Technical Tidbits™

Posts Tagged ‘antivirus’

With Guest Author and Co-Instructor: Anthony Valente, CEO of Network Defense Solutions

I think I’m on either a debunking roll, or just out right rage against the machine! Either way, I’ve about had it with these big corporations spoon feeding you a line of crap.

I’m taking the gloves off.

The name of this post is actually the name of an InfoWorld Article published yesterday. But don’t bother clicking the link, I’m going to provide you with the 7 points and quotes as I go through each one.

1. Antivirus certification omissions. The dirtiest secret in the industry is that, while antivirus tools detect replicating malicious code like worms, they do not identify malcode such as nonreplicating Trojans. So, even though Trojans have been around since the beginning of malicious code, there is no accountability in antivirus certification tests. Today Trojans and other forms on nonreplicating malcode constitute 80% or more of the threats businesses are likely to face. Antivirus accountability metrics are simply no longer reflective of the true state of threat.

First of all, that is totally not true that the antivirus programs do not catch non-replicating trojans.  I have had my TrendMicro, Norton, and other AV tools I ‘ve tested catch my test Trojans.  Now that may be through their heuristic capablilities, it still does catch them!

I have no clue where this guy got his information, but I’d like to see what the AV vendors have to say about this one! To me, this is nothing more than fear-mongering.

Granted, there are a ton of things wrong with AV vendors and their products, but this claim is totally misleading.

Anthony’s Note:  Don’t forget that you also have packers, and down loaders that many anti-virus applications / vendors don’t detect.  I can prove this because Norton doesn’t detect the downloaders, and if my LPM attaches to a machine it can cripple Norton in record time.  Norton is useless.  NOD on the other hand can.  I also have a few techniques which help with the assurance that a Trojan not be caught by an AV application.

2. There is no perimeter. If you still believe in the perimeter, you may as well believe in Santa Claus. That isn’t to say there is no perimeter. But we need to define what the perimeter is. The endpoint is the perimeter, the user is the perimeter. It’s more likely that the business process is the perimeter, or the information itself is the perimeter too. If you design your security controls with no base assumption of a perimeter, when you have one you are more secure. The mistake we tend to make is, if we put the controls at the perimeter, then we will be fine. For many threats, we couldn’t be more wrong.

Does anyone else see the contradiction here? First he says there is no perimeter and if you believe in one you may as well believe in Santa Claus. Then he says that isn’t to say there is no perimeter.  Dude! Make up your mind! Enough said?

Anthony’s Note:  Regardless of a perimeter defense and whether its existence is valid or invalid, security cannot be just thrown at a borderline defense solution and forgotten.  People forget about middleware and security on the servers themselves.  Just saying “we will filter conditions here” doesn’t necessitate security. The point is to layer. Each layer tightening it’s vices on security. If you have packets pass a borderline defense, and it’s up to middleware its already too late to be worrying about security. There it’s not a worry that you’re insecure, it becomes a certainty.

3. Risk management threatens vendors. Risk management really helps an organization understand its business and its highest level of risk. However, your priorities don’t always map to what the vendors are selling. Vendors focus on individual issues so you will continue to buy their individual products. If you don’t have a clear picture of your risk priorities, vendors are more than happy to set them for you. Trusted security partners will provide options for assessing your risk posture and help you develop plans to make the most security impact for the least cost and complexity. Security needs to conform to and support your business priorities. Too often, vendors want your business to conform to their portfolio.

Does that go for you too Mr. principal security strategist for IBM Internet Security Systems? Whatcha selling?

I will agree that there are a lot of security vendors out there that will sell companies things they don’t need to make bucks on products they sell. But if everyone listened to me, we wouldn’t be having this discussion in the first place.  *Yes, I know that was egotistical and out right rude.  But like I said, I’m really fed up with all this misinformation going around. So indulge me!

But the problem is NOT with the vendors pal. It’s with the companies and the people who REFUSE to deal with the issue of security!

When our company ran our promo for our online security courses during our anniversary celebration, no one – not one person or company even inquired let alone purchased.  In all of our discussions with folks on the issue of security, I heard excuse after excuse of why they didn’t want to take the time to learn about it.

They are too busy.  They want someone else to worry about it for them.

And the usual question I get, “Is it really that bad?”

I’ve even given the courses away for free! Then I get a call from one of the people I offered the free course to, saying she got her third drive-by download! Has she taken the FREE course? NO! What does she do? Takes the computer to Best Buy and spends $100 bucks to get it reset.

If the companies and individuals would educate themselves about the BASICS of what they need to know regarding their security, then vendors wouldn’t be able to pull the wool over their eyes or sell them crap they don’t need.

Is it any wonder that we’ve had the Monster.com and heartland breach this week? I can give you a list a mile long of websites like theirs and commercial vendors that have vulnerabilities found by our researchers. (Right Anthony?) But do they want to hear? NO.  Do they hire us to report on what we’ve found? NO.

I’m telling you what, I can make more money selling what we know to the hackers than I can get any money out of corporate tight wads! And I’m really beginning to wonder why I have a conscious about it at all anymore. But I digress.

The article goes on with the list to say:

4. There is more to risk than weak software. The lion’s share of the security market is focused on software vulnerabilities. But software represents only one of the three ways to be compromised, the other two being weak configurations and people. The latter is the largest uncovered area of risk. This is malicious code that doesn’t leverage a vulnerability but rather leverages the person. For example, downloading a dancing skeleton for ‘a spooky good time’ (this was a trick employed by Storm), social engineering, spear phishing, etc. While we still need to find vulnerabilities and patch them, we must understand that an organization is only as strong as its weakest link. And more attention needs to be paid in mitigating the other two ways beyond software.

Okay, I agree wholeheartedly with this one.  And what solves this problem? EDUCATION! The one no one is buying!

5. Compliance threatens security. Compliance in and of itself is not a bad thing. But, compliance in and of itself does not equal security. At the very least it’s a resource and budget conflict, and it splits our focus. Compliance is supposed to raise the minimum standard of security, but it just gets us to do what we are required to do and nothing else.

Agreed. And it depends upon what kind of compliance you’re speaking about sir. Is it the government imposed security compliance?

Let’s look at HIPPA, shall we?  Our health data is supposed to be kept private. I’ll challenge any freaking government official to go stand in a line at any pharmacy (and Wal-mart specifically, but they are not alone in this), and listen to the names being called out from the prescription counter.  And I have to loudly verify my birth date and addresss. Privacy? Joke!

And don’t even get me started on the joke of PCI compliance in regards to credit cards.

Again, enough said.

6. Vendor blind spots allowed for Storm. Storm is being copied and improved. The Storm era of botnets is alive and well, nearly two years from when it first appeared. How is this possible? 1. Botnets thrive in the consumer world where there is little money for innovation, a fact Storm and its controllers know. They are making money off of everything from spam to pump-and-dump stock scams. 2. They eat antivirus for breakfast. A lot of the techniques and innovations used by Storm are not new; they are just being leveraged artfully against the blind spots of antivirus certifications and antivirus vendors. 3. Malcode does not need vulnerabilities. Most of the Storm recruitment drives have leveraged social engineering and play off of a holiday or sporting event.

EDUCATION, EDUCATION, EDUCATION

And again, the vendors don’t want to listen to folks like us. Our co-instructor was laughed at when he proposed that he had an exploit that would replace a well-known AV vendors ON button with a fake one that allowed his Trojan to operate in the background.  They wouldn’t even listen!

Anthony’s Note: Attack works by writing api text to “OFF” to appear as “ON” and “ON” to appear as “OFF” confusing the consumers. However, this isn’t the only issue. It’s the fact that AV software sometimes doesn’t check to see if it’s visible when an attack is mitigated. Any application that knows the API handles can hide the window, and throw up a screenshot of the desktop. Eliminate the anti-virus (with no checking by the av apps – Norton was one of them!) and have the user completely blind for 3 seconds; while they interact with a screen  that is a picture.

And if we know this possible and can prove it, what do you think the hackers and malcode writers are doing?

And finally the article concludes with:

7. Security has grown well past “do it yourself.” Technology without strategy is chaos. The security market is often far too focused on the latest hot box or technology. The shear volume of security products and the rate of change has super-saturated most organizations and exceeded their ability to keep up. Organizations realize only a fraction of the capabilities of their existing investments. Furthermore, the cost of the product is often a fraction of the cost of ownership. There was a time when you could “do it yourself.” But the simple days of Virus meets Antivirus are long gone. Highly effective organizations are embracing professional and managed security services to extend and augment their in-house expertise. By focusing your in-house expertise on what you know best — your business — scale comes from teaming with third-party expertise. This will be increasingly necessary in these tough economic times.

My only guess on this one is that IBM is selling some kind of managed service for security.

Look, I started this company a very long time when there was only McAfee and  Norton as major security vendors. I started teaching this stuff because McAfee let in a known virus that destroyed my entire business computer and database. This was before back-up capabilities!  That’s when I learned how it happened, why it happened and how to prevent it and led to my teaching it to help others avoid the problems I experienced.

Anthony, our co-instructor is a Certified Ethical Hacker and CEO of Network Defense Solutions, a company founded on the same principles of protecting others.

We aren’t huge corporations with shareholders to worry about. We are just trying to make a decent living doing what we do.  But it’s really hard to keep plugging away at it when we read garbage like this – touted as truth, and laughed at when we confront big corporations with their lack of security.

But let us use what we know to hack the SOB’s and prove it, and then we’re the bad guys!And when other bad guys figure it out and breach data or steal identities, oh well, it’s the cost of doing business.

Anthony’s Note:  The problem with security, is it’s taught with the views of “Avoid doing this yourself.”  Which in a way is reverse engineering for “g’head and do exactly the opposite!” And, this can have a great division on the lines of such a topic.  If corporate, America and this greedy government of ours would take their egotistical heads from out of their asses; they would see where security can be applied.

Showing home users the venues in such attacks and how easily they can be mitigated, leading up to what information can be divulged is a starting point.  In addition to which, corporate America has the motto that  “WE WANT THE FLASHING CISCO ROUTER WITH THE FANCY FIREWALL AND THE NIDS TO PROTECT THE NETWORK AND THE HIDS ALONG WITH THE AIDS TO PROTECT IF A BREACH IS DETECTED.” But, what really does happen? They see it, they feel it THEY KNOW the risks, however they’d rather fail to see them to put the extra few thousand back into their pockets in hopes of woosing over the secretary for one more night with a Louis Vuton bag.

Demonstrating security risks and showing their impact to get people on the bandwagon is the best route. Telling someone not to touch the security stove is basically like saying “Shower with this gasoline and play with this match.”  Even if the security landscape fell in price; remember one thing – you cannot escape the almighty dollar.

I think that Anthony is more jaded than I am and he’s a heck of a lot younger!

I guess my point is, read what you will but do so with a discerning eye.  The recent presidential election called out some of the networks on their bias to one candidate or the other, you have to look at technology articles the same way. Who posted the article? What’s in it for them? And is what you are reading true?

Something to think about.

I’m really supposed to be doing something else right now, but I couldn’t let this post wait.

At first, I thought there was a mistake due to an article I caught on CNET which said, “WSJ calls Microsoft antivirus tool ’spyware’.“ Because I thought the Wall Street Journal knew what I’ve been saying all this time!

Microsoft NEVER does anything with the users best interest in mind. There has to be some kind of spying capacity in this new thing.

But alas, the article actually refers to a graphic that was presented on the WSJ front page and of course, trying to read the freaking article on WSJ (which is a garbage piece of supposed financial journalism anyway) is impossible since they want you to subscribe to their overpriced pro Republican conservative call it a newspaper.

I actually had a Google alert waiting for me in my gmail inbox which gave me the scoop.

In a Press Release titled: Microsoft Announces Plans for No-Cost Consumer Security Offering the release states that Microsoft is ending the sales of OneCare. (Should’ve made bets on that one! DARN!)

But it also announced that since Microsoft has such an award winning malware engine (first, I never heard of any of the companies giving the awards, and secondly, wtf????), and it’s so concerned about the spread of malware and its users (Yeah, right! I believe that – NOT!), it’s going to offer this great, free solution that suckers – I mean consumers – will just want to use.

My questions to Microsoft:

1. How much is this software going to phone home with user information?

2. What data are you going to be collecting?

3. What’s in it for you (because we all know you don’t do anything without some kind of profit in it for you)?

Am I jaded? Ya think???

Lock down your PC’s folks. I’m sure this piece of fine Microsoft software will come in on a critical  auto-update! After all, does their piece of crap Malicious Software Removal Tool come in as a critical update? (I might be wrong on that one.)

Anyway, just a heads up that you’ll probably be marketed to by the brilliant minds at Microsoft to download this new piece of junk, or it will be downloaded for you.  Either way, beware of geeks bearing gifts – especially if the geeks are named Microsoft!

My GOD, I can’t learn Ubuntu soon enough!

UPDATED ADDENDUM: I just found this post from a CNET guru who claims that this is supposed to create a problem for major vendors like Symantec, Trend Micro and the like.  Sorry dude, but I have to disagree with you. Anyone with an ounce of brains in their head will never trust Microsoft with their security!

First of all, the malware creators will find a way around it, just as they have every stinking piece of M$ unsecure software.

Secondly, Microsoft has proven to the world of users that they cannot be trusted. Even if they were the next best thing since sliced bread in the Antivirus market, our recent experience with Vista alone and the lies we’ve been told about it is enough to make me vomit – let alone not trust them.

Lastly, how can anyone expect to trust Microsoft with anything security when they’ve proven they don’t know squat about it! LOOK AT THEIR SOFTWARE DUDE! IT’S NOT SECURE!

If you can’t make a secure piece of software to save your soul, why would anyone believe they know a damn thing about security???? Get serious!

Give me a solid, secure, piece of your software, and then maybe, just maybe I’ll reconsider. Until then, forget about it.

I’ve spoken with several people since my discovery that now TrendMicro’s software has gone down the drain.

I wanted someone – anyone – to tell me why! Why is it that when a company gets bigger their products get crappier? Why!???

At first it was Symantec. My gosh, how well I remember my love of Norton AV. They saved my hard drive when McAfee failed me early on in this business.  But Norton then was not the same as Symantec/Norton now.

First Norton changed to Symantec (they were bought out?). The downhill spiral started. But then, Symantec bought Veritas showing us where they were putting the money – enterprise! I can see them waving as they say, “Goodbye all you little end users who made us what we are! We are going after the real money!”

On we moved to Zonelabs Zone Alarm. Great software. Great control and not a heavy resource user. But then came the Checkpoint buyout and suddenly ZA has it’s own AV program too. And how odd that suddenly their updates started disabling Norton AV? Conspiracy? Maybe.

So, we all made the switch to TrendMicro’s PC-Cillin. My gosh, they’ve been around for ages too! And wow! Internet Security 2006 was a dream come true! I had to keep checking to see if it was working because it never bothered me!

But then, some evil happened in Trends Internet Security 2007. Was it the corporate bug-a-boo that bit them too? Suddenly we have a resource hog on our hands that grows worse with time and updates.

Why??? Why??? Why???

Is it a plague running rampant in Corporations?

A friend of mine gave me the answer I believe. And yes, it’s the plague of all Corporations. It’s an evil virus that spreads across the corporate landscape faster than a botnet. It’s called the “SHAREHOLDER”!

My friend believes that as the companies get bigger and either go public or get bought out by larger corporations, suddenly they have to worry about earnings and shareholders. So, they start to cut corners, cut expenses, make shoddier products. All to keep earnings up and keep the shareholders happy.

So there you have the explanation. The next time your favorite software merges, buys, gets bought out, or goes public, run! Run as fast you can away from them!

Please don’t ever tell me someone has bought up Spybot Search and Destroy. I think I’ll consider Hari kari!