lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
From: dowlingg at sullcrom.com (Dowling, Gabrielle)
Subject: RE: Symantec wants to criminalize security info
    sharing

Jason ---

I can't see that your argument holds water in the least.

Yup, you know, almost everyone who works in my IS department believes
that AV companie release viruses just so they can trap them.  That's
just silly.  They don't have to, so why would they do something so
stupid?

They have also come out as a whole to decry the University of Calgary's
proposed course on virus writing (and rightfully so -- all you will
learn about how viruses function by writing is how your particular virus
works), and stated that they will not even hire graduates of the course.

To take it a step further, whomever yanked the public exploit code that
was the core of Blaster and turned it into a worm didn't seem to know
much about coding, and they certainly didn't need AV company's help,
just Packstorm's.

But, back to the insider trading / stock price question.  Most public
companies do not have to report business impact to do a major virus
incursion, except for some new law for e-commerce sites, and that may be
in California only.  I don't think the finance sector is  yet affected
by these laws, but I'm not sufficently familiar with Sarbanes-Oxley to
be certain of that.

It was a bugbear variant that tried to capture data from financial
institutions, and afaik know it was completely unsuccessful in doing so
because, hmm, they all block exe's inbound via mail, so, hmmm, all it
did was capture popular attention.

Now, for stock market prices, if there is such a trend (but you really
can't say there's such a trend unless you've controlled for a lot of
other factors), are you sure you can't chalk it up simply to media
attention and the emotional factor that continues to drive the market,
even on highly paid analyst's end?

I really think we would all be better off not focusing on this supposed
av company malfeasance and rather focus on what security vendors could
best offer us.  It strikes me that av is rather straightforward, but the
rest of the industry offerings are vastly more problematic.  I wonder
still why ISS contiues to have a "Melissa virus" sig, rated high, that
simply checks for "Important information for...." in the subject line of
a message.  3 years ago that was probably helpful, not so now.

Best,

Gaby

-----Original Message-----
From: Jason Coombs [mailto:jasonc@...ence.org] 
Sent: Thursday, September 11, 2003 8:03 PM
To: l8km7gr02@...akemail.com
Cc: Full-Disclosure@...ts. Netsys. Com
Subject: RE: [Full-Disclosure] RE: Symantec wants to criminalize
security info sharing


Aloha, Cory.

> Historically, have worms/malware visibly affected the US stock market?

First let me say that the answer is an empirical "yes" to your question.

I've personally watched worms and malware affect U.S. stock prices.

Look at a recent stock chart of SYMC -- there are lots of reasons to
explain the recent rise to all-time-highs. They were added to the S&P
500 in April, the U.S. markets have just staged one of the great
short-term rises in history, etc.

However, when you plot a detailed overlay of malware events with
specific minute-by-minute charts of each day's trading, something that
you probably don't have the data available to do easily, and compare it
to news wires and a timeline showing people's actions in the industry,
press, etc. what you see is that particular financial instruments, such
as near-expiration stock options, move dramatically. These moves are
obviously predictable for those in-the-know...

What isn't as easy to assemble, but that I've witnessed personally and
have some evidence to substantiate, is the relationship between comments
made by the executives of Symantec and specific features of subsequent
malware.

For instance, at the beginning of June a bit of malware was released
that targeted financial services companies... I think it was one of the
SoBig viruses, but I'd have to go back to my notes to confirm... Inside
the virus was code that would attempt to determine if it had infected a
computer that belongs to a hard-coded list of financial services
companies, and if so then bad things would happen such as gathering
passwords and account numbers with the appearance that this pilfered
data would supposedly make it back to the malware author ... the
likelihood of that actually happening is so small as to be absurd, and
authorities would capture the malware author if there really was any
direct communication between the person and the infected hosts at
financial services companies -- just as certainly as Blaster.B (Lovesan)
variant author Jeffrey Lee Parson's insertion of code to contact his own
Web site led to his capture recently.

What nearly everyone missed was the fact that a Symantec executive (as I
recall it was the CEO during an investor presentation during May) had
only days prior lamented the fact that Symantec didn't have enough
market penetration into financial services companies...

Now, I'm not suggesting there is a direct conspiracy between Symantec
executives and malware authors. I'm stating that there is in fact, and
in provable fact, a direct link between these people -- the free market,
the press, and SEC-mandates for equal access to information that could
impact the public's analysis of the company as an investment. It can be
seen in the sequence of events just described and it can be surmised,
without being ridiculous, that professional malware authors would take
advantage of their ability to impact stock prices in order to make
money.

When better evidence emerges that is non-circumstantial, you can be sure
that we'll all see it. Until then, if any Symantec executive really
calls for criminalization of full disclosure, I've got the ability to
assemble a detailed report showing item after item of circumstantial
evidence that may be enough to justify an SEC investigation.

I hope that it's never necessary for me to write this report. I also
hope that if any such investigation does occur at any time in the
future, that we don't find out that we've been deceived by people who
have a fiduciary duty to be trustworthy -- that's happening in other
places, but it should not be tolerated by any member of the infosec
community.

One thing is certain: the potential exists for malware authors to
manipulate the stock market. And where there is potential for
penetrations or abuses, they often do in fact occur. In my opinion,
Symantec should consider going private in order to remove this potential
for financial reward of malware authors.

Sincerely,

Jason Coombs
jasonc@...ence.org

-----Original Message-----
From: full-disclosure-admin@...ts.netsys.com
[mailto:full-disclosure-admin@...ts.netsys.com]On Behalf Of
l8km7gr02@...akemail.com
Sent: Thursday, September 11, 2003 12:25 PM
To: full-disclosure@...ts.netsys.com
Subject: Re: [Full-Disclosure] RE: Symantec wants to criminalize
security info sharing


Mr. Coombs,

I find your ideas intriguing and wish to subscribe to your newsletter.

Seriously though, you make some fairly serious accusations -- do you
have anything with which to back them up?  I'm not trying to be
adversarial, I just think it would make for some very interesting
reading.

Historically, have worms/malware visibly affected the US stock market?

Personally, I think that any move to restrict discourse (by Symantec or
others) without air-tight justification should be met with extreme
skepticism (and subsequent retaliation) by the public.  I very much look
forward to hearing how Symantec spins the announcement over the next few
days.

If it's true and Schwarz meant exactly how Wired represented him, I'm
still not convinced his motivations are (directly) dollar-based.  It's
all part of the same Branding movement, started in the early '90s.  It
wouldn't be unheard-of for Symantec to wish to trandscend its relatively
modest position in the AV world and make themselves out to be *the*
resource for security and recovery tools and information.

That doesn't mean it's right, of course -- it just wouldn't be
unexpected.

take care,

Cory


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


**********************************************************************
This e-mail is sent by a law firm and contains information
that may be privileged and confidential. If you are not the 
intended recipient, please delete the e-mail and notify us 
immediately. 
***********************************************************************

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ