
The cyberpoppers, the security fix, and … the Other guys

May 10, 2017 in Preaching

Cyberpopping is a term I coined, for lack of a better word, to describe any vague and most of the time responsibility-free activity that is used and/or abused to sell and market IT security in whatever form and shape possible. Yup, the activity where the seller is not necessarily responsible for seeing that security through to the remediation/closure/assurance phase.

We all practice it.

There are various cyberpoppers out there:

  • 0days
  • APT
  • Dumps
  • Security Certificates
  • Security Conferences
  • Social media, including Twitter and blogs (including yours truly)
  • Periodical reports from vendors and Gartner
  • Compliance requirements (PCI DSS, ISO)
  • Groups, forums
  • etc.

At every step of this journey the ego and schadenfreude prevails. We all know better. And anytime we find something new and cool, the Champagne cork pops and we get the fix. I love it, you love it. We are one big family of security enfants terrible 🙂

As I get older though and get more and more insight into the less flashy part of the security world – one where the security is actually being implemented – it becomes more and more apparent to me that none of these things really help the Other guys. If you watched the movie you know who I am talking about. These poor creatures that sit in the backend offices, spend hours on the calls, actually talk to business people and clients, speak to non-technical people, and ensure the stuff that we are all breaking, or talk about breaking – is actually fixed. This is not a fun job, it’s error-prone, it ricochets when they screw up (it often costs big bucks!), it is long hours, and on-calls where the big decisions are made. I just want to take the moment today to say thank you to all engineers, admins, firewall guys, architects, customer-facing security guys, vulnerability management teams, and ISOs and any other guys who actually deal with the _real_ world aspects of IT security.

Copyright note: the pic adapted from the one posted on wikipedia

The cyberchild of Omelas, Quick Addendum

October 18, 2016 in Preaching

In the first part I claimed a number of things about the ‘Simpsons already did’ phenomenon, but I realize that w/o a solid proof, it is just trolling. I had a few minutes on my hands and googled around for the evidence for at least some of the claims made by yours truly 🙂 It was not hard, because I remembered many of the cases I referred to and it was just a matter of finding and linking to them…

1992 –

Virus monitors/detection by behavioral abnormality

In this approach to virus detection, the machine is booted from uninfected files and a virus monitor is installed that monitors various activities of the machine while in day-to-day use. The program monitors known methods of virus activity including attempts to infect and evade detection. This may also include attempts to write to boot sectors, modify interrupt vectors, write to system files, etc.

1998 –

IBM’s anti-virus technology, part of the IBM SecureWay comprehensive portfolio of security offerings, has been awarded six patents for inventions, ranging from a neural network that uses artificial intelligence to detect new viruses automatically to the immune system itself. IBM is the first company to develop an immune system that can detect previously unknown viruses, analyse them, and distribute a cure worldwide, all automatically and within minutes of first discovering new viruses.

2000 –

Automatically generated Win32 heuristic virus detection

Heuristic classifiers which distinguish between uninfected and infected members of some class of program objects have usually been constructed by hand. We automatically construct multiple neural network classifiers which can detect unknown Win32 viruses, following a technique described in previous work (Kephart et al, 1995) on boot virus heuristics.

These individual classifiers have a false positive rate too high for real-world deployment. We find that, by combining the individual classifier outputs using a voting procedure, the risk of false positives is reduced to an arbitrarily low level, with only a slight increase in the false negative rate. Regular heuristics retraining on updated sets of exemplars (both infected and uninfected) is practical if the false positive rate is low enough.
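To make the trade-off in that abstract concrete, here is a small added illustration (my own code, not from the 2000 paper or from IBM): a k-of-n vote over the verdicts of several heuristic classifiers, plus the false-positive and false-negative rate of that vote under the simplifying assumption that the classifiers err independently with known per-classifier rates. The per-classifier rates used in the demo (5% false positives, 10% false negatives) are constructed values, and real classifiers trained on the same exemplars are correlated, so treat the numbers as an upper bound on what voting buys you.

```python
from math import comb


def vote(verdicts, threshold):
    """Ensemble verdict: 'infected' when at least `threshold` classifiers say so."""
    return sum(1 for v in verdicts if v) >= threshold


def ensemble_error_rates(n, fp, fn, threshold):
    """False-positive and false-negative rate of a threshold vote over n
    classifiers, assuming (constructed assumption) that each classifier
    errs independently with per-sample rates fp and fn."""

    def at_least(k, p):
        # Binomial tail: probability that k or more of n trials succeed.
        return sum(comb(n, i) * p ** i * (1 - p) ** (n - i) for i in range(k, n + 1))

    # A clean file is flagged when >= threshold classifiers wrongly fire.
    ens_fp = at_least(threshold, fp)
    # An infected file is missed when fewer than threshold classifiers fire;
    # each fires correctly with probability 1 - fn.
    ens_fn = 1.0 - at_least(threshold, 1.0 - fn)
    return ens_fp, ens_fn


def tradeoff_table(n=5, fp=0.05, fn=0.10):
    """Error rates for every voting threshold, from 'any one fires' to unanimity."""
    return {k: ensemble_error_rates(n, fp, fn, k) for k in range(1, n + 1)}


if __name__ == "__main__":
    # Constructed verdicts from five hypothetical Win32 heuristic classifiers.
    verdicts = [True, False, True, True, False]
    print("majority vote:", vote(verdicts, 3), " unanimous:", vote(verdicts, 5))
    for k, (efp, efn) in tradeoff_table().items():
        print(f"threshold {k}/5: FP={efp:.2e}  FN={efn:.2e}")
```

Raising the threshold drives the ensemble's false-positive rate down geometrically, while the false-negative rate climbs; the paper's point is that with enough reasonably accurate classifiers there is a threshold where the first effect dominates and the second is tolerable.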

Plus, many articles listed here

And then there are patents…

1992 – US 5319776 A –

In transit detection of computer virus with safeguard

Data is tested in transit between a source medium and a destination medium, such as between two computer communicating over a telecommunications link or network. Each character of the incoming data stream is tested using a finite state machine which is capable of testing against multiple search strings representing the signatures of multiple known computer viruses. When a virus is detected the incoming data is prevented from remaining on the destination storage medium. Both hardware and software implementations are envisioned.
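The "finite state machine ... testing against multiple search strings" in that patent is what we would today call an Aho-Corasick automaton. As an added example (my own code, not the patent's implementation), the scanner below keeps the automaton state across chunks, so a signature split between two network packets is still caught, and the transfer simulation discards everything staged for the destination the moment a signature fires. The signature strings ("SIG_ALPHA", "BADHEADER", "HEAD") are constructed placeholders, not real malware signatures.

```python
from collections import deque


class StreamSignatureScanner:
    """Multi-pattern matcher (Aho-Corasick) fed one byte at a time.

    The current state survives between feed() calls, which is what makes
    in-transit scanning work when a signature straddles two chunks.
    """

    def __init__(self, signatures):
        # signatures: {name: bytes}. Values in the demo are constructed.
        self.goto = [{}]      # per-state transitions: byte -> next state
        self.fail = [0]       # failure link per state
        self.output = [[]]    # signature names that end at each state
        for name, sig in signatures.items():
            state = 0
            for b in sig:
                nxt = self.goto[state].get(b)
                if nxt is None:
                    self.goto.append({})
                    self.fail.append(0)
                    self.output.append([])
                    nxt = len(self.goto) - 1
                    self.goto[state][b] = nxt
                state = nxt
            self.output[state].append(name)
        # Breadth-first pass builds failure links and merges outputs, so a
        # signature that is a suffix of another one is still reported.
        queue = deque(self.goto[0].values())
        while queue:
            r = queue.popleft()
            for b, s in self.goto[r].items():
                f = self.fail[r]
                while f and b not in self.goto[f]:
                    f = self.fail[f]
                self.fail[s] = self.goto[f].get(b, 0)
                self.output[s] = self.output[s] + self.output[self.fail[s]]
                queue.append(s)
        self.state = 0
        self.hits = []

    def feed(self, chunk):
        """Advance over one chunk; return all signature names matched so far."""
        for b in chunk:
            while self.state and b not in self.goto[self.state]:
                self.state = self.fail[self.state]
            self.state = self.goto[self.state].get(b, 0)
            self.hits.extend(self.output[self.state])
        return list(self.hits)


def scan_transfer(chunks, signatures):
    """Simulate a transfer: bytes are staged for the destination as they
    arrive and thrown away as soon as any signature matches.

    Returns (blocked, hits, bytes_delivered)."""
    scanner = StreamSignatureScanner(signatures)
    staged = bytearray()
    for chunk in chunks:
        staged += chunk
        if scanner.feed(chunk):
            return True, list(scanner.hits), b""   # nothing remains on the destination
    return False, [], bytes(staged)


if __name__ == "__main__":
    # Constructed signatures and a constructed two-packet transfer where the
    # first signature is split across the packet boundary.
    SIGS = {"alpha": b"SIG_ALPHA", "beta": b"BADHEADER", "gamma": b"HEAD"}
    print(scan_transfer([b"hello SIG_AL", b"PHA rest"], SIGS))
    print(scan_transfer([b"BADHEADER"], SIGS))
    print(scan_transfer([b"clean ", b"file"], SIGS))
```

The automaton is linear in the number of bytes scanned regardless of how many signatures are loaded, which is why this design, rather than running each signature as a separate search, is what made scanning at line speed feasible.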

1997 – US 5842002 A –

Computer virus trap

A computer virus trapping device is described that detects and eliminates computer viruses before they can enter a computer system and wreak havoc on its files, peripherals, etc. The trapping device creates a virtual world that simulates the host computer system intended by the virus to infect. The environment is made as friendly as possible to fool a computer virus into thinking it is present on the host, its intended target system. Within this virtual world, the virus is encouraged to perform its intended activity. The invention is able to detect any disruptive behavior occurring within this simulated host computer system. It is further able to remove the virus from the data stream before it is delivered to the host and/or take any action previously instructed by a user.

1997 – US 6167520 A –

System and method for protecting a client during runtime from hostile downloadables

A system and method examine execution or interpretation of a Downloadable for operations deemed suspicious or hostile, and respond accordingly. The system includes security rules defining suspicious actions and security policies defining the appropriate responsive actions to rule violations. The system includes an interface for receiving incoming Downloadable and requests made by the Downloadable. The system still further includes a comparator coupled to the interface for examining the Downloadable, requests made by the Downloadable and runtime events to determine whether a security policy has been violated, and a response engine coupled to the comparator for performing a violation-based responsive action.