Archive for November 2004

AOL bringing security to the masses

AOL bringing security to the masses. There’s a phrase I never thought I’d hear. According to their ads they are offering free desktop antivirus and free antispyware software. I think they are building Aluria’s antispyware product into the AOL software, but it looks like McAfee antivirus and personal firewall are separate downloads that AOL is making available for free.
It would be much better if antivirus was part of the software, with updates via AOL’s standard update mechanism. Then the typical user would never have to think about it. I don’t know; maybe it will work that way.
AOL has made security the forefront of their current advertising scheme. It’s a rather wise ploy. We’ve all seen article after article quoting people who can’t keep up on patches, who keep getting hit with viruses, and now on top of it all, spyware is making their computer unusable. AOL’s Internet with Training Wheels just added protection for their customers. I think that’s pretty cool.

How Tech News is Made

Back in the 90s the Clinton White House legal counsel’s office had a conspiracy theory on how news is made in Washington DC. According to this flowchart, “news” would start with well-funded right wing think tanks and individuals. It would then flow to the Western Journalism Center, the American Spectator magazine and the Pittsburgh Tribune Review. From there the legend would grow on the Internet, where it would then be picked up by the British tabloids before filtering to the Wall Street Journal, the Washington Times and the New York Post. After that it would be discussed by congressional committees. Only then would the Washington Post or the NY Times pick up on the story. I cut a diagram of this communication stream from the paper back then and always get a kick out of looking at it.
I was thinking the other day that the tech news cycle is much like this theory. Rumors are posted to lists like Bugtraq and Full Disclosure. From there it filters down to slightly more reputable sources, let’s say SANS ISC, and if it’s anti-Microsoft it will show up on Slashdot. From there it will be written up by a tech writer at ZDNet or The Register. Soon after that it will be in the Washington Post. From there it is on the AP wire and will appear in newspapers all over America.

Judge Throws Out Keystroke logger case

According to an article at Security Focus, a judge has thrown out the case against an employee who placed a hardware keystroke logger on his employer’s computer system. The judge ruled that the Federal Wiretap statute applies to interstate transmissions, and this was a local logger. Since the keystroke logger collected everything, including emails, I’m a bit surprised the judge wasn’t willing to go along with the Federal case. It will be interesting to read the case writeup on this one.

Virus Writers do something clever

Traditionally HTTP exploits have been rather mild. When an exploit site is set up and spammed to millions it can quickly be taken offline. It’s also relatively easy to add to a block list such as the one provided via Websense.
The Bofra worm acts as a sort of HTTP worm. When it infects a system it harvests email addresses, then sets up an HTTP server on a random port. (Although one write-up of one variant I saw mentioned TCP 1639.) The recipients of the email who are trusting enough to follow unsolicited links from random people are taken to the exploit website on the infected machine.
Because each newly infected machine is a potential infector, it is much more difficult to handle than traditional HTTP viruses. The other bad news is that the IFRAME Internet Explorer exploit isn’t going to be stopped by antivirus, since the exploit occurs without writing a file to disk.
The good news is that proper egress filtering can prevent this sort of activity. The bad news is the masses aren’t sitting behind a firewall (personal or otherwise), particularly one with outbound filtering.
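To make the egress-filtering point concrete, here is an added example (not from the original post) that applies a simple outbound policy to constructed firewall log lines: ordinary workstations may only leave the network on TCP 80/443, so a connection to a random high port such as the TCP 1639 mentioned above is denied and the source host is listed for review. The network ranges, the mail-server exception and the log format are all assumptions made up for this example.

```python
"""Egress policy check against Bofra-style outbound connections.
Added example, not from the original post; addresses, ports and log
format below are constructed for illustration only."""
import ipaddress
import re
from collections import Counter

INTERNAL_NET = ipaddress.ip_network("10.0.1.0/24")   # constructed LAN
MAIL_SERVER = ipaddress.ip_address("10.0.1.10")       # constructed host
ALLOWED_CLIENT_PORTS = {80, 443}                      # web only for users
ALLOWED_SERVER_PORTS = {MAIL_SERVER: {25, 80, 443}}   # mail relay may use 25

LINE_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) "
                     r"proto=(?P<proto>\w+) dport=(?P<dport>\d+)")

# Constructed sample log: two hosts reaching an outside box on 1639.
SAMPLE_LOG = """\
src=10.0.1.5 dst=203.0.113.7 proto=tcp dport=80
src=10.0.1.5 dst=198.51.100.22 proto=tcp dport=1639
src=10.0.1.6 dst=198.51.100.22 proto=tcp dport=1639
src=10.0.1.5 dst=198.51.100.23 proto=tcp dport=4444
src=10.0.1.10 dst=192.0.2.1 proto=tcp dport=25
src=10.0.1.7 dst=192.0.2.9 proto=tcp dport=443
src=10.0.1.5 dst=10.0.1.9 proto=tcp dport=445
"""

def egress_allowed(src, dst, proto, dport):
    """True if the outbound policy permits this connection."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if dst in INTERNAL_NET:
        return True            # LAN-to-LAN traffic is not egress
    if src not in INTERNAL_NET or proto != "tcp":
        return False           # not ours, or a protocol we never allow out
    return dport in ALLOWED_SERVER_PORTS.get(src, ALLOWED_CLIENT_PORTS)

def denied_connections(log_text):
    """Parse log lines; return (src, dst, dport) tuples the policy denies."""
    denied = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue              # skip lines that do not match the format
        d = m.groupdict()
        port = int(d["dport"])
        if not egress_allowed(d["src"], d["dst"], d["proto"], port):
            denied.append((d["src"], d["dst"], port))
    return denied

def hosts_to_review(log_text, threshold=2):
    """Internal hosts with at least `threshold` denied egress attempts."""
    counts = Counter(src for src, _, _ in denied_connections(log_text))
    return sorted(h for h, n in counts.items() if n >= threshold)

if __name__ == "__main__":
    for entry in denied_connections(SAMPLE_LOG):
        print("DENY", entry)
    print("review:", hosts_to_review(SAMPLE_LOG))
```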

Third party patching

If you ever feel overwhelmed by Microsoft patches, don’t even think of looking at patching the rest of the applications that are deployed in your enterprise. Recently, I was taking inventory of our vulnerability status and found we needed later versions of Adobe, Real, Winamp, Winzip, AIM, and the Sun JRE. The list is probably longer than that, but that list was long enough to be frightening.
I quickly found that some applications defy inventory. They don’t put a version number on the exe, so a standard file query in SMS won’t work. Or the version number for a vulnerable version of the product is the same as the version number for a non-vulnerable version. Sometimes the exe version was different from the product version, leaving the admin to wonder: if version 14 is version 10, is version 12 equal to version 9?
Next I considered the upgrade options. Most of the time there wasn’t a patch. It was necessary to redeploy the application. Then there is the special case of the Sun JRE, where deploying a new version seems to install the new version but leave the old one in place. My favorite though was Adobe Acrobat Reader, which required installing 6.0.1 before you could install the patch to take the version to 6.0.2.
This makes Microsoft patching look easy by comparison. I wonder how many times a day we can interrupt the users with the patching/upgrade software before they rebel.
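The inventory problems above (exe version not matching product version, and a new JRE leaving the old one behind) are the kind of thing a script can at least flag. Here is an added example, not from the original post, that runs over a constructed inventory export of the sort a file query might produce, compares each product against a minimum-version table, pads version tuples so 6.0.2 is not treated as older than 6.0.2.0, and reports hosts with more than one JRE installed. The hostnames, the CSV layout and every minimum version in the table are placeholders invented for the example, not a claim about which versions were vulnerable.

```python
"""Third-party patch inventory check. Added example, not from the
original post; hosts, CSV layout and MINIMUM values are constructed."""
import re
from collections import defaultdict

# Placeholder minimum versions for the example (not real advisories).
MINIMUM = {"Adobe Reader": "6.0.2", "Sun JRE": "1.4.2.06", "Winzip": "9.0"}

# Constructed export: host, product, exe file version, product version.
SAMPLE_INVENTORY = """\
host,product,file_version,product_version
ws01,Adobe Reader,6.0.1.0,6.0.1
ws01,Sun JRE,1.4.2.60,1.4.2_06
ws01,Sun JRE,1.4.1.0,1.4.1_02
ws02,Adobe Reader,6.0.2.0,6.0.2
ws02,Winzip,,9.0
ws03,Winzip,,
"""

def parse_version(s):
    """'1.4.2_06' or '6.0.2.0' -> tuple of ints; None if nothing parsable."""
    parts = re.findall(r"\d+", s or "")
    return tuple(int(p) for p in parts) if parts else None

def older(a, b):
    """True if version tuple a < b, padding with zeros so 6.0.2 == 6.0.2.0."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) < b + (0,) * (n - len(b))

def check_inventory(csv_text):
    """Return {host: [findings]} for out-of-date, unknown or duplicate installs."""
    findings = defaultdict(list)
    seen = defaultdict(list)               # (host, product) -> versions found
    rows = [line.split(",") for line in csv_text.splitlines()[1:] if line]
    for host, product, file_ver, prod_ver in rows:
        # Prefer the vendor's product version; the exe version is unreliable.
        ver = parse_version(prod_ver) or parse_version(file_ver)
        seen[(host, product)].append(ver)
        need = parse_version(MINIMUM.get(product))
        if ver is None:
            findings[host].append(f"{product}: no version reported, inspect manually")
        elif need and older(ver, need):
            findings[host].append(f"{product}: {prod_ver or file_ver} < {MINIMUM[product]}")
    # Side-by-side installs: a newer JRE does not remove the old one.
    for (host, product), vers in seen.items():
        if product == "Sun JRE" and len(vers) > 1:
            findings[host].append(f"{product}: {len(vers)} versions present, old copy left behind")
    return dict(findings)

if __name__ == "__main__":
    for host, items in sorted(check_inventory(SAMPLE_INVENTORY).items()):
        print(host, items)
```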

The Need for Antivirus

Over at Rod Trent’s blog today he posted regarding a comment by someone he knows at a Fortune 500 company who felt they didn’t need antivirus. Antivirus just slows the machine down. And this guy had never gotten a virus before, so why worry about it in the future?
We live in a community. Our actions affect other people. Sometimes we must place restrictions on ourselves in order to make things better for other people. We don’t always get to do exactly what we want. Antivirus is part of that. Antivirus isn’t for the advanced user. I’ve never seen a virus detection either (other than those I intentionally had for testing or so-called hacking tools). But I still have AV, because to do otherwise is simply not prudent.
It’s kind of ironic to hear this thesis offered. It would seem that over the past few years we’ve learned hard lessons about the hard and crunchy firewall and the soft center of a corporate network. The worms don’t come through the steel-reinforced front door. Rather, they come in the window or the side door that wasn’t even installed. People have a new sneakernet today. They take the laptop home, get it infected and walk it into work. They use a “secure” encrypted tunnel to log on from home and upload viruses. They use the universal firewall traversal port (port 80) to download viruses while at work. Most companies are looking to add more and more scanning (e.g. antispyware, HTTP-layer antivirus, etc.). They wouldn’t even consider less. Being behind a corporate firewall doesn’t offer the level of protection that would allow the removal of antivirus software.
There are legal ramifications too. Remember the TJ Hooper tugboat case? You can be sued if you fail to follow computer security best practices and that negligence damages someone else. Antivirus software is universally accepted at the top of the list of best practices, right after patching. Your company likely requires that all files be scanned with antivirus before being delivered to a customer. Most companies require antivirus be installed on systems connected to their network. Are you going to lose your job for the sake of your petulant stance against antivirus?
The question has been asked: if a system is properly secured, is antivirus necessary? Are you able to keep up with patching AIM, Real Player, Adobe, and Winamp on top of all the Windows patches? Even without Internet Explorer? And even if you install a personal firewall, there are still ways in via exploits.
You could really follow best practice and not use an administrator account to do anything. You could restrict access to the Run key to prevent installation. You could lock it down tight and be safe. But is that a trade-off you’re willing to accept? The desire to avoid the tyranny of antivirus would seem not to accept any security shackles.
Is it possible for an individual to get by without antivirus? Sure. Is it a good idea for a company? I don’t think so. Perhaps if the Cisco Security Agent (a HIPS product) were installed.