Cluley on Operation Aurora, information security attacks
Date: Sep 23, 2010
Read the full transcript from this video below:
Rob Westervelt: Hi. I'm Rob Westervelt, the News Editor of
very much for joining us. Today we're going to be talking about some of the
latest attack techniques, and ways companies can defend against them with
Graham Cluley. Graham is a security consultant with Sophos. Graham, thanks
very much for joining us.
Graham Cluley: Pleasure to be here.
Rob Westervelt: Graham, let's start off with a general question. Are attacks becoming
more sophisticated or are they just more persistent?
Graham Cluley: I think they're not becoming more sophisticated. I think actually
what we see is a conveyor belt of mass-produced malware and attacks. The
actual effect is that they're bombarding us, it's like hailstones on the
roof. Just keep on rat-tat-tat-tat, coming through. Sometimes, sure, they
will use a new exploit or a vulnerability to try and infect you. The impact
can be more serious because they're stealing information or money. But when
you compare it to the viruses and attacks we saw 10, 15 years ago, where
they honed their piece of malware for months and months to try and make it
undetectable, it's less of a work of art. It's not as sophisticated, I
think. But there's a lot of it, every day we see 50,000 new examples of
malware in our labs. So, it's one every couple of seconds. The problem is
now huge. It's one of volume more than anything else.
Rob Westervelt: So, we're not necessarily seeing an increase in cyber criminals, we're
seeing an increase in these automated tools?
Graham Cluley: That's what's happening. They have production lines
effectively where they're mass producing this stuff. I'm sure a lot of regular
criminals are beginning to be attracted to the internet and the potential
for making a lot of money that way. But what we're really seeing is just
the volume that they're producing. It's just accelerated like nothing we've
ever seen before.
Rob Westervelt: Let's talk about the recent Google attacks. How sophisticated do you
think they were?
Graham Cluley: What was happening effectively was they were using Internet
Explorer and other vulnerabilities in order to break into these
organizations, including Google. That is something which we see happening
all the time. Not just against huge companies like Google and Intel, but
also against smaller companies. We are actually beginning to see attackers
actually automate targeted attacks. If it's automated, it's not like they
have to spend a long time crafting something to get it into a smaller
business as well. So, I wouldn't say it was really earth shattering or
something we'd never seen before, those sort of attacks. What was
extraordinary was that Google went public and said they weren't ashamed.
Most companies don't want to talk about these sort of things. Furthermore,
they pointed a finger in a very particular direction, and said it was these
guys who did it. That's what made it fascinating and made it news around
Rob Westervelt: As you said, attackers targeted an Internet Explorer zero-day
vulnerability and that prompted some governments to call for users to
switch browsers to Firefox or Google Chrome. Is that necessarily the right
way to go?
Graham Cluley: So, we saw the French and German governments, for instance, do
exactly that. Putting out statements saying you should really switch
browsers, maybe to Firefox or Opera or Safari. I think that's crazy.
There are good reasons to consider alternative browsers, but you need to
make those over time and consider the implications. Certainly, if you
switch your browser from Internet Explorer to another browser, you may find
that some functionality or home grown applications, maybe inside your
organization, may no longer work properly. That will have much more impact
than the maybe small chance of yourselves being hit by a targeted attack. I
think the most important thing to do, actually, was what Microsoft said.
Which was, whichever browser you're using, use the most up-to-date one. For
heaven's sake, let's put Internet Explorer 6 in a coffin and nail it shut.
We don't want to dig that beast up again. So, stop using that.
Unfortunately, many government agencies and corporations do still use IE 6.
So, we need to be more mature about our browser choice, but let's not make
rash judgments. Make it based upon solid facts in determining what's best
for your company.
Rob Westervelt: Let's switch gears for a moment and talk about social networks. It
seems like every day there is an attack on a particular social network in
the news. How are attackers taking advantage of social networks?
Graham Cluley: It's easy pickings for the criminals. And those sites have grown at
such an extreme rate that they haven't always necessarily matured, when it
comes to things like security. Just to give you an example, the likes of
Hotmail, Yahoo, and Gmail are pretty good at stopping you from receiving a
virus attachment or a malicious link or a piece of spam. Generally they
will quarantine it and it won't arrive in your inbox. The social networks
aren't as proactive at scanning those messages. Yet, 400,000,000 people are
Many of those people are using the social network as one of their primary
ways to communicate. Maybe more so in some cases than traditional email,
socially at the very least. So, those messages have to be scanned. It's not
just the social networks' fault, though. I think as users, we need to grow
up and understand the implications of what we're doing with our personal
information and the risks which we're putting ourselves in every time we
click on one of those links.
Rob Westervelt: So, what's really the answer here? Should enterprises ban the use of
social networks outright?
Graham Cluley: If you ban social networks inside your workplace, well, you're
actually kidding yourself, you haven't banned it. Your users are going to
find a way onto them. Even if they don't use your desktop computer, they'll
be using their smart phones. They will get onto them somehow because
they're addicted to them. And anyway, there are people inside your business
who probably have perfectly legitimate reasons to go on social networks.
The marketing teams and the sales teams say, "We want to be on Facebook, we
want to be on Twitter, to be close to our customers. To have a conversation
with them." This is a new way of running businesses.
So, don't close your doors on those things. You know, if email and the web
were invented today, many IT system administrators would probably say, "We
don't want that inside our organization. Imagine all the threats which can
come through." Yeah, there can be threats via email on the web, but we all
accept the enormous benefits. I think that's true of social networks as
well. So, what are we going to do about them? Well, you need to scan every
link, every webpage which your users click on, to see if it's malicious, to
see if it's phishy, to see if it's spam, so you can protect your users that
way. You also need to educate your users to use different passwords on
every website they use. 33% of people use the same password on every single
website, and probably inside your organization as well. So, if they get
phished in one place, that could potentially be a big, big problem. You
need to start controlling the data, the movement of data inside your
organization, as well. When a system begins to upload information which
isn't appropriate to the internet, it should be blocked and prevented. Just
as it would be if you're copying it onto a USB stick. That way you can begin
to protect your employee information and your customer information too.
Rob Westervelt: Is there anything enterprises can do about phishing attacks other than
just end-user education?
Graham Cluley: User education is obviously important, to teach people how to use
the web. There's an assumption that people know how to use internet browsers and
email when they come into a company, rather than saying, "Actually, we're
going to induct you on something you already know. We're going to teach you
how we use the web and email here." I think essentially you need to scan
every link which users click on. You need to look at the reputation of the
link which you're going to. And modern web filtering software will not only
look to see whether there's something malicious at the other end, it can
also do checks, for instance, to see when was the website actually
Quite often, in a phishing scam for instance, the website was actually only
registered yesterday or the day before. That instantly makes it a more
suspicious website than one which has been around for five or 10 years. So,
that's one way in which to do it. So, up-to-date security software can help
you with phishing, but ultimately it is the human being. If they're
determined to enter their Social Security Number or their passwords onto a
webpage, it's very hard to stop them from doing it. So, I think education
has really got to be key.
Rob Westervelt: Well, thanks very much Graham.
Graham Cluley: Thank you.
Rob Westervelt: Thank you for joining us. For more information on this topic you can
go to SearchSecurity.com. For other videos on this topic, you can go to
SearchSecurity.com/video. I'm Rob Westervelt. Have a great day.