back to article Schneier spanks AV industry over Flame failures

Security guru Bruce Schneier has questioned some of the excuses coming from the antivirus industry as to why it is taking them so long to pick up advanced malware like Flame and Stuxnet. Schneier's scolding was inspired by a mea culpa published in Wired by F-Secure's top security man, Mikko Hypponen. He admitted that when …


This topic is closed for new posts.
  1. NoneSuch Silver badge

    There is no single solution that will protect you. Thinking that there is means simple ignorance of the multiple threats out there.

    Cover your data with several layers of AV, anti-malware and firewalls. If it is important, have three separate copies stored in three physically distant places and make sure the backups have integrity by regular random testing.

    If you can get to it, so can others. Assume one day they will.

    1. Mikel

      That still goes on is amazing to me

      The only way to win this game is not to play it.

      Get a Mac. Get Linux. Get BSD if you really have essential work. Lock it down. Don't employ people who care more about convenience and think they are too important to learn and practice operation security. Don't trust dumb people. Just don't play this game. The vulnerabilities these things exploit are flat stupid. Autorun, really? Default admin? I have to tell you those are absurdly stupid ignorance of good practice? What is this, 1988?

      Windows is never going to understand this. I hope the right people do.

      1. Christian Berger

        Re: That still goes on is amazing to me

        Well I'd put that more general, "Get a platform with a good security track record.". Macs unfortunately are perhaps more secure than some boxes, but less than proper unixoid boxes.

        I don't expect the Windows to understand this. After all they are in a different area.

      2. LDS Silver badge
        Thumb Down

        Re: That still goes on is amazing to me

        Yes, get a Mac... how many Macs were infected by Flashback lately? When you become a target, there's a good chance someone will discover some kind of vulnerability. The only safe machine is one which is not network connected, and without Floppy/CD/USB/etc. ports...

        1. the-it-slayer

          Re: That still goes on is amazing to me

          600,000 Macs infected? But then, how many are there that are potentially targetable? Maybe tens or hundreds of millions? So the ratio was very low on that case. Where in comparison to Windows, I'd like to bet that most computers in consumer world have at least had one virus/malware in its life-time at least.

          It's taking sensible procautions and knowing what you're doing. The classic example was my dad didn't realise that he'd downloaded a fake version of Google Chrome just because he assumed the home page was legit (although it wasn't and was overtaken by another piece of malware to mimic the Google search page). A check of the URL would of determined it wasn't.

          1. LDS Silver badge

            Re: That still goes on is amazing to me

            When you are the target of an intrusion you don't really care if you're the only alone or it they had targeted two billions more. There are attackers that just try to build a botnet to spam and target the low-hanging fruit, there are others determined to break in a given system and they really don't care if it is Windows, MacOS, or any version of *nix. Any system has vulnerabilities, including *nix ones, and if your attacker is skilled enough and your systems not properly maintained and your personnel trained, they will break in. It happened, happens and will happen.

      3. Anonymous Coward
        Anonymous Coward

        That you still think its the tools that are at fault amazes me.

        You nearly got it right, with the 'dumb people' comment but they can be found on any system these days.

        saying x is safer that y is just plain wrong. if you have bad staff using X they will still be bad staff when you move to y.

        Don't blame the Tools when it is the people who are at fault.

        1. the-it-slayer

          Re: That you still think its the tools that are at fault amazes me.

          @Anon 09:30

          You're dead right. To be honest, that's down to education. There's no system that can cover the whole range of users. From the techno-bods to new users, the mixture of good protection software and knowledge of how malware works the best solution.

          I'd personally introduce a short-course in primary and secondary schools that covers topics of safety, proper usage and responsibility of using the internet. It's surprising how many people in my generation (I'm 25 and the first set of young people to use technology to its full advantage) are lacking skills to use the internet. Spotting malware/viruses and where to go/not to go on the internet would be part of that course. Infections on all systems across the world would reduce and hackers would have to get much more clever to catch us.

  2. Fred Flintstone Gold badge

    AV alone is indeed not helpful..

    I received an email with a virus on June 6th, and according to it was unknown (the file was VerifiedByVisa.htm with a chunk of java in it).

    I forwarded this to two contacts I have in the anti-virus biz, and one came back 2 hours later confirming it was a virus and they'd add it to the database. The other one never even bothered to reply, which will cost him beer the next time we meet.

    Out of curiosity, I kept checking. It's now the 19th, 13 days later, and only two packages out of the 42 pick it up - to the remaining FOURTY, this is still a zero-day level threat, which suggests to me that it was a targeted attack (large scale triggers honeypot emails of AV vendors). This means, for users of those 40 (which include the bigger vendors), the file I received would be effective in infecting the target system.

    Anti Virus is only a tactical, reactive method of protection. Assume you will get hit eventually and plan accordingly.

  3. MyronC

    I think the model is broken; reactive anti-virus developers are simply being out-staffed and out-worked from a resource utilization standpoint.

  4. Anonymous Coward
    Anonymous Coward

    Reactive broken model?

    What strikes me is that none of this is in any way new, the antivirus industry have known for years that the model is broken, yet continue to rehash the same ole broken solutions. See this from Sept 2005:

    The Six Dumbest Ideas in Computer Security

    1. Ole Juul

      Re: Reactive broken model?

      When otherwise air-gapped and vulnerable computers allow USB memory sticks to be plugged in (Stuxnet attack) then it starts to look like part of the reason the reactive model is broken is because it is not applied across the board. In other words, even in professional environments security is given a back seat.

      Nice article, by the way.

      1. Lee Dowling

        Re: Reactive broken model?

        Why should plugging in a USB stick mean that your OS is compromised? Firewire, I'd give you, because that allows arbitrary memory location DMA as part of the protocol (which is why Firewire should die a death and is disabled on every machine I manage).

        But a USB stick is just a mass storage device. Autorun should not do run. Your systems should be configured to refuse to run executables from external device (if you have any care about the security of your system, that is). Users who manually execute a program from a USB stick via whatever method (e.g. copying it to the machine and authorising it) should be disciplined accordingly.

        People just assume that there's nothing you can do about this because, on most people's home PC's, they don't BOTHER to do anything about it. It's nonsense. Arbitrary code execution is NOT required for any in-place system. And the bigger you are and the more customers and data you have, the more reason you have to STOP arbitrary code execution occurring.

        It's not an AV issue (which is nothing more than a miner's canary for when you DO have something infect your machine), it's a security issue - spurred on by the use of general purpose machines and operating systems for EVERY LITTLE THING. You should NOT be running code. Why does the person who operates a till in a shop require anything more than till controls? Why does the person handling the legal stuff at your solicitors need more than a menu of options and a word-processor to run? They don't. We just think they do nowadays, because we're used to having that control. So rather than a list of options that it's not physically possible to choose the "Format my hard drive" option because it doesn't exist, we hand them a general purpose OS where they can literally do anything and then try, half-heartedly, to pare it back to stop them breaking it too quickly.

        If your staff can run anything they like, can play about in browsers, can go on the Internet, can play Minesweeper and Solitaire, it means you DIDN'T lock down their computers for work-only use. Thus, anything that happens is your own fault. Your antivirus costs are ENTIRELY due to your own laziness in failing to secure the system.

        With SELinux and even things like Windows Software Restriction Policies, there's no excuse for anyone larger than a small business to have virus infections on their systems. It's just laziness and the convenience of being able to do non-work things traded off against your system security. If you wouldn't play Flash games on your network servers, why would you allow it on the clients that handle your customers banking details (no matter how indirectly)? And a verbal ban, we all know if we have kids, is about as secure as a Ford Fiesta parked in a dodgy area. Don't tell your staff not to do X or assume they won't (e..g don't use Internet Explorer, don't run games, don't install software, etc.). Make it 100% impossible for them to do so, if you care about your security.

        The tools are there. Nobody uses them because they obviously *don't* want to stop people going on Facebook in their lunch hour on the same machine that they're typing in customer's details into during the day. If they cared, it wouldn't be possible. And neither would a virus infection.

        1. Bronek Kozicki

          @Lee Dowling

          Your comment is, mostly, bang on. There is gaping hole, though, since it ignores the largest target add victim of security threats: home users.

          By definition, home users buy a PC for the purpose of being able to do anything with it. This may include: internet banking, email, using streamed or local media, browsing trusted or not websites, running software from trusted source, gaming, running software from new or "untrusted" source, etc.

          Perhaps "walled garden" model with pre-screened content we see on iPads is the solution for this, but I refuse to accept it. Better ideas are urgently needed.

          1. Anonymous Coward
            Anonymous Coward

            Re: @Lee Dowling

            And one huge thing about locking systems down.

            Sometimes users might need to change something.

            For example, someone I know is lefthanded, they prefer using a mouse set to left handed operation. At work, they can not change this themselves, nor any other setting. They have to log a job with the Service Desk for every computer they might ever use. You can lockdown to the point where systems become unusable.

      2. adamsh

        Re: Reactive broken model?

        Alphabet V.A.1 was spread since autumn 2007 according to local backups. It was hidden in "Verbatim.exe" , which was run at startup from USB-Sticks by Verbatim. Hints occurred July 2011, but up to now very little information has leaked into public about this trojan.

        Best, adamsh

    2. pixl97

      Re: Reactive broken model?

      The default permit idea is a terrible one when it comes to security, but a great one when it comes to development and proliferation of programs and ideas. iOS is a pretty good example of this, to run an app of your own on it you either have to root your phone or go thru the process of publishing it and getting apple to vet it. In general this keeps users safer in the fact it's harder for them to load, but the businesses that I do work for use android tablets for their apps so they can quickly push out fixes and updates to their programs to meet changing business needs without big brother apple asking if it's ok.

      Really the only way that I can think to verify that a system doesn't have software that is hiding its presence is to occasionally boot from other media that runs a filesystem check and makes a database of any executable content, the database can then show you a change log of the programs on your system. If you run many systems you can see common changes like adobe and windows updates, and hopefully pick out oddities like httpd.exe showing up on the accountants windows box.

    3. Voland's right hand Silver badge

      Re: Reactive broken model?

      They can do very little as the model is determined by the OS.

      They exists solely because of the vulnerabilities and problems in the typical install of the Microsoft OS family. If these are fixed once and for all most of the AV industry will be out of a job or so the theory goes.

      In this day and age this means that the malware writers will move to F***book and other platforms that have "opportunities" for malware propagation and the AV will promptly follow.

      1. adamsh

        Re: Reactive broken model?

        Are all installers trustworthy? asks adamsh

  5. Allan George Dyer

    Also a failure for...

    Full disclosure: I sell AV software, and know Mikko.

    A lot is being said about the "broken model" of reactive AV, but Flame and Stuxnet shows some other models are broken too:

    Whitelisting / Code signing / walled gardens: malware modules were signed with forged/stolen certificates.

    Keeping your software patched: Flame pretended it was a genuine MS update

    Keeping your software unchanged: Then you fall to the the zero-day vulnerabilities present when you started.

    Not connecting: USB memory. There's no such thing as an isolated system, there never was.

    So, defence in depth... do all (or as much as you and your users can stand) of the above, and maybe most things will get caught.

    Schneier is right, "slowly and stealthily" gets through, so "conventional non-military malware writers that want to evade detection should adopt the propagation techniques of Flame, Stuxnet, and DuQu", but, most non-military malware works on the wack-a-mole model using speed to steal a little from many victims, and doing the same tomorrow. Very few non-military targets are worth Stuxnet-level effort, so Mikko is right, "consumer-grade antivirus products can’t protect against targeted malware created by well-resourced nation-states with bulging budgets. They can protect you against run-of-the-mill malware".

    We do need to find better ways of efficiently identifying the more stealthy malware... the arms-race goes on.

    1. Christian Berger

      Re: Also a failure for...

      Well what we need is provable code. Code which needs to be proved "correct" before it can be compiled. There is work going on making the prove simple to write.

      However even right now it is trivial to prove things like being free of buffer overruns or integer overflows. Some compiled languages allow you to do this with a simple compiler switch. This alone solves a lot of problems.

      As for installing malware there are some rules solving the problem mostly. Install only from trustworthy sources (e.g. the repository of your distribution), install from source (higher risk of detection for the malware author) and limit the rights for individual packages.

      The arms-race will stop as soon as it hits one of 2 limits:

      1. Other ways of reaching your goal are cheaper: If it's easier to open a bank than to write a banking trojan, people will just open banks to defraud people.

      2. The highest level of competence for amoral people is reached. Government can use a propaganda to claim their goals are moral, however the smarter the people the less likely it is they fall for it.

      Currently we have systems with next to no security, and companies aren't even bothering to switch to a bit more secure systems.

      1. Mikel

        Let me explain about Turing machines

        Never mind. The lesson would be wasted.

    2. Mikel

      Re: Also a failure for...

      If you are in IT operations security at this level and don't desolder and remove the USB ports from the PC before the engineer gets it you are not qualified to do your job. USB is that insecure.

      1. Dave Bell

        Re: Also a failure for...

        The trouble is, USB is winning as the connection standard.

        You can still get keyboards and mice and speakers which plug in to the non-USB connectors of old, but how long will that continue?

        If you're at the highest levels, maybe you will still be able to avoid the need for a USB port, but where will you get the hardware from?

      2. Stoneshop Silver badge

        Re: Also a failure for...

        desolder and remove the USB ports

        That would include connecting keyboard and mouse directly to the motherboard, yes? And say goodbye to your vendor warranty.

        If you think blocking unused USB ports is the way to go, then epoxy or hotglue is a much faster and equally effective way, and less likely to cause collateral damage. But if there's one available still for keyboard and mouse, your effort is worth zip unless you've disabled loading any other modules except HID. And even then a dedicated virus or worm can penetrate; the method is left as an excercise for the reader.

        1. Crisp

          Re: desolder and remove the USB ports

          Or you could just turn them off in the BIOS. Save trashing a perfectly good motherboard.

          1. ukgnome

            Re: desolder and remove the USB ports

            Or use checkpoint or other type of software

      3. Paul Crawford Silver badge

        Re: Mike

        Nothing wrong with USB ports, its the stupid OS that lets stuff run from them, in particular autorun[*], and people who don't care to (a) lock them down, or (b) take care what you do with them.

        [*] sadly Linux is not totally innocent though not as brain-dead as the old MS approach, also why do so many Linux distros mount file systems on external media with execute permissions enabled?

        1. Anonymous Coward
          Anonymous Coward


          ...if you need high levels of security you need to control physical access to the hardware. Should that even need saying?

      4. 2cent

        Re: Also a failure for...

        USB login keys are an essential security method for some.

        It's how you use it that makes the difference.

    3. Pascal Monett Silver badge

      Re: "There's no such thing as an isolated system, there never was."

      That may be true, but if the data you want is on a computer that is not linked to the Internet, then it gets substantially more difficult to reach.

      What I continuously fail to understand is why, oh why, do military installations persist in having their entire network connected to the same Internet as everyone else.

      Get a local network, and use one, isolated PC to connect to the Web. Or at the very least, put your security stuff, military-grade secrets, etc. etc. on a network that is physically isolated from the Web.

      Is it really that hard ? Or do the generals absolutely have to have the latest Friday video too ?

      1. Anonymous Coward
        Anonymous Coward

        @Pascal Monett

        The serious military networks are physically separated, usually you will find red & blue cables, sockets, etc, to keep outside-linked and isolated separate, and a serious penalty for plugging stuff in to the wrong domain!

        You tend not to hear about them going wrong for the obvious reasons that they rarely do due to separation (unless some muppet has a USB stick infected and autorun enabled on a Windows box), and they often don't want to talk about them in the first place.

  6. dotdavid

    Fluff piece

    Sounds to me that Schneier destroyed a fluff piece that F-Secure's marketing department forced their top security man to write to take advantage of the recent publicity.

    As usual, he's correct, but it's all a little too easy.

  7. Anonymous Coward
    Anonymous Coward

    A brief history of AV, for refuseniks

    10-12 years ago it was the case that using an e-mail client other than Outlook Express (which had a nasty habit of trying to open attachments for you), and never double-clicking unknown executables in a proper e-mail client, protected you from pretty much anything.

    Then worms like NIMDA started coming out, which installed with no user interaction, and you needed a firewall (the one built into your broadband router would do, since you were just blocking unsolicited incoming traffic).

    I didn't run AV all this time and never had a virus infection.

    Now it's mainly drive-by website stuff and it's become vital to run AV and suffer the performance hit, although by using AdBlock - much malware on legitimate sites is delivered by hacking banner ads - and avoiding the seamy underbelly of the Internet like serials, warez and grumble, you can reduce the risk substantially.

    If the AV vendors aren't up to the task then they should go and flip burgers instead. We are reliant on them. Having said that, I'm not sure what Schneier is doing to help, since BT isn't known for its AV product line.

This topic is closed for new posts.

Other stories you might like