Prevx’s ill-conceived idea

Posted on October 18, 2010 by Maxim Weinstein

Last week, BBC News reported that security firm Prevx will release a "small program" that will gather data about the effectiveness of anti-virus software:

In the face of the tidal wave of malware, said Mr Bolin, PC users need a better way to find out how well they are being protected and how long they have been at risk.

Mr Bolin believes the way to get a better sense of the performance of security companies is via a small program that sits on a PC and logs when files are installed.

The program would lie dormant most of the time but would alert a user if it noticed that a fix had been created for a particular virus or trojan it had spotted on a PC.

The idea seems to be that measuring the lag time between when a file is installed until a definitions file addresses it will "bring about change in an industry that is not changing."

My comments here are based on the BBC story, as I couldn't find any additional information about the plan at Prevx's website or blog.

The first problem with the plan is that Prevx is itself an anti-virus company. Therefore, it's hard to believe the real goal isn't to make its competitors look bad. Even if this isn't the case, the company's decision to release this software on its own, rather than working through a trade association or an independent third party, makes it appear to be the case. Only with independent scrutiny and a design that is intended to objectively measure effectiveness should a tool like this be considered reputable.

Another problem is that security software is changing. Most major AV products now use a combination of techniques to prevent and detect malware. They don't rely only on file signatures, but instead use various techniques for identifying suspicious behaviors, blocking the exploits that deliver the malware, and leveraging cloud-based data. Based on the BBC article's description of the Prevx software, it seems that the software would measure only those files that got past all of these defenses. This would measure not the products' effectiveness at protecting users, but only their response time to files that slipped through an extensive set of defenses.

My hope is that Prevx will reconsider this ill-conceived idea. Graham Cluley, from rival AV vendor Sophos, has his own critique of the Prevx plan here.

Tagged | 1 Comment

Sowing the Seeds – What Next?

Posted on October 13, 2010 by Maxim Weinstein

In "Sowing the Seeds for a Safer Internet," a piece for InfoWorld, Roger Grimes calls on the tech industry to work together to create a unified malware warning system:

…I think we all need a warning service built in to the backbone of the Internet. Most antimalware companies and interested parties get lists of all the rogue origination points each day, updated several times a minute. The antimalware companies know where the majority of the bad stuff is coming from far faster than the average consumer or regular business. My idea is that reported rogue information should be shared with the world, immediately, and not just posted in the circle of the few. As I said, more information is usually better.

He concludes with the million-dollar question:

All we need is a few servers and a few groups to agree on how to implement it. After 20 years of waiting for computer security solutions to actually put a dent in computer crime, we stand on the cusp of real solutions. I just wonder: What it will take to make it happen?

When StopBadware started the Badware Website Clearinghouse a few years ago, we envisioned creating a system much like Grimes describes: a shared pool of known badware URLs, updated frequently. We even took it a step further, establishing clear guidelines for badware, and building in mechanisms for transparency (you can search on our website to find out if a URL has been reported as bad, and by whom) and "due process" (our independent review process allows site owners to request manual investigation if they believe a URL is reported in error).

So, what happened? While the Clearinghouse and the work of our data providers (Google, Sunbelt Software, NSFOCUS, and soon Nominum) have been valuable in many ways, the collaborative sharing we've dreamed of has yet to come together. It turns out, companies like Google, the big AV companies, and Grimes's employer, Microsoft, are reluctant to share their data freely. Why? Lots of reasons, many of which are understandable from a business viewpoint:

  • The R&D and operations to detect malware are expensive, and it's hard to justify the investment if the data will then be given away to other industry players for free. (Essentially, this is a tragedy of the commons problem.)
  • Having better data than your competitor may translate to better protecting your customers, which can help differentiate your product/service in the market.
  • Data can be sold/licensed for revenue or shared/traded in exchange for something else of value (other data, public recognition, services that will help the organization).
  • Proprietary data can be used as a basis for academic or commercial research that elevates the researcher or serves as a PR/marketing function for the business.

Note: Google (one of our partners) is better than many companies, in that it offers a free API to query its own URL data. This is not the same as sharing the data into a common pool, but it's a step in the right direction.

Now, to the question "What will it take to make it happen?" Here's what I believe it will take:

  • A shared pool of data, fed by at least three large companies or research organizations (ideally, it would be fed by a much broader set of sources, but a few big ones are needed to start it)
  • A common set of guidelines for what does and doesn't qualify as bad
  • A shared set of protocols, APIs, etc., for feeding data in and pulling data out of the pool
  • A rapid process for updating those URLs/addresses/etc. that have demonstrably cleaned up after being identified as bad
  • A responsive and transparent process for reviewing reports of false positives and quickly removing any that are confirmed
  • A means of educating and supporting the victims whose computers or websites have been infected without their knowledge and have ended up in the "bad" pool
  • An independent, trusted entity to manage all of the above
  • Public and/or private funding to support that entity

Achieving all of this may seem like a tall order, but it's not out of reach. As Grimes pointed out, some of the technical pieces are already in place. StopBadware has implemented, or laid the groundwork for, several of the others. The biggest missing ingredient is the shared pool of data.

The question, then, is simple, if not easily answered: who is going to be the first to break down (or circumvent) the barriers to sharing data via a common pool?

Tagged , , , , | Comments Off

StopBadware welcomes Nominum as new partner

Posted on October 4, 2010 by ccondon

In the fight against badware, StopBadware is always looking for new ways to make the Internet safer and for more people to help us do it. Today, StopBadware is excited to announce its new partnership with Nominum, a leading provider of Intelligent DNS (Domain Name System) solutions to service providers, enterprises, and government agencies.

Nominum’s Intelligent DNS System protects users from online threats in real time, and Nominum has always been committed to ensuring that people have a safe, secure, and enjoyable Internet experience. Since Nominum’s software powers the majority of the Internet’s DNS lookups, Nominum is in a unique position to prevent large numbers of users from accessing badware domains. In return, StopBadware’s independent review process will provide a way of making sure that the domains listed as bad really belong on the list of threats.

We at StopBadware think this shared interest in keeping users safe has fantastic potential to make a big difference in fighting malware. Later this year, Nominum will become the first DNS vendor to act as a data provider for StopBadware; in addition to sponsoring us, Nominum will contribute malicious domain data gathered by its researchers over the Nominum global network to our Badware Website Clearinghouse. You can read the full press release here.  We’re extremely excited about the opportunities this partnership will offer to improve Internet security. Look for more updates from us over the coming months!

Tagged | Comments Off

Google offers automatic reporting for network operators

Posted on September 30, 2010 by Maxim Weinstein

Our partners in Google's security team are offering a great new tool for operators of "autonomous systems" (ASes). Now, large web hosting companies and other AS operators will be able to request Safe Browsing Alerts for badware URLs that Google has detected on their networks. This will allow these operators to quickly learn of badware and hopefully take prompt action to notify customers, clean servers, patch vulnerabilities, and otherwise keep their networks clean.

Companies that identify badware websites have a responsibility to share this information with the sites' owners and/or hosting providers, and this new tool is an important step forward by Google in meeting that responsibility.

You can read more about the Safe Browsing Alerts on the Google Online Security Blog.

Tagged , | 5 Comments

SBW welcomes our new Raconteur!

Posted on September 22, 2010 by Maxim Weinstein

Astute StopBadware blog readers may have noticed that yesterday's event announcement was posted by someone new: Caitlin Condon, our new Raconteur! Caitlin is a graduate of USC's Annenberg School for Communication & Jounalism. She previously worked in communications at Equipois, a California-based startup, and taught English in Korea.

We're thrilled to have her on the team, and you can expect to see much more from her over the coming months.

Tagged | Comments Off

StopBadware Bay Area Event October 4

Posted on September 21, 2010 by ccondon

 

Keeping the Net Healthy: A Conversation with Vinton Cerf, Paul Mockapetris and Esther Dyson

StopBadware is offering an exciting opportunity for anyone in the Bay Area interested in Internet security: Join StopBadware and The Commonwealth Club the evening of Monday, October 4 in Menlo Park, CA, for a discussion on how to keep the Net safe. Three Internet pioneers—all StopBadware Board members—will lead a conversation entitled Keeping the Net Healthy: How Can We Develop an Immune System for the Internet? with opening and closing remarks by StopBadware's Executive Director, Maxim Weinstein.

Featuring:
Vinton Cerf, VP and Chief Internet Evangelist, Google; one of the "fathers of the Internet"
Paul Mockapetris, Chief Scientist and Chairman of the Board, Nominum; creator of the Domain Name System (DNS)
Esther Dyson, Chairman EDventure Holdings; angel investor, philanthropist, and recently trained cosmonaut

Viruses, spyware, spam, phishing, zombie machines. Several years ago, we might have thought of these as just a nuisance, and their perpetrators as mostly underemployed kids. Today, cybercrime is worth billions of dollars to loosely organized networks of criminals that prey on individuals, businesses and governments with malicious or profit-seeking intent. What are some of the current threats, and how is industry responding to them? What new threats might we expect in the coming years? Is the Internet's health partly a result of misaligned incentives, where those who cause the damage don't bear its costs? How can we change that? What more should industry, government and individuals be doing to protect the network and, ultimately, ourselves?

The event begins with a networking reception at 6:15, followed by the main program at 7:00. Tickets are $30 in advance and $50 at the door. Advance tickets are available here. We hope you'll join us for what promises to be a spirited and educational discussion.

Tagged , | Comments Off

Another job opportunity – SBW seeks a geek!

Posted on September 13, 2010 by Maxim Weinstein

Even as we finish the hiring process for our new raconteur, we are hiring again! We are looking for a team geek to help us with everything from setting up virtual machines to writing reports about badware trends. For more information, see the job description.

Tagged , | Comments Off

A successful web chat

Posted on August 27, 2010 by Maxim Weinstein

We'd like to express a heartfelt thanks to Adobe's Brad Arkin, Mozilla's Johnathan Nightingale, and the many people who observed and contributed to yesterday's web chat. The topic, applications' role in protecting users from badware, proved interesting and engaging. You can read the transcript of the chat here.

We hope to do more of these web chats in the future. What topics would you like to see covered?

Tagged , | Comments Off

Web chat: Applications’ role in protecting users from badware

Posted on August 19, 2010 by Maxim Weinstein

Badware often installs itself by taking advantage of bugs or exploits in software on the user's computer. While some of these exploits are in the operating system or default web browser, badware increasingly is targeting other applications and browser plug-ins.

What role can and should these applications—and their developers—play in protecting users from badware? Join Brad Arkin, Adobe's director of privacy and security, and Johnathan Nightingale, Mozilla's head of Firefox development, for a free moderated web chat next Thursday.

Title: Applications' role in protecting users from badware
Date/time: Thursday, August 26, 1-2 pm EDT
URL: http://www.stopbadware.org/events/apps-web-chat
Cost: Free! No preregistration required.

We hope you'll join us on the 26th for what promises to be an informative and interesting discussion!

Tagged , , , | Comments Off

The continuing evolution of StopBadware

Posted on August 13, 2010 by Maxim Weinstein

As StopBadware and the environment in which we operate evolve, we continually evaluate where to focus our resources and attention. Over the next couple of months, we'll be making a few changes that reflect our current priorities. Hiring a "raconteur," or communication specialist, is one such change. This will allow us to work more closely with the community, our industry partners, and our other constituents to ensure that effective techniques for protecting users from badware reach the greatest possible audience.

Another change is that we'll reduce—for now—our emphasis on technical research and "deep-dive" analysis of badware sites. In place of a dedicated research function, we'll create a new, broader role that includes a bit of data sifting, along with hands-on systems work, testing, documentation, and more. (Job posting coming soon.)

Finally, we'll be introducing more events, like our upcoming web chat, that bring people together to discuss and share ideas about how best to protect users from badware.

With these changes, along with our continued work assisting webmasters and our data providers, we believe that StopBadware will be in a great position to expand our impact and make the Internet safer for all of us.

Tagged | 2 Comments