Bio

David Harley

David Harley

Senior Research Fellow

Education? Academic background in modern languages, social sciences, and computer science.

Highlights of your career? I was a late starter (1986) as an IT professional, beginning at the Royal Free Hospital, then with the Human Genome Project (1989), then at Imperial Cancer Research Fund (1991-2001), where I wrote/co-wrote/edited a number of Internet FAQs and my first articles on programming and security. I presented my first conference papers in 1997 (at Virus Bulletin and SANS). In 2001 Osborne published Viruses Revealed (co-written with Robert Slade and Urs Gattiker): VR and the later AVIEN Malware Defense Guide (Syngress) – to which Andrew Lee also contributed – are probably the best known of my books. When I rejoined the UK’s National Health Service in 2001, I ran the Threat Assessment Centre and was the go-to person nationally for malware issues. I left to work as a freelance author and consultant in 2006, which is also when I began to work with ESET.

Position and history at ESET? Senior Research Fellow at ESET N. America. Primarily, I’m an author and blogger, editor, conference speaker, and commentator on a wide range of security issues. Like the rest of the industry, they put up with me because I’ve been around so long.

What malware do you hate the most? Malware is just code. It’s malicious people I detest. While I’ve no love of scammers, I can see that it’s easier to be honest in a relatively prosperous environment – if there is such a thing anymore – and that cybercrime can be driven by an economic imperative. But I have nothing but contempt for those sociopaths who cause harm to others for no reason except that they can.

Favorite activities? The guitar (I still gig and record when time allows), other people’s music. I love opera but don’t attempt to sing it. Photography, art, poetry, country walking – well, ambling is about as much as I can manage at my age – good food and wine, good television when I can find it...

What is your golden rule for cyberspace? Scepticism is a survival trait: don’t assume that anything you read online is gospel truth, even this adage.

When did you get your first computer and what kind was it? Amstrad PCW (primarily a word-processor) in 1986. What else would you expect a not-very-rich author to buy in 1986? :)

Favorite computer game/activity? Extra-curricular writing (blogging, verse and lyrics, articles). Digital photography and miscellaneous artwork.

Articles by author

Stuxnet and the DHS

In fact, the real interest of the document lies in the extensive overview (12 closely-typed pages without graphics and such) of the DHS view of its own cybersecurity mission.

The Price of Fame

...there are (over) 2,095,006,005 Internet users nowadays (due credit to www.internetworldstats.com). Inevitably, some of them are going to have the same name as real celebrities and fictional characters...

Hodprot is a Hotshot

In their presentation “Cybercrime in Russia: Trends and issues” at CARO2011 -- one of the best presentations of the workshop, in my unbiased opinion ;-) -- Robert Lipovsky, Aleksandr Matrosov and Dmitry Volkov mentioned the Win32/Hodprot malware family, which seems to be undergoing something of a resurgence.

Cycbot: Ready to Ride

Although the “Ready to Ride” group originated in Russia it distributes Win32/Cycbot outside the borders of the Russian Federation. Going by the prices per installation the primary target of the group is the US.

Stuxnet: Wired but Unplugged

I've stopped maintaining Stuxnet resource pages recently, but occasionally I come across an article that adds something useful to the mix, or simply summarizes aspects of the Stuxnet story neatly and accurately. Besides, its authors must be feeling a little left out with all that fuss about TDL4. ;-) A recent report in Wired gives

Blaming the Victim…

So who's to blame? First and foremost, the victimizers. Well, persistent victims, yes. And anyone in the security industry who pushes the TOAST principle, the idea that all you have to do is buy Brand X and you never have to take responsibility for your own security. Though, of course, "who's to blame?" is the wrong question: what matters is "how do we fix it?"

Tell ESET about Facebook malware

Here's something I noticed today on the ESET Facebook page at http://www.facebook.com/esetsoftware. (There is, of course, also an ESET North America page at http://www.facebook.com/esetusa, but this is the European page. There are lots of local ESET pages too, too many to list here.) As Facebook continues to attract more pages and videos containing malware, we

Weapons systems with feet of China clay

At a time where the West is, generally speaking, not at the top of its game economically, I can see why defence contractors, like anyone else, are anxious to save money, but outsourcing critical systems purely for economic advantage in the hope of submitting the lowest tender is a risky strategy.

TDL4: Less hype, more history

I don’t think there’s such a thing as an indestructible botnet. TDSS is somewhat innovative. It's introduced new twists on old ideas like P2P networks and hiding malware.

TDSS: botnets, Kademilia and collective consciousness

The TDSS botnet, now in its 4th generation, is seriously sophisticated malware, which is why we've spent so much time writing about it: the revision of the paper The Evolution of TDL: Conquering x64 that will be up on the white papers page shortly runs to 54 pages and includes some highly technical analysis, including the detail on

TDL Tracking: Peer Pressure

Recently ... our TDL tracker picked up a brand new plugin for TDL4 kad.dll (Win32/Olmarik.AVA) which we haven’t seen earlier ... we discovered that it implements a particularly interesting network communication protocol ...

Calling for Backup

...what I had principly in mind at that point was the impact of some 4,800 of its customers whose businesses may have been threatened when data, sites and email on four of its servers were lost...

Thank you, fans….

So, a (long) while ago I wrote about the Haiti earthquake, with some commentary about the intersection between natural disasters, Black Hat SEO, scare tactics for education in good security practice, plus some links relevant to the earthquake. Well, I'm certainly not ashamed of that blog, though I haven't thought about it for a long time,

Russian DDoS Revisited

Talking of the C-worm (“Will no-one rid me of this troublesome malware?”) I mentioned in a blog from a couple of days ago that Jose Nazario supplied some useful information on an issue I was checking into. The issue concerned reports from a Russian news site of Distributed Denial of Service attacks on Russian sites:

Not every Botnet is Conficker

If it was the intention of the Conficker gang to create a huge splash, they succeeded. (In fact, it’s quite possible that they’ve attracted more attention than they really wanted.) In any case, it seems that lots of people are looking nervously over their shoulders for any indication that something unpleasant and Conficker-related is about

Giving AV the Hard Shoulder*

The Register’s John Leyden has harsh words to say today about problems with security software: “Once, running Windows anti-virus was like driving down a dual carriageway. These days, it’s more like an unpaved road.” Well, I can understand his viewpoint, though given the sheer volume of security products these days, I’m not sure a small

Credit Where Credit is Due

I remember the days when the major anti-virus companies (back when they called themselves that) actually included links to the informational sections of competitive web sites (especially the threat encyclopaedias). Sadly, that doesn’t seem to be the world we live in any more. Still, we’re always pleased when someone we know comments here, even competitors, and

Targeted Malware and Microsoft

Microsoft issued an advisory last week – Microsoft Security Advisory (969136) “Vulnerability in Microsoft Office PowerPoint Could Allow Remote Code Execution” – that “could allow remote code execution if a user opens a specially crafted PowerPoint file.” The advisory uses very similar language to Microsoft’s recent advisory on an Excel vulnerability, referring to “only…limited and

Mad Macs – the iBot

When I write about Mac issues, I usually find myself abused by individuals convinced that there are no Mac viruses, never were any Mac viruses, and never could be any Mac viruses. Less advanced cases sometimes admit that there is Mac malware (and malware that isn’t Mac-specific, but can affect Mac users), but buy into

Conficker: After the Flood, the Backlash

Good morning. Is there anyone still out there and connected? Thought so. While one or two people who comment here seem to think I’m personally responsible for developing, maintaining, and marketing ESET products (and in at least one case writing the malware as well) I’m afraid I didn’t spend April 1st crouched over a rack

Conficker: the rest is probably not silence

So, nothing happened? Well, yes. Our labs, who’ve been monitoring carefully, note that Conficker changed communication protocols, just as the code said it would. No doubt in the fullness of time, the botnet will start doing what botnets do: it would be bizarre to put this much effort into a project and then not try

April (1st) in Paris (London, Tokyo…)

…as I write, it’s past midnight here in the UK. In some parts of the world it’s already been April 1st for nearly 14 hours. I have yet to hear any reports of melted PCs, disappearing internets, or institutions DDoS-ed into insolvency by Conficker. I’ve just received email from a colleague in Sydney, where it’s business as

Catching Conficker – a New Development

I can already hear a chorus of “Not ANOTHER Conficker blog?”, but some of you will want to know about this development. The Honeynet Project has announced a new scanning tool for detecting Conficker, which gives network and system administrators a very handy extra tool for detecting Conficker activity on their networks. Furthermore, the tool

More Bull in a China Shop?

I thought I’d blogged myself to a standstill over the weekend, but it seems there’s plenty of life left in the Tibet/China story, even if it’s only the East and the West exchanging accusations. A China Daily headline claims that “Analysts dismiss ‘cyber spy’ claims”, though in fact the quotes in the article talk about exaggeration

Conficker, Y2K, and Apocalypse Now

Around the end of the last decade, when I was working for a research organization in the UK, I used to write a monthly column on security for an in-house newspaper, and was rapped over the knuckles for telling this little story. I’ve probably changed the detail since then: I don’t keep everything I’ve written

Chinese Whispers: Targeted Malware and E‑Espionage

I’ve mentioned here before that targeted malware, often delivered by “spear phishing” carried by apparently “harmless” documents such as PDFs, .DOCs and spreadsheets rather than overt programs, can have much more impact than the raw numbers of such attacks suggest. In fact, some sources now use the term “whaling” rather than “spear phishing” to reflect the

Conficker Removal (Update)

[Update: it seems that people who missed the whole MS-DOS/having fun with the C> prompt and batchfiles thing are still struggling with the fact that vendors are releasing cleaning tools that are really command-line tools, so some step-by-step notes are added below.] I’m sure you’re almost as bored with this issue as I am with the

Parliament of Foul Play

This wouldn’t normally be the place to discuss the ongoing decline of the fortunes of the British Government, but there have been several IT-security-related stories coming out of the Mother of Parliaments worth a closer look. Back on March 10th, The Register reported that MP (Member of Parliament) Alun Michael had reported to the police that he

Phishing Victims

Responding to a request for information about phishing and malware distribution mechanisms this morning, I happened upon a link on the Anti-Phishing Working Group site to the Silver Tail blog The site has been running a series of blogs on “Online Fraud from the Victim’s Perspective”. Author Laura Mather tells the story of two victims,

Xrupter – Scareware meets Ransomware

There are quite a few reports currently about particularly ugly development son the fake AV front. The Register’s John Leyden has referred to a “double dipping” attack, in which the notorious Antivirus 2009 is implicated in an attack that goes beyond offering useless rogue anti-malware to inflicting actual damage on user data files, in order to force the victim

Adobe Reader & Acrobat: Updates on Updates

Well, I’ve still had no information about updates to address the recent Acrobat vulnerability/exploits to either of the addresses I subscribed to Adobe’s Security Notification Service. However, the RSS feed here does work. Which is how I know that Acrobat Reader 9.1 and 8.1.4 for Unix were released yesterday, right on time. As expected, these address the

Mac Hack Easy PC

I just picked up a comment made today on a post Randy made about the comparative security of Macs and PCs. Since the original post goes back to 2006, it seems a pity to bury the comment on a page most people won’t get to. In fact, since the comment reproduces an article in PC

BBC television – have they got the picture yet?

The BBC published a self-justification of sorts over the Click fiasco on Friday 13th March: when I came upon it the following morning, I posted a comment there, pointing out Mark Perrow had addressed the issues this industry hadn’t complained about, and ignored the issues that we were concerned about. My comment is number 14,