RE: [Full-Disclosure] RE: Symantec wants to criminalize security info sharing

From: Jason Coombs (jasonc_at_science.org)
Date: 09/12/03

    To: <l8km7gr02@sneakemail.com>
    Date: Thu, 11 Sep 2003 14:03:11 -1000
    
    

    Aloha, Cory.

    > Historically, have worms/malware visibly affected the US stock market?

    First let me say that the answer is an empirical "yes" to your question.

    I've personally watched worms and malware affect U.S. stock prices.

    Look at a recent stock chart of SYMC -- there are lots of reasons to explain
    the recent rise to all-time-highs. They were added to the S&P 500 in April,
    the U.S. markets have just staged one of the great short-term rises in
    history, etc.

    However, when you plot a detailed overlay of malware events with specific
    minute-by-minute charts of each day's trading, something that you probably
    don't have the data available to do easily, and compare it to news wires and a
    timeline showing people's actions in the industry, press, etc. what you see is
    that particular financial instruments, such as near-expiration stock options,
    move dramatically. These moves are obviously predictable for those
    in-the-know...

    What isn't as easy to assemble, but that I've witnessed personally and have
    some evidence to substantiate, is the relationship between comments made by
    the executives of Symantec and specific features of subsequent malware.

    For instance, at the beginning of June a bit of malware was released that
    targeted financial services companies... I think it was one of the SoBig
    viruses, but I'd have to go back to my notes to confirm... Inside the virus
    was code that would attempt to determine if it had infected a computer that
    belongs to a hard-coded list of financial services companies, and if so then
    bad things would happen such as gathering passwords and account numbers with
    the appearance that this pilfered data would supposedly make it back to the
    malware author ... the likelihood of that actually happening is so small as to
    be absurd, and authorities would capture the malware author if there really
    was any direct communication between the person and the infected hosts at
    financial services companies -- just as certainly as Blaster.B (Lovesan)
    variant author Jeffrey Lee Parson's insertion of code to contact his own Web
    site led to his capture recently.

    What nearly everyone missed was the fact that a Symantec executive (as I
    recall it was the CEO during an investor presentation during May) had only
    days prior lamented the fact that Symantec didn't have enough market
    penetration into financial services companies...

    Now, I'm not suggesting there is a direct conspiracy between Symantec
    executives and malware authors. I'm stating that there is in fact, and in
    provable fact, a direct link between these people -- the free market, the
    press, and SEC-mandates for equal access to information that could impact the
    public's analysis of the company as an investment. It can be seen in the
    sequence of events just described and it can be surmised, without being
    ridiculous, that professional malware authors would take advantage of their
    ability to impact stock prices in order to make money.

    When better evidence emerges that is non-circumstantial, you can be sure that
    we'll all see it. Until then, if any Symantec executive really calls for
    criminalization of full disclosure, I've got the ability to assemble a
    detailed report showing item after item of circumstantial evidence that may be
    enough to justify an SEC investigation.

    I hope that it's never necessary for me to write this report. I also hope that
    if any such investigation does occur at any time in the future, that we don't
    find out that we've been deceived by people who have a fiduciary duty to be
    trustworthy -- that's happening in other places, but it should not be
    tolerated by any member of the infosec community.

    One thing is certain: the potential exists for malware authors to manipulate
    the stock market. And where there is potential for penetrations or abuses,
    they often do in fact occur. In my opinion, Symantec should consider going
    private in order to remove this potential for financial reward of malware
    authors.

    Sincerely,

    Jason Coombs
    jasonc@science.org

    -----Original Message-----
    From: full-disclosure-admin@lists.netsys.com
    [mailto:full-disclosure-admin@lists.netsys.com]On Behalf Of
    l8km7gr02@sneakemail.com
    Sent: Thursday, September 11, 2003 12:25 PM
    To: full-disclosure@lists.netsys.com
    Subject: Re: [Full-Disclosure] RE: Symantec wants to criminalize
    security info sharing

    Mr. Coombs,

    I find your ideas intriguing and wish to subscribe to your newsletter.

    Seriously though, you make some fairly serious accusations -- do you
    have anything with which to back them up? I'm not trying to be
    adversarial, I just think it would make for some very interesting
    reading.

    Historically, have worms/malware visibly affected the US stock market?

    Personally, I think that any move to restrict discourse (by Symantec
    or others) without air-tight justification should be met with extreme
    skepticism (and subsequent retaliation) by the public. I very much look
    forward to hearing how Symantec spins the announcement over the next few
    days.

    If it's true and Schwarz meant exactly how Wired represented him, I'm
    still not convinced his motivations are (directly) dollar-based. It's
    all part of the same Branding movement, started in the early '90s. It
    wouldn't be unheard-of for Symantec to wish to transcend its relatively
    modest position in the AV world and make themselves out to be *the*
    resource for security and recovery tools and information.

    That doesn't mean it's right, of course -- it just wouldn't be
    unexpected.

    take care,

    Cory

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html

