Security software is software too — and it will have flaws.
Last week, I was interviewed for the Risky Business podcast. I really enjoyed the experience, not just because I've long been a fan of the show, but also because we discussed a subject I really care about: the security of security products.
If you follow the security news, you will have noticed that several researchers (with Google's Tavis Ormandy most prominent among them) are currently hunting for vulnerabilities in anti-virus and other security products. After disclosing the vulnerabilities to the relevant vendors in a responsible manner, they write about their findings on Twitter and on various blogs.
11 papers and 9 videos added to our website.
In the security industry, we're used to people saying sorry: "sorry we chose a default password of 12345678"; "sorry we didn't look after your personal data better"; "sorry we didn't discover this huge vulnerability earlier"; and so on.
In that context, my reason for apologising is far more mundane. There were some great papers and presentations given at our VB2014 conference in Seattle that we simply haven't yet got around to publishing.
This Throwback Thursday, VB heads back to 1993, when an ordinary memory-resident master boot sector virus spiced things up with a bit of pop trivia.
Over recent years we have become used to hearing about ransomware extorting money from victims by locking up their devices and demanding a ransom in order for access to the device to be restored. Back in 1993, however, before malware had truly become linked with monetary gain, there was a device hold-up of a different kind: know your pop trivia or face losing your data.
Simon Edwards discusses how to test the potentially untestable.
Like the term or loathe it, APTs have given rise to a new generation of security products that protect against these more targeted and sometimes more advanced threats. Often, such products come with bold claims about how they are able to fend off such threats in ways that traditional security products can't.
At VB2015, Simon Edwards (Dennis Technology Labs) presented a paper, written together with Richard Ford (Florida Institute of Technology) and Gabor Szappanos (Sophos), on how to effectively test such technologies.