Secure Coding mailing list archives

Re: informIT: Modern Malware


From: Andy Steingruebl <steingra () gmail com>
Date: Wed, 23 Mar 2011 11:17:08 -0700

On Wed, Mar 23, 2011 at 8:14 AM, Gary McGraw <gem () cigital com> wrote:

> I agree that clueless users who click on whatever pops up lead to many
> infections even when software is in reasonable shape, but I don't see that
> as a reason not to build better software.  Presumably, you guys at paypal
> agree.  Right?

First, I tend to use my personal email here rather than work one, so
don't assume I speak for them ever, and especially not when I use my
own email :)

Second, I totally agree on making endpoints more resilient against
malware, increasing software security, etc.  I've noticed however that
we (many of us, especially those with a user-rights bent) end up with
two competing goals in this space:

1. Make endpoints resilient against malware
2. Allow users to have complete control of their own computer, aka, no
walled gardens.

These two competing desires make defeating malware especially
problematic.  Lots of malware exploits technical flaws, and increasing
our software security practices will help defeat these.  As these
defenses get better, malware moves towards social engineering, and
we're ill-equipped to defend against these as there are more and more
software distribution channels, and policing gets harder.  Hence the
traditional AV-signature based approaches, which are only
semi-effective, especially when the Rogue-AV software even has a
human-staffed helpdesk to help you remove your "actual AV" and replace
it with theirs.

All the systems we've come up with so far to defeat this involve
walled gardens, heuristics looking for bad behavior, etc., and they are
all sort of a band-aid.

Your article started out saying - "At the same time, software
complexity, including the notion of extensibility designed into
virtual machines like the Java Virtual Machine (JVM), leads to serious
and widespread software vulnerability that lies at the root of the
malware problem.".

It is this statement that I'm wary of, as it doesn't take into account
the non-vulnerability aspects of the problem.  If we ignore those and
only focus on drive-by malware, we're quickly going to find that the
attackers have shifted their focus, and our purely technical controls
are ineffective.

Neil makes a good point on this thread about how Dasient, and other
providers, can help, and there are also some client-side techniques
that are useful.  So is Apple's curated app-store.  It isn't perfect,
but the curated model along with swift revocation is a fairly
effective defense against mass-infection, but not targeted infection.

No real conclusions here I suppose, but I thought it useful to
highlight some of the inherent tensions.

- Andy

_______________________________________________
Secure Coding mailing list (SC-L) SC-L () securecoding org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
_______________________________________________

