Open Source and information security mailing list archives
From: thor at pivx.com (Thor Larholm)
Subject: Re: getting rid of outbreaks and spam

0.02 kroner coming up :)

> From: Gadi Evron [0]
>
> 2. In a broader view, notifications ARE currently the
> problem rather than a solution.

I think we all recognize the fundamental truth that AV notifications are
pure marketing. They contain no instructions on removing the virus and only
serve to spread FUD. Somewhere sometime, a marketer at an AV company thought
"hey, let's get new customers by notifying people that send the virus!",
implemented it and everybody followed suit since "everybody is doing it, we
might as well also".

AV notifications have degenerated from a misguided assistance to become an
even worse problem than the viruses they are supposed to stop.


> 3. I think we look at the whole problem in the wrong way,
> allow me to elaborate:
> The AV industry is built on reaction rather than prevention.
> Adding new signatures is still the #1 tool in the fight against
> malware.

I couldn't agree more. We should stop wasting time on detailing the subject
lines of a new virus, what P2P folder the latest worm copies itself to or
how the latest Blaster variant changes spread algorithms on the second
Thursday of the month (provided it's raining in Spain). All of this does
nothing to prevent any future reoccurrences of the same threats and is mainly
of academic interest - if you're writing a paper on worm propagation
techniques or a book about "The 1001 funniest virus subject lines". We're
all curious beings, but having my mom know the subject lines of the 5 latest
viruses does nothing to prevent her from opening attachments or being
infected by Blaster.

We need to change our mindsets fundamentally and approach these threats from
a different angle. Instead of playing archeologists that are uncovering
dinosaur bones and detailing their ridges we need to become bio engineers
who analyze DNA mutation patterns and create strains of tomato plants that
can endure cold winter nights. It is essential that we invest serious time
and money into analyzing and matrixing the common attack, spread and
infection vectors of the threats that our corporate networks and public
infrastructure encounter, and that we use that knowledge to create targeted
counteractions and proactive threat mitigations that can hinder the spread or
impact of generic types of threats - in advance.

This is not just a philosophy but a viable approach to applicable crafting.
We at PivX Solutions have been preaching Proactive Threat Mitigation for
quite some time now. I have been speaking about it at conferences (blame
Canada), the panel members understood it when we explained it at the first
National Cyber Security Summit and we integrated our initial efforts into
Qwik-Fix which prevented dozens of threats in Q4 2003 (MiMail, lots of IE
exploits, etc).

I think we can all get lost in specifics from time to time, which is why it
is important to remember that real security is all about risk management -
how much time and money do we want to invest in lowering the inherent risk
to an acceptable level? It is only when we start diverting those resources
away from reactive solutions, such as antivirus that have not hindered any
major virus outbreak but even created the far worse problem of AV
notifications, and towards proactive appliances and proper risk management
that we can minimize our risk and shorten our window of exposure to threats.


> With spam and mass mailers clogging the tubes, causing us all to
> waste money on bigger tubes, as well as our time dealing with the
> annoyance (more money), shouldn't the problem be solved there
> (at the main tubes themselves) rather than at the end user's desktop?
>
> They are right, it isn't currently demanded of them.

ISPs and peering points should seriously consider the development and
implementation of technologies that can unintrusively and anonymously detect
threats and filter packets that meet certain risk criteria, before
governmental agencies wake up and start addressing the issue by regulations
and law that will inevitably limit their control of private property.



[0] original post
http://www.securityfocus.com/archive/1/352406/2004-02-02/2004-02-08/0


Regards

Thor Larholm
Senior Security Researcher
PivX Solutions
24 Corporate Plaza #180
Newport Beach, CA 92660
http://www.pivx.com
thor@...x.com
Phone: +1 (949) 231-8496
PGP: 0x5A276569
6BB1 B77F CB62 0D3D 5A82 C65D E1A4 157C 5A27 6569

PivX defines "Proactive Threat Mitigation". Get a FREE Beta Version of
Qwik-Fix <http://www.qwik-fix.net>
