The InfoSec Blog

14 antivirus apps found to have security problems

Posted by Anton Aylward

http://www.theregister.co.uk/2014/07/29/antivirus_blood_splattered_as_biz_warned_audit_or_die

Let us pass over the "All A are B" illogic in this and consider what we've known all along. AV doesn't really work; it never did.
Signature based AV, the whole "I'm better than you cos I have more signatures in my database" approach to AV and AV marketing that so bedazzled the journalists ("Metrics? You want metrics? We can give you metrics! How many you want? One million? Two million!) is a loosing game. Skip over polymorphism and others.  The boundary between what actually works and what works for marketing blurs.

So then we have the attacks on the 'human firewall' or whatever the buzz-word is that appears in this month's geek-Vogue magazines, whatever the latest fashion is. What's that? Oh right, the malware writers are migrating to Android the industry commentators say. Well they've tried convincing us that Linux and MacOS were under attack and vulnerable, despite the evidence. Perhaps those same vendor driven - yes vendors try convincing Linux and Apple users to buy AV products, just because Linux and MacOS ran on the same chip as Microsoft they were just as vulnerable as Microsoft, and gave up dunning the journalists and advertising when they found that the supposed market wasn't convinced and didn't buy.

That large software production is buggy surprises no-one. There are methods to producing high quality code as NASA has shown on its deep space projects, but they are incompatible with the attitudes that commercial software vendors have. They require an discipline that seems absent from the attitudes of many younger coders, the kind that so many commercial firms hire on the basis of cost and who are drive by 'lines of code per day' metrics, feature driven popularity and the 'first to market' imperatives.

So when I read about, for example, RSA getting hacked by means of social engineering, I'm not surprised. Neither am I surprised when I hear that so many point of sales terminals are, if not already infected, then vulnerable.

But then all too many organization take a 'risk-based' approach that just is not right. The resistance that US firms have had to implementing chi-n-pin credit card technology while the rest of the world had adopted it is an example in point. "It was too expensive" - until it was more expensive not to have implemented it.

 

Another Java bug: Disable the java setting in your browser

Posted by Anton Aylward

http://www.kb.cert.org/vuls/id/625617

Java 7 Update 10 and earlier contain an unspecified vulnerability
that can allow a remote, unauthenticated attacker to execute arbitrary
code on a vulnerable system.
By convincing a user to visit a specially crafted HTML document,
a remote attacker may be able to execute arbitrary code on a vulnerable
system.

Well, yes .... but.

Image representing XMind as depicted in CrunchBase

Are we fighting a loosing battle?
The New York Times is saying out loud what many of us (see Vmyths.com and Rob Rosenberger have known in our hearts for a long time. AV products don't work.

Please Realize That Piracy is a Service Problem.

Posted by Anton Aylward

http://www.forbes.com/sites/insertcoin/2012/02/03/you-will-never-kill-piracy-and-piracy-will-never-kill-you/

NEW YORK, NY - JANUARY 18:  Protesters demonst...

NEW YORK, NY - JANUARY 18: Protesters demonstrate against the proposed Stop Online Piracy Act (SOPA) and Protect IP Act (PIPA) on January 18, 2012 in New York City. The controversial legislation is aimed at preventing piracy of media but those opposed believe it will support censorship. (Image credit: Getty Images via @daylife)

The full article is a bit wordy, and manages to avoid lecturing about how the media industry failed at "service" when it came to view tapes and DVDs, how they objected even those turned out to be immensely profitable. We all know that and we all know that despite the opportunity for profits that just about everyone else in the world seems able to cash in on, the RIAA etc seem to want to shut it down.

Well if they did there would be outcries not from all the people who had minor copyright infringements from quoting one another, but from all the businesses that were loosing customers, not just from direct action but from the word-of-mouth style propagation, reviews, snippets that had nothing to do with them but caused shut-downs and lockouts. A ripple effect. The Laws of Unintended Consequences doing what it always does, biting in the ass.

Yes, if the media industry provided the service that customers want piracy wouldn't be an issue. As the article says, look at the economics.

It’s not a physical product that’s being taken. There’s nothing going missing, which is generally the hallmark of any good theft.

There's a corollary to that: if the media companies were selling on the net their cost of reproduction is zero. They can sell the same movie hundreds of times over and it doesn't cost them any more.

With VHS and DVD there is the cost of production, shipping and retail mark-up. There's that for every sale. And those are costs that are going up year by year. And if there's a mistake in estimates about volume then either there are lost sales for lack of product, or waste as it gets remaindered.

But with a 'Net based distribution scheme there is only the cost of storage and bandwidth, and those are going down.

Its as if the RIAA have it exactly backwards.

So it costs, what, lets say $20 to buy a movie as a DVD.
That's my budget. If I got to the store and found the movie I wanted was $5, then I'd be inclined to buy some more. Maybe at $5 a shot I'd spend more than $20 as I found other movies that I marginally considered. Now suppose that I didn't have to drive to the store? Many people I know buy more books at Amazon than they ever did in a bricks-and-mortar store. many bricks-and-mortar bookstores are shutting down. Lower the cost of a movie to $1 and make it available on the 'Net, mail buyers about new releases and packages the way Amazon does and there will be more impulse buying. See low-res, high-res and super-high res/HD, alternate endings, have consumers write reviews ... you know how it goes, Amazon does it well.

Amazon have shifted from selling books to selling e-books. No more packaging, inventory or shipping. Instant gratification.

The RIAA are not just stupid, they are extremely stupid.

A stereotypical caricature of a pirate.

A stereotypical caricature of a pirate. (Photo credit: Wikipedia)

 

Enhanced by Zemanta

Are *YOU* ready to give up yet?

Posted by Anton Aylward

Apparently (ISC)2 did this survey ... which means they asked the likes of us ....

http://www.darkreading.com/security-monitoring/167901086/security/security-management/229219084/under-growing-pressure-security-pros-may-be-ready-to-crack-study-says.html

Faced with an attack surface that seems to be growing at an overwhelming rate, many security professionals are beginning to wonder whether their jobs are too much for them, according to a study published last week.

Right. If you view this from a technical, bottom-up POV, then yes.

Conducted by Frost & Sullivan, the 2011 (ISC)2 Global Information Security Workforce Study (GISWS) says new threats stemming from mobile devices, the cloud, social networking, and insecure applications have led to "information security professionals being stretched thin, and like a series of small leaks in a dam, the current overworked workforce may be showing signs of strain."

Patching madness, all the hands-on ... Yes I can see that even the octopoid whiz-kids are going to feel like the proverbial one-armed paper-hanger.

Which tells me they are doing it wrong!

Two decades ago a significant part of my job was installing and configuring firewalls and putting in AV. But the only firewall I've touched in the last decade is the one under my desk at home, and that was when I was installing a new desk. Being a Linux user here I don't bother with AV.

"Hands on"? Well yes, I installed a new server on my LAN yesterday.
No, I think I'll scrub it, I don't like Ubuntu after all. I'm putting
in Asterix. That means re-doing my VLAN and the firewall rules.
So yes, I do "hands on".  Sometimes.

At client sites I do proper security work. Configuring firewalls, installing Windows patches, that's no longer "security work". The IT department does that. Its evolved[1] into the job of the network admin and the Windows/host admin. They do the hands-on. We work with the policy and translate that into what has to be done.

Application vulnerabilities ranked as the No. 1 threat to organizations among 72 percent of respondents, while only 20 percent said they are involved in secure software development.

Which illustrates my point.
I can code; many of us came to security via paths that involved being coders, system and network admins. I was a good coder, but as a coder I had little "leverage" to "Get Things Done Right". If I was "involved" in secure software development I would not have as much leverage as I might have if I took a 'hands off' roles and worked with management to set up and environment for producing secure software by the use of  training and orientation, policy, tools, testing and so forth. BTDT.

There simply are not enough of us - and never will be - to make security work "bottom up" the way the US government seems to be trying   We can only succeed "top down", by convincing the board and management that it matters, by building a "culture of security".

Own view of Enterprise Information Security Ar...

One view of Enterprise Information Security Architecure (EISA) Framework.

This is not news. I'm not saying anything new or revolutionary, no matter how many "geeks" I may upset by saying that Policy and Culture and Management matter "more". But if you are one of those people who are overworked, think about this:

Wouldn't your job be easier if the upper echelons of your organizations, the managers, VPs and Directors, were committed to InfoSec, took it seriously, allocated budget and resources, and worked strategically instead of only waking up in response to some incident, and even then just "patching over" instead of doing things properly?

Information Security should be Business Driven, not Technology Driven.

[1] Or devolved, depending on how you look at it.

Related articles

Enhanced by Zemanta