
Posts Tagged ‘anti-virus’

Old Mac Bloggit isn’t really a grumpy old man…

January 2, 2013

…he’s really a rather nice young chap. But he’s certainly feeling a bit peeved right now, and with some reason. He’s upset about the unquestioning articles in the New York Times (31 December) and the Register (1 Jan) discussing a new report by Imperva. Actually, I discussed it in Infosecurity Magazine on 28 November.

Imperva concluded that anti-virus products are not that good (“The antivirus industry has a dirty little secret: its products are often not very good at stopping viruses,” says the NYT). Imperva’s proof is that VirusTotal (an online collection of AV engines) failed to block many of the 0-day viruses it threw at it. What I said in Infosecurity was that “the real value of VirusTotal is in allowing users to check whether a suspect file is actually malware – it was designed to check malware, not to check AV products.”

Mac Bloggit doesn’t have to acknowledge the niceties of journalism, and can be more succinct. “Perhaps the NYT would care to look up the terms heuristic analysis, behaviour blocking, sandboxing, behaviour analysis, whitelisting, integrity checking, traffic analysis, and emulation, among other approaches that a security program might use to detect possible malicious activity.” His point, and he has a point, is that VirusTotal does not and cannot measure the efficiency of these parts of AV products. The fact that Stoppem Anti Virus on VirusTotal doesn’t detect the latest virus doesn’t mean that Stoppem Anti Virus on a PC won’t detect and/or block the very same latest virus.
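To make concrete why a content-only verdict understates what a layered product does, here is an added illustration (not code from this blog or from any AV vendor). It uses a constructed toy signature database and a constructed list of observed actions; a real product would gather those actions from an emulator, sandbox or run-time hooks:

```python
import hashlib
from typing import List, Optional, Tuple

# Constructed "known" sample and the two kinds of static signature a scan-only
# service can match against it: an exact file hash and a byte pattern.
KNOWN_BAD = b"MZ\x90\x00" + b"\x00" * 16 + b"DROP_AND_RUN" + b"\x00" * 8
HASH_SIGS = {hashlib.sha256(KNOWN_BAD).hexdigest(): "Trojan.Example.A"}
PATTERN_SIGS = {b"DROP_AND_RUN": "Trojan.Example.A"}

# A trivially re-packed variant: the tell-tale string is XOR-obfuscated, so the
# bytes differ, but what the program does when run is unchanged.
VARIANT = KNOWN_BAD.replace(
    b"DROP_AND_RUN", bytes(b ^ 0x5A for b in b"DROP_AND_RUN"))

# Constructed behaviour trace: what an on-host monitor would observe.
Action = Tuple[str, str]
OBSERVED_ACTIONS: List[Action] = [
    ("read", "own_image"),
    ("write", "autorun_key"),      # persistence
    ("create_process", "shell"),   # drops and runs a payload
    ("net", "beacon"),             # calls home
]
SUSPICIOUS = {("write", "autorun_key"), ("create_process", "shell"), ("net", "beacon")}


def static_scan(sample: bytes) -> Optional[str]:
    """Content-only check: the layer a VirusTotal-style scan exercises."""
    digest = hashlib.sha256(sample).hexdigest()
    if digest in HASH_SIGS:
        return HASH_SIGS[digest]
    for pattern, name in PATTERN_SIGS.items():
        if pattern in sample:
            return name
    return None


def behaviour_scan(actions: List[Action]) -> Optional[str]:
    """Behaviour-blocking layer: flags a sample that performs two or more
    suspicious actions, regardless of what its bytes look like."""
    hits = [a for a in actions if a in SUSPICIOUS]
    return "Suspicious.Behaviour" if len(hits) >= 2 else None


def layered_verdict(sample: bytes, actions: List[Action]) -> Optional[str]:
    """What an installed product can do: static first, then behaviour."""
    return static_scan(sample) or behaviour_scan(actions)


if __name__ == "__main__":
    print("scan-only, variant:", static_scan(VARIANT))            # None
    print("layered, variant:  ", layered_verdict(VARIANT, OBSERVED_ACTIONS))
```

The re-packed variant gets a clean bill of health from the content-only scan, while the layered verdict still catches it; the first number is the one a VirusTotal comparison reports.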

Using VirusTotal to judge an anti-virus product isn’t merely bad form, it is positively dangerous – it might tempt users into abandoning AV altogether. That would be a very, very bad idea. The Imperva report is actually a sleight of hand by a non-AV vendor. But here’s the rub: the AV industry isn’t innocent of its own sleights of hand.

The one that gets me personally rather hot under the collar is the ‘destroys all known bacteria dead’. Well, that’s the clear message. The actual terminology is ‘stops 100% of viruses in the Wild’. What it is really saying is that Stoppem Anti Virus detects every virus in the Wild List. And the Wild List is very different to ‘in the wild’. In fact, the Wild List is effectively compiled by the AV industry; so in reality, any AV company that doesn’t score at least 99.99% success against viruses in the Wild is largely incompetent.

So I would say this. Imperva, you have been a bit naughty in your report. AV industry, you can be a bit naughty yourself. So stoppit, both of you. Anti-virus is good, not perfect, but essential. Just tell us the truth.

Update
David Harley includes quite a lengthy comment on this blog in his post, Going beyond Imperva and VirusTotal. In particular he delves into the pros and cons of WildList testing. He doesn’t completely disagree with me; but nor does he completely agree – so it’s well worth a read.

My news stories on Infosecurity Magazine this week (so far)

May 2, 2012

News stories for 30 April – 2 May 2012:

Megaupload prosecution is lawless, says Professor of Law
Eric Goldman, Associate Professor of Law at Santa Clara University School of Law, says the prosecution of Megaupload is “a depressing display of abuse of government authority.”
02 May 2012

Al-Qaeda uses steganography – documents hidden in porn videos found on memory stick
Steganography is the science of hiding data. Its most common digital use is to hide data within graphics – text hidden in a picture. Al-Qaeda apparently hid documents within porn videos on a memory stick.
02 May 2012

VPNs used to defeat censorship and data retention in Sweden
Pirates, typified by The Pirate Bay, are under increasing attack from the authorities around the world. Sweden is more than the spiritual home of The Pirate Bay – so it is not surprising that user-reaction to these attacks is being led by Swedes with an increasing use of VPNs.
02 May 2012

New combined home firewall & anti-virus is free
Home computer users do not, in general, pay for security. They rely instead on free software offered with little or no support. This can cause problems when different free products conflict with each other.
01 May 2012

Trusteer finds new ransomware variant
Ransomware is malware that locks up computers and demands payment for their release. A common ruse is to pretend that the malware is actually a ‘seizure’ by law enforcement agencies.
01 May 2012

UK ISPs must block The Pirate Bay – By Order
It was expected in June, but it happened on the last day of April: UK ISPs must block access to The Pirate Bay (TPB) by order of the court.
01 May 2012

Let’s do the ACTA Time Warp again
It appeared that ACTA was dead in the European Parliament when the ACTA rapporteur David Martin advised that it should be rejected. But now Marielle Gallo has postponed the recommendation of the Legal Affairs committee.
30 April 2012

42 blackmail sites – posing as news sites – shut down in China
Genuine news sites publish information on events – these sites, say the Chinese authorities, promised not to publish information for a fee.
30 April 2012

How to break into security (as a professional)
These are questions that students and unfulfilled geeks continually ask; and ones that all security practitioners receive more than any other. DigiNinja has tried to find an objective response.
30 April 2012

Categories: All, Security News

Keynote sessions from Infosecurity Europe 2012 – and a few other stories

April 29, 2012

Infosecurity Europe is over for another year. If you weren’t there, well I just suggest you make sure you get there next year. Meantime, here’s my take on a couple of the announcements and almost all of the keynote sessions:

Infosecurity Europe 2012: Minister of State for Universities and Science introduces the 2012 security breaches survey
The challenge, says the Rt Hon David Willetts, is that in order to get the economic and social benefits that the internet offers, we need to first tackle cyber security.
24 April 2012

PwC and Infosecurity Europe release the latest Information Security Breaches Survey
Significant attacks have more than doubled, but one in five companies still spends less than one percent of its IT budget on security, and more than half of small organizations do no security training at all.
24 April 2012

Russian cybercrime: what Russia is doing, and what it should be doing
Russian security company Group-IB says Russian cybercriminals made £2.3b in 2011; Russian-speaking cybercriminals made more than $4b; and worldwide, cybercriminals made more than $12.5b.
24 April 2012

Trustworthy Internet Movement Launches Pulse Tracker
The problem, says Pulse, is that we are telling users that this site has SSL, so it’s secure. That’s not necessarily true. We are promulgating a false sense of security, and we need to fix that.
25 April 2012

Infosecurity Europe 2012: defining risk management in the context of information security
The three companies represented on the keynote panel (G4S Secure Solutions, Steria UK, and Skipton Building Society) are very different; and their CISOs have very different views on the functioning of risk management within infosec.
25 April 2012

Infosecurity Europe 2012: the rising role of the CISO
Chaired by Quocirca’s Bob Tarzey, Network Rail’s CISO Peter Gibbons and Yell’s CISO Phil Cracknell led a lively discussion on the current and future role of the CISO.
25 April 2012

Ipswitch survey reveals the extent to which IT is losing control over data
IT needs governance; but users are choosing simplicity. In choosing and using their own non-sanctioned methods for data transfer, users are causing IT to lose control over its own data.
25 April 2012

Infosecurity Europe 2012: AET & APT – Is this the next-generation attack?
Advanced persistent threats (APT) and advanced evasive techniques (AET): what are they, who’s doing them, and what can we do about them?
26 April 2012

Has the time come to dump anti-virus?
Bit-9 asks the question that dare not be spoken: is anti-virus beyond its sell-by date? And is BYOD the final straw?
26 April 2012

Infosecurity Europe 2012: The ICO on better regulation and better infosec
Christopher Graham, the UK Information Commissioner, talks about his role as an information regulator and facilitator at Infosecurity Europe in London.
26 April 2012

Infosecurity Europe 2012: Are we smart enough to secure smartphones?
Three heads of security from three very different organizations came together to discuss their practical and very different experiences in introducing a company BYOD strategy.
26 April 2012

Infosecurity Europe 2012: The insider threat – is it real?
While the primary security stance faces outwards and is designed to keep hackers and malware outside of the system, organizations are increasingly aware that their own staff are also a potential – and in some cases an active – threat.
27 April 2012

Infosecurity Europe 2012: The cloud – do you really know what you’re getting into?
The cloud is new; but it’s been around for years. It’s insecure; but more secure than we fear. Two practitioners discussed the cloud of FUD.
27 April 2012

It’s the lack of understanding of virtualization that makes security an issue
A new study from Kaspersky Lab confirms an earlier one from Crossbeam Systems: it’s a lack of knowledge about virtualization that leads to fear for its security.
26 April 2012

Categories: All, Security News