Welcome Bharath to our blog, where he will be helping me with blogs about new fake trojans, fake alert scams, rogues, and the like.
Alex Eckelberry
The Great Years: 2004-2010
Couple of new sites distributing Zlob Trojan.
IP:77.91.231.183
Flwhelper. com
IP:85.255.113.237
Aviplugin. com
Please stay clear of these sites.
Bharath M N
(Thanks to Larry Seltzer for this one)
What a wonderful list. It starts with this wonderful gem of truth and goes on down from there:
11. Security Industry and Market Analysts (I am become analyst, the destroyer of markets)
Those bastions of knowledge, defenders of the objective faith, and creators of 2-page, in depth, market analysis reports. They don’t actually analyze security they analyze the security market, they say cool things like “By the end of 2007, 75% of enterprises will be infected with undetected, financially motivated, targeted malware that evaded their traditional perimeter and host defenses.” and come up with amusing names and acronyms, (did you know that NBA – Network Behavior Analysis – was at one time called NADS – Network Anomaly Detection System – you can imagine the fun Gartner could have had with an overview of the NADS market). I spent years as an analyst myself and I loved my time, but I will always regret that analysts never actually test, demo, or even interact with the technology they so confidently and assertively write about.
That last sentence: “I will always regret that analysts never actually test, demo, or even interact with the technology they so confidently and assertively write about.”
I suspect there are a lot of enterprise customers out there who don’t know that analysts, for the most part, never play with the products they recommend. They view vendor Powerpoints and talk to customers, vendors, and the like. Who wins? Probably the vendor with the best Powerpoint, the best relationship with the analyst, and the most willingness to pay for analyst research.
Whatever. More here.
Alex Eckelberry
Softwareheadlines.com pushing Zango…
Hey, why not put up some content, then force users to install Zango to get content that they can otherwise freely obtain on The Internets? Awesome!
If you click “cancel”, you get to view the page, making that popup a complete lie (it also appears that when the dialog comes up asking if you’re sure you don’t want Zango, clicking “OK” to install Zango actually doesn’t do that — and you also get to view the site for free).
The text posted is, for all I know, scraped from other blogs (I don’t know that, but I wouldn’t be surprised).
Alex Eckelberry
New sites distributing Zlob Trojan
IP:77.91.231.201
Sfwinstrument com
IP:85.255.113.234
Mpegadaptation com
The Trojan uses a new scare/fake scanner site to push Antispyware2008XP
scan.secure-online-antivirus(dot)com
Please stay clear of all these sites.
Here’s a list of new Rogue security products from the SpywareNo/SpySheriff family.
MS Antivirus from Msantivirusxp com
XPert Antivirus from Xpertantivirus com
Power Antivirus from Pwrantivirus com
SpywarePreventer from spywarepreventer com
All these are clones of Vista AntiVirus 2008
Google continues to have a problem with malware being advertised in Google Adwords, in this case, for the trojan Antivirus XP 2008.
An exacerbating part of the problem, of course, is that Google Adwords are massively syndicated to other sites, including heavy-hitters like CNET, all of whom may unknowingly push malware through these ads. A lot of people can get affected by this type of problem.
Alex Eckelberry
Marketing uber-guru Seth Godin blogs:
Ads are the new online tip jar
“I never click on ads.”
It’s almost a badge of honor to say that. The subtext is, “I’m too smart/busy to waste my time doing that,” or perhaps, “I don’t want someone to sell my attention.”
But the real effect is that you’re starving great content.
I can say this because there are no ads here but,
If you like what you’re reading, click an ad to say thanks.
Pretty simple, but not an accepted online protocol, at least not yet.
If every time you read a blog post or bit of online content you enjoyed you clicked on an ad to say thanks, the economics of the web would change immediately. You don’t have to buy anything (though it’s fine if you do). You just have to honor the writer by giving them a click.
You still get what you pay for, even if you pay with attention.
Link here.
So advertisers will now have to adjust their economics to deal with meaningless clicks whenever someone wants to give a nod to a blog they like?
Not sure I like this idea.
Alex Eckelberry

Disassembled, the output is actually this:
movie ‘spammed.swf’ compressed // flash 6, total frames: 136, frame rate: 12 fps, 1×1 px
// unknown tag 88 length 78
frame 14
getURL hxxp://moyapodruzhka. com/?wmid=44&sid=44′ ”
end // of frame 14
end
(Simply a redirect to a Russian porn site.)
Alex Eckelberry
We’ve seen the same trojan being sent to inboxes in all kinds of ways — and seemingly obsessively on the subject of Angelina Jolie. Minor shift, now they’re putting the fake codec window right in the spam.
Pushes video.avi.exe, a fake alert trojan which invariably installs Antivirus XP 2008 or some such rogue security program.
Alex Eckelberry
Spam currently running around Facebook spoofing Mark Zuckerberg.

Alex Eckelberry
The problem of being blacklisted by a security product has spawned a new entrepreneurial activity: Lobbying security companies to become delisted.
Bill Belcamino, a former executive with Miva and Auctiva, has started a new company, called Antivirus Compliance.
The goal of this company is to get companies off the detections of antivirus/antispyware engines, and improve their ratings in places like SiteAdvisor.
He’s proud of his accomplishments:
I personally found the ALOT.com domain, defined all aspects of the new brand, defined the Antivirus Compliance strategy and ultimately delivered the clean ALOT toolbar and homepage solution. I repaired the flagged SuperHoroscopes.com website and worked with McAfee SiteAdvisor to change the RED rating to GREEN to reflect my efforts. I defined and vetted with industry experts the strategy for the cleanup of Screensavers.com (in progress). I have an unblemished track record in this space and am highly confident that I can repeat this process for any challenges that may be in front of your company.
How will being clean impact the bottom line?
As a direct result of my leadership, steady product vision and Antivirus Compliance expertise, the ALOT brand significantly outperforms the legacy Starware brand: RPMLU is 62% higher and retention is 14% improved and revenue growth is phenomenal. Every product success metric is up, while the brand is able to provide a clean, virus free and malware-free user experience.
However, let’s consider that Alot.com, SuperHoroscopes.com and screensavers.com are all owned by Miva — a company without the most perfect reputation (remember Starware?). And let’s remember that Screensavers.com has stuff still listed by quite a few folks.
While my blog headline might have been provocative, it could be argued that Belcamino may be performing a service in helping companies clean up their act. However, I do hope that security companies rely on their own networks of contacts and information to make an informed decision. Ultimately, it’s the user who will be impacted in any de-listing decision.
Alex Eckelberry
This bozo enterprising fellow actually thinks we’d pay him? Unreal.
Dear Sir,
We are starting new service for software vendors, in this this service we will inform about full version, serial , keys or any availabe method avaible to use the prouct without paying their fee on public areas like forums, sites, rfree hosting etc. as a inaugral we want to inform you that a working full version of you product is available on this site and probably others also.We have tested this and it is working without problem.
http://(obfuscated).blogspot.com/obfuscated)
http://rapidshare.com/files/obfuscated)
you have already lost 1000$.
would you like to recieve this type of alert on daily monthly basis. Our starting monthly fee is 100$ per product monthly. please send your payment to versingdictionary@yahoo.co.in Thanks any unanswered question? write us back.
We are even currently working on how to stop torrent. no domain/page has been setup to prevent detection from sharing site forums etc. You can see our payapl verification before processing fee on your browser.
Thanks
versingdictionary@yahoo.co.in forums etc. You can see our payapl verification before processing fee on your browser.
Thanks
Name: Rahul Khandelwal
Company: no
Email: versingdictionary@yahoo.co.in
Telephone: none
Country: India
Previously attempted to contact Sunbelt? No
2008082111275789233
Code: CONTACT_US
Alex Eckelberry
Can you hear this sound? If so, you’re probably a younger reader of my blog.
As people age, their ears may lose the ability to hear higher frequencies (such as above 20 or 22 kHz).
Mosquito ringtones take advantage of this fact for teenagers, giving them downloadable “silent” ringtones that adults can’t hear.
Cute.
Alex Eckelberry
A customer, Nigel, just sent this email on our VIPRE tutorial video:
I have just installed it and all is well except for one thing — the installation tutorial (the one labeled Welcome to Vipre). The music that accompanies the explanations is so extraordinarily irritating and distracting that I literally found it impossible to stay focused on what was being said. Had I not been a committed customer of Sunbelt, I would have been tempted to ask for my money back on the theory that I can’t trust anyone with such terrible taste in music and lack of appreciation for the customers’ feelings or intelligence.
Err. I was the one who made that video. And chose the music. And did the voiceover.
So now that I’ve been found out to be the Philistine lout that I truly am, I decided to set matters right: I made a new video for anyone who wants a more pleasing sound, using Pachelbel’s Canon, played by Ray Hutchings on the piano. You can watch it here (prepare yourself).
We’ll do almost anything to make a customer happy.
Alex Eckelberry
Our manufacturing at risk? US carmakers are up in arms over new legislation that would require an inordinate amount of tracking of container shipments, which they deem largely useless in terms of protecting the security of this country. They argue that the new regulations would disrupt “just in time” manufacturing, pretty much the only way our carmakers can actually manage production in a time when consumer whims change at the drop of a hat (hat tip).
Inspector accidentally breaks instrumentation, grounds planes. Then, the astonishing and deeply disturbing story of a TSA inspector who blunders around the outside of a number of planes, only to damage key instruments that, if broken, present a serious safety risk. The damage is found and the planes are grounded, thankfully. What if they’d made it up in the air? No one should ever be allowed near a plane who doesn’t have the qualifications. Unbelievable. (hat tip)
Watch lists: More silliness with commercial pilots on no-fly or watch lists.
The TSA Blog also responds to allegations that it’s not putting people who don’t have ID on a list. It says it doesn’t.
I don’t get that. About a year ago, I was traveling and forgot that my driver’s license was expired (I had renewed it, my wife had put it aside for me, but I forgot to put the new one in my wallet). A screener caught it, and I was sent downstairs and got an SSSS boarding pass (which means that you have enhanced screening).
No problem.
But then my next two trips, I automatically got the SSSS on my outbound boarding passes (not on the return). I must have been on some list.
None of this type of thing would bother anyone, if they felt that the security of our nation was actually being served. But these are obvious and painful examples that we are doing more to hurt ourselves than secure ourselves.
I have no grudge against TSA or border control people. I’ve talked to a number of them, and many of them are decent, good people — really. However, they are in a bad spot, following policies and a culture put in place that does not prioritize how to deal with real risks.
The solution is leadership. Invertebrate committees will always come up with these types of solutions. Someone in Homeland Security has to get in charge and say “Let’s get real about what the security priorities are in this country”. And that person has to have the gumption to take the hits internally in the vast bureaucracy.
Alex Eckelberry
Good stuff.
The TCP/IP protocols were conceived during a time that was quite different from the hostile environment they operate in now. Yet a direct result of their effectiveness and widespread early adoption is that much of today’s global economy remains dependent upon them.
While many textbooks and articles have created the myth that the Internet Protocols (IP) were designed for warfare environments, the top level goal for the DARPA Internet Program was the sharing of large service machines on the ARPANET [Clark, 1988]. As a result, many protocol specifications focus only on the operational aspects of the protocols they specify and overlook their security implications.
Though Internet technology has evolved, the building blocks are basically the same core protocols adopted by the ARPANET more than two decades ago. During the last twenty years many vulnerabilities have been identified in the TCP/IP stacks of a number of systems. Some were flaws in protocol implementations which affect only a reduced number of systems. Others were flaws in the protocols themselves affecting virtually every existing implementation [Bellovin, 1989]. Even in the last couple of years researchers were still working on security problems in the core protocols [Gont, 2008] [Watson, 2004] [NISCC, 2004] [NISCC, 2005].
Alex Eckelberry
Well, we got lots of positive feedback on the new look of the blog, but we did keep getting reports of problems in Opera. Right now, we’re back to the old look until we can get a handle on what’s going on.
Alex
Robert made a new look for the blog. Let me know your thoughts — especially how it’s looking in your browser.
Alex Eckelberry
Update: Getting reports of badness in Opera. We’ll fix it.