Bio

David Harley

Senior Research Fellow

Education? Academic background in modern languages, social sciences, and computer science.

Highlights of your career? I was a late starter (1986) as an IT professional, beginning at the Royal Free Hospital, then with the Human Genome Project (1989), then at Imperial Cancer Research Fund (1991-2001), where I wrote/co-wrote/edited a number of Internet FAQs and my first articles on programming and security. I presented my first conference papers in 1997 (at Virus Bulletin and SANS). In 2001 Osborne published Viruses Revealed (co-written with Robert Slade and Urs Gattiker): VR and the later AVIEN Malware Defense Guide (Syngress) – to which Andrew Lee also contributed – are probably the best known of my books. When I rejoined the UK’s National Health Service in 2001, I ran the Threat Assessment Centre and was the go-to person nationally for malware issues. I left to work as a freelance author and consultant in 2006, which is also when I began to work with ESET.

Position and history at ESET? Senior Research Fellow at ESET N. America. Primarily, I’m an author and blogger, editor, conference speaker, and commentator on a wide range of security issues. Like the rest of the industry, they put up with me because I’ve been around so long.

What malware do you hate the most? Malware is just code. It’s malicious people I detest. While I’ve no love of scammers, I can see that it’s easier to be honest in a relatively prosperous environment – if there is such a thing anymore – and that cybercrime can be driven by an economic imperative. But I have nothing but contempt for those sociopaths who cause harm to others for no reason except that they can.

Favorite activities? The guitar (I still gig and record when time allows), other people’s music. I love opera but don’t attempt to sing it. Photography, art, poetry, country walking – well, ambling is about as much as I can manage at my age – good food and wine, good television when I can find it...

What is your golden rule for cyberspace? Scepticism is a survival trait: don’t assume that anything you read online is gospel truth, even this adage.

When did you get your first computer and what kind was it? Amstrad PCW (primarily a word-processor) in 1986. What else would you expect a not-very-rich author to buy in 1986? :)

Favorite computer game/activity? Extra-curricular writing (blogging, verse and lyrics, articles). Digital photography and miscellaneous artwork.

Articles by author

Support Scams: Cold Calls, Cold Hearts

Here's a diagnostic window that you shouldn't panic over, certainly if some cold-calling scammer directs you to it by persuading you to run a diagnostic on your own system. But I'm getting ahead of myself. You might think I've blogged more than enough about support scams already – you know, where someone calls you out

The Good Virus: White Knight or Red Queen?

I encountered an old acquaintance today. Tip of the hat to Peter Radatti for pointing me towards an article by John Breeden II that proposes a very familiar idea: the Good Virus. (One that also often pops up in the form of the Good Worm, such as the various hues of Code that were proposed

TDL file system

@RedNose commented on the blog I put up recently about the tool my Russian colleagues have made available for dumping TDL's hidden file system: I'm going to respond here in case anyone else is confused about this. "I ran the tool and it did not show anything. Does it mean that TDSS is not present?"

Why the IMF breach?

In the absence of any detailed information from the IMF itself, it's not surprising that most of the surmise around the attack is based on internal IMF memos quoted by Bloomberg, and much of it is rather tenuous.

CTACtile

...if you're a Facebook user, you might want to try the CTAC Facebook page. I've taken to posting links to CTAC output there at the same time as I tweet it...

LulzSec lulls the NHS: not such bad lads?

...on the Twitter account owned by LulzSec that they had turned their attention to the NHS. Curiously enough, they seem to have been restrained and even responsible: while there's an image out there of a message they claim to have sent to an administrator at an unidentified NHS site, they blacked out the details.

A Nice Pair of Breaches

...here's a blog in stark contrast to Urban Schrott's blog about good password practice in Ireland ... Troy Hunt ran an analysis of the subset of stolen Sony Pictures passwords put out as a torrent by those nice boys at LulzSec, some 37,608 of them...

Passwords, passphrases and past caring

First: a link to another article for SC Magazine's Cybercrime Corner on password issues: Good passwords are no joke. However good your password is, your privacy still depends on rational implementation by the service provider. Also, one of the articles that sparked off that particular post: ESET Ireland's excellent blog post on a survey carried

Hungary starving for security awareness?

My colleagues in Hungary have released some slightly alarming statistics about malware awareness in their part of the world. Research carried out on their behalf by NRC suggests that a significant proportion of Hungarian Internet users don't even know what AV software is installed on their computer (or, presumably, if anything is installed). http://www.eset.hu/hirek/holgyek-tessek-vedekezni?back=%2Fhirek Out

Scams and the Beautiful Game

We like to give you plenty of warning when we suspect that something unpleasant is coming down the pike, even if it’s just one of those likely bursts of Black Hat SEO (web search poisoning) that come with a media-friendly event. Still, I suspect that if I told you we expect lots of malicious activity

TDL4: new bootkits stepping out

My colleague Aleks Matrosov has come across an interesting if uncomfortable post on a Russian language forum, advertising a "Boot loader for drivers" currently under test that doesn't require a Digital Signature driver, which sounds very much like our old friend TDL4. This metamorphic malware (each build generates a fresh binary) loads before the start of PatchGuard. It's

Twitter Relationship Counselling

Dear Twitter, I'm afraid our relationship is just not working these days: in fact, we seem to have stopped communicating almost immediately you cosied up to our mutual friend Tweetdeck. Clearly, I'm the spare part in this relationship, since Tweetdeck isn't talking to me much, either. How can you treat me like this? Since I'm

TDL4: Beat‑root with Confidence

...Aleksandr Matrosov and Eugene Rodionov recently delivered a presentation on "Defeating x64: The Evolution of the TDL Rootkit" at Confidence 2011, in Krakow, and now available on our white papers page...

More Cybercrime Corner articles

Recent additions to SCMagazine's Cybercrime Corner blog include: "Password strategies: Who goes there?" by David Harley, May 23, 2011 Password selection usually involves compromise, but even a short password can be reasonably strong and still memorable. This follows up at some length on a previous ESET blog by Paul Laudanski. "Fighting cybercrime" by Randy Abrams,

Yesterday’s Virus Hoax is Today’s Fake Utility

One of the (few) blessings of having been so long in this industry is that I remember a time when most malware was viral and Trojans were rare: so rare, in fact, that there was at one time a notorious "dirty dozen" set of Trojans. At around the same time, there were innumerable hoaxes describing malware with

Cybercrime corner

... I haven't recently posted any pointers to our content on SC Magazine's Cybercrime Corner, and now might be a good time to recap on what Randy and I have been posting there this month (so far...) ...

Psyb0t: varying the angle of attack

DroneBL, a site that tracks IP addresses considered vulnerable to abuse, and which some sites use for their DNSBL (blocking list), blogged yesterday on the fact that it’s been subjected to a Distributed Denial of Service attack (DDoS), apparently by systems infected with malware going by the name of psyb0t. According to the blog, this

Virus Bulletin Anti‑Spam Tests

Virus Bulletin have announced the results of a trial run of its new anti-spam product testing, where one product scored platinum, two scored gold, and two scored silver, based on their average scores in the test. However, you won’t actually get to know which products they were on this occasion: quite rightly, VB has anonymised the results

Fake AV Spam and Selling Free Software

[Updated after further investigation.] For the past few days, I’ve been seeing spam to one of my accounts offering me various bits of software. Nothing unusual about that, of course, but this one was better constructed than usual, and consistent, and I made a mental note to look more closely when I’m a little less

TinyURL and Anti‑Spyware Toolbar

Further to our previous blog about the use of TinyURL to obscure malicious links, a family member drew my attention to a problem she was having with the TinyURL site. Every time she tried to access a TinyURL link, she got a page advertising security products. (She was using their free firewall.) It turned out, though, that this

Comodo Backs BBC against AV

The Tech Herald have brought it to our attention that Comodo, a security company who include an antivirus product in their range, have backed the BBC’s action in buying and exploiting a botnet for the Click programme’s story. This is clearly swimming against the tide – virtually all the mainstream anti-malware companies who’ve commented have

Excel Exploit

There was a comment posted today on an article on the SC Magazine site from someone who seemed to think we were talking up an obsolete exploit. He seems to have been thinking about this one: “Microsoft Security Bulletin MS08-014 – Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (949029)”. (Which fixes this issue,

Support Requests

Just a reminder that we can’t usually handle support issues here. Not that we want to be unhelpful, but the Research team simply isn’t resourced for that sort of work. Someone just posted a problem they had with V.4 here, and I mailed them back, but the message bounced, so I’ll summarize here. As it

BBC Botnet: Another View or Two

And still the controversy rages: several people have pointed out that it’s unlikely that the PCs in the BBC’s botnet are all in the UK, suggesting that there could be additional legal issues relating to other jurisdictions. The H reiterated the point that Ofcom regulations state that payment shouldn’t be made to “convicted or confessed

Urban Legends

Oh, no, I hear you say, not another hoax? Not exactly. Not directly connected with chain letters, anyway. But if you do happen to share my fascination with 20th/21st century mythmaking, you might be amused for a minute or two by a quiz here addressing the truth or falsehood of some common myths. Depressingly, given my

The Strange World of Twitter

A number of people have found my Twitter account and asked to “follow” me (that is, receive my micro-blog messages). I have it set up so that no-one can follow me unless I approve the request first, and since the account was set up specifically for work purposes, I normally only approve co-workers. Most of the others,

Is it Safe? – Book Review

Still trying to catch up with blogs previously promised. I did say that I might review Michael Miller’s book “Is it safe? Protecting your computer, your business, and yourself online”, and indeed I did. However, the review was published in this month’s Virus Bulletin (March 2009), so I can’t use it here. Here’s a somewhat

When is a Hoax not a Hoax?

Embarrassingly, I keep catching myself promising to come back to a topic and never getting round to it, however often I try to blog here. (The server is gradually filling up with my half-completed drafts!) There are just too many interesting things happening and not enough time to record them all here – this isn’t, after

BBC Botnet Revisited

[update] Commentary by Larry Seltzer for eWeek: http://www.eweek.com/c/a/Security/The-British-Botnet-Corporation-324874/ I don’t promise that this is my last word on the subject, but, having now seen the full Click programme and the BBC’s response to some of the criticism they’ve received, I found I had a few more things to say on the topic. If you aren’t

More on the BBC’s Botnet

Update: several nice, thoughtful blogs on the subject from John Graham at http://john-graham.me.uk/. International law firm Pinsent Masons’ Struan Robertson seems to agree (at least in part) with commentary in the security industry that the BBC have broken the UK’s Computer Misuse Act. Robertson, focused on the Click program’s unauthorised access to 22,000 bot-compromised PCs in order to

BBC Controversy: Click Fraud?

I spend so much time on this blog, that I’ve been neglecting the other blogs I’m supposed to contribute to from time to time (including my own, though I’ve just started to put some papers up there – more about that later). However, as the issue with the BBC’s possible breach of the UK’s Computer

Patches Despatches

In a previous blog relating to Acrobat vulnerabilities, I suggested that you might want to sign up for Adobe’s alerts service. I did, but still haven’t received any news from it. However, it appears that The Register (or one of its sources) did, so I’m nevertheless aware that Adobe has released updates to address the

Signed Updates and Social Engineering

Someone raised an interesting point in a comment to yesterday’s blog about Symantec’s own PIFTS.EXE being flagged by their own firewall as a possible problem. Let me quote the comment in full. I by no means buy into the super root-kit routine, I do however think that there will be copy cats (if not already)

PSST! It’s PFTS!

PSST! Anyone remember the Telephone party game, also known by various politically incorrect names like Chinese Whispers and Russian Scandal? A series of reports like this and this illustrate a textbook example of how rumour and misunderstanding (some of it probably wilful) can transform a story into something very different to its original form. According

Conficker Resurgent

It appears there are interesting developments in the Conficker/Downadup development front. Peter Coogan of Symantec describes here a variant that doesn’t appear to be interested in infecting new machines, rather more so in updating and protecting itself on systems already infected with previous variants. (And, yes, ESET’s ThreatSense technology does already detect it heuristically!) It seems to have