Perimeter
Guest Blog // Selected Security Content Provided By Sophos
What's This?
8/13/2013
02:45 PM
Maxim Weinstein
Maxim Weinstein
Security Insights
Connect Directly
RSS
E-Mail
50%
50%

The More Things Change

Today's malware is more complex than ever, yet it's still based on three basic hacks

I've been working in the tech field for a bit over 15 years now. It's amazing to see how the industry and the technology has changed during that time. In my first job out of grad school, I taught corporate employees how to use Netscape Communicator on their Pentium II desktop PCs, which had just been migrated to Windows NT 4.0. I was the only person in my family with a cell phone -- a large, clunky object with a telescoping antenna and a belt holster. And IBM had just announced a new hard drive for notebook PCs that broke barriers by providing 6.4 GB of storage, three times the average in those days.

Malware has changed a lot, too, since 1998. Back then, floppy disks were just giving way to email as the infection vector of choice. Money was rarely a motivating factor for malware authors and distributors. The stereotype of the nerdy, young man wreaking havoc from his mother's basement probably wasn't too far off in many cases. The volume of new malware was so low that security experts could name and analyze each new sample.

Things look very different now, of course. Our multicore, always-connected devices can be infected via the network, email, SMS, USB, or the Web. Social engineering has advanced well beyond asking users to open a picture of Anna Kournikova naked (though variations of that trick still work). Behind the scenes, malware has "matured from a cottage industry to a Henry Ford style production line funded by organised crime," as my colleague Peter Szabo put it. Analyzing every piece of malware now would be impossible, with several new samples arriving each second of the day. Simon Reed, who runs SophosLabs, describes his team's work as a big data processing and mining operation.

With all the new technology and the rapid growth of "mass market" cybercrime, it may be easy to overlook one constant: Malware depends on finding a way to install or run on its target without the user's informed consent. And, in 15 years in the industry, I've only seen three fundamental ways for that to happen: exploiting a vulnerability, compromising user credentials, and/or tricking the user. That's it. An entire generation's worth of malware -- tens of millions of variants -- reduced to three simple hacks.

Fortunately, as security professionals, we already know how to defend against these three hacks, even if we don't always give them the attention they deserve. We stop exploits by building or buying more secure software, patching vulnerabilities as they arise, and implementing configurations that balance usability and security. We protect user credentials by implementing multifactor authentication, encouraging or enforcing the creation of strong and unique passwords, and securing the credentials in transit and at rest. Users are human, so they'll always be fallible, but security awareness and education -- emphasizing the why, not just the how -- can go a long way in reducing susceptibility to social engineering.

It's easy to describe these defenses, but implementing them properly, consistently, and completely is much harder. Security products help by providing visibility and by leveraging automation and vendors' expertise. They also fill the inevitable gaps in an organization's defenses, detecting threats that slip through. As such, security tools have had to evolve as the threats have evolved. Firewalls have given way to UTMs, antivirus software has developed into multilayer endpoint protection, and Web and email filters have helped users make fewer and better decisions about what to download or open. They may not be perfect, but they're better than their predecessors, and they're a heck of a lot better than nothing.

So, yes, a lot has changed in 15 years. All things considered, I'd rather not go back to my Pentium II and my dumb brick of a cell phone, even if security was simpler then. But going back to the basics of malware protection, with a little help from today's technology? Well, that doesn't seem like a bad idea at all. Maxim Weinstein, CISSP, is a technologist and educator with a passion for information security. He works in product marketing at Sophos, where he specializes in server protection solutions. He is also a board member and former executive director of StopBadware. Maxim lives ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
macker490
50%
50%
macker490,
User Rank: Ninja
8/24/2013 | 1:05:54 PM
re: The More Things Change
....it may have, although it may be that some software builders are less than totally well-intentioned...

when you link that library how do you know what you are getting ?

remember: "zero defects" ...is a responsibility not a right. Zero Defects is what you do, not what you get.
Maxim Weinstein
50%
50%
Maxim Weinstein,
User Rank: Apprentice
8/23/2013 | 1:24:12 PM
re: The More Things Change
Excellent point, Mike. In the case you describe, the malware probably used one of my three core hacks to get in to the original supplier's build. But there's also the potential for deliberate insertion of a backdoor or spyware component by an upstream supplier, or by an insider within an organization, for that matter.
macker490
50%
50%
macker490,
User Rank: Ninja
8/22/2013 | 11:17:04 AM
re: The More Things Change
you missed one: supply system integration.

defending against malware requires authentications and authorizations. when software is presented it must be authenticated: is this what it claims to be? and then it must be authorized by the system administrator. earlier systems didn't even bother to check they just let anything in. oh well.

in supply system integration a reputable supplier un-knowingly integrates malware as he completes his builds. he then signs for his works and forwards it on the supply system or to the customer, signed and sealed, malware unknowingly included.

only a zero-defect program can control this: each builder along the supply line must take responsibility for validating not only his own work -- but -- other inputs he is incorporating into his product. this seems daunting at first but if you start at the beginning and follow through it can be done. when I compile any module I must assume responsibility for it being what I say it is.

the implications are enormous. but I think we've about had it with the un-checked method.
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Cartoon
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Title Partner’s Role in Perimeter Security
Title Partner’s Role in Perimeter Security
Considering how prevalent third-party attacks are, we need to ask hard questions about how partners and suppliers are safeguarding systems and data.
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-7298
Published: 2014-10-24
adsetgroups in Centrify Server Suite 2008 through 2014.1 and Centrify DirectControl 3.x through 4.2.0 on Linux and UNIX allows local users to read arbitrary files with root privileges by leveraging improperly protected setuid functionality.

CVE-2014-8346
Published: 2014-10-24
The Remote Controls feature on Samsung mobile devices does not validate the source of lock-code data received over a network, which makes it easier for remote attackers to cause a denial of service (screen locking with an arbitrary code) by triggering unexpected Find My Mobile network traffic.

CVE-2014-0619
Published: 2014-10-23
Untrusted search path vulnerability in Hamster Free ZIP Archiver 2.0.1.7 allows local users to execute arbitrary code and conduct DLL hijacking attacks via a Trojan horse dwmapi.dll that is located in the current working directory.

CVE-2014-2230
Published: 2014-10-23
Open redirect vulnerability in the header function in adclick.php in OpenX 2.8.10 and earlier allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the (1) dest parameter to adclick.php or (2) _maxdest parameter to ck.php.

CVE-2014-7281
Published: 2014-10-23
Cross-site request forgery (CSRF) vulnerability in Shenzhen Tenda Technology Tenda A32 Router with firmware 5.07.53_CN allows remote attackers to hijack the authentication of administrators for requests that reboot the device via a request to goform/SysToolReboot.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.