If you’re paid to think about IT security, you already know there are armies of hackers, mostly based overseas and in developing countries, working to gain command and control of your computers.
What you may wonder is, who is really getting paid from all this cyber crime? Is anyone making any real money? The answer is, yes. You are.
From the Russian mobster buying lists of credit card numbers, down to the swarms of “meat cloud” keyboard jockeys creating fake Gmail accounts by the batch, few black-hat hackers make as much as the professionals paid to protect our data, according to Val Smith, founder of Attack Research LLC.
Smith, whose New Mexico company analyzes digital attack methods, was on hand for the Source Boston conference last Friday to tell a smallish function room packed with Boston IT professionals how offshore criminals are infecting us with malware.
Surprisingly, cyber criminals tend to be very lax with their own IT security, Smith said. With hackers launching attacks from one another's unsecured networks, it's often difficult to pin down the source. But with security so lax, it's easy for white-hat hackers and IT professionals to quickly obtain valuable fingerprints of attacker code, he said.
Part of Smith’s presentation focused on the so-called “Chinese Injection.” This attack infects a seemingly innocuous website with malicious code that attacks visitors’ computers, opening them to command and control from afar. He walked back step by step from an example site, using little more than Google Inc.’s (Nasdaq: GOOG) search and analytics to discover how hackers targeted the victim site, opened it to posts and led unknowing visitors to their own malicious sites and downloads.
Hackers’ web-crawling bots find weaknesses in database libraries that allow what are known as “SQL injections.” On one site, they uploaded a .gif image embedded with Microsoft Corp. (Nasdaq: MSFT) Visual Basic script. Microsoft’s Internet Information Services finds and executes the code, which sets up a server-side shell on the site. Now the hackers are posting to the site. One post sets up a username for a backdoor, which allows hackers to get in, grab files and read files. Most importantly, it allows them to put a hidden line of malicious JavaScript on every page of the site.
Following the path of links and exploits from there led Smith directly to a valuable find: a so-called “zero-day” virus, meaning one for which no patches exist. This one was designed to exploit Microsoft’s Internet Explorer 7. “It’s flawed and not very effective to take down (the hackers),” Smith said. “Might as well take their zero-days.”
For IT security professionals, the fingerprint of a new virus is money in the bank — probably more money than it’s worth to whoever created it.
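The final step of the injection Smith described, a hidden line of JavaScript (or an iframe) added to every page of a compromised site, is what a site owner can most easily check for. The following is an added example, not code from Smith's talk or from Attack Research: it scans a set of constructed sample pages for script and iframe loads from hosts outside an assumed allowlist, flags those styled to be invisible, and reports any outside host that shows up on every page, the signature of a site-wide injection.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed sample pages (not from the article). bad.example is an assumed
# attacker host; cdn.example is an assumed legitimate third party.
SAMPLE_PAGES = {
    "/index.html": '<html><head><script src="/js/app.js"></script></head>'
                   '<body><h1>Welcome</h1>'
                   '<script src="http://bad.example/l.js"></script></body></html>',
    "/about.html": '<html><head><script src="/js/app.js"></script></head><body>'
                   '<p>About us</p><iframe src="http://bad.example/x.html" '
                   'width="0" height="0"></iframe></body></html>',
    "/contact.html": '<html><body><p>Contact</p>'
                     '<script src="http://cdn.example/ok.js"></script>'
                     '<script src="http://bad.example/l.js"></script></body></html>',
}

# Hosts this site legitimately loads content from (assumed allowlist).
ALLOWED_HOSTS = {"cdn.example"}

TAG_RE = re.compile(r"<(script|iframe)\b([^>]*)>", re.I)
SRC_RE = re.compile(r"\bsrc\s*=\s*['\"]([^'\"]+)['\"]", re.I)
HIDDEN_RE = re.compile(
    r"(width|height)\s*=\s*['\"]?0\b|display\s*:\s*none|visibility\s*:\s*hidden", re.I)


def scan_page(path, html, allowed_hosts=ALLOWED_HOSTS):
    """Return (path, tag, src, hidden) for every script/iframe whose src points
    at a host outside the allowlist. Relative srcs (same origin) are trusted."""
    findings = []
    for m in TAG_RE.finditer(html):
        tag, attrs = m.group(1).lower(), m.group(2)
        s = SRC_RE.search(attrs)
        if not s:
            continue  # inline script: out of scope for this check
        host = urlparse(s.group(1)).hostname
        if host is None or host in allowed_hosts:
            continue
        findings.append((path, tag, s.group(1), bool(HIDDEN_RE.search(attrs))))
    return findings


def scan_site(pages, allowed_hosts=ALLOWED_HOSTS):
    """Scan every page of the site and concatenate the findings."""
    return [f for path, html in pages.items()
            for f in scan_page(path, html, allowed_hosts)]


def site_wide_hosts(findings, page_count):
    """Outside hosts referenced on every page: the site-wide injection pattern."""
    per_host = Counter({})
    for path, _, src, _ in findings:
        per_host[(urlparse(src).hostname, path)] += 1
    hosts = Counter(h for h, _ in per_host)
    return {h for h, n in hosts.items() if n == page_count}
```

Run against the samples, the scan reports three loads from bad.example, one of them a zero-size iframe, and names bad.example as present on all three pages.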
WHITELISTING
For companies, whitelisting is kind of a no-brainer. Hackers are writing new viruses at a rate of about 2,000 a day. Rather than pay IT security professionals to track down and fingerprint those, companies can tell employees OK, here are the 10, 20, or 100 applications you can download and run on your machine. Anything else, forget it.
Now, imagine trying to tell that to your 16-year-old. Almost a year after desktop security company Symantec Corp. (Nasdaq: SYMC) CEO John Thompson mentioned whitelisting in his address at the RSA Conference in 2008, two Massachusetts companies are putting home-whitelisting applications to the home-use test.
But both Kaspersky Lab Inc. and Bit9 Inc. recognize the technique may not be applicable for home users who want their computers to be as flexible as possible.
“We can’t use it in and of itself,” said Peter Beardmore, senior product marketing manager at Kaspersky. “It needs to be put into context.” The Russian company, with operations in Woburn, began rolling Bit9’s whitelist database into its home security offering last August.
For now, the Bit9 whitelist lets the Kaspersky software skip scanning trusted applications and devote computing resources to more questionable ones. Eventually, however, household CIOs will be able to control what others download, Beardmore said — setting controls based on the risk level assigned by Bit9.
My hat’s off to the household CIO who can get the household board of directors to buy that.