In response to the claim of exponential increase in malware, Chris DiBona has a fantastic response rant over on Google+.  It’s worth reading, since it’s a) hilarious and b) distills the frustration we’ve all felt about exaggerated claims of mobile malware over the years.

That being said though, there’s something about it that’s also a little bit disappointing to me. I say this for a few reasons…

#1 User-installed malware (i.e. Droid Dream) – I always assumed Google was “on it”

Chris acknowledges malware installed via the market; however, he does so in a way that implies parity between all vendors – for example parity between Apple and Google in respect to malware in the marketplace:

“All the major vendors have app markets, and all the major vendors have apps that do bad things, are discovered, and are dropped from the markets“

Now in my mind, there isn’t parity.  It seems to me Apple has the “bad guy app” problem at the level of something like “2 out of 10″.  Google it seems to me has this problem at like an “8 out of 10″.   Problematic apps in the Android Marketplace seem more prevalent than the Apple Store.

Now I had always assumed that this was a calculated move on Google’s part; i.e. that they were favoring rapid adoption (looser market controls) at the cost of a bit of additional malware in the short term.  Now, I’m not so sure.  Why not?  Because Chris doesn’t discriminate: there’s no recognition of a substantive difference between malware in the Android market vs the Apple store.  So is it really a calculated move?  Or is it just that they don’t see a difference between the market and the App Store?

#2 Discounting the enhanced vetting use case

Chris later goes on then to critique AV vendors for selling anti-malware products:

“Yes, virus companies are playing on your fears to try to sell you bs protection software for Android, RIM and IOS. They are charlatans and scammers. IF you work for a company selling virus protection for android, rim or IOS you should be ashamed of yourself. “

This discounts several non-credible use cases but also at least one credible one… enhanced application vetting.

Like, say users are not satisfied with the alacrity of Google’s application vetting process and they would like additional assurance of the reliability of applications in the marketplace?  Say they want to pay a vendor to vet applications faster/better or to review what’s in the market looking for bad guy software.  Why is that a scam?  Especially if Google isn’t doing it.

IMHO, if Google really believes that this software is scam-ware, they should discontinue availability of anything purporting to be AV in the market.  But they’re not going to. You know why?  Because then they’d need to answer the question of why they’re not at parity with the Apple Store from an app review and vetting standpoint (see above).

 #3 The virus question

Chris outlines malware from the context of a traditional virus or worm in mobile devices as follows:

No major cell phone has a ‘virus’ problem in the traditional sense that windows and some mac machines have seen…

No Linux desktop has a real virus problem….

Chris goes on to discuss why this happens; namely diversity (i.e. heterogeneity) of the substrate:

Yes, a virus of the traditional kind is possible, but not probable. The barriers to spreading such a program from phone to phone are large and difficult enough to traverse when you have legitimate access to the phone, but this isn’t independence day, a virus that might work on one device won’t magically spread to the other…

First of all, allow me to say that I agree completely with him… The barrier to a traditional virus is directly related to the prevalence of the computing substrate.

But it logically follows that this is true of phones as well as other computing devices – in other words, there’s nothing about a phone that makes it immune to viruses…  it’s just less likely because of the heterogeneity.  But relative heterogeneity isn’t constant: the more homogeneous the platform becomes (like, the more marketshare Android gets), the more likely the scenario he outlines becomes.

I, for one, want to know that Google is ready to do something as marketshare increases and the virus events he describes become more likely.  But how likely are they to address it if they believe that there’s something magical about the phone that will prevent self-propagating malware from impacting it?

Anyway, the purpose of this isn’t to do his response down.  In fact, I think he makes some great points which is why I’m recommending folks go read it. But I also think that when the time comes to push back against something frustrating, the temptation is always to push too far.

Image Source: http://random1911.livejournal.com/301681.html

So here we have an article about how Android apps — 8 percent of them or so — apparently leak personal information.  From the article:

…they have studied around 10,000 Android apps and have found that 800 of them are leaking private information of the user to an unauthorized server.

Now, I’m sure the real data is going to come out in the talk, which I won’t see since I’m not going to Blackhat… so maybe my point here is moot.  However, I’m wondering about the “unauthorized” part.  I mean, philosophically.

It’s a question that I come back to again and again, but I find it particularly striking in Android because of the architectural safeguards where user agreement is explicitly required.  Like, when a user agrees to it, at what point does something stop being legitimate and start being evil? It’s like Matt and Trey and their Human CentIPad: at what point is an app malicious (because the user couldn’t reasonably know what the app is doing) and at what point is the user just too lazy to protect themselves?

My point?  It’s subjective… and a moving target.  Take Foursquare for example.  Foursquare sends personal data (like where I am) and posts it to God-knows-where.  But I love that (or I would if I suppose if I used Foursquare) because that’s the point of the app, right?  Droiddream — when I install the fart soundboard — does the same thing: it takes my sensitive data and posts it to God-knows-where.  But in that case, it’s not good. Why is that?  What specific criteria make one acceptable and the other unacceptable?

Is it because of my permission?  But I gave permission to both to do the same thing.  Is it because it’s not the “explicit point” of the fart soundboard to broadcast my data?  That’s one possible explanation… but sometimes we give apps permission to do extra things to advertise or provide ancillary functionality.  I allow Sudoku for example to show me advertising so that I can play the game for free in a quid pro quo “you show me ads, I use your app” symbiosis.  Other users may or may not be willing to make that tradeoff.  Other users might be willing to make more aggressive tradeoffs — ones I’ wouldn’t be willing to make.

I don’t have any good answers here.  I’m just saying that I’m not sure I’ve seen a good answer for where the line is drawn… and there is a line, don’t kid yourself that it’s black and white.

It’s Friday, so I’ll keep it short.

So, the BITS financial services malware report came out the other day.  It’s a pretty good read, if somewhat on the longer side.  As you probably know, I’ve been critical of BITS in the past for spawning off initiatives that nobody really needs.

But this document isn’t that: it’s solid, transparent data that leads in turn to reasoned analysis, and logical conclusions derived from that data that are presented to the industry for evaluation and consumption.

So…. an interesting read – a bit on the longish side and I did find myself they’d speed it up during the “what is malware” section (gak).  But I get it why that section is there and realize that its useful for folks to have it. It probably won’t rock the industry like the recent Comerica ruling will (at least I think so).  But it’s still worth a read nevertheless.

You ever notice how we tend to “move the goalpost” on what constitutes intelligence when it comes to determining whether machines can be intelligent?  It seems to be that we define things as unintelligent because they can’t do particular tasks; as soon as it becomes evident they can do the task we’ve set?  Well, we rationalize why that’s so and come up with a new task to say they’re not intelligent because they can’t do.

Playing chess?  Understanding natural language? Passing the Turing Test?  As soon as it becomes clear that machines can do it, it ceases to be a criteria for “intelligence”.  Once the bar is passed, nobody argues that point anymore, they come up with a new one. And the fact that it ever was a bar at all is largely forgotten (“of course a computer could play chess better than a human!  it’s all about finding and selecting the best path”).

I observed a parallel to this as I read through reader reaction to Ed Bott’s continued coverage of Mac Defender (an interesting read if you’re not keeping up).  Check it out:

Still not a single virus epidemics in whole 27-year long Mac history (even though laboratory and proof of concept examples did exist.) And, whole MacDefender thing is grossly overblown by media since people have to have three level of cluelessness to actually harmed by this…

and:

11+ years of OS X with no real threats. 10+ years of security experts saying just wait! You will see. Here is looking forward to another decade of proving them wrong. Note: We know threats are out there! Apple has warned us to protect ourselves. Nobody thinks the mac is immune to any and all future attacks. But at current threat levels, worrying about infection is just a waste of time.

and:

actually you could have said this clearer… because OSX has actually proven that you can have a system that is “secure” it still has never been attacked successfully in the wild…

I wasn’t really sure what that last one was driving at, but it sounded like he was saying that OSX has never been hacked.  (???)  So I included it.  Since its friday afternoon and nobody’s reading blogs anyway, I won’t draw the point out… but is anybody else seeing the parallel here?

Image Source: akashdesai.com

I’ve been following the discussion Ed Bott has been having recently about this new breed of Mac malware – and the response from Apple about it.  I won’t go into too much detail about it, but in vein of a quick TLDR summary for those who aren’t going to click the links, here’s the deal:

• there’s some Mac malware making the rounds
• users aren’t sure how to respond so they’re calling AppleCare about it
• Apple’s position is not to support malware removal through AppleCare…  or at all really.  Although I’m sure there’s some sort of paid option that I’m not finding.

I do understand Apple’s position in not wanting to support the malware removal.  Mostly because any kind of large-scale malware outbreak could break the bank from a remediation and support standpoint if malware removal is free.  Not to mention that it would (as the customer support rep Bott spoke to indicated), “set the expectation” that they would do this in the future. So I get it.  But on the other hand, you’d think Apple would want to minimize negative publicity in light of their recent location-tracking debacle.  But whatever, I’m not bringing it up because of that.

The reason I bring it up is the changing tone in the responses Ed is receiving about this.  Specifically, in reading through the comments to his posts, I was surprised: the instance of rabid mouthfrothing and death threats seems to be on the decline.  Compare, for example, this comment thread from an article about Mac malware in 2005 on “Ask Leo” vs the current Bott article.  See the difference in the tone and tenor?  In 2005, the community accepted on faith that Mac was “better engineered” and therefore immune to malware.  In 2005, the community took it as a given that malware for the mac was not only an impossibility, but to argue otherwise was laughable.  In light of that kind of perception, the Apple advertising message about being malware-free made sense.

But now look at the Bott article responses.  Do you see anyone claiming that malware for Mac is laughable?  I don’t.  There are folks saying it’s somehow less serious on Apple: either because the users being infected are somehow stupid (the “blame the victim” argument), how since the malware is a trojan it “doesn’t really count”, and how the volume of occurrence (i.e. less than on Windows) still somehow means Apple users are better off.  Say what you want about that, but the discussion isn’t about immunity anymore.  “Relative susceptibility” sure, but not immunity.  Instead of “it can’t happen to me”, it’s “it happens to me less than to the other guy” or “it only happens to stupid people”.  An interesting shift.

Because once the community decides that Mac users are not immune by virtue of the fruit logo, are they going to change their responses?  After all, Apple using freedom from malware as a sales pitch only works to the extent that people believe that’s true. If users know it’s false?  Seems like it’s backfire-fodder at that point.

So the folks over at the ESET malware report podcast were nice enough to have me on the other day.  As of this writing, they haven’t yet updated the feed on their webpage, but they have updated the iTunes Feed, but I’m sure the web page update is coming soon.

The topic is about whether there is likely to be a “mobile malware singularity” at some point based on increasing homogeneity of mobile devices.  We’ve talked about it on this blog, but I appreciated the opportunity to bat it back and forth with the folks over there.  Very enjoyable experience.

Anyway, below is a direct link to the mp3 version of this in case you’d like to check it out:

032111_ESET_Mobile.mp3

So there’s a really great read over at Anti-Virus Rants (Kurt Wismer’s blog) this morning about the HBGary incident and the ethical ramifications thereof and hypocrisy from vendors who are funding malware research and creation (albeit indirectly). Anyway, I highly recommend checking it out.

Now you’re probably aware that Kurt and I have disagreed in the past about the ethics of malware creation and whether there are ever any circumstances under which it can be considered ethical.  What I find interesting about the HBGary incident is that it emphasizes starkly the value of having that discussion at all.  In other words, it’s not an academic discussion by any means.

Why?  Because it could be that the HBGary compromise helps the bad guys…. The online cache of files from HBGary into targeted malware research might give a bad guy an edge that they didn’t have before.  Take, for example, the document describing their “Magenta” project.  It could be that this meta-information about that project (feature list and a play-by-play of infection) could cause a bad guy to think in ways he/she hadn’t before.  Not a given mind you, but certainly possible.

What’s my point?  That the whole “to create malware or not” discussion is relevant specifically because of this.  Some folks may point to this as an argument for why we shouldn’t create malware even for “good guy” purposes.  Others (i.e. those cynical enough to conclude that it’s going to happen even if discouraged) will argue that this is why it should be governed and regulated.

But no matter which camp you’re in, this kind of leak is why it matters.

Interestingly, a joint research effort including Ecole Polytechnique de Montreal, Nancy University in France, and Carlton University in Ottawa have created a botnet for the purposes of studying how botnets behave.

It’s interesting for a few reasons – it’s not just that it’s two-thirds short of being pan-Canadian… it’s not just that it’s almost, but not quite, entirely Franco-phonic…

No, instead I’m curious about how folks feel about this.  I wonder this because of how some outspoken folks in the anti-malware community feel about the ethics of creating new malware.  In short, that it’s wrong – under any circumstances – for any purpose – no matter what the payload – and no matter how/if it replicates.

Is a botnet malware?  I would posit that it is – and a bunch of other folks seem to think so too.  So how will folks react?  Is this an example of malware that it’s OK to create (for example because there’s no replication capability)?  Or are these folks joining the club of global evil like Sonoma State, Consumer Reports,  and University of Calgary?  Only three options are possible:

Option 1:  botnets are not malware (or at least this particular botnet isn’t malware).  That could be true, in which case I would challenge our industry to articulate why this botnet isn’t malware whereas other botnets are or could be

Option 2: It is OK to create this type of malware for this particular purpose.  In which case I would challenge our industry to re-articulate the “no malware creation ever” idea and instead change the position to reflect the OK-ness of this particular exercise.

Option 3:  Canada is evil – or, at least, Canada and France working together are evil.

So, this probably won’t come as a shock to anybody, but it turns out that users are frustrated by AV – frustrated enough to bounce from vendor to vendor, gripe about it, and even just turn it off.  Paraphrasing the user ”take”, they seem to feel that the AV “bloatware” (note: not my terminology) is an instability-inducing performance sink that demonsrates comparable little value for the usability and efficiency cost.

Image Source: freakingnews.com

So this is interesting for a couple reasons – because of course the AV will have a performance impact.  It’s computer science 101.  I’ve mentioned this before, but the algorithmic complexity of linear search is well understood in computer science.  Searching through a given amount of data is tied to two factors: data volume (number of items to search) and number of items to compare against.  I won’t go into the whole explanation again: I’ve gone through it before a number of times and people either don’t care or don’t see the writing that this puts on the wall.  Either way, it’s there if you want to go back down that road (which, like I say – I wont do again here).

So not only is AV slow now, it will continue to get slower – exponentially – going forward.  At some point, we’ll reach a crossover point where the pain of running AV exceeds the value it provides.  Unless, of course, we can find a better model to use than linear search.

Anyway, these studies are interesting symptoms of a seldom-described problem.   But I still think it’s unlikely to change the direction of the industry.

OK, it’s that time of year when everybody and their brother comes out of the woodwork to make predictions about what will happen in information security over the coming year.

As a connoisseur of human folly (thanks to Ms. Austen for one of my favorite turns of phrase), it’s usually a time of high sport for yours truly.  That’s because the typical crop of predictions (no offense to the folks making them) usually tend to be less than useless.

And I really mean that: less than useless. Useless would be that they don’t help a security practitioner do their job… Something totally unrelated – like the outcome of “Top Chef” – is an example of something that’s useless from an information security point of view (unless yours is an extreme case).  Less than useless actually sets you back to some degree: it’s represents a state where the security practitioner is worse off having undertaken the activity than they would be otherwise.

The way these predictions tend to go down, I think predictions tend to fall into the second category: they don’t really help anybody plan, they focus us – in magpie-like fashion – on the bright shiny “cool” threats at the expense of the boring, workmanlike, “eat your vegetables” kind of fundamentals that are usually more at issue in enterprise (but that really nobody wants to hear because they’ve heard it a million times already.)

It’s like going to the doctor and hearing, “hey, you should exercise more”.  We all know this already.  We know we should do it — we’ve heard it a billion times… and it’s soooo much less interesting than hearing, “hey, this new research from the Flemish cake institute suggests buttercream wards off aging.”

But this year, I’m going to fly in the face of tradition and actually make a prediction.  That’s OK, I’ll give you a minute to finish laughing.  I’m serious. Here goes:

I, non-prognosticator extraordinaire, do hereby predict (while again reminding you not to use this prediction for planning purposes) an actual mobile-malware population-level event in 2011.  Or maybe 2012… but I’m thinking probably more 2011.   I mean like some *serious* mobile-malware event.  Not a proof of concept, not a tiny blip… I mean something that hits *hard*.  I think it’s time.

Now, some of you might point out (and you’d be right) that folks have consistently predicted that mobile malware will crank up every year for at least half a decade. You might also point out (and again be right) that I’ve failed to agree with them in each and every circumstance in the past.  You might point out (as I did) the fact that 2006, the so-called “year of mobile malware” according to McAfee, came and went with more instances of the bubonic plague than instances of actual mobile malware.  So what’s different now?

I think conditions have changed.  In the past, we’ve seen a highly-diverse, heterogeneous mobile marketplace.  There were so many different platforms and operating systems that a population-level event like a true malware outbreak would be really hard to achieve.  But the market is becoming more standardized – assuming the trends continue (and we have no reason to think they won’t), we’ll have an almost half-and-half iPhone/Android substrate by April.  The more homogeneous the market, the more likely a population-level event is to occur )(as Dan Geer and others have pointed out in the past).

So increasing homogeneity.  Not to mention that the majority of devices have very little in protection against malware.  In my opinion, these two things will soon lead to a very favorable substrate for a population-level malware event.

So that’s why I think we might be tee’ed up for this in 2011.  Folks have been saying this same thing for a while now, and I’ve disagreed.  They seem to have stopped saying it this year (at least I’m not seeing mobile malware as a huge prediction in the ones I’ve seen so far), but I think they should be.  We’ll see what happens.