Special Edition is the blog for security testing business SE Labs. It explains how we test security products, reports on the internet threats we find and provides security tips for businesses, other organisations and home users.

Friday, 27 January 2017

Developer claims anti-virus does not improve security

Anti-virus is bad, dead (again) and worse, its corpse is poisoning the ecosystem of good software.

There is, according to former Mozilla developer Robert O'Callahan, negligible evidence that anti-malware software produced by third-parties provides any additional security. His arguments have spread from his blog to Twitter and then to IT news websites like IT Pro and The Register.

We test anti-malware software and have, as a team, being doing so for years. We think we have plenty of strong evidence that third-party anti-malware software provides improved security over that which comes with Windows by default. Our enterprise, small business and consumer reports are free to download.

There is no doubt that updating your operating system makes it more secure. We've run tests to prove that this oft-quoted advice is based on real, reproducible data. But what we've also seen is that adding a decent anti-virus package to a good patching schedule raises protection levels even higher.

There is a difference

To say that all anti-virus software is equally (in)effective is just plain wrong, and there are plenty of results from different testing labs that show this. You may not trust all of those labs, and you may have problems with some (or all) of the ways that they test, but I would strongly suggest that we can't all be wrong.

Our position on the Microsoft anti-malware included with Windows is that it is far better than it used to be, but that some commercial third-party packages are consistently stronger.

Why do people bash 'anti-virus' all the time?

Different individuals and companies have axes to grind when it comes to anti-virus or, to use a more modern and appropriate term, 'anti-malware' software.

  • New anti-malware vendors sometimes disparage more established vendors as providing less sophisticated products as a marketing tool.
  • Windows developers at Microsoft don't like the perception (which is sometimes the truth) that anti-malware products slow down Windows. When a user has a bad Windows experience, for whatever reason, Microsoft feels the impact.
  • Other developers hate that anti-malware products embed themselves into Windows in sometimes strange and unusual ways, causing potential havoc with their own efforts and possibly introducing new and powerful security vulnerabilities. Anti-malware vendors argue that they need to do this to prevent particularly nasty threats from digging in at the lowest security levels within the operating system.
  • Users who have never (knowingly) suffered a malware attack often question the very necessity for anti-malware.
  • Some testers/ researchers make it their life's mission to discover technical problems with anti-malware, sometimes apparently taking the position that "anti-malware is bad for you," rather than, "you need it, it's a bit broken but here's how to fix it."

So is anti-virus the ultimate solution?

I have never seen a perfect anti-malware product, in terms of the protection that it offers, the performance impact that it makes and the additional attack surface that it exposes. But nor have I encountered a perfect operating system, browser or user.

We can throw away our anti-malware software when our operating systems are fully secure; we, as users, stop clicking on links to malware; and criminals and other 'agencies' stop attacking our computers en-masse.

Tuesday, 10 January 2017

How well does your anti-virus really protect you?

Not equally well, is the short answer. Find out which products are consistently the best.

Latest reports now online

Welcome to the final set of endpoint security tests for 2016. We've spent the entire year scanning the internet for prevalent threats that affect real people and exposing popular security products to those same threats in real-time.

If you want an answer to the question, "How well does my anti-malware product protect me?" the reports we've published throughout the year should go some way to helping you either feel safe or make an informed decision on which product to change to. You can find these, and earlier reports, on our website.

But helping you, our readers, choose the best products is only part of our mission. We want products to improve, because even the best are not perfect. We offer the developers of these products the chance to engage with us and learn where the problems lie. At the end of each test we could say to them, "bad luck, you missed these threats. Better luck next time!"

But what we do is provide a huge amount of useful data to companies that want to work with us. This includes extremely detailed analyses of the threat itself, how it worked against individual products and forensic data proving what happened.

This data provides two benefits to the security companies: the first is proof that we're not just making everything up! The second is an unbiased, third-party quality assurance service that can identify problems overlooked by in-house teams. In the end they benefit and so do you, if you use their products.

We're trying to make things better. Thanks for your support throughout the year.

Our latest reports, for enterprise, small business and home users are now available for free from our website. Please download them and follow us on Twitter to receive updates and future reports.

Thursday, 5 January 2017

Predictions for 2017

Still dazed from the year that was, Jon Thompson dons his Nostradamus hat, dusts off his crystal ball
and stares horrified into 2017.


Prediction is difficult. Who would have thought a year ago that ransomware would now come with customer care, or that Russia would be openly accused of hacking a bombastic businessman into the Whitehouse. Who even dreamed Yahoo would admit to a billion-account compromise?

So, with that in mind, it's time to gaze into the abyss and despair…

Let's get the obvious stuff out of the way first. Mega credential breaches won't go away. With so many acres of forgotten code handling access to back end databases, it's inevitable that the record currently held by Yahoo for the largest account breach will be beaten.

Similarly, ransomware is only just beginning. Already a billion-dollar industry, it's cheap to buy into and easy to profit from. New techniques are already emerging as gangs become more sophisticated. First came the audacious concept of customer service desks to help victims through the process of forking over the ransom. By the end of 2016, the Popcorn Time ransomware gang was offering decryption for your data if you infect two of your friends who subsequently pay up. With this depth of innovation already in place, 2017 will hold even greater horrors for those who naively click attachments.

Targeted social engineering and phishing attacks will also continue to thrive, with innovative
campaigns succeeding in relieving companies of their revenues. Though most untargeted bulk phishing attempts will continue to show a low return, phishers will inevitably get wise and start to make their attacks more believable. At SE Labs, we've already seen evidence of this.

It's also obvious that the Internet of Things will continue to be outrageously insecure, leading to DDoS attacks that will make the 1.1Tbps attack on hosting company OVH look trivial. The IoT will also make ransomware delivery even more efficient, as increasing armies of compromised devices pump out the pink stuff. By the end of 2017, I predict hacking groups (government-backed or otherwise) will have amassed enough IoT firepower to knock small nations offline. November's test of a Mirai botnet against Liberia was a prelude to the carnage to come.

Bitcoin  recently passed the $1,000 mark for the first time in three years, which means criminals will want even more than ever to steal the anonymous cryptocurrency. However, a flash crash in value is also likely as investors take profits and the market panics in response to a sudden fall. It's happened before, most noticeably at the end of 2013. There's also the distinct possibility that the growth in value is due to ransomware, in which case the underlying rally will continue regardless of profit takers.

The state-sponsored use of third party hacking groups brings with it plausible deniability, but proof cannot stay hidden forever. One infiltration, one defection, one prick of conscience, and someone will spill the beans regardless of the personal cost. It's highly likely that 2017 will include major revelations of widespread state-sponsored hacking.

This leads me neatly on to Donald Trump and his mercurial grasp of "the cyber". We've already delved into what he may do as president, and much of what we know comes straight from the man himself. For example, we already know he skips his daily security briefings because they are "repetitive", and prefers to ask people around him what's going on because "You know, I'm, like, a smart person."

Trump's insistence on cracking down on foreign workers will have a direct impact on the ability of the US to defend itself in cyberspace. The shift from filling jobs with overseas expertise to training homegrown talent has no discernible transition plan. This will leave a growing skills gap for several years as new college graduates find their way to the workplace. This shortfall will be exploited by foreign threat actors.

Then there's Trump's pompous and wildly indiscreet Twitter feed. Does the world really need to know when secret security briefings are postponed, or what he thinks of the intelligence presented in those meetings? In espionage circles, everything is information, and Trump needs to understand that. I predict that his continued use of social media will lead to internal conflict and resignations this year, as those charged with national cybersecurity finally run out of patience.

It's not all doom and gloom, however. The steady development of intelligent anti-spam and anti-malware technologies will see a trickledown from advanced corporate products into the hotly contested consumer market. The first AV vendor to produce an overtly next gen consumer product will change the game – especially if a free version is made available.

There's also a huge hole in "fake news" just begging to be filled. I predict that 2017 will see the establishment of an infosec satire site. Just as The Onion has unwittingly duped lazy journalists in the past, there's scope for the same level of hilarity in the cybersecurity community.

However, by far the biggest threat to life online in 2017 will continue to be the end user. Without serious primetime TV and radio campaigns explicitly showing exactly what to look for, users will continue to casually infect themselves and the companies they work for with ransomware, and to give up their credentials to phishing sites. When challenged, I also predict that governments will insist the problem is being addressed.

So, all in all, it's business as usual.

Happy 2017!