Cyber threats are real, increasingly sophisticated, and can threaten the very survival of small-to-medium businesses (SMBs) as well as the financial stability of their officers, employees, and customers. These threats can come from the least expected places on the Internet, including legitimate business sites, even your own business's site. In the face of those threats, computer firewalls and traditional anti-virus programs are not enough, says Roger Thompson, chief of research at the leading data security and anti-virus vendor AVG Technologies Inc. In this exclusive interview with Wikibon.org, he spells out the threat and the multi-layered defense that businesses and individuals need to operate reasonably safely over the Internet.
Wikibon: The nature of the threat to our computers and data seems to be changing constantly. Originally the exploits were mostly pranks—malware that would send a message to everyone in your e-mail address book and kids who hacked corporate firewalls and PCs to prove they could do it. Now the threat seems to be focused on theft—ID theft, credit card fraud, and denial-of-service attacks designed to force companies to pay ransoms, and, of course, the thousand variations on the Nigerian e-mail scam. What do you consider the most important threats that organizations face today?
Mr. Thompson: The major difference today is that the real threat is coming in from the Web. Old-style computer viruses have just about disappeared—except for a couple of really nasty ones that you don't want on your computer. And as firewalls have become stronger and better, successful direct penetration attacks have also become rare.
The advantage of using the Web [to deliver malware] is that you start your browser from a trusted place inside the firewall, and when you then access a Web site you create an instant tunnel through your defenses. Today an entire underground economy of gangs is using increasingly sophisticated strategies to induce you to invite them in right through your firewalls, onto your computer. So if the Web site you visit was designed with a hostile intent or is hiding malware such as a key logger, that malware has a shot at coming through the firewall and executing on your machine. I would go so far as to say 99% of the malware today is being delivered via the Web, almost nothing via e-mail, almost nothing forcing its way in.
Wikibon: So then the idea is to avoid accessing sites that are not reputable and may be designed to infect your computer?
Mr. Thompson: Certainly that is a good start. Visiting a Web site of, shall we say, ill repute is as dangerous as visiting a house of ill repute, except that instead of having your wallet stolen while you are there, you are likely to have malware programs designed to steal your passwords and online personal or business identity, to let the crooks behind the site clean out your accounts.
However, that is not enough by itself. The interesting thing is the bad guys have developed methods of launching attacks from innocent sites down to a fine art. They can hack into perfectly legitimate sites so that visitors will download malware without realizing it. Another favorite trick is to plant false banner ads on sites that seem to be for legitimate products, but when someone clicks on the ad they are taken to a site that downloads malware. Today the bad guys' primary strategy is to convince you to download the malware voluntarily so it can install itself on your computer.
Wikibon: That sounds like bad news – particularly the part about the bad guys planting malware traps on trusted sites. How bad is this?
Mr. Thompson: I blogged the other day about several Facebook applications that have been hacked by someone so that when you clicked on them they connected you to an exploit site in Russia. Twitter and MySpace apps and messages have been hacked. So even when you are doing something as supposedly safe as playing on Facebook, if you choose the wrong app it will try to launch the Adobe Reader exploit. The bad guys, by the way, love Adobe Reader because it is pervasive, and it hasn't been subjected to a lot of scrutiny. Adobe Reader is the Internet Explorer 6 of 2009, but problems have been found with the other Adobe products as well.
Wikibon: And of course Adobe applications are very commonly used in businesses today. What else is happening out there?
Mr. Thompson: The bad guys are continually finding new ways to attack via the Web. Another trick they use is remote file injection to divert legitimate Internet searches to their malware sites. They often use this with major news events. For instance, within 24 hours after the Samoan earthquake and the tsunami [on Sept 29, 2009], the top page that turned up on Google searches for information was actually a link to a malware site.
Another favorite trick is a banner ad with a scripting language embedded in it to direct anyone who clicks on it to a rogue site. The gang creates an ad for some legitimate product [and a link to the legitimate site connected to that product] and presents that to an online ad network that places these banners on legitimate sites. Once the ad starts running, the crooks swap out the legitimate version for one with a link to their site or to a rotator site that will randomly connect people to a rogue X-rated or Viagra site, a rogue anti-virus site, or some other site—including possibly the page for the real product. That way you almost never see the same thing twice, and it becomes much harder to identify exactly what the rogue ad is doing and defend against it. These rogue ads can pop up on any Web property in the world that has advertising—CNN, the New York Times, any place—and because they are being distributed through legitimate advertising networks, no one realizes what is happening until the damage is done.
Wikibon: You mentioned rogue anti-virus sites. How common are they and what do they do?
Mr. Thompson: We encounter rogue anti-virus sites every day. These sites offer you a supposedly free anti-virus scan. They then tell you that your computer is infected (they may have infected it when you clicked on the free scan offer) and you need to buy their anti-virus software. When you do that, two things happen. First the site downloads a supposed anti-virus program that is almost always something malicious. That is often protected with a rootkit. So if your computer wasn't infected before, it is now. And they capture your credit card information, and of course they can do anything with that. The next thing you know your account is being charged for thousands of dollars of stuff you never bought.
Wikibon: So obviously we all need strong security protection for our computers. And I presume that the main part of that protection is what has been called anti-virus and now is being renamed anti-malware, such as the security applications your company develops and sells.
Mr. Thompson: Anti-virus applications have been the center of PC security for years. But today the anti-virus companies, including AVG, face a major problem that is making their products less effective. All the anti-virus products are basically signature scanners. The principle is that each piece of malware has a specific “signature” in its code that identifies it. As new malware appears, the security companies analyze it and send out updates that contain the new signatures. These updates come out often—sometimes several times a week—which is why it is important to update your anti-virus software frequently. This software is very good at dealing with the malware it knows about but not with the stuff it doesn't.
The problem is that the bad guys understand this and are producing tens of thousands of variations of their malware, each requiring a different signature, every week. These are all presented to the anti-virus companies. In fact every anti-virus lab gets 250,000 samples, of which 20,000-30,000 are new and unique, every day.
Then these gangs of bad guys only release a few hundred of those variations at a time, but the anti-virus companies don't know which are being released. So they have to update the software on your computer to search for all of those variants. That's why anti-virus software now takes several hours to do a full scan of a disk.
In a few days the gangs then swap out the versions they released for new versions from another batch of thousands of variations, starting the process over again. And there are several hundred of these gangs operating worldwide on the Internet, so every few days we are talking about several hundred new malware variants. The result is that the anti-virus systems are being swamped. They are still an important part of computer security, but none of them can catch everything any more.
Wikibon: So if anybody, regardless of how careful they are, can be tricked to invite malware through their firewall, and if anti-virus software cannot be relied upon to catch the malware, what is the answer? It looks like a pretty grim picture.
Mr. Thompson: The good news in all this is that 99% of this malware is being delivered via the Web, and that the bad guys really only have relatively few basic exploits and engineering tricks to deliver it. So we advocate a layered defense with anti-virus to watch for signatures and other products to watch for the behavior both of the delivery system and of the software itself. So for instance, our product, LinkScanner, watches for malicious stuff coming from the Web. If it sees something using a method associated with malware delivery to get onto the computer system, it stops the download based on the suspicious activity rather than a signature. The idea is that if I receive a letter bomb I don't really care what kind of letter bomb it is, I'm just going to stop it. We give LinkScanner away, so there is no excuse not to have it on your computer.
Then last year we bought Sana Security. Its product watches for malicious behavior rather than specific signatures. This is another weak point in the malware—there may be thousands of signatures out there, but all of them have basic behaviors in common. So when Sana sees those behaviors, for instance that the code runs hidden and continues running after a reboot, it removes the malware without being taught. So the combination gives you three layers of protection that add up to pretty good security.
Wikibon: So organizations should be putting a layered security system on their employees' computers. What else can they do?
Mr. Thompson: First, I like to tell people to sharpen up their skepticism bone. No one really wants to send you $20 million. You don't really have a secret admirer. That pretty Russian girl who wants to be your friend isn't really pretty, is probably not a girl, and certainly isn't your friend. She just wants your money. And by the way, there are people who use the same strategies on the telephone to try to get your passwords, so be skeptical of suspicious phone calls as well.
Second, you should use multiple, strong passwords, so that if someone does get one password they cannot access all your accounts. And you should change those passwords regularly. I say that it is fine to write them down on a piece of paper and carry it in your wallet. At least then if your wallet is stolen you know you need to change the passwords immediately.
And third, laptops still get stolen. So try to avoid having really sensitive information on your laptop, or if you do at least encrypt it so that a thief cannot get to it. And pay close attention to what happens to your laptop, particularly in airports and other public places.
Finally, those public WiFi hot spots at restaurants and other places are not secure. When you are away from your office or home, you should be using a 3G or 4G cell phone connection to get to the Internet, not a public WiFi spot.