Wednesday, June 27, 2007

more on whitelisting

or perhaps moron whitelisting... yes dave, i'm taking the bait with the emperor's robin bloor's new clothes article about the decline of anti-virus and the rise of whitelisting... and it's pretty good bait too, since i wrote the rise of whitelisting (anything look familiar?) over a year ago in response to something else robin wrote when his misguided anti-virus-is-dead campaign was still new (a day old judging by the posting dates)...

i haven't really seen much new material that i didn't cover myself in that first response - exotic execution, accuracy of local whitelist management, and scalability of global whitelist management are all outstanding problems with whitelisting... finding out that the whitelist vendors themselves admit to the unmanageable scope of their own efforts is one of the few new things that have come up since then...

robin doesn't address any of this, of course, and like the emperor's new clothes there really isn't anything there in his new article... 2 whitelist companies merged and became bigger than either was before - big woop...

the only interesting things were the comments on the register's mirror of the article... vesselin bontchev hit the nail on the head several times (and i'd expect nothing less, though i wouldn't have expected vess to be first to post on the register - ugh), but what interested me most was the suggestion that robin bloor's 'research' is funded by the whitelist industry...

clearly this would be some segment of the whitelist industry that is misguided enough to think that anti-virus companies are actually their competitors... it's apples and oranges though, av companies won't be competitors until they start offering whitelist technology of their own... what's so misguided about this, though, is that if they actually manage to take av's place on peoples' desktops they're ultimately going to wind up also taking av's place in peoples' cross-hairs... if they displace anti-virus then people will necessarily become just as disenchanted with whitelisting as they are with anti-virus because whitelisting has failings too...

in the comments robin does admit that whitelisting won't stand on its own and that additional technologies will be needed to complement it but weasels out of saying what... i suspect intuitively he knows the answer: at the highest, most abstract level, what complements a whitelist? that's right, a blacklist... though he expressly derides the idea as "positioning" in his article and says that you should never mind it, the fact is that known malware scanning and application whitelisting are natural companions...

i want to call robin bloor a troll, i really do, but if he's being funded by whitelisting companies then what he really is is a shill... either way, i'm done with him - when my arguments (and most other peoples' arguments) now are the same ones i posted in march of '06 there really is little point in continuing with this... besides, considering the uptick i get in hits based on searches involving the term whitelist when he posts more nonsense, i'm pretty sure the counter-arguments are being heard without additional effort on my part so i can put that you are being trolled feeling to rest...

Tuesday, June 26, 2007

looking for security wizards

well what do you know, the agnitum folks have come up with a quiz to test your security smarts...

25 out of 30 on my first try... that's 25 correct guesses at what the agnitum folks thought were the right answers since many of the questions didn't seem to include the right answers as far as i could tell - for example, since when is self-replication not the thing that most precisely characterizes a computer virus? this is a quiz to determine who's a security wizard, right? sure average folks might not be expected to know such details but we're talking about wizards here...

then there's a question about what cannot be spyware that was accompanied by nothing but options that could be considered spyware... yes, it's possible to have self-replicating spyware (malware categories are not mutually exclusive), yes it's possible to have spyware that changes your browser's start page (otherwise spyware authors would just throw in that one extra feature to avoid having their creations labeled as spyware), and yes a keylogger is most definitely a kind of spyware (what, you think keeping track of what keys you typed and sending them to a 3rd party doesn't count as spying?)...

the quiz also doesn't tell you which questions you got wrong or what the right answers were so it doesn't really help the non-wizards learn and advance themselves... i actually think the underlying idea behind the quiz is a good one, but not if people can't learn from it...

then again, maybe they're just looking for security wizards to help them write a better quiz...

the end of an era

since i'm generally known for being blunt anyways i'll get right to the point - comp.virus is gone...

of course, in any practical sense comp.virus has been gone for a good long time, but even after all this time i've kept my newsreader subscribed to the group hoping it would eventually come back... it's finally time to remove the subscription - the group itself was slated for removal on june 25 2007...

i have fond memories of the group - back before i even got on the internet i read comp.virus thanks to an internet<->fidonet gateway... what i found was a place with a lot of knowledgeable people talking about exactly the kind of thing i wanted to read about - viruses... oh sure, there was the fido VIRUS and VIRUS_INFO echos (in fact those still exist, though they're mostly unused now-a-days) but i wanted more...

of course it wasn't long after i found comp.virus that it fell out of use (for reasons that nick fitzgerald has probably explained too many times already) and alt.comp.virus was used as a substitute (which proved interesting for all sorts of reasons)... alt.comp.virus (and the more recent alt.comp.anti-virus) are unmoderated, however, and without that control over the quality of the content most of those knowledgeable folks i was introduced to first in comp.virus and then in alt.comp.virus eventually moved on to less noisy pursuits...

i guess the good old days have been gone for a long time, but the removal of comp.virus is like going back to your old neighborhood and discovering one of your favourite spots has been turned into a parking lot...

oh well, we still have the FAQ i guess...

Monday, June 18, 2007

100% virus-free... again...

well, the marketroids are at it again and this time they work for panda software:
SLA (Service Level of Agreement): 100% virus-free guarantee.
and
Together with quarantine management, this enables absolute protection against viruses, worms and Trojans. We are committed to offering a 100% virus-free service.
and once more for the trifecta
With respect to the antivirus filtering service, TrustLayer offers a 100% virus-free contractual guarantee.


y'know, if it weren't for that 'absolute protection' bit (that sounds familiar), i might have believed they had the best of intentions at heart and simply meant that they'd give you your money back if they failed to keep the viruses out (not that that will necessarily compensate a business for the cost they'll incur when malware slips through and their guard was down due to a false sense of security)... not unlike the marketing message i knocked messagelabs for years ago (in fact, the service being offered doesn't sound fundamentally different either)...

even if i were inclined to believe they had the best intentions, the road to hell is paved with such intentions... consider how the message has evolved as it's traveled, first to yahoo finance
Panda Software guarantees that email filtered through TrustLayer will be 100% free of virus.
and then from there to the daily incite
What's old is new again. Panda guarantees 100% virus-free email. Join the club, the other email security services have been doing this for years. And how do you prove it anyway?
mike rothman at least knows to take this with a grain of salt but not everyone is as savvy - who knows what other paths it's taken and what false impressions it's given...

100% virus-free (aka 100% protection) are the magic words you do not say, it's the promise you do not make... this is why i distrust marketing: not only do they generally not really know the technology they're selling but, as this example indicates, they often don't know the business/industry either... i've said it before, i'll say it again; 100% protection / 100% virus-free is the archetype for anti-virus snake oil and there really is no excuse for it anymore... somebody failed anti-virus marketing 101...

as always, vote with your wallet... if you want intellectually honest av vendors, market pressure is the tool you need to use...

Sunday, June 17, 2007

and then hell froze over

anti-virus companies do not hire virus writers, if i've said it once i've said it a thousand times... oh sure, there was that one example where a company which wasn't even in the security industry (their main focus being graphics) hired benny (aka marek strihavka) to be the lead developer of their anti-virus software (which wasn't actually for public consumption at the time) because they felt he was reformed (even though he still makes viruses available on his webpage) and was then thoroughly denounced by multiple members of the av industry... then, of course, there's the case of sven jaschan who was hired by a security company - but again NOT an anti-virus company or even a company looking to make anti-virus software, so one could say that he doesn't count (especially since his hiring resulted in the company losing an av company it had hoped to partner with)...

it may seem like these violate the av companies don't hire virus writers rule but in reality these edge cases (neither company is technically an anti-virus company) actually reinforce the rule by virtue of what the av industry does in response...

so you can imagine, then, how far my jaw dropped when john sharp, founder of authentium, solicited applications from students who graduated from a virus writing curriculum:
Authentium to George Ledin's students: if you're interested in a job, we'll look at your resume. Based on your training, our assumption is that you're going to do a better job helping us detect and defeat malware than someone without this knowledge.


now, i realize one might argue that people who learned to write viruses in school don't have the same motives as those who write and release viruses (though it occurs to me that a virus writing curriculum would appeal to exactly the type of person who would write and release viruses so you may actually be dealing with a population whose bad apple content is higher than average) and the debate has been weighed in on by far more influential individuals than myself - but, with many companies refusing to hire such students just as they would virus writers, mr. sharp's words are unexpected to say the least... i wonder if he's shared his philosophy with helmuth freericks, who was listed as the vp of r&d at authentium when he signed the public letter against teaching virus writing that's being hosted by the anti-virus information exchange network...

things get more interesting than that, however... authentium's (formerly command software system's) command anti-virus used to license the f-prot scanning engine and given the identical naming produced by the two it seems like it still does... that engine is produced by frisk software international... frisk has made his feelings on the subject of virus writing curricula very clear, stating that it's ethically unacceptable, so it'll be interesting to see what if anything becomes of this if authentium really does hire students who've taken such courses...

Thursday, June 14, 2007

when misunderstanding hurts you

today's post by tyler reguly about a revelation he found in f-secure's marketing message caught my eye because i think it exhibits some misunderstandings that i suspect are probably not unique to him so i'm going to try and clear up some of the confusion...

the statement that triggered all of this was that f-secure ships out around 6 updates per day... in tyler's words:
When you are pushing out that many updates it tells me one of two things. i) You are “sweatin’ the small stuff” or ii) You have a bad QA process and need to push out fixes.
he goes on to investigate whether there is enough malware to justify that many updates and finds that no-one is producing write-ups of new threats at anywhere near that rate...

the key misunderstanding here is what exactly those threat write-ups represent... they are not the only pieces of malware that the respective av companies encounter, far from it, they are just the ones that have distinguished themselves enough from the background noise of hundreds of pieces of malware being processed per day to warrant a write-up... nobody maintains a repository of malware write-ups equal in quantity to the amount of malware their product detects, that's just too much work for too little return, so they pick out the ones that are significant in some way such as ones that do something genuinely new, or ones that have in hindsight proven to be a slightly more significant threat than the vast majority...

notice the word hindsight... it is, unfortunately, not possible to predict which pieces of malware will make it big and which won't so it's not possible to use that as a criteria for issuing an update... technically sophisticated viruses have gone nowhere while barely functioning frankenstein creations have run amok... as such, all the anti-virus companies can do is try to minimize (within reason) the window of opportunity that a potentially significant threat will have... in fact, sometimes the failure to become a significant threat (certainly a desirable outcome) hinges on the rapid and widespread deployment of detection capabilities for it...

f-secure accomplishes this with around 6 updates per day... some companies ship updates hourly (and have been doing so for years now)... these aren't fixes (at least not generally), it's not a QA problem, there genuinely are sufficiently many pieces of malware being processed each day to warrant this update frequency... does that mean they're sweating the small stuff? maybe so but it's only because there's no way to know what's going to become big...

Monday, June 11, 2007

the slow death of someone's credibility

robin bloor doesn't show up on my radar very often, but when he does it always seems to be about how anti-virus is dead, dying, or doomed in some way... this time it's about the slow death of anti-virus technology...

dave lewis thought it worth pointing to (thus leading to the blip on my radar) and the folks over on the authentium blog went against their better instincts and actually responded to it...

it's a good response, too, and it touches on a point i've also made about whitelisting - specifically that the numbers of good programs (ie. those that would be put on the vendor supplied whitelist) far exceed those of malware... why this is interesting is because one of the main arguments against anti-virus technology is a fundamental disdain for enumerating bad things on the premise of it being too big of a problem... clearly, if enumerating good things is several orders of magnitude harder than enumerating bad things then this particular argument is garbage... it's nice to see that a whitelist vendor is owning up to the enumeration cost, even if some whitelist proponents are unwilling... to the unwilling i would say imagine if the TSA used a whitelist instead of a blacklist - do you think telling most people they can't fly because they aren't on the fly list would work better than telling a few people they can't fly because they are on the no-fly list?...

this time around mr. bloor wants us to believe that, because whitelisting is gaining traction in the market, his prognostications about whitelisting replacing blacklisting are gradually coming true... seemingly choosing not to consider the possibility that the trends he's noticed are nothing more than the maturation of the whitelisting market, and unperturbed by history's numerous examples of the av industry adding technologies to their portfolios rather than replacing the old with the new, mr. bloor's arguments seem rather ridiculous...

but then again, they're coming from the same guy who thinks traditional polymorphism and server-side polymorphism are comparable - that because traditional polymorphism (where the transformation function responsible for the polymorphism is carried with the self-replicating malware and therefore open to attack by the av'ers) has been around for 16 years that the av industry should have developed something capable of dealing with the newly emerged server-side polymorphism (where the transformation function isn't carried by the malware and thus isn't generally open to attack) by now...

so should anyone take him seriously when he says whitelisting is better than av and that it's going to replace av? no, because whitelists are not going to replace blacklists, whitelists aren't better than blacklists, they're just different from blacklists... whitelists don't have the same weaknesses blacklists do just as blacklists don't have the same weaknesses that whitelists do... the notion that we would or should use only one type of technology to protect ourselves from malware is antiquated and fundamentally broken - there is no silver bullet, no panacea, and if you don't employ a multi-layered strategy (aka defense in depth) then you're just setting yourself up for unnecessary failure... i have to wonder, when av technology is still here 10 years from now, will robin bloor be eating crow or will he still be forecasting av's death like some inverted version of monty python's parrot skit...
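to make the "natural companions" point from the earlier whitelisting post and the "different weaknesses" point above concrete, here's an added example (my own illustration, not code from any vendor or from the original posts) that runs the same four constructed sample programs through a whitelist-only policy, a blacklist-only policy, and the two layered together... all hashes, byte patterns and "binaries" are made up for the demonstration...

```python
"""Layered execution policy: application whitelist plus known-malware blacklist.

Added example; not code from the original posts and not a model of any
vendor's product.  Every sample "binary", hash and signature below is
constructed for illustration.
"""
import hashlib
from dataclasses import dataclass, field
from enum import Enum


class Verdict(Enum):
    ALLOW = "allow"       # hash is on the whitelist
    KNOWN_BAD = "block"   # matched a known-malware signature on the blacklist
    UNKNOWN = "unknown"   # on neither list; policy decides, a human reviews


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class Policy:
    whitelist: set = field(default_factory=set)    # sha256 digests of approved programs
    blacklist: dict = field(default_factory=dict)  # name -> byte pattern of known malware
    default_deny: bool = True                      # fate of programs on neither list

    def classify(self, data: bytes) -> Verdict:
        """The whitelist decides first; the blacklist only labels what is left over."""
        if sha256(data) in self.whitelist:
            return Verdict.ALLOW
        if any(pattern in data for pattern in self.blacklist.values()):
            return Verdict.KNOWN_BAD
        return Verdict.UNKNOWN

    def may_run(self, data: bytes) -> bool:
        verdict = self.classify(data)
        if verdict is Verdict.UNKNOWN:
            return not self.default_deny
        return verdict is Verdict.ALLOW

    def review_queue(self, samples: dict) -> list:
        """Names of programs that neither list can decide about automatically."""
        return [name for name, data in samples.items()
                if self.classify(data) is Verdict.UNKNOWN]


# constructed sample programs (stand-ins for executable file contents)
APPROVED = b"MZ approved-editor v1.0"
TAMPERED = APPROVED + b" <constructed injected payload>"   # trojanised copy of APPROVED
KNOWN_BAD = b"MZ dropper CONSTRUCTED_KNOWN_BAD_PATTERN"    # matches the blacklist entry
NEW_TOOL = b"MZ new-utility v0.1"                          # benign, but nobody has vetted it

SAMPLES = {"approved": APPROVED, "tampered": TAMPERED,
           "known_bad": KNOWN_BAD, "new_tool": NEW_TOOL}

WHITELIST = {sha256(APPROVED)}
BLACKLIST = {"Constructed.Dropper": b"CONSTRUCTED_KNOWN_BAD_PATTERN"}

POLICIES = {
    # whitelist only: deny everything not explicitly approved
    "whitelist_only": Policy(whitelist=WHITELIST, default_deny=True),
    # blacklist only: allow everything not explicitly known bad
    "blacklist_only": Policy(blacklist=BLACKLIST, default_deny=False),
    # both layers: the whitelist gates execution, the blacklist triages the rest
    "layered": Policy(whitelist=WHITELIST, blacklist=BLACKLIST, default_deny=True),
}


def run_matrix() -> dict:
    """policy name -> sample name -> whether that sample would be allowed to run."""
    return {pname: {sname: pol.may_run(data) for sname, data in SAMPLES.items()}
            for pname, pol in POLICIES.items()}


def review_sizes() -> dict:
    """policy name -> number of samples left for a human to sort out by hand."""
    return {pname: len(pol.review_queue(SAMPLES)) for pname, pol in POLICIES.items()}


if __name__ == "__main__":
    for pname, row in run_matrix().items():
        print(f"{pname:15} {row}")
    print("review queue sizes:", review_sizes())
```

the blacklist alone lets the tampered copy run, the whitelist alone blocks the unknown benign tool and can't tell it apart from the known dropper, and only the layered policy both keeps the tampered copy out and shrinks the pile of "unknowns" a human has to vet...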

Wednesday, June 06, 2007

threat agents

one way to look at security is that it is (by and large) an attempt to prevent bad things from happening as much as possible (or at least as much as is cost effective) and to minimize the impact of those bad things that slip through... in other words, it's about preventing and/or negating threats...

but what is a threat, besides just a bad thing that could happen? the word threat is actually used in a number of different ways (and somewhat ambiguously) corresponding to the variety of ways threats can be classified/categorized... for example one can categorize threats by what's being threatened (ex. computers, networks, data, etc.), by what property of that thing is being threatened (ex. confidentiality, control, integrity, authenticity, availability, or usability), or even by the specific nature of how it's being threatened (ex. a DDoS attack, identity theft, etc)...

very often, however, the term threat is used to label the thing that is doing the threatening (ex. web-based threats)... despite being called threats, what these actually are are threat agents; that is they are agents that pose and sometimes carry out threats to whatever it is that is/was being threatened... usually, when something bad happens, something (some agent) caused it to happen so the obvious approach to preventing the bad thing from happening is to find some way to deal with the agent(s) that would cause it - in essence, addressing the security threat at the root, but in order to do that one needs to be aware of and consider the details peculiar to that type of agent, so . . .

at the most general level, the agents of concern in information technology are biological, technological, and environmental...

  • biological
    for our purposes, biological threats are usually people... they can be other things, of course - it's certainly possible for other living things to cause undesirable events with security implications (be it a moth stuck in a relay, or animals chewing through cables, etc.) but usually it's people and those people are either internal or external to the organization interested in that which is being threatened...

    • external people
      these are almost exclusively blackhats, moreover they are people who start their attacks from the outside without any privileged access to the thing they're attacking... these could be crackers, virus spreaders, phishers, spammers, scammers, bot herders, or some other kind of malware profiteer... if they can be found, the law is generally the best (not necessarily the most effective, mind you, due to potential cross-jurisdictional complications) tool for eliminating the threat they pose...

    • internal people
      often referred to as the insider threat, these are people who do have privileged access to the thing being threatened (or at least to means by which that thing can be accessed)... the insider threat can take the form of either a malicious insider or a thoughtless insider...

      • thoughtless insiders
        the threat posed by thoughtless insiders is the threat of an accidental security breach... thoughtless insiders aren't trying to attack the system, they just forget to take the care they ought to take or just don't know any better... being insiders, they have privileged access to potentially valuable resources and are generally the only ones who can accidentally affect the security of those resources... because the nature of the threat is accidental, training is an obvious choice for dealing with the threat... though there are some dissenting opinions on the effectiveness of training, with the proper motivation (the stick is good, but it might be better with a carrot) suitable personnel should be capable of operating in a secure enough manner...

      • malicious insiders
        unlike thoughtless insiders, malicious insiders are trying to attack the system... these are motivated and often intelligent attackers who may (but don't necessarily need to) use many of the same methods that external people do... also like external people, the law is a good tool for dealing with them and there's the added bonus that being an insider should obviate jurisdictional complications...


  • technological
    when i refer to technological agents, i'm referring to either software or hardware (the shades of grey in between those two are generally collapsible to one of those two, ex. firmware can be thought of as a special kind of software)...

    • hardware
      there are all kinds of hardware that could be used to affect the security of a system (ex. taking a sledge hammer to a computer is probably going to affect the usability of that computer and the availability of any data that was on it) but there are some kinds of hardware that pose intentional threats to the security of your data/computer/network... examples of hardware that pose a threat to the confidentiality of data include hardware keyloggers as well as RFID cloning hardware or even TEMPEST hardware... whether or not the hardware agent requires some kind of physical contact, it is a physical thing that can be found and/or can be blocked in some way (be it an air-gap or some kind of shielding)...

    • software
      software agents are logical entities that (for the time being) generally can only directly affect other logical entities (ie. data)... they exist in some type of memory, whether it's RAM, the hard disk, an EPROM, or some other storage area, and can generally be located if one knows what to look for and the agent is in a state where it's incapable of interfering with that process... software threat agents can be further broken down into malware and other attack tools...

      • malware
        malware is a kind of malicious software agent that runs on the victim machine... the category can be subdivided into many different types (which i've tried to do and will eventually continue to do in my what is it series of posts) but for now let's just stick to self-replicating (viral) and non-replicative (non-viral) malware...

        • non-replicative malware
          non-replicative malware is the majority of what is being created and deployed right now... an instance of non-replicative malware is, by and large, an agent that acts as a proxy (not in the network sense, but in the more general sense) for the person deploying it - that is, it's carrying out that person's intent or acting for that person... for example, maybe they can't watch you log into your bank directly, but if they can fool you into running a keylogger or password stealer (or a dropper or downloader that in turn introduces a keylogger or password stealer) then that malware will watch you log in for them... as such, not only can we try to address the software agents themselves but we can also try to address the people responsible for them and hopefully eliminate them as a source of future malware...

        • self-replicating malware
          self-replicating malware (viruses and worms) can act as proxies for a human agent, just as non-replicative malware does... however, unlike non-replicative malware, self-replicating malware doesn't stop affecting new victims when the person who made/deployed it grows tired of it and moves on... instead, self-replicating malware just keeps going and going no matter what happens to the person originally responsible for it...

      • other attack tools
        not all software agents need to run on a victim's machine in order to affect security... mass mailers, password crackers, keygens, DoS tools, packet sniffers, and many others are all capable of doing bad things without running on a victim's machine and that means they can't be located and neutralized by the same means that malware can... generally speaking, dealing with the person who uses such tools (ie. external human agents) is probably going to be more feasible than trying to locate and eliminate instances of the software itself (though some anti-malware vendors have done an almost decent job of scaring people away from using many of these sorts of tools)...

  • environmental
    environmental agents like fire, water, tornadoes, crashing vehicles, etc. are a little esoteric as agents go but they can affect data, computers, and networks, and not just their availability either... if a tornado tears through a building with confidential paper-based records, a hospital for example, those records may very well not stay confidential (it's raining medical charts!)... now for many other threat agents, dealing with them involves detecting/locating them and neutralizing the threat those specific agents pose (whether by changing, isolating, or eliminating the agent)... that also works for some environmental agents too (ex. you can detect a fire and extinguish it) but, as the tornado example indicates, sometimes you can't do anything to affect the agent (you may instead want to isolate the thing you wish to protect from the agent)...


(yes, i know i focused more on malware than anything else... i am a malware-centric sort of guy, after all... still, sometimes i like to think about the larger context and how malware fits into it...)