Special Edition is the blog for security testing business SE Labs. It explains how we test security products, reports on the internet threats we find and provides security tips for businesses, other organisations and home users.

Tuesday, 20 September 2016

The Great Anti-Virus Conspiracy

One problem with the internet is that anyone can set themselves up as an expert. There's money to be made from convenient messages. Examples abound in nutrition and health, as well as many other areas.

Despite widespread public ridicule, such sites thrive and make their owners rich because they play into what people already believe. The tendency being exploited is called confirmation bias, and it can even exert enough power over us to compromise the online safety of entire nations. 

Take this post from the Above Top Secret forum from 2008. The author began with the hunch that the biggest beneficiaries of malware are the anti-virus (AV) companies themselves. However, Google only returned stories explaining why this view was incorrect. This raised the author's suspicions. Did anyone else have any information?

The ensuing nine pages of comments were a tour de force of ideas, theories and claims, but a recurring theme was distrust. Many commenters simply don't trust what they don't understand, and they don't understand computers or AV. 





It took a few seconds to find similar examples from other forums, some dating back to 2005 and even 2002. There are many more and they usually cover the same ideas, but a common theme is still distrust. Compounding this, some commenters vaguely remember something about John McAfee once claiming to have written viruses to create demand for his first AV product, which of course proves everything.



That was a decade or more ago, but with phishing and ransomware now firmly in the public eye, the benefit of online protection will be obvious, right? Not necessarily.

In August 2016, the Daily Mail reported that some AV products can fail to adequately secure your computer. The research being reported actually identified the potential for man-in-the-middle certificate attacks. It's something our own Simon Edwards wrote about in a more general context in his own blog over 18 months earlier

As usual, the comment section of the Daily Mail's report was far more revealing than the article:






And so on. Perhaps what's most disturbing is that despite living in a world now publicly trying to cope with a grand cybercrime epidemic, such uninformed views are so mainstream. There's even a certain pride to some of them.

The McAfee virus-writing story is also still doing the rounds. Mr McAfee hasn't helped matters by claiming to have planted keyloggers in laptops he then gave away to government officials in Belize. But did he really write malware to create demand for his own AV software?

In March 2014, McAfee went on the Alex Jones show to talk conspiracies (what else?). A caller asked if he was indeed responsible for writing early malware. Despite Jones talking over portions of his answer, this was the nub of his reply:
"There were at the time thousands of computer viruses," he said. "We could barely keep up with the viruses that were out there, so we certainly had no time to build new ones. It would just be a senseless thing to do. So I can categorically say, and you can talk to any of the McAfee employees that were there are the time, that thought never crossed anyone's mind."
Indeed, in his book Computer Viruses and Malware, John Aycock of the University of Calgary in Canada also points out that if AV companies really are writing malware and yet simultaneously failing to detect some of it, then what's the point in all that effort being expended for zero gain? 

So, how do you protect the distrustful, the misinformed, and even the downright cynical online? One solution is to do it automatically, but this demands that governments, their intelligence agencies, and the ISPs become involved in actively blocking malicious content. Public reaction to any such suggestion is predictably very bad.

When GCHQ recently proposed their DNS filtering technology to block malicious domains, there was instant outrage. The Guardian, which broke the Edward Snowden story, has little love for the Cheltenham Doughnut, and was predictably upset. As usual, it's the public's comments that are really interesting. 


So, we're at an impasse. Despite their poor reputations, governments and the intelligence agencies they run are the only entities with the authority and capabilities to attempt to protect entire nations online. However, the tools they use are by their very nature shadowy, double-edged and closed to scrutiny. The public at large worries that policing cyberspace means the erosion of freedom and privacy. Nothing will convince us that this isn't the start of a dictatorship or a new world order. Too much evidence of past lies and misdeeds confirms this deep-seated bias. 


If the public won't listen to the government, who will it listen to? Who is it listening to?
Something about the caller who asked John McAfee if he wrote early viruses keeps coming back to me. He seemed to remember being told something by "some old OSS guy". This idea of an unnamed source vaguely remembered is a common feature of discussions where facts are scarce and conjecture runs free. It's a feature of the threads I referenced above.

That being the case, maybe it's down to us, as infosec professionals, to be those sources in future. Maybe it's down to us to engage friends and family, to explain how cybercrime works, how it relies on them not protecting themselves, and what to do about it.

But then again, I would say that wouldn't I. ;)

No comments:

Post a Comment