Truth About Computer Security Hysteria
A simple filter rule stops ILoveYou
Rob Rosenberger, Vmyths co-founder
Thursday, 2 November 2000
Henri Delger writes TipWorld's popular "Virus Alert" newsletter. He recently covered the issue of double extensions. ILoveYou used this four-year-old technique to destroy the Internet, as you may recall. "You should view such a file with suspicion," he concluded, "because an extra (false) extension is a trick virus writers use to fool people into opening a file."
Graham Cluley (Sophos) covered the issue of double extensions in his speech at VB2000. I could run through a list of experts who feel the same way. I'm not exactly alone here, if you catch my drift.
Still, I took heat for a recent editorial where I blamed security managers for letting double extensions arrive in email. They should block attachments with two periods in the last eight characters of the filename, I insisted.
My opinion didn't exactly please everybody. Unix gurus like to send ".tar.gz" files to each other, for example. Others think we should blame Microsoft because Windows hides trailing extensions. Some people said--
No, waitaminit. Let's get over this "blame Windows for double extensions" thing right now. You might as well blame the financial industry for computerized money laundering. After all, they made it possible to launder money by computer. Capiche?
So where was I? (Oh.) Anyway, my critics cited "false alarms" most often. "Do you realize how many innocent emails will get quarantined because of your stupid little filter rule?" No problem, I said: just modify the filter to meet your needs. Simple, right? I withstood every critique — because no one could tell me how many false alarms would result from a simple ".???.???" filter rule.
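As an added example (not code from the column, and not what MessageLabs ran), here is the ".???.???" rule exactly as stated above, "two periods in the last eight characters of the filename", applied to a constructed list of attachment names. It also shows why the trick works on users: with "hide extensions for known file types" on, a name like `love-letter.txt.vbs` is displayed as `love-letter.txt`. The `KNOWN_EXTENSIONS` set is an assumption standing in for whatever the desktop registers, and the `.tar.gz` exemption in `blocked_by_rule` is one illustration of "modify the filter to meet your needs", not a rule the column prescribes.

```python
"""Double-extension attachment filter: the '.???.???' rule with a tunable exemption list."""
from typing import Callable, Iterable, List, NamedTuple, Tuple

# Assumed stand-in for the extensions a desktop treats as "known" and hides.
KNOWN_EXTENSIONS = {"txt", "jpg", "doc", "vbs", "exe", "gz", "htm"}


def has_double_extension(filename: str, window: int = 8) -> bool:
    """The rule as the column states it: two or more periods in the last
    `window` characters of the name. '.???.???' is eight characters, so a
    three-letter extension stacked on another always matches."""
    return filename[-window:].count(".") >= 2


def blocked_by_rule(filename: str, allowed_suffixes: Tuple[str, ...] = (".tar.gz",)) -> bool:
    """The same rule with a site-specific exemption list (an assumption here:
    the '.tar.gz' exemption answers the Unix gurus' complaint without
    letting a script hide behind a data extension)."""
    if filename.lower().endswith(tuple(s.lower() for s in allowed_suffixes)):
        return False
    return has_double_extension(filename)


def displayed_name(filename: str) -> str:
    """Approximate what a file browser shows when it hides known extensions:
    the trailing extension disappears, so 'love-letter.txt.vbs' reads as a
    harmless text file."""
    stem, sep, ext = filename.rpartition(".")
    if sep and ext.lower() in KNOWN_EXTENSIONS:
        return stem
    return filename


class Verdict(NamedTuple):
    filename: str
    shown_as: str
    blocked: bool


# Constructed sample names, not the attachments from any real mail stream.
SAMPLE_ATTACHMENTS = [
    "love-letter.txt.vbs",    # script hidden behind a data extension
    "holiday-photo.jpg.exe",  # executable hidden behind an image extension
    "quarterly-report.doc",
    "kernel-patch.tar.gz",    # legitimate double extension: the false positive
    "notes.txt",
    "setup.exe",
    "readme",
]


def triage(filenames: Iterable[str],
           rule: Callable[[str], bool] = has_double_extension) -> List[Verdict]:
    """Run one rule over a batch of attachment names."""
    return [Verdict(f, displayed_name(f), rule(f)) for f in filenames]


def summarize(verdicts: List[Verdict]) -> Tuple[List[str], List[str]]:
    """Split verdicts into (blocked, passed) name lists."""
    blocked = [v.filename for v in verdicts if v.blocked]
    passed = [v.filename for v in verdicts if not v.blocked]
    return blocked, passed


if __name__ == "__main__":
    for label, rule in (("bare rule", has_double_extension), ("with .tar.gz exempt", blocked_by_rule)):
        print(f"--- {label} ---")
        for v in triage(SAMPLE_ATTACHMENTS, rule):
            print(f"{v.filename:24} shown as {v.shown_as:20} {'BLOCK' if v.blocked else 'pass'}")
```

Running the script shows the trade-off the column argues about: the bare rule catches both disguised executables and the `.tar.gz` archive; the exempted variant passes the archive while still blocking the script, which is the kind of one-line tuning the "false alarm" critics would need to make themselves.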
But I didn't want to win this debate by default! My opinions should stand or fall based on evidence, not the lack thereof.
So I turned to Alex Shipp (MessageLabs). His company provides managed email security on three continents. I figured if anyone could prove me right or wrong, he could. MessageLabs conducted an experiment as a favor for me, and Shipp reported these results:
229,852 emails in the test
My critics will berate me at this point. "Look at all those false positives!" Yeah — but my stupid little filter rule achieved 100% detection where it counts. It could have stopped ILoveYou, NewLove, Serbian-Badman, and Stages before they existed. Today's popular antivirus software couldn't stop them until after they existed.
Time to make a decision, kiddies. You can impact everyone in your firm because ILoveYou got through ... or you can impact one person who quietly sifts through false positives.
This filter rule causes almost no false positives. And it can stop ILoveYou dead in its tracks.
Today's popular antivirus products bind themselves to desktop email software. They scan every incoming email for dangerous attachments. And they failed to detect ILoveYou. Do you see the problem here?
Time to make another decision, kiddies. You can buy into managed email security ... or you can buy a better antivirus product.