11:05:00 PM
valgeo
Conventional security software is powerless against sophisticated
attacks like Flame, but alternative approaches are only just getting
started.
Two weeks ago today, computer security labs in Iran, Russia, and Hungary announced the discovery of Flame, "the most complex malware ever found," according to Hungary's CrySyS Lab.
For at least two years, Flame has been copying documents and
recording audio, keystrokes, network traffic, and Skype calls, and
taking screenshots from infected computers. That information was passed
along to one of several command-and-control servers operated by its
creators. In all that time, no security software raised the alarm.
Flame is just the latest in a series of incidents that suggest that
conventional antivirus software is an outmoded way of protecting
computers against malware. "Flame was a failure for the antivirus
industry," Mikko Hypponen, the founder and chief research officer of
antivirus firm F-Secure, wrote last week. "We really should have been able to do better. But we didn't. We were out of our league, in our own game."
The programs that are the linchpin of computer security for businesses, governments, and consumers alike work the same way as the antivirus software on consumer PCs. Threats are detected by comparing the code of programs, and what they do when they run, against a database of "signatures" for malware that has already been identified. Security companies such as F-Secure and McAfee constantly research reports of new malware and update their signature lists accordingly. The result is supposed to be an impenetrable wall that keeps the bad guys out; by construction, though, it can only stop what has been seen before.
However, in recent years, high-profile attacks on not just the Iranian government but also the U.S. government have taken place using software that, like Flame, was able to waltz straight past signature-based defenses. Many technically sophisticated U.S. companies, including Google and the computer security firm RSA, have been targeted in similar ways, albeit with less expensive malware, for their corporate secrets. Smaller companies are also routinely compromised, experts say.
Some experts and companies now say it's time to demote
antivirus-style protection. "It's still an integral part [of malware
defense], but it's not going to be the only thing," says Nicolas Christin,
a researcher at Carnegie Mellon University. "We need to move away from
trying to build Maginot lines that look bulletproof but are actually
easy to get around."
Both Christin and several leading security startups are working on
new defense strategies to make attacks more difficult, and even enable
those who are targeted to fight back.
"The industry has been wrong to focus on the tools of the attackers,
the exploits, which are very changeable," says Dmitri Alperovitch, chief
technology officer and cofounder of CrowdStrike,
a startup in California founded by veterans of the antivirus industry
that has received $26 million in investment funding. "We need to focus
on the shooter, not the gun—the tactics, the human parts of the
operation, are the least scalable."
CrowdStrike isn't ready to go public with details of its technology,
but Alperovitch says the company plans to offer a kind of intelligent
warning system that can spot even completely novel attacks and trace
their origins.
This type of approach is possible, says Alperovitch, because although an attacker could easily tweak the code of a virus like Flame to evade antivirus scanners once more, he or she would still have the same goal: to access and extract valuable data. The company says its technology will rest on "big data," possibly meaning it will analyze large volumes of activity traces from a customer's systems to pick out those that could come from an intruder.
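The contrast the article draws, between a signature that a one-byte change defeats and a behaviour that survives any recompile, is easy to show in code. The following is an added example written for this page, not CrowdStrike's technology or any antivirus product's engine. The sample "binaries", the signature database, the telemetry events, the document directories and every threshold are constructed assumptions for illustration; the behavioural rule (mass document reads plus audio, screen or keystroke capture plus regularly spaced outbound connections to one host) is a generic description of the collect-and-exfiltrate pattern the article attributes to Flame, not a published detection.

```python
import hashlib
import re

# --- Signature-based detection (what the article says Flame slipped past) ---

# Constructed sample "binaries" for illustration only. The second differs
# from the first by a single byte in a version string. Neither is real malware.
KNOWN_SAMPLE = b"MZ\x90\x00" + b"collect_docs;record_audio;beacon;v=1"
TWEAKED_SAMPLE = b"MZ\x90\x00" + b"collect_docs;record_audio;beacon;v=2"

# Hypothetical signature database: an exact-file hash plus a byte pattern,
# the two forms a signature scanner typically carries for a known sample.
SIGNATURE_DB = {
    "sha256": {hashlib.sha256(KNOWN_SAMPLE).hexdigest()},
    "patterns": [re.compile(rb"record_audio;beacon;v=1")],
}

def signature_match(sample: bytes, db=SIGNATURE_DB) -> bool:
    """True if the sample's hash or one of its byte patterns is already known."""
    if hashlib.sha256(sample).hexdigest() in db["sha256"]:
        return True
    return any(p.search(sample) for p in db["patterns"])


# --- Behaviour-based detection ("focus on the shooter, not the gun") ---

USER_DOC_DIRS = ("C:\\Users\\",)            # assumed location of user documents
DOC_EXTS = (".docx", ".xlsx", ".pdf", ".dwg")  # assumed "valuable document" types
CAPTURE_ACTIONS = {"audio_capture", "screenshot", "keylog"}

def behaviour_indicators(events, beacon_min=3, jitter=0.2):
    """Summarise one process's telemetry, given as (ts_seconds, action, target).

    Returns the number of distinct user documents read, the capture actions
    seen, and the hosts contacted at regular intervals at least beacon_min
    times (a beacon: every gap within jitter * mean gap of the mean).
    Thresholds are illustrative, not tuned production values.
    """
    docs = {t for _, a, t in events
            if a == "file_read" and t.startswith(USER_DOC_DIRS)
            and t.lower().endswith(DOC_EXTS)}
    captures = {a for _, a, _ in events if a in CAPTURE_ACTIONS}
    conns = {}
    for ts, a, t in sorted(events):
        if a == "net_connect":
            conns.setdefault(t, []).append(ts)
    beacon_hosts = []
    for host, times in conns.items():
        if len(times) < beacon_min:
            continue
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = sum(gaps) / len(gaps)
        if all(abs(g - mean) <= jitter * mean for g in gaps):
            beacon_hosts.append(host)
    return {"documents_read": len(docs),
            "capture_actions": sorted(captures),
            "beacon_hosts": beacon_hosts}

def behaviour_match(events, doc_min=5) -> bool:
    """Flag the combination: bulk document access, capture, and a beacon."""
    ind = behaviour_indicators(events)
    return (ind["documents_read"] >= doc_min
            and bool(ind["capture_actions"])
            and bool(ind["beacon_hosts"]))

# Constructed telemetry for one process. Whichever of the two sample binaries
# ran, the goal (collect documents, record, exfiltrate) produces these events.
SPY_EVENTS = [
    (0,    "file_read",     "C:\\Users\\alice\\Documents\\q3-forecast.xlsx"),
    (5,    "file_read",     "C:\\Users\\alice\\Documents\\board-deck.pdf"),
    (9,    "file_read",     "C:\\Users\\alice\\Desktop\\contract.docx"),
    (12,   "file_read",     "C:\\Users\\bob\\Documents\\turbine.dwg"),
    (15,   "file_read",     "C:\\Users\\bob\\Documents\\salaries.xlsx"),
    (20,   "file_read",     "C:\\Windows\\System32\\kernel32.dll"),  # not a document
    (30,   "audio_capture", "microphone"),
    (45,   "screenshot",    "display0"),
    (600,  "net_connect",   "203.0.113.7:443"),
    (1200, "net_connect",   "203.0.113.7:443"),
    (1800, "net_connect",   "203.0.113.7:443"),
    (2400, "net_connect",   "203.0.113.7:443"),
    (700,  "net_connect",   "192.0.2.10:80"),   # one-off connection, not a beacon
]

# Constructed telemetry for a word processor: a couple of documents, no capture,
# irregular connections to an update server.
BENIGN_EVENTS = [
    (0,   "file_read",   "C:\\Users\\alice\\Documents\\notes.docx"),
    (40,  "file_read",   "C:\\Users\\alice\\Documents\\draft.docx"),
    (10,  "net_connect", "198.51.100.5:443"),
    (50,  "net_connect", "198.51.100.5:443"),
    (400, "net_connect", "198.51.100.5:443"),
]

if __name__ == "__main__":
    print("known sample, signature:", signature_match(KNOWN_SAMPLE))     # True
    print("tweaked sample, signature:", signature_match(TWEAKED_SAMPLE))  # False
    print("spy process, behaviour:", behaviour_match(SPY_EVENTS))         # True
    print("benign process, behaviour:", behaviour_match(BENIGN_EVENTS))   # False
```

The point of the pairing is the asymmetry in cost: the attacker defeats the hash and the byte pattern with a one-byte edit, but to defeat the behavioural rule they must change what the implant does (read fewer files, stop recording, randomise or drop the beacon), which cuts into the data they came for. In a real deployment the thresholds would be tuned against baseline telemetry from the environment, because backup agents and document indexers also read many files quickly.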
Christin, of Carnegie Mellon, who has recently been investigating the
economic motivations and business models of cyber attackers, says that
makes sense. "The human costs of these sophisticated attacks are one
of the largest," he says. Foiling an attack is no longer a matter of
neutralizing a chunk of code from a lone genius, but of defeating
skilled groups of people. "You need experts in their field that can also
collaborate with others, and they are rare," says Christin. Defense
software that can close off the most common tactics makes it even
harder for attackers, he says.
Other companies have begun talking in similar terms. "It goes back to
that '80s law enforcement slogan: 'Crime doesn't pay,' " says Sumit
Agarwal, a cofounder of Shape Security,
another startup in California that recently came out of stealth mode.
The company has $6 million in funding from ex-Google CEO Eric Schmidt,
among others. Agarwal's company is also keeping quiet about its
technology, but it aims to raise the cost of a cyber assault relative to
the economic payoff, thus making it not worth the trouble to carry out.
A company with a similar approach is Mykonos Software, which developed technology that helps protect websites by wasting hackers' time to skew the economics of an attack. Mykonos was bought by networking company Juniper earlier this year.
Antivirus companies have been quick to point out that Flame was no
ordinary computer virus. It came from the well-resourced world of
international espionage. But such cyberweapons cause collateral damage
(the Stuxnet worm targeted at the Iranian nuclear program actually
infected an estimated 100,000 computers), and features of their designs
are being adopted by criminals and less-resourced groups.
"Never have so many billions of dollars of defense technology flowed
into the public domain," says Agarwal of Shape Security. While the U.S.
military goes to extreme lengths to prevent aircraft or submarines from
falling into the hands of others, military malware such as Flame or
Stuxnet is out there for anyone to inspect, he says.
Agarwal and Alperovitch of CrowdStrike both say the result is a new
class of malware being used against U.S. companies of all sizes.
Alperovitch claims to know of relatively small law firms being attacked
by larger competitors, and green technology companies with less than 100
employees having secrets targeted.
Alperovitch says his company will enable victims to fight back,
within the bounds of the law, by also identifying the source of attacks.
"Hacking back would be illegal, but there are measures you can take
against people benefiting from your data that raise the business costs
of the attackers," he says. Those include asking the government to raise
a case with the World Trade Organization, or going public with what
happened to shame perpetrators of industrial espionage, he says.
Research by Christin and other academics has shown that chokepoints
do exist that could allow relatively simple legal action to neutralize
cybercrime operations. Christin and colleagues looked into scams that
manipulate search results to promote illicit pharmacies and concluded
that most could be stopped by clamping down on just a handful of
services that redirect visitors from one Web page to another. And
researchers at the University of California, San Diego, showed last year
that income from most of the world's spam passes through just three banks.
"The most effective intervention against spam would be to shut down
those banks, or introduce new regulation," says Christin. "These complex
systems often have concentrated points on which you can focus and make
it very expensive to carry out these attacks."
But Agarwal warns that even retribution within the law can be
ill-judged: "Imagine you're a large company and accidentally swim into
the path of the Russian mafia. You can stir up a larger problem than you
intended."