Computer Security - And another one just for fun!

#1

Anti-Virus Software
Copyright (c) Lohkee 2003
All rights reserved

According to industry experts, there are more than sixty thousand viruses lurking in the shadows waiting to victimize you, and each passing month adds several more to the list. Reveling in the mathematics of exponential propagation and dire predictions for those foolish enough to ignore this potentially devastating threat, some have even gone so far as to compare these irritating little programs with the biological virus responsible for AIDS! Not too surprisingly, many of these same experts just happen to be in the business of selling anti-virus software or related services! It is a given that computer viruses can destroy hardware, software, or massive amounts of information in the blink of an eye. Computer viruses have also repeatedly demonstrated their ability to span the globe within minutes, often causing thousands of servers to crash in the process. During these attacks, the news media rarely misses an opportunity to inform us that our electronic world is teetering on the brink of destruction. What they generally neglect to mention is that the success of these programs was not due to any particular genius on the part of their creators, but rather to an amazing lack of concern for security within a great many organizations. The simple truth is that most, if not all, computer viruses are designed to take advantage of well known and easily patched vulnerabilities or require their targets to be "wide open" in order to survive and multiply. A virus is like any other computer program. It must have access to those resources that it depends on to run. Perhaps the most insidious threat posed by computer viruses, particularly those designed to spread via email, is that of confidential information being indiscriminately scattered to the wind during the program's replication process. Melissa, for example, spread like wildfire and was responsible for the mass-disclosure of thousands, if not millions, of extremely sensitive documents.
My personal collection of unsolicited email courtesy of this virus included, among other things, rental applications, employee evaluations, letters of reprimand, miscellaneous financial information, a pretty dismal prognosis for a woman with breast cancer, an incredibly hot love letter (complete with nude photos), legal correspondence, and a rather long-winded but very detailed network security assessment. It is truly amazing how many people are willing to connect systems containing sensitive information to an unsecured public network via wide-open protocols using operating systems that are widely known to be substandard with regard to security. Probably the most remarkable aspect of the Melissa fiasco was the deafening silence within the legal profession in the days that followed (one can only assume they were far too busy cleaning up their own systems to notice what should have been a veritable gold mine). Whatever the reason, many organizations managed to escape accountability for their cavalier approach to security and safeguarding confidential information, and yours may have even been one of them. Unfortunately, this does not change the undeniable fact that the wrong file, sent to the wrong person, could very easily lead to embarrassment, loss of confidence in the organization, and a significant financial liability. The question is, how many times are you willing to spin the cylinder and then pull the trigger? The professional security community is generally more than happy to point out that it only takes one virus to create serious problems for an organization and strongly recommends the use of anti-virus software to protect against this threat. Some even recommend using multiple anti-virus products. That it only takes one virus to cause problems is certainly a true statement; however, it is also one that happens to argue strongly (albeit briefly) against the use of these products.
History has shown time and time again that anti-virus software can only offer reliable protection against known viruses (assuming that you actually take the time to update it whenever a new virus is discovered). Did your favorite brand of anti-virus software stop Melissa, Code Red, Nimda, Anna Kournikova, or the Love Bug from infecting your systems; or did you download virus signature updates after the fact only to discover that you had a real mess on your hands? The problem here, and it is a big one, is that people who create and unleash viruses, worms, and other types of nasty software seldom take the time to notify the anti-virus vendor establishment beforehand. Even after a virus has been unleashed it is unlikely that your anti-virus vendor will find out about it until it has gained some momentum, which means two things: you are a sitting duck until they do, and the chances of your anti-virus software ever being able to detect a well-written program designed to strike a single target are about zero! As you read this it is entirely possible someone has already installed a "back door" into your system that your anti-virus software will never know about. When it comes right down to it, the use of anti-virus software is analogous to going into a gunfight wearing a blindfold and then letting your opponent take the first shot. That anyone would actually embrace, let alone actively promote as an "industry standard best practice", such an inherently self-destructive paradigm is simply beyond belief. Adding insult to injury, embracing this suicidal paradigm represents an indefinite commitment on your part to download and roll out updated signature files on an almost daily basis. The outrageous initial cost of a site-license for this software notwithstanding, how long do you think it is going to be before someone in marketing gets the bright idea to initiate a subscription charge for these updates?
Depending on how such a fee is structured and the size of your organization, this could easily turn out to be a considerable additional expense over the lifetime of whatever product you have chosen. Think about this for a minute. Not only do you get to go into a gunfight wearing a blindfold and let your opponent take the first shot; you also get to pay a small fortune for the privilege of doing so. And this is a good idea how? I am not suggesting that you ignore the menace posed by computer viruses. On the contrary, these programs pose an extremely serious threat to society and the individual; one which has been grossly underestimated by the government and those within the professional security community. To date, most viruses have been relatively benign. Seldom do they make any meaningful attempt to hide as they propagate or cause real damage to the target and, in this sense, the digital world has been very fortunate. It has yet to experience the effective use of a virus as a weapon. It is only a matter of time before this changes. The Naval War College, along with numerous experts from various industries, conducted a three-day "war game" to explore the effects of "cyber-terrorism" against energy grids, telecommunications systems, and financial institutions. Collectively, they came to the conclusion that an attacker would need about 200 million dollars, extensive intelligence, and years of preparation to significantly disrupt the country's critical infrastructures. I disagree. The Internet makes it possible for anyone to disseminate information to millions of people in the blink of an eye, anonymously. Unfortunately, bad information does not go away for a very long time (just look at the number of tired old hoaxes that manage to get resurrected year after year after year). In a society trained to forsake critical thinking and rely on thirty-second sound bites to make important split-second decisions, the possibilities for mischief are endless.
More importantly, an attacker does not need 200 million dollars to commence hostilities. The price of a cappuccino at any Internet café will suffice. Sufficient intelligence to launch an attack is easily obtained while you enjoy your beverage via any of the popular search engines. Go to www.sec.gov and rummage through the documents found on their website. Collectively, these files provide an extensive correspondence course on document preparation and government lingo complete with a treasure trove of names, telephone numbers, and email addresses (their website, by the way, offers a very nice graphic of that agency's official seal). A quick search of the Usenet archives will reveal to whom people at the SEC are talking and what they are talking about. If virus writers can consistently dupe people into clicking on e-mail attachments from unknown sources with grammatically incorrect, nonsensical subject lines, how hard do you think it would be to trick someone into doing this if they were to receive an e-mail message from somebody they "know" or who is trying to help them with a problem? I suppose it could take years for some techno-peasant to orchestrate a viable attack, but it is also true that almost any computer literate kid with a little programming skill could easily cobble together some fairly sophisticated code designed to attack a specific target within a week or two; the anti-virus industry depends on this for its very survival. Simply stated, the resources needed to launch a successful attack against society are minimal and easily obtained by anyone with Internet access. Many businesses, such as the airline industry, operate on tight margins. It does not take much to send them into a financial tailspin, and when they suffer, a lot of other industries suffer right along with them. Stock markets are extremely sensitive to mood swings.
Even the most naive investor knows what happens to the stock of a company that comes under investigation by the Securities and Exchange Commission. One negative press release can send a company's stock plummeting within a matter of minutes. On the other hand, a stock can soar to dizzying heights based on nothing more than the mere illusion of some pending breakthrough in the treatment for cancer. Why bother to attack Wall Street's computers (which is illegal) when it is so much easier to manipulate its investors? If you think this is far-fetched or could not happen easily, think again; it already has. In one case, a young man by the name of Jonathan Lebed, aged 15, successfully influenced the stock market and made over $800,000 by simply posting poorly penned "expert" opinions of various stocks to the Internet. More importantly, he is not serving time; he is spending money. The social and political arena is perhaps even more volatile. A single inappropriate email or unintentional slip of the tongue has effectively destroyed more than one otherwise promising career. The key to launching a successful attack is creativity (this is where the Naval War College, in my opinion, missed the boat entirely). Attacking hardware is not that difficult a task. Most modern BIOS chips use flash memory thus enabling users to download and install updates across the Internet. It would not be too difficult for a competent assembly language programmer to create a virus that erased BIOS chips as it moved from system to system. Such an attack could leave millions of computers in a completely unusable state for a considerable period of time and would undoubtedly have catastrophic consequences for many of those affected. The overall economic impact caused by an attack of this type could be staggering. Preventing this type of an attack, however, is as easy as setting the BIOS write-protect switch on the system's motherboard. 
The question is why would an attacker want to mess around with attacking hardware when manipulating people is so much easier? Destroying people's faith in the systems and institutions that affect their daily lives can be far more devastating than simply blowing up some building. Writing a program that will monitor a workstation, generate an email message when a specific user logs on, and then self-destruct without leaving a trace immediately afterward is child's play. Such a program would not even need any special "permissions" or system-level access to run. More importantly, any subsequent investigation would be hard pressed to show that the sender was, in fact, a victim. Getting the email addresses for leaders within the business, government or political communities is also a fairly trivial task. Consider the consequences of an email from one politician to another expressing racist views two or three days before an election. How about a memo (complete with official seal) from the chairman of the SEC ordering an investigation into serious criminal conduct by the executives of a major corporation? There is also the possibility of a few emails sent between employees of a major airline expressing concern about the safety of their aircraft and a subsequent cover-up by management - something about wrongful death suits being cheaper than fixing the problem. How would it affect society if these things were happening at the rate of about one a week over a sustained period of time? What effect would it have on the economy? The only real problem, from the attacker's point of view, is getting the program to run on the targeted system. The only thing standing in his way, for the most part, is anti-virus software. Software that has proven itself over and over again to be completely ineffective when dealing with anything that it does not already "know" about. There are many ways to prevent an anonymous outsider from running malicious code on your systems.
Anti-virus software is not one of them.

Lohkee!

#2

On Sun, 24 Aug 2003 06:54:29 GMT, "Lohkee" <> wrote:

>Anti-Virus Software
>Copyright (c) Lohkee 2003
>All rights reserved

<snip>

It is indeed time to question whether we still need to continuously run software that will detect a virus on the boot sector of our 5 1/4 disks.

IMHO removing all executable attachments at the mail server gives more protection than AV software that the users have not updated for six months.

It also consumes no user machine resources.

--
Jim Watt http://www.gibnet.com
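
The gateway filter Jim Watt recommends, as an added example that is not code from the thread or from any mail product: it parses a message with Python's standard-library `email` package and drops every part whose filename ends in an executable extension or whose declared MIME type is a Windows executable type. The extension and MIME deny-lists and the sample message are constructed for the demonstration and are assumptions, not any server's real policy.

```python
"""Strip executable attachments at the mail gateway (added example)."""
from __future__ import annotations

from email import message_from_string, policy
from email.message import EmailMessage

# Assumed deny-list: extensions Windows runs directly on double-click.
EXECUTABLE_EXTENSIONS = (
    ".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js", ".wsf", ".hta",
)
# Assumed deny-list: MIME types that carry Windows executables whatever the name.
EXECUTABLE_MIME_TYPES = {"application/x-msdownload", "application/x-dosexec"}


def is_executable_attachment(part: EmailMessage) -> bool:
    """True if a MIME part is an attachment the gateway should strip."""
    name = (part.get_filename() or "").lower()  # Windows ignores case: INVOICE.EXE
    # endswith also catches the double-extension lure ("report.pdf.exe").
    if name.endswith(EXECUTABLE_EXTENSIONS):
        return True
    return part.get_content_type() in EXECUTABLE_MIME_TYPES


def _strip_in_place(msg: EmailMessage, stripped: list[str]) -> None:
    """Recursively drop executable parts from a multipart tree, recording names."""
    if not msg.is_multipart():
        return
    kept = []
    for part in msg.iter_parts():
        if is_executable_attachment(part):
            stripped.append(part.get_filename() or part.get_content_type())
            continue
        _strip_in_place(part, stripped)  # attachments can sit in nested multiparts
        kept.append(part)
    msg.set_payload(kept)


def strip_executable_attachments(raw_message: str) -> tuple[str, list[str]]:
    """Parse a raw RFC 5322 message; return (filtered message, stripped names)."""
    msg = message_from_string(raw_message, policy=policy.default)
    stripped: list[str] = []
    _strip_in_place(msg, stripped)
    return msg.as_string(), stripped


def build_sample_message() -> str:
    """Constructed test message: text body, a harmless PDF, and two executables."""
    msg = EmailMessage()
    msg["From"] = "alice@example.test"
    msg["To"] = "bob@example.test"
    msg["Subject"] = "Quarterly report"
    msg.set_content("Report attached, please review.")
    msg.add_attachment(b"%PDF-1.4 stub", maintype="application",
                       subtype="pdf", filename="report.pdf")
    # Double extension with an upper-case suffix, the classic lure.
    msg.add_attachment(b"MZ stub", maintype="application",
                       subtype="octet-stream", filename="Report.PDF.EXE")
    # Innocent-looking name, but the declared MIME type gives it away.
    msg.add_attachment(b"MZ stub", maintype="application",
                       subtype="x-msdownload", filename="notes.dat")
    return msg.as_string()


if __name__ == "__main__":
    filtered, removed = strip_executable_attachments(build_sample_message())
    print("stripped:", removed)
    print(filtered)
```

Matching on the filename alone is not enough, which is why the check also looks at the declared content type; a real gateway would go one step further and sniff the first bytes of the payload, since neither the name nor the MIME label is under the recipient's control.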

#3

In article <>, says...

> Greetings:
>
> Actually the trick is to prevent unauthorized access to the hard disk. If
> the attacking/compromised process cannot get to the disk it cannot infect it
> with a worm or Trojan horse or worse still destroy or steal information.

I think that you need to keep it out of MEMORY and from accessing the hard disk. There are ways to execute code in memory without hitting the hard drive in browsers if the person has the right plug-ins. If you really want to protect internet users from all of these things, find some way to force ISPs to provide NAT routers and anti-virus applications when they install people's service.

--
(Remove 999 to reply to me)

#4

On Sun, 24 Aug 2003 06:54:29 GMT, "Lohkee" <> wrote:

>Anti-Virus Software
>Copyright (c) Lohkee 2003
>All rights reserved
>
>
>According to industry experts, there are more than sixty thousand viruses
>lurking in the shadows waiting to victimize you, and each passing month adds
>several more to the list.

Excellent post. I can't add any technical argument to this, but, suffice it to say that this kind of post is why I read USENET. Very thought-provoking. Maybe I'll have one or two now ...

Regards,
Akkrid.

--
A woman drove me to drink, and I didn't even have the decency to thank her.

#5

On Sun, 24 Aug 2003 08:08:00 -0700, "elsid" <> wrote in <>:

>This requires a rethinking of computer security as a whole and moving away
>from the "you can't get in my system" paradigm, which is akin to protecting
>the country's borders, to 'this data (file, directory, file system, device)
>can only be accessed in this manner'.

We have known about the problem for over 30 years (see the Anderson panel report from 1972, and other computer security research of that period). The problem now is the same as it was then: people are not prepared to pay in advance for a system that is resistant to attack.

--
Owen Rees - opinions expressed here are mine; for a full disclaimer visit <http://homepages.tesco.net/~owen.rees/index.html#disclaimer>
for e-mail use "owen.rees at tesco.net" instead of the From address

#6

In MsgID<> inside of uk.comp.security, 'elsid' wrote:

>Similarly your registry is protected because it would also be covered by a
>rule that states that it may only be opened for read.

I think there are many applications that would not be happy about that rule.

>
>Another example would be the "Credit card data file may only be opened by
>the credit card program." thus no other program ( ftp, notepad, etc...) can
>open the file to steal or corrupt it. In addition since the credit card
>program is the only one that can access the data then the data will only
>ever be accessed in the manner defined by the people who wrote the credit
>card program.

To protect specific data files, surely the way to go is to put them on a different server, only accessible via an application on that server in response to specific messages? The server app is then in complete control of what can and cannot be done to the file. It can also maintain backups that mean the data can revert to its pre-attack state easily enough. Intelligent IDS-style analysis of all transactions could also be implemented inside the server, with an auto shutdown on detection of anything too unusual.

--
Dave Johnson -

#7

Greetings:
Actually the trick is to prevent unauthorized access to the hard disk. If the attacking/compromised process cannot get to the disk it cannot infect it with a worm or Trojan horse or, worse still, destroy or steal information.

This requires a rethinking of computer security as a whole and moving away from the "you can't get in my system" paradigm, which is akin to protecting the country's borders, to 'this data (file, directory, file system, device) can only be accessed in this manner'. This is done by defining absolute rules of behavior for the resources on your disk and implementing them at the system level so they cannot be circumvented.

For example a rule such as "Executable programs can only be opened for reading." prevents any executable program from being written to the disk. So the email attachment cannot infect the disk with a worm or Trojan because that means opening an executable for writing. The attachment cannot even write a non-executable file and rename it as an executable, because executables cannot be used in the rename system call because there is no rule to cover it. Similarly your registry is protected because it would also be covered by a rule that states that it may only be opened for read.

Another example would be the "Credit card data file may only be opened by the credit card program." thus no other program (ftp, notepad, etc...) can open the file to steal or corrupt it. In addition since the credit card program is the only one that can access the data then the data will only ever be accessed in the manner defined by the people who wrote the credit card program.

Regards
Robert
http://www.crbn.com
Blue Steel Technology, Inc.

Jim Watt <> wrote in message news:...
> On Sun, 24 Aug 2003 06:54:29 GMT, "Lohkee" <>
> wrote:
>
> >Anti-Virus Software
> >Copyright (c) Lohkee 2003
> >All rights reserved
>
> <snip>
>
> It is indeed time to question whether we still need to continuously
> run software that will detect a virus on the boot sector of our 5 1/4
> disks.
>
> IMHO removing all executable attachments at the mail server gives
> more protection than AV software that the users have not updated
> for six months.
>
> It also consumes no user machine resources.
> --
> Jim Watt http://www.gibnet.com
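
The rule model Robert describes, as an added example that is not code from the thread or from Blue Steel Technology: a small default-deny reference monitor that answers "may program P perform operation O on resource R?" from a fixed rule table. It encodes the three rules from the post (executables read-only, registry read-only, the card file reachable only by the card program) and shows why the "write a text file, then rename it" trick fails: a rename must be covered for both the old and the new name. Rule syntax, operation names, program names and paths are assumptions made for the demonstration; the scenario list is constructed.

```python
"""Default-deny resource-rule check (added example, not the thread's code)."""
from __future__ import annotations

from dataclasses import dataclass
from fnmatch import fnmatch
from typing import List, Optional, Sequence


@dataclass(frozen=True)
class Rule:
    resource: str        # glob over resource names (paths, registry keys)
    operation: str       # "open_read", "open_write", "exec" or "rename"
    program: str = "*"   # glob over the requesting program; "*" means any


# Assumed policy. Anything not listed is denied: note there is no "open_write"
# and no "rename" rule for executables, and the card file names one program.
RULES = [
    Rule("*.exe", "open_read"),
    Rule("*.exe", "exec"),
    Rule("registry/*", "open_read"),
    Rule("*.txt", "open_read"),
    Rule("*.txt", "open_write"),
    Rule("*.txt", "rename"),
    Rule("data/creditcards.db", "open_read", program="ccard.exe"),
    Rule("data/creditcards.db", "open_write", program="ccard.exe"),
]


def _covered(program: str, operation: str, resource: str) -> bool:
    """True if some rule explicitly permits this program/operation/resource."""
    return any(
        rule.operation == operation
        and fnmatch(resource, rule.resource)
        and fnmatch(program, rule.program)
        for rule in RULES
    )


def is_allowed(program: str, operation: str, resource: str,
               target: Optional[str] = None) -> bool:
    """Default deny. For rename, both the old and the new name need a rule,
    so turning worm.txt into worm.exe fails on the destination name."""
    names = [resource] if target is None else [resource, target]
    return all(_covered(program, operation, name) for name in names)


def evaluate(requests: Sequence[tuple]) -> List[str]:
    """Decide a batch of (program, operation, resource[, target]) requests and
    return an audit log; the DENY lines are what monitoring would alert on."""
    log = []
    for req in requests:
        verdict = "ALLOW" if is_allowed(*req) else "DENY"
        log.append(f"{verdict} {req[0]} {req[1]} {' -> '.join(req[2:])}")
    return log


# Constructed scenario: what code running under the mail client could and
# could not do to the disk under the rules above.
SCENARIO = [
    ("outlook.exe", "open_read", "attach/invoice.txt"),
    ("outlook.exe", "open_write", "attach/worm.exe"),                 # write an executable
    ("outlook.exe", "open_write", "attach/worm.txt"),                 # plain file is fine
    ("outlook.exe", "rename", "attach/worm.txt", "attach/worm.exe"),  # rename trick
    ("outlook.exe", "open_write", "registry/HKLM/Run"),               # registry is read-only
    ("notepad.exe", "open_read", "data/creditcards.db"),              # wrong program
    ("ccard.exe", "open_write", "data/creditcards.db"),
]

if __name__ == "__main__":
    for line in evaluate(SCENARIO):
        print(line)
```

This only shows the decision logic. The property Robert leans on, that the rules are "implemented at the system level so they cannot be circumvented", depends on where the check is hooked (in the kernel's open and rename paths, with no bypass), which a user-space script cannot provide; the glob matching is also deliberately simple and does not handle hard links, alternate names or case-insensitive file systems.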

#8

On Sun, 24 Aug 2003 14:20:56 +0100, Dave J <> wrote:

>Alternatively, a removal of all faulty wetware units that will
>indiscriminately run an executable that has been delivered with no
>prior notice via email.
>
>"Hi My name's Joe Nobrain, send me anything you like and I'll run it
>for you"

Yup. As I've pointed out elsewhere, most normal people grow out of the habit of putting everything in their mouth to see what it tastes like well before they get to school age.

Chris C

#9

On Sun, 24 Aug 2003 14:20:56 +0100, Dave J <> wrote:

>In MsgID<> inside of
>uk.comp.security, 'Jim Watt' wrote:
>
>>On Sun, 24 Aug 2003 06:54:29 GMT, "Lohkee" <>
>>wrote:
>>
>>>Anti-Virus Software
>>>Copyright (c) Lohkee 2003
>>>All rights reserved
>>
>><snip>
>>
>>It is indeed time to question whether we still need to continuously
>>run software that will detect a virus on the boot sector of our 5 1/4
>>disks.
>>
>>IMHO removing all executable attachments at the mail server gives
>>more protection than AV software that the users have not updated
>>for six months.
>
>Alternatively, a removal of all faulty wetware units that will
>indiscriminately run an executable that has been delivered with no
>prior notice via email.
>
>"Hi My name's Joe Nobrain, send me anything you like and I'll run it
>for you"

Killing users, or sending them to Siberia, is not generally an option; plus these days they may receive what looks like a valid document to open, from a co-worker, about something they know about. I got one like that recently but because the attachment was filtered the temptation to click on it was not there. As the maxim says, absence of body is better than presence of mind.

--
Jim Watt http://www.gibnet.com

#10

"Lohkee" <> wrote in news:FiZ1b.111489$:

> According to industry experts, there are more than sixty thousand viruses
> lurking in the shadows waiting to victimize you,

And they are so easily kept out with just a few well thought out strategies:

1. Keep your OS patched.
2. Use a properly configured firewall.
3. Keep a close eye on what you open and download.
4. Either chuck Internet Explorer completely, or run it on its highest security settings. My preference is the former, since IE on its highest settings is almost useless. Other browsers are not nearly as vulnerable as IE is.
5. Use a good, up to date AV program.
6. Keep up to date on what's going on.