<?xml version="1.0"?>
<rss version="2.0" xmlns:geo="http://www.w3.org/2003/01/geo/wgs84_pos#" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:media="http://search.yahoo.com/mrss/" xmlns:yt="http://gdata.youtube.com/schemas/2007" xmlns:atom="http://www.w3.org/2005/Atom">
   <channel>
      <title>Authentium Blogs</title>
      <description>Pipes Output</description>
      <link>http://pipes.yahoo.com/pipes/pipe.info?_id=WAuEWcRN3RGeto5aX0sBXw</link>
      <atom:link rel="next" href="http://pipes.yahoo.com/pipes/pipe.run?_id=WAuEWcRN3RGeto5aX0sBXw&amp;_render=rss&amp;page=2"/>
      <pubDate>Thu, 01 Oct 2015 02:03:28 +0000</pubDate>
      <generator>http://pipes.yahoo.com/pipes/</generator>
      <item>
         <title>KoobFace Loves Its Hosting Service</title>
         <link>http://authentium.blogspot.com/2008/12/koobface-loves-its-hosting-service.html</link>
         <description>Okay, so you've heard about KoobFace, the new piece of malware that is infecting Facebook users this week.&lt;br /&gt;&lt;br /&gt;The thing that burns me up about KoobFace and things like it is that they would barely matter if hosting companies were better regulated and occasionally policed.&lt;br /&gt;&lt;br /&gt;Here's what we know.  KoobFace, like most pieces of malware, tries to redirect users away from their intended destination to a site loaded down with more malware, or designed to fool you into downloading a fake antivirus product, etc etc.&lt;br /&gt;&lt;br /&gt;KoobFace, in what many would consider an ironic act, is reportedly re-pointing users towards Geocities.com sites.&lt;br /&gt;&lt;br /&gt;It is no secret that the malware manufacturers rely on hosting companies either implicitly (please abide by your SLA and ensure you don't remove our server from the net for at least 48 hours even if requested to do so) or explicitly (we know what you're doing and we like your money).&lt;br /&gt;&lt;br /&gt;Let's call it as it is: Without a destination to redirect users to, many crimeware writers don't have a business.&lt;br /&gt;&lt;br /&gt;Robert Sandilands recently blogged about the dramatic effect of closing down one bad hosting company in California.  Spam dropped globally by a remarkable percentage - just from closing that one company.&lt;br /&gt;&lt;br /&gt;Recommendation: Hosting companies should immediately be forced by the DHS to adopt a KYC, or &quot;Know Your Customer&quot; policy similar to the one that banks use when they sign up a new customer.&lt;br /&gt;&lt;br /&gt;I personally think that would help greatly.  
At a minimum, there should be more similar policing actions like the one taken in California.&lt;br /&gt;&lt;br /&gt;I guarantee you that if hosting companies were suddenly made responsible for the malware sitting on their servers - or at the very least, for checking that the folks renting them are not criminals - things would get easier for IT guys to control, and we could start building a safer online world based on certified and proven safe destinations - and responsible hosting companies.&lt;div class=&quot;blogger-post-footer&quot;&gt;&lt;div&gt;
&lt;a rel=&quot;nofollow&quot; name=&quot;links&quot;&gt;&lt;/a&gt;Links to this post on:&lt;br /&gt;
&lt;a rel=&quot;nofollow&quot; target=&quot;_blank&quot; href=&quot;http://www.blogpulse.com/search?query=http://authentium.blogspot.com&quot;&gt;Blogpulse&lt;/a&gt;
&lt;/div&gt;&lt;/div&gt;</description>
         <author>noreply@blogger.com (John C. Sharp)</author>
         <guid isPermaLink="false">tag:blogger.com,1999:blog-2354977161001391190.post-5983204778974978706</guid>
         <pubDate>Fri, 05 Dec 2008 23:30:00 +0000</pubDate>
      </item>
      <item>
         <title>InfoWorld Takes Fresh Look at SafeCentral</title>
         <link>http://authentium.blogspot.com/2008/10/infoworld-takes-fresh-look-at.html</link>
         <description>I was enormously encouraged to find Authentium SafeCentral front and center on the home page of InfoWorld, next to a subheadline saying &quot;was it (i.e. their recent review of SafeCentral) a misunderstanding about what the product actually does?&quot;&lt;br /&gt;&lt;br /&gt;&lt;a rel=&quot;nofollow&quot; target=&quot;_blank&quot; href=&quot;http://2.bp.blogspot.com/_HtZMSRIIa-k/SO-0zLFUpuI/AAAAAAAAAR8/bqeI1UqUCoE/s1600-h/sc_infoworld.png&quot;&gt;&lt;img style=&quot;margin:0px auto 10px;display:block;text-align:center;cursor:pointer;&quot; src=&quot;http://2.bp.blogspot.com/_HtZMSRIIa-k/SO-0zLFUpuI/AAAAAAAAAR8/bqeI1UqUCoE/s400/sc_infoworld.png&quot; alt=&quot;&quot; id=&quot;BLOGGER_PHOTO_ID_5255618081406101218&quot; border=&quot;0&quot;/&gt;&lt;/a&gt;&lt;br /&gt;Thank you, InfoWorld!  And thank you, Roger Grimes - it takes a really big-hearted reviewer to take a second look at a product. &lt;br /&gt;&lt;br /&gt;Note: In case you're new to this story, Roger originally tested a number of products for their ability to &quot;shield&quot; users from malware, or &quot;sandbox&quot; their activities.  We scored poorly on this - mainly because we didn't stop malware from &quot;entering the sandbox&quot;.&lt;br /&gt;&lt;br /&gt;As I've explained in my previous blogs since, we don't do that.  When we designed SafeCentral, our core objective was not to try and stop malware per se, but allow users to compute safely in the presence of it. &lt;br /&gt;&lt;br /&gt;Our objective was to let folks go about their banking, buying, or information sharing safely - even in the presence of the most horrible viruses or spyware.  Let me tell you why that concept is so powerful - and revolutionary.  But first, an analogy:&lt;br /&gt;&lt;br /&gt;Here's how antivirus software works: you are surrounded by bodyguards, highly-trained experts hired to recognize threats and deal with them before they can harm you.  
&lt;span style=&quot;font-style:italic;&quot;&gt;But if so much as one bullet skips through... you're dead.  &lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Here's how SafeCentral works: you are invisible.  You can surround yourself with bodyguards if you wish, but you don't really need them.  Because the bullets have no target.  They can't see you, can't have any effect on you.  There is &lt;span style=&quot;font-style:italic;&quot;&gt;no such thing&lt;/span&gt; as &quot;the bullet that slips through&quot;. &lt;br /&gt;&lt;br /&gt;This was the revolutionary idea that myself and my co-patent developers had, and that our engineers and ops team have since matured into a ground-breaking product and service.  If you want to try it for yourself free, just head over to &lt;a rel=&quot;nofollow&quot; target=&quot;_blank&quot; href=&quot;http://www.safecentral.com&quot;&gt;www.safecentral.com&lt;/a&gt;. &lt;br /&gt;&lt;br /&gt;If we have one problem that we need to solve with this product, it's getting the message out about how much this product changes the game.  You can't fault Roger Grimes or InfoWorld for not seeing what we're doing if we're not advertising it correctly.&lt;br /&gt;&lt;br /&gt;You might think that advertising an easy, invisible, but highly-effective technology that doesn't need updating shouldn't be hard, but advertising anything new is a challenge. &lt;br /&gt;&lt;br /&gt;Twenty five years ago, when I was a copywriter at George Patterson Advertising (now Bates) in Adelaide, my first boss used to say &quot;Your first responsibility is to make sure it says 'tuna' on the can&quot;.  In our case, that means making sure &quot;reverse sandboxing&quot; is part of our messaging to users - and reviewers.      &lt;br /&gt;&lt;br /&gt;The good news is, based on the discussion I'm seeing around this point, people are starting to &quot;get&quot; what it is we're actually doing.  
Now we just need to figure out how to broadcast this news on a wider scale.&lt;br /&gt;&lt;br /&gt;Of course, front page of InfoWorld is a pretty great start.  ;-)</description>
         <author>noreply@blogger.com (John C. Sharp)</author>
         <guid isPermaLink="false">tag:blogger.com,1999:blog-2354977161001391190.post-8405056074665063693</guid>
         <pubDate>Fri, 10 Oct 2008 20:01:00 +0000</pubDate>
         <media:thumbnail height="72" url="http://2.bp.blogspot.com/_HtZMSRIIa-k/SO-0zLFUpuI/AAAAAAAAAR8/bqeI1UqUCoE/s72-c/sc_infoworld.png" width="72" xmlns:media="http://search.yahoo.com/mrss/"/>
      </item>
      <item>
         <title>A Little Bit of Knowledge</title>
         <link>http://authentium.blogspot.com/2008/10/little-bit-of-knowledge.html</link>
         <description>A couple of years ago, I decided to get better acquainted with basic software programming, as a means of better understanding the challenges faced by my developer colleagues.&lt;br /&gt;&lt;br /&gt;This had an unexpected effect.  Since then, I've become a bit of a weekend addict.  As Professor Richard Dawkins has noted, there is something incredibly satisfying about stringing together a bunch of conditional statements against a set of inputs and desired outputs - and then seeing the result pop up in front of you.&lt;br /&gt;&lt;br /&gt;When it all works, it's a lot of fun.  But I'm starting to suspect that in addition to the thrills described by Dawkins, there are other benefits that occur when someone from the corporate, or 'sales and marketing' side of the house starts playing with conditional statements on the weekend.&lt;br /&gt;&lt;br /&gt;One of them is a more tangible level of respect.  I've always had a ton of respect for developers, but that respect has sharpened now.  I now also have an increased level of understanding of the challenges.&lt;br /&gt;&lt;br /&gt;One example: I used to get exasperated whenever developers would talk about not being able to find a bug that was holding up delivery.&lt;br /&gt;&lt;br /&gt;I would say, &quot;Why can't you find it?  Why is this so hard?&quot;&lt;br /&gt;&lt;br /&gt;Not any more.  Developers, you are forgiven.  Now, I too have sat for hours some weekends staring blankly at the screen in front of me - only to have it dawn on me that I didn't close a statement properly or call the right resource, after the hundredth walk through the code.&lt;br /&gt;&lt;br /&gt;Lesson One: Bugs happen - we're only human.&lt;br /&gt;Lesson Two: Code review should be done by someone other than the guy writing the code.&lt;br /&gt;&lt;br /&gt;I also have learned the hard way why developers often insist on writing solutions from scratch.  
Yes, mash-ups can be fun - but they can also be unpredictable, and pieces of seemingly stable code can interact in weird ways.&lt;br /&gt;&lt;br /&gt;And sometimes, unexpected updates (from the developers of one side of your code mashup) can destroy everything you've written (just ask a Facebook Apps developer) and take your project into a direction you never intended to go.  No, it isn't always a good idea to 'buy it'.&lt;br /&gt;&lt;br /&gt;Lesson Three: If it's fundamental to the business, write it yourself.&lt;br /&gt;&lt;br /&gt;Documentation?  Guys and girls, please spend all the time you like documenting your code - I get it now.  Those little comments are worth their weight in gold - the more the merrier.  Dev wikis, toolkits and forums can expand your developer network exponentially - providing the documentation is there.&lt;br /&gt;&lt;br /&gt;Lesson Four: Documentation is as critical as the code to success.&lt;br /&gt;&lt;br /&gt;The other benefits are a greater understanding of the way developers work.  I now understand the requirement that when you're faced with something hard, you really need to bolt yourself down for 18 hours (or 36 hours) and have someone feed you Coke and pizza - because when you're working towards the middle of two ends of a two thousand line piece of code, it can be really hard to 'pick up the thread' (that's a developer pun) if you stop.&lt;br /&gt;&lt;br /&gt;Lesson Five: Create a workplace for coders that is free from distractions.&lt;br /&gt;&lt;br /&gt;One other thing I've learned is that coding and rocket science are similar in that they are not necessarily difficult (having worked extensively with both rocket scientists and coders, I feel qualified to make that statement) - but they do require a ton of knowledge.  The more up-to-date and extensive that knowledge the better.  
Fewer things will blow up.&lt;br /&gt;&lt;br /&gt;Note: If you can find a development manager capable of winning respect based on their past experience, willing to 'manage' rather than code, and willing to share knowledge with your young team and mentor them, I suggest that you pay them very very well.  There is no greater value.&lt;br /&gt;&lt;br /&gt;Lesson Six: Experience is critical.  Put a &quot;hands off&quot; grown-up in the room with your young wizkids.&lt;br /&gt;&lt;br /&gt;Finally, a word on testing.  Too many people think quality assurance (QA) testing is finished once you've fired up a clean VM image and tested your software.  This is BSQA - if you're not testing your code in the real world, with real users, on real machines, you're fooling yourself as to its quality and value to end users.&lt;br /&gt;&lt;br /&gt;Lesson Seven: Real coders test on real machines using real users.&lt;br /&gt;&lt;br /&gt;I should emphasize that my own coding efforts remain just a hobby (my stuff sits on an outside hosting company server, not at the company) - and my understanding remains a helicopter-level appreciation at best.  
But the experience has been very valuable and has given me a greater appreciation of the depth of skills we have at our company.&lt;br /&gt;&lt;br /&gt;And as for the aphorism &quot;a little bit of knowledge is a dangerous thing&quot;, my response is this: a little bit of knowledge is only dangerous when the person with that little bit of knowledge remains ignorant of the sheer amount of knowledge that exists outside that subset.&lt;br /&gt;&lt;br /&gt;In my case, I believe my little bit of knowledge has led me to an enhanced understanding and greater appreciation of the scale of knowledge we have in our organization, the real time required for quality work to be done, and the kind of specialized skills that are needed to create great software.&lt;br /&gt;&lt;br /&gt;And that's a good thing.</description>
         <author>noreply@blogger.com (John C. Sharp)</author>
         <guid isPermaLink="false">tag:blogger.com,1999:blog-2354977161001391190.post-1389203859648660929</guid>
         <pubDate>Sun, 05 Oct 2008 14:22:00 +0000</pubDate>
      </item>
      <item>
         <title>Effortless Security</title>
         <link>http://authentium.blogspot.com/2008/10/effortless-security.html</link>
         <description>Getting the messaging right around a new product offering takes time - especially when that product is as new and as game-changing as Authentium's SafeCentral.&lt;br /&gt;&lt;br /&gt;The traditional view of security - that you're only as secure as the last set of virus definition files you downloaded - has been around since the dawn of the Internet.  Security companies have all spent a ton of money driving that message home.  Reviewers still base most of their reviews of IT security products on a score out of 100.&lt;br /&gt;&lt;br /&gt;The difference between this defensive model, and what we're doing with SafeCentral, is night and day.  SafeCentral is &quot;effortless security&quot; - or as Corey O'Donnell, our head of Marketing likes to say, it's &quot;Security Made Simple&quot;. &lt;br /&gt;&lt;br /&gt;We designed SafeCentral so you can transact securely regardless of what kind of malware has infected your PC, or infected the DNS servers upstream of you.   &lt;br /&gt;&lt;br /&gt;This design allows us to protect people in the &quot;real world&quot; of drive-by downloads, hacked wifi hotspots, teenagers that borrow your PC, and ever-more-sophisticated social engineering attacks. &lt;br /&gt;&lt;br /&gt;SafeCentral creates a situation where staying secure becomes effortless.  No worries about updates, vendors missing a virus, no &quot;zero day attack&quot; concerns.  It doesn't matter if there is a keylogger on your PC.  With SafeCentral running, it can't get at your data.   &lt;br /&gt;&lt;br /&gt;Compared to the cost and inefficiency of ongoing treatment, immunization provides an effective defense that is almost effortless in comparison.  That's what we're aiming to do here - easy, effortless, effective security. &lt;br /&gt;&lt;br /&gt;Think of it as immunization versus a surgical mask.  
That's the message that we'll be working on improving in the coming months, as folks start to get used to the idea of a future without virus definition files, filters, and walled gardens.  &lt;br /&gt;&lt;br /&gt;Note: It's no secret that most banks now have initiatives around protecting consumers and are actively looking for software to enable this. &lt;br /&gt;&lt;br /&gt;We believe banks and other financial institutions would be smart to consider the wisdom of an effortless, highly-effective, holistic solution like Authentium SafeCentral versus traditional higher-maintenance alternatives.</description>
         <author>noreply@blogger.com (John C. Sharp)</author>
         <guid isPermaLink="false">tag:blogger.com,1999:blog-2354977161001391190.post-2409294310486898124</guid>
         <pubDate>Wed, 01 Oct 2008 18:30:00 +0000</pubDate>
      </item>
      <item>
         <title>Sandboxing Is Not What We Do</title>
         <link>http://authentium.blogspot.com/2008/10/sandboxing-is-not-what-we-do.html</link>
         <description>One of my favorite sources of information and smart advice on the web is InfoWorld and one of my favorite IT writers there is Roger Grimes.  So it was a pleasant surprise yesterday when I received a Google alert that Roger had done a review on us.&lt;br /&gt;&lt;br /&gt;&lt;a rel=&quot;nofollow&quot; target=&quot;_blank&quot; href=&quot;http://1.bp.blogspot.com/_HtZMSRIIa-k/SOOtLWqa53I/AAAAAAAAAR0/hxjHb_eDCO0/s1600-h/history_safecentral_reverse_sandboxing.png&quot;&gt;&lt;img style=&quot;margin:0px auto 10px;display:block;text-align:center;cursor:pointer;&quot; src=&quot;http://1.bp.blogspot.com/_HtZMSRIIa-k/SOOtLWqa53I/AAAAAAAAAR0/hxjHb_eDCO0/s400/history_safecentral_reverse_sandboxing.png&quot; alt=&quot;&quot; id=&quot;BLOGGER_PHOTO_ID_5252232001017800562&quot; border=&quot;0&quot;/&gt;&lt;/a&gt;&lt;br /&gt;Unfortunately, the review turned out to be a general review of &quot;sandboxing&quot; products - one that we should never have been included in. Sandboxing is not what we do.&lt;br /&gt;&lt;br /&gt;Sandboxing, defined as the attempted creation of a computing environment free of malware, tries to keep certain apps and processes free of malware using various defensive techniques reminiscent of traditional approaches to security.&lt;br /&gt;&lt;br /&gt;What we do is entirely different - as Ray Dickenson, our CTO, is fond of saying, we do &quot;reverse sandboxing&quot;:&lt;br /&gt;&lt;br /&gt;&lt;span style=&quot;font-style:italic;&quot;&gt;&quot;Authentium’s SafeCentral service delivers secure web browsing even on computers that are compromised with data-stealing malware.&quot;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;In other words, SafeCentral allows consumers to safely bank or transact from computers that teenagers have downloaded horrible, horrible things onto.&lt;br /&gt;&lt;br /&gt;This is poles apart from most defensive strategies and traditional approaches, such as walled garden-style sandboxing - and in my view, is much closer to what 
consumers need.&lt;br /&gt;&lt;br /&gt;Note: I'm not negative on sandboxing as an approach.  All security technologies have a role to play and there are some outstanding sandboxing technologies - Prevx being one such example.  But what these guys do and what we do is very different.&lt;br /&gt;&lt;br /&gt;IT folks - and marketing executives - looking for complementary approaches should consider the virtues of both - our approach, and the approach of the sandboxing companies.  I happen to think &quot;reverse-sandboxing&quot; is a much more consumer-friendly and effective approach to keeping folks safe.&lt;br /&gt;&lt;br /&gt;Note: If you'd like to learn more about why SafeCentral is different, Ray's white paper on Reverse Sandboxing can be downloaded from &lt;a rel=&quot;nofollow&quot; target=&quot;_blank&quot; href=&quot;http://www.safecentral.com/whatisit/rsandbox.html&quot;&gt;here&lt;/a&gt; - please scroll to the bottom of the page for the link.</description>
         <author>noreply@blogger.com (John C. Sharp)</author>
         <guid isPermaLink="false">tag:blogger.com,1999:blog-2354977161001391190.post-972294210336409087</guid>
         <pubDate>Wed, 01 Oct 2008 16:06:00 +0000</pubDate>
         <media:thumbnail height="72" url="http://1.bp.blogspot.com/_HtZMSRIIa-k/SOOtLWqa53I/AAAAAAAAAR0/hxjHb_eDCO0/s72-c/history_safecentral_reverse_sandboxing.png" width="72" xmlns:media="http://search.yahoo.com/mrss/"/>
      </item>
      <item>
         <title>How Criminals Hacked gov.palin@yahoo.com</title>
         <link>http://authentium.blogspot.com/2008/09/how-criminals-hacked-govpalinyahoocom.html</link>
         <description>I decided to wait a day before posting about this to see if anything popped up that indicates the criminals that took over VP Candidate Sarah Palin's email address did anything special.&lt;br /&gt;&lt;br /&gt;Nope.  This was social engineering, plain and simple.  According to the BBC, the hackers simply contacted Yahoo customer support and asked for the password to be changed.&lt;br /&gt;&lt;br /&gt;When challenged by the security questions (What is your mother's maiden name?  What is the name of your pet?), the criminals used &quot;information from Wikipedia and other online databases helped to establish Mrs Palin's date of birth, zip code and other personal information.&quot;&lt;br /&gt;&lt;br /&gt;As in:&lt;br /&gt;&lt;br /&gt;&lt;span style=&quot;font-style:italic;&quot;&gt;&quot;Okay Mr Bush, I can reset that password for you... but I need to ask you a couple of questions first... what is your mother's maiden name, and what is the name of your pet?&quot;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;The answers are, of course, &quot;Pierce&quot; and &quot;Barney&quot;.  Date of birth?  July 6th, 1946.  Zip code? The White House has its own: 20500.&lt;br /&gt;&lt;br /&gt;Challenge-response has been an underlying security principle since the whispering of passwords upon approaching castle gates in pre-Roman times.  
But in an era where people can quickly and easily learn everything about you, easily-guessed questions are passé.&lt;br /&gt;&lt;br /&gt;Over the past couple of years, many major sites have improved the strength of these challenge response mechanisms a little by allowing users to input their own questions.&lt;br /&gt;&lt;br /&gt;But too many of these sites compromise this action by defaulting to common questions that are easily researched, such as &quot;mother's maiden name&quot;, or guessed &quot;city in which you were married&quot;.&lt;br /&gt;&lt;br /&gt;Ultimately, where we are headed is towards trustworthy computing, powered by technologies like Authentium SafeCentral, which does a great job of protecting login credentials - and securely storing web site passwords.&lt;br /&gt;&lt;br /&gt;Note: The criminals apparently &lt;a rel=&quot;nofollow&quot; target=&quot;_blank&quot; href=&quot;http://news.bbc.co.uk/2/hi/technology/7624809.stm&quot;&gt;left their fingerprints on the theft&lt;/a&gt;. One interesting conundrum will be whether or not C-Tunnel will be forced to turn over logs relating to their anonymizing of the session to the Secret Service.&lt;br /&gt;&lt;br /&gt;My guess on that is &quot;yes, they will&quot;.</description>
         <author>noreply@blogger.com (John C. Sharp)</author>
         <guid isPermaLink="false">tag:blogger.com,1999:blog-2354977161001391190.post-6565210204155479131</guid>
         <pubDate>Fri, 19 Sep 2008 14:29:00 +0000</pubDate>
      </item>
      <item>
         <title>Beware: Skype &quot;Security Center&quot; Scam</title>
         <link>http://authentium.blogspot.com/2008/09/beware-skype-security-center-scam.html</link>
         <description>I use Skype a lot to chat with friends and business partners outside the US.  It's cheap, and the quality is often better than POTS (Plain Old Telephone Service)-based systems.  However today, my Skype client almost bit me.&lt;br /&gt;&lt;br /&gt;&lt;a rel=&quot;nofollow&quot; target=&quot;_blank&quot; href=&quot;http://1.bp.blogspot.com/_HtZMSRIIa-k/SMB0DsRctWI/AAAAAAAAARk/NX7VIXJ7d5Q/s1600-h/skype_scam.png&quot;&gt;&lt;img style=&quot;margin:0px auto 10px;display:block;text-align:center;cursor:pointer;&quot; src=&quot;http://1.bp.blogspot.com/_HtZMSRIIa-k/SMB0DsRctWI/AAAAAAAAARk/NX7VIXJ7d5Q/s400/skype_scam.png&quot; alt=&quot;&quot; id=&quot;BLOGGER_PHOTO_ID_5242317573032031586&quot; border=&quot;0&quot;/&gt;&lt;/a&gt;&lt;br /&gt;The above message (see screen shot) came in as I was on my normal telephone line and immediately caught my interest.&lt;br /&gt;&lt;br /&gt;A Security Center warning?  Via a Skype client?&lt;br /&gt;&lt;br /&gt;Now, as the founder of a security software company, you'd probably expect me to be immune to social engineering attacks by now, and ultimately, I was.  But it took me a few seconds.  
This is one well-crafted scam, and Skype is becoming so rich with features that for a moment, I wondered if Skype had in fact integrated with the Windows Security Center.&lt;br /&gt;&lt;br /&gt;Then, the fog lifted.&lt;br /&gt;&lt;br /&gt;A call to Robert Sandilands and the other hard-working guys in our Authentium virus lab confirmed that this social engineering scam and others (including dating offers) are starting to become reasonably prevalent on the Skype service.&lt;br /&gt;&lt;br /&gt;Skype users, heed this advice: if you see a &quot;Repair Service&quot; warning come in over Skype, DO NOT click on the links.&lt;br /&gt;&lt;br /&gt;According to Eric in the lab, the link takes you to a fake web-scanner complete with animated progress bar and a pretend file tree that will pretend to find spyware/viruses, then try and scare you into handing over your credit card details.&lt;br /&gt;&lt;br /&gt;&lt;span style=&quot;font-style:italic;&quot;&gt;&quot;The link at the bottom of your SKYPE snapshot image leads to a page that does a mock scan of your system (but what it really is just HTML code and java-script displaying several filenames pre-stored in a java-script file, with a progress bar and such, and then displaying number of infections found)...&quot;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style=&quot;font-style:italic;&quot;&gt;&quot;...which then prompts the user to visit another webpage that asks the user to purchase their antispyware solution and prompts the user for shipping and billing information, credit card information, country and state of residence, etc. The page is written to look very professional with privacy statements, etc.&quot;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Skype users - please be careful, and please ignore &quot;Security Center&quot; security warnings that appear in the Skype interface - they are scams.  
And be prepared - we can expect to see a lot more of these Skype-based social engineering attacks in the future.</description>
         <author>noreply@blogger.com (John C. Sharp)</author>
         <guid isPermaLink="false">tag:blogger.com,1999:blog-2354977161001391190.post-6422950820066422655</guid>
         <pubDate>Thu, 04 Sep 2008 23:45:00 +0000</pubDate>
         <media:thumbnail height="72" url="http://1.bp.blogspot.com/_HtZMSRIIa-k/SMB0DsRctWI/AAAAAAAAARk/NX7VIXJ7d5Q/s72-c/skype_scam.png" width="72" xmlns:media="http://search.yahoo.com/mrss/"/>
      </item>
      <item>
         <title>Password-Stealing Virus in Space</title>
         <link>http://authentium.blogspot.com/2008/09/password-stealing-virus-in-space.html</link>
         <description>Remember how in Independence Day, the aliens were thwarted by a virus uploaded from Jeff Goldblum's Mac?  Wired magazine has a news story out about a recurrence of malware-related activity in the International Space Station.&lt;br /&gt;&lt;br /&gt;&lt;a rel=&quot;nofollow&quot; target=&quot;_blank&quot; href=&quot;http://3.bp.blogspot.com/_HtZMSRIIa-k/SMB8KUnfGcI/AAAAAAAAARs/f8ki-uqc3Ao/s1600-h/nasa_iss.jpg&quot;&gt;&lt;img style=&quot;margin:0px auto 10px;display:block;text-align:center;cursor:pointer;&quot; src=&quot;http://3.bp.blogspot.com/_HtZMSRIIa-k/SMB8KUnfGcI/AAAAAAAAARs/f8ki-uqc3Ao/s400/nasa_iss.jpg&quot; alt=&quot;&quot; id=&quot;BLOGGER_PHOTO_ID_5242326483034118594&quot; border=&quot;0&quot;/&gt;&lt;/a&gt;&lt;br /&gt;A NASA spokesperson confirmed to Wired yesterday that this was not the first time this has happened.&lt;br /&gt;&lt;br /&gt;&lt;span style=&quot;font-style:italic;&quot;&gt;&quot;This is not the first time we have had a worm or a virus,&quot; NASA spokesman Kelly Humphries said. &quot;It's not a frequent occurrence, but this isn't the first time.&quot;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;You can read the rest of the article &lt;a rel=&quot;nofollow&quot; target=&quot;_blank&quot; href=&quot;http://blog.wired.com/27bstroke6/2008/08/virus-infects-s.html&quot;&gt;here&lt;/a&gt;.</description>
         <author>noreply@blogger.com (John C. Sharp)</author>
         <guid isPermaLink="false">tag:blogger.com,1999:blog-2354977161001391190.post-4112739017311613888</guid>
         <pubDate>Wed, 03 Sep 2008 16:35:00 +0000</pubDate>
         <media:thumbnail height="72" url="http://3.bp.blogspot.com/_HtZMSRIIa-k/SMB8KUnfGcI/AAAAAAAAARs/f8ki-uqc3Ao/s72-c/nasa_iss.jpg" width="72" xmlns:media="http://search.yahoo.com/mrss/"/>
      </item>
      <item>
         <title>Google Chrome's Big Weakness: Screen-Stealing</title>
         <link>http://authentium.blogspot.com/2008/09/google-chromes-big-weakness-screen.html</link>
         <description>Google &lt;a rel=&quot;nofollow&quot; target=&quot;_blank&quot; href=&quot;http://www.google.com/chrome/&quot;&gt;Chrome&lt;/a&gt; improves the security profile normally associated with browsers, but it also leaves users exposed to one of the largest vulnerabilities: screen-stealing.&lt;br /&gt;&lt;br /&gt;&lt;a rel=&quot;nofollow&quot; target=&quot;_blank&quot; href=&quot;http://www.safecentral.com/&quot;&gt;&lt;img style=&quot;margin:0px auto 10px;display:block;text-align:center;cursor:pointer;&quot; src=&quot;http://3.bp.blogspot.com/_HtZMSRIIa-k/SL6yS6F_0GI/AAAAAAAAARc/jIjDRbksmPw/s400/chrome.png&quot; alt=&quot;&quot; id=&quot;BLOGGER_PHOTO_ID_5241823054207635554&quot; border=&quot;0&quot;/&gt;&lt;/a&gt;&lt;br /&gt;Screen-stealing is a real problem and a major objective of spyware and malware developers.  It is a great way for criminals to gather information they can use to commit identity fraud, or outright identity theft.&lt;br /&gt;&lt;br /&gt;Here are some instances in which you *don't* want criminals stealing shots of your web browser:&lt;br /&gt;&lt;ul&gt;&lt;li&gt;When you're banking&lt;br /&gt;&lt;/li&gt;&lt;li&gt;When you're doing your taxes&lt;/li&gt;&lt;li&gt;When you're applying for a new license&lt;br /&gt;&lt;/li&gt;&lt;li&gt;When you're paying your bills&lt;/li&gt;&lt;li&gt;When you're doing email in your browser&lt;br /&gt;&lt;/li&gt;&lt;li&gt;When you're entering account details&lt;/li&gt;&lt;li&gt;When you're viewing family pictures&lt;/li&gt;&lt;li&gt;When you're modifying settings&lt;br /&gt;&lt;/li&gt;&lt;li&gt;When you're opening a new account somewhere&lt;br /&gt;&lt;/li&gt;&lt;/ul&gt;If you're considering doing any of these things securely, you should probably avoid Google Chrome for the time being in favor of a truly secure browsing environment.&lt;br /&gt;&lt;br /&gt;The screen-shot above of Google Chrome was lifted right off the desktop, mid-way through a new account sign-up at a major bank.  
There are literally thousands of examples of malware out there that can do this.&lt;br /&gt;&lt;br /&gt;Authentium &lt;a rel=&quot;nofollow&quot; target=&quot;_blank&quot; href=&quot;http://www.safecentral.com/&quot;&gt;SafeCentral&lt;/a&gt; does not allow screen shots to be captured:  SafeCentral prevents screen shots from being used by online criminals and identity thieves.  Google Chrome is not able to stop this from happening - nor are IE, Firefox, Safari and Opera.  Only SafeCentral has the ability to prevent screen-stealing.&lt;br /&gt;&lt;br /&gt;If you need to bank online securely, go over to SafeCentral and &lt;a rel=&quot;nofollow&quot; target=&quot;_blank&quot; href=&quot;http://www.safecentral.com/&quot;&gt;download it&lt;/a&gt;.  It takes about the same amount of time as downloading Chrome, but it is much more secure.&lt;div class=&quot;blogger-post-footer&quot;&gt;&lt;div&gt;
&lt;/div&gt;&lt;/div&gt;</description>
         <author>noreply@blogger.com (John C. Sharp)</author>
         <guid isPermaLink="false">tag:blogger.com,1999:blog-2354977161001391190.post-538087284612359761</guid>
         <pubDate>Wed, 03 Sep 2008 15:40:00 +0000</pubDate>
         <media:thumbnail height="72" url="http://3.bp.blogspot.com/_HtZMSRIIa-k/SL6yS6F_0GI/AAAAAAAAARc/jIjDRbksmPw/s72-c/chrome.png" width="72" xmlns:media="http://search.yahoo.com/mrss/"/>
      </item>
      <item>
         <title>Google Chrome: First Impressions</title>
         <link>http://authentium.blogspot.com/2008/09/chrome-vs-safecentral-first-impressions.html</link>
         <description>&lt;a rel=&quot;nofollow&quot; target=&quot;_blank&quot; href=&quot;http://2.bp.blogspot.com/_HtZMSRIIa-k/SL2vLFh6yXI/AAAAAAAAARU/mM1kLC4DAjQ/s1600-h/dayone.png&quot;&gt;&lt;/a&gt;Okay, I'm writing this blog post inside of &lt;a rel=&quot;nofollow&quot; target=&quot;_blank&quot; href=&quot;http://www.google.com/chrome/&quot;&gt;Google Chrome&lt;/a&gt;, the brand new browser from our friends at Google.  But as I was posting a screenshot into Blogger (a Google company), I experienced a blow-up complete with an image reminiscent of what I used to see when my Mac 128k blew up:&lt;div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;&lt;span class=&quot;Apple-style-span&quot; style=&quot;color:rgb(0, 0, 238);&quot;&gt;&lt;img src=&quot;http://2.bp.blogspot.com/_HtZMSRIIa-k/SL2vLFh6yXI/AAAAAAAAARU/mM1kLC4DAjQ/s400/dayone.png&quot; alt=&quot;&quot; id=&quot;BLOGGER_PHOTO_ID_5241538146326989170&quot; style=&quot;margin:0px auto 10px;display:block;text-align:center;cursor:pointer;&quot; border=&quot;0&quot;/&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;You might say &quot;hey, it's day one - cut them some slack!&quot;  But that would be boring.  Besides, people need to know.  So here are some instant things that I instantly hate, plus a couple of reasons why you still need a safe browser:&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;1. Web pages used to look different in just three popular browsers - now they are going to look different in Firefox, IE, Safari AND Chrome.  More work for me and everyone else that owns a web site.  Thanks a lot.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;2. Freaking-out fonts!  I just went on Facebook and the fonts look ever so slightly - and weirdly - different. Why?&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;3. Yellow highlight around the form text field.  
I hate this as much as I hate seat belts and bicycle helmets.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;4. Unexpected behavior - inside the Blogger edit window, I used to just click on an image to highlight it - now the browser thinks I want to travel there.  Uh-uh.  That's what Ctrl-Click is for.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;5. Only slightly better security than Firefox.  Not mind-blowing, not even close to comprehensive.  &lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;6. If this truly is representative of the front-end of cloud computing, we aren't going to be saying goodbye to desktop apps for some time to come - and Chrome adds nothing to the overall security of your device, save a slightly safer browser.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;Anyway, that's five minutes' worth of feedback.  As far as #5 (security) goes, if everything works as advertised, Chrome will create a safer Internet browsing experience, but nothing even close to what our SafeCentral secure desktop provides.  &lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;We go deeper (in terms of operating system-level protection), broader (we protect *all* desktop apps, not just web apps running in your browser), and further (we protect DNS lookup requests and all of the associated infrastructure and files).&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;In other words, ignore page 26 of the comic book.  Google attempts to protect only what is in the browser - and only does so in a limited way.  We protect everything.  Authentium SafeCentral rules the roost when it comes to holistic security - i.e. 
securing your Internet browsing &lt;span class=&quot;Apple-style-span&quot; style=&quot;font-style:italic;&quot;&gt;and&lt;/span&gt; your desktop.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;In Google Chrome's favor, the rendering speed &lt;span class=&quot;Apple-style-span&quot; style=&quot;font-style:italic;&quot;&gt;is &lt;/span&gt;faster, and the support for multi-processing seems to work well (I recovered from the above issue without having to restart the browser).  It is a very clean UI.  The bookmark import worked just as well as it does on Firefox.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;Add to all this the fact that someone has bothered to redesign the idea of browsing from scratch (yet, BMW-like, incorporate the good stuff from years gone by), and Chrome may yet become a standard - we can only hope it doesn't grab a mere 15% market share and force yet another test case on the world's web developers. &lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;Note: &quot;Chrome&quot; is a reference to what browser developers call the user interface, or visual part of the browser.  If you've done any browser add-on development using XPI or XUL, the Firefox extension and UI languages, you'll be able to instantly relate - the rest of humanity is probably wondering why call it anything - other than &quot;the Google browser&quot;.  &lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;Note: to get Chrome started on Vista, I had to navigate one amusing screenshot (the first shot in the battle?) 
- this is the screen shot that I was trying to post earlier, but couldn't:&lt;/div&gt;&lt;div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;&lt;span class=&quot;Apple-style-span&quot; style=&quot;color:rgb(0, 0, 238);&quot;&gt;&lt;img src=&quot;http://3.bp.blogspot.com/_HtZMSRIIa-k/SL2tbChXemI/AAAAAAAAARM/KM7oyX20OZ8/s400/chrome.png&quot; alt=&quot;&quot; id=&quot;BLOGGER_PHOTO_ID_5241536221374020194&quot; style=&quot;margin:0px auto 10px;display:block;text-align:center;cursor:pointer;&quot; border=&quot;0&quot;/&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class=&quot;blogger-post-footer&quot;&gt;&lt;div&gt;
&lt;/div&gt;&lt;/div&gt;</description>
         <author>noreply@blogger.com (John C. Sharp)</author>
         <guid isPermaLink="false">tag:blogger.com,1999:blog-2354977161001391190.post-8285922259108330533</guid>
         <pubDate>Tue, 02 Sep 2008 21:16:00 +0000</pubDate>
         <media:thumbnail height="72" url="http://2.bp.blogspot.com/_HtZMSRIIa-k/SL2vLFh6yXI/AAAAAAAAARU/mM1kLC4DAjQ/s72-c/dayone.png" width="72" xmlns:media="http://search.yahoo.com/mrss/"/>
      </item>
      <item>
         <title>FoxIT Exposes IE8 Beta Privacy Limits</title>
         <link>http://authentium.blogspot.com/2008/08/foxit-exposes-ie8-beta-privacy-limits.html</link>
         <description>There is a breaking story out of the Netherlands this hour regarding the recently-announced privacy features of the new Microsoft IE8 browser currently in beta.&lt;br /&gt;&lt;br /&gt;&lt;a rel=&quot;nofollow&quot; target=&quot;_blank&quot; href=&quot;http://webwereld.nl/&quot;&gt;Webwereld&lt;/a&gt; reported that forensics firm FoxIT has found that retrieving a user history is trivial, even with IE8's new privacy features turned on.  Christian Prickaerts, a researcher with FoxIT, had this to say about the IE8 beta:&lt;br /&gt;&lt;br /&gt;&lt;span style=&quot;font-style:italic;&quot;&gt;&quot;The privacy option in this beta is mainly cosmetic. For a forensic investigator, retrieving the browsing history should be regarded as peanuts.  The remaining records in the history file still enable me to deduce which websites have been visited.&quot;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;The IE team's response was interesting: &quot;InPrivate Browsing is to prevent other users of the same computer to gain access to the browsing history.  The feature isn't designed to protect a user's privacy from security experts and forensic researchers.&quot;&lt;br /&gt;&lt;br /&gt;That isn't a great response.  &quot;Security experts&quot; could conceivably write tools based on their techniques that are user-friendly, defeating the whole purpose.  Which brings us to the real issue at stake here, and the reason why the stated design aim was to secure the browser history from &quot;other users&quot;.&lt;br /&gt;&lt;br /&gt;The feature has been roundly dubbed &quot;porn mode&quot; by many in the blogosphere.  However, now that these issues have been raised, one wonders how many people desiring this &quot;porn mode&quot; feature will migrate from Safari, the current &quot;private browser&quot; of choice, to IE.&lt;br /&gt;&lt;br /&gt;Firefox, which has had issues of its own, is helped greatly by its adoption of a truly open developer platform.  
Several plug-ins for the browser have been written using the XPI and XUL framework and tools that increase Firefox user security to acceptable levels.&lt;br /&gt;&lt;br /&gt;Of course, the above is not an unbiased view - we have had the goal of building a secure and private browsing environment for several years, not for the stated purpose above, but for ensuring the privacy of online banking transactions.&lt;br /&gt;&lt;br /&gt;With &lt;a rel=&quot;nofollow&quot; target=&quot;_blank&quot; href=&quot;http://www.safecentral.com/&quot;&gt;SafeCentral&lt;/a&gt;, we've achieved that purpose, and we now have the best solution for browser privacy on the market today - with the added claim of offering a security posture that protects privacy from the hardware layer of the PC all the way to the user's (private) web server of choice.&lt;br /&gt;&lt;br /&gt;How do we achieve better security than the leading browser manufacturers?  By not just focusing on the browser, and more specifically, its plug-in environment.  Authentium SafeCentral includes its own secure virtual desktop, supported by a system-level security library developed over many years, a secure look-up system, and a global secure DNS infrastructure.&lt;br /&gt;&lt;br /&gt;Because of this closed system, we are able to offer much greater control of what is stored (or not stored) when it comes to user privacy.&lt;div class=&quot;blogger-post-footer&quot;&gt;&lt;div&gt;
&lt;/div&gt;&lt;/div&gt;</description>
         <author>noreply@blogger.com (John C. Sharp)</author>
         <guid isPermaLink="false">tag:blogger.com,1999:blog-2354977161001391190.post-5463244008466274933</guid>
         <pubDate>Fri, 29 Aug 2008 20:54:00 +0000</pubDate>
      </item>
      <item>
         <title>Phishing 1.0 Attacks Persist</title>
         <link>http://authentium.blogspot.com/2008/08/phishing-10-attacks-persist.html</link>
         <description>I received a &quot;warning&quot; this morning - a &quot;Sun Trust Banks Installation and Upgrade Warning&quot; pretending to be from SunTrust Bank - requesting that I head over to the bank's &quot;Upgrade Department&quot; and download &quot;the latest software updates&quot;.&lt;br /&gt;&lt;br /&gt;&lt;a rel=&quot;nofollow&quot; target=&quot;_blank&quot; href=&quot;http://4.bp.blogspot.com/_HtZMSRIIa-k/SK7AiI5_8SI/AAAAAAAAAP4/71IW8bsZDSo/s1600-h/suntrust.png&quot;&gt;&lt;img style=&quot;margin:0px auto 10px;display:block;text-align:center;cursor:pointer;&quot; src=&quot;http://4.bp.blogspot.com/_HtZMSRIIa-k/SK7AiI5_8SI/AAAAAAAAAP4/71IW8bsZDSo/s400/suntrust.png&quot; alt=&quot;&quot; id=&quot;BLOGGER_PHOTO_ID_5237335109417300258&quot; border=&quot;0&quot;/&gt;&lt;/a&gt;&lt;br /&gt;I'm pretty sure that if I called SunTrust and asked to speak with the &quot;Update Department&quot;, the request would be met with some form of confused silence.&lt;br /&gt;&lt;br /&gt;I find it interesting that these &quot;Phishing 1.0&quot; scams are still being sent out.  The formatting alone looks pretty dire, and I wonder who, if anyone, might still be uninformed enough to click on such an obvious fraud.&lt;br /&gt;&lt;br /&gt;True, it was addressed to me personally, and has a return email address that looks genuine.  This combination may just prompt a consumer to click on the link.  Despite some obvious malformations, the URL also looks somewhat official.&lt;br /&gt;&lt;br /&gt;I saw a much better attempt a few days ago that targeted one of the leading main street banks in the UK and did a much better job of looking official and sounding convincing. &lt;br /&gt;&lt;br /&gt;Some are calling these kinds of attacks &quot;Phishing 2.0&quot; - phishing that actually looks real, as opposed to the easily picked-apart example above, that combines with malware that looks inviting (free antivirus) but is potentially extremely harmful. 
&lt;br /&gt;&lt;br /&gt;If you're a bank, trying to communicate with customers so you can educate them about these threats can be difficult - many of the Phishing 2.0 scams include privacy notices and all kinds of promises concerning data security.  They are much more carefully crafted than the example above.&lt;br /&gt;&lt;br /&gt;One positive move you can make to reduce the effectiveness of these scams is to encourage users to use a secure browsing environment, such as &lt;a rel=&quot;nofollow&quot; target=&quot;_blank&quot; href=&quot;http://www.safecentral.com/&quot;&gt;Authentium SafeCentral&lt;/a&gt; when banking or trading online. &lt;br /&gt;&lt;br /&gt;We have excellent protection in place against these kinds of threats, and SafeCentral also enables a secure communications channel that can be used for customer education - and actual security warnings.&lt;div class=&quot;blogger-post-footer&quot;&gt;&lt;div&gt;
&lt;/div&gt;&lt;/div&gt;</description>
         <author>noreply@blogger.com (John C. Sharp)</author>
         <guid isPermaLink="false">tag:blogger.com,1999:blog-2354977161001391190.post-9013977628891857745</guid>
         <pubDate>Fri, 22 Aug 2008 13:23:00 +0000</pubDate>
         <media:thumbnail height="72" url="http://4.bp.blogspot.com/_HtZMSRIIa-k/SK7AiI5_8SI/AAAAAAAAAP4/71IW8bsZDSo/s72-c/suntrust.png" width="72" xmlns:media="http://search.yahoo.com/mrss/"/>
      </item>
      <item>
         <title>Comments on &quot;The State of PC Security&quot;</title>
         <link>http://authentium.blogspot.com/2008/08/comments-on-state-of-pc-security.html</link>
         <description>I'm a fan of Internet.com.  I met their CEO, Alan Meckler, at a conference in Singapore a few years ago, where he was speaking about the power of newsletters and blogs to create and engage an audience.&lt;br /&gt;&lt;br /&gt;&lt;a rel=&quot;nofollow&quot; target=&quot;_blank&quot; href=&quot;http://2.bp.blogspot.com/_HtZMSRIIa-k/SK1olqWgQ6I/AAAAAAAAAPw/kKZyOvsDSJQ/s1600-h/jup_wp.png&quot;&gt;&lt;img style=&quot;margin:0px auto 10px;display:block;text-align:center;cursor:pointer;&quot; src=&quot;http://2.bp.blogspot.com/_HtZMSRIIa-k/SK1olqWgQ6I/AAAAAAAAAPw/kKZyOvsDSJQ/s400/jup_wp.png&quot; alt=&quot;&quot; id=&quot;BLOGGER_PHOTO_ID_5236956937934881698&quot; border=&quot;0&quot;/&gt;&lt;/a&gt;&lt;br /&gt;So it was with disappointment that I downloaded and read the latest Internet.com white paper entitled, &quot;&lt;a rel=&quot;nofollow&quot; target=&quot;_blank&quot; href=&quot;http://nl.internet.com/c.html?rtr=on&amp;amp;s=1,45cx,1,6pj6,ezqi,dgqk,hu6p&quot;&gt;The State of PC Security&lt;/a&gt;&quot;.&lt;br /&gt;&lt;br /&gt;Much of the paper (in fact, the first three quarters) was up to the usual standards of research and reporting, with a solid article by Kenneth van Wyk benchmarking Linux and Mac security, and a good article on the current state of patching by Andy Patrizio, in which he quotes some interesting statistics from a recent study conducted by &lt;a rel=&quot;nofollow&quot; target=&quot;_blank&quot; href=&quot;http://secunia.com/&quot;&gt;Secunia&lt;/a&gt; that showed just 5% of 20,000 surveyed computers were patched and fully up to date.&lt;br /&gt;&lt;br /&gt;However, the final article &quot;We Need to Rethink PC Security Software&quot;, written by Adrian Kingsley-Hughes, was rather a disappointment.  He had nothing good to say about the PC security industry, or the people working in it.  
Instead of offering insights about how to protect PCs and users (against phishing and viruses, for example), he simply painted PC security software as unnecessary.&lt;br /&gt;&lt;br /&gt;Fast-emerging threats, such as zero day attacks, man-in-the-middle attacks, man-in-the-browser attacks, root kits, and HOSTS file mods, were not even mentioned.&lt;br /&gt;&lt;br /&gt;Now, I think I understand how the &quot;sponsored white paper&quot; works - if the sponsor is a patch management or software compliance company (i.e. like Secunia), then &quot;reducing faith in end point security&quot; serves an editorial purpose that serves the sponsor.&lt;br /&gt;&lt;br /&gt;But white papers are supposed to inform, as well as serve their sponsor, and I personally think Kingsley-Hughes could have done better than simply rail against the number of alerts offered by his security suite.   He could have easily supported the sponsor's argument for keeping a device and its applications fully-patched without writing things like:&lt;br /&gt;&lt;br /&gt;&lt;span style=&quot;font-style:italic;&quot;&gt;&quot;My take on the situation is that security companies have done a good job of convincing people that their products are essential if you are to keep your system free of badware (that's not true, but I'm not going to get into that argument right now), and as such the incentive to develop a good, solid product is lost.&quot; &lt;/span&gt;&lt;br /&gt;&lt;br /&gt;This is simply untrue.  
The fact is, security software companies are innovating at a rate never seen before in the industry, and providing service at unprecedented levels.&lt;br /&gt;&lt;br /&gt;Let me name just a couple of terrific innovations that I think have recently made the world safer and more enjoyable for PC users:  McAfee Site Advisor, Firefox v3's terrific Antiphishing and Identity Services, Authentium &lt;a rel=&quot;nofollow&quot; target=&quot;_blank&quot; href=&quot;http://www.safecentral.com/&quot;&gt;SafeCentral&lt;/a&gt; (our unique secure browsing service - which incorporates the Firefox 3 security innovations), the various Anti-Rootkit technologies produced by multiple vendors including F-Secure and Panda, SecureZIP, and in the world of business end point security, WebSense Express and the equally excellent Spector 360 (from our fellow Floridians just up the coast).&lt;br /&gt;&lt;br /&gt;These products all provide excellent levels of utility - and a level of quality and efficacy that was unavailable years ago.&lt;br /&gt;&lt;br /&gt;These improvements are important to note.  
High efficacy is much more necessary today than it was years ago - the kind of hacks we are seeing today are sponsored by criminals and involve unprecedented levels of sophistication, and not only in terms of the layered approaches we're seeing to deployment and data theft: social engineering has now reached a level of sophistication (personalized emails from government departments citing case numbers, accurate addressee information, seamless branding) where every contact with a corporation or organization is starting to become suspect.&lt;br /&gt;&lt;br /&gt;In terms of service, when I look at the billions of emails we process in partnership with our spam-fighting friends at Microsoft, Google, WebSense and Secure Computing, and the constant improvements in process being brought online (30 minute update turnaround times, versus days or weeks years ago), I wonder how it is possible that all this hard work somehow gets missed by journalists.&lt;br /&gt;&lt;br /&gt;At one point, Kingsley-Hughes says:&lt;br /&gt;&lt;br /&gt;&lt;span style=&quot;font-style:italic;&quot;&gt;&quot;I've gotten to the point where I think I'd rather take my chances with the bad guys myself rather than bother with so-called security software&quot;.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Great.  Hopefully, no one reading this article put it down and thought &quot;that's good advice&quot;.  I certainly wouldn't recommend it, and I think it was not useful for Kingsley-Hughes to suggest it as the final paragraph in a white paper entitled &quot;The State of PC Security&quot;.  Computer users deserve better.  So let me try and provide a different perspective.&lt;br /&gt;&lt;br /&gt;The real state of PC security right now, from the user's perspective, ranges from &quot;not protected&quot; to &quot;well protected&quot;.  
Advising PC owners to run even a fully-patched computer without security software is not responsible advice.&lt;br /&gt;&lt;br /&gt;And while I agree that it is true that a perfectly-behaved, totally-informed person running a perfectly-patched PC &lt;span style=&quot;font-style:italic;&quot;&gt;could in theory&lt;/span&gt; potentially escape infection, or the exposure of their personal data or online banking credentials, in the real world, there is no such thing as a perfectly-patched PC.&lt;br /&gt;&lt;br /&gt;Security software, such as our &lt;a rel=&quot;nofollow&quot; target=&quot;_blank&quot; href=&quot;http://www.safecentral.com/&quot;&gt;SafeCentral&lt;/a&gt; application, provides good insurance for those times when a phishing email fools you into clicking a link, or your chosen download turns out not to be the program (or content) advertised, or the bank's site gets overtaken by hackers, or your kids borrow your PC for five minutes and go somewhere without telling you.&lt;div class=&quot;blogger-post-footer&quot;&gt;&lt;div&gt;
&lt;/div&gt;&lt;/div&gt;</description>
         <author>noreply@blogger.com (John C. Sharp)</author>
         <guid isPermaLink="false">tag:blogger.com,1999:blog-2354977161001391190.post-6454297414554547112</guid>
         <pubDate>Thu, 21 Aug 2008 11:36:00 +0000</pubDate>
         <media:thumbnail height="72" url="http://2.bp.blogspot.com/_HtZMSRIIa-k/SK1olqWgQ6I/AAAAAAAAAPw/kKZyOvsDSJQ/s72-c/jup_wp.png" width="72" xmlns:media="http://search.yahoo.com/mrss/"/>
      </item>
      <item>
         <title>Lions, Tigers, Hurricanes, Hackers</title>
         <link>http://authentium.blogspot.com/2008/08/lions-tigers-hurricanes-hackers.html</link>
         <description>As if dodging tropical storms and chasing hackers isn't challenging enough... today, a lion and a Bengali tiger escaped from a private zoo a few miles down the road from the Authentium offices in Palm Beach Gardens.&lt;br /&gt;&lt;br /&gt;&lt;a rel=&quot;nofollow&quot; target=&quot;_blank&quot; href=&quot;http://2.bp.blogspot.com/_HtZMSRIIa-k/SKy4-sQp9WI/AAAAAAAAAPo/PY_yEx5ZTSU/s1600-h/tiger.png&quot;&gt;&lt;img style=&quot;margin:0px auto 10px;display:block;text-align:center;cursor:pointer;&quot; src=&quot;http://2.bp.blogspot.com/_HtZMSRIIa-k/SKy4-sQp9WI/AAAAAAAAAPo/PY_yEx5ZTSU/s400/tiger.png&quot; alt=&quot;&quot; id=&quot;BLOGGER_PHOTO_ID_5236763853897463138&quot; border=&quot;0&quot;/&gt;&lt;/a&gt;&lt;br /&gt;Both animals were later caught without injury to either animals or State wildlife officials.  No damage or loss of life was reported.  Luckily, the other five lions, four tigers and six cougars, stayed put, and were not part of &lt;a rel=&quot;nofollow&quot; target=&quot;_blank&quot; href=&quot;http://ap.google.com/article/ALeqM5j4eBEyyoDt2Spmt37WGB5UrYMYzAD92M67K81&quot;&gt;the outlaw posse&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;The zoo has released no official word, but it is believed yesterday's passage through the area of Tropical Storm Fay may have created an opportunity for the pair to escape.&lt;br /&gt;&lt;br /&gt;Hopefully, by tomorrow, it will be business as usual, and the only dangerous creatures on our radar (or in our neighborhood) will be those in the malware business.&lt;div class=&quot;blogger-post-footer&quot;&gt;&lt;div&gt;
&lt;/div&gt;&lt;/div&gt;</description>
         <author>noreply@blogger.com (John C. Sharp)</author>
         <guid isPermaLink="false">tag:blogger.com,1999:blog-2354977161001391190.post-6068945596872289234</guid>
         <pubDate>Thu, 21 Aug 2008 00:32:00 +0000</pubDate>
         <media:thumbnail height="72" url="http://2.bp.blogspot.com/_HtZMSRIIa-k/SKy4-sQp9WI/AAAAAAAAAPo/PY_yEx5ZTSU/s72-c/tiger.png" width="72" xmlns:media="http://search.yahoo.com/mrss/"/>
      </item>
      <item>
         <title>Hackers Welcome Joomla Security Fixes</title>
         <link>http://authentium.blogspot.com/2008/08/hackers-welcome-joomla-security-fixes.html</link>
         <description>On Thursday, Joomla announced the 1.5.6 upgrade of its popular web-based CMS (&lt;a rel=&quot;nofollow&quot; target=&quot;_blank&quot; href=&quot;http://en.wikipedia.org/wiki/Content_management_system&quot;&gt;content management system&lt;/a&gt;), a release designed to &lt;a rel=&quot;nofollow&quot; target=&quot;_blank&quot; href=&quot;http://www.joomla.org/announcements/general-news/5202-why-you-should-upgrade-to-joomla-156.html&quot;&gt;fix several security issues&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;&lt;a rel=&quot;nofollow&quot; target=&quot;_blank&quot; href=&quot;http://3.bp.blogspot.com/_HtZMSRIIa-k/SKnF08NwGfI/AAAAAAAAAPg/T4sHvB1f3NI/s1600-h/jsmall.png&quot;&gt;&lt;img style=&quot;margin:0px auto 10px;display:block;text-align:center;cursor:pointer;&quot; src=&quot;http://3.bp.blogspot.com/_HtZMSRIIa-k/SKnF08NwGfI/AAAAAAAAAPg/T4sHvB1f3NI/s400/jsmall.png&quot; alt=&quot;&quot; id=&quot;BLOGGER_PHOTO_ID_5235933555102587378&quot; border=&quot;0&quot;/&gt;&lt;/a&gt;&lt;br /&gt;However, within hours of the security-oriented release, the Joomla web site was defaced by a team of hackers calling themselves the Red Eye Crew, bent on spoiling the fun.&lt;br /&gt;&lt;br /&gt;The fact that Joomla's site got defaced isn't the newsworthy piece, though.  The newsworthy piece is the fact that Joomla's site was defaced in a similar way almost exactly a year ago - in 2007.&lt;br /&gt;&lt;br /&gt;I recall this because at the time, we were looking at purchasing a new CMS system and I was wading through one of various &quot;Beginning Joomla&quot; guides recently purchased from Barnes and Noble.  For various reasons, we didn't end up going the Joomla route.&lt;br /&gt;&lt;br /&gt;On Thursday, the PR folks did a reasonable job of explaining to folks why, on the eve of a security release, they should take the view that the hack was meaningless.  But I'm not sure they went far enough.  
Joomla is a community - and any web-based hack is worrying to the people that have chosen Joomla as their web-based CMS.&lt;br /&gt;&lt;br /&gt;Worse, the announcement did not even acknowledge the previous issues, choosing to speak as if this were a one-time event:&lt;br /&gt;&lt;br /&gt;&lt;span style=&quot;font-style:italic;&quot;&gt;&quot;Nothing but good will come of this experience. There's nothing like first hand experience to remind us of the trust our end user community places in us and the importance of working harder and smarter towards improving security.&quot;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Nothing but good will come from this?  This kind of statement only works the first time. The fact that this morning's hack was a repeat effort requires the organization to &quot;get serious&quot; - and do more than offer an apology for &quot;poor operating procedures&quot; - you can only do that once.  That card was played last year (and possibly earlier - but evidence for this is mainly anecdotal).&lt;br /&gt;&lt;br /&gt;On the Joomla site, the organization is encouraging users to adopt the new release for security reasons, and signs off by saying &quot;In retrospect, we wish we'd followed our own advice more diligently.&quot;&lt;br /&gt;&lt;br /&gt;When attacks occur a second, or possibly third time, you need to win back trust by committing to look deeper, and you need to personalize it as well, and offer to look at the people involved as well as the systems.&lt;div class=&quot;blogger-post-footer&quot;&gt;&lt;div&gt;
&lt;/div&gt;&lt;/div&gt;</description>
         <author>noreply@blogger.com (John C. Sharp)</author>
         <guid isPermaLink="false">tag:blogger.com,1999:blog-2354977161001391190.post-4696870962719437405</guid>
         <pubDate>Mon, 18 Aug 2008 18:26:00 +0000</pubDate>
         <media:thumbnail height="72" url="http://3.bp.blogspot.com/_HtZMSRIIa-k/SKnF08NwGfI/AAAAAAAAAPg/T4sHvB1f3NI/s72-c/jsmall.png" width="72" xmlns:media="http://search.yahoo.com/mrss/"/>
      </item>
      <item>
         <title>Five Steps to Avoiding a SCAM</title>
         <link>http://authentium.blogspot.com/2008/08/five-steps-to-avoiding-scam.html</link>
         <description>Candy Colp, our director of sales, sent me a copy of a &lt;a rel=&quot;nofollow&quot; target=&quot;_blank&quot; href=&quot;http://www.parade.com/hot-topics/0808/stolen-identity&quot;&gt;news article&lt;/a&gt; from the magazine section of the Palm Beach Post this morning in which Jeffrey Deaver, author of The Bone Collector, talks about his experience with identity theft.&lt;br /&gt;&lt;br /&gt;The article contained a list I hadn't seen before - the US Department of Justice's &lt;a rel=&quot;nofollow&quot; target=&quot;_blank&quot; href=&quot;http://www.usdoj.gov/criminal/fraud/websites/idtheft.html&quot;&gt;four recommended ways to avoid having your identity stolen&lt;/a&gt;.  It's a simple method - just remember the word SCAM and what each letter stands for:&lt;br /&gt;&lt;br /&gt;&lt;a rel=&quot;nofollow&quot; target=&quot;_blank&quot; href=&quot;http://1.bp.blogspot.com/_HtZMSRIIa-k/SKmC_JjJEyI/AAAAAAAAAPQ/rKok07D7OO0/s1600-h/usdoj_seal2.png&quot;&gt;&lt;img style=&quot;margin:0px auto 10px;display:block;text-align:center;cursor:pointer;&quot; src=&quot;http://1.bp.blogspot.com/_HtZMSRIIa-k/SKmC_JjJEyI/AAAAAAAAAPQ/rKok07D7OO0/s400/usdoj_seal2.png&quot; alt=&quot;&quot; id=&quot;BLOGGER_PHOTO_ID_5235860063201596194&quot; border=&quot;0&quot;/&gt;&lt;/a&gt;&lt;br /&gt;&lt;span style=&quot;font-weight:bold;&quot;&gt;S is for: Be &lt;span style=&quot;font-style:italic;&quot;&gt;Stingy&lt;/span&gt; with Personal Information&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Start by adopting a &quot;need to know&quot; approach to your personal data. 
Your credit card company may need to know your mother's maiden name, so that it can verify your identity when you call to inquire about your account.&lt;br /&gt;&lt;br /&gt;A person who calls you and says he's from your bank, however, doesn't need to know that information if it's already on file with your bank; the only purpose of such a call is to acquire that information for that person's personal benefit.&lt;br /&gt;&lt;br /&gt;Also, the more information that you have printed on your personal bank checks -- such as your Social Security number or home telephone number -- the more personal data you are routinely handing out to people who may not need that information (buy Frank Abagnale's book &quot;Stealing Your Life&quot; for some insight into what criminals do while waiting in the check-out line).&lt;br /&gt;&lt;br /&gt;If someone you don't know calls you on the telephone and offers you the chance to receive a &quot;major&quot; credit card, a prize, or other valuable item, but asks you for personal data -- such as your Social Security number, credit card number or expiration date, or mother's maiden name -- ask them to send you a written application form.&lt;br /&gt;&lt;br /&gt;If they won't do it, tell them you're not interested and hang up.&lt;br /&gt;&lt;br /&gt;If they will, review the application carefully when you receive it and make sure it's going to a company or financial institution that's well-known and reputable. 
The Better Business Bureau can give you information about businesses that have been the subject of complaints.&lt;br /&gt;&lt;br /&gt;If you're traveling, have your mail held at your local post office, or ask someone you know well and trust -- another family member, a friend, or a neighbor -- to collect and hold your mail while you're away.&lt;br /&gt;&lt;br /&gt;If you have to telephone someone while you're traveling, and need to pass on personal financial information to the person you're calling, don't do it at an open telephone booth where passersby can listen in on what you're saying; use a telephone booth where you can close the door, or wait until you're at a less public location to call.&lt;br /&gt;&lt;br /&gt;&lt;span style=&quot;font-weight:bold;&quot;&gt;C is for: &lt;span style=&quot;font-style:italic;&quot;&gt;Check&lt;/span&gt; your financial information regularly&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;If you have bank or credit card accounts, you should be receiving monthly statements that list transactions for the most recent month or reporting period.&lt;br /&gt;&lt;br /&gt;If you're not receiving monthly statements for the accounts you know you have, call the financial institution or credit card company immediately and ask about it.&lt;br /&gt;&lt;br /&gt;If you're told that your statements are being mailed to another address that you haven't authorized, tell the financial institution or credit card representative immediately that you did not authorize the change of address and that someone may be improperly using your accounts.&lt;br /&gt;&lt;br /&gt;In that situation, you should also ask for copies of all statements and debit or charge transactions that have occurred since the last statement you received. 
Obtaining those copies will help you to work with the financial institution or credit card company in determining whether some or all of those debit or charge transactions were fraudulent.&lt;br /&gt;&lt;br /&gt;Note: If someone has gotten your financial data and made unauthorized debits or charges against your financial accounts, checking your monthly statements carefully may be the quickest way for you to find out.&lt;br /&gt;&lt;br /&gt;Also, if someone has managed to get access to your mail or other personal data, and opened any credit cards in your name or taken any funds from your bank account, contact your financial institution or credit card company immediately to report those transactions and to request further action.&lt;br /&gt;&lt;br /&gt;&lt;span style=&quot;font-weight:bold;&quot;&gt;A is for: &lt;span style=&quot;font-style:italic;&quot;&gt;Ask&lt;/span&gt; for a copy of your credit report&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Your credit report should list all bank and financial accounts under your name, and will provide other indications of whether someone has wrongfully opened or used any accounts in your name.&lt;br /&gt;&lt;br /&gt;&lt;span style=&quot;font-weight:bold;&quot;&gt;M is for: &lt;span style=&quot;font-style:italic;&quot;&gt;Maintain&lt;/span&gt; your financial records&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Even though financial institutions are required to maintain copies of your checks, debit transactions, and similar transactions for five years, you should retain your monthly statements and checks for at least one year, if not more. If you need to dispute a particular check or transaction -- especially if they purport to bear your signatures -- your original records will be more immediately accessible and useful to the institutions that you have contacted.&lt;br /&gt;&lt;br /&gt;Even if you take all of these steps, however, it's still possible that you can become a victim of identity theft. 
Records containing your personal data -- credit-card receipts or car-rental agreements, for example -- may be found by or shared with someone who decides to use your data for fraudulent purposes.*&lt;span style=&quot;font-style:italic;&quot;&gt;&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;a rel=&quot;nofollow&quot; target=&quot;_blank&quot; href=&quot;http://1.bp.blogspot.com/_HtZMSRIIa-k/SKmC_JjJEyI/AAAAAAAAAPQ/rKok07D7OO0/s1600-h/usdoj_seal2.png&quot;&gt;&lt;img style=&quot;margin:0px auto 10px;display:block;text-align:center;cursor:pointer;&quot; src=&quot;http://1.bp.blogspot.com/_HtZMSRIIa-k/SKmC_JjJEyI/AAAAAAAAAPQ/rKok07D7OO0/s400/usdoj_seal2.png&quot; alt=&quot;&quot; id=&quot;BLOGGER_PHOTO_ID_5235860063201596194&quot; border=&quot;0&quot;/&gt;&lt;/a&gt;&lt;span style=&quot;font-style:italic;&quot;&gt;&lt;br /&gt;&lt;/span&gt;This is a good, sensible list and solid advice for every consumer - and if you follow it religiously, you will indeed reduce the chances of having your identity stolen.  However, there is one additional step you should take.&lt;br /&gt;&lt;br /&gt;If you've read my blog before, you already know that the fifth thing you should do to protect yourself from identity theft online is add another letter &quot;s&quot; to the above and &lt;a rel=&quot;nofollow&quot; target=&quot;_blank&quot; href=&quot;http://www.safecentral.com/&quot;&gt;download SafeCentral&lt;/a&gt; - Authentium's anti-identity theft service.&lt;br /&gt;&lt;br /&gt;&lt;span style=&quot;font-style:italic;&quot;&gt;Source of list: U.S. Department of Justice &lt;/span&gt;&lt;div class=&quot;blogger-post-footer&quot;&gt;&lt;div&gt;
&lt;/div&gt;&lt;/div&gt;</description>
         <author>noreply@blogger.com (John C. Sharp)</author>
         <guid isPermaLink="false">tag:blogger.com,1999:blog-2354977161001391190.post-4162821627209158773</guid>
         <pubDate>Mon, 18 Aug 2008 13:45:00 +0000</pubDate>
         <media:thumbnail height="72" url="http://1.bp.blogspot.com/_HtZMSRIIa-k/SKmC_JjJEyI/AAAAAAAAAPQ/rKok07D7OO0/s72-c/usdoj_seal2.png" width="72" xmlns:media="http://search.yahoo.com/mrss/"/>
      </item>
      <item>
         <title>6,000 to 6,000,000,000 in 25 Years</title>
         <link>http://authentium.blogspot.com/2008/08/6000-to-6000000000-in-25-years.html</link>
         <description>On November the 7th, 1988, USA Today reported that the world's first Internet worm, the Morris virus, had effectively propagated itself to 6,000 computers:&lt;br /&gt;&lt;br /&gt;&lt;span style=&quot;font-style:italic;&quot;&gt;The &quot;virus'' - a rogue program planted by a high-tech vandal - showed up last Wednesday, duplicating itself rapidly and using vast quantities of computer space. It apparently didn't destroy any information, but it clogged an estimated 6,000 computers at universities and military labs.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Though there is some dispute over this estimate, that 6,000 number fairly accurately describes  the reach of a virus back then (it was estimated that 10% of 60,000 hosts connected to the Internet were affected.)&lt;br /&gt;&lt;br /&gt;Today, a 6,000 PC outbreak would barely rate a mention outside the targeted organization.&lt;br /&gt;&lt;br /&gt;Part of the reason is the massive scale of our telecommunications networks, worldwide.  Two years prior to the publishing of the USA Today article, the number of hosts on the Internet was less than 2,000.  In the year immediately after the publication, the number more than doubled - to 130,000 (&lt;a rel=&quot;nofollow&quot; target=&quot;_blank&quot; href=&quot;http://www.computerhistory.org/internet_history/internet_history_80s.shtml&quot;&gt;computerhistory.org&lt;/a&gt;).&lt;br /&gt;&lt;br /&gt;The growth has not abated.  Today, the number of networked devices in need of protection has grown to an estimated 3 billion, possibly as many as 3.5 billion, if you include computers along with consumer cell phones.&lt;br /&gt;&lt;br /&gt;This hard-to-believe 3 billion cell phone estimate comes from a reputable source - Jan Chipchase, one of the lead researchers at Nokia.  He estimates that within another two years, i.e. 
by 2010, another billion cell phones will come online (according to the ITU, China turned on its 601 millionth cell phone at the end of March, 2008.)&lt;br /&gt;&lt;br /&gt;Which means that if current trends continue, we're talking close to 6,000,000,000 networked devices online by the end of 2013.&lt;br /&gt;&lt;br /&gt;This remarkable difference in scale - and the fact that in three to five years, the total number of potentially vulnerable networked devices could be almost 1,000,000 times larger than it was when USA Today reported on the above story in 1988 - is interesting to ponder in terms of past and future risk mitigation efforts.&lt;br /&gt;&lt;br /&gt;As Chipchase reported in his &lt;a rel=&quot;nofollow&quot; target=&quot;_blank&quot; href=&quot;http://www.ted.com/index.php/talks/jan_chipchase_on_our_mobile_phones.html&quot;&gt;TED talk&lt;/a&gt;, there are three objects that consumers grab when they leave home - their keys, their money, and their (increasingly, Internet-enabled) cell phone.&lt;br /&gt;&lt;br /&gt;Yet, if several of the start-ups that myself and others are involved in have their way, within a few years, you will simply grab your cell phone on the way out the door: your house security and your cash will be embedded.&lt;br /&gt;&lt;br /&gt;The door will lock behind you (upon you entering the correct PIN), and your SIM will be loaded with more cash than you currently carry with you in your wallet.  Which means your entire assets are going to be IP-based and in need of protection - the kind of protection currently offered by a mere handful of non-government threat mitigation companies.&lt;br /&gt;&lt;br /&gt;This is worthy of study.  
I happen to think that the researchers and engineers at the antivirus and antispyware and firewall companies have done a pretty stunning job of keeping devices (and their users) protected over the twenty years since the Morris worm outbreak.&lt;br /&gt;&lt;br /&gt;But have we factored in enough R&amp;amp;D, enough new staff hires and training, enough process automation, enough industry cooperation, to take into account the fact that a consumer's entire asset base will be online, not to mention the exponential rise in networked devices?&lt;br /&gt;&lt;br /&gt;Are we adequately prepared for the fast-approaching situation in which the average consumer will effectively place their assets (or access to them) entirely in digital form, lock their houses via the Internet, or trust their lives to a networked heart monitor or medicine dispenser?&lt;br /&gt;&lt;br /&gt;Back in 1988, there were few assets at risk - and no antimalware software.  Authentium (Command) was one of the first to release a professional antimalware scanner in product form, with F-Prot Professional, in 1992 - and at the time of our v1.0 release, we protected computers from an incredible one hundred viruses.&lt;br /&gt;&lt;br /&gt;Now, our complete update file contains almost one million signatures, a number that, like Moore's law, has been doubling roughly every eighteen months since that first release.&lt;br /&gt;&lt;br /&gt;The fact that both key variables - the number of networked devices and the number of signatures - are trending exponentially suggests that in the next few years, we are going to see some quite different approaches to security emerge, if only to alleviate the tax on networks due to update (and scanner upgrade) delivery.&lt;br /&gt;&lt;br /&gt;Like the innovations of before, these innovations will come from the private sector, but this time, the stakes are significantly higher: as the world moves to a scenario in which a majority of the world's population and assets are 
online - including all the criminals, device blueprints, and software exploits.&lt;br /&gt;&lt;br /&gt;Our own &lt;a rel=&quot;nofollow&quot; target=&quot;_blank&quot; href=&quot;http://www.safecentral.com/&quot;&gt;SafeCentral&lt;/a&gt; service provides a hint of one such innovation - it doesn't use definition files, and doesn't require knowledge of the malware targeting the user.  There will be others.&lt;br /&gt;&lt;br /&gt;Note: Yes, I know that some of the cell phones I'm referring to here are not &quot;Internet-enabled&quot; as such, but that doesn't mean they're immune to &lt;a rel=&quot;nofollow&quot; target=&quot;_blank&quot; href=&quot;http://www.kiplinger.com/businessresource/forecast/archive/Fighting_Viruses_on_Your_Cell_Phone_080111.html&quot;&gt;malware&lt;/a&gt; - the core subject of this blog entry.  If you're interested in what cell phone viruses look like, &lt;a rel=&quot;nofollow&quot; target=&quot;_blank&quot; href=&quot;http://www.kiplinger.com/businessresource/forecast/archive/Fighting_Viruses_on_Your_Cell_Phone_080111.html&quot;&gt;read this.&lt;/a&gt;&lt;div class=&quot;blogger-post-footer&quot;&gt;&lt;div&gt;
&lt;/div&gt;&lt;/div&gt;</description>
         <author>noreply@blogger.com (John C. Sharp)</author>
         <guid isPermaLink="false">tag:blogger.com,1999:blog-2354977161001391190.post-4763256264684506813</guid>
         <pubDate>Mon, 18 Aug 2008 02:12:00 +0000</pubDate>
      </item>
      <item>
         <title>The Viruses of Khan El Khalili</title>
         <link>http://authentium.blogspot.com/2008/08/viruses-of-khan-el-khalili.html</link>
         <description>I recently came back from a 16 country trip, during which I had a chance to meet and talk with IT security guys in lots of different environments.&lt;br /&gt;&lt;br /&gt;&lt;a rel=&quot;nofollow&quot; target=&quot;_blank&quot; href=&quot;http://2.bp.blogspot.com/_HtZMSRIIa-k/SKcFz_HlsCI/AAAAAAAAAO4/3ukkLq1z3Yw/s1600-h/panda_china_cctv.jpg&quot;&gt;&lt;img style=&quot;margin:0px auto 10px;display:block;text-align:center;cursor:pointer;&quot; src=&quot;http://2.bp.blogspot.com/_HtZMSRIIa-k/SKcFz_HlsCI/AAAAAAAAAO4/3ukkLq1z3Yw/s400/panda_china_cctv.jpg&quot; alt=&quot;&quot; id=&quot;BLOGGER_PHOTO_ID_5235159482516221986&quot; border=&quot;0&quot;/&gt;&lt;/a&gt;&lt;br /&gt;What I discovered was that in some countries, consumers are overwhelmed with phishing and identity fraud-style attacks, including man in the middle and man in the browser attacks, while in other countries, destructive viruses are far more of a concern.&lt;br /&gt;&lt;br /&gt;I also discovered that some markets have grown to the point where local language attacks and coding efforts are starting to pay dividends to hackers.  This is not good news.&lt;br /&gt;&lt;br /&gt;The other day in Cairo, I got to talking with an IT guy who does quite a number of large data center installations.  
He says one of the problems he faces is that western-based antimalware applications that are signature-dependent don't do a great job of detecting some of the local viruses.&lt;br /&gt;&lt;br /&gt;He wasn't complaining - he spends a lot of his time re-imaging machines because of this (the best remedy when no disinfection routines are available), and it's good business - it also helps drive customers to adopt Linux, which is the fastest-growing part of his company.&lt;br /&gt;&lt;br /&gt;But as we sipped our coffees by the eastern side of the Nile (in a very nice bar called &lt;a rel=&quot;nofollow&quot; target=&quot;_blank&quot; href=&quot;http://www.cairodining.com/View_All_Resturant_Detail.aspx?Rest_ID=36529&quot;&gt;Sangria&lt;/a&gt;), it was clear to both of us that a system that relies on constant re-imaging of devices is eventually going to be pushed aside in favor of one that doesn't (Ubuntu, anyone?).&lt;br /&gt;&lt;br /&gt;Interestingly enough, in Japan, I noticed the issues they faced were more similar to Egypt than the US.  More emphasis on data backup and protecting files from viruses, and less talk about spyware and the stealing of user credentials - which might explain why Trend Micro, a Japanese company, is, in my opinion, better at the former than the latter.&lt;br /&gt;&lt;br /&gt;One of the reasons I think Rising and Jiangmin are doing well in China is because they are focused on viruses and other forms of malware (such as the Panda virus above) that target the Chinese market.  The same could be said for Korea-based Hauri.&lt;br /&gt;&lt;br /&gt;In the Southern hemisphere, phishing and 419 scams, identity fraud, spyware, and all of the viruses and Trojans recently written to steal user credentials were far more prevalent issues.  
From South Africa to Australia, and north to regions such as Singapore to Europe and the UK, it was clear that user credentials, not devices, were more the focus of attacks.&lt;br /&gt;&lt;br /&gt;Likewise in the Gulf countries I visited, where phishing, wifi hacks and man in the browser attacks increasingly dominate conversations.  I heard from several IT guys, including several CSOs, about increased prevalence of local language attacks - something they never used to see at all until quite recently.&lt;br /&gt;&lt;br /&gt;Clearly, as these individual markets grow, at a certain point, hackers start &quot;going local&quot; - creating demand for security solutions capable of protecting local users from locally-focused hackers.   I expect this &quot;going local&quot; factor will start to have ramifications soon regarding antimalware testing and certification, which is currently very Europe-centric in nature, and design.&lt;br /&gt;&lt;br /&gt;Because when it comes to local threats attacking narrowly-defined markets, even signature-based systems that feature great heuristics will find it harder and harder to keep up.&lt;br /&gt;&lt;br /&gt;This last fact was one of the concepts that we kept in mind while designing Authentium &lt;a rel=&quot;nofollow&quot; target=&quot;_blank&quot; href=&quot;http://www.safecentral.com/&quot;&gt;SafeCentral&lt;/a&gt;, our &quot;secure browser plus virtual desktop plus secure DNS service&quot;.  When we designed this product we focused on five basic areas of vulnerability: the user, applications, the device, the network and the destination.&lt;br /&gt;&lt;br /&gt;SafeCentral maintains a solid security posture, and enables secure transactions, regardless of your location, or where the malware was written.  
You could look at it as our investment in a future built on increasingly large, interlocked, local economies.&lt;br /&gt;&lt;br /&gt;You can download a free copy &lt;a rel=&quot;nofollow&quot; target=&quot;_blank&quot; href=&quot;http://www.safecentral.com/&quot;&gt;here&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;Note to the antimalware companies mentioned above - if you're interested in offering SafeCentral to your customers, we do have an OEM program: a large part of our antimalware business is OEM-based, through companies like Google, Microsoft and Symantec.&lt;div class=&quot;blogger-post-footer&quot;&gt;&lt;div&gt;
&lt;/div&gt;&lt;/div&gt;</description>
         <author>noreply@blogger.com (John C. Sharp)</author>
         <guid isPermaLink="false">tag:blogger.com,1999:blog-2354977161001391190.post-6948194554758486636</guid>
         <pubDate>Sat, 16 Aug 2008 16:00:00 +0000</pubDate>
         <media:thumbnail height="72" url="http://2.bp.blogspot.com/_HtZMSRIIa-k/SKcFz_HlsCI/AAAAAAAAAO4/3ukkLq1z3Yw/s72-c/panda_china_cctv.jpg" width="72" xmlns:media="http://search.yahoo.com/mrss/"/>
      </item>
      <item>
         <title>Protecting Your Online Trading Account</title>
         <link>http://authentium.blogspot.com/2008/08/protecting-your-online-trading-account.html</link>
         <description>Among the many entertaining stories in the book &quot;Stealing Your Life&quot; (mentioned below), Frank Abagnale relates the story of an online brokerage customer who has their account taken over by a hacker and used to trade options in Cisco Systems, to the tune of a $40,000 profit.&lt;br /&gt;&lt;br /&gt;Now, if the story stopped there, you can imagine it becoming a modern-day version of &quot;The Elves and the Shoemaker&quot;.&lt;br /&gt;&lt;br /&gt;&lt;span style=&quot;font-style:italic;&quot;&gt;&quot;I swear Honey, we had 2,000 Cisco options when I went to bed, but when I woke up, they'd all been sold - for a net gain of 170%!&quot;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Unfortunately, like most stories involving identity theft, the story doesn't stop there.  The thief  isn't a charitable elf.  He performs a risk-free set of trades, cashes out, and leaves you with those GM and Lucent shares you bought eight years ago.&lt;br /&gt;&lt;br /&gt;Yes, you can go to your broker and explain your loss, and most of the time they'll believe you.  But don't think this is the first time your broker has heard the &quot;it wasn't me - I was hacked&quot; story.  Be prepared to have all your documents prepared, and get ready to prove your case.&lt;br /&gt;&lt;br /&gt;Or better still, stop it from happening before it starts.&lt;br /&gt;&lt;br /&gt;This is both harder (and, ultimately, easier) than it sounds.&lt;br /&gt;&lt;br /&gt;Harder, because a lot of people try and apply enterprise security solutions to situations that are much different.&lt;br /&gt;&lt;br /&gt;Easier, because it is possible to harden the user authentication mechanism against attack, so that user credentials are not easily stolen.  
You just need the right approach.&lt;br /&gt;&lt;br /&gt;A lot of online banks and brokerages have recently started experimenting with expensive physical tokens and &quot;virtual keyboards&quot; - on-screen keyboards that feature randomized, repainted numbers that users can click on with a mouse to gain access.&lt;br /&gt;&lt;br /&gt;Both these approaches are seriously flawed.&lt;br /&gt;&lt;br /&gt;Let's look first at Virtual Keyboards.  Let me say this loud and clear: virtual keyboards are 100% useless.  If you're infested with malware created by a hacker with an IQ even slightly above room temperature (and more than half of you that are reading this are infested with malware that matches this description), your randomized virtual PIN entries are going to get captured - in the form of JPG screen shots.&lt;br /&gt;&lt;br /&gt;Print.  Print.  Print.  Send as email (to hacker).&lt;br /&gt;&lt;br /&gt;Hardware-based tokens can be equally problematic.  It's not that these sleek-looking devices don't do their job and create credentials that are unfathomably hard to guess - they do.  That isn't the problem.&lt;br /&gt;&lt;br /&gt;The problem is that these credentials are susceptible to being stolen by hackers en route to the login page, via very simple forms of the Man In The Browser attack.  See my &lt;a rel=&quot;nofollow&quot; target=&quot;_blank&quot; href=&quot;http://authentium.blogspot.com/2008/06/man-in-browser-attacks-worse-than.html&quot;&gt;earlier post&lt;/a&gt; on this subject a couple of months back.&lt;br /&gt;&lt;br /&gt;So what's an online brokerage to do, if it wants to protect its customers, aside from keep paying its SIPC dues?&lt;br /&gt;&lt;br /&gt;The technology issues seem overwhelming.  
If someone were to dream up a technology solution for adoption by online trading professionals, it would, on the surface, appear complex.&lt;br /&gt;&lt;br /&gt;It would, out of necessity, include a combination of system-level command handling and file hardening approaches, desktop virtualization, a locked-down non-standard browser with update and plug-in controls, secure DNS infrastructure, secure application update channel, and the best in current third party anti-phishing systems.  And all of this would have to work seamlessly and simply.&lt;br /&gt;&lt;br /&gt;I'll spare you any further build-up: we've built this.  The solution we've created to protect consumers against online trading fraud is called &lt;a rel=&quot;nofollow&quot; target=&quot;_blank&quot; href=&quot;http://www.safecentral.com/&quot;&gt;SafeCentral&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;Authentium SafeCentral is currently being evaluated by online brokerages on four continents, and our first release went live just over three weeks ago at &lt;a rel=&quot;nofollow&quot; target=&quot;_blank&quot; href=&quot;http://www.firstrade.com&quot;&gt;Firstrade&lt;/a&gt;, the top-ranked US online broker (Consumer Reports).&lt;div class=&quot;blogger-post-footer&quot;&gt;&lt;div&gt;
&lt;/div&gt;&lt;/div&gt;</description>
         <author>noreply@blogger.com (John C. Sharp)</author>
         <guid isPermaLink="false">tag:blogger.com,1999:blog-2354977161001391190.post-6717891584289419527</guid>
         <pubDate>Tue, 12 Aug 2008 00:57:00 +0000</pubDate>
      </item>
      <item>
         <title>&quot;Stealing Your Life&quot; by Frank Abagnale</title>
         <link>http://authentium.blogspot.com/2008/08/stealing-your-life-by-frank-abagnale.html</link>
         <description>Frank Abagnale is best known for writing a rip-roaring memoir that was adapted into the Steven Spielberg/Tom Hanks/Leonardo DiCaprio movie &quot;Catch Me If You Can&quot;.&lt;br /&gt;&lt;br /&gt;&lt;a rel=&quot;nofollow&quot; target=&quot;_blank&quot; href=&quot;http://3.bp.blogspot.com/_HtZMSRIIa-k/SKDHkRpXUHI/AAAAAAAAAOU/2_hoYId5ysc/s1600-h/catch_me_if_you_can.jpg&quot;&gt;&lt;img style=&quot;margin:0px auto 10px;display:block;text-align:center;cursor:pointer;&quot; src=&quot;http://3.bp.blogspot.com/_HtZMSRIIa-k/SKDHkRpXUHI/AAAAAAAAAOU/2_hoYId5ysc/s400/catch_me_if_you_can.jpg&quot; alt=&quot;&quot; id=&quot;BLOGGER_PHOTO_ID_5233402193030631538&quot; border=&quot;0&quot;/&gt;&lt;/a&gt;&lt;br /&gt;The scenes where Frank impersonates a PanAm pilot are my favorite - I think of them every time I travel through MIA/Miami.&lt;br /&gt;&lt;br /&gt;I contacted Frank (played by Leonardo DiCaprio in the movie) right after seeing the movie, to see if there was a way we could team up to fight Identity Theft.&lt;br /&gt;&lt;br /&gt;At the time, Frank was helping to put together PrivacyGuard, now one of the most widely-deployed solutions on the market.  We decided to keep in touch, once our respective identity protection products - PrivacyGuard, and SafeCentral (then called VirtualATM), launched.&lt;br /&gt;&lt;br /&gt;As it turns out, Frank's product beat me to market by three years.  And, as I recently found out, he followed up the launch of PrivacyGuard with an outstanding book on the identity theft problem.&lt;br /&gt;&lt;br /&gt;Called &quot;Stealing Your Life&quot;, the book is one of the best-researched and practical books on identity theft yet written - and easily the most readable.&lt;br /&gt;&lt;br /&gt;As in &quot;Catch Me If You Can&quot;, Frank is able to detail what criminals are thinking as they're plotting to steal your money.  
The stories he has to tell in &quot;Stealing Your Life&quot; are disturbing - in some cases, appalling.&lt;br /&gt;&lt;br /&gt;I'm going to pick up on a couple that I have some additional color on and share them over the next week or so.  In the meantime, I strongly suggest you go out and find this book, or &lt;a rel=&quot;nofollow&quot; target=&quot;_blank&quot; href=&quot;http://www.amazon.com/Stealing-Your-Life-Ultimate-Prevention/dp/0767925866&quot;&gt;order a copy&lt;/a&gt; through Amazon.&lt;br /&gt;&lt;br /&gt;You won't find a more informative book on the wide-ranging forms of identity theft out there, and you certainly won't find another written by a former confidence guy.&lt;br /&gt;&lt;br /&gt;If you'd like to review our own solution to identity theft, Authentium SafeCentral, just head over to our site and download the &lt;a rel=&quot;nofollow&quot; target=&quot;_blank&quot; href=&quot;http://www.safecentral.com/&quot;&gt;free trial version&lt;/a&gt;.</description>
         <author>noreply@blogger.com (John C. Sharp)</author>
         <guid isPermaLink="false">tag:blogger.com,1999:blog-2354977161001391190.post-7260953382555173543</guid>
         <pubDate>Mon, 11 Aug 2008 22:55:00 +0000</pubDate>
         <media:thumbnail height="72" url="http://3.bp.blogspot.com/_HtZMSRIIa-k/SKDHkRpXUHI/AAAAAAAAAOU/2_hoYId5ysc/s72-c/catch_me_if_you_can.jpg" width="72" xmlns:media="http://search.yahoo.com/mrss/"/>
      </item>
      <item>
         <title>ID Theft: What is a 419 Scam?</title>
         <link>http://authentium.blogspot.com/2008/08/id-theft-what-is-419-scam.html</link>
         <description>The term &quot;419 scam&quot; is synonymous with phishing and identity theft.  I personally receive about a hundred million dollars' worth of these emails a day.&lt;br /&gt;&lt;br /&gt;&lt;a rel=&quot;nofollow&quot; target=&quot;_blank&quot; href=&quot;http://1.bp.blogspot.com/_HtZMSRIIa-k/SJ5nIOQYxsI/AAAAAAAAAOE/_eop0R3h0t4/s1600-h/419depcert.jpg&quot;&gt;&lt;img style=&quot;margin:0px auto 10px;display:block;text-align:center;cursor:pointer;&quot; src=&quot;http://1.bp.blogspot.com/_HtZMSRIIa-k/SJ5nIOQYxsI/AAAAAAAAAOE/_eop0R3h0t4/s400/419depcert.jpg&quot; alt=&quot;&quot; id=&quot;BLOGGER_PHOTO_ID_5232733208014538434&quot; border=&quot;0&quot;/&gt;&lt;/a&gt;&lt;br /&gt;The variations are endless. The scams range from the baiting of the greedy and needy (&quot;I AM THE FORMER CFO OF A LARGE BANK AND I HAVE 9.5 MILLION DOLLARS THAT I WISH TO SHARE WITH YOU&quot;) to out-and-out scare tactics (&quot;SOMEONE HAS PAID ME $5,000 TO KILL YOU&quot;).&lt;br /&gt;&lt;br /&gt;But what does &quot;419&quot; mean?&lt;br /&gt;&lt;br /&gt;&quot;419&quot; refers to the name of the section of the Nigerian Criminal Code used to prosecute these crimes, when they are prosecuted.  The section, one of several sections within Chapter 38 (Obtaining Property by false pretences; Cheating), reads as follows:&lt;br /&gt;&lt;br /&gt;&lt;span style=&quot;font-style:italic;&quot;&gt;419.  
Any person who by any false pretence, and with intent to defraud, obtains from any other person anything capable of being stolen, or induces any other person to deliver to any person anything capable of being stolen, is guilty of a felony, and is liable to imprisonment for three years.&lt;/span&gt;  &lt;span style=&quot;font-style:italic;&quot;&gt;&lt;br /&gt;&lt;br /&gt;If the thing is of the value of one thousand naira or upwards [about seven $US], he is liable to imprisonment for seven years.&lt;/span&gt;  &lt;span style=&quot;font-style:italic;&quot;&gt;&lt;br /&gt;&lt;br /&gt;It is immaterial that the thing is obtained or its delivery is induced through the medium of a contract induced by the false pretence.&lt;/span&gt;  &lt;span style=&quot;font-style:italic;&quot;&gt;The offender cannot be arrested without warrant unless found committing the offence.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;A quick read of a half dozen Nigerian newspapers today turned up very few stories involving the successful prosecution of 419 email scammers.  Attempts to pass and prosecute a law in Nigeria targeting computer crime in general, such as the above, have mostly failed.&lt;br /&gt;&lt;br /&gt;This inaction at the government level has reduced many intelligent and proud Nigerians to despair.  One London-based Nigerian expat, tired of the association with Nigeria and email scams, blames lack of government investment in Nigeria's younger generation:&lt;br /&gt;&lt;br /&gt;&lt;span style=&quot;font-style:italic;&quot;&gt;&quot;What has the local, state or federal government done in the last 20 years for example to prepare for the future of this generation of internet rats? 
What have they done or what are they still doing other than stealing, looting and gallivanting like nonentities?&quot;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Many other in-country commentators &lt;a rel=&quot;nofollow&quot; target=&quot;_blank&quot; href=&quot;http://www.guardiannewsngr.com/letters/article01/290407&quot;&gt;agree&lt;/a&gt;.  About the only positive seems to be the fact that voices are at last being raised.  Maybe change (and a decent law) is in the air.&lt;br /&gt;&lt;br /&gt;Note to recipients of 419 scam emails: 419 scams are unbelievably easy to avoid.  If you receive an email from anyone, claiming:&lt;br /&gt;&lt;br /&gt;a) you won a lottery you didn't enter&lt;br /&gt;b) you have the same last name as the heir to a fortune&lt;br /&gt;c) you are targeted for murder (unless you pay up)&lt;br /&gt;d) you will have &quot;bad luck&quot; if you don't pass on the email&lt;br /&gt;e) you are otherwise in line for a windfall&lt;br /&gt;&lt;br /&gt;...you have just received a scam email of the variety commonly known as a 419 scam.  Don't respond to strangers offering money by email.  Don't get tricky and try and &quot;scam the scammer&quot; like some have attempted.  Delete the email.&lt;br /&gt;&lt;br /&gt;There is a much better chance you'll get five dollars in a card from your grandmother on your birthday than you'll see any money from one of these emails.&lt;br /&gt;&lt;br /&gt;Note: I found a curious story tonight while researching this post.  
Rumor has it that Mary Winkler, the Tennessee woman convicted of shooting her 31 year old preacher husband in the back, owed $17,500 to the Nigerian &quot;Yahoo Boys&quot; (the local Nigerian lingo for 419 perps) at the time of the murder.&lt;br /&gt;&lt;br /&gt;You can read more about this story, and others, &lt;a rel=&quot;nofollow&quot; target=&quot;_blank&quot; href=&quot;http://www.419legal.org/419-fraud-discussions/12484-ruined-lives.html&quot;&gt;here&lt;/a&gt;.</description>
         <author>noreply@blogger.com (John C. Sharp)</author>
         <guid isPermaLink="false">tag:blogger.com,1999:blog-2354977161001391190.post-7838797170592309222</guid>
         <pubDate>Sun, 10 Aug 2008 03:26:00 +0000</pubDate>
         <media:thumbnail height="72" url="http://1.bp.blogspot.com/_HtZMSRIIa-k/SJ5nIOQYxsI/AAAAAAAAAOE/_eop0R3h0t4/s72-c/419depcert.jpg" width="72" xmlns:media="http://search.yahoo.com/mrss/"/>
      </item>
      <item>
         <title>Counting Sheep</title>
         <link>http://authentium.blogspot.com/2008/08/counting-sheep.html</link>
         <description>Brian Krebs of the Washington Post wrote a nice article today about how sometimes security industry folks &lt;a rel=&quot;nofollow&quot; target=&quot;_blank&quot; href=&quot;http://voices.washingtonpost.com/securityfix/2008/08/wireless_awareness_dont_be_a_s.html?nav=rss_blog&quot;&gt;don't follow their own rules&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;&lt;a rel=&quot;nofollow&quot; target=&quot;_blank&quot; href=&quot;http://3.bp.blogspot.com/_HtZMSRIIa-k/SJ0Sre3-UhI/AAAAAAAAAN8/rBWrAK-Zs68/s1600-h/wallofsheep.gif&quot;&gt;&lt;img style=&quot;margin:0px auto 10px;display:block;text-align:center;cursor:pointer;&quot; src=&quot;http://3.bp.blogspot.com/_HtZMSRIIa-k/SJ0Sre3-UhI/AAAAAAAAAN8/rBWrAK-Zs68/s400/wallofsheep.gif&quot; alt=&quot;&quot; id=&quot;BLOGGER_PHOTO_ID_5232358880305893906&quot; border=&quot;0&quot;/&gt;&lt;/a&gt;&lt;br /&gt;In fact, it turns out that security professionals can be pretty bad at remembering not to send their usernames and passwords over non-encrypted wireless networks - of the temporary type typically slapped up at conferences.&lt;br /&gt;&lt;br /&gt;Thank goodness none of them were in a room full of hackers when their credentials were sniffed*.&lt;br /&gt;&lt;br /&gt;You can get to Brian's post on the Black Hat &quot;Wall of Sheep&quot; &lt;a rel=&quot;nofollow&quot; target=&quot;_blank&quot; href=&quot;http://voices.washingtonpost.com/securityfix/2008/08/wireless_awareness_dont_be_a_s.html?nav=rss_blog&quot;&gt;here&lt;/a&gt;.  The part where some of the people change their credentials after finding out they've been outed (even though they are still connected to the same non-secure wifi network) is, well, illuminating.&lt;br /&gt;&lt;br /&gt;*That's a joke, folks.  The Wall of Sheep experiment takes place at every Black Hat conference, and always, unfortunately, they post similar results.</description>
         <author>noreply@blogger.com (John C. Sharp)</author>
         <guid isPermaLink="false">tag:blogger.com,1999:blog-2354977161001391190.post-5074486104446760928</guid>
         <pubDate>Sat, 09 Aug 2008 03:37:00 +0000</pubDate>
         <media:thumbnail height="72" url="http://3.bp.blogspot.com/_HtZMSRIIa-k/SJ0Sre3-UhI/AAAAAAAAAN8/rBWrAK-Zs68/s72-c/wallofsheep.gif" width="72" xmlns:media="http://search.yahoo.com/mrss/"/>
      </item>
      <item>
         <title>Bring Back &quot;I Am Rich&quot;</title>
         <link>http://authentium.blogspot.com/2008/08/bring-back-i-am-rich.html</link>
         <description>Dan Frommer of the &lt;a rel=&quot;nofollow&quot; target=&quot;_blank&quot; href=&quot;http://www.huffingtonpost.com/2008/08/06/i-am-rich-iphone-app-tota_n_117191.html&quot;&gt;Silicon Valley Insider&lt;/a&gt; thinks the Apple iPhone &quot;I Am Rich&quot; application that Apple pulled from their store today is &quot;for jerks&quot; because it costs $1,000 and &quot;doesn't do anything&quot; except twinkle.&lt;br /&gt;&lt;br /&gt;&lt;a rel=&quot;nofollow&quot; target=&quot;_blank&quot; href=&quot;http://2.bp.blogspot.com/_HtZMSRIIa-k/SJzx-o8xyCI/AAAAAAAAAN0/14LYVBIo5EU/s1600-h/IAMRICH.jpg&quot;&gt;&lt;img style=&quot;margin:0px auto 10px;display:block;text-align:center;cursor:pointer;&quot; src=&quot;http://2.bp.blogspot.com/_HtZMSRIIa-k/SJzx-o8xyCI/AAAAAAAAAN0/14LYVBIo5EU/s400/IAMRICH.jpg&quot; alt=&quot;&quot; id=&quot;BLOGGER_PHOTO_ID_5232322925544196130&quot; border=&quot;0&quot;/&gt;&lt;/a&gt;&lt;br /&gt;I disagree entirely.&lt;br /&gt;&lt;br /&gt;I think Armin Heinrich, the developer of &quot;I Am Rich&quot;, is possibly smarter than just about any other developer on the iPhone platform.  Not only has he created the first $1,000 program, he's come up with an app that acts exactly like a Rolex watch or a Gold Card, except in software.&lt;br /&gt;&lt;br /&gt;Yes, you got it.  &quot;I Am Rich&quot; meets a need that is as old as time: creating attraction by proxy.&lt;br /&gt;&lt;br /&gt;Let's compare: Real gems are typically purchased from trusted brands/stores.  Real gems feature hefty price tags.  
Real gems do nothing - except twinkle and assist in attracting mates, which in turn helps us, their owners, propagate the species.&lt;br /&gt;&lt;br /&gt;Yes, I know, anthropologists and economists would have us believe that people also buy gems and precious metals in order to make their wealth more portable - but I think people also buy gems for the same reason people buy silver BMW convertibles and Apple iPhones: to show off/try to be more attractive.&lt;br /&gt;&lt;br /&gt;Think about it.  What need does the iPhone really serve, aside from creating a sense of status?  Do we really need all those sleek, cool design components, just to make a call?  If it's all about &quot;personal communications&quot; and &quot;productivity-based applications&quot;, why isn't there a brown-paper-bag version?  Why is the iPhone always on display?&lt;br /&gt;&lt;br /&gt;The answer, as everyone knows, is that &quot;cool is attractive&quot; - and being cool is as important to us humans as shiny chrome objects are to bottle cap-collecting magpies.&lt;br /&gt;&lt;br /&gt;&quot;I Am Rich&quot; may indeed be crass, and it may be a little too &quot;in your face&quot; for some (or possibly many) iPhone users - but that doesn't mean it deserves to get yanked from Apple's store.&lt;br /&gt;&lt;br /&gt;One of the benefits of living in a free society is that you get to choose what kind of jerk you want to be. In revoking this application, Apple has acted more like an old-style communist dictatorship than an innovative, capitalist-led technology company.&lt;br /&gt;&lt;br /&gt;Apple should recognize what's going on here and bring back &quot;I Am Rich&quot;.  It doesn't matter what people think of the app - revoking it wasn't cool, and will just create unfair competition for a space that Mr. Heinrich had targeted well - almost as well as Apple itself.</description>
         <author>noreply@blogger.com (John C. Sharp)</author>
         <guid isPermaLink="false">tag:blogger.com,1999:blog-2354977161001391190.post-3220415743558021023</guid>
         <pubDate>Sat, 09 Aug 2008 01:12:00 +0000</pubDate>
         <media:thumbnail height="72" url="http://2.bp.blogspot.com/_HtZMSRIIa-k/SJzx-o8xyCI/AAAAAAAAAN0/14LYVBIo5EU/s72-c/IAMRICH.jpg" width="72" xmlns:media="http://search.yahoo.com/mrss/"/>
      </item>
      <item>
         <title>DNS - The Basics Explained</title>
         <link>http://authentium.blogspot.com/2008/08/dns-basics-explained.html</link>
         <description>I realized today why consumers sometimes get so fed up with news involving Internet security alerts: it's because sometimes the basics and the acronyms are not explained, which makes the rest of the news story hard to follow.&lt;br /&gt;&lt;br /&gt;Take, for example &quot;DNS&quot;, as in the recently-announced &quot;DNS flaw&quot; - currently the subject of much news and speculation.&lt;br /&gt;&lt;br /&gt;What, exactly, does a Domain Name Server do?&lt;br /&gt;&lt;br /&gt;Let's start by explaining the concept of a &quot;domain&quot; on the Internet.  The modern word &quot;domain&quot; originates from the Latin word &quot;dominion&quot;.  It's most commonly used by people to refer to their house, corner office, or area of expertise.&lt;br /&gt;&lt;br /&gt;If you live in a block of condos, your domain is the condo in which you live.  If you live in a house in the suburbs, your domain is your house.  Your &quot;domain&quot; is simply your part of a much larger area - i.e. your condo, vs. the entire development.&lt;br /&gt;&lt;br /&gt;Likewise, in Internet terms, a &quot;domain&quot; is simply a sub-section of the Internet.&lt;br /&gt;&lt;br /&gt;The largest &quot;top level&quot; domains (i.e. the suburbs) use &quot;.com&quot;, &quot;.net&quot;, &quot;.org&quot;, &quot;.gov&quot;, &quot;.edu&quot; and similar suffixes to identify the type of top-level domain (.gov = government).&lt;br /&gt;&lt;br /&gt;The next level down (i.e. your condo development) is usually the name of a company, organization, or government agency that is part of the top-level domain.&lt;br /&gt;&lt;br /&gt;For example, the domain name &quot;authentium.com&quot; refers to the &quot;.com&quot; top level domain, then to the part of the Internet that is under Authentium's control.  
&quot;Google.com&quot; refers to the &quot;.com&quot; top level domain, then to the piece under Google's control.&lt;br /&gt;&lt;br /&gt;Put another way, when you type the domain name &quot;google.com&quot; into your address bar, you are saying, I want to 1) Go to the commercial section of the Internet, then 2) Go explore the domain of the company Google.&lt;br /&gt;&lt;br /&gt;&quot;Finance.google.com&quot; refers to a sub-domain of Google relating to finance.  The smallest domain is on the left: The finance sub-domain is smaller than the Google domain.  The Google domain is smaller than the &quot;.com&quot; top-level domain.&lt;br /&gt;&lt;br /&gt;Now you're probably reading this, thinking &quot;I thought I heard today that there was a problem with Domain Name Servers.  How could there be a problem?  I just type in a web site address, and so long as I spell the domain name correctly, I connect, right?&quot;&lt;br /&gt;&lt;br /&gt;Unfortunately, the answer is no.&lt;br /&gt;&lt;br /&gt;The definition I just gave you is how we humans look at domain names.  Computers - more specifically, the web servers that host the web pages of Authentium and Google - use a different form of domain name: a set of numbers called an Internet Protocol address, or IP address.&lt;br /&gt;&lt;br /&gt;&lt;span style=&quot;font-style:italic;&quot;&gt;Human-version domain name: &quot;google.com&quot;&lt;/span&gt;&lt;br /&gt;&lt;span style=&quot;font-style:italic;&quot;&gt;Computer-version domain name: &quot;72.14.207.99&quot;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Which is where the Domain Name Server (DNS) comes in.&lt;br /&gt;&lt;br /&gt;DNS servers, or Domain Name Servers, are simply translation devices.   
What they do is take your request for &quot;google.com&quot; and turn it from &quot;google.com&quot; into the IP address 72.14.207.99, so that your request can be understood by the computers that form the Internet and sent to  Google's domain for processing.&lt;br /&gt;&lt;br /&gt;As you can imagine, translating the names of all the web sites we type in every day into numbers is a massive task - and that is what the ten million or so DNS servers do every day.&lt;br /&gt;&lt;br /&gt;Sometimes, to make things faster, the servers store these translations.  It is not uncommon for even small-sized Domain Name Servers, like the kind you might have sitting in a rack at your office, to contain thousands or even millions of similar &quot;translations&quot; in storage.&lt;br /&gt;&lt;br /&gt;The problem with this approach is that hackers can make a ton of money by successfully changing the &quot;translations&quot;.  Typically, in a DNS hack, the hacker just takes your request for mybank.com, changes the IP address, and re-routes you to a look-alike site, so he can steal your username and password.&lt;br /&gt;&lt;br /&gt;Now, the effort required to hack a DNS server is not trivial, and not likely to be successful with respect to large, well-organized organizations.  But the recent announcement of a major flaw in the underlying DNS software has even seasoned pros working late into the night to get their fixes in place.&lt;br /&gt;&lt;br /&gt;The good news is - since the announcement yesterday of the full extent of the &quot;Kaminsky DNS flaw&quot;, a majority of the world's servers have been patched, including 70% of Fortune 500 companies.&lt;br /&gt;&lt;br /&gt;The other good news is, our product &lt;a rel=&quot;nofollow&quot; target=&quot;_blank&quot; href=&quot;http://www.safecentral.com/&quot;&gt;SafeCentral&lt;/a&gt; provides a really nice set of protections that secure DNS requests and bypass the standard DNS infrastructure.  If you're worried, give it a try.  
It also stops key-loggers and screen-scraping spyware.&lt;br /&gt;&lt;br /&gt;Note: If I didn't do a good job explaining these basics, email me, and help me improve this post.  The shorthand in here (yes, I know the Google domain includes multiple IP addresses, etc, etc) is by design - I just want to help folks understand the basics of DNS so they can get a handle on what this flaw means.&lt;br /&gt;&lt;br /&gt;If you want to dig deep on DNS, head over to Kaminsky's blog at &lt;a rel=&quot;nofollow&quot; target=&quot;_blank&quot; href=&quot;http://www.doxpara.com/&quot;&gt;DoxPara Research&lt;/a&gt;.</description>
         <author>noreply@blogger.com (John C. Sharp)</author>
         <guid isPermaLink="false">tag:blogger.com,1999:blog-2354977161001391190.post-109473712412140506</guid>
         <pubDate>Fri, 08 Aug 2008 00:15:00 +0000</pubDate>
      </item>
      <item>
         <title>VIP Laptop &quot;Rematerializes&quot; in Office</title>
         <link>http://authentium.blogspot.com/2008/08/vip-laptop-rematerializes-in-office.html</link>
         <description>Verified Identity Pass issued a press release today stating that they have &quot;found&quot; the laptop we reported was missing with over 33,000 personal profiles on it.&lt;br /&gt;&lt;br /&gt;According to the firm's head of business development, the laptop was discovered in the office in which it was lost over a week ago.  An &quot;initial investigation&quot; has revealed no tampering with the data.&lt;br /&gt;&lt;br /&gt;Comments out on the blogosphere this afternoon range from the sarcastic (&quot;that must be one a heck of a large office&quot;) to the suspicious (&quot;Probably was put back after stealing the information&quot; and &quot;I would not use that computer - there is probably a hacker chip installed in there now&quot;) to the incredulous (&quot;How do we know it's even the same laptop?&quot;).&lt;br /&gt;&lt;br /&gt;I'm going with the &quot;Gordian Knot&quot; approach on this.  I'm assuming VIP simply misplaced the laptop and found it sitting under a paper file somewhere.  I am going to assume there was no attempt at cover-up, or no attempt to deceive - because that is the simplest explanation.&lt;br /&gt;&lt;br /&gt;But I have a feeling that we're going to hear a lot more of these &quot;discoveries&quot; in future.&lt;br /&gt;&lt;br /&gt;&quot;Rediscovering&quot; a laptop that has been reported missing with your entire company's customer base on it - after it has been missing a week - is a lot less painful than watching the story grow and your business shrink.&lt;br /&gt;&lt;br /&gt;I am happy to assume this didn't happen in this case, but I'm quite certain folks looking for a quick solution in future will remember this approach, and apply it - safe in the knowledge that like me, most people will accept the news at face value.&lt;br /&gt;&lt;br /&gt;Note: I originally read this occurred in NY.  It didn't - it happened in SFO.</description>
         <author>noreply@blogger.com (John C. Sharp)</author>
         <guid isPermaLink="false">tag:blogger.com,1999:blog-2354977161001391190.post-5687236088403363690</guid>
         <pubDate>Thu, 07 Aug 2008 20:07:00 +0000</pubDate>
      </item>
      <item>
         <title>Boo!  Are your employees' computers haunted?</title>
         <link>http://blog.safecentral.com/2010/10/boo-are-your-employees-computers.html</link>
         <description>These are scary times for information security professionals who face increasing  demands for protecting sensitive company information and at the same time are supporting more and more employee-owned devices connecting to the corporate network.  &lt;br /&gt;&lt;br /&gt;In my last posting I mentioned an &lt;a rel=&quot;nofollow&quot; target=&quot;_blank&quot; href=&quot;http://www.informationweek.com/news/security/antivirus/showArticle.jhtml?articleID=227700360&quot;&gt;Information Week article&lt;/a&gt; that I will return to this week.  The article describes how anti-malware software is not getting the job done.  The author was focusing on enterprise IT organizations protecting corporate networks and devices.  &lt;br /&gt;&lt;br /&gt;But the successful evasion of software defenses that malware authors are enjoying in the enterprise is even more troubling when we look at the Bring Your Own PC model of corporate computing.  In this model company employees use their own PCs and laptops to access enterprise resources.  Bring Your Own PC could also be called &quot;Bring Your Own Malware.&quot;  If million dollar enterprise software budgets cannot keep the hackers away, how can we assume an employee-owned PC will be free of infection?&lt;br /&gt;&lt;br /&gt;&lt;div style=&quot;background-color:#e1e1e1;padding:15px;margin-left:auto;margin-right:auto;margin-top:5px;margin-bottom:5px;font-size:1.2em;width:70%;&quot;&gt;&quot;Bring Your Own PC&quot; could also be called &quot;Bring Your Own Malware&quot;&lt;/div&gt;&lt;br /&gt;There are two eye-opening statistics in the Information Week article, derived from a Ponemon Institute survey of IT and IT security practitioners:  Nearly 80% of companies report malware evades their antivirus systems, and almost half report malware infections take longer than 30 days to remove.  
That's a long time for malware-infected computers to continue connecting to corporate networks and accessing sensitive data--and these are fully managed PCs controlled by corporate IT.  The numbers must be much worse for employee-owned PCs.  Last year &lt;a rel=&quot;nofollow&quot; target=&quot;_blank&quot; href=&quot;http://blog.trendmicro.com/the-internet-infestation-how-bad-is-it-really/&quot;&gt;Trend Micro reported&lt;/a&gt; their results from monitoring 100 million compromised IP addresses:  &lt;b&gt;half of the addresses showed signs of infection for over 300 days.&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;&lt;div style=&quot;background-color:#e1e1e1;padding:15px;margin-left:auto;margin-right:auto;margin-top:5px;margin-bottom:5px;font-size:1.2em;width:70%;&quot;&gt;Nearly 80% of companies report malware evades their antivirus systems, and almost half report malware infections take longer than 30 days to remove.&lt;/div&gt;&lt;br /&gt;SafeCentral Enterprise delivers secure remote access even from machines that are compromised with malware.  SafeCentral blocks the keylogging and other data-stealing techniques of malware, providing focused protection for web, VPN, remote desktop, hosted virtual desktop and other client sessions.  You can &lt;a rel=&quot;nofollow&quot; target=&quot;_blank&quot; href=&quot;http://www.safecentral.com/business-user.html&quot;&gt;learn more here&lt;/a&gt;.</description>
         <author>noreply@blogger.com (Ray Dickenson)</author>
         <guid isPermaLink="false">tag:blogger.com,1999:blog-7633748372187898893.post-7397212062276768442</guid>
         <pubDate>Fri, 29 Oct 2010 16:47:00 +0000</pubDate>
      </item>
      <item>
         <title>Protecting Corporate Data on the Edge</title>
         <link>http://blog.safecentral.com/2010/10/protecting-corporate-data-on-edge.html</link>
         <description>Information is money and modern criminals know how to get their hands on both.  Enterprise IT professionals are severely challenged these days to keep corporate data both protected and available to authorized users at the same time.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Going to Sea in a Sieve&lt;/strong&gt;&lt;br /&gt;Greg Shipley called out security software vendors in &lt;a rel=&quot;nofollow&quot; target=&quot;_blank&quot; href=&quot;http://www.informationweek.com/news/security/antivirus/showArticle.jhtml?articleID=227700360&quot;&gt;this InformationWeek article&lt;/a&gt;, pointing out that:  &quot;...we've spent billions of dollars on security technologies, and we still can't curb these threats. Intruders trot through firewalls deployed to block them, while malware flourishes on systems that antivirus vendors pledge to immunize.&quot;&lt;br /&gt;&lt;br /&gt;When it comes to endpoint PCs I have to agree.  The problem I see is that the Windows PC is too open, too programmable, with too many APIs and too many extensible applications like web browsers and productivity suites.  This creates a rich environment for malware authors to infiltrate and take up permanent, or at least persistent, residence as a malicious ghost haunting the machine.  From this position a malware operator can harvest sensitive data, including authentication credentials, customer records, employee data and other sensitive information.&lt;br /&gt;&lt;br /&gt;IT teams have the strange mandate to deploy an extremely flexible operating system, but immediately take flexibility away from end users.  This creates a tug of war between security and usability.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Benefits of Data Centralization&lt;/strong&gt;&lt;br /&gt;These facts are inducing a reverse in the swing of the IT pendulum, which is now moving back to centralization.  
Cloud-based apps, which keep data-at-rest in the data center, are helping to limit the physical spread of data and keep it under tight control behind many layers of physical and network protection.  Hosted Virtual Desktops like Citrix XenDesktop do the same thing for entire virtual machines, allowing IT to build, deploy and maintain virtual PCs inside the data center and then deliver them over the Internet to thin client applications like the Citrix Receiver.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Don't Forget the Endpoint&lt;/strong&gt;&lt;br /&gt;Centralization is good for data, but not for people.  The workforce has become more distributed, working from home or the road or a branch office.  The point is that data can be stored centrally in the data center but it must be used out on the edge of the network; that's where the users are.  In most cases, &quot;the edge&quot; still means a Windows PC or laptop (I exclude call centers from &quot;the edge&quot;).&lt;br /&gt;&lt;br /&gt;The information security benefits of data centralization are lost when unmanaged or semi-managed endpoint PCs connect to the data center.  All the risks that Greg Shipley called out then come into play:  &lt;br /&gt;&lt;br /&gt;&lt;div style=&quot;background-color:#e1e1e1;padding:15px;margin-left:auto;margin-right:auto;margin-top:5px;margin-bottom:5px;font-size:1.2em;width:70%;&quot;&gt;&quot;Walking into the CEO's office and saying that the products you've spent a small fortune on are effective only at stopping novices and for checking off compliance forms? That takes more intestinal fortitude than most can muster.&quot;&lt;/div&gt;&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Centralized Data with Secure Remote Access&lt;/strong&gt;&lt;br /&gt;I think the pendulum is swinging to a safer place.  Centralizing data and functionality, along with endpoint lockdown and secure remote access create a formula that works.  
Network Access Control (NAC) was an attempt to ensure that only properly secured endpoint computers could connect to a corporate network.  But NAC relies on the imperfect Antivirus and Firewalls Greg Shipley called out as ineffective.&lt;br /&gt;&lt;br /&gt;Here at SafeCentral we are addressing the risks to data in use on remote endpoints differently.  We do not protect the endpoint; we protect the data while it is in use.  We provide a Secure Desktop that protects against keyloggers, screen-scrapers, DNS redirection, code injection and other threats.  From the Secure Desktop the user launches their VPN client and logs in, with full anti-keylogger protection for their username and password.  Once connected to the VPN and while on the Secure Desktop, the user can only run applications white-listed by the IT administrator.  &quot;Thin client applications&quot; like Citrix or Microsoft Remote Desktop are perfect fits for the SafeCentral Secure Desktop (see my earlier posting:  &lt;a rel=&quot;nofollow&quot; target=&quot;_blank&quot; href=&quot;http://blog.safecentral.com/2010/09/patented-data-loss-protection-from.html&quot;&gt;Patented Data Loss Protection&lt;/a&gt;).  Users can switch back and forth between the locked-down Secure Desktop and their normal Windows desktop, multi-tasking throughout the day.  This gives them the benefit of extreme lock-down while accessing corporate data, with an option to switch out to the more open environment of the standard Windows desktop when they want.  
The data on the Secure Desktop remain protected.&lt;br /&gt;&lt;br /&gt;&lt;div style=&quot;background-color:#e1e1e1;padding:15px;margin-left:auto;margin-right:auto;margin-top:5px;margin-bottom:5px;font-size:1.2em;width:70%;&quot;&gt;Centralizing data and functionality, along with endpoint lockdown and secure remote access create a formula that works.&lt;/div&gt; &lt;br /&gt;&lt;br /&gt;Examples of White-listed Clients on the SafeCentral Secure Desktop:&lt;br /&gt;&lt;ul&gt;&lt;li&gt;Cisco AnyConnect VPN&lt;/li&gt;&lt;br /&gt;&lt;li&gt;Juniper Netconnect VPN&lt;/li&gt;&lt;br /&gt;&lt;li&gt;Juniper Citrix Services secure proxy&lt;/li&gt;&lt;br /&gt;&lt;li&gt;F5 Firepass VPN&lt;/li&gt;&lt;br /&gt;&lt;li&gt;Citrix XenDesktop or XenApp&lt;/li&gt;&lt;br /&gt;&lt;li&gt;VMWare View 4.5 Client&lt;/li&gt;&lt;br /&gt;&lt;li&gt;Microsoft Remote Desktop Client&lt;/li&gt;&lt;br /&gt;&lt;li&gt;SafeCentral SafeBrowser (a locked-down web browser)&lt;/li&gt;&lt;br /&gt;&lt;li&gt;Attachmate&lt;/li&gt;&lt;br /&gt;&lt;li&gt;more on the way...&lt;/li&gt;&lt;br /&gt;&lt;/ul&gt;&lt;br /&gt;&lt;br /&gt;If you are interested in hearing more, please drop me a line at rdickenson/at/safecentral/dot/com or post a comment here.</description>
         <author>noreply@blogger.com (Ray Dickenson)</author>
         <guid isPermaLink="false">tag:blogger.com,1999:blog-7633748372187898893.post-4887922492644227171</guid>
         <pubDate>Wed, 20 Oct 2010 20:23:00 +0000</pubDate>
      </item>
      <item>
         <title>$10 Million Stolen in 3 Months by an e-Crime Gang in London</title>
         <link>http://blog.safecentral.com/2010/09/10-million-stolen-in-3-months-by-e.html</link>
         <description>The London Metropolitan Police Central e-Crime Unit arrested 15 men and women who &lt;a rel=&quot;nofollow&quot; target=&quot;_blank&quot; href=&quot;http://www.bbc.co.uk/news/uk-11431989&quot;&gt;stole nearly $10 million from online bank accounts&lt;/a&gt; in only 3 months.  The gang infected the personal computers of unsuspecting Internet users with a mass-market crimeware trojan named &quot;Zeus&quot; and transferred the money out of their victims' online banking accounts.  &lt;br /&gt;&lt;br /&gt;Police representatives said the total amount of money stolen will likely climb as the investigation proceeds.&lt;br /&gt;&lt;br /&gt;The Zeus trojan is a very effective piece of &quot;crimeware,&quot; software designed to conduct online crimes, that can be purchased for $300 on black market websites.  Willing criminals do not have to be computer experts to operate a Zeus network.  The authors of the Zeus trojan have automated most of the details of the crimeware's operation, and even offer guarantees that it will not be detected by antivirus programs.&lt;br /&gt;&lt;br /&gt;The Zeus trojan comes with a &quot;Command and Control&quot; server that collects stolen data and can be configured to control hundreds of thousands of infected PCs, issuing instructions on how and where to transfer funds automatically out of online bank accounts.&lt;br /&gt;&lt;br /&gt;The Zeus trojan is a top money-earner for online criminals worldwide.  We use Zeus in our tests of &lt;a rel=&quot;nofollow&quot; target=&quot;_blank&quot; href=&quot;http://www.safecentral.com&quot;&gt;SafeCentral WebProtection&lt;/a&gt; and verify that SafeCentral blocks the trojan's data-stealing features.  
Below is a screenshot from a control test of the Zeus trojan, showing keystrokes being collected out of a Bank of America online banking session when SafeCentral is not being used.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;center&gt;&lt;strong&gt;Stolen Data Report from a Zeus Trojan Server&lt;/strong&gt;&lt;/center&gt;&lt;br /&gt;&lt;a rel=&quot;nofollow&quot; target=&quot;_blank&quot; href=&quot;http://1.bp.blogspot.com/_4wLdyS_V2Q8/TKK9Ob0HtRI/AAAAAAAAAEU/jZQDpU-94yo/s1600/Zeus_Screen2.png&quot;&gt;&lt;img style=&quot;display:block;margin:0px auto 10px;text-align:center;cursor:pointer;cursor:hand;width:400px;height:321px;&quot; src=&quot;http://1.bp.blogspot.com/_4wLdyS_V2Q8/TKK9Ob0HtRI/AAAAAAAAAEU/jZQDpU-94yo/s400/Zeus_Screen2.png&quot; border=&quot;0&quot; alt=&quot;&quot; id=&quot;BLOGGER_PHOTO_ID_5522184148791833874&quot;/&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;</description>
         <author>noreply@blogger.com (Ray Dickenson)</author>
         <guid isPermaLink="false">tag:blogger.com,1999:blog-7633748372187898893.post-2104966289624302256</guid>
         <pubDate>Wed, 29 Sep 2010 03:35:00 +0000</pubDate>
         <media:thumbnail height="72" url="http://1.bp.blogspot.com/_4wLdyS_V2Q8/TKK9Ob0HtRI/AAAAAAAAAEU/jZQDpU-94yo/s72-c/Zeus_Screen2.png" width="72" xmlns:media="http://search.yahoo.com/mrss/"/>
      </item>
      <item>
         <title>Patented Data Loss Protection from SafeCentral, Inc.</title>
         <link>http://blog.safecentral.com/2010/09/patented-data-loss-protection-from.html</link>
         <description>It's been a busy summer for SafeCentral and I am eager to share the results of our hard work.  We've put out a couple of press releases recently that hint at the action going on behind the scenes:  we got the &lt;a rel=&quot;nofollow&quot; target=&quot;_blank&quot; href=&quot;http://www.safecentral.com/press/releases/TSX_System_Level%20Security_Patent.html&quot;&gt;first of 5 patents assigned&lt;/a&gt; to our Trusted Security Extensions (TSX) technology and just completed the &lt;a rel=&quot;nofollow&quot; target=&quot;_blank&quot; href=&quot;http://www.safecentral.com/press/releases/Authentium_Commtouch_Announcement.html&quot;&gt;sale of our antivirus business to Commtouch&lt;/a&gt;.  First I'd like to say that the Commtouch folks have been a real pleasure to work with over the summer as we put together a deal that makes a ton of sense both to them and us.  That transaction allows us to focus on proactive data and application protection powered by TSX and embodied in our SafeCentral product.  TSX brings unparalleled protection to sensitive data for consumers and enterprises alike.&lt;br /&gt;&lt;br /&gt;There is no better signal of our focus than renaming the entire company to SafeCentral, Inc.!  We will be launching a new website in a couple of weeks that takes the wraps off some additional products we are bringing to market.  &lt;br /&gt;&lt;br /&gt;Our consumer product is going strong--we will be announcing several distribution partnerships for SafeCentral over the next few weeks.  We will also be announcing some of the new things we have been working on for enterprise customers.  
Here is a sneak peek at endpoint data protection for thin client access methods such as Virtual Desktop Infrastructure (VDI), Virtual Applications, and Remote Desktop.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;center&gt;&lt;strong&gt;Data Loss Protection for XenApp Clients&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;embed src=&quot;http://www.youtube.com/v/q4eLWeo6QGs?fs=1&amp;amp;hl=en_US&quot; width=&quot;720&quot; height=&quot;430&quot; type=&quot;application/x-shockwave-flash&quot;&gt;&lt;/embed&gt;&lt;br /&gt;&lt;/center&gt;</description>
         <author>noreply@blogger.com (Ray Dickenson)</author>
         <guid isPermaLink="false">tag:blogger.com,1999:blog-7633748372187898893.post-7613261320559294978</guid>
         <pubDate>Mon, 06 Sep 2010 21:44:00 +0000</pubDate>
      </item>
      <item>
         <title>SafeCentral featured on AOL.com</title>
         <link>http://blog.safecentral.com/2010/04/safecentral-featured-on-aolcom.html</link>
         <description>&lt;div&gt;SafeCentral is featured today in one of the &lt;a rel=&quot;nofollow&quot; target=&quot;_blank&quot; href=&quot;http://www.aol.com/?dlact=dl3&quot;&gt;lead stories on AOL.com&lt;/a&gt;. In a story about phishing, &quot;&lt;a rel=&quot;nofollow&quot; target=&quot;_blank&quot; href=&quot;http://daol.aol.com/articles/if-you-get-this-email-delete-it-asap&quot;&gt;If You Get This E-Mail, Delete It ASAP&lt;/a&gt;,&quot; a sidebar focuses on how SafeCentral helps secure your online shopping and banking transactions. SafeCentral is available to AOL subscribers at a 50% discount.&lt;/div&gt;&lt;br /&gt;&lt;div&gt;&lt;/div&gt;&lt;br /&gt;&lt;img id=&quot;BLOGGER_PHOTO_ID_5464835403702708722&quot; style=&quot;DISPLAY:block;MARGIN:0px auto 10px;WIDTH:328px;HEIGHT:391px;TEXT-ALIGN:center;&quot; alt=&quot;&quot; src=&quot;http://2.bp.blogspot.com/_4wLdyS_V2Q8/S9b-2IGtqfI/AAAAAAAAAD8/emJh-QHZdos/s400/aolsidebar.PNG&quot; border=&quot;0&quot;/&gt;</description>
         <author>noreply@blogger.com (Ray Dickenson)</author>
         <guid isPermaLink="false">tag:blogger.com,1999:blog-7633748372187898893.post-122661884949729163</guid>
         <pubDate>Tue, 27 Apr 2010 14:58:00 +0000</pubDate>
         <media:thumbnail height="72" url="http://2.bp.blogspot.com/_4wLdyS_V2Q8/S9b-2IGtqfI/AAAAAAAAAD8/emJh-QHZdos/s72-c/aolsidebar.PNG" width="72" xmlns:media="http://search.yahoo.com/mrss/"/>
      </item>
      <item>
         <title>Tax Season Starts with FBI Report on Doubling of Internet Crime</title>
         <link>http://blog.safecentral.com/2010/03/tax-filing-season-starts-with-fbi.html</link>
         <description>The IRS refunded $43.5 billion to tax filers last year, 72% of whom filed electronically (&lt;a rel=&quot;nofollow&quot; target=&quot;_blank&quot; href=&quot;http://www.gao.gov/products/GAO-09-640&quot;&gt;GAO report here)&lt;/a&gt;. That much money and sensitive information flowing over the network attracts the attention of online thieves who move in like grizzly bears during a salmon run. Today I will share a few tips on how you can avoid being snatched up by the bad guys while you do your annual patriotic duty to help fund Uncle Sam.&lt;br /&gt;&lt;br /&gt;First it is worth noting that dollars lost to Internet crime doubled from 2008 to 2009, topping half a billion dollars in the US. The &lt;a rel=&quot;nofollow&quot; target=&quot;_blank&quot; href=&quot;http://www.ic3.gov/media/2010/100312.aspx&quot;&gt;2009 Internet Crime Report&lt;/a&gt; released on Friday listed average losses at over $5,000 per incident with a mean loss closer to $500. The report pointed out that prosecution of online crimes is difficult because the victim and perpetrator &quot;may be located anywhere in the world.&quot;&lt;br /&gt;&lt;br /&gt;The same convenience that electronic tax preparation and filing presents to the tax payer can also work for the criminal. Simply having an electronic copy of your tax return on your computer can expose you to risk. Last August a Seattle man was convicted of fraud when a lucky break allowed authorities to catch him with tax returns, financial aid applications and other documents pilfered over the Internet from family computers across the country. &lt;a rel=&quot;nofollow&quot; target=&quot;_blank&quot; href=&quot;http://www.justice.gov/usao/waw/press/2009/mar/wood.html&quot;&gt;Frederick Wood&lt;/a&gt; used file-sharing programs to search for keywords like &quot;tax return&quot; and find documents on personal computers thousands of miles away. 
He used information in these documents to commit financial fraud.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Tips for Safe Tax Filing&lt;/strong&gt;&lt;br /&gt;&lt;ol&gt;&lt;li&gt;&lt;strong&gt;Start with a clean machine:&lt;/strong&gt; don't use the same computer to prepare your taxes that you use for social networking like Facebook and Twitter. Online criminals use these services to spread malware via links that appear to come from friends, or even through display ads that can infect your computer even if you don't click on them.&lt;/li&gt;&lt;li&gt;&lt;strong&gt;Turn on WiFi Encryption:&lt;/strong&gt; if your home network uses WiFi, make sure it is encrypted with WPA or at least WEP. Consult your wireless router manual or the manufacturer's website for setup instructions. Unencrypted wireless networks can allow thieves to connect to your network and gain access to sensitive documents on your computer even when you are not at home.&lt;/li&gt;&lt;li&gt;&lt;strong&gt;Run a full antivirus scan:&lt;/strong&gt; antivirus can't catch everything, but running a full scan before performing sensitive work like tax filing will give you the best chance for privacy. These scans can take an hour or more to run, so plan ahead and let the scan run overnight before your marathon tax session.&lt;/li&gt;&lt;li&gt;&lt;strong&gt;Use unique passwords:&lt;/strong&gt; if you are signing up for a new online tax filing service, resist the impulse to use that same password you use for everything else. Create a password that is memorable only to you--use something you can see from your computer, like &quot;Green Vase&quot; but mix it up with some punctuation and other characters: &quot;Green--Vase:)&quot; Just don't break the vase!&lt;/li&gt;&lt;li&gt;&lt;span style=&quot;font-weight:bold;&quot;&gt;Remove dangerous programs:&lt;/span&gt;  if you have a file-sharing program like LimeWire, remove it or carefully review the files it is sharing.  
Latest versions of LimeWire will no longer share documents by default, but many users do not update software and may be running with an older version.  If you want to keep your file sharing program but be really sure you are not sharing sensitive files, ask a friend to connect to your library and see what you are sharing (see LimeWire's &quot;Direct Connect&quot; feature).  You should know, however, that file sharing programs are a &lt;a rel=&quot;nofollow&quot; target=&quot;_blank&quot; href=&quot;http://blog.safecentral.com/2009/02/kids-download-darndest-things.html&quot;&gt;major source of malware infection&lt;/a&gt;.&lt;br /&gt;&lt;/li&gt;&lt;/ol&gt;While the Clean Machine is the best bet for safe filing, you may be planning on using your tax refund to buy your new laptop--this puts you in a bit of a chicken-egg situation. For you, we have SafeCentral. SafeCentral creates a &quot;clean desktop&quot; on your existing computer, shielding you from keyloggers and other nasty programs that try to steal your sensitive information. You can give it a try free for 14 days &lt;a rel=&quot;nofollow&quot; target=&quot;_blank&quot; href=&quot;http://www.safecentral.com/&quot;&gt;here on the website&lt;/a&gt;. That should be plenty of time to get your taxes filed and decide whether a small piece of your refund is worth the price of protecting you online all year with SafeCentral.</description>
         <author>noreply@blogger.com (Ray Dickenson)</author>
         <guid isPermaLink="false">tag:blogger.com,1999:blog-7633748372187898893.post-1898818607324954969</guid>
         <pubDate>Wed, 17 Mar 2010 21:11:00 +0000</pubDate>
      </item>
      <item>
         <title>PC Magazine Four-Star Review of SafeCentral 2.6</title>
         <link>http://blog.safecentral.com/2010/01/pc-magazine-four-star-review-of.html</link>
         <description>We earned 4 stars in the &lt;a rel=&quot;nofollow&quot; target=&quot;_blank&quot; href=&quot;http://www.pcmag.com/article2/0,2817,2357889,00.asp&quot;&gt;PC Magazine review of SafeCentral 2.6&lt;/a&gt; that appeared on Friday.  I am very happy to see the review up on the &lt;a rel=&quot;nofollow&quot; target=&quot;_blank&quot; href=&quot;http://www.pcmag.com&quot;&gt;PCMag.com &lt;/a&gt;home page.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;a rel=&quot;nofollow&quot; target=&quot;_blank&quot; href=&quot;http://2.bp.blogspot.com/_4wLdyS_V2Q8/S0taeWBDZZI/AAAAAAAAAD0/CdxPPLstRzc/s1600-h/SC2.6ReviewPCMagHomePageJan2010.PNG&quot;&gt;&lt;img style=&quot;display:block;margin:0px auto 10px;text-align:center;cursor:pointer;cursor:hand;width:400px;height:300px;&quot; src=&quot;http://2.bp.blogspot.com/_4wLdyS_V2Q8/S0taeWBDZZI/AAAAAAAAAD0/CdxPPLstRzc/s400/SC2.6ReviewPCMagHomePageJan2010.PNG&quot; border=&quot;0&quot; alt=&quot;&quot; id=&quot;BLOGGER_PHOTO_ID_5425529653450466706&quot;/&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;The reviewer, &lt;a rel=&quot;nofollow&quot; target=&quot;_blank&quot; href=&quot;http://www.pcmag.com/author_bio/0,1908,a%253D184,00.asp&quot;&gt;Neil J. Rubenking&lt;/a&gt;, commends our ease-of-use and the real-time feedback we give users on the safety of their web sessions.  Our support for 64-bit platforms, including XP, Vista and Windows 7 was also noted.&lt;br /&gt;&lt;br /&gt;One of the &quot;Cons&quot; in the review is the closed nature of the SafeCentral browser.  We do not allow any and all browser plugins.  We see this as a strong positive.  On our work computers we are used to the network admins at our companies limiting what we can install and run, and which websites we visit.  We understand that these constraints are necessary to protect company assets.  Now is the time for us to recognize that we need to exercise the same control over our home PCs and laptops.  
When we sign into our bank or online retirement account, we should think and act differently--we have more to protect at this moment than when we are watching the latest funny YouTube video or posting a photo to Facebook.&lt;br /&gt;&lt;br /&gt;Just like the iPhone is carefully managed by Apple to ensure the quality and security of iPhone applications, we recognize that browser plugins can introduce additional risks into sensitive web sessions and seek to protect users from those risks.  Increased security almost always comes with some impact on usability.  With SafeCentral, though, you still can use your regular browser and those Digg and Flickr toolbars to do all your fun stuff.  Use SafeCentral for serious web stuff like banking, stock trading and tax filing.</description>
         <author>noreply@blogger.com (Ray Dickenson)</author>
         <guid isPermaLink="false">tag:blogger.com,1999:blog-7633748372187898893.post-3364813951690617078</guid>
         <pubDate>Mon, 11 Jan 2010 16:47:00 +0000</pubDate>
         <media:thumbnail height="72" url="http://2.bp.blogspot.com/_4wLdyS_V2Q8/S0taeWBDZZI/AAAAAAAAAD0/CdxPPLstRzc/s72-c/SC2.6ReviewPCMagHomePageJan2010.PNG" width="72" xmlns:media="http://search.yahoo.com/mrss/"/>
      </item>
      <item>
         <title>Twitter Hack and the Iranian Cyber Army</title>
         <link>http://blog.safecentral.com/2009/12/twitter-hack-and-iranian-cyber-army.html</link>
         <description>&lt;span style='font-size:0.9em;'&gt;(See &lt;a rel=&quot;nofollow&quot; href=&quot;#updates&quot;&gt;continuing updates&lt;/a&gt; to this story below.)&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Earlier this morning a DNS hack took control of Twitter.com traffic and redirected to a website with a splash page proclaiming, &quot;THIS SITE HAS BEEN HACKED BY IRANIAN CYBER ARMY.&quot;  This hack has a lot in common with the &lt;a rel=&quot;nofollow&quot; target=&quot;_blank&quot; href=&quot;http://blog.safecentral.com/2009/12/drhiad-islamic-terrorist-or-teenager.html&quot;&gt;Dr.Hiad&lt;/a&gt; website defacement I reported on two weeks ago.  &lt;br /&gt;&lt;br /&gt;&lt;strong&gt;New information&lt;/strong&gt;&lt;br /&gt;The so-called Iranian Cyber Army has defaced websites in the same manner as Dr.Hiad.  At this moment (7:35AM Eastern Time) there is a website displaying the exact image that Twitter users saw earlier today during the Twitter hack event.  A screenshot of that web page is shown below.  The webpage contains an email link to the Iranian Cyber Army's Gmail account.&lt;br /&gt;&lt;br /&gt;It is likely that the Twitter DNS attackers simply pointed &quot;twitter.com&quot; to the IP address of a defaced website like the one below.  It would not make sense for them to point Twitter traffic to their own web server:  that would allow them to be traced and possibly caught.&lt;br /&gt;&lt;br /&gt;When the Twitter attackers realized they could take over Twitter's DNS, they had to decide where to point the traffic.  Redirect it to comedycentral.com?  Disney.com?  
Or how about a defaced webpage bearing the image of the Iranian Cyber Army?&lt;br /&gt;&lt;br /&gt;There is some chance the Twitter attackers executed both the website defacement and the DNS takeover.&lt;br /&gt;&lt;br /&gt;&lt;center&gt;&lt;strong&gt;Screenshot of Iranian Cyber Army Website Defacement&lt;/strong&gt;&lt;/center&gt;&lt;br /&gt;&lt;a rel=&quot;nofollow&quot; target=&quot;_blank&quot; href=&quot;http://3.bp.blogspot.com/_4wLdyS_V2Q8/SytzlvEzISI/AAAAAAAAADs/1YBBzxHDfp8/s1600-h/ica_sm.PNG&quot;&gt;&lt;img style=&quot;display:block;margin:0px auto 10px;text-align:center;cursor:pointer;cursor:hand;width:377px;height:400px;&quot; src=&quot;http://3.bp.blogspot.com/_4wLdyS_V2Q8/SytzlvEzISI/AAAAAAAAADs/1YBBzxHDfp8/s400/ica_sm.PNG&quot; border=&quot;0&quot; alt=&quot;&quot; id=&quot;BLOGGER_PHOTO_ID_5416550068972101922&quot;/&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;DNS is Fundamental&lt;/strong&gt;&lt;br /&gt;DNS is the Internet service that kicks in when we type a website name into our browser or click a link on a web page.  Type &quot;twitter.com&quot; into your browser and DNS will look up the IP address of the Twitter web server so your browser can connect and download all those tweets.  As fundamental as DNS is to our Internet experience, it has virtually no security, particularly on our home computers and Internet connections.  
Also, the DNS servers &quot;up in the cloud&quot; are &lt;a rel=&quot;nofollow&quot; target=&quot;_blank&quot; href=&quot;http://icannwiki.org/DNS-The_Value_and_Vulnerability&quot;&gt;rife with vulnerabilities&lt;/a&gt; that enable attackers to gain control and carry out pranks like the Twitter redirection this morning.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;a rel=&quot;nofollow&quot; name=&quot;updates&quot;&gt;&lt;span style=&quot;font-size:1.4em;font-weight:bold;&quot;&gt;Updates&lt;/span&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;December 18, 2009 8:20AM - Update&lt;/strong&gt;&lt;br /&gt;The defaced website that Twitter users were directed to, shown in the screenshot above, is an online forum for the Green Freedom Wave, an Iranian reform movement.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;December 18, 2009 9:08AM - Update&lt;/strong&gt;&lt;br /&gt;The Green Freedom Wave website was hosted at Netfirms, a managed web server company that is well-known to website defacers who exploit weaknesses in web and database servers.  These web hosting companies offer lots of functionality, including web sites, databases and online shops, at very reasonable prices.  However, these features also can make them vulnerable to compromise.&lt;br /&gt;&lt;br /&gt;The website defacement is the minor part of this story.  The DNS takeover is extremely serious, especially since it happened at Twitter.com, which receives over 20 million visitors per month.  If the Twitter.com site had been redirected to a web page containing malware, a huge chunk of the Internet population would be infected.  
Perhaps I should say a &quot;huger&quot; chunk:  &lt;a rel=&quot;nofollow&quot; target=&quot;_blank&quot; href=&quot;http://www.computerworld.com/s/article/9138514/Russian_cybergangs_make_the_Web_a_dangerous_place&quot;&gt;35 million computers infected per month with one type of malware.&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;December 18, 2009 10:35AM - Update&lt;/strong&gt;&lt;br /&gt;The Green Freedom Wave website was probably hacked using SQL Injection, Remote File Inclusion, or similar techniques that are well-documented on the web.  Note the &lt;a rel=&quot;nofollow&quot; target=&quot;_blank&quot; href=&quot;http://blog.safecentral.com/2009/12/drhiad-islamic-terrorist-or-teenager.html#dr.hiad.sig&quot;&gt;signature line of Dr.Hiad &lt;/a&gt;from my earlier post.  &lt;a rel=&quot;nofollow&quot; target=&quot;_blank&quot; href=&quot;http://en.wikipedia.org/wiki/Remote_File_Inclusion&quot;&gt;Remote File Inclusion&lt;/a&gt; allows an attacker to exploit a script on the target website to replace the home page of the website.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;December 19, 2009 7:49AM - Update&lt;/strong&gt;&lt;br /&gt;Busy day yesterday speaking to reporters and colleagues about the Twitter DNS compromise.  Here are a couple of stories:&lt;br /&gt;&lt;div style='margin:0px 30px;'&gt;&lt;br /&gt;eWeek:&lt;br /&gt;&lt;a rel=&quot;nofollow&quot; target=&quot;_blank&quot; href='http://www.eweek.com/c/a/Security/New-Twitter-Attack-Details-Emerge-175634'&gt;http://www.eweek.com/c/a/Security/New-Twitter-Attack-Details-Emerge-175634&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Computerworld:&lt;br /&gt;&lt;a rel=&quot;nofollow&quot; target=&quot;_blank&quot; href='http://www.computerworld.com/s/article/9142485/Twitter_s_own_account_caused_blackout_says_DNS_provider'&gt;http://www.computerworld.com/s/article/9142485/Twitter_s_own_account_caused_blackout_says_DNS_provider&lt;/a&gt;&lt;br /&gt;&lt;/div&gt;</description>
         <author>noreply@blogger.com (Ray Dickenson)</author>
         <guid isPermaLink="false">tag:blogger.com,1999:blog-7633748372187898893.post-2534416668355695927</guid>
         <pubDate>Fri, 18 Dec 2009 11:46:00 +0000</pubDate>
         <media:thumbnail height="72" url="http://3.bp.blogspot.com/_4wLdyS_V2Q8/SytzlvEzISI/AAAAAAAAADs/1YBBzxHDfp8/s72-c/ica_sm.PNG" width="72" xmlns:media="http://search.yahoo.com/mrss/"/>
      </item>
      <item>
         <title>Securing the Cloud</title>
         <link>http://blog.safecentral.com/2009/12/securing-cloud.html</link>
         <description>I will be a speaker at a &lt;a rel=&quot;nofollow&quot; target=&quot;_blank&quot; href=&quot;https://event.on24.com/eventRegistration/EventLobbyServlet?target=registration.jsp&eventid=177034&sessionid=1&key=B16ECE464CF54BB25BBC8B437B1746DC&partnerref=fcioweb&sourcepage=register&quot;&gt;free cloud security webinar &lt;/a&gt;sponsored by Enterprise Florida on Thursday, December 10 at 2PM Eastern Time.  Cloud computing is a topic generating both hype and anti-hype right now.  The anti-hype comes mostly from the security community warning that the benefits of fast, easy development and hosting are just what we do not need right now.&lt;br /&gt;&lt;br /&gt;Also presenting will be Chris Day, Chief Security Architect at Terremark, and Alex Eckelberry, CEO of Sunbelt Software.  The event is moderated by Esther Schindler, author and industry expert.&lt;br /&gt;&lt;br /&gt;See you there!</description>
         <author>noreply@blogger.com (Ray Dickenson)</author>
         <guid isPermaLink="false">tag:blogger.com,1999:blog-7633748372187898893.post-8250006329351316836</guid>
         <pubDate>Tue, 08 Dec 2009 23:38:00 +0000</pubDate>
      </item>
      <item>
         <title>Dr.HiaD:  Islamic Terrorist or Teenager Having Fun?</title>
         <link>http://blog.safecentral.com/2009/12/drhiad-islamic-terrorist-or-teenager.html</link>
         <description>&lt;center&gt;&lt;br /&gt;&lt;a rel=&quot;nofollow&quot; target=&quot;_blank&quot; href=&quot;http://2.bp.blogspot.com/_4wLdyS_V2Q8/SxX3GUvZoHI/AAAAAAAAADc/a6RtRUao6_4/s1600-h/auto.jpg&quot;&gt;&lt;img style=&quot;display:block;margin:0px auto 10px;text-align:center;cursor:pointer;cursor:hand;width:400px;height:254px;&quot; src=&quot;http://2.bp.blogspot.com/_4wLdyS_V2Q8/SxX3GUvZoHI/AAAAAAAAADc/a6RtRUao6_4/s400/auto.jpg&quot; border=&quot;0&quot; alt=&quot;&quot; id=&quot;BLOGGER_PHOTO_ID_5410502215374315634&quot;/&gt;&lt;/a&gt;&lt;span style='font-size:.8em;margin-left:auto;margin-right:auto;'&gt;Click image for expanded view&lt;/span&gt;&lt;/center&gt;&lt;br /&gt;&lt;br /&gt;Let me steal my own thunder and go with Teen Having Fun.&lt;br /&gt;&lt;br /&gt;Earlier today the campaign website of Bill Connor, candidate for Lieutenant Governor in South Carolina, was defaced with a graffiti-like image in the typical fashion of juvenile hackers.  &lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;center&gt;&lt;strong&gt;Screenshot of the Bill Connor Website Defacement&lt;/strong&gt;&lt;br /&gt;Source:  FITSNews Political Blog (not verified)&lt;br /&gt;&lt;br /&gt;&lt;a rel=&quot;nofollow&quot; target=&quot;_blank&quot; href=&quot;http://3.bp.blogspot.com/_4wLdyS_V2Q8/SxX96FGbfhI/AAAAAAAAADk/oaYAOrgRY5Q/s1600-h/hacked.jpg&quot;&gt;&lt;img style=&quot;display:block;margin:0px auto 10px;text-align:center;cursor:pointer;cursor:hand;width:400px;height:235px;&quot; src=&quot;http://3.bp.blogspot.com/_4wLdyS_V2Q8/SxX96FGbfhI/AAAAAAAAADk/oaYAOrgRY5Q/s400/hacked.jpg&quot; border=&quot;0&quot; alt=&quot;&quot; id=&quot;BLOGGER_PHOTO_ID_5410509701598903826&quot;/&gt;&lt;/a&gt;&lt;span style='font-size:.8em;margin-left:auto;margin-right:auto;'&gt;Click image for expanded view&lt;/span&gt;&lt;/center&gt;&lt;br /&gt;&lt;br /&gt;The hacked page included a small amount of Arabic text, which got the attention of the candidate and former US Army officer, who served in 
Afghanistan.  A statement on &lt;a rel=&quot;nofollow&quot; target=&quot;_blank&quot; href=&quot;http://www.facebook.com/home.php?#/group.php?v=wall&ref=search&gid=54819625761&quot;&gt;his campaign's Facebook page&lt;/a&gt; said, &quot;I do hope this serves as a wakeup call to the continuing danger we face in South Carolina from the threat of radical Islam and shari’a law.&quot;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;div style=&quot;background-color:#e1e1e1;padding:15px;margin-left:auto;margin-right:auto;margin-top:5px;margin-bottom:5px;font-size:1.2em;width:70%;&quot;&gt;&quot;I do hope this serves as a wakeup call to the continuing danger we face in South Carolina from the threat of radical Islam and shari’a law.&quot;&lt;br /&gt;&lt;br /&gt;Bill Connor&lt;/div&gt;&lt;br /&gt;&lt;br /&gt;Was this a political act by Islamic extremists?  Examining the facts makes it hard to draw that conclusion.  There are many valid threats to our safety on the Internet today, but it is important to isolate the facts and not rush to judgement when it comes to identifying and prosecuting true crime online.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;&quot;Hi ADmin your security = 0&quot;&lt;/strong&gt; Thus reads the graphic that displaced the candidate's home page.  That statement is a poke in the eye at the web hosting company that operates the web server (not the candidate) and is typical of widespread pranks conducted by computer savvy kids who enjoy exercising their technical skills to penetrate weak server configurations from far across the Internet and leave their mark.&lt;br /&gt;&lt;br /&gt;&quot;Dr.HiaD&quot; in this case is the online nickname used by the hacker.  Dr.HiaD has taken credit for over one hundred such website defacements.  I have seen lists of URLs of over 4,000 web pages with his signature on them.  Other pranksters have perpetrated many more thousands of website hacks and even keep track of their scores.  
See below a screenshot of one such scorecard showing recent defacements by Dr.HiaD.  The score for all &quot;players&quot; on this website is a staggering 43,000 on December 1, 2009 alone.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;center&gt;&lt;strong&gt;Website defacement scoresheet of Dr.HiaD&lt;/strong&gt;&lt;br /&gt;Source:  Ray Dickenson&lt;br /&gt;&lt;br /&gt;&lt;a rel=&quot;nofollow&quot; target=&quot;_blank&quot; href=&quot;http://1.bp.blogspot.com/_4wLdyS_V2Q8/SxXq6c8oHcI/AAAAAAAAADE/hIVDIvK8UYA/s1600-h/score.JPG&quot;&gt;&lt;img style=&quot;display:block;margin:0px auto 10px;text-align:center;cursor:pointer;cursor:hand;width:400px;height:290px;&quot; src=&quot;http://1.bp.blogspot.com/_4wLdyS_V2Q8/SxXq6c8oHcI/AAAAAAAAADE/hIVDIvK8UYA/s400/score.JPG&quot; border=&quot;0&quot; alt=&quot;&quot; id=&quot;BLOGGER_PHOTO_ID_5410488817279311298&quot;/&gt;&lt;/a&gt;&lt;span style='font-size:.8em;margin-left:auto;margin-right:auto;'&gt;Click image for expanded view&lt;/span&gt;&lt;/center&gt;&lt;br /&gt;&lt;br /&gt;I have blocked out the website names in order to prevent readers from attempting to visit these sites, which may now host malware that can infect PCs.  But you can see Dr.HiaD is a prolific defacement artist.&lt;br /&gt;&lt;br /&gt;Another site Dr.HiaD hacked, that also contained a short snippet of Arabic script, was the website of a Chinese baby products company.  
Again, I will withhold the name of the site, but share the graphic that was posted there.&lt;br /&gt;&lt;br /&gt;&lt;center&gt;&lt;br /&gt;&lt;strong&gt;One of many other websites defaced by Dr.HiaD&lt;/strong&gt;&lt;br /&gt;Source: Ray Dickenson&lt;br /&gt;&lt;br /&gt;&lt;a rel=&quot;nofollow&quot; target=&quot;_blank&quot; href=&quot;http://4.bp.blogspot.com/_4wLdyS_V2Q8/SxXtJMHQ5yI/AAAAAAAAADM/5slWXqeC538/s1600-h/baby.jpg&quot;&gt;&lt;img style=&quot;display:block;margin:0px auto 10px;text-align:center;cursor:pointer;cursor:hand;width:400px;height:329px;&quot; src=&quot;http://4.bp.blogspot.com/_4wLdyS_V2Q8/SxXtJMHQ5yI/AAAAAAAAADM/5slWXqeC538/s400/baby.jpg&quot; border=&quot;0&quot; alt=&quot;&quot; id=&quot;BLOGGER_PHOTO_ID_5410491269481817890&quot;/&gt;&lt;/a&gt;&lt;span style='font-size:.8em;margin-left:auto;margin-right:auto;'&gt;Click image for expanded view&lt;/span&gt;&lt;/center&gt;&lt;br /&gt;&lt;br /&gt;Who is Dr.HiaD?  He appears on an Arabic hacker website with the below signature.  Now, when it comes to teenage hackers, it is difficult to believe everything we read.  Is Dr.HiaD really 15-years-old?  Is Dr.HiaD from Morocco?  Hard to say for sure, but I believe he (or she) is.  These pranksters must balance two competing goals:  (1) not getting caught and (2) claiming and receiving credit for their exploits.  For young hackers, recognition normally trumps caution.  On the score-keeping website mentioned above, there are hackers from Singapore, Russia, India, Switzerland, Germany and many more countries around the world.  
So Dr.HiaD really could be from anywhere.&lt;br /&gt;&lt;br /&gt;&lt;a rel=&quot;nofollow&quot; name=&quot;drhiadsig&quot;&gt;&amp;nbsp;&lt;/a&gt;&lt;br /&gt;&lt;center&gt;&lt;a rel=&quot;nofollow&quot; name=&quot;dr.hiad.sig&quot;&gt;&lt;strong&gt;Dr.HiaD Signature on Hacker Website&lt;/strong&gt;&lt;/a&gt;&lt;br /&gt;Source: Ray Dickenson&lt;br /&gt;&lt;br /&gt;&lt;a rel=&quot;nofollow&quot; target=&quot;_blank&quot; href=&quot;http://2.bp.blogspot.com/_4wLdyS_V2Q8/SxXuLLPqvMI/AAAAAAAAADU/heZCaDyA-SU/s1600-h/dr.hiad.sig.PNG&quot;&gt;&lt;img style=&quot;display:block;margin:0px auto 10px;text-align:center;cursor:pointer;cursor:hand;width:400px;height:189px;&quot; src=&quot;http://2.bp.blogspot.com/_4wLdyS_V2Q8/SxXuLLPqvMI/AAAAAAAAADU/heZCaDyA-SU/s400/dr.hiad.sig.PNG&quot; border=&quot;0&quot; alt=&quot;&quot; id=&quot;BLOGGER_PHOTO_ID_5410492403119996098&quot;/&gt;&lt;/a&gt;&lt;span style='font-size:.8em;margin-left:auto;margin-right:auto;'&gt;Click image for expanded view&lt;/span&gt;&lt;br /&gt;&lt;/center&gt;&lt;br /&gt;&lt;br /&gt;One last point about the colors used in Bill Connor's website defacement.  Some of the English letters appeared in white, green and red with black background.  It is true that these are Islamic colors.  But they are also the simplest colors to use in web pages.  The RGB color codes for these colors are:  FF0000, 00FF00, 000000, FFFFFF.  Extremely simple for kids making web pages who do not want to be bothered with shades like 0CF1E2, CECE28.  They are also stark and strong.  Perfect for a prankster.&lt;br /&gt;&lt;br /&gt;Let's close with a comment about the first screenshot above (source: Ray Dickenson).  That one came from the website of an auto accessories company in China that was hacked by Dr.HiaD.  Is this a photo of the real Dr.HiaD?  Probably not.  But it does convey something about the Dr's personality and the artistic flair of his or her pranks.  
Many teenagers who crave technical accomplishment and get into trouble pursuing recognition for their talents grow up to be valuable contributors in the computer field.  Ask &lt;a rel=&quot;nofollow&quot; target=&quot;_blank&quot; href=&quot;http://www.michaelcalce.com/about/about.htm&quot;&gt;Michael &quot;MafiaBoy&quot; Calce&lt;/a&gt; or &lt;a rel=&quot;nofollow&quot; target=&quot;_blank&quot; href=&quot;http://www.mitnicksecurity.com/&quot;&gt;Kevin Mitnick&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;December 2, 2009 - Update&lt;/strong&gt;&lt;br /&gt;I spoke with Susanne Schafer of the Associated Press about this story, and she wrote an article that &lt;a rel=&quot;nofollow&quot; target=&quot;_blank&quot; href=&quot;http://www.heraldonline.com/120/story/1781472.html&quot;&gt;appeared here&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;December 3, 2009 - Update&lt;/strong&gt;&lt;br /&gt;The dramatic image in the first screenshot above comes from an Italian photographer, posted here on Flickr:  &lt;a rel=&quot;nofollow&quot; target=&quot;_blank&quot; href=&quot;http://www.flickr.com/photos/violator3/345415341/&quot;&gt;Amegliocchi&lt;/a&gt;.  One interesting connection is that a large number of Italian language websites were defaced by Dr.Hiad.  &lt;br /&gt;&lt;br /&gt;Connection to Dr.Hiad splash screen courtesy of &lt;a rel=&quot;nofollow&quot; target=&quot;_blank&quot; href=&quot;http://www.tineye.com/&quot;&gt;TinEye&lt;/a&gt;, a pretty effective reverse image search engine.  Want to find photos of you on the web?  Try TinEye.  If you dare :)</description>
         <author>noreply@blogger.com (Ray Dickenson)</author>
         <guid isPermaLink="false">tag:blogger.com,1999:blog-7633748372187898893.post-18389972715364471</guid>
         <pubDate>Wed, 02 Dec 2009 02:25:00 +0000</pubDate>
         <media:thumbnail height="72" url="http://2.bp.blogspot.com/_4wLdyS_V2Q8/SxX3GUvZoHI/AAAAAAAAADc/a6RtRUao6_4/s72-c/auto.jpg" width="72" xmlns:media="http://search.yahoo.com/mrss/"/>
      </item>
      <item>
         <title>SafeCentral: New York Times article says it &quot;protects users even if there’s malware on the computer&quot;</title>
         <link>http://blog.safecentral.com/2009/11/new-york-times-article-covers-web.html</link>
         <description>A few weeks ago I demonstrated &lt;a rel=&quot;nofollow&quot; target=&quot;_blank&quot; href=&quot;http://www.safecentral.com&quot;&gt;SafeCentral&lt;/a&gt; to &lt;a rel=&quot;nofollow&quot; target=&quot;_blank&quot; href=&quot;http://www.rivarichmond.com/&quot;&gt;Riva Richmond&lt;/a&gt; of the New York Times.  She wrote an article that appears in Friday's &lt;a rel=&quot;nofollow&quot; target=&quot;_blank&quot; href=&quot;http://www.nytimes.com/2009/11/19/technology/personaltech/19basics.html?_r=1&quot;&gt;New York Times&lt;/a&gt; covering a &quot;new breed of products&quot; that address online identity fraud.  The article features SafeCentral alongside other new services that directly address online threats to our identities and bank accounts.  Riva Richmond points out that traditional tools like antivirus are struggling to keep up with the flood of high-tech crimeware that invades our computers to install keyloggers or conduct automated phishing.&lt;br /&gt;&lt;br /&gt;This article is not an online holiday shopping scare fest.  It provides helpful information on tools consumers can use to proactively protect themselves and remain safe and happy through the new year.</description>
         <author>noreply@blogger.com (Ray Dickenson)</author>
         <guid isPermaLink="false">tag:blogger.com,1999:blog-7633748372187898893.post-4356382735040758759</guid>
         <pubDate>Thu, 19 Nov 2009 03:50:00 +0000</pubDate>
      </item>
      <item>
         <title>Twitter:  The Internet is a more dangerous place</title>
         <link>http://blog.safecentral.com/2009/11/twitter-has-made-it-extremely-easy-for.html</link>
         <description>Twitter has made it extremely easy for people to share news and web links and at the same time has created a boon for online criminals.  It is hard to find a web service that has done more to make malware distributors' jobs easier.&lt;br /&gt;&lt;br /&gt;I don't mean just the explosive growth in the Twitter user base.  Microblogging in general, and Twitter specifically, contribute to malware distribution in fundamental ways that must be re-examined and corrected.&lt;br /&gt;&lt;br /&gt;Here are the Twitter features that make it so dangerous:&lt;br /&gt;&lt;ol&gt;&lt;br /&gt;&lt;li&gt;Twitter usernames are easily harvested in vast quantities&lt;/li&gt;&lt;br /&gt;&lt;li&gt;Criminals can send tweets to anyone on Twitter&lt;/li&gt;&lt;br /&gt;&lt;li&gt;Twitter encourages its users to share without thinking&lt;/li&gt;&lt;br /&gt;&lt;li&gt;Twitter and supporting services like bit.ly strip away critical context&lt;/li&gt;&lt;br /&gt;&lt;li&gt;Twitter is programmable and can be automated using their published APIs&lt;/li&gt;&lt;br /&gt;&lt;/ol&gt;&lt;br /&gt;&lt;div style=&quot;background-color:#e1e1e1;padding:15px;margin:5px;font-size:1.2em;&quot;&gt;Twitter features look like an Internet criminal's wish list.&lt;/div&gt;&lt;br /&gt;&lt;br /&gt;While each of these features has appeared to some degree in other Internet services like email and instant messaging, Twitter has taken them to a new level and -- as icing on the cake -- got celebrities like Ashton Kutcher and Miley Cyrus to help fuel the frenzy of massive sharing.&lt;br /&gt;&lt;br /&gt;Before describing how these features introduce vulnerabilities hackers can exploit more easily than ever, let's be clear that this is not Twitter bashing.  There is a reason Twitter has become so popular:  it clearly meets a need shared by many millions of users.  On Twitter.com we see people using the best features of the Internet to be more connected and more informed.  
But just as we think twice about attending large gatherings during a swine flu pandemic, we should also think twice about sharing links on an infected Internet.&lt;br /&gt;&lt;br /&gt;Okay, let's look at our hacker wish list in more detail.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Twitter usernames are easily harvested in vast quantities&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;Compared to email, collecting huge lists of Twitter usernames is incredibly easy.  Part of the attraction of Twitter is that anyone can see what all the users are up to, including seeing usernames.  Showing everyone what everyone else is saying is a great way to encourage new users to join the fun.  It's also a great way to build a list of users to target.&lt;br /&gt;&lt;br /&gt;Quality email lists, on the contrary, are harder to build.  Malware authors have been very creative in building tools to collect email address lists.  The &lt;a rel=&quot;nofollow&quot; target=&quot;_blank&quot; href=&quot;http://www.networkworld.com/news/2006/103006-tricky-new-malware-challenges.html&quot;&gt;Warezov worm&lt;/a&gt;, for example, would scan a PC for email addresses and then send itself to those addresses to continue the process.  These worms, however, require a user to open a binary attachment to start the process, and then require the next recipients to do the same.  &lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Warezov&lt;/strong&gt; and other email worms were pretty darn effective, but gathering lists of Twitter users does not require jumping through such technical and social engineering hoops.  The public nature of Twitter usernames, combined with the Twitter API (see below), makes it outrageously easy to &quot;crawl&quot; across Twitter and build massive lists of users.&lt;br /&gt;&lt;br /&gt;Here is an interesting look at a Twitter-crawling app created by some good guys -- repeat Good Guys! 
-- that demonstrates the concept.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;a rel=&quot;nofollow&quot; target=&quot;_blank&quot; href=&quot;http://www.flickr.com/photos/porternovelli/3194953832/in/set-72157611051629857/&quot;&gt;&lt;img style=&quot;display:block;margin:0px auto 10px;text-align:center;cursor:pointer;cursor:hand;width:500px;height:485px;&quot; src=&quot;http://farm4.static.flickr.com/3373/3194953832_78f625caa1.jpg&quot; border=&quot;0&quot; alt=&quot;&quot;/&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Looking at the image above, it is important to note that not only are lists of usernames easy to build, but relationships between users are also publicly available on Twitter, raising the possibility of targeted attacks against organizations using (seemingly) inside information.  (&quot;Harry Reid said you should respond to this:  [click here]&quot;)&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Criminals can send tweets to anyone on Twitter&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;Now that we have a huge list of usernames that we generated in a couple of hours, our next step will be to send them malicious links to infect their computers.  Before the rise of Twitter, there were other methods malware distributors used to get links in front of people.  &quot;Spim&quot; is the term for sending spammy links through an Instant Messaging (IM) network.  But the Instant Messaging model calls for users to establish relationships by a two-way handshake.  I add a new user to my contact list, they see the request and choose to accept the relationship.  Then I can send messages.  Now, it is true that malware writers can circumvent this requirement for a handshake but, like the email address harvesting example above, it requires malware engineering to get around protection designed into IM systems.  On Twitter there is no such requirement.&lt;br /&gt;&lt;br /&gt;Twitter has a similar model wherein I follow you and you follow me.  
But you do not have to choose to follow me in order to see messages from me.  I can follow you, see your tweets, and send a reply that you will see in your reply box.  The Replies page is labeled &quot;Tweets mentioning [myusername]&quot;.  And on Twitter, who does NOT want to see tweets mentioning them?  (Miley Cyrus aside.)  Compared to the effort of hacking an IM system to send unsolicited links, Twitter makes it very easy for anyone to send links to arbitrary users.&lt;br /&gt;&lt;br /&gt;So I build a huge list of usernames, follow all the users, wait for them to tweet and then reply with:  &quot;You are so right and this proves it:  [click here]&quot;&lt;br /&gt;At this point, the only thing keeping my huge list of users from clicking the link is a good dose of caution.  And Twitter is not about caution.  Read on.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Twitter encourages its users to share without thinking&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;Stepping out of the technical realm for a moment, let's look at the Twitter social phenomenon.  Twitter is not about privacy.  Twitter is about massive-scale sharing. The tagline on the Twitter home page is, &quot;Share and discover what's happening right now, anywhere in the world.&quot;  And, &quot;Join the conversation.&quot;  THE conversation.  Not one on one conversations with your known friends.  
We're talking about The Big conversation that we crawled through collecting our usernames up in step one.&lt;br /&gt;&lt;br /&gt;&lt;a rel=&quot;nofollow&quot; target=&quot;_blank&quot; href=&quot;http://2.bp.blogspot.com/_4wLdyS_V2Q8/SvHnBxojlXI/AAAAAAAAACU/WTmqw5GVyK4/s1600-h/twithead.png&quot;&gt;&lt;img style=&quot;display:block;margin:0px auto 10px;text-align:center;cursor:pointer;cursor:hand;width:400px;height:116px;&quot; src=&quot;http://2.bp.blogspot.com/_4wLdyS_V2Q8/SvHnBxojlXI/AAAAAAAAACU/WTmqw5GVyK4/s400/twithead.png&quot; border=&quot;0&quot; alt=&quot;&quot; id=&quot;BLOGGER_PHOTO_ID_5400351445883262322&quot;/&gt;&lt;/a&gt; &lt;br /&gt;Twitter does provide Public or Protected accounts.  But the default setting is public and the message is clear:  don't be shy.  Jump in the deep end of the pool.  &lt;br /&gt;&lt;br /&gt;On top of that, the first step you see after creating an account is &quot;See if your friends are on Twitter&quot; and a web form that asks for your Gmail, Yahoo or AOL email  password.  Yes, your password.  Twitter will log into your email account and retrieve your contact list to see if there are matching Twitter accounts.  Doesn't this sound just like our friend Warezov described above?&lt;br /&gt;&lt;br /&gt;Of course these are features designed to maximize the number of users and connections between users, and that's the attraction of Twitter.  The sunny day scenario is a positive one that helps build the Big Conversation.  What we are doing here is looking at these features with an eye on how they contribute to the spread of malware across the Internet.&lt;br /&gt;&lt;br /&gt;So to recap:  we have a huge list of usernames with known relationships between users, we can send any of them a link that includes some apparently familiar context even though they don't know us, and the users are in a hurry.  Tweets are short and sweet and meant to be posted and read frequently.  
This favors the social engineering malware distributor who hopes the users do not spend too much time deciding whether or not to click a link in a tweet.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Twitter and supporting services like bit.ly strip away critical context&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;Tweets are very short messages that don't leave a lot of room to establish familiar context.  &quot;Check this out:  [click here]&quot; is a classic line from emails that distribute malware.&lt;br /&gt;&lt;br /&gt;The shortened URLs that appear in tweets remove all the warning signs that indicate dangerous links.  When a link appears in your email, an IM message or a tweet it is important to inspect the URL and see where it goes before clicking on it.  If we receive a message that looks like it is from a friend asking us to look at their vacation pictures, we have a chance to be suspicious if the URL ends in a .ru (Russia) or .cn (China).  It's not likely that our friends chose a Russian or Chinese photo hosting service.  Or if the link is purportedly from our bank but the URL looks like http://aimee.pl345xxx.ru/scripts/infector/clickit.html, we might be wary about clicking it.&lt;br /&gt;&lt;br /&gt;&lt;div style=&quot;background-color:#e1e1e1;padding:15px;margin:5px;font-size:1.2em;&quot;&gt;Would you be suspicious of this URL?&lt;br /&gt;&lt;span&gt;http://aimee.pl345xxx.ru/scripts/infector/clickit.html&lt;/span&gt;&lt;/div&gt;&lt;br /&gt;URL shortening services like bit.ly, tinyurl.com or tweetburner remove all the useful context and turn all URLs into generic nonsense.  
There is no chance for a user to screen out risky URLs when they are shortened.&lt;br /&gt;&lt;br /&gt;&lt;div style=&quot;background-color:#e1e1e1;padding:15px;margin:5px;font-size:1.2em;&quot;&gt;How about this one?&lt;br /&gt;&lt;span&gt;http://bit.ly/YTmnD&lt;/span&gt;&lt;/div&gt;&lt;br /&gt;Then there is the risk of someone penetrating the URL shortening service itself and hijacking previously shortened links to point them to malware sites.  Over &lt;a rel=&quot;nofollow&quot; target=&quot;_blank&quot; href=&quot;http://blog.internetnews.com/skerner/2009/06/2-million-cligs-short-urls-hac.html&quot;&gt;2 million shortened links were hijacked&lt;/a&gt; this summer at URL shortening service Cligs.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Twitter is programmable and can be automated using their published APIs&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;As I mentioned above, Twitter &lt;a rel=&quot;nofollow&quot; target=&quot;_blank&quot; href=&quot;http://apiwiki.twitter.com/&quot;&gt;provides an Application Programming Interface &lt;/a&gt;(API) that lets developers create programs to automatically exercise Twitter features.  Features that the API does not support can be accessed by automating web requests as described here:  &lt;a rel=&quot;nofollow&quot; target=&quot;_blank&quot; href=&quot;http://www.sakana.fr/blog/2007/03/18/scripting-twitter-with-curl/&quot;&gt;Scripting Twitter with cURL.&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Countermeasures&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;As we have seen, Twitter is a feature-rich malware distribution platform with a ready-to-go user base of 25 million Tweeters who are predisposed to do exactly what the bad guys want:  click it fast.  Here is a short list of things users can do to protect themselves:&lt;br /&gt;&lt;br /&gt;&lt;ul&gt;&lt;br /&gt;&lt;li&gt;&lt;strong&gt;Protect your tweets:&lt;/strong&gt;  Go into your Twitter settings and click the &quot;Protect my tweets&quot; checkbox at the bottom.  
This will remove you from the public timeline and only people you approve can follow your tweets and send you replies.&lt;/li&gt;&lt;br /&gt;&lt;li&gt;&lt;strong&gt;Check those short links:&lt;/strong&gt;  Network security firm Sucuri provides a free service that scans shortened URLs with McAfee SiteAdvisor and Google's SafeBrowsing service.  It's available here:  &lt;a rel=&quot;nofollow&quot; target=&quot;_blank&quot; href=&quot;http://sucuri.net/index.php?page=tools&amp;title=check-url&quot;&gt;http://sucuri.net/index.php?page=tools&amp;title=check-url&lt;/a&gt;.  &lt;a rel=&quot;nofollow&quot; target=&quot;_blank&quot; href=&quot;http://www.linkscanner.avg.com/&quot;&gt;AVG's LinkScanner&lt;/a&gt; is also an option that will scan all the links you visit in a supported browser.&lt;/li&gt;&lt;br /&gt;&lt;li&gt;&lt;strong&gt;Use Twitter security tools:&lt;/strong&gt;  Security tools designed specifically for Twitter are starting to appear on the market.  I haven't evaluated them yet, but one recent example is Krab Krawler from Kaspersky.&lt;/li&gt;&lt;br /&gt;&lt;/ul&gt;</description>
         <author>noreply@blogger.com (Ray Dickenson)</author>
         <guid isPermaLink="false">tag:blogger.com,1999:blog-7633748372187898893.post-8259017320644901824</guid>
         <pubDate>Tue, 03 Nov 2009 21:29:00 +0000</pubDate>
         <media:thumbnail height="72" url="http://farm4.static.flickr.com/3373/3194953832_78f625caa1_t.jpg" width="72" xmlns:media="http://search.yahoo.com/mrss/"/>
      </item>
      <item>
         <title>Windows 7 Security versus Usability:  The Beat Goes On</title>
         <link>http://blog.safecentral.com/2009/10/windows-7-security-versus-usability.html</link>
         <description>Usability and security are competing goals:  the more secure a computer is, the harder it is to use.  The easier a computer is to use, the less secure it is.  In my opinion, Windows 7 is easier to use than Vista.  &lt;br /&gt;&lt;br /&gt;With Vista, Microsoft introduced User Account Control (UAC), which frequently shows pop-ups asking the user to confirm any configuration changes, like changing network settings.  UAC was one of the biggest usability problems with Vista and was lampooned by Apple in &lt;a rel=&quot;nofollow&quot; target=&quot;_blank&quot; href=&quot;http://movies.apple.com/movies/us/apple/getamac/apple-getamac-security_480x376.mov&quot;&gt;one of their hilarious &quot;I'm a Mac and I'm a PC&quot; commercials.&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;With Windows 7, Microsoft backed off on the UAC prompts, which greatly improves usability.  My personal observation as a user is that Windows 7 is much more pleasant to use than Vista.  This is important, because UAC had the effect of making the entire Vista experience very un-fun and slowed adoption of an operating system that has other important security improvements.&lt;br /&gt;&lt;br /&gt;However, as is nearly always the case, increasing operating system usability also increases security risks -- risks of infection and compromise of data and functionality.  The changes to Windows 7 UAC have made it easy for malware writers to turn UAC off entirely without the user's knowledge.  Microsoft recommends keeping UAC turned on and yet allows malware to turn it off without the user's knowledge.  &lt;a rel=&quot;nofollow&quot; target=&quot;_blank&quot; href=&quot;http://blogs.msdn.com/e7/archive/2009/02/05/update-on-uac.aspx&quot;&gt;A post on the Windows 7 Engineering Blog &lt;/a&gt;explains some of the thinking behind the no-prompt-to-turn-off-UAC issue.&lt;br /&gt;&lt;br /&gt;The story gets much more complicated at this point.  
If malware is on the computer, hasn't the game already been lost?  Why worry about UAC if a password-stealing Trojan is on your computer?  The answer lies in the difficulties inherent in identifying a program as goodware or malware.  If my son downloads a game (goodware) that has been secretly tampered with to introduce malicious capability (malware) that tries to change my system configuration, I will not see a UAC prompt warning me of the configuration change.  The first step of this malicious code will be to turn off UAC and avoid warnings.  I cannot depend on antivirus to detect the malware, and I cannot depend on UAC to put up a prompt that will make my son say, &quot;Daaaaaaad??!&quot;</description>
         <author>noreply@blogger.com (Ray Dickenson)</author>
         <guid isPermaLink="false">tag:blogger.com,1999:blog-7633748372187898893.post-1008304840812847586</guid>
         <pubDate>Thu, 15 Oct 2009 22:01:00 +0000</pubDate>
      </item>
      <item>
         <title>Will the Internet be there when you need it?</title>
         <link>http://blog.safecentral.com/2009/10/will-internet-be-there-when-you-need-it.html</link>
         <description>I have &lt;a rel=&quot;nofollow&quot; target=&quot;_blank&quot; href=&quot;http://www.technewsworld.com/rsstory/68352.html&quot;&gt;an article&lt;/a&gt; appearing in TechNewsWorld about the reliability of Internet web services.  The Twitter outage in August shocked a lot of people and called into question the dependability of Internet-based services.  In this article I look back on other notable outages -- eBay, MySpace, and Yahoo have all had their bad days -- and look into the root causes of the failures.&lt;br /&gt;&lt;br /&gt;While researching the article I read &quot;Mafiaboy: How I Cracked the Internet and Why It's Still Broken.&quot;  This is the story of distributed denial of service (DDoS) attacks that took down Yahoo, CNN and other websites in February of 2000.  The perpetrator was a 15-year-old high school student from Montreal who had built up his DDoS capabilities by hacking university and corporate servers for many months.  If a high school student with no budget can take down top websites, it's clear that politically-motivated adults with even modest funding can do the same or worse.</description>
         <author>noreply@blogger.com (Ray Dickenson)</author>
         <guid isPermaLink="false">tag:blogger.com,1999:blog-7633748372187898893.post-8180815583884477197</guid>
         <pubDate>Tue, 13 Oct 2009 21:06:00 +0000</pubDate>
      </item>
      <item>
         <title>The Importance of a Good (Consumer) Education</title>
         <link>http://blog.safecentral.com/2009/09/importance-of-good-consumer-education.html</link>
         <description>Vicki Salemi &lt;a rel=&quot;nofollow&quot; target=&quot;_blank&quot; href=&quot;http://www.sheknows.com/articles/809748.htm&quot;&gt;posted an article&lt;/a&gt; on SheKnows.com about shopping securely online.  Educating consumers about safe online behavior is extremely important, and Vicki is certainly doing her part.&lt;br /&gt;&lt;br /&gt;The article highlights ecommerce safety tips I shared with Vicki this summer.  These tips are even more important as we head towards the holidays, so I'll recap them briefly here:&lt;ul&gt;&lt;br /&gt;&lt;li&gt;It is best to shop on &quot;name brand&quot; websites that are well-known and have a distinctive look and feel.  Unfamiliar websites that look cheap and poorly designed are not a wise place to spend money, even if they have eye-popping prices.&lt;/li&gt;&lt;br /&gt;&lt;li&gt;Check the address bar in the browser when you are ready to buy, reading from left to right, and be sure it starts with &quot;https://&quot; followed by the name of the website and &quot;.com&quot;.&lt;/li&gt;&lt;br /&gt;&lt;li&gt;It is best to type the name of your favorite shopping website into the browser to get started. Clicking on links in emails is a risky way to start an online shopping excursion, since the links may be fake.&lt;/li&gt;&lt;br /&gt;&lt;li&gt;Don't forget to log out when you have made your purchases.  If you remain logged in and then go browsing other sites, it is possible for malware to use that login in surprising ways.&lt;/li&gt;&lt;br /&gt;&lt;li&gt;Don't make purchases on public computers.  Do you use public computers in libraries or other places?  Don't enter your credit card or other information into computers that aren't yours.  They may have information-stealing software that can give your credit card number to the bad guys.&lt;/li&gt;&lt;br /&gt;&lt;li&gt;Pay attention to what your anti-virus program is telling you.  If it says it needs an update, get the update.  
If it says it expired, renew it.&lt;/li&gt;&lt;br /&gt;&lt;/ul&gt;</description>
         <author>noreply@blogger.com (Ray Dickenson)</author>
         <guid isPermaLink="false">tag:blogger.com,1999:blog-7633748372187898893.post-8389405413536392773</guid>
         <pubDate>Thu, 17 Sep 2009 18:45:00 +0000</pubDate>
      </item>
      <item>
         <title>High-level Attention on the Growing Cyber Crime Threat</title>
         <link>http://blog.safecentral.com/2009/09/high-level-attention-on-growing-cyber.html</link>
         <description>A couple of weeks ago &lt;a rel=&quot;nofollow&quot; target=&quot;_blank&quot; href=&quot;http://blog.safecentral.com/2009/08/how-to-protect-your-commercial-bank.html&quot;&gt;we warned &lt;/a&gt;that small businesses and local governments are being ripped off by online thieves who have learned to tap into commercial bank accounts by infecting computers with crimeware.&lt;br /&gt;&lt;br /&gt;Yesterday, the Senate Committee on Homeland Security and Governmental Affairs met to hear from government and industry experts on the growing threat of cyber-crime targeting small- and medium-sized businesses.  In his opening remarks, Committee Chairman Joseph Lieberman focused the hearing with the question: &quot;What can be done by the public and private sectors to make commercial cyberspace secure, especially for organizations that can’t afford to have large IT staffs on the job 24/7?&quot;&lt;br /&gt;&lt;br /&gt;&lt;div style=&quot;background-color:#e1e1e1;padding:15px;margin:5px;font-size:1.2em;&quot;&gt;&quot;The latest targets of cybercrime are small- and medium-sized businesses.&quot;  &lt;span style=&quot;font-size:.8 em;width:100%;text-align:right;&quot;&gt;Senator Joseph Lieberman&lt;/span&gt; &lt;/div&gt;&lt;br /&gt;&lt;br /&gt;He went on to cite the same recent thefts from small businesses and local governments we &lt;a rel=&quot;nofollow&quot; target=&quot;_blank&quot; href=&quot;http://blog.safecentral.com/2009/08/how-to-protect-your-commercial-bank.html&quot;&gt;talked about in this blog &lt;/a&gt;a couple of weeks ago.  You can check out the hearing yourself:  &lt;a rel=&quot;nofollow&quot; target=&quot;_blank&quot; href=&quot;http://hsgac.senate.gov/public/index.cfm?FuseAction=Hearings.Hearing&amp;Hearing_ID=c643f97a-0814-4770-8121-ba20ce4d90db&quot;&gt;&lt;strong&gt;Cyber Attacks: Protecting Industry Against Growing Threats&lt;/strong&gt;&lt;/a&gt;.</description>
         <author>noreply@blogger.com (Ray Dickenson)</author>
         <guid isPermaLink="false">tag:blogger.com,1999:blog-7633748372187898893.post-1998289058625811476</guid>
         <pubDate>Mon, 14 Sep 2009 19:27:00 +0000</pubDate>
      </item>
      <item>
         <title>How to Protect Your Commercial Bank Account</title>
         <link>http://blog.safecentral.com/2009/08/how-to-protect-your-commercial-bank.html</link>
         <description>&lt;div&gt;Remember in Ferris Bueller's Day Off, when Principal Rooney watched on his computer as Ferris' number of days absent ticked down..down..down? Ferris had hacked into the school computer and was &quot;adjusting&quot; his attendance record right under the nose of the principal.&lt;/div&gt;&lt;br /&gt;&lt;div&gt;Online criminals may be doing the same thing to your bank account.  Crimeware operators are stealing money right from under the noses of consumer and commercial banking customers who may not be able to recover the stolen funds. &lt;/div&gt;&lt;br /&gt;&lt;div style=&quot;background-color:#e1e1e1;padding:15px;margin:5px;font-size:1.2em;&quot;&gt;Crimeware - viruses that get onto your computer and steal money from your bank account&lt;/div&gt;&lt;br /&gt;&lt;div&gt;Security researcher Joe Stewart of SecureWorks details the workings of a piece of crimeware dubbed &quot;Clampi&quot;.  &quot;Clampi is operated by a serious and sophisticated organized crime group from Eastern Europe and has been implicated in numerous high-dollar thefts from banking institutions. Any user whose system has been infected by Clampi should immediately change any and all passwords used on that system for any websites, but especially financial credentials.&quot;  &lt;a rel=&quot;nofollow&quot; target=&quot;_blank&quot; href=&quot;http://www.secureworks.com/research/threats/clampi-trojan/&quot;&gt;Full report  here&lt;/a&gt;.&lt;/div&gt;&lt;br /&gt;&lt;div&gt;Here are examples of recent thefts from commercial bank accounts:&lt;br /&gt;&lt;ul&gt;&lt;li&gt;&lt;a rel=&quot;nofollow&quot; target=&quot;_blank&quot; href=&quot;http://www.fox41.com/Global/story.asp?S=10627534&quot;&gt;Bullitt County, Kentucky:  $415,000 stolen from the county government bank account by a ZeuS trojan infection.&lt;/a&gt;  The county was able to recover $105,000 but is still out $310,000.  
The bank points out that the theft occurred on government computers, not bank computers.&lt;br /&gt;&lt;/li&gt;&lt;li&gt;&lt;a rel=&quot;nofollow&quot; target=&quot;_blank&quot; href=&quot;http://www.computerworld.com/s/article/print/9136334/Cyber_attackers_empty_business_accounts_in_minutes?taxonomyName=Security&amp;taxonomyId=17&quot;&gt;The Western Beaver School District in Pennsylvania had $704,610.35 in school funds transferred out of its bank account to 42 other accounts as far away as Puerto Rico by a virus on a Western Beaver computer system.&lt;/a&gt;  The bank was able to reverse $263,413.34 of the transfers, leaving the school district with a $441,197.01 loss.  The school district is suing the bank to recover the full amount plus interest.&lt;br /&gt;&lt;/li&gt;&lt;li&gt;&lt;a rel=&quot;nofollow&quot; target=&quot;_blank&quot; href=&quot;http://voices.washingtonpost.com/securityfix/2009/07/the_pitfalls_of_business_banki.html&quot;&gt;Slack Auto Parts in Gainesville, GA lost almost $75,000 due to fraudulent transfers of funds from its commercial bank account by a Clampi trojan.&lt;/a&gt;  Once again, the victim was able to get back $14,000 but is still missing over $60,000.&lt;br /&gt;&lt;/li&gt;&lt;/ul&gt;&lt;/div&gt;&lt;div&gt;Brian Krebs of the Washington Post &lt;a rel=&quot;nofollow&quot; target=&quot;_blank&quot; href=&quot;http://voices.washingtonpost.com/securityfix/&quot;&gt;Security Fix&lt;/a&gt; blog &lt;a rel=&quot;nofollow&quot; target=&quot;_blank&quot; href=&quot;http://voices.washingtonpost.com/securityfix/2009/08/tighter_security_measures_urge.html&quot;&gt;now reports&lt;/a&gt; that users of commercial banking accounts are being warned to take extra precautions with the computers they use to do online banking.  
Brian reports that &lt;strong&gt;the Financial Services Information Sharing and Analysis Center is recommending that its members &quot;carry out all online banking activity from a standalone, hardened, and locked-down computer from which e-mail and Web browsing is not possible.&quot;&lt;/strong&gt; &lt;br /&gt;&lt;/div&gt;&lt;div&gt;This guidance reflects an important reality about today's Internet-connected computers.  If the same computer used for online banking is also used for general web browsing, email and other Internet activities, there is a strong likelihood the computer will become infected with money- and password-stealing crimeware.  We cannot assume that our computers are free of this malware that evades detection by even the best antivirus programs.&lt;br /&gt;&lt;/div&gt;&lt;div&gt;In fact, my position is that it is better to assume the computer has been compromised and take special steps to perform online banking as safely as possible.  At Authentium we have created &lt;a rel=&quot;nofollow&quot; target=&quot;_blank&quot; href=&quot;http://www.safecentral.com&quot;&gt;SafeCentral&lt;/a&gt; for just this purpose.  
SafeCentral creates a separate Secure Desktop that protects passwords, bank accounts and other information from crimeware.&lt;/div&gt;&lt;br /&gt;&lt;div&gt;SafeCentral provides the following protection:&lt;br /&gt;&lt;ul&gt;&lt;li&gt;&lt;strong&gt;Blocks keyloggers:&lt;/strong&gt; Stops crimeware keyloggers from stealing usernames, passwords and other account information&lt;/li&gt;&lt;br /&gt;&lt;li&gt;&lt;strong&gt;Blocks screenshots:&lt;/strong&gt;  Prevents crimeware from taking &quot;snapshots&quot; of web pages that display bank account balances and other sensitive details&lt;/li&gt;&lt;br /&gt;&lt;li&gt;&lt;strong&gt;Secure DNS:&lt;/strong&gt;  Provides its own secure DNS lookups to stop DNS-changing crimeware from sending you to fake banking sites that steal your account credentials.&lt;/li&gt;&lt;br /&gt;&lt;li&gt;&lt;strong&gt;High-tech Protection:&lt;/strong&gt;  Stops code injection attacks that can snoop on banking sessions even when they are protected by the familiar &quot;HTTPS&quot; and lock icon appearing in the browser.&lt;/li&gt;&lt;br /&gt;&lt;li&gt;&lt;strong&gt;Browser Security:&lt;/strong&gt;  Prevents malicious browser plugins from infiltrating the browser and performing real-time fraudulent bank transactions.&lt;/li&gt;&lt;/ul&gt;&lt;/div&gt;&lt;div&gt;As you can see, we built SafeCentral to provide a separate, hardened environment on computers you already own to provide a safer online experience.  Even if you buy a separate computer for online banking, we recommend that you also install and use &lt;a rel=&quot;nofollow&quot; target=&quot;_blank&quot; href=&quot;http://www.safecentral.com&quot;&gt;SafeCentral&lt;/a&gt; to provide that extra measure of protection.&lt;/div&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style=&quot;font-size:130%;&quot;&gt;&lt;strong&gt;Update:&lt;br /&gt;&lt;/strong&gt;&lt;/span&gt;September 15, 2009: Replaced links to news stories with new, non-broken links</description>
         <author>noreply@blogger.com (Ray Dickenson)</author>
         <guid isPermaLink="false">tag:blogger.com,1999:blog-7633748372187898893.post-825162410820138708</guid>
         <pubDate>Tue, 25 Aug 2009 15:53:00 +0000</pubDate>
      </item>
      <item>
         <title>Give Your PC a Back-to-School Check-up</title>
         <link>http://blog.safecentral.com/2009/08/give-your-pc-back-to-school-check-up.html</link>
         <description>&lt;div align=&quot;left&quot;&gt;While parents are getting their kids to re-focus on math and English, it's also a good time to get the computers in the house ready for school, too.&lt;br /&gt;&lt;br /&gt;After a long and busy summer of playing games, downloading music and browsing Facebook, PC's can be out of shape or downright dangerous for serious use. Here is a handy guide for giving your computers that back-to-school check-up.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;1. Remove Dangerous Programs&lt;/strong&gt;&lt;br /&gt;P2P File Sharing programs like Limewire, eMule, or Shareaza are typically used to download pirated music, games and other programs. &quot;Other programs&quot; can include viruses, as I &lt;a rel=&quot;nofollow&quot; target=&quot;_blank&quot; href=&quot;http://safecentral.blogspot.com/2009/02/kids-download-darndest-things.html&quot;&gt;described here&lt;/a&gt;. Besides getting a computer infected with viruses, File Sharing programs can also make every document on your computer visible and available to users all around the world--users you don't know (and probably don't want to know). &lt;a rel=&quot;nofollow&quot; target=&quot;_blank&quot; href=&quot;http://www.thenewstribune.com/updates/story/841771.html&quot;&gt;A Seattle man was sentenced &lt;/a&gt;earlier this month to over 3 years in prison for stealing tax returns, bank statements and canceled checks from computers all across the country.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;2. Free up Disk Space&lt;/strong&gt;&lt;br /&gt;Windows needs gigabytes of free space to run properly. When important security updates are downloaded by Windows Updates, they may fail to install because of insufficient disk space. Here is a &lt;a rel=&quot;nofollow&quot; target=&quot;_blank&quot; href=&quot;http://windowshelp.microsoft.com/Windows/en-US/help/1a8040b6-90ef-4400-a89f-52bd4d1292441033.mspx&quot;&gt;guide from Microsoft&lt;/a&gt; on freeing up space on your hard drive. 
You might ask the kids to find and delete music or videos they know they don't need anymore.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;3. Run a Full Virus Scan&lt;/strong&gt;&lt;br /&gt;You do have antivirus software, don't you? If not, install a security suite immediately. AVG offers a free antivirus program you can &lt;a rel=&quot;nofollow&quot; target=&quot;_blank&quot; href=&quot;http://free.avg.com/download&quot;&gt;get here&lt;/a&gt;. Today's antivirus programs are on all the time, watching for badware and blocking what they find. But they don't stop everything the first time they see it. So it's a good idea to pull up a chair, find your antivirus program's &quot;Manual Scan&quot; or &quot;Full Scan&quot; feature and let it run for the hour or more it may take to search the entire computer for badware. Don't worry, you don't have to sit there and watch it. Just check back periodically to see if the scan is complete and review the findings. Choose to &quot;Quarantine&quot; any malware that was found.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;4. Set Internet Time Limits&lt;/strong&gt;&lt;br /&gt;It may have been okay for kids to stay up late on the computer during the summer, but if you want your kids to get a good night's sleep on school nights you'll need to set some limits. First, talk to your kids and agree on an appropriate schedule and the &quot;lights out&quot; policy for computer use. How do you monitor and enforce this policy without watching them every minute? Many security suites include Parental Controls options to set time limits on Internet usage. Wireless routers also have this feature. You can read about &lt;a rel=&quot;nofollow&quot; target=&quot;_blank&quot; href=&quot;http://www.netgear.com/lpc&quot;&gt;Netgear's here &lt;/a&gt;. 
World of Warcraft has an excellent Parental Controls feature that allows parents to create a separate password for managing a time schedule that the game servers will all enforce; the game will log your child out at whatever time you specify. (See screenshot, below) Other online games and most game consoles have at least some ability to control game play.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;5. Check Printer Ink and Paper&lt;/strong&gt;&lt;br /&gt;Okay, this is an easy one. Remember the big lemonade stand banner the kids printed out this summer that used up all the yellow? You won't want any excuses when it comes time to print out that homework. So check for printer paper and get an extra ink cartridge for the printer. That way you'll avoid any &quot;teacher's dirty looks&quot; when your kid hands in their first assignment printed out in magenta.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;&lt;/strong&gt;&lt;/div&gt;&lt;div align=&quot;left&quot;&gt;&lt;strong&gt;Setting Play Schedules for World of Warcraft&lt;/strong&gt;&lt;br /&gt;&lt;/div&gt;&lt;a rel=&quot;nofollow&quot; target=&quot;_blank&quot; href=&quot;http://4.bp.blogspot.com/_4wLdyS_V2Q8/SpMXY-BvEII/AAAAAAAAAB4/YVRgQ35ardw/s1600-h/wow-pc.PNG&quot;&gt;&lt;img id=&quot;BLOGGER_PHOTO_ID_5373664498117709954&quot; style=&quot;DISPLAY:block;MARGIN:0px auto 10px;WIDTH:400px;CURSOR:hand;HEIGHT:316px;TEXT-ALIGN:center;&quot; alt=&quot;&quot; src=&quot;http://4.bp.blogspot.com/_4wLdyS_V2Q8/SpMXY-BvEII/AAAAAAAAAB4/YVRgQ35ardw/s400/wow-pc.PNG&quot; border=&quot;0&quot;/&gt;&lt;/a&gt;</description>
         <author>noreply@blogger.com (Ray Dickenson)</author>
         <guid isPermaLink="false">tag:blogger.com,1999:blog-7633748372187898893.post-4996611916082433324</guid>
         <pubDate>Mon, 24 Aug 2009 17:58:00 +0000</pubDate>
         <media:thumbnail height="72" url="http://4.bp.blogspot.com/_4wLdyS_V2Q8/SpMXY-BvEII/AAAAAAAAAB4/YVRgQ35ardw/s72-c/wow-pc.PNG" width="72" xmlns:media="http://search.yahoo.com/mrss/"/>
      </item>
      <item>
         <title>Are you contributing to the Twitter Denial of Service Attack?</title>
         <link>http://blog.safecentral.com/2009/08/are-you-contributing-to-twitter-denial.html</link>
         <description>Twitter has been dealing with a denial of service attack this morning that has resulted in millions of users not receiving or posting tweets.&lt;br /&gt;&lt;br /&gt;These days denial of service attacks typically are launched from botnets--large numbers of consumer PCs that have been infected with Trojans that wait to do the bidding of the &quot;bot-herders&quot; who manage them.  The users of these machines may not know anything is wrong other than, &quot;Gee, the Internet seems slow today.&quot;  Their Internet is slow because their computer is sending lots of traffic to the targeted site, in this case twitter.com.  The bot-herders collect infected machines and then rent them out.  Twitter is such a high profile site, it may be just a bot-herder or one of their customers wanting to show off the power of their botnet.&lt;br /&gt;&lt;br /&gt;Is your computer a member of one of these botnets?  It's not easy for the average Internet user to find out.  Seeing rapidly blinking lights on your cable modem even if you aren't using your computer may suggest something is going on.  But it could just be an updater downloading a new Firefox or operating system patch.&lt;br /&gt;&lt;br /&gt;You may not be too worried about the state of Twitter.  But you should know that botnets can be told to do many things.  They can be instructed, for example, to download keyloggers or other data stealing malware.  The stolen data is then shipped off to collection servers where the bad guys can then use your bank username and password to steal money.&lt;br /&gt;&lt;br /&gt;Keep your antivirus up to date and perform a full scan if you're a little concerned.&lt;br /&gt;&lt;br /&gt;Download and use &lt;a rel=&quot;nofollow&quot; target=&quot;_blank&quot; href=&quot;http://www.safecentral.com&quot;&gt;SafeCentral &lt;/a&gt;if you want to bank and shop without the worry.  
SafeCentral users talk about this stuff here:  &lt;a rel=&quot;nofollow&quot; target=&quot;_blank&quot; href=&quot;http://community.safecentral.com/&quot;&gt;community.safecentral.com&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Update:&lt;br /&gt;&lt;br /&gt;It may be coincidental, but we saw a large increase yesterday in our virus-collection network.  We received 200 times the normal average of emails with malicious attachments.  One node, for example, went from 10 items to 2000 in a day.  These were phony emails telling random recipients that a UPS parcel could not be delivered and asking the reader to &quot;print out the attached invoice&quot;.  The attachment was not an invoice, it was a trojan.&lt;br /&gt;&lt;br /&gt;Example of the email.  Do not open the attachments in these emails if you get one!&lt;br /&gt;&lt;br /&gt;&lt;a rel=&quot;nofollow&quot; target=&quot;_blank&quot; href=&quot;http://4.bp.blogspot.com/_4wLdyS_V2Q8/SnsgqAcWtaI/AAAAAAAAABw/zLWg2s7lVLM/s1600-h/phonyupsemail.PNG&quot;&gt;&lt;img style=&quot;display:block;margin:0px auto 10px;text-align:center;cursor:pointer;cursor:hand;width:400px;height:184px;&quot; src=&quot;http://4.bp.blogspot.com/_4wLdyS_V2Q8/SnsgqAcWtaI/AAAAAAAAABw/zLWg2s7lVLM/s400/phonyupsemail.PNG&quot; border=&quot;0&quot; alt=&quot;&quot; id=&quot;BLOGGER_PHOTO_ID_5366919286987601314&quot;/&gt;&lt;/a&gt;</description>
         <author>noreply@blogger.com (Ray Dickenson)</author>
         <guid isPermaLink="false">tag:blogger.com,1999:blog-7633748372187898893.post-3487232974781439054</guid>
         <pubDate>Thu, 06 Aug 2009 16:05:00 +0000</pubDate>
         <media:thumbnail height="72" url="http://4.bp.blogspot.com/_4wLdyS_V2Q8/SnsgqAcWtaI/AAAAAAAAABw/zLWg2s7lVLM/s72-c/phonyupsemail.PNG" width="72" xmlns:media="http://search.yahoo.com/mrss/"/>
      </item>
      <item>
         <title>Four-star review of SafeCentral</title>
         <link>http://blog.safecentral.com/2009/06/four-star-review-of-safecentral.html</link>
         <description>PC Magazine published a review of SafeCentral 2.0 today, giving our latest version 4 stars. You can read the entire review &lt;a rel=&quot;nofollow&quot; target=&quot;_blank&quot; href=&quot;http://www.pcmag.com/article2/0,2817,2347938,00.asp&quot;&gt;here&lt;/a&gt;.  Neil Rubenking, the reviewer, looks at a lot of products and has a good eye for what works and what doesn't.  This is his second look at SafeCentral.&lt;br /&gt;&lt;br /&gt;If you haven't given SafeCentral your first look yet, here is a little flash video to whet your appetite.  Visit &lt;a rel=&quot;nofollow&quot; target=&quot;_blank&quot; href=&quot;http://www.safecentral.com&quot;&gt;www.safecentral.com &lt;/a&gt;for the full story.&lt;br /&gt;&lt;br /&gt;  &lt;br /&gt;  &lt;embed src=&quot;http://www.safecentral.com/Flash/HowTo.swf&quot; width=&quot;537&quot; height=&quot;234&quot;&gt;&lt;br /&gt;&lt;br /&gt;</description>
         <author>noreply@blogger.com (Ray Dickenson)</author>
         <guid isPermaLink="false">tag:blogger.com,1999:blog-7633748372187898893.post-7696590008534441190</guid>
         <pubDate>Tue, 02 Jun 2009 19:48:00 +0000</pubDate>
      </item>
      <item>
         <title>Safe Travels</title>
         <link>http://blog.safecentral.com/2009/05/safe-travels.html</link>
         <description>&lt;div align=&quot;left&quot;&gt;I've been on constant travel for the past month, connecting to various hotel, airport and coffee shop wireless networks, and talking with people about information risks while on the go. More and more travelers--business people, vacationers, kids and grandparents--are using laptops, netbooks and smartphones to stay connected, informed and entertained on the road and in the air. Our computers are more susceptible to infection by malicious software when we are on the move, connecting to different networks and dealing with distractions caused by unfamiliar surroundings and fear of missing a connecting flight. We are also far away from our safety net of computer support, whether that is the computer help desk at our company or the &quot;computer guru&quot; friend you can depend on to help you out of a jam.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;&lt;span style=&quot;font-family:arial;&quot;&gt;True Story&lt;/span&gt;&lt;/strong&gt;&lt;br /&gt;I was sitting on an airplane at the Charlotte, NC, airport waiting to return home after visiting a couple of banks. Another business traveler sat down next to me and asked if I connected to the free Wifi the airport provides in the terminal. &quot;I connected to the network and saw a certificate warning page,&quot; he said, &quot;I clicked past that page and a few minutes later my McAfee antivirus started alerting me about viruses on my computer.&quot; I introduced myself and offered to take a look when we got up to cruising altitude.&lt;br /&gt;&lt;br /&gt;We opened his laptop and I reviewed the virus alerts and looked in his browser cache. He said the only thing he did was connect to the network and open his browser, which loaded the Yahoo home page. 
I saw the file McAfee was complaining about, which was a download triggered by a javascript file downloaded from a server in China about a minute after the Yahoo home page loaded.&lt;br /&gt;&lt;br /&gt;A little more reverse engineering and I found that a flash ad on the Yahoo home page had infected the computer and installed a downloader which started downloading all manner of malware. McAfee was not telling him it had blocked the infection, it was telling him he was already infected. The first Flash exploit got right past his antivirus protection with no problem. It wasn't until the second or third install of malware that McAfee finally noticed something was up.&lt;br /&gt;&lt;br /&gt;Turns out the guy was general manager of a US company and this was the laptop he used for his corporate computing, commercial banking, everything. I strongly recommended that he rebuild the laptop, reinstall all the software and in the meantime refrain from any banking or other sensitive online use. But he was on the way to important meetings and far away from his IT support group. I invited him to stop by our offices near West Palm Beach, Florida for some cyber-assistance but I never heard from him again. I'm pretty sure he continued to use his compromised laptop, perhaps after trying multiple antivirus scan-and-clean routines.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;&lt;span style=&quot;font-family:arial;&quot;&gt;Preparing for Travel&lt;/span&gt;&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;Given the increased chances for malware infection while traveling, here are a few things we can do to be safer on the road. These steps should be completed the day before you head out on your business trip or vacation.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;1. Update Windows&lt;/strong&gt; - Run Windows Updates and install all updates. This is your chance to let Microsoft close as many holes as possible in your operating system and Microsoft programs.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;2. 
Update Applications&lt;/strong&gt; - Adobe Flash Player, Apple Quicktime and a few other applications are closely tied to web browsing and are prone to exploitation if they are out of date. In the anecdote above, an out-of-date Flash Player was responsible for the business traveler's infection. Run the &lt;a rel=&quot;nofollow&quot; target=&quot;_blank&quot; href=&quot;http://secunia.com/vulnerability_scanning/&quot;&gt;vulnerability scan &lt;/a&gt;at &lt;strong&gt;Secunia&lt;/strong&gt; for free. It's a great tool that shows you what is out-of-date and gives easy links to click to make it all better (see screenshot below).&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;3. Update Antivirus&lt;/strong&gt; - And, of course, make sure your antivirus is updated with the latest definition files. &lt;/div&gt;&lt;div align=&quot;left&quot;&gt; &lt;/div&gt;&lt;p align=&quot;center&quot;&gt;&lt;a rel=&quot;nofollow&quot; target=&quot;_blank&quot; href=&quot;http://1.bp.blogspot.com/_4wLdyS_V2Q8/SgSdn-lHAwI/AAAAAAAAABg/C_9VYFRYBGY/s1600-h/secunia.scan.PNG&quot;&gt;&lt;img id=&quot;BLOGGER_PHOTO_ID_5333561168852615938&quot; style=&quot;DISPLAY:block;MARGIN:0px auto 10px;WIDTH:400px;CURSOR:hand;HEIGHT:237px;TEXT-ALIGN:center;&quot; alt=&quot;&quot; src=&quot;http://1.bp.blogspot.com/_4wLdyS_V2Q8/SgSdn-lHAwI/AAAAAAAAABg/C_9VYFRYBGY/s400/secunia.scan.PNG&quot; border=&quot;0&quot;/&gt;&lt;/a&gt; &lt;strong&gt;&lt;span style=&quot;font-family:arial;&quot;&gt;Secunia Online Scan for Out-of-Date Applications&lt;/span&gt;&lt;/strong&gt;&lt;/p&gt;&lt;p&gt; &lt;/p&gt;&lt;p&gt;Making sure your operating system, application programs and antivirus are up-to-date will give you the best chance to stay safe during your travels.  Good luck!&lt;br /&gt;&lt;/p&gt;</description>
         <author>noreply@blogger.com (Ray Dickenson)</author>
         <guid isPermaLink="false">tag:blogger.com,1999:blog-7633748372187898893.post-6471033810277106927</guid>
         <pubDate>Wed, 06 May 2009 20:29:00 +0000</pubDate>
         <media:thumbnail height="72" url="http://1.bp.blogspot.com/_4wLdyS_V2Q8/SgSdn-lHAwI/AAAAAAAAABg/C_9VYFRYBGY/s72-c/secunia.scan.PNG" width="72" xmlns:media="http://search.yahoo.com/mrss/"/>
      </item>
      <item>
         <title>Quips and Comments - RSA Conference 2009</title>
         <link>http://blog.safecentral.com/2009/04/quips-and-comments-rsa-conference-2009.html</link>
         <description>I just returned from the RSA Conference in San Francisco where the focus was on cloud security, identity theft, data protection, and online fraud prevention.  The Expo floor was busy, with lots of foot traffic and a higher-than-expected level of energy.  Especially from the guy who escaped a straightjacket while balancing atop a high-rise unicycle and pitching a security product.  We all have to multi-task.&lt;br /&gt;&lt;br /&gt;More than half of my meetings were in hotel suites and other locations away from the Moscone Center.  Power-walking between venues, it took me a while to realize that the biz-hipsters in hair gel and rock-star sunglasses were not the new wave in computer security--they were from the AdTech conference in the Moscone Center West.  Yes, geeks, infosec is still in our hands.&lt;br /&gt;&lt;br /&gt;The &quot;gubment&quot; was there--in the towering National Security Agency booth/condo.  They could neither confirm nor deny jamming my iPhone.&lt;br /&gt;&lt;br /&gt;More seriously, Defense Secretary Robert Gates was &lt;a rel=&quot;nofollow&quot; target=&quot;_blank&quot; href=&quot;http://news.zdnet.com/2100-9595_22-291026.html&quot;&gt;interviewed&lt;/a&gt; during the week on CBS News about cyber-spying.  It's worth noting that the same basic techniques are used by spies stealing government secrets and crimeware operators stealing consumer identities.  
If the government cannot stop spies from &lt;a rel=&quot;nofollow&quot; target=&quot;_blank&quot; href=&quot;http://www.chicagotribune.com/news/politics/sns-ap-us-cyber-hacking-fighter,0,6775964.story&quot;&gt;stealing secret plans&lt;/a&gt; for our latest fighter planes or &lt;a rel=&quot;nofollow&quot; target=&quot;_blank&quot; href=&quot;http://www.cnn.com/video/#/video/politics/2008/11/06/tsr.todd.candidate.hacking.cnn?iref=videosearch&quot;&gt;infiltrating presidential campaigns&lt;/a&gt;, what chance do ordinary citizens have protecting their bank accounts?&lt;br /&gt;&lt;br /&gt;I'd like to thank Neil Rubenking, PC Magazine Lead Analyst and AppScout contributor, for taking the time to meet with us, talk about SafeCentral 2.0 and post his observations on &lt;a rel=&quot;nofollow&quot; target=&quot;_blank&quot; href=&quot;http://www.appscout.com/2009/04/updated_safecentral_offers_fas.php&quot;&gt;AppScout&lt;/a&gt;.</description>
         <author>noreply@blogger.com (Ray Dickenson)</author>
         <guid isPermaLink="false">tag:blogger.com,1999:blog-7633748372187898893.post-3863714536231074863</guid>
         <pubDate>Fri, 24 Apr 2009 18:13:00 +0000</pubDate>
      </item>
      <item>
         <title>When Websites Attack</title>
         <link>http://blog.safecentral.com/2009/03/when-websites-attack.html</link>
         <description>&lt;div align=&quot;center&quot;&gt;&lt;br /&gt;&lt;/div&gt;&lt;div align=&quot;left&quot;&gt;Wouldn't it be crazy if a banking website infected our computer with a virus that steals money from our bank account? If you agree, then get ready for a big dose of crazy. Here's the inside scoop on a banking website we discovered doing just that: infecting its customers' computers with banking malware.&lt;br /&gt;&lt;/div&gt;&lt;div align=&quot;left&quot;&gt;&lt;br /&gt;&lt;/div&gt;&lt;div align=&quot;left&quot;&gt;[Quick note: 60 Minutes ran a segment yesterday on infected websites. You can view the segment &lt;a rel=&quot;nofollow&quot; target=&quot;_blank&quot; href=&quot;http://www.cbsnews.com/video/watch/?id=4901282n&quot;&gt;here&lt;/a&gt;. They interviewed a woman who watched her bank account get hacked before her very eyes.]&lt;/div&gt;&lt;div align=&quot;left&quot;&gt;&lt;/div&gt;&lt;div align=&quot;left&quot;&gt;During a routine scan of banking, shopping and financial services websites, the virus lab here at Authentium discovered malicious code on the website of a credit union in Louisiana. The code, which would have been invisible to us humans, was inserted at the bottom of each web page on the site. 
Here are some Before and After shots of the site, showing the source code:&lt;br /&gt;&lt;/div&gt;&lt;div align=&quot;center&quot;&gt;&lt;br /&gt;&lt;/div&gt;&lt;div align=&quot;center&quot;&gt;&lt;strong&gt;Before&lt;/strong&gt; &lt;/div&gt;&lt;p align=&quot;center&quot;&gt;&lt;img id=&quot;BLOGGER_PHOTO_ID_5319023733592286258&quot; style=&quot;DISPLAY:block;MARGIN:0px auto 10px;WIDTH:400px;CURSOR:hand;HEIGHT:148px;TEXT-ALIGN:center;&quot; alt=&quot;&quot; src=&quot;http://1.bp.blogspot.com/_4wLdyS_V2Q8/SdD354Cj5DI/AAAAAAAAAAw/-S4IpOX6y8U/s400/OriginalCode.crop.png&quot; border=&quot;0&quot;/&gt;&lt;/p&gt;&lt;div align=&quot;center&quot;&gt;&lt;/div&gt;&lt;div align=&quot;center&quot;&gt;&lt;strong&gt;After&lt;/strong&gt; &lt;/div&gt;&lt;div align=&quot;center&quot;&gt;&lt;br /&gt;&lt;/div&gt;&lt;img id=&quot;BLOGGER_PHOTO_ID_5319070933900252786&quot; style=&quot;DISPLAY:block;MARGIN:0px auto 10px;WIDTH:362px;CURSOR:hand;HEIGHT:400px;TEXT-ALIGN:center;&quot; alt=&quot;&quot; src=&quot;http://3.bp.blogspot.com/_4wLdyS_V2Q8/SdEi1S461nI/AAAAAAAAABQ/cdjjFVGhQxs/s400/InjectedCode.red.crop.png&quot; border=&quot;0&quot;/&gt;&lt;br /&gt;&lt;p&gt;&lt;br /&gt;&lt;strong&gt;What does this code do?&lt;/strong&gt;&lt;/p&gt;&lt;p&gt;Any Internet user who pointed their browser at the site would have the bad code downloaded and run inside their Internet Explorer or other web browser. The web browser would run this code just like all the other &quot;good&quot; code that shows us the text, images and links that make up the web page we're viewing. The bad code is smart. It pulls down more code from various places, jumping from China to the Ukraine and back to China. It's pretty tough for the good guys to track down the bad guys with that kind of world-hopping behavior. 
Here's a simple view:&lt;/p&gt;&lt;p&gt;&lt;/p&gt;&lt;img id=&quot;BLOGGER_PHOTO_ID_5319027589662867378&quot; style=&quot;DISPLAY:block;MARGIN:0px auto 10px;WIDTH:324px;CURSOR:hand;HEIGHT:278px;TEXT-ALIGN:center;&quot; alt=&quot;&quot; src=&quot;http://3.bp.blogspot.com/_4wLdyS_V2Q8/SdD7aVBbf7I/AAAAAAAAABA/kU-lU9HiULk/s400/malware.flow.sm.png&quot; border=&quot;0&quot;/&gt;&lt;br /&gt;&lt;br /&gt;&lt;p&gt;During Step 3, the code tries to infect our computer, betting on the fact that our Windows software is not up to date like Microsoft warns &lt;a rel=&quot;nofollow&quot; target=&quot;_blank&quot; href=&quot;http://www.microsoft.com/technet/security/Bulletin/MS07-009.mspx&quot;&gt;here&lt;/a&gt;, or we have not updated our Adobe PDF viewer like Adobe warns &lt;a rel=&quot;nofollow&quot; target=&quot;_blank&quot; href=&quot;http://www.adobe.com/support/security/bulletins/apsb08-19.html&quot;&gt;here &lt;/a&gt;and &lt;a rel=&quot;nofollow&quot; target=&quot;_blank&quot; href=&quot;http://www.adobe.com/support/security/advisories/apsa09-01.html&quot;&gt;here&lt;/a&gt;. In spite of these warnings from software vendors, an alarming percentage of computers remain out-of-date and vulnerable to infection.&lt;/p&gt;&lt;p&gt;The code in Step 3 is identified on &lt;a rel=&quot;nofollow&quot; target=&quot;_blank&quot; href=&quot;http://www.virustotal.com/&quot;&gt;http://www.virustotal.com/&lt;/a&gt; as the (variously named) Zbot Trojan. The trojan installs a keylogger, steals sensitive data and enables fraudulent banking transactions. One thing to note in the following screenshot is that only some antivirus products detect the infection. 
If you were running Trend Micro or McAfee when you visited the site you would not have been protected.&lt;br /&gt;&lt;/p&gt;&lt;p align=&quot;center&quot;&gt;&lt;a rel=&quot;nofollow&quot; target=&quot;_blank&quot; href=&quot;http://www.virustotal.com/&quot;&gt;http://www.virustotal.com/&lt;/a&gt; analysis of the infection&lt;br /&gt;&lt;/p&gt;&lt;p&gt;&lt;/p&gt;&lt;p&gt;&lt;img id=&quot;BLOGGER_PHOTO_ID_5319040134704076434&quot; style=&quot;DISPLAY:block;MARGIN:0px auto 10px;WIDTH:400px;CURSOR:hand;HEIGHT:377px;TEXT-ALIGN:center;&quot; alt=&quot;&quot; src=&quot;http://3.bp.blogspot.com/_4wLdyS_V2Q8/SdEG0i8VFpI/AAAAAAAAABI/ecc3sfJeFkI/s400/virustotal.report.detail.PNG&quot; border=&quot;0&quot;/&gt;&lt;/p&gt;&lt;p&gt;So the upshot of the above is: simply browsing to the credit union website can get you infected with a trojan that steals your money.&lt;/p&gt;&lt;p&gt;&lt;strong&gt;How did the code get there?&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;It's likely that the company managing the website did not keep the operating system, database, web server or other software up-to-date, allowing criminals to gain administrative access to the server and insert the bad code. They need to make sure the servers are up-to-date with the latest patches from Microsoft and the other vendors, just like we need to do with our own computers.&lt;/p&gt;&lt;p&gt;&lt;strong&gt;Happy Ending?&lt;/strong&gt;&lt;/p&gt;&lt;p&gt;The malicious code has been removed from the banking website we are profiling here. That doesn't mean it won't be back. Authentium continues to scan banking and shopping websites to make sure that users of our SafeCentral secure browsing service are as protected as possible. 
&lt;a rel=&quot;nofollow&quot; target=&quot;_blank&quot; href=&quot;http://www.safecentral.com/&quot;&gt;SafeCentral &lt;/a&gt;is designed to provide safe web transactions even if you've been unlucky enough to visit a website that has infected your computer.&lt;br /&gt;&lt;br /&gt;&lt;/p&gt;</description>
         <author>noreply@blogger.com (Ray Dickenson)</author>
         <guid isPermaLink="false">tag:blogger.com,1999:blog-7633748372187898893.post-2805432139743904643</guid>
         <pubDate>Mon, 30 Mar 2009 16:22:00 +0000</pubDate>
         <media:thumbnail height="72" url="http://1.bp.blogspot.com/_4wLdyS_V2Q8/SdD354Cj5DI/AAAAAAAAAAw/-S4IpOX6y8U/s72-c/OriginalCode.crop.png" width="72" xmlns:media="http://search.yahoo.com/mrss/"/>
      </item>
      <item>
         <title>Kids Download the Darnedest Things</title>
         <link>http://blog.safecentral.com/2009/02/kids-download-darndest-things.html</link>
         <description>As a kid I loved to hunt wild creatures, trap them and bring them home alive. Snakes were my favorite. My mom still tells the story of my bringing home a four foot reptile during her tea party with neighborhood moms.&lt;br /&gt;&lt;br /&gt;These days kids are just as likely to introduce dangerous creatures of the digital kind into the home computer.&lt;br /&gt;&lt;br /&gt;An &lt;a rel=&quot;nofollow&quot; target=&quot;_blank&quot; href=&quot;http://www.msnbc.msn.com/id/22425001/vp/29405819#29405819&quot;&gt;interesting segment&lt;/a&gt; appeared on NBC's Today Show this morning that describes the risk. The story focused on kids who downloaded and used a file sharing program to access music online. Unfortunately they were using the same computer that Mom and Dad used to prepare the family tax return and did not realize the completed tax forms were shared for the entire world to see! Any identity thief could simply type &quot;Tax Return&quot; into their own file sharing program's search field and find the family's 1040 form ripe for the picking. The family profiled in the Today Show story had their tax form filed electronically by an online thief who was very happy to receive their $2000 tax refund.&lt;br /&gt;&lt;br /&gt;There are more insidious risks to file sharing networks: they are an excellent means for spreading Trojans that quietly infect computers, remain under your antivirus radar, and do more long-term damage than grabbing a tax return. File sharing programs are used by millions of users around the world to download &quot;free&quot; software. Need Photoshop but don't want to spend the money? File sharing programs can deliver you a &quot;cracked&quot; copy (a permanent free trial) or a key generator you can use to generate your own license key. 
Bogus key generators (&quot;keygens&quot;) are the most common form of malware on file sharing networks.&lt;br /&gt;&lt;br /&gt;Malware distributors watch for file sharing searches of any and all keywords and immediately offer up files that match the keywords. Searches for &quot;Benjamin Franklin&quot; in a file sharing program will return hits like &quot;Benjamin Franklin keygen&quot; or &quot;Benjamin Franklin Greatest Hits.&quot; The files these search results point to can be executable programs or songs and videos that can deliver infections to computers that play them.&lt;br /&gt;&lt;br /&gt;Here is an example of a file sharing search this morning. The marked entry, &quot;benjamin franklin KeyGen,&quot; is identified by Authentium's Command Anti-Malware as &quot;W32/Trojan2.FXIS.&quot; This is a trojan that infects the Windows login service so it runs every time a user logs in. What does it do next? Anything it wants to.&lt;br /&gt;&lt;br /&gt;&lt;a rel=&quot;nofollow&quot; target=&quot;_blank&quot; href=&quot;http://1.bp.blogspot.com/_4wLdyS_V2Q8/SafSTZ9yqgI/AAAAAAAAAAc/8qbxtOA3F3Y/s1600-h/benjamin.franklin2.PNG&quot;&gt;&lt;img id=&quot;BLOGGER_PHOTO_ID_5307441916708825602&quot; style=&quot;display:block;margin:0px auto 10px;width:400px;height:189px;text-align:center;&quot; alt=&quot;&quot; src=&quot;http://1.bp.blogspot.com/_4wLdyS_V2Q8/SafSTZ9yqgI/AAAAAAAAAAc/8qbxtOA3F3Y/s400/benjamin.franklin2.PNG&quot; border=&quot;0&quot;/&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;These infections can include Banking Trojans, &lt;a rel=&quot;nofollow&quot; target=&quot;_blank&quot; href=&quot;http://safecentral.blogspot.com/2008/11/undetectable-data-stealing-trojan-nabs.html&quot;&gt;Keyloggers&lt;/a&gt; and &lt;a rel=&quot;nofollow&quot; target=&quot;_blank&quot; href=&quot;http://safecentral.blogspot.com/2008/12/dns-changer-learns-new-trick.html&quot;&gt;DNS Changers&lt;/a&gt; that are described elsewhere on this blog.&lt;br /&gt;&lt;br /&gt;Kids do download the darndest 
things. Authentium's &lt;a rel=&quot;nofollow&quot; target=&quot;_blank&quot; href=&quot;http://www.safecentral.com/&quot;&gt;SafeCentral&lt;/a&gt; provides secure banking and shopping even on computers that may have been infected by the kids.&lt;br /&gt;&lt;br /&gt;Now I'm going to call my mom and remind her that none of the snakes, crabs or lizards I brought home ever emptied the family bank account.&lt;br /&gt;&lt;br /&gt;&lt;span style=&quot;font-size:130%;&quot;&gt;&lt;strong&gt;Update:&lt;br /&gt;&lt;/strong&gt;&lt;/span&gt;March 16, 2009:  A couple of media outlets picked up on this story over the weekend:&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Dallas Morning News&lt;/strong&gt; - Pamela Yip covered the story in Sunday's paper here:&lt;br /&gt;&lt;a rel=&quot;nofollow&quot; target=&quot;_blank&quot; href=&quot;http://www.dallasnews.com/sharedcontent/dws/bus/columnists/pyip/stories/031609dnmoneytalk.3b94f52.html&quot;&gt;Protect your personal data when filing taxes online&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;MarketWatch&lt;/strong&gt; - Andrea Coombes included it in last Friday's &lt;a rel=&quot;nofollow&quot; target=&quot;_blank&quot; href=&quot;http://www.marketwatch.com/news/story/if-you-file-your-taxes/story.aspx?guid=%7BF4FD80E5-C3DE-422C-AD8C-7FD5069F2C3C%7D&quot;&gt;Taxing Times&lt;/a&gt; and will be following up with more this week in the &lt;a rel=&quot;nofollow&quot; target=&quot;_blank&quot; href=&quot;http://www.marketwatch.com/personalfinance/taxes&quot;&gt;Market Watch Personal Finance &lt;/a&gt;section</description>
         <author>noreply@blogger.com (Ray Dickenson)</author>
         <guid isPermaLink="false">tag:blogger.com,1999:blog-7633748372187898893.post-3616901156029881538</guid>
         <pubDate>Fri, 27 Feb 2009 02:33:00 +0000</pubDate>
         <media:thumbnail height="72" url="http://1.bp.blogspot.com/_4wLdyS_V2Q8/SafSTZ9yqgI/AAAAAAAAAAc/8qbxtOA3F3Y/s72-c/benjamin.franklin2.PNG" width="72" xmlns:media="http://search.yahoo.com/mrss/"/>
      </item>
      <item>
         <title>The Next Internet..Now</title>
         <link>http://blog.safecentral.com/2009/02/blog-post.html</link>
         <description>Internet Security is broken, and the best way to fix it is to start over.  This is the idea presented in an excellent article in the New York Times this weekend:  &lt;a rel=&quot;nofollow&quot; target=&quot;_blank&quot; href=&quot;http://www.nytimes.com/2009/02/15/weekinreview/15markoff.html&quot;&gt;Do We Need a New Internet?&lt;/a&gt;  John Markoff describes &quot;a growing belief among engineers and security experts that Internet security and privacy have become so maddeningly elusive that the only way to fix the problem is to start over.&quot;&lt;br /&gt;&lt;br /&gt;This is an excellent topic for debate and discussion among Internet technologists and everyday users alike.  Technologists can (and will) endlessly debate the merits of a revolutionary approach like the &lt;a rel=&quot;nofollow&quot; target=&quot;_blank&quot; href=&quot;http://cleanslate.stanford.edu/&quot;&gt;Clean Slate&lt;/a&gt; program at Stanford versus a more evolutionary approach to incremental improvements like deploying DNSSEC and IPv6.  Whichever approach we take, it is safe to say the solution will take decades to develop and get into mass deployment.&lt;br /&gt;&lt;br /&gt;But the fact that stands out clearly is:  Something Must Be Done.&lt;br /&gt;&lt;br /&gt;Authentium has taken a revolutionary approach to Internet security and developed a solution that gives users access to The Next Internet, now.  We recognized the limitations of DNS and the critical impact its compromise can have on Internet transactions.  We saw the &quot;maddening&quot; failure of antivirus and firewall suites in their efforts to keep computers clean of infection by identity-stealing malware that allows criminals to &quot;take over someone's computer from half a world away.&quot;&lt;br /&gt;&lt;br /&gt;So we developed SafeCentral, which has its own Secure DNS and its own hardening against the keyloggers and screen-stealers found in Banker Trojans.  
Our goal was to create an island of safety on a computer that is otherwise adrift on an unsafe Internet, which is the only Internet we have right now.</description>
         <author>noreply@blogger.com (Ray Dickenson)</author>
         <guid isPermaLink="false">tag:blogger.com,1999:blog-7633748372187898893.post-8370672700733888820</guid>
         <pubDate>Tue, 17 Feb 2009 19:10:00 +0000</pubDate>
      </item>
      <item>
         <title>The end of an era</title>
         <link>http://blogs.authentium.com/virusblog/?p=596</link>
         <description>This is the final blog posting on blogs.authentium.com. In a way it is sad, but it is also good. It is the end of an era, but also the beginning of a new one. The reason: The antivirus part of Authentium was bought by Commtouch and our new place for blogging is the Commtouch Cafe. [...]</description>
         <guid isPermaLink="false">http://blogs.authentium.com/virusblog/?p=596</guid>
         <pubDate>Fri, 12 Nov 2010 17:32:28 +0000</pubDate>
         <content:encoded><![CDATA[<p>This is the final blog posting on blogs.authentium.com. In a way it is sad, but it is also good. It is the end of an era, but also the beginning of a new one.</p>
<p>The reason: The antivirus part of Authentium was bought by Commtouch and our new place for blogging is the <a rel="nofollow" target="_blank" href="http://blog.commtouch.com/cafe/">Commtouch Cafe</a>.</p>
<p>The blogs.authentium.com/virusblog blog is more than 4 years old and had 257 blog postings. Not too bad I think <img src='http://blogs.authentium.com/virusblog/wp-includes/images/smilies/icon_wink.gif' alt=';-)' class='wp-smiley'/>  We tried to provide a technical, no marketing view of the antivirus world and hopefully we had some success at doing that.</p>
<p>Keep monitoring our new location at the <a rel="nofollow" target="_blank" href="http://blog.commtouch.com/cafe/">Commtouch Cafe</a> for new blog postings by the antivirus team and hopefully the new blog will be even better than this one.</p>]]></content:encoded>
         <category>This and That</category>
      </item>
      <item>
         <title>Brand new 0-day Exploit. The world is going to end! Yet again…</title>
         <link>http://blogs.authentium.com/virusblog/?p=579</link>
         <description>Sigh&amp;#8230; The latest &amp;#8220;exploit&amp;#8221; that affects hundreds of programs and will be the end of the world as we currently know it is actually a well documented feature of Windows. It has actually been around since the DOS days. In the old days we used to call these Companion viruses. It worked by using a [...]</description>
         <guid isPermaLink="false">http://blogs.authentium.com/virusblog/?p=579</guid>
         <pubDate>Tue, 24 Aug 2010 21:37:30 +0000</pubDate>
         <content:encoded><![CDATA[<p>Sigh&#8230; The latest &#8220;exploit&#8221; that affects hundreds of programs and will be the end of the world as we currently know it is actually a well documented feature of Windows. It has actually been around since the DOS days.</p>
<p>In the old days we used to call these Companion viruses. It worked by using a different file extension that will be executed before the real executable. For example if you had a &#8220;gwbasic.exe&#8221; you would create a &#8220;gwbasic.com&#8221; anywhere in the path and if the user just typed &#8220;gwbasic&#8221; he would execute the &#8220;gwbasic.com&#8221; and not the &#8220;gwbasic.exe&#8221;. If the author of the &#8220;gwbasic.com&#8221; was &#8216;nice&#8217; he could execute the &#8220;gwbasic.exe&#8221; so as to make the existence of the &#8220;gwbasic.com&#8221; file harder to detect.</p>
<p>This brand new 0-day exploit also uses the search path of Windows. In this case the search path for dynamically linked libraries. If an application needs to load a library dynamically then it uses a predetermined and very well documented search order to find the required libraries. This has been well documented for at least a decade. </p>
<p>How this <strong>new</strong> and <strong>amazing</strong> exploit works is that if some malicious or not so malicious person were to drop a library with the required name into the correct location then this library will be loaded instead of the expected one. We have seen malware exploiting this for several years. Developers call it DLL hell. </p>
<p>If &#8220;security researchers&#8221; are this desperate to publish exploits then it probably is a good sign. Either everybody is tired of yet another Adobe Reader exploit or it is getting harder to find exploits.</p>
<p>Is this really an exploit? Is this something that we should be detecting or Microsoft should be patching?</p>
<p>As I stated this is known and documented behavior of the Microsoft Operating systems. Unix does things a bit differently for good reasons. It definitely is not good design, but it may be problematic to fix.</p>
<p>It is possible to avoid being hijacked like this, but it does take a bit of work on the side of the developer. It is possible for Microsoft to fix it, but it will probably break the majority of software that runs on Windows. Should it be fixed? Probably, but Microsoft probably can&#8217;t without causing major problems.</p>
<p>Should we detect the exploit? That is harder. Firstly it is not an exploit. It is just the operating system doing what it should be doing. We will definitely detect any malware using this technique to spread or escalate permissions.</p>
<p>In the end I think this 10+ year old 0-day &#8220;exploit&#8221; (oxymoron?) is much ado about absolutely nothing new. </p>]]></content:encoded>
         <category>Exploits</category>
      </item>
      <item>
         <title>Cyberwar</title>
         <link>http://blogs.authentium.com/virusblog/?p=576</link>
         <description>A friend forwarded me a link to an article on NPR: &amp;#8220;Cyberwarrior Shortage Threatens U.S. Security&amp;#8220;. Personally, I am a pacifist. I abhor violence in any form for any reason. I dislike war for the same reason. I am however a pragmatist. I believe that you should have the ability to defend yourself. I also [...]</description>
         <guid isPermaLink="false">http://blogs.authentium.com/virusblog/?p=576</guid>
         <pubDate>Wed, 21 Jul 2010 03:55:19 +0000</pubDate>
         <content:encoded><![CDATA[<p>A friend forwarded me a link to an article on NPR: &#8220;<a rel="nofollow" target="_blank" href="http://www.npr.org/templates/story/story.php?storyId=128574055">Cyberwarrior Shortage Threatens U.S. Security</a>&#8220;.</p>
<p>Personally, I am a pacifist. I abhor violence in any form for any reason. I dislike war for the same reason. I am however a pragmatist. I believe that you should have the ability to defend yourself. I also believe that sometimes the best defense is a well timed attack. This is contradictory, but it is what I believe.</p>
<p>I also believe that being a warrior should be an honorable profession. It requires integrity, compassion, experience and perseverance.  Not quite the skill set you will find in a 16 year old script-kiddie calling himself a security expert. Or somebody that would adjust his own scores by cheating.</p>
<p>Too many people call themselves security experts these days. The vast majority of them don&#8217;t have the qualifications, the integrity or the ability. The whole field of computer security is surrounded by way too much myth and hype for this to change in the near future.</p>
<p>One statement is true: True security experts are a rare breed and it is very hard and expensive to recruit them. Finding twenty to thirty thousand of them is unrealistic. You will be lucky to find two hundred of them. Obviously it would be better for society if this changes, but it will take a significant investment in math and science related fields.</p>
<p>Personally I am not applying, for the simple reason that I am a pacifist. But I do hope that the people chosen to be the warriors of the future live up to the expectations that we as society have for the defenders of our liberty and our lives.</p>]]></content:encoded>
         <category>This and That</category>
      </item>
      <item>
         <title>AMTSO</title>
         <link>http://blogs.authentium.com/virusblog/?p=571</link>
         <description>There has been a lot of excitement about AMTSO and what it is all about. This specific posting was inspired by &amp;#8220;The edge of reason(ableness)&amp;#8230;&amp;#8220;. Some disclaimers: Authentium is not an AMTSO member and I have not been involved with AMTSO. Authentium is a vendor, but we generally don&amp;#8217;t make it into the worst tests [...]</description>
         <guid isPermaLink="false">http://blogs.authentium.com/virusblog/?p=571</guid>
         <pubDate>Fri, 09 Jul 2010 01:50:40 +0000</pubDate>
         <content:encoded><![CDATA[<p>There has been a lot of excitement about AMTSO and what it is all about. This specific posting was inspired by &#8220;<a rel="nofollow" target="_blank" href="http://avien.net/blog/?p=539">The edge of reason(ableness)&#8230;</a>&#8220;.</p>
<p>Some disclaimers:</p>
<ul>
<li>Authentium is not an AMTSO member and I have not been involved with AMTSO.</li>
<li>Authentium is a vendor, but we generally don&#8217;t make it into the worst tests because we are relatively unknown.</li>
<li>I am a Wildlist reporter.</li>
</ul>
<p>I have previously expressed my opinion on this blog that AMTSO is a good thing. I have also repeatedly expressed my opinion about bad testing.</p>
<p>Some assumptions from my side:</p>
<ul>
<li>Testing malware correctly is hard</li>
<li>Malware is a very specialized field</li>
<li>There is a significant amount of money to be made or lost in the anti-malware/security field</li>
<li>The only constant about malware is that it changes all the time</li>
<li>Nobody has an infinite amount of money</li>
</ul>
<p>The major reason I am personally not more involved in AMTSO is basically a lack of bandwidth: I don&#8217;t have the time.</p>
<p>What I have seen is that what they have done has basically been positive. Their intentions seem to be good.</p>
<p>Have they been able to achieve everything I would have wished? I don&#8217;t think so. But they are making progress. They have the major players involved in trying to make sense of a constantly changing, complex and specialized field. They have an open invitation for any organization that feels that it can make a contribution to join and improve AMTSO and help it in its work.</p>
<p>Will testing be perfect after AMTSO is finished with their job? Firstly I dare you to define perfect testing, secondly I don&#8217;t think that they will ever be finished. The field changes too rapidly for any decisions taken today to be valid for too long. </p>
<p>I am not going to comment in any detail on the contents of the Kevin Townsend article that started all of this. I have to wonder about &#8220;false authority syndrome&#8221;? What I will say is that a test collection of 2 samples is statistically irrelevant. Using a public multiscanner as a method to test products is also extremely dangerous. What is also quite funny are his references to Sophos and ducks. You have to understand something about Sophos to get that inside joke.</p>
<p>The Wildlist is not perfect. But you would be amazed at how much it has changed over the last year, and there are some exciting changes planned for the near future. I do however have an open invitation to anybody that can think of a better way to create a better, relevant, consistent and reproducible test set to document and implement it.</p>
<p>Testing costs money, and the better the testing, the more money it costs. Who should pay for it? The vendors definitely should not. Where should the money come from to create this perfect testing infrastructure and process?</p>
<p>I also think everybody is taking this way too seriously. I think criticism can be good and if it is constructive should be used to improve matters. If it is just negative and contributes nothing of value then it should just be ignored. Nothing is to be gained by responding angrily to any type of criticism. Either ignore it or respond in an unemotional way.</p>
<p>I understand that AMTSO has a lot on its plate, and there are a significant number of very contentious issues being debated by highly skilled people. They don&#8217;t have an easy job to do, and doing it will take time. They may also not get it right according to everybody, but hopefully they will get it right according to most people most of the time.</p>]]></content:encoded>
         <category>This and That</category>
      </item>
      <item>
         <title>How much malware is really out there? Part 2</title>
         <link>http://blogs.authentium.com/virusblog/?p=557</link>
         <description>Last year I did a previous blog entry on this subject. For my own, and hopefully your amusement I will add some more useless statistics to the subject. Since this specific monitoring system has been running we have downloaded around 78 million unique files. That is in a little more than one year. We are [...]</description>
         <guid isPermaLink="false">http://blogs.authentium.com/virusblog/?p=557</guid>
         <pubDate>Thu, 10 Jun 2010 21:00:32 +0000</pubDate>
         <content:encoded><![CDATA[<p>Last year I did a previous <a rel="nofollow" target="_blank" href="http://blogs.authentium.com/virusblog/?p=339">blog entry</a> on this subject.</p>
<p>For my own, and hopefully your, amusement I will add some more useless statistics to the subject. Since this specific monitoring system has been running we have downloaded around 78 million unique files. That is in a little more than one year. We are currently monitoring around 3 million URLs with only a small percentage of them being active at any time.</p>
<p>I collected a list of the most prevalent malware names according to this monitoring system. Only names with more than a million unique downloads are listed. By unique I mean a unique hash.</p>
<table border="1">
<tr>
<th>Count</th>
<th>Name</th>
</tr>
<tr>
<td align="right">15,289,341</td>
<td>VBS/Haptime.F</td>
</tr>
<tr>
<td align="right">12,905,221</td>
<td>HTML/IFrame</td>
</tr>
<tr>
<td align="right"> 6,431,912</td>
<td>JS/IFrame.CP</td>
</tr>
<tr>
<td align="right"> 3,414,435</td>
<td>JS/Redir.AH</td>
</tr>
<tr>
<td align="right"> 2,770,410</td>
<td>W32/Skintrim.A</td>
</tr>
<tr>
<td align="right"> 2,671,040</td>
<td>JS/IFrame</td>
</tr>
<tr>
<td align="right"> 2,369,753</td>
<td>VBS/Redlof.A@m</td>
</tr>
<tr>
<td align="right"> 2,197,070</td>
<td>JS/Linker.B!Camelot</td>
</tr>
<tr>
<td align="right"> 1,267,335</td>
<td>VBS/Edibara.A</td>
</tr>
<tr>
<td align="right"> 1,227,217</td>
<td>VBS/StartPage.BW</td>
</tr>
<tr>
<td align="right"> 1,219,779</td>
<td>HTML/Linker.G</td>
</tr>
<tr>
<td align="right"> 1,161,190</td>
<td>JS/Linker.A!Camelot</td>
</tr>
<tr>
<td align="right"> 1,152,779</td>
<td>W32/Fenomen.B.gen!Eldorado</td>
</tr>
<tr>
<td align="right"> 1,124,740</td>
<td>VBS/Psyme.CL</td>
</tr>
</table>
<p>A few things surprised me about this list. </p>
<ul>
<li>There are only 2 PE executable type malware represented in this list.</li>
<li>There are a large number of entries with more than a million unique hashes: 14. There are 73 with more than 100,000 unique hashes. There are 164 with more than 10,000 unique hashes.</li>
<li>There are only 3 generic detections in the list of which 2 are Camelot.</li>
</ul>
<p>The last one is truly counterintuitive as it contradicts all my other statistics. </p>
<p>One more thing to remember: due to the way this system is configured, it has bandwidth limitations. I am confident that is the only reason why some of these numbers are not even higher than they currently are.</p>
<p>Maybe all this proves is that this system is skewed towards seeing what it knows. These statistics are not consistent with anything else we are seeing. But then the statistics I normally look at are about what we are missing and not what we are detecting.</p>
<p>Maybe it points to something more. Maybe the amount of script based malware is more than we think. Maybe we are focusing too much on measuring and detecting PE executable malware and we are not seeing some possible growth in script based malware? I personally doubt this, but maybe it warrants a bit more thinking about the subject.</p>]]></content:encoded>
         <category>Interesting Virus Activity</category>
      </item>
      <item>
         <title>Multiscanners: part n of m</title>
         <link>http://blogs.authentium.com/virusblog/?p=529</link>
         <description>This will be my third blog posting about the dangers of multiscanners. The previous ones are: Malware Naming Confusion and Multiscanners: The good, the bad and the ugly. This time it is about how garbage can spread and infect definition files. What I am talking about is somebody is detecting some file just because somebody [...]</description>
         <guid isPermaLink="false">http://blogs.authentium.com/virusblog/?p=529</guid>
         <pubDate>Wed, 03 Mar 2010 18:31:21 +0000</pubDate>
         <content:encoded><![CDATA[<p>This will be my third blog posting about the dangers of multiscanners. The previous ones are: <a rel="nofollow" target="_blank" href="http://blogs.authentium.com/virusblog/?p=510">Malware Naming Confusion</a> and <a rel="nofollow" target="_blank" href="http://blogs.authentium.com/virusblog/?p=490">Multiscanners: The good, the bad and the ugly</a>.</p>
<p>This time it is about how garbage can spread and infect definition files.</p>
<p>What I am talking about is somebody is detecting some file just because somebody else is. Or people demand that we detect a file just because somebody else is.</p>
<p>We accidentally did a test that was similar to the one that Kaspersky did that led to my <a rel="nofollow" target="_blank" href="http://blogs.authentium.com/virusblog/?p=490">first blog entry</a> on this subject. The original test was that they created several executables and added detection for them. These executables were then submitted to a public multiscanning service and they monitored detection of these samples. After a few weeks a large number of vendors detected the samples with virtually identical names.</p>
<p>We have a file that we detect as W32/TestSample. It is a simple Windows executable that does 2 things. It opens a handle to itself, which always fails, and it displays a message box stating that it is a test sample. This allows our OEM customers to test our memory and registry scanning routines and to test the functionality of the scan engine in a safe environment. It definitely is not malware. </p>
<p>Or so I thought.</p>
<p>Obviously if 13 products detect a file it <b>must</b> be malware. Interestingly enough some of the major brands detect this file. I would love to name and shame, but I am confident there must be some similar garbage in our own collection. What is really funny is that only one other vendor at least tried to copy our name for this. Two other vendors called it Adware, 3 detected it heuristically and 6 others detected it accurately by name using different names.</p>
<p>This specific sample is in at least one large testing organization&#8217;s test set that is used to determine malware detection rates.</p>
<p>It is easy to be critical towards these other companies for including detection for this but in the end I think I understand how it happened. Either a mutual client insisted that these samples must be detected or they saw the samples in the test set of some antivirus tester and decided to add detection for it because it is easier than to dispute the sample. Or they saw that we detected it and therefore added detection for it without analyzing the actual sample.</p>
<p>Just be <b>careful</b> how you interpret the results of a multiscanner. Not everything detected by antivirus products is really malware. There are too many non-technical influences on what should be detected for the results of a multiscanner to be valuable.</p>]]></content:encoded>
         <category>This and That</category>
      </item>
      <item>
         <title>Malware Naming Confusion</title>
         <link>http://blogs.authentium.com/virusblog/?p=510</link>
         <description>I have a set of 52 samples that I know are in the same family. Based on other meta-data I know that it is at worst different versions of the same malware that we gathered over the last few weeks. In attempting to determine a name to call this I went to the &amp;#8220;trusty&amp;#8221; multiscanner [...]</description>
         <guid isPermaLink="false">http://blogs.authentium.com/virusblog/?p=510</guid>
         <pubDate>Wed, 17 Feb 2010 04:18:11 +0000</pubDate>
         <content:encoded><![CDATA[<p>I have a set of 52 samples that I know are in the same family. Based on other meta-data I know that it is at worst different versions of the same malware that we gathered over the last few weeks. In attempting to determine a name to call this I went to the <a rel="nofollow" target="_blank" href="http://blogs.authentium.com/virusblog/?p=490">&#8220;trusty&#8221; multiscanner</a> to determine what I could call it. I am trying to be consistent and not add to the naming confusion.</p>
<p>The result: I am more confused than usual. Not a single vendor was consistent in its naming.</p>
<p>One vendor called 22 of the samples &#8220;Trojan Horse&#8221;, another vendor called it &#8220;Trojan.Generic&#8221;. In total I had 8 votes for Trojan, one for malware, some for Pasta, a few for password stealer. In general nothing useful to be able to easily provide a consistent name. Not even &#8220;Trojan Horse&#8221; was used to identify the majority of samples. In total I had 306 distinct names for 52 samples.</p>
<p>I will probably end up calling this W32/Trojan because:</p>
<ul>
<li>The set does not contain enough samples</li>
<li>They are not important enough to worry this much about the name</li>
</ul>
<p>That is probably the same choice all of my colleagues in other companies are making about these same samples.</p>
<p>I don&#8217;t think the name of a piece of malware has any value. It is virtually impossible to be consistent with anybody else even if we just try the family name. Except if we start calling everything W32/Trojan. Then we can at least be consistent with the family name. But then the name will truly have no value.</p>
<p>I propose a new naming standard: Let us identify every piece of malware with a random number. It will not provide any less information than we already provide and it will allow everybody to shrink their databases by a significant amount as you don&#8217;t need to store these weird names in their weird formats.</p>
<p>But to be a bit more serious: There is true value in properly categorized malware with consistent naming. The problem is that nobody in the industry is currently doing consistent naming. To consistently categorize samples is <strong>very</strong> hard. To build meta-data to be able to associate what seems to be completely unique samples with each other with any measure of certainty is decidedly non-trivial. Most companies are trying their best to do a good job of it and sometimes you can see it. At this stage I am convinced that the route to properly handle the deluge of malware we face is to get better at these tasks.</p>]]></content:encoded>
         <category>Interesting Virus Activity</category>
      </item>
      <item>
         <title>Multiscanners: The good, the bad and the ugly</title>
         <link>http://blogs.authentium.com/virusblog/?p=490</link>
         <description>What is a multiscanner? It is a system where multiple AV products are used to scan files and provide a report about the files. What is the good about a multiscanner? It is relatively easy to build one It can provide some information about a file or set of files What is bad about a [...]</description>
         <guid isPermaLink="false">http://blogs.authentium.com/virusblog/?p=490</guid>
         <pubDate>Thu, 04 Feb 2010 03:07:10 +0000</pubDate>
         <content:encoded><![CDATA[<p><strong>What is a multiscanner?</strong> </p>
<p>It is a system where multiple AV products are used to scan files and provide a report about the files.</p>
<p><strong>What is the good about a multiscanner?</strong></p>
<ul>
<li>It is relatively easy to build one</li>
<li>It can provide some information about a file or set of files</li>
</ul>
<p><strong>What is bad about a multiscanner?</strong></p>
<ul>
<li>The quality of information you get from a multiscanner is quite low</li>
<li>It is the ideal method to copy other people&#8217;s mistakes</li>
</ul>
<p>Before I go on to the ugly I need to explain the previous statements. When a scanner detects something the only information that you have is that some scanner detected that file. It does not imply that the file is malware. </p>
<p>That may sound surprising but the reality is that not all scanners were created equal. Some scanners have heuristics that are so paranoid that they trigger on virtually every second file. Today I spent some time looking at about 200 files gathered by one of our monitoring systems. The files were from three different sources and about 90% of them were detected by at least one scanner. Strangely enough they were all variants of three totally legitimate products and should not have been detected. Had I trusted the multiscanner I would have duplicated their mistake.</p>
<p>Not all scanners are meant to be used this way. Some scanners are focused on scanning email or gateway based traffic. This enables them to specialize and tweak their heuristics in such a way that they do an amazing job at the gateway but would be disastrous to use on the desktop. They have virtually no false positives when used as they were designed, but when used in a multiscanner or as part of a desktop product they would behave in very unexpected ways.</p>
<p>Some scanners will automatically detect that they are being used to scan a collection of malware and change their behavior. This can make them difficult to trust in a multiscanner environment as their behavior is not consistent and the results can be surprising.</p>
<p>I am not going to name any specific vendors but completely trusting the information you get from a multiscanner is quite dangerous. The information gathered from a multiscanner about a file has to be added to other information about the file before a determination can be made whether the file is malware or not.</p>
<p><strong>What is ugly about a multiscanner?</strong></p>
<p>This article was triggered by a highly amusing article by Kaspersky: <a rel="nofollow" target="_blank" href="http://www.viruslist.com/en/weblog?weblogid=208188011">On the way to better testing</a>. There were also responses by <a rel="nofollow" target="_blank" href="http://www.eset.com/threat-center/blog/2010/02/02/kaspersky-virus-total-and-unacceptable-shortcuts">ESET</a> and <a rel="nofollow" target="_blank" href="http://blogs.pcmag.com/securitywatch/2010/02/sw_tests_show_problems_with_av.php?utm_source=twitterfeed&#038;utm_medium=twitter">PC Magazine</a>. What amused me is to know that they are in the same boat as we are. It is hard to convince a customer that some file that some so-called &#8220;tester&#8221; magically conjured up from some disreputable spot is garbage if 10 other scanners detect it. What is less amusing is when one of your own products is detected by 10 other products and you try to get it whitelisted or have detection for it removed.</p>
<p>Both these situations are the real ugly of multiscanners. Not only the ones in use by every AV company out there but also the public ones.</p>
<p>I am not trying to point any fingers nor am I saying that any individual scanner or multiscanner should not be trusted. All I am saying is that the context in which a product or products are used should be understood. The risks and the value of the information provided by any source should be investigated and understood before a decision based on the information is made.</p>]]></content:encoded>
         <category>This and That</category>
      </item>
      <item>
         <title>Operation Aurora</title>
         <link>http://blogs.authentium.com/virusblog/?p=487</link>
         <description>A new Microsoft Internet Explorer exploit has been identified. It specifically affects Internet Explorer 6, but it has a very low statistical chance of affecting Internet Explorer 7 or later. It does not affect Firefox, Opera, Safari or Chrome. Yes, there has been some targeted and some not so targeted attacks using this exploit. We [...]</description>
         <guid isPermaLink="false">http://blogs.authentium.com/virusblog/?p=487</guid>
         <pubDate>Fri, 22 Jan 2010 19:54:23 +0000</pubDate>
         <content:encoded><![CDATA[<p>A new Microsoft Internet Explorer exploit has been identified. It specifically affects Internet Explorer 6, but it has a very low statistical chance of affecting Internet Explorer 7 or later. It does not affect Firefox, Opera, Safari or Chrome.</p>
<p>Yes, there have been some targeted and some not so targeted attacks using this exploit. We do detect all of the versions of the exploit that we are aware of.</p>
<p>If I were Microsoft I would be a bit exasperated about this exploit and all the news it is getting. What more do they need to do to protect their customers? They have released 2 newer, most likely more secure versions of their own browser that actually handle the exploit pretty well. Microsoft Internet Explorer 6 was released in August 2001. That is nearly 9 years ago. Microsoft Internet Explorer 7 was released in October 2006. That is more than 3 years ago.</p>
<p>There have been some accounts of a working exploit for Internet Explorer 7 but we have not seen that used in malware.</p>
<p>Microsoft did release a patch for this exploit.</p>
<p>We strongly recommend the following actions:</p>
<p>1. Apply all patches to the Operating System and all applications used. It just takes one missing patch to allow a system to be compromised.<br />
2. Seriously consider improving the diversity of the Internet by using one of the many alternate browsers that are available.</p>]]></content:encoded>
         <category>Exploits</category>
      </item>
      <item>
         <title>Antivirus researcher turned bad</title>
         <link>http://blogs.authentium.com/virusblog/?p=441</link>
         <description>So there is this 18 year old kid that is making news. Some people call him a security professional, some people give him credit for &amp;#8220;advancing the state of security&amp;#8221;, some people even call him an antivirus researcher. This is based on the fact that the 18 year old Peter Kleissner has started doing things [...]</description>
         <guid isPermaLink="false">http://blogs.authentium.com/virusblog/?p=441</guid>
         <pubDate>Wed, 28 Oct 2009 02:57:20 +0000</pubDate>
         <content:encoded><![CDATA[<p>So there is this 18 year old kid that is making news. Some people call him a security professional, some people give him credit for &#8220;advancing the state of security&#8221;, some people even call him an antivirus researcher. </p>
<p>This is based on the fact that the 18 year old Peter Kleissner has started doing things that would not be considered good behavior in the antivirus industry. Some of it is documented at <a rel="nofollow" target="_blank" href="http://voices.washingtonpost.com/securityfix/2009/10/former_anti-virus_researcher_t.html">Former Anti-Virus Researcher Turns Tables On Industry</a>.</p>
<p>You will have noticed that thus far I have mentioned his age twice. If you go to his blog you will notice that the school he is studying at seems to be investigating him for other behaviors too.</p>
<p>Let&#8217;s get some balance to this story. I think he is doing a really good job at destroying himself and I hope he has friends and family that can help and support him when he figures that out. I am not trying to protect him or to say what he is doing has any merit, it does not. </p>
<p>What I am saying is that he is young, angry and confused. He is also just 18. He probably does not know enough yet to be a danger to anybody but himself and is probably about 10 years away from making a lasting impression in any field. Let&#8217;s hope he figures out what he is doing to himself before he gets into real trouble.</p>
<p>Now that I have said nice things about him, I don&#8217;t think anything he has done is really going to damage the antivirus industry. I also think that Ikarus was totally correct in asking him to leave. If he were my employee I would probably have done the same thing. </p>
<p>I think the real malware groups out there are doing things much more professionally. They are using people that are paid more and better qualified than Peter. I personally would not recommend a job as a malware author either: I have a suspicion that side of the fence uses baseball bats. We just fire people or force them to listen to rants about malware naming conventions.</p>
<p>I also think this shows that the antivirus industry is serious about staying on the right side of the fence. Due to that he will probably never work in the antivirus industry again and any &#8220;security&#8221; company that appoints him will announce something about their ethics.</p>]]></content:encoded>
         <category>This and That</category>
      </item>
   </channel>
</rss>
