Notes from the RSA Conference on security

Michael Lasky

Long gone are the days when PC security mostly meant installing anti-virus software and keeping it updated.

Today, the digital assault on our money and privacy is expanding and changing at a truly mind-boggling pace.

Cyber crime and privacy theft now threaten our mobile phones and tablets, our email and phone calls, retailers’ credit-card terminals, and all online sales and services — potentially any digital device or network with some form of onboard computing capability. (How long will it be before we’re regularly updating the antihacking capabilities of our cars’ onboard computers?)

Defending us against the mounting cyber threat are thousands of security professionals, many of whom met at the recent RSA Conference in San Francisco. Although the main focus of the conference’s attendees was enterprise and government security, it was clear from my talks with show vendors that end users — all of us who connect with the World Wide Web — are the ultimate victims of cybercrime. And, in many cases, we’re also the weakest link in the anti-malware chain, according to security experts.

As I did nearly a year ago (see the March 21, 2013, Top Story, “The malware wars: How you can fight it”), I sat down with security expert Andrew Brandt at the conference and discussed the latest in the battle against malware. Andrew is Solera Networks’ director of threat research, Advanced Threat Protection Group.

The honey pot — luring malware to open servers

With malware code changing with chameleon-like rapidity, security companies are constantly looking at new malware to understand how hackers are operating, how they smuggle their malicious code onto our digital systems, and what actions the code performs when it activates. Security companies must then rapidly adjust their defenses accordingly.

Looking for new threats is what Brandt does all day. Working out of an underground bunker, he monitors an array of intentionally vulnerable PCs.

“It’s called a honey pot,” explains Brandt. “The purpose is to welcome attacks, so I can examine the attackers’ methods of gaining entry and deconstruct their code to see what tasks the code is set up to perform. Once that’s figured out, we can construct a defense to prevent the exploit from functioning.”

Many security companies use honey pots in a network (known as a honey net) for early-warning surveillance — but sometimes also as a decoy to direct malware attacks away from production servers.

“This is a game of cat-and-mouse or whack-a-mole, because attackers doggedly make changes to their code to infiltrate systems once again,” notes Brandt. Systems are most vulnerable after a new exploit is discovered and before security companies create and distribute a defense. During that time, any attempt to compromise systems with the new exploit is called a zero-day attack.

“The second you connect to the Internet, you’re fair game to hackers. While most Web-based attacks employ JavaScript [not to be confused with Java, Oracle's executable application], many use vulnerabilities in Java, Adobe Flash, or Microsoft’s Silverlight,” says Brandt. JavaScript is commonly used to automate tasks in a webpage.

Every webpage your browser loads is an opportunity for malware, explains Brandt. For example, one of the standard page-display operations is identifying which browser — Chrome, Firefox, IE, etc. — requested the page. Also, the browser loads all associated parts of the page, including third-party ads.

Brandt notes, “Hackers basically throw the kitchen sink at browsers on page loads. They will write conditional statements such as if IE, try this; if Firefox, try this; and if neither of those is receptive, go to the next step. This all happens instantly.

“Exploits can happen on any webpage. For example, the New York Times homepage once delivered malware to visitors because an exploit was loaded inside a banner ad placed by an affiliate advertising service.”

Malvertising: Web ads that trick your clicks

Web-based advertising can be fertile ground for malware-based attacks. Malvertising (also known as social engineering) is specifically designed to trick you into clicking a link, which then takes you somewhere you never intended to go.

For example, many PC users still fall for those big, bright scareware ads — “Your computer has 300 infections; click here to fix it!” (For more on this topic, see the March 18, 2010, article, “New names, new threats from fake security apps.”)

Some of the most pernicious ads are cleverly disguised as legitimate content — especially on freeware sites. No doubt you’re familiar with this ploy: a webpage for an app you want has a big download button (sometimes more than one); but clicking the button actually downloads an app you had no intention of installing.

Some of these potentially unwanted–program (PUP) downloads are relatively benign. They can be blocked from installing by unchecking a box during the installation process, or they are easily uninstalled.

Potentially unwanted programs

Figure 1. On freeware download pages, it can be difficult to tell which link downloads the application you want and which downloads an unwanted program — or even malicious code.

But the most dangerous malvertising is malicious: clicking a disguised or fake link installs code that might, among other things, steal passwords, record your keystrokes, or even make your PC into a robot that delivers malware to others every time you connect to the Internet.

“Probably the most hazardous infection for PC victims is CryptoLocker ransomware [shown in Figure 2], and it usually enters your system after you’ve become infected with something else,” notes Brandt. CryptoLocker encrypts all documents on your hard drive; victims are then given about 72 hours to pay up — or they never get the decryption key. The ransom is usually around U.S. $300 to $500. For people who don’t have backups on another drive or in the cloud, all that data is lost if you don’t pay up. (For more on CryptoLocker, see the Oct. 24, 2013, Top Story, “CryptoLocker: A particularly pernicious virus.”)

CryptoLocker warning

Figure 2. Here's a warning you never want to see. CryptoLocker could be the most serious threat to PC users today.

As Brandt noted, some malware finds its way onto online ad-serving services. For that reason, services such as DoubleClick (now part of Google) and ValueClick scrupulously vet their affiliate advertising agencies. But malvertising coders still find ways around the vetting.

“Malvertising scams require significant advance planning,” explains Brandt. “One step the hackers take to evade ad-checking is to register a domain and then park it for 12 to 18 months before using it. They know that part of the vetting process checks whether a domain has been previously blacklisted in the past year.

“By parking it, the hacker’s domain stays clean and will probably pass muster. They can then place advertising-agency ads that have embedded, obfuscated JavaScript. Although initially unreadable, the script is sort of like a self-assembling jigsaw puzzle that can then do its nasty handiwork when reassembled.” Once these domains are caught and blacklisted, they go dark for another year or so — then come alive again and evade agency vetting.

Downloading ebooks: When cheap is expensive

Thanks to Amazon’s Kindle, Barnes and Noble’s Nook, and a host of smaller vendors, ebooks have exploded in popularity — and so has the availability of pirated “free” books, found mostly on peer-to-peer networks but also available on so-called file-hosting services. Cheapskates balking at paying $10 to $15 for legitimate downloads can acquire unlocked copies of copyrighted bestsellers from hosting sites such as DepositFiles, uploaded.net, Rapidgator.net, Novafile, and TurboBit.net. But the downloads might come at a heavy cost in the form of tag-along malicious apps.

As discussed in Brandt’s RSA Conference presentation, those sites also host many PUPs and other malvertisements. Download an ebook or other file, and various buttons attempt to foist fake updates for media players, codec packs, Flash updates, and browser add-ons on unsuspecting visitors.

The sites are also filled with recurring pop-under and pop-over ads (usually containing annoying video and sound) that can be difficult to eliminate. In some cases, quick downloads are offered for a fee, while completely free downloads require navigating multiple pages loaded with misdirecting download buttons and links.

As Brandt sighs, “All this trouble just to avoid paying for an ebook.”

The growing threat to our cellphone data

This past January, Harris Interactive conducted for WinMagic a survey of some 2,000 adults who own a laptop, desktop computer, or mobile device. The company wanted to find out what personal data users considered most at risk if their devices were lost, stolen, or otherwise compromised.

In the survey, 62 percent of respondents selected personal email; pictures and video followed at 54 percent, and social-media accounts came in at 37 percent. Surprisingly, only 38 percent of respondents deemed banking and financial information most at risk. That gives you some idea of the typical computer user’s priorities.

When asked about their security protocols for their digital devices, just 31 percent of the survey respondents regularly change their passwords — and a mere 14 percent encrypt their data. It’s small wonder that end users are considered the weakest link in the cyber-security chain.

In Blue Coat Systems 2014 Mobile Malware Report, the security company points out, “For desktop users, search-engine poisoning and email links are by far the most prevalent vectors that drive users to threats or malicious content. When we look at mobile users, however, we see a much different picture. Search engines barely crack the top 10 — sending unsuspecting users to malware only 3.13 percent of the time.”

Because Apple keeps its operating system for iPhones (iOS) tightly controlled, and its tightly vetted apps are downloaded in a virtual sandboxed environment, its devices have — so far — escaped malware intrusions. Google’s Android operating system, making up the majority of cellphones, has been more susceptible. As Blue Coat’s report notes, “Increasingly, mobile users are being subjected to more ads — even more so than PC users — as sites everywhere continue to refine their mobile advertising strategies. This is a particularly worrying trend, as it coincides with a significant increase in malvertising.”

In February 2014, Web ads became the single biggest threat for mobile users, according to Blue Coat Systems. One time in five, a user is directed to mobile malware via Web ads. That’s triple the number recorded in November 2012.

Malware/malvertisement risk on mobile devices

Blue Coat’s advice is simple: avoid clicking ads on your mobile device. Consider blocking Web ads altogether. Never download or purchase an app outside legitimate markets such as Apple’s App Store, Google Play, or Amazon. (Oh, yes: avoid pornography sites on your phone or tablet.)

One reason Android phones are more prone to malware is that they feature premium Short Message Service (SMS; more info) apps. Many of these apps/services are scams in disguise; they quietly charge a user’s mobile-phone account a per-use or per-month fee. They’re akin to the old 900 number scams that bilked customers of millions of dollars. Some premium SMS apps were established to let users donate money to a charity or for natural-disaster relief — a perfect foundation for malware. Instead of helping someone that needs it, that $5 donation goes to a cybercriminal’s favorite cause — himself. (In the U.S., most mobile users can report these scams to their carrier by forwarding spam SMS messages to the number 7726 — “spam” on the dial pad.)

At the RSA security conference, the security software company Webroot (site) reported that 42 percent of Android applications checked between 2011 and 2013 were classified as either malicious, unwanted, or at least suspicious. Webroot also found that in 2013, the majority of potentially dangerous apps were broken down as: SMS malware, 38.7 percent; ad-based PUPs, 39.8 percent; and malware using obfuscated coding, 8.9 percent.

On iOS devices, 92 percent of apps were deemed “benign.” The other 8 percent were possibly vulnerable, low- or no-cost ad-based apps.

If all this information leaves you feeling a tad nervous, you should be. Cyber criminals are getting ever more determined and creative. Security research firm HBGary (site) reported in February that it reverse-engineered an exploit that used Skype as a transport for malware. Once discovered, the vulnerability was plugged, but the incident demonstrates the lengths hackers will take to spread malware across the planet — and the challenges security companies face chasing new exploits down.

It’s a never-ending game of cat and mouse. In large part, it’s up to us to help ensure the cats don’t win.



Get our unique weekly Newsletter with tips and techniques, how to's and critical updates on Windows 7, Windows 8, Windows XP, Firefox, Internet Explorer, Google, etc. Join our 480,000 subscribers!

PC Drive Maintenance (Excerpt)

Subscribe and get our monthly bonuses - free!

Your hard drives store photos, books, music and film libraries, letters, financial documents and so on. This ebook is aimed at helping you understand your hard drives, expand their capacities and length of life, and recover what you can from them when they fail. We're offering you a FREE Excerpt! Get this excerpt and other 4 bonuses if you subscribe FREE now!

= Paid content

All Windows Secrets articles posted on 2014-03-06:

Michael Lasky

About Michael Lasky

WS contributing editor Michael Lasky is a freelance writer based in Oakland, California, who has 20 years of computer-magazine experience, most recently as senior editor at PC World.