CARO Conference: Day 1

May 1, 2008 10:10 AM

The first day of conference presentations is over, and what a day.

I enjoyed several very good and very technical presentations.

The only activity left for today is the official dinner. I think sleep will be optional today, but then we can debate whether sleep is an activity or not.

There were some papers on unpacking, either automated or by hand.
Tomorrow promises to be just as good as today.

Exploits in Proprietary File Formats

April 24, 2008 4:04 PM

One of the more frustrating experiences for me over the last year or two has been exploits, mostly in Microsoft Office documents.

Let me try to explain why it is frustrating. Most of the time the first time you hear about it is through some news story or some blog entry, just like this one. You don’t have access to a sample, and your customers immediately panic and want to be protected against that exploit and all others that may have existed in the past or will exist in the future.

I can understand people being concerned about exploits. You tend to trust companies like Microsoft that have produced software that has been used as a critical component of many businesses for many years. Microsoft has even started earning some of that trust, as they are probably the one OS company that takes security seriously. Whether they do it well or not is an opinion that is nearly impossible to comment on accurately.

What is specifically difficult about Microsoft Office exploits is the utter lack of information. You are working with a proprietary application using a proprietary file format that is in theory documented. The problem is that they cannot document the format well enough to be of much use to people trying to understand the exploits.

What drives me to total distraction is that if Microsoft provides you with guidance on how to detect the exploit, it is mostly way too late to make your customers feel safe, and there have been several cases where, if we had followed the guidance, the problems caused by that would have far outweighed the benefits derived from it.

What made me write this blog entry?

Well, we may have a new PowerPoint exploit that works perfectly in Microsoft Office 2003 and probably later versions. Microsoft Office 2000 does not recognize the document. It may drop a nice little downloader that is quite effective at hiding itself. We already detect it with our version 4 and 5 scan engines. Our new version 5.1.0 engine has some heuristic capability to detect these types of exploits.

PS: Did I mention that I may be traveling the next two weeks and nobody will be able to reach me?

PS2: Something even more helpful: It seems like a similar sample was submitted to the VirusTotal service by somebody else. (SHA1: 4F4AF9E009661468913D90ABD493CA2D671C582A)

Friends in the News

April 22, 2008 6:06 PM

A friend of mine got some prime television time up in Iceland. Getting the message across that the world is a dangerous place to spend your money in. The link for your viewing pleasure: FRISK Staff on TV

Reaction to this blog

April 13, 2008 7:07 AM

One of the amusing features of this blogging software is that it presents a page which shows the links to different posts. One of the most-linked-to posts on this blog is: Windows Updates: Ranting about things that I dislike.

What everybody missed when commenting about this blog entry was my last paragraph. But that is not important.

What is important is the point I was trying to make and have been trying to make for a while: People don’t get security.

I am not talking about end users. I am talking about software/security engineers/analysts.

The job of the end user is not being a security expert. Their job is driving trucks, being a doctor, answering the phone, fixing a leaking pipe and other very important tasks that make life as we know it possible.

One of the problems with security solutions is that the software/hardware is designed by engineers for themselves. It is not designed for the receptionist or the grandmother. This makes the solution hard to understand and nearly impossible to use correctly by the non-expert.

Take updates as an example. They are a critical part of keeping a system secure. Virtually any piece of software will have exploits; the only question is how many and how serious. You need to be able to distribute and apply updates without any drama.

Unfortunately nobody gets that right. On Windows you have the “you have changed your mind, please reboot now” mentality with the pop-up reboot dialog of doom chasing your mouse around the screen. On the Mac you have a nice polite window bouncing in the dock that you can stop from bouncing, but your machine will act very strange until you reboot.

My personal favorite is my 1 year old Dell Ubuntu laptop. After virtually every update the machine stops booting. You have to type ‘e’, ‘e’, right-arrow 7 times, the delete key, ‘2’, the enter key, then ‘b’ to get to a place where you have to manually fix /boot/grub/menu.lst so that the machine works again. Sounds like I have done this a few times? You would think somebody would have fixed this by now.

The average user does not want to deal with this complexity and should not need to. The more security domain knowledge we expect from the average user the more security will fail.

I think part of the problem is that software development is not yet a proper science. Or that the average software developer is not properly trained. Or that the average software engineer cannot be an expert in everything. If you ask me to write an algorithm or a service you will get some impressive code. If you were dumb enough to ask me to write a GUI… It won’t be pretty.

The real answer for me is that we as domain experts should become better at making security easy and seamless for the average user. At this stage we still have a lot of work to do.

People just don’t get email

April 3, 2008 12:12 PM

My assumptions about email are the following:

  1. More than 90% of email is spam
  2. Of the remaining few percent of email, a significant percentage is malware and phishing attempts
  3. There is no guarantee in the RFCs (the definition of the protocol) that email will be delivered
  4. There is no way to prove that an email has been read by a human being
  5. When I receive an email from a bank or similar institution it is most likely a phishing attempt
  6. The average user does not have the skills to determine whether an email is from a valid source or not

I don’t think too many people will disagree with these assumptions. There are some attempts to improve the reliability of email and email-like communications, but these are not in general use.

Now why do several major credit card companies keep on insisting on sending bills via email? To make it even more interesting, one of our local utility companies has started doing the same thing.

We have been trying for years to teach people not to click on links in email. It is more likely to take you to a bad place than a good place. Now the banks themselves are trying to make the situation worse by trying to convince you to trust email.

Does this show that there are big problems with email as a communication mechanism? Yes, it does. But I really think banks and utilities should be aware of it and deal with it in the correct way.

And that is why I say people just don’t get it.

AV Comparatives tries to beat a Panda

March 29, 2008 7:07 PM

A friend pointed me to this entry: Rants of an immature AV company

I have met the Panda guys a few times and they seem to be good guys.

I have met Andreas Clementi from AV Comparatives a few times too.

I have stated repeatedly that not all testers were created equal. I can share lots of opinions about AV Comparatives, but I won’t. Let us just say that AV Comparatives has never tested Authentium software and never will.

I think the Panda guys behaved properly and honorably. I personally am not impressed by this. Several other people I have talked to in the industry are also less impressed.

[Edit]

It seems like some sanity has prevailed and the blog entry from AV-Comparatives has been removed. The original post from Panda that provoked this is: Do-It-Yourself AV comparative

I always believe that it is better to handle disputes in private, but I also think there have been too many things happening in the background that should rather not have.

I have also had some pretty aggressive anti-AV Comparatives comments on this entry. I prefer not to post comments of that nature.

Make vendors liable for exploits

March 10, 2008 11:11 AM

Sometimes you just know you are going to be flamed for an opinion, and today is one of those days.

This is based on this post at the Register.

In principle I think this is a great idea. In reading the whole report there are some steps that I find lacking, but then it is understandable. I think the chances of this specific report being accepted and implemented are rather remote. This is a shame, but I think it is a step in the right direction.

Let us look at their recommendations:

1. We recommend that the EU introduce a comprehensive security-breach notification law.

Great idea. It does open a can of worms that most companies would prefer to keep closed, but without this awareness any larger plan is bound to fail.

2. We recommend that the Commission (or the European Central Bank) regulate to ensure the publication of robust loss statistics for electronic crime.

Same issues as with 1.

3. We recommend that ENISA collect and publish data about the quantity of spam and other bad traffic emitted by European ISPs.

Great idea, but it does not go far enough. I would prefer to introduce some teeth into this to target ISPs that actively support organized crime. Maybe this will happen anyway, as this may be a good indicator for where the police should start looking.

4. We recommend that the European Union introduce a statutory scale of damages against ISPs that do not respond promptly to requests for the removal of compromised machines, coupled with a right for users to have disconnected machines reconnected if they assume full liability.

I love this one. For the first time there will be money associated with infecting a machine with a bot. There will also be a price for not running a safe network. This is a great idea; it automatically enables the use of a large body of existing law to claim damages.

5. We recommend that the EU develop and enforce standards for network connected equipment to be secure by default.

Personally I love this one. As a company that takes security and exploits very seriously, I think this is very good. I think there will be significant resistance against this, as taking security seriously is expensive.

6. We recommend that the EU adopt a combination of early responsible vulnerability disclosure and vendor liability for unpatched software to speed the patch-development cycle.

And the crowd goes wild… I think this is another good recommendation.

7. We recommend security patches be offered for free, and that patches be kept separate from feature updates.

Obvious, but then the cost discussion I had under 5 is very relevant here.

8. The European Union should harmonise procedures for the resolution of disputes between customers and payment service providers over electronic transactions.

Obvious.

9. We recommend that the European Commission prepare a proposal for a Directive establishing coherent regime of proportionate and effective sanctions against abusive online marketers.

And the crowd goes wild…

10. ENISA should conduct research, coordinated with other affected stakeholders and the European Commission, to study what changes are needed to consumer-protection law as commerce moves online.

Good idea.

11. We recommend that ENISA should advise the competition authorities whenever diversity has security implications.

And the crowd goes wild… A diverse environment is much harder to attack.

12. We recommend that ENISA sponsor research to better understand the effects of Internet exchange point (IXP) failures. We also recommend they work with telecomms regulators to insist on best practice in IXP peering resilience.

Good idea.

13. We recommend that the European Commission put immediate pressure on the 15 EU Member States that have yet to ratify the Council of Europe Convention on Cybercrime.

I would think this would be obvious. This is a huge issue. Not only in the EU but also in the rest of the world. Even in the US the cybercrime laws are inconsistent.

14. We recommend the establishment of an EU-wide body charged with facilitating international co-operation on cyber crime, using NATO as a model.

Very obvious and great idea. This is one of the largest issues preventing us from containing malware. I think a world-wide network of inter-connected laws and co-operation to manage cybercrime is what is really needed. This is very unlikely to happen but this is a good start. The good guys need to be able to go anywhere the bad guys are. At this stage we can’t. I am happy to see that this is acknowledged and something done about it.

15. We recommend that ENISA champion the interests of the information security sector within the European Commission to ensure that regulations introduced for other purposes do not inadvertently harm security researchers and firms.

Good idea. But then I also think that this is going to be interesting. There are too many “security” companies that do not really do security. They do hacking and probably do more to assist the criminals than in protecting society.

Rogue Anti-Malware Products

March 5, 2008 5:05 PM

What is a rogue anti-malware product?

In my mind it is a product that pretends to do something good (Protect your computer) and either does not do anything at all or creates fear in your mind with obvious and intentional false positives. The sort of fear where it tells you that you have 1,000 viruses on your machine, to clean it you have to pay $XX.XX but your machine is in reality totally clean.

Most anti-virus companies do have a free on-line scanner, but these are normally of a very high quality and do not contain intentional false positives.

So what triggered this post? I read this bit of news: Ex-CEO charged in fake anti-virus software scheme

My opinion: There is a lot of other software out there that behaves the same way. There are some attempts to at least enumerate some of them, and our software will actually detect some of the worst offenders out there. I think it is a very good signal that these legal steps happened. I wish law enforcement success with tracking down more of these people.

Another interesting note in the article is the mention of 200 anti-virus companies in South Korea. I can assure you there are not 200 reliable and trustworthy anti-virus companies in the world. But how do you know if a company is reliable and/or trustworthy?

One of the easiest tests is to ask for certifications. West Coast Labs, Virus Bulletin and ICSALabs are some of the organizations that do reliable certifications.

One of the modern side effects of the way that anti-virus technologies are licensed is that there are a few brand names out there that may not have direct certification. That makes it a bit harder. The important part is to then try to determine what technology they license and if the technology provider has any certifications.

In general the purpose of security software is to make people feel safe and to keep them as safe as possible. Criminals like these just make our jobs that much harder to do as they violate the public trust.

PS. If this post does not make sense, blame it on the flu ;-)

Cold Boot Attacks on Encryption Keys

February 27, 2008 11:11 PM

This seems to be getting some significant coverage. More coverage than I think this deserves as a security risk. The original paper. Some more coverage in the New York Times.

The paper seems to be well written and well researched. I see nothing wrong with the work done.

What I do feel is a bit silly is how people are reacting to this. This technique is probably not extremely useful, as there are easier ways to get the same information than to drag a tank of liquid hydrogen around. A baseball bat is much lighter and will probably work just as well. A promise of several years in jail will probably do it for those people like me who are averse to violence.

The reality is that the most important part of security is physical security. If you can’t prevent the bad guys from getting physical access to your computer, then you have lost the game. You can’t even compete. This paper just provides yet another way in which a lack of physical security can be exploited.

For the average Joe this will probably have zero impact. I think it can be a tool in the hand of law enforcement agencies across the world.

Is Microsoft writing malware?

February 15, 2008 9:09 AM

If you read Friendly ‘worms’ could spread software fixes then it really sounds like it. I would have assumed the people at Microsoft would be more responsible than this.

There is no such thing as a “friendly” worm. If you look at the history of “attempts” to do this you will see that they always caused more problems than they fixed. Even if that is not enough motivation, then just looking at the ethical issues surrounding the writing of malware, you would think that responsible people would avoid it.

I think it would be good if Microsoft could release an official opinion of what they think of people that write malware. Especially if the people actually work for Microsoft.