AOL: The beatings continue until the software improves

Last night, I had the dubious honor of helping my mother with her AOL account.  The advertisements on her email screen made it look like some garish mixture between a third world candy store and a bordello.   

Why in the hell should she have to look at these ads?    She pays for AOL. 

Anyway, StopBadware doesn’t like AOL 9.0 much. According to an article today in Infoworld, a report is to come out today that:

…blasts the free version of AOL 9.0 because it “interferes with computer use,” and because of the way it meddles with components such as the Internet Explorer browser and the Windows taskbar. The suite is also criticized for engaging in “deceptive installation” and faulted because some components fail to uninstall.

The main problem is that AOL simply doesn’t properly inform users of what its software will do to their PCs, said John Palfrey, StopBadware.org’s co-director. “We don’t think that the disclosure is adequate and there are certain mistakes in the way the software is architected in terms of leaving some programs behind,” he said. “When there are large programs, some of which stay around after you’ve thought you’ve uninstalled them, they need to be disclosed to the user.”

Because AOL has taken steps to address StopBadware.org’s concerns, the group has held off on officially rating AOL 9.0 as badware, Palfrey said.

Link here.

Alex Eckelberry
(With copious thanks to Catherine)

Getting infected: A real-life story

Cade Fasset at PC Advisor writes about his recent run-in with spyware. 

Because of the battery drain caused by spinning the CD/DVD drive, and also because lugging around a stack of game discs in my briefcase is not very appealing for several reasons, I often go out on the web and download ‘cracks’ for my games to bypass the CD checks. I should say now that every game I play is legally purchased and owned by me, and is installed only on my computer. I only bypass the CD to save battery life and to avoid having to take my discs everywhere.

Link here.

Alex Eckelberry

The Consumer Reports testing scandal: It’s far, far worse than we initially thought.

Over the past two weeks, Consumer Reports has been slammed by the bulk of professional researchers in the security community for testing antivirus programs using 5,500 “fake” viruses. 

Consumer Reports fans and a minority group in the security community, however, fought back – after all, Consumer Reports is seen by many as a competent, independent testing lab and antivirus companies are generally seen as lazy, self-serving, money-hungry companies who have been soaking users for years with crappy products and high subscription fees, etc, etc.  So even though Consumer Reports was lambasted by professional security researchers with no ties to antivirus companies, it was seen by some as whining by money-hungry antivirus companies.

Well, ok, on to Chapter 2, which is more damning than the AV test. Because I have something which is so incredible, it boggles the mind.

In addition to antivirus programs, Consumer Reports tested antispyware applications. And they have now confirmed that they did not test against any spyware for their antispyware testing.   (Feel free to read that sentence again.)

Instead, their entire test of antispyware applications was based on running applications against Spycar, a set of applications written by Intelguardians that mimic spyware behavior — directly against the explicit instructions of the Spycar developers.

The entire test.  Blocking. Scan and remove.  The works. 

From a letter to us:

We assessed the ability of products to detect and block malware that had not yet been explicitly included in definition updates. This required the software to be capable of examining typical behaviors using heuristic methods. In the case of spyware, we used the public suite of Spycar scripts as published by Intelguardians Network Intelligence LLC, at http://www.spycar.org.

For each tested anti-spyware product, installed as the only anti-spyware product in a virtual session, we did a fresh boot and an update check for the product. We then ran each of the Spycar suite’s 17 components, allowing the anti-spyware program to attempt to detect and either warn the user or block the behavior. We then ran the evaluation tool and noted the behaviors that had been allowed. We then refreshed the session (undid the actions), and repeated the “infections”, but this time, prior to evaluation, we ran a scan with the anti-spyware program and allowed it to detect and undo any behaviors it found post-infection. We then ran an evaluation to see how many behaviors still remained.

The results of our two runs formed the basis of the “Blocking” performance in our ratings.

What does Spycar do?  It does things like installing fake registry keys, changing your start page and the like.   It is specifically designed to test how well antispyware programs block unknown applications — not scan and remove.

Remember that antispyware applications generally should do three things: 

a) Scan for spyware. 

b) Remove spyware. 

c) Block new spyware, hopefully before it infects your system.  

Spycar is ONLY designed to be a limited test of the blocking capability of an antispyware program. 

As Ed Skoudis, one of the authors of Spycar, pointed out to me:

Spycar is focused on evaluating behavior-based detection mechanisms.  That’s labeled very clearly all over the Spycar website.  Its only use in testing signature-based scanning products is in showing that they are just that, signature-based scanning products.  That is, Spycar can be useful in determining that a product has no real-time behavior-based detection mechanisms.  But, it’s not useful beyond that determination in evaluating on-demand signature-based tools or comparing them against each other.  Now, it can be used to show that  one tool has real-time behavior based defenses, and another doesn’t.   That is a useful comparison point, provided that customers understand what it means (and, an article should explain that).  But, again, it cannot be used to determine which of two purely signature-based scanners is better [my emphasis].  

This fact is made clear in section 1 of Spycar’s EULA:

Intelguardians created Spycar so anyone could test the behavior-based defenses of an anti-spyware tool.  It is intended to be used to see how anti-spyware tools cope with new spyware for which they didn’t have a signature.   It is not intended to provide perfect anti-spyware tests, or to act as a substitute for any other form of evaluation.  In particular, it is designed to test solely the ability of anti-spyware products to conduct behavior-based (non-signature based) detection of spyware. It is also not intended to disparage any particular anti-spyware product.

It is also explicitly not to be used as a sole testing method, something the authors of Spycar make very clear on their website.  

Is Spycar a Comprehensive Test of Anti-Spyware Tools?
No.  Spycar models some behaviors of spyware tools to see if an anti- spyware tool detects and/or blocks it.  But, spyware developers are very creative, adding new and clever behaviors all the time.  Spycar tests for some of these common behaviors, but not all.  Also, with its behavior-based modeling philosophy, Spycar does not evaluate the signature base, the user interface, and other vital aspects of an anti-spyware tool.  Thus, Spycar alone cannot be used to determine how good or bad an anti-spyware product is.  We’ve used it to find several gaps in anti-spyware product defenses, but Spycar is but one tool for analyzing one set of characteristics of anti-spyware products.  A comprehensive review of anti-spyware tools should utilize a whole toolbox, of which Spycar may be one element…

In other words, Consumer Reports’ methodology will not tell you if an antispyware application can remove Spyware Quake, Lop, Look2me, haxdoor, or any of a number of other vicious, nasty programs.

And even more surprisingly, even though Consumer Reports used the Spycar testing methodology, they never even contacted the authors of Spycar for advice or feedback. 

So, Consumer Reports

a) Ignored the instructions of the Spycar authors and used the simulator as the sole method of testing.  

b) Ignored the instructions by the Spycar authors to not use Spycar to test scan and remove functionality.

Consumer Reports carelessly and arrogantly didn’t bother to read the documentation for the simulator, and in the process, did not serve the consumer. RTFM.  

But let’s add a little more color.

Spycar is a limited test that can only be used to test certain blocking characteristics of antispyware programs (in other words, the ability of an antispyware program to drive you nuts with constant inane warnings).

For example, one of the Spycar test applications, HKLM_Run.exe, tries to insert the following registry key:

HKEY_CURRENT_USER\Software\Intelguardians\Spycar

Now, Consumer Reports tested the ability of an application to try to block that registry key.  But then it ran a scan on the machine to see if an antispyware application “caught” this supposed infection!

Absolutely mindboggling.  This is NOT an infection.  It’s a harmless registry key.   The entire antispyware scan and remove functionality was solely judged on the ability of an antispyware application to remove a harmless entry. 

There are only two ways an antispyware application would catch this harmless entry:

a) The antispyware company cheated, and made sure that all the Spycar entries were in their database or

b) The antispyware product has some type of “snapshot” ability, something not generally thought of as a requirement for an antispyware application (not necessarily a bad idea, but not entirely relevant to a test of scan and remove functionality).

Spycar can’t even test for some of the really nasty types of spyware out there, which would require a kernel-level driver to detect — malware that is inside a compressed file, unpacks a few kilobytes, hooks into the kernel without even executing an application, and happily installs a rootkit.  That’s the nasty crap that truly tests the ability of an antispyware application, contrasted with finding an adware application happily advertising itself in the Run key of the registry.
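To make concrete why a scan-and-remove pass could only have found Spycar’s entry through a snapshot comparison (or a padded signature database), here is an added illustration in Python. It is not Spycar’s code and nothing from Consumer Reports or Intelguardians; the registry contents are plain dicts constructed for the example, and every path, value name and signature in it is a placeholder except the HKEY_CURRENT_USER\Software\Intelguardians\Spycar key named above. It models the two runs described in the Consumer Reports letter (behaviors allowed, then behaviors still present after a scan) against a signature-only cleanup and a snapshot-based cleanup:

```python
"""Added illustration: signature lookup vs. snapshot comparison on a modelled registry.

Registry contents are plain dicts, {key_path: {value_name: data}}, constructed for
this example. They are not live registry reads and contain no real indicators.
"""
from typing import Dict, List, Optional, Set, Tuple

Snapshot = Dict[str, Dict[str, str]]

RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
IE_MAIN = r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main"
SPYCAR_KEY = r"HKEY_CURRENT_USER\Software\Intelguardians\Spycar"  # key named in the post

# Constructed clean state of the virtual session before the test components run.
BEFORE: Snapshot = {
    RUN_KEY: {"ExampleSync": r"C:\Program Files\Example\sync.exe"},  # constructed
    IE_MAIN: {"Start Page": "about:blank"},
}

# Constructed state afterwards: Spycar-style changes (new Run value, changed start
# page, marker key) plus one value pointing at a constructed "known bad" path.
AFTER: Snapshot = {
    RUN_KEY: {
        "ExampleSync": r"C:\Program Files\Example\sync.exe",
        "SpycarTest": r"C:\spycar\HKLM_Run.exe",                  # constructed path
        "Updater": r"C:\Windows\Temp\constructed_known_bad.exe",    # constructed
    },
    IE_MAIN: {"Start Page": "http://start-page.example.invalid/"},  # constructed
    SPYCAR_KEY: {"Marker": "1"},                                    # constructed value
}

# Constructed signature database. Spycar's harmless entries are deliberately absent,
# as they would be for any vendor that did not pad its database with them.
KNOWN_BAD: Set[str] = {r"C:\Windows\Temp\constructed_known_bad.exe"}

Finding = Tuple[str, str, str, Optional[str]]  # (key, value name, new data, old data)


def signature_scan(snapshot: Snapshot, known_bad: Set[str]) -> List[Tuple[str, str, str]]:
    """Flag only values whose data matches a known-bad signature."""
    return [(key, name, data)
            for key, values in snapshot.items()
            for name, data in values.items()
            if data in known_bad]


def snapshot_diff(before: Snapshot, after: Snapshot) -> List[Finding]:
    """Every value added or changed between two snapshots (old data is None if added).

    Removed values are ignored: the test counts behaviours that were allowed
    or left behind, not things that disappeared.
    """
    findings: List[Finding] = []
    for key, values in after.items():
        old_values = before.get(key, {})
        for name, data in values.items():
            old = old_values.get(name)
            if old != data:
                findings.append((key, name, data, old))
    return findings


def remediate_by_signature(snapshot: Snapshot, known_bad: Set[str]) -> Snapshot:
    """Scan-and-remove as a pure signature product does it: delete signature hits only."""
    return {key: {name: data for name, data in values.items() if data not in known_bad}
            for key, values in snapshot.items()}


def remediate_by_snapshot(before: Snapshot, after: Snapshot) -> Snapshot:
    """Scan-and-remove as a product with a "snapshot" ability does it: revert every
    change relative to the pre-infection snapshot."""
    cleaned = {key: dict(values) for key, values in after.items()}
    for key, name, _new, old in snapshot_diff(before, after):
        if old is None:
            del cleaned[key][name]
        else:
            cleaned[key][name] = old
    return {key: values for key, values in cleaned.items() if values}


def behaviours_remaining(before: Snapshot, cleaned: Snapshot) -> int:
    """The number the second test run reports: changes still present after cleanup."""
    return len(snapshot_diff(before, cleaned))


if __name__ == "__main__":
    print("allowed behaviours:", behaviours_remaining(BEFORE, AFTER))
    print("signature hits:", signature_scan(AFTER, KNOWN_BAD))
    print("left after signature cleanup:",
          behaviours_remaining(BEFORE, remediate_by_signature(AFTER, KNOWN_BAD)))
    print("left after snapshot cleanup:",
          behaviours_remaining(BEFORE, remediate_by_snapshot(BEFORE, AFTER)))
```

Run as a script, the signature scanner finds the one constructed known-bad path and nothing else, so three of the four Spycar-style changes survive its cleanup; the snapshot revert leaves none. That is the whole point: a signature product scoring well on this test must either have Spycar in its database or carry a snapshot feature, neither of which says anything about its ability to remove real spyware.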

At any rate, Consumer Reports doesn’t necessarily agree. When presented with an overwhelming amount of evidence as to why they shouldn’t use Spycar, their response was:

Thanks for your insights on the use of behavior simulation to test the performance of anti-spyware programs. We believe we understand your concerns, however we chose this approach because we felt it best captured the flexibility of the software.

We are constantly re-evaluating our test program, and will take these and other considerations into account in future tests.

Brownie, you’re doing a heck of a job.  

Alex Eckelberry
(More commentary here by Eric Howes.)

Sunbelt TechTips for the week of August 21

How to configure IE to open Office docs in the appropriate program

When you click a link on a web site to a Microsoft Office document (a Word .doc file, Excel .xls file or PowerPoint .pps file), it may sometimes open up in Internet Explorer instead of in the Office program associated with the file type. This happens because IE is configured to host Office documents by default. You can change this behavior by following these directions:

  1. Open My Computer and click Tools | Folder Options.
  2. Click the File Types tab.
  3. In Registered File Types, click the file type you want to change and click Advanced.
  4. In the Edit File Type dialog box, clear the checkbox that says Browse in Same Window.
  5. Click OK.

Patch Reissue is coming on August 22
If you’ve been having problems with Internet Explorer crashing when you go to certain web sites since you downloaded and applied the critical MS06-042 patch released on this month’s Patch Tuesday, you’re not alone. The problem is affecting a lot of folks who are running IE6 with SP1 on XP or Windows 2000. Here’s the good news: Microsoft has fixed the patch and will re-release the patch on August 22. Read more here.

More on the Blue Pill Scare
Well, more new info keeps coming in about the “Blue Pill exploit”. Made to sound like a flaw in Vista and a big threat to users, it turned out that the exploit was actually aimed at AMD hypervisor hardware and didn’t work anyway without administrative privileges. Now another claim, that the Blue Pill exploit is undetectable, is being challenged by security experts. Read more here.  

Is there an easy way to back up driver files?
If you’re looking for a software utility that will let you back up your hardware drivers in one fell swoop, there are a few options out there. One that’s free is WinDriver Expert from Huntersoft, which has a free version for non-commercial use. It finds driver files and saves them for you. It’s a small, quick download; the zip file is under 1 MB. You can find it here.

Right-click commands in IE are unavailable
If you right click a link in IE and discover that the Save Target As and Print Target commands are grayed out, it may be because Content Advisor is enabled. You can fix the problem by disabling Content Advisor or by loading the page and using the File menu command. For detailed instructions on both of these solutions, see KB article 176316.

Outlook Express stops responding when you log onto your email account
If you start Outlook Express and type in your email account name and password in the Log On dialog box, then find that OE stops responding and the Log On dialog box disappears when you click the OE window, there is an update to fix the problem. If you don’t want to install the update, there’s also a simple workaround. You can find out about both solutions by seeing KB article 898123.

DVD-RW discs appear to be empty in Windows Explorer
If you try to view the contents of some DVD-RW discs in Windows Explorer on a Windows XP SP2 computer, you may see a root folder that appears to be empty even though you know there are files on the disc. This happens because of the Universal Disk Format (UDF) defect management system. There is a hotfix available. To find out how to get it, see KB article 899527.

Security Patches for Vista
Two of the security fixes released on the August 8 Patch Tuesday affect Vista beta 2. These are MS06-042 and MS06-051. The patch releases didn’t mention that Vista is one of the operating systems affected, since it’s not commercially available. If you’re running the Vista beta, you need to download and apply these patches. You can read more about it here.  

What’s New in Paint?
The venerable Microsoft Paint program is often overlooked, as most users opt for more powerful graphics packages such as Adobe PhotoShop or Corel PhotoPaint. But Paint has been quietly getting more robust and usable with each version of Windows, and it’s come a long way since its Windows 95/98 reincarnation (which is probably the last time many of you took a look at it). The Vista version finally includes a Crop tool, and since the program is small and faster than its feature-laden cousins, I’ve taken to using it for simple chores like saving screenshots for articles. If you’re running the Vista beta, be sure to check it out.

Deb Shinder, MVP

Does Vista Give You Too Many Choices?

It’s great to have options, and being able to pay for the software features you want, and not have to waste money paying for features you don’t want and will never use, seems like a great idea. We got a taste of that with Windows XP: if you’re a business user or a home power user who needs to be able to connect your computer to a domain or wants to encrypt files with EFS or connect to your system from somewhere else via Remote Desktop, you could pay extra for XP Professional. If you only want to do simple home computing tasks such as checking email and surfing the web and running a word processing program, you could save a few bucks by getting XP Home instead. There are also a couple of special purpose editions, for Tablet PCs and Media Center home entertainment computers, but those operating systems come installed on the systems.

Now, with Windows Vista, there are even more choices – and some users are a little confused by the plethora of options that are expected to be available. Pundits are making fun of the abundance of choices; see this humorous article claiming that “Windows Vista to Ship in 33 Different Versions“.

In reality, Microsoft now lists five editions on the Vista web site.

Home Basic, Home Premium, Business, Enterprise and Ultimate editions (back in February, Microsoft announced six editions which included Vista Starter Edition, a very restricted version for “emerging markets” – read third world countries – only). Although pricing hasn’t yet been officially announced, we expect the cost to rise approximately in that order. How do you decide which one you need?

Home Basic will be the lowest priced of the retail editions and will be very, well, basic, much like XP Home. Perhaps most notably, it won’t support the cool Aero glass interface with its translucent windows and other eye candy. Cynics might wonder, if you don’t get Aero, why not just continue to run XP? Basic will, however, include security enhancements, parental control, improved search capabilities, Windows Mail, Calendar and Contacts, and other new features. Home Premium offers additional features, such as EFS encryption, as well as both Tablet PC and Media Center PC functionality and a host of entertainment applications such as DVD authoring, photo management, and extra games. Home Premium supports twice as much RAM as Home Basic (16 GB vs. 8 GB).

On the business side, you now have two choices – well, sort of. Business Edition is comparable to XP Pro. It includes IIS (web server software), fax support, Remote Desktop, and dual processor support, among other business oriented features, as well as most of the features of Home Premium except for Media Center. Companies that enter into a Software Assurance or Enterprise Licensing agreement with Microsoft can go a step further and get Enterprise Edition, which adds BitLocker drive encryption (enhanced security for company laptops that contain sensitive information), a built-in version of Virtual PC that runs a single VM session at a time, UNIX application support and better multi-language support. This version won’t be available to individuals through retail or OEM channels.

Finally, there’s the best (and most expensive) of all possible worlds: Vista Ultimate. It has all the features of Enterprise Edition, along with the entertainment features of Home Premium, including Media Center, and is the high end option for both home users/gamers and business users who are multimedia professionals.

To confuse matters a little more, there are also expected to be “N” editions of both Home Basic and Business editions, which don’t include Windows Media Player. These are made to comply with EU regulations and will only be available in the European Union.

All these choices may cause some folks to agonize a bit when they decide to take the upgrade plunge, especially home users. Should you stick with Basic, spend a little more for Premium, or bite the bullet, empty your wallet and go all the way with Ultimate?

The good news is that, if you start out conservatively and later discover that you want more features, Microsoft is making it easy for you to upgrade one version of Vista to another. The Anytime Upgrade licenses will be sold by PC vendors and solutions providers. If you have Home Basic, you can upgrade to either Premium or Ultimate. If you have Business Edition, you can upgrade to Ultimate. You can read more about the program, which started beta testing this month, here.

Unfortunately, if you buy a high end edition and decide you don’t need all those features, you can’t downgrade and get a refund for the difference.

How do you feel about all these different editions of Vista? Should Microsoft have stuck with two basic versions, a home and a business edition? Or do you appreciate the ability to pick and choose the feature set you want? Is the Anytime Upgrade program a great idea, or just a ploy to squeeze more money out of you? If/when you upgrade to Vista, which edition will you choose? Let us know what you think.

Deb Shinder, MVP

Getting a job in the valley? Read this.

If you’ve ever spent time in Silicon Valley, this article by Guy Kawasaki is so real it’s almost painful to read.  

It’s not about getting a job so much as a commentary on the environment which is so unique to the area.

Expect the funny farm. Most likely you’ll go through a group grope of interviews by four or five people. Most likely only one of them has hired and managed people before. Most likely this is the cast of characters that you’ll meet. Use these stereotypes to prepare answers to their questions and concerns.

Link here.

Of course, why get a job in Silicon Valley when you can come work for Sunbelt Software in beautiful Tampa Bay, Florida?

Alex Eckelberry

Sunbelt Weekly IT recap

Speedtest: The new Speedtest beta seems to work like a charm, looks wicked cool, and you can share the results. Link here.

WiFi help: Setting up more Wireless Access Points and need to test signal strength on a “g” network with a Pocket PC or Laptop? Try NetStumbler, here.

Vmware tool: Russian Veeam Software developed an app to monitor the performance and resource usage of all the virtual machines running on VMware SV or WS. Free version for personal use. Link here.

New Exchange list: Microsoft just put up their Exchange 2007 Beta Wiki. They called it… “ExchangeNinjas”. I guess we should be flattered.  Link here.

Top Ten Active Directory Tips: The inner workings of Active Directory can get so complex, it can drive an admin crazy. Not to fear, though. No one is more adept at the technical side of AD than SearchWinIT.com expert, Gary Olsen. Here we have gathered Gary’s ten best tips from the past year, as rated by SearchWinIT readers. Link here. (free registration required). 

FAQ: Exchange Server Non-delivery Reports:  Exchange Server non-delivery reports (NDRs) indicate e-mail delivery issues due to non-existent, inactive or expired accounts, misspelled e-mail addresses, poor spam filter configuration, and other causes. Get tips on enabling and disabling NDRs, and learn how to decipher and troubleshoot NDR messages in this collection of expert advice. Link here. (free registration required)

VMware Users Worry About VM Sprawl: Server virtualization makes it easy as pie to deploy a new system — maybe a little bit too easy, say industry observers. Can you ever have too much of a good thing? Server virtualization fans are wildly enthusiastic, but even some true believers are worried about how quickly scads of virtual machines (VMs) are being added to corporate IT environments. “We love VMware,” said Tom Dugan, director of technical services at Recovery Networks, an outsourced business continuity provider in Philadelphia. Even so, he’s worried about managing an ever-increasing sprawl of VMs. More here.

SQL Server 2005 Upgrade Hurdles: Before upgrading to SQL Server 2005, consider this collection of potential migration hurdles and pitfalls, from parameters that may cause blocking to default settings that are no longer supported in the new DBMS. Link here.

Gartner: Top 5 Steps to Dramatically Limit Data Loss
Public exposure of private data is becoming a regular occurrence, but the majority of these incidents can be prevented if companies implement the proper security best practices, according to Gartner, Inc. Gartner analysts have identified the top 5 steps to prevent data loss and information leaks. The top 5 steps to prevent data loss and information leaks are the following:

  1. Deploy Content Monitoring and Filtering (CMF). A CMF solution monitors all outbound network traffic and generates alerts regarding (or sometimes blocks) activity based on inspecting the data in network sessions. CMF tools monitor common channels, including e-mail, IM, FTP, HTTP and Web mail (interpreting the HTTP for specific Web mail services) and look for policy violations based on a variety of techniques. (Sunbelt Messaging Ninja will have a content filtering plug-in before the end of the year)
  2. Encrypt Backup Tapes and (Possibly) Mass Storage. Gartner analysts highly doubt that many of the reported lost backup tapes containing consumer records eventually result in fraud. However, because there is no way to know for sure, companies have to assume exposure anyway. Encryption can ensure that the data will still be safe.
  3. Secure Workstations, Restrict Home Computers and Lock Portable Storage. Workstations and laptops can be a major source of loss, especially when a poorly configured or out-of-date enterprise or home computer is compromised by a virus or worm, and by losing portable storage media, such as a Universal Serial Bus (USB) drive or CD-ROM. “There’s really no excuse for not keeping an enterprise system up-to-date with the latest patches, a personal firewall, antivirus and anti-spyware software,” Mr. Mogull said. “These precautions alone will prevent the vast majority of commonly encountered Internet attacks.”
  4. Encrypt Laptops. If organizations give employees portable computers, employees will store sensitive data on it. Policies don’t matter: Users will always use the tools they acquire, and sensitive data will always end up in unexpected places.
  5. Deploy Database Activity Monitoring. Most organizations struggle to secure existing databases that are rarely designed with effective security controls. While companies eventually need to encrypt some of the data in their databases, database activity monitoring is a powerful security control that’s easier to implement and more viable than encryption for many types of data.

Preventing Users from Disabling a Screen Saver
(This is a really useful tip I ran into from Randy Franklin Smith’s newsletter from the UltimateWindowsSecurity site).

Q: How can I prevent my users from disabling the password-protected screensaver that I configure when setting up new systems?

A: If your computers and user accounts are part of an Active Directory (AD) domain, you can use one Group Policy Object (GPO) to deploy a policy to all your users that prevents them from disabling the screen saver. If you don’t use AD, you’ll need to configure the setting in the local GPO of each computer.

Whether editing a GPO in AD or a computer’s local GPO, maneuver to the User Configuration\Administrative Templates\Control Panel\Display folder in the Microsoft Management Console (MMC) Group Policy Object Editor and enable the “Hide Screen Saver tab” policy. Now when users open the Display applet in Control Panel, the Screen Saver tab just won’t be there for them to access. Note that the Display folder also contains other policies that enable you to configure the screen saver itself as well as its timeout value and other parameters.

This Security Q&A originally appeared in the Windows IT Security newsletter’s Access Denied column.  You can subscribe here.  

Stu

Remember to report your phishes to PIRT

Remember to send in phishing scams to PIRT, the Phishing Incident and Takedown squad for takedown.

Two ways:

1. Email them to pirt @ castlecops.com as an attachment.

or

2. Go to the web interface at castlecops.com/pirt, and enter at least the phishing URL.

Also, we still need more volunteers to help take these sites down.  Nothing more satisfying than toasting a fresh phish.  Join the crew by clicking here.

Alex Eckelberry

More on ConsumerReportsGate and the state of testing

You’re going to see a lot more about this over the coming weeks, but a number of reputable publications are being criticized for their testing methodologies.   Not all the criticisms may be fair, but we have a debate going and it’s healthy.  As an industry, there need to be standards in testing methodologies for all types of security software (something we’re trying to do in the antispyware testing space).

It started back in June, when the New York Times quoted Microsoft as saying that PC Magazine’s antispyware test method was unfair, “pointing out that the particular spyware programs tested were extremely rare and obscure.” Veteran PC Magazine tester and author Neil Rubenking responded with an article headlined “Our Tests Are Fair” and further elucidated on testing strategy in the article “Spy vs. AntiSpy”.

Brian Livingston later added fuel to the fire with a full newsletter issue critical of the antivirus testing of PC World.    

PC Magazine and PC World are both highly experienced tech publications and know their stuff.  So there’s going to be a very active debate, but it will be a healthy one: These publications don’t have their blinders on and they do know technology.

Which brings me to ConsumerReportsGate, involving the publication Consumer Reports, better known for reviewing cars, lawn-mowers and appliances.  They have recently published a review of antispyware, antivirus and antispam applications.  We’re as baffled by the results as everyone else, especially with our desktop antispam program, which scored in such a way that I can only speculate that the magazine used some antediluvian version of the product with no updated definitions.  

Why the big hullabaloo? Consumer Reports made an incredible error:  They “created” 5,500 viruses for their antivirus test.  Graham Cluley of the firm Sophos is reported as having said, “When I read about what Consumer Reports has done I want to bash my head against a brick wall”.

Veteran virus tester and expert Mary Landesman takes Consumer Reports to task as well:

Admittedly, I may know very little about vacuum cleaners, cars, coffee pots, and many of the other things Consumer Reports tests – but I do know security software. The methods used, and the results construed from those methods, cause me to severely question the validity of any of their more mainstream reviews. I’m actually in the market for a new vacuum cleaner and a new coffee pot, and I’m sure of one thing – I won’t be relying on Consumer Reports for buying advice.

More at TechWorld, CNET, SecurityProNews and Dwight Silverman’s blog as well.

Now, a number of people are curious as to why creating viruses for testing is a bad thing, a practice considered taboo in the antivirus industry.

The primary scientific procedural problems with using simulators and creating new viruses were originally explained and substantiated in an open letter Joe Wells (our chief scientist in charge of security research), wrote here.  I will quote some relevant passages:

Today’s antivirus products use a variety of sophisticated methods to detect viruses. Such methods include execution analysis, code and data mapping, virtual machine emulation, cryptographic analysis of file sections, etc.

Such advanced antivirus systems make virus simulation for testing virtually impossible. This is because there is no way to know what sections of viral code and/or data are targeted by any given product. That being the case, all of the virus code and data must be in the file and in the correct order for the product to detect it as that virus. If a simulator did create a file with everything possibly needed in place, it would have to create the virus exactly. It would no longer be a simulator and the virus would be real, not simulated. Therefore a virus cannot be reliably simulated.

So simulated viruses cannot reliably take the place of real viruses. This in turn means they are not a measure of an antivirus product’s worth. Think about it. If a product does not report a simulated virus as being infected, it’s right. And if a program does report a simulated virus as being infected, it’s wrong. Thus, using simulated viruses in a product review inverts the test results. It grossly misrepresents the truth of the matter because: 

– It rewards the product that incorrectly reports a non-virus as infected.

– It penalizes a product that correctly recognizes the non-virus as not infected.

And then in a section entitled “An Ethical Quandary”:

Most antivirus companies are under some form of self-imposed restrictions that prevent them from knowingly creating new viruses or virus variants. In addition, competent testing and certification bodies such as ICSA, Virus Bulletin, Secure Computing, and AV-Test.org, do not create new viruses or virus variants for testing.

Indeed, the consensus throughout the antivirus development and testing community is that creating a new virus or variant for product testing would be very bad, and totally unnecessary. To do so would undoubtedly raise questions about their ethics.

Yet, as Wells says, another problem involves the verification of created viruses. How were Consumer Reports’ viruses modified and were they fully functional viruses? If the test is to be validated scientifically, then the samples would be given to another bona fide testing lab to be verified and tested. Thus the original testing body is not just a virus creation lab, but a virus distributor as well. If they refuse to provide the samples, then their claims cannot be independently validated; so their test is invalid.

So how do you test heuristics? It’s easy, and again, I quote Joe Wells:

A tester can easily do a meaningful scientifically valid test based on the real and present danger (actually the real and soon-to-be present danger).

To elaborate on the logic, a tester can install products and download signatures on a specific day, and then test the products against current viruses known to be in the wild (see http://www.wildlist.org).

Then the tester waits a month or two and, using those old detection signatures, tests against new viruses that have appeared in the wild after the signatures were downloaded. In this way the unknown viruses being tested are real viruses that are an actual threat. Such testing is therefore a “reality check” in a literal sense.

Simple and effective.  And honest. Joe has done this type of testing successfully in the past.  He designed and performed such testing for PC World back in 2000.  If you look at the “How We Tested” section you will find the simple and real-world solution.

This is turning into a scandal, with only one outcome:  Consumer Reports must do a comprehensive re-test.  There’s simply no alternative.  Otherwise, their reputation for fair and unbiased testing of security software is in the toilet.  

Wait — there’s even a disagreement with their toilet reviews as well.


Alex Eckelberry

Interview with Rowan Trollope, part deux

Second in a two-part series with Rowan Trollope. Yesterday, thoughts on OneCare, Norton Confidential and Genesis.  Today, SiteAdvisor and emerging threats.

What do you think of McAfee’s recent acquisition of SiteAdvisor?

Chris Dixon, and the folks at SiteAdvisor built an interesting technology.  I don’t know what McAfee plan to do with it. 

The real shame is that SiteAdvisor doesn’t really work very well for phishing attacks — it wasn’t designed for that.  So users of SiteAdvisor need to be aware that while they are getting the “green light”, it doesn’t have best of breed anti-phishing technology…  Why?  SiteAdvisor was a startup, and they had to focus on doing something new that wasn’t already being done.  Whole Security, Microsoft and a few others were already quite far ahead on the phishing side, so they chose to focus on spam, popups and other “known” malicious code.  Unfortunately for users, while these are “interesting”, they aren’t as critical as protection against the real threats – namely phishing and pharming.

While this choice may have been right for SiteAdvisor the startup company, McAfee now has a big hole in their portfolio — no competitive anti-phishing technology — at least none that I’m aware of.

Our approach is to focus on the real threats, and to also provide users a “red-light/green-light” in their browser (with the Norton Toolbar).  We think this in-browser technology is so important, we’re not only including it in Norton Confidential, but also in Norton Internet Security and the upcoming Genesis.

You have been in the industry for 15 years, since the early days of viruses.  Most recently, you wrote about Vishing.  What other new types of attacks do you see on the horizon?

Yes, Wifi attacks — what I call wifi jacking (I think it has another “official” name, such as the recently reported “evil twin”).  Others are more crafty trojans, screenscrapers, password stealers, etc.  Blended threats using worms to propagate crimeware will continue and accelerate.

With Web2.0 sites becoming more and more useful and complex, we’ll see more attacks embedded in Javascript and against back-end systems which contain more and more valuable user data.

When I think of these, we try to start working on the protection concepts well before we even see the threats, so we’re already looking at this stuff now, even though many of these threats have yet to materialize.

On a personal note, what do you do in your spare time when you’re not working? 

I spend my “free” time snowboarding, racing motorcycles, painting, playing ice-hockey, and hanging out with my family and friends.

Eesh. Snowboarding, racing motorcycles, painting, playing ice-hockey?  Sounds like way too much work for me. 

Alex Eckelberry

AOL under fire for free AV product

Deja vu: AOL is under fire from privacy experts. 

After being contacted by IDG News, AOL said it now plans to alter the licensing agreement. “We are updating the EULA to address any concerns,” said Andrew Weinstein, a company spokesman. “We are reserving the right solely to send periodic marketing e-mails that users will have the choice to opt out of.”

Adding to AOL’s troubles is the fact Active Virus Shield’s security toolbar is based on a product with a questionable reputation. An earlier version of this software, known as the Softomate toolbar, is flagged as adware by Kaspersky’s own anti-virus products.

Link here.

Alex Eckelberry

Interview with Rowan Trollope of Symantec

Rowan Trollope is the vp of consumer engineering at Symantec. We’ve been informally exchanging some emails recently on the state of security and he was kind enough to answer some questions I posed to him. 

You have a new product coming out, Genesis.  How is it coming  along?

Genesis is coming along very well.  We are targeting a public beta before the end of summer.  We’ve been working on Genesis for almost 2 years now, and the features and functionality are looking very good.  There is a lot of anticipation in the market for the product, and the team is working many late nights and weekends to get it ready.

When you see Genesis, it will be immediately apparent how we rewrote the functionality under the covers.  Unlike other suites and offerings in this space, we did not just throw everything in the kitchen sink together and call it something “new”, we really went back to the basics and rebuilt stuff from the ground up.  The benefits to customers will be that the product is faster, more lightweight, and better integrated than any other product on the market.

We’re very interested to see the public reaction to Genesis, which is why we’re so focused on getting the Beta out.  Look for more comments on Genesis on the Norton Consumer blog here.

What’s your feeling about Microsoft  OneCare?

I think it is great that Microsoft are continuing to focus on the security of the operating system.  It's a big job, and the more folks we have working on it the better.  That being said, there is nothing new or innovative in OneCare itself.  OneCare offers yesterday's technology to solve last year's problems.  For example, there is a Virus scanner, firewall and a local backup.  These have all been available to customers for many years.

The real threats to be solved are phishing and crimeware (keyloggers, trojans, screen scrapers).  These threats require a new approach to security.  Our approach has been to increase our investment in behavior based security technologies, as evidenced by our acquisition of WholeSecurity last year.

Symantec has recently announced Norton Confidential.   What will this product do for consumers?

First, let me give you some background on changes in the threat landscape, which precipitated the introduction of a brand new security product, Norton Confidential.

Many users are aware that over the last 18 months, there has been a significant transition in the threat space, from hacking for fame, to hacking for fortune.  Coincident with this shift we have seen the threats change dramatically — from Viruses and Worms, which spread internationally over days and weeks, to phishing and pharming, which are very targeted attacks, and which come and go within hours.

To combat these new threats, we realized that we had to invest in behavior based systems, and heuristic detection technologies, which is why we purchased Whole Security.  Whole Security was the market leader in anti-phishing technology, and this is being directly included into Norton Confidential when it is released.

Also unlike Viruses and Worms, there is no simple remedy or prescription, such as “don’t open attachments”, which will keep you safe.  Phishing attacks can be so devious, they fool even the most savvy users.  I almost got fooled last week by a phishing attack which was spreading through IM.  It was very crafty.  It's kind of funny when someone in the engineering team gets fooled by these, as they can almost never live down the taunts that will follow from their peers.

So what does it do?  Norton Confidential protects users' confidential information, and keeps it safe.  How does it do that?  First, it integrates into the browser and provides an easy “Red/Green” signal light for every page that a user browses to.  Second, it has special heuristic based scanning technology which can detect “unknown” threats, based on their behavior and characteristics, instead of a threat fingerprint, in the manner of traditional AV products.  Finally, Norton Confidential scans ALL outbound channels, looking for telltale signs that your identity is being stolen, and will alert you instantly.

In my estimation, these features will make Norton Confidential the most important new security product to have on your system going forward.

Tomorrow, Rowan’s thoughts on some other technologies and new threats.

Alex Eckelberry

What is the effect of Bayesian poisoning?

There’s been a fairly quiet debate in the spam community for some time as to the effectiveness of “Bayesian poisoning”.

As you probably know, Bayesian filtering is a method proposed back in the late 90s to filter junk email, and developed by Paul Graham in his original work, “A plan for spam”.  (If you’re rusty on your higher math skills, the term Bayesian refers to a number of methods of determining probability, first realized by mathematician Thomas Bayes). 

Bayesian filtering relies on “training” an engine to recognize the probability of something being spam or not spam.  It’s implemented in a variety of antispam products, and is a supplemental antispam method used in our own iHateSpam desktop product (but not in our server product).  

The idea behind Bayesian poisoning is that by throwing in a bunch of good words, it confuses the Bayes probability engine.  That’s why you see emails with things like the works of Charles Dickens in them — they are trying to confuse both Bayesian filters and the signature based engines.

But does Bayesian poisoning work?  John Graham-Cumming at the POPFile project decided to actually find out (realize that POPFile uses Bayes filtering, so there is the potential of bias).  His conclusion?  Bayesian poisoning is real, but is not that big of a deal.

The evidence suggests that Bayesian poisoning is real, but either impractical or defeatable. At the same time the number of published attack methods indicates that Bayesian poisoning should not be dismissed and that further research is needed to ensure that successful attacks and countermeasures are discovered before spammers discover the same ways around statistical spam filtering.

Link here.

Off the cuff, I think Bayesian poisoning is real.  However, it’s a question of scale.

If a corporate email server is processing 100,000 spam messages a day (probably about average for a company with 1,500 employees) and there’s a slight change in the probability that lets, say, a tenth of a percent of spam through, that’s 100 pieces of spam that got into an organization.   Now, that's a small number, but spammers deal with small numbers.  Think of a hundred million messages advertising herbal Viagra resulting in 50 sales (or a small spike in a stock price).  When you’re using the bandwidth of other people’s machines (through botnets/spambots), it’s dirt cheap.

And there may also be a time factor involved.  A massive attack using the works of Charles Dickens slightly alters the probabilities, possibly for a bit longer.  When you’re dealing with probabilities on a large scale, you will start to see a difference.   This is the problem that the drug pushers, er, pharmaceutical business deals with all the time.  They do a small clinical trial and they may not see a small effect (or ignore it).  Then the drug gets used by millions of people and we start to see people dying, committing suicide or growing a third leg.  The number may only be a few tenths of a percent, but there’s a large population that’s affected.

We’ve also found that our own Bayes engine in iHateSpam gets “corrupted” after a while and has to be reset.  We think it’s due to poisoning. I think that Bayesian filtering absolutely has a place in spam filtering, but it’s not the only solution.

I’m curious to know your thoughts.

Alex Eckelberry

McAfee sheds doubt on Consumer Reports review

The latest issue of Consumer Reports has a review of antispyware, antivirus and antispam programs.  It has some people in the industry a bit confused. 

Igor Muttik at McAfee has the first antivirus company public response to the review.

There are several things here that do not seem right:

  1. It is claimed that created viruses were “the kind you’d most likely encounter in real life” which is, of course, something the testers cannot know.
  2. Creating new viruses for the purpose of testing and education is generally not considered a good idea – viruses can leak and cause real trouble (you can read an open letter on the AVIEN site about that).
  3. There is a more scientific way of measuring real proactive detection of AV products on future malware – it is called “proactive testing” or “retrospective testing”. The idea is to measure, say, 3-month old AV product against real field viruses that appeared within these last 3 months. The discussion of the methodology of such tests can be found here and some real test results with common AV products are on the AV-comparatives.org site.

(Minor side note: He expresses some confusion about Consumer Reports reporting the results as from September 2006, but this is normal procedure in the magazine business).
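Here is an added example (my own code, not any testing lab’s or vendor’s) of the retrospective test Joe Wells describes in the post above and that Muttik’s point 3 calls proactive testing: freeze the signature set on a chosen day, then score the product only against wildlist samples that first appeared after that day. The wildlist, the signature release history and the digests are all constructed placeholders; a "generic" signature stands in for the kind of family or heuristic detection such a test is meant to reward.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Sample:
    name: str
    family: str
    digest: str        # constructed placeholder, not a real malware hash
    first_seen: date   # day the sample was first reported in the wild

@dataclass(frozen=True)
class Signature:
    kind: str          # "exact" matches one digest; "generic" matches a whole family
    target: str
    released: date     # day the vendor shipped this signature

# Constructed wildlist and signature history (no real samples or products).
WILDLIST = [
    Sample("W32/ExampleA", "ExampleFam", "aa01", date(2006, 5, 3)),
    Sample("W32/ExampleB", "ExampleFam", "aa02", date(2006, 6, 20)),
    Sample("W32/ExampleC", "ExampleFam", "aa03", date(2006, 8, 9)),
    Sample("W32/OtherA",   "OtherFam",   "bb01", date(2006, 6, 1)),
    Sample("W32/OtherB",   "OtherFam",   "bb02", date(2006, 8, 15)),
]
PRODUCT_SIGS = [
    Signature("exact",   "aa01",       date(2006, 5, 4)),
    Signature("exact",   "bb01",       date(2006, 6, 2)),
    Signature("exact",   "aa02",       date(2006, 6, 21)),
    Signature("generic", "ExampleFam", date(2006, 6, 25)),  # proactive family detection
    Signature("exact",   "aa03",       date(2006, 8, 10)),  # shipped only after the sample appeared
    Signature("exact",   "bb02",       date(2006, 8, 16)),
]
FREEZE_DATE = date(2006, 7, 1)   # signatures downloaded on this day, then left alone
TODAY = date(2006, 9, 1)

def detects(sigs, sample):
    return any(s.target == (sample.digest if s.kind == "exact" else sample.family)
               for s in sigs)

def retrospective_test(wildlist, sigs, freeze):
    """Freeze the signature set on `freeze`, then score only samples that
    appeared in the wild after that date."""
    frozen = [s for s in sigs if s.released <= freeze]
    new = [s for s in wildlist if s.first_seen > freeze]
    detected = [s.name for s in new if detects(frozen, s)]
    missed = [s.name for s in new if not detects(frozen, s)]
    return {"freeze": freeze, "tested": len(new), "detected": detected,
            "missed": missed, "rate": len(detected) / len(new) if new else 0.0}

def current_test(wildlist, sigs, on):
    """The naive alternative: today's signatures against today's wildlist.
    Every sample already has an exact signature, so it says nothing about heuristics."""
    known = [s for s in wildlist if s.first_seen <= on]
    avail = [g for g in sigs if g.released <= on]
    return sum(detects(avail, s) for s in known) / len(known)

if __name__ == "__main__":
    print("current:", current_test(WILDLIST, PRODUCT_SIGS, TODAY))
    print("retrospective:", retrospective_test(WILDLIST, PRODUCT_SIGS, FREEZE_DATE))
```

On this data the current-day test reports 100% detection, while the retrospective test credits only the sample caught by the generic family signature and exposes the miss on the other family.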

Creating viruses for the sake of testing is a bad idea.  Our very own Joe Wells and many other luminaries in the antivirus space wrote a letter to CNET on this very issue quite a while back. It’s pretty surprising that a magazine like Consumer Reports would make such an error.  There are some in the antivirus community that are appalled at what they believe to be shoddy work.

Publications need to use industry-standardized methods for testing.  Organizations like Virus Bulletin have been doing this for years.   Why can’t publications follow their lead?  

Remember, though, that antispyware testing is quite a bit different than antivirus testing, a subject Eric Howes is taking on.

Alex Eckelberry
(Hat tip to Andreas Marx)

UPDATE:  TechWorld article here.