The failing war against cybercriminalsDate: Jun 02, 2009
Sophos senior security consultant Graham Cluley explains why it has been difficult to defeat international cybercriminal gangs. He talks about the evolving antivirus industry and industry attempts to defeat the Conficker worm.
Read the full transcript from this video below:
Please note the full transcript is for reference only and may include errors. To report an error, contact firstname.lastname@example.org.
The failing war against cybercriminals
Rob Westerville: Hello. I am Rob Westerville, the news editor of SearchSecurity.com. Thank you for joining us. Today we are going to be talking about the threat landscape with Graham Cluley. Graham is a Senior Technology Consultant with security vendor, Sophos. You have been in the antivirus industry for more than 15 years; talk a little bit about some of the changes you have seen. Has antivirus gotten any better?
Graham Cluley: Certainly, the scene has changed enormously. When I first joined the antivirus industry, there was something like 200 viruses in total. It was big news whenever new viruses came out, and we wrote huge, long descriptions of exactly what they did. Today, we see something like 30,000 new pieces of suspicious code coming into our labs every single day, all the time; there is one every four seconds, coming into the labs. Has antivirus gotten better during that time? I actually think it has. I think we have gotten much better at being proactive at detecting brand new threats as they come out, before they come out, and defending people. Also, we have added more strings to our bow; we are not simply stopping viruses anymore. We are also helping companies protect themselves against compliance issues, whether they are properly patched, and we are helping them with firewalls. All sorts of things are now being done by what is traditionally called your antivirus component.
Rob Westerville: We have seen an explosion of use of social networking websites like Twitter, Myspace, Facebook and others. Talk a little bit about how attackers are taking advantage of that.
Graham Cluley: We have seen a variety of attacks against the social networks. We have seen spamming, malware and fraud. It is really interesting that the cyber criminals are now abusing those systems to try and take advantage of people and make cash. It is almost as though they found it too hard breaking into people's conventional PCs, and they are viewing the social networking accounts as softer targets. We have all see spammers taking over, for instance, Facebook accounts then forwarding messages to all of your Facebook friends. You are probably more likely to read them and act upon them because you think it is your friend who has sent it to you. You think they are inside your circle of trust, so you click on that link and you may go to a malicious website, for instance. We also see these fraudulent attempts where people will they take over an account, and they say, ‘It it Jim here. I am holidaying in London at the moment. I have just been mugged and I have lost my air ticket home. Can you wire me some money to get home?’ Maybe you think, ‘I didn't know Jim was on holiday, but that sounds really bad,’ and you may get into a conversation with them online. Of course, they are using information they've stolen from the profile, like, ‘Lauren says hi, and the kids, they are not sleeping too well,’ so it makes you fooled into thinking that this is a genuine thing which is happening. The hackers are targeting the social networks. Frankly, the hackers go where the users are. It is like tigers finding out where the zebras go to get their drink of water; they are going to chase after them and take advantage of them, and right now, people on the social networks.
Rob Westerville: How do companies defend against social networking threats?
Graham Cluley: Firms can be affected by social networking threats because their users share too much information. They may be saying who their favorite football team is, the name of their best friend, or their first dog, and quite often inside corporations, this will be information which would help you guess the password, sometimes the corporate passwords used by their users. Also, if you go to a network like LinkedIn, for instance, you can get a corporate directory of everyone who works at that particular company, then the hackers could send an email claiming to be from head of HR to the person who has been newly employed by the firm, all information you find out from LinkedIn, do a spear fishing attack, and begin to get information that way, so your users may be at risk of sharing too much information, which can endanger the business. What you can do as a company is you can begin to filter your web content. I do not mean just block access to these sites, because I think we have to accept there are business purposes for some of these sites, but you can be more careful about what your users click on. If they do click on a link going to a dangerous site, which they may have been sent via social network, we can prevent that. We can stop them from going into that site because we spot the malicious code at the other end. For instance, the recent Twitter worms, which have been spreading in the last few weeks, they have been all exploiting cross-site scripting vulnerabilities in Twitter. Twitter has frankly been struggling to defeat these. Good antivirus software and protection of your web gateway can intercept them and prevent your users from passing the infection on.
Rob Westerville: I know you have tracked an increase of malicious email attachments. Is education the best defense against that?
Graham Cluley: Education would be wonderful if it worked, if people wanted to learn. Most people are too busy trying to get that Excel spreadsheet done for the boss that they are not going to remember to watch out for these kinds of emails, or this sort of attachment can be dangerous but these are not. It is too complicated, frankly, for most people, so I think raising awareness is a great thing, but you cannot rely upon it. Your users, I am afraid, you are never going to be able to properly patch them entirely against all the vulnerabilities in their brain, so you need technology, as well, to reduce the risks. That is what we see most companies these days doing, really. A bit of education, but also an awful lot of technology to better defend the user.
Rob Westerville: The Conficker Working Group seems to have been successful thus far in thwarting major Conficker worm issues. Does the level of cooperation that we have had around the Conficker worm translate necessarily, into thwarting attacks such as what we saw in Estonia?
Graham Cluley: I think the Conficker Group was really important because it brought different vendors together to make sure that they had one real common voice in talking about the problems associated with Conficker. Let's not forget, the hackers behind Conficker have never actually instructed it to do anything meaningful, so we are still in a waiting game, waiting for something to happen. The Working Group has helped, but it may not be the end of the story; we have to still protect everyone against a threat which may still come along. What has been great with both the Conficker Working Group and also internet initiatives, which for instance shut down McColo, an ISP which were responsible for a lot of the spam and scams which were spreading across the internet, is it shows that when people get together we can make a bit of a difference.
Unfortunately, the cyber criminals realize this, and they are increasingly not using one central point to control their attacks. Something like the botnets that have been run via McColo are not going to be run like that in the future. It is not going to be the case of knocking out one ISP in order to stop these things, and that is the problem with the Estonian attacks, as well. That is a distributed denial of service attack. You would have to shut down all of those computers around the world to make sure that they were not bombarding innocent Estonian websites with traffic.
Rob Westerville: Of course, we have the law enforcement conundrum, as well.
Graham Cluley: It is a huge problem. There is the problem of different laws in different countries, different languages and different time zones; the world is getting better at communicating with one another. Undoubtedly, the criminals are taking advantage of that complexity. It is also costly. Sometimes I speak to the police in my country and say, ‘Look. We have found this thing. We believe it is being run by a bunch of Russian gangsters,’ and they say, ‘This is interesting, but frankly, it is too expensive for us to investigate, to do all the forms, and make the investigations and work with our colleagues in Russia.’ Unless this is of sufficient size, chances are it is probably going to get ignored. That is depressing when that happens, but there is a lack of budget around the world sometimes to deal with these threats and properly investigate them.
Rob Westerville: On your Sophos blog, you have written about the hype surrounding ‘Conficker Worms: April 1st Update.’ What was your take?
Graham Cluley: I remember headlines saying, ‘Tick tock, tick tock. Time bomb virus about to . . . millions of computers around the world are going to melt. Yes, actually, physically melt on April the 1st,’ is what you would believe if you read the headlines. I had my head in hands for about two weeks before April 1st thinking, ‘How are we going to get through to people this is not what's going to happen?’ All we could do is just say, ‘That is not what we think is going to happen.’ Yes, there was something very minor which was going to change inside Conficker, but it did not mean you were any more likely to get infected on April 1st than on May the 30th, April the 14th, or any other day of the year.
I actually think most of the security in the street was pretty good at putting that threat in context and saying, ‘Get yourself protected, but we do not really think there is any reason why anything will change on April the 1st, as far as you, the users are concerned. We cannot say for certain, but we do not think that that is likely, based upon what we have seen.’ Unfortunately, some of the vendors, when they are dealing with particularly the national media or the TV stations, I think they can be easily manipulated into saying what the TV crews want them to say. Of course, by the time it gets dumbed down for that general audience, you do begin to think, ‘9:00 tomorrow morning, when I turn my computer on, on April the 1st, everything is going to turn into creosote. It is going to just be disastrous.’ That is damaging to us as an industry because the public will not believe us next time. We need to be careful about it but also, the media have to be responsible too, and they have to accept that sometimes the story may not be quite as sexy as they think. There is a long history of predictions in the computer security industry, which have proven to be entirely wrong. Whenever you hear about a deadline of something going to happen, it invariably does not happen; it is a bit of a damp squid. Make sure you are protected, but do not run around like a headless chicken.
Rob Westerville: We have heard reports of successful cyber spying attacks. We have had the issue of investigators finding malware on the US Electrical Grid. We have even had the Australian Prime Minister targeted by Chinese attackers; at least we think they were Chinese attackers. How difficult is it to track who is actually responsible for this?
Graham Cluley: It would be great would it not, if we could all point our fingers and say, ‘That's the bogey man. That is the one who is really causing the problem’? What I would ask people to do is look at their email inbox, look at the spam that they are receiving, because a large proportion of the spam you are receiving in your inbox is actually being sent from Chinese computers, but I bet my bottom dollar it is not in Chinese. You will find spam, which is advertising American products, Polish products, and all kinds of countries around the world, but it is being sent from Chinese computers. It is the same problem when it comes to denial of services and spyware attacks, which appear to have a Chinese connection. Yes, maybe there was a Chinese computer which somewhere along the line was sending the attack or somehow controlling the attack. It does not mean that Chinese computer was under the control of the Chinese authorities. It could be a hacker anywhere in the world. All it means is there are Chinese computers out there, which are not properly protected. Guess what, there are computers all around the world, in every country in the world, which are not properly protected and can be taken advantage of by hackers.
Having said that, though, yes, of course the Chinese government and the army are spying on people around the world using the internet. You know what, so are the Americans, the British, the French, and the Danish. Every country in the world, I am sure, is looking at the internet and thinking, ‘What can we do to use the cyber world to increase our intelligence and get an advantage over our enemies and sometimes our trading partners?’ looking for ways to do that. We would be naive to think that they are not doing it, but it is very foolish to point fingers unless we have firm, strong evidence, and that is what is really missing there, is a smoking gun.
Rob Westerville: About a year or so ago, some security experts and some vendors have said that attackers are not necessarily getting more sophisticated. There is more sophisticated or automated tools out there that help them pull of these attacks in more successful ways. Is that still the case these days? Is it the automated tools?
Graham Cluley: I am fed up of hearing about all the hackers being these criminal masterminds and geniuses; it makes for a lazy headline in some of the national newspapers. I just think most of what we see is pretty humdrum mundane stuff; it is a conveyor belt of mass-produced cyber crime coming along. They just keep on pumping out yet another banking Trojan, yet another video claiming to be of Angelina Jolie; it is the same old thing. It is not that they are super-brainy; it is that we as users are super-dumb. We keep falling for the same tricks; they do not have to be super-sophisticated. Sure, sometimes we do see hackers using a brand new exploit or infecting you in a clever way, but most of what we see is not really that cunning. In fact, I hanker back for the old days, maybe 10 or 15 years ago, where I think the hackers had more personal pride in their viruses, because they were not doing it for money, they were doing it for kudos, to show off to their mates, to rub the antivirus industry's nose in it. They would spend months and months honing a new attack, trying to make it undetectable.
Today, they could not care if some of the products already detect it, as long as some do not, as long as some people will still get infected, because there will be another Trojan horse along in five minutes to infect the ones who were defended, so there is a lack of ingenuity there, in some ways. What has really changed is the amount of malware. Like I said, it is mass-produced, it is being pumped out all the time, and it is that glut of malware, which means that people really have to invest in a proactive security solution and make sure they are keeping up to date with their antivirus updates.
Rob Westerville: Thank you very much for joining us, Graham, and thank you for joining us. For more information on this topic and others, go to SearchSecurity.com.