Ah ... the lone computer hacker, chomping on Doritos in a basement, testing the limits of computer and network security for the sheer joy of knowing.
We need to abandon that romantic image, according to Dave DeWalt, president and CEO of Santa Clara, Calif.-based computer security firm McAfee Inc.
If folks like that still exist, they're now likely working for McAfee or a competitor, or, alternatively, in organized gangs trying to steal your money.
"Eighty percent of the malware we're seeing now is financially motivated," DeWalt told an audience of U.S. government security types at the company's recent Public Sector Executive Summit here in Washington.
"As we've watched the economy decline over the past six months, we've seen a complete upward trajectory on the opposite side."
DeWalt quoted the recent IBM X-Force Trend and Risk Report, which, he said, showed a 50-percent year-over-year increase in a particularly nasty form of cyber attack - malware on legitimate corporate websites.
DeWalt dispelled the comforting but erroneous notion that people only get infected if they do something stupid, like opening an email attachment called I LOVE YOU.
"It's just so easy to be able to put malware up on websites," he said, "and then you just search the internet, click on the website and you can get infected."
In one technical session, a McAfee presenter showed how bad guys can easily trick you into thinking you're on a secure connection at a public access computer, when actually your keystrokes are going to bad guys in the Ukraine.
In fact, you don't even need to go online to get infected. According to a person who should know, some U.S. soldiers in Afghanistan received Amazon "parcel reject" packages in 2008. This can happen when a package is undeliverable and gets returned, supposedly to the sender.
Imagine their glee as they opened the boxes and found shiny new USB thumb drives. Just the thing for storing photos of the family and, well, whatever else soldiers like to keep around. Of course, they popped the USB sticks into the nearest computer. It turns out they were infected with invisible malware, causing a massive problem for the U.S. Department of Defense. Result: In November 2008, the U.S. Army banned the use of removable media.
USB sticks are also a common vehicle for corporate espionage and accidental data leakage. DeWalt presented statistics on the number of devices that get left in taxicabs or stuck in airport lounge computers.
Sensing a market opportunity, security vendors have come up with more secure USB drives, including one that requires biometric activation with the owner's finger.
If you knew who to ask (nicely) at this conference, you could get a sample of the SanDisk Cruzer Enterprise FIPS edition. It requires a password and encrypts your data "on the fly" with little impact on performance. The thing is sealed with epoxy to prevent physical tampering.
The downside is that what would normally be a 1GB flash drive retailing for a few dollars costs well over US$100 if you want the secure version.
Still, saving a few bucks buying cheapie USB sticks could be a false economy.
As several presenters noted, data breaches can be horrendously expensive, both in dollars and reputation cost. Governments are clamping down with new regulations for their own computers, and business will probably follow suit. Using something as simple as one of these encrypted USB sticks can provide evidence that a company at least made an attempt to protect its data.
Compliance, and the risks of messing it up, was definitely the "500-pound gorilla" lurking in the minds of many of the government IT honchos in the room.
DeWalt, whose company is the largest computer security company on the planet, assured them that, for a fee, McAfee had solutions to address their computer security woes both at the endpoint (desktop or portable device) and the network.
It's become a mantra that you should keep your software, especially your anti-virus software, completely up to date.
But there's still a problem - the "production gap" between when a bad guy releases a new piece of malware and when the virus companies like McAfee put out a patch for it, and then you install it on your computer. In the meantime, you're totally vulnerable.
McAfee claims to have reinvented computer security by tackling this problem with an internet-based service called Artemis.
Announced last September, it continuously takes in information from 40 million users in 73 countries. If you're hooked into it, your computer sends a "fingerprint" of suspicious-looking files to McAfee, which immediately checks to see if they pose a threat. If one does, it's deleted or quarantined.
The important difference from traditional virus scanning is that Artemis can catch new threats that have not yet been added to your virus checker's signature file.
Of course, McAfee uses the information to update its knowledge base, but you get the benefit instantly.
DeWalt says this has cut the "production gap" from days to just minutes.
Lest we get too excited about this powerful new technique, it's worth remembering that the bad guys are thinking just as hard, and only have to find one hole in our system.
William Pelgrin, the chief cyber security officer of New York State, made that clear in his talk to the group.
Pelgrin showed how hackers can embed links to their own sites into legitimate websites, either to lure people or just to increase their rankings on the search engines so they can sell more Viagra.
"We have the ability to detect these," he said, "and we're putting out hundreds and hundreds of notices about these to state and local governments around the country (with infected websites)."
Still, the bad guys don't lack creativity and they keep Pelgrin's 24/7 monitoring centre in Albany, N.Y., pretty busy.
"This one is frightening," he said, showing off a technique called "JavaScript obfuscation," which makes the evil instructions virtually invisible. "Some bright, clever person decided that space could equal one and tab equal zero" to replace malicious code.
"When you use space and tab what do you get? White space. This one is very difficult to detect."
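A defender's check for the space/tab encoding Pelgrin describes, as an added example that is not part of the original article or of any tool named in it: it scans script source for long mixed runs of spaces and tabs and decodes them with the mapping from the quote (space = 1, tab = 0). The function names, thresholds and sample input are assumptions constructed for illustration.

```python
import re

# Mapping taken from the quote above: space encodes 1, tab encodes 0.
BIT = {" ": "1", "\t": "0"}
# Assumed threshold: 16+ consecutive spaces/tabs, i.e. at least two encoded bytes.
RUN = re.compile(r"[ \t]{16,}")


def find_whitespace_payloads(source, min_printable=0.9):
    """Return (line_no, decoded_text) for whitespace runs that decode to mostly printable ASCII."""
    findings = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        for match in RUN.finditer(line):
            run = match.group()
            # Ordinary indentation is all spaces or all tabs; an encoded run mixes both.
            if " " not in run or "\t" not in run:
                continue
            bits = "".join(BIT[c] for c in run)
            usable = len(bits) - len(bits) % 8  # ignore a trailing partial byte
            data = bytes(int(bits[i:i + 8], 2) for i in range(0, usable, 8))
            printable = sum(32 <= b < 127 for b in data)
            # Sloppy mixed indentation decodes to junk; hidden script text decodes to printable bytes.
            if data and printable / len(data) >= min_printable:
                findings.append((line_no, data.decode("ascii", "replace")))
    return findings


def _sample_bits(text):
    # Builds constructed test input only, using the same space = 1, tab = 0 mapping.
    return "".join(" " if b == "1" else "\t"
                   for ch in text.encode("ascii") for b in format(ch, "08b"))


# Constructed sample: normal indentation plus one line with a harmless marker hidden after "}".
SAMPLE = (
    "function greet(name) {\n"
    "        return 'hello ' + name;\n"
    + "\t" * 16 + "// deep tab indent\n"
    + "}" + _sample_bits("hidden-demo-marker") + "\n"
)

if __name__ == "__main__":
    for line_no, text in find_whitespace_payloads(SAMPLE):
        print(f"line {line_no}: whitespace run decodes to {text!r}")
```

The printable-ratio test is what keeps deep or inconsistent indentation from being flagged; lowering `min_printable` trades more false positives for coverage of payloads that are not plain ASCII.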
In chasing the miscreants who want to steal your identity, empty your bank account, or just sell you fake Viagra, the good guys always seem to be playing catchup.
Pelgrin says the old method of security is not going to cut it anymore, and that information sharing - even when it's embarrassing - and co-operation are the keys to the future.
"Information sharing," he adds, "has to become as second nature as buckling your seatbelt."
(Tom Keenan is a professor at the University of Calgary and an expert on technology and its social implications. He can be reached at email@example.com)