- Apr 25, 2013
The threat landscape has changed, with cybercriminals more dangerous than ever. Alex Kidman looks at the dangers, and how the professionals are protecting us.
Security is a cat and mouse game with malware writers and cybercriminals on one side, and anti-virus security firms on the other. As users, we sit in the middle, prey for one side and customers for the other. That probably makes us the cheese, and like a cheese left out in the sun, things have become distinctly less pleasant over time for everyday users. There was a time when security software was just about anti-virus, but those days are long gone. Security suites offer a plethora of tools to keep your system safe, secure and running optimally, although many users rely on free alternatives instead. Is that enough?
IS FREE ACTUALLY FREE?
It depends on whom you ask. ESET’s Chief Executive Officer Richard Marko isn’t a big fan of free antivirus, noting that it’s often supplied as part of a bundle with a lot of other applications. “Nothing is for free; it’s just how the money is collected in the end. What we’ve found is that our application often detects and flags these bundles because they come with a lot of other potentially unwanted applications bundled as well.”
According to Symantec’s Senior Principal Systems Engineer for Norton, Nick Savvides, “Free is better than nothing, but it generally isn’t enough. More than half the threats that we see today are not detected using AV modules; the old signature based approach. It doesn’t get you where most consumers need to be in security terms. Using the new types of detection capabilities is where you pick up most of the threats.”
AVG Security’s Michael McKinnon sees it as an issue of feature sets and one group of users supporting the others for better overall security as a whole. “In the freemium model it’s essentially the paid consumers who are supporting the free version. Detection always continues to be a struggle against an avalanche of malware threats.”
McKinnon also notes that simply paying for a security suite is in itself not enough to keep yourself secure. “We’ve got users who would pay for our software who would perhaps be in the situation where because they’ve paid for it, they think they’ve got everything they need, and then they stop updating their operating system, or their apps. There are other things that users need to be doing. It’s not just about the security software itself.”
NEW THREATS
So if free antivirus is a better bet than simply risking it, what are the threats that need a more robust, suite-based approach, and what do these suites offer to combat those threats? It’s been a shift away from a pure signature-based approach and into a variety of technological approaches that use an analytical framework. “We really started to see the big change around 2009 when around that timeframe it started to ramp up moving from detecting threats from signatures to a behavioral and analytical approach” says Savvides.
Part of the issue is that all of our computing habits cover many more devices than they used to. “Five years ago it was very likely that I only had one laptop, and generally a feature phone that didn’t do much besides receive phone calls and send SMSs” says Savvides. “Today as a consumer I have two laptops, two mobile phones and an iPad. If somebody steals my identity, I don’t really care that they stole it from my laptop or from my tablet. All I care about is that my identity has been stolen.”
Security suites now often allow for remote tracking and wiping where this isn’t built into the device’s own software. This isn’t limited to mobile owners, but it’s where it can work to greatest effect. ESET’s Chief Research Officer Juraj Malcho sees it as “a natural progression that once you have these tracking technologies, once you have GPS, all sorts of connections, camera perhaps, microphone, you’re trying to do stuff to protect the device. I think this can be done much more effectively on a mobile phone than on a laptop. On the mobile it can be done much more effectively because there are more sensors. You have GPS, which typically laptops don’t have. You can do notifications; something you can’t really do on a laptop.”
Malcho notes however that simply having tracking software on a laptop or mobile device won’t always ensure that your lost or stolen device will be found. “We have managed to find some phones with our product with our technology. In general finding these things is going to be quite difficult; once the bad guys learn that there are technologies like this they will take precautions. It’s always going to be a chase game.”
MOBILE SECURITY
Back when the only thing you had to worry about in terms of viruses was whether it would rewrite your motherboard’s BIOS, you probably kept your important phone numbers on paper, or even in your head. That’s a thankless task that most of us have now shifted to our mobile devices, because it’s so much easier to tap on a photo of your contact’s head to call them than remember a phone number that could easily dip into double digits.
What that means, however, is that everyone’s smartphone is a far richer source of personal information now, with mobile contacts only the tip of the identity theft iceberg. That information has a very concrete value on the open market. The Attorney General’s Department recently released a report (Identity Crime and Misuse in Australia: Key Findings from the National Identity Crime and Misuse Measurement Framework Pilot, because security documentation rarely carries thrilling titles) that estimates the value of identity theft crime in Australia at roughly $1.6 billion per year.
Symantec’s Nick Savvides notes that “Mobiles have become a very tasty target to attackers. The challenge that attackers face is that those ecosystems are harder to break into because they’re a lot more curated than Windows or Mac. So having to download my apps from Google Play or the Apple App store or Windows Marketplace offers a level of protection, but what we’re seeing is attackers increasing sophistication of the level of attacks to bypass those.”
Android has been the largest area of malware growth in the mobile space, partly because it’s relatively simple to sideload software or obtain it from alternate app stores, which is why your Android device by default warns you before installing from non-Google Play sources.
That doesn’t mean, however, that those on the iOS side of the fence are completely immune from malware threats. AVG’s McKinnon notes that Apple “engineered their platform from day one to be closed; they’re very heavy on the use of cryptographic signing and certificates. You don’t want to jailbreak a device because you break all of that” and that in some ways Android has “become the ‘Windows of Mobile’, simply because of the fact that there are more Android handsets in use in the world than there are iOS ones.”
That didn’t stop an outbreak of ransomware appearing on Australian iOS user devices in May 2014, with a warning that compromised devices had been hacked by an “Oleg Pliss” who demanded $100 to unlock a compromised iOS device. That hack worked via a phishing attack to gain Apple ID credentials, but it’s not the only way that iOS devices could be compromised.
More recently in China, the WireLurker malware first infected Mac OS systems but was built to be capable of infecting iPhones and iPads, whether jailbroken or not, if they were connected to a compromised Mac. Many security commentators noted that it signified a new level of sophistication in malware threats: while many Apple users tend to consider themselves entirely secure, the new reality is that attacks like WireLurker are only going to get more sophisticated in their patterns.
It’s dangerous to think that you won’t be a victim due to your relative anonymity, something that Savvides sees as users trying “to map in their head physical world crime to cybercrime”. The reality, he states, is that “You don’t need to be doing anything special to be a target of cybercrime. You just need to be there.”
It’s a problem exacerbated by the fact that we’re all living more of our lives online in just about every aspect. According to AVG’s McKinnon, “One of the best and worst pieces of advice we give in the security industry is ‘Don’t click on stuff’. The reality is that we live in a world where you can’t look at a link and know if it’s safe or not. Legitimate websites get compromised, so it could be a link to what would be a legit site, and this week it’s been compromised, so it’s important that people understand that clicking on links is something we all have to do to use the Internet, but it’s also where the risk is.”
RANSOMWARE
The information on a device isn’t the only thing of value to an attacker, however; the device and its contents can be held to ransom. 2014 also saw the emergence of the first Android ransomware, Simplocker. Simplocker masqueraded as a video player app needed for certain adult content sites, but when installed, instead encrypted the compromised phone’s files and demanded a ransom, otherwise the infected phone would be wiped.
There are ways that you can protect against ransomware on mobile devices that don’t require a suite-style product, but they do rely on having a robust backup strategy for your mobile device content. “You can technically destroy data, but if people are mobile, they usually use some kind of cloud storage as well” says ESET’s Chief Research Officer Juraj Malcho.
Having that cloud backup gives you some level of control if your mobile device is compromised, because it then becomes feasible to restore device contents from that backup, and simply wipe the compromised device yourself. That relies on having backups running, and naturally trusting the cloud sources you’re backing up your data to.
Part of the issue for ransomware is that while it’s an emerging category, a small amount of success for one malware writer will often lead to a surge in copycat attacks from every other cyber-crook. “When it works for one crook and it gets media coverage and attention and they’re making money out of it the other crooks follow pretty quickly behind them” says Symantec’s Savvides. “Ransomware is going to continue to be a big threat to end users.”
THE FUTURE OF SECURITY SUITES
The nature of computer-based security is that it’s always a game of escalation, with new threats being blocked as they emerge while malware writers work out ever more complex ways around detection and blocking strategies. “It’s genuinely a game of cat and mouse” Symantec’s Savvides says. “You develop a detection technique and people try to work their way around it.”
Prediction is always tricky, but while malware writers are driven by greed, ESET’s Malcho notes that they’re often fundamentally lazy. “They’re extremely smart, they’re very well motivated by money; in fact there seems to be more money in cybercrime these days than in the Antivirus business, which is quite bad; it puts us in a difficult position because we’re fighting well funded professionals. At the same time these guys are lazy, and they’re only going to do stuff, invent tricks and malware which only just beats the benchmark.”
That opens up opportunities for technologies which block exploits before they become actively used, as ESET’s Malcho describes. “With software exploits and malware abusing these vulnerabilities for malicious purposes, we responded with a pretty cool technology we call exploit blocker. What it does is monitor processes in the system, and if they’re performing certain actions in unusual ways, the blocker steps in and stops them. We managed to detect a couple of exploits from day zero; we didn’t need to make adjustments to the technology to stop these threats.”
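To make the contrast between the signature-based approach Savvides describes as no longer sufficient and the behavioural, exploit-blocker style monitoring Malcho describes concrete, here is an added toy model (not ESET’s, Symantec’s or AVG’s code). The process traces, hashes, image names and block rules are all constructed for illustration; it shows that a trivially repacked sample slips past a hash lookup while the same process behaviour still gets it stopped.

```python
"""Signature lookup versus behavioural blocking: a constructed illustration."""
import hashlib
from dataclasses import dataclass, field

# Constructed "known-bad" database: the SHA-256 of samples seen before.
KNOWN_BAD_SHA256 = {hashlib.sha256(b"DROPPER-v1").hexdigest()}


@dataclass
class ProcessTrace:
    """Constructed record of one launched process and what it did."""
    image: str                      # program image, e.g. "reader.exe"
    sample_bytes: bytes             # bytes of the file that was opened/run
    events: list = field(default_factory=list)   # (action, target) pairs


def signature_detect(trace: ProcessTrace) -> bool:
    """Old approach: flag only if the exact file hash is already known."""
    return hashlib.sha256(trace.sample_bytes).hexdigest() in KNOWN_BAD_SHA256


# Behavioural rules (constructed): actions that are normal for some
# programs but anomalous when a document viewer or browser performs them.
DOCUMENT_VIEWERS = {"reader.exe", "wordproc.exe", "browser.exe"}
BLOCK_RULES = (
    ("spawn", "cmd.exe", "document viewer spawned a command shell"),
    ("spawn", "powershell.exe", "document viewer spawned PowerShell"),
    ("write", "Startup", "document viewer wrote into an autostart location"),
)


def behaviour_detect(trace: ProcessTrace) -> list:
    """Exploit-blocker style check: return the reasons to stop this process."""
    reasons = []
    if trace.image not in DOCUMENT_VIEWERS:
        return reasons
    for action, target in trace.events:
        for rule_action, rule_target, reason in BLOCK_RULES:
            if action == rule_action and rule_target in target:
                reasons.append(reason)
    return reasons


def triage(traces: dict) -> dict:
    """Run both detectors; a process is blocked if either one fires."""
    verdicts = {}
    for name, trace in traces.items():
        sig = signature_detect(trace)
        reasons = behaviour_detect(trace)
        verdicts[name] = {"signature": sig, "behaviour": reasons,
                          "blocked": sig or bool(reasons)}
    return verdicts


# Constructed sample traces: a known dropper, a one-byte repack of it with
# identical behaviour, and a benign document being saved normally.
STARTUP = r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\upd.exe"
SAMPLES = {
    "known_dropper": ProcessTrace("reader.exe", b"DROPPER-v1",
        [("open", "invoice.pdf"), ("spawn", r"C:\Windows\System32\cmd.exe")]),
    "repacked_dropper": ProcessTrace("reader.exe", b"DROPPER-v2",
        [("open", "invoice.pdf"), ("spawn", r"C:\Windows\System32\cmd.exe"),
         ("write", STARTUP)]),
    "benign_pdf": ProcessTrace("reader.exe", b"CLEAN-PDF",
        [("open", "report.pdf"), ("write", r"C:\Users\alice\Documents\report.pdf")]),
}

if __name__ == "__main__":
    for name, verdict in triage(SAMPLES).items():
        print(name, verdict)
```

The repacked sample is the everyday case the interviewees describe: its hash is new, so the signature lookup is silent, but the shell spawn and autostart write are the same and the behavioural rules still block it.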
The one thing that everyone agrees on is that the problems of cybercrime are only going to escalate, because the potential rewards are quite alluring. “The prize is quite high” says Savvides. “You can live pretty well off the proceeds of cybercrime in certain countries.”