Secure Coding mailing list archives
Re: informIT: Modern Malware
From: Andy Steingruebl <steingra () gmail com>
Date: Wed, 23 Mar 2011 11:17:08 -0700
On Wed, Mar 23, 2011 at 8:14 AM, Gary McGraw <gem () cigital com> wrote:
> I agree that clueless users who click on whatever pops up lead to many infections even when software is in reasonable shape, but I don't see that as a reason not to build better software. Presumably, you guys at paypal agree. Right?
First, I tend to use my personal email here rather than my work one, so don't assume I speak for them ever, and especially not when I use my own email :)

Second, I totally agree on making endpoints more resilient against malware, increasing software security, etc. I've noticed however that we (many of us, especially those with a user-rights bent) end up with two competing goals in this space:

1. Make endpoints resilient against malware
2. Allow users to have complete control of their own computer, aka, no walled gardens.

These two competing desires make defeating malware especially problematic. Lots of malware exploits technical flaws, and increasing our software security practices will help defeat these. As these defenses get better, malware moves towards social engineering, and we're ill-equipped to defend against these as there are more and more software distribution channels, and policing gets harder. Hence the traditional AV-signature-based approaches, which are only semi-effective, especially when the Rogue-AV software even has a human-staffed helpdesk to help you remove your "actual AV" and replace it with theirs. All the systems we've come up with so far to defeat this involve walled gardens, heuristics looking for bad behavior, etc., and they are all sort of a band-aid.

Your article started out saying: "At the same time, software complexity, including the notion of extensibility designed into virtual machines like the Java Virtual Machine (JVM), leads to serious and widespread software vulnerability that lies at the root of the malware problem." It is this statement that I'm wary of, as it doesn't take into account the non-vulnerability aspects of the problem. If we ignore those and only focus on drive-by malware, we're quickly going to find that the attackers have shifted their focus, and our purely technical controls are ineffective.
Neil makes a good point on this thread about how Dasient, and other providers, can help, and there are also some client-side techniques that are useful. So is Apple's curated app store. It isn't perfect, but the curated model along with swift revocation is a fairly effective defense against mass infection, but not targeted infection.

No real conclusions here I suppose, but I thought it useful to highlight some of the inherent tensions.

- Andy

_______________________________________________
Secure Coding mailing list (SC-L) SC-L () securecoding org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
_______________________________________________
Current thread:
- informIT: Modern Malware Gary McGraw (Mar 22)
- Re: informIT: Modern Malware Andy Steingruebl (Mar 23)
- Re: informIT: Modern Malware Gary McGraw (Mar 23)
- Re: informIT: Modern Malware Andy Steingruebl (Mar 23)
- Re: informIT: Modern Malware Haroon Meer (Mar 26)
- Re: informIT: Modern Malware Gary McGraw (Mar 26)
- Re: informIT: Modern Malware Haroon Meer (Mar 26)
- Re: informIT: Modern Malware Gary McGraw (Mar 26)
- Re: informIT: Modern Malware Gunnar Peterson (Mar 26)
- Re: informIT: Modern Malware John Wilander (Mar 26)
- Re: informIT: Modern Malware Kevin W. Wall (Mar 26)
- Re: informIT: Modern Malware Gary McGraw (Mar 27)
- Re: informIT: Modern Malware Gary McGraw (Mar 23)
- Re: informIT: Modern Malware Andy Steingruebl (Mar 23)