The Fake Conference Season Opens

Even the fake conference crowd are trying to drag me back into testing (again). Yes, ‘Making sense of comparative anti-malware testing’ sounds like a perfect fit for the World Gene Convention. Not. I’d have been more impressed if they’d picked up on my long-gone and rather peripheral connection with the Human Genome Project.

At least the repeated invitations to a dodgy forensics conference have some theoretical relevance to what I do now.

But it seems that the Gene Genie has just picked up an article I wrote for Elsevier in 2009. Or, more probably, just the abstract.

F minus for effort. F double minus for ‘would you please respond to our earlier spam?’

David Harley 


Next-gen Ethical Hacking

This morning I was amused to find comment spam advertising the services of a hacker for hire for ‘ethical hacks, school upgrade, money transfer, blank a.t.m’s, clear your credit score’. Well, that’s an unexpected view of what constitutes ethical hacking. (If you’re not sure what I’m getting at, read the above as ‘falsify your grades’, ‘be tricked into buying an ATM card that’s supposed to allow you to fraudulently draw unlimited funds’, and so on.)

No, it wasn’t on this blog, but I bet if I put the word ‘hacker’ or ‘hacking’ into the title of this article, something similar will turn up. Of course, if it does, you’ll have to take my word for it, since I’m not going to approve it.

David Harley

Symmetry and Virus Writing

Back in 2003, the University of Calgary started to offer courses in virus writing, much to the annoyance of the security industry. Well, the anti-malware industry: people outside that sector like Bruce Schneier tend to take a contrary view of the hands-on approach to understanding security threats. However, what we still called at that time the AV industry was pretty unanimous:

  • Sophos commented
  • Fridrik Skulason commented
  • Vesselin Bontchev took the idea to pieces in an AVAR paper (and made some sound suggestions about alternative ways of teaching the next generation of anti-malware researchers what they need to know).

Professor John Aycock braved a hail of criticism and has attended a number of security conferences subsequently. I’ve never been able to accept the view that you have to write malware in order to understand how to detect/defeat it, but he is an intelligent and likeable man who has contributed to our understanding of the malware scene, for instance in the (now virtual) pages of Virus Bulletin.

I don’t suppose that the current vicious spate of ransomware owes much to the teaching practices of the University of Calgary. In fact, malware technology has changed so much in the meantime it’s hard to see how it could. And certainly I’ve no particular reason to suppose that any of the students who took that class lacked honesty and integrity any more than the rest of the population.

Still, there’s a certain uncomfortable symmetry in the fact that the University of Calgary has apparently just paid $20,000 CAN to a ransomware gang for decryption keys… I won’t say ‘what goes around comes around’ but I suspect there are those who will.

David Harley

Pity the poor BIOS hacker

Darren Pauli for The Register:

Millions of flawed BIOSes can be infected using simple two-minute attacks that don’t require technical skills and require only access to a PC to execute.

I don’t often feel sympathy with people who attack other people’s data and systems, but I feel deeply sorry for those poor unfortunates condemned like a modern Flying Dutchman to wander the earth, breaking into millions of homes and offices so that they can get physical access to PCs and infect the BIOS.

By my reckoning, that’s around 3.8 man years per million PCs, not including travel time between sites, sleep, eating, and visiting the bathroom.

The article refers to a presentation at CanSecWest by Xeno Kovah and Corey Kallenberg, but a presentation covering somewhat similar ground for ShmooCon seems to include the crucially different assertion that ‘Attacker does not need physical presence to attack BIOS.’ Well, that’s sometimes true. But it is clearly not explicitly stated in the CanSecWest abstract. I shall await further clarification with bated breath.

David Harley

21 Rules for Computer Users

I came across this collection of ‘rules’ by accident today: I’d forgotten all about it, but I get a mention there because educationalist Terry Freedman and I were exchanging email for a while in the wake of a writing project he initiated. (Jude and I contributed some content which we actually expanded on in the AVIEN Guide to Malware. Just as well, as Terry’s project seems to have disappeared…)

I should immediately point out that while I drew Richards’ laws to Terry’s attention, my friend and one time co-author (on Viruses Revealed) Robert Slade drew them to my attention.

Anyway, you might find these 21 laws, rules and principles amusing.

David Harley
Small Blue-Green World

Bank of the Internet

This is, perhaps, a little heavy on the geek side. I think there may already be a bit part reserved for me on The Big Bang Theory, along with an XXL-sized Star Trek uniform (preferably not a security redshirt uniform).

However, if you’re actually reading this, I guess there’s a reasonable chance that you’re among the elite (very) few who don’t altogether hate my cheesy little cartoons. One of the most valued members of that elite band is Aryeh Goretsky who used this one in his ESET 2014 Mid-Year Threat Report broadcast.

The webinar itself has been and gone, but you can catch a recording on the ESET Internet Security Threats Channel. There’s a list of the topics covered and a link to the recording in Aryeh’s blog article.

(No, this blog is emphatically not part of the ESET empire, but I kind of like the cartoon.)


David Harley
Small Blue-Green World