Category Archives: Andrew Lee

Professor Klaus Brunnstein

Many people in the security industry have expressed their regret at the passing of Professor Dr Klaus Brunnstein, who died on 20th May 2015, just a few days before his 78th birthday, as I noted in an article for ITSecurity.

I’ve been particularly struck, though, by the fact that so many people were willing to share their thoughts: not only at ESET (where so many people expressed their regret that I felt I had to post the article at a vendor-neutral site so that it wouldn’t look like some kind of twisted PR exercise), but also by the many people who responded to requests for comments before the article was published and even after it was published. I’m only sorry I couldn’t include all the commentary I received.

I think it all indicates just what a legacy Klaus leaves behind him, not just politically, and not just to the security industry (including CARO and EICAR) and to academia (notably the Virus Test Center at the University of Hamburg), but to the entire online world. The article and the links it includes give only the barest impression of how immense his contribution was, and just how much he’ll be missed personally. As Andrew Lee observed:

A thoroughly decent man. Sadly missed, he wasn’t able to make it to the CARO conference a couple of weeks ago. I only met him a few times, but it was always memorable.

David Harley
ESET Senior Research Fellow

Not even the end of an era

Well, not entirely, my last post notwithstanding.

Andrew Lee and I have been busily housekeeping and fitting various bits of ideas and web pages together over the last week or so, and have managed to keep more of the old site together than I originally anticipated. So I hope it won’t sound like I’m blowing my own trumpet if I say that my last post wasn’t quite the Last Post after all. Or, indeed, the Flowers of the Forest.

I’m a little hard-pressed right now, but I’ll get back here with some more details. That doesn’t mean I won’t be making more use of the AVIEN Portal, but that won’t be with quite the same urgency.

David Harley CITP FBCS CISSP
Small Blue-Green World/AVIEN
ESET Senior Research Fellow

The end of an era…

…but not of AVIEN.

Since AVIEN has gently declined from being a major player on the fringes of the anti-malware industry to a few low-volume mailing lists, I’m reducing its footprint on the web and the drain on the pocketbooks of Andrew Lee and myself (subscribers haven’t been charged for some time, so there is no income with which to maintain the sites). Existing and future blog articles will be available from the AVIEN portal from next week (the first week in August, 2011). The existing AVIEN web site (including this blog page) will be taken down when the domain is transferred to Small Blue-Green World, but some of the content will also be transferred in some form. 

Thanks again to Andrew Lee for maintaining the sleeping giant for so long. Unfortunately, its current sleeping quarters mean running at a significant loss, so we have to change the decor a little. However, the fact that quite a few people want to remain on the new mailing list is encouraging, and I don’t think we have to call in the undertaker just yet.

David Harley CITP FBCS CISSP
De-facto CEO, I guess….

(Intellectual) Property is Theft?*

First of all, congratulations to Andrew Lee on his new role as CEO of ESET LLC. It’s as well that my work for AVIEN is unpaid, as otherwise he’d be my boss twice over. 😉 The press release here includes substantial references to AVIEN and the AVIEN book, to which many AVIEN members contributed, as did Andrew and myself.

That was a very worthwhile project, but one of the less attractive aspects was the readiness of a great many people to generate and distribute pirated copies: apparently the time and effort it took us all to generate that book doesn’t deserve any recompense. In fact, I had a pirated PDF copy sitting on my desktop before my author’s (hard) copies arrived…. That wasn’t the first of my books to be pirated, let alone the only one. But it seems that the pace has picked up in recent years.

So imagine my joy on reading in the Vancouver Sun that ION Audio are about to market a device that can scan a 200-page book in 15 minutes. (Thanks to Robert Slade, my co-author on Viruses Revealed, for bringing this gem to my attention.) Well, it’s basically just a more ergonomic type of scanner, and hopefully dedicated pirates will find that having to turn all those pages by hand will still have a negative effect on their sex lives.

I don’t think there’s much doubt, though, that for every individual who has a legitimate and possibly legal reason to scan one of their books into machine-readable form (i.e. for iPad, Kindle etc.), there will be many more who will see this as a way to profit from the labour of others without asking the question “why do I have the right to assume that authors should go through the pain of writing and publishing with no right to any sort of return?”

What is really infuriating, though, is that it doesn’t seem to have occurred to ION that it is marketing rather more than a legitimate tool for honest students and educationalists. Or maybe it doesn’t care, because it can’t be used to copy ION hardware.

* http://en.wikipedia.org/wiki/Property_is_theft

David Harley CITP FBCS CISSP
AVIEN COO

AVIEN Sponsors VB 2010

Virus Bulletin 2010

In honour of our 10th Anniversary here at AVIEN, we’re sponsoring the pre-dinner drinks reception at the 20th Virus Bulletin Conference in Vancouver next week. In case you didn’t know, AVIEN was formed out of conversations held at Virus Bulletin in 2000, and the relationship between the two organisations has been a long and friendly one. We’re proud to help bring a part of the conference to the attendees.

Andrew Lee
AVIEN CEO / CTO K7 Computing

One from the “Don’t send stupid emails” department

In a frankly bizarre incident, a young British teen has been banned (for life) from entering the USA, after sending an abusive and threatening email to the White House email account. The 17 year old escaped criminal prosecution, but will be denied the opportunity to ever visit the land of opportunity.

Though this lad probably just got a bit annoyed and did something silly, one thing this does show is that young people simply aren’t being taught how to act on the internet (though reading USENET would have shown you that not many people do, young or old). Surely citizenship classes should also include information on how to be a good netizen, and schools’ IT curricula should include at least a basic understanding of personal security and how email works.

Full report from the BBC News site is here http://www.bbc.co.uk/news/uk-england-beds-bucks-herts-11296303

Andrew Lee
AVIEN CEO / CTO K7 Computing

Snakeoil Security

This is a really good article about how poor security products can appear to work, but actually increase the problem:

http://ha.ckers.org/blog/20100904/the-effect-of-snakeoil-security/ *

The article also links to a good article about the ACUTrust product (which no longer exists), http://ha.ckers.org/acutrust/, which contains the following quote:

“like most systems that use cryptography it is not a vulnerable algorithm, but the system that uses it is”

This really does bear repeating as many times as possible. Just because a product claims to use cryptography – most will claim to be using AES256 – doesn’t mean it is using it in a way that makes the system secure. Cryptography is all too often treated as a security panacea, a ‘buzzword’ that makes the user feel safe, but what matters is, as always, the implementation.

One of the best examples of this sort of failure I’ve seen recently is this http://gizmodo.com/5602445/the-200-biometric-lock-versus-a-paperclip. The incredibly secure biometrics in the lock mean nothing if the manual lock can be opened with a paperclip. Adding a stronger mechanism to a weaker one does not strengthen the system.
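The paperclip lock illustrates a general rule that is worth seeing in code: an asset reachable by several alternative routes is only as strong as the cheapest route, however strong the others are. The following model is an added example, not code from the original post or from any product it mentions. It generalises the lock to any set of alternative routes, each made of mechanisms that must all be defeated in series; all attack-cost figures are constructed placeholders for illustration, not measurements.

```python
"""Weakest-route model: why adding a strong mechanism beside a weak one
does not strengthen the system.

An attacker picks the cheapest route to the asset. Mechanisms on the same
route compose in series (costs add); alternative routes compose in parallel
(the minimum wins). The numbers are constructed, relative effort values.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Mechanism:
    name: str
    attack_cost: float  # relative effort to defeat this mechanism alone (constructed)


@dataclass(frozen=True)
class Route:
    name: str
    layers: tuple  # mechanisms that must ALL be defeated along this route

    def cost(self) -> float:
        # Series composition: every layer on the route has to be beaten.
        return sum(m.attack_cost for m in self.layers)


def cheapest_route(routes):
    """Parallel composition: the attacker's effective cost is the minimum
    over all alternative routes. Returns (route name, cost)."""
    best = min(routes, key=lambda r: r.cost())
    return best.name, best.cost()


def strengthen(routes, route_name, extra):
    """Return a new route list with `extra` added in series to one route."""
    return [
        Route(r.name, r.layers + (extra,)) if r.name == route_name else r
        for r in routes
    ]


# Constructed model of the biometric padlock: a fingerprint reader and a
# cheap mechanical override that both open the same shackle.
FINGERPRINT = Mechanism("fingerprint reader", 80.0)
OVERRIDE_LOCK = Mechanism("mechanical override (paperclip)", 1.0)
PADLOCK = [
    Route("biometric", (FINGERPRINT,)),
    Route("override", (OVERRIDE_LOCK,)),
]


def demo():
    """Compare three variants of the padlock; returns a tuple of
    (cheapest route name, cost) results in the order baseline,
    stronger biometric, fixed override."""
    before = cheapest_route(PADLOCK)
    # Making the already-strong route stronger changes nothing.
    upgraded = strengthen(PADLOCK, "biometric", Mechanism("liveness check", 50.0))
    after_upgrade = cheapest_route(upgraded)
    # Only hardening the weak route raises the attacker's real cost.
    fixed = strengthen(PADLOCK, "override", Mechanism("high-security cylinder", 60.0))
    after_fix = cheapest_route(fixed)
    return before, after_upgrade, after_fix


if __name__ == "__main__":
    labels = ("baseline", "stronger biometric", "fixed override")
    for label, (route, cost) in zip(labels, demo()):
        print(f"{label:20s} cheapest route = {route} (cost {cost})")
```

The second variant is the padlock vendor's mistake: spending effort on the route the attacker was never going to take. The model applies equally to the password-on-the-monitor case below, where the "route" past a strong password policy is the sticky note.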

So why does this sort of failure happen so frequently? It really happens because security practitioners, as well as the people who buy security products, often don’t see the big picture. Security is about people, and what people will do (or not do) to the systems that they are presented with. A classic example is enforcing a strict ‘strong’ password policy that means that users write down their password, and stick it to the monitor so they don’t forget it.

Security isn’t really about products, or technologies – those can be enablers, but it is about seeing where the weaknesses are, understanding the risks, and taking what measures are possible to ensure those risks are minimised. Buying into ‘hot’ products is not a reasonable investment if you don’t understand what you are buying and why you’re buying it.

I personally am coming to believe that the greatest failure of security over the last 20 years is that we have failed to understand that we are securing (for and against) people not technologies, and people do the strangest things.

Andrew Lee
AVIEN CEO / CTO K7 Computing

* Thanks to @securityninja for the original link

Sins of Omission

It’s not really related to malware, but this is an interesting article that brings up a few issues that should be highlighted.

http://www.bankinfosecurity.com/articles.php?art_id=2846

Firstly, the cheque images in question are used as a security feature: you can view them online to see when and where they were cashed, and they are attached to a specific transaction. Those who don’t have a US bank account might not be familiar with such a system. However, the fact that the cheque now exists online should be a red flag for security, and you would expect it to be protected as part of the bank account (your cheques, after all, have your signature on them, along with your bank details and a sample of your handwriting). The key to the success of this breach was that the images were all stored in a single online database. This in itself is a huge vulnerability.

Secondly, just because something is not a regulatory requirement doesn’t mean that it shouldn’t be done as a matter of course. If you hold such a database, and know that it contains data that would be very useful in fraud, then it makes sense to use encryption to protect it; so in this case the fact that the images were not encrypted simply makes it worse. It’s like saying that we were only required to put locks on the doors, but the regulations didn’t state we needed to close the windows.

Many European banks are moving away from paper-driven cheques, and that would of course reduce or eliminate this specific attack, but what doesn’t seem to be happening is any assumption by the banks that they are under attack. For instance, my bank has implemented some rudimentary anti-phishing protections, but it still uses a very weak password-based account entry, which any key-logger could get around (unless of course I’m using a secure browser like K7SecureWeb or SafeCentral), and that combined with a screen-scraper could easily compromise the anti-phishing measures.

Probably, as things get more serious (in terms of fraud) for the banks, there will be much more concentration on securing things. For now, the sad fact is that the consumers are not driving this, because they don’t care – the losses are to the banks, because of consumer protection (at least in the EU and USA). The reason my bank (along with most other British and US banks) has such poor security is that at the moment the customers aren’t demanding higher security. That, coupled with silly things like only implementing the letter, rather than the spirit, of regulation, does not bode well for online banking in the near future.

Meanwhile, the anti-malware industry gets a harder and harder rap for not being able to clean up all the mess, while what really needs to happen is for everyone to take a bit more responsibility for their actions, and understand that there are real threats out there that cannot be addressed by anti-malware alone, nor indeed by any purely technology-based solution.

Andrew Lee CISSP
AVIEN CEO / CTO K7 Computing

Virus Bulletin Seminar Announced

Virus Bulletin have announced the first in a new series of seminars. Aimed at corporate IT admins and security practitioners, the day-long seminar will look at protecting organisations in the modern age of Internet-enabled crime.

Speakers include:

  • Bryan Littlefair, Vodafone Group
  • Bob Burls, Police Central e-Crime Unit
  • Graham Cluley, Sophos
  • Alex Shipp
  • David Evans, Information Commissioner’s Office
  • Andrew Lee, K7 Computing
  • Martin Overton, IBM
  • Richard Martin, UK Payments Administration

http://www.virusbtn.com/seminar/index.xml

There’s an early bird price available, and seats are likely to fill up fast, so get in early!

Andrew Lee CISSP
AVIEN CEO / CTO K7 Computing

More AMTSO stuff

They say there’s no such thing as bad publicity, though quite who ‘they’ are, and why ‘they’ would make such a clearly daft statement, is beyond me. It seems that AMTSO has had its fair share of bad publicity recently – a further example is the piece by Ed Moyle over on his blog at http://www.securitycurve.com/wordpress/archives/1773. It’s a long article, but it does show that Ed clearly doesn’t understand (or doesn’t want to accept) what AMTSO is trying to do – maybe that does just mean that AMTSO needs better PR representation. Anyway, once again Kurt Wismer (or perhaps I should adopt his anti-capitalist rendering and use kurt wismer) has provided some excellent analysis of Ed’s piece over on his blog at http://anti-virus-rants.blogspot.com/2010/07/i-see-standards-organization.html

There’s little more that really needs to be said from my perspective. For the record, I personally agree with Kurt (I just can’t seem to get my head around the ‘kurt’ thing) in his analysis of the NSS report done by AMTSO – which seems to be at the root of this whole anti-AMTSO campaign. The central point is that NSS did a good job, and came very close to the ideal (if you haven’t read the review, then it’s here). It’s unfortunate that saying they did not fully meet the ideal standard set by AMTSO has been taken as a negative thing or a slight against them – it was still far better than many other tests, and I have every hope that people are sensible enough to recognise that. It’s hard for me to see quite how Ed jumps from that report to an accusation that AMTSO is ‘slapping the labs’ – an argument even harder to see when a lab like Dennis Technology Labs (who have a very similar methodology to NSS) voluntarily submitted their own test for the AMTSO review process (see the report here).

If there’s one thing we can learn from this, it’s that there does seem to be a double standard here – testers can criticise AV vendors with impunity in their reviews and tests of AV products, but when someone tries to apply that same process and rigour to the tests done by those testers, that is somehow anathema. Personally, I think that’s shoddy thinking, and I have no doubt that AMTSO will continue to strive, as it has done from inception, to provide the public with an insight into tests, and to support good testing practice (and incidentally point out less than ideal practice where needed).

Andrew Lee
AVIEN CEO / CTO K7 Computing