Thursday, 18 December 2014

What Did You Do in the Cyber War, Daddy?

We often read about cyber-attacks, and some of you may even have heard of the expression zero day vulnerability, but this exotic world is usually pretty far removed from our everyday lives.

If, for example, you’ve been following the story of the Sony Pictures hack, or FBI reports on the widespread proliferation of Iranian malware, you would be forgiven for thinking that this doesn’t actually affect you. This week, however, I’m beginning to realise that this may not be the case.

We see computers with malware infections every day, and most of these are actually relatively unsophisticated, regardless of the harm they cause to the system. A typical infection is most likely to come from visiting a compromised website, as these days people are too savvy to risk opening infected attachments. Anybody can radically reduce the risk of what we call drive-by infections by ensuring that their operating system is up to date, and that they have a good (also up to date) antivirus program in place*.

If it is a superficial infection then we use a variety of cleaning tools - the art is in determining which tools to use at any given time, and in which order, and also how the tool is used, and our standard operating procedure will change according to the prevalent threats at any given time. Most customers won't appreciate the level of care that goes into what we call a Level 1 clean.

A proportion of machines, typically 10% to 20% depending upon the threat cycle, will be so badly compromised that we carry out what we call a Level 2 clean, which is where we back up any user data, and completely wipe and reinstall the computer. In most cases this is because we’ve identified a rootkit, which is where parts of the operating system itself have been overwritten to mask nefarious activities; in this case wiping the machine is often the only way we can be sure that we are returning the computer with an operating system which has not been compromised.

In the last couple of weeks however, we've seen a fundamental shift in the nature of malware attacks, and while our industry is used to reading over-hyped articles about malware threats in the press, in this case you would be hard pressed to find any mention of this in the mainstream newspapers.

At the start of the week the technical press reported that a widely used plug-in for WordPress had been compromised on a huge scale, with more than 100,000 infected sites having been identified. It appears that these attacks were exploiting what’s known as a zero day vulnerability in Firefox and Internet Explorer. The term zero day attack refers to an attack exploiting a vulnerability that has not been previously identified, and is therefore one that the developers have not had time to address and patch.

Since this happened we have seen a surge in cases of computers misbehaving without any apparent reason, which is to say our scanning tools aren't finding anything to explain this behaviour.

What’s been particularly worrying is the case of a customer who has just narrowly avoided a bank fraud which almost certainly resulted from the interception of his on-line banking credentials. In itself this isn’t unusual; however, unlike most victims he didn’t click on a link in some phishing email, but logged on via a bookmark. Most worrying of all is the fact that two weeks ago the machine in question came in with a malware infection and we carried out a Level 2 clean, which means that we can be sure that he was using the most up-to-date virus scanner, drivers, and operating system updates.

So this Christmas I’d like to wish you a particularly vigilant holiday, and a cyber safe New Year.

*If you’re on a budget we recommend AVG Free, although the most recent versions have become so insistent in nagging you to purchase the paid-for version that I’m more inclined to point you towards our preferred paid-for option, ESET Smart Security, which has consistently been at the top of our A list for a decade.