AV just doesn’t work for targeted attacks: Schneier

F-Secure’s Mikko Hypponen partially agrees.

Antivirus vendors missed Flame, Stuxnet and Duqu because they never considered them a priority, not because the attackers were superior, says security technologist Bruce Schneier.

Schneier takes a shot at F-Secure’s Mikko Hypponen, who recently explained that the AV industry’s failure to detect military-grade malware samples came about because the contest between attacker and defender was “unfair”.

Hypponen argued while AV can protect against “run-of-the-mill” malware, the better-resourced attackers likely went to great lengths “to make sure that the malware wouldn’t be detected”.

“They have unlimited time to perfect their attacks. It’s not a fair war between the attackers and the defenders when the attackers have access to our weapons,” wrote Hypponen.

The problem Schneier has with this argument is that everyday crooks who write viruses, worms and spam have been doing exactly the same thing for decades.

AV vendors admitted when Flame first made it on their radar that they had samples of it, but Schneier says “they just didn’t do anything about them”.

The real reason why AV vendors missed all three high profile threats is that it was “never a priority to understand”.

“[T]he difference has more to do with the ways in which these military malware programs spread. That is, slowly and stealthily,” wrote Schneier.

Hypponen doesn’t disagree with Schneier's assessment.

“Bruce is right, too. We had copies of Flame sent to us via automated systems in 2010. We had categorised them as clean, because that's what the files looked like,” he told CSO.com.au.

“And since there were so few reports, we never went back to re-categorise them until 2012 when we finally realised how important they were.”

But if, as Hypponen said, missing the malware was a "spectacular failure" of the entire industry, it just suffered another one last week.

The spying trojan Symantec labelled Naid, which was used against visitors to Amnesty International’s Hong Kong website, had been on its records since January 2010, but no vendor added a signature until last week, after it was associated with an attack that exploited the IE zero-day flaw Microsoft patched last week.
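Both the Flame and the Naid cases above describe the same triage failure: a sample arrives through automated feeds, is filed as clean or low-interest because few customers report it, and is never revisited until an outside event forces a second look. The following Python is an added illustration written for this page, not code from the article, F-Secure or Symantec. It models a sample queue with two policies: a prevalence-only ranking that reproduces the failure, and a variant that reserves part of the analyst budget for old, never-re-examined "clean" verdicts. All sample names, report counts and dates are constructed, and the function names are hypothetical.

```python
"""
Added example (not from the CSO article or any AV vendor): a toy model of
a prevalence-driven sample triage queue. It shows why a slowly spreading,
low-report sample can sit in the archive for years, and one mitigation:
periodically re-reviewing old low-prevalence verdicts regardless of how
few reports they have.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional


@dataclass
class Sample:
    name: str                     # constructed label, not a real hash or IoC
    first_seen: date              # when the automated feed first delivered it
    report_count: int             # how many endpoints reported it (constructed)
    verdict: str = "unknown"      # "unknown" or "clean"
    last_reviewed: Optional[date] = None  # when a human last looked at it


def prevalence_only_queue(samples: List[Sample], budget: int) -> List[str]:
    """Naive policy: analysts only look at the most widely reported samples."""
    ranked = sorted(samples, key=lambda s: s.report_count, reverse=True)
    return [s.name for s in ranked[:budget]]


def age_aware_queue(samples: List[Sample], today: date, budget: int,
                    stale_after: timedelta = timedelta(days=180)) -> List[str]:
    """Mitigation: reserve roughly a third of the budget for 'clean' verdicts
    that have not been re-examined within `stale_after`, oldest first, and
    fill the remainder by prevalence as before."""
    stale = [s for s in samples
             if s.verdict == "clean"
             and (s.last_reviewed is None or today - s.last_reviewed > stale_after)]
    stale.sort(key=lambda s: s.first_seen)          # oldest unreviewed verdict first
    reserved = max(1, budget // 3)
    chosen = stale[:reserved]
    chosen_names = {s.name for s in chosen}
    rest = sorted((s for s in samples if s.name not in chosen_names),
                  key=lambda s: s.report_count, reverse=True)
    return [s.name for s in chosen + rest[:budget - len(chosen)]]


# Constructed data: four noisy commodity samples and one quiet sample that
# arrived in 2010, drew only a handful of reports and was filed as clean.
TODAY = date(2012, 6, 1)
SAMPLES = [
    Sample("sample-a", date(2012, 5, 30), 12000),
    Sample("sample-b", date(2012, 5, 29), 8500),
    Sample("sample-c", date(2012, 5, 31), 4100),
    Sample("sample-d", date(2012, 5, 28), 900),
    Sample("sample-e", date(2010, 3, 12), 3, "clean", date(2010, 3, 12)),
]


if __name__ == "__main__":
    # With three analyst slots, the prevalence-only policy never reaches
    # sample-e; the age-aware policy pulls it back in for re-review.
    print("prevalence only:", prevalence_only_queue(SAMPLES, 3))
    print("age aware:      ", age_aware_queue(SAMPLES, TODAY, 3))
```

The point of the second policy is not that old samples are more likely to be malicious, but that a queue ordered purely by report count has no mechanism at all for revisiting a verdict once it has been filed, which is exactly the gap Hypponen describes.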
