06.16.07

InfoSec Canada

Posted in IT at 3:13 am by Tyler Reguly

This year I had a chance to visit InfoSec Canada for the first time; it was also my first time at a "trade show". I was initially impressed and surprised by the size and quality of some of the displays. After wandering around a bit I was surprised by how few people were present... I guess there were a lot of people, but most of them were wearing Exhibitor name tags. From what I picked up at the booths, the previous day had been busier.

I managed to have decent discussions with the sales people from a few different companies, namely CORE Security, F-Secure, eEye and PatchLink. I also had a decent discussion with an account executive from Robert Half Technology.

I also managed to walk away with a decent haul of swag...

Items Collected:

  • BorderWare Notepad
  • PatchLink T-Shirt and Hat
  • CA Visor and Golf Tees
  • SentryMetrics Notepad, Screwdriver and No-Slip Dashboard Cellphone Mat
  • F-Secure Keychain
  • eEye Post-Its, Lanyard and Pen
  • Qualys Bag
  • PineApp Pen
  • Grisoft AVG Collapsible Ruler
  • Application Security Inc. Stress Ball
  • Codenomicon T-Shirt
  • Stonewood Lanyard
  • emFAST Water Bottle

Items I Missed Out On:
(Note: If any of the vendors see this and have any laying around, feel free to send them my way :) )

  • CORE Security USB Hubs
  • Light-up Yo-Yo's (Not sure who had these)
  • Application Security Inc. 'Save the Database, Save the World' T-Shirt
  • eEye 'See You Next Tuesday' T-Shirt
  • Microsoft Stress Ball

Most Important Note of InfoSec Canada:

  • Websense provided free Beer!

Lastly, I have to leave you with a picture of me from the Sentry Metrics booth.

Tyler at Sentry Metrics Booth

06.14.07

Daily Link List

Posted in Daily Link List at 9:10 pm by Tyler Reguly

I know these aren't daily but there were a few things I came across today / last night that I thought warranted mini blog posts.

The first of these was a post by Rich Mogull over on Securosis.com. It's a great post, entitled 'Then There Was The Time I Sort Of Kidnapped Someone', which talks about education vs. experience by telling a story of Rich's from when he was in his early 20s. While it doesn't directly discuss IT, it definitely fits with any industry. I won't spoil the story, as it was definitely worth the read, but in the end Rich points out that a superb education with 'top of the class' marks doesn't compare to actual experience. I think this is important to point out because it applies to everything. There are plenty of businesses that still put things such as "CCNA, CISSP, MCSE Required" in their job posts and are firm on those requirements. Even if you have the industry experience to have learned and utilized those skills, they'd rather have someone with a piece of paper. Now I realize that this was talking more about people coming straight out of school, and I think that is another reason it should be read, and read again... a chance to learn from the mistakes of someone else.

Something that has always bothered me... and maybe it's bothered me more than it would most because I'm a college graduate rather than a university graduate... is university students... not all of them, but a number of them. I had this problem while attending college and I've had this problem afterwards while working in IT. I find that university students feel that, because they are going to (or have) graduated university, they are superior to you if you haven't done the same. They are "hot shit", so to speak, and think the world of themselves. I think that reading Rich's article is a great way for some of these "hot to trot" show-offs to be brought back down to earth. It's better to learn from the mistakes of others than to get out into the working world and be smacked down by those around you. So if you're one of these people... go give it a read... Since most of you won't admit it if you are... everyone go give it a read.

Up next on the "interesting reads" list is a blog post over on the Websense Security Labs Threat Blog. It discusses how an "enterprising individual" (read: scam artist) used a little bit of basic JavaScript to change his customer feedback rating and turn himself into a power user in the eyes of all those unsuspecting visitors to his eBay auctions. Web 2.0 frightens me... I'll be the first to admit it... This is a great example of how control is lost when security isn't quite up to snuff.
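The eBay trick above comes down to one thing: seller-supplied listing HTML was rendered with its scripts intact, so a script inside the listing could rewrite whatever the page displayed, feedback score included. The fix on the site side is to sanitize untrusted markup with an allow-list before rendering it. Here is an added example of that check (it is not code from the original post, from Websense or from eBay); the listing markup, the `feedback-score` element id and the `example.invalid` URLs in it are constructed for illustration:

```javascript
// Added example, not from the original post, Websense or eBay: allow-list
// sanitization of seller-supplied listing HTML before it is rendered.
// Everything not explicitly allowed (script, style, event handlers,
// javascript: URLs) is removed; unknown tags are dropped but their text kept.

const ALLOWED_TAGS = new Set(["b", "i", "em", "strong", "p", "br", "ul", "ol", "li", "a", "img"]);
const ALLOWED_ATTRS = { a: new Set(["href"]), img: new Set(["src", "alt"]) };
// Tags whose whole content must go, not just the tag itself.
const DROP_WITH_CONTENT = new Set(["script", "style", "iframe", "object", "embed"]);

// Matches one tag at the start of the string: </?name attr="v" attr='v' attr=v />
const TAG_RE = /^<(\/?)([a-zA-Z][a-zA-Z0-9]*)((?:\s+[^\s"'=<>\/]+(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'=<>`]+))?)*)\s*\/?>/;
// Matches one attribute inside the attribute string captured by TAG_RE.
const ATTR_RE = /([^\s"'=<>\/]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'=<>`]+)))?/g;

function escapeText(s) {
  return s.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;");
}

// Only plain http(s) URLs survive; javascript:, data:, vbscript: etc. are rejected.
function safeUrl(value) {
  return /^https?:\/\/[^\s"'<>]+$/i.test(value);
}

function sanitizeListing(html) {
  let out = "";
  let i = 0;
  while (i < html.length) {
    const lt = html.indexOf("<", i);
    if (lt === -1) { out += escapeText(html.slice(i)); break; }
    out += escapeText(html.slice(i, lt));
    const m = TAG_RE.exec(html.slice(lt));
    if (!m) { out += "&lt;"; i = lt + 1; continue; } // a stray '<' is just text
    const [whole, slash, rawName, rawAttrs] = m;
    const name = rawName.toLowerCase();
    i = lt + whole.length;
    if (DROP_WITH_CONTENT.has(name)) {
      if (slash) continue;                           // orphan </script>: drop it
      const closeRe = new RegExp("</" + name + "\\s*>", "gi");
      closeRe.lastIndex = i;                         // skip everything up to the close tag
      const c = closeRe.exec(html);
      if (!c) break;                                 // unterminated: drop the rest of the input
      i = c.index + c[0].length;
      continue;
    }
    if (!ALLOWED_TAGS.has(name)) continue;           // unknown tag dropped, its text kept
    if (slash) { out += `</${name}>`; continue; }
    let attrs = "";
    const allowed = ALLOWED_ATTRS[name];
    if (allowed) {
      for (const a of rawAttrs.matchAll(ATTR_RE)) {
        const attrName = a[1].toLowerCase();
        const value = a[2] ?? a[3] ?? a[4] ?? "";
        if (!allowed.has(attrName)) continue;        // drops every on* handler, style, id, ...
        if ((attrName === "href" || attrName === "src") && !safeUrl(value)) continue;
        attrs += ` ${attrName}="${escapeText(value)}"`;
      }
    }
    out += `<${name}${attrs}>`;
  }
  return out;
}

// Constructed listing markup (not a real auction): the seller's description
// carries a script that rewrites the page's feedback display, an image with an
// onerror handler, and a javascript: link with an onclick handler.
const CONSTRUCTED_LISTING = [
  "<p>Mint condition <b>widget</b>, ships worldwide.</p>",
  "<script>document.getElementById('feedback-score').textContent = '9999 (100% positive)';</script>",
  "<img src=\"https://example.invalid/widget.jpg\" onerror=\"alert('pwned')\" alt=\"widget\">",
  "<a href=\"javascript:void(0)\" onclick=\"document.getElementById('feedback-score').textContent = '9999'\">Contact me</a>",
].join("\n");

console.log(sanitizeListing(CONSTRUCTED_LISTING));
```

The point is the direction of the filter: an allow-list of tags and attributes, with URL attributes checked against an allow-list of schemes, rather than a block-list of known-bad strings. The tokenizer here is deliberately small (it does not balance tags, for instance); for a production site a parser-based sanitizer library is the right tool, but the policy it should enforce is the one shown.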

Also a quick thanks to the Websense people for their awesome booth at InfoSec Canada. You really can't beat free beer!

Next we've got an article by Brian Krebs in his Washington Post Security Fix blog. It touches on a bill that passed in the US House of Representatives. It is the second bill they've passed on the subject of Caller ID spoofing. The first bill is still before the Senate which is where this one will head.

I've got a soft spot in my heart for Caller ID spoofing since I disable Caller ID with each call and I dislike that the telephone companies charge you to permanently hide your phone number. I've got my trusty SpoofTel account and I really enjoy using it in the occasional prank call to family members and friends. I can understand the problems with Caller ID spoofing... especially in fraud and scams. I just hope that if these bills are passed in the Senate and become law that they are used as intended... to deal with the fraudsters and scammers and not used to harass the little people who use Caller ID spoofing.

Note: For those of you who live away from home and make weekly calls to family back home, I highly suggest a SpoofTel account. Call your loved ones from a local number and tell them you're in town for a couple of days and are on your way over... you stopped to call from a pay phone. You can really mess with them. You can also call one family member from another family member's phone number... it can be the source of endless hours of entertainment.

The last thing I wanted to mention is that the research team behind McAfee SiteAdvisor now has its own blog. The first few posts look interesting and everybody should probably check it out and add it to their RSS feeds in the near future.

When Marketing Spin Hurts You

Posted in IT, Security at 1:40 am by Tyler Reguly

As most people know, my Bloglines is FULL of blogs that I read on a regular basis. Generally these blogs are interesting, however they are occasionally filled with marketing spin. This happened with a recent post on the F-Secure blog. It seems they failed the VB100 test (which they normally pass) and wanted to head it off at the pass before anyone else could talk about it. That's fine... they didn't send the most up-to-date signatures that they could have sent, and VB100 doesn't perform an update after an install. A mistake on F-Secure's part, but it's minor... they even went so far as to get somebody from Virus Bulletin to comment on the quality of their product. I was impressed by this; generally I wouldn't think that a neutral organization would do this, so it gives the product a bit of a boost in my eyes. However, one statement in the post did catch me off guard:

"we nowadays ship around six updates a day"

I realize that this was meant as a positive thing, but it got me thinking and I just can't see it in a positive light. When you are pushing out that many updates it tells me one of two things: i) you are "sweatin' the small stuff" or ii) you have a bad QA process and need to push out fixes. I was curious about this, so I went over to Symantec and checked out Threat Explorer. It listed 62 new threats dating back to May 16th. So if we take May 16th to June 13th, that's 29 days, which means 2.1 threats per day. Now, that's Symantec, not F-Secure, so I went over and took a look at their Virus Description Modifications page. Of course there's no guarantee that these are new virus descriptions; in fact I noticed some that I'm fairly sure aren't... but I figure description modifications would include creation. Over the same 29-day period, they have 21 viruses. That's 0.7 threats per day. I grabbed a few more stats from other sites; Panda listed 11 (0.37 threats per day) and McAfee listed 24 (0.8 threats per day).

So, even if we use Symantec's numbers for F-Secure, there's no reason to push out more than 2 updates per day, and even then, I would feel that one update daily would be more than sufficient. Even that may be overkill in some cases, but I could see a "daily" update. I think the last thing a company should be doing is bragging about 6 updates per day, especially when the number of new virus threats is way below that. This makes me think of the poor QA we've seen out of AV companies in the past: 'McAfee update exterminates Excel' or 'Flawed Symantec update cripples Chinese PCs'. It really makes me question the integrity and quality of the updates that I'm receiving.

So kudos F-Secure on the quick thinking to put a positive spin on your failure to pass VB100, but at "six updates a day" you've failed something even bigger in my eyes. Given that the F-Secure blog was one that I enjoyed reading and that I'd just picked up my new Vista PC, I was thinking about buying F-Secure Internet Security 2007 and installing it on my machine. Now I'm afraid to... the product has just gone to the bottom of my list and it's all because "six updates a day" leaves a bad taste in my mouth.

[UPDATE]

I was able to walk the Exhibitors floor at InfoSec Canada earlier today and one of the things I was able to do was chat with a Sales guy from F-Secure. He was actually really great to talk to... I wanted to know more about the "6 updates a day" and he was more than happy to discuss it and provide me with some information. He said that 6 is just an average, that some days they are much higher, with a record of ~21 in a single day. I found this a little shocking, and he named other AV vendors and pointed out that some of them will do 20-30 updates daily. (I would love to hear from any AV vendors that read this, just how many updates your software has daily.)

He also said that it's because their software includes not only updates for malware but also for spyware. Maybe it's just me, but I've always considered malware to be a blanket term that includes worms, trojans, adware and spyware. Anyways, that was another bit of justification he gave for the number of updates they ship. Either way I'm still not overly impressed, however the guy was friendly enough and provided me a 30-day demo of all their products (including their mobile solution), so I may check them out and see what I think... but if I really do see 6 updates daily... I don't think it'll be around longer than 30 days. As a side note, they had nice swag at their booth... the key chains that you push to separate into two key chains, with the F-Secure logo etched into the side.

[UPDATE 2]

F-Secure was nice enough to blog about this issue. However, they couldn't even spell my name correctly; they currently have my last name spelled 'Regulay'. They attempt to address the issue I've brought up... and I'm glad that they have clarified (as Kurt already had) that they only do descriptions for, what I'm going to call, 'media worthy' viruses. They were also good enough to provide a link to F-Secure Forums, which contains a change log for each of their releases (well, almost each; I noticed certain daily releases weren't included... I'm guessing those are the ones with big QA fixes). I say big QA fixes because, for example, June 14th - Package #4 saw the deletion of 29 pieces of malware, most of which were replaced in that update. My assumption if they are replacing them is that they i) had bad QA or ii) jumped the gun and shipped improper detection before they had all the facts. They also mention that one day they had 11 updates... I definitely feel this is too much... I know there are lots of people that agree with me, since they've voiced their belief privately... hopefully some of them will speak up.

06.03.07

You’re a 32bit Help File… We won’t let you work on Windows…

Posted in IT, Operating Systems, Windows at 11:50 pm by Tyler Reguly

I must say I was a little confused today when I clicked on help in Hex Workshop and the help window I was used to in XP popped up (I bought a new computer last week, running Vista); however, instead of displaying the help file, I received a message that WinHlp32.exe wasn't supported in Vista. There was even a link to a KB article.

It seems that WinHlp32.exe is the program that handles 32-bit help files (.hlp); 16-bit help files are handled by WinHelp.exe. For some odd reason, WinHelp.exe still exists in Vista. Microsoft claims that their reason for removing WinHlp32.exe is:

"The Windows Help program has not had a major update for many releases and no longer meets Microsoft standards. Therefore, starting with the Windows Vista operating system release, the Windows Help program will not ship as a component of the Windows operating system. Also, third-party programs that include .hlp files are prohibited from redistributing the Windows Help program together with their products"

Now this can't help but make me curious... WinHlp32.exe no longer meets standards but somehow WinHelp.exe does? I somehow doubt that they are still maintaining WinHelp.exe. Anyone with a 95, 98 or 2K system up and running, I'd love to know the version of WinHelp.exe. On Vista it is version '3.10.0.425'. I also find it odd that they are prohibiting third parties from distributing the Windows Help program and are instead suggesting they move to .chm, .html and .xml file formats.

The fact that they are prohibiting it makes me think there's a glaring vulnerability that they aren't overly eager to patch... At the same time though, Microsoft is offering the file for download to Vista users. This update downloads a .msu (Windows Update Standalone Installer) which installs a single update (not available through Microsoft Update) - Update for Windows (KB917607). As soon as the installation was complete, the Hex Workshop help file opened without problem. If it's really that easy, considering how much was included in Vista... could one last file not be included?

I'm curious to see what will happen as new .hlp vulnerabilities come to light. Will my copy of WinHlp32.exe that I've installed on Vista receive security patches now? Anyways... I find it very odd that this file wasn't included and that third parties can't redistribute it.
