Perimeter

Guest Blog // Selected Security Content Provided By Sophos
What's This?
8/13/2013
02:45 PM
Maxim Weinstein
Maxim Weinstein
Security Insights
50%
50%

The More Things Change

Today's malware is more complex than ever, yet it's still based on three basic hacks

I've been working in the tech field for a bit over 15 years now. It's amazing to see how the industry and the technology has changed during that time. In my first job out of grad school, I taught corporate employees how to use Netscape Communicator on their Pentium II desktop PCs, which had just been migrated to Windows NT 4.0. I was the only person in my family with a cell phone -- a large, clunky object with a telescoping antenna and a belt holster. And IBM had just announced a new hard drive for notebook PCs that broke barriers by providing 6.4 GB of storage, three times the average in those days.

Malware has changed a lot, too, since 1998. Back then, floppy disks were just giving way to email as the infection vector of choice. Money was rarely a motivating factor for malware authors and distributors. The stereotype of the nerdy, young man wreaking havoc from his mother's basement probably wasn't too far off in many cases. The volume of new malware was so low that security experts could name and analyze each new sample.

Things look very different now, of course. Our multicore, always-connected devices can be infected via the network, email, SMS, USB, or the Web. Social engineering has advanced well beyond asking users to open a picture of Anna Kournikova naked (though variations of that trick still work). Behind the scenes, malware has "matured from a cottage industry to a Henry Ford style production line funded by organised crime," as my colleague Peter Szabo put it. Analyzing every piece of malware now would be impossible, with several new samples arriving each second of the day. Simon Reed, who runs SophosLabs, describes his team's work as a big data processing and mining operation.

With all the new technology and the rapid growth of "mass market" cybercrime, it may be easy to overlook one constant: Malware depends on finding a way to install or run on its target without the user's informed consent. And, in 15 years in the industry, I've only seen three fundamental ways for that to happen: exploiting a vulnerability, compromising user credentials, and/or tricking the user. That's it. An entire generation's worth of malware -- tens of millions of variants -- reduced to three simple hacks.

Fortunately, as security professionals, we already know how to defend against these three hacks, even if we don't always give them the attention they deserve. We stop exploits by building or buying more secure software, patching vulnerabilities as they arise, and implementing configurations that balance usability and security. We protect user credentials by implementing multifactor authentication, encouraging or enforcing the creation of strong and unique passwords, and securing the credentials in transit and at rest. Users are human, so they'll always be fallible, but security awareness and education -- emphasizing the why, not just the how -- can go a long way in reducing susceptibility to social engineering.

It's easy to describe these defenses, but implementing them properly, consistently, and completely is much harder. Security products help by providing visibility and by leveraging automation and vendors' expertise. They also fill the inevitable gaps in an organization's defenses, detecting threats that slip through. As such, security tools have had to evolve as the threats have evolved. Firewalls have given way to UTMs, antivirus software has developed into multilayer endpoint protection, and Web and email filters have helped users make fewer and better decisions about what to download or open. They may not be perfect, but they're better than their predecessors, and they're a heck of a lot better than nothing.

So, yes, a lot has changed in 15 years. All things considered, I'd rather not go back to my Pentium II and my dumb brick of a cell phone, even if security was simpler then. But going back to the basics of malware protection, with a little help from today's technology? Well, that doesn't seem like a bad idea at all. Maxim Weinstein, CISSP, is a technologist and educator with a passion for information security. He works in product marketing at Sophos, where he specializes in server protection solutions. He is also a board member and former executive director of StopBadware. Maxim lives ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
macker490
50%
50%
macker490,
User Rank: Ninja
8/24/2013 | 1:05:54 PM
re: The More Things Change
....it may have, although it may be that some software builders are less than totally well-intentioned...

when you link that library how do you know what you are getting ?

remember: "zero defects" ...is a responsibility not a right. Zero Defects is what you do, not what you get.
Maxim Weinstein
50%
50%
Maxim Weinstein,
User Rank: Apprentice
8/23/2013 | 1:24:12 PM
re: The More Things Change
Excellent point, Mike. In the case you describe, the malware probably used one of my three core hacks to get in to the original supplier's build. But there's also the potential for deliberate insertion of a backdoor or spyware component by an upstream supplier, or by an insider within an organization, for that matter.
macker490
50%
50%
macker490,
User Rank: Ninja
8/22/2013 | 11:17:04 AM
re: The More Things Change
you missed one: supply system integration.

defending against malware requires authentications and authorizations. when software is presented it must be authenticated: is this what it claims to be? and then it must be authorized by the system administrator. earlier systems didn't even bother to check they just let anything in. oh well.

in supply system integration a reputable supplier un-knowingly integrates malware as he completes his builds. he then signs for his works and forwards it on the supply system or to the customer, signed and sealed, malware unknowingly included.

only a zero-defect program can control this: each builder along the supply line must take responsibility for validating not only his own work -- but -- other inputs he is incorporating into his product. this seems daunting at first but if you start at the beginning and follow through it can be done. when I compile any module I must assume responsibility for it being what I say it is.

the implications are enormous. but I think we've about had it with the un-checked method.
New Free Tool Scans for Chrome Extension Safety
Dark Reading Staff 2/21/2019
Making the Case for a Cybersecurity Moon Shot
Adam Shostack, Consultant, Entrepreneur, Technologist, Game Designer,  2/19/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
How Enterprises Are Attacking the Cybersecurity Problem
How Enterprises Are Attacking the Cybersecurity Problem
Data breach fears and the need to comply with regulations such as GDPR are two major drivers increased spending on security products and technologies. But other factors are contributing to the trend as well. Find out more about how enterprises are attacking the cybersecurity problem by reading our report today.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-10078
PUBLISHED: 2019-02-23
Vembu StoreGrid 4.4.x has XSS in interface/registercustomer/onlineregsuccess.php, interface/registerreseller/onlineregfailure.php, interface/registerclient/onlineregfailure.php, and interface/registercustomer/onlineregfailure.php.
CVE-2014-10079
PUBLISHED: 2019-02-23
In Vembu StoreGrid 4.4.x, the front page of the server web interface leaks the private IP address in the "ipaddress" hidden form value of the HTML source code, which is disclosed because of incorrect processing of an index.php/ trailing slash.
CVE-2018-20785
PUBLISHED: 2019-02-23
Secure boot bypass and memory extraction can be achieved on Neato Botvac Connected 2.2.0 devices. During startup, the AM335x secure boot feature decrypts and executes firmware. Secure boot can be bypassed by starting with certain commands to the USB serial port. Although a power cycle occurs, this d...
CVE-2019-9037
PUBLISHED: 2019-02-23
An issue was discovered in libmatio.a in matio (aka MAT File I/O Library) 1.5.13. There is a buffer over-read in the function Mat_VarPrint() in mat.c.
CVE-2019-9038
PUBLISHED: 2019-02-23
An issue was discovered in libmatio.a in matio (aka MAT File I/O Library) 1.5.13. There is an out-of-bounds read problem with a SEGV in the function ReadNextCell() in mat5.c.