Category Archives: ESET

Securing Infrastructure

A few months ago, I was invited to contribute a short essay to an eBook published by Mighty Guides on ‘What are the greatest challenges you face in securing your network and applications infrastructure?’

Well, it’s been a while since I was directly involved in securing a major organization’s infrastructure, but I figured the principles haven’t changed much in the last ten years or so… I was a bit taken aback to find that the publication was sponsored by one of ESET’s competitors and that it would only be available at first by registering with that competitor’s web site. Not that I have a problem with the company concerned getting some return on its investment, but Mighty Guides should really have made clear to all the contributors that there might be a problem for people who work for other companies. (Fortunately I’m a freelancer, so there’s no conflict of interest as such, but some people who do what I do are employees.)

However, the section to which I contributed is now available without registration on Slideshare – as is at least one other section – and will eventually be available in full on the Mighty Guides site. If you can’t wait and don’t mind registering in order to get a full copy, you can find it here.

David Harley
ESET Senior Research Fellow

Support Scam Resources Update

Added a link to the AVIEN support-scam resources page: to be precise, an article for ESET in which I commented on some recent developments in the support scam landscape, including a pointer to Jerome Segura’s article for the Malwarebytes blog: Support Scam Cold-Calling: the Next Generation.

Also referenced in the article and well worth a read is a recent post by Jean-Ian Boutin (also for ESET).

David Harley
Small Blue-Green World
ESET Senior Research Fellow

Recent scam resources page updates

It occurs to me that I haven’t flagged here a couple of updates to the scam resources page that I’ve made this month. 

  • Misrepresenting System Utility Output [6th August 2012]
  • Support Scam Anna-lytics and a very dodgy phone number [9th August 2012]

I need to put in some anchors to those sections, but at the moment they’re at the top of the page anyway.

David Harley CITP FBCS CISSP
AVIEN Chief Dogsbody
ESET Senior Research Fellow

‘Tech Support’ Scam Resources Page updated

I haven’t updated the scam resources page on the AVIEN blog site since November 2011. Mea culpa. However, that doesn’t mean I haven’t been beavering away at raising awareness of this scam among readers of my blog, the security industry, and (not least) law enforcement. So I’ve finally got around to updating the page.

Firstly, I’ve changed the name to something more unwieldy (less wieldy?), but a bit more explicit as to exactly what it’s about.

Secondly, I’ve added quite a few links to resources. Depressingly, most of them are my own blogs – I can’t believe how hard it is to get people to take notice of this scam! – but I shouldn’t forget to mention my friends and colleagues Steve Burn (Malwarebytes), Craig Johnston (independent researcher) and Martijn Grooten (Virus Bulletin), with whose help I’ve put together a couple of somewhat massive papers to be presented at CFET and Virus Bulletin later this year.

David Harley CITP FBCS CISSP
AVIEN & Small Blue-Green World Dogsbody
ESET Senior Research Fellow

Sick of Stuxnet?

Even if you’re not thoroughly sick of the word Stuxnet, you may well be pretty confused as to what “the truth” about it is. I know I am…

I think it will probably be a while before we get the whole picture, though there are a couple of last minute presentations scheduled for the Virus Bulletin conference in Vancouver next week that should be very interesting indeed: well, for sad Geeks like me, anyway. (I hope to see some of you there, maybe at the pre-drinks reception.)

I’ve spent quite a lot of the past couple of weeks working with some colleagues from ESET on a Stuxnet paper (67 pages long, so you’d think I’d be all Stuxnetted out by now). While we can’t predict all the surprises those papers will unfold, there’s some fairly detailed analysis and some observations that go a little against the “cyberwar on Iran” flow. Stuxnet Under the Microscope, by Alexandr Matrosov, Eugene Rodionov, David Harley and Juraj Malcho, September 2010 is available on the ESET white papers page at http://www.eset.com/resources/white-papers/Stuxnet_Under_the_Microscope.pdf.

David Harley CITP FBCS CISSP
ESET Senior Research Fellow

Changing Passwords: Should You Pass On It?

I’m seeing a lot of traffic about a story in the Boston Globe and taken up elsewhere suggesting that changing passwords is “a waste of time”. Well, actually, the study by Cormac Herley doesn’t exactly say that, and I suggest that you read the actual study to see what it does say. It’s actually well worth reading and makes some excellent points, though it’s not a particularly new paper, and some of the points it makes are much older. 

Should you stop changing passwords? Well, you probably don’t have much choice, in general. You should certainly use strong passwords, where possible (some systems actively work against you in that respect, by only accepting limited password options). Randy Abrams and I wrote a paper for ESET last year that discussed some password strategies, and one of the points made there was: 

 “It’s sometimes useful to consider whether frequent changes are really necessary or desirable. After all, if you’re encouraging the use of good password selection and resistance to social engineering attacks, and making it difficult for an attacker to use unlimited login attempts, a good password should remain a safe password for quite a while.”

I don’t think that the “change passwords every thirty days” mantra has been as universally enthused over by security specialists as the Globe suggests. System administrators (not always the same thing as security specialists) do often enforce such measures, of course. But while I was working on some notes for a journalist today on social engineering, I came across this quote in a paper I presented at EICAR in 1998. (I’ll have to put that paper up somewhere: it’s actually not bad, and not particularly outdated.)

“Documented research into social engineering hasn’t kept pace with dialogue between practitioners, let alone with real-world threats. Of course password stealing is important, but it’s [also] important not to think of social engineering as being concerned exclusively with ways of saying “Open, sesame…..”

Even within this very limited area, there is scope for mistrusting received wisdom. No-one doubts the importance of secure passwords in most computing environments, though the efficacy of passwording as a long-term solution to user authentication could be the basis of a lively discussion. Still, that’s what most systems rely on. It’s accepted that frequent password changes make it harder for an intruder to guess a given user’s password. However, they also make it harder for the user to remember his/her password. He/she is thus encouraged to attempt subversive strategies such as:

  • changing a password by some easily guessed technique such as adding 1, 2, 3 etc. to the password they had before the latest enforced change.
  • changing a password several times in succession so that the password history expires, allowing them to revert to a previously held password.
  • using the same password on several systems and changing them all at the same time so as to cut down on the number of passwords they need to remember.
  • aides-mémoire such as PostIts, notes in the purse, wallet or personal organizer, biro on the back of the wrist…..

How much data is there which ‘validates’ ‘known truths’ like “frequent password changes make it harder for an intruder to guess a given user’s password”? Do we need to examine such ‘received wisdom’ more closely?”

Nor do I claim that those thoughts were particularly original: luminaries like Gene Spafford and Bruce Schneier have made similar observations. That doesn’t mean you should accept uncritically what they, or I, say. But it’s always worth wondering if received wisdom is really wise.
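The two workarounds in the 1998 list that a system can actually see – bumping a trailing counter on the old password, and changing several times in a row to flush the history – are the ones a change-time policy check can target. The following is an added illustration, not code from the original post or from the 1998 paper: a small Python module that verifies the current password, enforces a minimum password age (which defeats the history-flushing trick), rejects new passwords that are trivial variants of the current one (counter bump, case flip, reversal, or no more than two edited characters), and refuses recent reuse. The class and function names, the thresholds, and the sample passwords are assumptions for the example.

```python
# Added example (not from the original post or the 1998 EICAR paper).
# Password-change checks aimed at the circumvention strategies listed above.
# Names, thresholds and sample passwords are assumptions for illustration.
import hashlib
import hmac
import os
import re
from datetime import datetime, timedelta
from typing import Tuple

MIN_PASSWORD_AGE = timedelta(days=1)   # blocks "change N times to flush the history"
HISTORY_DEPTH = 12                     # number of previous password hashes kept
MAX_TRIVIAL_DISTANCE = 2               # edits at or below which old/new count as the same
PBKDF2_ROUNDS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; only these digests are stored, never plaintext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance via the standard row-by-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_trivial_variant(old: str, new: str) -> bool:
    """True if `new` is `old` with a trailing counter bumped, case changed,
    reversed, or only a couple of characters edited (Summer2009! -> Summer2010!)."""
    def stem(s: str) -> str:          # drop a trailing run of digits
        return re.sub(r"\d+$", "", s)

    o, n = old.lower(), new.lower()
    if o == n or o == n[::-1]:
        return True
    if stem(o) and stem(o) == stem(n):
        return True
    return edit_distance(o, n) <= MAX_TRIVIAL_DISTANCE


class AccountPasswords:
    """Per-account history of (salt, digest, changed_at), oldest first.
    The similarity test only ever sees the two plaintexts the user must supply
    at change time; older entries can only be compared by hash."""

    def __init__(self, initial: str, changed_at: datetime):
        self.history = []
        self._store(initial, changed_at)

    def _store(self, password: str, when: datetime) -> None:
        salt = os.urandom(16)
        self.history.append((salt, hash_password(password, salt), when))
        del self.history[:-HISTORY_DEPTH]

    def _seen_before(self, password: str) -> bool:
        return any(hmac.compare_digest(hash_password(password, salt), digest)
                   for salt, digest, _ in self.history)

    def change(self, current: str, new: str, now: datetime) -> Tuple[bool, str]:
        salt, digest, changed_at = self.history[-1]
        if not hmac.compare_digest(hash_password(current, salt), digest):
            return False, "current password incorrect"
        if now - changed_at < MIN_PASSWORD_AGE:
            return False, "minimum password age not reached"
        if is_trivial_variant(current, new):
            return False, "new password is a trivial variant of the current one"
        if self._seen_before(new):
            return False, "password was used recently"
        self._store(new, now)
        return True, "changed"


if __name__ == "__main__":
    t0 = datetime(2010, 4, 1, 9, 0)
    acct = AccountPasswords("Ex4mple!Pass1", t0)            # constructed sample
    print(acct.change("Ex4mple!Pass1", "Ex4mple!Pass2", t0 + timedelta(days=2)))
    print(acct.change("Ex4mple!Pass1", "corn-tangent-7velvet", t0 + timedelta(hours=2)))
    print(acct.change("Ex4mple!Pass1", "corn-tangent-7velvet", t0 + timedelta(days=2)))
    print(acct.change("corn-tangent-7velvet", "Ex4mple!Pass1", t0 + timedelta(days=4)))
```

Two caveats a practitioner should keep in mind. The variant check needs both plaintexts, so it can only compare the new password with the one the user is giving up right now; anything older survives only as a hash, which is why exact reuse is caught but "Password7 after Password1, six changes ago" is not. And every rule of this kind raises the memory burden a little further, which is precisely how the PostIt-on-the-monitor strategy from the list above gets its foothold.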

And as Neil Rubenking points out, an attacker isn’t going to waste time on trying to crack your password with brute force if he can trick you into telling it to him, or into running a keylogger. Which takes me right back to that social engineering paper… [Update: now available at http://smallbluegreenblog.wordpress.com/2010/04/16/re-floating-the-titanic-social-engineering-paper/]

David Harley FBCS CITP CISSP
AVIEN Chief Operations Officer
ESET Research Fellow & Director of Malware Intelligence
Mac Virus
Small Blue-Green World

Also blogging at:
http://www.eset.com/blog
https://avien.net/blog/
http://smallbluegreenblog.wordpress.com/
http://blogs.securiteam.com
http://blog.isc2.org/
http://dharley.wordpress.com
http://chainmailcheck.wordpress.com
http://amtso.wordpress.com

That’s it, I’m Out of Here…

John Ozimek of The Register has pointed out some issues around blogging, journalism and freedom of speech in an article called “It’s official: Blogging is a dangerous business”.
http://www.theregister.co.uk/2010/01/07/blogging_report/ 

He’s referring to a report published by Reporters Sans Frontières at:
http://www.rsf.org/IMG/pdf/Bilan_2009_GB_BD.pdf

Of course, when you compare the figures for casualties of one sort or another for “real” journalists, the trend looks less dramatic (for instance, one blogger died in prison whereas 76 journalists are reported as having been killed). However, there is a distinct and alarming upward trend: nearly three times as many bloggers and “cyber-dissidents” were arrested in 2009: 151 as compared to 59 in 2008. Similarly, physical assaults on bloggers went up by 35%, and the number of countries affected by online censorship went up by 62%.

Fortunately for me, my geographical location and the nature of the work I do spares me most of those risks, though I suspect that there are one or two testers who wouldn’t mind slapping me round a bit. 😉

That’s not to say that there aren’t less dramatic risks to being a blogger, though: I pointed out some of them in an AVAR paper last year.
http://preview.tinyurl.com/ylfu3e6 

Still, compared to the 30 journalists killed in a single day in the Philippines, the odd flame from other bloggers, commenters, and the occasional suit doesn’t seem too bad.

Which reminds me that we don’t seem to have any takers for AVIEN members to swell our blogger population so far. C’mon, live dangerously! 🙂

David Harley FBCS CITP CISSP
Chief Operations Officer, AVIEN
Director of Malware Intelligence, ESET

Also blogging at:
http://www.eset.com/threat-center/blog
http://smallbluegreenblog.wordpress.com/
http://blogs.securiteam.com
http://blog.isc2.org/
http://dharley.wordpress.com

‘Tis the season for crystal balls…

And yes, I’m working on a crystal ball document today for ESET, making use of Randy Abrams’s blog at http://www.eset.com/threat-center/blog/2009/12/14/que-sera-sera-%e2%80%93-a-buffet-of-predications-for-2010 and ESET Latin America’s extensive document (already published in Spanish at http://eset-la.com/centro-amenazas/2256-tendencias-eset-malware-2010). But marketing departments and the media like that sort of thing.

In fact, many such articles are essentially retreads rather than dramatically insightful. However, Anton Chuvakin posted a blog yesterday that shows not only insight, as I’d expect, but a certain panache. Not that I wouldn’t expect that too. 🙂

http://chuvakin.blogspot.com/2009/12/security-predictions-2010.html

David Harley FBCS CITP CISSP
Chief Operations Officer, AVIEN
Director of Malware Intelligence, ESET

Also blogging at:
http://www.eset.com/threat-center/blog
http://dharley.wordpress.com/
http://blogs.securiteam.com
http://blog.isc2.org/