Archive for the ‘AVIEN’ Category

The edge of reason(ableness): AV Testing and the new creation scientists

Wednesday, July 7th, 2010

First, let me start out by saying that I am in a bad mood. I probably shouldn’t write when I’m in this mood, because I’m in danger of just ranting, but I’m going to anyway. I’m in a bad mood because I am pretty fed up that some people are so deliberately trying to destroy something I’ve personally (along with many others) worked very hard to build in the last couple of years.

I’m in a bad mood because writing this is distracting me from the many other things that I need to do, and get paid to do.

I’m in a bad mood because I’m fed up with hearing that I, and others like me, have no right to comment on things that fall directly within my realm of expertise (and goodness knows, that’s a narrow enough realm) – and that if I do, it’s simply self-interested nonsense.

Secondly, let me also point out that although I’m now going to reveal that, yes, I’m talking about Anti-Malware Testing, and may mention AMTSO, I’m not speaking on behalf of AMTSO, nor my employer, nor anyone else, but me, myself and I (oh, that there were so many of us).

So, “What’s the rumpus?*” Well, in what has become an almost unbelievable farce, the last few weeks have seen mounting attacks on the AMTSO group and what it does.

For some background – those who are interested can read these articles.

http://kevtownsend.wordpress.com/2010/06/27/anti-malware-testing-standards-organization-a-dissenting-view/

http://krebsonsecurity.com/2010/06/anti-virus-is-a-poor-substitute-for-common-sense/

There are some very good points in the second (Krebs) article, although cantankerous is not something that I would say characterizes AMTSO all that well – as Lysa Myers has pointed out ‘AMTSO is made of people‘, and I think the generally negative tone employed is a shame. The first (Townsend) article is way more problematic; there’s just so much wrong with Mr Townsend’s thinking that I don’t really know where to start. Fortunately, Kurt Wismer has already done a great job of responding here, and David Harley an equally competent job here.

So why my response? Well, probably because I certainly am cantankerous.

I’m also, almost uniquely in this industry (David Harley is another), formerly one of those “users” that Mr Townsend is so adamant should be controlling the process of AMTSO’s output – indeed, the whole of AVIEN was set up in the year 2000 as an organisation of interested, non-vendor employed, users – albeit users who knew something about anti-malware issues. We were users responsible for protecting large enterprises, who wanted to be able to share breaking anti-virus information without the interference of Vendors or the noise of such cesspools as alt.comp.virus. We wanted good, reliable information.

I, like David Harley, later joined the industry as a Vendor, but I still understand what it is to be a user, and that was also a huge consideration in the setup of AMTSO – as so many have said before, and I want to reiterate here, bad testing of anti-virus products hurts everyone, the user most especially.

However, this debate is much more than just one on which we can ‘agree to differ’  – like whether Germany or Spain has the better football team might be – it’s much more fudamental than that.

Indeed, the only real analogy that comes close is that of the battle currently raging between the so called  faith based ‘science’ of creationists (let’s not prevaricate, Intelligent Design is just a euphemism for Creationism), and the research based science of evolutionary biologists and so on.

On the one hand, you have anti-malware researchers, professional testers and so on; people who study malware every day, who constantly deal with the realities of malware exploiting users, and who understand better than anyone the challenges that we face in tackling malware – if you like, the “Richard Dawkinses of anti-malware” (though I certainly would not claim to match his eloquence nor intelligence) -  and on the other hand, we have those outside the industry who say that we’re all wrong, that we’re just a “self-perpetuating cesspool populated by charlatans” (yet none the less, a cesspool at which the media feeds most voraciously), that nobody needs AV, and that everything the AV community does or says is bunk.

What I find so extraordinary (in both cases) is that those who are most in a position to provide trusted commentary on the subject are so ignored, in favour of those who have shrill, but ill-informed voices. Why is it that information from a tester; who may have just woken up one morning and decided to ‘test’ antivirus products; is taken on faith as being correct and true; and yet, when a group of professional people give up their time voluntarily, and work together to try to produce some documentation that sets out the ways in which anti-malware products can be tested effectively (and, no, that has nothing in particular to do with the WildList) and reliably, is it so violently decried as self-interested nonsense. It’s a terrible shame that science is so deliberately ignored in the face of popular opinion. Unfortunately, millions of people CAN be wrong, and often are.

AMTSO is not about dictating truth, but rather pointing out ways in which truth can be reliably found (and importantly, where it cannot).

I refuse to lie down and take it when someone tries to tell me that I’ve no right to point out the truth – and I’m not talking about truth based on some millenia old scripture, but real, hard, repeatable, scientifically verifiable, researched fact. If that makes me as unpopular as Richard Dawkins is to a creationist, then so be it.

If you’re interested in understanding why anti-virus testing is so important (and why so many professional testers participate in AMTSO) then, please, do have a read of the AMTSO scriptures er… documents, here.

Andrew Lee – AVIEN CEO, Cantankerous AV researcher.

* If you’ve not seen the excellent movie “Miller’s Crossing” you won’t know where that quote comes from.

(Thanks to Graham Cluley for pointing out that the first link didn’t go to the correct page.)

Tags: , , , ,
Posted in AVIEN, Andrew Lee, Anti-Malware, Anti-malware Testing, David Harley | 11 Comments »

Breaking up is never easy…LoveBug, the day after.

Wednesday, May 5th, 2010

The LoveBug/Loveletter/Iloveyou worm (much more geekishly called VBS/Loveletter.a@mm by, well, AV geeks) has become one of those legendary events in malware history. The fact that 10 years on we’re still writing about it. Not only that, but many of us will remember exactly where we were and what we were doing when we first heard about it – in fact many more might remember it than were actually there :) .

Still, I remember exactly where I was – I was in Reading, at Microsoft headquarters attending a security seminar and my Blackberry (one of the very early ones, with a greyscale LCD screen), started to go off regularly. I grabbed the next train back to Dorset, got into work, and spent the next ten hours ensuring that nothing bad was going to happen on our network. Many other people have written about their memories of the day – 10 years ago yesterday – including Graham Cluley and Mikko Hypponen, and indeed our own David Harley, and I’ve nothing to add to that. You see – we were using Lotus Notes (~shudder~) and not one single system got infected – although we did get a tremendous amount of email, which very quickly got blocked once we knew the attachment name. No, I remember the Loveletter for what happened 10 years ago TODAY, the 5th of May. And, it is a tale I felt worth sharing, about how even good information about one situation is not necessarily applicable across the board.

Although they were not directly under my responsibility, my team had involvement with the IT systems of all the schools across Dorset, and while none of the systems we were responsible for were affected by Loveletter, this was not true of other systems within the schools, which were under supervision of the school’s own IT personnel. On the morning of the 5th of May, I sent out a message to everyone on our network to the effect that “Our network was not affected by the VBS/Loveletter worm, and no damage resulted from any mails that were opened within our network, but we request that you remain vigilant and avoid opening attachments that are not work related. We also suggest that you install an Anti-virus product at home, and ensure that any mails with the subject “ILOVEYOU” are deleted without being opened” This was the very last time I ever sent out such a message, not because it was incorrect, but because the information ended up being spread outside of our organisation – particularly in schools, where I’m sure people felt they were being helpful by forwarding my email – at which point I got several very angry phonecalls and emails abusing me for my lack of intelligence. The reason? The information was only true of our organisation, and those whose networks DID end up getting affected (Loveletter also deleted .jpg/jpeg images) were angry that I so downplayed the risks of the worm while they were watching it eat through all the images on their servers and workstations. In fact, many of the schools were running Microsoft Exchange and Outlook, and once their systems were infected, many pupils lost work.

This highlights the fact that information is often specific, it isn’t necessarily relevant to all situations. Think of it like fire extinguishers; they have specific uses on specific types of fires – don’t go spraying a water extinguisher onto an electrical or fat fire, you will get burned.

User education is often very difficult, and one of the reasons it is so is that there are so many variables, so many different ways that things can go wrong. In a way the Loveletter worm was one of the first Phishing attacks – it combined clever social engineering with malicious code to steal passwords. David Harley and I have written fairly extensively on Phishing, including examining whether the sort of ‘anti-phishing’ quizzes we’ve seen on some security sites are actually of any use. As far as I’m concerned, the jury is still out – there’s far too little common sense, too much irrelevant information, and it takes (literally) a lifetime to become a security expert; you can’t expect people to learn in five minutes.

As David mentioned yesterday, AVIEN was formed out of the need for non-vendors working in the AV industry to get fast and accurate information about spreading threats – I was glad to find that the instances where such information got so wildly misconstrued as in my Loveletter incident were few and far between. AVIEN also has its 10th birthday this year – more of that later in the year.

As an aside, I later applied for a job at one of the schools that had been affected, imagine how my heart sank when my interviewer turned out to be one of the people who had written me an angry email…no, I didn’t get the job! Anyway, it’s all water under the bridge, and since it is the 5th of May, my greetings to all my Mexican/Southern Californian friends, who will no doubt be regretting their today’s activities tomorrow morning.

Andrew Lee CISSP
AVIEN CEO / CTO K7 Computing

Tags: , , , , , , , , , ,
Posted in AVIEN, Andrew Lee, Anti-Malware, Lovebug, Management and security, Phishing, VBS/Loveletter, Virus, Worms | No Comments »

The Real Lovebug

Tuesday, May 4th, 2010

I don’t think I’ve ever seen “Kramer versus Kramer”, but I did actually read the novel by Avery Corman, a long, long time ago. And I have a vague recollection of Ted Kramer saying something to his wife Joanna about the birth of their son, and of her responding that she doesn’t remember Ted having been there. Hold that thought…

Suddenly, there’s a whole rash of anti-malware vendors reminiscing about VBS/Loveletter, which is, in epidemiological terms anyway, ten years old today. There’s a massive amount of information about what it actually did, of course, complete with copious screenshots, so I won’t waste time reproducing that information – I doubt if you’ll be faced with a Lovebug infection at this stage in the game.  There is even a certain amount of discussion about which company “discovered” it.

As someone who works for an anti-malware vendor, I have nothing to say about that: I was certainly very active in the anti-virus field by that time, but I didn’t work for a vendor. In fact, I was working in security systems administration for a medical research charity, so I didn’t get a vendor’s eye view of the drama, but very much the customer view.

I do know how I became introduced to the Love Bug, because I included a note about it in the case study Rob Slade and I included in a book we wrote in 2001 called “Viruses Revealed”. One of our end users reported receiving an attachment containing gibberish – Outlook wasn’t in common use on that site, and other clients couldn’t interpret the code. The Helpdesk analyst who picked up the call realized that “gibberish” might well denote program code, and passed it on to me. And, in fact, the most cursory inspection of the code indicated that it was clearly meant to be infective, so I passed a copy straight to the vendor from whom my company was licensing AV at the time.

No, I’m not claiming to be patient zero: by that time, I was starting to see mail from other corporate AV specialists – that is, people specializing in malware management but not working in the anti-virus industry – seeing the same malcode. What I wasn’t seeing at that time was information from the industry.

That was a little before the birth of AVIEN (the result of a meeting at the 2000 Virus Bulletin conference later that year), but I remember talking to several of the same people who later exchanged information on other malware outbreaks on AVIEN lists. These less formal exchanges of information and opinions during the first phase of the Loveletter epidemic were immensely valuable as we all evolved strategies suited to our particular environments for dealing with the threat (and the waves of copycat malware that quickly followed), while we waited for signatures from our vendors of choice. Unfortunately, I don’t have access to those emails anymore, but I used an AVIEN mailing list to ask some of those who were there at the time what they remembered.

Some remember risking life, limb and speeding tickets trying to get to the office  in order to take hands-on remediative action. Ken Bechtel remembers getting 12 messages on his pager and three phone calls before he’d even left home, and subsequently, he says, “I remember 36 out of 48 hours of work blocking vbs at the PMDF, and creating a custom SMS script to create a special named DIRECTORY to prevent a file from being dropped.”

Mike Blanchard was due at a training session that morning, but was similarly pounded by pager messages and phone calls and had to turn around en route and get to the office. (He actually received a ticket for turning around in someone’s driveway, but successfully fought the case because of the nature of the emergency.)

Thankfully, I was already at work, so there was no risk of my being charged with running too fast on a London Underground station…

So to all those industry professionals I’m now immensely proud to call colleagues, I’d like to say thank you for all your help over the years, and not least for the excellent job you did ten years ago in producing updates for Lovebug and the wave of semi-clones that followed.

But as far as Lovebug is concerned, I don’t remember you being at the birth. :)

David Harley FBCS CITP CISSP
AVIEN Chief Operations Officer

Tags: , , , , , , , , , , , , ,
Posted in AVIEN, David Harley, Ken Bechtel, Lovebug, Michael Blanchard, VBS/Loveletter | 2 Comments »

Who Will Educate the Educators?

Friday, January 22nd, 2010

@vmyths, otherwise known as Rob Rosenberger, notes on Twitter that

“3doz firms THAT EMPLOY COMPUTER SECURITY EXPERTS got whacked in a zero-day attack. How about some “education” for THEM, eh?”

Well, “computer security experts” is a somewhat fuzzy term, and a little pejorative: when the media use it, they usually mean themselves, or the company that supplied the press release they’re recycling. When they actually mean computer security professionals, it’s usually in the sense of “so-called security experts who can’t see what is absolutely clear to any right-thinking journalists.” A somewhat similar mindset, perhaps, to those denizens of Security-Basics who believe that anyone who has letters after his name has to be a blithering idiot with no actual security experience. No, I’m not getting into that argument again…

But let’s assume that Rob means the same group that I probably would, if I couldn’t avoid using the term: information security professionals not necessarily working within the security industry. (I know there sometimes seems to be far too many of us who are in the industry, but most of us are OK, honestly.)

A group, in fact, rather like the subscribers to the first incarnation of AVIEN: people with a wide range of job titles, skill sets and responsibilities, from independent researchers to experienced managers and system administrators to people who suddenly found themselves landed with (some) security responsibility for their company. (Yeah, me too…)

Well, it’s true: if you’re going to make people responsible for security, you do need to ensure that they already have some experience and training, or that they at least receive some training to jumpstart them into the role. Especially if, like me, you believe that part of the security professional role is to take some responsibility for the education of others. (Yes, I know that there’s a sizeable section of the security community that believes there’s no mileage in trying to educate the end-user - http://www.eset.com/download/whitepapers/People_Patching.pdf - but I’m not getting into that argument right now, either.

Before we start blaming everything (yet again) on lazy, incompetent, uneducated security experts though (and hopefully that isn’t what Rob meant), let’s remind ourselves of a few pertinent facts.

  • As my colleague Aryeh Goretsky has pointed out, banks with security guards are not immune to bank robberies. “Mitigation of risk != elimination in its entirety.”
  • When a company hires security professionals, it doesn’t necessarily mean it listens to those professionals. Especially when listening to their advice entails spending significant sums that could be better spent on upgrading the catering on the Executive floor.
  • The corollary to assuming that employing security professionals (even competent individuals with exemplary support from the Boardroom) is enough to eliminate risk, is that if some malicious actor does get through, someone has “failed” and needs to be fired. That’s just lazy thinking: not so different to giving the bank janitor a uniform, a revolver and six shells, and saying “Hey, you’re promoted: now our asses are covered.”

Let’s not forget Spaf’s first principle of security administration:

If you have responsibility for security, but have no authority to set rules or punish violators, your own role in the organization is to take the blame when something big goes wrong.

That observation by Professor Eugene Spafford is as accurate now as it was when I first read it nearly twenty years ago…

David Harley FBCS CITP CISSP
Chief Operations Officer, AVIEN
Director of Malware Intelligence, ESET

Also blogging at:
http://www.eset.com/threat-center/blog
http://smallbluegreenblog.wordpress.com/
http://blogs.securiteam.com
http://blog.isc2.org/
http://dharley.wordpress.com

Tags: , , , , , , , , , , , , , ,
Posted in AVIEN, David Harley, education | 2 Comments »

AVIEN tiptoes into Web 2.0

Wednesday, November 25th, 2009

First the blog, then the twitter account, now the Facebook group. I don’t have a clear agenda for the group: to some extent it’s an exercise designed to force me to make more use of Facebook. It’s certainly an opportunity for AVIEN members to leap in at an early stage if they have ideas on how we could make good use of the group. However, it’s open to non-members, too, as I’d like to see more engagement with the public and media, which we’ve pretty much lost lately. Of course, if there’s a feeling that we’d benefit from a group for internal use, we could do that too.

I’ve also put up an AVIEN FB page, but there’s nothing to see there right now.

David Harley FBCS CITP CISSP
Chief Operations Officer, AVIEN
Director of Malware Intelligence, ESET

Also blogging at:
http://www.eset.com/threat-center/blog
http://dharley.wordpress.com/
http://blogs.securiteam.com
http://blog.isc2.org/

Tags: , , , , , ,
Posted in AVIEN, David Harley, Facebook | No Comments »