Author Archives: ALee

Vanya Kaspersky home and safe

Some people might have heard the news that the son of Eugene Kaspersky was kidnapped last week. This sort of nightmare scenario is the worst thing any parent could imagine and so it is with some relief that I can post that Vanya is home and safe, and the kidnappers are awaiting trial, having been captured.

A message from Eugene is here:

https://www.facebook.com/notes/eugene-kaspersky/vanya-is-back-home-safe-and-sound-thanks-for-your-support/10150156314765998

I am sure every member of AVIEN will join me in sending my best wishes to Eugene and family, and expressing our gladness that this awful situation turned out with the best possible result in the circumstances.
Andrew Lee

 

20 years of Windows Malware

An interesting, if rather lengthy, article over at InfoWorld discusses the long history of Windows malware (though the first few viruses mentioned are strictly speaking not Windows malware at all rather DOS .com infectors).

I’m not really sure what these articles tell us, more than that it’s been a long and fairly inglorious progression from the early days of hobbyist malware to the crime driven tsunami of fraudware that we have now. Of course it’s always interesting to revisit the past, but I’m not convinced it tells us much about the future. One thing is sure though, as the systems on which we run the world have progressed, so have the malware and security issues that we face. This is unlikely to change, and with new platforms and new paradigms, we will face new security challenges.

Talking of new challenges, some of you might be aware that I’ve got a new job, so I’ve pretty much left the running of AVIEN to David Harley, and I’ll leave it to him to take it forward in his own inimitable style. As with the progression of malware (and indeed progress in general) looking at the past doesn’t always mean that what you see is relevant to the future. AVIEN grew out of a specific need – to get fast information shared between beleaguered security admins – and developed from there into a network of interested professionals. I still feel there’s a need for it, as clearly do the members, but it remains to be seen exactly what form it will take in the future – however, with David at the helm, I’m sure it’s in good hands.

Andrew Lee
(Former) AVIEN CEO

VB Seminar 2010

I spoke at the VB 2010 Seminar in London on ways that Social Engineering can affect your business’ users.

During the talk, I used some links for demos (many thanks to my good friend Dave Marcus for originally showing me a few of these). For those that are interested, here are the links:

 

Andrew Lee
AVIEN CEO

AVIEN Sponsors VB 2010

Virus Bulletin 2010

In honour of our 10th Anniversary here at AVIEN, we’re sponsoring the pre-dinner drinks reception at the 20th Virus Bulletin Conference in Vancouver next week. In case you didn’t know AVIEN was formed out of conversations held at Virus Bulletin in 2000, and the relationship has been a long and friendly one between the two companies. We’re proud to help bring a part of the conference to the attendees.

Andrew Lee
AVIEN CEO / CTO K7 Computing

One from the “Don’t send stupid emails” department

In a frankly bizarre incident, a young British teen has been banned (for life) from entering the USA, after sending an abusive and threatening email to the Whitehouse email account. The 17 year old escaped criminal prosecution, but will be denied the opportunity to ever visit the land of opportunity.

Though this lad probably just got a bit annoyed and did something silly, one thing this does show is that young people simply aren’t being taught how to act on the internet (though reading USENET would have shown you that not many people do, young or old). Surely citizenship classes should also include information on how to be a good netizen, and schools IT curricula should include at least a basic understanding of personal security and how email works.

Full report from the BBC News site is here http://www.bbc.co.uk/news/uk-england-beds-bucks-herts-11296303

Andrew Lee
AVIEN CEO / CTO K7 Computing

Snakeoil Security

This is a really good article about how poor  security products can appear to work, but actually increase the problem:

http://ha.ckers.org/blog/20100904/the-effect-of-snakeoil-security/ *

The article also links to a good article about the ACUTrust product (which no longer exists) http://ha.ckers.org/acutrust/ – which contains the following quote

“like most systems that use cryptography it is not a vulnerable algorithm, but the system that uses it is”

This really does bear repeating as many times as possible. Just because a product claims to use cryptography – most will claim to be using AES256 – doesn’t mean they’re using it in a way that makes the system secure. Cryptography is all too often a security panacea, a ‘buzzword’ that makes the user feel like they’re safe, but the importance is, as always, in the implementation.

One of the best examples of this sort of failure I’ve seen recently is this http://gizmodo.com/5602445/the-200-biometric-lock-versus-a-paperclip. The incredibly secure biometrics in the lock mean nothing if the manual lock can be opened with a paperclip. Adding a stronger mechanism to a weaker one does not strengthen the system.

So why does this sort of failure happen so frequently? It really happens because security practitioners, as well as the people who buy security products, often don’t see the big picture. Security is about people, and what people will do (or not do) to the systems that they are presented with. A classic example is enforcing a strict ‘strong’ password policy that means that users write down their password, and stick it to the monitor so they don’t forget it.

Security isn’t really about products, or technologies – those can be enablers, but it is about seeing where the weaknesses are, understanding the risks, and taking what measures are possible to ensure those risks are minimised. Buying into ‘hot’ products is not a reasonable investment if you don’t understand what you are buying and why you’re buying it.

I personally am coming to believe that the greatest failure of security over the last 20 years is that we have failed to understand that we are securing (for and against) people not technologies, and people do the strangest things.

Andrew Lee
AVIEN CEO / CTO K7 Computing

* Thanks to @securityninja for the original link

HP Webscan opens a hole in your enterprise

In an interesting piece of research, Michael Sutton details the vulnerability opened up by leaving HP’s Webscan service enabled on your network attached scanner/printer devices.

http://research.zscaler.com/2010/08/corporate-espionage-for-dummies-hp.html

This really does highlight the fact that, when thinking about security, it is never good to assume anything. Any device attached to your network should be thoroughly examined, and the benefits considered.

Of course, it also is a big failure on the part of HP not to ensure such services are secured by default (or at least must be specifically enabled). Hopefully they’ll fix this, but for now, if you own an HP scanner/printer/fax device, then it’s worth checking you’re not exposing sensitive documents to the wrong people.

Andrew Lee
AVIEN CEO / CTO K7 Computing

AVAST takes $113 Million in capital

In what seems to be something of a trend for big investments or buyouts of AV companies, AVAST, the Czech based makers of the popular free AVAST Anti-virus, have sold a minority stake in their company to investment firm “Summit Partners”.

http://www.itnews.com.au/News/229866,avast-takes-113m-equity-injection.aspx

AVAST (formerly ALWIL software) has long been in the ‘free’ anti-virus game, as one of the pioneers of that model, and clearly it seems to be working for them. It should be interesting to see what they do with the cash and how their product line develops over the next few years as they compete with their big neighbour AVG, also Czech based and big in the free AV game.

Andrew Lee
AVIEN CEO / CTO K7 Computing

Also blogging at http://blog.k7computing.com

Breaking news: Intel Buys McAfee

Intel announced today that it has bought out McAfee, http://mcafee.com/us/about/intel_mcafee.html

It’s definitely a time of consolidation in the industry, and this is an interesting move on the part of a player that hasn’t so far gotten it’s feet wet in the software security arena (although Intel Capital has invested in other AV companies such as AVG).

What this means for consumers could be interesting, as the AV could be much more closely tied to the processor architecture.
Anyway, congratulations to all my friends at McAfee, next time we meet, the drinks are on you.

Andrew Lee CISSP
AVIEN CEO / CTO K7 Computing

Update 20/08/2010: Of course, I neglected to mention that Intel did of course have an AV product called LANDesk some years ago, that was bought by Symantec, so Intel isn’t totally new to this game.

Sins of Omission

It’s not really related to malware, but this is an interesting article that brings up a few issues that should be highligthed.

http://www.bankinfosecurity.com/articles.php?art_id=2846

Firstly, the cheque images in question are used as a security feature, you can view them online to see when and where they were cashed, and they are attached to a specific transaction. Those who don’t have a US bank account might not be familiar with such a system – however, the fact that the cheque now exists online should be a red-flag for security, and you would expect it to be protected as part of the bank account (your cheques, after all, have your signature on them, along with your bank details and a sample of your handwriting). The key to the success of this breach was that the images were all stored in a single online database. This in itself is a huge vulnerability.

Secondly, just because something is not a regulatory requirement, doesn’t mean that it shouldn’t be done as a matter of course. Holding such a database, and knowing that it contains data that would be very useful in fraud, then it makes sense to use encryption to protect it - so in this case fact that they were not encrypted simply makes it worse. It’s like saying that we were only required to put locks on the doors, but the regulations didn’t state we needed to close the windows.

Many European banks are moving away from paper driven cheques, and that would of course reduce or eliminate this specific attack, but what doesn’t seem to be happening is any assumption by the banks of attack. For instance, my bank has implemented some rudimentary anti-phishing protections, but it still uses a very weak password based account entry, which any key-logger could get around (unless of course I’m using a secure browser like K7SecureWeb or SafeCentral), and that combined with  a screen-scraper could easily compromise the anti-phishing measures.

Probably, as things get more serious (in terms of fraud) for the banks, there will be much more concentration on securing things. For now, the sad fact is that the consumers are not driving this, because they don’t care – the losses are to the banks, because of consumer protection (at least in the EU and USA). The reason my bank (along with most other British and US banks) have such poor security is that at the moment, the customers aren’t demanding higher security. That, coupled with silly things like only implementing the letter, rather than the spirit of regulation, is not going to bode well for the online banking in the near future.

Meanwhile, the Anti-malware industry gets a harder and harder rap for not being able to clean up all the mess, while what really needs to happen is for everyone to take a bit more responsibility for their actions, and understand that there are real threats out there, that cannot just be addressed by anti-malware alone, nor indeed any purely technology based solution.

Andrew Lee CISSP
AVIEN CEO / CTO K7 Computing