Review Review – ComputerWorld's Free AV Wrapup

This week, ComputerWorld released a review of free anti-malware systems.  The conclusions were much as one would expect, mostly that the free stuff works OK but the pay stuff is probably better.  The free systems are ranked here, if you are so inclined.

So, really, there’s nothing new here.  However, I do want to point out a few things:

  • Only one system has phone support, and that costs $50 per instance.
  • Many of them fund themselves with advertisements.
  • Heuristic detection was pretty poor across the board.
  • None of them update very frequently.
  • Most of these companies have a for-pay version available as well.

I know that most of us are always looking to cut costs, but the sheer number of times that I have removed expired or non-functional anti-malware systems indicates to me that this is very important.  Do not scrimp when it comes to security software. The good stuff costs real money for a reason.

If there is a problem, a reliable company will take care of you. The goal of a business in this space should be to help you maximize your profits.  Sure, they have to cover their costs and make a bit of profit themselves, but attitude is extremely important.  If they approach the problem of “people don’t want to pay for anti-malware” with “let’s constantly distract the users with popup ads”, do you think that they have your interests at heart?  If they charge as much for one support instance as it does to buy a license with unlimited support, do they really want to help you?  (And, do you think that they have an incentive to have you not experience problems?) If they make no distinction between “I am unable to login to World of Warcraft” and “I am unable to make payroll”, do you really want to work with them?

I mean no disrespect to ComputerWorld here.  I know that they serve both the consumer and business markets.  I know that there is a place for free anti-malware systems in the consumer space (though I think it’s quite small).  However, to answer the question “Can You Trust Free Antivirus Software?”, I’d have to answer unequivocally “no”. If you are in business, you should use a business-quality anti-malware suite.  Even if you’re at home, if your business requires you to use your home system, it should also be protected by a business-class anti-malware suite. 

Odds are that you know the cost of your time, and if you are unable to work because you get sick, you know what it’s worth to protect against that, that’s why we have health insurance (however it winds up being paid for in the U.S.).  Similarly, if your computer gets sick, how will that impact you?  Does your computer need health insurance too?

Small Business Defense – Steganography

First of all, I have to stress that this is a good news / bad news situation.  The good news is that the vast majority of you have nothing to worry about from steganography.  The bad news is that the reason steganography isn’t a threat is that you probably have a great many more holes that are easier for an attacker to exploit.

If an attacker can email out random files, that’s much simpler.  If they can burn CDs or write to USB drives (remember that many MP3 players are also USB drives), they could do that.  Some data could simply be printed out can carried off.  Attackers could also transfer files away directly via many protocols such as HTTP, FTP and SCP.

So, realistically, you only have to worry about steganography if you’ve managed to close off all these other leak vectors.  Most businesses haven’t, so the rest of this is probably not of much use to you.  If you haven’t, start identifying valid outbound traffic and blocking everything else.  That alone will likely take several months.  Then come back and read the rest.

The easiest way to prevent steganography is to prevent the sharing out outbound files.  This means blocking attachments in email, and severely limiting access to all other websites.  This means no eBay, no Flickr, no Facebook.  No external websites of any kind.  Any site that allows users to post content should be off limit.

This leaves one major vector – public-facing web sites.  Luckily, you have control over these, so you can directly manipulate the files.  There are tools that can help you identify files that might contain hidden data.  They work by mathematically analyzing the files and seeing if they are altered from a “normal” distribution. Another method would be to collect hash signatures for each file, and check for alteration. This does, however, require that you have absolute trust in the person creating the files and depends on the hash algorithms being secure. These days, that may not be such a safe bet.

So, as cool as this technology is, it’s important not to rely entirely upon it. There may be file types it cannot identify or new techniques to hide data. It may be better to configure the web server to only allow certain types of files (such as .jpg and .png files) and then attack the data source directly. Simply alter each image file and randomize the lower order bits. This way, it doesn’t matter if there was steganography in them or not. It’s removed before it goes online.

So, in conclusion, steganography is a real threat, but it is also more difficult to use than many other commonly existing holes in infrastructure. It’s not easy to deal with, and if you have other holes open, it’s probably not worth going after. However, if you can manage to deal with all the other threats, it’s worth considering.

Small Business Attack – Steganography

Steganography is talked about a lot in the security field, but not much outside of it.  Though there are many forms of varying complexity, at it’s core all you need to know that steganography incolves hiding data inside of other data.  It is commonly used with pictures, but it can be applied to pretty much any file.  Any file that you may need to use in your business could be used as a conduit for other data.

Take, for example, this photo, which is on your website (maybe you sell bone adhesives, I don’t know):

Suppose that you had some top secret data that you wanted to hide (clearly highly confidential):

An attacker could use one of many tools to embed the highly confidential image within the safe one, and most people would be none the wiser. For example:

(For the technically inclined, I used stegotools and the last 2 bits to hide the image. Try it out if you like.)

It’s important to realize that this example is highly contrived. In the real world, attackers can use any file at all and any transport mechanism:

  • Logos on a web site
  • Press releases emailed out
  • Financial documents on CD

If you have any confidential data at all, and any way to communicating with the public, the data can be leaked. How can you protect yourself?

(A thank you goes out to kordite and The Metro Library and Archive for making their images available on under the Creative Commons, and allowing me to make some really bad puns.)

Security Lessons from Nature – Prairie Dogs

It must have been quite the surprise as American settlers moved Westward and encountered their first prairie dog town.  As they traveled, they would have seen first one strange little rodent, then another, then a few more, then maybe thousands.  They would have observed that they live in a large subterranean community and work together to protect the colony.  Lewis and Clark themselves observed that they could pour five barrels of water into a hole without filling it.

While this may seem somewhat cruel by modern standards, one has to note that it’s not like prairie dog colonies never encounter rain.  In fact, that’s the point of today’s post.  Prairie dogs work together to build a massive underground complex.  They will raise their children below ground and forage for food above ground.  Over the millions of years that they have been honing this system, they have learned to maximize their security infrastructure.

In the prairie dog’s world, there are many threats.  For a subterranean colony, the threat of rain is pretty significant.  If insufficiently reinforced, the tunnels could collapse and crush the little critters.  If improperly designed, water could flow into the nursery areas and drown the pups.  Simply being underground protects the prairie dogs against predators like hawks and coyotes.  However, other predators like snakes and weasels have managed to adapt.  To defend against incursions from predators such as these, the colonies have a very complex array of tunnels that only the prairie dogs know how to navigate.  (Though this has proven less effective against some.)  Prairie dogs supplement their security with a complex warning system of alarm calls where the sentries will stand on a high outlook and issue a shrill “eep” when danger approaches.

So, while all of this is useful if you happen to be one of many communal rodents, what does it mean for those of us who happen to work in the business world instead?  The first thing to remember is that infrastructure planning is important. Consider building in excess capacity.  Your network may be able to handle ordinary traffic, but could it handle the torrential downpour of traffic that would result from sudden Internet popularity?  That said, it’s important to realize that not even prairie dogs built infinite capacity.  They withstood the attempted denial of service attack by Lewis and Clark, but they wouldn’t have survived a distributed attack by thousands of Lewises and Clarkses (sorry).  So, while capacity planning is important, it’s not everything… your infrastructure also has to be adaptable.

Instead, it would be wise to build a slight excess of capacity to handle the peaks of usage and then invest in some sentries.  Just as prairie dogs monitor for specific dangers and issue alarms for birds of prey, snakes and canines (and, at the zoo, monorails), you could monitor your network for malware, DDOS attacks and internal intrusions.

I would, however, recommend that the alarms not involve standing atop your building and “eep”ing.  Email or SNMP might make better sense.

subterranean

Mythic Monday – Tricksters

Most cultures have a trickster figure of some sort.  Though they go by many names: Coyote in North America, Anansee in Africa, Puck in Britian, Loki in the Germanic regions… and many others.  In the stories, there is usually not much if any justification for the actions of the trickers… though their tricks usually fail in the end and they learn an valuable lesson along the way.

No matter what the story may be, the point often seems to be less the story itself and more about the learning.  There are stories about ethics, significant social changes, developing new skills and personal growth.  In almost every one, though, the lesson is learned by either the trickster character itself making a mistake or leading someone else into making a mistake.  Then, inevitably, significant learning occurs.

In many ways, it’s all about attitude.  Tricksters tend not to care much about others, being lead instead by their own desires and intuitions.  They get an idea and run with it, ignoring all else, until their actions bring about their own downfall.  In short, they are driven by curiosity, creativity and intelligence.

Tricksters break everything they touch, and sow discord everywhere they go, but they do make things happen.  You probably know people like this in your own organization.  They may be a bit narrowly-focused and their projects may have a significant number of… unintended consequences, but they manage to complete more projects in less time than anyone else.

Just as tricksters benefit a story, these personalities benefit an organization.  In a developer, these traits create new products.  In an administrator, they can produce significant efficiencies.  In a security professional, they can protect an organization in ways never before though possible.  Of course, they also cause a significant amount of chaos as they implement these changes without really thinking things through.

There are many organizations… especially in I.T… that have the occasional local trickster.  Called “cowboys” or “lone wolves”, they are often thought of immature or unready for the business world.  In many cases, this is right. It is extremely easy to look merely at the negatives, and as a result, these people are often the first on the firing lines.

However, just as security is all about balance, so is business.  It is worth considering the long-term value of trickster-types.  Maybe they won’t fit into the business over-time, and it’s best to let them go.  However, maybe they can learn (possibly through a mythic journey of growth and pain).  Maybe they can learn to temper their own erratic tendencies and put their creativity and curiosity towards the benefit of the business.  Perhaps all they need is a bit of guidance.    You’ll never know if you don’t try.

But remember, most cultures can only tolerate one or two tricksters.  Fewer than that, and they would stagnate, but more than that and they would be destroyed by chaos.

Other Sites: Business, Photos/Conservation

Get the feed (RSS):



Josh More - Entropologist
Expert in removing chaos from
I.T. and business systems.