All posts

Anti-malware is just one part of the picture

 
Beefing up security advice with facts

Latest reports now online for enterprise, small business and home users.

At SE Labs we spend our time testing things that are supposed to protect you but we also understand that securing your business, or your home network, is never as simple as installing one or more security products.

The risks are many and varied, but the ways to mitigate them are often most successful with a good dose of common sense as well as the appropriate technology. You just need to think things through carefully and make sensible decisions.

Continue reading “Anti-malware is just one part of the picture”
All posts

How can you tell if a security test is useful or not?

How to tell if security test results are useful, misleading or just rubbish?

Latest reports now online.

In security testing circles there is a theoretical test used to illustrate how misleading some test reports can be.

The chair test

For this test you need three identical chairs, packaging for three anti-virus products (in the old days products came on discs in a cardboard box) and an open window on a high floor of a building.

The methodology of this test is as follows:

  1. Tape each of the boxes to a chair. Do so carefully, such that each is fixed in exactly the same way.
  2. Throw each of the chairs out of the window, using an identical technique.
  3. Examine the chairs for damage and write a comparative report, explaining the differences found.
  4. Conclude that the best product was the one attached to the least damaged chair.

The problem with this test is obvious: the conclusions are not based on any useful reality.

The good part about this test is that the tester created a methodology and tested each product in exactly the same way.* And at least this was an ‘apples to apples’ test, in which they tested similar products in the same manner. Hopefully any tester running the chair test publishes the methodology so that readers realise that they have carried out a stupidly meaningless test. But that is not a given.

How to tell if a security test is useful

Sometimes test reports make very vague statements about, “how we tested”.

When evaluating a test report of anything, not only security products, we advise that you check how the testing was performed. And check whether or not it complies with a testing Standard. The Anti-Malware Testing Standards Organization’s Standard (see below) is a good one.

Headline-grabbing results (e.g. Anti-virus is Dead!) catch the eye, but we need to focus on the practical realities when trying to find out how best to protect our systems from cyber threats. And that means having enough information to judge a test report’s value. Don’t simply trust blindly that the test was conducted correctly.

*Although some pedants might require that the tester release each chair from the window at exactly the same time. Possibly from windows far enough apart that the chairs would not entangle mid-air and skew the results in some way.

Find out more

If you spot a detail in this report that you don’t understand, or would like to discuss, please contact us via our Twitter or LinkedIn accounts.
 
SE Labs uses current threat intelligence to make our tests as realistic as possible. To learn more about how we test, how we define ‘threat intelligence’ and how we use it to improve our tests please visit our website and follow us on Twitter.
 
These test reports were funded by post-test consultation services provided by SE Labs to security vendors. Vendors of all products included in these reports were able to request early access to results and the ability to dispute details for free. SE Labs has submitted the testing process behind this report for compliance with the AMTSO Testing Protocol Standard v1.0. To verify its compliance please check the AMTSO reference link at the bottom of page three of each report or here.

UPDATE (10th June 2019): AMTSO found these test complied with AMTSO’s Standard.

Our latest reports, for enterprise, small business and home users are now available for free from our website. Please download them and follow us on Twitter and/or LinkedIn to receive updates and future reports.

All posts

Big Time Crooks: A Fake Sense of Security

When an online scam becomes too successful, the results can be farcical. And bring a fake sense of security…

In the movie Small Time Crooks, Woody Allen leads an inept gang of would-be robbers who rent a store next to a bank. They plan to tunnel into the vault. As a cover, Allen’s girlfriend (played by Tracey Ullman) sets up a cookie business in the store. Ullman’s business takes off and, to maintain the cover, the gang must work hard. They set up production facilities, hire staff, find distributors and so on.

Why is this relevant? Well, rewind to 2002. The internet had already taken off in a big way. People were pouring online as new opportunities exploded into the public consciousness. Cybercrime was also exploding. The internet presented a new breed of tech savvy crooks with their own set of opportunities. For one gang, an Allenesque adventure was about to begin, bringing people a fake sense of security.

Humble Beginnings

How many times have you browsed a web page that suddenly throws up an alarming warning that your computer is infected? And the only thing that can save you is to immediately buy a special program or call a special number? If you’re up to date with system patches and use a reputable anti-virus solution, you’re rarely in danger from such sites these days.

It was not always so.

For millions of internet users who were running without protection the apparent authority of such “scareware” sites made them act. They downloaded free “anti-virus” software that gave a fake sense of security and infected them with real malware. They parted with real cash and many also paid again to have their computers cleaned by professionals.

Look through the history of scareware, and one company repeatedly appears: Innovative Marketing Inc. This was the name used in US Federal Trade Commission paperwork but the organisation also known by a wide range of other names. Innovative was registered in Belize in 2002.

Despite the appearance of being a legitimate business, its initial products were dodgy. They included pirated music, porn and illicit Viagra, along with sales of “grey” versions of real anti-virus products.

Innovative security

After Symantec and McAfee both put pressure on the company to stop those software sales in 2003, Innovative tried to write its own. The resulting Computershield wasn’t effective as anti-virus protection, but the company sold it anyway as a defence against the MyDoom worm. Innovative aggressively marketed its new product, and according to press reports, it was soon raking in $1 million per month. As the threat from MyDoom receded, so too did profits.

The company initially turned to adware as a new revenue source. This enabled so-called “affiliates” to use malicious web sites to silently install the adware on vulnerable Windows computers. Getting victims to visit those sites was achieved by placing what looked like legitimate adverts on real sites. Click them, and you became infected. The affiliates then pocketed a fee of 10 cents per infection, but it’s through that Innovative made between $2 and $5 from sales of the advertised products.

Fake sense of security

Meanwhile, development of completely fake anti-virus software snowballed at the company’s Kiev office. A classic example is “XP Antivirus 2008”. This also went by a large number of pseudonyms and evolved through many versions. A video of it trashing an XP machine can be found here. Its other major names include Winfixer, WinAntivirus, Drivecleaner, and SystemDoctor.

xp2bantivirus2b2008-7843602

In many ways, Innovative’s scareware was, well, innovative. It disabled any legitimate protection and told you the machine was heavily infected, even going to the trouble of creating fake blue screens of death. At the time, some antivirus companies had trouble keeping up with the rate of development.

Attempts to access Windows internet or security settings were blocked. The only way of “cleaning” the machine was to register the software and pay the fee. Millions of people did just that. The FTC estimates that between 2004 and 2008, the company and its subsidiaries raked in $163 million.

In 2008, a hacker with the handle NeoN found a database belonging to one of the developers. This revealed that in a single week one affiliate made over $158,000 from infections.

The Problem of Success

Initially, Innovative used banks in Canada to process the credit card transactions of its victims, but problems quickly mounted as disgruntled cardholders began raising chargebacks. These are claims made to credit card companies about shoddy goods or services.

With Canadian banks beginning to refuse Innovative’s business, it created subsidiary companies to hide its true identity, and approached the Bank of Kuwait and Bahrain. Trouble followed, and in 2005 this bank also stopped handling Innovative’s business due to the high number of chargebacks. Eventually, the company found a Singaporean bank called DBS Bank to handle the mounting backlog of credit card transactions.

The only solution to the chargeback problem was to keep customers happy. So, in true Allenesque style, Innovative began to invest in call centres to help customers through their difficulties. It quickly opened facilities in Ukraine, India and the USA. Operatives would talk the customers through the steps needed for the software to miraculously declare their systems free of malware. It seems that enough customers were satisfied with a fake sense of security to allow the company to keep on raking in the cash.

Official complaints

shaileshkumar-p-jain-3887344

But people did complain, not to the company but to the authorities. The FTC received over 3,000 complaints in all and launched an investigation. Marc D’Souza has been convicted of his role in the company and ordered to pay £8.2 million, along with his father who received some of the money. The case of Kristy Ross for her part in the scam is still going through the US courts. Lawyers are arguing that she was merely an employee.

Several others, including Shaileshkumar “Sam” Jain and Bjorn Daniel Sundin, are still at large, and have had a $163 million judgement entered against them in their absence. Jain and Sundin remain on the FBI’s Most Wanted Cyber Criminal list with rewards for their arrests totalling $40,000.

bjorn-daniel-sundin-8778038

An Evergreen Scam

Scareware is a business model that rewards creativity while skirting the bounds of legality. Unlike ransomware, where criminal gangs must cover their tracks with a web of bank accounts and Bitcoin wallets, scareware can operate quite openly from countries with under-developed law enforcement and rife corruption. However, the gap between scareware and ransomware is rapidly closing.

Take the case of Latvian hacker Peteris Sahurovs, AKA “Piotrek” AKA “Sagade”. He was arrested on an international arrest warrant in Latvia in 2011 for his part in a scareware scam. Sahurovs then fled to Poland, where he was subsequently detained in 2016.

The hacker was extradited to the US and pled guilty in February this year to making $150,000 – $200,000.  US authorities claim the total made by Sahurovs’ gang was closer to $2 million. He’s due to be sentenced in June.

Fake advertising

According to the Department of Justice, the Sahurovs gang set up a fake advertising agency that claimed to represent a US hotel chain. Once adverts were purchased on the Minneapolis Star Tribune’s website, they were quickly swapped out for ones that infected vulnerable visitors with their malware. This made computers freeze and produce pop-ups explaining that victims needed to purchase special antivirus software to restore proper functionality. This case is interesting as it shows a clear cross over from scareware to ransomware. All data on the machines was scrambled until the software was purchased.

The level of sophistication and ingenuity displayed by scareware gangs is increasing, as is their boldness. You have probably been called by someone from India claiming to be from Microsoft, expressing concern that your computer is badly infected and offering to fix it. Or they may have posed as someone from your phone company telling you that they need to take certain steps to restore your internet connection to full health. There are many variations on the theme. Generally, they want you to download software that confirms their diagnosis. Once done, you must pay them to fix the problem. This has led to a plethora of amusing examples of playing the attackers at their own game.

False sense of safety

It’s easy to see the people who call you as victims of poverty with no choice but to scam, but string them along for a while and the insults soon fly. They know exactly what they’re doing, and from the background chatter on such calls, so do hundreds of others. Scareware in all its forms is a crime that continues to bring in a lot of money for its perpetrators and will remain a threat for years to come.

See all blog posts relating to analysis.

All posts

Anatomy of a Phishing Attack

We look at phishing attack tactics and impact. Who attacked a couple of internet pressure groups earlier this year? Let’s examine the evidence.

It is interesting to read about the public details of an unusually high-quality spear-phishing attack against a low value target. Particularly if you are engaged in constructing carefully-crafted tests of email security services.

Continue reading “Anatomy of a Phishing Attack”
All posts

Who certifies the certifiers?

At SE Labs we test security software and services methodically, realistically and in great detail. Or, at least, we claim to. But how does anyone really know? Do we follow quality management requirements? And what does that even mean?

Testing can be a very process-driven task. If you are going to be fair to every product undergoing a test you need to be consistent with how you run the test as a whole and how you test each individual product. It’s probably best carried out by well-qualified people, then?

You don’t need to be certified to work here…

We figured that as we certify, so should we be certified. As such, for the last few months we have worked towards having our business certified to an international level for providing consistent security testing services.

Another purpose of quality management is improvement. There is always room for improvement in testing, and we constantly strive to make things more realistic, useful and fair for everyone involved.

Quality management certified

As such I am extremely proud to announce that SE Labs has now achieved compliance with the ISO 9001:2015 standard for quality management systems, specifically relating to “The Provision of IT Security Product Testing”.

That means we do what we say we do, and strive to improve.

All posts

Can Microsoft Solve Security?

Windows is becoming increasingly secure. Does this spell the end of third-party security products and services? Can Microsoft solve security on its own?

Continue reading “Can Microsoft Solve Security?”
All posts

The Government Encryption Enigma

Is Amber Rudd right about people wanting weaker encryption? Jon Thompson isn’t so sure.

UK Home Secretary Amber Rudd recently claimed in an article that “real people” prefer ease of use to unbreakable security when online. She was met immediately by outrage from industry pundits, but does she have a point?

Continue reading “The Government Encryption Enigma”
All posts

Quantum Inside?

Is this the dawn of the quantum computer age? Jon Thompson investigates the progress we’ve been making with quantum computers.

Scientists are creating quantum computers capable of cracking the most fiendish encryption in the blink of an eye. Potentially hostile foreign powers are building a secure quantum internet that automatically defeats all eavesdropping attempts.

Single computers far exceeding the power of a hundred supercomputers are within humanity’s grasp. 

Are these stories true, as headlines regularly claim? The answer is increasingly yes, and it’s to China we must look for much current progress.

The quantum internet

Let’s begin with the uncrackable “quantum internet”. Sending messages using the properties of the subatomic world has been possible for years; the security world considers it the “gold standard” of secure communications. Chinese scientists recently set a new distance record for sending information using quantum techniques. They transmitted data 1,200Km to a special satellite. What’s more, China is implementing a quantum networking infrastructure.

QuantumCTek recently announced it is to deploy a network for government and military employees in the Chinese city of Jinan. This will be secured using quantum key distribution. Users will send messages encrypted by traditional means, with a second “quantum” channel distributing the associated decryption keys. Reading the keys destroys the delicate state of the photons that carry them. As such, it can only be done once by the recipient. Otherwise the message cannot be decrypted and the presence of an eavesdropper is instantly apparent.

The geopolitical implications of networks no foreign power can secretly tap are potentially immense. What’s scarier is quantum computers cracking current encryption in seconds. What’s the truth here?

Quantum computers threaten encryption

Popular asymmetric encryption schemes, such as RSA, elliptic curve and SSL, are under threat from quantum computing. In fact, after mandating elliptic curve encryption for many years, the NSA recently declared it potentially obsolete due to the coming quantum computing revolution.

Asymmetric encryption algorithms use prime factors of massive numbers as the basis for their security. It takes a supercomputer far too long to find the right factors to be useful. However, experts believe a quantum algorithm called Shor’s Algorithm will find it easy.

For today’s strong symmetric encryption the news is currently a little better. Initially, quantum computers will have a harder time cracking systems like AES and Blowfish. These use the same key to encrypt and decrypt. Quantum computers will only really halve the time required. So, if you’re using AES with a 256-bit key, in future it’ll be as secure as a 128-bit key.

A quantum leap

2000q2bsystems2bin2blab2bfor2bwebsite-9704561

How far are we from quantum computers making the leap from flaky lab experiments to full production? The answer depends on the problem you want to solve, because not all quantum computers are the same. In fact, according to IBM, they fall into three classes.

The least powerful are quantum annealers. These are available now in the form of machines from Canada’s D-Wave. They have roughly the same power as a traditional computer but are especially good at solving optimisation problems in exquisite detail.  Airbus is already using this ability to increase the efficiency of wing aerodynamics.

More powerful are analogue quantum computers. These are much more difficult to build, and IBM thinks they’re about five years away. They will be the first class of quantum computers to exceed the power of conventional machines. Again, they won’t run programs as we think of them, but instead will simulate incredibly complex interactions, such as those found in life sciences, chemistry and materials science.

The most powerful machines to come are universal quantum computers, which is what most people think of when discussing quantum computers. These could be a decade or more away, but they’re coming. And when they arrive they will be exponentially more powerful than today’s fastest supercomputers. They will run programs as we understand them, including Shor’s Algorithm, and will be capable of cracking encryption with ease. Scientists are developing these computers and the software programs they’ll run. The current list stands at about 50 specialised but immensely powerful algorithms. Luckily, there are extremely complex engineering problems to overcome before this class of hardware becomes a reality.

More news on quantum computers

Meanwhile, quantum computer announcements are coming thick and fast.

IBM has announced the existence of a very simple device it claims is the first step on the path to a universal quantum computer. Called IBM Q, there’s a web portal for anyone to access and program it, though learning how and what you can do with such a device could take years.

Google is pursuing the quantum annealing approach. The company says it plans to demonstrate a reliable quantum chip before the end of 2017, and in doing so will assert something called “quantum supremacy“, meaning that it can reliably complete specialised tasks faster than a conventional computer. Microsoft is also in on the action. Its approach is called StationQ, and the company been quietly researching quantum technologies for over a decade.

Our Universal Future

types-quantum-computers-7915887

While there’s still a long way to go, the presence of industry giants means there’s no doubt that quantum computers are entering the mainstream. It’ll probably be the fruits of their computational power that we see first in everyday life, rather than the hardware itself. We’ll start to see solutions to currently difficult problems and improvements in the efficiency of everything. Expect good things including improved data transmission and better batteries for electric cars.

Life will really change when universal quantum computers finally become a reality. Be in no doubt that conventional encryption will one day be a thing of the past. Luckily, researchers are already working on so-called post-quantum encryption algorithms that these machines will find difficult to crack.

As well as understandable fears over privacy, and even the rise of quantum artificial intelligence, the future also holds miracles in medicine and other areas that are currently far from humanity’s grasp. The tasks to which we put these strange machines remains entirely our own choice. Let’s hope we choose wisely.

All posts

Staying Neutral

Net neutrality is a risk. Is a fox running the FCC’s henhouse?

Net neutrality is a boring but noble cause. It ensures the internet favours no one. So, why is the new chairman of the Federal Communications Commission, Ajit Pai, determined to scrap it?

“For decades before 2015,” said Pai in a recent speech broadcast on C-SPAN2, “we had a free and open internet.

Continue reading “Staying Neutral”
All posts

Infected websites, back from the dead

Forgotten, infected websites can haunt users with malware.

Last night, I received a malicious email. The problem is, it was sent to an account I use to register for websites and nothing else.

Over the years, I’ve signed up for hundreds of sites using this account, from news to garden centres. One of them has been compromised. The mere act of receiving the email immediately marked it out as dodgy.

Continue reading “Infected websites, back from the dead”

Contact us

Give us a few details about yourself and describe your inquiriy. We will get back to you as soon as possible.

Get in touch

Feel free to reach out to us with any questions or inquiries

info@selabs.uk Connect with us Find us