Sunday, December 06, 2009

sneakemail is no longer free

well, y'know what they say, all good things must come to an end and the free ride at sneakemail.com appears to be one of those things. as of sometime earlier this month sneakemail.com moved to a paid service and existing accounts were switched over to the one month trial setup.

if you're using sneakemail then this is probably something you want to know about (i found out quite by accident) because when the trial is over your emails won't get forwarded to your real email address anymore.

i've been using sneakemail for years now, and directing others their way. it's a great service and it's helped me keep spam in check so i don't want to say that their service isn't worth the $2 a month fee, but recurring charges are the bane of my existence so i'm not sure what i'm going to do. this is complicated by the fact that i have so many addresses with them (most of which get no traffic, but still). switching to another service would be a pain due to a several-years-long habit of using sneakemail as well as all the existing addresses i'd have to switch over. plus there's no guarantee that the next one will turn out any better in the long run. paying the fee would also be a pain, and an ongoing one at that.

but enough of my griping - you're now forewarned, go do something about your account if you're a sneakemail user. you have less than 30 days.

malware classification fail

here's one from the drafts pile, hopefully it's not too stale


i'm wondering what the anti-malware world is coming to when the leading vendor classifies something as a trojan even though it clearly discloses what damage it does.

by this logic, every copy of every operating system also ships with a trojan horse program, either in the form of the delete command or the format command.

one of the basic requirements of a trojan is that it tricks the user into executing it - the original trojan horse wouldn't have gotten very far if there was a warning sign on the outside that said it contained enemy soldiers that would sack the city when night fell. so too would suspected malware not get very far if it plainly disclosed what it does.

this game is at worst a potentially unwanted program - in other words, grayware. we can't just go around calling every bad program (or even just every bad non-viral program) a trojan any more than we can go around calling all malware viruses. not using the proper terminology is a great way to confuse everyone and confusion is something we don't want to sow, right?!?

Friday, November 27, 2009

av vendors are not like drug pushers

one of the erroneous ideas i sometimes come across is that av vendors are a little like drug pushers - that they want to keep you the user addicted or otherwise dependent on signature updates because charging you for regular signature updates is the only way they can make money.

this notion is complete, uninformed bullshit.

the first problem with this idea is the money aspect - if you haven't noticed, the major av vendors come out with a new version of their products (not just new signature updates) every year, not unlike the way microsoft comes out with a new version of ms office every few years. you have to pay microsoft to upgrade your ms office installation so it shouldn't take a rocket scientist to realize that av vendors make money the same way. they also make money from those who just renew at the end of the year instead of buying the new version because the signature and engine updates cost money to develop.

now you might think that just plays into a more fundamental issue, that they're purposefully adhering to a technology that requires updates/upgrades so that you need to pay each year but that's also nonsense. both the threat landscape and the operating environment itself are constantly changing, there's no protective technology that won't require updating to accommodate that fact. furthermore, there are always improvements that can be made to the way a security product (any security product) does its job - the only way to get those improvements out to people is in the form of updates/upgrades, and the only way to pay for the research and development behind those improvements is to charge somebody money and it's only fair that the people they charge for the improvements are the people who benefit from those improvements.

still think they're intentionally dragging their feet with regards to non-signature-based technologies for some reason? fine, let's look at our old friend thunderbyte anti-virus. thunderbyte was an anti-virus suite back in the early 90s before av suites were even heard of. it had the signature based scanner, sure, but it also had the most transparent heuristic engine (by which i mean it told you what properties a file had that made it suspicious) i'd ever seen (then or since), it had rudimentary application whitelisting, it had behaviour blocking, it had integrity-based generic detection and cleaning. thunderbyte even marketed av hardware. the folks at thunderbyte were pioneers who in a very real sense built a better mouse trap and believe it or not the world did not beat a path to their door. the product was ultimately a failure in the market (their technology was bought by norman data defense which, with all due respect to the folks at norman, is a much more obscure company), not because it wasn't a superior product (it was), nor because it was too much of a niche product (it was readily available in computer stores where i live despite coming from a different continent and i imagine it was available in stores elsewhere as well), but because the market wasn't ready for it. just because you build it doesn't mean they will come - it might work like that in the movies but not in real life. it would be unreasonable to expect other vendors to waste their money developing technology that the market wasn't already clamouring for - the reason vendors have been slow to develop these alternative technologies is because the market for those technologies has been slow to develop. there weren't enough customers demanding the technology for its development to make good business sense.

Tuesday, November 24, 2009

why are ethics so undervalued?

why are ethics so undervalued? i honestly don't know the answer to that question but i'd like to explore the topic and explain what i mean.

first i'd like to dispel any fears that i'm about to go on at length about people not understanding the difference between right and wrong - i think most people do understand the difference. that said, i don't think most people appreciate the difference - which is to say i don't think it holds much meaning for people, i don't think it's important to them.

i'll give you an example. not too long ago anton chuvakin posted an article on FUD - specifically one that is, if not an outright endorsement of FUD, at the very least an argument that sometimes it's a good thing. i'm not going to pick too much on the notion of endorsing the use of manipulation in the workplace, what interests me in this discussion was something he wrote in response to a blog post criticizing his stance:

personally, I think that “trumping with ethics” is a low card in intellectual arguments! IMHO it is one step above name calling

i don't think there can be any question that this statement represents a remarkably low valuation of the topic of right and wrong.

by way of contrast, i would place ethical right/wrong one step below technical right/wrong - and those of you who know me know how highly i value technical accuracy (hint: i make enemies simply by correcting people).

so where does such a huge difference in values come from? and what does it mean for the security community that anton is not only not an outlier but in all likelihood far closer to the norm than i am? have we become an "ends justify the means" sort of society? is security as a goal something we need to promote at all costs?

i suppose i need to better understand why it means as much as it does to me, so i guess i've got some soul searching ahead of me, but nowhere in that search do i expect to find why it's so much easier for others to put aside. i don't get many comments on my posts (since normally i know the answer to the question i'm asking) but in this case i'm hoping to hear what others think so please feel free to comment.

some new snake oil from kaspersky

i found this out thanks to a thread at wilders - apparently kaspersky is taking a page out of the mcafee snake oil playbook. mcafee has total protection and now kaspersky has total security.

i've been over this time and time again - this kind of branding is snake oil. the obvious implication that the average person would draw is that they simply have to use kaspersky total security and then they can be totally secure. that's a false sense of security and the folks at kaspersky know it.

obviously someone cares more about market share and getting to make commercials with jackie chan than about intellectual honesty.

oh crap - looks like bitdefender did the same thing.

being a whitehat means taking sides

you wouldn't think this needs to be said, but apparently it does - being a whitehat means taking sides. more than that, it means taking the side aligned (more or less) with the general public's interests - doing things for their direct or indirect benefit.

and so it is that i always seem to find myself surprised by people who call themselves whitehats but who sacrifice the public's interests for their own agendas. those people are just lying - to others and perhaps even to themselves - about how good of a 'good guy' they really are. these are greyhats at best or, perhaps more likely, blackhats.

one such case that came up recently was that of peter kleissner (another post on the subject here), an ex-employee of the av vendor ikarus software who released proof of concept attack code and then, after being ousted from his position within the av industry, came up with a service to help malware authors evade the av industry.

i suspect mr. kleissner doesn't actually think of himself as a whitehat anymore, even though he would have generally been considered one at the time his descent started. the thing that stands out most to me, however, and the thing i think needs underlining is the following quote:

I won't make a difference between black hats and AV companies. To me it's not good or bad, it's just technology.

which seems to suggest he doesn't care to draw a distinction between good and bad. there's a word for that boys and girls, and that word is amoral. while it is true that he is still quite young (he is 18), he was part of the av industry for over a year. i'm curious how one at such an impressionable age could manage to be part of the av industry and still manage to avoid having his moral compass align with that industry and community.

i'm still here

i know it's been a while - i'm still alive, just preoccupied with other things. i'm going to try to clear out some of the backlog of things i intended to write about. expect some old subjects for the next little while.

Wednesday, October 14, 2009

sector.ca's wall of shame was dead-on...

... and you should all be ashamed of yourselves for being caught on it.

for those missing the background, last week's sector security conference had this thing called the wall of shame. it was information gathered by sniffing the network. a lot of people thought it was gathered by sniffing the wireless network but it was actually gathered by sniffing the wired network. they got all in a huff because they thought by using the secure wireless option they'd actually be secure.

are you face palming yet? yeah, securing your wireless connection to a network doesn't secure your use of that network. this is a network none of those people controlled - it's about as secure as a public access terminal in a cybercafe and still they thought it was safe? these are security pros no less, at a security conference.

this is pretty unbelievable to me, that security pros can't keep their own shit secure at a security conference. no wonder security appears to be so hard and we have so many breaches - you folks aren't paranoid enough! you absolutely belong on a wall of shame if you thought you could use some strange networking service and just naturally be secure. use an encrypted tunnel to a proxy on a network you control for crying out loud, or better still just don't use the network at all.
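to make the point concrete, here is a small added example (mine, not something from the conference or from the post above): a self-audit that looks at what a sniffer sitting on the wired segment behind the access point would see. the link encryption on the wireless side ends at the access point, so only application-layer encryption (tls, ssh, a tunnel to a proxy you control) keeps the payload opaque. the sample flows are constructed, the credential patterns are a hypothetical minimal set, and the categories are my own.

```python
import re
import string
from collections import Counter

# Constructed sample flows (src, dst, dst_port, first bytes of payload). These are
# not real captures; they stand in for traffic as it appears on the wired segment
# once the access point has removed the WPA link encryption.
SAMPLE_FLOWS = [
    ("10.0.0.5", "203.0.113.10", 80,
     b"GET /inbox HTTP/1.1\r\nHost: mail.example\r\nAuthorization: Basic dXNlcjpodW50ZXIy\r\n\r\n"),
    ("10.0.0.5", "203.0.113.20", 143, b"a001 LOGIN alice secret123\r\n"),
    ("10.0.0.5", "203.0.113.30", 21, b"USER bob\r\nPASS letmein\r\n"),
    ("10.0.0.5", "203.0.113.40", 443,
     b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"),      # start of a TLS ClientHello
    ("10.0.0.5", "198.51.100.7", 22, b"SSH-2.0-OpenSSH_8.9\r\n"),  # SSH version banner
    ("10.0.0.5", "203.0.113.50", 80, b"GET /news HTTP/1.1\r\nHost: www.example\r\n\r\n"),
]

# Payload prefixes that identify application-layer encryption (TLS record of type
# handshake, SSH banner). Anything after these is ciphertext to a passive sniffer.
ENCRYPTED_PREFIXES = (b"\x16\x03", b"SSH-")

# Hypothetical minimal set of plaintext patterns that carry credentials.
CREDENTIAL_PATTERNS = [
    (re.compile(rb"(?im)^authorization:\s*basic\s+\S+"), "HTTP Basic auth header"),
    (re.compile(rb"(?im)^\S+\s+LOGIN\s+\S+\s+\S+"), "IMAP LOGIN command"),
    (re.compile(rb"(?im)^PASS\s+\S+"), "FTP/POP3 PASS command"),
]

PRINTABLE = set(string.printable.encode())


def classify(payload: bytes) -> tuple[str, str]:
    """Return (category, reason) for one payload as a passive sniffer would see it."""
    if payload.startswith(ENCRYPTED_PREFIXES):
        return "encrypted", "application-layer encryption; sniffer sees ciphertext"
    for pattern, reason in CREDENTIAL_PATTERNS:
        if pattern.search(payload):
            return "credentials-exposed", reason
    printable = sum(byte in PRINTABLE for byte in payload)
    if printable / max(len(payload), 1) > 0.9:
        return "plaintext", "readable protocol, no credential pattern matched"
    return "unknown", "binary payload without a recognised encryption marker"


def audit(flows):
    """Classify every flow; returns one finding per flow."""
    findings = []
    for src, dst, port, payload in flows:
        category, reason = classify(payload)
        findings.append({"src": src, "dst": dst, "port": port,
                         "category": category, "reason": reason})
    return findings


def summarize(findings) -> dict:
    """Count findings per category."""
    return dict(Counter(f["category"] for f in findings))


if __name__ == "__main__":
    results = audit(SAMPLE_FLOWS)
    for f in results:
        print(f"{f['dst']}:{f['port']:<4} {f['category']:<20} {f['reason']}")
    print(summarize(results))
```

the only flows a sniffer can't read are the two that carry their own encryption; the wpa passphrase at the access point contributed nothing to the other four. routing everything through an ssh or vpn tunnel to a network you control would move all six into the "encrypted" column from the conference network's point of view.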

i didn't even bring a laptop (or any electronic device except for a cheap mp3 player) and i managed to enjoy the conference without incident. i could say the reason i didn't bring any connected devices was because i've heard of shenanigans like this at security conferences in the past (as should you all have), but the truth is i just like to travel light.

it both scares and saddens me, though, to think that some of my data might actually rest in the hands of some of these people. frankly i think we need a version of the darwin awards for security and you folks on the wall of shame are all contenders. i can't decide, however, whether it should be called the shannon awards or the kerckhoffs awards.

finally, while i realize there are legitimate concerns about the legality of how the wall of shame was implemented, i would also argue that if you think the law is going to solve your network security problems then you might be a security idiot. the law is a deterrent, but as preventative controls go it's not particularly reliable.

Thursday, October 08, 2009

what is credentialed malware?

credentialed malware is essentially (and perhaps more aptly described as) multi-user malware. not multi-victim malware, mind you, but multi-attacker - it is designed to be used by multiple attackers with differing levels of access to the malware's collection of functionality.

credentialed malware really only makes sense in the context of a criminal organization where different members of that organization have different roles and different levels of trust.

it also only makes sense (from a tactical perspective) in cases where attackers would need to physically access the compromised machine(s) (i.e. a public kiosk) in order to pull off a successful attack. if the machine could be accessed remotely or if the machine could send data out to remote destinations then there would be no need to employ multiple human agents to mask the maneuvers required to make the attack work.


(thanks go to nicholas percoco and jibran ilyas for introducing me to this concept)

Wednesday, October 07, 2009

my sector '09 experience

last year i was lucky enough to get my employers to send me to the sector conference (the second one ever) and this year that luck continued. just as i did last year, here is a description of my experiences at sector '09.

first a note, perhaps a reminder to myself, who knows - but if you're going to attend a conference that logically requires you to get out of bed at 6:30am in order to do what you need to do in the morning and make it there, you might want to go to bed earlier than 1:30am. people don't want to see you yawning during their talks, or when they're talking to you directly in the halls (or whatever). it makes them think they're boring you, even if they aren't.

the conference started off with a great keynote by chris hoff about the cloud - check that, about cloud computing because there is no "the cloud" according to chris; though the fact that it is clearly illustrated on many network architecture diagrams (representing everything else) seems to contradict him. however, and the fact that this became clear to me as a result of his keynote is one of the things that made it great, that rudimentary abstraction on old-school network architecture diagrams has little to do with the discussion of cloud computing. now i wish i'd seen his "4 horsemen of the virtualization apocalypse" talk last year.

next up was the first session of the day and this year, like last year, i spent it in kevvie fowler's talk - this year it was about catching sql injection by examining the sql cache. again, like last year, my decision to attend this talk was based on the perception that doing so would allow me to bring value back to my employers (who paid for my admission) and kevvie didn't disappoint.

following that was the lunch keynote given by andrew nash of paypal, talking about consumer identity. there didn't seem to be a lot of information there that i could use directly, either at work or at home, but some of his ideas/opinions seemed spot on. one of the concepts i don't like, however, (and i believe i've posted my complaints before) is something that i now know is called federated identity.

after that i attended roy firestein's talk about crimeware and web exploitation kits. aside from the fact that roy is one of those people who says anti-virus is useless (there seems to be one in every crowd, but if the sentiment were true then one has to wonder why malware writers continue to waste their time, energy, and money on developing innovative defenses from anti-virus) the talk was fairly interesting. one thing that struck me though (before the av is useless comment) was that roy (and others when i sit down and think about it) seem to focus more on and distinguish between what seem to me to be subtle distinctions between similar pieces of malware. i'm not sure why but those distinctions have started being less interesting to me these days. not that that stopped the talk from being interesting, mind you, that was just a thought that popped into my head while listening. i think i'd have more difficulty fleshing out a talk due to this mindset, were i to ever be in the position of trying to give one.

for the third session of the day i had decided to attend chris boyd's talk about security and gaming consoles. despite the fact that i don't own a gaming console myself (my gaming console experience is limited to a pong system, the colecovision, and the intellivision systems) and there isn't one at work, there were 2 reasons i wanted to attend this talk. the first was that chris is someone i've known online for a while now, and the second is that while this specific attack vector is outside my area of familiarity my suspicion is that the significance of this vector will increase in the future. the talk was quite interesting - some things were familiar, some i've seen analogs for in social gaming, others were new. the apparent cross-pollination of attack strategies is probably the most interesting thing to me because cross-pollination is not a unidirectional process and so i expect that some of the attack strategies that have been more or less peculiar to consoles so far will find their way out of the (thinly) walled garden of the console world.

as an aside, i also planned on introducing myself to chris after his talk but he had to go and recognize me beforehand. how, i don't know, since there are few photos of me online, fewer still that are current, and then of course there was my clark kent disguise (glasses, when i normally wear contact lenses). clearly, superman i ain't - but there's certainly nothing wrong with putting a face to a familiar name so i'm not complaining.

the last session i attended the first day was robert hansen's talk on information warfare and the future. as the talk was very much about the future, and as i don't actually put much stock in predictions i'll take the stance i always take in this context and wait and see. some of the descriptions of upcoming capabilities were quite provocative, however. the talk let out about 35 minutes early, so it was probably the shortest i saw while there.

letting out early at the end of the day can be a mixed blessing - for those who just wanted to go home they could get an early start, but i wanted to go to the reception at joe badalis which wasn't supposed to start until the last session was scheduled to finish so i tried to find something to do with the spare 35 minutes. that would have been easier if the vendors hadn't mostly already packed up for the day - it would have been the perfect opportunity for me to visit the booths since there was actual time (something that's harder to find during the day). eventually i just decided to go to the reception early (as apparently a number of others in the same boat already had). i had a good time there, talked to a few people, got a few business cards but unfortunately when i left the office on monday i had forgotten about sector so i didn't grab a handful of cards and thus had nothing to give in return. i also found out that apparently my day job is more unusual and interesting to other people than i ever realized - who knew?

after the reception was the speaker's dinner which i'm afraid i had to miss due to never quite figuring out where i was supposed to buy the $65 ticket, and a tweetup following that which i also missed since i doubted i could find something to do for the 2 1/2 hours between the end of the reception and start of the tweetup. apparently this worked out for the best as i was able to avoid seeing chris hoff give brian bourne (one of the organizers) a lap dance (or man-dance as i think i saw it called). yes, you read that right. the stills posted to twitter were bad enough, i can only imagine how scarred the people who saw it live must be.

the second day i attended (technically the 3rd day of sector, but i don't attend the first day because it's just training and their courses never seem to have enough relevance to me to justify the cost) started with a surprise. nicholas percoco and jibran ilyas' talk entitled "Malware Freakshow" was excellent. it did something that is actually exceptionally rare these days - it introduced me to a new malware classification which by itself is actually pretty rare, but unlike a lot of the more recent 'new' malware classifications i've heard recently this one actually sounded like a justifiable classification rather than a mashup of existing capabilities in a new package. credentialed malware, or malware designed to be used by multiple people with differing roles and privileges within a criminal organization, is very much a sign of the times - computer related criminal enterprises have progressed to such a degree that malware actually comes in a multi-user flavour now and different users get different capabilities. that was quite neat and that alone would have made this talk my favourite, but there was more: all the real-life examples being used were the sorts of organizations that i could envision being customers of the company i work for (in fact it wouldn't surprise me if some of them were customers) - it was like worlds colliding (there's usually not much overlap between my day job and what i blog about) and i can't wait to share some of the stories with the guys at work tomorrow - especially since a procedural control that our product facilitates potentially could have thwarted the credentialed malware example.

following that talk i attended jerry mangiarelli's talk on sql injection - yes, a second talk on sql injection. again this is a relevance to the day-job sort of deal but it was good to hear some more about it, about the scale of the problem and that sort of thing. of course, considering how prevalent sql injection is now it actually shouldn't be a surprise that there would be multiple talks on it or that someone would attend both.

then we had the lunch keynote for that day which was with adam laurie (aka major malfunction). it was quite a fun presentation as, just like adam, i like to break things too (especially at work, though i don't get to do it as much as i used to). he talked about breaking a number of things (like breaking into a state of the art hotel room safe with a pair of pliers and a screwdriver), and he also talked a great deal about biometric passports. i didn't care that much for his treatment of biometrics, but having worked in the field (in an integration capacity) my views and populist views aren't likely going to match up.

after lunch i attended the sslfail.com panel discussion with tyler reguly, mike zusman, jay graver, and robert hansen (yes, robert hansen again - that wasn't in the programme). sslfail.com is something i've been hearing about for a while and wanted to know what all the hubbub was about and the panel did a pretty good job of raising my awareness of a number of issues (which was the goal they stated at multiple points throughout the discussion). one of the points i think was a red herring, however. the complaint about changes to the user experience over different versions of the browser is predicated on the idea that the ssl indicators are useful to ordinary people (since us technical folks are better able to adapt to such things). as has been covered in the past, however, at a fundamental level we just aren't wired to notice when something like a little lock icon is missing. that isn't a failure of ssl, it's a failure of the very concept of a safe-site indicator.

for the last talk of the day i chose to sit in on nick owen's discussion on approaching secure online banking. he's someone whom i recalled having a brief discussion with about authentication in the comments here at one point and i was interested to hear what he had to say. i was impressed to see that he wasn't just saying X solves our problems, that he'd actually identified the different countermeasures appropriate to the different compromise techniques, etc. the banking industry specific stuff, i must admit, was way way over my head, however.

then things wound down and folks made their way to the keynote area for the final wrap-up. i said a brief hello to chris hoff, which seems to be a pattern now (note to self for next year: when it comes to con-tag, i'm it again), as well as introducing myself to tyler reguly briefly just as we were all getting ready to leave.

but anyways, it was great, i learned lots, met some great people, and had fun. hopefully i have the opportunity to do it again next year.

Sunday, October 04, 2009

mcafee and malware creation

if you hadn't already heard, mcafee plans to teach a class on "malware experience" at a 4 day security conference they're holding this coming week. there were only a couple of reactions to it that i saw, notably david harley's post at threatblog and michael st. neitzel's post on the sunbelt blog. the sunbelt post in particular drew the attention of mcafee's dave marcus who clarified exactly what was going to be going on - to the extent that the controversy around the promise of showing attendees how to create new malware seems to have died a quiet death.

i could have weighed in when i first read about this but the wheels of change had already started to turn and i wanted to see where things went before i said anything. the end result, however, seems to be mcafee has placated people's concerns with hollow promises that instead of teaching people how to make malware from scratch, they'll instead be using an existing toolkit to create the malware. the implication is that since this toolkit produces malware that is already detectable (at least as far as mcafee's product goes) then they aren't really contributing to the malware problem. if you're detecting the distinct aroma of a barnyard right now, you're not alone.

there are a couple of problems here so let's go through them one at a time. the first is the simple fact that mcafee is in the anti-malware business. i've said this before and i'll say this again - if you're anti-X you shouldn't go around making X's and you sure as hell shouldn't encourage others to do so. the company's namesake reputedly got into trouble with the rest of the industry by offering such encouragement in the form of financial incentives (paying for new viruses). now in this new case it's all going to be done inside a closed environment to prevent undesirable consequences so there should be no problems, right?

wrong. the work in the classroom will take place in a closed environment, but i have no doubt that some of the attendees will subsequently play the home version of the game, running malware toolkits on their own environments and creating malware in less secured environments (you can't really believe that they'll learn everything they need to handle malware safely in those 4 hours the class will run). a class like this encourages precisely this behaviour. it makes it seem ok for less experienced people to handle malware, and to that end even people who never attended the class will also play the home game if such behaviour is endorsed.

think that sounds far-fetched? it isn't, there are already well intentioned but ultimately unqualified people playing with malware and inadvertently contributing to the malware problem. it's been going on for years. sarah gordon covered this in her paper "The Generic Virus Writer II". that's a pill that the technologically inclined don't want to swallow, they think they understand malware well enough to prevent unintended consequences, but the reality is that most people lack the wisdom to appreciate the extent of their own ignorance.

finally, given the probable result of people playing the home game with the same malware toolkit used in the class, should they contribute to the malware problem they will do so in a way that benefits mcafee because their product already detects all the output of the toolkit. they will be breeding demand for their product in an absolutely unethical way - by teaching people just enough to cause problems that their product can fix (others may as well, but it's impossible to know at this point).

mcafee is behaving irresponsibly and unethically, and i'm struck by how things seem to have gone full circle with them. while others seem to have let them off the hook because they're using a toolkit instead of teaching how to create malware from scratch, as far as i'm concerned the only difference is the sophistication of the malware creators they are going to produce. mcafee will be teaching a new breed of script kiddie and tarnishing the industry's reputation once again. congratulations on being part of the problem, mcafee folks.