Archive for August, 2010

Bad website design – surely not, it’s 2010

August 15th, 2010

So here it goes, a rant about bad website design. People, it’s 2010, why oh why oh why have you not sorted out your web forms?

I regularly purchase stuff off the Internet, so I am used to filling in web forms for payment details, and I have noticed that to this day, some 20 years after the invention of the WWW, very few websites actually have intuitive web forms. The rest of the website is usually some flashy piece of work, yet I am still bugged by the same issues.

Country
Why do you insist on giving me a list of 200 freaking countries to sort through? Do you think you could detect where I am browsing from and auto-populate that in the list control, perhaps somewhere near the top? With the rise of geo-location software you can, but you can’t be bothered. You don’t consider this part of the user experience. By the way, does anyone from Afghanistan buy from your website?

I Live in London London
This is the one that annoys me the most. All you UK developers: I live in London, so why on earth do you insist on me providing a county? London is not in any county. On a few occasions I have been forced to enter my county as Middlesex (technically the nearest county to me) just to purchase something. On other occasions I have had to type my county in myself, leaving me with an address of London, London.

Please think when designing these forms and stop copying the same old shite that’s used everywhere else. Think intuitively, think independently.


Digital Identities and Relationships

August 11th, 2010

In the new digital world we all have digital identities exposed through various forms of media such as email, instant messaging, forums and social media like Linked-in and Facebook. Each of these represents a digital version of you. Now, I don’t know about you, but I care how I look in the real world and I also care how I look in the digital world. And, as in the real world, I don’t like to mix these identities: I am a different person down the pub with my mates compared to how I am with a customer at work. But with the prevalence of social media this line is getting blurred, and that has consequences.

Over the last several years there have been plenty of examples of a personal identity being exposed to a work-related identity, and this can result in any of a number of problems such as divorce, loss of job, loss of integrity and legal issues.

Below is a Venn diagram showing how my digital identities relate.

My Media Relationships

Notice how some of the media overlap. Facebook is clearly personal but there is some crossover with my Twitter account.

This is a bad example of relating digital identities.

Bad Media Relationship

So where do you draw the line in sharing this always on permanent record of yourself?

Some social media actually encourage you to share these identities between platforms; for example, Linked-in allows you to share Twitter messages. But do you really want your work colleagues to know that you just ate at a certain restaurant?

So how do we stop blurring the lines between personal and work identities?

Consider under which identity to share information

You have something to share, but who should you share it with? Is it work related or personal? You wouldn’t post your latest holiday pictures on Linked-in and, by contrast, you wouldn’t post work-related information on Facebook. At least I hope not.

Consider who you let into your network

What is the use of the medium? Is it to let your friends know that you will be down the pub at 6pm, or that you are looking for another job in nuclear physics? Don’t befriend your boss on Facebook, but also don’t let your mate Steve send inappropriate jokes to your work email.

Consider what the medium is to be used for

Is it used for personal business, like keeping in contact with friends, or for work? A Facebook account is clearly personal, but what about your Twitter account? Is that personal or work related?

Consider the security of the medium

Who owns and manages the medium? What are your rights and privileges? Email may stay private, but blog posts are public.

Consider the availability and data retention of the medium

Will the post you made to someone’s Twitter account be available in 5 years’ time? That newsgroup post you made 10 years ago slating company X definitely will be. Your views may have changed since your original post, but will this information still be publicly available? Will it affect your next job interview?

Consider each of these when using the medium in question and you can’t go wrong.

Happy messaging in whatever form you choose.

Worst report ever?

August 10th, 2010

Today Cyveillance posted a press release titled “Cyveillance testing finds AV vendors detect on average less than 19% of malware attacks”. I have to say that this report was clearly put together by the person who cleans the toilets. Even an intern could do a better job. Let’s examine why I think this has the dubious honor of being the Worst Report Ever (just imagine Comic Book Guy saying it).

First of all the title: now if that isn’t FUD then I don’t know what is. Let’s examine the release in detail.

The report reveals that traditional antivirus (AV) vendors continue to lag behind online criminals when it comes to detecting and protecting against new and quickly evolving threats on the Internet.

Duh! Of course they are. I wonder how many analysts it took to figure this out?

Cyveillance testing shows that even the most popular AV signature-based solutions detect on average less than 19% of malware threats. That detection rate increases only to 61.7% after 30 days.

Tell me something that I couldn’t have figured out myself. Every self-respecting security professional knows that signature-based solutions just don’t cut the mustard in today’s security landscape. End users won’t know this, of course, but I couldn’t figure out who the report was aimed at, so I used my own experience as a baseline. I recently attended a presentation by one of the AV vendors mentioned, and they painted a pretty bleak landscape for signature-based solutions. They mentioned that one particular piece of malware had over 1000 variants. Now show me a product that can cope with signatures for all of the circa 1 million pieces of malware out there. There isn’t one, and that’s why AV vendors rely on other technologies like heuristics and reputation. But the report is about signature-based detection, so did they mean they only tested this functionality, or did someone forget that AV is not about signatures any more? If they intended to report on just one function of AV then this is stupid, as it doesn’t give a complete picture of the level of protection. If instead they meant malware detection using any technique the vendor has available, then they shouldn’t say “using signature-based detection”, because that’s just wrong.

Now, the biggest bugbear I have with this report is its use of stats. One of my favorite quotes is:

There are three kinds of lies: Lies, Damn Lies, and Statistics.

Anyone can manipulate statistics, but I am not saying that they manipulated the data in any way. It’s all to do with how it’s presented. First of all, Cyveillance states that they used 1,708 malware samples. What samples did they use and where did they get them from? Wikipedia states:

Sampling is that part of statistical practice concerned with the selection of an unbiased or random subset

Incorrect sampling will certainly introduce a skew in the results. Some vendors will likely class one piece of software as malware whilst others may not. So what if this happens? Does the vendor get scored down because they didn’t detect the “malware”? Who knows?

Additionally, I have concerns about the use of an average across all the products. Some of the products they used I have never heard of, and they clearly bring the overall results down. I question the use of these products in the test. If, for example, I were going to report on the overall speed of cars and I used the following data set:

Bugatti Veyron: 253 mph
Koenigsegg CCX: 245 mph
Ferrari Enzo: 217 mph
Ford Focus: 133 mph
Renault Clio: 108 mph
Smart Car: 80 mph

Average: 172.7 mph

Now does this mean that the average speed of all cars is 172.7 mph? Clearly not.

Also, I suspect that some of the vendors do not have the money and resources to put into sampling malware and defining signatures. But that doesn’t detract from the fact that using the average creates FUD in this case. Should you be worried? So only 61.7% of their malware sample was detected after 30 days; what I am worried about is whether the product I am using detects the malware after 30 days. Well, if you’re a Kaspersky or AVG user then no, but if you’re a Norman or eTrust-Vet user then yes. The use of the average just brings the overall results down. It is plain wrong to do this!

Would you be surprised if I told you that if you chose the top 8 vendors from the list, the overall detection rate jumps to 79.4%?

Panos Anastassiadis, COO of Cyveillance, said: “To increase protection, users can’t forget the basics – avoid unknown or disreputable websites, increase security settings on their web browser and leverage supplemental malware block lists to increase security on their devices.”

Excuse me? The users? Do you expect me to rely on administrative controls to keep my environment secure? I cannot expect users not to visit disreputable websites, whether knowingly or unknowingly; such sites simply do not carry a banner saying “disreputable website”.

Finally, the only thing I can agree on with Cyveillance COO Panos Anastassiadis is this:

Only through both proactive and reactive tools can a solid security platform be achieved.

I do hope, though, that when he says tools he is referring to controls in general and not just software.

Rant over.

Welcome

August 10th, 2010

So I finally pulled my finger out and selected a WordPress theme, and now all I need to do is get writing. Thanks for visiting my blog; I hope you enjoy reading it.