What Wired Is Not Telling You – a Response to Noah Shachtman’s Article in Wired Magazine

Eugene Kaspresky is not KGB but Indiana Jones of the Industry

This is a very unusual post. It’s not about cyber-crime, malware, our latest business achievements or my latest long journey around the globe. It’s about truth and facts, and the importance of not hiding certain facts while revealing others.

For sure I was surprised to read such an article from a journalist who, up until Monday, always seemed to maintain the highest of professional and ethical standards. And it goes without saying that, on behalf of my company and our 2400+ employees around the world, I have to object to Mr. Shachtman’s litany of inferences, opinions, omissions and errors.

We first got to know Mr. Shachtman early last fall, and then invited him to our headquarters in Moscow. After several meetings with me and our team members, during which we discussed many different current issues related to the security field, it appears Noah Shachtman thought that he was ready to tell the world the “truth” about Kaspersky Lab and me personally, and decided to produce an article for Wired Magazine. And he got off to a great start (the way he described me after practically 72 hours on planes (Cancun-Munich-Cancun) just to be there for the opening of the event was all very true – and to me very amusing). But unfortunately Mr. Shachtman forgot to include essential components such as key facts, independent international experts’ opinions, and independent marketing research agencies’ data. Not only did he forget to check his facts, in some cases he wrote almost the opposite of what I actually said in my numerous interviews with him over the past seven months.

I hope Noah tried to do his best and had no hidden agenda. But he unfortunately failed to present to you the whole truth. So I’ve decided to help him out.

Read on: What Wired Is Not Telling You – a Response to Noah Shachtman’s Article in Wired Magazine

Worse than Cheese: Scary Scenarios Causing Nightmares Now – the Five Main Issues of IT Security.

I recently found myself wondering how many interviews with the press I do every month. Of course the totals fairly helter skelter between months, but in the busier periods the number can get anywhere up to 70! And that’s only spoken interviews, i.e., those done in person or over the phone. If I were to also include e-mail interviews – the number would be just silly.

But I don’t complain. In fact just the opposite – I love interviews! Which reminds me of Richard Branson and his simple rule about interviews: “If CNN rings me up and wants to do an interview with me, I’ll drop everything to do it.” I also follow this rule – to the letter – and not without good reason.

Most interviews are what you’d expect. I get asked lots of questions, I answer them as best I can, and that’s about it.

But in a very few rare instances I get interviewed by a really well read-up journalist, meticulous to the point of hair-splitting, who not only knows all about me and KL and what we do, but also all about the particular narrow topic the interview’s about. By the end of the allotted hour I’m exhausted, the mind’s pretty much frazzled, and I feel like my very soul’s been extracted together with my long-winded answers to the sophisticated questions.

These are the trickiest and most trying kinds of interviews, but also the most useful. Why? Because during such intense sessions the gray matter inside the skull shifts up a gear or three and really gets to work, thinking in new ways and approaching familiar topics from fresh standpoints – to such an extent that after the end of the interview the momentum keeps the ideas coming, leading to all sorts of new insights. All really quite fascinating how creative cognition comes about. And all kicked-off by super-sharp reporters doing their job masterfully. Respect due. And a thank you!

Curiously, what unites such “special” interviews with regular ones is an inevitable question about the most pressing IT Security issues today – something like: “What keeps you up at night (in terms of IT Security hazards)?”! And I don’t get asked this all the time just by journalists in interviews. The question pops up at practically every IT conference I speak at.

And so: as promised earlier, here I’m presenting my List of the Five Main Issues Facing IT Security, in the broad sense of the term.

I should say straight away that I don’t have prescriptions for solving all five issues. The aim of this post is more to identify the problems, let you start to muse on them, and hopefully draw you into the fold of their ongoing discussion by raising your interest, empathy and/or sympathy!

Right, here’s my list:

  1. Privacy
  2. Internet Passports
  3. Social Networks
  4. Cybercrime
  5. Cyberwarfare

More: getting into details …

Doing The Homework.

Any software vendor sometimes makes unfortunate mistakes. We are human like everybody else and we make mistakes sometimes, too. What’s important in such cases is to publicly admit the error as soon as possible, correct it, notify users and make the right changes to ensure the mistake doesn’t happen again (which is exactly what we do at KL). In a nutshell, it’s rather easy – all you have to do is minimize damage to users.

But there is a problem. Since time immemorial (or rather memorial), antivirus solutions have had a peculiarity known as false positives or false detections. As you have no doubt guessed, this is when a clean file or site is detected as infected. Alas, nobody has been able to resolve this issue completely.

Technically, the issue involves such things as the much-talked-about human factor, technical flaws, and the actions of third-party software developers and web programmers. Here’s a very simple example: an analyst makes a mistake when analyzing a sample of malicious code and includes in the detection a piece of a library the malware uses. The problem is the library is used by some 10,000 other programs, including perfectly legitimate ones. As a result, about 20 minutes after the release of an update containing the faulty detection, technical support goes under due to a deluge of messages from frightened users, the analyst has to re-release the database in a rush and the social networks begin to surface angry, disparaging stories. And this is not the worst-case scenario by far: imagine what would happen if Explorer, svchost or Whitehouse.gov were falsely detected :)

More: How to evade detecting Whitehouse.gov as a phishing site …

Enter your email address to subscribe to this blog
(Required)

The Flame That Changed the World.

I’ll never forget Oktoberfest 2010 for as long as I live. Yes, I like beer, especially the German stuff, and especially at Oktoberfest. But I don’t even remember the beer, and that’s not because I had too much of it :) It was at that time we received the first news of a very unpleasant trend, which I had feared for a number of years. That’s right, it was the first time Stuxnet reared its ugly head – the first malware created with state backing and designed to fulfill a specific military mission. This is exactly what we had talked about at our Oktoberfest press conference: “Welcome to the age of cyber warfare!” It was already obvious then that Stuxnet was just the beginning.

Cyber Warfare

Indeed, little has changed since that September right up to the present day. Everybody had a pretty good idea where Stuxnet came from and who was behind it, although not a single state took responsibility; in fact, they distanced themselves from authorship as much as possible. The “breakthrough” came at the end of May when we discovered new malware which also left little doubt as to its military origins and aims.

Yes, I’m talking about Flame.

More: How can malware stop me from eating a fresh croissant in the morning? …

When Will Apple ‘Get’ Security Religion?

My recent mention of Apple in a speech at CeBIT Australia initiated the usual flurry of chatter and publications regarding the company’s approach to security. As Apple’s security seems to be a hot topic of late (since Flashfake), I think this is an opportune time to talk some sense about this issue. As you’ll know, today we see a widening rift between, on the one hand, Apple’s long-term alleged ‘Macs are malware-invincible’ campaign, and on the other – reality, i.e., that this campaign is… losing credibility, to put it mildly. So, will users have the nous to get to understand the real state of affairs, despite what Apple keeps telling them? What’s wrong with Apple’s security approach? Is there anything Apple can learn from Microsoft and other vendors in terms of security? …

More: When Will Apple ‘Get’ Security Religion?. . .

The Dangers of Exploits and Zero-Days, and Their Prevention.

You don’t need to hear it from me that the Internet is a really interesting phenomenon, and mega-useful for all those who use it. But at the same time its openness and uncontrollability mean that a ton of unpleasantness can also await users – not only on dubious porno/warez sites, but also completely legitimate, goody-two-shoes, butter- wouldn’t-melt-in-mouth sites. And for several years already the Internet has been a firm fixture on the list of the main sources of cyber-infections: according to our figures, in 2012 33% of users have at least once been attacked via the web.

If you dig deeper into the structure of net-based unpleasantness, you always come across three principle categories of threats: Trojans, exploits, and malicious tools. According to data from our cloud-based KSN (video, details), the break-down is as follows:

Threats on the Web

The ten-percenter in the above pie chart as you can see belongs to so-called exploits (their share will actually be greater in reality, since a lot of Trojans have a weakness for exploiting… exploits). Exploits are mostly exotic peculiarities to non-professionals – while a real headache for security specialists. Those of you more in the latter category than the former can go straight here. For the rest of you – a micro-lesson in exploits…

More: A breakthough in fighting exploits …

In Updates We Trust.

Remember my recent post on Application Control?

Well, after its publication I was flooded with all sorts of e-mails with comments thereon. Of particular interest were several cynical messages claiming something like, “The application control idea is sooo simple, there’s no need for any highfalutin special “Application Control” feature. It can be dealt with on-the-fly as applications are installed and updated.”

Yeah, right. The devil’s always in the details, my cynical friends! Try it on the fly – and you’ll only fail. To get application control done properly – with by far the best results – you need three things besides that “it’s easy” attitude: lots of time, lots of resources, and lots of work going into implementation of a practical solution. Let me show you why they’re needed…

On the surface, it’s true, it could seem Application Control was a cakewalk to develop. We create a domain, populate it with users, establish a policy of limited access to programs, create an MD5 database of trusted/forbidden applications, and that appears to be it. But “appears” here is exactly the right word: the first time some software updates itself (and ooohhh how software today loves to update itself often – you noticed?) the sysadmin has to write the database all over again! And only when that’s completed will the updated programs work. Can you imagine the number of angry calls and e-mails in the meantime? The number of irate bosses? And so it would continue, with every update into the future…

To the rescue here comes running a mostly unnoticeable but mega-useful feature of our Application Control – the Trusted Updater. It not only (1) automatically updates installed programs while simultaneously bringing the database of trusted software up to date, it also (2) keeps track of inheritances of “powers of attorney” attracted to the updating process. The former is fairly straightforward and clear, I think. The second… let me explain it a bit.

Let’s take an example. While performing an update, some software launches, let’s say, a browser (for example in order to show the user’s agreement), and transfers to it its access rights. But what happens when the update is completed? Are you twigging what I’m getting at here?… Yes – in some products the browser keeps the inherited rights until it’s restarted! So until then it could perform an action that is actually forbidden according to the security policy – for example, to download something from the Internet, and, more importantly – to run it. What’s more, the browser gets the ability to call on other programs and give them the enhanced rights of the updater. Oht-Oh!

Turns out a single update could bring down the whole security system through incorrect access rights’ management during the update process. Scariest of all is that this isn’t a bug, it’s a feature!

Anyway, back to our Trusted Updater. What it does is take full control over the update: as soon as the process has finished, it restores the rights back to what they were before the update – for the whole chain of affected programs. Another handy trick is its knowing beforehand which updaters can be trusted – there’s a special category for them in our Whitelist database. And should a sysadmin want to, he or she can add other updaters to this category with minimal effort but with a good addition to the level of the network’s overall protection from all sorts of sly backdoors.

Application Control

More: The four scenarios of implementing for controlling software updates…

Apple – Listen to Us, Before It’s Too Late!

Which is better – Mac or PC?

By now the eternal debate will have come on to the radars of even the most non-geeky types, and those who still don’t have a position on it – normally a passionate and unwavering one – are fast becoming extinct. Last week of course the ongoing debate was seriously influenced by news of the Flashfake botnet for Mac OS X. It seems that cybercriminals are now joining the large numbers of users migrating from PC to Mac…

More: Why/what/who/how? Read on…

The World’s Gone Virtual – So Have We.

Why and How We Decided to Protect the Virtual Environment.

Over the last dozen years in the IT industry all sorts has gone on, but in the main what happened was the blowing up, bursting, and blowing up again of bubbles. Thankfully, against this depressing backdrop there are several examples of how things should be done – stories of technologies passing through all the stages from conception to industrial mainstream. One of the most interesting examples of this is virtualization.

Virtualize Cartoon

To start, as per tradition in these tech-themed posts, let me go over the basics. For those who already know the basics of the topic, you can skip this by clicking here.

More: Agent-less malware protection vs Disadvantages of virtualization security…

Cassandra Complex… Not for Much Longer.

Top o’ the day to ye!

It’s fair to say I’m a bit of an IT-paranoiac, and most of you will know by now I’m not one to hold my tongue about my fears of possible future Internet catastrophes, or the greed and degeneracy of cyber-wretches – plus the massive size of the threat they represent – and so on.

Because of this tendency for speaking openly and plainly I constantly get accused of purposefully frightening everyone (and in my own self-interest). But I don’t mind, even though it’s nonsense. So I’ll keep on calling a spade a spade – telling people what I think is right – regardless!

The evolution of cyber-Armageddon is moving in the predicted trajectory (proof it’s not just a matter of my frightening folk just for the sake of it); this is the bad news. The good news is that the big-wigs have at last begun to understand – to the extent that often in discussions on this topic are heard my horror stories of old practically word-for-word. Looks like the Cassandra metaphor I’ve been battling for more than a decade is losing its mojo – people are listening to the warnings, not dismissing and/or disbelieving them.

More: Five main problems for IT security …