Malware Attacks – How Much Disclosure Are You Entitled To?

I’m an advocate of full disclosure. I demand transparency (not always successfully), in every area that has the potential to impact my life at any level. Period.

Since cyber crime has the potential to affect me at a fundamental level, I expect that every aspect of all security vulnerabilities will be released by those who have access to this information. I’d be surprised if you felt differently.

As a reputable Blogger, I’m regularly updated by many of the leading security developers on recently discovered or pending security issues, so that my readers can stay current with changing malware conditions.

In fact, the objective of my Tech Thoughts Daily Net News column, is to do just that – notify readers of a seemingly never ending list of new security issues, as quickly as possible.

From time to time though, a security issue needs to be explained more fully. As an example, last week, BitDefender let me know of a so called Kiddie Script – Facebook Hacker, which can be used by amateur cyber crooks to construct malware designed to steal login credentials.

Based on the available information, I wrote an article “BitDefender Says Facebook Hacker: A Do-It-Yourself Kiddie Script Is On The Loose!” Not the first time, I might add, that I’ve reported on the availability of Kiddie Scripts, and the impact such freely available hacking tools can have on unwary Internet users.

I was not alone in reporting on this issue. Other tech sites that reported on Facebook Hacker included: hackinthebox, softpedia, itbusinessedge and techworld. As well, scores of prominent tech news aggregators linked back to BitDefender’s original Blog post on this issue.

Imagine my surprise then, when I received a series of emails from a security developer executive, who argued that BitDefender, and by extension, me, had broken some sort of hidden rule – that it’s better to keep computer users in the dark with respect to certain security threats.

I must admit, I was taken aback by the implication that by reporting on Facebook Hacker, I was now part of the malware problem, and not part of the solution.

I’m on the far side of 50, and I’ve been at this game a very long time, so an insinuation that suddenly I’m part of the malware problem, definitely provoked a slow burn. Nevertheless, I was prepared to let this go. But, a security developer who can’t allow an alternative opinion, suggests a deeper issue exists.

Keeping computer users in the dark, at least in this security developer’s opinion, is less harmful than letting computer users know what they’re really facing in their increasingly difficult battle to stay safe against cyber criminals.

The gist of his argument was this – BitDefender, and again by extension, me, by reporting on Facebook Hacker, had told “every dickhead in the world where to find it.” So, I should have kept you in the dark.

Conveniently, the fact that a Google search on “Facebook Hacker” returns 24,900,000 results was not mentioned.

Curiously, in one email the following observation was made –

Until a couple of days ago Facebook Hacker was a low key (almost unknown, in fact) problem because very few people knew it existed….

Thanks to recent publicity there are now 34 anti-malware programs detecting the original … up from 20 a couple of days ago … up from a mere handful a couple of months ago.

So, you’d think that would be the end of the argument – that reporting on this issue was the right thing to do, since more antimalware applications are now detecting malware produced by this kit – but no.

There was a further point that had to be made. One which negated the value of shining the light on this security threat.

If the grubs stay true to form there will almost certainly be more “upgrades” in the pipeline, and unlike the original which had limited distribution, a relatively minor payload, and little chance of success because most people aren’t silly enough to run an unsolicited email attachment, some of those “upgrades” might hit the mainstream as undetectable autorunners carrying vicious payloads.

Irresponsible “disclosures” telling perps where to download live malware ALWAYS do more harm than good!

Two questions need to be answered here:

First: What’s the point in paying for antimalware software unless there’s an implied agreement that the security vendor will do all that is necessary to seek out, and identify harmful threats, and develop an appropriate defense against these threats?

In this particular instance, that doesn’t seem to have been the case. Why did it take “recent publicity” before additional antimalware programs began detecting this malware?

Second: Why would cyber criminals need me, or anyone else for that matter, to point them to malware creation tools? The fact is, the Internet is awash in hacker sites. Pointing out that fact, was part of the purpose in writing the article.

I’ll restate my view, as I expressed it, in replying to these emails –

Being aware of danger is a prerequisite to preparing a defense against the danger. No, I’m definitely on the other side of the fence on this one. I expect full disclosure and access to information, not only in this type of situation, but in all areas where the information is required for me to adequately assess an issue.

I have a problem with anyone who sets themselves up as an arbitrator of what’s in my best interest. I don’t think I’m alone in recognizing that withholding information is rarely, if ever, in the public interest.

Do you see the value in full disclosure? Do you agree that antimalware vendors have an obligation to release information on threats that potentially can impact your Internet safety?

Or, would you rather remain unaware of existing, or impending security threats, and just take your chances with remaining malware free?


Filed under Bill's Rants, blogging, cybercrime, Internet Security Alerts, Point of View, Tech Net News

25 responses to “Malware Attacks – How Much Disclosure Are You Entitled To?”

  1. I’m with you on this one, Bill. There’s way too much secrecy in this world, and way too many liars.

    Whatever happened to honour and decency in all things?

    • Hey Paul,

      I detect a sense of old fashioned morality and ethics in your question. Contrary to what many believe, “old fashioned morality and ethics” have not been overrun by so called “situational” ethics. Progressive business people understand, that not only must they do the right thing – they must be seen to be doing the right thing.

      Still, there are just enough examples of stupid business decisions, and points of view, to give your question validity.

      Bill

  2. I’d rather someone like you exposed threats to the public – the buying, voting, choosing public – than wait and hope the anti-malware people were on top of it all.

    And I’d certainly echo this question: “Why did it take “recent publicity” before additional antimalware programs began detecting this malware?” (Of course, maybe buddy didn’t know what he was talking about in this case.)

    • Thanks for commenting Wendell.

      As an independent Blogger, I don’t rely on ads to generate my income. I have no obligation to software developers. Instead, I have to satisfy my own needs, and those of my readers. So yes, I agree – someone who can step back a pace, can be more reliable than a party who has a financial interest.

      Bill

  3. Liam O' Moulain

    Well done Bill.

    This is the kind of nonsense I expect from a politician – not the developer of a product I rely on to help keep me safe on the Internet.

    My message to security vendors – tell me the truth. The whole truth. Don’t set yourself up as someone who withholds information because you think you know better.

    Get rid of this antiquated notion or you’ll end up with no customers. Maybe you need a “Toyota” lesson.

    Liam

    • Hi Liam,

      Yes, you’re right. Not disclosing the changing environment in which a product is designed to operate, seems patently absurd.

      Thanks for dropping by.

      Bill

  4. greg

    It’s tough being sane isn’t it Bill?

    • Hi Greg,

      LOL! Well, I’m reasonably sure there will be certain antimalware developers who will question the “sane” part. Some, within the industry, are rather selective with the truth, and don’t take to criticism well. But, as I said earlier, my obligation is to my readers and not the antimalware industry. Sitting on the fence is not my style. 🙂

      Bill

  5. Mal

    Hey Bill,

    Interesting blog today. Here’s a hypothetical: what if the malware discovered affected people’s online banking and/or other sensitive financial information. Do these types of people expect us not to expect full disclosure, so we can take the appropriate steps? To me, they sound like absolute idiots, I can and do expect full disclosure on ANY potential threat.

    Cheers

    • Hey Mal,

      Exactly.

      If A, B and C, for example, are judged to be unimportant where does the rollover to “important” begin? It seems to me that the importance can only be gauged by the user. After all, he/she is the only one who is fully aware of the conditions under which the system is operated.

      Like you, I have no doubt that all potential threats should be fully disclosed. Any other course of action borders on negligence, in my view.

      Best,

      Bill

  6. Bill,
    Add my vote to full disclosure. It’s more important to inform we users than try to contain expansion of the problem. Many times there’s a simple user-level work around, like not doing something for a while, or otherwise avoiding the problem by circumventing the threat.
    Look, you know I can be a bit cynical at times and I’m not convinced that there’s a dying drive to end Internet security problems by the security vendors who are making a good living from it; so when they come up with BS like this…well, let’s just say they aren’t helping their image in my eyes.
    Keep up the good fight Bill.
    Standing with you,
    Paul

    • Hi Paul,

      Your cynicism is well justified. I’ve often been tempted to write the “conspiracy theory” article, on the antimalware industry. The one that questions the killing of the goose that lays the golden egg, or more properly, not killing the goose that lays the golden egg.

      When I read last week, that the antimalware industry is expecting an increase in sales of 12% or so, in the coming year, I had no problem drawing a comparison with the pharmaceutical industry and their unsavory marketing methods.

      Your point, that users can work within the confines of a security problem (provided they are aware of the problem), rings true.

      Good to have another IT professional come in on the side of common sense. I appreciate your supportive comment.

      Best,

      Bill

  7. Rob

    I echo the sentiments of all here… and thanks Bill. Just hope when all of this insanity comes to a boiling head, I’ll have a developer or two in the cross-hairs of my paintball gun… or else, who thinks that I’m not intelligent enough to discern the information I need to know.
    Sort of smacks of the old DOS days when MS didn’t think we were smart enough to handle their operating system.
    Rob

    • You’re dead on Rob. There is that element of – *you’re just a user and you’ll never understand the complexities involved.* Senseless tripe of course – but there you have it.

      Thanks for your supportive comment on this issue.

      Bill

  9. Siam

    I was actually quite shocked to read this. The “… it’s better to keep computer users in the dark with respect to certain security threats” response floored me. To whom are we expected to entrust the making of such arbitrary but crucial determinations? Who are the gatekeepers? And what are their real motives in keeping people in the dark? I fail to see the benefits in this. My internal alarm bells are ringing (actually, I have an image in my head of the robot from Lost In Space waving its arms around, crying “Warning, warning, danger Will Robinson” … and yes, this does date me!). As the old adage goes: Forewarned is forearmed. And for that, I think companies such as BitDefender should be down on their knees thanking you for the work you are doing in bringing these things to our attention. I know I certainly am. Well, metaphorically at least!

    • Hi Siam,

      “Warning, warning, danger Will Robinson” LOL!! Now that takes me back to a simpler time.

      You raise a number of important issues, including questioning what motives the self appointed “gatekeepers” might have, in controlling access to security information. Information, that in a real sense, may be crucial to a user’s ability to stay malware free.

      Part of the problem is – many security applications are advertised as a “lifeboat”, in a sea of sharks. The reality, in too many cases, is quite different – the “lifeboat” offers little more protection than a life jacket. It might keep the user afloat, but it won’t provide much protection against sharks.

      For example, the article points out “there are now 34 anti-malware programs detecting the original of Facebook Hacker up from 20 a couple of days ago up from a mere handful a couple of months ago.” Based on these stats, it’s reasonable to ask the question – why don’t the 100s of other antimalware solutions detect this malware, and provide appropriate protection?

      The answer to that one would require a book, I’m afraid. In the meantime, be skeptical of antimalware application claims.

      It’s always a pleasure to see your thoughtful input.

      Bill

  10. dar

    @Siam
    DANGER WILL ROBINSON DANGER
    – LOST IN SPACE

    cheers

  12. I have always been suspicious of Anti-Virus companies. The guys I used to work with and I came up with a theory that all anti-virus companies had two parts.

    The one part writes the anti-virus updates, while the other part sits in the back part of the company and writes new ones! 🙂

    I believe that full disclosure is necessary. When a flaw is reported to the manufacturer, many times they take months to patch it. Or worse they just sit on it and do nothing. The Apache “Slowloris” DoS attack comes to mind. I think it took about 9 months to patch this after it was revealed. And a third party company actually came up with the fix.

    If the users know, they can take steps to protect their systems, especially when manufacturers are taking their time getting to it.

    • Hey Dan,

      You’re not alone in espousing the theory in your first point. I don’t think a time goes by when I sit with fellow IT pros, that this point does not get discussed. Any industry that is totally unregulated, and that makes spectacular claims (as a group), which continually are shown to be little more than wishful thinking, opens itself to this type of conjecture.

      Your second point is dead on of course. I’ve lost count of the number of similar occurrences over the years.

      Good to see another IT pro cut through this BS.

      Bill

  13. Hello, Bill and thanks for the input. I’m one of the analysts who dug into the Facebook Hacker for the malwarecity article you mentioned. I was also one of the guys that encouraged that we should publish the material.

    Long story short: just got one of the server files forced on me and I almost fell for the trick. It suddenly occurred to me that there may be some other users less tech-savvy than me who already took the bait or who are likely to fall for a poorly-detected piece of malware.

    We did not provide the user with any download links, nor did we reveal more about the threat than necessary. By necessary, I mean that the user should know what and how happens, not to think that there’s some magic voodoo trick lifting their passwords off the browser cache.

    Strikingly enough, the software vendor you mentioned did not contact us (the original author), which should be a common-sense approach prior to complaining to others.

    DIY kits are on the loose: from Twitter-based botnet creators to all sorts of hacker tools, they are all in the wild and freely available. Rest assured, the bad guys already know about them and use them against people who failed in acknowledging the threat. And I’m also sure that those who have read the article on Facebook Hacker would spend more than a millisecond before clicking on anything that displays that notorious icon.

    Last, but not least, there’s no excuse for keeping people in the dark. I’d rather educate them in order not to fall victim to such threats in the future than silently shield them against an assortment of hidden perils.

    • Hey Bogdan,

      In the “real” world we post Danger signs where an unsafe condition exists, so that the public recognizes the need to be cautious. The virtual world is no different. When danger exists, a “Danger” sign needs to be posted. Anyone who disagrees with this common sense approach is an idiot.

      I’ve reported on DIY kits here any number of times in the past, not to inform hackers, but to warn readers of what they’re up against. I can’t imagine anyone holding the view, that hackers come to my site to find the latest DIY kits. LOL

      Visitors to my Blog are generally high level users, or IT professionals, and you’ll notice that not one comment disagrees with my position on this issue. To the contrary – every comment is supportive of my position. That says it all.

      Thanks for weighing in on this.

      Bill
