trend will have on our organizations.

The answer is that it has the potential to do tremendous damage to our security. Why? Because malvertising often powers drive-by downloads that can compromise a system without requiring the user to do anything but visit a popular, legitimate Web site that is unwittingly part of a malvertising chain.

Let's face it: we have all been focused on the spear phishing attacks that have factored into so many successful breaches in recent years, and that is one reason this attack channel is so dangerous. Conventional wisdom holds that if you use a web gateway to stop your users from reaching obscure, "uncategorized" or unknown Web sites, or sites with poor web reputation scores, you will be safe from drive-by attacks.

Malvertising effectively bypasses web filters; after all, who is going to blacklist YouTube, or the many popular news sites we have seen delivering malvertising payloads? Attackers buy placements on these sites precisely because their pristine web reputations sail through current defenses.

LAVA Bootkit

Malvertising is also a very effective delivery channel for targeted watering hole attacks. The image included is a snippet of a Bromium LAVA trace we received from a customer earlier this year, showing the delivery and isolation of a very nasty bootkit from an IT-support-oriented Web site via a malvertisement. Very nasty indeed: undetectable by AV engines (we tested it against AV comparatives with no hits) and targeted at exactly the right people in the organization if your goal is to establish a privileged beachhead.

So malvertising really does matter if you are concerned with security. I am sure we will be hearing and seeing more on this topic as the future unfolds.
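The web-filter gap described above, as an added example rather than code from the original post or from Bromium: a small Python script that enumerates the third-party origins a page pulls in and checks each against a reputation table. The sample page, the domain names and the reputation verdicts are all constructed for the illustration. A gateway that categorizes only the navigated URL allows the reputable news site; evaluating the subresources instead surfaces an ad creative served from an origin the table has never seen.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page (not a real site or ad network): a well-reputed news site
# whose ad slot loads a categorized ad network's script, which in turn frames a creative.
SAMPLE_PAGE = """
<html><head><script src="/static/app.js"></script></head>
<body>
<h1>Daily News</h1>
<div class="ad-slot">
  <script src="https://cdn.ads-example.net/loader.js"></script>
  <iframe src="https://creative.rotator-example.biz/serve?id=77"></iframe>
</div>
<img src="https://img.news-example.com/logo.png">
</body></html>
"""

# Constructed reputation table standing in for the categorized-URL database a web
# gateway consults: a verdict only exists for domains the vendor has already seen.
REPUTATION = {
    "news-example.com": "news/good",
    "img.news-example.com": "cdn/good",
    "cdn.ads-example.net": "advertising/good",
}

# Tags that fetch code or documents the browser will execute or render.
ACTIVE_TAGS = {"script": "src", "iframe": "src", "embed": "src", "object": "data"}

class SubresourceCollector(HTMLParser):
    """Collect every (tag, hostname) a browser would contact while rendering the page."""

    def __init__(self, page_url):
        super().__init__()
        self.page_host = urlparse(page_url).hostname
        self.origins = []

    def handle_starttag(self, tag, attrs):
        attr = ACTIVE_TAGS.get(tag) or ("src" if tag == "img" else None)
        if attr is None:
            return
        src = dict(attrs).get(attr)
        if not src:
            return
        host = urlparse(src).hostname or self.page_host   # relative URL: same origin as page
        self.origins.append((tag, host))

def verdict(host):
    """Reputation lookup; anything the table has never seen is 'uncategorized'."""
    return REPUTATION.get(host, "uncategorized")

def page_level_filter(page_url):
    """Decision of a gateway that categorizes only the URL the user navigated to."""
    return verdict(urlparse(page_url).hostname) != "uncategorized"

def subresource_filter(page_url, html):
    """Evaluate every active-content origin the page fetches; return those to block."""
    collector = SubresourceCollector(page_url)
    collector.feed(html)
    return [(tag, host) for tag, host in collector.origins
            if tag in ACTIVE_TAGS and verdict(host) == "uncategorized"]

if __name__ == "__main__":
    url = "https://news-example.com/story/123"
    print("page-level allow:", page_level_filter(url))
    print("active content from uncategorized origins:", subresource_filter(url, SAMPLE_PAGE))
```

The categorized ad network's loader is allowed, but the creative it rotates in comes from an origin with no reputation at all, which is exactly the request a page-level verdict never examines. Checking script and frame origins as they are fetched, rather than the page URL alone, is the control that closes this gap; it is also why isolating the browser session matters when that check cannot be made.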

August 12, 2015 / clintonkarr

Bromium Black Hat Survey: Endpoint Risk Five Times Greater Than Network or Cloud

Today, Bromium published “Black Hat 2015: State of Security,” a report that analyzes the results of a survey of more than 100 information security professionals at Black Hat 2015.

Key findings from “Black Hat 2015: State of Security” include:

  • The Endpoint Is the Source of Greatest Security Risk — The majority of information security professionals cited the endpoint as the source of the greatest security risk (55 percent). The second most common response was insider threats (27 percent). Network (9 percent) and cloud (9 percent) were selected less frequently.

  • Security Professionals Pan Flash — The overwhelming majority of security professionals believe their organization would be more secure if it disabled Flash (90 percent); however, 41 percent believe disabling Flash would make their organization less productive or break critical applications.

  • Implementing Security Patches Is a Challenge — The majority of organizations implement patches for zero-day vulnerabilities in software, such as Flash and Internet browsers, in the first week (50 percent first week; 10 percent first day); however, 22 percent take more than a month to deploy.

  • Critical Infrastructure Is at Risk of Cyber Attack — The majority of Black Hat attendees cited financial services (30 percent), energy (17 percent), healthcare (17 percent) and government (12 percent) as the verticals at the most risk of cyber attacks. Interestingly, financial services was also selected as the vertical that has implemented the best security practices (60 percent).

  • Windows 10 Improves Security, But Not Enough — The majority of information security professionals believe Windows 10 improves security (56 percent), but many (33 percent) believe these improvements are not enough.

Most notably, information security professionals find the endpoint is by far the source of the greatest security risk. This is only logical when you consider how frequently end users connect to untrusted networks such as hotels and coffee shops. Even more concerning is the end user’s tendency to click on any Web site and open any email, which are the most common sources of malware.

The survey illustrates the challenge of hardening against malware attack vectors. If 90 percent of information security professionals think their organization would be more secure with Flash disabled, why don't they disable it? The unfortunate reality is that security often takes second priority to operations, a fact further illustrated by the 41 percent of information security professionals who note that disabling Flash would break critical applications. Likewise, 22 percent have to wait more than a month to implement critical patches, most likely because of operational constraints.

The end result is an increased risk of cyber attack on critical infrastructure, financial services in particular. The good news is that financial services are well prepared; financial services are typically more tech savvy and early adopters of new technology.

Speaking of new technology, the majority of information security professionals seem happy with Windows 10. Windows 10 adds better sandboxing and whitelisting capabilities, but security pros still feel it is inadequate because of the attack surface that remains.

Bromium vSentry addresses many of these challenges by using micro-virtualization to isolate threats. Threat isolation prevents data breaches by maintaining strict separation between user tasks and the host system, so that even unpatched zero-days cannot be exploited to any permanent gain. The battle for the endpoint continues to rage, and information security professionals are right to be concerned with the risk, but Bromium is here to help.

August 11, 2015 / clintonkarr

Breaking the Unbreakable Comb: The Importance of Bug Bounty Programs

When I was a kid, I remember going to the barber shop with my brother, who was given an “unbreakable” comb by the barber. My brother promptly snapped it into two pieces. It was not unbreakable to him.


I am reminded of this story because Oracle CSO Mary Ann Davidson published (and subsequently deleted) a blog post decrying security researchers that “reverse engineer” Oracle software to identify vulnerabilities, claiming it was a violation of Oracle’s licensing agreements.

Davidson made many inflammatory remarks that incensed the security community, such as comparing bug bounty programs to boy bands, with companies throwing their underwear at security researchers (gross). And yet Davidson admits, "Ah, well, we find 87% of security vulnerabilities ourselves."

Ah, well, that still leaves a pretty significant security gap, doesn’t it?

In regard to patching vulnerabilities, Davidson contends “We will also not provide credit in any advisories we might issue. You can’t really expect us to say ‘thank you for breaking the license agreement.’”

It's a strange attitude for a CSO. By contrast, Microsoft recently announced that it was doubling one of its bug bounties from $50,000 to $100,000, United Airlines rewarded a researcher with one million miles for identifying a bug, and even Tesla pays a nominal reward.

To give Davidson the benefit of the doubt, as CSO of Oracle, it is her job to improve its security. As Davidson notes “I am not dissing bug bounties, just noting that on a strictly economic basis, why would I throw a lot of money at 3% of the problem (and without learning lessons from what you find, it really is “whack a code mole”) when I could spend that money on better prevention like, oh, hiring another employee to do ethical hacking, who could develop a really good tool we use to automate finding certain types of issues.”

This opinion seems pretty similar to comments Microsoft security chief Mike Reavey made in 2012, “I don’t think that filing and rewarding point issues is a long-term strategy to protect customers.”

Perhaps Oracle will experience the same change of heart as Microsoft now that Davidson's comments have been made public. Oracle is certainly feeling the heat from the security community.

As CSO security reporter George Hulme aptly Tweeted:

“BREAKING NEWS: APTs and cyber criminals announce they will no longer reverse engineer Oracle because it is a violation of the terms”

In other words, when vulnerability research is outlawed, only outlaws will research vulnerabilities, and they will use them to exploit Oracle's users.

Recently, Bromium Chief Security Architect Rahul Kashyap spoke with CSO about responsible vulnerability disclosure, concluding that “Full Disclosure is a spirit, it’s an attitude — you cannot kill that easily with laws and layers of documentation.”

July 31, 2015 / Simon Crosby

The Best Virtual Desktop Ever: Windows 10 on a Surface Pro 3

Over the last decade many enterprises have tinkered with Virtual Desktop Infrastructure (VDI) as an alternative to PCs. A VDI user accesses a remote, virtualized Windows desktop OS delivered "as a service" from the enterprise datacenter or a service provider to a PC/Mac, thin client, Chromebook or tablet. But there is another model for virtual desktops, one that is more secure, lower cost, and fully empowers the user: a Windows 10 PC or tablet coupled to the cloud. The "virtual" bit here is the virtualization of data and cloud app access, and the use of virtualization on the client device for security.

VDI is promoted as the best solution for IT teams facing desktop challenges: all VDI desktops boot from the same "gold" OS image, so there is only one image to patch; data (emails, files, documents) are centrally stored; and users can access their applications and data from many devices, including personal gear. But though it offers benefits in compliance, VDI is at best a partial solution:

  • Though it seems secure (it does help a bit), VDI isn't a security solution: users will still click on bad things in their virtual desktop; today's VDI-aware malware persists across patching, rebuilds and reboots; and the session is only as secure as the access device, since a compromised Bring Your Own (BYO) PC can steal login credentials and data. There are two endpoints to secure: the VDI desktop and the user device.
  • VDI brings real costs: servers and virtual infrastructure to run the desktops; additional license costs; data center space, power and cooling; and tons of infrastructure complexity, meaning more things that can go wrong.
  • The end-user experience, whilst good, is not perfect. Delivering video and real-time media to a VDI user is still a challenge, and techniques like Flash redirection can be exploited as security holes.

But the idea of end-user computing (EUC) tightly coupled with the cloud is spot on. Re-thinking the model slightly delivers a desktop that is manageable, secure and compliant, and that users will love. Windows 10 on a PC, tightly coupled with a cloud service such as Office 365 with OneDrive (formerly SkyDrive), is the perfect virtual desktop. What's more, it is the lowest-cost EUC solution.

Let's peel the onion back slowly. Local execution is what users want, for personal and corporate apps and in particular for media-rich experiences; remoting protocols are fine for truly legacy applications. A Windows 10 device coupled to the cloud using OneDrive, Box or even Citrix ShareFile keeps data centralized and backed up, but gives the user maximum freedom for offline access. Virtualizing data access is a more powerful concept than virtualizing and remoting execution. And powerful SaaS apps such as Office 365 offer richer functionality when you're online, but remain powerful and productive when you're not.

But we aren't done: Windows 10 with Virtual Secure Mode (virtualization-based security) uses virtualization locally to make the endpoint much more secure, with a secure boot process and a hypervisor-protected credential store. Windows as a Service keeps devices continuously patched, letting IT teams get out of the patching business for good. Windows 10 also offers built-in data loss protection (DLP) that can help ensure files cached locally cannot be inappropriately accessed, again making use of the cloud through Azure AD. This gives IT the opportunity to get out of running its own AD infrastructure too.

The delivery of end user computing and applications as a service, the original motivation for VDI, is superior when the applications in the cloud deliver more value than local applications do. Office 365, with Office Graph and its tight coupling to the core productivity suite, delivers far more value to end users than simply running local versions of the traditional fat Win32 applications, and when you're offline the local apps still work great.

Finally, the integrated Enterprise Mobility Management (EMM) capabilities in Windows 10 (offered in the Microsoft Enterprise Mobility Suite, EMS) give enterprises the ability to manage Windows 10 devices with the granularity and precision they expect for their iPads and smartphones: encrypted at rest, remotely wiped if lost, and easy provisioning of next-generation universal apps that are vastly more secure.

There will always be legacy applications that need to be delivered to users, and Remote Desktop Session Host (RDSH) is a proven way to do that. Windows 10 and Office 365, with EMS, address enterprise EUC challenges with a solution that users want. Add virtualization or micro-virtualization to the client device for security and you have a solution that is local, touchable and zippy; more secure and manageable; and that uses cloud services for management, security and a more compelling set of EUC services.


July 29, 2015 / clintonkarr

Endpoint Exploitation Trends (but what of Hacking Team!?)

Today, Bromium released "Endpoint Exploitation Trends 1H 2015," a Bromium Labs threat report that analyzes security trends from the first six months of 2015. One of the primary themes to emerge should come as no surprise: cyber criminals attack the targets that have the most users. In practice, this means that malvertising campaigns are conducted primarily through news and entertainment Web sites, and that Flash has been exploited more than any other popular software this year. It is also no surprise that exploits targeting the Windows kernel are becoming more popular for launching targeted attacks; the discovery of Duqu 2.0 targeting high-profile groups, including a large cybersecurity company, clearly demonstrates this. As the industry adopts application sandboxing for popular apps, kernel exploits are expected to gain more attention from malware authors.

Threat Report Exploits

Hackers continue to innovate. Malware evasion technology keeps evolving to bypass the latest detection mechanisms deployed by security professionals. Ransomware has exploded, more than doubling year over year: in 2013 there were just two ransomware families; today there are 16.


If you're interested in these trends, you should read the full report. Note that the report does not address the recent Hacking Team disclosures, since it only covers the first six months of 2015. Bromium Labs has conducted a thorough analysis of the Hacking Team leak, which is worth reading, but today I want to talk about the bigger trends and how they relate to this threat report.

In July, Hacking Team, an Italian surveillance company, was compromised, leaking customer lists, source code and internal emails. In the following days and weeks a Pandora's box of exploits and vulnerabilities was unpacked; Flash, Internet Explorer and even Java were targeted.

These Flash exploits were incorporated into the Angler, Neutrino and Nuclear exploit kits. This development ties back into our research, as discussed in “Endpoint Exploitation Trends 1H 2015:”


In the past six months Adobe Flash Player took the coveted top space as the most exploited application. From an exploitation point of view, the architecture of Adobe’s AVM has multiple flaws allowing attackers to craft ROP shellcode on the fly thus bypassing ASLR and DEP. This combined with evasion techniques described in this report makes a nasty combination, with practically every user vulnerable.

Angler Exploit Kit

All the Web attacks we’ve seen are still operated using exploit kits. We found Angler to be the most prevalent exploit kit for the last six months. Lately we have been seeing CVE-2014-6332 also known as ‘IE Unicorn vulnerability’ and several Flash exploits, such as CVE-2014-0497 and CVE-2015-0311 for propagating malware. Aside from that Nuclear Pack and Fiesta remain relatively popular.

These Flash exploits, coupled with the newest Flash zero-day, prompted Mozilla to temporarily block Flash in Firefox. Facebook's CSO wants to kill Flash. YouTube has dropped Flash for HTML5, and at least one other streaming video site is making the same commitment. Will it really make any difference?

If these trends show us anything, it is that hackers have read "Who Moved My Cheese?" Internet Explorer was the most exploited software in the first half of 2014; this year it is Flash; next year it will be whatever is easiest for attackers to compromise. What these trends really demonstrate is that all software is vulnerable.

More than 110 million records were compromised in the first six months of 2015, which demonstrates how ineffective the security industry has been. I have written before about the challenge of patching never-ending zero-days, and I have called out the security industry on the vicious cycle of "assuming compromise."

Security is almost always an afterthought when developing technology. Perhaps someday, say 100 years from now, technology will be secure by design, but in the meantime we are living in a "lawless" era of vulnerabilities and compromise. Detection-based technologies are trying to solve an unsolvable problem.

The only way to prevent compromise is to prevent the initial unauthorized access. Threat isolation enforces the principle of least privilege to achieve this: unknown and untrusted content is isolated from trusted systems. Bromium vSentry is an example of this threat isolation; micro-virtualization isolates each vulnerable user task, preventing it from modifying the operating system or gaining unsanctioned network access.

