Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
×
Security IT

Google Security Engineer Urges Hackers To Focus Less on Anti-Virus and Intrusion Products (theregister.co.uk) 54

Google senior security engineer Darren Bilby has asked fellow hackers to expend less effort on tools like antivirus and intrusion detection and instead focus on more meaningful defenses such as whitelisting applications. From a report on The Register:The incident responder from Google's Sydney office, who is charged with researching very advanced attacks including the 2009 Operation Aurora campaign, decried many existing tools as ineffective "magic" that engineers are forced to install for the sake of compliance but at the expense of real security. "Please no more magic," he told the Kiwicon hacking conference in Wellington, New Zealand today. "We need to stop investing in those things we have shown do not work. And sure you are going to have to spend some time on things like intrusion detection systems because that's what the industry has decided is the plan, but allocate some time to working on things that actually genuinely help. [...] Antivirus does some useful things, but in reality it is more like a canary in the coal mine. It is worse than that. It's like we are standing around the dead canary saying 'Thank god it inhaled all the poisonous gas'," he said.
This discussion has been archived. No new comments can be posted.

Google Security Engineer Urges Hackers To Focus Less on Anti-Virus and Intrusion Products

Comments Filter:
  • According to the summary and article, he didn't say AV was a useless box-ticking exercise.
    • by RonVNX ( 55322 )

      Did he make a remark encouraging whitelisting either? Whitelisting is a security don't do it.

  • by Anonymous Coward

    Fuck this guy.

  • by penguinoid ( 724646 ) on Thursday November 17, 2016 @09:10AM (#53304957) Homepage Journal

    An antivirus may not protect against a new attack, but it sure can reduce the value of an existing exploit (thus increasing R&D costs for script kiddies while reducing their profits). Though it is rather amusing how some "antivirus" comes bundled with, or is itself, malware -- but much less amusing that it is legal.

    • I think they not saying it's useless, just that it only covers some small portion, like 15% perhaps. There's just a lot of things it doesn't cover.
    • >instead focus on more meaningful defenses such as whitelisting applications

      They want to become the whitelisting authority, then to de-whitelist their competitors. Just like what Apple did. Too greedy!

    • Most of the major antivirus products have had at least one big security vulnerability in the last two or three years. Norton had the best one, where a buffer overflow in their image scanning code (which ran in the kernel, WTF?) allowed you to run arbitrary code in the AV simply by sending someone an image via email. Even if the recipient never opened the mail, if their mail client downloaded it then the attacker had a kernel-level compromise. With this kind of track record, I find it hard to argue that A
    • The problem with whitelisting is there has to be someone who does that whitelisting. Now that's fine in an enterprise organization. You presumably have trained IT staff who can test a program in a test lab and see if it is ok, if there's any issues against other programs, and so on. It does cost more, and slows down the speed at which you can adopt new software, but it is doable. However that only works because you have experts there who can test and make a presumably informed judgement call.

      At home, there'

      • by mysidia ( 191772 )

        You presumably have trained IT staff who can test a program in a test lab and see if it is ok,

        Not really. Malware is good at evading detection under VM/test environments.

        slows down the speed at which you can adopt new software

        This is the major advantage that whitelisting provides --- slowing down the speed is mostly the major security benefit.

        You aren't just searching the web, downloading, and rolling out programs willy nilly.... you have to wait, which throws away a lot of malware because you weren'

    • He went through a pile of Google-specific solutions to Google-specific problems. Another one of his points was that we should all switch to U2F tokens, because next year will finally be the Year of the Smart Card that we've been waiting for for the last 30 years or so.
  • by Dr_Barnowl ( 709838 ) on Thursday November 17, 2016 @09:16AM (#53304989)

    Well, as a computer, that is. The great strength of a general purpose computer is just that - it can do anything.

    Once you have a whitelisting "solution" on it, it can only do what the IT Dept. explicitly approves of, which now means that it's about as useful as an iPhone - only files that have been explicitly whitelisted are allowed to be executed.

    A whitelisting client that actually locks things down properly won't even allow you to use the shell, well, it won't allow you to run .BAT files. Running the individual commands may still be allowed!

    It might provide security, but at the cost of stifling the ability of "power users" (ie - programmers of limited ability - or indeed, any ability).

    My last job installed one on the developer's computers... and gave us the permissions to override it. Pressing "OK" after every single build to be allowed to run it was... special.

    • It also stifles the ability of your organization to change it's software - our IT department demanded a £5,000 fee for every program to be whitelisted so it could go through a security audit!

      • by RonVNX ( 55322 ) on Thursday November 17, 2016 @09:51AM (#53305191)

        And it creates a security risk because it means you trust those apps no matter what they turn out to be doing.

      • Actually, all you really need to do is whitelist anything that runs from folders which the user does not have write access to. That will automatically get all the system apps as well as the apps installed by root/administrator.

        Conversely, you could just blacklist all apps that run from user writeable locations.

        Not that hard really.

    • by Anonymous Coward

      Whitelisting done properly doesn't lock down your shell nor stops you from running batch scripts. It stops you from running any random script that runs executables that were not whitelisted.

      • Assuming your IT staff do it properly is the first mistake.

        Our whitelister locked down .BAT files and .VBS and the like, but left the much more dangerous Powershell untouched.

        It also allowed you to load and run any .JAR file into Java - once you whitelisted Java (and any native libs it used), you were golden, you could have written anything in Java and run it.

    • Whitelisting doesn't *ALWAYS* have to be controlled by IT. How about your PC at home? You are the "IT Dept." in that case, and whitelisting would certainly protect your PC more than an antivirus alone.

      BTW: What OS is this engineer referring to? Since he works for google, I would think either Android or ChromeOS. Is he suggesting a whitelisting app on android? I don't know if most phone users can handle that.
      • > Is he suggesting a whitelisting app on android?

        There is already an effective mechanism for whitelisting on Android and iOS : signed package files, which is all the official app stores distribute. Don't trust it? Don't install it. And don't sideload or use 3rd party stores.

        He must be specifically discussing the desktop case, where whitelisting has come into vogue.

    • by Anonymous Coward

      Power users! Those are the developers/managers/executives who want unlimited access and then someone else has to go clean up the datacenter when their favorite porn website gives their laptop cooties, and it spreads like, well, cooties.

      You get the access you need, the end.

    • by ark1 ( 873448 )
      Ad blockers are nice whitelisting solutions. Deny everything by default except sites I want to support. Guess what happens to google ads...
  • by Junta ( 36770 ) on Thursday November 17, 2016 @09:23AM (#53305027)

    Advice on safe internet use is "horrible", he added. Telling users not to click on phishing links and to download strange executables effectively shifts blame to them and away from those who manufactured hardware and software that is not secure enough to be used online.

    The alternative is horribly locked down appliances that can't do what the user asks it to do. It means distrusting the owner of the device. There are scenarios where that can make sense where the role of the device is very well defined (ATMs, Point of Sale equipment, etc), but personal computers are by their very nature empower their users to do things the vendor would not have necessarily conceived of.

    I agree that anti virus measures are not that good, but it just means that user education is all the *more* important, unless you don't want to let the users do anything or you don't have any users doing creative technical work.

    • Re: (Score:3, Funny)

      "unless you don't want to let the users do anything"

      All Google wants is for you to consume content so they can get you to view ads. They don't care about empowering users.
  • Dangerous (Score:3, Funny)

    by 110010001000 ( 697113 ) on Thursday November 17, 2016 @09:25AM (#53305035) Homepage Journal
    What Google means is "only allow Google Approved" software to run on your locked down device. That is what "whitelisting" means. Meanwhile Android is the biggest malware laden piece of shit on the planet when it gets deployed to real devices and Googles Ad network is a vector for drive by exploits. So fuck you Google.
  • by Anonymous Coward

    He's not wrong about the problem, but Google has yet to show us what the silver bullet solution is. Android. nuff said.

  • by fustakrakich ( 1673220 ) on Thursday November 17, 2016 @10:00AM (#53305259) Journal

    See the pattern? Selling a locked down machine will become much easier with just a little FUD. However a user should have the option of whitelisting, works on spam also.

  • by RandomSurfer314 ( 4412795 ) on Thursday November 17, 2016 @11:14AM (#53305889)
    There should be a law that states that any computer ("PC", "laptop") needs to be fully configurable by the end user by default. Every aspect of it needs to be controllable by the end user, network settings, which applications can run, which operating system can be installed, which BIOS or EFIS can be flashed, etc. If that's not the case, then the company should be forced to put a huge red warning sticker on it that clearly states "NOT A GENERAL COMPUTING DEVICE".
  • Comment removed based on user account deletion
  • by Anonymous Coward

    there's a very old anti-virus utility called "Vaccine" which did exactly this.
    only programs on the whitelist were allowed to be run,
    and every program was checked using a checksum in the products internal database.
    You could allow and disallow products whenever you liked,
    and it would automatically prompt you if you tried to run something that wasn't white listed.

    now, of course, none of this, or what the article suggests will prevent stupid users from running stuff they shouldn't.

    But, Vaccine was the best anti

  • You can't whitelist everything you need to, and you can't trust end users to be able to do that all themselves (no matter how many dialogs you pop up). A/V is only capable of doing so much, so users still need educations.

    The other option, as this Google engineer proposes, is to lock everything down and only allow vetted programs. This is called Trusted Computing [wikipedia.org] (a.k.a. Treacherous Computing [gnu.org]) for software and digital rights management [wikipedia.org] (digital restrictions management [fsf.org]) for media. These are very secure (

  • and all the help US brands gave the US mil and gov.
    When a US brand asks the wider global security community to do anything different, thats the time to start really looking.
    Any safe product would not be doing anything to make any AV product interested over days, weeks, months of updates?
    What is it about skilled, advanced global AV efforts that induced such a request?
    Users need layers of good security applications. Intrusion detection, firewalls, working real crypto, software looking for changes deep in
  • I had huge problems implementing white lists in a previous work (software development company).

    However it is real that this is the only solution. It is "very" painful, but what medicine is not painful to take or have bad said effects?" The huge mistake was to think on general purpose computers where you can mix the highly sensitive stuff with reading newspapers or Facebook profiles and visiting dangerous places; this is the same as to say that you can walk without care through a hall full of mosquitoes wi

As you will see, I told them, in no uncertain terms, to see Figure one. -- Dave "First Strike" Pare

Working...