Monday, April 11, 2011

UK EMEA Lab Notes - March 2011 - Ian Hyndman

The WildList
The WildList was invented in 1993, when computer viruses were starting to become a problem. Back then viruses were simple things and were relatively easy to contain.

The WildList is a compilation of sample viruses that have been submitted by security professionals from around the world. It is published each month to a select group of subscribers. Contributors can be any security professional, but the sample must be submitted by at least two respected sources before it will be included in the list.

As you might imagine, not everyone has the capacity to harvest and identify malware, so the majority of samples on the lists naturally come from anti-virus vendors. And it is undoubtedly a good thing that these vendors participate; they see far more new threats than anyone else.

In the industry, the timing of submissions to the WildList is an issue that causes heated discussion because many people believe that samples may be withheld from the list until the vendor has a solution in place. By submitting samples only after a solution has been prepared, a competitive advantage is created for the vendor.

My point, however, relates specifically to malware testing, and the broad impact of this delay on testing practices.

Because the samples are typically about a month old by the time they are published, using the WildList as the basis for real-time or real-world scenario testing is flawed. The WildList is effectively a month out of date compared with the real world, and two or more of the participating vendors may already have fixes in place for the viruses listed.

An article by Trend Micro states that new threats are now emerging at the rate of one every 1.5 seconds, and as such, testing methodologies should be looking at change to keep up.

I’m not suggesting that the WildList should be done away with. Many highly respected companies use it and contribute to it in good ways, and it’s an effective industry tool, but I believe that it would be better used as a regression tool rather than a front line tool – for testing purposes.

Quality over Quantity
One widely used method of malware testing is to select a 50,000-sample repository and run it against the product under test. These results may give some really good marketing outcomes – think: “This product detected 49,995 out of 50k samples.” But the real question that should be asked is: of those 50,000 samples, how many are target specific?

If I am running a test on a Windows 7 64-bit OS, are there samples in my list that are designed specifically to circumvent flaws in Windows 2000? If so, what benefit did that test hold in my scenario? One hundred samples that are known to target Windows 7 would give greater credibility to the results than 40,000 random samples.
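As an added illustration of the two points above (this is example code, not code from the original post or from Enex TestLab), the script below scores one constructed detection run three ways: the headline rate over every sample, the rate over only the samples known to target the test platform, and the rate over on-target samples first seen within the last month. All sample labels, platforms, dates and detection outcomes are constructed for the example.

```python
"""Added example: scoring a detection test by sample relevance, not raw count.
All sample identifiers, platforms, dates and detection outcomes are constructed."""
from dataclasses import dataclass
from datetime import date, timedelta

TEST_DATE = date(2011, 3, 15)  # constructed date of the test run


@dataclass(frozen=True)
class Sample:
    sample_id: str        # constructed label, not a real hash or indicator
    targets: frozenset    # platforms the sample is known to affect
    first_seen: date      # when the sample was first observed in the wild
    detected: bool        # whether the product under test flagged it


def build_inventory():
    """Constructed 60-sample repository mirroring the post's argument:
    40 stale Windows 2000 samples every product catches, 10 Windows 7
    samples about two months old (fixes long since shipped) and 10
    Windows 7 samples from the last ten days, four of which are missed."""
    inventory = []
    for i in range(40):
        inventory.append(Sample(f"legacy-{i:03d}", frozenset({"Windows 2000"}),
                                TEST_DATE - timedelta(days=400 + i), True))
    for i in range(10):
        inventory.append(Sample(f"aged-{i:03d}", frozenset({"Windows 7 x64"}),
                                TEST_DATE - timedelta(days=60 + i), True))
    for i in range(10):
        inventory.append(Sample(f"recent-{i:03d}", frozenset({"Windows 7 x64"}),
                                TEST_DATE - timedelta(days=i), i % 5 >= 2))
    return inventory


def count_detections(samples):
    """Return (detected, total) for a list of samples."""
    return sum(1 for s in samples if s.detected), len(samples)


def rate(detected, total):
    """Detection rate as a fraction; 0.0 when there is nothing to score."""
    return detected / total if total else 0.0


def score_test(samples, platform, test_date=TEST_DATE, max_age_days=30):
    """Score the same test run three ways.

    headline:               every sample, the number marketing quotes
    target_specific:        only samples known to target the test platform
    target_specific_recent: on-target samples first seen within max_age_days,
                            i.e. the threats a user of that platform faces now
    """
    on_target = [s for s in samples if platform in s.targets]
    recent = [s for s in on_target
              if 0 <= (test_date - s.first_seen).days <= max_age_days]
    return {
        "headline": count_detections(samples),
        "target_specific": count_detections(on_target),
        "target_specific_recent": count_detections(recent),
    }


if __name__ == "__main__":
    # Same product, same run: 93.3% headline, 80.0% on target, 60.0% on current threats
    for label, (hit, total) in score_test(build_inventory(), "Windows 7 x64").items():
        print(f"{label:24s} {hit:3d}/{total:<3d} = {rate(hit, total):5.1%}")
```

Widening `max_age_days` to 90 pulls the two-month-old samples back in and the on-target rate climbs to 80%, which is the WildList effect the post describes: month-old samples that vendors have already fixed flatter the score.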

The Wild
As the Trend Micro article (plus many others) shows, the rate of change for threats is always increasing. If the rate of threat increase is as high as one every 1.5 seconds, the industry needs to look at how it can protect the consumer in the shortest possible time. The consumer needs to know that the anti-malware vendors are looking at providing protection against the threats of right now, rather than against threats found a month ago.

Refreshingly, there has been a shift in emphasis from some vendors. They have started to look at the threats’ behaviour instead of the signatures. This is a great step forward because a Trojan (for example) will always be a Trojan and display certain characteristics as it tries to execute on the system - even if the vendor doesn’t have that particular sample on file.

(I accept that this does raise questions about some of the latest worms being able to change themselves to hide and avoid detection, but for this discussion I’m generalising about the majority of threats, not selected exceptions).

Malware testing
Regardless of the method used, any malware test can only be considered a snapshot in time. A product only passes a specific test at a specific point in time. By the time the test report is generated, hundreds of new threats have found their way into the wild.

The best way of truly gauging how a product copes in the wild is to keep it running. Continuous testing over a sustained period will give a much better indication of the product’s capabilities. No one product is going to come out on top every day. Different products have different strengths and these will depend on the threats that are targeting that particular machine at that particular time.

This is just one option from a host of possible methodologies. No single test can be definitive for all scenarios, but I do feel that, with the new breed of threats on the horizon, we need to move away from using the WildList as the only testing benchmark.

What should the new benchmark be? Answers on a postcard please…

Australian Lab Notes - March 2011 - Steve Turvey

2012: the year of the CME!

I caught one of my kids watching the disaster movie 2012 the other day. The professional in me considers this film to be scientifically the shonkiest movie since “The Core”, but it’s an awfully entertaining flick thanks to its over-the-top special effects. The disastrously rendered scenario for 2012 was that the Sun suddenly started spewing out “mutated” neutrinos (stop sniggering) that subsequently heated the Earth’s mantle, triggering bedlam.

At about the same time I noticed a little news item: the year 2012 is actually forecast to be a particularly nasty year for solar flares and Coronal Mass Ejections (CMEs). CMEs have been in the news quite a bit lately, but attract little interest from most of us. No doubt they are closely followed by the inevitable doomsdayers warning “the end is nigh”. So what’s the truth? Is there any risk?

Actually, yes! While suggesting CMEs will return us to the Iron Age may be a bit of an overstatement, it turns out that big CMEs are indeed the bane of modern technology.

A CME is, in effect, a large storm in space. This storm comprises radiation and fast-moving, charged particles that can disrupt the earth’s magnetosphere, which is effectively our protective force field against nasties such as cosmic radiation (of which a colourful side effect is the Aurora or Northern/Southern Lights caused by radiation crashing into the upper atmosphere).

Some of you might recall that in 1989 a large chunk of Canada was plunged into darkness when a strong CME (though by no means the largest that Earth has experienced) struck. It instantly overloaded Canada’s power grid, burning out transformers all over the place. What is perhaps less well known is that back in 1859 a much larger CME than the one that hit Canada seriously interfered with the newly invented telegraph, shorting it out and starting many fires. That CME was so powerful that the Northern Lights (usually only seen in Canada and the northern USA) were visible as far south as Cuba.

Had the 1859 event occurred today, it would have found more than a basic telegraph network to wreak havoc upon.

To put this in perspective, most electronic equipment is (hopefully) designed to withstand a typical or average CME (based on the last 100 years or so). However, the 1859 event was much larger than anything we’ve experienced in the last 100 years. And there are geological records that suggest the 1859 event is not a one off. Equivalent or larger events have occurred at quite regular intervals in the past.

So if we are hit by a large CME, what should we expect other than a pretty light show in the sky over Brisbane?

Assuming the CME doesn’t wipe out GPS satellites entirely, the old joke about your GPS guiding your car into a lake is highly likely. For quite a few days the signals from satellites will be incorrect and positioning on your GPS will be very inaccurate. Of course, if the event is powerful enough, your car’s own GPS unit could be fried too, along with your car’s engine-computer and any other electronic gizmos on board. You probably wouldn’t be driving anywhere. So add to that list, cell phones - forget them, landlines - ditto, TV - probably fried as well.

A CME, if it’s large enough, can punch right through our magnetosphere and will fry any electronics on the ground, not just the satellites outside our atmosphere. A large CME can also seriously deplete the Ozone layer. In extreme cases the solar wind, which is no longer impeded by our magnetic field (a tangled mess until it reforms), can strip away part of the atmosphere.

There are probably a few of you thinking this could be a good thing: back to the good old days, reading a book. But I think you would be in for a shock. With no electricity you no longer have your washing machine, so boiling water over a wood fire and scrubbing your smalls by hand is something you’d quickly grow to loathe. No microwave, no electric kettle, no fridge and no electric cookers - the list of life’s true essentials goes on. It would potentially take quite some time to get the power grid up again because no-one has large stocks of transformers sitting around for this scenario.

Interestingly, our sun is one of the most well-behaved stars observed by astronomers. Other stars in the same class as our sun have been observed to produce CME events millions of times more powerful than our gentle star. CMEs of that magnitude would mean extinction events: forget cell phones, it’s us that would be fried.

Friday, April 8, 2011

Introducing Enex TestLab Security Testing Division Advertisement

Enex TestLab is moving forward on its marketing strategy, producing this advertisement to highlight our independent security testing services.

Sunday, March 20, 2011

UK EMEA Lab Notes - January 2011 - Ian Hyndman

The pitfalls of social networking

Social networking sites are big at the moment. Almost everyone I know has at least one account - whether it’s Facebook, MySpace, Twitter or any of the multitude of other options. Social Networking sites are a fantastic idea and offer something to all types of users.

This new craze has allowed old friends who live on different sides of the world to get back in touch. Friends who live next door are, of course, even using them to chat instead of using the phone (or getting off the settee to visit).

While these sites have been provided by reputable companies who are doing all they can to ensure online safety, there are still dangers that everyone should be aware of when using social networking sites.

A vast number of social site users are more than happy to enter all their information into the ‘about you’ information fields on these sites. “I had to log in - it’s safe isn’t it?” Well, the new friend you made using that chat application last night can now see everything about you - name, address, date of birth, next of kin, etc. Incidentally, this is all the information needed to open a bank account; do other people really need to know all this about you?

A big problem that appeared a couple of years ago was that people were putting all this personal information on their profiles, then broadcasting upcoming family holidays through their status updates and were returning home to find they’d been burgled.

Identity theft is not the only pitfall. Malware has been specifically designed to exploit social networking sites. How many times have you had an email from your friends’ social network account asking if it really is you in the office party video?

Or perhaps a video link tells you that you require a Flash upgrade, but instead of installing any upgrade it installs the Koobface worm. The fun part about the Koobface worm is that it sends messages to all your contacts (making you very popular) as it tries to infect their systems as well.

It is not only individuals that can fall prey to the pitfalls of social networking; businesses have seen the problems too.

As people become more obsessed with social networking sites, gaming with their friends on Mafia Wars or Zombie applications, businesses have started to feel the strain. Employee productivity plummeted and the increased usage often strangled corporate bandwidth. Most companies have now banned these sites.

Social networking sites are not bad for companies per se; they can be used as a great promotion and engagement tool.

Social networks have also caused their share of curly management issues, such as employees ringing in sick and then updating their Facebook status to claim the mother of all hangovers. Awkward if you’ve forgotten you added your boss as a friend.

All in all, social networking is a good thing – a great thing. It has opened up the internet and communication in a whole new way. The thing to remember is to always be mindful of what information you put out there for the world to see. While most people are mostly nice, there are others that will have ulterior motives and the internet offers enormous reach for those that are hunting.

Australian Lab Notes - February 2011 - Steve Turvey

Grumpy old Men and the “Good old days”

I’m sure it’s a law of nature that the older generation always laments the good old days. I’m sure we inevitably view the up-and-coming younger generations to be in some way inferior and spoilt when compared to ourselves.

Monty Python summed it up perfectly in their Four Yorkshiremen comedy sketch when, each explaining how they once had it tough, one man claims to have “lived for three months in a paper bag in a septic tank”; the full transcript is worth a look.

In some ways, sadly, I have to agree - but, and it’s a big BUT, the blame lies squarely at our own feet!

I look around at kids today, especially those in early primary school with mobile phones - in 99 percent of these cases I’ll argue it’s a load of tosh that these kids have a phone for their “own security”. These children have phones because somewhere along the line one kid who really needed one brought it to school, and it quickly became a “must have” status symbol with the other kids.

One of my own kids, at the grand old age of 8, was complaining that everyone else had one. He was called “lame” and other less kind words because he didn’t have one yet.

The list goes on, of course. If you don’t have a PS3 or Wii, you’re lame. If you have Target-brand runners rather than Nikes, you’re lame. If you don’t have customised handle bars on your scooter and some sort of branded hat, you’re lame as well.

I constantly come back to the fact that these kids would have no impetus, and would not even ask for any of this stuff, if no parents bought their kids this stuff.

And the problems that go with this new technology-driven stuff have become a lot more complicated. Bullying is no longer just physical; now it’s via TXT, Twitter and Facebook. It goes outside the school yard and reaches right into the home, 24 hours a day. It’s well documented how much teenagers struggle to manage their digital persona, let alone an 8 or 10 year old who is far more emotionally immature.

I’m concerned that in a bizarre way, we are actually dumbing down our kids. Sure they will be wizards with computers and electronic gizmos, but I’m suspicious they might not have an opportunity to develop simple patience and imagination. How often have you heard a kid say “I’m bored”, and your suggestion that they read a book or go outside to play is met with “you’ve got to be kidding”.

I know how this sounds, but I’m adamant that reading a book or playing outside with imaginary space aliens does in fact fire up and develop a child’s imagination, creativity and flexibility. It’s something I feel is lacking in many children. A great example is the average car trip made without an iPod or a DVD player. So many kids today are bored out of their brains. What happened to the skill of just looking out the window and imagining?

Personally, I make an effort to spend time with my kids and try to manage the time they spend in front of the TV, PC, Wii and other gadgets. Thankfully, it has now reached the point where they can self-regulate and choose to play outside on their own. They also now read and can happily sit in a car on a long trip, enjoying the scenery and their own musings.

I know this all sounds like a case of “when I was young”, but the point is that amongst the vast benefits of technology are many less obvious drawbacks. When the impact of technology is social, and when it affects our children during such formative years, the cause for care and careful parenting just has to be greater.

Australian Lab Notes - January 2011 - Steve Turvey

As I await the paperless office, a prediction that was made decades ago, my desk remains stacked high with paper documents. Another similar prediction also rings in my mind - print is dead. It’s not, but the evolution of consumer computing from devices such as the iPad and Kindle has made inarguable steps towards this end.

Now I love reading, and I do have a respectable library at home. But it is finite, it is full to overflowing and certainly has no Tardis-esque capability. I won’t be able to fit any more books on its shelves, so I’ve joined the movement and purchased the latest Kindle.

I love reading a physical book. If it’s good I will re-read it several times over the years, but the Kindle is smaller, lighter and can hold up to 3500 books. That’s quite an impressive library right there in the palm of your hand.

I’ve also been playing around with an iPad (more on that later) but it is the size, weight and display that favours the Kindle. The display is really the clincher; the electronic ink display is wonderful and, quite frankly, it does look like a printed page. My only criticism, and it’s a small one, is that the background is not as white as paper, so contrast is not as good. Then again, many of my older novels are yellowing so much that they are far worse than the Kindle’s display – perhaps it’s just a preference.

In bright light the Kindle’s display is perfectly readable, providing you don’t hold the screen so as to actually reflect the light. iPads are great indoors but in strong light or outdoors, its readability is quite poor. Of course, the iPad is much more than a simple book reader.

While the Kindle might save trees, the iPad has the potential to save forests given its enormous potential.

Both the Kindle and the iPad can be used pretty much anywhere; the Kindle, in particular, has great battery life (you could take it on a camping holiday for a couple of weeks and not need to charge it). If it’s a book, PDF or other document, the Kindle has you covered and, I would argue, it is just as easy to use as a sheet of paper. The iPad, while not as simple and convenient as the Kindle, covers more bases. The iPad gives you the majority of PC and Internet resources in an eminently usable form factor.

Why do we really print documents when we are simply going to read them? Probably because paper is always available, always reliable, light, and can be taken anywhere. Certainly there are still many reasons to print, but the Kindle and iPad are chipping away at them.

I have found, of late, that I’m constantly using the iPad - what’s on TV next? Look it up on the iPad. Need to read a proposal document? Straight to the iPad (no need to print). Wondering where Olympic Dam is? Forget the atlas, the iPad is faster and not only tells you where in SA you would find Olympic Dam, but all the background detail and how to get there.

With the increasing usefulness of portable devices such as the iPad and Kindle, maybe some of our forests will get a stay of execution, but I have no doubt that as sales of these devices grow, another part of our environment will be impacted.

UK EMEA Lab Notes - February 2011 - Ian Hyndman

PCI Compliance In The UK

Hands up anyone who still uses cash for most of their purchases? Hmm, very few.

Nowadays the majority of people pay for everything by debit or credit card. Paying by card is so easy that you can walk in to a corner shop, pick up a couple of chocolate bars and use your card. The ability to walk around without having to worry about cash or change is a great feeling. As anyone will testify, when you don’t need a cash machine they’re everywhere, but when you do need a cash machine…

With all this new found freedom and everybody willing to swipe my card, are my details safe?

The banks and card providers have been asking the same question and, as a result, have come up with PCI Compliance. PCI stands for Payment Card Industry, and every single business that takes payment by card will have to become compliant. That’s right, not just the Amazons and PayPals, but your local take away and corner shop as well. Everyone will have to be compliant.

Why?

The banks and card providers are fully aware of problems such as customers’ card details being sold or stolen. For this key reason (and many others) PCI regulations have been brought in to ensure that any company holding card data has proven - through audits - that the data they hold is secure. As it currently stands, we consumers don’t know if a company has a secure server behind a firewall or whether the data is simply held on the store owner’s home computer - with a weak password. The banks and card providers are hoping that these measures will mean consumers have the confidence to use their cards. This is a problem that these organisations are taking very seriously. If consumers don’t have faith in using their cards safely, they just won’t use them.

When?

The original deadline set for all businesses to become compliant in the UK was September 30th 2010. The aim was to ensure Level 1 businesses were compliant first, and then all other level businesses meet compliance thereafter.

A Level 1 business refers to Amazon-type companies with over 6 million transactions annually. At the other end of the scale are Level 4 businesses: local shops with fewer than 20,000 transactions annually.

In September 2010, Tripwire published a white paper that revealed the readiness of UK businesses for compliance. Below are the key findings from that report.

KEY FINDINGS

• Only 12% of United Kingdom (UK) organisations processing credit and debit cardholder data are currently certified as being PCI compliant.
• 58% of Level 1 merchants have been audited and certified as compliant. This falls to 6%, 8% and 4% for Level 2, 3 and 4 organisations.
• Over half (57%) of retail organisations admit to not fully understanding the requirements of the Payment Card Industry Data Security Standard (PCI DSS).
• Brand awareness and fear of reputation damage is a significant driver for achieving PCI compliance.
• Over three quarters (77%) of organisations have had no difficulty in securing funding and resources to ensure PCI DSS requirements are met.
• 88% of organisations have senior management on the PCI DSS team or working group — a figure that is 100% for Level 1 organisations.


Whilst there is currently a shortfall in compliant businesses, the vast majority of these see PCI compliance as an improvement and have gained the necessary funding to implement it. They have seen what can happen to large corporations such as RBS WorldPay and TJX, who both lost vast amounts of card data through breaches, and understand how PCI compliance can improve their security.

This can only be good news for us as consumers, as we need to trust that our data is being stored securely.

Australian Lab Notes - December 2010 - Steve Turvey

Ever since watching the children’s cartoon The Jetsons as a child, I have always wanted a video phone. (Truth be told, I have always wanted my own robot and a flying car that folded into a suitcase too.) We have been living and working with video phones for quite a while now in the form of video conferencing units and, of course, 3G video-capable mobile phones.

As much as spin doctors at Apple Inc. would like us to believe otherwise, we have had the option of video calls on our mobile phones way before the iPhone 4. While the iPhone video call is undoubtedly better quality than a 3G video call, the iPhone actually cheats and places the call over any available local wireless access point and the internet. Essentially the iPhone is a hand held video conferencing unit.

We were recently testing dedicated video conferencing units at the TestLab. The reason we spend large sums of money on such technology is that there are sound business reasons for doing so. We would not go to the great trouble of face to face meetings if there was not such value in the relationship, in the expression and in the nuances that face to face conversations convey.

There is simply no way most of us would negotiate a pay rise, undertake a job interview or purchase a new house over the phone. Why? Simply because we are at a great disadvantage if we cannot be there to read the relationship we carry out with the other party.

Coincidentally, while musing over such drivers of video phone calls, there was quite a stir in the media regarding the wearing of religious garments in public, in particular the Burqa. The French were discussing the possibility of banning the garment, and a similar debate emerged in Australia concerning the moral, religious and security issues of the veil. I was fascinated by the arguments for and against the Burqa. They range, of course, across religious, cultural, sexual and individual grounds, but the one most relevant to this particular discussion was about its impact on a security-minded world. The argument follows that if you have to remove a motor cycle helmet in the bank or airport (it is a form of disguise concealing the identity), the Burqa, religious ramifications aside, also plainly hides the wearer’s identity in much the same way.

It’s not my place to decide on what is appropriate. But it does amuse me somewhat that my dream of a Jetsons-esque science fiction future, one that is becoming a fantastic reality through high quality video conferencing technology, is still impacted by thousand-year-old culture and tradition. Even so, I’m confident that video communication, with or without a Burqa, is still a science fiction milestone.

Monday, January 31, 2011

Enex TestLab Corporate Video

UK EMEA Lab Notes - December 2010 - Ian Hyndman

Even More Reason to Get Protection

Most modern day cyber attacks tend to target organisations and governments with the explicit purpose of stealing information and causing disruption. As a consequence, governments have had to reassess their stance on cyber crime, and many are attempting to tackle the problem directly.

In the latest budget, the UK government announced an estimated £500 million will be made available to help fight the war on cyber crime. This is a substantial allocation, suggesting that cyber crime is a bigger problem than the average person might be aware of. It is refreshing to see that the threat is being taken seriously.

Recently, Symantec and Websense (among many others) have announced that they expect an increase in attacks during 2011. This has been backed up by the UK’s intelligence centre (CESG), which says it has seen a massive rise in the number of attempts made to infiltrate UK government and industrial targets over the past year.

The types of attacks occurring are very advanced, with viruses/worms such as Zeus, Aurora and Stuxnet deliberately targeted at infiltrating businesses and key infrastructure.

This malware is specifically designed to hide from detection devices and software, making it significantly harder to manage. It also mutates into different strains, allowing it to survive far longer in the wild. The Stuxnet worm is said to be one of the most advanced pieces of malware seen to date: a sophisticated worm with the ability to actually change its code and hide those changes afterwards. Currently, this type of technology infects thousands of computers worldwide. The sort of cyber attacks seen in sci-fi films through the 80s and 90s really may be becoming a reality.

Last month (November 2010) the UK Intellectual Property Office was hit by a cyber attack which took down its website and services for several days. It was almost certainly a targeted attack due to the ferocity and damage it caused. And this is but one of the many attacks that take place worldwide on a daily basis.

Most of the current targets are generally big business and government - organisations that hold information worth a lot of money. But, as this kind of malicious technology spreads, my fear is that it will begin to be used against any company holding useful data – big or small. Even a list of email addresses can be valuable to the right customer.

To combat such attacks, all businesses have to enforce strict security policies. That isn’t to say they need to have expensive equipment, but they do need to ensure that all employees are being vigilant. A good security policy should contain instructions on acceptable internet use along with guidance on the correct use of memory sticks and personal equipment brought in to the work place. Nothing should be plugged in to a PC that hasn’t been virus checked.

One of the most important defences against attack is to ensure that all PCs, workstations and servers are fully patched with the latest security updates (operating system and anti-malware solutions). Usually, it is vulnerabilities in operating systems and security that most attackers look to exploit.

Even though malware is becoming more advanced, the best ways to combat it continue to be much the same. It is probably true that the Stuxnet worm outbreak was caused by unchecked laptops and memory sticks being used on the corporate network.

If users are vigilant (scan all files before opening, don’t open email attachments from unknown senders, and keep the anti-malware solution up to date) they are about as safe as they can be whilst still being connected to the internet.

Just like anything in the world of IT, malware is evolving. It is always up to users to ensure they take the precautions necessary to safeguard themselves until anti-malware vendors catch up with what’s being found in the wild.