Monthly Archives: January 2010

Happy Birthday Dear Mikko…

Actually, I don’t know when Mikko Hypponen’s own birthday is, but the F-Secure blog is six years old today (F-Secure was the first AV vendor onto the blogging scene).

Makes me feel like a raw beginner. 😉 Though in fact, I was publishing alerts and advisories on an NHS (internal) web site in a blog-like format a year or two earlier, I think. This was before I joined the AV industry, of course (the NHS is the UK’s National Health Service). However, even the earliest F-Secure blogs (http://bit.ly/cOvLLL) look a lot more professional than those. In my first couple of years at the NHS, I had to generate an advisory in an approved format, generate a PDF, then pass it on to someone else to post it onto a web server. That, of course, was hardly real-time. If there was no-one around to do it or they were really busy, it might take days or even a week or two. Which was a bit of a problem at a time when fast-burning mass-mailers and virus hoaxes could come out of nowhere and pass through the mail systems like wildfire.

In my previous job, I used to generate text files that people could access via a shell script calling lynx from the Unix command line, accessed from PCs and Macs using telnet or kermit for terminal emulation. Happily, technology has moved on.

Sandbox? We used to dream of living in a sandbox.

David Harley FBCS CITP CISSP
Security Author/Consultant at Small Blue-Green World
Chief Operations Officer, AVIEN
ESET Research Fellow & Director of Malware Intelligence

Also blogging at:
http://www.eset.com/threat-center/blog
http://smallbluegreenblog.wordpress.com/
http://blogs.securiteam.com
http://blog.isc2.org/
http://dharley.wordpress.com
http://macviruscom.wordpress.com

Educating the CIO

Useful and lengthy comment from Rob Rosenberger added to my blog at https://avien.net/blog/?p=368.

Also a pointer to a Vmyths article from 2005 that may bring back some unhappy memories for some of us…

David Harley FBCS CITP CISSP
Chief Operations Officer, AVIEN
Director of Malware Intelligence, ESET

Also blogging at:
http://www.eset.com/threat-center/blog
http://smallbluegreenblog.wordpress.com/
http://blogs.securiteam.com
http://blog.isc2.org/
http://dharley.wordpress.com

Unnamed App Facebook Hoax/Scam

Flagged by Peter Kruse on a specialist list.

A hoax is circulating on Facebook, warning about a virus that is supposed to add an “Unnamed App” to the FB tabs.

Search-engine optimisation (SEO) built around the hoax actually drives the incautious Googler towards fake AV.

I blogged this at some length at ESET, so I won’t repeat it all here.

http://www.eset.com/threat-center/blog/2010/01/27/unnamed-app-facebook-hoax

2nd Security Blogger Summit

This is an interesting event (of which I only became aware yesterday – thanks, Julio!) taking place in Madrid on 4th February. See:

http://www.securitybloggersummit.com/ 

(It’s in Spanish, but there are plenty of translation tools around nowadays to help with that for non-Spanish speakers.)

Although Panda is organizing the event, the company is being scrupulous about keeping it vendor neutral, so I won’t be attending on this occasion, unfortunately (it looks really interesting).

The thought did occur to me, though, that a forum where independent security bloggers, industry bloggers and the media could discuss issues and approaches would be a Good Thing: a sort of AMTSO for bloggers.

Randy Abrams and I put together a paper for AVAR last year on “practical, strategic and ethical issues that arise when the security industry augments its marketing role by taking civic responsibility for the education of the community as a whole” that seems quite relevant to that thought.

http://preview.tinyurl.com/ylfu3e6

Maybe I need to revisit it.

Win32/Zimuse

Not a Conficker-sized issue, but interesting:

http://www.eset.com/threat-center/blog/2010/01/22/bemused-by-zimuse-dis-is-not-one-half

http://www.eset.eu/press-computer-worldwide-targetted-by-MBR-Worm

Who Will Educate the Educators?

@vmyths, otherwise known as Rob Rosenberger, notes on Twitter that

“3doz firms THAT EMPLOY COMPUTER SECURITY EXPERTS got whacked in a zero-day attack. How about some ‘education’ for THEM, eh?”

Well, “computer security experts” is a somewhat fuzzy term, and a little pejorative: when the media use it, they usually mean themselves, or the company that supplied the press release they’re recycling. When they actually mean computer security professionals, it’s usually in the sense of “so-called security experts who can’t see what is absolutely clear to any right-thinking journalists.” A somewhat similar mindset, perhaps, to those denizens of Security-Basics who believe that anyone who has letters after his name has to be a blithering idiot with no actual security experience. No, I’m not getting into that argument again…

But let’s assume that Rob means the same group that I probably would, if I couldn’t avoid using the term: information security professionals not necessarily working within the security industry. (I know there sometimes seems to be far too many of us who are in the industry, but most of us are OK, honestly.)

A group, in fact, rather like the subscribers to the first incarnation of AVIEN: people with a wide range of job titles, skill sets and responsibilities, from independent researchers to experienced managers and system administrators to people who suddenly found themselves landed with (some) security responsibility for their company. (Yeah, me too…)

Well, it’s true: if you’re going to make people responsible for security, you do need to ensure that they already have some experience and training, or that they at least receive some training to jumpstart them into the role. Especially if, like me, you believe that part of the security professional role is to take some responsibility for the education of others. (Yes, I know that there’s a sizeable section of the security community that believes there’s no mileage in trying to educate the end-user – http://www.eset.com/download/whitepapers/People_Patching.pdf – but I’m not getting into that argument right now, either.)

Before we start blaming everything (yet again) on lazy, incompetent, uneducated security experts though (and hopefully that isn’t what Rob meant), let’s remind ourselves of a few pertinent facts.

  • As my colleague Aryeh Goretsky has pointed out, banks with security guards are not immune to bank robberies. “Mitigation of risk != elimination in its entirety.”
  • When a company hires security professionals, it doesn’t necessarily mean it listens to those professionals. Especially when listening to their advice entails spending significant sums that could be better spent on upgrading the catering on the Executive floor.
  • The corollary to assuming that employing security professionals (even competent individuals with exemplary support from the Boardroom) is enough to eliminate risk, is that if some malicious actor does get through, someone has “failed” and needs to be fired. That’s just lazy thinking: not so different to giving the bank janitor a uniform, a revolver and six shells, and saying “Hey, you’re promoted: now our asses are covered.”

Let’s not forget Spaf’s first principle of security administration:

If you have responsibility for security, but have no authority to set rules or punish violators, your own role in the organization is to take the blame when something big goes wrong.

That observation by Professor Eugene Spafford is as accurate now as it was when I first read it nearly twenty years ago…

David Harley [Formerly FBCS CITP CISSP]
ESET Senior Research Fellow


Haiti: a more personal view

Further to Thursday’s blog on the Haiti situation at https://avien.net/blog/?p=349, Jeff Debrosse, ESET’s Snr. Research Director, has put up a blog at http://jeffdebrosse.wordpress.com/2010/01/15/haiti-info-and-update/ that includes some additional resources, as regards both help resources and security information resources relevant to the disaster.

On behalf of AVIEN I’d like to express our sympathy to Jeff, whose father is currently missing in Haiti, and our hope that he’ll turn up, safe and sound, very soon.

Can I also point out that while I’m pleased to include pointers to other resources, as I mentioned in a previous blog here, I do need to be able to verify them? Sorry!

Haiti-Related Resources

Help resources, mostly: blogged at http://www.eset.com/threat-center/blog/2010/01/14/haiti-help-resources because there was an issue re security blogging in general to which I wanted to add my 2 cents.

If you have additional resources you’d like to see added, mail me at dharley [at] eset.com. Here are the resources listed in the blog above right now (I’ve been updating them as I’ve seen them come in.)

That first resource includes a long list of contact information for legitimate organizations working in or for Haiti. It also includes some recommendations from the FBI via MSNBC for avoiding being scammed or worse by bad actors.

Update: Tom Kelchner includes some resources for self-protection in the modestly entitled blog at http://sunbeltblog.blogspot.com/2010/01/best-advice-on-avoiding-haitian-relief.html.

The ESET blog has also been updated to include those and other resources.

Blackberry Flavour: Old Whine in a New Bottle

Connoisseurs of hoaxes will be pleased that an old friend has turned up in a new dress for a new platform.

Oliver Devane has reported on the Avertlabs blog (wow! that’s a long URL!) that he’s received an example of the type of message that reads something like “if you get a message from [whoever] don’t open it: he’s a hacker and will bring down your system”.

I’ve seen a heck of a lot of these over the years, but this one is different in one or two respects. Most significantly, it’s tailored for the Blackberry and sent out via Blackberry Messenger. I rather like the fact that the alleged hacker is apparently female. Somehow, this seems appropriate at a time when over 50% of the US workforce is, apparently, now also female. I guess the glass ceiling is cracking: maybe it’s the cold weather.

Interestingly, Oliver suggests that the explosion of social networks may be contributing to a rise in hoaxes, chain letters and other spam, because it’s getting easier all the time to add contacts across platforms.

Transitive Phishing (updated)

Paul Ducklin’s thoughtful blog on “Taxation scammers open the batting for 2010” highlights a tax phish that manages to get round the “why should I click on that link when that isn’t my bank?” issue by offering a choice of bank links leading to a clone site. Neat, and “transitive phishing” is a good label for it. But the answer is the same. Don’t trust a link in email (are you listening, eBay?) Go to a URL you know you can trust, and if it means typing it in by hand, do that.

Update: Dmitry Bestuzhev has pointed out to me that he blogged on this scam a day before Duck’s blog was posted. Indeed he did, but it was the two-stage site-spoofing that I found interesting, rather than the fact that it’s a tax scam. Still, he’s right that it’s worth noting in itself that there is another round of tax scams, and the Analysts Diary blog is certainly a resource worth keeping an eye on.
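The defender’s side of that advice, as an added example that is not part of the original post or of any vendor’s tooling: a small Python check that pulls every link out of an HTML mail body, compares each link that names a bank brand against that brand’s known domain, and reports the hallmark of transitive phishing, namely several brands whose links all resolve to one host that belongs to none of them. The brand names, domains and the sample “tax refund” message are all constructed placeholders; a real deployment would load the brand-to-domain table from a maintained allowlist.

```python
"""Flag "transitive phishing" links in an HTML email body.

Added example, not code from the original post. The mechanism the post
describes is one mail offering links for several banks, all of which lead
to a single clone site. Here every link that names a bank brand is checked
against that brand's real registrable domain, and links that claim a brand
but resolve elsewhere are reported. All names/domains are placeholders.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed allowlist: brand as it appears in anchor text (lowercase)
# -> the registrable domain the brand really uses. Placeholder values.
KNOWN_BRANDS = {
    "example bank": "example-bank.example",
    "sample savings": "sample-savings.example",
    "placeholder credit union": "placeholder-cu.example",
}


class _LinkCollector(HTMLParser):
    """Collect (anchor text, href) pairs from an HTML fragment."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def extract_links(html):
    """Return [(anchor_text, href), ...] in document order."""
    parser = _LinkCollector()
    parser.feed(html)
    return parser.links


def host_matches(host, domain):
    """True if host is the brand's domain or a subdomain of it."""
    host = (host or "").lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def find_transitive_phish(html, brands=KNOWN_BRANDS):
    """Links whose anchor text names a known brand but whose href host is
    not that brand's domain. Each finding records the claimed brand."""
    findings = []
    for text, href in extract_links(html):
        host = urlsplit(href).hostname or ""
        lowered = text.lower()
        for brand, domain in brands.items():
            if brand in lowered and not host_matches(host, domain):
                findings.append({"text": text, "href": href,
                                 "host": host, "claimed_brand": brand})
                break
    return findings


def shared_clone_hosts(findings):
    """Hosts that more than one brand-claiming link resolves to: the
    signature of transitive phishing (many brands, one clone site)."""
    counts = {}
    for f in findings:
        counts[f["host"]] = counts.get(f["host"], 0) + 1
    return sorted(h for h, n in counts.items() if n > 1)


# Constructed sample: a tax-refund lure offering a "choice" of banks.
SAMPLE_MAIL = """
<p>Your 2009 tax refund is ready. Select your bank to receive it:</p>
<ul>
<li><a href="https://tax-refund-portal.example.net/login?bank=1">Example Bank</a></li>
<li><a href="https://tax-refund-portal.example.net/login?bank=2">Sample Savings</a></li>
<li><a href="https://tax-refund-portal.example.net/login?bank=3">Placeholder Credit Union</a></li>
</ul>
<p>Already a customer? Visit <a href="https://www.example-bank.example/">Example Bank</a> directly.</p>
<p><a href="https://mailer.example.org/unsubscribe">Unsubscribe</a></p>
"""

if __name__ == "__main__":
    hits = find_transitive_phish(SAMPLE_MAIL)
    for h in hits:
        print(f"claims {h['claimed_brand']!r} but points at {h['host']}: {h['href']}")
    print("shared clone hosts:", shared_clone_hosts(hits))
```

The legitimate fourth link (a subdomain of the brand’s real domain) and the brand-free unsubscribe link are not reported; the three “choice of bank” links are, and because they share one host the message is reported as transitive phishing rather than as three unrelated mismatches.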
