ESET Threat Blog

Archive for the 'training' Category

Cybersecurity Awareness Month – Awareness for the Next Generation


Thursday, October 1st, 2009

"Now may I suggest some of the things we must do if we are to make the American dream a reality. First, I think all of us must develop a world perspective if we are to survive. The American dream will not become a reality devoid of the larger dream of brotherhood and peace and goodwill. The world in which we live is a world of geographical oneness…" - Dr. Martin Luther King, from a speech delivered at Lincoln University, Pennsylvania, June 6, 1961

If Dr. King had still been alive today to see the wonders of the global connectivity of the Internet, he would probably consider the quoted portion of his speech as a "statement before its time."

Today the current global Internet penetration rate stands at approximately 24%. With a global population of 6.7 billion, that equates to roughly 1.6 billion users on the Internet across the globe. At the current penetration rate, cybercrime has become pervasive, pandemic and increasingly connected with other parts of the criminal ecosystem. It ranges from the theft of an individual’s identity to the complete disruption of a country’s Internet connectivity due to a massive distributed attack against its networking and computing resources.

With the remaining 5 billion users to connect to the Internet, there are significant challenges – one of which is cybercrime (via its many methods). There are technological preventative measures that help mitigate cybercrime attacks, but technology alone is not the answer.

The next one billion users on the Internet will not come from developed countries, but rather mostly from developing countries. Awareness, even simple levels of awareness, of various types of risks and cybercrime attacks can yield positive results. This is primarily due to the fact that the weakest link in the “security chain” is, correctly, always quoted as being the end user. The additional one billion users on the Internet will be considered “fresh targets” by the cybercriminals.

The target of cybercrime centers on information – the data that is electronically stored for retrieval and subsequent use. For instance, even with varying levels of per-capita income, the amount of money that stands to be lost to a cybercrime called “phishing” (one of the most common online attacks where a person is socially engineered to provide personally identifiable information by someone posing to be a trusted source) has the potential to be quite significant due to the sheer number of users at risk (unaware).

A real-world example of the scope of the threat: cybercrimes, like phishing and data breaches, are a scalable threat to the United States. These threats are so severe they are detailed as national security threats in the 2009 Annual Threat Assessment Intelligence Briefing to the Senate Intelligence Committee. This represents the scope of one cybercrime problem in a single country, whose users have had several years of exposure to the Internet. New Internet users will face the same difficulties – but from cybercriminals that have also had years of experience and that have optimized their attack and evasion techniques.

Infrastructure build-out, deployment and subsequent end-user connectivity should be coupled with effective cybersecurity awareness training – in addition to application usage training. It is the ignorance of on-line risks that poses the greatest threat to the new generation of global Internet citizens. Coordinated global efforts in effective awareness training will transform these new Internet citizens from potential victims to increasingly aware, and less vulnerable, people as a whole.

Jeff Debrosse
Senior Research Director

Securing Our eCity community initiative: http://www.securingourecity.org/

Confused about Conficker?


Friday, January 16th, 2009

CNN reported that there is a new sleeper virus out there. http://www.cnn.com/2009/TECH/ptech/01/16/virus.downadup/index.html

There is nothing sleepy about the Conficker worm, it is wide awake and looking for people who are asleep at the security wheel.

CNN reports that Conficker could allow hackers to steal personal and financial data, and they also report that it “is not very serious in terms of what it does. So far it doesn’t try to steal personal information or credit card details.”

Huh? Ok, I’ll follow suit… Conficker could allow hackers to rig elections and shut down critical power and communications infrastructure, but it doesn’t.

What Conficker could allow hackers to do is truly as irrelevant as it gets. The conditions that allow Conficker to spread mean that any semi-skilled hacker or malware author can do the same and much worse with complete and total impunity.

Conficker was one of the first worms to exploit a fairly recent and serious security vulnerability in Windows (MS08-067). Conficker doesn’t stop there, though: it is also able to guess passwords set by people who do not understand security (think Twitter admin). Yes, Conficker can guess weak passwords. Conficker also exploits autorun, a vulnerability that Microsoft should have patched a long time ago, but MS insists that auto-infection is a feature. Companies that make digital photo frames, MP3 players, GPS systems, and other assorted USB devices have really embraced the auto-infect technology too!!!

To Microsoft’s credit, most of the infections are coming from the corporate space. Why is this to Microsoft’s credit? Because it means that Windows Update is working pretty well in homes, where it is usually allowed to work.

For businesses this is a dismal finding. This means that standard security basics are not being enforced. There is really sobering news here. Perhaps businesses are not investing in security. An IT person needs some budget and time to do his or her job. Maybe businesses do not know how to evaluate competent security professionals to put in charge. “We needed time to test” is not an excuse for not having deployed the patch for MS08-067. If there is a legitimate reason for not having deployed the patch, then there are many other layers of defense that should be in place for protection.

Conficker should be a complete non-story, and actually it is not the story. The real story is that people are still not doing the basics. Keep your systems patched, keep your applications patched, and require and use strong passwords.

Randy Abrams
Director of Technical Education

Multi-Layering and User Education: a random thought from AVAR


Saturday, December 20th, 2008

I promised you some more thoughts on the AVAR conference. Randy Abrams and I put together a paper on user education for the conference (it should be up on our White Papers page quite soon) about the argument between the two main camps in security thinking on the topic. You could sum it up as "If user education was ever going to work, it would have worked by now!" versus "You can’t fix social problems with technological solutions!" And I guess you could sum up our position as "Since neither approach is going to eradicate security breaches, why not integrate the best elements of both approaches into a multi-layered strategy?" (Not as simple as it sounds, but it’s worked for both of us in our previous careers.)

While Randy was doing the presentation (it’s called delegation) I had one of those moments of blinding clarity. The trouble with these instances of dazzling insight is that sometimes they turn out to be about suddenly realizing something that the rest of the world has taken for granted since the Renaissance, but I’ll share it with you anyway.

I’ve spent a great deal of my working life in user support: not so much manning (personning?) the helpdesk phone – though I’ve a fair amount of flying time there, too – but second and third line support. You can certainly look at user education and training as a close relative and in some contexts a subset of user support functionality (no, that isn’t the insight).

There are, it occurs to me, two ways of approaching user support (not that they’re mutually exclusive): for each trouble ticket with your name on it you can take whatever technical measures are appropriate almost without reference to the end-user. That way, you often get a quick fix (re-install, disinfect, replace a malfunctioning component, reset a password) and you can move on quickly to the next job. Users are generally happy because you aren’t expecting any significant effort from them. But what if it’s a problem to which they contributed in some way? All they’ve learned is that if the problem reoccurs, you’ll come back and sort it again. You’ve treated the symptom, not the disease.

The alternative is to look at each trouble ticket (logged request for support) as (potentially) a learning experience. If the user has some understanding of what the problem is, he or she may also realize that there’s a better way of approaching the task that originally sparked the problem. Involving the customer more directly in the problem-solving process may add significantly to each incident resolution, but that’s not a problem if it results in some reduction of the overall volume of incidents. This is social engineering in its more general sense, persuading people to do what’s good for them and the groups to which they belong, not what’s good for some blackhat Svengali.

Of course, some users will resent any attempt to educate them: they will regard it as your job to fix anything they break, just as some AV users expect that because they’ve installed AV, they should be able to click on anything they like without thinking about it. Well, teachers don’t manage to educate all their pupils, either, but we haven’t given up founding schools and universities…

David Harley CISSP FBCS CITP
Director of Malware Intelligence