Tag Archives: education

SANS ‘Ouch!’ Newsletter on Ransomware

The latest SANS ‘Ouch!’ newsletter is dedicated to a description of ransomware and tips on how to counter it. And no, I have no idea why they chose the name Ouch!

Like other editions, this particular newsletter issue is presumably aimed primarily at home users rather than corporates. (Though it does include a link to the SANS Advanced Cybersecurity Learning Platform.) At any rate, it’s fairly simplistic. However, it’s accurate enough (though I’d take issue with the fact that it seems to suggest that cloud-based backups are safe from ransomware, which isn’t always true).

Anyway, anything that might help raise awareness and understanding of the issue among the general population is worth publicizing.

David Harley


Beating the ‘Microsoft scam’

On the SC Magazine web site, Biocatch’s VP of Product Management Oren Kedem asks ‘After a decade, why can’t we finally be rid of the Microsoft scam?’ Which is slightly odd, in that he reckons the support scam (no, he wasn’t talking about the way Microsoft is pushing Windows 10!) has been around since ‘at least 2009 in one form or another’. Well, I first heard about it in 2010, but Steve Burn, something of an authority on the sites that push these ‘solutions’, has indeed been following them since 2009. Still, that’s rather less than a decade.

That doesn’t invalidate Kedem’s central point, though. In spite of all the publicity we’ve given to these scams, they’re still clearly operational. While much of the action has shifted away from cold-calling to decoy popups and fake alerts, seeding undesirable URLs via SEO and social media, and even real malware, I still see reports on the ESET blog from people who’ve fallen for tricks like the old CLSID gag. Of course, they haven’t necessarily been cold-called, but the scammers are clearly still using tried and tested gambits to ‘prove’ that the victims need their help.

Kedem suggests that education fails because people fly into a panic and forget what they’ve been told when a scammer actually captures their attention. There’s probably something in that, but in my experience people tend to be fairly good at spotting a scam that’s close to something they’ve previously been warned about. However, they’re not so good at extrapolating from one scam to another when the underlying mechanism is the same, but the gambit used appears quite different. Which is why I try to demonstrate attack principles as well as just describing an attack. (That often goes for technical attacks as well as social engineering.)

Unfortunately, support scam attacks have proved fairly adaptable over the years. While the scammers themselves are often far from bright, the scripts they work from are sometimes pretty clever. (Fortunately, a not-so-bright scammer will very quickly sound much less convincing if you nudge them away from the comfort of an anticipated response. They’ll tend to try desperately to get you back on script, often by ignoring awkward questions and repeating scripted material until it’s clear they’re not going to get anywhere.) Still, the social engineering gambits they use in those scripts (and even the more technical approaches we’ve seen recently) are often far brighter than the call-centre drones that deliver them.

Kedem does make an interesting suggestion about making bank employees identify themselves with a ‘code of the month’ which might have possibilities for reducing phishing. Unfortunately, I can’t see how it would help with the ‘Microsoft scam’. And while there are ways of implementing educational programmes that might have more impact, getting the home users who are the main targets of support scamming to undergo suitable training may not be so easy.

David Harley

Virus Researchers are community outcasts

Lately I’ve been reading a lot of blogs and articles attacking and defending AMTSO and its attempt at establishing standards for the testing of counter-malware products. Unfortunately I think BOTH sides are missing the larger picture here. AMTSO was formed to address some critical shortcomings in the testing of counter-malware products: some tests were arguably unethical, most unscientific, and some just poor from the word go. So where does the dissent come from? It comes from the very people who did or supported those poor, non-science-based tests. Yet it goes beyond that. The people who are condemning AMTSO and its efforts are in some cases well respected in the general security arena, and are very knowledgeable, and this is the rub. These people, like most people in academia and in management, do not recognize malware research and prevention as a specialty niche. They attempt to apply the same rule-set to fighting a malware outbreak as they do to a simple intrusion, and see nothing wrong with that approach.

A majority of people not engaged in the malware field as a profession still feel that the average security professional has the same knowledge and skill sets as those used by counter-malware professionals. Unfortunately nothing could be further from the truth. It goes beyond the abilities and skills for reverse engineering, programming, and identifying abnormal network traffic. This argument goes back to at least the early 1990s, when in a panel discussion a firewalls specialist attempted to answer a question about a virus. On that panel was Wolfgang Stiller, creator of Integrity Master Anti-Virus, who interrupted him saying something along the lines of “look, I’m here for the virus questions. I would never presume to speak with authority or experience on firewalls issues, but you presume to have the same experience and expertise with viruses that I do, and that is mistaken”. Similar exchanges have happened on other panels with people such as Robert Vibert and Rob Rosenberger, among others. These are also the same people who demand that anti-malware products protect against threats that are not viruses, nor specifically malware, but “potentially unwanted programs”. So this is not a new phenomenon. The question in my mind is: why does it still exist?

Anti-virus ‘experts’ helped establish the disaster recovery field, and were among the very first to teach classes in that subject. It was the anti-virus researchers who developed the field of computer forensics; in both cases it was the anti-virus field that had the necessary expertise and skill set needed to fill the holes and expand the career field. So now that disaster recovery and computer forensics are recognized as specialty fields and given a high degree of respect from schools and management, what happened to the anti-virus researcher? Their mindset is not of an operational nature; they bore easily, and some may even say they have attention deficit disorder (ADD), yet they are anal about doing things the same way every time. They dwell on minutiae, arguing to the point of splitting hairs. I sometimes think some of my colleagues can SEE the traffic on the wire in their mind’s eye. Yet with all this contribution to the computer security community they are still (almost purposely) maligned and misunderstood. At a Virus Bulletin conference, I stated that we as a community must take action or go from the ranks of the professional to the ranks of the tradesman. I still don’t know what that action is, or how to go about it, but AMTSO is a good step in that direction, and the naysayers need to start looking outside their comfort zone and realize that they know enough to be dangerous and not enough to be helpful at this point.

Ken Bechtel
Team Anti-Virus
Virus Researcher and Security pontificator

Breaking up is never easy…LoveBug, the day after.

The LoveBug/Loveletter/Iloveyou worm (much more geekishly called VBS/Loveletter.a@mm by, well, AV geeks) has become one of those legendary events in malware history. Ten years on, we’re still writing about it. Not only that, but many of us will remember exactly where we were and what we were doing when we first heard about it – in fact many more might remember it than were actually there :).

Still, I remember exactly where I was – I was in Reading, at Microsoft headquarters attending a security seminar and my Blackberry (one of the very early ones, with a greyscale LCD screen), started to go off regularly. I grabbed the next train back to Dorset, got into work, and spent the next ten hours ensuring that nothing bad was going to happen on our network. Many other people have written about their memories of the day – 10 years ago yesterday – including Graham Cluley and Mikko Hypponen, and indeed our own David Harley, and I’ve nothing to add to that. You see – we were using Lotus Notes (~shudder~) and not one single system got infected – although we did get a tremendous amount of email, which very quickly got blocked once we knew the attachment name. No, I remember the Loveletter for what happened 10 years ago TODAY, the 5th of May. And, it is a tale I felt worth sharing, about how even good information about one situation is not necessarily applicable across the board.

Although they were not directly under my responsibility, my team had involvement with the IT systems of all the schools across Dorset, and while none of the systems we were responsible for were affected by Loveletter, this was not true of other systems within the schools, which were under the supervision of the schools’ own IT personnel. On the morning of the 5th of May, I sent out a message to everyone on our network to the effect that “Our network was not affected by the VBS/Loveletter worm, and no damage resulted from any mails that were opened within our network, but we request that you remain vigilant and avoid opening attachments that are not work related. We also suggest that you install an anti-virus product at home, and ensure that any mails with the subject “ILOVEYOU” are deleted without being opened.” This was the very last time I ever sent out such a message, not because it was incorrect, but because the information ended up being spread outside of our organisation – particularly in schools, where I’m sure people felt they were being helpful by forwarding my email – at which point I got several very angry phone calls and emails abusing me for my lack of intelligence. The reason? The information was only true of our organisation, and those whose networks DID end up getting affected (Loveletter also deleted .jpg/.jpeg images) were angry that I had so downplayed the risks of the worm while they were watching it eat through all the images on their servers and workstations. In fact, many of the schools were running Microsoft Exchange and Outlook, and once their systems were infected, many pupils lost work.

This highlights the fact that information is often specific: it isn’t necessarily relevant to all situations. Think of it like fire extinguishers; they have specific uses on specific types of fires – don’t go spraying a water extinguisher onto an electrical or fat fire, or you will get burned.

User education is often very difficult, and one of the reasons is that there are so many variables, so many different ways that things can go wrong. In a way the Loveletter worm was one of the first phishing attacks – it combined clever social engineering with malicious code to steal passwords. David Harley and I have written fairly extensively on phishing, including examining whether the sort of ‘anti-phishing’ quizzes we’ve seen on some security sites are actually of any use. As far as I’m concerned, the jury is still out – there’s far too little common sense, too much irrelevant information, and it takes (literally) a lifetime to become a security expert; you can’t expect people to learn in five minutes.

As David mentioned yesterday, AVIEN was formed out of the need for non-vendors working in the AV industry to get fast and accurate information about spreading threats – I was glad to find that the instances where such information got so wildly misconstrued as in my Loveletter incident were few and far between. AVIEN also has its 10th birthday this year – more of that later in the year.

As an aside, I later applied for a job at one of the schools that had been affected; imagine how my heart sank when my interviewer turned out to be one of the people who had written me an angry email… No, I didn’t get the job! Anyway, it’s all water under the bridge, and since it is the 5th of May, my greetings to all my Mexican/Southern Californian friends, who will no doubt be regretting today’s activities tomorrow morning.

Andrew Lee CISSP
AVIEN CEO / CTO K7 Computing

With all the Buzz, some education is in order

So, the not very surprising news is that Google has once again attempted to launch a social networking site – following its spectacularly unsuccessful 2004 launch of Orkut (no, unless you live in Brazil or India, you won’t have heard much about it either).

The new network, called “Buzz”, integrates directly into the Gmail email client. To me this just opens up lots of new ways to exploit the users – although if you are using Gmail to do anything private or confidential, you already need to have a brain check (more so now that the NSA will be ‘helping’ to secure it). It looks like Google wants some of the big dollars that Facebook and Twitter make – and of course everything will be searchable and exploitable for ad companies to target.

All the fuss around social networking has really highlighted to me the need for good security education – we’ve moved into a new world, one where children are growing up with social networking and mobile phones etc. as an integral part of life. I can’t imagine how my parents ever managed without being able to contact me by phone, or being able to look up my status on Facebook, but somehow they did. Parents have a different problem today, one of how to preserve the privacy of their families and children while taking advantage of what these new technologies offer. The sad fact is that in many cases the kids know much more about the technology than the parents, but neither the parents nor the children understand the threats. I’m often called paranoid, but it’s my belief that in some ways you can’t be too careful; our privacy, and therefore our right to a private life for ourselves and our progeny, is daily being eroded by the whim of government and the campaigning of large corporations. It’s therefore refreshing that the British government has got behind a new campaign to highlight the dangers of the online world, targeting children as young as five. While the campaign understandably focuses on protection from paedophiles, the advice has wider use, though sadly it doesn’t seem to stretch to take in malware issues.

While I’m encouraged that the government is finally doing something, I’d be much happier to see a comprehensive plan in place that focuses on education in schools, where security is taught as a discipline alongside all IT classes. We’re a long way from that, but I (and several others who blog here) will keep tilting at that particular windmill.

Andrew Lee
CEO, AVIEN & CTO K7 Computing

Educating the CIO

Useful and lengthy comment from Rob Rosenberger added to my blog at http://avien.net/blog/?p=368.

Also a pointer to a Vmyths article from 2005 that may bring back some unhappy memories for some of us…

David Harley FBCS CITP CISSP
Chief Operations Officer, AVIEN
Director of Malware Intelligence, ESET

Also blogging at:
http://www.eset.com/threat-center/blog
http://smallbluegreenblog.wordpress.com/
http://blogs.securiteam.com
http://blog.isc2.org/
http://dharley.wordpress.com

Who Will Educate the Educators?

@vmyths, otherwise known as Rob Rosenberger, notes on Twitter that

“3doz firms THAT EMPLOY COMPUTER SECURITY EXPERTS got whacked in a zero-day attack. How about some “education” for THEM, eh?”

Well, “computer security experts” is a somewhat fuzzy term, and a little pejorative: when the media use it, they usually mean themselves, or the company that supplied the press release they’re recycling. When they actually mean computer security professionals, it’s usually in the sense of “so-called security experts who can’t see what is absolutely clear to any right-thinking journalists.” A somewhat similar mindset, perhaps, to those denizens of Security-Basics who believe that anyone who has letters after his name has to be a blithering idiot with no actual security experience. No, I’m not getting into that argument again…

But let’s assume that Rob means the same group that I probably would, if I couldn’t avoid using the term: information security professionals not necessarily working within the security industry. (I know there sometimes seem to be far too many of us who are in the industry, but most of us are OK, honestly.)

A group, in fact, rather like the subscribers to the first incarnation of AVIEN: people with a wide range of job titles, skill sets and responsibilities, from independent researchers to experienced managers and system administrators to people who suddenly found themselves landed with (some) security responsibility for their company. (Yeah, me too…)

Well, it’s true: if you’re going to make people responsible for security, you do need to ensure that they already have some experience and training, or that they at least receive some training to jumpstart them into the role. Especially if, like me, you believe that part of the security professional’s role is to take some responsibility for the education of others. (Yes, I know that there’s a sizeable section of the security community that believes there’s no mileage in trying to educate the end-user – http://www.eset.com/download/whitepapers/People_Patching.pdf – but I’m not getting into that argument right now, either.)

Before we start blaming everything (yet again) on lazy, incompetent, uneducated security experts though (and hopefully that isn’t what Rob meant), let’s remind ourselves of a few pertinent facts.

  • As my colleague Aryeh Goretsky has pointed out, banks with security guards are not immune to bank robberies. “Mitigation of risk != elimination in its entirety.”
  • When a company hires security professionals, it doesn’t necessarily mean it listens to those professionals. Especially when listening to their advice entails spending significant sums that could be better spent on upgrading the catering on the Executive floor.
  • The corollary to assuming that employing security professionals (even competent individuals with exemplary support from the Boardroom) is enough to eliminate risk is that if some malicious actor does get through, someone has “failed” and needs to be fired. That’s just lazy thinking: not so different from giving the bank janitor a uniform, a revolver and six shells, and saying “Hey, you’re promoted: now our asses are covered.”

Let’s not forget Spaf’s first principle of security administration:

If you have responsibility for security, but have no authority to set rules or punish violators, your own role in the organization is to take the blame when something big goes wrong.

That observation by Professor Eugene Spafford is as accurate now as it was when I first read it nearly twenty years ago…

David Harley [Formerly FBCS CITP CISSP]
ESET Senior Research Fellow