Monthly Archives: January 2007

Why Anti-Virus Profiling is Inadequate

There are two techniques that AV products use to try to spot viruses. I have dealt extensively with one of these—the use of signatures—in articles I’ve posted as part of the AVID (Anti-Virus Is Dead) campaign. Signatures are like fingerprints and can be used to spot known malware.

You can be slightly cleverer with signatures than just taking a signature of a whole executable: you can also keep signatures of code fragments (just part of the executable) that tend to be repeated by virus writers. This is a sensible idea because virus writers share libraries of code that they use to build new viruses. Taking signatures in this way makes their life a little harder. Unfortunately the signature-only approach still suffers from the fact that it is really unlikely to stop a new virus.
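
To make the difference between the two kinds of signature concrete, here is an added illustration (it is not code from the original post, and it does not model any real AV product). The "executables" are constructed byte strings; SHARED_ROUTINE stands in for a library routine reused across several viruses. A whole-file hash only matches the exact sample the vendor analysed, a fragment signature also catches a re-wrapped variant that reuses the routine, and a sample that shares nothing with the database is missed by both.

```python
import hashlib

# Constructed stand-ins for executables: short byte strings rather than real
# binaries. SHARED_ROUTINE plays the part of the library code the article says
# virus writers reuse from one virus to the next.
SHARED_ROUTINE = b"\x55\x8b\xec\x83\xec\x10" + b"shared-library-routine" + b"\x5d\xc3"
OTHER_ROUTINE = b"\x55\x8b\xec" + b"unrelated-routine" + b"\xc9\xc3"

KNOWN_SAMPLE = b"HEADER-A" + SHARED_ROUTINE + b"TRAILER-A"     # the sample the vendor has seen
VARIANT_SAMPLE = b"HEADER-B" + SHARED_ROUTINE + b"TRAILER-Z"   # same routine, different wrapper
NEW_SAMPLE = b"HEADER-C" + OTHER_ROUTINE + b"TRAILER-C"        # shares nothing with the known sample
CLEAN_SAMPLE = b"HEADER-D" + b"ordinary application code" + b"TRAILER-D"


def whole_file_signature(data: bytes) -> str:
    """Fingerprint of the entire executable: any changed byte gives a new value."""
    return hashlib.sha256(data).hexdigest()


# Signature database built from the one sample the vendor has analysed.
WHOLE_FILE_SIGNATURES = {whole_file_signature(KNOWN_SAMPLE): "KnownVirus.A"}
# Fragment signatures are byte patterns searched for anywhere in the file.
FRAGMENT_SIGNATURES = {SHARED_ROUTINE: "shared routine from KnownVirus.A"}


def scan(data: bytes) -> tuple:
    """Return (verdict, detail): the cheap whole-file lookup first, then a
    pattern search for each fragment signature."""
    name = WHOLE_FILE_SIGNATURES.get(whole_file_signature(data))
    if name is not None:
        return ("detected", f"whole-file signature: {name}")
    for pattern, name in FRAGMENT_SIGNATURES.items():
        if pattern in data:
            return ("detected", f"fragment signature: {name}")
    return ("clean", "no signature matched")


if __name__ == "__main__":
    for label, sample in [("known", KNOWN_SAMPLE), ("variant", VARIANT_SAMPLE),
                          ("new", NEW_SAMPLE), ("clean", CLEAN_SAMPLE)]:
        print(f"{label:8} -> {scan(sample)}")
```

The point of the third sample is the article's own: a fragment database is only as good as the code it has already seen, so a virus built from routines the vendor has never analysed produces no match at all.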

So most AV companies add routines that try to spot virus behaviour. Behaviour spotting techniques are sometimes referred to as heuristic techniques, although if we were to be pedantic we might object to the word “heuristic”. In Computer Science the term “heuristic” usually means the use of automated iterative approximation-based feedback, aimed at getting increasingly close to a target. AV behaviour spotting techniques may get updated to include new behaviours but that is manual rather than automatic.

So what is wrong with spotting viruses by profiling? Let’s consider a mathematical theorem (are you kidding? yes, I’m sorry, it’s all dreadfully academic isn’t it). I quote from Wikipedia: “Leonard Adleman (the A in RSA) presented a rigorous proof that, in the general case, algorithmically determining whether a virus is or is not present is Turing undecidable”. This means that you cannot know for sure whether an executable is a virus by its behaviour. (This is also a proof that current AV technology can never work perfectly.)

What it means in practice is that with heuristics you risk getting too many false positives, because what viruses do, other software also does (like storing files, accessing the network, and even logging the stream of characters from the keyboard). You are also beset with the difficulty that the virus has to run for you to spot its behaviour. (You cannot know its behaviour from looking at its code, because the code can be disguised.)

Now, if you combine heuristics with whitelisting and greylisting you have something valuable. If an executable is new, you run it in a sandbox (i.e. put it on the grey-list) and stop any virus behaviours (like accessing any other computer or saving or updating any executables), then you have something workable. (Which is what the products from SecureWave, AppSense, Bit9 and Savant Protection do.)
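
The following is an added sketch of the whitelist/grey-list policy described in the two paragraphs above; it is not code from the original post and is not a model of SecureWave, AppSense, Bit9 or Savant Protection. Executables are constructed byte strings classified by hash into three tiers, and every program replays the same constructed behaviour trace, which is the false-positive problem in miniature: the events alone cannot tell an approved application from an unknown one, so the decision has to come from the tier, with only the two behaviours the article names (contacting another computer, writing an executable) blocked for grey-listed code.

```python
import hashlib
from dataclasses import dataclass

# Trust tiers: known-good, unknown, known-bad.
WHITE, GREY, BLACK = "whitelist", "greylist", "blacklist"


def fingerprint(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed executables and lists (byte strings stand in for binaries).
APPROVED_APP = b"approved corporate application"
UNKNOWN_APP = b"freshly downloaded, never seen before"
KNOWN_BAD_APP = b"known virus sample"

WHITELIST = {fingerprint(APPROVED_APP)}
BLACKLIST = {fingerprint(KNOWN_BAD_APP)}


def classify(data: bytes) -> str:
    """Anything not explicitly trusted or blocked lands on the grey-list."""
    h = fingerprint(data)
    if h in BLACKLIST:
        return BLACK
    if h in WHITELIST:
        return WHITE
    return GREY


@dataclass(frozen=True)
class Event:
    kind: str      # "file_read", "file_write", "net_connect", "key_read"
    target: str


EXECUTABLE_SUFFIXES = (".exe", ".dll", ".sys", ".scr")


def is_virus_like(event: Event) -> bool:
    """The two behaviours the article says the sandbox should stop:
    talking to another computer and creating or changing executables."""
    if event.kind == "net_connect":
        return True
    if event.kind == "file_write" and event.target.lower().endswith(EXECUTABLE_SUFFIXES):
        return True
    return False


def decide(tier: str, event: Event) -> str:
    if tier == BLACK:
        return "blocked"      # never allowed to run at all
    if tier == WHITE:
        return "allowed"      # trusted code keeps its full function
    return "blocked" if is_virus_like(event) else "allowed"


def run_under_policy(data: bytes, trace):
    """Return the tier and the per-event decision for a recorded behaviour trace."""
    tier = classify(data)
    return tier, [(e.kind, e.target, decide(tier, e)) for e in trace]


# Constructed trace, identical for every program: legitimate software and
# viruses do the same kinds of things, which is why behaviour alone misfires.
TRACE = [
    Event("file_read", r"C:\Users\alice\report.docx"),
    Event("file_write", r"C:\Users\alice\report.docx"),
    Event("file_write", r"C:\Windows\System32\helper.dll"),
    Event("net_connect", "203.0.113.7:443"),
]

if __name__ == "__main__":
    for label, app in [("approved", APPROVED_APP), ("unknown", UNKNOWN_APP),
                       ("known bad", KNOWN_BAD_APP)]:
        tier, decisions = run_under_policy(app, TRACE)
        print(f"{label} ({tier})")
        for kind, target, verdict in decisions:
            print(f"   {verdict:8} {kind:12} {target}")
```

The grey-listed program still gets to read and write the user's document, so it is not simply refused; it only loses the two capabilities a virus needs to spread. Whether a given unknown program belongs on the white-list is a decision this code deliberately leaves to a human or an update, which is the "manual rather than automatic" point the article makes about behaviour rules.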

Odd though it may seem, the real problem with heuristics and with signatures is exactly the same—the virus writer can buy the software and test his viruses against the products to see if they get through. The virus writer can also test his work against the whitelisting products. For over two years now, SecureWave has run a computer on the Internet with all its ports open, offering a challenge to any hacker to try and break in—with a virus or with anything else. It has never been hacked. Here’s the URL if you want to try to break it.

Posted in Campaigns

What are the IT Security Issues with SOA?

Service Oriented Architecture (SOA) has captured the imagination of both businessmen and IT Departments. A combination of advances in software technology and standardization, that goes by the name of SOA, is making it possible to build business applications by assembling parts of other applications. The development process is fast and thus if an organization chooses to build the right business applications, the benefits come quickly.

As its name suggests, this approach to software building is indeed an architecture and implementing SOA foundations is neither a trivial nor simple matter. Nevertheless the IT industry is now thoroughly committed to this approach and we can expect most organizations to adopt it in time. It is important, therefore, to have an understanding of what it will mean.

This is particularly the case as regards IT security. SOA presents a more complex scenario than what went before. Previously companies built or bought applications and secure access to applications was simply a matter of linking valid users to the applications; providing local access rights, authentication and authorization. SOA is about threading multiple applications together, but only using the functionality you need. To achieve this, SOA “abstracts” the business functionality of specific applications allowing them to be “discovered” and used by other applications.

Unfortunately, this presents an IT security problem. In most organizations some of the business applications involved in any SOA-based application will have different identity mechanisms and security policies. Users will most likely have different privileges for different applications, and thus they will need to be authenticated for each of the applications that are used by the SOA application.

The problem is exacerbated by the way that SOA works. Linking between applications occurs through an abstraction layer that does not provide access to local user identity validation in the applications that are accessed – unless the application itself provides such access, which is unlikely to be the case.

To consider a simple example, a SOA application might access an order entry capability within the order entry system, but the order entry system is unlikely to know whether the connecting application is authorized and has no means of directly checking it.

The underlying problem is that even when organizations have implemented fairly comprehensive access security, it is fragmented. To provide IT security for SOA requires an end-to-end Identity Management capability – one that is able to determine access rights for every application involved. Ultimately this means every application that the business runs. Even organizations that have invested heavily in Identity Management will still be some way from achieving that.
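
To show what "end-to-end" means for the order entry example above, here is an added illustration that is not part of the original post and does not describe any particular product. It assumes a central identity service that issues a signed, expiring assertion carrying the user's name and per-application entitlements; the SOA composite forwards that assertion through the abstraction layer, and the order entry service checks it itself instead of trusting whoever connected. The shared HMAC key and the entitlement names are constructed for the example; a real deployment would have the assertion issued and keyed by its Identity Management infrastructure.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed key shared between the identity service and the order entry
# service. A real deployment would use managed keys, not a literal.
IDENTITY_SERVICE_KEY = b"constructed-demo-key-do-not-reuse"


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_assertion(user: str, entitlements, ttl_seconds: int = 300, now=None) -> str:
    """Identity service: bind the user and their per-application rights into a
    signed, expiring assertion (payload.hmac-tag)."""
    issued = int(time.time() if now is None else now)
    body = {"sub": user, "ent": sorted(entitlements), "exp": issued + ttl_seconds}
    payload = _b64(json.dumps(body, sort_keys=True).encode())
    tag = hmac.new(IDENTITY_SERVICE_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return payload + "." + tag


def verify_assertion(token: str, now=None):
    """Return the assertion body if the tag is valid and it has not expired, else None."""
    if token.count(".") != 1:
        return None
    payload, tag = token.split(".")
    expected = hmac.new(IDENTITY_SERVICE_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    try:
        body = json.loads(_unb64(payload))
    except (ValueError, UnicodeDecodeError):
        return None
    if body.get("exp", 0) <= (time.time() if now is None else now):
        return None
    return body


def order_entry_create_order(request: dict, now=None) -> dict:
    """Order entry service: validate the propagated user identity itself rather
    than trusting the connecting application."""
    body = verify_assertion(request.get("assertion", ""), now)
    if body is None:
        return {"status": 401, "error": "missing or invalid identity assertion"}
    if "order_entry:create" not in body["ent"]:
        return {"status": 403, "error": f"{body['sub']} is not entitled to create orders"}
    return {"status": 200, "placed_by": body["sub"], "item": request["item"]}


def composite_place_order(assertion: str, item: str, now=None) -> dict:
    """The SOA composite (abstraction layer) only forwards the user's assertion."""
    return order_entry_create_order({"item": item, "assertion": assertion}, now)


if __name__ == "__main__":
    alice = issue_assertion("alice", ["order_entry:create", "inventory:read"])
    bob = issue_assertion("bob", ["inventory:read"])
    print(composite_place_order(alice, "widget"))   # 200: alice is entitled
    print(composite_place_order(bob, "widget"))     # 403: bob is not
    print(composite_place_order("", "widget"))      # 401: nothing to check
```

The contrast with the article's description is that the order entry system no longer needs its own knowledge of the calling application: it needs only the ability to verify an assertion from the one identity service, and that verification has to exist in every application the composite touches, which is the scale of the problem the post describes.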

It follows that IT Security will probably act as a brake on SOA implementations. IT security has often been an afterthought in the implementation of new technology. In recent years, for example, we have witnessed Internet capabilities and wireless capabilities being delivered with inadequate security, often with woeful consequences. Businesses are less likely to be so carefree with SOA, not just because IT security issues are better appreciated, but because SOA will link together the most important systems that organizations run.

In the long term, SOA will connect systems between multiple organizations up and down supply chains. When that happens, the IT security situation becomes even more complex and more problematic. Businesses will not only need to have their own IT security act in order. They will also need to have confidence in the Identity Management infrastructure of suppliers and customers. The commercial motivation to build such SOA capabilities to streamline the supply chain is there. But the Identity Management services that could make such systems secure are yet to be built.

Posted in Commentary

Unfortunately Translation Technology Cannot Yet Translate Accurately From English into Texan

One of the greatest disappointments of modern information technology has been its inability to translate to and from the Texan language. Only the following words have so far been identified and translated from the troublesome Texan tongue. Unfortunately it doesn’t constitute an adequate language base to attempt any kind of automated or even manual service:

Yawl (believed to be) the second person singular pronoun; e.g. “Good to see yawl”

Awlyawl (b.t.b.) the second person plural pronoun; e.g. “Good to see awlyawl”

Fixin (b.t.b.) intending; e.g. “Ahm fixin to visit yawl”

Often (b.t.b.) away from; e.g. “Ah can shoot that apple riot often yore had”

Barley (b.t.b.) just; e.g. “Ah can barley open mah eyes”

Thowed (b.t.b.) placed; e.g. “Ah’m gonna have yawl thowed in jail”

Hep (b.t.b.) to give assistance; e.g. “Ain’t yawl gonna hep me?”

Thang (b.t.b.) an object; e.g. “That don’t main a thang”

Suede (b.t.b.) endearing; e.g. “Ain’t that jes too suede for wards?”

Far (b.t.b.) to shoot; e.g. “Stop or ah’m gonna far”

Owe (b.t.b.) admiration; e.g. “Ah stand in owe of hem”

Consarned (b.t.b.) involved; e.g. “Yawl ain’t consarned in this no way”

Squire (b.t.b.) honest; e.g. “Everything here is fire and squire”

Ails (b.t.b.) another; e.g. “Ah only done what anybody ails would do”

Truss (b.t.b.) believe; e.g. “Don’t yawl truss me?”

Mere (b.t.b.) a reflective surface; e.g. “Ah jes hate to look at mahsef in the mere”

Lard (b.t.b.) a deity of some kind; e.g. “Lard only knows what happened”

Prior (b.t.b.) a petition to that deity; e.g. “Ah don’t never say a prior with mah hat on”

…………………………………………………………………………………………………………………………………………….

Congratulations! You just found one of the easter eggs on this site. If you weren’t looking for easter eggs, why on earth did you click on the Texas flag? What were you thinking?

Posted in R&R

The Spanish Prisoner (#419)

I read a story in a recent New Yorker about some American who had become yet another victim of the “Spanish Prisoner” scam. The poor fellow lost $80,000 or so and incriminated himself into the bargain, all in the pursuit of an immense pile of imaginary money.

The Spanish Prisoner scam, also known as the 419 scheme or the Advance Fee Fraud scheme, is based on the simple idea of promising you a share in a fortune, and gradually extorting fees from you as you pursue it. There are legal versions of the scam, adverts saying “you have won a laptop”—and you have, but your collecting it is going to cost you the price of it.

Nowadays the Spanish Prisoner scam usually begins with an email from Nigeria, which may read something like this:

Request for Urgent Business Relationship

I must solicit your strictest confidence in this transaction, as by virtue of its nature, it is utterly confidential and ‘top secret’. I have confidence of your ability and reliability to prosecute a transaction of this great magnitude involving a pending transaction requiring maximum confidence.

We are top Nigerian IT analysts whose successful white paper work and business advice to IT end users has resulted in our amassing $451,000,000 (Four Hundred and Fifty One million US dollars) in funds which are presently trapped in Nigeria. In order to commence this business, we solicit your assistance to enable us transfer into your account the said trapped funds. We will also send you a free white paper that evaluates the upcoming Vista version of Windows.

Unfortunately we cannot get our hands on the money directly as we wrote a negative review of Red Hat Linux and we are now on the run from a vicious bunch of Nigerian Open Source flamers who have caused us to relocate to Canada. Hence we are writing you this email. We have agreed to share the money thus; 20% to you, the account owner, 70% for us (the analysts), 10% to be used in settling taxation and all local and foreign expenses.

Please note that this transaction is 100% safe and we hope to commence the transfer latest seven (7) banking days from the date of the receipt of the following information … etc. etc.

Yours faithfully,

Dr Notta Scamsta

Note; please quote this reference number (mq/s/05/06) in all your responses.

When you respond by suggesting that there’s something fishy about this email (do Nigerian technology analysts really earn that little?), the fraudsters start furnishing you with proof in the form of scanned forged documentation, occasionally asking for money to bribe the odd official here and there. Bizarrely, some apparently intelligent people fall for it.

Another version of the scam is the unexpected lottery win. You get an email telling you that you have won some huge prize in a lottery because your email address was entered free into the lottery as a result of you registering at some web site. Try to get the money and advanced fees get requested.

It’s called the 419 scam because 419 is the section of the Criminal Code of Nigeria that covers this form of confidence trick. Apparently Nigeria is the prime source for 419 emails and it has been suggested that 419 is also the third to fifth largest industry in Nigeria. The US Treasury Department estimates that these scams cost people in the United States about $100 million a year. Apparently the odd CEO, corporate VP and even a US ex-congressman have fallen for this scam. Some office workers have embezzled thousands to feed the 419ers. Many people have been ruined and, apparently, 15 people have been murdered as part of these scams.

A 419 Coalition has formed itself on the web. It is an electronically linked organization of people that are actively fighting the scam, one third of whom (it claims) are victims of the scam. In the opinion of the 419 Coalition, the elites from which successive Governments of Nigeria have been drawn ARE the 419 Scammers. That might explain why only a dozen or so individuals have ever been charged with 419 crimes in Nigeria and why none of the money ever seems to get recovered.

The 419ers don’t have it all their own way. A web site called 419Eater.com gives you detailed instructions on how to scam the scammers; wasting their time, causing them expense, and getting them to reveal who they are. Odd as it may seem the scammed often have no idea at all who it was that scammed them. They yielded up their money to an email writer…

If these sorry victims will send money to an email writer, then why not to a blogger?

I’ve been meaning to tell you that I have a large amount of money ($31,415,900), which has accumulated from all those Google Ads that appear at the side of the page. Unfortunately it is trapped in an eBay account to which I have lost the password. If someone would just send me some money to spend on big houses, long holidays, Ferraris and loose women, to tide me over for the next few days, etc. etc.

Posted in R&R

Do You Boo Yahoo!

An acquaintance sent me an email, referring me to an Op-Ed piece in the New York Times about Yahoo, proclaiming “from now on I’ll never use Yahoo again”. I had been intending to provide further coverage on the topic of ghosts this week, but this startling statement diverted me into investigating the “Yahoo thing”.

Apparently Congress’s House International Relations Subcommittee on Global Human Rights subpoenaed four IT companies; Cisco, Google, Microsoft and Yahoo in order to – er.., well to be honest, give them a bad time in public. It must have been terribly embarrassing for the Don’t-Be-Evil Google and a little disconcerting for Cisco as neither company is used to being in the political cross-hairs. For Microsoft it was probably just an another-day-another-dollar kind of thing.

Cisco was criticised for selling equipment to the Chinese that could enforce censorship. (Pardon me, but isn’t there some kind of list the US government produces that restricts technology sales to “certain regimes”? If Congress is unhappy with these sales, why is the Cisco kit not on the list? I’m sure HP, IBM, Dell, Sun and others sell the Chinese kit that is or might be used for censorship.) Google and Microsoft were both criticised for directly imposing censorship in their search services to China.

But Yahoo, in this case, is a horse of a different colour. Over a period of years, Yahoo has revealed the identity of a number of Chinese citizens to the Chinese government. As a consequence many of these individuals (about 49 by some estimates) are now serving time in Chinese jails. These are the names of two of them, and a brief description of the heinous crimes they committed:

Li Zhi posted comments in an on-line discussion group criticising official corruption in China. The nerve of it! This 35-year-old ex-civil servant from Dazhou and running-dog-capitalist-lackey was promptly given an eight-year jail sentence in December 2003 for inciting subversion.

Shi Tao, a reporter, brazenly forwarded an email that openly divulged state secrets. He revealed the risks of referring to the anniversary of the Tiananmen Square protests and he even used seditious words like “democracy”. Mr Shi, a shameful-tool-of-American-Imperialism, who used the pseudonym ‘198964’ (the numbers form a completely meaningless date on which nothing of import happened) will spend 10 well-deserved years in jail.

Oddly, there are some people who are not entirely happy with Yahoo’s prompt and responsible actions in this matter. Some of them are visiting a web site, www.booyahoo.com, in order to sign a petition and send Yahoo a letter that expresses their misgivings. They are even closing down their Yahoo email accounts, ceasing to use Yahoo’s search capability, or movie service, or GeoCities or HotJobs. Some are even demanding that Yahoo provide financial support to the families of the criminals it grassed up.

What is the world coming to?


Yahoo may come to regret its decision to compromise the privacy of its customers, commercially. Nevertheless we should not lose sight of the fact that Yahoo was “only following orders”.

Posted in Commentary