The Latest in Internet Attacks and Vulnerabilities May 31, 2006 – A Q&A with Scott Carpenter, Secure Elements
The following is a Q&A session with Scott Carpenter, the Director of
Security Labs at Secure Elements.
Based on the recent SANS Institute reports detailing the Top 20 Internet
Security Vulnerabilities and the marked increase in zero-day attacks and
growth in attacks on Apple OS/X, Scott provides his expert feedback on the
what, why, and who behind this new trend, and strategies for protection
against these vulnerabilities.
Q: What is the motivation behind smaller-scale attacks, such as these
zero-day attacks aimed at IE? What is the advantage as opposed to spreading
viruses and worms that race around the globe looking for un-patched Windows
PCs?
A: In the beginning, worms and viruses for the most part provided their
creators with a reputation. The only financial incentive was to prove how
good they were and hope to get a job with a security company that created
software to combat the same malicious software they wrote. Today, the
techniques malicious software creators use have become more sophisticated.
This is in part due to lessons learned, and in part due to a shift in
motivations. We are seeing targeted attacks that are making money directly
for the virus writers. These targeted attacks vary in nature.
Q: What are some major types of financially motivated malicious software?
A: There are two types that are the most common.
The first is zombie PCs, which is where an attacker takes control of a
machine without the user's knowledge. Once they have control of the machine,
it can be used to send spam emails. Some virus writers can control thousands
of zombie PCs at once and use these PCs to send simultaneous attacks to a
commercial web site. They will often use this capability to extort money from
the owners of large web sites.
The second type is information gathering. Most users have some form of
personally identifiable information on their computer from social security
numbers to credit card numbers. A virus that can look for this information
and send it back to its creator is valuable. It can be sold to criminals or
used by its creator who can in turn sell the information.
Q: How are these software writers able to create these programs?
A: They simply take advantage of mistakes made by operating systems and
application programmers. An overwhelming majority of the mistakes are
completely unintended, but until they are discovered, usually do not cause a
user any problems. A very large amount of work goes into product testing of
all major operating systems and applications when a change is made. Most
mistakes are caught during this process, but some do make it through. The
malicious software writers discover these mistakes and try to take advantage
of them before the original software manufacturer can issue a software patch
to correct the mistake. Humans create software and no software package is
immune to mistakes during its creation.
Q: What is it about today's virtual environment that makes these types of
attacks so profitable and easy to carry out?
A: There are three key current trends that invite these types of targeted
software attacks.
The first is increased "always on" internet connections. Home internet users
are growing at the highest rate ever seen with the broadband internet boom.
Many users have switched from the old dial up internet connections that were
infrequently used to having many home computers connected all of the time.
This means more targets for virus writers.
The second is an increase in the rate of uneducated users. The sharpest
growth of internet users is among home users that are not highly technical and do
not have a team of security professionals at their beck and call to help them
with security threats.
Thirdly, Windows is used by almost everyone. Since Windows has the lion's
share of the PC market in both operating system and internet browser,
malicious software writers focus their efforts on Windows software. Also of
note, Microsoft's Internet Explorer's major competitor, Firefox, has also seen
its share of software bugs this year. No software is immune, and if there is
money to be made on exploiting mistakes in any software, it will be
exploited.
Q: What piece of advice would you offer for those who wish to protect
themselves against these attacks?
A: If you have to choose only one solution to the problem, user awareness and
education will provide the biggest bang for your buck. Nowadays, most people
know that if someone calls them asking for their credit card numbers, it is
most likely a scam. The same types of people are the ones behind the worms
and email scams that are going around right now. Making everyone aware of the
types of malicious software out there and ways to protect himself or herself from
it will reduce the financial motivation that is causing the problems. It is
not a panacea, but it will help alleviate the problem.
Q: What are some helpful web-based educational sources on this topic?
A: Some helpful online security tips can be found at these websites:
Scott Carpenter is the Director of the Secure Elements Security Labs.
Carpenter is responsible for managing a team of security analysts who produce
threat analysis content, vulnerability and exploit detail and remediation
actions. Carpenter previously established the security management programs
for the Transportation Security Administration, The District of Columbia
government, DynCorp, Netsolve, Coremetrics, and All.com. Carpenter is a CISSP
and has over 15 years' experience in the security industry.