[Full-Disclosure] Re: getting rid of outbreaks and spam

From: Thor Larholm (thor_at_pivx.com)
Date: 02/05/04

  • Next message: Stefan Esser: "Re: [Full-Disclosure] Interesting side effect of the new IE patch"
To: <full-disclosure@lists.netsys.com>
Date: Thu, 5 Feb 2004 14:45:04 -0800

0.02 kroner coming up :)

> From: Gadi Evron [0]
>
> 2. In a broader view, notifications ARE currently the
> problem rather than a solution.

I think we all recognize the fundamental truth that AV notifications are pure marketing. They contain no instructions on removing the virus and only serve to spread FUD. Somewhere sometime, a marketer at an AV company thought "hey, let's get new customers by notifying people that send the virus!", implemented it and everybody followed suit since "everybody is doing it, we might as well also".

AV notifications have degenerated from a misguided assistance to become an even worse problem than the viruses they are supposed to stop.

> 3. I think we look at the whole problem in the wrong way,
> allow me to elaborate:
> The AV industry is built on reaction rather than prevention.
> Adding new signatures is still the #1 tool in the fight against
> malware.

I couldn't agree more. We should stop wasting time on detailing the subject lines of a new virus, what P2P folder the latest worm copies itself to or how the latest Blaster variant changes spread algorithms on the second Thursday of the month (provided it's raining in Spain). All of this does nothing to prevent any future reoccurrences of the same threats and is mainly of academic interest - if you're writing a paper on worm propagation techniques or a book about "The 1001 funniest virus subject lines". We're all curious beings, but having my mom know the subject lines of the 5 latest viruses does nothing to prevent her from opening attachments or being infected by Blaster.

We need to change our mindsets fundamentally and approach these threats from a different angle. Instead of playing archeologists that are uncovering dinosaur bones and detailing their ridges we need to become bio engineers who analyze DNA mutation patterns and create strains of tomato plants that can endure cold winter nights. It is essential that we invest serious time and money into analyzing and matrixing the common attack, spread and infection vectors of the threats that our corporate networks and public infrastructure encounter, and that we use that knowledge to create targeted counteractions and proactive threat mitigations that can hinder the spread or impact of generic types of threats - in advance.

This is not just a philosophy but a viable approach to applicable crafting. We at PivX Solutions have been preaching Proactive Threat Mitigation for quite some time now. I have been speaking about it at conferences (blame Canada), the panel members understood it when we explained it at the first National Cyber Security Summit and we integrated our initial efforts into Qwik-Fix which prevented dozens of threats in Q4 2003 (MiMail, lots of IE exploits, etc.).

I think we can all get lost in specifics from time to time, which is why it is important to remember that real security is all about risk management - how much time and money do we want to invest in lowering the inherent risk to an acceptable level? It is only when we start diverting those resources away from reactive solutions, such as antivirus that have not hindered any major virus outbreak but even created the far worse problem of AV notifications, and towards proactive appliances and proper risk management that we can minimize our risk and shorten our window of exposure to threats.

> With spam and mass mailers clogging the tubes, causing us all to
> waste money on bigger tubes, as well as our time dealing with the
> annoyance (more money), shouldn't the problem be solved there
> (at the main tubes themselves) rather than at the end user's desktop?
>
> They are right, it isn't currently demanded of them.

ISPs and peering points should seriously consider the development and implementation of technologies that can unintrusively and anonymously detect threats and filter packets that meet certain risk criteria, before governmental agencies wake up and start addressing the issue by regulations and law that will inevitably limit their control of private property.

[0] original post
http://www.securityfocus.com/archive/1/352406/2004-02-02/2004-02-08/0

Regards

Thor Larholm
Senior Security Researcher
PivX Solutions
24 Corporate Plaza #180
Newport Beach, CA 92660
http://www.pivx.com
thor@pivx.com
Phone: +1 (949) 231-8496
PGP: 0x5A276569
6BB1 B77F CB62 0D3D 5A82 C65D E1A4 157C 5A27 6569

PivX defines "Proactive Threat Mitigation". Get a FREE Beta Version of Qwik-Fix
<http://www.qwik-fix.net>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

