Category Archives: security blog

Professor Klaus Brunnstein

Many people in the security industry have expressed their regret at the passing of Professor Dr Klaus Brunnstein, who died on 20th May 2015, just a few days before his 78th birthday, as I noted in an article for ITSecurity.

I’ve been particularly struck, though, by the fact that so many people were willing to share their thoughts: not only at ESET (where so many people expressed their regret that I felt I had to post the article at a vendor-neutral site so that it wouldn’t look like some kind of twisted PR exercise), but also by the many people who responded to requests for comments before the article was published and even after it was published. I’m only sorry I couldn’t include all the commentary I received.

I think it all indicates just what a legacy Klaus leaves behind him, not just politically, and not just to the security industry (including CARO and EICAR) and to academia (notably the Virus Test Center at the University of Hamburg), but to the entire online world. The article and the links it includes give only barest impression of how immense his contribution was, and just how much he’ll be missed personally. As Andrew Lee observed:

A thoroughly decent man. Sadly missed, he wasn’t able to make it to the CARO conference a couple of weeks ago. I only met him a few times, but it was always memorable.

David Harley
ESET Senior Research Fellow

VB Seminar 2010

I spoke at the VB 2010 Seminar in London on ways that Social Engineering can affect your business’ users.

During the talk, I used some links for demos (many thanks to my good friend Dave Marcus for originally showing me a few of these). For those that are interested, here are the links:

 

Andrew Lee
AVIEN CEO

Snakeoil Security

This is a really good article about how poor  security products can appear to work, but actually increase the problem:

http://ha.ckers.org/blog/20100904/the-effect-of-snakeoil-security/ *

The article also links to a good article about the ACUTrust product (which no longer exists) http://ha.ckers.org/acutrust/ – which contains the following quote

“like most systems that use cryptography it is not a vulnerable algorithm, but the system that uses it is”

This really does bear repeating as many times as possible. Just because a product claims to use cryptography – most will claim to be using AES256 – doesn’t mean they’re using it in a way that makes the system secure. Cryptography is all too often a security panacea, a ‘buzzword’ that makes the user feel like they’re safe, but the importance is, as always, in the implementation.

One of the best examples of this sort of failure I’ve seen recently is this http://gizmodo.com/5602445/the-200-biometric-lock-versus-a-paperclip. The incredibly secure biometrics in the lock mean nothing if the manual lock can be opened with a paperclip. Adding a stronger mechanism to a weaker one does not strengthen the system.

So why does this sort of failure happen so frequently? It really happens because security practitioners, as well as the people who buy security products, often don’t see the big picture. Security is about people, and what people will do (or not do) to the systems that they are presented with. A classic example is enforcing a strict ‘strong’ password policy that means that users write down their password, and stick it to the monitor so they don’t forget it.

Security isn’t really about products, or technologies – those can be enablers, but it is about seeing where the weaknesses are, understanding the risks, and taking what measures are possible to ensure those risks are minimised. Buying into ‘hot’ products is not a reasonable investment if you don’t understand what you are buying and why you’re buying it.

I personally am coming to believe that the greatest failure of security over the last 20 years is that we have failed to understand that we are securing (for and against) people not technologies, and people do the strangest things.

Andrew Lee
AVIEN CEO / CTO K7 Computing

* Thanks to @securityninja for the original link

Happy Birthday Dear Mikko…

Actually, I don’t know when Mikko Hypponen’s own birthday is, but the F-Secure blog is six years old today (the first AV vendor onto the scene).

Makes me feel like a raw beginner. 😉 Though in fact, I was publishing alerts and advisories on an NHS (internal) web site in a blog-like format a year or two earlier, I think. This was before I joined the AV industry, of course (the NHS is the UK’s National Health Service).  However, even the earliest F-Secure blogs (http://bit.ly/cOvLLL) look a lot more professional than those. In my first couple of years at the NHS, I had to generate an advisory in an approved format, generate a PDF, then pass it on to someone else to post it onto a web server. That, of course, was hardly real-time. If  there was no-one around to do it or they were really busy, it might take days or even a week or two. Which was a bit of a problem at a time when fastburning massmailers and virus hoaxes could come out of nowhere and pass through the mail systems like wildfire.

In my previous job, I used to generate text files that people could access via a shell script calling lynx from the Unix command line, accessed from PCs and Macs using telnet or kermit for terminal emulation. Happily, technology has moved on.

Sandbox? We used to dream of living in a sandbox.

David Harley FBCS CITP CISSP
Security Author/Consultant at Small Blue-Green World
Chief Operations Officer, AVIEN
ESET Research Fellow & Director of Malware Intelligence

Also blogging at:
http://www.eset.com/threat-center/blog
http://smallbluegreenblog.wordpress.com/
http://blogs.securiteam.com
http://blog.isc2.org/
http://dharley.wordpress.com
http://macviruscom.wordpress.com