Randy Abrams, Director of Technical Education at ESET, recently took the time to answer a few questions and chat with us here at The Tech Herald about security myths and Google’s new Chrome browser.
Randy Abrams of ESET takes time to talk to The Tech Herald. (IMG: J. Anderson)
Abrams explained his job as something that requires him to translate a lot of technical information and jargon into something the average user can understand.
“I have a weekly podcast as well as contributing to the ESET blog. Occasionally I present for computer user groups. Askeset@eset.com was created specifically to field questions from users,” he explained.
So what is the most common problem he sees when dealing with end users?
“The most common problem I see is a lack of computer education. There are still many users who do not know that malicious software can steal their bank account information if they log onto their bank's web site on an infected computer. It is hard to make the argument that end users don't want to be educated when they don't even know they need to be educated. Given the prevalence of work being done at home on PCs, businesses who do not provide security education for their employees put themselves at risk.”
So what has ESET been up to lately? What’s new that people should be aware of?
“ESET has long led the industry in the use of technologies that frequently allow NOD32 and ESET Smart Security to detect new viruses before we even have signatures. The technology is called heuristics and there are many different heuristic techniques,” he said.
[Most readers might know of NOD32, but the majority of home users may be unaware of the various security vendors. ESET has been around as long as certain other vendors, but spends more time focused on development and product engineering rather than marketing.]
“It is really more what a user doesn't need to be aware of that is most important. As NOD32 and ESET Smart Security update in the background, in addition to new virus signatures, new heuristics are often added to the product as well. When a user purchases ESET products new technologies are added without the user needing to buy the next version to get the benefits,” Abrams added.
Recently, Abrams was quoted in SC Magazine regarding his opinions on Google's new Web browser Chrome. TTH asked him: “Why do you think Google has not updated the Apple WebKit which led to its first vulnerability?”
“My guess would be that Google executives insisted upon a premature release. How much is this blunder actually going to cost Google? Is there a business incentive at this point for Google to get it right in the security space? The truth is that most users have no idea there was a vulnerability.
“The people reading security information do not comprise the majority of internet users. I can easily find a new person each day who does not know that a program can steal banking log on information. It is possible that the developers simply overlooked the fact that they were using a bad code base. This would imply seriously deficient development processes. Neither scenario inspires confidence.”
Following up, we asked whether he thought the small glitches that led to two other vulnerabilities, such as the 'Save As' issue, which was recently fixed, or the '%' crash error, were missed in the QA process.
“First, there is QA, and there is QC. Quality Assurance is a process to assure the quality of the final product. Quality Control is a process designed to find failures in the QA process. Both QA and QC are quite difficult with complex software. The sheer number of possible scenarios to test against makes comprehensive QA and QC extremely difficult, if not impossible. When these odd vulnerabilities are found they get added to the checklists at many companies. Good QA and QC teams will examine their own tests and processes when vulnerabilities in anyone else's product are discovered.
“The "Save as" and "%" problems are understandable, but the use of the code with the carpet bombing vulnerability points to serious deficiencies in QA and QC. Problems like this are generally caused by one of a number of failures. A lack of security training for developers can be one problem, a lack of priority for the QA and QC teams from management can be another problem. Unreasonable release time constraints can force QA and QC failures. The skills of the employees working in QA and QC are a factor as well. Vulnerabilities are going to be found in all browsers. It truly was the use of the code with the carpet bombing vulnerability that points to a significant problem, so far.”
So what should Google do to ready Chrome for mainstream use?
“Beta products are rarely viable for mainstream use,” said Abrams. “Relatively speaking, Chrome is probably already viable or close to viable, if you would say that IE 3 was viable for mainstream use in its day. I expect that more vulnerabilities will be found, but not at an alarming rate. Google's privacy track record is probably a more significant issue for those considering the use of Chrome than their security track record. I would be concerned about what may be monitored and tracked by Google.”
Moving on from Chrome, we then asked about Mozilla's Firefox and Microsoft's Internet Explorer browsers. What should users on either of those platforms do to harden them and stay safe when surfing the Web?
“First and foremost, make sure that you keep your operating system and applications up to date,” he points out.
This is because a vulnerability in iTunes might not be an issue until the user visits a malicious Web page that exploits it. The malicious site is useless if the browsing software is patched.
“Using the most recent released version of a browser is also important. The browser developers have learned a lot of lessons and the newer versions incorporate better security models. Personally, I don't browse the web without using a sandbox for the browser. A sandbox can dramatically mitigate damages from malicious software; however users need to empty the sandbox regularly,” Abrams continued.
[Sandboxing is a way you can protect your computer by creating a one-time only environment for the surfing session. You see this in some of the new specs for Internet Explorer and even in the way Google’s Chrome deals with tabs. Mozilla is working on it as well.]
“Discretion in which websites a user chooses to visit is important. While not a guarantee of security it reduces the number of attacks a user will experience. Double checking the URL you type in can also be of benefit due to the practice of registering websites because they are common typos made when users type in popular websites.”
Moving from business to personal matters, we then asked Abrams what's in the news lately that bothers him the most?
“That would mostly be political news. In security there has been a disturbing trend toward the ignorant advice or encouragement of people to use less defense in depth rather than more. Rather than presenting white listing technologies as an added layer of defense, a segment of that industry attempted to present it as a replacement for antivirus. Aside from the fact that white listing companies use antivirus software extensively, the technology is not failsafe.
“White listing and Anti-virus are complementary technologies. Others have correctly pointed out that all antivirus software misses some threats, but then draw the incorrect conclusion that it is therefore useless. This is like removing brakes from cars because they often don't stop a car in time to prevent an accident. Users do need to know that no antivirus product catches everything, but antivirus software is a part of owning a more secure computer.”
Bearing that in mind, we asked the interview's final question: Can you name five security myths you want to see expunged from the public?
Secure: “There is no perfect security. No single product can assure computer security. Using a variety of techniques, including education, software, and sometimes hardware as well, we can increase security, but risk cannot be completely eliminated. Security is the process and practice of managing risk.”
Anti-virus companies make the viruses to sell their products: “If one believes this, then logically they must also believe that doctors make people sick to collect money from patients, or that firemen start fires so that they'll have a job.
“A small amount of rational thinking will yield the conclusion that it would be a very bad idea for an antivirus company to make viruses. The word will get out and there will be serious ramifications if companies do that. It's also a really bad business model to pay people to write software that others are writing for free. There are more samples than the industry can keep up with. We don't need any more.”
If someone can write a virus they will be good at writing anti-virus: “Many viruses are buggy programs. The virus writers do not need to know how to write quality software in order to write viruses. The skills required to write antivirus software are very different from and far exceed the skills required to write a virus.
“Causing damage is easy. Just because a person can disassemble a car it doesn't mean they can build one. All that is required to write a virus is a simple set of commands that makes some software add itself to a limited set of other programs… repeatedly. Writing antivirus software requires a much, much higher level of knowledge of operating systems, applications, logic, statistical analysis, and other information than writing a virus does. As an industry virtually no antivirus company will hire a known virus writer for both ethical and technical reasons.”
I can click on any file I want to because I have antivirus software: “The most secure user is an educated one. Educated users understand that how they use their computers is the biggest factor in their online safety. Antivirus doesn't catch everything and cannot possibly protect against poor security habits.”
Product X is best because a test proved it: “There are a number of aspects of antivirus testing that affect the actual quality of the test. To choose a product based upon the results of a single test, or even a few tests is almost like picking a stock based upon its performance for one day or one month. The difference is that the stock's performance can actually be effectively measured. The quality of anti-virus tests varies greatly from tester to tester, but most people fail to consider things, like files that are not viruses being included in the test.
“How a test set is collected makes a big difference too. If one or two products are used to identify samples they will of course score better than other products that may have much better detection when an appropriate test set is used. Generally, with the best of tests, a 10% difference in detection results is too close to be able to say which product actually has better detection over all. The sets used have inherent biases and even at 2 million samples are too small to be authoritative in determining what product detects the most threats in the world.”
Many thanks to Randy Abrams for sparing The Tech Herald some of his valuable time to discuss business and personal online security issues.