Security in this connected world means a lot more than just the physical aspect. Digital security is a rising concern and we need to be more aware of it. We talk to Joe Levy, CTO, Sophos, John Shier, Senior Security Expert, Sophos and Hemal Patel, Senior VP, India Operations, Sophos about the various digital threats one can encounter and how the digital security industry is helping normal users face them.
Digit: What are the different type of online threats that could affect a normal user?
John: Broadly there are three types, based on their impact level - they're National, Organisational and Individual level threats. Beyond these, certain threats are indiscriminate in nature - they believe in ‘spray and pray’. In such threats, a lot of emails, or any other form of communication, is sent out hoping that some of it stick. This brings to mind the older stock scams, where scam operators would dial a bunch of numbers, and with the ones that would pick up, they would hope to convince them into acting. Similarly, such individual attacks convince users to actually act on the message often resulting in a different type of outcomes. If it’s Ransomware it’ll hold your computer hostage, if personal or bank information is stolen then it can be resold to some underground firm or use that elsewhere. Nobody is really immune to receiving these because the attackers spray IP addresses, so it could be .gov or a .com address, wouldn’t be any different to them.
Digit: What are some of the things unique to each type of threat?
John: At the national level, there are a lot of state secrets to be protected. Even breaking it down from there, at municipal or city levels too there is a lot of information pertaining things like infrastructure that cannot fall into the wrong hands. And at these levels, targeted attacks are the most common. At the organisational level, the business secrets are at stake. If you are a company, you have a lot of your own as well as client data to protect. Take Caterpillar, a construction equipment firm. If designs for their machines get stolen, it would be disastrous for their future plans. By association, if your customer data gets breached, you immediately lose customer loyalty and suffer from brand damage. Along with that, there’s the possibility of business disruption, due to a multitude of reasons ranging from server failure to equipment hacks. This happened a few months ago at a hospital in Germany where they had to cease computer operations for the time being and switch back to pen and paper, while they could reboot the entire system on the side.
At the individual level it is more about protecting the identity and all associated data - be it financial information or social networking data. After all, it is very important, especially at an individual level, to stay safe online, considering that we have seen edge cases of extortion and stolen identities entirely taking place online.
Digit: What are some of the objectives unique and/or common to the categories?
Joe: Well, at the individual level it is monetization. At this level, it is mostly thugs who would do anything to make money off you. Taking it one step higher, at the organizational level, you get multiple reasons. It could be one company taking down the website of a rival, stealing intellectual property or just taking out a grudge. At the national level, it may or may not be state-sponsored but it definitely involves the animosity towards the target state. And more often than not, governments happen to keep an arm's length distance from groups that operate at a national level - neither encouraging them, nor shutting them down.
John: I’ll give you an example of the monetization aspect. There was a breach of a large supermarket chain in the UK, where the attackers, in turn, sold the data to another group. This second group ran a ransomware campaign with the same data. Now the first group made money by selling the data itself whereas the second group made money by using the data for malicious reasons. This kind of a chain is not uncommon at all out there.
Digit: Based on the categories that you have explained, it seems that it is easier to figure out what is at stake at the national or organisational level, with specific targets to be protected. Whereas, it is mostly an individual who ends up thinking that they are completely safe with just an antivirus. Where are they going wrong?
Joe: The first mistake that most people make is believing that they are not a target and could never really be one. While it is true that the attackers aren’t looking for a specific victim, they are casting a very wide net hoping to rope in some of the vulnerabilities in your system that they could exploit. The vulnerability could be in the software you’re using, or it might be a behavioral vulnerability. In fact, social engineering attacks are by far the most successful ones against individuals. Even if you consider that a very small percentage of people actually click on the spam emails, it is still considerable. Think about it - there are botnets out there that can send over a billion spam emails in a single day. And if you say that 0.01% of those emails are actually being clicked on, that’s still 100,000 clicks every day!
Hemal: Often it is also a case of bad luck. For example, if you create an Amazon account with your personal email ID and then Amazon gets hacked, there’s nothing you can do at that point specifically to protect your email ID, although you almost did nothing wrong.
Digit: Phishing, ransomware etc based attacks are mostly carried out through spam. But isn’t spam practically non-existent right now? Thanks to spam filters in our email, we almost have to see none of it in our main inbox. Then how is still an effective way of carrying out such attacks?
John: The spam that we used to see earlier was what I like to call ‘amateur spam’. A lot of it was fairly easy to spot and that infrastructure that was being used to deliver it was fairly concentrated. It was easier to just identify the IP addresses that are sending out spam and block them across the industry. But there has been innovation on the other side too. Spammers are now using techniques like load distribution to spread out the outgoing messages over thousands of hosts, which when looked at individually are not sending more than 10 spams at a time. That is a fairly acceptable number and not suspicious. Heuristically speaking, it used to be easier to detect spam. What we are seeing now is a dropped quantity but increased the quality of spam, that makes it much harder to detect. And you cannot expect users to not fall for that. A couple of spams I received recently, maybe from Amazon or a similar website, I can challenge anyone I know to identify that as spam by looking at it.
The older ones are still here and still play a role. Like the Nigerian gold scam or similar ones, if people think they spotted that one they feel they are safe for the day. Whereas the actually dangerous ones come from email IDs that look highly believable, like the local bank, as they are geographically targeted as well.
Joe: The obviousness of it has definitely gone down. Like other things, the law of evolution has also kicked in with spam that has been the fittest surviving to a point where it is indistinguishable from the real stuff, with all sorts of specialisations. One such type is spear-phishing CEOs of important companies, which can lead to the loss of tens of millions of US Dollars. In fact, the FBI is tracking this closely now and they have reason to believe that over the past three years, this particular type of attack has caused losses upwards of 2 billion USD. Interestingly, this type of targeted spear phishing of CEOs is called whaling. With publicly available information and some internal knowledge, this type of a con is really hard to catch.
Digit: For those who can’t really distinguish such emails or scams, or click on them even when they know it’s not safe, what exactly happens when one click on such a link?
John: Well, first, most such links take you to a website. The first part of the link will mostly contain a legitimate domain (say example.com). After that part comes the bit that takes you to a malicious link. There might be multiple reasons that hackers could use the domain, ranging from similar domain names to actually compromised domains. But once the link is clicked, there are a few possibilities. First, a file gets downloaded and executed on the local machine in the background and now you have ransomware. Secondly, the link could take you to a gate after multiple URL hops where you will land at something called an exploit kit. An exploit kit will scan your machine for specific vulnerabilities in the OS or the applications and THEN use that information to download a second payload, which could be ransomware or other harmful programs.
Hemal: Then again, it’s not always detectable from the user end. Sometimes, the website itself is compromised or replicated in such a way that it appears legitimate to the user and they would have every reason to trust it with their personal data.
John: There are some very innovative measures attackers use to avoid detection in such cases. Sometimes, they make it so that every nth request to the website will actually fetch malware. In such a situation, a webmaster checking the website would find nothing wrong with it 9/10 times. Overall, to avoid such cases, never click on any such links in your email. Always, either call up the sending organisation or type in the legitimate URL known to your separately into the browser in a secure environment.
Hemal: Such awareness is especially relevant in India where the number of smartphone users has increased manifolds recently, but without them having proper knowledge of how several features work on such a phone, including security measures. They are not be blamed, as many of them are from the generation that got skipped over by the computers and are now directly dealing with smartphones.
Joe: Sadly, not all kinds of attacks actually need the victim to interact in any form. Take the Stagefright vulnerability in Android and how it was exploited by hackers to completely ruin numerous phones by a simple MMS. Even the iPhone had a similar kind vulnerability recently.
Digit: Talking about remote attacks, we are always warned not to connect to public wifi. But in that situation, I am not clicking any suspicious link, I am still not an individual to be targeted, then why am I at risk there?
John: The design of such public Wifi networks is meant to be zero security. So there’s no privacy of the traffic. I can sit there with my laptop, maybe running Linux with all its neat hacking tools built into the operating system, and I can sniff all the traffic on the network regardless of what machine it is coming from. It can be dumped onto my storage for me to analyse. With better Wifi protocols this can be avoided, but there are other ways too. You mentioned Man in the Middle earlier. I can set myself up as a proxy so that you connect to me instead of the router. And then from that one machine I can actually inspect a lot of traffic. And it’s quite trivial to do. The best way to approach it is to use a VPN on any open network that you need to connect to. Although that doesn’t guarantee a foolproof record, it is good enough for 90% of the time.
Joe: Exactly. Recently, I was at the Blackhat convention at Las Vegas. The general wisdom there is to never connect to the Blackhat public wifi network because there are bad people doing bad things on it. But perhaps I threw caution to the wind and did connect, then I only did so after my suit of armor was up in the form of VPN. Even then, don’t do risky things on public networks. Don’t do your banking transactions there, wait to get home for that.
Digit: With the advent of IoT, there seem to many new points of attack available. Based on your experience, what was one of the unique attacks that you came across recently?
Joe: Really, IoT devices are only increasing the surface area for attacks. Most of these things run on a basic TCP/IP stack to keep things light. If you can get into one of these things, you may use it as a foothold in that particular network to go further.
John: A major problem is that there is no common platform. They are using customized libraries and lots of different chipsets, so there is widespread discord at both hardware and software level. Although this works in the favor of users sometimes because of the diverse methods required to break into all of them. And most such devices still need physical access to be hacked into. So we are relatively secure on the IoT front for now. For how long? No one knows.
Hemal: You mean as long as there is no standardisation. But what would be the gain?
John: If you ask me, I would be going after the cloud broker. Then I wouldn’t need much standardization to begin with. And about the gain, suppose you want to crash a power-grid - turning up the thermostats of all the homes in the area can achieve that.
Joe: Also, these are computing devices themselves, albeit with limited power. But they can still be used to send out spam, probe the internal network, create a botnet and more. For example, if anyone happens to hack into one of the 30 or so IoT devices that I have in my home right now, they’ll have access to my internal network. One of the ways I have tried to avoid that from happening is by assigning a separate SSID for all my IoT devices so that they cannot communicate with my computer, my server and other parts that I want to keep isolated from them. But this is not something an average user will do. And we as security providers need to make it easier and more approachable to achieve this level of security for everyone.
Digit: Five years down the line, what could be some of the emerging threats versus the security measures to tackle them?
Joe: It will be a lot like today. We’ll still be dealing with a lot of stuff that we do today. There’d still be spambot networks out there, so will be drive by exploits and other malicious codes and methods. The change will only happen when it needs to. And for now, the current threat methods are working so the hacker doesn’t need to change that. It would be an expensive undertaking. Also, I don’t think the industry itself has been driven to a point where it is looking at a certain change in the near future.
John: Actually, we’ve seen attacks from the past resurfacing again. Take document malware for example. Even though Microsoft has incorporated measures that have taken care of macros being executed by default when a document is opened, we have seen a recent increase in the number of such document malware emails, with the only change being targeted document names and subject lines based on the person they are being sent to (INVOICE for the finance department, RESUME for HR and so on).