Tag Archives: Robert Slade

Anti-malware testing resource

Testing security software has been part of my life for almost as long as I’ve been involved with computing: not only in terms of evaluating the efficiency of products and technologies for the organizations I worked for, but as an independent tester (especially of Mac AV) way back in the 90s. I stopped testing when I began to foresee a time when I simply wouldn’t have the time or resources to do justice to what even then was a difficult job. There was a time around 2006 when I was discussing roles on both sides of the vendor/tester divide, but for better or worse, I went over to the dark side and focused on supplying consultancy services to the AV industry (primarily ESET). However, I didn’t escape the testing controversy, being involved almost from the beginning in in the Anti-Malware Testing Standards Organization (AMTSO) and even serving for nearly three years on its Board of Directors.

While I’m still in sympathy with the ultimate aims of AMTSO, when the organization decided that the blog I set up on behalf of the Board no longer met its needs, I found myself needing a platform where I could continue to provide independent commentary on testing issues. Hence, the Anti-Malware Testing blog. While most of the material there right now consists of articles I originally posted to the AMTSO blog (as an independent commentator, not on behalf of AMTSO) that are no longer available elsewhere, it’s primarily intended for new articles. (I am, however, currently working on a resource page similar to the one on the extinct amtso.wordpress.com blogsite, with links to useful articles, papers and other testing-related resources.)

Right now there are three new articles there:

  • Explaining the Anti-Malware Testing Blog is what the title suggests it is.
  • Imperva-ious to Criticism looks at Imperva’s continued defence of its flawed quasi-test methodology, which inappropriately tried to use VirusTotal as a measure of the detection abilities of anti-virus/anti-malware products.
  • A Little Light Relief is a little lighter in tone. Literally. It points to an entertaining article by Robert Slade. After all, if I had to take testing seriously all the time, I’d get very depressed.

Compliments of the season to all our readers, and very best wishes for the New Year.

David Harley CITP FBCS CISSP
Small Blue-Green World/Mac Virus
ESET Senior Research Fellow

Be Prepared

…and ordinarily, there’d be a witty allusion here to Tom Lehrer, who used the same title for one of his songs, but there’s a very serious edge to this post.

The part of the world I live in is mostly spared (touch wood) the sort of dramatic, extreme disaster that I sometimes discuss here in the context of disaster-related scams, blackhat SEO and so forth. Even flooding in the often-rainsoaked UK lacks drama compared to the impact it has in other parts of the world. But it’s depressing to think how much of my security writing in recent years has related to criminal exploitation of the 2004 and other tsunami, earthquakes and so on, and at the beginning of September I’m addressing the topic again at the CFET 2011 conference in the UK.

Many of my friends, acquaintances and readers are rather more used to the risk and reality of earthquakes, tsunami, forest fire, eruptions and so on, not least those who are situated close to the Pacific “Ring of Fire”, which has 75% of the world’s active and dormant volcanoes and experiences 80% of its largest earthquakes, and includes most of the West coasts of North and South America. However, a glance at the links on the Federal Emergency Management Agency’s page at http://www.fema.gov/ demonstrates that the US population as a whole is at enough risk from national disasters to justify the existence of the National Prepared Month Coalition. AVIEN’s US subscribers may well want to think about supporting the initiative (it’s free, it isn’t restricted to USians, and it gives access to some resources you may find especially useful in the US).

The point I really want to get over here, though, is less this particular initiative (though AVIEN does support it as a member, so you may hear more of this from me) than the importance of training for disaster as a mindset that we can all benefit from, even if we don’t live too close for comfort to a major fault line, like my colleagues in San Diego. Disaster is a beast with many faces, and not all disasters are “natural”.

Tip of the hat to Robert Slade for turning my attention to the issue (not for the first time, of course) .

David Harley CITP FBCS CISSP
Small Blue-Green World/AVIEN
ESET Senior Research Fellow

Japan Disaster: Commentary & Resources

[Further links added March 13th 2011 (and a couple more on the same day). Extra links and commentary appended March 14th. More commentary re the Bing chaintweet subsequently added. And yet more  on related scams added March 15th. More miscellaneous resources and commentary on 16th and 17th March. Additional links on 23rd March]

This is an attempt to bring together a number of disparate blogs highlighting resources I’ve been collecting over the past couple of days, relating to the Japanese earthquakes and tsunami. Apologies if there’s nothing here that’s new to you, but I think it’s important to spread this information as far as possible. This will now be my primary resource for putting up any further information I come across. I don’t, of course, claim that it will cover a fraction of the coverage that’s out there.

  • Some blogs of mine:
  • http://blog.eset.com/2011/03/11/japanese-earthquake-inevitable-seo 
  • http://chainmailcheck.wordpress.com/2011/03/12/earthquaketsunami-scam-resources/
  • http://blog.eset.com/2011/03/12/disaster-scams-and-resources
  • http://blog.eset.com/2011/03/11/disasters-getting-involved
  • And one more that I’ve referenced below…
  • Urban Schrott of ESET Ireland on do’s and don’t’s for safe browsing and disaster scam avoidance: http://esetireland.wordpress.com/2011/03/11/security-warning-japanese-earthquake-scams-will-send-tremors-through-the-web/
  • Paul Ducklin at Sophos on clickjacking by ibuzzu.fr: http://nakedsecurity.sophos.com/2011/03/12/japanese-tsunami-video-exploited-by-clickjackers/
  • Norman Ingal at Trend with some detail on observed BHSEO and fake AV: http://blog.trendmicro.com/most-recent-earthquake-in-japan-searches-lead-to-fakea/ 
  • Robert Slade at Securiteam with an older post (from the time of the Haiti earthquake – but still relevant) on training for disaster: http://blogs.securiteam.com/index.php/archives/1346
  • More analysis from Kimberley at stopmalvertising.com: http://stopmalvertising.com/blackhat-seo/recent-japanese-earthquake-search-results-lead-to-fakeav.html
  • Paul Roberts at Threat Post: http://threatpost.com/en_us/blogs/experts-warn-japan-earthquake-tsunami-spam-031111
  • Guy Bruneau at Internet Storm Center: http://isc.sans.edu/diary.html?storyid=10537&rss
  • Sean at F-Secure:  http://www.f-secure.com/weblog/archives/00002119.html 
  • Mike Lennon at Security Week: http://www.securityweek.com/massive-influx-scams-surrounding-japans-earthquake-and-tsunami-expected
  • spamwarnings.com is showing examples of spam related to this event: http://www.spamwarnings.com/tag/devastating-tsunami 
  • IRS online charities search: http://www.irs.gov/app/pub-78
  • Charity Navigator offers independent evaluation of charities: http://www.charitynavigator.org/
  • Google’s crisis response page: http://www.google.com/crisisresponse/japanquake2011.html
  • An old but much-to-the-point article on disaster scams from PC World: http://www.pcworld.com/article/61946/beware_of_online_scams_for_disasterrelief_funds.html
  • Phil Muncaster: http://www.v3.co.uk/v3-uk/news/2033668/google-twitter-facebook-step-help-japan-earthquake-survivors
  • Google’s People Finder service: http://japan.person-finder.appspot.com/?lang=en
  • Bing’s response page including several organizations offering relief initiatives: http://www.microsoft.com/about/corporatecitizenship/en-us/our-actions/in-the-community/disaster-and-humanitarian-response/community-involvement/disaster-response.aspx. A useful page, but there’s an aspect to Bing’s retweeting PR effort (see http://www.twitter.com/bing) that I can’t quite like, as explained at http://chainmailcheck.wordpress.com/2011/03/12/faith-hope-charity-and-manipulation/.
  • US-CERT: Japan Earthquake and Tsunami Disaster Email Scams, Fake Anitvirus and Phishing Attack Warning [Yes, the Anitvirus typo is on the web site: some useful links, nonetheless] 
  • Latest news from NHK World: http://www3.nhk.or.jp/nhkworld/ 
  • Graham Cluley: Japanese Tsunami RAW Tidal Wave Footage – Facebook scammers trick users with bogus CNN video
  • Morgsatlarge on Why I am not worried about Japan’s nuclear reactors
  • Real photos of the damage (hat tip to Rob Slade: http://www.nytimes.com/interactive/2011/03/13/world/asia/satellite-photos-japan-before-and-after-tsunami.html?hp; http://www.cbc.ca/news/interactives/japan-earthquake/index.html. Not exactly security-related, but the sort of thing that’s being used to decoy people onto unsafe sites.
  • One from the Register that I missed at the time, though it’s basically a pointer to the Trend article above: http://www.theregister.co.uk/2011/03/11/japan_tsunami_scareware/
  • World Nuclear News: Battle to stabilise earthquake reactors
  • Lester Haines for The Register: Threat to third Fukushima nuke reactor: Authorities using seawater to battle overheating
  • Apparently I wasn’t the only person upset at Microsoft’s use of the disaster to promote Bing: BingDings* Force Change of Tune.
  • Here’s another clickjack scam brought to my attention by Graham Cluley: as he rightly says, it’s not likely to be the last. Japanese Tsunami Launches Whale Into Building? It’s a Facebook clickjack scam 
  • While Lewis Page describes in The Register how the Fukushima plant is actually performing “magnificently”, given the unexpected scale of the stress to which Japanese nuclear facilities have been subjected in the past few days: http://www.theregister.co.uk/2011/03/14/fukushiima_analysis/ Even if you’re not totally convinced that this is an argument for more nuclear powerplants, it’s certainly a welcome corrective to the FUD-exploiting scareware SEO that I suspect we’ll see over the next few days.
  • Graham Cluley on an SMS hoax: Fukushima radiation hoax SMS message spreads in Philippines (clue: it’s the hoax that’s spreading, not radiation…)
  • Nuclear Energy Institute: Information on the Japanese Earthquake and Reactors in That Region
  • Lester Haines: Fukushima reactor core battle continues: May be heading for meltdown, but no Chernobyl likely
  • Stan Schroeder for Mashable: AT&T, Verizon offer free calls and texts to Japan from US 
  • Ben Parr for Mashable:  Japan Earthquake & Tsunami: 7 Simple Ways to Help
  • Technet Blog: Microsoft Supports Relief Efforts in Japan
  • USA.answers.gov summary: Current Situation in Japan
  • Christopher Boyd, GFI Labs: Another “Whale smashes into building” Tsunami scam on Facebook 
  • Allan Dyer has mentioned that SMS “BBC FLASHNEWS” hoaxes like the one Sophos flagged at http://nakedsecurity.sophos.com/2011/03/14/fukushima-radiation-scare-hoax-text-message-spreads-in-philippines/ have also been circulating in Hong Kong.
  • Urban Schrott with some more scam info from Facecrook and elsewhere
  • Sophos on tsunami charity scams
  • Lots more links suggesting that radiation risk is way overblown, but I think we have enough of those to get the gist. Just be sceptical about alarmist reports that you can’t verify from reputable sites.
  • Business Standard on Cybercrime sets sail on tsunami sympathy
  • Symantec on Phishers Have No Mercy for Japan describing a fake American Red Cross donation site.
  • I’m also seeing a number of posts and articles suggesting that the situation regarding affected nuclear facilities is getting worse: I’m not qualified to separate fact and fiction in many of these cases, so I won’t try to track them here.
  • Allan Dyer describes one of the SMS hoaxes and a donation scam message pretending to be from AT&T: http://articles.yuikee.com.hk/newsletter/2011/03/a.html
  • Graham Cluley describes several Japan-related video links that actually lead to malicious javascript and a Java applet, plus some fake twitter email notifications: Spammed-out Japanese Tsunami video links lead to malware attack. See also Chet Wisniewski’s post SSCC 52 – Twitter HTTPS, net neutrality, car hacking, tsunami scams and Pwn2Own.
  • Jimmy Kuo forwarded a reliable donation link at at http://www.jas-socal.org/, and here’s a post from Tracy Mooney on charitable giving .
  • A series of other blogs from McAfee: http://blogs.mcafee.com/mcafee-labs/world-record-for-disaster-scam-site; http://blogs.mcafee.com/consumer/robert-siciliano/tsunami-scam-warnings-keep-coming-in; http://blogs.mcafee.com/consumer/consumer-threat-alerts/japan-earthquake-scams-spreading-quickly
  • Christopher Boyd on Japan “Miracle Stories” scams on Youtube… and Rogue AV results lurk in contamination comparison searches and ICRC Japan donation scam mails and .tk URLs offering surveys, installs and fake Tsunami footage and Tips for avoiding the endless Japan disaster files and A Japan-themed 419 scam…
  • Crawford Killian is tweeting a lot of more general Japan-related stuff that might be useful to you as background rather than as direct security stuff. http://twitter.com/Crof (hat tip to Rob Slade.)
  • Nicholas Brulez: Japan Quake Spam leads to Malware
  • John Leyden for The Register: Fake Japan blackout alerts cloak Flash malware: Scumbags continue to batten on human misery
  • Not directly security-related, but I can see it being used as a social-engineering hook: Timothy Prickett Morgan on Japanese quake shakes semiconductor biz: Boards and chip packages hit too.
  • An article by Amanda Ripley that has no direct security implication that I can see offhand, but I thought was interesting anyway: http://www.amandaripley.com/blog/japan_and_the_cliche_of_stoicism/
  • I probably won’t continue to add too many resources to this page that don’t have a direct and compelling security dimension, but if you are interested in the sort of footage of exploding reactors, tsunami hits and so on that blackhats use as bait for fake AV and clickjacking, the BBC has quite a few relevant videos: I know that because I watch the news. 🙂 I haven’t looked up individual links, but a quick Google search brings up several at http://www.bbc.co.uk/: no doubt searches of CNN etc. would bring up similar results. There’s lots of this stuff out there: no need to click on dubious links from unknown sources!

    David Harley CITP FBCS CISSP
    AVIEN COO
    ESET Senior Research Fellow

    

    (Intellectual) Property is Theft?*

    First of all, congratulations to Andrew Lee on his new role as CEO of ESET LLC. It’s as well that my work for AVIEN is unpaid, as otherwise he’d be my boss twice over. 😉 Reading the press release here, it includes substantial references to AVIEN and the AVIEN book, to which many AVIEN members contributed, as did Andrew and myself.

    That was a very worthwhile project, but one of the less attractive aspects was the readiness of a great many people to generate and distribute pirated copies: apparently the time and effort it took us all to generate that book doesn’t deserve any recompense. In fact, I had a pirated PDF copy sitting on my desktop before my author’s (hard) copies arrived…. That wasn’t the first of my books to be pirated, let alone the only one. But it seems that the pace has picked up in recent years.

    So imagine my joy on reading in the Vancouver Sun that ION Audio are about to market a device that can scan a 200-page book in 15 minutes. (Thanks to Robert Slade, my co-author on Viruses Revealed, for bringing this gem to my attention.) Well, it’s basically just a more ergonomic type of scanner, and hopefully dedicated pirates will find that having to turn all those pages by hand will still have a negative effect on their sex lives.

    I don’t think there’s much doubt, though, that for every individual who has a legitimate and possibly legal reason to scan one of their books into machine-readable form (i.e. for iPad, Kindle etc.), there will be many more who will see this as a way to profit from the labour of others without asking the question “why do I have the right to assume that authors should go through the pain of writing and publishing with no right to any sort of return?”

    What is really infuriating, though, is that it doesn’t seem to have occurred to ION that it is marketing rather more than a legitimate tool for honest students and educationalists. Or maybe it doesn’t care, because it can’t be used to copy ION hardware.

    * http://en.wikipedia.org/wiki/Property_is_theft

    David Harley CITP FBCS CISSP
    AVIEN COO