Thursday, September 6, 2018

You Suck. You Can’t Even Detect EICAR!

It is amazing that so many people *think* that they know how to use the EICAR test file without knowing the very first thing about the file. If you do not know that detection of the EICAR test file is a false positive then you do not know the very first thing about the file.

The EICAR test file was designed as a deliberate false positive. It drives me nuts when I see someone write “this product can’t even detect EICAR.” Guess what, no product has to. Perhaps the vendor chose not to. It is a choice that does not say anything about quality. It literally is saying that a product sucks because it did not use a string signature.

If a product you test does not detect the EICAR test file, the first step is to find out if it is designed to. If not, then the test is not applicable to your product. If your product is designed to detect the file and it does not, you just learned what the file was designed to indicate. You have a problem. The problem may actually be a corrupted installation, a conflict with another product, or some other problem.

If you do not understand that the EICAR test file is a false positive, then please read “EICAR – The Most Common False Positive in the World.” And then share it with people who try to extrapolate anything about product quality from EICAR detection.
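To make the “string signature” point concrete, here is an added Python example (not code from this post or from Webroot) that does exactly what such a signature does: it matches the published EICAR test string, applying the file-layout rules from EICAR’s own description as I understand them (string at the start, only whitespace after it, at most 128 bytes); the sample inputs are constructed for the example.

```python
import string

# The 68-byte EICAR test string as published by EICAR (printable ASCII only).
EICAR_SIGNATURE = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# Layout rules for a valid test file, taken from EICAR's description
# (assumption of this example): the string must open the file, only
# whitespace may follow it, and the whole file is at most 128 bytes.
MAX_FILE_LENGTH = 128
TRAILING_WHITESPACE = b" \t\r\n\x1a"  # space, tab, CR, LF, CTRL-Z


def is_eicar_test_file(data: bytes) -> bool:
    """True only for a well-formed EICAR test file: a plain string match, nothing more."""
    if len(data) > MAX_FILE_LENGTH or not data.startswith(EICAR_SIGNATURE):
        return False
    tail = data[len(EICAR_SIGNATURE):]
    return all(byte in TRAILING_WHITESPACE for byte in tail)


def classify(data: bytes) -> str:
    """Sort data into the three outcomes a string signature can produce."""
    if is_eicar_test_file(data):
        return "eicar-test-file"        # the deliberate, by-design false positive
    if EICAR_SIGNATURE in data:
        return "eicar-string-embedded"  # a vendor may choose to flag this or not
    return "no-match"


def is_printable_ascii(data: bytes) -> bool:
    """The test file is nothing but printable text; there is no code in it to run."""
    return all(chr(b) in string.printable for b in data)


if __name__ == "__main__":
    # Constructed samples: the canonical file, one with a trailing newline,
    # a larger file that merely contains the string, and a one-byte edit.
    samples = {
        "canonical": EICAR_SIGNATURE,
        "with newline": EICAR_SIGNATURE + b"\n",
        "embedded in notes": b"scanner notes: " + EICAR_SIGNATURE + b"\n" * 120,
        "one byte changed": EICAR_SIGNATURE[:-1] + b"!",
    }
    for name, data in samples.items():
        print(f"{name:>18}: {classify(data)}")
```

A product that does not implement this match is not broken; a product that advertises the match and still returns "no-match" on the canonical file is the case the post says to investigate.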

Randy Abrams
Senior Security Analyst
Webroot

Friday, June 22, 2018

An Awesomely Good Bad Password

You would think that “Let's try again” (without the quotes) would be a horrific password but “Let's try again” is a fantastic password. Granted, for almost every use case the password is pretty bad, but I have a use case that makes the password quite satisfactory. What makes this password so good?

The answer is steganography. Steganography is the art of hiding information in plain sight. So, you might say that it is not well hidden since I just told you that it is a password, but you might be wrong. What if “Let's try again” is a decoy? It is not a decoy. Perhaps another phrase in the blog is the real password.

The truth is that there is one person in the world who knows to look here for a password to decrypt something. The contents of the encrypted item will be fairly temporal. Even if the item is decrypted by the wrong party then any potential damage will be contained. Now I could have hidden the password in the picture below, but I didn’t. I will be writing a couple of blogs on steganography in the near future, and I will use an audio file that clearly shows how secret messages can be sent in files.

For now, my work is done. The one person in the world who needed the password now has the password. The encrypted container will soon be destroyed.

Welcome to the world of steganography; it’s even more fun than “Fun With Flags!”

The Internet is pointless without cats. Mrs. Mewer was a sweetheart.

Randy Abrams
Senior Security Analyst
Webroot