And another one just for fun!

Discussion in 'Computer Security' started by Lohkee, Aug 24, 2003.

  1. Lohkee

    Lohkee Guest

    Anti-Virus Software
    Copyright (c) Lohkee 2003
    All rights reserved


    According to industry experts, there are more than sixty thousand viruses
    lurking in the shadows waiting to victimize you, and each passing month adds
    several more to the list. Reveling in the mathematics of exponential
    propagation and dire predictions for those foolish enough to ignore this
    potentially devastating threat, some have even gone so far as to compare
    these irritating little programs with the biological virus responsible for
    AIDS! Not too surprisingly, many of these same experts just happen to be in
    the business of selling anti-virus software or related services!



    It is a given that computer viruses can destroy hardware, software, or
    massive amounts of information in the blink of an eye. Computer viruses have
    also repeatedly demonstrated their ability to span the globe within minutes
    often causing thousands of servers to crash in the process. During these
    attacks, the news media rarely misses an opportunity to inform us that our
    electronic world is teetering on the brink of destruction. What they
    generally neglect to mention is that the success of these programs was not
    due to any particular genius on the part of their creators; rather an
    amazing lack of concern for security within a great many organizations. The
    simple truth is that most, if not all, computer viruses are designed to take
    advantage of well known and easily patched vulnerabilities or require their
    targets to be "wide open" in order to survive and multiply. A virus is like
    any other computer program. It must have access to those resources that it
    depends on to run.



    Perhaps the most insidious threat posed by computer viruses, particularly
    those designed to spread via email, is that of confidential information
    being indiscriminately scattered to the wind during the program's
    replication process. Melissa, for example, spread like wildfire and was
    responsible for the mass-disclosure of thousands, if not millions, of
    extremely sensitive documents. My personal collection of unsolicited email
    courtesy of this virus included, among other things, rental applications,
    employee evaluations, letters of reprimand, miscellaneous financial
    information, a pretty dismal prognosis for a woman with breast cancer, an
    incredibly hot love letter (complete with nude photos), legal
    corresp0ndence, and a rather long-winded but very detailed network security
    assessment. It is truly amazing how many people are willing to connect
    systems containing sensitive information to an unsecured public network via
    wide-open protocols using operating systems that are widely known to be
    substandard with regard to security. Probably the most remarkable aspect of
    the Melissa fiasco was the deafening silence within the legal profession in
    the days that followed (one can only assume they were far too busy cleaning
    up their own systems to notice what should have been a veritable gold mine).
    Whatever the reason, many organizations managed to escape accountability for
    their cavalier approach to security and safeguarding confidential
    information and yours may have even been one of them. Unfortunately, this
    does not change the undeniable fact that the wrong file, sent to the wrong
    person, could very easily lead to embarrassment, loss of confidence in the
    organization, and a significant financial liability. The question is, how
    many times are you willing to spin the cylinder and then pull the trigger?



    The professional security community is generally more than happy to point
    out that it only takes one virus to create serious problems for an
    organization and strongly recommends the use of anti-virus software to
    protect against this threat. Some even recommend using multiple anti-virus
    products. That it only takes one virus to cause problems is certainly a true
    statement; however, it also one that happens to argue strongly (albeit
    briefly) against the use of these products. History has shown time and time
    gain that anti-virus software can only offer reliable protection against
    known viruses (assuming that you actually take the time to update it
    whenever a new virus is discovered). Did your favorite brand of anti-virus
    software stop Melissa, Code Red, Nimda, Anna Kornikova, or the Love Bug from
    infecting your systems; or did you download virus signature updates after
    the fact only to discover that you had a real mess on your hands? The
    problem here, and it is a big one, is that people who create and unleash
    viruses, worms, and other types of nasty software, seldom take the time to
    notify the anti-virus vendor establishment beforehand. Even after a virus
    has been unleashed it is unlikely that your anti-virus vendor will find out
    about it until it has gained some momentum which means two things: You are a
    sitting duck until they do and; the chances of your anti-virus software ever
    being able to detect a well-written program designed to strike a single
    target are about zero! As you read this it is entirely possible someone has
    already installed a "back door" into your system that your anti-virus
    software will never know about. When it comes right down to it, the use of
    anti-virus software is analogous to going into a gunfight wearing a
    blindfold and then letting your opponent take the first shot. That anyone
    would actually embrace, let alone actively promote as an "industry standard
    best practice" such an inherently self-destructive paradigm, is simply
    beyond belief.



    Adding insult to injury, embracing this suicidal paradigm represents an
    indefinite commitment on your part to download and rollout updated signature
    files on an almost daily basis. The outrageous initial cost of a
    site-license for this software notwithstanding, how long do you think it is
    going to be before someone in marketing gets the bright idea to initiate a
    subscription charge for these updates? Depending on how such a fee is
    structured and the size of your organization this could easily turn out to
    be a considerable additional expense over the lifetime of whatever product
    you have chosen. Think about this for a minute. Not only do you get to go
    into a gunfight wearing a blindfold and let your opponent take the first
    shot; you also get to pay a small fortune for the privilege of doing so. And
    this is a good idea how?



    I am not suggesting that you ignore the menace posed by computer viruses. On
    the contrary, these programs pose an extremely serious threat to society and
    the individual; one which has been grossly underestimated by the government
    and those within the professional security community. To date, most viruses
    have been relatively benign. Seldom do they make any meaningful attempt to
    hide as they propagate or cause real damage to the target and, in this
    sense, the digital word has been very fortunate. It has yet to experience
    the effective use of a virus as a weapon. It is only a matter of time before
    this changes. The Naval War College, along with numerous experts from
    various industries, conducted a three-day "war game" to explore the effects
    of "cyber-terrorism" against energy grids, telecommunications systems, and
    financial institutions. Collectively, they came to the conclusion that an
    attacker would need about 200 million dollars, extensive intelligence, and
    years of preparation to significantly disrupt the country's critical
    infrastructures. I disagree.



    The Internet makes it possible for anyone to disseminate information to
    millions of people in the blink of an eye anonymously. Unfortunately, bad
    information does not go away for a very long time (just look at the number
    of tired old hoaxes that manage to get resurrected year after year after
    year). In a society trained to forsake critical thinking and rely on
    thirty-second sound bites to make important split-second decisions, the
    possibilities for mischief are endless. More importantly, an attacker does
    not need 200 million dollars to commence hostilities. The price of a
    cappuccino at any Internet café will suffice. Sufficient intelligence to
    launch an attack is easy obtained while you enjoy your beverage via any of
    the popular search engines. Go to www.sec.gov and rummage through the
    documents found on their website. Collectively, these files provide an
    extensive correspondence course on document preparation and government lingo
    complete with a treasure trove of names, telephone numbers, and email
    addresses (their website, by the way, offers a very nice graphic of that
    agency's official seal). A quick search of the Usenet archives will reveal
    to whom people at the SEC are talking to and what they are talking about. If
    virus writers can consistently dupe people into clicking on e-mail
    attachments from unknown sources with grammatically incorrect nonsensical
    subject lines, how hard do you think it would be to trick someone into doing
    this if they were to receive an e-mail message from somebody they "know" or
    who is trying to help them with a problem? I suppose it could takes years
    some techno-peasant to orchestrate a viable attack, but it is also true that
    almost any computer literate kid with a little programming skill could
    easily cobble together some fairly sophisticated code designed to attack a
    specific target within a week or two; the anti-virus industry depends on
    this for its very survival. Simply stated, the resources needed to launch a
    successful attack against society are minimal and easily obtained by anyone
    with Internet access.



    Many businesses, such as the airline industry, operate on tight margins. It
    does not take much to send them into a financial tailspin, and when they
    suffer, a lot of other industries suffer right along with them. Stock
    markets are extremely sensitive to mood swings. Even the most naive investor
    knows what happens to the stock of a company that comes under investigation
    by the Securities and Exchange Commission. One negative press release can
    send a company's stock plummeting within a matter of minutes. On the other
    hand, a stock can soar to dizzying heights based on nothing more than the
    mere illusion of some pending breakthrough in the treatment for cancer. Why
    bother to attack Wall Street's computers (which is illegal) when it is so
    much easier to manipulate its investors? If you think this is far-fetched or
    could not happen easily, think again; it already has. In one case, a young
    man by the name of Jonathan Lebed, aged 15, successfully influenced the
    stock market and made over $800,000 by simply posting poorly penned "expert"
    opinions of various stocks to the Internet. More importantly, he is not
    serving time; he is spending money. The social and political arena is
    perhaps even more volatile. A single inappropriate email or unintentional
    slip of the tongue has effectively destroyed more than one otherwise
    promising career.



    The key to launching a successful attack is creativity (this is where the
    Naval War College, in my opinion, missed the boat entirely). Attacking
    hardware is not that difficult a task. Most modern BIOS chips use flash
    memory thus enabling users to download and install updates across the
    Internet. It would not be too difficult for a competent assembly language
    programmer to create a virus that erased BIOS chips as it moved from system
    to system. Such an attack could leave millions of computers in a completely
    unusable state for a considerable period of time and would undoubtedly have
    catastrophic consequences for many of those affected. The overall economic
    impact caused by an attack of this type could be staggering.

    Preventing this type of an attack, however, is as easy as setting the BIOS
    write-protect switch on the system's motherboard. The question is why would
    an attacker want to mess around with attacking hardware when manipulating
    people is so much easier? Destroying people's faith in the systems and
    institutions that affect their daily lives can be far more devastating than
    simply blowing up some building.



    Writing a program that will monitor a workstation, generate an email message
    when a specific user logs on, and then self-destruct without leaving a trace
    immediately afterward is child's play. Such a program would not even need
    any special "permissions" or system-level access to run. More importantly,
    any subsequent investigation would be hard pressed to show that the sender
    was, in fact, a victim. Getting the email addresses for leaders within the
    business, government or political communities is also a fairly trivial task.
    Consider the consequences of an email from one politician to another
    expressing racist views two or three days before an election. How about a
    memo (complete with official seal) from the chairman of the SEC ordering an
    investigation into serious criminal conduct by the executives of a major
    corporation? There is also the possibility of a few emails sent between
    employees of a major airline expressing concern about the safety of their
    aircraft and a subsequent cover-up my management - something about wrongful
    death suites being cheaper than fixing the problem. How would it effect
    society if these things were happening at the rate of about one a week over
    a sustained period of time? What effect would it have on the economy? The
    only real problem, from the attacker's point of view, is getting the program
    to run on the targeted system. The only thing standing in his way, for the
    most part, is anti-virus software. Software that has proven itself over and
    over again to be completely ineffective when dealing with anything that it
    does not already "know" about. There are many ways to prevent an anonymous
    outsider from running malicious code on your systems. Anti-virus software is
    not one of them.

    Lohkee!
     
    Lohkee, Aug 24, 2003
    #1
    1. Advertisements

  2. Lohkee

    Jim Watt Guest

    <snip>

    It is indeed time to question whether we still need to continuously
    run software that will detect a virus on the boot sector of our 5 1/4
    disks.

    IMHO removing all executable attachments at the mail server gives
    more protection than AV software that the users have not updated
    for six months.

    It also consumes no user machine resources.
     
    Jim Watt, Aug 24, 2003
    #2
    1. Advertisements

  3. Lohkee

    Leythos Guest

    I think that you need to keep it out of MEMORY and from accessing the
    hard disk. There are ways to execute code in memory without hitting the
    hard drive in browsers if the person has the right plug-ins.

    If you really want to protect internet users from all of these things,
    find some way to force ISP's to provide NAT Routers and Anvi-Virus
    applications when they install peoples service.
     
    Leythos, Aug 24, 2003
    #3
  4. Lohkee

    Akkrid Guest

    Excellent post. I can't add any technical argument to this, but, suffice it
    to say that this kind of post is why I read USENET.

    Very thought-provoking. Maybe I'll have one or two now ... :)

    Regards,

    Akkrid.
     
    Akkrid, Aug 24, 2003
    #4
  5. Lohkee

    Owen Rees Guest

    We have known about the problem for over 30 years (see the Andersom
    panel report from 1972, and other computer security research of that
    period).

    The problem now is the same as it was then, people are not prepared to
    pay in advance for a system that is resistant to attack.
     
    Owen Rees, Aug 24, 2003
    #5
  6. Lohkee

    Dave J Guest

    I think there are many applications that would not be happy about that
    rule.
    To protect specific data files, surely the way to go is to put them on
    a different server, only accessible via an application on that server
    in response to specific messages?

    The server app is then in complete control of what can and cannot be
    done to the file. It can also maintain backups that mean the data can
    revert to it's pre attack state easily enough. Intelligent IDS style
    analysis of all transactions could also be implemented iside the
    server, with an auto shutdown on detection of anything too unusual.
     
    Dave J, Aug 24, 2003
    #6
  7. Lohkee

    elsid Guest

    Greetings:

    Actually the trick is to prevent unauthorized access to the hard disk. If
    the attacking/compromised process cannot get to the disk it cannot infect it
    with a worm or Trojan horse or worse still destroy or steal information.

    This requires a re thinking of computer security as a whole and moving away
    from the "you can't get in my system" paradigm, which is akin to protecting
    the countries borders, to 'this data (file,directory,file system, device)
    can only be accessed in this manner'.

    This is done by defining absolute rules of behavior for the resources on
    your disk and implementing them at the system level so they cannot be
    circomvented.

    For example a rule such as "Executable programs can only be opened for
    reading." prevents any executable program from being written to the disk.
    So the email attachment cannot infect the disk with a worm or Trojan because
    that means opening an executable for writing. The attachment cannot even
    write a non executable file and rename as an executable it because
    executables cannot be used in the rename system call because there is no
    rule to cover it.

    Similarly your registry is protected because it would also be covered by a
    rule that states that it may only be opened for read.

    Another example would be the "Credit card data file may only be opened by
    the credit card program." thus no other program ( ftp, notepad, etc...) can
    open the file to steal or corrupt it. In addition since the credit card
    program is the only one that can access the data then the data will only
    ever be accessed in the manner defined by the people who wrote the credit
    card program.

    Regards
    Robert

    http://www.crbn.com
    Blue Steel Technology, Inc.
     
    elsid, Aug 24, 2003
    #7
  8. Yup. As I've pointed out elsewhere, most normal people grow out of the
    habit of putting everything in their mouth to see what it tastes like
    well before they get to school age.

    Chris C
     
    Chris Croughton, Aug 24, 2003
    #8
  9. Lohkee

    Jim Watt Guest

    Killing users, or sending them to Siberia is not generally an
    option, plus these days they may receive what looks like a
    valid document to open, from a co-worker, about something
    they know about.

    I got one like that recently but because the attachment was
    filtered the temptation to click on it was not there.

    As the maxim says absence of body is better than presence
    of mind.
     
    Jim Watt, Aug 24, 2003
    #9
  10. Lohkee

    donut Guest


    And they are so easily kept out with just a few well thought out
    strategies:

    1. Keep your OS patched.
    2. Use a properly configured firewall.
    3. Keep a close eye on what you open and download.
    4. Either chuck Internet Explorer completely, or run it on it's highest
    security settings. My preference is the former, since IE on it's highest
    settings is almost useless. Other browsers are not nearly as vulnerable as
    IE is.
    5. Use a good, up to date AV program.
    6. Keep up to date on what's going on.
     
    donut, Aug 24, 2003
    #10
  11. Lohkee

    Jim Watt Guest

    What is disturbing is the number of sites which do not render properly
    unless you use IE. I have a word for people who make IE6 and
    flash mandatory, sadly sometimes I need to see their websites.
     
    Jim Watt, Aug 24, 2003
    #11
  12. They have Sturgeon's Law on their side. That's no more disturbing
    than it usually is...?
    Hmmm, well, I suppose we could debate that "need". I "need" a million
    credits, but do I realistically expect to get?

    all the best

    --
    Weil es zugeklappt ist.
     
    Alan J. Flavell, Aug 24, 2003
    #12
  13. Lohkee

    donut Guest

    How is a properly configured firewall incapable of stopping a well written
    virus? How does it get inside to begin with? There are always people
    claiming this, but I have yet to see it demonstrated.
    Why? If the firewall keeps it out, the only way it can get in is if the
    user allows it in somehow.

    Let me tell you something, shithead. I've been an active member of this
    newsgroup for well over a year. Just where the hell did YOU come from?
    Another self proclaimed loudmouthed security expert who has his head jammed
    so far up his ass that he can't see the light of day.

    Don't call people trolls unless you know what the hell you are talking
    about, moron.
     
    donut, Aug 25, 2003
    #13
  14. Lohkee

    donut Guest


    I haven't found a site yet that doesn't render properly using Mozilla
    Firdbird, and Flash works just fine with it. There are alternatives.
     
    donut, Aug 25, 2003
    #14
  15. And you would probably want to restrict which parts of the registry
    tree the application is allowed to access.
     
    Graham Murray, Aug 25, 2003
    #15
  16. Lohkee

    Dave J Guest

    Sorry, the element of my picture that I didn't mention was that the
    communication to the server should be via a non std filesharing route.
    The only communication between the two machines should be via the
    server application. No application no communication. At all.
    Personally, if the data wasn't two massive I'd consider a
    Hmm, my suggestion was like an absolute rule, but with subsequent
    filtering of all accesses that _pass_ the absolute rule. Only a
    thought anyhow, just wondered why it's not commonly done that way.
     
    Dave J, Aug 25, 2003
    #16
  17. Lohkee

    Lohkee Guest

    Ever heard of a floppy diskette, CD ROM, Thumb Drive, or a keyboard? Ever
    heard of email attachments? How about embedding code in the comments section
    of a web-page? For that matter, consider any of the "major" viruses over the
    past five years.

    History has shown that users are very good at doing just that, or do you not
    follow (as you suggested earlier) what is going on in the world (Melissa,
    Love Bug, etc, etc, etc).


    My obligation to trolls (and idiots) has now been met.

    Lohkee!
     
    Lohkee, Aug 25, 2003
    #17
  18. Lohkee

    Jim Watt Guest

    try http://www.taylorbros.co.uk
     
    Jim Watt, Aug 25, 2003
    #18
  19. Why do you find it so hard to tell them you bought the product -in
    spite of- their web page and not -because of- it? Only by making this
    clear do customers stand any chance of making progress.
    Hang on a minute! You thought that their web pages were sufficiently
    relevant to the issue to be mentioned here. So don't brush it off so
    lightly. What you posted here tells us (AFAICS) that you thought the
    web pages were a substantive issue relating to purchase of the
    product, and was only offset because positive aspects of the product
    itself managed to compensate for negative aspects of their web pages.

    But that might not work for every would-be customer - they'd leave, on
    the basis of the web pages, before getting anywhere near whatever
    technical excellence the product might have. I've done it often
    enough when I had my procurement hat on - why shouldn't others?

    If you leave the company to fantasize that their web pages were of
    positive relevance to your choice of their product, then neither they
    nor other potential customers stand to gain anything from the
    encounter.

    --
    Weil es zugeklappt ist.
     
    Alan J. Flavell, Aug 25, 2003
    #19
  20. Lohkee

    donut Guest

    I sent them an email. Obviously, whoever designed the page knows nothing
    about HTML.
     
    donut, Aug 26, 2003
    #20
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.