Showing posts with label Silicon Snake Oil.

Thursday, August 06, 2009

Astroturfing AV: When the wolves guard the hen house

Like any typical morning, I woke up, picked up my iPhone, fired up a Twitter app and prepared to be educated about current happenings in the world. I was initially bored when I stumbled across a blog post on the Kaspersky Lab-sponsored site "threatpost" entitled “Some Researchers Lack Basic Ethics”. I assumed that I would read another generic article about AV researchers selling warez to the Russian Mafia or something truly nefarious along those same lines. Instead I was treated to a thinly disguised PR talking point by a Kaspersky researcher, Roel Schouwenberg. The central theme of Schouwenberg's post was the vilification of ethics-lacking researchers who demonstrate how easily an attacker can evade signature-based AV systems.

The evil ethics-lacking incident drawing the ire of Schouwenberg is a University of Michigan project, Polypack. The Polypack Project is a website that demonstrates how Crimeware-as-a-Service, a generic term describing anyone who creates malware for a system, works, using a specific detected malware sample that the user uploads to the site. To quote Schouwenberg:
“The idea behind the site is that people can upload (detected) malware files and make them undetected by as many anti-virus products as possible.”

Being able to tell how easily a malware sample can be made undetectable by various AV products... could you think of anything worse for an AV salesperson?

I visualize how this conversation went down: a Kaspersky sales guy didn’t make his anti-virus product sales numbers and blamed it on the Polypack Project. Without further questioning, the PR people immediately dispatched a researcher to debunk the accuracy and validity of this project. You can tell this isn’t an earnest effort by Schouwenberg to educate a reader: at no point does Schouwenberg ever provide a link to the project so that the reader can review it and make the decision for themselves. Schouwenberg and the PR people are banking on the laziness of their reader.

The Polypack Project can be found here with the research paper here. Contrary to the claims of PR people at an AV sales company, I think this project is a good piece of engineering and evaluation of a failing technology. Through this project, a user can determine which AV system fails to detect a higher number of malware (aka viruses). In turn, a large company can spend less money, time, and resources deploying a high-priced signature-based AV system if they know it has the most holes. Hrm, why is Kaspersky afraid of this sort of open testing? The crowning jewel of Schouwenberg's post is when he cites numbers for how many samples are received and analyzed in a day. He makes the numbers sound almost overwhelming and intends to convey the message that “we can’t protect you from the bad guys if we have to spend time handling shortcomings in our engine pointed out by projects like this”. Schouwenberg fails to point out that technology like the Polypack Project is useless to criminals, as criminals have their own tools for this type of testing.

Unfortunately for Kaspersky (and other AV sales companies), projects such as the Polypack Project highlight the fallacy that signature-based AV products can protect anything other than sales numbers. Could you imagine a slightly different scenario: "Cigarette company employee states that research into the tobacco/cancer link is unethical?"

Monday, June 30, 2008

More fodder for the arms race...

http://tech.slashdot.org/article.pl?sid=08/06/30/1155205&from=rss

A long, long time ago (5 years I think) I did a talk on why anomaly-based IDSes do not work. Given the ability to spend a few days analyzing traffic, you can evade them easily. I am guessing the same holds true for "throttling traffic even though it’s encrypted". If you look at the two points of data that can be reliably read, packet size and frequency, those can be varied greatly by an attacker without introducing much latency or overhead.

Like most things in security produced in labs, this technique will only be effective as long as no one knows it has been implemented.
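To make concrete what such a detector actually has to work with on an encrypted stream, here is an added example (not code from the post) of a minimal anomaly scorer built on exactly the two features named above, mean packet size and mean inter-arrival gap. The baseline flows, the bulk-transfer flow and the baseline-like flow are all constructed, not captured traffic; the threshold of three standard deviations is an assumption. The point for a defender is that a flow whose size and timing statistics fall inside the learned baseline is simply invisible to this class of detector, whatever its payload is.

```python
"""Anomaly scoring over the two features the post names: packet size and
frequency (inter-arrival time). Added example, not from the original post;
the flows below are constructed, not captured traffic."""
from statistics import mean, stdev


def make_flow(sizes, gap):
    """Build a constructed flow: list of (timestamp_seconds, size_bytes)."""
    return [(i * gap, size) for i, size in enumerate(sizes)]


def flow_features(packets):
    """Return (mean packet size, mean inter-arrival gap) for one flow.

    These are the only two things a detector sees on an encrypted stream."""
    sizes = [size for _, size in packets]
    times = [ts for ts, _ in packets]
    gaps = [later - earlier for earlier, later in zip(times, times[1:])]
    mean_gap = mean(gaps) if gaps else 0.0
    return mean(sizes), mean_gap


def build_baseline(flows):
    """Learn per-feature mean/stdev from flows assumed to be benign."""
    feats = [flow_features(flow) for flow in flows]
    sizes = [size for size, _ in feats]
    gaps = [gap for _, gap in feats]
    return {"size": (mean(sizes), stdev(sizes)), "gap": (mean(gaps), stdev(gaps))}


def anomaly_score(flow, baseline):
    """Largest z-score across the two features."""
    size, gap = flow_features(flow)
    z_size = abs(size - baseline["size"][0]) / baseline["size"][1]
    z_gap = abs(gap - baseline["gap"][0]) / baseline["gap"][1]
    return max(z_size, z_gap)


def is_anomalous(flow, baseline, threshold=3.0):
    """Flag a flow whose size or timing sits more than `threshold` sigma out."""
    return anomaly_score(flow, baseline) > threshold


# Constructed "interactive session" baseline: ~100-byte packets, ~0.5 s apart.
BASELINE_FLOWS = [
    make_flow([90, 110, 100, 95, 105], 0.50),
    make_flow([80, 120, 100, 90, 120], 0.45),
    make_flow([100, 100, 100, 100, 90], 0.55),
    make_flow([85, 115, 95, 105, 110], 0.60),
    make_flow([95, 105, 90, 110, 90], 0.40),
]
BASELINE = build_baseline(BASELINE_FLOWS)

# Constructed bulk transfer: full-size packets back to back, far outside baseline.
BULK_FLOW = make_flow([1400] * 5, 0.01)
# Constructed flow whose sizes and timing match the baseline: invisible to this detector.
BASELINE_LIKE_FLOW = make_flow([100, 100, 100, 100, 100], 0.50)

if __name__ == "__main__":
    for name, flow in [("bulk", BULK_FLOW), ("baseline-like", BASELINE_LIKE_FLOW)]:
        print(name, round(anomaly_score(flow, BASELINE), 1), is_anomalous(flow, BASELINE))
```

Run it and the bulk flow scores hundreds of sigma out on size alone while the baseline-like flow scores near zero; a real deployment would add more features (direction, burst structure, destination history) precisely because these two are so cheap to blend into.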

Tuesday, January 16, 2007

Poisoned by the Venom: Silicon Snake Oil:Vol 1 BigString

People often ask me what it is that ErrataSec does. Outsourced security research doesn’t seem descriptive enough for most people. Well, basically, companies like ISS, eEye, and iDefense have research teams. These are groups of people that can take a product apart and then detail its problems. This doesn’t mean just finding buffer overflows; sometimes it means simple things like architecture problems. We are basically a research team for hire.

I have the perfect example of what we do. It’s a rather simplistic example and I assure you more examples are forthcoming in a new blog series called “Poisoned by the Venom: Silicon Snake Oil”. This will be a monthly series where we will attempt to impart some wisdom to our readers about how to logically analyze a vendor claim and evaluate a product. This series is starting off rather simply, with me starting my day with my trusty RSS reader. I came across an article on Gizmodo that caught my eye.

http://gizmodo.com/gadgets/software/bigstring-recallable-email-send-naked-vidmail-to-the-boss-with-confidence-228926.php

It’s a service that claims to offer email that is recallable or that can be forced to expire. Knowing what I do about how email works, this can't mean that the message that gets delivered will be deleted; that would mean that a third-party source can delete emails on an arbitrary server. That’s not how email servers work. So before looking at the service at all I have a feeling that what will happen is that the contents of your email will be stored on their webserver and when it’s recalled or expired the content is just removed. This would mean that the message you receive on your email server is really nothing more than an HTML message that links back to the hosted content that contains your message. This is already a problem for people that don’t receive HTML email or don’t have HTML-enabled email clients.

So I went to the site and signed up for an account. The first clue that this really isn’t a security-oriented service is that, using a typical password for me that contains uppercase, lowercase, and alphanumeric characters, I get a message that my password is too long. If I were worried about security this would worry me, because it would be easy for someone to brute-force my account.
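A "password too long" rejection is a warning sign because a properly hashed password costs the same to store whether it is 12 or 200 characters long, so the only reasons to cap length are laziness or plaintext storage. As an added example (not BigString's code, and the limits and iteration count are assumptions), here is the shape of a policy that does the opposite: it enforces a floor, tolerates very long passphrases, and stores a fixed-size salted PBKDF2 digest.

```python
"""Password policy that does not cap length, plus a fixed-output KDF, for the
point the post makes: a "too long" rejection is a warning sign, because a
hashed password takes the same storage whether it is 12 or 200 characters.
Added example, not BigString's code; the limits below are assumptions."""
import hashlib
import hmac
import os

MIN_LENGTH = 12
MAX_LENGTH = 1024          # only guards the KDF against absurd inputs
ITERATIONS = 600_000       # PBKDF2-HMAC-SHA256 work factor (assumed value)
SALT_LEN = 16


def check_policy(password):
    """Return a list of policy violations; an empty list means accepted."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(password) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")
    classes = (
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    )
    if sum(classes) < 3:
        problems.append("uses fewer than 3 character classes")
    return problems


def hash_password(password, salt=None):
    """Salted PBKDF2; output is always SALT_LEN + 32 bytes regardless of input length."""
    salt = salt if salt is not None else os.urandom(SALT_LEN)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt + digest


def verify_password(password, stored):
    """Constant-time comparison against a stored salt+digest blob."""
    salt, digest = stored[:SALT_LEN], stored[SALT_LEN:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    passphrase = "Correct-Horse-Battery-Staple-42-" * 4   # 128 characters, accepted
    print(check_policy("short"))
    print(check_policy(passphrase))
    blob = hash_password(passphrase)
    print(len(blob), verify_password(passphrase, blob))
```

The 1024-character ceiling exists only so that a client cannot make the server grind PBKDF2 over megabytes of input; it is far above anything a human types, which is the difference between a sane limit and the one the post ran into.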

After creating a few emails, my initial thoughts were correct. When you send an email that is “recallable”, all that happens is that your text is turned into an image. In theory this would help with the problem of people copying or forwarding your email, because they can’t just cut and paste your text. On top of that, the image is hosted on the Bigstring servers. When I click to “recall the email”, all that happens is that the image of my text is replaced with a blank image. This has the same problem that most DRM has: a simple problem that has been overlooked. Most audio DRM can be defeated by just plugging the headphone jack of one machine into the input jack on another.

To defeat the “recallable” option, all someone needs to do is press Print Screen before the message expires. This isn't really an ingenious or sneaky trick; it should be common sense. Below are before and after pics of the same message; there really isn’t much a company can do about disabling the Print Screen button, so the “recallable” feature of the email service really isn’t useful.
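The mechanism described in the last few paragraphs (an HTML shell that links to an image hosted by the service, with "recall" replacing only the hosted copy) can be modelled in a few lines. The following is an added example, not BigString's code: the class names, the hosted.example URL and the message bytes are constructed. It shows two things a defender cares about: a recipient who has already fetched the image keeps it no matter what the service later does, and a mail gateway can cheaply flag messages whose body contains no readable text, only remotely hosted images, since their real content lives on a third party's server and can change after delivery.

```python
"""Model of the "recall" mechanism the post describes: the delivered email is
an HTML shell pointing at content the service hosts, and recall only replaces
the hosted copy. Added example, not BigString's code; the class names, the
hosted.example URL and the message bytes are constructed."""
from html.parser import HTMLParser
from urllib.parse import urlparse


class HostedContentService:
    """Hypothetical service side: keeps the rendered message image per id."""
    BLANK = b"<constructed blank image bytes>"

    def __init__(self):
        self._store = {}

    def send(self, msg_id, rendered_image):
        """Store the image and return what the recipient's mail server actually gets."""
        self._store[msg_id] = rendered_image
        return f'<html><body><img src="https://hosted.example/msg/{msg_id}.png"></body></html>'

    def fetch(self, msg_id):
        return self._store.get(msg_id, self.BLANK)

    def recall(self, msg_id):
        """'Recall' cannot reach the recipient's server; it only blanks the hosted copy."""
        self._store[msg_id] = self.BLANK


class RecipientClient:
    """Recipient's HTML-capable mail client; it keeps whatever it has already fetched."""

    def __init__(self, service):
        self.service = service
        self.cache = {}

    def open_message(self, msg_id):
        if msg_id not in self.cache:
            self.cache[msg_id] = self.service.fetch(msg_id)
        return self.cache[msg_id]


class RemoteImageFinder(HTMLParser):
    """Collect remote <img> sources and any readable text in an HTML body."""

    def __init__(self):
        super().__init__()
        self.remote_images = []
        self.text = ""

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            src = dict(attrs).get("src") or ""
            if urlparse(src).scheme in ("http", "https"):
                self.remote_images.append(src)

    def handle_data(self, data):
        self.text += data.strip()


def body_is_remote_only(html_body):
    """Mail-gateway check: the body carries no readable text, only remote images.

    Such a message is unreadable without HTML, and its real content lives
    (and can change) on a third party's server."""
    finder = RemoteImageFinder()
    finder.feed(html_body)
    return bool(finder.remote_images) and not finder.text


def demo():
    """Send, open, recall, open again; return what each party ends up holding."""
    service = HostedContentService()
    shell = service.send("42", b"<constructed PNG of the message text>")
    recipient = RecipientClient(service)
    before_recall = recipient.open_message("42")
    service.recall("42")
    after_recall = recipient.open_message("42")   # cached: recall changed nothing here
    fresh_view = service.fetch("42")              # a first-time viewer now sees blank
    return shell, before_recall, after_recall, fresh_view


if __name__ == "__main__":
    shell, before, after, fresh = demo()
    print("remote-only body:", body_is_remote_only(shell))
    print("recipient copy survives recall:", before == after)
    print("hosted copy now blank:", fresh == HostedContentService.BLANK)
```

The cache in `RecipientClient` plays the role of the Print Screen key in the post: once the bytes have crossed to the recipient, the sender's side has no further say. The gateway check is the defensive takeaway; a body that is nothing but remote images is worth flagging regardless of which vendor is behind the link.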

The next edition will target two-factor auth systems that claim to stop ID theft.