Hurwitz & Associates has been running an IT security campaign: "AVID: Anti-Virus Is Dead" for some time. The argument is based on the principle that blacklists of signatures—small files that contain a unique string of bits, or the binary pattern, that identifies all or part of a virus—do not, and cannot, provide adequate …
Is this an advert/joke?
I won't pick it apart but I did manage to read as far as "Since the network cannot be breached..."...
Why mention all the other revolutionary 'features' that this product offers if this is the case? Surely if someone has come up with a product that simply prevents networks from being compromised then that's big news!
Or maybe that's a load of rubbish...
Anti-Virus is dead
While I agree completely that the concept of "anti-virus" signature-based protection is seriously flawed, you have to ask yourself who uses this anyway?
I know of only one OS that makes use of AV software, and we all know which one that is. The only reason anyone runs AV software on any other OS is to protect Windows machines that are sitting behind it on the network, or to stop annoying (but otherwise harmless) traffic from compromised Windows machines outside of the network!
For example, I have run a small server that has sat on the internet 24 hours a day, for the last 2 or 3 years. It doesn't need AV software chewing up processor time. It doesn't need anti-rootkit software running. It doesn't need anti-anything_else software running. All it needs is some decent packet filter rules and a sensible approach to running the services that it does (web, email etc). It has never been successfully attacked. Ever. It runs OpenBSD. Could I make this claim if it ran (say) Windows? I somehow doubt it.
So yes, sig-based AV is indeed "dead" (was it ever "alive"?), and it is indeed akin to plastering over an open wound. The obvious answer is not to use different tools though. The obvious answer is to remove the systems that are vulnerable and which need this huge effort to keep them from being attacked in the first place! The problem is not the tools. The problem is the OS.
I wonder if there is any real news on this site anymore
AV Not needed?
"Since the network cannot be breached, signature and characteristic-based techniques are not needed."
So how does the organisation defend against known virus laden emails / links to trojan installers that slip through spam filters?
I'm fully aware that the anti-virus thing is a bit of a con-trick as any new virus in the field will not be picked up by such systems until the signatures are updated. This means that the best way to avoid such things is to not open any unknown email, don't follow links in emails (reading all email in text helps), don't browse to unknown sites etc.
The only problem in any company is that no matter how many times you tell/warn/beat people, they will still fall for the same social engineering tricks time after time. Simply installing such a device won't protect the network from anything introduced inside by third parties (intentionally or unintentionally) so having it and feeling completely secure is as bad as having AV software and feeling completely secure.
Re: doesn't need Anti Rootkit software
Strange how someone can use the term root-kit talking about Windows, since Windows doesn't have a "root" account as such! So somewhere the term has been borrowed because it describes a mode of attack on a system with a root and there are root kits available for
Of course if running a version of Linux there is absolutely no way you would ever have to disconnect half your servers from the world because they had become compromised, is there?
And if they can't keep their servers patched, what is the likelihood of the average home user doing so, should they all start leaving Windows?
chkrootkit is a Linux tool used to detect rootkits on, well, Linux. These threats existed long before the Windows rootkits became prevalent. Not that long ago an alpha version of a proof of concept rootkit for NT was available. That was the first, AFAIK.
Re: Advert? by Alex Hawdon
Following on from his / her point (this does seem like it was just pasted from the company's Press Release page), will this application prevent espionage? Will it prevent malicious intent by authorised users?
If not, the network can still be breached. EDUCATION is the way to prevent exploitation and compromise of any network. Learning how to set it up properly, teaching staff how to operate securely.
Saying that, though, "You ask me to show you a totally secure network, and I'll show you a stack of kit still in the box."
Run BSD then :p
Quote from page 1:
"A hacker does this by sending a SYN packet to every port on the server. If the server sends back a SYN/ACK (synchronization acknowledgment) packet from a particular port, the hacker will believe that the port in question is open and can therefore be attacked. By sending multiple SYN packets to the server, a server can quickly become overwhelmed and a denial of service attack can be achieved."
Yeah right, well I wish them good luck breaking a BSD box that way ;)
You can configure it to limit the number of ICMP packets it'll send back, to drop packets to closed ports instead of sending a RST without using a firewall, to expire routing table entries much quicker than usual when there are too many of them...
Interesting article, but I feel secure enough here
The antivirus argument is one thing but suggesting that a server can't be attacked in other ways is just ridiculous. You might think your OpenBSD server is locked down tighter than Fort Knox but there have been many vulnerabilities in software like Apache, Sendmail, Postfix, PHP and Bind that have all allowed attackers to gain root access to servers. The amount of spam alone coming from compromised mail servers is truly staggering. Besides which, rootkits exist for every OS, OpenBSD included. The fact you haven't been rooted yet is more of an indication you've been lucky rather than clever.
I have to say what Rich is proposing is utterly ludicrous; he's saying that the victims of malicious software are to blame, not the people that commit the crime. "If only they'd used my OS" is the call of the crazed evangelist. Blaming the victim is no different than saying purse snatchers are innocent because you shouldn't be carrying anything worth stealing. The idea that you simply remove the systems prone to infection (or more properly, the systems more likely to be targeted by criminals) is simple-headed crap of the highest order.
Shouldn't this article be retitled 'Press Release'?
get rid of this rubbish please ... this is not news
Re: doesn't need Anti Rootkit software
Not that Mr Miles has much of a point, but just in case he thought he has, he should probably bear in mind that rootkits are bloody difficult to deploy compared to how easy Windows exploits have always been. That's the point - you have to do so much to deploy a rootkit you may as well go create a Windows virus.
And if that's not enough - Windows machines *do* have a root account. It's just that the installer is stupid enough to default to each user being a root user, encouraging standard design patterns for Windows program security that are stupid enough to assume that this is the case...thus making it all worse...etc...
@ Robert Grant
You said, "rootkits are bloody difficult to deploy compared to how easy Windows exploits have always been." Exploits are usually the path via which rootkits and other resident malware are introduced to a system, regardless of the OS. Just check your Unix-based system's SSH logs and you'll see a lot of automated attempts to log in. These are, in my experience, part of an attack that will attempt to drop a rootkit onto the system. In light of that, "you have to do so much to deploy a rootkit you may as well go create a Windows virus" does not make much sense.
Regarding the 'root' account: as we are playing with words here (root -> rootkit), it's only fair to point out that Windows does not have a default account called root. The administrator account is probably what you are thinking of. Mr Miles' point about the etymology of the word 'rootkit' still stands, to my mind, and further support can be found on the net. For example:
"The term rootkit (also written as root kit) originally referred to a set of precompiled Unix tools such as ps, netstat, w and passwd that would carefully hide any trace of the intruder that those commands would normally display, thus allowing the intruders to maintain root access (highest privilege) on the system without the system administrator even seeing them." [Wikipedia]
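As an added illustration of the automated SSH login attempts that post mentions (this is example code, not something from the thread or the product discussed), the script below summarises OpenSSH "Failed password" lines from an auth.log and flags sources that look like credential guessing rather than a mistyped password. The log lines are constructed samples and the thresholds are assumptions.

```python
import re
from collections import defaultdict

# Matches the OpenSSH "Failed password" message after the syslog prefix.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2"
)

# Constructed sample auth.log lines (not real traffic): one source cycling
# through several accounts, one legitimate user who mistyped once.
SAMPLE_LOG = """\
Mar  1 02:14:01 host sshd[4821]: Failed password for invalid user admin from 198.51.100.7 port 51022 ssh2
Mar  1 02:14:03 host sshd[4823]: Failed password for invalid user oracle from 198.51.100.7 port 51040 ssh2
Mar  1 02:14:05 host sshd[4825]: Failed password for root from 198.51.100.7 port 51061 ssh2
Mar  1 02:14:06 host sshd[4827]: Failed password for invalid user test from 198.51.100.7 port 51077 ssh2
Mar  1 02:14:09 host sshd[4829]: Failed password for root from 198.51.100.7 port 51090 ssh2
Mar  1 02:20:44 host sshd[4901]: Failed password for alice from 203.0.113.12 port 40211 ssh2
Mar  1 02:20:50 host sshd[4903]: Accepted publickey for alice from 203.0.113.12 port 40211 ssh2
"""


def summarize_failures(log_text):
    """Return {ip: {"count": failures, "users": set of usernames tried}}."""
    stats = defaultdict(lambda: {"count": 0, "users": set()})
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:  # lines that are not failed-password events are ignored
            entry = stats[m.group("ip")]
            entry["count"] += 1
            entry["users"].add(m.group("user"))
    return dict(stats)


def flag_bruteforce(stats, max_failures=4, max_users=3):
    """Sources over either assumed threshold look automated, not fat-fingered."""
    return sorted(
        ip for ip, s in stats.items()
        if s["count"] >= max_failures or len(s["users"]) >= max_users
    )


if __name__ == "__main__":
    stats = summarize_failures(SAMPLE_LOG)
    for ip in flag_bruteforce(stats):
        s = stats[ip]
        print(f"{ip}: {s['count']} failures across {len(s['users'])} usernames {sorted(s['users'])}")
```

On real logs the same two functions work unchanged; only the thresholds and the log source need adjusting.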
I have a great tool for stopping my network from being breached. A fire axe just this side of the demarc point.
In other news, are we supposed to take them seriously when they don't know how to spell connection?
Jeremiah, you'll find that 'connexion' is an anachronistic, though still valid, spelling.
*Runs to avoid an irate Reg. readers' assault on everything I've ever written*
Fair enough, I should check dictionary.com before flaming next time. But my first point still stands!
"With this in mind, an improved approach is to deploy a perimeter defense system that intercepts penetration testing attacks as they occur, concealing network resources from the hacker and sending back false information. This defense is known as anti-reconnaissance technology."
It's also called a bloody honeypot, you gits. They're well-known among the security-conscious and provide exactly this methodology. They're also open-source and don't require an advertisement.
"I know of only one OS that makes use of AV software, and we all know which one that is."
Well Rich, then perhaps you're not aware of the sendmail-based virus of about 5-8 years ago, if memory serves? A version of sendmail was released that contained a virus. Not intentionally, mind, but the server had been infected. Anyone who performed an MD5 check on it would instantly tell something's wrong. Installing it would compromise the machine, especially if you installed as root (as a lot of programs require to be compiled as root).
If you don't run any anti-anything software, how the bloody hell do you know you're *not* compromised? Gut feeling? Intuition?
What services is your BSD machine running? Let me know, because I'm damned sure I can find a way to break them within a few minutes and gain control. Just because your OS is "great" doesn't mean the entire system is great.
@ Robert Grant
If Mr Grant believes remote exploits are a rarity or any more difficult in Linux than Windows, then he has never followed any of the security notifications – something anyone with Internet-facing servers should do – personally I find it far too much of a pain to wade through so now pay others to maintain servers. Of course if any OS is Internet-facing (same for browsers etc.) but not fully patched then all bets are off as to how quickly they will be hacked.
I wonder if Mr Grant realises that the vast majority of Windows viruses aren't really such – they are more Trojan horses in that they rely on users to actively participate by clicking on them and executing them – and users still do :s Now Mr Grant is going to scream about execute flags etc – but consider this: most users are unable to handle such things as command shells so you'll need point and click installers sooner or later.
And his comment about root accounts – while Windows has an account similar to Unix's root – it is actually called system, so why aren't they called system kits?
But do you know what I find the most amazing thing of the lot – I freelance for a couple of small companies' IT needs and some of these people are as IT illiterate as you can get – I have only found one piece of malware on any of their machines, and that was a scareware "anti spyware" – of course it helps that someone who knows what to protect the machines from has set the machines up.
But I do agree – a lot of Windows issues are because most Windows coders have been able to ignore security – and Microsoft have pandered to them by allowing it to stay open – but Mr Gates is richer than I am.
apples and oranges
People really need to differentiate between servers, always running and always connected to the world, and desktops, not always on and not always connected to the world, and even if they are connected they don't have the same speed or volume of activity in both directions that servers do. You also need to monetize: the use of the server is more expensive and more desirable than that of the average PC desktop. The whole idea behind rootkits is to be able to use a server for your own purposes, not stop it cold, not even to spy on it, but to literally deliver a payload to all the clients. Rootkitting is difficult; the easily obtained ones are just as likely to destroy the server's setup as deliver it secretly usable. It's like picking a troll's pockets: it's nearly always worthwhile but it's not easy, and if you get caught you may end up eaten. In other words it's not an activity that's normally left to automation, because automation doesn't work that well, while your average desktop isn't really that hard to compromise and isn't worth that much, so if you beat the automation you're probably safe. Linux beats the automation most of the time, but not server-class special human-led attacks; no one is perfect on that score, so comparing the levels of security doesn't really make any sense. Got it?
This will prove to be
Yet another security technology that was developed by scores of men and women, spending millions on R&D and was years in the making, only to be defeated in 3 days or less by a 13 year old!
As for the whole "AV is dead", that too is bullshit. The only way you'll ever create a network secure enough to not ever need even antiquated signature-based AV is to create a network without users. The biggest security risk, still today, is not attack from the outside world, but clueless navigation by the herds of f*cking retards that are end users.
Computers are just like guns: to this day, I've never seen or heard of a person getting shot or killed by a gun without there being human intervention! And to this day, I have never seen a computer become infected without first being fondled by an idiot!
Try it as you might, you'll always find a jackass behind the trigger!
To add a point to the "My OS is Better" fight, honestly there is no one that is better than others; all OS's, period, have flaws, they can all be compromised. The biggest reason MS security flaws make more headlines and seem as though they get hacked more than any other OS / software vendor is because MS has 97% of the market share! Other OS's are just as flawed, people just don't give a shit nearly as much; every time you start to read stories about random_OS_01 starting to make headway in the market, gaining market share, there will inevitably be a volley of newly discovered security flaws in that software...
Wow, an "Art of War" reference in a security press release. How original.
Congratulations on finding a new barrel bottom to scrape.
Let's just get this straight, Sun Tzu was a martial artist who lived around the time of Jesus. He didn't know much about IT Security, it was NOT designed to be related to the Internet. Moreover, he would have been ashamed to be associated with this crap.
I'm bored of seeing him dragged out every fricking time someone lacks the imagination to think of their own analogy.
Come on Register, we deserve better than this. Next week, how "70% of attacks are internal". Argh!