End users are not keeping PC software up to date, nor are they updating and patching the websites and blogs they manage, such as those built on WordPress, the two say. As a result, cybercriminals are getting in, Kellermann and Rasmussen say during this interview with Information Security Media Group (transcript below).
"We need to appreciate what a botnet is - essentially an army of computers that are working as puppets for some cyber-puppetmaster," says Kellermann, chief cybersecurity officer at the security firm Trend Micro.
In fact, most end users are not even aware that their devices or sites have been compromised, he adds. Users also don't fully appreciate the need for malware protections, he adds.
"It's not just social engineering," such as phishing, that's a worry, Kellermann says. Watering-hole attacks, which compromise websites frequently visited by a particular group of targeted users, also highlight the need for more protection of the online ecosystem, he says.
During this interview, Kellermann and Rasmussen discuss:
- How DMARC, the Domain-based Message Authentication, Reporting & Conformance initiative, is having a positive impact on thwarting phishing attacks;
- Why two-factor authentication, especially for online financial transactions, is a necessity; and
- The pitfalls of placing too much reliance on encryption to protect accounts and online information.
Kellermann is a certified information security manager who analyzes emerging cybersecurity threats as well as relevant defensive technologies. Before joining Trend Micro, he served on The Commission on Cyber Security for the 44th Presidency. He also was vice president of security at Core Security for six years and previously worked as a senior data risk management specialist for the World Bank Treasury Security Team.
At the Anti-Phishing Working Group, an international consortium of online security experts, Rasmussen serves as an industry liaison, speaking on behalf of the consortium at events around the world. He also works closely with ICANN, the international oversight body for domain names. Rasmussen is co-founder, president and chief technology officer of online threat mitigation firm IID, also known as Internet Identity.
TRACY KITTEN: When we talk about the hygiene of the Internet, what first comes to mind?
TOM KELLERMANN: The reality is that many users don't feel like they will be targeted by cybercrime. They're not really cognizant that the Internet is actually a hostile environment. Law enforcement does not control the landscape. We should recognize and appreciate that prosecution rates of the FBI in cyberspace are less than 2 percent, yet it's the No. 1 criminal priority for the FBI. Unless we can appreciate the fact that many individuals are susceptible to social engineering and/or spear-phishing attacks when they are coaxed into clicking on a link or downloading their password, [then] Gameover Zeus will be installed on a machine that will bypass the firewalls and virus scanners.
ROD RASMUSSEN: One word that comes to mind when you say Internet hygiene is oxymoron. The hygiene in the Internet is very poor in general, and it comes from a myriad of things, mainly because it's full of human beings to start with. We're all working on a system that was built from the ground up for a different purpose than it's serving today, and you now have all of human activity on a network which was designed more for communications between researchers and the defense department. [It is] now being used for e-commerce, and along with e-commerce came crime. So we're trying to retrofit the Internet in flight to be able to handle the onslaught of things like botnets or DDoS attacks. The Internet is being used against itself in order to perpetuate all kinds of nasty activities. And it is going to take a while to make the Internet a lot cleaner place and safer place to operate.
The Spread of Gameover Zeus
KITTEN: What does the massive spread of Gameover Zeus tell us about the current state of Internet hygiene?
KELLERMANN: Well, what it tells us is that traditional criminals have moved heavily into cyberspace, and it is not their intent or desire to destroy your machine, but [to] steal your credentials, money, and secrets at will. Individuals as a whole need to begin to appreciate that when the machine says critical update, they must download it immediately. They should appreciate that Wi-Fi in a public space is vulnerable to criminality, and they should appreciate that you need antimalware virus scanners and firewalls on your machine, even if you do have an Apple. There is a marketplace and capabilities out there that are producing over 220,000 pieces of malware or attacks like Zeus on a daily basis. Albeit not all of this malware is as significant, we need to appreciate the construct that we exist in - a cyberspace that is truly lawless.
KITTEN: How was Gameover Zeus able to infect so many PCs? Is it this social engineering piece that has helped to facilitate its growth?
RASMUSSEN: The social engineering part is a large factor. The people behind GAZ were very good at creating lures that target their victims very well. We could have all the various pieces of software and protection on the computer; I can usually create something to get around those. But I still have to have a human saying "yes" to running this program in order to infect a large portion. So the social engineering aspect is very key. I think the underside is the technology involved, and that some of the most sophisticated malware out there behind this was able to engineer things to avoid detection at a better rate than other kinds of traditional defenses. So it's a combination of things; when you have lures that target you as the controller of a company very well, you're more likely to be infected with it, and the bad guys know how to do that.
KELLERMANN: I would liken it to an apartment building in the Bronx. Essentially your superintendent is nefarious, and the superintendent has not only stolen the key to your apartment, but by having a presence within your apartment and the building, can use the same attack that our Zeus has. And that is a master key to open up every other computer that you are connected with, and/or to create these lures or social engineering techniques with spear-phishing that would emanate from your computer to target others. And so we need to appreciate what a botnet is, and that's essentially an army of computers that are working as puppets for some cyber-puppet master. These computers can be told to do a multiplicity of things, but most importantly the desire of this cybercriminal spreads the infections in many computers that are trusted by the initial source of infection.
Failing to Keep Up
KITTEN: How does this massive spreading of GAZ illustrate why we are failing at keeping up with phishing trends?
RASMUSSEN: We're always on defense and that's the number one issue. The spread of malware is similar to phishing, or phishing gets you to go to a fake website and enter your credentials of malware there. It kind of gets you around the problem of falling for a fake website, it just gets the code on your computer to make it so that it communicates with the bad guy's server when you actually are going to the real websites. So it's a little bit different, but the evolution is, we see phishing trends change over time; it's hard to keep up with for anybody, much less the average person on the street. But one of the things that we're seeing, too, is you have people not installing updates, patches, etc., as Tom mentioned earlier, and the ISPs and others that are trying to play defense on the behalf of their users while making efforts to keep up, it's not necessarily their primary task to do. So it's difficult to stay on top of the very latest trends and defend against things unless you have a very vested interest in doing so. For example, if you are running a government lab, you might have a bigger incentive to stay on top of the latest trends rather than the average consumer or small business owner.
KITTEN: Would you say that lacking incentive has hindered our ability to stop some of these socially engineered schemes?
RASMUSSEN: That is certainly part of it, in that people don't necessarily realize that they're being targeted. Gameover Zeus really is a great example. All the kind of banking malware has trended towards this as the bad guys have learned how to target very well. So instead of getting an e-mail from a bank that I don't belong to, even though those are still sent out, I get a notice from NACHA or from a processing bank. Something that I would do at my job, so I'm much more likely to click on that. The refining of techniques and better targeting of victims has really been exemplified by this case. The other side is, "Well, I've got victims now. They're not a controller of a company or an employee of a bank, but they do have $500 bucks on their credit card. So I'm going to encrypt all of their files and extort money from them." So they are better utilizing their targeting based on who they've managed to infect. That is how they continue to have success even though we may be stopping more spam with our technology and blocking more things. Well, they just increase their efforts and do a better job targeting.
Phishing for Financial Gain
KITTEN: Would you say that most phishing attacks are waged for financial gain such as account takeover?
RASMUSSEN: When you're talking financial account takeover, I think that we're still seeing phishing attacks. We have seen a lot of diversity of late in what is being targeted. For example, a lot of account takeover in the online gaming space, which may or may not be directly involved with financial gain. Sometimes it is when people can show off those accessed accounts, but other times it's for being able to just take things over. The other major exception to that, from an impact perspective, is more of your espionage kinds of phishing attacks, where you have greater highly targeted spear-phishing and that could be targeted by a state actor against another state or industries within that country. We saw the FBI's most wanted list now has several officers in the Chinese army at the top of it for their alleged hacking. And then we also have people looking into their own citizens, trying to get them to install surveillance programs and the like onto their computers. So we're seeing a change in how phishing attacks are being used, but the sheer volume of it is still for financial gain.
Financial Industry's Problem
KITTEN: Is this a problem the financial industry should be taking a lead in resolving?
RASMUSSEN: The financial industry has, to some extent, taken on this problem. I think they could do a lot more with the evolution of the attacks that we're seeing; it is a shared responsibility where you do have any industry being targeted and you have people who are being attacked because of their political beliefs and things like that. So it's not just the financial industry's daily work anymore, but certainly I think there is more that could be done as far as getting information shared between the financial industry and ISPs and security companies. We could have a better notification and anti-fraud type of setup where people get infected with a computer, or who have their computers infected, get alerts from their banks and have transactions scrutinized or blocked based on this higher suspicion level, things like that.
KELLERMANN: I'm in agreement with that, that greater information sharing needs to occur, but also [banks need] greater information sharing to their constituencies as a whole. I think in large part, the financial institutions tend to [act much like] the financial movement of the 1990s, moving away from the critical mission focus of preserving safety and soundness, trust and confidence. And they've done that by over-relying on encryption to protect their users' accounts. We need to respect the reality that the cybercriminals in Eastern Europe and South America can create Trojans and malware like Zeus that can bypass perimeter defenses. And in doing so, we need to respect the fact that social engineering is effective because we cannot authenticate users where there is a lack of widespread implementation of DMARC, which I think is fundamental.
In addition to that, credentials are far too easy with the existing use of passwords and merely multifactor authentication schemes. We have to move to two-factor authentication. We have to implement DMARC. And we have to have a way in which we can notify and alert customers that either their devices are compromised or that their devices are under siege. Because in their area of the world, there is massive criminal activity that is attempting to heist that bank.
Approaching Problem Differently
KITTEN: Are there different ways to approach the problem that we haven't been giving enough attention to?
KELLERMANN: Social engineering itself has evolved, not just in terms of using spear-phishing to target users and attack them, but to recognize and appreciate that watering hole attacks are flourishing well. And that is when pages within websites have been compromised specific to user sets and those websites themselves, trusted financial websites and others, are now attacking their constituencies. I think the protection of the larger ecosystem from social engineering and not merely looking at spear-phishing and e-mail-based attacks as the only conduit to be conned but also at the application of mobile attacks through SMS or smishing, at location-based attacks, and attacks on the websites themselves, and the use of those websites to socially engineer and drive traffic to criminals is of paramount importance as well.
RASMUSSEN: I was actually fairly skeptical of DMARC when it first came out, but partners we've been working with see really good results, being able to detect a lot of attacks. I highly encourage, especially the attacked brands, to adopt DMARC. It is a pretty effective tool. It needs to address some of these issues. I also see, and I mentioned earlier, the Internet infrastructure itself has got lots of issues. We have issues with the security in itself, and DMARC adoption addresses and handles some of those things, like Wi-Fi access point issues and the like, that people are susceptible to. We have issues around authenticated routing, which we're still trying to figure out how to address. But those efforts are not really progressing very quickly at all.
This gets to the fundamental hygiene on the Internet itself, and we've got to do a much better job at the ISP level around protecting that. Then, my final thought, too, is around browsers - hardening the endpoints themselves. You have an emphasis on functionality and features, and not a whole lot on doing things to keep applications from automatically installing, like when you visit a watering hole or some sort of other exploit site. Mobile is really going to exacerbate that in future years, as those devices have less capability and, to some extent, less ability to add protection services.
Internet Hygiene, A Policy Issue
KITTEN: You argue that Internet hygiene is a policy issue in many ways. Can you explain what your perspective is there?
KELLERMANN: I'm a huge proponent of the Australian approach, in that if your computer is compromised, and it's been known to attack others, the neighborhood itself has to react and at least talk to the owner and let the owner know that their dog is running loose and rabid. So ISPs should notify consumers when their computers are acting as parts of these botnets and acting criminally, regardless of whether it's the user's fault or not. In addition, the same ISPs should be providing security solutions or referring these users to solutions that will clean up their machines so they don't set the rest of the neighborhood on fire. This is also coupled with the reality that it is far too difficult for a financial institution or corporation to write the cease-and-desist letter necessary to sinkhole or shut down malicious [actors] that are attacking.
There should be some sort of streamlined mechanism to achieve that. And then finally, we need to appreciate that ... Eastern Europe has essentially become the new Silicon Valley. ... There is a tremendous amount of money in it, billions and billions of dollars. And that being said, all that money that is traded as professional services in that community is laundered outside of the financial sector through anonymous payment channels and digital currencies. Yet none of these entities are regulated, and even if they are shut down, as in the case of Cryptolocker, none of those monies are actually forfeited, and they could easily be forfeited for the cause of greater cybersecurity. So I would challenge policymakers and the financial institutions of the world to recognize and appreciate that you're losing your retail customer base to these anonymous payment channels and digital currencies. At the same time, 98 percent of bank heists are occurring in cyberspace, and the money that was stolen from you last night is being laundered through these same mechanisms.
KITTEN: Are there any final thoughts that either one of you would like to share?
KELLERMANN: Maintaining trust and confidence should be important, but encryption alone will not achieve this. I look forward to the day where my financial institution offers me two-factor authentication and offers me the capacity to authenticate my e-mail transactions with them through DMARC.
RASMUSSEN: I'd like to point out that this Gameover Zeus/Cryptolocker announcement culminated a long-term, multiyear investigation with many law enforcement agencies, security companies, researchers, ISPs, etc., around the world. They were all working together, sharing information, and doing a lot to help each other out to understand the scope of the problem and the origins of the problem by being creative; this is a model example of how to go after an enterprise like this. And from all the reports, the suspect is on the run, so to speak. We know he is in Russia. This needs to be inspiration for all of us. We have a much greater level of awareness of activities we need to be doing in order to take on these issues and working together. Making those things happen on a much broader scale is what we should take as an inspiration from this particular incident so we can really up our game overall throughout, not just the financial sector, but everything that touches the Internet itself.