The computer security industry in particular draws the wrath and ire of malware creators everywhere. As it should.
By Dancho Danchev
It’s that time of the year! The moment when we look back, and reflect on Webroot’s Threat Blog most popular content for 2012.
Which are this year’s most popular posts? What distinguished them from the rest of the analyses published on a daily basis, throughout the entire year?
Let’s find out.
By Dancho Danchev
Cisco Systems, recently announced the release of ’Cisco Global Threat Report’ for 4Q11, containing threat intelligence based on Cisco’s observation of the malicious threat landscape.
Key summary points:
By Mel Morris
From Stuxnet to Sony, a number of cyberattacks emerged in 2011 that experts have predicted for quite some time. I predict 2012 will be even more pivotal, thrusting cybersecurity into the spotlight. These are my top seven forecasts for the year ahead:
1) Targeted, zero-day attacks will be the norm.
Looking back over the past year, an increasing number of breaches were the result of custom malware and exploits targeting specific enterprises. I predict 2012 will be the year of targeted attacks, which have slowly evolved from large-scale threats to unique attacks designed to infect a handful of very specific people. Traditional blacklist and signature approaches have already become ineffective; once a virus is spotted, malware writers simply create a new one. As targeted, zero-day attacks intensify, more security vendors will realize the pressing need to analyze threats and behavior more holistically.
2) 2012 will be the start of a revolution.
For the last several years, the security industry and cybercriminals have had a symbiotic relationship that has kept the market in balance. The “good guys” have done just enough to thwart attacks – and the bad guys haven’t needed to dramatically evolve as they’re still making money doing exactly what they’re doing. I predict the scales will tip in the coming year. More innovative and effective security technology will drive a revolution and we’ll see a heated battle emerge between security companies and cybercriminals. It’s survival of the fittest. As soon as cloud-based technology and behavioral protection strengthen their foothold in the antimalware sector, hackers and cyber mafias will up the ante and scope out new vulnerabilities.
3) Cyber threats will gain political traction.
The Stuxnet worm is an example of something we detected long ago, and its impact has now taken on a whole new meaning. The virus’s sophisticated ability to infiltrate government systems, silently gather information, and disable nuclear power plants has prompted a wakeup call, driving leaders to reassess federal technology standards and regulations. Stuxnet gives us a very real and very scary glimpse of what’s to come.
4) Masses will migrate to cloud platforms.
Now that Cloud has an “i” front of it, the cloud will truly hit the mainstream. The appeal of file sharing and remote access will be a major draw for an increasingly tech savvy population that connects to the Internet from tablets, smartphones, and multiple PCs. This will not only drive widespread adoption of cloud-based tools and applications amongst consumers, but it will dramatically accelerate migration in the business world. Many companies are already on board with cloud platforms and applications, but the power of the masses will act as a tipping point, pushing the vast majority of IT professionals to shun old-school, on-premise approaches and look to the cloud for infrastructure and data solutions.
5) Your smartphone will be a target. Security companies have done a fairly good job of stopping attacks at the endpoint, and this will lead cybercriminals to focus their efforts more heavily on mobile devices, which are still quite vulnerable in today’s environment. We will see an increase in Android and iPhone attacks: rogue apps, malicious links, and spyware targeted at smartphones and tablets. It’s all about data, and business users and consumers alike store an abundance of highly sensitive and poorly guarded information on their mobile devices.
6) Legitimate applications will be used for illegitimate activities.
Rogue Android apps are just the tip of the iceberg. We load our mobile devices with applications that are designed to simplify our lives, yet we don’t stop to consider what else they are capable of – or what someone is capable of manipulating them to do. Even legitimate apps can grab information and use it without our permission. A simple glance at an application like Plane Finder illustrates the vast amount of data that is at anyone’s fingertips. And that’s not to mention the many other opportunities roaming devices present; a criminal could leverage a mobile device to pick up data from a nearby network, or hack into a plane’s WiFi connection and send signals to devices left in improper flight mode.
7) Our weakest link will be strengthened.
When it comes to security, the weakest link has always been people. In 2012, indifference toward security will diminish. Businesses will invest in security and strengthen duty of care measures. Employees and consumers will see the ramifications of breaches and begin incorporating smart Internet practices into their everyday behaviors.
By Andrew Brandt
The Black Hat briefings, held Wednesday and Thursday this week, once again brought together some of the best and brightest in the security industry to share knowledge about novel attacks and better defenses against old and new attacks. And, once again, there were some eye opening moments at the conference.
Right from the beginning, it was clear the scope of the conference had shifted from the previous year. Conference founder Jeff Moss described a new, more rigorous committee-driven process that Black Hat had begun to employ to scrutinize and vet talk proposals. Talks this year would be more technical, go deeper into security threats, and would encompass a broader range of topics than had been done in years past.
But soon after Moss introduced former ambassador and CIA counterterrorism expert Cofer Black, the opening keynote speaker to the conference, someone pulled a fire alarm in the hall where the speech was taking place. While lights flashed and warning sirens sounded, Black joked about the prerecorded messages playing over loudspeakers.
This week, Webroot’s Thre@t Reply managed to steal some time with Ian Moyse, who knows a thing or two about the benefits of putting your computer and network security into the cloud, out where the threats are, rather than keeping your security inside your network or on individual computers.
As always, feel free to submit your security question to @webroot, or by email to blog (at) webroot (dot) com, or in the comments below and we’ll get one of our threat researchers to answer it on an upcoming Thre@t Reply video. To see any of our other video replies to reader questions, visit the Webroot channels on YouTube or Vimeo.
By Gerhard Eschelbeck
As 2010 winds down, I wanted to pull out the crystal ball and talk for a moment about where the security industry seems to be heading in the coming year, and where we anticipate threats and targets.
Mobile platforms: If you’re reading this, there’s a good chance you have either an iPhone, an Android phone, or a Blackberry in your pocket, case, or on your desk right now. If that’s true, then the data on that device is the next big target for criminals, and the newest front in the war on cybercrime. Users have embraced the advantages of mobile platforms, and even though IT admins may officially consider some or all of them “unsupported” in some organizations, you can’t abandon users who will choose convenience over strict IT policy. I predict that mobile platforms will continue to grow at a rapid pace, and we’ll soon reach the threshold level where malware creators start to take notice in significant numbers. IT admins should embrace these new platforms, and take steps to protect users who insist upon having them, even though doing so may make their work harder.
Social engineering: Whether you use a single PC at home, or manage a network of 25,000 laptops and desktops at work, social engineering scams have become so convincing that it’s a wonder IT admins ever get a good night’s rest.
It doesn’t matter how comprehensive your patch and update schedule is — when a sufficiently convincing spam email reaches a gullible employee, all bets are off. With targeted attacks becoming more common, the best defense against this threat continues to be education. Every user, from the newest administrative assistant to the C-level executives, needs training in identifying and avoiding fraudulent email and other messages, harmful file attachments, and Internet behavior that can lead to trouble.
Cloud vs. Desktop: We’ve seen demand for cloud-based services increasing across all segments of the business. In small and medium-sized businesses, we’re continuing to see strong demand for cloud-based solutions, and we expect that to continue next year. Overworked admins like the ease of administration and the performance benefits of cloud security services. And for the first time, we’re seeing consumers getting interested in the advantages the cloud brings to PC protection, including the speed that updates make it to the user of an infected computer.
At the larger end of the enterprise business segment, IT administrators must juggle the requirements of government regulations with the performance advantages that cloud services have to offer. In those cases where security regulations may not permit some kinds of data to move out into the wider Internet, we’ve seen a demand for what we call private cloud architecture — something that offers the performance benefits and features of a cloud solution, within an organization, while, at the same time, satisfying regulatory constraints on how companies move or store data.
We also can see how criminals have developed a taste for the vast volumes of sensitive data stored in the cloud, and anticipate that malware creators and other attackers will try to steal data stored in the cloud with increasing frequency.
Security Updates: More than 60 percent of malware attacks come from known vulnerabilities, so no matter whether you’re a one-person shop, or manage many thousands of desktops, maintaining not only the operating system but also the third party applications on which you (and your organization) depend should be a top priority. Besides office applications, attacks in the past year have focused on programs like Adobe Reader, Java, Flash, AutoCAD, media players, graphic design tools, and various browsers and browser plug-ins. IT departments should never let a new computer get to an employee that has anything older than the very latest build of these critical applications.
Consolidation: While not expressly a security trend, larger companies — some in the security space, and some that have not previously played there — have been augmenting their offerings. Intel’s purchase of McAfee, for example, appears to extend their platform beyond mere chipmaking. Other acquisitions, such as Webroot’s purchase of Brightcloud and Prevx, help companies acquire capabilities that can defend against, or remediate, a specific kind of threat. HP, IBM, and Symantec have done similar things, and with each acquisition, the companies gain another part of a toolkit they can use to respond to emerging threats. We expect to see more companies in this space merge and transform themselves over the next year.
By Andrew Brandt
For years, the makers of those snake oil security programs we call Rogue Security Products have spent considerable effort making up new names, developing unique graphic design standards, and inventing backstories for their utterly useless, expensive scam products. Now a new rogue has taken this never ending shell game one step further, releasing a single program that calls itself one of five different names, depending on what button an unfortunate victim clicks in a highly deceptive dialog box. Let’s call it what it really is, though: A malicious play in five acts.
The rogue’s delivery method, or Act 1 in this melodrama, is no different from the many we’ve seen in the past 18 months which use a Javascript-enhanced Web page to convince viewers they’re watching a live malware scan on their computer. This trick is so hackneyed, it’s become the cybercrime equivalent of the dastardly villain in a silent movie tying the hapless woman to a railroad track, then twisting the ends of his mustache for dramatic effect. Does anyone still fall for this?
Only, this time the fakealert delivers a different payload: When the victim runs the rogue executable (named simply setup.exe), Act 2 begins. The rogue displays a dialog box that looks like an alert message issued by Microsoft Security Essentials, cautioning the victim that a legitimate Windows component present on most or all installations of Windows, such as iexplore.exe or cmd.exe, is actually a piece of malware.
The rogue helpfully offers to perform some sort of online scan, and that’s where it gets weird. The rogue pretends to scan the hard drive with 32 different antivirus engines, a-la VirusTotal. The vast majority of them are well known, at least in the security community. But five are new, and it’s those five that merit closer inspection.
By Andrew Brandt
If you’re a customer or an employee of McAfee, chances are, you’re having a rough week. The company published a false positive, or FP, in its antivirus definitions that went out to customers a few days ago. The FP resulted in some computers going into a loop where the antivirus engine misidentified a key component of the Windows operating system as malicious, Windows replaced the quarantined file, and then the McAfee engine removed it again.
I really feel badly both for McAfee’s customers as well as their researchers. The customers certainly didn’t deserve or want their protection to go haywire. Security firms that make antimalware programs, like Webroot and McAfee do, confront the risk of publishing false positives every day. I don’t think there’s a single company that doesn’t strive for a zero percent false positive rate (aside from the snake oil pitchmen who sell rogue antivirus products, whose entire business model is predicated on lies and deception).
Every legitimate company in this space has had to retract some definition set at some point because it misidentifies or removes the wrong thing. We’ve done it, too; It’s nothing to be proud of, but it’s the reality of the situation in which anti-malware researchers work. The malware creators do their best to make this task as difficult as possible. We also know that every minute longer it takes to work on an updated definition, is another minute where our customers roam the Web unprotected from the dangers that lurk around virtually every corner. In the rush to press forward, we sometimes make mistakes. And as a result of those mistakes, we’ve made some improvements over time: Our desktop Webroot Antivirus product can’t, for example, accidentally quarantine some of the key system files Windows needs just to remain operational, as long as those system files remain unmodified by malware.
What happened with McAfee has been the subject of a lot of water-cooler discussion here, too. One of the bright points that has come out of the internal conversations I’ve shared with some of my colleagues is this: Putting the definitions into the cloud, instead of letting them reside on the “endpoint” (the desktop computer running the antivirus software) has a clear advantage in cases like this. If a definition hosted in the cloud goes horribly, horribly wrong, we can pull that definition from circulation immediately, thereby limiting the scope of the damage, and hopefully containing it to the small number of users who happen to be in the unlucky position to be first to use a defective definition set.
Another point that someone made concerned the Webroot Web Security Service, which is a Web filtering service we sell to businesses as a way to protect their entire network from dangerous Web sites hosting malware-pushing exploit kits or phishing pages. Web SaaS provides a critical layer of protection from Web-based threats in the unlikely event that you might have to temporarily remove a misbehaving endpoint anti-malware product. Our Email SaaS service does the same for threats that might come through corporate mail systems. SaaS security won’t ever totally replace some sort of security app running on the computer, but it does a bang-up job keeping you safe from most threats.
When it comes to offering protection, the state of the Internet today demands a far more rapid response to threats. We need to respond immediately to new attacks, so our customers are protected the minute we discover something new. And likewise, we need to be able to pull back changes immediately, so we can limit the damage if we make mistakes. This immediacy is the benefit of keeping some security components out in the cloud, and we’re working towards a goal that protects not just the computer, but the people using that computer, the minute new threats reveal themselves. Waiting days and days for protection just isn’t an option anymore.
By Gerhard Eschelbeck
It’s been a busy year in Internet security — cybercriminals were crafty and creative while we security vendors worked hard to stay a step ahead. Let’s take a look back at the biggest security trends of 2009, and at predictions for what’s ahead in 2010.
2009 – The Year in Review
Conficker. Targeted at enterprise networks but also crossing over to individuals who could bring it home on a USB stick, Conficker generated a lot of media discussion which drove confusion among consumers and concern among IT admins. Conficker renewed the public’s focus on Internet security, at a time when the threat landscape was growing more complex.
Consolidation. In 2009, we saw Symantec acquire MessageLabs, McAfee acquire MX Logic, Cisco acquire ScanSafe, M86 acquire Finjan, and Barracuda acquire Purewire. Many large vendors have track records of poorly integrating smaller companies after acquiring them for a key piece of technology. At the endof this year, we’re left asking, will true innovation now only be possible among the few independent vendors remaining?
Social Media. Concerned about productivity and infection, enterprises struggled with corporate usage policies of social networks — media that is now ubiquitous, and also integral to communicating with and understanding customers. Meanwhile, consumers adopted social networks en masse, providing cybercriminals with a huge target for harvesting personal data via Koobface and various spam campaigns.
The Cloud. While the definition of “cloud computing” and “in the cloud” held different meanings in 2009, enterprises continued to adopt security as a service for its easier, faster, more efficient and cost-effective distribution of security updates. Vendors extended their SaaS-based technology into their consumer solutions after proven success in the enterprise market — an exciting convergence of technologies.
Malware Trends. We saw a changing Internet user who is highly mobile, presenting a new set of attack vectors for malware authors. We also saw increasingly sophisticated malware — cybercriminals using email to distribute malicious Web links and manipulating SEO by programming malicious links near the top of search results for popular news stories — and an explosion of social engineering tactics employing fake security alerts and rogue AV products with new variants launched seemingly in real-time.
2010 — The Year Ahead
Threat Landscape. The malware attacks of today are different than in recent years. Hybrid malware, combining the use of Web and email to carry out sophisticated attacks, will become even more prevalent in 2010. Narrowly targeted malware, which requires the presence of specific applications or data to engage in malicious activity, will also be on the rise. Finally, the increasing “real-feel” of phishing sites and emails — as evidenced by a recent Verified by Visa scam — are keeping security vendors, IT directors and consumers on their toes.
Social Media. Attacks on social networks will continue to increase in volume and scope, targeting communities such as Facebook and Twitter as well as those we’ll see emerge in the coming year. Social networks present a very good ROI for cybercriminals using them as a platform for perpetrating URL-based attacks. This trend will intensify — through shortened links, user-generated content, videos, and so forth. Friend, Follower, Tweeter, beware.
The Cloud Grows. We predict cloud computing as the computing platform, such as the Amazon data center model, will be the next generation of the Internet. Computing will become like a utility, similar to how we use electricity today. We will pay for what we use; the PC will become the visualization tool we look into for applications in the cloud. More cloud computing platforms will become available as we capitalize on this economical, scalable model.
While this may seem like a daunting list of threats and predictions, the good news is, the security industry has never been stronger: The level of innovation, the raised awareness, the healthy competition among vendors — together make for an optimistic outlook. We at Webroot wil continue to work hard to create effective technologies to make the Internet and the cloud a safe place for consumers and businesses alike.
By Brian Czarny
This week it was impossible to escape the “big news” that Twitter got hacked. The French hacker, known as “Hacker Croll,” who made headlines back in May for a similar Twitter breach, was at it again. This time he managed to get his hands on at least 310 sensitive Twitter business documents by gaining access to an employee’s email account, subsequently using information found in that account to then access the employee’s Google Apps account to steal the confidential company documents. The hacker sent the documents to TechCrunch, who then chose to publish them along with an account of the breach.
This highly publicized breach got people talking, and ignited a wave of speculation about two things: first, about the security of passwords and how easy it is to guess the answer to someone’s security question based on publicly available information found on social media sites; and second, about the security of data stored “in the cloud” – in this case, Google Apps.
On the second point, let’s not take this too far. This incident has little to do with the security of the cloud apps themselves. It is much more about the first point and the security practices that users of all Web sites and applications – whether they are banking sites, social media sites or cloud applications – should be employing in their day-to-day use.
The key learning end users should take from this incident is that password security is critical, both in terms of the passwords you choose as well as the amount of data you expose publicly through social media sites like Twitter and Facebook.
Twitter spells this out on its blog response and even Hacker Croll himself articulates that his intention is to teach people a lesson about the security holes in secret questions:
“What I would like to say is that even the biggest and the strongest do silly things without realizing it and I hope that my action will help them to realize that nobody is safe on the net. If I did this it’s to educate those people who feel more secure than simple Internet novices. And security starts with simple things like secret questions because many people don’t realise the impact of these question on their life if somebody is able to crack them.”
