Mac Malware

You may be aware that I have a long-standing love/hate relationship with the Mac community (love Macs, hate the maulings I get whenever I comment on Mac security: somehow I keep forgetting that Macs are 100% secure and Mac users are 100% more intelligent than Windows users. Sigh…)

If you have an interest in Mac issues, you might find my Securiteam blog interesting. Or not.

AVIEN Guide published

Good day to you, my loyal readers.

How are you both?

It’s been a long time since I posted anything here, which doesn’t mean nothing has been happening (too many things have been happening!)

The “AVIEN Malware Defense Guide for the Enterprise” was published in the US by Syngress early in August, 2007. This is a major publishing project I put together with AVIEN (Anti-Virus Information Exchange Network) and AVIEWS (Anti-Virus Information and Early Warning System) members. It will be published in the UK in early September. Read more on the book’s own web site here. Some of the authors will be at Infosec New York (11th-12th September) signing copies at the ESET stand, and at the Virus Bulletin conference in Vienna later in September (where Andrew Lee and I are presenting a phishing paper, by the way).

I also got somewhat irritated by a poor, misleading comparative test of antivirus products presented by Untangled.com at the Linuxworld expo: so irritated that I put a white paper here and a blog entry at Technet on the subject of testing. This is probably not the last you’ll hear of this from me.

Talking of AVIEN, as of 15th August I became the interim Administrator there. Essentially, my job is to keep order while the membership decide whether they want to change the structure of the organization. More about that on the AVIEN site in due course.

TV and Security

I don’t usually do the “letter from an angry reader” thing. However, a few weeks ago the UK’s Radio Times (a TV and radio listings guide published by the BBC) printed a programme listing that yanked several of my chains (as a writer/editor, but also as a security person), so I wrote to their letters page. I did get a response saying that someone else had pulled them up on the same issue, but they didn’t print it. So I’m taking up (and slightly modifying) a suggestion from Gadi Evron and blogging it. 🙂

‘I was surprised to read in the Radio Times that an NCIS episode screened on 16th February 2007 was about something called “highly secret de-incription software.” I did wonder whether this was a typographical misreference to a new product for removing virtual inscriptions. However, when I saw the episode in question, it turned out to be a reference to cryptographic software.’

‘Perhaps you could let your sub-editors know that the process for encoding or enciphering things is usually called encryption, not incription? The process of deciphering or decoding is decryption, not de-incription, or even de-encryption.’

‘In fact, perhaps the Radio Times could give programmes dealing with computer security some sort of “Grumpy Old Security Geek Health Alert” icon? That way, those of us who have to work with this stuff, and who get irritated by programmes misusing security concepts and jargon, can avoid raising our blood pressure by reading a historical novel instead.’

Since most of the people who publish and read my stuff are in the USA, maybe I should explain my ambiguous usage of the spellings “program” and “programme.” Like most vaguely techie people over here, I obstinately continue to use the UK English spelling “programme” for a TV or radio broadcast, a printed concert brochure, and so on, but use the US spelling when referring to code. (And yes, I do use disk for computer media and disc for everything else that requires me to refer to something flat and circular.)

Except that when I originally sent this mail to the Radio Times, I had some kind of a psychoneural blip and used both spellings in different places to refer to a broadcast. Well, as Emerson said, “a foolish consistency is the hobgoblin of little minds.” But perhaps RT were keeping me on the straight and narrow. And those who live in glass houses should check their own spelling when writing grumpy letters about other people’s…

Knowing your limitations

Rob Rosenberger first came to my attention with a web site which was one of the standard resources on virus hoaxes for a while. In particular, I owe him for introducing me to the concept of ultracrepidarianism (he calls it “False Authority Syndrome” [1]), a neat illustration of the dangers of speaking “authoritatively” about matters in which you’re not competent.

For a good while he’s been sending out his “What’s New” newsletter, giving out his version of the “Truth about Computer Security Hysteria” [2]. Like many others, I’ve been entertained (and sometimes irritated) over the years by his idiosyncratic observations on the security industry in general, and antivirus companies in particular. Not to mention his rants about politicians, business grandees and anyone else in danger of inserting one or more of their feet into their mouth.

In his 5th February 2007 issue, he turned his attention to a report on the Kaspersky Labs web page [3] on cyber-crime, written by virus analyst Yury Mashevsky. He criticized it on the following grounds:

  • There’s no indication of how Kaspersky compiled the statistics on which Mashevsky based the figures in the report. This is true: the source is simply given as Kaspersky Labs. Since Kaspersky are a major antivirus/antimalware vendor, I presume they got their data the same way that other vendors do: by analysing reports from their customers, automated software reports, captured data from honeypot systems and so forth. I suppose it would be nice if they’d said so, but I for one am not about to ask them for access to the data so that I can check it personally.
  • Figure 1 shows that “Previously unknown malicious programs are multiplying at an exponential rate…”, supported by figures from 2001 to 2006. This does, Rosenberger says, suggest that “malicious software authors will be the single largest producers of software by 2014”. It isn’t quite clear from the text in his newsletter that this is Rosenberger’s extrapolation, not Mashevsky’s. Still, perhaps the word “exponential” wasn’t altogether the right choice in this context.
  • That Mashevsky “fails to explain” why a “virus analyst” is qualified to comment on cyber-crime trends. Actually, the trends being described relate largely to malware trends, so I’m not sure why his job title is a problem. And if Rosenberger had checked his biography on the web site, he’d have found that Mashevsky’s PhD dissertation was on information security, and that his job history includes information systems security development, working on information theft and unauthorized analysis. [4]

Rosenberger informs us that he would grade the report as an undergraduate assignment “between a ‘B-’ and a ‘C’”.

I’m not sure how this maps to the UK education system, Rob, but if I was going to grade your article, it would probably be as somewhere between a D and an E. But it would be a little presumptuous, not to say condescending, for me to do that. Even worse, as I’m not a teacher, that would be pretty close to ultracrepidarian, wouldn’t it? So is there any chance of your explaining what teaching qualifications you have?

[1] http://www.vmyths.com/fas/fas1.cfm
[2] http://newsletter.SecurityCritics.org/
[3] http://www.viruslist.com/en/analysis?pubid=204791915
[4] http://www.viruslist.com/en/weblog?chapter=153345573