Vulnerabilities in Antivirus Software - Conflict of Interest

Vulnerabilities within security solutions -- antivirus software in this case -- are a natural event, however, the conflict of interests and failure of communication between those finding them and those failing to acknowledge them as vulnerabilities in general, harms the customer. How they get count, and how is their severity measured in a situation where a vulnerability bypassing the scanning method of an antivirus software allowing malware to sneak in, is less important than a remote code execution through the antivirus software, is a good example of short sightedness. Here's a related development regarding a recent study regarding vulnerabilities in antivirus software - "McAfee debunks recent vulnerabilities in AV software research, n.runs restates its position" :



"Several days after blogging about a research conduced by n.runs AG that managed to discover approximately 800 vulnerabilities in antivirus products, McAfee issued a statement basically debunking the number of vulnerabilities found, and providing its own account into the number of vulnerabilities affecting its own products :



“A recent ZDnet blog discusses a large number of vulnerabilities German research team N.Runs says it found in antimalware products from nearly every vendor. The ZDNet posting includes scary graphs to frighten users of security products. We researched the N.Runs claims by analyzing the raw data and found their claims to be somewhat exaggerated. We will discuss our findings (and make available our source data) in the attached document. We have also provided our source data for anyone who wishes to examine it.”



Today, n.runs AG has issued a response to McAfee’s statement, providing even more insights into the vulnerabilities they’ve managed to find, how they found them, and why are the affected antivirus vendors questioning the number of flaws in general."



Consider going through the interview with Thierry Zoller as well.



UPDATE: The folks at ThreatFire know how to appreciate my rhetoric.



Related posts:

Scientifically Predicting Software VulnerabilitiesZero Day Initiative "Upcoming Zero Day Vulnerabilities"

Delaying Yesterday's "0day" Security Vulnerability

Shaping the Market for Security Vulnerabilities Through Exploit Derivatives

Zero Day Vulnerabilities Market Model Gone Wrong

Zero Day Vulnerabilities Auction

The Zero Day Vulnerabilities Cash Bubble

People's Information Warfare vs the U.S DoD Cyber Warfare Doctrine

Which doctrine would you choose if you had the mandate to? Dark room a

We cannot discuss these if we don't compare their cyber warfare approaches next to one another. It's rather ironic situation, since China has built its cyber
warfare doctrine based on the research conducted into the topic by U.S military personel. At a later stage, Chinese military thinkers perceved the combination
of Sun Tzu's military strategies in the virtual realm

Email Hacking Going Commercial

This email hacking as a service offering is the direct result of the public release of a DIY hacking kit consisting of each and every publicly known vulnerability for a variety of web based email service providers, with the idea to make it easier for someone to execute their attacks more efficiently. Outsource the hacking of someone's email, and receive a proof in the form of a screenshot of the inbox, next to a guarantee that you'll be able to get back in even after they've changed their passwords? Too good to be true, but since they only charge after they provide you with a proof that they did the job, they could be in fact attempting to hack these emails, compared to the majority of cases where scammers scam the scammers. The service works in 7 steps :



"1- Submit your case to one of our experts.

2- After successful submission , you will be sent a confirmation email along with your Case Reference Number (CRN) .

3- Our expert(s) will revert back to you in a few minutes with the details, the charges & the turn-around time. You may also be asked to provided additional information through a private form if required by our expert.

4- Once our expert has all the required information, you will be provided a username/password to our client area where you can view the real-time progress of your case.

5- Within a matter of hours (maximum 72 hrs), you can see the results. Our expert will provide you with proof-of-success , which you can verify and confirm.

6- Once you have verified the authenticity of success, you will be sent detailed payment instructions. You will be asked to pay using anyone of our multiple payment methods.

7- Once the payment is realized, we will provide you the requisite information"



Who's doing the actual email hacking? Independent contractors on behalf of the service as it looks like :



"Most other groups employ phishing , trojans or viruses which could damage or even alert the target. Our experts use techniques which are developed by themselves , not shared by anyone. We don't ask them how they do it, but as long as they provide us the desired results, its ok for us. Since we test their methods while they are on probation period with us, we check if the target is being alerted or not. As of now, for the past 4 years, we have NOT RECEIVED A SINGLE COMPLAINT IN THIS REGARD, which is testimonial to the ingenuity of the methods used by CSP."



How would they prove that they've managed to hack the email account before requesting the payment?



"1- Multiple screenshots of the mailbox

2- A copy of your own email which you had sent to the target

3- A copy / part of the address-book of the target mailbox."



Ironically, a hypothetical questionarry that I once speculated a private detection would require from someone interested in Outsourcing The Spying on Their Wife, in order to set the foundations for a successful social engineering attack, is being used by the email hacking group.