Category Archives: Security

Top 5 Most Dangerous Malwares, or Not

SecTechno caught my attention with their title of “2010 Top 5 Most Dangerous Malwares”, and then I read this line at the start:

1-STUXNET…it is for the first time in the history that a malware bypass the cyberspace to get directly to the physical environment

Whoa! Stop right there. Not true.

Malware existed on removable media first. It started with boot-sector viruses on floppy disks. Malware spreading in the 1980s depended on “get directly to the physical environment”. The only real exception was the Morris Worm on UNIX in 1988. There was a slow transition to malware on the network through the 1990s (Ivar on MacOS System 7 was my personal favorite) but it was the mid-1990s before malware started to take full advantage of network infection vectors instead of removable media, as explained in a paper by Peter Bergen.

In retrospect we can confidently state that malware writers adapted more quickly to the changed circumstances than Microsoft did. The combination of network connectivity, powerful macro languages and applications which were network aware on one level but had not really incorporated any important security concepts and, of course, the sheer number of targets available proved quite impossible to resist.

So don’t believe the hype. Stuxnet is not dangerous because of how it works. That is the same old story. It is dangerous because it was highly targeted. In addition the malware was directed to achieve a consequence of social or even political significance, instead of just financial gain.

In other words, when you look at a breached castle wall you should ask whether it was from a special and unknown type of attack (very unlikely) or because the attacking army did their research and targeted the weakest spot (very likely). Likewise, you can ask whether the defending forces had done their research and responded with sufficient resources in time, or whether they were caught off-guard or unready.


Inside the main gate of Chepstow Castle, Wales. The curtain wall on the right was breached 25 May 1648 by Isaac Ewer’s cannons and the site where Royalist commander Sir Nicholas Kemeys was killed. Photo by me.

What does a system ready to defend against malware look like? History tells us that this is a pretty good list to monitor, and would have detected Stuxnet:

  1. Alternate Data Streams (ADS)
  2. Audit Policy status
  3. System file checksums
  4. Local User activity, dumps
  5. Open file handles
  6. Modified, Access, Created times of files on system drive
  7. Hidden files on the system drives
  8. Temporary files and cookies
  9. Associated DLLs of running processes
  10. System, application, and security logs
  11. Interface configuration
  12. Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) activity — ports opened by processes
  13. Local registry hive changes
  14. Rootkit detection
  15. Services running
  16. System information about hardware, OS, and installed software
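As an added example (not code from the original post), here is a small Python baseline-and-diff script covering two items of that list, system file checksums and file modification times: it records a SHA-256 and mtime for every file under a root, then reports additions, removals, content changes and timestamp-only changes against the saved baseline. The directory, file names and changes inside demo() are constructed for illustration, and the dot-file stands in for a hidden file only loosely, since Windows marks hidden files by attribute rather than by name.

```python
import hashlib
import os
import tempfile
from pathlib import Path

def file_record(path):
    """Checksum plus modification time for one file (list items 3 and 6)."""
    st = path.stat()
    return {"sha256": hashlib.sha256(path.read_bytes()).hexdigest(), "mtime_ns": st.st_mtime_ns}

def snapshot(root):
    """Walk a directory tree and record every regular file, keyed by relative path."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): file_record(p)
            for p in root.rglob("*") if p.is_file()}

def diff_snapshots(baseline, current):
    """Compare a fresh snapshot with the baseline; return sorted (kind, path) findings."""
    findings = []
    for rel, rec in current.items():
        old = baseline.get(rel)
        if old is None:
            findings.append(("added", rel))
        elif old["sha256"] != rec["sha256"]:
            findings.append(("content_changed", rel))
        elif old["mtime_ns"] != rec["mtime_ns"]:
            # Same bytes but a different timestamp: still worth review, timestamps get altered too.
            findings.append(("mtime_changed", rel))
    findings.extend(("removed", rel) for rel in baseline if rel not in current)
    return sorted(findings)

def demo():
    """Constructed scenario in a temp dir: take a baseline, then make four kinds of change."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "sys").mkdir()
        (root / "a.txt").write_text("A")
        (root / "c.log").write_text("log")
        (root / "sys" / "b.dll").write_bytes(b"MZ")        # constructed stand-in for a system file
        baseline = snapshot(root)
        (root / "a.txt").write_text("B")                   # content replaced
        os.utime(root / "c.log", ns=(10**9, 10**9))        # timestamp changed, bytes untouched
        (root / ".hidden").write_text("x")                 # new dot-file (hidden on POSIX only)
        (root / "sys" / "b.dll").unlink()                  # file removed
        return diff_snapshots(baseline, snapshot(root))

if __name__ == "__main__":
    for kind, rel in demo():
        print(f"{kind:16} {rel}")
```

In practice the baseline would be written to storage off the monitored host and the comparison scheduled, so that a change to a system file or its timestamps surfaces as a finding rather than going unnoticed.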

Crocs Fined for Health Claims

The Environmental Protection Agency says they have settled with the manufacturer of Crocs over a case of unproven health claims.

Crocs Inc. has agreed to remove unsubstantiated antimicrobial claims on product packaging and pay $230,000 to resolve cases involving several types of its shoes, according to the U.S. EPA.

“EPA will take action to protect the public against companies making unverified public health claims,” said Jim Martin, EPA’s regional administrator in Denver. “Unless these products are registered with EPA, consumers have little or no information about whether such claims are accurate.”

So, we now officially can declare Crocs are a croc?

One of the interesting details in this story is that the US Government says products with antimicrobial claims must register and be tested as a pesticide. I never thought of it like that, but wearing an untested pesticide as a shoe sounds unwise. The marketing on the Crocs page now has to change. It used to say something like this:

…ergonomic, antimicrobial, odor resistant and recyclable shoes

I guess it was easier to remove the second claim than get tested for compliance with pesticide regulations.

It might take a while longer to retrain the doctors and experts in the field and remove their authoritative references like this one on WebMD.

“Crocs shoes do provide protection, compared to going barefoot, or wearing flip-flops or sandals,” says Donna M. Alfieri, DPM, associate professor at the N.Y. College of Podiatric Medicine. “They offer some arch support and cushion, the holes in the shoe allow air in and keep the feet from sweating, and the antimicrobial properties of Crocs could help prevent infections in kids’ feet.”

It also could be false advertising. Whoops.

This story reminds me of a marketing director of a successful Silicon Valley technical firm who asked me one day to define availability. I said something like this:

It is measured by the up time and service level. The concept of five nines, for example, is a service that is unavailable to users less than 5.26 minutes in a year.

He cut me off before I could continue, threw his head back and grew a giant smile like the Cheshire Cat.

Nooooo, availability is two power-supplies! That is what the xyz competitor said on their marketing brief, so that is what I put on ours! Easy!

I read the marketing brief he cited. It was clear he misunderstood their text as he copied it, but I could tell he was making a political point, not one about engineering availability. His smile really was the appreciation of the lack of a regulatory authority that measured his product for compliance. He was letting me know his methods were not deceptive because success could be redefined without accountability — easier to hit sales numbers by lowering the bar for engineering and then telling customers they never knew anything better (with quotes from paid experts), while laying blame (if any were to come back) on a competitor.

Italy bans all plastic bags

It has captured the headline for Plastics News:

Four years after it was originally proposed, Italy has imposed a ban on single-use polyethylene-based retail carryout bags. Italy is the first country in the European Union to ban plastic bags.

Ireland has had a tax on plastic carryout bags since 2002. That tax was initially 15 cents, but was raised to 22 cents in 2007.

Most other sites just say plastic bags are banned, but I figured a site dedicated to plastics would make a point about the particular type.

I wrote about degrading plastic in 2009, and in 2007 I mentioned Uganda, Kenya and Tanzania had banned plastic bags.

While the African countries said they had to take “drastic measures” to change people’s attitudes, Italy’s ban is said to have been urged by more than 100,000 citizens. Ironic, considering Italy has the highest annual plastic bag count per person (over 330) in the EU.

Cloud Providers Say It’s Safe

I just ran through a set of security documentation by some large cloud service providers and an old marketing campaign came to mind, as documented by the New York Times:

Note the “T-Zone”.

“T for Taste…T for Throat…”. They forgot T for Threat to your life.

Very soon I expect we will be able to help customers describe and measure some concrete risk differences among cloud providers, as I described in my presentation on logging last month at BayThreat.