don weber posted an intriguing thought about the massive conficker worm actually making the internet more secure...
he's got some sound logic - it does shine the spotlight on the problem and give people who know what to do an opportunity to convince decision makers to do the right thing and that could certainly make people more secure...
trouble is i made the mistake of saying something similar in the previous decade... technically it was more along the lines of 'it would be good if X were bigger/more damaging because then people would sit up and take notice'... as you can imagine then along came something that was bigger/more damaging and people did sit up and take notice... where's the trouble with that you say? i got what i wanted, right?
wrong... a lot of people were negatively affected for what turned out to be a temporary lesson... i'm sorry to say but one of the observations i've made over the past 19 years of following the malware problem is that people largely do not retain the lessons of the past and thus wind up repeating history over and over again...
this case is likely not going to be any different - while don suggests that the efforts put forth as a result of this mass infestation are going to make future mass infestations harder he neglects to mention that there have been plenty of mass infestations in the past whose cumulative effects should have made mass infestation darn near impossible by now if the effect had any kind of staying power...
but the effect doesn't have staying power, it's short lived... there certainly is a window of opportunity for people to push through smart policy/technology changes, but the window is not large - take advantage of it now while it's still open...
devising a framework for thinking about malware and related issues such as viruses, spyware, worms, rootkits, drm, trojans, botnets, keyloggers, droppers, downloaders, rats, adware, spam, stealth, fud, snake oil, and hype...
Wednesday, January 21, 2009
test branding fail
another fail, but of a different variety... thanks to pedro bustamante for bringing total protection testing to my attention...
total protection is a snake oil term that sends the wrong message to people and makes them believe they can be totally protected (which obviously they can't)... this is something people in the anti-malware industry should know already...
of course, you could say the same thing about mcafee - who i'm surprised don't own the trademark on this particular instance of snake oil, since they've got a product named total protection...
anti-virus usage fail
how do you top a virustotal usage fail? you attempt to commit virustotal usage fail but use samples that aren't even malware in the first place...
that's what john strand did in a video embedded in daniel miessler's post "Metasploit 3.2 Makes AV Look Silly | DiD is the Only Answer"...
the premise may sound ok - you can create executables using metasploit that won't be detected by the (perhaps severely) cut-down versions of anti-virus products that are used by virustotal... supposedly this points to a problem with anti-virus technology in general, but ask yourself this - is it really a problem that you can create executables that virustotal can't detect? and if so, why?
is the output from metasploit malware? if it is then hdmoore is a bad man and should be stopped (and it's not like we can't find him)... i don't see a lot of people calling him a bad man, though, or suggesting he needs to be stopped - that says to me that metasploit and its output are not malware, or at least occupy that gray area between malware and benign software... as such, if these things aren't malware then why are we expecting anti-malware programs to detect them? the av world knows that if it ain't bad then you shouldn't be catching it, and if metasploit output is bad then why aren't we doing more about it?...
if it's not malware then stop expecting anti-malware apps to do anything about it... if it is malware then go after the root cause (isn't that what bejtlich is always talking about as the more effective strategy for dealing with the malware problem?)...
ultimately, the video and the post it's in make a good point - that you shouldn't be relying on av as your sole form of protection - but the argument would be better served by using a legitimate av failure as an example instead... better still would be to take an approach that doesn't seek to tear down a largely successful anti-malware control in the first place - you can promote defense in depth without erroneously trying to make av look like it's useless... tearing av down does not actually promote defense in depth, it promotes the search for the next great anti-malware hope that we can replace av with - and that's not going to help anybody because all preventative measures (even whatever people replace av with) fail...
Wednesday, January 14, 2009
my thoughts on benevolent botnets
pete lindstrom recently penned a post on the idea of benevolent botnets... it's not the first time i've seen this topic come up - martin mckeay posted about a related idea of battling botnets with botnets (presumably one side of that fight would be benevolent botnets)...
my thoughts run something like this - implicit in the idea of the botnet is that the computers that make up the botnet are being remotely controlled without authorization from their owners, and therefore no botnet can be considered benevolent...
if the collection of connected computers is being controlled without authorization then you're stealing cycles at the very least, as well as a certain amount of bandwidth in order to communicate with the command and control server...
if the computers are being controlled WITH authorization from their owners then you have a distributed computing project, not unlike seti@home or distributed.net - and you can't really call either of those botnets...
so much like the very act of self-replication makes supposedly good viruses bad, the very act of unauthorized remote control makes supposedly benevolent botnets malicious...
virustotal usage FAIL
from rich mogull's post There Are No Trusted Sites: Paris Hilton Edition:
The best part? Only 12 of 37 tested AV vendors catch the trojan. All of you who give me crap for hammering on AV can go away now.
yes, boys and girls - in spite of my prior warning on the matter, in spite of didier stevens' thoughtful post on the matter, and in spite of hispasec's own post on the matter, people still don't get that virustotal is for testing suspected malware, not anti-malware...
it doesn't matter if your sample size is 1 or 1000, using bad virustotal results to bolster the argument that av sucks (when it's well known that virustotal's results don't/won't match av users' experience) is a big fat FAIL...
rich isn't the only one failing here, though, he's just the most recent example... 'incident handlers' at the internet storm center do this on a regular basis, as do quite a few others...
the devil's in the details, folks, start paying attention... since the detective capabilities displayed in the context of virustotal do not represent the real detective capabilities of the products used by virustotal, what point can there really be to posting the detection rates (as dancho danchev likes to call them)? that's right, basically none - not only do they bear no relationship to what is conventionally thought of as detection rates, but they are also NOT accurate...
now repeat after me: virustotal is for testing suspected malware, not anti-malware...
Wednesday, January 07, 2009
suggested reading
geez, i need an alarm clock to remind me to do this or something...
- PC Got a Virus? Consider Getting Help Offline - Security Fix
  well it just goes to show, if you can't trust a suspect machine to report its own infection state (as the saying goes) then you certainly should trust it for making online purchases...
- Multi-Layering and User Education: a random thought from AVAR | ThreatBlog
  one of my favourite topics - user education, and an interesting framing to boot... user education as simply another layer in a multi-layered defense... not only does that correctly imply that it's inherently an imperfect control just like all the others, it plants it squarely where it belongs - alongside all the other controls, all working in unison...
- hype-free: Actively working against security...
  this sounds eerily familiar, but let's not talk about where i've heard this before... all i can say is i've always known it was a bad idea, and i don't care if the customer's departments don't co-operate with each other - either get buy-in from IT or go over their heads to force co-operation, but don't surreptitiously bypass their security defenses just because it's an inconvenience for you...
- Andrew Hay » Blog Archive » Tactics Must Evolve
  security pros need to be students of military history and tactics? hear hear... i know security isn't really like warfare, but strategy and tactics are a much bigger part of security than some people wish to admit...
- ThreatExpert Blog: How to Defeat Koobface
  great post - i always like to see people identifying exploitable weaknesses in malware...
- Scammers Evade Spam Filters by using Email ‘From’ Fields | TrendLabs | Malware Blog - by Trend Micro
  i almost laughed when i saw this - it seems so obvious now, why hasn't this happened sooner? (or has it?)
- iSpy an iPhone Spy - F-Secure Weblog : News from the Lab
  well what do you know - mobile malware for the iphone... i know some people don't count these sorts of tools as malware, but this is the very picture of spyware, just like neo-call's spyphone or vervata's flexispy...
- Roger Thompson: Awww.... puppies!
  scamming with puppies... the bad guys are sinking to new lows...
- Major Web browsers fail password protection tests | Zero Day | ZDNet.com
  i've always said it was better to use a password manager that was separate from the browser and unable to respond to content on webpages (because some 3rd party tools are just a little TOO integrated), but now i actually have figures to point to that show why...
- Lois Lane and the Craigslist fake landlord scam - Graham Cluley's blog
  a super(b) example of scamming a scammer...
- Most Abused Infection Vector | TrendLabs | Malware Blog - by Trend Micro
  always interesting to find out which methods of attack are the most active... right now it seems to be downloads (though apparently not drive-bys) and droppers (not surprised at all about that one)...
- Is there no end to the AutoRun madness? | Zero Day | ZDNet.com
  a good comparison of the autorun infection vector across multiple versions of windows...
- Graham Cluley's blog - Facebook data loss fiasco
  i got one of the same emails graham talks about here - yes folks, facebook is training their users to be phishing victims...