ISSG Magazine – Malware

The following introduction was originally published in the BCS Information Security Specialist Group Magazine, Spring 2006 issue:

Dubious Anniversary
The PC virus turned twenty this year. The Brain.A virus was first discovered and identified on the 19th January 1986. Twenty years on, how have things changed?

For the viruses, worms, Trojan horses, malware, spyware, adware, bots etc. it’s been a wonderful two decades; growth, development and migration to new platforms.

For the writers, a chance to move from earning kudos to earning cash; working with spammers, porn peddlers, extortionists and organised crime.

For the vendors, it’s been a goldmine; growth and development of threats, along with new platforms to be affected and infected, means more products and updates.

For the media, scare stories sell; they’re easy news, often written by the vendors.

For the users, we suffer more as things become more interconnected and technology ‘progresses’; we buy, install and maintain firewall and anti-everything (virus / spyware / adware / spam etc.) software with no hope of respite.

0-day Troubles
As more and more vulnerabilities are discovered, how can users, both domestic and corporate, be expected to keep up with the ever-increasing need to patch, and to patch quickly? The vulnerability-to-exploit window is becoming narrower.

0-day vulnerabilities, such as the recent one related to the Microsoft Windows Metafile (WMF), show that some people are looking for gain, rather than fame, when they discover a vulnerability. The vulnerability-to-exploit window is closed.

As vendors, such as Microsoft and Oracle, are moving to monthly patch release cycles, some undesirables are using their computer skills to make a profit, selling exploits for unpublished and unpatched vulnerabilities.

Reliance on patching is unlikely to be viable in the long-term. We need defence in depth, combined with systems which are less susceptible to compromise; possibly with an improved architecture and trust model, where the scope for software negatively impacting a system is considerably curtailed.

Who are you?
The National ID card continues to spark heated debate with frequently polarised opinions. One issue, with its semantic word games, is about how much the scheme will cost, and who pays. What both sides of this argument have failed to publicly address is the difference between cost and charge.

The ‘user’ may be charged a certain amount when they apply for a card. This is unlikely to represent the full cost, which will be hidden within the machinery of government. What is certain is that the taxpayer will foot the full cost of the scheme, either directly or indirectly, whatever the charge is.

Another issue, which goes beyond a debate about whether National ID cards are a good or a bad thing, is about what information will be stored in the National ID Database. Only a small number of data types are necessary, or indeed proportionate, to ‘establish identity to a high degree of assurance’.

What has been proposed, discussed and suggested, by government representatives, represents a massive expansion in what information is stored, over what is required to prove who you are. It is time the debate took a look beyond the card and looked at the data, and how your data may be used.