Tag Archives: Randy Abrams

Status Epsilon-icus*

Ok. That wasn’t the last update.

And very possibly the last update here (the target blog suggests why…): Epsilon Overkill and the Security Ecology

Update 3: Rebecca Herson evaluates some of the advice given by Epsilon customers for coping with the phlurry of phish anticipated post-Epsilon: http://blog.commtouch.com/cafe/email-security-news/advice-after-the-epsilon-breach/

Links and a little extra irony from me: http://chainmailcheck.wordpress.com/2011/04/07/epsilon-epidemic/

Update 2: a discomfiting suggestion that there was a longstanding problem that Epsilon were actually aware of: http://www.itnews.com.au/News/253712,epsilon-breach-used-four-month-old-attack.aspx (hat tip to Kurt Wismer, again)

Update: a few more articles you might find worth reading.

It’s reasonable to assume that the Epsilon fiasco will lead to an epidemic: at any rate, luminaries such as Brian Krebs and Randy Abrams are making that assumption, and publishing some excellent proactive advice accordingly. So rather than go over the same ground, I’ll just cite some of the more useful blog posts around that.

Two highly relevant posts by Brian Krebs:

And two relevant posts by Randy:

A list of companies known to have been affected from ThreatPost: http://threatpost.com/en_us/blogs/list-companies-hit-epsilon-breach-040511

And a characteristically to-the-point rant by Kurt Wismer on why it wouldn’t be an issue in a sane world: http://anti-virus-rants.blogspot.com/2011/04/why-epsilon-breach-shouldnt-be-issue.html

*Yes, a rather forced pun, I know. http://en.wikipedia.org/wiki/Status_epilepticus 

David Harley CITP FBCS CISSP
AVIEN Dogsbody
ESET Senior Research Fellow


Changing Passwords: Should You Pass On It?

I’m seeing a lot of traffic about a story in the Boston Globe and taken up elsewhere suggesting that changing passwords is “a waste of time”. Well, actually, the study by Cormac Herley doesn’t exactly say that, and I suggest that you read the actual study to see what it does say. It’s actually well worth reading and makes some excellent points, though it’s not a particularly new paper, and some of the points it makes are much older. 

Should you stop changing passwords? Well, you probably don’t have much choice, in general. You should certainly use strong passwords, where possible (some systems actively work against you in that respect, by only accepting limited password options). Randy Abrams and I wrote a paper for ESET last year that discussed some password strategies, and one of the points made there was: 

 “It’s sometimes useful to consider whether frequent changes are really necessary or desirable. After all, if you’re encouraging the use of good password selection and resistance to social engineering attacks, and making it difficult for an attacker to use unlimited login attempts, a good password should remain a safe password for quite a while.”

I don’t think that the “change passwords every thirty days” mantra has been as universally enthused over by security specialists as the Globe suggests. System administrators (not always the same thing as security specialists) do often enforce such measures, of course. But while I was working on some notes for a journalist today on social engineering, I came across this quote in a paper I presented at EICAR in 1998. (I’ll have to put that paper up somewhere: it’s actually not bad, and not particularly outdated.)

“Documented research into social engineering hasn’t kept pace with dialogue between practitioners, let alone with real-world threats. Of course password stealing is important, but it’s [also] important not to think of social engineering as being concerned exclusively with ways of saying “Open, sesame…..”

Even within this very limited area, there is scope for mistrusting received wisdom. No-one doubts the importance of secure passwords in most computing environments, though the efficacy of passwording as a long-term solution to user authentication could be the basis of a lively discussion. Still, that’s what most systems rely on. It’s accepted that frequent password changes make it harder for an intruder to guess a given user’s password. However, they also make it harder for the user to remember his/her password. He/she is thus encouraged to attempt subversive strategies such as:

  • changing a password by some easily guessed technique such as adding 1, 2, 3 etc. to the password they had before the latest enforced change.
  • changing a password several times in succession so that the password history expires, allowing them to revert to a previously held password.
  • using the same password on several systems and changing them all at the same time so as to cut down on the number of passwords they need to remember.
  • aides-memoire such as PostIts, notes in the purse, wallet or personal organizer, biro on the back of the wrist…..

How much data is there which ‘validates’ ‘known truths’ like “frequent password changes make it harder for an intruder to guess a given user’s password”? Do we need to examine such ‘received wisdom’ more closely?”
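To make the four workarounds listed above concrete from the defender’s side, here is an added example (not from the original post or the 1998 paper) of the checks a password-change handler could run against a user’s own history: the history depth, similarity threshold and burst window are assumed policy values, not anything the post specifies.

```python
"""Checks for the rotation workarounds listed above (added example; policy
numbers below are assumptions, not values from the post)."""
from datetime import datetime, timedelta
import re

HISTORY_DEPTH = 5                    # assumed: old passwords the system remembers
BURST_WINDOW = timedelta(hours=24)   # assumed: window in which rapid re-changes are suspect
BURST_COUNT = 3                      # assumed: changes in that window = history flushing

_TRAILING_DIGITS = re.compile(r"^(.*?)(\d+)$")


def _stem(pw: str) -> str:
    """Strip a trailing run of digits: 'Winter2010' -> 'Winter', 'pass1' -> 'pass'."""
    m = _TRAILING_DIGITS.match(pw)
    return m.group(1) if m else pw


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character tweaks."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def rotation_workarounds(history: list[str], new_pw: str) -> list[str]:
    """Return the workaround patterns a proposed password matches.

    history is oldest-first; only the last HISTORY_DEPTH entries count,
    mirroring a system whose password history expires.
    """
    recent = history[-HISTORY_DEPTH:]
    found = []
    if new_pw in recent:
        found.append("reuse_from_history")          # reverting to an expired-history password
    if _stem(new_pw) and any(_stem(new_pw) == _stem(o) and new_pw != o for o in recent):
        found.append("incremented_suffix")          # 'adding 1, 2, 3 etc.' to the old one
    if any(0 < _edit_distance(new_pw, o) <= 2 for o in recent):
        found.append("minor_edit")                  # trivially derived from a previous one
    return found


def history_flush_attempt(change_times: list[datetime]) -> bool:
    """True if BURST_COUNT or more changes fall inside one BURST_WINDOW."""
    times = sorted(change_times)
    return any(times[i + BURST_COUNT - 1] - times[i] <= BURST_WINDOW
               for i in range(len(times) - BURST_COUNT + 1))
```

The cross-system reuse case (the third bullet) cannot be checked from one system’s history alone, which is why it is absent here.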

Nor do I claim that those thoughts were particularly original: luminaries like Gene Spafford and Bruce Schneier have made similar observations. That doesn’t mean you should accept uncritically what they, or I, say. But it’s always worth wondering if received wisdom is really wise.

And as Neil Rubenking points out, an attacker isn’t going to waste time on trying to crack your password with brute force if he can trick you into telling it to him, or into running a keylogger. Which takes me right back to that social engineering paper… [Update: now available at http://smallbluegreenblog.wordpress.com/2010/04/16/re-floating-the-titanic-social-engineering-paper/]

David Harley FBCS CITP CISSP
AVIEN Chief Operations Officer
ESET Research Fellow & Director of Malware Intelligence
Mac Virus
Small Blue-Green World

Also blogging at:
http://www.eset.com/blog
http://avien.net/blog/
http://smallbluegreenblog.wordpress.com/
http://blogs.securiteam.com
http://blog.isc2.org/
http://dharley.wordpress.com
http://chainmailcheck.wordpress.com
http://amtso.wordpress.com

2nd Security Blogger Summit

This is an interesting event (of which I only became aware yesterday – thanks, Julio!) taking place in Madrid on 4th February. See:

http://www.securitybloggersummit.com/ 

(It’s in Spanish, but there are plenty of translation tools around nowadays to help with that for non-Spanish speakers.)

Although Panda is organizing the event, the company is being scrupulous about keeping it vendor neutral, so I won’t be attending on this, unfortunately (it looks really interesting).

The thought did occur to me, though, that a forum where independent security bloggers, industry bloggers and the media could discuss issues and approaches would be a Good Thing: a sort of AMTSO for bloggers.

Randy Abrams and I put together a paper for AVAR last year on “practical, strategic and ethical issues that arise when the security industry augments its marketing role by taking civic responsibility for the education of the community as a whole” that seems quite relevant to that thought.

http://preview.tinyurl.com/ylfu3e6

Maybe I need to revisit it.

David Harley FBCS CITP CISSP
Chief Operations Officer, AVIEN
Director of Malware Intelligence, ESET

Also blogging at:
http://www.eset.com/threat-center/blog
http://smallbluegreenblog.wordpress.com/
http://blogs.securiteam.com
http://blog.isc2.org/
http://dharley.wordpress.com

‘Tis the season for crystal balls…

And yes, I’m working on a crystal ball document today for ESET, making use of Randy Abrams’ blog at http://www.eset.com/threat-center/blog/2009/12/14/que-sera-sera-%e2%80%93-a-buffet-of-predications-for-2010 and ESET Latin America’s extensive document (already published in Spanish at http://eset-la.com/centro-amenazas/2256-tendencias-eset-malware-2010). But marketing departments and the media like that sort of thing.

In fact, many such articles are essentially retreads rather than dramatically insightful. However, Anton Chuvakin posted a blog yesterday that shows not only insight, as I’d expect, but a certain panache. Not that I wouldn’t expect that too. 🙂

http://chuvakin.blogspot.com/2009/12/security-predictions-2010.html

David Harley FBCS CITP CISSP
Chief Operations Officer, AVIEN
Director of Malware Intelligence, ESET

Also blogging at:
http://www.eset.com/threat-center/blog
http://dharley.wordpress.com/
http://blogs.securiteam.com
http://blog.isc2.org/

Paypal phishing its own users

Well, not really. But they seem to think they are.

Randy Abrams makes a serious point about user grooming and misleading autoresponses at

http://www.eset.com/threat-center/blog/2009/12/03/paypal-admits-to-phishing-users.

David Harley FBCS CITP CISSP
Chief Operations Officer, AVIEN
Director of Malware Intelligence, ESET


A Few Interesting Links

Nice commentary by Lysa Myers in SC Magazine. “Facebook’s new wrinkles must be understood”: 

Since this post is likely to find its way onto several twitter accounts and at least one Facebook page in the next few minutes, point taken. 🙂

Also, a paper drawn to my attention by Jose Nazario, with whom I’ve had animated discussions in the past about whether there’s any value in user education.

http://research.microsoft.com/en-us/um/people/cormac/papers/2009/SoLongAndNoThanks.pdf

Incidentally, I happen to think the answer is yes, there is some value, and Randy Abrams and I put our point of view into an AVAR paper last year:

http://www.eset.com/download/whitepapers/People_Patching.pdf 

And a paper on botnets I hadn’t noticed before.  “ITU Botnet Mitigation Toolkit”: 

David Harley FBCS CITP CISSP
Chief Operations Officer, AVIEN
Director of Malware Intelligence, ESET

Virus Proofing

Randy Abrams put up a blog yesterday at http://www.eset.com/threat-center/blog/2009/11/20/what-if-your-virusproof-computer-catches-a-virus about “Virus Proof Computers”: I guess he was referring to the PCs and laptops being marketed by an Australian company called Setup Complete, a merry band of PC techs based in Sydney.

After reading Randy’s article, I thought I’d take a look myself.

The page at http://virusproofcomputers.com.au/how_it_works.htm tells me that I don’t need to know “HOW it works, just that it DOES work!” Nice. Old time antivirus marketing hype in a nutshell. “Trust me, I’m a vendor.” No wonder Randy was a little acerbic. (No, it isn’t true that ESET personnel are required to take a course in advanced sarcasm before they’re allowed to blog, but it might not be a bad idea.)

There is a little information there including, it turns out, a brief Youtube video that gives you a bit of an idea of what’s happening. It seems to be a dual boot arrangement, where you boot into zone 1 (Virus Proof Surfing) or zone 2, which is “just computing that we can’t sort out with the virus proof [settings?]”. The zone 1 desktop as shown in the video is nearly unreadable on my screen, but appears to be based on the use of Foxpro for surfing and, by the look, an open-source office package for other jobs like editing Word documents.

The five-year warranty as “additional protection” is mentioned in the press release here: http://www.seekingmedia.com.au/news.php?newsid=857&g=-1

Despite the statement that “We know that our computers are totally virus proof, but as an added protection we are offering any customers who buy the computers a full five-year warranty that they will not contract a virus within that time” it seems that restitution is limited to restoring the machine to the condition it was in when originally shipped.

Does this sound as if I’m less than impressed? Not at all. It appears from http://www.setupcomplete.com/spyware.html that the company were not only able to clean spyware from an infected computer (heck, we can do that and we’re only an anti-malware company), but also to get the owner’s bank to restore $3,700 that was stolen from him. (Not, presumably, by the bank, and not, presumably, from a Virus Proof PC.)

Now getting that sort of banking service is impressive. 😉

David Harley FBCS CITP CISSP
Chief Operations Officer, AVIEN
Director of Malware Intelligence, ESET
