In recent weeks, the Conficker virus has been causing a lot of havoc everywhere: account lockouts, network congestion and a lot of headaches. People running Symantec anti-virus software know the same virus as "Downadup", and that's not the first time a virus gets labeled differently by different companies. After all, there's no single authority that investigates viruses, but that got me thinking: maybe it's time we had one.
With things as they are now, it takes the anti-virus market some time to react to new viruses. Each AV vendor gets samples from its customers, analyzes them and issues signature updates to its product. Each vendor uses its own methodology to assign a priority, and as a result, some vendors take longer to react. In the Conficker case, for example, Symantec's product is still unable to remove the infection today, almost 3 months since the virus's first appearance. Even when an update is issued, it's usually available only to customers of AV vendors, while users without AV software are stranded (we'll discuss the stupidity of not having AV software on your computer another time).
When a new type of virus or disease appears in the real world, no one waits for Pfizer or Bayer to classify it and inform the public. In the USA, we have the Department of Health and Human Services and the CDC (Centers for Disease Control), as well as other federal agencies like FEMA, to help manage outbreaks. Since computer worms and viruses do have an economic impact, which could easily reach disastrous proportions (as in the case of worms such as MS Blaster, Code Red and Sasser), I feel that this sort of thing should definitely be at least shared by the governments of the world. A Federal Malware Research Center could bring some order to this wild field, and have the necessary resources to inform the public of new threats and how to manage them.
And another thing, while we're at it... we should stop giving worms "cool" and distinctive names. Maybe if the latest virus were called "The Dumbass 1", virus writers would be a little less proud of themselves. Now seriously, a malware's name is not a big deal, but it's sad to say that the press today is still glorifying viruses, thereby encouraging low-self-esteem jerks to write them. Writing a virus is stupid and detestable, and this message should be delivered clearly whenever the issue is discussed in the media - no discounts or exceptions.
Wednesday, January 28, 2009
Tuesday, December 30, 2008
Unleash the hounds!
Most security people are concerned with their current firewall or SSL-VPN, but some are already thinking about the future. We all know that the current line of security products is very secure, and we already have solutions for most current threats, but it's a cat-and-mouse game. We put up firewalls, and the hackers turn their attention to our dial-up modem banks. We implement call-back, and they go after the VPN cluster. We get digital certificates and they start targeting our endpoints with Trojans. This is never going to end, of course, but the question is... what's next?
As long as there are money and computers in the world, there will be cyber criminals looking for ways to get them. The question of what threats and exploits are on the horizon is being asked not only by security professionals, but also by software development companies. The first company to predict the next threat will possibly be the first to develop a solution for it, and capitalize on it when everybody rushes to buy it. So, how do you find the winning horse?
The major shift in the security industry lately was from network security to endpoint security. As security products for the network and the backbone have matured, attackers turned to exploiting the weaknesses of human nature. Trojans and spyware became a global phenomenon, opening a channel for direct access to the corporate network through any desktop. Security companies quickly developed a slew of solutions - anti-spyware scanners, endpoint lockdown mechanisms and Network Access Control systems. By now, most companies have implemented at least some of these, but there are more threats on the horizon.
Criminals are drawn to where the money is, and in the technology world, the money is where the DATA is. While the data in your servers and workstations is probably protected well enough, there are still some sources of data that are less protected. The first threat, as I see it, is mobile devices. Pretty much every phone in the world today can do everything a computer can - it can hold contacts, schedules, email and files, and often quite a lot of those. Usually, money can't be stolen directly off your phone, but the personal data can be easily used for identity theft, which in turn can be used to hack the corporate network of your company. Imagine the phone of a company's IT manager being stolen... a list of vendors the company works with can be easily compiled, orders of hardware can be diverted, and passwords can be socially engineered. If an attacker knows when your IT manager is on vacation or in long meetings, these timetables can be used to coordinate a focused attack.
All this is not new, and security solutions for phones are already quite advanced. Some solutions encrypt the phone's internal memory, so it can't be accessed without a password. Other solutions lock out the phone or wipe it when given a remote command through the carrier's network. There are, of course, quite a few anti-malware products as well. One thing no one is doing yet is a way to prevent the phone from being lost in the first place. Cabs, airports, coffee shops - all are prime locations for forgetting your phone, and most are never recovered. Technologies such as RFID could be used to prevent this sort of loss, but they still haven't seen significant adoption.
Another abundant data mine is home networks. Securing a wireless home network isn't hard, but many people are still afraid to mess around with their router's settings and just leave it open. Some people are concerned about sharing their bandwidth with drive-by freeloaders, but the real danger is that an unwanted guest might have unlimited access to your computers. Even if you set up a password on your computer, an attacker has all the time in the world to brute-force it, and it's likely that the average user won't check his event log and notice the failed attempts. Securing the home network is not that hard, really, but apparently most people don't bother. Very few companies enforce a policy to prevent or control how their employees connect the company laptop to the home network, not to mention storing business files on the home PC. An ideal solution would be for the company to give its employees desktops, which would allow the company full control over what goes on inside them.
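The failed-attempt trail the post mentions is exactly what a home user (or a company that cares about its laptops on home networks) could watch for. The following is an added example, not code from the original post: it reads a small set of constructed logon records, written in a simplified one-record-per-line layout of our own, and flags a source address that racks up many failures against one account inside a short window, escalating the alert if a successful logon from that same source follows the burst. Windows really does log failed and successful logons as Security events 4625 and 4624; the line format, the account and address values, and the 10-failures-in-5-minutes threshold are assumptions chosen for the illustration.

```python
"""Added example (not part of the original post): spotting a brute-force
pattern against a home PC from its own logon records.

The record layout below is a constructed simplification:
    <ISO timestamp> <event id> <account> <source address>
Event 4625 = failed logon, 4624 = successful logon (real Windows Security
event IDs); everything else in the sample is made up for the example.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED_LOGON = 4625
SUCCESS_LOGON = 4624

# Constructed sample: two typos by the owner from 192.168.1.20, then a burst
# of failures from an unknown address 192.168.1.37 ending in a success.
SAMPLE_LOG = """\
2008-12-30T21:40:00 4625 dave 192.168.1.20
2008-12-30T21:40:12 4625 dave 192.168.1.20
2008-12-30T21:40:20 4624 dave 192.168.1.20
2008-12-30T22:01:05 4625 dave 192.168.1.37
2008-12-30T22:01:15 4625 dave 192.168.1.37
2008-12-30T22:01:25 4625 dave 192.168.1.37
2008-12-30T22:01:35 4625 dave 192.168.1.37
2008-12-30T22:01:45 4625 dave 192.168.1.37
2008-12-30T22:01:55 4625 dave 192.168.1.37
2008-12-30T22:02:05 4625 dave 192.168.1.37
2008-12-30T22:02:15 4625 dave 192.168.1.37
2008-12-30T22:02:25 4625 dave 192.168.1.37
2008-12-30T22:02:35 4625 dave 192.168.1.37
2008-12-30T22:02:45 4625 dave 192.168.1.37
2008-12-30T22:02:55 4625 dave 192.168.1.37
2008-12-30T22:03:02 4624 dave 192.168.1.37
"""


def parse(text):
    """Turn the simplified export into (timestamp, event id, account, source) tuples."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, eid, account, src = line.split()
        events.append((datetime.fromisoformat(ts), int(eid), account, src))
    return events


def detect_bruteforce(events, threshold=10, window=timedelta(minutes=5)):
    """Return {(source, account): severity} for sources that exceeded
    `threshold` failed logons within any `window`-long span.

    Severity is "bruteforce" for the burst alone and
    "bruteforce_then_success" if a successful logon from the same source
    arrives while the burst is still inside the window (the case that
    actually warrants an immediate password change)."""
    recent = defaultdict(deque)   # (source, account) -> timestamps of failures
    alerts = {}
    for ts, eid, account, src in sorted(events):
        key = (src, account)
        q = recent[key]
        # Drop failures that have aged out of the sliding window.
        while q and ts - q[0] > window:
            q.popleft()
        if eid == FAILED_LOGON:
            q.append(ts)
            if len(q) >= threshold:
                alerts.setdefault(key, "bruteforce")
        elif eid == SUCCESS_LOGON and len(q) >= threshold:
            alerts[key] = "bruteforce_then_success"
    return alerts


def report(text):
    """Human-readable summary for the constructed sample."""
    alerts = detect_bruteforce(parse(text))
    if not alerts:
        return "no brute-force pattern found"
    return "\n".join(f"{src} -> account '{acct}': {sev}"
                     for (src, acct), sev in sorted(alerts.items()))


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

The owner's two mistyped passwords never reach the threshold and stay silent; the twelve failures from the unfamiliar address do, and the success that follows upgrades the alert. The same sliding-window logic works for any source of failed-authentication records, whether it is a Windows Security log, a router's admin interface or an SSH daemon, as long as the parser is adapted to that format.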
Buy every employee a PC, on the company dime? Am I crazy? Well, it will cost a pretty penny, but consider the costs for a minute. This could amount to several hundred dollars per year per employee, but would still be only a negligible part of the cost of an employee to the company. If it would prevent even a single attack, it could be well worth it. I'm not very optimistic that many companies will adopt this idea, but what should definitely happen is an improvement to home network security and cellular phone technologies. Instead of confusing dialog boxes about TKIP, AES, WEP, WPA and hex keys, a home router should be secure by default, and easy to configure. For example, a router could be pre-set to generate a random password and display it on a small LCD. The user would be asked to type it into his machines when connecting for the first time. Same goes for phones. Phones today are like Windows 3.11. You have to really try to set a lock on them. I think that setting a strong password should be the default action when getting a phone from the carrier, and only users who really want to and have the know-how should be able to bypass it. No doubt it will be annoying to many, but so is locking your home every time you leave... and yet we are all OK with that! Currently, all router manufacturers focus on performance and price, and I've yet to see even one that boasts better security. Same for phones - it's all about the music and easy texting, but not a single device that is safer. Will we ever learn?
