Symantec: Don't blame us for New York Times hack Symantec has taken the unusual step of commenting on a story about a customer, issuing a robust statement denying its anti-virus products were to blame for sophisticated targeted attack on the New York Times. The Gray Lady revealed yesterday that it had been persistently attacked for four months by China-based cyber insurgents …
Well to put faith piece of software to do all the protection when they know they been getting attacked consistently for months. Seems Like NY Times dropped the ball on protecting their networks. Granted Symantec is not the greatest software, but even the best software has flaws and holes that will be found. Less the IT staff takes steps to protect the network this will happen.
Over the course of three months, attackers installed 45 pieces of custom malware. The Times — which uses antivirus products made by Symantec — found only one instance
I'm no fan of Symantec, and don't use antivirus products myself, but with such a poor performance, I wouldn't be so fast to blame Symantec. There is something else wrong here. Someone dropped the ball and is trying to blame someone else.
4 real mistakes here:
- Going on the article, there appears to be no layered security here, and none upstream either. In particular IDS appears to be missing or non-operational.
- Passwords stored on the site hosting box? In the clear? One would hope not.
- APT's as pretty much designed to bypass AV signatures, and *all* AV products have pretty poor heuristics.
- No apparent security or escalation processes in place, and it's all been dumped on the IT guys as "their problem". And if it was their problem, how did they not notice? Poor logging & alerting?
As if to re-iterate its message on the prevalence of advanced targeted attacks, Symantec warned in a new blog post published on Friday of a sophisticated spear phishing campaign targeting the directors and VPs of aerospace and defence firms.
You might like to consider that as an irregular and unconventional CV submission from that/those which targeted firms/beings [for no matter how continentallly big or beautifully small a business/operation/administration be, there is always just one final decision-maker/event producer in overall remote control of collective distributed power] need, in order to remain at the forefront of lead, even though the actual reality be that they be following leads sublimely delivered to them by that/those which are simply reprogramming second and third party prime base metadata instruction sets for reinforcing compatibility guaranteeing preeminent dominance in first party power generation and supply ... Intelligent Source Output Systems Input, for both constructive and disruptive and even destructive recursive methodologies which deliver progressing learning memes which have analysed and incorporated, or discarded as unnecessary, competitive contemporaries' chains of intelligence supply for universal control of globalised circles of command and contro/Earthed SCADA Systems Admin. ........... which offers and is a somewhat spooky alien control of humanity with Advanced Intelligence?
And delivered there as a question because a statement wouldn't provide y'all with future answers for media and news presentations which replace the past with what is to be.
To think and try to maintain and retain a current dominant and preeminent position/situation from the past, for a present which is building a more perfect future for all with zero negative historical baggage which remembers and pimps mistakes and traumas of the past, is not an aid to progress into a better future, it is more a corrupt hindrance and perverse tacit admission of bankruptcy in Intellectual Property Supply and Internet Server Service Provision, which condemns one and all so decidedly controlled and designedly entertained to stagnate and be petrified/terrified/terrorised.
Which very much appears to be the current present overall position/situation whenever on ponders and contemplates/analyses and deconstructs the bigger pictures being broadbandcast to you via media and news?
All news is lies and all propaganda is disguised as news.-- Willi Munzenberg .... Amen :-)
You can avoid reality, but you cannot avoid the consequences of avoiding reality. …. Ayn Rand ..... Hallelujah :-)
And aint they diamond gems in the truth of reality.
AV software is only part of a security organization.
I'm trying to think of a suitable analogies
Best I can think of for the moment is that just because you have an immune system doesn't stop you wearing gloves when you clean up dog mess.
Or blaming the manufacturer of a safe that got robbed when you hadn't put on the burglar alarm or locked the back door.
Most of the time you don't notice your immune system working as its just doing its job.
Only when it begins to struggle do you remember its there.
Sometimes it deals well with a virus only to have some other human alter the virus just enough to let it slip past the next time you catch it.
I'm so glad my immune system doesn't tell my via a pop-up every time it deals with a problem - it would be an endless stream.
The company I am currently at use Symantec End Point security with all the bells and whistles turned on and it did not stop or detect the recent Java exploits, the only thing that did was the FireEye boxes we have recently installed.
The FireEye boxes are in detect mode only (evaluation going on) so we found out about it but a number of PC's had already been infected by that point. Without FireEye who knows how long it would have been.
anon: The company still pays me.
CVE's arent always submitted/approved for release before disclosure happens... and possibly some are disclosed against 'ethical standards', so they wouldnt exist in the CVE databases until they're classified 'in the wild'?
However decent heuristics solutions... should... at least, detect and prevent unusual 'activity' at minimum, in the event of attack... at least, it then should isolate the issue before its allowed to spread?
Caution should always be taken with infected machines, since spreading methods seem to have multiplied and mutated.
HIPS may also use a form of signature based heuristics? Some in depth tools... can sometimes detect unusual processes/dlls loaded into processes or even modifications of files... that are running (although, it can quarantine "false positives" for 'abstractly designed/placed files')
Rootkits on the other hand are slightly more advanced once they infect.
Quick! Get out the hex editors! All hands on deck, run for the hills, batton down the hatches and so forth!
innanigans that goes on in Board Rooms when they ask why should they spend money on IT Security - it doesn't provide any income.
Yeah, but it stops losses - as long as you have defence in depth. And for that these days should be starting outside your front door.
Oh and how about some regular deep dive helath checks?
When will VPs, CEO etc realise that Security costs - a bit like insurance. You hope you will never need it, resent the cost because you don't use it..... but round that corner
Symantec is right.. most companies tend to install AV on a basic level and forget it. When new features are added, companies tend to ignore them.. up until there's a massive failure of the signature-only detection, and then they blame the product and shitcan it, replacing it with something else which may be no better.
Obviously, defence in depth is better.. especially against APTs. What strikes me as odd though is that Symantec did actually seem to detect part of the attack. It was probably therefore a failure of the NYT that they didn't properly investigate the malware incident (unless of course that's how they discovered it!)
Apart from Symantec / Nortons being a bit crap
Several years ago while working for another newspaper group we deployed some Finjan boxes to check all content passing through the proxies.
Firstly the Finjans ran 2 AV solutions to try and reduce the chances of a single vendor missing something (of course the regular IT people objected to us (networks) sticking their noses into AV)
The desktop client machines used yet another AV product to give a third check.
Even with sand boxing and heuristics the Finjan kit we didn't thing we where 100% safe but at least we made some effort.
When we installed the "endpoint security" from a well-known AV vendor - some internal applications stopped to work. Tracing what was happening, we found that the tool was blocking HTTP connections (to internal servers) without notifying the user. Most notifications are turned off by default, and simply the applications seemed to stop working. Moreover its "reputation" system when attempting to download some tools that can be classified as "hacking tools" but may have legitimate uses by sysadmin, was damaging downloads once again without notifying the user, we got corrupted zip files only instead of a message telling what was really going on. These behaviors by default are really stupid - people will just find the computer is running slower, application that was working now don't, and downloads gets corrupted. Without a proper explanation on what's happened, the average user will just think the "endpoint security" is just crapware, and disable it. Software vendors should stop to think they are smarter and they can outsmart the user. This way they are just delivering silly solutions users are not going to use because of that.
If you are a high profile business user, you have a duty of care to your share holders to secure your network and therefore not to deploy a platform that is the target of the greatest number hacking attacks.
Strangely, even though the above statements have been released, the majority of AV vendors like to trumpet their zero day abilities, until that is, the zero day performance is actually exposed.
... like the ADE 651
http://en.wikipedia.org/wiki/ADE_651
or the Sniffex
http://en.wikipedia.org/wiki/Sniffex
although those are marketed as bomb detection devices, those work just as well on cyber-threats, and probably a lot better than AV software, no matter what vendor.
Now, obviously I tend to agree with comments above that the statement from NYT sure sounds naive to say the least.
However.. Its also fair to note that these days you don't get "virus scanners" anymore; no, you get whole "Internet protection suites", just check the product page of Symantec's Antivirus 2013: "Harness global power – only Norton™ can bring you the ultra-fast Network Defense Layer to block a multitude of threats before they can even touch your PC.
Or what to think about: "Protection from the future, available today – our exclusive reputation and behavior antivirus technology are so advanced that they can stop online threats that bad guys haven't even created yet.".
If you boast like that and something does go wrong, you're bound to tick someone off who's not going to sit quiet and simply blames himself.
But ask yourself this?
How did these machine get the AV in place?
Poor policies on the PC's (Admin privileges, rights to install)?
Access to run scripts on websites?
No lock down when out of office.
AV is a last line of defence, these days it should be RARE to get malware on a network, not the norm.
I understand what Symantec are saying , but the essence of IT security is about defence in depth. Each layer must do it's part. WSJ is expecting their AV scanner to detect malware , well it should shouldn't it ? True it shouldn't have been the only hurdle to cross , but Symantec cannot shrug their shoulders and say 'yeah well we kind of expected something else to deal with that".
New malware is created thousands of times per day. Symantec and other AV companies (but not all), issue new AV updates HOURLY. If an entitiy isn't smart enough to update their AV software every few hours or automatically, then they can expect to get hit time after time because they are reactive and not pro-active.
Google: Symantec Sucks.
Documentary blog should be top hit.
There's a special spot in Hell reserved for the management and staff of Symantec circa 2005-2008. They contributed so much misery to society (especially to those running NAV '07) that they can never make adequate amends.
We encourage customers to be very aggressive in deploying solutions that offer a combined approach to security.
Why doesn't Symantec sell such solutions? They only seem to sell individual products. Can I go to a Symantec rep and hire a consultant from them?
I would like to see what John Thompson's company uses in-house. They most likely use Windows, if for no other reason than to test their products, they would definitely use their own products rather than pay a competitor to use theirs, and we don't hear about them falling prey to attacks.
Watching administrator friend dealing with personnel, from columnists to graphics interns (removed AV because Mac has no virus) on a politically attacked newspaper tells me this time, symantec is the victim.
It is not NY times. A third world newspaper dealing with major powers.
You have to understand the wrong beginnings of computers in such organisations. They started as "cool electric typewriters" and for most, stayed that way.
I am sure if you visit the Guardian etc, you will sure see absurdly unprotected computers, people insisting to forward all their mail to gmail, people being bugged by antivirus installed to their macs while it has no effect in ordinary use etc.
The Register - Independent news and views for the tech community. Part of Situation Publishing
Join our daily or weekly newsletters, subscribe to a specific section or set News alerts
Subscribe
