
Overview of Kaspersky's 2006 alerts

  • Rob Rosenberger
    Message 1 of 1, Feb 18, 2007
      "What's New" Newsletter (SecurityCritics.org and Vmyths.com)
      Truth About Computer Security Hysteria
      {19 February 2007}

      The editor's notepad
      Humor control
      "Whisper" data collection

      Want to join or leave this mailing list? Visit
      http://newsletter.SecurityCritics.org for instructions...

      Every year, six of the world's leading computer security critics come
      up with an April Fool's joke. We do it to make people laugh, of
      course, but we treat it as a soapbox for a topic that merits special
      criticism. See http://Vmyths.com/column/1/2005/4/1 for a typical
      example of our work.

      During our brainstorming session this year, I proposed we might do
      something related to Wikipedia. I pointed out the fact virus pioneer
      Fred Cohen has only a "stub" bio page, whereas the TV
      character "Agent Mahone" boasts an extremely detailed bio page. (See
      http://en.wikipedia.org/wiki/Agent_Mahone for edification.)

      If a fictional person can have his own bio page, then why can't we
      find lengthy bios for real people in the computer security industry?
      We hear all sorts of tripe about "SCADA terrorism," for example, yet
      Wikipedia can't tell us squat about the people who protect us from
      SCADA terrorism. What's wrong with this picture?

      We're talking about real people who impact the security of networked
      critical infrastructures around the world. Shouldn't they rate
      higher on Wikipedia than an imaginary Hollywood character? Security
      demigod Bruce Schneier boasts one of the most detailed Wiki bios --
      yet it pales compared to the bio for "Chandler Bing" from the TV
      show "Friends." Again: what's wrong with this picture?

      Remember "Mafiaboy," the teenage hacker who (supposedly) very nearly
      destroyed e-commerce seven years ago? He's got a Wiki bio. Compare
      it to Carey Nachenberg, a patent-wielding researcher at Symantec who
      has NO Wiki bio. Again I ask: what's wrong with this picture?

      If computer security experts can impact the lives of hundreds of
      millions of people, then we should be able to scrutinize THEIR lives
      in return. It's that simple. The U.S. Air Force embraces this
      philosophy -- they publish a bio page for every general officer and
      every wing commander. Check out http://www.af.mil/bios if you're

      And yet
      listed only 75 computer security bios when I looked. Many of those
      were stub articles, devoid of content.

      But there's the rub -- by all indications, computer security experts
      seem obsessed with their own privacy. They'll blab about their life
      & career every time they give a computer security lecture, then clam
      up when you ask them for the same information in writing.

      Case in point: when we pointed our April Fool's cannon at the CISSP
      organization in 2005, a staff lawyer (!) hounded each of us to
      protect their members' privacy. "You can't publish our members'
      publicly viewable data!" their staff lawyer screamed.
      http://Vmyths.com/mm/whisper/2005/0401/cissp.txt offers just the
      farcical tip of the iceberg.

      Hmmmm... CISSP staff lawyer Dorsey Morrow doesn't YET boast a Wiki
      bio. Ten bucks to the first person who builds a legit
      (repeat "legit") stub page for him.

      "But Rob," you moan. "Wikipedia doesn't have a bio page on you,
      either!" They enforce a rule against autobiographies, else I
      would've written a screamer. Schneier tasks a PR team to keep his
      Wiki page updated, and I envy him for that. So why hasn't Symantec's
      PR team given Nachenberg a bio page? (That's a rhetorical question,
      of course. The answer is "privacy.")

      Computer security experts treat their own bios as security-through-
      obscurity, and that's BS. The antivirus industry almost universally
      believes Russian virus expert Eugene Kaspersky is a (former?) KGB
      mole. Why doesn't his bio mention the KGB? Scott Culp is arguably
      the third most influential person on Microsoft's security team after
      Jim Allchin and Matt Braverman. Allchin has a Wiki bio; why not Culp
      and Braverman?

      And where is Jimmy Kuo's Wiki bio? He's managed antivirus projects
      over the years that impacted more than one hundred million PCs,
      including top secret computers deep within the Pentagon. He
      continued to advise White House flunky Richard Clarke on cyberspace
      security matters *after* the FBI investigated his alleged involvement
      with the Chinese government when "The China Syndrome" scandal came to
      light. In 2006 he jumped ship from McAfee to Microsoft. At the
      expense of repeating myself: WHERE IS JIMMY KUO'S WIKI BIO?

      "You're the critic, Rob. Why don't YOU write their bios?" Wikipedia
      demands a neutral point of view (their "NPOV policy") in every
      article. I've written waaaaaay too many critical columns on waaaaaay
      too many people in the computer security industry. At best, I could
      make "minor edits" to fix a broken link in someone's bio.

      The beauty of Wikipedia's NPOV policy is that, if you're not a
      neutral party, you can be quoted and referenced! If someone else
      writes the bios, feel free to cite my columns out the wazoo.

      Ten more bucks to the first person who builds a legit page for me.
      Make sure you include the Wired magazine reference to my secret CIA
      job (http://Vmyths.com/column/1/2003/6/16). Another ten bucks to the
      first person who posts ten pithy quotes of mine on WikiQuote under
      the "Computer scientists | Critics" subcategory. A bonus buck if you
      include my "instantaneous manifestation" poker quote at

      "Rob, you sound like Stephen Colbert." Yeah, we both live for the
      deadpan parody...

      Nuclear warhead antivirus update... Airmen capture insurgents'
      mainframe, CD-ROM duplicator... Unsecured home networks open door for
      court-martial... Visit http://www.HumorControl.org/usaf/photo for
      some very funny "recaptioned" Air Force photos!

      Join the free all-humor computer security newsletter! Visit
      www.HumorControl.org for details.

      Some of the major computer security firms maintain a daily alert
      status for computer security threats. Symantec and ISS maintain
      an "AlertCon" (alert condition), SANS and the U.S. military maintain
      an "InfoCon" (information condition), and so on. In January 2005, I
      posed a question to the folks who fix the daily popular alert status
      values. I made a simple request for a history log of each firm's
      alert status.

      Of all the firms I contacted, ONLY Kaspersky Labs offered to provide
      a history log for their daily alert status. Some firms (e.g. SANS)
      didn't even bother to respond. Others (e.g. ISS) claimed they could
      only provide a history log to people who subscribe to their
      intelligence products. The U.S. Air Intelligence Agency refused to
      provide a history log for reasons of national security.

      So, I assembled my own history log of the daily alert status for
      various firms. We'll review them over the next few issues of this
      newsletter. Please note that I built my history logs by studying
      websites with my bare eyeballs, so there might be a few human errors
      (plus the occasional out-of-pocket road trip). Let's begin with an
      overview of Trend Micro's and Kaspersky Labs' daily alert status for

      I can sum up Trend Micro in a single sentence. For all of 2006,
      http://www.TrendMicro.com/vinfo read "No Malware Alert: There are no
      medium or high risk alerts at this time." Ta da! End of story.

      Okay, now let's cover Kaspersky Labs, whose "Virus Activity Code"
      appears on the left side of http://www.Kaspersky.com . They started
      off 2006 in an orange, or "moderate," alert status. They downgraded
      to green, or "Normal," status on 1/13/06 with no explanation. On
      1/25/06, the status remained green but they highlighted the Nyxem.e
      worm as an "informational" alert. On 1/27/06, they added the
      GPCode.ac virus as another informational alert.

      On 2/1/06, Kaspersky raised its alert status to red, or "severe," due
      to the Nyxem.e virus. They returned to green on 2/6/06 because "the
      destructive payload will only activate when a machine is (re)booted
      on the 3rd of each month, [so] the direct danger is gone, for now."
      But the green status only lasted one day: on 2/7/06, the Bagle.fi
      worm convinced them to declare an orange alert. They returned to
      green on 2/16/06 with Nyxem.e listed as an informational alert. On
      3/3/06, Nyxem.e dictated a return to an orange alert, while on
      3/7/06, Kaspersky declared "virus activity is normal."

      The alert remained normal through March, April, and May, with only
      the Mytob.eq worm showing up as an "informational" alert. Things
      changed on 6/2/06 when Kaspersky declared an orange alert over the
      GpCode.ae virus. On 6/5/06, they raised it to red, or "severe," over
      both GpCode.ae and GpCode.af. They suddenly returned to a green
      status on 6/14/06, leaving GpCode.af as an "informational" alert.

      On 6/21/06, Kaspersky declared an orange alert over the Bagle.fy
      worm. The alert returned to green sometime during the July 4th
      holiday weekend (I don't know exactly when because I'd gone out-of-
      pocket for a vacation). The status remained normal through July &
      August. It suddenly jumped to red, or "severe," on 9/25/06 due to
      the Warezov.at worm; it just as suddenly returned to green on
      9/30/06. But green would only last for two days. On 10/2/06, the
      status turned orange due to six variants of the Warezov worm.
      Kaspersky returned the status to green on 10/4/06, with the same
      alerts downgraded to "informational." The alert status stayed green
      through 11/6/06.

      On 10/27/06, the status remained green but Kaspersky added the
      Warezov worm as an "informational" alert. It remained green until
      11/7/06 when Warezov moved up to orange. Warezov was downgraded
      again to "informational" and the alert became green on 11/23/06. The
      alert remained green for the rest of 2006.

      Are you a whistleblower or industry insider? Got a scoop or some
      dirt on the computer security industrial complex? Email it to
      Whisper@..., or mail documents to 1089A Alice Dr.
      #311, Sumter, SC 29150. ALL sources will remain confidential.

      That's enough for this edition. My best to y'all. Please keep
      fighting the virus hysteria.

      Rob Rosenberger, editor

      --------------- Useful links ------------------

      A-Z list of computer virus hoaxes

      How to spot a hoax computer virus alert

      Reduce virus hoaxes inside your company

      False Authority Syndrome

      Hoaxes NOT related to computer security

      Comedy vs. virus hysteria? Believe it!