ESET Threat Blog

Archive for June, 2009

Blackberry Sundae


Monday, June 29th, 2009

Having worked quite a lot in recent years in the public sector in the UK, I’m not at all surprised that RIM (Research in Motion) is bullish about being assessed by CESG as suitable for use with restricted government data. However, it’s not altogether clear from the documentation published by RIM what this actually means.

Blackberry Enterprise Solution is considered to be "suitable for handling HMG [Her Majesty's Government] information protectively marked RESTRICTED (Impact Level 3)". CESG (Communications-Electronics Security Group, though the expanded name is no longer used) is the Information Assurance arm of GCHQ (Government Communications Headquarters), the Signals Intelligence lynchpin of national security. This standard of assurance is far from easy to achieve. However, RIM’s copious documentation, though accurate as far as it goes, doesn’t tell the whole story: the CESG page at http://www.cesg.gov.uk/find_a/cert_products/index.cfm?menuSelected=1&displayPage=152&id=436 gives a little more detail.

That information classification sounds pretty impressive, and so it is: however, it’s actually partway through an impact level matrix that ranges from zero impact in all respects (level 0) to various serious eventualities such as widespread loss of life, internal political stability, or "exceptionally grave damage to the operational effectiveness or security of UK or allied forces." Here are the issues that qualify as Impact Level 3:

  • Risk to an individual’s personal safety or liberty
  • Minor loss of confidence in Government
  • Make it more difficult to maintain the operational effectiveness or security of UK or allied forces (e.g. compromise of UK forces doctrine or training materials).
  • Cause embarrassment to Diplomatic relations
  • Disadvantage a major UK Company
  • Damage unique intelligence operations in support of intelligence requirements at JIC Priority Three or less.

Potentially serious issues, but they should be seen in the context of the mapping of Impact Levels to standard protective markings, which classify the level of confidentiality that applies to protected data:

  • Impact Level 6 – TOP SECRET
  • Impact Level 5 – SECRET
  • Impact Level 4 – CONFIDENTIAL
  • Impact Level 3 – RESTRICTED
  • Impact Levels 1 & 2 – PROTECT

In other words, this level of protection applies to data to which access is restricted, but it’s a long way down from top secret.

Clearly, this doesn’t mean that anyone in the UK public sector can use any Blackberry for any purpose. The CESG page makes it clear that "This advice is specific to Blackberry(R) Enterprise Solution and should not be construed as being more widely applicable." Furthermore, system administrators are expected to conform with CESG security procedures, and that is likely to involve disabling "features that affect the overall security of the solution".

The assessment only holds if "administrators and users adhere to the CESG security procedures". It’s also specifically stated that use of Blackberry GSM phone functionality should be restricted to NOT PROTECTIVELY MARKED use.

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence

Popularity and Spurious Statistics


Friday, June 26th, 2009

I’ve just been observing a slightly bizarre email thread about the whatdoestheinternetthink?net site, which is apparently aiming to be the place to go if you want a global enquiry tool to find out what the online world thinks about any given subject. You enter a search term, it submits to one or more search engines, and it comes back with a percentage score in three categories: positive, negative and ambivalent. (An actual search comes back with “don’t care” rather than ambivalent, and I don’t think that’s quite the same thing, but let’s not be picky.)

Well, it’s reassuring to note that the search term “ESET” scores 94.3% positive at the moment whereas Symantec scores 30.2%, and McAfee a heartrending 25%. (Sorry Mark, Igor et al! ;-)

However, it seems that we’re all outclassed right now by Microsoft Security Essentials, with a resounding 100% approval. (I figured if I searched just on Microsoft, I’d get a lot of security-unrelated hits that would totally skew the results.) In fact, that last result may be skewed slightly by the fact that it’s apparently based on a single google hit. So much for the Wisdom of Crowds. :-D

And that makes an interesting point about how to lie with statistics. I’m not much of a statistician, though my father was: his copy of Duff’s book was one of the first serious books I read. But you don’t need to know your mean from your median to realize that:

  • A brand new pre-release product hasn’t had much time to generate negative opinions
  • The bigger a company’s profile, the more comment will be made about it on the Internet (and in the real world, of course)
  • There’s a likelihood that over time, more adverse than positive comments will be made about a specific product, human nature being what it is
  • You can get pretty much any positive result you want, if you’re prepared to spend time tweaking the search terms.

So even if we knew anything about the classification criteria used by the site’s search algorithm, which we don’t, I wouldn’t advocate that you try to draw any real conclusions about the popularity or value of any vendor or product from this particular instance of lies, damned lies and statistics. Especially in the light of a little experiment carried out by a colleague at ESET UK (thanks, Quinton!): it turns out that people are overwhelmingly in favour of Ebola. Unfortunately, the site doesn’t tell us whether it’s the river, the virus, or the haemorrhagic fever that people are so fond of. Or maybe the fact that there are several musical acts, a cartoon web site and a movie with the same name tells us something. Maybe the algorithm needs a little work, guys. Or maybe some clarification as to what it actually does. Though to be fair, the disclaimer at the bottom does say that the results are provided as-is and are not reliable. :)

Given the mauling that John Lennon received in the 1960s after suggesting that the Beatles were more popular than Jesus, I think I’ll let you find out for yourselves whether a search on http://www.whatdoestheinternetthink.net supports that suggestion. Or for some real fun, try varying the search terms to see how easily you can skew the results either way.

And that’s a real problem: I can actually envisage people generating all sorts of spurious results in the way I did above and using them misleadingly in a PR context, in much the same way that they misuse VirusTotal statistics.

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence

Password Mythology


Thursday, June 25th, 2009

I recently read an article about Facebook security problems at http://www.securitymattersmag.com/security-matters-magazine-article-detail.php?id=411 in which some advice on passwords was given.
 
Some of the advice was quite good, but some was a bit shaky. I’ll go through the tips and tell you what’s hot and what’s not!
  • Use a combination of uppercase and lowercase letters, symbols, and numbers
Warm: If you have a password of less than 12 to 14 characters then the combination of numbers, symbols, upper and lower case letters matters. For longer passwords the need for all of these characters is far less. A 20 character password with all lower case letters is generally better than any 10 character password. Adding symbols and numbers does increase the strength of the password though, even for long ones.
  • Make sure your passwords are at least eight characters long. The more characters your passwords contain, the more difficult they are to guess
Warm: Eight characters is not sufficient unless you have no other choice. The more characters the better though.
  • Try to make your passwords as meaningless and random as possible
Cold: the password can be meaningful to you if it is long enough
  • Use different passwords for each account
Hot: If you use the same password for multiple accounts then if the password is compromised all of those accounts are compromised.
  • Change your passwords regularly. Set up a routine, changing your passwords the first of each month or every other payday
Almost Hot: The frequency with which you need to change your passwords depends upon what you are protecting and how good your passwords are. Typically every 6 to 12 weeks is sufficient for reasonably good passwords.
  • Never write your passwords down, and never give them out—to anyone.
Cold: If you have complex, separate passwords for everything, you are not likely to be able to remember them all. Writing the passwords down is not the issue; it’s all about where you keep what you wrote them down on! Do not share your passwords with others though!
  • Don’t use names or numbers associated with you, such as a birth date or nickname.
Cold: Don’t use just your birthdate, but a passphrase of “On January 3 I landed on earth” is a very good password, even if your birthday is January 3.
  • Don’t use your user name or login name in any form
Cold: Given a long password you can. For a short password this is good advice though.
  • Don’t use a derivative of your name, the name of a family member, or the name of a pet
Cold: Don’t use the name alone, but something like “Rover bit John’s hand” is a fine password (passphrase).
  • Avoid using a solitary word in any language
HOT HOT HOT: A solitary word is a terrible password that is easy for a computer to guess.
  • Don’t use the word password
Cold: You can use the word password in a sentence. “I hate changing my @%&$ password” is a fine password (passphrase).
  • Avoid using easily-obtained personal information. This includes license plate numbers, telephone numbers, social security numbers, your automobile’s make or model, your street address, etc.
Cold: Again, don’t use it alone, but in a sentence it is just fine.
  • Don’t answer yes when prompted to save your password to a particular computer. Instead, rely on a strong password committed to memory or stored in a dependable password management program
Hot: This is great advice.
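To put numbers behind the length-versus-composition argument in the first two tips, here is an added example (written for this page, not code from the original post or from ESET) that estimates the brute-force search space for the post’s own sample passwords and passphrases. The character classes, the constructed mini wordlist and the 7776-entry wordlist size used for the word-level estimate are assumptions.

```python
"""Estimate the exhaustive-search work a password forces on an attacker,
to check the claim that length counts for more than character mix."""
import math
import string

# Character classes an attacker must include in the search alphabet.
CHAR_CLASSES = {
    "lower": set(string.ascii_lowercase),   # 26
    "upper": set(string.ascii_uppercase),   # 26
    "digit": set(string.digits),            # 10
    "symbol": set(string.punctuation + " "),  # 33
}

# Constructed mini wordlist standing in for a real cracking dictionary (assumption).
COMMON_WORDS = {"password", "welcome", "dragon", "monkey", "letmein", "rover", "john"}


def alphabet_size(password: str) -> int:
    """Size of the union of every character class present in the password."""
    return sum(len(cls) for cls in CHAR_CLASSES.values()
               if any(ch in cls for ch in password))


def keyspace_bits(password: str) -> float:
    """log2 of the candidates a per-character brute force must try: alphabet ** length.

    Upper bound only: it assumes each position was chosen uniformly at random.
    Natural-language phrases are more predictable than this figure suggests."""
    size = alphabet_size(password)
    return len(password) * math.log2(size) if size else 0.0


def phrase_bits(passphrase: str, wordlist_size: int = 7776) -> float:
    """Word-level estimate: each word is one pick from a wordlist (7776 is the
    diceware list size, an assumption). Closer to the truth for passphrases such as
    "Rover bit John's hand" than the per-character bound is."""
    return len(passphrase.split()) * math.log2(wordlist_size)


def is_single_dictionary_word(password: str) -> bool:
    """The post's "HOT HOT HOT" case: one word that a wordlist attack finds at once."""
    return password.strip().lower() in COMMON_WORDS


def stronger(a: str, b: str) -> str:
    """Return whichever password needs more work under the per-character model."""
    return a if keyspace_bits(a) >= keyspace_bits(b) else b


if __name__ == "__main__":
    samples = [
        "a" * 20,                          # 20 lowercase letters
        "Ab1!Cd2@Ef",                      # 10 characters, all four classes
        "password",                        # solitary word
        "On January 3 I landed on earth",  # passphrase from the post
    ]
    for s in samples:
        print(f"{s!r:34} len={len(s):2} alphabet={alphabet_size(s):2} "
              f"char_bits={keyspace_bits(s):6.1f} word_bits={phrase_bits(s):5.1f} "
              f"dictionary_word={is_single_dictionary_word(s)}")
```

Twenty lowercase letters come out at about 94 bits against roughly 66 bits for ten characters drawn from all four classes, which is the comparison the first tip makes.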
 
Randy Abrams
Director of Technical Education

Watch Out for “Michael Jackson” Hoaxes


Thursday, June 25th, 2009

The news broke a short time ago that pop star Michael Jackson died of a heart attack. It is all too predictable that the bad guys will use this news event to spam out fake videos or links to alleged pictures in order to trick users into installing their malicious software.

If you receive an email about Michael Jackson simply delete it unless you know the sender and you verify (call, email or chat) that the sender actually did send it to you.

If you receive an IM about Michael Jackson and it has a link, ignore the link. Don’t click on it.

If you want to find real news about Michael Jackson then go to a real news site.

Don’t fall for the hoaxes in email, Instant Messenger (chat), tweets on Twitter, or other social networking sites.

Randy Abrams
Director of Technical Education

Sex and the e-City


Wednesday, June 24th, 2009

It’s often claimed that men think about sex every seven seconds. Sorry, where was I? Oh yes… I’m not sure where that pseudo-statistic comes from: apparently not from the Kinsey report as is often claimed, and a more recent poll, while reflecting perhaps more liberated views about sexuality than could be admitted to in the 1950s, actually suggests that 43% of men think about It several times a day, compared to the 54% cited by Kinsey. Perhaps we spend less time thinking about it nowadays because we have more opportunities to experience it.

Well, there are lots of exciting statistics to drool over at the two links above, but this is supposed to be a family blog. (Actually, it isn’t, but it’s not supposed to be salacious either!) What do dubious statistics about romping in the hay (too bad I have hay fever…) have to do with security?

An article in Computer Weekly started me thinking in this direction (in between thoughts about The Other – sorry, about other things). Apparently, nearly a third of professional workers have sent explicit emails, or dumped partners by email, according to a Proofpoint survey to which I haven’t seen a direct link. (I’m afraid the article doesn’t mention if the survey breaks those figures down by gender, if that interests you. :-) Furthermore, nearer 40% of respondents have apparently applied for jobs elsewhere from their work PCs.

Not everyone considers this sort of occasional misuse of company facilities to be a big security issue, of course. What is a major issue, though, is the average computer user’s apparent inability to distinguish between their work and private life. Well, I guess it’s one way to restore some semblance of normality to a workaholic’s work/life balance. But there are a whole load of security issues around it.

Businesses are increasingly paranoid about all sorts of online activity, not just social networking such as Facebook and Twitter, but older forms of file sharing and messaging. Not just because of the security risks associated with malware, social engineering, data leakage and so on, but because of less obvious risks such as potential damage to the company’s reputation, all manner of legal and compliance issues, duty of care to employees, and so on. No wonder employers like the city of Bozeman are tempted to overstep acceptable boundaries in an attempt to monitor or even regulate their employees’ web activity. Bozeman’s officials apparently wanted to ride roughshod over their employees’ constitutional rights, but they do seem to have more of a grasp of the security problems associated with social networking than most employees do.

I’m relieved, however, to learn that the story about the memory span of a goldfish being just a few seconds is also a myth. It saves me wasting any more of my life wondering whether they have time to think about sex.

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence

The Faces of Cybercrime


Tuesday, June 23rd, 2009

I was recently reminded of the truism that security is about managing risk. You cannot eliminate all risk. When we think of cyber criminals we tend to think of phishers, criminal gangs writing malware to steal passwords, and eBay scammers. So we try to deal with “reputable” companies to eliminate the risk of theft and fraud, but as you will see, this does not always work out.

Cybercrime is simply crime committed using computers and/or the internet. There are a variety of variations on this definition, but I think this one works just fine.

Dealing with a reputable company can minimize your risk of fraud or theft, but it does not eliminate it. Before I get to my specific example, it may be useful to explain “Bait and switch”.

Bait and switch is essentially when a company offers a product at one price, but then fails to honor the offer. They may fail to honor the offer by offering an inferior product or by raising the price.

I recently booked a round trip flight from Frankfurt, Germany to Amsterdam, Holland on KLM airlines using the Northwest Airlines web site. Northwest Airlines sent an email confirming my purchase of the flight for the price of $313.63. The next thing Northwest airlines, who incidentally are the same as Delta Airlines now, did was to silently cancel my ticket. Northwest knew that I would be stranded in Frankfurt with my only real option being to pay KLM, who is also Air France, more than twice as much money to make my appointment in Holland.

This appears to be a particularly nefarious bait and switch scam in that the airlines know the customer can’t easily back out of the deal. One might say that it was an accident, but logically if it was an accident then Northwest Airlines would have accepted responsibility for the increased fare and refunded the difference since they were exclusively at fault for not notifying a passenger when they cancel a ticket. I contacted Northwest and their response was that they were sorry, but they would accept no responsibility for their actions. I would guess they have a pretty lucrative kickback scheme with Air France and that the money will be pretty hard to trace.

You can dramatically reduce risk by dealing with well known companies, but you can’t eliminate it. In this case, Northwest Airlines used the internet, which is how I booked my tickets, to perpetrate what appears to be a classic bait and switch scam.

I’ll figure out who the appropriate law enforcement agencies are and see what they think about it. Meanwhile, I’ve filed a complaint with the Better Business Bureau.

Randy Abrams
Director of Technical Education
ESET LLC

Microsoft Beta Than ESET?


Tuesday, June 23rd, 2009

I really didn’t think that Microsoft’s beta AV product would necessitate three blogs: it is, after all, just a beta release. However, I was surprised just now to read an article by Mark Mayne of SC Magazine that claims the product is “going head-to-head with a range of AV vendors, from Symantec and McAfee through to AVG and Eset [sic]”, and suggesting that “the market incumbents will be watching this beta with interest, if not concern.”

I’m not surprised at the content of the suggestion: after all, I just touched on it in my previous blog. I’m a little more surprised that it was aired by SC, which actually has roots in the antivirus industry (though you wouldn’t think so to read it now) and usually has a more balanced view of what we now prefer to call the anti-malware industry. So let me tell you (again) why I think those statements are misleading.

Microsoft is already going head-to-head against the rest of the industry in the enterprise market, with a product range that includes anti-malware and much else, but is very definitely not free.

What we’re expecting to see today is a beta test version of a limited product that will eventually be a production version of a free but limited product. That’s not a market that most of us are in. AVG (among others) do have a free (but limited) product: we don’t, though we do have a free online scanner here, as do other vendors. Why do vendors do this? Well, hopefully, some users of free products and services will find that they actually need a full commercial solution and think about upgrading. But it’s also a practical and (at least in part) altruistic issue: it’s better to give something free to people who wouldn’t use a commercial product and reduce their exposure (and everyone else’s) to malware.

However, it seems bizarre to me to suggest a head-to-head between competing free products. Where we’re really in competition is in the product ranges that actually keep us in business, and that’s a much more diverse and complex market sector than Mark is implying.

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence

Microsoft AV Revisited


Tuesday, June 23rd, 2009

Alex makes a couple of interesting points in his comment on Randy’s blog yesterday about Microsoft’s "Security Essentials" antivirus (as does Randy, of course, but there’s no surprise there.) Alex is suggesting, I think, that Security Essentials isn’t so much a freebie as a value-add to something you’ve already paid for (i.e. Windows).

That’s pretty interesting, because it puts us right back to 1993, when Microsoft bundled an anti-virus program, bought in from Central Point, with MS-DOS version 6, and the 2006 Virus Bulletin paper quoted in Randy’s blog makes a similar point. And many others worth revisiting: if you haven’t read the paper, I’d suggest you check it out now. In some ways it’s even more relevant than it was then.

But I’m going to introduce a more personal note. In 1993 I was working for a medical research organization in the UK, and was tasked with evaluating reliance on the MSAV as a defensive strategy for the organization. If I’d been aware at that time of a review by Yisrael Radai, it would have saved me some time, but I didn’t come across it until later. Still, I came to somewhat similar conclusions, and we bought in a commercial product. No, not ESET’s: I wasn’t aware of the company at that time.

I’ve said publicly since that this was probably one of the most useful jobs I ever did for the organization: MSAV was, from the user’s point of view, a disaster. Declining support and development and a consequent and dramatic fall-off in detection rates seriously disadvantaged DOS and Windows users who believed they were using a product with functionality equivalent to full-strength commercial anti-virus. (The same happened with Mac users and free AV when macro viruses hit a year or two later). 

But are we looking at a similar scenario now? Not exactly. Microsoft has not left the security arena, and bought in some significant anti-malware talent a few years ago, and some of that expertise is likely to trickle down to this product. It’s likely, therefore, to benefit the same sector that currently benefits from a number of free but limited products that don’t have full multi-layered anti-malware functionality, but do cover a subset of threats quite adequately.

This isn’t full-strength anti-malware (and is unlikely to be when it leaves the beta testing stage) any more than the Windows firewall is a full-strength firewall system, which means that it isn’t going to render the anti-malware industry redundant.

Ah, you might say, surely it’s going to hit your sales? Let me lapse into another personal anecdote. In the past few years I’ve done a lot of writing for Syngress and Elsevier. When the "AVIEN Malware Defense Guide" came out, more pirated PDFs were distributed in a week than legitimate copies were sold in months. Not a very nice feeling for those of us who put in a lot of work on putting the thing together, but not a big deal either, because the people who grabbed a pirated version would probably never have bought the thing.

Similarly, there are a lot of people who don’t see why they should buy antivirus software. (Not much of an incentive to those of us who try to scrape a living out of the industry – God bless you ma’am for putting a 5-penny piece in my hat – but why they think that way is another discussion entirely.) Not to mention those who’ve never even thought that security software might be a good idea.

If Microsoft’s free product is actually used by some of these people, that’s not only good for them, but for the rest of us who have to struggle with an avalanche of malware-related issues on a daily basis. That is, as long as Microsoft have learned that you can’t give people a free anti-malware product and then drop support for it and be considered a responsible and credible player in the security market.

David Harley BA CISSP FBCS CITP
Director of Malware Research

Microsoft Security Essentials?


Monday, June 22nd, 2009

Microsoft is releasing a beta of their new antivirus product. Previously Microsoft announced that they would discontinue OneCare.

The choice of the name “Security Essentials” is amusing. I’m not in the camp of those who think that you can’t have “Microsoft” and “security” in the same sentence, but just the same, Microsoft does say “If you already have antivirus software installed you probably don’t need this service.” That doesn’t sound much like an essential to me!

The other amusing aspect is that the name is “Microsoft Security Essentials” which is plural. Anti-virus is only one aspect of security.

All jokes about the name aside, Microsoft hopes that their free solution will get people who currently do not use antivirus software to install the Microsoft offering. Given the numerous choices for free antivirus software out there, I do not see how this will be effective, but more power to Microsoft for trying.

I addressed the potential impact of Microsoft entering the antivirus industry at the Virus Bulletin conference back in 2006. Back then I predicted that this would have little impact on the market and it has had little impact, except for pricing. OneCare introduced a 3 PC pricing model that some other vendors have followed. OneCare was almost free and I don’t see a free offering changing the landscape much.

I am reminded of an ad I once saw for Shoei motorcycle helmets. The ad said “If you have a $10 head wear a $10 helmet.”

At ESET we are confident that an abundance of consumers will continue to choose a quality product based upon the track record, performance, effectiveness, and support, rather than simply choosing what is free.

The word “Microsoft” makes this a news story, not much else does though.

Randy Abrams
Director of Technical Education

Go Phishing with the city of Bozeman, Montana


Monday, June 22nd, 2009

The City of Bozeman, Montana effectively joined the ranks of phishers when they asked job candidates for their usernames and passwords for social networking sites that the applicant belongs to.

In a report at , after considerable outcry the city rescinded its mindless policy.

To begin with, the city was asking applicants to breach their terms of service with the social networking sites that require passwords and account access to be kept confidential. The city went further in promoting exceptionally poor security practices. You don’t ask people for their usernames and passwords.

The city simply rescinding the policy falls a million miles short of doing the right thing. If the city is going to act responsibly they will immediately inform the social networking sites which users’ accounts were compromised by the city collecting the usernames and passwords, and the social networking sites will immediately force a password reset. Additionally the city should proactively inform all applicants whose passwords were collected that they should change their passwords as their accounts are at risk from insiders. It is not unheard of for employees of governments and private organizations to abuse data.

With the massive amounts of data being lost and the low level of security expertise demonstrated by the city in even collecting this information, all applicants who provided passwords to the city must assume that the city will lose their data and criminals will have their usernames and passwords.

Upon notifying the social networking sites and affected applicants, the city needs to purge the data from their systems and their backups. It is an unacceptable and completely ignorant security risk for the city to have collected the data in the first place, and then to keep the data.

Evidently, some in the government of the city of Bozeman think that civic duty is the import tax paid on a Honda automobile.

Randy Abrams
Director of Technical Education
ESET LLC