back to article Don't count on antivirus software alone to keep your data safe

TJX hacking mastermind Albert Gonzalez scoffed at antivirus tools. He and his cohorts wrote malware specifically designed to evade their detection. One can imagine him laughing as his team of hackers broke into corporate networks using SQL injection attacks and gained administrative access. Then he probably guffawed, Bond …

  1. fnusnu

    100% security - It's not a 'dirty little secret'

    It's a f**king huge flashing neon sign which hangs over the risk management office and illuminates the boardroom

    1. JamesTQuirk

      Re: 100% security - It's not a 'dirty little secret'

      I have 2 Networks Home & Internet Capable (Sandboxed/live DVD), only after checking & transfering VIA USB do files move from 1 to another, NO WIFi, sneakerNet can be a pain, but the last files/system, I lost to virus where on a Amiga ...

      However leaving your files on a Azurb Clod Drive sounds like "Hackers heaven" plenty of time to rip the guts out of your Data ...

      1. Anonymous Coward
        Anonymous Coward

        Re: 100% security - It's not a 'dirty little secret'

        For me, that would be just far too inconvenient. I need all my devices to connect to the internet, that's their main purpose (other than photo/document editing, but the results of that work do in turn need an internet connection).

        So, instead of your nuclear air-gap/read-only OS solution, I use a decent network firewall (pfsense - although most consumer routers are probably good enough), sufficiently configured, together with local AV, together with 'user' self-training (not clicking on suspect executables, not installing unknown programs from untrustworthy sources), and good (incl. offline) backups.

        1. JamesTQuirk

          Re: 100% security - It's not a 'dirty little secret'

          Well I bought a Series 1 PI, recently, was thinking of making that into a wireless Linux IpTables Firewall between systems, as it can't do a lot, but should be plenty for that, but before I could, I was getting A HP Lappy w/ win7 ready for Sale/disposal, It was online updating (768), when I noticed it going more "NUTS", it was infected by Cryptolocker from a Flash Animation on Web Page, NOT by me doing anything but going following a link in Google News. I killed it, Disassembled it, & sent it back via their "Comms channel", with several hundred extra zeros, BUT it was a TOR'd address .....

          So thinking I will keep SneakerNet as is ...

          1. Anonymous Coward
            Anonymous Coward

            Re: 100% security - It's not a 'dirty little secret'

            Solution. Don't install Flash.

            1. JamesTQuirk

              Re: 100% security - It's not a 'dirty little secret'

              Yep, Synaptic Package Manager can/will removed FLASH only from restricted extra's Pack in Ubuntu & Friends, but that should work for any Debian install, with Synaptic ...

              In Firefox install "User Agent Switcher" addon, and make firefox think it's on a MAC, so YouTube etc still work ...

              Still using Adobe Flash? Oh well, get updating: 15 hijack flaws patched ..


  2. RainForestGuppy

    Who's the Audience here?

    Whilst the content may acceptable, I'm just wondering why this article appears in a "news site"? It's not exactly earth shattering revelations, it's verbatim Information Security 101.

    What next? "turning your PC off at night saves energy"

    Also whilst I agree that nothing is 100% secure and it should be difficult for an attacker, you've missed an important point, it must be remain useful to the business.

    I can take a laptop, shut it down, put it in a safe and destroy the key. The laptop is now, as near as possible, 100% secure from cyber threats. Unfortunately in the process its now lost all value to the business.

    1. Anonymous Coward
      Anonymous Coward

      Re: Who's the Audience here?

      Just because it's stating the 'obvious' doesn't make it less relevant. Most compromises can be avoided by following this guidance. However, many companies do not follow even these basic principles.

      1. Robert Helpmann??

        Re: Who's the Audience here?

        Yes, but it isn't exactly news and, as mentioned above, it is hardly an in-depth analysis. There are entire suites of applications, certification sets, and careers based on information security in one form or another. This, while nice as far as it went, amounts to what an IT professional might send out as an annual reminder to those who write the checks as to why we do what we do. I honestly do not understand why it has been posted to an IT news site.

        1. Ole Juul

          Re: Who's the Audience here?

          The audience is MS-Windows desktop users. That's totally fine, but this may not be the best site for that.

          1. Anonymous Blowhard

            Re: Who's the Audience here?

            "The audience is MS-Windows desktop users."

            Because no other operating system can possibly be compromised?


            Awareness of risk is vital to an effective security policy.

        2. Anonymous Coward
          Anonymous Coward

          Re: Who's the Audience here?

          No-one ever claimed El Reg is a news site :)

    2. veti Silver badge

      Re: Who's the Audience here?

      Antivirus software "alone" can't do anything. In 20 years of having a home internet connection, I think AV has detected maybe 2 threats on my system. It's debatable whether it will ever pay for itself in terms of the storage, memory and CPU resources it demands; and since no financially or personally sensitive information is stored anywhere on the machine, it's unlikely to protect me from much personal loss. Really it's mostly there as a courtesy to others, who might otherwise be inconvenienced by my machine's spamming or DDOSsing them.

      When I took my old XP machine offline permanently, I tried to uninstall and disable the AV. Not an easy thing to do, it turns out. For several days I found myself treating the AV itself as malware.

      What I do care much more about, though, is the firewall. Now that's something I wouldn't be without.

  3. Anonymous Coward
    Anonymous Coward

    Yet not a word ..

    .. about HIDS/NIDS and APT detection.

    You need to keep an eye on your network traffic and server integrity. We have a number of internal hosts that run fake services (basically following the principle of a honeypot or its predecessor, Fred Cohen's Deception Toolkit) that should never be touched by anything but a security scan - those are primary alarm signals to check what is going on. Also check for protocols you normally have no use for.

    Next up is the whole issue of Advanced Persistent Threats, which is really the "here and now" of the bigger hacks. These things were going on for months before they delivered results, yet were never spotted. I have not yet seen a decent, integrated solution for APT but I'd welcome one..

    1. JamesTQuirk

      Re: Yet not a word ..

      I read a translation of a Chinese Blog Post, regarding using a SUBSETMASK hack to effectivly "cul-de-sac" systems and entire networks, maybe even countries, into a Group/net you control, Not sure about some of it, as translation wasn't great. I think/wonder if it's a old system tool, which some have forgotten about, maybe @ their peril ....

      1. Michael Wojcik Silver badge

        Re: Yet not a word ..

        using a SUBSETMASK hack

        That's quite an acronym you have there. What does it stand for?

        Or perhaps you meant "subnet mask"? Though why changing the subnet mask on an interface would be a "hack" I do not know.

        1. JamesTQuirk

          Re: Yet not a word ..

          Sorry about Caps, Spacing, Typo's ...

          I was shown this translation "printout" @ a friday arvo "IT types" Pub thing, and asked to form a opinion, I looked @ it & was a code injection to enable using subset mask & "Something else" which is the bit I didn't understand, to Gain a Escalation of privledges in/on system/network & allow redirection of traffic thru this "NEW" network with Full Admin/supervisor control ...

          It warbled on @ end, I think they may have been gimberling into a mirror, while saying it ...

          1. JamesTQuirk

            Re: Yet not a word ..

            or maybe they weren't ...

            Patch now: Design flaw in Windows security allows hackers to own corporate laptops, PCs


  4. Anonymous Coward
    Anonymous Coward

    Email whitelists

    Some of the dodgy emails that get past the Demon and Norton filters for my domain are apparently from known persons or businesses. It often takes a visual inspection of the raw headers to decide that the origin is suspect.

    Don't think I've seen many almost convincing payloads that were also from the genuine source.

  5. mark jacobs

    When I read comments like, "they run the risk of being infected by rogue JavaScript running in the browser." I cringe. There is no way on planet Earth of infecting a machine by it running some JavaScript and HTML in a browser. The only thing JavaScript can write to, is cookies. This, again, is idiotic scare-mongering to attract readership. Granted, if somebody clicks on a link and runs whatever it leads to by acknowledging consent, then more fool them. But, on its own, with no clicking or acknowledgement, a website cannot infect a PC that prompts for any activeX to run. JavaScript can't - someone give me an example, if you think otherwise.

    1. Pascal Monett Silver badge

      An example ?

      I Googled "drive-by infection" and the first two results were this and this.

      In the second article, it is clearly stated that "Just surfing to an affected website is enough to infect a computer".

      I do believe that that sentence is in direct contradiction to your belief that "on its own, with no clicking or acknowledgement, a website cannot infect a PC".

      And would you care to clarify how, on the one hand, you talk about Javascript in most of your post, yet you say "a website cannot infect a PC that prompts for any activeX to run" ? Where does ActiveX come into the discussion, and how exactly do you believe that ActiveX is, in any way, secure after all the holes that have been found in it ?

      1. JamesTQuirk

        Re: An example ? @ Pascal Monett

        I think mark jacobs may have been/is, a Java or Flash, "Programmer", they have a heart attack if they to learn something new ...

        1. mark jacobs

          Re: An example ? @ Pascal Monett

          If you cannot cite the offending Javascript/HTML code, then don't give me tripe!

          1. JamesTQuirk

            Re: An example ? @ mark jacobs

            Heres one,


            I could have put 20 here, but surely such a knowledgable person, should be able to google ...

      2. mark jacobs

        Re: An example ?

        "With drive-by infections, it is enough to simply visit a website to infect a computer with malware. Visitors don't need to start a download or install anything - the website does this automatically!"

        My browser will not automatically download anything, without asking me where it should save it first. What kind of browser are you using that would do this? An idiotic one by the sound of it.

        "Yet If a browser has a relevant safety gap, such scripts can access a user's computer directly. This therefore enables malware to move from the server to the browser, and via the security gap to the user's computer, without any conscious action by the website visitor at all."

        Again, it's a problem with the browser, and you should change your browser.

        The reason I mentioned ActiveX is because that is the biggest hole in your browser, then comes Java (I do not allow this to run), then Flash (run with permission). That leaves JavaScript with Ajax or other call-to-the-server methodologies, which can only write to the web page, open new web pages, or write to cookies. None of those compromise a PC.

        JavaScript and HTML are not capable of infecting your PC. Buggy browsers, ActiveX, Java and Flash, however, can. The article is talking about Javascript. Now, go back to sleep!

        1. JamesTQuirk

          Re: An example ? @ mark jacobs

          ActiveX is a windows issue, not real PC's ...

  6. Marty McFly Silver badge

    Really, Reg??

    The calendar is 2015. Antivirus-only security has been dead for about a decade now. This is not news.

    However, there are certainly ignoramuses in the IT space who believe in 'check box' level security. So there is some value to this article.

  7. Doctor_Wibble

    Not just dodgy websites

    It's not really the websites, it's the large heaps of third/fourth/etc party gubbins that appears on every flipping site (reg not as insane as many) that you just have to trust that someone somewhere has at least glanced at to ensure that their random ad-plonking and/or social-network button array hasn't had something extra included without them noticing.

    That's a lot of people and systems effectively trusted by proxy which is never a good thing - having to disable scripts gets tedious and is a bit of a kludge for a problem that should not exist.

    And on rare occasions the thing that killed your browser is actual malware.

  8. Zog_but_not_the_first

    Against stupidity...

    I've just been reading the online version of the Graunuad. Halfway down their new "tabletised" landing page is an image of a tick with the caption "Go on. Click. You know you want to".

  9. Anon5000

    Zero day exploits do not bypass antivirus protection, no do they have anything to do with AV software as the article suggests. A 0day might be used as the initial step to get the malware on the machine but they are entirely different things.

    Crypting your malware to avoid signature based detection, splitting and scattering the malware across many memory locations, unusual hooks to existing processes and also tricks to make individual AV's think they have crashed or timedout are just a few of the things that are done to bypass AV's.

    'Legitimate work sites' should not be considered malware free. AD server farms sites that serve many top web sites are often compromised to serve malware and some even slip through the front door in that way. Both Google and Microsoft have had their ad servers serving up malware.

    Take a layered approach to security and make sure to include network traffic analysis.

  10. Pascal Monett Silver badge

    "These are solid, reliable tools"

    Yeah, especially when they utterly fail to stop a new version of a virus, or when they mistake a Windows system file for a virus, quarantine it and crash the system, or when they grab 99% of CPU for minutes on end and keep you from doing your job without rhyme or reason.

    The only thing that is reliable with AV software is the fact that your PC now belongs to it, not to you.

    Unfortunately, as imperfect and annoying as they are, we do indeed need them. Therefor the only thing we can do is find the anti-virus that will be as efficient as possible while bothering us the least.

    A real treasure hunt, and the treasure is our security.

  11. Michael Wojcik Silver badge

    TJX hacking mastermind Albert Gonzalez scoffed at antivirus tools. He and his cohorts wrote malware specifically designed to evade their detection.

    Ooh, scary. Would malware inadvertently designed to evade detection be scarier? I can't decide.

    One can imagine him laughing as his team of hackers broke into corporate networks using SQL injection attacks and gained administrative access.

    One can, though one hardly wishes to. And what this has to do with antivirus tools I cannot guess.

    Then he probably guffawed, Bond villain-style,

    I think this is somewhat less than probable. Yes, the blackhats tend to have poor social skills, but guffawing at your own exploits is taking megalomania a bit far. (And do Bond villains guffaw? I can't recall any doing so. Perhaps a bit of chortling.)

    as he uploaded the malware directly into server memory,

    Easier than uploading it directly to disk...

    and when the corporate networks began happily delivering customer credit card data directly to his servers chuckled all the way to the bank.

    Chuckling now? The man runs the gamut of mirthful expression. That bastard!

    And, again, the relevance of all this to antivirus software is a bit distant. I know, there's some vague point about Mr Scary Person employing attacks for which AV is not a defense. Surely this could have been expressed with less speculation about his maniacal outbursts?

  12. lucki bstard

    Other topics relevant to business security

    - Management buy-in

    Without that all you have is a collection of good intentions

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like