Third day of the VB 2010 Conference

The 3rd and last day of the conference was also very interesting and offered a lot of hot topics. The Corporate track started with a very interesting discussion of how human psychology is used to make spamming successful. Directly after, ICSA Labs explained how they perform AntiSpam testing on enterprise solutions. I found out that ICSA is actually generating the HAM messages in order to create a bigger HAM corpus. I don’t think this is a good method because it practically deactivates important features like RBL and Gray Listing. The Technical track was mostly dedicated to malware analysis, password stealing for MPG (Massive Multiplayer Games) like WoW, in-the-cloud URL scanning, and how and why large-scale malware experiments are done.

One presentation provoked some tough reactions in the audience: AV Testing exposed. The 5 members of the team from ESET spent the entire time discussing how important it is to have a large enough test set, which should be clearly defined, well proofed and validated by all vendors, before doing any testing. I agree with this, but there is way more than this to AV testing. What I completely missed was any mention of the user.

Why would a user care about how many samples an AV caught or missed, when he is visiting a website and gets infected? I think that the entire testing should be done from a user’s perspective. The user must feel free to do whatever he wants to do when he has an AV solution installed. In order to help the user decide which product he should use, the AV testers should provide him with this kind of information. Sure, I agree that there has to be a baseline, but this exists and it is represented by the “In The Wild List” (ITW).

In conclusion, in my opinion, testing of AV solutions should be performed from multiple perspectives: baseline check (ITW), dynamic detection of threats (polymorphic malware, Java scripts, etc.), and URL categorization and blocking (spam, malware and phishing links).

The conference closed with a panel session about “Social Networks and computer security”. For the first time, the panel discussion had a live feed on Twitter where people in the room and from all over the world could send questions and comments.

The discussion was too short to reach conclusions, but everybody agreed on one thing: we, the engineers working in the software security industry, have to create more awareness about digital threats. User education is becoming more and more important these days, when the threats are evolving every day.

Sorin Mustaca
Data Security Expert