Papers & Articles

ESET Conference Papers

FUD and Blunder: Tracking PC Support Scams By David Harley, Martijn Grooten, Craig Johnston and Stephen Burn. Presented at the Cybercrime Forensics Education & Training Conference in September 2012, this paper looks at the support scam problem from a forensic point of view.

My PC has 32,539 errors: how telephone support scams really work By David Harley, Martijn Grooten, Steven Burn and Craig Johnston. Presented at the Virus Bulletin 2012 conference in September, this is a comprehensive consideration of the ongoing evolution of the PC telephone support scam. First published in Virus Bulletin 2012 Conference Proceedings*

PIN Holes: Passcode Selection Strategies By David Harley. Presented at the EICAR 2012 conference in May, this paper considers common strategies for selecting four-digit passcodes, and the implications for end-user security. Originally published in the EICAR 2012 Conference Proceedings.

After AMTSO: a funny thing happened on the way to the forum By David Harley. Presented at the EICAR 2012 conference in May, this paper looks at how the Anti-Malware Testing Standards Organization might yet retain enough credibility to achieve its original aims. Originally published in the EICAR 2012 Conference Proceedings.

Man, Myth, Malware and Multi-Scanning By David Harley & Julio Canto. The use and misuse of public multi-scanner web pages that check suspicious files for possible malicious content, and why they’re no substitute for comparative testing. Presented at the 5th Cybercrime Forensics Education & Training (CFET 2011) Conference in September 2011

Daze of Whine and Neuroses By David Harley and Larry Bridwell. The Anti-Malware Testing Standards Organization (AMTSO) has shaken up the AV testing world and attracted much controversy. But has it outlived its usefulness? And what is the future of detection testing? First published in Virus Bulletin 2011 Conference Proceedings*

Security Software & Rogue Economics: New Technology or New Marketing? By David Harley. Presented at the 2011 EICAR conference in May 2011, this paper contrasts existing malicious and legitimate technology and marketing, considering ways in which integration of security packages might mitigate the current wave of fake applications and services.

Test Files and Product Evaluation: the Case for and against Malware Simulation By David Harley, Lysa Myers and Eddy Willems. This paper, presented at the 2010 AVAR conference summarizes the kind of problems that arise when simulated malware is used inappropriately in detection testing, with particular emphasis on the history and correct use of the EICAR test file.

AV Testing Exposed By Peter Kosinár, Juraj Malcho, Richard Marko, and David Harley. Considers the good, the bad, and the ugly in comparative testing, and explores how to lie (or even inadvertently mislead) with detection statistics. First published in Virus Bulletin 2010 Conference Proceedings*

Call of the WildList: Last Orders for WildCore-Based Testing? By David Harley and Andrew Lee. Does WildList testing still have a place in testing and certification when dynamic and whole product testing methodologies are now preferred in most testing contexts? First published in Virus Bulletin 2010 Conference Proceedings*

SODDImy and the Trojan Defence By David Harley This paper looks at the implications in the age of the botnet of the “Some Other Dude Did It” and “it must have been a Trojan” defences against conviction for possession of illegal material, especially pornography. Presented at the 4th Cybercrime Forensics Education & Training (CFET 2010) Conference in September 2010.

Antivirus Testing and AMTSO: Has Anything Changed? By David Harley A summary of how the Anti-Malware Testing Standards Organization has developed in the past few years and the way in which the AV and testing industries have responded to those developments. Presented at the 4th Cybercrime Forensics Education & Training (CFET 2010) Conference in September 2010.

Real Performance? By Ján Vrabec and David Harley. This paper objectively evaluates the most common performance testing models (as opposed to detection testing) used in anti-malware testing, highlighting potential pitfalls and presenting recommendations on how to test objectively and how to spot a potential bias. First presented at EICAR 2010 and published in the Conference Proceedings.

Perception, Security, and Worms in the Apple By David Harley, Pierre-Marc Bureau and Andrew Lee. This paper compares the view from Apple and the community as a whole with the view from the anti-virus labs of the actual threat landscape.First presented at EICAR 2010 and published in the Conference Proceedings.

Please Police Me By Craig Johnston and David Harley. This paper looks at the ethical, political and practical issues around the use of “policeware”, when law enforcement and other legitimate agencies use “cybersurveillance” techniques based on software that resembles some forms of malware in its modus operandi. First presented at AVAR 2009 in Kyoto, and published in the Conference Proceedings.

Malware, Marketing and Education: Soundbites or Sound Practice? By David Harley and Randy Abrams. This paper considers the practical, strategic and ethical issues that arise when the security industry augments its marketing role by taking civic responsibility for the education of the community as a whole. First presented at AVAR 2009 in Kyoto, and published in the Conference Proceedings.

Malice Through the Looking Glass: Behaviour Analysis for the Next Decade By Jeff Debrosse and David Harley. This paper considers steps towards a holistic approach to behaviour analysis, using both social and computer science to examine the behaviours by both criminals and victims that underpin malware dissemination.
First published in Virus Bulletin 2009 Conference Proceedings.*

Whatever Happened to the Unlikely Lads? A Hoaxing Metamorphosis By David Harley and Randy Abrams. This paper traces the evolution of email-borne chain letters, from crude virus hoaxes to guilt-tripping semi-hoaxes, and examines both their (generally underestimated) impact on enterprises and individuals, and possible mitigations. First published in Virus Bulletin 2009 Conference Proceedings.*

The Game of the Name: Malware Naming, Shape Shifters and Sympathetic Magic By David Harley. This paper follows up on “A Dose By Any Other Name”, explaining why sample glut and proactive detection have sounded the death knell of the “one detection per variant” model. Presented at the 3rd Cybercrime Forensics Education & Training (CFET 2009) Conference in September 2009.

Execution Context in Anti-Malware Testing By David Harley. This paper explains why comparative test results based on static testing may seriously underestimate and misrepresent the detection capability of some products using proactive, behavioural techniques such as active heuristics and emulation. First published in EICAR 2009 Conference Proceedings.

People Patching: Is User Education Of Any Use At All? By Randy Abrams and David Harley. Presents the arguments for and against education as an antimalware tool, and how to add end users as an extra layer of protection in a defense-in-depth strategy. Presented at the AVAR Conference, 2008.

Who Will Test The Testers? By David Harley and Andrew Lee. Making anti-malware testers and certifying authorities pdf accountable for the quality of their testing methods and the accuracy of the conclusions they draw, based on that testing. First published in 2008 Virus Bulletin Conference Proceedings.*

A Dose By Any Other Name By David Harley and Pierre-Marc Bureau. Tries to answer questions like; why is there so much confusion about naming malware? Is ‘Do you detect virus X?’ the wrong question in today’s threat landscape? First published in Virus Bulletin 2008 Conference Proceedings.*

Testing, testing: Anti-Malware Evaluation for the Enterprise By David Harley and Andrew Lee. Appropriate and inappropriate ways of testing anti-malware products. Presented at the AVAR Conference 2007.

Phish Phodder: Is User Education Helping or Hindering By David Harley and Andrew Lee. Evaluates research on susceptibility to phishing attacks, and looks at web-based educational resources such as phishing quizzes. Do phished institutions and security vendors promote a culture of dependence that discourages computer users from helping themselves? First published in 2007 Virus Bulletin Conference Proceedings.*

Teach Your Children Well – ICT Security and the Younger Generation By David Harley, Eddy Willems, and Judith Harley. Research based on surveys in Belgium and the UK on teenage understanding of internet security issues. This paper was presented and published when I was still working for the NHS, but was later published on the ESET page because of interest in the topic. First published in 2005 Virus Bulletin Conference Proceedings.*

Macs and Macros: the State of the Macintosh Nation By David Harley. This 1997 paper reviews the shared history of viruses and the Mac, summarizes the 1997 threatscape, and considers possibilities and strategies for the future. It was written when I was still working at Imperial Cancer Research Fund (now Cancer Research UK) – actually my first conference paper – but was later made available for its historical interest because so many people asked about it at EICAR 2010. First published in Virus Bulletin 1997 Conference Proceedings.*

*Copyright is held by Virus Bulletin Ltd, but is made available on this site for personal use free of charge by permission of Virus Bulletin.

ESET White Papers (here or here)

These links from the ESET white papers page include only papers I wrote or contributed content to, not those I just edited and/or translated.

Origin of the Specious: the Evolution of Misinformation By David Harley, February 2013. Welcome to the Web 2.0 incarnation of the Misinformation Superhighway. Did you really think that hoaxing had died out?

Online Shopping and a Phishing Pheeding Phrenzy By David Harley and Urban Schrott, October 2012.
Phishing scams old and new, and some ways to recognize the baited hook before you bite off more than you can chew.

Ten Ways to Dodge CyberBullets: Reloaded By David Harley, December 2011. An updated version of the paper “Ten Ways to Dodge CyberBullets”, addressing the question “what are the top 10 things that people can do to protect themselves against malicious activity?”

Hanging on the Telephone By David Harley, Urban Schrott and Jan Zeleznak, February 2011. As if fake anti-virus products weren’t bad enough, nowadays we have unsolicited phone-calls from fake AV helpdesks. ESET researchers tell you pdf about support scams.

Stuxnet Under the Microscope. By Alexandr Matrosov, Eugene Rodionov, David Harley and Juraj Malcho, January 2011. Version 1.31 of a comprehensive analysis of the Stuxnet phenomenon, updated to add pointers to additional resources. This is probably the last update of the document, but further relevant resources will be added to a list here.

Choosing Your Password By David Harley, added April 2010. Some ways of avoiding easily guessable passwords.

Ten Ways to Dodge CyberBullets By David Harley, February 2010. Around New Year it seems that everyone wants a top 10: the top 10 most stupid remarks made By celebrities, the 10 worstdressed French poodles, the 10 most embarrassing political speeches and so on. We revisited some of the ideas that our Research team at ESET North America came up with at the end of 2008 for a “top 10 things that people can do to protect themselves against malicious activity.”

The Internet Book of the Dead By David Harley, January 2010. This paper is a mock interview between Dan Damon, of BBC radio and David Harley discussing the complications of a digital world when someone passes away.

2010: Cybercrime Coming of Age January 2010. The Research teams in ESET Latin America and ESET North America put their heads together in December 2009 to discuss the likely shape of things to come in the next 12 months in security and cybercrime.

Staying Safe on the Internet By David Harley, September 2009. On the Information Superhighway, the traffic signals are always at amber. Here are some suggestions for reducing the risk from collisions and carjacks.

Keeping Secrets: Good Password Practice By David Harley and Randy Abrams, August 2009. Everyone knows that passwords are important, but what is a good password and how do you keep it safe?

Social Security Numbers: Identification is Not Authentication By David Harley, August 2009. Americans are often expected to share their SSNs inappropriately: what are the security implications, and how serious are they?

The Passing Storm By Pierre-Marc Bureau, David Harley, Andrew Lee, and Cristian Borghello, February 2009. The Storm botnet may have blown itself out, but its legacy remains. This paper places Storm in the context of botnets in general, examining its technical, social, and security implications.

Common Hoaxes and Chain Letters By David Harley, May 2008.
A paper that describes some of the commonly-found lies and half-truths that continue to circulate on the Internet, and discusses some ways of identifying them.

Net of the Living Dead: Bots, Botnets and Zombies By David Harley and Andrew Lee, February 2008.
Describes the botnet phenomenon in detail: its origins and history, current trends, and what you need to do about it.

The Spam-ish Inquisition By David Harley and Andrew Lee, November 2007. A detailed overview of spam, scams and related nuisances, and some of the ways of dealing with them.

A Pretty Kettle of Phish By David Harley and Andrew Lee, July 2007. Understand and avoid the attentions of phishers and other Internet scammers.

Heuristic Analysis – Detecting Unknown Viruses By David Harley and Andrew Lee, March 2007. A detailed analysis of the differences between traditional threat-specific detection and proactive detection by generic detection and behavior analysis.

The root of all evil? – Rootkits revealed By David Harley and Andrew Lee, September 2006. This paper describes and de-mythologizes the rootkit problem, a serious but manageable threat.

Advertisements