The ‘hard’ Trojan
An article in ‘Businessweek’ (October 13, 2008) got my attention. The main article was entitled ‘Dangerous Fakes’ and covered how counterfeit, defective computer components are getting into US warplanes and ships, and the impact of this.
Within the article, there was an example of how counterfeit routers were sold to the US Marine Corps and Air Force. The US-based distributors of the counterfeit routers have subsequently been indicted. Following on from this, the FBI provided a briefing in which they outlined how counterfeit routers ‘could’ allow foreign agents to disrupt secure networks and ‘weaken cryptographic systems’. Now, from what I could discern, there was no proof that these routers had been used to compromise any networks, but the point is made and understood.
For the moment, in the world of malware, Trojans are proving to be a popular and effective delivery method for the bad guys. It is interesting to see, in this example, the possibility of hardware being used as the receptacle for the delivery of an exploit or attack. The hardware is the ‘Trojan’ and the threat lurks within. Given that, increasingly, all manner of electronic devices now have some form of storage, processing power and the ability to ‘network’ themselves, at a conceptual level we can see the potential security issues. Now, actual examples of real-life exploits are few and far between, to my knowledge. That being said, the Businessweek article moves the story on one more notch.
Once again, what it does show is that the search for branded goods at ‘bargain’ prices does come at some cost. Notably, security. As with everything, the lesson has to be: check into the provenance of what you are buying.
And the winner is….?
I came across a survey in PC Advisor that got me thinking. They asked their users ‘what’s the most important aspect of their security product’s arsenal?’. The resounding winner was the ‘firewall’, with 45% of respondents voting for it, followed by ‘signature-based AV’ with 19% and ‘behavioural analysis’ with 16%. So, there you have it: the firewall is still ‘top dog’ when it comes to security in the eyes of the readers of PC Advisor.
There was a side of me that was pleased that the readers felt comfortable and able to discern the elements of a modern-day security product. Well, we have been talking about ‘strength in depth’ for a long time now and people would seem to recognise and understand this. But then again, one could generalise that the readers of PC Advisor are the more technically engaged and interested, and hence could determine the different aspects of a security product’s arsenal. The reality is that most people probably would not know the respective merits of one element of a security product from another. Nor should they, I suppose; they expect us security companies to take care of all this stuff for them.
In that regard security software has gone the way of the automotive industry. Gone are the days when you could lift the ‘bonnet’ of a car and marvel at the sight of the carburettor, the overhead gasket and the timing belt. Back then, we were encouraged to take an interest; it was a talking point in driveways across the land as menfolk (trying not to be sexist here) would congregate to view and discuss the relative merits of one car engine versus another. Have we fallen out of love with the car? No, we have simply moved on.
Now, with security software, times are moving on, and fast. Many of the more obvious elements of the software are being supplanted and changed. We are trying to keep security software ‘out of the faces of users’ as much as we can. We are trying to do much of the job in the background and away from the user. It will be interesting to see what aspects of a security product PC Advisor readers will rate in two to three years’ time.
Norton 2009: Standing on the shoulders of giants
This week has seen the launch of Norton AntiVirus and Norton Internet Security 2009. I have had the great pleasure of helping in the formal press launch of these exciting new products in Madrid, Spain. How good are they? Well, what would you expect me to say! But let me offer you this one vignette.
I have been in IT for nearly 20 years now, and throughout that time I have had the opportunity to help and participate in the launch of many new products. Invariably, this involved a ‘live’ demo of the product. As soon as the marketing folk mention this, you see the product people starting to wince and recoil. Excuses are proffered as to why this might not be necessary (read: advisable). The IT press have had the pleasure of experiencing a veritable treasure trove of failed ‘live demos’. It is the stuff of legend in our industry.
We are making some very big claims with Norton 2009. We have a game-changing product and it challenges many of the preconceptions and realities about security software. So, I decided to proactively tell the PR and marketing folk that we needed to ‘walk the talk’. It was game on for the full live demo in front of some one hundred IT journalists from across Europe.
So, I did a full live demo of an install of the product in one minute. Norton Pulse updates streamed onto the machine every few minutes. The press saw Norton Insight, our new real-time whitelisting technology, determine that it need only scan 7% of the files running on the system. They were able to see for themselves the minimal impact that NIS 2009 was having on CPU cycles and memory, and our new idle-time scheduler purring away in the background.
So, I left the stage with a spring in my step. NIS 2009 had simply done what it was built to do and what we are telling people it will do. But in doing so, it made a positive impact on those in the room. I left the stage safe in the knowledge that Norton 2009 would not be joining the ‘hall of shame’ of live demos.
NAV and NIS 2009 are superb products. Many people have come up to me in the past days to tell me how impressed they are. I stand there and take the plaudits. But my thanks and admiration are for the team, who worked long and hard, with passion, innovation and tenacity, to bring NAV and NIS 2009 to market. Give yourself a treat: go and download a trial of them.
Norton Labs
I want to introduce you to Norton Labs. This is a new venture for us. Norton Labs will preview some experimental projects that Symantec engineers are currently working on. It will provide a unique and useful insight into some of the things we are thinking about. It comes with the usual riders: the software is still in development, and there may also be times when we decide not to take a piece of software forward into a product. That being said, I hope and expect that there will always be something useful and interesting for you. We launch with two interesting bits of software for you to ‘road test’.
The ‘User Account Control tool’ has been designed to replace the Vista UAC, to simultaneously make your system more secure while significantly improving user-friendliness. The ‘Norton Safe Web’ tool makes it easier for you to differentiate safe sites from malicious ones by providing ratings within everyday search results from top search sites like Google, Yahoo! and Live Search. Additionally, due to the nature of security threats on the Web, Norton Safe Web will also warn you before you visit a site that contains malicious content.
A new browser enters the fray: Google Chrome
Word of a new open-source-based browser leaked from Google yesterday. It will be officially introduced today. Google, by their own admission, hit the ‘send button’ a bit too early and details of Chrome appeared yesterday. Creatively, they outline the ideas behind, and techniques used in, Chrome using the metaphor of a comic book.
When Firefox 3 launched in June, I wrote that it was good to see competition in the browser space as it would spur innovation and choice. Well, with Google now getting into this space it is going to get plenty interesting. The timing is of note. Microsoft are continuing to push the beta development of IE8. Now, with the arrival of Chrome, it will be interesting to see what this does for the development and launch of IE8.
Now, to use a baseball metaphor, not every ‘ball’ that Google ‘swipes at’ do they hit out of the ‘ground’. OpenSocial and Android, whilst met with a lot of excitement and interest, are still very much just making their way.
Cuil? Cool? Kool?
So, we now have a new search engine called ‘Cuil’, pronounced ‘Cool’. Well, a catchy name never tripped up a good product, but an obscure spelling could. That being said, the arrival of Cuil was welcomed in most parts. The company goes on to explain why it is different from what is out there already: “The search engine goes beyond today’s search techniques of link analysis and traffic ranking to analyse the context of each page and the concepts behind each query”. So, there you have it: a kind of deeper, more relevant search.
So what did Google make of it? They seemed quite ‘cool’ about it; however, in a blog entry they did outline that they still felt they had the biggest web index out there. Now, the people behind Cuil do have a good pedigree in this area, being ex-Google and IBM people. So, they know what it takes to build a successful search engine. The arrival of Cuil brings with it many questions, the most prosaic of which being how they will make money (there is no advertising for the moment). They will be on a steep learning curve, and the story today of an embarrassing snafu is testament to this. As to how they will handle the security side of operating a search engine, we will also have to wait and see what they come up with.
Farewell Neosploit?
The past couple of years have seen a dramatic rise in the sheer number of pieces of malware out there on the internet and, hence, in associated attacks. One of the contributory factors to the dramatic volume increase in attacks has been the arrival of ‘do-it-yourself’ infection kits. One of the most infamous of these is Neosploit, but there are many others such as Mpack, IcePack, Cyber Bot, Zunker, etc.
Neosploit allowed a budding ‘hacker’ to launch their own exploits and amass a sizeable botnet. There were regular updates and even a user forum. However, the other day a posting appeared on a Russian web site announcing that the authors of Neosploit were going to retire the product. The translation in effect announced:
“Unfortunately, supporting our product is no longer possible. We apologize for any inconvenience, but business is business since the amount of time spent on this project does not justify itself.
We tried hard to satisfy our clients’ needs during the last few months, but the support had to end at some point. We were 1.5 years with you and hope that this was a good time for your business.”
So, it seems that the authors of Neosploit just couldn’t make it work in a commercial sense. That got me thinking: why? Is it because coming up with new exploits is becoming more difficult for them, and hence more costly? I do not see any particular evidence of this. There are other toolkits out there and many new exploits are being developed on an ongoing basis.
Could it be that they are being ‘boxed in’ by better security? Well, to be fair on this one, we are finding many more exploits, so this may not be the case. Is it that the market dynamics of the ‘underground economy’ ultimately played against them? Well, like every efficient market, there have been new entrants and competitors to Neosploit who could compete with them on product and price. Therein may well be the answer.
So, farewell Neosploit, but there are other exploit toolkits out there and no doubt new ones will make it onto the ‘market’.
Testing times!
I read, with some interest, that Trend have decided to withdraw from the Virus Bulletin 100 (VB-100) anti-virus test; here is the article. I also then had my attention drawn to the fact that Trend had failed the latest VB-100 tests: their performance on VB-100 has been somewhat ‘mixed’ of late. VB-100 tests aim to assess how security products fare in detecting a set of viruses in the WildList, an up-to-date list of malware samples known to be in circulation. It numbers circa 700 viruses. Trend stated that the test had become outdated and no longer reflected the fast-changing threats that security products need to counter day to day.
Now, Trend’s announcement further highlights the understood requirement within the security industry for new testing methodologies. We need approaches that will better reflect the complex and dynamic nature of the threats that anti-malware products are trying to counter. Notably, the Anti-Malware Testing Standards Organization (AMTSO) has been created to address this.
Whilst we can all debate the relative merits of the current tests, Virus Bulletin themselves did comment that their test is not the only way to test anti-malware products, but that products should be able to detect items in circulation. Furthermore, VB-100 is a measure of product competence and ongoing reliability.
So, we all have to live in an ‘imperfect’ world of testing and hope for better days ahead. I am hopeful that the AMTSO initiative will deliver. But I think it is much better to stay the course rather than decide to wander off.
UAC: the hero of silent security?
There has been a lot of comment since Microsoft stated at RSA that it set out to make User Account Control (UAC) ‘annoying’. There seems to be general consensus that they achieved their goal.
UAC is an interesting approach. At the very heart of it, it uses the metaphor of asking a user to make a decision to allow an application to run. On the face of it, you would think there is nothing wrong in that: or would you? We have seen a veritable avalanche of attacks that are all predicated on getting a user to ‘click’ on something. So, people view UAC as irritating and not effective given today’s threat landscape.
Users I talk to, on the whole, tell me one of two things in relation to how they want to interact with security programs: “can you keep that security stuff out of my face” and/or “you are the expert – you solve it for me”. Now, if you line up UAC against these criteria you can see how it scores well in the ‘annoy’ category.
If I were to take a slightly contrary view, what UAC has helped bring focus to is the latent desire from users for smarter and more silent security products. In going after this request from users (and as Symantec, this is very much the philosophy and direction we are following with the Norton products), we can also help the ongoing battle to reduce the attack surface. So, perversely, the current and new generation of smart, silent security products have much to thank UAC for.