Is there hope for antivirus programs?

Antivirus software is getting a bad rap right now. Justified or not, we need to step back and figure out how to fix it.

---------------------------------------------------------------------------

To start, let's define antivirus protection. Simply put, it's software that prevents malware from infecting computers. If that's agreeable to you, I then have to ask why computers protected by antivirus apps are still getting infected.

To explore this further, I enlisted the help of Rick Moy, president of NSS Labs, a company with the following charter:

"NSS Labs performs expert, independent security-product evaluations to assist end-user organizations in selecting the right security products for their environment."

I initially learned about NSS Labs while doing research for a piece about browsers and their ability to fend off malware. Since that article, Rick and I have had several interesting conversations about the current malware versus antivirus software climate, something NSS Labs is very interested in. With that in mind, I asked Rick several questions about the seemingly epic battle:

TechRepublic: You mentioned there are two classes of malware threats, user attacks and machine attacks. Could you explain what you meant?

Moy: Taking a high view, malware can be defined by the way it executes:
  • Attack on the User: Users are tricked into downloading and executing software containing malware such as fake AV, video codecs, and pirated software. In this case, the user is the vulnerable or weak link.
  • Attack on the computer: Attackers exploit vulnerabilities in computer software without the user's knowledge. For example, visiting a malicious Web site with a vulnerable browser usually leads to exploitation and the installation of malware. All without any user interaction.

The first threat is solved by a combination of user education and reputation systems (like those provided in Internet Explorer 8, Firefox, or Chrome) that warn people that the software they are about to download is infected. Some AV products have this as well.

The second is solved by Host Intrusion Prevention Systems (HIPS), not traditional AV. They do this by operating in memory and inspecting data as it streams onto a computer. HIPS also inspect processes before allowing them to run. This once-stand-alone technology is increasingly being integrated into endpoint security products.

TechRepublic: During our talks, you mentioned that antivirus software usually has three components, each focusing on a different aspect of malware. I found that interesting and would appreciate you elaborating on that.

Moy: Operation Aurora is a great example. It consists of all three stages: vulnerabilities, exploits, and malicious payloads. This distinction is often confused in discussions, but critical to understanding how to effectively block attacks.
  • Vulnerability: a bug in software code that allows a product to be exploited, e.g., a buffer overflow.
  • Exploit: a specially crafted code sequence that can leverage vulnerabilities within an application. Some examples would be heap sprays and buffer overflow attacks. An exploit can be hiding in an infected Web site (client-side attack) where it ambushes visiting computers or be launched from another computer (remote attack).
  • Payload: malicious content that gets delivered once the vulnerable application has been exploited. Payloads are the actions performed on the compromised target computer, such as command execution, writing a downloader or Trojan to disk, or returning a reverse shell.

The following graph shows the relative volume of attack components at each stage.

Rather than chasing malware payloads, endpoint security products should focus more on vulnerability protection. That's because the number of vulnerabilities is far less, therefore more manageable.
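To make the vulnerability/exploit/payload distinction concrete, here is an added example (not from the interview or NSS Labs) that models the two defensive strategies Moy contrasts over a hypothetical record format: a one-byte declared length followed by data, parsed into a fixed 32-byte buffer. A payload-signature check only stops samples whose bytes it has already seen; a vulnerability-based check fires on the overrun condition itself, whatever bytes ride along. The format, buffer size and sample records are all constructed for the example.

```python
"""Payload-signature blocking vs vulnerability-based blocking (toy model).

Assumed format: byte 0 is a declared length, followed by that many data
bytes.  The (hypothetical) vulnerable parser copies `declared` bytes into a
fixed 32-byte buffer, so declared > 32 is the vulnerability condition; the
data bytes are the payload delivered through it.
"""
import hashlib

BUFFER_SIZE = 32  # assumed size of the parser's fixed buffer


def parse_record(record: bytes) -> dict:
    """Split a record into its declared length and data bytes."""
    if not record:
        raise ValueError("empty record")
    declared = record[0]
    return {"declared": declared, "data": record[1:1 + declared]}


def is_exploit_condition(record: bytes) -> bool:
    """Vulnerability-based check: does the declared length overrun the buffer?
    This fires for every payload delivered through this one bug."""
    return parse_record(record)["declared"] > BUFFER_SIZE


def payload_hash(record: bytes) -> str:
    """Hash of the data bytes only, i.e. the payload a signature AV would match."""
    return hashlib.sha256(parse_record(record)["data"]).hexdigest()


class PayloadSignatureAV:
    """Traditional AV model: block only payloads whose hash is on the signature list."""

    def __init__(self, known_samples):
        self.signatures = {payload_hash(s) for s in known_samples}

    def blocks(self, record: bytes) -> bool:
        return payload_hash(record) in self.signatures


class VulnerabilityShield:
    """HIPS-style model: block the exploit condition regardless of payload bytes."""

    def blocks(self, record: bytes) -> bool:
        return is_exploit_condition(record)


def make_record(data: bytes) -> bytes:
    """Build a well-formed record whose declared length matches its data."""
    return bytes([len(data)]) + data


def evaluate(defender, records) -> tuple:
    """Return (blocked, total) for a defender over a list of records."""
    blocked = sum(1 for r in records if defender.blocks(r))
    return blocked, len(records)


# Constructed samples: two benign records (within the buffer), one exploit
# variant already on the signature list, and two new variants that use the
# same overrun with different payload bytes.
BENIGN = [make_record(b"hello"), make_record(b"x" * 32)]
KNOWN = make_record(b"A" * 40)
NEW_VARIANTS = [make_record(b"B" * 40), make_record(b"C" * 33 + b"\x90" * 7)]


def run_comparison() -> dict:
    """Compare both defenders on the exploit variants and on benign traffic."""
    av = PayloadSignatureAV([KNOWN])      # only ever saw the first variant
    shield = VulnerabilityShield()
    exploits = [KNOWN] + NEW_VARIANTS
    return {
        "signature_av": evaluate(av, exploits),          # (1, 3): misses new variants
        "vuln_shield": evaluate(shield, exploits),       # (3, 3): one rule covers all
        "signature_av_benign": evaluate(av, BENIGN),     # (0, 2): no false positives
        "vuln_shield_benign": evaluate(shield, BENIGN),  # (0, 2): no false positives
    }


if __name__ == "__main__":
    for name, (blocked, total) in run_comparison().items():
        print(f"{name}: blocked {blocked}/{total}")
```

The point of the comparison is the count on the vulnerability side: one condition to guard covers every payload that could be delivered through it, which is the "far less, therefore more manageable" argument in code.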

TechRepublic: According to antivirus software companies, their products will protect against malware. You feel that users are being somewhat misled by those claims. Could you please explain?

Moy: During the end of 2009, we surveyed 500 visitors to our Web site and found that 46% expected their antimalware product to stop 100% of the threats. Major security vendors estimate 30+% of machines they scan have some form of malware. The statistics show that malware is far from under control.

TechRepublic: It only takes one time of having a protected computer become infected for people to realize something is not quite right. What do you think the problem is?

Moy: We are fighting an asymmetric battle right now; the bad guys have more power than the good guys. As defenders, we need to watch and guard ALL possible avenues of attack. As attackers, cybercriminals only need to find ONE to exploit our systems. They are motivated and disciplined, testing their malware creations until they get an effective strain, i.e., one that evades the most antivirus products and infects the most machines.

Going forward, software developers must write more secure code, in order to reduce the number of vulnerabilities. Users must educate themselves and patch frequently.

TechRepublic: I have been a strong advocate of: If you keep the operating system and application software up-to-date, there is no problem. You gave an example of why that's not always true. Could you share it?

Moy: While it's important to apply the latest software patches, this will not guarantee your safety. Patches are only written to address known issues. Cybercriminals are constantly developing and using new attacks that have yet to be discovered by the security community, so-called zero-day attacks.

Zero-day exploits give attackers a window of opportunity. That is, until analysts can figure out what's going on and push out a signature file and/or patch. It's during that time frame when behavioral protection may help.

TechRepublic: You seem optimistic that antivirus applications can be improved to where they will be effective. What will it take?

Moy: There are clearly areas where antivirus products can improve. In our recent study of the Operation Aurora attack, we found six out of seven products were not stopping exploit variants. And, they had mixed results in detecting the malicious payloads.

Security products should evolve to provide more vulnerability-based protection. Reputation services are also key technologies for reducing end-user exposure, but not all vendors use them. Finally, security vendors should embrace more real-world testing and third-party services to drive innovation and quality.

TechRepublic: You mentioned that NSS Labs uses a different methodology when testing security products. Could you tell us about that and why you feel it is a better way?

Moy: Given the speed with which new threats arrive and spread through the Internet, legacy testing techniques are no longer a relevant measure of a product's capabilities. Thus, NSS Labs has developed a unique "Live in-the-cloud" testing framework that emulates the experience of average users.

Client machines visit malicious Web sites using their Web browsers and attempt to download malware. Files not blocked are then executed dynamically. This new test methodology focuses on threats currently active on the Internet and is the best predictor of protection offered by a product.

Recurring testing introduces malware into the test harness within a few hours of discovery, as malicious URLs are visited every few hours. This enables us to measure how long it takes a vendor to add protection, since few sites are stopped on the first visit. These metrics help show the significant differences in effectiveness among products.
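The two metrics Moy describes, whether a site is stopped on the first visit and how long a vendor takes to add protection, can be computed from a log of repeated visits. The following is an added example, not NSS Labs' harness or code: the log format, product names and URL labels are constructed for illustration, with each entry recording one visit by a client running one product to one malicious URL and whether it was blocked.

```python
"""Time-to-protect and first-visit block rate from a live-test visit log.

Constructed log: (product, url label, ISO timestamp, blocked?).  Each
malicious URL is revisited every few hours, as the interview describes.
"""
from collections import defaultdict
from datetime import datetime

VISIT_LOG = [
    ("ProductA", "malicious-url-1", "2010-03-01T00:00", False),
    ("ProductA", "malicious-url-1", "2010-03-01T04:00", False),
    ("ProductA", "malicious-url-1", "2010-03-01T08:00", True),
    ("ProductA", "malicious-url-2", "2010-03-01T00:00", True),
    ("ProductB", "malicious-url-1", "2010-03-01T00:00", False),
    ("ProductB", "malicious-url-1", "2010-03-01T04:00", False),
    ("ProductB", "malicious-url-1", "2010-03-01T08:00", False),
    ("ProductB", "malicious-url-2", "2010-03-01T00:00", False),
    ("ProductB", "malicious-url-2", "2010-03-01T04:00", True),
]


def _parse(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M")


def _group(log) -> dict:
    """Group visits by (product, url), each as a time-sorted list of (time, blocked)."""
    visits = defaultdict(list)
    for product, url, ts, blocked in log:
        visits[(product, url)].append((_parse(ts), blocked))
    for seq in visits.values():
        seq.sort()
    return visits


def time_to_protect(log) -> dict:
    """Hours from the first visit to the first blocked visit, per (product, url).

    None means the URL was never blocked within the test window, which is
    the failure mode a single-snapshot test would not even notice.
    """
    result = {}
    for key, seq in _group(log).items():
        first_seen = seq[0][0]
        blocked_at = next((t for t, blocked in seq if blocked), None)
        result[key] = (
            None if blocked_at is None
            else (blocked_at - first_seen).total_seconds() / 3600
        )
    return result


def first_visit_block_rate(log) -> dict:
    """Fraction of URLs each product blocked on the very first visit."""
    counts = defaultdict(lambda: [0, 0])  # product -> [blocked_first, total_urls]
    for (product, _url), seq in _group(log).items():
        counts[product][1] += 1
        if seq[0][1]:
            counts[product][0] += 1
    return {p: blocked / total for p, (blocked, total) in counts.items()}


def average_time_to_protect(ttp: dict, product: str):
    """Mean hours to protection over the URLs this product eventually blocked.

    URLs never blocked are excluded here, so report them separately
    (see never_blocked) or the average will flatter a product that misses.
    """
    hours = [h for (p, _u), h in ttp.items() if p == product and h is not None]
    return sum(hours) / len(hours) if hours else None


def never_blocked(ttp: dict, product: str) -> list:
    """URL labels this product never stopped during the window."""
    return sorted(u for (p, u), h in ttp.items() if p == product and h is None)


if __name__ == "__main__":
    ttp = time_to_protect(VISIT_LOG)
    for product in ("ProductA", "ProductB"):
        print(product,
              "first-visit rate:", first_visit_block_rate(VISIT_LOG)[product],
              "avg hours to protect:", average_time_to_protect(ttp, product),
              "never blocked:", never_blocked(ttp, product))
```

Note that the two products show the same average time-to-protect here while differing sharply on first-visit rate and on what was never blocked, which is why the averages should never be reported alone.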

TechRepublic: With that unique approach do you feel that you can be of service to antivirus software developers?

Moy: Absolutely. Our engineers take a hacker's approach to testing - with the gloves off. Without such an approach, testers merely validate what a product can do. It's important to find what a product can NOT do, before the bad guys do. We have already helped many of the world's best known security companies improve their products.

Final thoughts

Three comments by Rick really stood out:

  • Defenders need to protect all possible avenues of attack, the bad guys only need one to exploit.
  • Endpoint security products should focus more on vulnerability protection.
  • Test security products in a way that emulates the experience of average users.

To me, these three simple statements clarify the problem and what needs to be done. What do you think?

I would like to thank Rick Moy of NSS Labs for sharing his insight about a subject near and dear to all of us.

About

Information is my field...Writing is my passion...Coupling the two is my mission.

vadodsantos

Above a certain amount of money, companies should have responsibility for their programs' errors and pay for any damages to buyers; otherwise software might be cheaper. Osvaldo.

pbock

The architecture between the filesystem, OS, apps and data is broken. Not all machines and systems use the same model put forth by Microsoft. Consider the XO laptop from One Laptop Per Child, or my Verizon Droid cell phone. On these alternate platforms, files are accessed by an app in a container that doesn't have access beyond the container. The current architecture used by PCs isn't securable. Suppose you need a place to store your keys. You decide that you will store your keys inside your body. So to not kill yourself, you figure out ways to sterilize your keys, and surgical instruments, and you set up a surgical environment. You do this every time you want to store or use your keys. This is the burden of AV software. All you really needed was pockets to store your keys. The purpose of keys is to unlock the door to your house and allow you to start your car. They didn't need to be sterilized to do that. Similarly, if you chose a different architecture we wouldn't need to sterilize our files and apps to be able to use them. VPN technology is the extreme of this problem. It gives you the ability to perform surgery in a septic tank. Do we really need all that burden just to share some info with the main office?

youwerewarned.co.uk

Rick Moy has divided the attacks into two categories, attacks on the user and attacks on the machine. He cites reputation systems like Trend's Smart Protection Network as being good proof against many of these attacks. However I would also argue that reputation systems can also be effective proof against the second class of attacks. He says "The second is solved by Host Intrusion Prevention Systems (HIPS), not traditional AV. They do this by operating in memory and inspecting data as it streams onto a computer. HIPS also inspect processes before allowing them to run. This once-stand-alone technology is increasingly being integrated into endpoint security products." I agree that HIPS has a vital role to play in vulnerability shielding and that is part of the reason behind our acquisition of Third Brigade last year; this technology absolutely needs to be integrated in all levels of "anti malware" products, *but* I would also argue that reputation technology has a vital role to play in providing protection here. If we can block access to the malicious web site in the first place, then the user is not even exposed to the exploit that could potentially negatively affect the system. Rik Ferguson - Trend Micro www.youwerewarned.co.uk

sysop-dr

Let's start with some definitions: Virus is a piece of code that infects executables or libraries, spreading by infecting other executables and libraries and is passed computer to computer by sharing executables. (Friday the 13th) Trojan horse is a piece of code that pretends to be one thing but is actually not that but a piece of malware. (These are the fake AVs and codecs.) Macro virus is a virus that infects documents or other user files (not executables, but includes emails and email attachments) and spreads by sharing the files. (Love Bug.) Worm is a piece of code that exploits vulnerabilities and spreads by exploiting that vulnerability on computers; it can either be by directly probing exposed computers or by the user opening an infected web page (drive by, this seems to be the most active category these days). The payload of the malware does not impact the type of malware. So it doesn't matter if the payload is a keylogger or it formats your C drive; if it infects by drive-by HTML exploit it's a worm. Root kits can be any one of the above. The first root kits were viruses that then put themselves into the boot sector to load before the OS did. The first of the stealth viruses, although they were then followed by more sophisticated stealth virii and today's trojan root kits. OK now that that is out of the way, true viruses are extremely rare these days. When was the last time you got an infected copy of Word? Yes they still exist but they do pop up once in a while. Macro viruses are also still around but they don't spread world wide like they used to. Today's biggest problems are the trojans, which are mostly spread by people just not knowing any better, and worms, which are the most sophisticated that we have seen so far. Trying to find and stop a trojan means education for the masses. Nothing else will stop it and AVs are pretty much useless here unless the trojan is old and there are sigs for it.
Worms are stopped by patching your system or sandboxing your web browser and other apps. This is an on-going battle that we can only bring to a draw at most. Worm writers will constantly be upgrading their systems to break through the defences put in place by AV and OS developers. We will continue patching and updating our AV files. It will never end. We have to keep doing it but in the end it's a battle we can not win and the malware authors win daily. So what can we do? We must continue the efforts we are now making but we also have to do the one thing that will stop it once and for all and that is make it not profitable to continue the effort. To do that we need to do more enforcement, more prosecutions and go after the people who are the real problem. We continually do things like blame Microsoft or AV writers and people even start blaming the victims. We have to refocus on who is the real problem and the people who truly are to blame, the malware writers and the people/governments that back them. Thanks, and safe surfing, \\//_ llap

Neon Samurai

Some legal actions against hospitals and such are truly justified but many see healthcare as an easy target. Being able to spin personal negligence or a medical staff error into something grand is like winning the lottery in some eyes. The result is that money provided to healthcare and healthcare insurance is pissed away into settling frivolous cases rather than improving the system and resulting care. Payments go out, insurance premiums go up, budget to improve care is lost. Though possibly not in the exact same way, the software industry would also be damaged and those parasites who see a chance to sue as a lottery winning will start targeting software developers. Those who have valid reasons to file suit will be lost in the noise. Software costs will become prohibitive and developers will become scarce. We'll end up back in the mainframe days where three or fewer vendors were available to choose from and hardware/software combinations cost in the millions, let alone the vendor lock-in they deliver. As the other response points out and answers to my questioning "why are software engineers not held to engineering standards" confirm, computing and software would not be affordable for any but big business and the rich minority. I'd be happy if the "good enough to make a sale" status quo was replaced with "best quality we can provide" but that isn't likely to happen as long as proprietary software is the majority - too much maximizing price on minimum expense in retail software. As an example, Mozilla has released Firefox updates based on the recent Pwn2Own contest. We're still waiting on Microsoft patches (possibly next Patch Tuesday if not later) and Apple acknowledgment that they were even breached in the contest. (Apple tends to play the "we're invulnerable" PR game much harder than Microsoft.)

Ocie3

If software developers and/or vendors were *required* to warrant their products (which none of them do), and/or to accept liability for the consequences of using their products (which none of them do), then most likely software would become prohibitively expensive for anyone but wealthy individuals and organizations to license/buy and use. It might be so expensive that sales would be too few to make developing the software worthwhile, so the current ubiquity of computers would soon decline to virtually none. If you want a legal analysis, then please ask a lawyer to post his/her opinion in reply to your question(s).

CG IT

But the new model doesn't really protect the devices either. The application purchased for use on the device [smart device/phone with downloadable apps] can contain the rogue code and no one would know. That's the next attack vector criminals are targeting with smart phones. Google had a problem with a Chinese guy who wrote and uploaded hundreds of apps that contained hidden code in the app. Since it's special code in the app, AV doesn't get it because it's not a standard virus threat. It's not even a malware threat. No one ever looks at the number of bytes used on their smart phone bills. Since you're using the app, there are extra bytes sent while you're using it. You or the company simply pays the bill. If you download and store anything on your phone, then it's a threat vector. The threat doesn't have to change anything on the phone software such as WinCE firmware. It's an app. When you use that app, it sends data in the datastream the app uses. No one looks at bytes sent and used, so the extra isn't noticed.

GreatZen

Also, one of the most bizarre technical metaphors I've ever read. I suppose since we're talking about "viruses" there's a segue but wow.

Michael Kassner

Your analogy. I haven't heard it put that way before. It certainly gets a person's attention.

Michael Kassner

I have not heard of Third Brigade. What are your thoughts about it?

JCitizen

will save the day! Seriously, they are doing just that. Microsoft has been working with the DOJ to get rid of crime gang bot-net control server relays. They have them cornered in Ukraine. However, with the Chinese and Russians requiring ID to buy a domain now, Ukraine is sure to follow. This will force the bot-herders to buy space in the free world where it is easier for world enforcement organizations like Interpol to get hold of them and cut the lines of communication to the command and control server relay system. It is still a long battle ahead, but we are winning - so far! My Postini spam has dropped to almost nothing, and spam getting through is cut by more than half on my ISP email server. Now they need to go after the lazy advertising industry to get security standards improved/enforced on ad servers and web-site managers, to keep them from being pwned by web-site hijackers. Unfortunately this is where the political rub may get nasty.

RU_Trustified

Despite things like the MSDL...major vulnerabilities are still turning up, as demonstrated at hacking contests. Neon and Ocie3 make the point that the economic incentive for better code development (litigation avoidance) is an economic disincentive for the user community. While improvements are both possible and desirable, perfect coding is not obtainable and like everything else, there may be a point of diminishing returns beyond which there are negligible returns for additional effort. These things do nothing for the billions of lines of legacy code that already exist. So as long as it still takes one exploitable vulnerability, this model does not make sense economically, or on any level. Does it not make more sense to go with an approach that prevents threats from exploiting the vulnerabilities that currently exist and that will continue to be created despite the best efforts of the software security community?

RU_Trustified

might be at risk due to rogue code. Due to the nature of supply chains, what if there is rogue code in firmware in all hardware coming out of Asia? Running a system within the system that supersedes all other kernel activity and keys on operational rules is what is required and is simply layered defense but at the core.

JCitizen

to pound into the head of Apple fanatics who think they are invulnerable, and always blame everything on the user for being pwned. But with applications like iTunes and QuickTime already on the Mac and then add the vectors of the iPod, iPad, and iPhone, you have a huge potential "cess-pool" as was previously mentioned. The popularity of these devices almost guarantees it will be a vector, and just think what will happen when connected to a Mac with some of the obvious zero day vulnerabilities that have come to light in the immediate past.

RU_Trustified

In what I hope should be good news to the SMB space, the long awaited Web application protection should be affordable even to SMBs that need Web application protection for their business and who can't afford enterprise solutions. If you check into it, the cost of scanning, WAF/IPS, patching etc. can run over 10k per year per application, and the state of the art is not really that great yet. (Hard to scale, accuracy can be a problem etc.) A medium size business could be running 20+ apps. That is out of reach for most. Full Disclosure: I am associated with a vendor of a security product that promotes an alternative security model in innovative products. Ryu for Web app protection is a per server price so can further reduce the per app price for protection down to a further incremental fraction of the enterprise solutions, which do not do as much. It looks like the price will be $1k for the complete. The Solaris package will cost more. That kind of difference should be enough for SMBs to do something about their Web app security if they are not able to do very much now. I am a bit out of the loop myself for health reasons right now, but I would suggest that folks don't assume that this solution is automatically out of their price range. It certainly will be cheaper than breach recovery.

JCitizen

are the ONLY way you should operate on the web! If you run Vista or Win7 you can always install something with an admin logon much like sudo in open source. Theoretically, as long as your OS or applications have no vulnerabilities, you are immune to risk, as long as you don't fall to a social engineering attack. However, we all know that Windows has plenty of vulnerabilities to go around, so a blended defense is still necessary. Unless you try RU's product and meet with success. I'd bet that would cost you plenty, unless you are the CIO of a very large corporation and have deep pockets.

RU_Trustified

I think I recall reading last week that the figure is about 60% of the low hanging fruit being eliminated by running in user mode. By definition, these systems are low assurance because it IS still possible to escalate privileges in an unauthorized manner.

AnsuGisalas

"Lastly, once people have reached the point of running multiple AVs it's really time to start introducing them to running as a limited user instead of an administrator. Smarter rights management beats overly complicated AV solutions every time." ... I had this idea that malware knows how to get around user rights, or was I wrong? Or is there something I've overlooked?

Neon Samurai

A vulnerability may have a bounty from the vendor in the thousands. A vulnerability on the open market can see bidding in the tens of thousands. Government is a huge buyer in the open market also; "how do I protect myself" and "how do I get at the enemy" are probably equal parts of the motivation to buy. When one obtains and why one keeps a stockpile depends on the organization. Criminals want 0days to use after the current tricks are blocked. Vendors want to improve their product and minimize public loss of face. Governments have defensive and offensive interests. If they don't employ researchers then they just buy later in the supply chain if it hits the open market. The vendor probably has the most valid reason for wanting them though probably not the majority of the buys given the potential size of the other two areas combined plus whatever groups I'm not thinking of.

AnsuGisalas

I mean, how many crackers both amateur and pro are out there trying to make a buck off of zero-days... Military CyberOps would necessarily have to keep even closer tabs on which exploits are going around than the security industry; just to keep up to date on what's yesterday's news. Using a compromised attack vector could give undue warning of increased enemy activity.

Neon Samurai

That's really the crux of it there. If the OS is not designed to be secure then no amount of add-on extras is going to make it more secure. Adding more or different brands of AV is not going to fix the underlying OS flaw that malware continues to take advantage of. Another example was a flaw exploited through an old version of Firefox where Microsoft claimed that the issue was Firefox, so Mozilla patched even though the same underlying flaw could still be exploited through other browsers.

RU_Trustified

Thanks to the National Science Foundation, another million plus down the flusher. NSF funding creation of secure new OS http://www.networkworld.com/community/node/59938 The system I describe in my Lipstick post below does everything with normal systems that these guys are trying to do with virtual machines. The problem is the same though. You have to have a bullet proof host OS or there will be trouble. Neon covered your question Ansug- the upgrade question is up to the OS vendor's design. The control system I refer to can be dropped on any system without affecting functionality.

RU_Trustified

no,... never mind. If the OS is not secure, there will always be work arounds in the stack. That is the problem. It is necessary to build your kernel so that nothing in user space can bypass your controls there. If you think layered defense, you can place a gate or interface that controls what may pass to execute right in the heart of the kernel, the missing core layer. If you make this gateway a control framework that keys on operational privileges for its rule set, then you can set up very granular privilege controls to govern end behaviors by anything in user space. There is a lot more to it of course, as it must be self-protecting, prevent privilege escalation etc. It is not looking at fixing vulnerabilities in the normal sense. It is placing a control system that overrules unauthorized behaviors, a category which threats trying to exploit vulnerabilities usually fall into. By using white listing for end behaviors, malicious unauthorized behavior attempts are denied as long as the rule set addresses that behavior. The current model is based on the vulnerability side of the risk equation, whereas focusing on reducing threat capability to zero has the same effect as removing all vulnerabilities.

RU_Trustified

when a pellet gun will do the job? Both sides have zero days that they can use if needed. Let's assume that once an attack is used, forensics will determine how it was done, and in our normal reactive way we will shut the door to that one specific vector. The problem is there are lots more on the shelf. Currently the advantage always goes to the attacker. With inherently secure systems, it's advantage defender; the cost to pull off a successful attack becomes huge.

AnsuGisalas

I mean, their greed makes them expose weaknesses that a real enemy might otherwise want to keep in store for the cyberwar?

RU_Trustified

That thinking really only applies to the current security model, which a few people consider to be broken. Unfortunately, a few things taking place in the world lately have created a need for a different strategy. In an interview published last week, former Air Force CIO John Gilligan provided a snapshot into the huge problem in defending government networks today. I found this statement a concern: 'While we don't have the ability to produce totally secure systems, we do have the ability to implement the basic safeguards needed to protect our cyber systems from the relatively unsophisticated attacker; the 80 percent portion of the threat.' What this says is that the government hopes it has the budget and skills to eliminate the lower 80% of threats. In the event of serious cyber conflict, those that would really want to inflict damage to the critical infrastructure of the US are exactly those adversaries with the expertise and the resources to take advantage of the remaining 20% of threats. A successful attack may be harder to come by, but it still only takes one exploitable vulnerability, and that is the problem. It represents no real defense in a scenario of serious conflict against adversaries that are still saving their best offense for when the stakes are highest. Adversaries will raise their level to wherever the bar is set. Only an inherently secure or high assurance defense will work. Just look at how infosec has changed in the last 3 months. Advanced persistent adversaries for example. The Dalai Lama is hit again. What good is having one of the best analyst firms in the world (SecDev), expecting to be attacked and knowing who is likely behind it? Apparently not much good. They still could not stop it. Plus, there are always our old friends at the RBN, so these problems apply to the private sector as well as government.

santeewelding

And I will begin addressing you as Anheuser.

AnsuGisalas

I am the original bigfoot, it takes a lot to make a permanent impression on my toes. According to Santee I am competently clerical, maybe. I should probably change my nick to Popemaster Flash.@;)

Neon Samurai

What you are describing is called a "Rolling Distribution" meaning that it's always rolling along without stopping for a major version reinstall from time to time. Imagine you installed DOS/Win3.11 and have simply evolved your machine through to the current Win7 simply by keeping up with Windows Update patch releases. You can literally format/install your system once and never have to format again though you always have the latest software versions and updates. By contrast, Debian and its related forks including Ubuntu are nearly rolling distros. You still get major versions but they are designed to easily upgrade in place rather than always require a format/reinstall. When I move my system from Debian 5 to Debian 6, I'll simply type "aptitude dist-upgrade" and from that point on, I'll be running Debian 6. Unlike a rolling distro, I'll have that major version upgrade but it won't be like a Windows Upgrade: backup, format, install clean, reconfigure, restore user data. The thing is, Windows is the retail product. Microsoft sells a Windows unit and that initial sale profit has to cover its development costs, general retail expenses and future support such as updates. Once the original product stops providing enough profit to cover its ongoing support, a new version has to be sold to entice another big profit spike and the cycle starts over. Each major version of Windows competes with its previous version so Microsoft has to differentiate it; make it shiny and new so they can sell it to people who already have perfectly functioning systems. The design of Windows also cripples its ability to work as a rolling distribution. It is too interdependent. It's designed as a big blob of functionality hiding its complexity behind pretty makeup and help wizards. Individual parts can not easily be updated without affecting the spiderweb of other related parts and libraries.
Dropping true user separation in through a service pack would break most running third party software if not other parts of WinXP. Windows is simply not designed to be an ongoing evolving platform through simple patch updates. Each major version is designed as a brand new and separate product inspired by the previous version. Everything within a version is bundled far too closely to allow major changes without affecting seemingly unrelated functions.

AnsuGisalas

What would it involve to fix an OS at the basic level instead of patching? Wouldn't fixing it at the source involve continuously fixing and reinstalling the whole OS as weaknesses are revealed? Is it possible to have an OS that's designed to be reinstalled neatly on top of itself every few months, without an enormous amount of work/costs for owners? Can Windows turn into something like that? One problem is that changing the OSes people are already using isn't really a possibility, unless their makers decide to change them. Meanwhile we still need something to deal with that army of god damned zombies out there...

Neon Samurai

There's a pun in there.. Anyhow, adding third-party band-aids is not working. When the same vulnerability is exploited repeatedly because "patches" for it continue to be applied to the third-party software instead of the system-level problem, the current approach is not working. When Windows security has to be reduced for third-party AV vendors, it's not working. Vulnerabilities need to be considered proof-of-concept to be addressed at the lowest possible level, even if that means reconsidering the OS security model. I think it needs to be fixed at the source rather than continuing to throw on add-on layers of code. It's like making someone prettier by adding more makeup when what they really need is a prettier personality.

JCitizen

I just don't want to see a good member leave. Sorry I stepped on your toes; I really didn't mean it. :) This is why I hate most forums, because of the acid atmosphere. We really do have a higher clientele here, in my opinion. santee will grow on you, I promise! Especially if you like the cerebral type of discourse! Thanks to santee too! =D

AnsuGisalas

I see sarcasm everywhere... maybe it's just the residual radiation from santeewelding? Thanks is not always farewell; I realize that I have to hang around to get the heads-up when the next good tool turns crooked ;)

JCitizen

I doubt anyone's organization here can afford it.

JCitizen

We need good members such as yourself on this forum. The stronger TR is the better it will leave crappy forums like ZDNet behind!

AnsuGisalas

That's probably what I've been overlooking, at least. Optimal security isn't total security; it's "as secure as we can reasonably afford to make it, but no more". I guess the answer is then to just take the effort to build that blended defense... thanks to all you people for all the good advice, BTW; it's been very educational.

JCitizen

finding the replacement app because the vendor is slow to close the vulnerability or refuses to fix it. This has been my goal so far, and I've been successful at it so far. Adobe wants to get lazy!? Fine, we will replace it, and have for many of my clients. Both Flash and Reader!

RU_Trustified

is that a lot of inexperienced coders can put together an app based on a novel idea and throw it out to make money. They don't have to have malicious intent. Someone else can find their buggy code and inject malware without their knowledge, so the owners may not be aware that they have been breached and that their customers are at risk. One sees lots of scanning for Web site or application integrity services popping up, but it may be beyond the realm of the original coders to correct/fix the bug in a timely manner, and they may not want to pull the app if it is making money. Scanning and WAF etc. is incomplete and does not scale easily for applications such as the cloud. It is easy to find vulnerabilities, not so easy to correct them, and there has to be both willingness and expertise in order to do so. What if you find bugs in an in-house custom app that 20 other critical apps have been built on top of? Do you close down for 3 months in the interim? This is the problem of vulnerability-centric security.

JCitizen

, which is why I test utilities for usually two years before I call them a winner. Prevx is the first time I have violated this rule, but it does seem singularly impressive to me. The name seems old; I'd swear this was around in the Win 3.1 DOS days! Smart device apps will definitely be playing catch-up, as they are becoming a new serious power in the web reality. Hopefully not so much a vector!

CG IT

but the gist of the article was, some security experts were doing security scans on apps available for download to smart phones and creating a web site where consumers and business users could go to check on an app. Now while "experts" might say they checked apps and found nothing suspicious, "never trust the other guy and never trust what the other guy says".

JCitizen

since I'm the only one I know that doesn't have an unlimited plan. People here don't even worry about usage limits. I am lucky to live in a desert area with few people and HIGH tech competition. I am very lucky! We built our own company to do everything for communication; almost ALL the money in our association goes out to buy up small communities with failing cable systems, and equipment upgrades. If I'm not mistaken we had fiber and rented it to Sprint long before they did!!! I think this will be the new bot-net, if they are not careful! Thanks CG IT!

CG IT

or even defeating firewalls or even AV. It's about getting a legitimate app with some code in it that gathers information and then sends it out when the phone is connected to the Internet using burst transmission. Very few people keep track of the KBs they use. They just pay the bill. If consumers and business really knew the risks smart devices pose, they wouldn't allow them to be used for any type of sensitive, confidential or trade secret work from a phone. But there are some kids who will.
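As an added illustration of the per-app byte accounting that CG IT says almost nobody does, here is example code written for this edit; it is not from the thread, from NSS Labs, or from any real phone platform. The log format (one line per flow: epoch seconds, app id, bytes out), the app names, the byte counts and the "more than 256 KiB in a one-minute window" threshold are all constructed assumptions; real platforms expose per-UID counters in their own formats.

```python
"""Per-app outbound byte accounting over a constructed mobile network log.

Added example for this edit, not code from the TechRepublic thread.
Assumed log format (hypothetical): "<epoch_seconds> <app_id> <bytes_out>".
"""
from collections import defaultdict

# Constructed sample: a weather app trickling small requests, and a
# notes app that suddenly pushes ~800 KB in two seconds.
SAMPLE_LOG = """\
1300000000 com.example.weather 1200
1300000030 com.example.weather 900
1300000060 com.example.notes 300
1300000065 com.example.notes 420000
1300000066 com.example.notes 380000
1300003600 com.example.weather 1100
1300003660 com.example.notes 250
"""


def parse_log(text):
    """Parse the assumed log format into (timestamp, app, bytes_out) tuples."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, app, nbytes = line.split()
        records.append((int(ts), app, int(nbytes)))
    return records


def totals_by_app(records):
    """Total outbound bytes per app: the 'KBs you use' that nobody looks at."""
    totals = defaultdict(int)
    for _, app, n in records:
        totals[app] += n
    return dict(totals)


def find_bursts(records, window_s=60, threshold_bytes=256 * 1024):
    """Flag apps that send more than threshold_bytes inside a sliding window.

    Returns a list of (app, window_start_ts, bytes_in_window), one entry per
    offending app (the first burst found). A small app that normally sends a
    few hundred bytes and then pushes hundreds of KB is the pattern worth a
    second look; the threshold itself is an assumption, tune it per app.
    """
    by_app = defaultdict(list)
    for ts, app, n in records:
        by_app[app].append((ts, n))

    bursts = []
    for app, flows in by_app.items():
        flows.sort()
        start = 0
        running = 0
        for end in range(len(flows)):
            running += flows[end][1]
            # Shrink the window from the left until it spans <= window_s.
            while flows[end][0] - flows[start][0] > window_s:
                running -= flows[start][1]
                start += 1
            if running > threshold_bytes:
                bursts.append((app, flows[start][0], running))
                break  # one report per app is enough for a summary
    return bursts


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for app, total in sorted(totals_by_app(recs).items()):
        print(f"{app:24s} {total / 1024:8.1f} KiB out")
    for app, ts, n in find_bursts(recs):
        print(f"BURST {app} at {ts}: {n} bytes in one window")
```

The point of the sliding window is that a total alone hides the behaviour: the notes app's monthly total might look unremarkable on a bill, but a single sub-minute push of several hundred kilobytes from an app that otherwise sends almost nothing is exactly the "burst transmission" pattern described above.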

CG IT

I'll have to go back through some of my notes. I think the article was on one of these sites: Network World, InfoWorld, Computerworld or InformationWeek, where some developers and security experts have a site where they go through apps and check the security of the apps. If I can find it again, I'll post it.

JCitizen

in that the iPhone only executes one application at a time, which could slow that device down as a seriously dangerous vector? Of course, I'm mainly talking about second factor authentication using an SMS device.

Michael Kassner

Android has a few malicious apps already. I sense that Apple vets their apps a bit more, but it's still a concern. I don't have a real solution either.

CG IT

and apps with not-so-good code built in are offered for sale from the Cloud providers. Criminals will simply move from consumer PCs to consumer smart devices. The problem is, the smart devices don't have AV and really can't have AV, as the O/S is really firmware. Smart phones use the public worldwide Internet. Data can be sent while connected just like a PC, and criminals can get it through burst transmissions while connected. The Cloud vendors don't care, just like the cell phone service vendors don't care, because they get their monthly money. Buy a bad app and, well, your data from doing banking on your phone or connecting to your company network just went to the bad guys via that app you thought was cool and bought.
