St. Patrick's Day security

by Paul Ducklin on March 18, 2010 | Leave a comment

Filed Under: Malware

Dear Diary,

Back from another trip to New Zealand. Wellington on Tuesday and Auckland on Wednesday. Probably should have arranged to stay over Wednesday evening, as it was St Patrick's Day.

Thanks to timezone magic, Auckland is almost the first place in the world which gets to celebrate St Pat's (the Eastern islands of Kiribati, at UTC+14, are the very first to get there). This means that Aucklanders are able to start really early, to celebrate that they are able to celebrate earlier than everyone else. By noon, therefore, the streets were already filling with green shirts and hats, all containing people.

St Pat's in Auckland is a bit like Royal Ascot or Melbourne Cup Day, but with a much greater sense of purpose, and without the horses.

Seriously, though, I had genuine business to conduct, speaking at our twice-yearly Sophos Signature Luncheon events which we hold in cities around Asia Pacific. We get together regional experts and thought leaders in information security, and discuss the changing nature of the computer security threat landscape. (That's what I tell the auditor chappie, anyway.)

Recently, I've grown tired of hearing the doomsayers going on about how the security battle is lost, that anti-virus is dead, that cybercriminals are smarter than the rest of us, that SophosLabs might as well give up, and we're all doomed anyway.

So I gave a talk about the Halting Problem, and its cousin, the issue of whether it's possible to write a Perfect Anti-Virus. For "Perfect Anti-Virus", you can generalise to any analytical software which aims to predict the correctness or incorrectness of the behaviour of other programs. Can you have a Perfect Security Program?

You can't.

The bad guys can always play one more card to circumvent the protection you currently have in place. You don't have to make it easy for them – in fact, with decent defence in depth and proactive detection, you can make it darned tough – but it will always be mathematically possible for them to force you to respond.

So although, at SophosLabs, we rate our proactive detection capabilities very strongly indeed, the fact that we also maintain reactive skills and systems is not a sign of weakness, but of necessary strength.

And there's a neat thing about the mathematical proof that a Perfect Anti-Virus (one which never, ever needs updating) is impossible. It comes with a corollary, namely that a Perfect Virus (one which can never be detected) is impossible, too. You can't write a virus I will never be able to detect.

So, forasmuch as the Halting Problem says that the cybercriminals always win, since they can force us to come up with one more update, it also shows that they always lose.

Enough, therefore, with the pessimism! Stop assuming that the cybercriminals are clever whilst we are not!

Oh, and please watch our new video, which takes you inside SophosLabs to show you how a Dream Team of malware fighters is made.

Tags: , , , , , , ,

Leave a Reply

Your email address will not be published. Required fields are marked *

*

You may use these HTML tags and attributes: <a href="" title="" rel=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <pre> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>

About the author

Paul Ducklin is Sophos's Head of Technology, Asia Pacific. He won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. (Try saying that quickly.) Email him in the Sydney office or follow him on Twitter at @duckblog.