ESET Threat Blog

Archive for May, 2009

Security Education


Friday, May 29th, 2009

Here are one or two resources some of you might find useful and interesting.

Infragard and the Center for Information Security Awareness have a Security Awareness in the Workplace program that looks worth a closer look. It consists of 14 separate lessons addressing key information security issues "that can impact in the workplace". The free lessons are presented as web-based Flash movies. People who complete the course can also register to be examined for a certificate. This isn’t free, but a nominal $24.95 doesn’t sound unreasonable. It ain’t CISSP or a GIAC qualification, but as a reward for working on security awareness, it might be a good investment.

The US-CERT Current Activity page is a regularly updated summary of high impact security incident reports. To give you an idea of the sort of information you can find there, the current page includes:

  • May 29 VMware Releases Security Advisory
  • May 28 Microsoft Releases Security Advisory 971778
  • May 27 BlackBerry Security Advisory
  • May 26 Microsoft Releases Service Pack 2 for Windows Vista and Windows Server 2008
  • May 22 Novell Releases Updates for GroupWise
  • May 20 NSD DNS Buffer Overflow Vulnerability
  • May 20 Cisco Releases Security Advisory for CiscoWorks TFTP Vulnerability
  • May 20 Mac OS X Includes Known Vulnerable Version of Java
  • May 19 Microsoft Internet Information Services (IIS) WebDAV Request Vulnerability
  • May 18 Gumblar Malware Exploit Circulating

Of course, the page gives more information than this, and includes links.

Finally, the Anti-Phishing Working Group (check the web site: some pretty useful resources there). A project I’ve just caught on to is an education initiative called the APWG/CMU Phishing Education Landing Page program. The intention is to catch potential victims who’ve clicked on a known phish link by redirecting them to an informational web site.

Find out more here. But don’t forget the Securing Our eCity initiative, either: www.securingourecity.org

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence


NHS: healthcare security and national insecurity


Wednesday, May 27th, 2009

I really ought to be concentrating on some writing deadlines, but I couldn’t ignore this item, flagged by Graham Cluley, Sophos blogger-in-residence and karaoke star. (I have to say that because I was rather rude about his singing at Infosec last month.) Graham and I both live in the UK, so the state of health of our National Health Service (NHS) is rather important to both of us.

Graham’s blog concerns the news that the UK Information Commissioner, whose office is concerned with such issues as data protection, privacy and freedom of information, has taken action against 14 NHS organizations that breached data protection legislation in some way, resulting in the loss or potential exposure of personal data.

The BBC reported that "between January and April this year there were 140 reported security breaches within the NHS – more than from central government and local authorities combined," while the Independent claims that the number of security breaches reported was only slightly less than the total number of breaches reported in the private sector. But perhaps we should get a little perspective here. Even in the UK, there is little understanding of what the NHS is, and how it works.

A great deal of NHS (and other public sector) functionality has been farmed out to private industry in the hope of cutting costs (yeah, right) and transferring risk. (Unfortunately, you can only transfer risk if the other party is prepared to accept it.) A significant number of press reports about data leakage in the public sector have taken little account of the involvement of private contractors and fuzzy interfaces with other groups such as local government, the prison service and so on. Nor is it generally realized that the NHS in general is subject to a degree of scrutiny that simply doesn’t happen in the private sector, or even in the more secret nooks and crannies of the State. Who really believes that the incidents reported to the Information Commissioner’s Office represent more than a fraction of all the data leakage incidents that take place in an era where massive databases can be carried back and forth on a DVD or a thumb drive?

The NHS isn’t one monolithic organization: it’s an "umbrella" directly employing (last time I checked) well over 1 1/4 million people in many thousands of semi-independent organizations, subject to strict budgetary and administrative controls imposed from central government via the Department of Health. The whole is loosely tied together by central networks and systems where some security functions such as messaging security are administered centrally (albeit by proxy: very little hands-on security is administered "in-house" in Leeds and Whitehall), but the local organizations that make up the bulk of the Service were told several years ago that they were responsible for their own local security and central guidance was withdrawn, or reduced to generic policy statements.

There does seem to have been some softening of the "you’re on your own and it’s your fault if it goes wrong" position: for instance, a centrally negotiated disk/media encryption solution became available some time ago which should have been deployed by now and may have mitigated the potential damage from some of those 140 breaches, but who knows?

However, the real issues here have little to do with security and everything to do with politics, the media, and the psychology of society. NHS and other public sector sites have fallen victim to the electioneering bluster of politicians of all parties, the media thirst for drama and bad news, and public disillusion with a government that has unaccountably failed to return England to a golden age where prescriptions were free, banks didn’t crash, most adults had a job, no-one had heard of AIDS or MRSA, and the Beatles were still together.

There is certainly a lot wrong with NHS security, and some of those million+ people have made massive blunders, but the Service still employs a great many competent and motivated people who don’t deserve to be treated as a political football and national scapegoat by a government and society that’s still struggling with the difficulties of online culture and finding its own place in the modern world.

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence

Twitter: it’s all about me


Tuesday, May 26th, 2009

I’ve mentioned this before, but I’m still getting quite a lot of requests to "follow" me on Twitter on an account that’s "protected". So I’m going to explain in a little more detail how this works. Or at least how it works for me…

At the beginning of the year, it was suggested that it would be useful if I had an account on Twitter, so that colleagues would know not to send me urgent requests for input on some issue or other while I was flying over Iceland or Iran or somewhere else beginning with an "I". Or whatever.

That made sense to me, so I opened an account, strictly for the convenience of people that I work with. (Actually, I opened it in Dallas in February during an ice-storm, which felt a lot like Iceland at the time.)

Being a paranoid sort of person (that’s not unusual in the security industry, I’m afraid) I "protected" the account, which means that anyone with a Twitter account can request to follow me, but it won’t happen unless I actually accept the request (much the same as approving "friend" requests on a million and a half other social networking sites, though this sort of mechanism goes way back (in principle) before "Web 2.0" to earlier connectivity providers like AOL and CompuServe).

However, "follower" requests on Twitter often don’t actually tell you much about the requester. In fact, more often than not, they don’t give you a means of contacting the requester unless you actually approve them. But I don’t usually go that far on a first date. ;-)

So, if you find and want to follow the ESET Twitter account with my name in it, I’m afraid you’ll have to email me first (with your account name, if I’m not likely to recognize it). However, I won’t approve anyone for that account that I don’t work with in an ESET context. That’s because once in a blue moon information goes over it that shouldn’t go to anyone outside ESET or our partners. Which occasionally puts me in the embarrassing position of telling close friends, family etc. that I can’t approve them for that account unless they get a job with us. :-)

However, there is an @ESETblog account. That’s the one I use to share information, acquire information from other researchers, publicly announce blogs and so on, and it isn’t protected. Except by the fact that I rarely check on who’s following me, so I’ve no idea how many gorgeous Russian women are hoping to make my acquaintance (I live in hope, but I think Graham Cluley has cornered the market there) or whether Mikeyy Mouse is squeaking away to get my attention. So anyone is welcome to follow me there, and you’re missing very little on the other account.

But if you want to be sure of getting my attention, email is still the best route: I don’t follow many people. If you don’t have any of my email addresses (and several of them are public enough to use as spam honeypots!), leave a comment here. Blog spammers not welcome, but those are pretty well filtered anyway. :)

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence

CARO and AMTSO


Tuesday, May 26th, 2009

In previous blogs, I mentioned that some of the presentations from the CARO workshop a couple of weeks ago were likely to be made available publicly.

Unfortunately for non-attendees, most of the presentations are only available to people who were there: however, some can be downloaded by the public from here.

In case I didn’t mention it before, the papers approved at the AMTSO (Anti-Malware Testing Standards Organization) workshop that followed it are now available here.

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence

Comparative Testing and Swimming the Channel


Friday, May 22nd, 2009

Greetings, friends, fans and foes. I know it’s been a while, but I’ve been travelling, with intermittent connectivity: first the Infosecurity expo in London, then the CARO and AMTSO workshops in Budapest, then the EICAR conference in Berlin. This week I’ve been at the Channel Expo in Birmingham (the one in the UK, that is) – I get to all the glamorous places, especially the ones that begin with a "B".

Channel sales isn’t something I know a lot about: while anti-malware people are generally acknowledged to be greedy, unscrupulous low-life bottom-feeders profiting from the misfortunes of others, I’ve spent most of my career in AV research as a customer, and am still acquiring the taste for human blood that is apparently a prerequisite for working in this industry. That doesn’t mean, though, that I don’t appreciate the hard work of the people in sales and marketing whose labours bring in the cash that allows me to live in the lap of luxury here in the home counties (that’s the South of England, for our USian readers).

Seriously, guys, I learned a lot about the business side of this industry from ESET UK’s presentations on the services they offer to resellers, and I’d have considered signing up myself if I wasn’t such a hopeless sales person. (This might also be a good point at which to thank our partners in Budapest for an interesting and useful discussion during my recent visit.)

That wasn’t what I was there for, though. I was there to deliver a presentation in the Technology Theatre on comparative testing. (Bet you didn’t expect that!) Which was interesting in itself: afterwards, I found myself exchanging views with a couple of people who were already resellers, and someone who’s in the process of setting up a testing lab in the UK at the moment. Which takes me neatly on to the subject of AMTSO (the Anti-Malware Testing Standards Organization). Yes, again…

As I’ve mentioned before, one of the most interesting (well, to me…) aspects of AMTSO’s current work has been the setting up of a Review Analysis Board. In brief, the principle is that the Board can consider requests to have a test/review evaluated by a group of suitably qualified individuals within AMTSO: basically, we’ll analyse tests to see whether they’ve conformed with the good practice guidelines already published on the web site. It’s taken a while to select suitable participants and establish the basic mechanisms for requesting and carrying out a review – this is definitely a job that needs to be done right, and that does take time. However, those mechanisms were agreed by the membership at the Budapest meeting, and it’s likely that the first reviews will be made public sooner rather than later.

It’s probably inevitable that some testers will see this as a threat: however, I’d rather see it as a positive step towards improving testing practice globally, and it looks like testers are starting to think proactively about getting their methodologies reviewed independently. Speaking purely personally, I’d much rather be involved with helping testers that way than with "going after" bad testers with a big stick shouting "You didn’t do it right!". But I guess we’ll have to see how it all plays out.

Meanwhile, the documents approved at Budapest are now up on the AMTSO web page for public viewing, including the Review Analysis Process documentation.

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence

Securing Our eCity


Thursday, May 21st, 2009

San Diego is a great place to live in and visit. I grew up in San Diego and didn’t realize how good I had it until I moved to San Bernardino when I was 15. What does this have to do with security? If you need an excuse for a trip to San Diego (or if you live in San Diego), take a look at <http://www.securingourecity.org/news.php>

Securing Our eCity is an initiative that ESET and other public and private sector organizations have formed to help provide quality education about cybercrime and how to defend against it.

We are delighted that this coalition of concerned organizations has been able to create free courses on how to better educate and protect yourself from cybercrime. In late May and early June we are offering several free presentations on cybercrime. We’d be delighted to have your presence at one of the seminars… more if you like!

What if you can’t make it to San Diego? We plan to expand this program to many other cities, but I don’t have the details of when yet. You can also visit <http://www.securingourecity.org> for educational materials and resources to learn more.

I hope you’ll share this information with people you know who may need to learn a bit more about phishing and other threats on the internet.

Randy Abrams
Director of Technical Education

CyberSecurity Resources


Wednesday, May 20th, 2009

At the Interop show in Las Vegas I promised some people I would put the list of resources we included in our presentation on the ESET blog. These are great resources for education and cybercrime reporting. The first one is a new initiative from ESET. I’ll blog more extensively about Securing Our eCity tomorrow!

• Securing Our eCity: www.securingourecity.org
• Internet Crimes Complaint Center: www.ic3.org
• National Cyber Security Alliance (NCSA): www.staysafeonline.org
• United States Computer Emergency Readiness Team (US-CERT): www.us-cert.gov
• Multi-state Information Sharing and Analysis Center: www.msisac.org
• Federal Trade Commission (FTC) “Protecting Personal Information: A Guide for Small Businesses”: www.ftc.gov/bcp/conline/edcams/infosecurity
• National Security Agency (NSA) Security configuration Guidelines: www.nsa.gov/ia/guidance/security_configuration_guides/index.shtml
• Anti-phishing Working Group: www.antiphishing.org
• Anti-Spyware Coalition: www.antispywarecoalition.org

Randy Abrams
Director of Technical Education

Smaller Conferences are the Best


Wednesday, May 20th, 2009

In the security community, the beginning of the summer is the time of the year when most conferences are held. In the last couple of days, there has been the CARO workshop, the AMTSO meeting and the EICAR conference. Numerous ESET employees have attended each of these gatherings. In my opinion, the best event so far has received less media attention, and it is the Confidence conference.

Confidence was held last week in the beautiful city of Krakow. It was packed with interesting challenges like assessing the security of a web application, a robot building competition, a capture the flag contest, and a specially crafted “crackme” from ESET’s research team in Poland. The talks touched numerous topics including lock picking, penetration testing, anonymity and malware. The keynote by Bruce Schneier was very well delivered and informative while Jacob Applebaum’s presentation on Tor, its applications and limitations gave a good overview of this great project.

Not only were the talks and workshops innovative, the venue was also great. The event was held in a cinema, meaning a great sound system and good seats. Confidence attracted attendees from all over Europe and beyond. The two day event was a great opportunity to meet skilled researchers, thanks to the organizers!

Pierre-Marc Bureau
Researcher

EICAR Papers


Sunday, May 17th, 2009

After my last blog, I was asked what other EICAR papers would be of interest to people in the testing industry.

In fact, quite a few of this year’s papers were focused on anti-malware testing and/or detection, and the abstracts for the industry papers are available here, and that may give you a start on finding out which papers have been made available on the web by their authors. (Strangely, I couldn’t find a listing of the academic papers, but you can find a listing of the whole programme here.) I only got hardcopy of the proceedings, and I’m not sure if a conference CD is going to be made available: in other years, I believe it’s been possible to buy a hardcopy version after the conference. There is information on some of the papers published elsewhere, though not necessarily the whole paper.

"Applied Parallel Coordinates for Logs and Network Traffic Attack Analysis", by S. Tricaud et al, which won the best paper award this year, is now available here.

Jean-Marie Borello, Eric Filiol, Ludovic Mé. "Are current antivirus programs able to detect complex metamorphic malware? An empirical evaluation" Doesn’t seem to be available online yet, but there may be more information forthcoming here.

There may be more about "On behavioural detection" by P. Beaucamps available from here.

Some other papers I found interesting: "Raw Assault on a Poly/MetaMoRPhic Engine" by A.S. Issa; "Applied evaluation methodology for anti-virus software" by A. Gazet et al.; "A study of anti-virus’ response to unknown threats" by C. Devine; "Accrediting a Testing Lab under the Auspices of International Standards Organization" by Andrew Hayter et al.; and "Checkvir Realtime Anti Malware testing and Certification" by Ferenc Leitold. Unfortunately, I don’t have information right now on the availability of soft copy of any of these.

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence

I Like EICAR


Saturday, May 16th, 2009

Yes, I’ve used that pun before, but I can’t resist using it again now that I’m back from the EICAR conference. I actually got back a couple of days ago, but I was sidetracked by some urgent administrivia and dental treatment. I’m having bacon and eggs for breakfast, my first pet’s name was Stuart Little Caesar Salad, and the first street I lived on was Letsby Avenue. Oh, sorry, I forgot for a moment that I’m not posting on TwitterBook…

So, EICAR. I went to several of these in the 1990s when the organization was still formally known as the European Institute for Computer Anti-virus Research, but quite rarely this decade, for various complicated reasons such as a change of job focus. Having learned, however, that EICAR is taking a strong interest in security software testing, which you may have noticed plays a large part in my life, there was no way I wasn’t going to this one. And, sure enough, there was a healthy ration of testing-related presentations, though it was depressing to see how young everyone in the industry (not to mention academia, which has always been well-represented in EICAR) is these days.

As I mentioned in a previous blog, there was an interesting panel session on testing issues at which members of AMTSO, EICAR, ICSALabs and CARO spoke. While this session didn’t solve the testing problem at a stroke, it did have a positive outcome, in that all the parties concerned seem to be in agreement that they need to cooperate and share information. Well, of course, such talk is cheap, as any summit conference demonstrates. But there’s actually room here for more players. While AMTSO is doing important, practical work towards raising standards with a small "s" and providing information for testers, the public, and vendors alike, EICAR may well be able to provide impetus towards providing definitions and standards in a more formal sense, and the importance of such work should not be underestimated.

Meanwhile, I’d like to pick up a point that was made after Randy and I presented a paper on "Execution Context and Anti-Malware Testing". Another vendor suggested that the paper should have been directed more specifically at mainstream testers in another presentation context, because anti-malware vendors already know about the problems with static testing and the misinterpretation of detection statistics.

I think this misses several points: mainstream testers and certification providers were both represented at the conference, which in any case is not exclusively focused on anti-malware and certainly not solely intended for information exchange between vendors.

The fact that the individual testers specifically mentioned weren’t physically present on this occasion is irrelevant: one of them has certainly been an attendee and presenter at EICAR in the past, and the other has actually asked for a copy of that paper. Furthermore, both are active in AMTSO. These are people who are trying to contribute to the improvement of testing in general and constantly working on their own methodologies, and shouldn’t be confused with those less well-informed testers who are most likely to mislead their audiences because they have insufficient understanding of the technology they’re testing. Do many of these less-informed individuals attend Virus Bulletin or EICAR? Of course not: but as more people realize the specific problems, the likelihood increases that the information will be cascaded down to testers and audiences.

Meanwhile, the security industry does itself no favours by giving the impression that it is the sole guardian of knowledge and cannot learn, only teach: that impression is one of the biggest Public Relations problems the industry in general faces. Furthermore, one of the problems we do need to acknowledge is that if vendors are exploiting general misunderstanding of technology in order to get good reviews, they are contributing to the problem, not the solution. The anti-malware industry doesn’t deserve all the bad press it gets, but it’s not altogether an innocent victim either. But that’s starting to sound like an altogether different paper.

My EICAR paper is now available here, if you’d like to make your own decision as to how relevant it is. Like several of our conference papers, it isn’t mounted directly on the ESET white papers page, in order to avoid issues with organizations that don’t like papers that have been presented at their conferences mounted on commercial web sites, but we do link to them along with all the other resources we list there.

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence