Category Archives: Ken Bechtel

Virus Researchers are community outcasts

Lately I’ve been reading a lot of blogs and articles attacking and defending AMTSO and their attempt at establishing standards for the testing of counter-malware products. Unfortunately I think BOTH sides are missing the larger picture here. AMTSO was formed to address some critical shortcomings in the testing of counter-malware products: some tests were arguably unethical, most unscientific and some just poor from the word go. So where does the dissent come from? It comes from the very people who did or supported those poor non-science-based tests. Yet it goes beyond that. The people who are condemning AMTSO and their efforts are in some cases well respected in the general security arena, and are very knowledgeable, and this is the rub. These people, most people in academia, and those in management as well, do not recognize malware research and prevention as a specialty niche. They attempt to apply the same rule-set to fighting a malware outbreak as they do to a simple intrusion, and see nothing wrong with that solution.

A majority of people not engaged in the malware field as a profession still feel that the average security professional has the same knowledge and skill sets as those used by counter-malware professionals. Unfortunately nothing could be further from the truth. It goes beyond the abilities and skills for reverse engineering, programming, and identifying abnormal network traffic. This argument goes back to at least the early 1990’s, when in a panel discussion a firewalls specialist attempted to answer a question about a virus. On that panel was Wolfgang Stiller, creator of Integrity Master Anti-Virus; Wolfgang interrupted him, saying something along the lines of “look, I’m here for the virus questions. I would never presume to speak with authority or experience on firewall issues, but you presume to have the same experience and expertise with viruses that I do, and that is mistaken”. Similar exchanges have happened on other panels with people such as Robert Vibert and Rob Rosenberger, among others. These are also the same people who demand that anti-malware products protect against threats that are not viruses, nor even specifically malware, but “potentially unwanted programs”. So this is not a new phenomenon. The question in my mind is why does it still exist?

Anti-Virus ‘Experts’ helped establish the disaster recovery field, and were among the very first to teach classes in that subject. It was the Anti-Virus Researchers who developed the field of Computer Forensics; in both cases it was the Anti-Virus field that had the necessary expertise and skill set needed to fill the holes and expand the career field. So now that Disaster Recovery and Computer Forensics are recognized as specialty fields and given a high degree of respect from schools and management, what happened to the Anti-Virus researcher? Their mindset is not of an operational nature; they bore easily, some may even say they have attention deficit disorder (ADD), yet they are anal about doing things the same way every time. They dwell on minutiae, arguing to the point of splitting hairs. I sometimes think some of my colleagues can SEE the traffic on the wire in their mind’s eye. Yet with all this contribution to the Computer Security Community they are still (almost purposely) maligned and misunderstood. At a Virus Bulletin Conference, I stated that we as a community must take action or go from the ranks of the professional to the ranks of the tradesmen. I still don’t know what action that is, or how to go about it, but AMTSO is a good step in that direction, and the naysayers need to start looking outside their comfort zone and realize they know enough to be dangerous and not enough to be helpful at this point.

Ken Bechtel
Team Anti-Virus
Virus Researcher and Security pontificator

The Real Lovebug

I don’t think I’ve ever seen “Kramer versus Kramer”, but I did actually read the novel by Avery Corman, a long, long time ago. And I have a vague recollection of Ted Kramer saying something to his wife Joanna about the birth of their son, and of her responding that she doesn’t remember Ted having been there. Hold that thought…

Suddenly, there’s a whole rash of anti-malware vendors reminiscing about VBS/Loveletter, which is, in epidemiological terms anyway, ten years old today. There’s a massive amount of information about what it actually did, of course, complete with copious screenshots, so I won’t waste time reproducing that information – I doubt if you’ll be faced with a Lovebug infection at this stage in the game. There is even a certain amount of discussion about which company “discovered” it.

As someone who works for an anti-malware vendor, I have nothing to say about that: I was certainly very active in the anti-virus field by that time, but I didn’t work for a vendor. In fact, I was working in security systems administration for a medical research charity, so I didn’t get a vendor’s eye view of the drama, but very much the customer view.

I do know how I was introduced to the Love Bug, because I included a note about it in the case study Rob Slade and I put in a book we wrote in 2001 called “Viruses Revealed”. One of our end users reported receiving an attachment containing gibberish – Outlook wasn’t in common use on that site, and other clients couldn’t interpret the code. The Helpdesk analyst who picked up the call realized that “gibberish” might well denote program code, and passed it on to me. And, in fact, the most cursory inspection of the code indicated that it was clearly meant to be infective, so I passed a copy straight to the vendor from whom my company was licensing AV at the time.

No, I’m not claiming to be patient zero: by that time, I was starting to see mail from other corporate AV specialists – that is, people specializing in malware management but not working in the anti-virus industry – seeing the same malcode. What I wasn’t seeing at that time was information from the industry.

That was a little before the birth of AVIEN (the result of a meeting at the 2000 Virus Bulletin conference later that year), but I remember talking to several of the same people who later exchanged information on other malware outbreaks on AVIEN lists. These less formal exchanges of information and opinions during the first phase of the Loveletter epidemic were immensely valuable as we all evolved strategies suited to our particular environments for dealing with the threat (and the waves of copycat malware that quickly followed), while we waited for signatures from our vendors of choice. Unfortunately, I don’t have access to those emails anymore, but I used an AVIEN mailing list to ask some of those who were there at the time what they remembered.

Some remember risking life, limb and speeding tickets trying to get to the office in order to take hands-on remediative action. Ken Bechtel remembers getting 12 messages on his pager and three phone calls before he’d even left home, and subsequently, he says, “I remember 36 out of 48 hours of work blocking vbs at the PMDF, and creating a custom SMS script to create a special named DIRECTORY to prevent a file from being dropped.”

Mike Blanchard was due at a training session that morning, but was similarly pounded by pager messages and phone calls and had to turn around en route and get to the office. (He actually received a ticket for turning around in someone’s driveway, but successfully fought the case because of the nature of the emergency.)

Thankfully, I was already at work, so there was no risk of my being charged with running too fast on a London Underground station…

So to all those industry professionals I’m now immensely proud to call colleagues, I’d like to say thank you for all your help over the years, and not least for the excellent job you did ten years ago in producing updates for Lovebug and the wave of semi-clones that followed.

But as far as Lovebug is concerned, I don’t remember you being at the birth. 🙂

David Harley FBCS CITP CISSP
AVIEN Chief Operations Officer

Airport security and Defense in Depth

I know this Blog is devoted primarily to computer security, specifically emphasizing Malware issues. I’d like you to indulge me for a small side trip to another area of security that impacts most of us, and hopefully this will fire some stray neurons and perhaps give ideas and insight to how we do business.

This all started during one of my latest business trips. We’re told flying is a privilege, not a right or necessity. I, like so many business travelers, get annoyed at being treated as a criminal because I have the audacity to travel by air for business needs. So, let me get things right: I pay for the privilege of being treated as a potential terrorist because, in the course of conducting commerce, my employer sees a business need for me to fly to my destination? I also have the honor of paying $25 to check a bag so I can have the luxury of clean clothes when I arrive at my destination? Now I have the honor of sitting next to someone whose weight is such that the seat-back tray cannot come completely down, while he’s overlapping my already too-tight seat, forcing me into the aisle/wall? Now, my noise-canceling ear buds are worth every penny I paid, but where can I get odor-blocking nose buds to block the garlic and other odors emanating from my seatmate? Add in maintenance or weather flight delays, running to gates, layovers longer than three hours, and suddenly I’m not feeling so privileged, and am understanding why fewer people are flying.

It was about this point in my flight when I started playing the old game of “what if”. In this case, what if I owned a domestic airline? How would I address security while making the customer feel more comfortable? Rather naturally, my first thought went to my seat-mate, and I thought: if you need a seatbelt extender, you need to buy a second seat. Sorry if this offends anyone, and I know they’re shrinking seat size to fit more people on already increasingly full flights, and people of average size are cramped, but I’m thinking he had to be as uncomfortable as I was, and a second seat (while an increased expense to him) would have alleviated that issue rather handily. Next, and probably the most revealing thing, came when I tried opening my baggie of “Mini Pretzels”. That baggie of airline-supplied snacks did not want to open, and I was reduced to using my teeth to get a tear started. Now normally I’d reach into my pocket and pull out my Leatherman brand multi-tool, and use the knife blade to cut open the bag, but due to security, it was in my checked baggage. Here we go, I can hear the cries now: “what kind of uncivilized fool carries a knife in this day and age?”, “Typical Yank, needs his knife and gun”, etc. Well, according to my education, it’s uncivilized and unsanitary to use your mouth to open packages. If memory serves right, Miss Manners said something about the practice lacking proper etiquette. I was taught early that it was simple tools like the knife that elevated us above animals, and made our behaviors less animalistic.

Proceeding on that line of thought, I thought about why these rules were in place. The answer came down to preventing skyjacking and making the flying public feel more secure in their flight. Well now, here I am in my element: SECURITY. So let’s take a look at the security and vulnerabilities of modern aircraft. As many have written previously, the flight deck is the weakest point of any aircraft. Like others before me, I thought of the isolation of the bridge and flight crew, separate entry points, toilet facilities, rest facilities, etc.

Then a light bulb went off. The weak point isn’t the flight deck but, as in most security issues, the personnel. The flight crew itself is the weak point. They are the ones who are directly attacked to gain control of the aircraft. So if we remove them (and the flight controls), the aircraft is secure against any kind of take-over attack, right? So who flies the planes? Simple: the same people.

The fact is, most modern aircraft already fly from near take-off to landing by computer. Add to this the advances in remotely manned aircraft (such as the ‘unmanned’ drones in the warzones), and the U.S. Air Force openly talking about unmanned fighters in the not-so-distant future, so why not in commercial aircraft? I realize some people are not going to be comfortable without a face they can put “in control”, so it may be necessary for the short term to have a flight-trained deck officer with a manual override capability on each flight. However, as people become more accustomed to the technology, this need will go away. The manual override will need to be designed so that the on-board crew cannot activate it themselves, unless some critical event occurs and the aircraft loses communications with the ground, or a ground controller agrees, making a two-key type system.

Now, with no flight deck, box cutters, guns, or even bomb threats have no value. There’s no one to take control from. That being the case, there is no need for everyone to be treated as a criminal and go through metal detectors, have our bags scanned and searched, or even go through the full body scanners. The only legitimate threat is explosives, and the destruction of the aircraft.

Looking from a skyjacker/terrorist point of view, they already know that after 9/11, passengers will not allow an aircraft to be taken over and used as a weapon again. That’s why we’re already seeing attacks like the shoe and underwear bombers. This threat can be addressed in a more cost-effective, low-tech manner, namely well-trained K-9s. Think of it: no more security lines, one (or more) dog team behind the baggage check to sniff checked baggage, and several roaming the facility and at congestion points and boarding gates.

So a quick recap: fewer security officers would be needed, fewer flight crews, and pilots could work from central facilities (like the military drone operators do), enabling them to work 8-hour shifts with less pilot fatigue, and fewer errors like overshooting airports due to pilot inattention. Pilots may even be able to monitor multiple simultaneous flights; if not, at least moving from one flight to the next is under 5 minutes, giving increased turnaround time. Some will question the wisdom of not checking for knives and firearms. I ask you to use logic and not emotions. Most murderers want to get away; they’re not going on a killing binge on an aircraft where they are already a prisoner with no escape route. As for mass murder/suicide, other passengers will not be defenseless, and will be able to stop an evil-doer before it gets out of hand.

What about explosive decompression? The well-educated know this is simply Hollywood hype and not a threat to a modern aircraft from a firearm.

I do believe this to be technically feasible. However, I don’t think this will ever happen, simply because it’s a real security solution, not security theater. Governments will lose some power over the traveling public. People will lose jobs, unions will lose members (and the resulting income and power), and this does not play to people’s fears and emotions, nor provide a visual “security blanket”. Finally, like any security solution, it’s not perfect, but for once it is a real security solution that would produce solid results at reduced cost and with increased liberties.

Now I know this is already long, but to tie it to the computer security world, how many of our efforts are security theater, rather than actually addressing the root security issue? How many times do we have to put in a layer to provide a feeling of security without being beneficial, inadvertently impacting our customers? Just something to think about next time we’re asked to “do something”, and if anyone from the airlines wants to implement my ideas, I’d welcome it.

Ken Bechtel
Team Anti-Virus
Virus Researcher and Security pontificator

iPhones, Facebook, and malware friendliness

Being the conscientious security professional, I do my best to keep all my computing devices current on OS and application patches. This goes for every server in the lab to the iPod Touch and everything in between. Last night, while checking the iStore for app updates, I was advised that Facebook had released a new version of their app.

As a force of habit, I looked at what the update addressed. Rather interestingly, it made the application more “user friendly”. The first item on the list was to be able to synchronize my friends with my contacts. This allows me to import things such as contact information and profile photos from Facebook to my “Contacts” or address book. Not too bad as such, although some of my “friends” like to use their dog, or a comic character, as their photo. Neat feature: now should David Phillips ever leave OU, well, when he updates his phone number and email, I won’t need to worry, my iPod will update automagically. However, I don’t get to pick and choose which photos to sync, so when an old high school chum updates their photo from a nice head-shot to something less than professional, well, I’ll have no choice there.

Now that is rather nice and user friendly, but at the same time, suddenly, Facebook is also pushing messages, wall posts, friend requests, friend confirmations, photo tags, events and comments. In fairness, I did have to approve Facebook access and authorization.

So here’s the rub: as a normal user, I would say “yeah, sure, that’s what I want, I want to know when David Harley posts the next AVIEN blog to Facebook”. But suddenly, Facebook has access to my address book (Contacts, to be precise) AND is able to push to my always-on device (iPhone and iPod Touch use the same app). This disturbs me greatly, as now my email addresses are harvestable (and who’s to know), as well as potentially malicious information being pushed to my phone. Am I paranoid? I’m envisioning a compromise at FB, which is then using iPods and iPhones to send SPAM, emails and SMS messages.

As we often said in the past, a more user-friendly environment directly translates to a more malware-friendly environment. I only hope more mobile device users take the steps I did and do NOT allow pushes and the like.

Ken Bechtel