Monthly Archives: August 2010

AVAST takes $113 Million in capital

In what seems to be something of a trend for big investments or buyouts of AV companies, AVAST, the Czech based makers of the popular free AVAST Anti-virus, have sold a minority stake in their company to investment firm “Summit Partners”.

http://www.itnews.com.au/News/229866,avast-takes-113m-equity-injection.aspx

AVAST (formerly ALWIL software) has long been in the ‘free’ anti-virus game, as one of the pioneers of that model, and clearly it seems to be working for them. It should be interesting to see what they do with the cash and how their product line develops over the next few years as they compete with their big neighbour AVG, also Czech based and big in the free AV game.

Andrew Lee
AVIEN CEO / CTO K7 Computing

Also blogging at http://blog.k7computing.com

Breaking news: Intel Buys McAfee

Intel announced today that it has bought out McAfee, http://mcafee.com/us/about/intel_mcafee.html

It’s definitely a time of consolidation in the industry, and this is an interesting move on the part of a player that hasn’t so far gotten it’s feet wet in the software security arena (although Intel Capital has invested in other AV companies such as AVG).

What this means for consumers could be interesting, as the AV could be much more closely tied to the processor architecture.
Anyway, congratulations to all my friends at McAfee, next time we meet, the drinks are on you.

Andrew Lee CISSP
AVIEN CEO / CTO K7 Computing

Update 20/08/2010: Of course, I neglected to mention that Intel did of course have an AV product called LANDesk some years ago, that was bought by Symantec, so Intel isn’t totally new to this game.

Sins of Omission

It’s not really related to malware, but this is an interesting article that brings up a few issues that should be highligthed.

http://www.bankinfosecurity.com/articles.php?art_id=2846

Firstly, the cheque images in question are used as a security feature, you can view them online to see when and where they were cashed, and they are attached to a specific transaction. Those who don’t have a US bank account might not be familiar with such a system – however, the fact that the cheque now exists online should be a red-flag for security, and you would expect it to be protected as part of the bank account (your cheques, after all, have your signature on them, along with your bank details and a sample of your handwriting). The key to the success of this breach was that the images were all stored in a single online database. This in itself is a huge vulnerability.

Secondly, just because something is not a regulatory requirement, doesn’t mean that it shouldn’t be done as a matter of course. Holding such a database, and knowing that it contains data that would be very useful in fraud, then it makes sense to use encryption to protect it - so in this case fact that they were not encrypted simply makes it worse. It’s like saying that we were only required to put locks on the doors, but the regulations didn’t state we needed to close the windows.

Many European banks are moving away from paper driven cheques, and that would of course reduce or eliminate this specific attack, but what doesn’t seem to be happening is any assumption by the banks of attack. For instance, my bank has implemented some rudimentary anti-phishing protections, but it still uses a very weak password based account entry, which any key-logger could get around (unless of course I’m using a secure browser like K7SecureWeb or SafeCentral), and that combined with  a screen-scraper could easily compromise the anti-phishing measures.

Probably, as things get more serious (in terms of fraud) for the banks, there will be much more concentration on securing things. For now, the sad fact is that the consumers are not driving this, because they don’t care – the losses are to the banks, because of consumer protection (at least in the EU and USA). The reason my bank (along with most other British and US banks) have such poor security is that at the moment, the customers aren’t demanding higher security. That, coupled with silly things like only implementing the letter, rather than the spirit of regulation, is not going to bode well for the online banking in the near future.

Meanwhile, the Anti-malware industry gets a harder and harder rap for not being able to clean up all the mess, while what really needs to happen is for everyone to take a bit more responsibility for their actions, and understand that there are real threats out there, that cannot just be addressed by anti-malware alone, nor indeed any purely technology based solution.

Andrew Lee CISSP
AVIEN CEO / CTO K7 Computing

Virus Bulletin Seminar Announced

Virus Bulletin have announced the first in a new series of Seminars. Aimed towards the corporate IT Admins and security practitioners, the day long seminar will look at protecting organisations in the modern age of Internet enabled crime.

Speakers include

  • Bryan Littlefair, Vodafone Group
  • Bob Burls, Police Central e-Crime Unit
  • Graham Cluley, Sophos
  • Alex Shipp
  • David Evans, Information Commissioner’s Office
  • Andrew Lee, K7 Computing
  • Martin Overton, IBM
  • Richard Martin, UK Payments Administration

http://www.virusbtn.com/seminar/index.xml

There’s an early bird price available, and seats are likely to fill up fast, so get in early!

Andrew Lee CISSP
AVIEN CEO / CTO K7 Computing