This week sees the 25th Virus Bulletin conference, which takes place in Prague from 30 September to 2 October. We spoke to Virus Bulletin’s editor, Martijn Grooten, about how threats have changed over the last 25 years.
My colleagues and I have been very busy preparing for this week’s 25th annual Virus Bulletin International Conference, but on the occasion of this anniversary I wanted to take a little bit of time to reflect on how much has changed in the last quarter of a century.
Looking back at the presentations delivered at the early Virus Bulletin conferences in the 1990s, it’s shocking to see how easy it was back then for computer viruses and worms to spread to millions of computers.
And yet, we were fortunate that attackers really only wrote their viruses for vanity, and seemingly had no intention of making money from infecting computers.
As readers of this site surely know, today’s attackers have become much more professional: whether they’re in it for money or for political reasons, they are often part of organisations with ample resources for both large-scale and more targeted attacks.
Thankfully, security has steadily improved over the past 25 years as well, and today’s attackers have to work a lot harder.
We’re fighting back with new, secure-by-design mitigation techniques like ASLR (which makes buffer overflow attacks much harder to pull off), and security products that go beyond signatures for better detection of suspicious files and behaviours.
One thing hasn’t changed: users continue to cause problems for themselves and their organisations by doing things they shouldn’t do.
Security experts tend to get very excited – or, depending on the person, very worried – about vulnerabilities that can be exploited without any user interaction. And it’s true, such vulnerabilities are pretty scary.
But whether they’re a small-time cybercrook or a nation state-sponsored APT gang, attackers find that it’s much easier to exploit one impossible-to-patch vulnerability: the human.
One of the most costly cyberattacks to date, the $66 million attack on security vendor RSA, started when a curious employee looked at an email that was boobytrapped with malware.
Many other large-profile attacks succeeded because an employee did something even my late grandfather knew not to do: open an unsolicited email attachment.
We shouldn’t be smug. Many people who should know better make very basic mistakes.
When he was on the run from Belize police, antivirus pioneer John McAfee had his location tracked through EXIF data.
Security guru Bruce Schneier is an encryption advocate and expert, but he tells a story of a time he was so busy encrypting documents on his laptop, to keep them from the prying eyes of airport security, that he forgot to delete the unencrypted originals.
What can we do better in the future?
We should, of course, continue to increase our efforts to write secure code. At least in theory, it’s possible for all code to be properly secure. (In practice, it’s good to keep in mind that code is written by humans; Heartbleed, one of the most serious vulnerabilities of recent years, was a human error.)
And we should mitigate the harm that can be done by those sitting between chair and keyboard with education and clear warnings.
Ultimately, neither security software nor training alone can protect unpatched systems and unwary users from today’s sophisticated and opportunistic threats, which is why a coordinated defence is essential.
I can’t see into the future to know what tomorrow’s threats will look like.
But I have little doubt that in 2040, there will be a 50th Virus Bulletin conference somewhere in the world – when experts will grapple with problems we can’t foresee, in devices and services we can’t imagine.
And people will probably still bemoan users and their insistence on doing things they shouldn’t do.
Sophos at Virus Bulletin International Conference 2015
Our talented researchers from SophosLabs will be presenting four papers at the VB2015 conference, covering a range of hot topics from Android malware to banking Trojans and APTs. Visit our Sophos Blog to find out more about who our experts are and what discoveries and insights they’ll be sharing in their talks.
Image of circuit board clock courtesy of Shutterstock.com.
billcaelli
Re RSA – but what would have been the situation if a full “MAC” or “FMAC” OS was used by RSA rather than an obsolete DAC system? Would not have mattered about clicking on a malware attachment – it would not have the necessary “profile” to achieve anything outside the profile of the user / host program. Just look at the original statement by the USA’s NSA when it announced the release of SELinux 1 – NO – not the software – look at the background “rationale”.
TIME TO STOP BLAMING THE END USER!
Any worthwhile OS would have the necessary “brakes” to prevent this anyway!
Yes – have a look at the original USA “Orange Book” / TCSEC – oops – happy 30th birthday to the final edition of December 1985!
NO – not the techie stuff – look at the rationale or background reasoning for, say, the functional specifications of the “B2” class – an almost exact prediction of where we are today in relation to deploying and using computer programs of unknown origin and thus the need for such a paradigm for protection.
SELinux’s time has well and truly come –
BUT – does anyone care? Is government taking a role in mandating such ICT protection via laws and regulations ( like the car industry)?
After all the UK’s own PM, as well as the last PM of Australia, have both stated that the primary role of government is the safety and security of the people of the UK and Australia – AND THAT MEANS IN CYBERSPACE as well as in the physical world.
However, is anyone, including a CIO charged with procurement, etc., educated and trained in this “mandatory” system environment?
Is any UK or other University / college anywhere teaching the technology / operation / management of such systems ? (Trouble may be that the answer is NO!) For example, how do Sophos products work in Redhat RHEL 6.2 environment, with tagging, where RHEL has been evaluated to EAL4 via the Common Criteria / IS15408 – to which the UK and Australia are both CCRA signatories.
Suspect NOT – no market! Your see – in that environment, properly administered, you may not need Sophos products anyway.