Hiding in Plain Sight

“Charity, dear Miss Prism, charity! None of us are perfect. I myself am peculiarly susceptible to draughts.” (Dr. Chasuble, in The Importance of Being Earnest)

Not long ago, I was – inevitably – asked a number of questions about NSA and Prism, one of which was “Can you protect yourself against it somehow?”

To which I responded: “I suspect that effective self-concealment from SIGINT functionality like ECHELON is probably not only out of reach of the average person, but might also actually attract more active investigation.”

And it seems I wasn’t far wrong. Subsequent revelations indicate that – as Lisa Vaas of Sophos (among many others) observed – Using Tor and other means to hide your location piques NSA’s interest in you. That works because people who hide their location will be assumed to be non-Americans, and those of us outside the US are considered fair game even if we’re communicating with Americans. Still, there’s a sufficiency of loopholes that make USians talking to Usians almost equally justifiable as targets.

In particular, it turns out that “all communications that are enciphered or reasonably believed to contain secret meaning” are also fair game, even if they’re known to be domestic. But the grounds for hanging onto harvested information apparently include communications containing “significant foreign intelligence information”, “evidence of a crime”, “technical data base information” (such as encrypted communications), or “information pertaining to a threat of serious harm to life or property”. You might wonder how many electronic communications aren’t encrypted these days at some stage during their transmission… But I suppose it doesn’t really matter whether the NSA is exceeding its brief by paying too much attention to too many all-American transactions, since apparently the UK’s GCHQ is tapping every fibre-optic cable it can lay hands on and sharing its data with our Transatlantic cousins.

It might seem strange that the security community isn’t getting more worked up about all this, but that’s probably because none of us really believe that government and law enforcement agencies worldwide aren’t carrying out information gathering and analysis to the fullest extent that their resources permit. The problem with establishing a balance between the right to privacy of the individual and the right to security of the majority is not really about the gathering of information. Not that there’s much likelihood of the forty-niners (I’m thinking Gold Rush, not football) of the world’s intelligence agencies giving up panning the gravel beds of the world’s data streams.

What really matters is (a) what they do with the nuggets and (b) what they do with stuff that isn’t nuggets. It would be nice to think that where legislation limiting the State’s right to surveillance fails because of the sheer volume of data, legislation limiting the use that can be made of information gathered collaterally would at least partly compensate. However, it’s none too clear that this is the case right now in the Five Eyes community, far less among states with less of a tradition of observing democratic and libertarian principles. In the meantime, if you’re at all concerned about the privacy of your data, you might want to consider John Leyden’s suggestion of a combination of carrier pigeon and one-time pad. Bearing in mind that if an out-of-band communication does come to the attention of the authorities, it’s likely to attract attention rather than deflect it. Which is where I came in.

“The good ended happily, and the bad unhappily. That is what fiction means.” (Miss Prism, in The Importance of Being Earnest)

Share

The death of AV. Yet again.

And in other news, Gunter Ollman joins in the debate as to whether Imperva’s quasi-testing is worth citing (just about) and, with more enthusiasm, whether AV is worth paying for or even still breathing. If you haven’t come across Ollman’s writings on the topic before, it won’t surprise you that the answer is no. If you haven’t, he’s thoughtfully included several other links to articles where he’s given us the benefit of his opinions.

If it’s free, never ever bothers me with popups, and I never need to know it’s there, then it’s not worth the effort uninstalling it and I guess it can stay…

Ollman notes:

In particular there was great annoyance that a security vendor (representing an alternative technology) used VirusTotal coverage as their basis for whether or not new malware could be detected – claiming that initial detection was only 5%.

However, he doesn’t trouble himself to explain why the anti-malware industry (and VirusTotal itself) are so annoyed, or to comment on Imperva’s squirming following those criticisms. Nor does he risk exposing any methodology of his own to similar criticism, when he claims that:

desktop antivirus detection typically hovers at 1-2% … For newly minted malware that is designed to target corporate victims, the rate is pretty much 0% and can remain that way for hundreds of days after the malware has been released in to the wild.

Apparently he knows this from his own experience, so there’s no need to justify the percentages. And by way of distraction from this sleight of hand, he introduces ‘a hunchbacked Igor’ whom he visualizes ‘bolting on an iron plate for reinforcement to the Frankenstein corpse of each antivirus product as he tries to keep it alive for just a little bit longer…’ Amusing enough, I suppose, at any rate if you don’t know how hard those non-stereotypes in real anti-malware labs work at generating proactive detections for malware we haven’t seen yet and multi-layered protection. But this is about cheap laughs at the expense of an entire industry sector that Ollman regards as reaping profits that should be going to IOActive. Consider this little exchange on Twitter.

@virusbtn
Imperva’s research on desktop anti-virus has stirred a fierce debate. @gollmann: bit.ly/XE76eS @dharleyatESET: bit.ly/13e1TJW

@gollmann
@virusbtn @dharleyatESET I don’t know about “fierce”. It’s like prodding roadkill with a stick.

What are we, 12 years old? Fortunately, other tweeters seem to be seeing through this juvenilia.

@jarnomn
@gollmann @virusbtn @dharleyatESET Again just methaphors and no data. This conversation is like trainwreck in slow motion :)

The comments to the blog are also notable for taking a more balanced view: Jarno succinctly points to VirusTotal’s own view on whether its service is a realistic guide to detection performance, Kurt Wismer puts his finger unerringly on the likely bias of Ollman”s nebulous methodology, and Jay suggests that Ollman lives in a slightly different (ideal) world (though he puts a little more politely than that). But no doubt the usual crop of AV haters, Microsoft haters, Mac and Linux advocates, scammers, spammers and downright barmpots will turn up sooner or later.

There is, in fact, a rational debate to be held on whether AV – certainly raw AV with no multi-layering bells and whistles – should be on the point of extinction. The rate of detection for specialized, targeted malware like Stuxnet is indeed very low, with all-too-well-known instances of low-distribution but high-profile malware lying around undetected for years. (It helps if such malware is aimed at parts of the world where most commercial AV cannot legally reach.) And Gunter Ollman is quite capable of contributing a great deal of expertise and experience to it. But right now, it seems to me that he and Imperva’s Tal Be’ery are, for all their glee at the presumed death of anti-virus, a pair of petulantly twittering budgies trying to pass themselves off as vultures.

David Harley
AVIEN/Small Blue-Green World/Mac Virus/Anti-Malware Testing
ESET Senior Research Fellow

Share

Anti-Virus, now with added Michelangelo

Apparently it’s all our fault. Again. Not only is anti-virus useless, but we’re responsible for the evolution and dramatic increased volume of malware. According to something I read today “If it wasn’t for the security industry the malware that was written back in the 90’s might still be working today.”

I guess that’s not as dumb as it sounds: we have forced the malware industry to evolve (and vice versa). But you could just as easily say:

“The medical profession is responsible for the evolution and propagation of disease. If it wasn’t for the pharmaceutical industry illnesses that killed people X years ago might still be killing people today.”

And to an extent, it would be true. Some conditions have all but disappeared, at any rate in regions where advanced medical technology is commonplace, but other harder-to-treat conditions have appeared, or at least have achieved recognition.

I can think of plenty of reasons for being less than enthusiastic about the static-signature/malcode-blacklisting approach to malware deterrence, though I get tired of pointing out that commercial AV has moved a long way on from that in the last couple of decades. Even so, if pharmaceutical companies had to generate vaccines at the rate that AV labs have to generate detections (even highly generic detections) we’d all have arms like pincushions.

However, there are clear differences between ‘people’ healthcare and PC therapeutics. Most of us can’t trust ourselves as computer users (or the companies that sell and maintain operating systems and applications) to maintain a sufficiently hygienic environment to eliminate the need to ‘vaccinate’. It’s not that we’re all equally vulnerable to every one of the tens or hundreds of thousands of malicious samples that are seen by AV labs every day. Rather, it’s the fact that a tailored assessment of which malware is a likely problem for each individual system, regardless of provenance, region, and the age of the malware, is just too difficult. It’s kind of like living at the North Pole and taking prophylactic measures in case of Dengue fever, trypanosomiasis and malaria.

Fortunately, new or variant diseases tend not to proliferate at the same rate that malware variants do, and vaccines are not the only way of improving health. In fact, lots of conditions are mitigated by better hygiene, a better standard of living, health-conscious lifestyles and all sorts of more-or-less generic factors. There’s probably a moral there: commonsense computing practices and vitamin supplements – I mean, patches and updates – do reduce exposure to malicious code. It’s worth remembering, though, that even if AV had never caught on, evolving OS and application technologies would probably have reduced our susceptibility to antique boot sector viruses, macro viruses, and DOS .EXE infectors. Is it really likely that they wouldn’t have been replaced by a whole load of alternative malicious technologies?

David Harley CITP FBCS CISSP
ESET Senior Research Fellow

Share

Passwording: checklists versus heuristics

The trouble with lists of ‘Top Umpteen’ most-used passwords like Mark Burnett’s is that they don’t really teach the everyday user anything. (Yes, I’m another of those sad people like Rob Slade who believe that education and reducing Security unawareness is actually worth doing.)

Since I’ve quoted Burnett’s top 500 and one or two other sources from time to time in blogs here and there, I’ve noticed that those articles tend to pick up a fair amount of media attention, and after the Yahoo! debacle I noticed several journalists producing lists of their own. But they’re missing the point, at least in part.

Not using (say) the top 25 over-used passwords will reduce the risk for accounts that are administered with a ‘three strikes and you’re blocked’ approach to blocking password guessing, but where authentication is less strict, 25 may not be enough. Heck, 10,000 may not be enough. At any rate, if an end user is expected to check that they aren’t using a common password, 10,000 is a pretty big checklist, and still doesn’t provide real protection against a determined dictionary attack. It’s the difference between static signature detection and heuristics: it might be useful to know that ‘password’ is a particularly bad choice because everyone uses it, but which of these approaches is more helpful?

(1)
Don’t use ‘a’
Don’t use ‘aa’
Don’t use ‘aaa’

Don’t use ‘aaaaaaaaaaaaaaaaaaaaaaa’
Don’t use ‘b’
Don’t use ‘bb’

(2) Don’t use any password consisting of a single character repeated N times

See A Torrent of Abuse for a flippant attempt at approach (2) implemented through parody.
But then, any password is only as good as the service to which it gives access: it doesn’t matter if the provider is incapable of providing competent security: Lessons in website security anti-patterns by Tesco. And I have some sympathy with the view that if you can find a decent password manager it saves you a lot of thinking and reduces the temptation to re-use passwords and risk a cascade of breaches when one of your providers slips up.

David Harley

Share

Counter eCrime Operations Summit next week

[I've blogged on this elsewhere, but I'm pretty sure that this will be of interest to some of the readers of this blog, so here are the details as supplied by the Anti-Phishing Working Group.]

‘Containing the Global Cybercrime Threat’ is the focus of the Counter eCrime Operations Summit (CeCOS VI) in Prague, April 25-27

The 6th annual Counter eCrime Operations Summit (CeCOS VI) will convene in Prague, Czech Republic, April 25-27, 2012, as the APWG gathers global leaders from the financial services, technology, government, law enforcement, communications sectors, and research centers to define common goals and harmonize resources to strengthen the global counter-cybercrime effort.

CeCOS VI Prague will review the development of response systems and resources available to counter-cybercrime managers and forensic professionals from around the world.

Specific goals of this high-level, multi-national conference are to identify common forensic needs, in terms of the data, tools, and communications protocols required to harmonize cybercrime response across borders and between private sector financial and industrial sector responders and public sector policy professionals and law enforcement.

Key presentations will include:

» Toward a Universal eCrime Taxonomy for Industry and Law Enforcement; by Iain Swaine, Ensequrity.
» Budapest Convention on Cybercrime: Transborder Law Enforcement Access to Data; by Alexander Seger, Director of the Data Protection and Cybercrime Division of the Council of Europe.
» Adventures in Cybercrime Event Data Sharing; by Pat Cain, AWPG Resident Research Fellow.
Additional presentations about industrial policy at CeCOS VI will investigate policies that complicate the work of exploited brand holders and responders including the domain name system (DNS) registration process that is abused by phishers as part of their phishing campaigns.

ABOUT the Counter eCrime Operations Summit

CeCOS VI, the second APWG conference held in Europe, is an open conference for members of the electronic-crime fighting community, hosted by the APWG and its Conference Partner AVG, Program Partners: The Council of Europe and Organization for Security and Cooperation in Europe, and sponsored by AVG, Google, Microsoft, MarkMonitor, ESET, Telefonica and ICANN. The CeCOS programs are widely considered the most vital events to investigators and managers of electronic crime from across the private and public sectors.

AGENDA

http://apwg.org/events/2012_cecos.html#agenda

CONFERENCE REGISTRATION

http://secure.lenos.com/lenos/antiphishing/cecos2012/

CONTACTS
APWG: Foy Shiver, +1 404-434-7282. fshiver@apwg.org

David Harley CITP FBCS CISSP

Share

The malware problem looks better after the first cup of coffee

Since most of my income comes from a company on the West Coast, I’m used to people assuming that I should be working according to their time zone (PST) rather than my own (GMT). But apparently we’re all wrong.
According to Trustwave’s Global Security Report:

“The number of executables and viruses sent in the early morning hours increased, eventually hitting a maximum between 8 a.m. and 9 a.m. Eastern Standard Time before tapering off throughout the rest of the day. The spike is likely an attempt to catch people as they check emails at the beginning of the day.”

Did I miss something? Has everyone but me moved to the East Coast? I’m not even sure it matters when you receive a malicious executable, unless you don’t get around to opening it until after your security software has been updated to detect it. However, the report also tells us that:

“The time from compromise to detection in most environments is about six months…”

So if evading AV software is really the point, this seems to suggest that all those people who’ve moved to the East Coast are coping even less effectively with their email than I am.

Hold on, though. Maybe this tells something about the blackhat’s time zone, rather than the victim’s? The report doesn’t seem to tell us anything about the geographical origin of the emails that Trustwave has tracked, but it does tells us that apart from the 32.5% of attacks in general that are of unknown origin, the largest percentage (29.6%) come from the Russian Federation. Russia actually covers no less than nine time zones (until a couple of years ago, it was eleven), but perhaps we can assume for the sake of argument that a high percentage of those attackers are in time zones between CET and Moscow Standard (now UTC+4), which applies to most of European Russia. (That assumption allows us to include Romania and the Ukraine.) Perhaps, after a hard morning administering botnets, Eastern European gangsters are best able to find time to fire off a few malicious emails between the afternoon samovar break and early evening cocktails. Convinced? No, me neither.

Actually, there are some interesting statistics in the report. If they’re reliable, some assumptions that we make about geographical distribution, for example, might bear re-examination. But I’d really have to suggest that journalists in search of something new to say about malware examine some of the report’s interpretations with a little more salt and scepticism. I suppose I should be grateful that no-one has noticed yet that according to the report, twice as many attacks originate in the Netherlands as do in China. Just think of the sub-editorial puns that could inspire…

David Harley CITP FBCS CISSP
Small Blue-Green World/AVIEN
ESET Senior Research Fellow

Share

PC Support Sites: Scams and Credibility

Just as 419-ers seem to have been permanently renamed in some quarters as “the Lads from Lagos”, I wonder if we should refer to those irritating individuals who persist in ringing us to offer us help (for a not particularly small fee) with non-existent malware as the “Krooks from Kolkata” (or more recently, the Ne’erdowells from New Delhi). It would be a pity to slur an entire nation with the misdeeds of a few individuals, but the network of such scammers does seem to be expanding across the Indian continent.

Be that as it may, I’ve recently been doing a little work (in association with Martijn Grooten of Virus Bulletin) on some of the ways that PC support sites that may be associated with cold-call scams are bolstering their own credibility by questionable means. Of course, legitimate businesses are also fond of Facebook likes, testimonials and so on, but we’ve found that some of these sites are not playing altogether nicely.

I’ve posted a fairly lengthy joint blog on the topic here: Facebook Likes and cold-call scams

David Harley CITP FBCS CISSP
ESET Senior Research Fellow

Share

Help Desk Scams and Microsoft

Apparently when the coldcalling species of scamming maggot claims to be Microsoft or partnered with Microsoft, there really is sometimes a relationship of sorts lurking behind the scenes there, though that doesn’t mean that Microsoft are at all a party to the scam, of course.

I’ve been gnawing at that particular bone for quite a while now – see, for instance, http://blog.eset.com/?s=Harley+%2B+support+scam and http://go.eset.com/us/resources/white-papers/Hanging-On-The-Telephone.pdf and http://www.scmagazineus.com/supporters-club/article/199459/ – and the name Comantra has turned up time and time again in the context of site registrations, though I haven’t had the resources to confirm links with the company in terms of individual scam calls.

But somehow I’d never realized the company really was a Microsoft Gold Partner. Apparently Microsoft took some time to make the connection too. But they have, and Comantra is no longer a Gold Partner. According to PC Pro, a Microsoft spokesman said:

“We were made aware of a matter involving one of the members of the Microsoft Partner Network acting in a manner that caused us to raise concerns about this member’s business practices.Following an investigation, the allegations were confirmed and we took action to terminate our relationship with the partner in question and revoke their Gold status.”

Somehow, though, I doubt if this means the end of coldcall scams. There were lots of sites and lots of names registered for sites that were associated with individual scammers, and there seems to be no real pressure from law-enforcement in the regions where the calls are actually originating. And Comantra is claiming that it’s all to do with negative marketing from their competitors. Gosh, never heard that one before…

On the other hand, since I moved house a few weeks ago, I haven’t had a single support scam call, though there’ve been a few “we can help you sue your mortgage lender” calls with a reassuringly Indian accent. Still, I miss being told I’m leaking viruses all over Surrey. How long do you suppose it will take them to catch up with me?

David Harley CITP FBCS CISSP. And stuff.
Small Blue-Green World

Share

Comment(ary) Spam…

I’m not sure why I feel the urge to keep writing about comment spam: primarily, I suppose it’s because I get so much amusement from it (just as well considering how much of it I read when I moderate comments on the ESET blog), rather than because the world is full of bloggers waiting for me to tell them how to recognize it, even if it isn’t apparently posted by someone called nike soccer shoes or where to buy a laptop or even my personal favourite of the moment, rolling in the deep adele. (Well, there went my favourite heuristic.)

Still, I liked the cheek of this one:

“Throughout the great scheme of things you’ll get a B- for effort. Where you actually confused me personally was first on your particulars. As people say, the devil is in the details… And it couldn’t be more correct here. Having said that, let me inform you what did deliver the results. Your authoring is pretty powerful which is most likely the reason why I am taking the effort in order to comment. I do not make it a regular habit of doing that. 2nd, even though I can easily see a leaps in reason you make, I am not sure of just how you appear to connect the points which inturn produce the final result. For the moment I shall yield to your point but trust in the foreseeable future you actually link the facts better.”

So much so that I did a quick Google to see how common this particular approach is, and sure enough I found a whole bunch of very similar posts – by similar, I mean the same core text with minor changes such as “the great pattern of things”. Apparently, I’m not the only blogger who tends to assume that if a comment is enthusiastic, it’s probably spam.

Thank you for your constructive criticism, Mr feather extensions online: I like your style. But my absolute favourite at the moment is Fritz, who commented dispiritedly that he is “always a big fan of linking to bloggers that I love but don’t get a lot of link love from”: too bad URLs in comments are stripped automatically, or I might have allowed that one through just to put a smile on your face.

David Harley

Share

Commoditizing Pay-Per-Install

We all know, I guess, about the professionalization of Internet crime and the diversification of the underground economy, but measuring it isn’t so easy.

ESET’s Aleksandr Matrosov and Eugene Rodionov have alluded to it in several papers and presentations with particular reference to TDSS, and we consolidated some of that material into an article (actually the first of a series of three articles on TDSS) that talks about the Dogma Millions and GangstaBucks affiliate models used in that context.

However, a paper on Measuring Pay-per-Install: The Commoditization of Malware Distribution by Juan Caballero, Chris Grier, Christian Kreibich, and Vern Paxson, is based on a measurement study implemented by infiltrating four PPI service providers: LoaderAdv (of which GangstaBucks is one of the brands), GoldInstall, Virut, and Zlob. The authors assert that 12 out of the top 20 malware families tracked by Fire Eye between April and June 2010, twelve were using PPI services to buy infections.

Lots of other interesting data there, too. Hat tip to Aleks for bringing it to my attention.

David Harley CITP FBCS CISSP
ESET Senior Research Fellow

Share

Japan Disaster Commentary and Resources

It probably hasn’t escaped your notice that there’s a lot of malware/SEO/scamming whenever a major disaster occurs. A few days ago I started to put together a list of commentary (some of it my own) and resources relating to the Japanese earthquake and tsunami, in anticipation of that sort of activity.

Originally, I was using several of my usual blog venues, but decided eventually to focus on one site. As ESET had no monopoly on useful information, I wanted to use a vendor-agnostic site. Actually, I could have used this one, but for better or worse, I decided to use the AVIEN blog, since I’ve pretty much taken over the care and feeding of that organization. The blog in question is Japan Disaster: Commentary & Resources.

It’s certainly not all-inclusive, but it’s the largest resource of its type that I’m aware of. Eventually, it will be organized more so as to focus again on the stuff that’s directly related to security, but right now, given the impact of the crisis, I’m posting pretty much anything that strikes me as useful, even if its relevance to security is a bit tenuous.

I’m afraid I’m going to post this pointer one or two other places: apologies if you trip over it more often than you really want to!

David Harley CITP FBCS CISSP
AVIEN COO
ESET Senior Research Fellow

Share

Back on the AMTSO wheel

The next AMTSO members’ meeting is at San Mateo, California, on the 10th-11th February, just before RSA.

I’m not sure how many supporters of the Anti-Malware Testing Standards Organization there are reading this blog, as opposed to those who regard AMTSO as a club with which to beat the anti-virus industry. However, I’m pretty sure that even those who find the generation of testing guidelines documents (which constitutes most of the work at AMTSO meetings) excruciatingly boring will find some interesting material coming out of the organization in the next few weeks.

There’s more information on this year’s AMTSO meetings on the AMTSO meetings page at http://www.amtso.org/meetings.html, including a preliminary agenda.

David Harley CITP FBCS CISSP
Small Blue-Green World

Share

Stuxnet Guesswork

Aviram said in a recent blog about Stuxnet and SCADA here:

After that, we get to theorize on who’s behind it and who is the target. What’s your guess?

And sure enough, half the security world has done just that, and the rest will be talking about it at Virus Bulletin next week. Good fun, maybe, if you don’t think too hard about some of the political implications, but I’m not sure it’s been productive or useful. Which is why I blogged today here.

I’d love to cover the same ground again here, but frankly I’m just too dispirited…

David Harley CITP FBCS CISSP
ESET Senior Research Fellow

Share

Conspiracy Theory

After a while (about 20 years in my case) around the anti-malware industry (the last couple of years actually in it…), you get used to the idea that everyone expects the worst of them… errrr, us:

  • hype and extreme marketing
  • FUD
  • incompetence
  • putting our bottom line above the public well-being
  • bad hygiene

Maybe the last one is a bit paranoid.

Still, we have a bad rep. And the popular myth that AV companies run AMTSO (the Anti-Malware Testing Standards Organization) purely for their own aggrandizement and marketing advantage has some of its origins in that universal mistrust of AV.

If you buy into all that, then you’ll also assume that when five AV researchers, all from different companies, collaborate on a blog that responds to the recent attacks on AMTSO, that’s proof of a conspiracy.

Actually, the AV industry is founded in co-operation: otherwise, your AV product would only ever catch the malware that company had seen in its own honeynets, been sent in by its customers, and so on. But apparently that’s a sign of bad intentions, too.

Whatever. If you’re interested in the blog, here are five places you should be able to find it.

http://bit.ly/at6WT4
http://tinyurl.com/35dv44x
http://tinyurl.com/2w4g6fh
http://tinyurl.com/3aka782
http://community.norton.com/t5/Norton-Protection-Blog/Testing-and-Accountability/ba-p/247711

(And for a somewhat related commentary, http://avien.net/blog/?p=539).

David Harley CITP FBCS CISSP
Not speaking for AMTSO or the AV industry, and definitely not speaking for the testing industry or the media.

Share

AMTSO Inside and Outside

God bless Twitter.

A day or two ago, I was edified by the sight of two journalists asking each other whether AMTSO (the Anti-Malware Testing Standards Organization) had actually achieved anything yet. Though one of them did suggest that the other might ask me. (Didn’t happen.)

Well, it’s always a privilege to see cutting edge investigative journalism in action. I know the word researcher is in my job title, but I normally charge for doing other people’s research. But since you’re obviously both very busy, and as a member of the AMTSO Board of Directors (NB, that’s a volunteer role) I guess I do have some insight here, so let me help you out, guys.

Since the first formal meeting of AMTSO in May 2008, where a whole bunch of testers, vendors, publishers and individuals sat down to discuss how the general standard of testing could be raised, the organization has approved and published a number of guidelines/best practices documents.

To be more specific:

The “Fundamental Principles of Testing” document is a decent attempt at doing what it says on the tin, and provide a baseline definition for what good testing is at an abstract level.

The Guidelines document provide… errrr, guidelines… in a number of areas:

  • Dynamic Testing
  • Sample Validation
  • In the Cloud Testing
  • Network Based Product Testing
  • Whole Product Testing
  • Performance Testing

Another document looks at the pros and cons of creating malware for testing purposes.

The analysis of reviews document provides a basis for the review analysis process which has so far resulted in two review analyses – well, that was a fairly painful gestation process, and in fact, there was a volatile but necessary period in the first year in particular while various procedures, legal requirements and so on were addressed. There are several other papers in process being worked on

A fairly comprehensive links/files repository for testing-related resources was established here and new resources added, from AMTSO members and others.

Unspectacular, and no doubt journalistically uninteresting. But representing a lot of volunteer work by people who already have full time jobs.

You don’t have to agree with every sentence of every document: the point is that these documents didn’t exist before, and they go some way towards meeting the needs of those people who want to know more about testing, whether as a tester, tester’s audience, producer of products under test, or any other interested party. Perhaps most importantly, the idea has started to spread that perhaps testers should be accountable to their customers (those who read their reviews) for the accuracy and fitness for purpose of their tests, just as security vendors are accountable to their own customers.

[Perhaps I’d better clarify that: I’m not saying that tests have to be or can be perfect, any more than products . (You might want 100% security or 100% accuracy, but that isn’t possible.)

You don’t have to like what AMTSO does. But it would be nice if you’d actually make an effort to find out what we do and maybe even consider joining (AMTSO does not only admit vendors and testers) before you moan into extinction an organization that is trying to do something about a serious problem that no-one else is addressing.

David Harley CITP FBCS CISSP
Not speaking for AMTSO

Share

IEEE eCrime Researchers Summit 2010

The fifth IEEE eCrime Researchers Summit 2010 (http://ecrimeresearch.org) will be held in conjunction with the 2010 APWG General Meeting between October 18-20, 2010 at Southern Methodist University in Dallas, TX.

Topics of interest include:

* Phishing, rogue-AV, pharming, click-fraud, crimeware, extortion and emerging attacks.
* Technical, legal, political, social and psychological aspects of fraud and fraud prevention.
* Malware, botnets, ecriminal/phishing gangs and collaboration, or money laundering.
* Techniques to assess the risks and yields of attacks and the success rates of countermeasures.
* Delivery techniques, including spam, voice mail and rank manipulation; and countermeasures.
* Spoofing of different types, and applications to fraud.
* Techniques to avoid detection, tracking and takedown; and ways to block such techniques.
* Honeypot design, data mining, and forensic aspects of fraud prevention.
* Design and evaluation of user interfaces in the context of fraud and network security.
* Best practices related to digital forensics tools and techniques, investigative procedures, and evidence acquisition, handling and preservation.

Important dates: (11:59pm US EDT)
Full paper and RIP (Research in Progress) paper submissions due: June 30, 2010
Paper notification: Aug 1, 2010
Poster submissions due: August 29, 2010
Poster notifications: September 5, 2010
Conference: October 18-20, 2010
Camera ready due: October 27, 2010

For more information on the submission process, visit
http://www.ecrimeresearch.org/2010/cfp.html

Share