In hot pursuit of mal practice

Constantly reinventing itself, malware is a persistent thorn in the side of all IT users but there are a number of ways to combat it

Malware – malicious software designed to access a computer system without the owner’s informed consent – has been around for three decades but today’s incarnation is far more agile and insidious than its 20th-century forebear.

Where the 1980s version hitched a ride on floppy disks to spread to other users’ computers and IT devices, 2011 malware uses any device that stores or moves data as an infection vehicle. Anything from a USB stick to a portable hard drive, smartphones and the internet can become a carrier.

Yet this diversification of interconnected devices is something that can also be exploited by users to good effect, says Graham Cluley, senior technology consultant with IT security specialist Sophos.

There is an argument, he says, to dispense with a Windows PC and use either an Apple Mac computer or, if only email and web surfing are involved, an Apple iPad. The reason? The Apple platform is currently only slightly affected by malware and viruses.

“We’re seeing around 95,000 new security threats ranging from viruses to Facebook click-jacking [misuse of internet links] on the Windows platform every single day. That compares with just a couple of threats every week for the Apple platforms,” he says.

While Cluley feels sorry for new users of the internet and computers in general, the reality is that many computer users want their PCs to be as easy to use as their TVs, when in fact they are infinitely more complex to maintain, he says.

Breaking down the update and security-patch procedures – needed to keep the computer’s operating system and software as up to date as possible against a sea of threats – into 10-minute sessions throughout the week is the best advice, he adds.

But even if computer users, at home or in the office, go down the Apple Mac route, Cluley advises that they should not lose sight of the fact that, no matter how smart and stylish the computer is, it’s still a computer. Users can still be ‘phished’ for their banking or similarly financially useful online credentials or even lured to a website that has been infected with malware. (Phishing is a usually criminal way of attempting to acquire sensitive information, such as usernames, passwords and credit card details, by masquerading as a trustworthy entity in an electronic communication.)

Peter Wood is CEO of First Base Communications and a member of the security conference committee of ISACA, the not-for-profit IT security association with more than 95,000 members worldwide and which has a wealth of free security advice on its website. Wood’s company specialises in penetration testing of business IT systems and defending against malware is a topic he encounters a lot with the organisations whose IT security systems he tests, he says.

There is, he explains, a lot of ignorance in business-land about what malware is, with terms such as ‘virus’ and ‘malware’ being used interchangeably, despite the fact they are specific technology terms.

Malware is a general term used by IT professionals to mean a variety of forms of hostile, intrusive, or annoying software, he says. A virus is a computer program that can copy itself and infect a computer. A true virus can spread from one computer to another when its host is taken to the target computer – such as when an infected file is sent over the internet – or carried on a removable medium such as a floppy disk, CD or DVD.

After his team have penetration-tested an organisation’s IT systems, Wood prepares a report on their security inadequacies and sits down to discuss their best options. It’s at this stage that he recommends IT security software, which usually centres on a mix of best-of-breed security products, rather than a one-size-fits-all suite.

“We’re honest enough to realise this may not be possible in a corporate environment because of the cost of supporting different security software, while SMEs, of course, do not always have the in-house technical expertise to maintain a mixture of IT security and systems,” he says.

Most IT people, he observes, are looking for simple solutions and, since a growing amount of business software comes with a web browser interface (Internet Explorer, Firefox and so on), he recommends that computer users use the Firefox browser.

The reason, he explains, is that Firefox has a number of free add-ins such as Noscript, which blocks unwanted programs from running within the web browser without permission.

Another useful add-in for Firefox that Wood recommends, and which is also available for other browser software, is Ghostery, which displays messages about the various tracking facilities – cookies – which a growing number of websites use.

Ghostery, says Wood, not only allows users to see what tracking elements a website is throwing at them, and click through for more information, but also permits them to selectively block cookies as and when required.

Intelligent use of add-ins like Noscript and Ghostery allows users to take control of their web sessions and stop websites from knowing too much about the user and their computer when visiting a given page.

And since a number of less reputable websites – and downright nasty internet portals – use these tracking elements to know when a repeat visitor is looking at their pages, this reduces the risk profile of an internet user, a strategy which Wood says he always advises clients to take.

Another handy internet widget that Wood and his team recommend to clients is Team Cymru’s Malware Hash Registry (MHR) project. MHR allows internet users to look up the checksum of a file to be downloaded against a public database, enabling you to verify that its integrity is intact and that the file has not been tampered with.

The MHR widget is free for non-commercial use and, Wood adds, is a very useful tool in a computer user’s arsenal against the darker forces of the internet.
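
The checksum lookup Wood describes can be scripted. The following is an added example, not code from the article or from Team Cymru: it hashes a file with SHA-1 and interprets a registry reply, assuming a reply of the form `<hash> <unix-time> <detection-percent>` or `<hash> NO_DATA`. The function names, the `block_at` threshold and the sample reply line are constructed for illustration.

```python
import hashlib
import io
from datetime import datetime, timezone


def file_sha1(stream, chunk_size=65536):
    """Hash a binary stream in chunks so a large download need not fit in memory."""
    digest = hashlib.sha1()
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        digest.update(chunk)
    return digest.hexdigest()


def parse_reply(line):
    """Parse one registry reply line (format is an assumption, see lead-in)."""
    fields = line.split()
    if len(fields) == 2 and fields[1] == "NO_DATA":
        return {"hash": fields[0].lower(), "known": False}
    if len(fields) == 3 and fields[1].isdigit() and fields[2].isdigit():
        return {
            "hash": fields[0].lower(),
            "known": True,
            "last_seen": datetime.fromtimestamp(int(fields[1]), tz=timezone.utc),
            "detection_pct": int(fields[2]),
        }
    raise ValueError(f"unrecognised reply: {line!r}")


def verdict(stream, reply_line, block_at=1):
    """Return 'block', 'review' or 'unknown' for a file and the reply to its lookup."""
    checksum = file_sha1(stream)
    reply = parse_reply(reply_line)
    if reply["hash"] != checksum:
        # Never act on an answer that belongs to a different file.
        raise ValueError("reply is for a different checksum")
    if not reply["known"]:
        # Absence from the registry is not proof that the file is clean.
        return "unknown"
    return "block" if reply["detection_pct"] >= block_at else "review"


if __name__ == "__main__":
    sample = b"abc"  # constructed stand-in for a downloaded file
    # Constructed reply line: hash, last-seen timestamp, detection percentage.
    reply = "a9993e364706816aba3e25717850c26c9cd0d89d 1277221946 79"
    print(verdict(io.BytesIO(sample), reply))
```
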

Caroline Ikomi, technical director at IT security firm Check Point, echoes Wood’s comments, noting that her own company’s Zone Labs division offers a variety of security software, including the popular Zone Alarm free firewall application. Originally released in the 1990s and since enhanced, it is a personal firewall software application that includes an inbound intrusion detection system, as well as the ability to control which programs can create outbound connections.

The crucial thing to remember about viruses and malware, says Ikomi, is that the so-called ‘script kiddies’ [amateur] viruses of the 1980s and 1990s have given way to a cyber-criminal malware fraternity that is trying to rip you off in many different ways.

And, she explains, with the wealth of security software now available – much of which is free or low-cost – it is vital that an IT department or computer-savvy person in the smallest company has a reporting system that tells them what is happening or what has happened.

“Most good IT security software has some form of reporting system that presents data on what is going on to the user – or in a format that can be used by a reporting application. On a company computer system, it’s worth tapping this data from several applications and then presenting it in a simple dashboard for the manager to look at and interpret,” she says.

The good news is that most good company security software and systems come with a dashboard overview facility that can draw on data from third-party security software and present it to the manager in an easy-to-interpret format.

Ikomi recommends that company managers ask their security systems software supplier to provide them with this facility.

Interestingly, she is also in favour of users switching to Apple Macs on the basis that the computer platform is far less liable to malware and viruses, but the Mac, she observes, carries a financial premium with it.

This does not, she adds, absolve the user from taking care when using the internet or extras such as USB sticks and disk drives.

“Users have to remember that they are part of the solution and not just part of the problem. People need to be responsible for what they do on their computers and on the internet,” she says.

Ikomi says that another important facet of helping to prevent virus-infected emails and malware-ridden websites from dropping their payloads on to your computer is the need to look at the message or website closely.

“The old adage of, if it looks too good to be true, then it probably is, applies here,” she says.

“Installing good IT security software is only part of the equation. Users have to stay safe online, and think before they click.”

Steve is technical editor on Infosecurity magazine. He also writes on cellular and communications matters.
