Nov 24 2008

Does the banking industry really care about the Sinowal trojan?


Windows Secrets editor Woody Leonhard and I go way back. I mean waaaay back. We moved in some of the same circles in those halcyon days when I worked deep within the financial industry. I labeled him “one of the foremost authorities on macro viruses” in the previous millennium.

Leonhard asked for my viewpoint while fleshing out his recent column on the Sinowal trojan, aka the Mebroot trojan. Let’s pick up at the point where he mentions me:

So, you’d figure the banks and financial institutions being targeted by Sinowal / Mebroot would be up in arms, right? Half a million compromised accounts for sale by an unknown, sophisticated, and capable team that’s still harvesting accounts should send a shiver up any banker’s spine.

I asked Rob Rosenberger about it, and he laughed. Rosenberger’s one of the original virus experts and was also one of the first people to work on network security at a large brokerage firm.

“I’ll be labeled a heretic for saying this, but … from a banking perspective, frauds like this have never qualified as a major threat. A banker looks at his P&L sheets and writes off this kind of fraud as simply a cost of doing business. Such fraud may amount to billions of dollars each year, but the cost is spread across all sectors of the banking industry all over the world.

“Banks have dealt with this kind of fraud for many, many decades,” Rosenberger continued. “Forget the Internet — this kind of fraud existed back in the days of credit-card machines with carbon paper forms. The technology of fraud gets better each year, but this type of fraud remains consistent. From a banking perspective, the cost to obey government regulations dwarfs the cost of any individual case of fraud.”

The banking industry will call me a heretic, claiming “we actually do quite a bit to reduce this kind of fraud!” Very true — but government regulations force bankers to be accurate, not to be advocates. If your credit card gets harvested, a banker will correctly tell you to file a police report so the cops can catch the robbers.

The government, too, will call me a heretic, claiming “we actually do quite a bit to reduce this kind of fraud!” Very true — but law enforcement agencies focus on protecting the society, not the individual. If your credit card gets harvested, a policeman will correctly tell you to file a copy of the report with your bank so they can credit you for any fraudulent transactions.

Let’s get back to Leonhard:

If the bankers aren’t going to take up the fight against Sinowal / Mebroot, who will? The antivirus software companies have a long tradition of crying wolf, and their credibility has suffered as a result.

In this particular case, the major AV packages have failed to detect Sinowal / Mebroot over and over again. It’s hard to imagine one of the AV companies drumming up enough user interest — or enough business — to fund a mano-a-mano fight against the threat. Besides, the AV companies are chasing the cows after they’ve left the barn, so to speak.

Very true. Vmyths has documented quite a bit of wolf-crying over the last two decades. I’d give you a link to something more specific … but I honestly don’t know where to begin.

And despite all their chest-thumping, the antivirus industry doesn’t put their money where their mouth is. They’ll only go so far as to announce they’ve joined “the fight against crime,” as if to lend credibility to the fact they wear tights & capes & codpieces and fight whatever crime amuses their shareholders.

Chest-thumping law enforcement agencies don’t put their money where their mouth is, either. You don’t hear about the U.S. Justice Department offering rewards for information leading to the arrest & conviction of credit card harvesters scattered all over the world.

Microsoft finally one-upped everyone when they set up a $5 million “Anti-Virus Reward Program.” Despite all their chest-thumping, the antivirus industry remained mostly silent about it. Go figure.

Continuing with Leonhard’s column:

The folks who make malware these days constantly tweak their products, often using VirusTotal or a proprietary set of scanners to make sure their programs pass muster. A day or an hour later — before the AV companies can update their signatures — the bad guys unleash a new version. AV companies know that and are moving to behavioral monitoring and other techniques to try to catch malware before it can do any harm.

Very true — but here I must defend the antivirus industry. They tried to offer “behavioral monitoring and other techniques” back in 1991, much of it based on techniques proven in the 1980s by Andy Hopkins and Wolfgang Stiller, et al. Antivirus firms couldn’t market their newfangled “hybrid” products because their customers wanted nothing to do with them. They blindly demanded virus-scanning technology, period.


Leonhard goes on to say:

The only company that seems to be in a position to fix the [exploited vulnerability] is Microsoft. But it’s hard to imagine MS management devoting the time and resources necessary to fix major security holes in a seven-year-old product, particularly when XP’s successors (I use the term lightly) don’t appear to have the same flaw.

This is short-sighted, however. It’s only a matter of time before Sinowal / Mebroot — or an even-more-dangerous offshoot — finds a way to do its damage on Vista systems as well.

I agree very strongly with Leonhard. Quoting myself from a previous column: “Symantec worked for years on Vista’s security back in the day when Microsoft called it the ‘Longhorn project.’ We know this because, years ago at a global Virus Bulletin conference, Symantec gave a hoity-toity speech on all of the new types of malware they feared would debut with Redmond’s new operating system.”


So. Who (besides the criminals) can we blame for present and future Internet-centric credit card fraud?

  • You can’t really finger Microsoft. Their customers scream so much for ease of use that it drowns out any whimpers for cumbersome security.
  • You can’t really finger the antivirus industry. Their customers still demand inferior technology.
  • You can’t really finger the customers. They only know what they find on store shelves.
  • You can’t really finger the government. They’re just a very large customer.

You could almost describe it as “four corners of stagnation,” couldn’t you? Continuing with Leonhard’s column:

If Microsoft decides to take on Sinowal / Mebroot, the company is up against a formidable opponent that draws on many talented programmers. John Hawes at Virus Bulletin says ‘I recently heard someone estimate that a team of 10 top programmers would need four full months of work to put together the basic setup.’

Aha, but the initial setup would be just that — initial. These Sisyphean programmers would toil forever just to keep up with the bad guys. It would be like … um … like … well, it would be like working at an antivirus firm, wouldn’t it?

Now, don’t get me wrong! I’ve long believed an elite team could tackle this eternal project. But they won’t work for Microsoft, they won’t work for an antivirus firm, and they certainly won’t work for the banking industry. There’s simply no profit in it.

A product for the good of society that prevents credit card harvesting would need to come from a government team working towards society’s best interests under the auspices of, say, US-CERT.

Just don’t hold your breath for a government solution to credit card harvesting over the Internet. As I told Leonhard: “from a banking perspective, frauds like this have never qualified as a major threat.” The technology of fraud gets better each year, but this type of fraud remains consistent. Government officials and bankers alike will highlight the need for “user education” and that will be that.

From a banking perspective, Leonhard is just one more person with a Cassandra complex

Feb 18 2005

An open letter to the new chairman of US-CERT


Dear Howard (may I call you Howard?),

Long time no talk. Waitaminit, when’s the last time we ever gabbed on a phone? You never call, you never write. But enough chit-chat. Let’s discuss your new chairman position at US-CERT.

An open letter to Howard Schmidt, a former White House cyberspace security advisor who returned to Washington as chairman of US-CERT

We’ll begin with the obvious. As a whole, the antivirus industry dismisses CERT/CC as a naïve little sister who gets injured every time she tries to play football with her big brothers. I don’t make this claim lightly. Worse: the antivirus industry views US-CERT as the Siamese twin to CERT/CC. I myself hold neither agency in high regard due to their co-dependent relationships with some of the dead wood at DHS.

Richard Pethia’s leadership at CERT/CC certainly annoys me — but I felt a lot better about US-CERT when you got tapped for the chairmanship. I’m an unabashed fan of yours and I ain’t afraid to admit it. Call me crazy but I like you. So if you don’t mind, I’d like to advise you on three big issues you should focus on during your tenure.

First, we need another roundtable meeting to bring government computer security analysts together with the Fortune 1000 CISOs. My sources say you’ve tried to bring the corporate sector to Washington at least since mid-2004 so they can (in your own words) “articulate to the government” where they see the role of government. You’ll head in the right direction with this effort and you need to keep it up. Ignore anyone who thinks otherwise.

You’ll notice I didn’t say “conference” and I didn’t say “computer firms.” You specifically need a roundtable meeting with the Fortune 1000 CISOs. The U.S. corporate sector as a whole needs to tell the government what cybersecurity missions they can do all by themselves; what they can’t do all by themselves; and what they collectively need from the government. Conversely, the feds must reveal what cybersecurity missions they can do all by themselves; what they can’t do all by themselves; and what they need from the corporate sector. This explains why you need to set up a roundtable meeting rather than a conference.

And remember! You bestow true legitimacy on a meeting when you invite a true critic. Notice I didn’t say “me” and I didn’t include Vmyths. Richard Forno (InfoWarrior.org) would make an excellent choice, for example. I can name other critics if he declines.

You & I travel in some of the same circles, so let me point out a major issue for your roundtable meeting. You know many CISOs incorrectly fear the U.S. Freedom of Information Act (FOIA). A roundtable meeting may help to allay those fears. Government analysts are experts at assembling and sanitizing intelligence data. Computer security analysis is a realm best left to the intelligence community. You must make this clear to the corporate sector.

(I just hope those government cyber-analysts will someday realize their pecking order within the intelligence community. “Who needs HUMINT when you can monitor IRC chat rooms?” Bah. You don’t even want to get me started about the SQL/Slammer threat briefing you & Richard Clarke received at the White House. “This mIRC log conclusively proves a hostile nation-state ordered its über-warriors to blow up western civilization right after they finished the evening shift at Taco Bell!” Sheesh. I just hope you didn’t fall for such a shoddy intelligence briefing. Ah, but I digress…)


Second, US-CERT must continue to strive for a standard naming convention for viruses & worms. The industry’s historic lack of concern (and I do mean “lack of concern”) has reached a crucial point — not within the antivirus industry, but within the industry’s customer base. Critics want a single standard name for each virus. Customers want it, too. The U.S. government is a big antivirus customer. You gotta throw enough bucks at MITRE.org so they can get this project off the ground.

Trust me, Howard. Antivirus firms are lazy beasts. If Washington comes up with a virus naming convention, the global antivirus industry will moan & groan, but they will embrace it. And then they’ll usurp credit for it. But hey, that’s life.

Third, you need to reiterate the threat posed by our “blind trust in software firms,” as you yourself so eloquently put it. You’ve pointed out the P-Tech Software/Al Qaeda Terrorism investigation and the JECC Software/Aum Shinrikyo Terrorism investigation. This time, deep within US-CERT, you also need to point out how U.S. antivirus firms armed China for years under our very noses. Members of the antivirus industry now arm Cuba with viruses and they almost certainly arm North Korea, too. (Let’s hope your intelligence analysts already knew this.) We’d never trust some of these virus experts with the combination to a GSA safe, yet we blindly trust them to protect top secret government PCs. There’s something wrong with this picture and you know it.

Okay, now you know the three big issues you should focus on during your US-CERT tenure. Time for me to ramble incoherently for the next few paragraphs.

Amit Yoran struck me as an optimist who felt our top bureaucrats wanted to protect corporate infrastructures from suicide hackers. Neither you nor I (yet) subscribe to this view. We both realize the top bureaucrats need to nitpick over the political apparatus before they can police our corporate infrastructures. The bureaucrats lost sight of their true mission when they started fighting over turfs & budgets.

This explains why Amit Yoran resigned in frustration. He went to D.C. to guide cyber-security initiatives when in fact he should have guided the apparatus. Yoran was the wrong man for the job.

Poland’s Lech Walesa faced the same kind of problems you faced at Microsoft. Each apparatus needed someone to bring it back into focus. Granted, neither you nor Walesa got the credit you deserved for pulling the apparatus together during your tenures. But hey, you both realized what needed to be done and you did it. You were the right men for the job. This puts you above Amit Yoran.

Just remember: you’re starting over again and you’re quite a bit lower on the food chain this time around. Good luck.

So! Let’s end this on an upbeat note, Howard.

Your CERT/CC counterpart, Richard Pethia, missed Melissa’s ultimate lesson in 1999. The antivirus industry dismisses him as a myopic figurehead — but they don’t dismiss you so far as I know. To be specific, you helmed Microsoft’s security teams at the turbulent beginning of real change. More to the point, I know for a fact your teams recognized Melissa’s ultimate lesson the day it struck. Just be sure to get your virus expertise from real virus experts. (And I don’t mean myself.)

That’s it for me. Hope you enjoyed the holidays. Your unabashed fan, Rob.